[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Fwd: Re: IKEv2 Key Size Conformance Requirements



> An RSA key is not just a bit pattern.  Seeing leading zero bits
> drastically limits the search space of primes making up the key.

It's a matter of proportion. Two leading zero bits does not drastically
reduce the search space; 512 leading zero bits would.

The way the keys are constructed, for 1024 bit moduli you could use two 512
bit primes, but actually your key generation program probably chooses two
primes of slightly different lengths (e.g. a 514 bit and a 510 bit). This is
done to thwart an attack that I never really understood properly, but which
apparently makes your public key easier to crack. So a couple of bits
difference in the primes here and there clearly doesn't make that much
difference.

Andrew
--------------------------------------
The odd thing about fairness is when
we strive so hard to be equitable
that we forget to be correct.


> -----Original Message-----
> From: Niklas Hallqvist [mailto:niklas@appli.se]
> Sent: Thursday, November 07, 2002 5:41 PM
> To: Michael Richardson
> Cc: andrew.krywaniuk@alcatel.com; 'ipsec'
> Subject: Re: Fwd: Re: IKEv2 Key Size Conformance Requirements
>
>
> > Date: Tue, 05 Nov 2002 16:10:10 -0500
> > From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
> >
> > >>>>> "Andrew" == Andrew Krywaniuk
> <andrew.krywaniuk@alcatel.com> writes:
> >     Andrew> I still haven't figured out what the big deal
> is. If someone wants to use a
> >     Andrew> 1022 bit key, can't they just call it a 1024
> bit key where the 2 leading
> >     Andrew> bits are zero? Is there some RSA chip/library
> out there that assumes that
> >     Andrew> the high bit is a 1? The math works either way.
> >
> >   Well, the OpenSSH people think that this is "broken",
> that you'd have a 1022
> > bit key. I think that this reflects a misunderstanding of
> how public key
> > cryptography works.
> >
> >   I agree with you, however.
>
> Well depending on what you mean by broken, it may well be seen as
> such.  The "brokenness" comes from the fact that a 1022 bit key is
> not 1024 bit "strong".  If you call an RSA key of 1022 bits, a 1024
> bit key, then you are lying, and likely create sense of false safety.
> An RSA key is not just a bit pattern.  Seeing leading zero bits
> drastically limits the search space of primes making up the key.  Or
> am I off here, it has been a while since I read the RSA math?  Would
> you call a 512-bit RSA key encapsuled in 1024 bits, a 1024
> bit RSA key?
>
> I would not, however, call it "broken" in the way that the math
> wouldn't work, it would.  It just would not be as strong as you are
> trying to imply.
>
> Niklas
>