Re: Fwd: Re: IKEv2 Key Size Conformance Requirements

[Niklas Hallqvist <niklas@appli.se>]

> Date: Tue, 05 Nov 2002 16:10:10 -0500
> From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
> 
> >>>>> "Andrew" == Andrew Krywaniuk <andrew.krywaniuk@alcatel.com> writes:
>     Andrew> I still haven't figured out what the big deal is. If someone wants to use a
>     Andrew> 1022 bit key, can't they just call it a 1024 bit key where the 2 leading
>     Andrew> bits are zero? Is there some RSA chip/library out there that assumes that
>     Andrew> the high bit is a 1? The math works either way.
> 
>   Well, the OpenSSH people think that this is "broken", that you'd have a 1022
> bit key. I think that this reflects a misunderstanding of how public key
> cryptography works. 
> 
>   I agree with you, however.

Well depending on what you mean by broken, it may well be seen as
such.  The "brokenness" comes from the fact that a 1022 bit key is
not 1024 bit "strong".  If you call an RSA key of 1022 bits, a 1024
bit key, then you are lying, and likely create sense of false safety.
An RSA key is not just a bit pattern.  Seeing leading zero bits
drastically limits the search space of primes making up the key.  Or
am I off here, it has been a while since I read the RSA math?  Would
you call a 512-bit RSA key encapsuled in 1024 bits, a 1024 bit RSA key?

I would not, however, call it "broken" in the way that the math
wouldn't work, it would.  It just would not be as strong as you are
trying to imply.

Niklas