
Re: speaking of keys



Russ,

I am fine with 1024-bit DH group as must-to-implement today.
(At least for those that assume that no attacker is interested in recording
their traffic today and being able to decrypt it in a few years,
in which case a longer modulus may be recommended.)
Yet your analogy to signature-key size does not hold.
Breaking your signatures two years from now is meaningless if you
revoked your key/certificates in the meantime.
In the case of DH, however, the secrecy of the key (if used to derive
data encryption keys) may need to be protected long after the DH key is
expired and removed from memory.
Therefore the security requirements on DH (especially standardized
groups) are more stringent, in general, than on signatures.

Hugo

On Fri, 6 Dec 2002, Russ Housley wrote:

> Steve:
> 
> I support your recommendation.  In fact, I was going to make the same 
> recommendation, but for a different reason.  A few weeks ago, we had a long 
> thread discussing mandatory to implement signature algorithms.  We decided 
> that RSA with 1024-bit keys will be mandatory to implement.  So, if 1024 
> bits is adequate for the signature, it seems like 1024 should also be 
> adequate for the key agreement algorithm.
> 
> Russ
>
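The following is an added illustration of the argument above; it is not part of the original thread and is not code by either author. It uses a constructed toy group (safe prime p = 1019, subgroup order q = 509, generator g = 4, all assumptions for the demo) so that a brute-force loop can stand in for "an attacker who can solve the discrete log a few years from now". An eavesdropper records only the DH public values and the ciphertext; once the discrete log falls, the recorded transcript alone yields the data-encryption key, long after both parties erased their exponents. The same brute force against a revoked Schnorr signing key produces a forgery that is mathematically valid but is rejected by any verifier that checks revocation, which is why the break is meaningless there.

```python
"""Added toy example: DH secrecy must outlive the key; a signature key only
has to hold until revocation. Parameters are deliberately tiny (assumed)."""
import hashlib
import secrets

# Constructed toy group (assumption for the demo): p is a safe prime,
# q = (p - 1) / 2 is prime, and g = 4 generates the order-q subgroup.
P = 1019
Q = 509
G = 4


def keypair():
    """Private exponent x in [1, q-1] and public value g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def brute_force_dlog(h):
    """The 'future attacker': recover x from h = g^x by exhaustive search.
    Feasible only because q is tiny; it models a cryptanalytic break."""
    for x in range(1, Q):
        if pow(G, x, P) == h:
            return x
    raise ValueError("no discrete log found")


def derive_key(shared_secret):
    """Data-encryption key derived from the DH shared secret (hash KDF)."""
    return hashlib.sha256(b"toy-kdf|" + shared_secret.to_bytes(2, "big")).digest()


def stream_xor(key, data):
    """Toy stream cipher: XOR with a SHA-256-generated keystream (symmetric)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def record_session(plaintext):
    """Alice and Bob run DH, encrypt one message, then erase their exponents.
    Only what a passive eavesdropper could record is returned."""
    a, ga = keypair()
    b, gb = keypair()
    key = derive_key(pow(gb, a, P))
    assert key == derive_key(pow(ga, b, P))  # both sides agree on the key
    ciphertext = stream_xor(key, plaintext)
    del a, b, key  # the DH keys are now "expired and removed from memory"
    return {"g^a": ga, "g^b": gb, "ciphertext": ciphertext}


def decrypt_recorded_traffic(transcript):
    """Years later: one discrete log on a recorded public value recovers the
    shared secret, hence the data-encryption key, hence the plaintext."""
    a = brute_force_dlog(transcript["g^a"])
    key = derive_key(pow(transcript["g^b"], a, P))
    return stream_xor(key, transcript["ciphertext"])


# --- Signature side: toy Schnorr signatures over the same group -----------

def _challenge(r, msg):
    digest = hashlib.sha256(r.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(digest, "big") % Q


def sign(x, msg):
    """Schnorr signature (r, s) with r = g^k and s = k - x*e mod q."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    s = (k - x * _challenge(r, msg)) % Q
    return r, s


def schnorr_valid(y, msg, sig):
    """Pure math check: g^s * y^e == r mod p."""
    r, s = sig
    return (pow(G, s, P) * pow(y, _challenge(r, msg), P)) % P == r


def verify(y, msg, sig, revoked):
    """What a real verifier does: reject revoked keys before any math."""
    if y in revoked:
        return False
    return schnorr_valid(y, msg, sig)


def forge_after_revocation(y, revoked, msg):
    """Attacker breaks the signing key with the same brute force, but only
    after the owner revoked it. Returns (mathematically valid, accepted)."""
    x = brute_force_dlog(y)
    forgery = sign(x, msg)
    return schnorr_valid(y, msg, forgery), verify(y, msg, forgery, revoked)
```

Running `decrypt_recorded_traffic(record_session(b"..."))` returns the plaintext even though no private exponent survived the session, while `forge_after_revocation` returns `(True, False)`: the forgery passes the equation and is still worthless. Swapping the toy group for a 1024-bit MODP group changes the cost of `brute_force_dlog`, not the structure of the attack, which is the asymmetry the message describes.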