
posted by martyb on Tuesday July 09 2019, @06:46PM
from the it's-complicated dept.

Researcher Ben Perez has written that it is time to stop using RSA[*] encryption. He goes through some of the problems with the algorithm and the code bases that implement it, how serious they are, some of the mitigations, and then explains his conclusion. Curve25519 is recommended instead.

RSA was an important milestone in the development of secure communications, but the last two decades of cryptographic research have rendered it obsolete. Elliptic curve algorithms for both key exchange and digital signatures were standardized back in 2005 and have since been integrated into intuitive and misuse-resistant libraries like libsodium. The fact that RSA is still in widespread use today indicates both a failure on the part of cryptographers for not adequately articulating the risks inherent in RSA, and also on the part of developers for overestimating their ability to deploy it successfully.

The security community needs to start thinking about this as a herd-immunity problem—while some of us might be able to navigate the extraordinarily dangerous process of setting up or implementing RSA, the exceptions signal to developers that it is in some way still advisable to use RSA. Despite the many caveats and warnings on StackExchange and Github READMEs, very few people believe that they are the ones who will mess up RSA, and so they proceed with reckless abandon. Ultimately, users will pay for this. This is why we all need to agree that it is flat out unacceptable to use RSA in 2019. No exceptions.

[*] RSA:

(Rivest–Shamir–Adleman) is one of the first public-key cryptosystems and is widely used for secure data transmission. In such a cryptosystem, the encryption key is public and it is different from the decryption key which is kept secret (private). In RSA, this asymmetry is based on the practical difficulty of the factorization of the product of two large prime numbers, the "factoring problem". The acronym RSA is made of the initial letters of the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who first publicly described the algorithm in 1977.
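As an added illustration (this is not code from the article, from the post, or from any library the post names), here is a textbook RSA walk-through in Python that makes the definition above concrete: key generation from two primes, encryption with the public key and decryption with the different private key, recovery of the private exponent by anyone who knows the factors of n (which is exactly why the scheme rests on the "factoring problem"), and the multiplicative property that shows why raw, unpadded RSA is not safe to use directly. The primes 61 and 53, the exponent 17 and the message 65 are constructed toy values; `random_prime` (Miller-Rabin) builds realistically sized keys for a round trip.

```python
# Added example, not code from the article or the SoylentNews post: textbook
# RSA with toy, constructed parameters to illustrate the definition above.
# Never use this for real data; use a vetted library (the post's own advice is
# to move to Curve25519-based schemes such as those in libsodium).
from math import gcd
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test (the standard algorithm)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:          # write n-1 as 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2       # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                       # a proves n composite
    return True


def random_prime(bits):
    """Random prime of exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(p, q, e=65537):
    """Derive an RSA key pair from two distinct primes.
    Returns ((n, e), (n, d)): public key and private key, which differ.
    That difference is the asymmetry the definition above describes."""
    if p == q or not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)                    # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                        # modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def private_key_from_factors(pub, p, q):
    """The 'factoring problem': whoever knows the factors of n recomputes d,
    so the private key is exactly as secret as the factorisation of n."""
    n, e = pub
    if p * q != n:
        raise ValueError("p*q does not equal n")
    return n, pow(e, -1, (p - 1) * (q - 1))


def textbook_rsa_is_malleable(pub, priv, m1, m2):
    """Unpadded RSA is multiplicatively homomorphic: Enc(m1)*Enc(m2) decrypts
    to m1*m2 mod n. Returns True when that holds, which is one reason real
    deployments need a padding scheme such as OAEP rather than raw RSA."""
    n, _ = pub
    c_product = (rsa_encrypt(pub, m1) * rsa_encrypt(pub, m2)) % n
    return rsa_decrypt(priv, c_product) == (m1 * m2) % n


def demo():
    """Toy run with constructed primes 61 and 53 (n = 3233, e = 17, m = 65).
    Returns (public key, private key, ciphertext, plaintext recovered by
    someone who only had the public key plus the factors of n)."""
    pub, priv = rsa_keygen(61, 53, e=17)
    c = rsa_encrypt(pub, 65)
    recovered = rsa_decrypt(private_key_from_factors(pub, 61, 53), c)
    return pub, priv, c, recovered


if __name__ == "__main__":
    print(demo())   # ((3233, 17), (3233, 2753), 2790, 65)
    big_pub, big_priv = rsa_keygen(random_prime(512), random_prime(512))
    print(rsa_decrypt(big_priv, rsa_encrypt(big_pub, 123456789)))
```

The toy key makes the dependency visible: `private_key_from_factors` needs nothing but the public key and p, q, so the whole private key reduces to the difficulty of factoring n. The malleability check is the kind of property that the "misuse-resistant" libraries quoted in the summary are designed to make impossible to stumble into.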

However, many systems and hardware tokens are still hardcoded for RSA. So upgrading is not as easy a task as it could be.

Where have you been able to migrate from RSA? Where have there been obstacles?

Earlier on SN:
Mathematicians Seal Backdoor to Breaking RSA Encryption (2018)
Upgrade Your SSH Keys (2016)
512-bit RSA Keys Cracked in Four Hours for only $75 (2015)
NSA and RSA - Claims of More Evidence (2014)


Original Submission

  • (Score: 3, Interesting) by stormwyrm (717) on Tuesday July 09 2019, @11:41PM (#865204) (1 child)

    The security of elliptic curve cryptography depends on the fact that the algebraic groups used for it have a structure such that the relatively more efficient algorithms known for computing discrete logarithms don't seem to work for them, so you can get away with much smaller key sizes. Given the known state of mathematical knowledge, a 256-bit ECC key appears to have the same level of security as a 3072-bit RSA key. However, if some smart mathematician somewhere (perhaps one employed by an intelligence agency somewhere) figures out an algorithm that is able to compute discrete logarithms over elliptic curve groups with the same level of efficiency as those over other groups then this advantage to elliptic curve cryptography goes out the window, and that 256-bit EC modulus might then actually be just as secure as a 256-bit RSA key, i.e. not at all. I rate the possibility of this someday happening as somewhat higher than someone finding a polynomial-time factoring algorithm (which would, by the way, also kill ECC just as dead as it would kill RSA).

    The other thing is that Shor's algorithm can also be used to compute discrete logarithms, and the complex structure of an elliptic curve group that troubles the known classical algorithms doesn't seem to matter as much to the quantum algorithm. Computing a discrete logarithm for a 256-bit elliptic curve modulus with Shor's algorithm seems to require around 2330 qubits [arxiv.org], while factoring a 3072-bit RSA key will require around 6146 qubits. We really need to move to some other post-quantum algorithm instead.

    --
    Numquam ponenda est pluralitas sine necessitate.
  • (Score: 2) by takyon (881) <takyonNO@SPAMsoylentnews.org> on Tuesday July 09 2019, @11:45PM (#865206)

    A breakthrough could rapidly scale systems from hundreds directly to millions of qubits, since decades of nanolithography research apply.

    Still, it would be funny to see some 8,192-bit and 16,384-bit RSA keys being used before the end.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]