Hi Daniel,

I agree with your points and I also agree that a default of 2048 now and

3072 bits in a few years for OpenSSH may be desirable.

There was a bug in some SSHv2 implementatons where 1023 bit keys were

generated when 1024 bit keys were asked.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661152 https://bugzilla.mozilla.org/show_bug.cgi?id=360126 Regarding strength, see also this article:

https://en.wikipedia.org/wiki/Key_size which has a reference to this letter on RSA Key Size:

https://web.archive.org/web/20170417095741/https://www.emc.com/emc-plus/rsa-labs/historical/twirl-and-rsa-key-size.htm Executive Summary

The popular 1024-bit key size for RSA keys is becoming the next

horizon for researchers in integer factorization, as demonstrated by

the innovative “TWIRL” design recently proposed by Adi Shamir and

Eran Tromer. The design confirms that the traditional assumption

that a 1024-bit RSA key provides comparable strength to an 80-bit

symmetric key has been a reasonable one. Thus, if the 80-bit

security level is appropriate for a given application, then TWIRL

itself has no immediate effect. Many details remain to be worked

out, however, and the cost estimates are inconclusive. TWIRL

provides an opportunity for review of key sizes in practice; RSA

Laboratories’ revised recommendations are given in Table 1 below.

... elided ...

The 112-bit security level is somewhat higher than needed now, but

it is convenient since triple-DES is already widely implemented, and

the 2048-bit RSA key size key size is convenient as it is already

supported for root keys. In the recent NESSIE recommendations

[NESSIE03], a minimum of 1536 bits is suggested for RSA signature

keys. This may be an appropriate interim measure, but due to the

lengthy process of upgrading key sizes, 2048 bits is a better goal.

Based on these considerations, RSA Laboratories offers the following

recommendations for key sizes:

+-------------------------+-----------------+-------------+

| Protection Lifetime | Minimum | Minimum RSA |

| of Data | symmetric | key size |

| | security level | |

+-------------------------+-----------------+-------------+

| 2003 – 2010 | 80 bits | 1024 bits |

+-------------------------+-----------------+-------------+

| 2003 – 2030 | 112 bits | 2048 bits |

+-------------------------+-----------------+-------------+

| 2003 – 2031 and Beyond | 128 bits | 3072 bits |

+-------------------------+-----------------+-------------+

Table 1. Recommended minimum symmetric security levels and RSA key

sizes based on protection lifetime. [I pivoted the table for easier

reading in email]

The United States National Institute of Standards and Technology (NIST)

also has a letter on key strengths:

https://csrc.nist.gov/csrc/media/projects/key-management/documents/transitions/transitioning_cryptoalgos_070209.pdf as well as a Special Publication which recomments RSA 2048-bit keys for now.

https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt3r1.pdf as well as this document:

NIST Special Publication 800-131A Revision 2

Transitioning the Use of Cryptographic Algorithms and Key Lengths

https://doi.org/10.6028/NIST.SP.800-131Ar2 Enjoy!

-- Mark

_______________________________________________

openssh-unix-dev mailing list

openssh-unix-dev@mindrot.org

https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev