North American Network Operators Group
RE: 1024-bit RSA keys in danger of compromise (fwd)

On Mon, 25 Mar 2002, Deepak Jain wrote:

> Since you are mentioning Verisign here, and CA authorities in general, has
> anyone considered that factoring the CA authority's key is far simpler than
> breaking the underlying key [no matter how large?]. Based on the

Well, that's not really the case. Breaking a 384 bit key is trivial. Breaking a 1024 bit key is probably not possible without a multi-billion dollar budget. 2048 bit keys are still in no danger of being broken any time soon unless further advances are made in factoring.

But I see the point you are making, which is that targeting the CA lets you attack all of the browsers that trust keys signed by that CA, rather than specifically targeting that one site. However, MITM attacks are active attacks, and run the risk of being detected by the victim. If you break the key a site is using for encryption, you can read the traffic without fear of detection.

Other comments on this issue, which I covered in my DEFCON 9 presentation: it would probably be a lot easier to compromise a CA's root key by means of network or physical attack, rather than through cryptanalysis. It also doesn't have to be Verisign you target -- there are over a hundred trusted root certification authorities in IE, some of them issued to companies that have gone bankrupt, or sold their root as part of their assets.

Remember, if you're attempting a MITM attack in TLS, you're really exploiting poor design of the trust-management features of the client, which is a whole can-o-worms in and of itself.

--Len.