Subject: Re: OpenSSH key size
To: Alistair Crooks <agc@pkgsrc.org>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-security
Date: 09/14/2005 17:35:38
On Wed, Sep 14, 2005 at 10:36:27PM +0100, Alistair Crooks wrote:
> On Wed, Sep 14, 2005 at 02:07:28PM +0000, Charles M. Hannum wrote:
> > There is a talk being presented at MIT today that shows clearly that 1Kb
> > public keys can be factored fairly easily on cheap custom hardware. It is
> > long past time for SSH keys to be at least 2Kb by default.
>
> You are quite right.
>
> Have I missed anything out of the attached diff?
Not sure...
> And can you give us a summary of the talk, please? It sounds interesting.
>
> Thanks,
> Alistair
> Index: ssh-keygen.1
> ===================================================================
> RCS file: /cvsroot/src/crypto/dist/ssh/ssh-keygen.1,v
> retrieving revision 1.16
> diff -u -r1.16 ssh-keygen.1
> --- ssh-keygen.1 23 Apr 2005 16:53:29 -0000 1.16
> +++ ssh-keygen.1 14 Sep 2005 21:34:17 -0000
> @@ -189,8 +189,8 @@
> .It Fl b Ar bits
> Specifies the number of bits in the key to create.
> Minimum is 512 bits.
> -Generally, 1024 bits is considered sufficient.
> -The default is 1024 bits.
> +Generally, 2048 bits is considered sufficient.
> +The default is 2048 bits.
> .It Fl C Ar comment
> Provides a new comment.
> .It Fl c
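Review bot: the `-b` description covers every key type ssh-keygen generates, so after this hunk the manual claims a 2048-bit default for DSA as well as RSA, while the "Minimum is 512 bits." line is left untouched; state which key type(s) the 2048-bit default applies to (and whether DSA keeps 1024), and reconsider whether the 512-bit minimum still belongs next to a sentence calling 1024 bits insufficient.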
> Index: ssh-keygen.c
> ===================================================================
> RCS file: /cvsroot/src/crypto/dist/ssh/ssh-keygen.c,v
> retrieving revision 1.23
> diff -u -r1.23 ssh-keygen.c
> --- ssh-keygen.c 23 Apr 2005 16:53:29 -0000 1.23
> +++ ssh-keygen.c 14 Sep 2005 21:34:18 -0000
> @@ -38,7 +38,7 @@
> #include "dns.h"
> 
> /* Number of bits in the RSA/DSA key. This value can be changed on the command line. */
> -int bits = 1024;
> +int bits = 2048;
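Review bot: a single `bits` default serves both key types (the comment above it says "RSA/DSA"), so `ssh-keygen -t dsa` without an explicit `-b` now requests a 2048-bit DSA key; FIPS 186-2 DSA is specified at 1024 bits, so consider applying the 2048-bit default only to RSA (for example, selecting the default per key type after `-t` is parsed, keeping 1024 for DSA) rather than raising the shared initialiser.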
I was under the impression that DSA keys were only 1k long, by design.
This of course makes them rather useless as time goes by. Or am I
mistaken?
Take care,
Bill