Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://ioc.exchange/users/opal/statuses/112746521148875679">Opalescent (opal@ioc.exchange)'s status on Monday, 08-Jul-2024 03:16:25 JST</a><a href="https://ioc.exchange/@opal" title="opal@ioc.exchange"><img src="https://gnusocial.jp/avatar/174778-48-20230920171017.webp" width="48" height="48" alt="Opalescent" style="position: absolute; left: 0; top: 0;">Opalescent</a><div><ul><li><li><a href="https://gnusocial.jp/user/218230" title="mkj@social.mkj.earth">mkj</a></li></ul></div></section><article><p><a href="https://social.mkj.earth/@mkj">@mkj</a> <a href="https://infosec.exchange/@ryanc">@ryanc</a> </p><p>It's not as much about key length as it is about RSA in general.</p><p>There are, like, a HANDFUL of RSA implementations that are audited, trustworthy, and suitably protected against the insane variety of subtle mistakes that can completely wreck its security. Even using those implementations safely takes a lot of care and effort. Using other libraries is a gamble; rolling your own is the cryptographic equivalent of bungee jumping without bothering to check if your harness is attached.</p><p>Timing attacks, faulty prime selection, improper padding, poor public exponent selection, related message attacks, etc. Lots of it discovered 20+ years ago, yet still showing up in RSA software written today.</p><p>Heck, even partial key leakage is a shit show compared to more modern algos. If I accidentally expose a quarter of a SPHINCS+ key, the remaining bits should still need to be brute-forced. If I expose a quarter of the bits in a private RSA exponent, though, the game is up completely.</p><p>If you're gonna go classical, use ECC. If you're gonna go PQ, there are good options to choose from (and NIST standards coming out). Either way, deprecate RSA wherever possible.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3342839#notice-6582590">In conversation</a><time datetime="2024-07-08T03:16:25+09:00" title="Monday, 08-Jul-2024 03:16:25 JST">about 5 months ago</time> <span>from <span><a href="https://ioc.exchange/@opal/112746521148875679" rel="external" title="Sent from ioc.exchange via ActivityPub">ioc.exchange</a></span></span><a href="https://ioc.exchange/@opal/112746521148875679">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Opalescent (opal@ioc.exchange)'s status on Monday, 08-Jul-2024 03:16:25 JSTOpalescent
- Ryan Castellucci :nonbinary_flag:
- mkj
@mkj @ryanc
It's not as much about key length as it is about RSA in general.
There are, like, a HANDFUL of RSA implementations that are audited, trustworthy, and suitably protected against the insane variety of subtle mistakes that can completely wreck its security. Even using those implementations safely takes a lot of care and effort. Using other libraries is a gamble; rolling your own is the cryptographic equivalent of bungee jumping without bothering to check if your harness is attached.
Timing attacks, faulty prime selection, improper padding, poor public exponent selection, related message attacks, etc. Lots of it discovered 20+ years ago, yet still showing up in RSA software written today.
Heck, even partial key leakage is a shit show compared to more modern algos. If I accidentally expose a quarter of a SPHINCS+ key, the remaining bits should still need to be brute-forced. If I expose a quarter of the bits in a private RSA exponent, though, the game is up completely.
If you're gonna go classical, use ECC. If you're gonna go PQ, there are good options to choose from (and NIST standards coming out). Either way, deprecate RSA wherever possible.
In conversationabout 5 months ago from ioc.exchangepermalink

Public

Embed Notice

HTML Code

Corresponding Notice