Minimum modulus size #445
Comments
|
See also: #350 |
|
For testing and supporting existing implementations I don't think a blanket limit makes sense. |
|
Not supporting existing implementations which would require this is a benefit.
RSA 1024 and even 2048 are plenty fast for testing.
…On August 9, 2024 11:00:27 PM GMT+01:00, Friedel Ziegelmayer ***@***.***> wrote:
For testing and supporting existing implementations I don't think a blanket limit makes sense.
But maybe a default generator that limits the range would be helpful for newcomers.
|
I am glad for you that this is how you can run your projects, it is not the same for all of us. |
|
I agree with @ryancdotorg and with the rationales outlined in the Go proposal. I also note that the An intermediate pathway would therefore be to do the same thing for minimum sizes:
Then the question of whether to expose the insecure / hazmat configuration APIs at all can be separated from the "stop people shooting themselves in the foot because they think they are getting 256-bit security" issue. |
|
For reference, here's an example of use of 512 bit RSA that could have damaged a power grid: It's been known to basically worthless in terms of security for decades, let it die. |
|
Mis-use resistance would be good - similar with x25519-dalek we added static_secrets opt-in to track it's use. One way would be to split the constructor for insecure and secure constructions - the insecure constructor for given bit-lengths would be hidden behind a feature - however later on how this whole thing evolves through time requiring approach to avoid breaking changes. By having to use a feature (or cfg) to override mis-use resistance it could be potentially tracked in at least feature usage - now it is non-trivial (still possible but hard to maintain to track it's use) to find any direct dependencies which use insecure sizes - where as using a feature it can be tracked through analysing crates.io-index that exposes the used features. When we put If we take this to extreme - there could be even a crate with all the possible keysizes as marker types and the type only gets used through feature / cfg and then features can track which keysizes are supported. e.g. marker type could be categorised as known "minimums" with the size embedded in data-enum Also according to some literature 2048 bits is considered obsolete by 2030 - should this be taken into account ? Having this evolution built in without inducing breaking changes when the inevitable factorizations happen - tick tock. So for this reason I would say having "well known minimums" categories as types could be ok for future backward compat w/o having to do breaking changes allowing depreciation of surface that leads to insecure constructions. |
|
I strongly disagree with this restriction the library should remain as flexible as possible; modulus size is a user's choice. |
|
Extensive empirical evidence shows that users of cryptographic libraries are frequently not qualified to make choices on things like modulus size.
Putting broken (< 1024 bits) and weak (< 2048 bits) behind feature flags seems like a good solution, and type annotating by size is an interesting idea.
…On August 15, 2024 1:01:59 PM GMT+01:00, teknalb ***@***.***> wrote:
I strongly disagree with this restriction the library should remain as flexible as possible; modulus size is a user's choice.
As an alternative I'd suggest informing the user with a warning or something if the key size is known to be broken.
|
|
a feature flag for broken/weak sounds good idea without sacrificing flexibility :) |
|
I'll +1 @str4d's suggestion that we should follow what we already do with |
RSA is catastrophically weak with 512 bit keys, and anything less than 2048 bits is insecure. A minimum key size should be enforced. Golang has proposed to require 1024 bits minimum:
golang/go#68762
however 2048 would be a good choice where backwards compatibility requirements are minimal
The text was updated successfully, but these errors were encountered: