
8192+ bit RSA keys in OS X - robbiet480
http://shizmob.tumblr.com/post/67305143330/8192-bit-rsa-keys-in-os-x
======
BoppreH
8192 bit RSA key is one or two notches above overkill. 2048 is expected to
last many more decades, and I haven't seen 4096 outside tin-foil hat
environments. I know our national root certification authority uses 4096, for
example.

I propose such a key actually decreases security because it is less compatible
with existing software, training the users to further ignore warnings or
dangerously tinker with their security settings.

Which one is more likely? NSA being able to break 4096 keys, but not 8192, or
your user accepting an invalid certificate because "the key is probably just
too big", or "it drains too much battery"? Which one will have more impact
down the line?

Besides, if you are worried about such sophisticated attackers, your priority
should be securing side channels and protecting yourself from rubber-hose
cryptanalysis ([http://en.wikipedia.org/wiki/Rubber-
hose_cryptanalysis](http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis)).

~~~
ppereira
What is the relative cost in cpu/memory of encrypting with 8192 bit vs. 2048
bit RSA?

~~~
wyager
According to the article, it ranges from 16x more time-complex to 256x more
time-complex, depending on what you're doing with it.

~~~
bennyg
This is a good analysis as well:
[http://security.stackexchange.com/questions/41937/pgp-rsa-
ke...](http://security.stackexchange.com/questions/41937/pgp-rsa-key-size-
encryption-decryption-time)

------
gfosco
Is he going to have to tell everyone who uses these affected versions of OS X
to run these commands / change these preferences in order to view his site?
This is much worse than he expressly states... How many people are going to
put in the effort to contact the site author, or investigate the error,
instead of writing off the site entirely? My takeaway from this is not to
update a machine to be able to view a site with large certificates, it is to
not use large certificates until Apple releases a fix for this.

------
m_eiman
For reference, this is how fast OpenSSL is with various key sizes on my Core
i5, 2.6GHz:

    
    
                          sign    verify    sign/s verify/s
        rsa  512 bits 0.000192s 0.000014s   5209.8  72185.6
        rsa 1024 bits 0.000909s 0.000037s   1100.4  27318.3
        rsa 2048 bits 0.004911s 0.000109s    203.6   9180.2
        rsa 4096 bits 0.030147s 0.000413s     33.2   2419.1

~~~
csmuk
Thanks for posting this. I've always wondered what the numbers were. 4096 bits
does appear to add a significant work factor.

~~~
m_eiman
Extrapolating a bit, the numbers for 8kb keys should be about 5 sign/sec, 500
verify/sec.

------
plorkyeran
Note that iOS has the same issue, except there's no way to change the relevant
setting (AFAIK), and in general 8k keys are likely to be prohibitively slow on
mobile.

------
fsiefken
Alternatively one could use Elliptic Curve Cryptography to mitigate potential
DOS issues as it less computationally intensive. For example a 409 ECC key is
equivalent to a 7680 RSA key. For more on this read "ECC Cipher Suites for
TLS", RFC 4492.
[http://www.ietf.org/rfc/rfc4492.txt](http://www.ietf.org/rfc/rfc4492.txt)

Be sure to take note of which curves to use as only some are supported by the
TLS standard: [http://stackoverflow.com/questions/16334662/some-elliptic-
cu...](http://stackoverflow.com/questions/16334662/some-elliptic-curves-in-
openssl-give-no-shared-cipher-errors)

------
Demiurge
So what's the actual limit it is set to by default? If I get a certificate,
I'm not exactly going to tell everyone to run a sudo command before opening
the site :)

~~~
andrewcooke
4096 according to the code linked to in the article -
[http://opensource.apple.com/source/Security/Security-55471/l...](http://opensource.apple.com/source/Security/Security-55471/libsecurity_apple_csp/lib/RSA_DSA_keys.h)

~~~
apaprocki
I noticed the Certificate Assistant UI in Keychain Access only lets you choose
as high as 2048 bits if you're generating certs that way.

------
apaprocki
Too funny -- I just went through this same exercise to see what the limits
were and figured nobody would actually care about it since > 2048 bits is a
little bit crazy.

I also found that TLS1.2 is not supported in Mail.app on Mavericks, even
though it is supported in Safari. I wanted to see if I could enable
TLS1.2-only AES-GCM on everything and quickly found the SMTP/IMAP TLS support
is lacking.

------
asdfaoeu
Annoyingly, StartSSL doesn't support ECDSA (well say they are less than the
required 1024 bits, which they are but are more secure comparably).

------
wellboy
Doesn´t it take 10^100 universes to crack 8192 bit RSA?

~~~
lutusp
> Doesn´t it take 10^100 universes to crack 8192 bit RSA?

That's easy to test:

a = 2^8192 ≅ 1.09 * 10^2466
([http://www.wolframalpha.com/input/?i=2%5E8192](http://www.wolframalpha.com/input/?i=2%5E8192))

b = 10^100 universes

If we assume one universe can only crack one value, then we need many more
than 10^100 universes. But it's reasonable to assume that one universe can
crack more than one encrypted value. Let's say that each universe can crack a
million values. Then 10^100 universes is too many.

