
Unless you're worried about storing and/or transmitting a huge amount of keys (in the order of "at least 100/second") and/or using one key "at least 100 times/second", why not just go for 4096 by default?



Because 4096 bit RSA is a lot slower and bigger and those things matter. And there isn't any upside? If you're actually worried about 2048-bit RSA (and you should not be), you should switch to one of the elliptic curve schemes.
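To put numbers on the "slower and bigger" trade-off, here is an added example (not code from the thread or any commenter) that estimates the classical security of an RSA modulus from the GNFS running-time heuristic, calibrated to the NIST SP 800-57 figure of 112-bit security for RSA-2048, and compares that with the cost of a private-key operation. The cubic cost model and the use of a random odd modulus instead of a real key are simplifying assumptions for illustration; the timing loop only shows how modular exponentiation scales, not a real signing benchmark.

```python
import math
import secrets
import time

# Added example, not from the thread. Calibration point from NIST SP 800-57:
# a 2048-bit RSA modulus is rated at roughly 112 bits of security.
CALIBRATION_BITS = 2048
CALIBRATION_SECURITY = 112


def gnfs_log2_work(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS running time L_n[1/3, (64/9)^(1/3)]
    for a modulus of the given length, ignoring the o(1) term."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    ln_work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)


def rsa_security_bits(modulus_bits: int) -> float:
    """Estimated symmetric-equivalent security, scaled so the calibration
    point matches NIST's figure. Only the relative growth matters here:
    doubling the modulus gains far fewer than double the security bits."""
    scale = CALIBRATION_SECURITY / gnfs_log2_work(CALIBRATION_BITS)
    return scale * gnfs_log2_work(modulus_bits)


def private_op_cost_ratio(bits_a: int, bits_b: int) -> float:
    """Rough cost ratio of a private-key exponentiation at bits_b versus
    bits_a. Assumption: schoolbook modular exponentiation is about cubic
    in the modulus length, so 2048 -> 4096 costs roughly 8x."""
    return (bits_b / bits_a) ** 3


def time_private_op(modulus_bits: int, rounds: int = 3) -> float:
    """Average seconds for one full-length modular exponentiation, which is
    the dominant cost of RSA signing/decryption. Uses a random odd modulus
    and random exponent (constructed, not a real key); the scaling is the
    same as with a real key."""
    n = secrets.randbits(modulus_bits) | (1 << (modulus_bits - 1)) | 1
    d = secrets.randbits(modulus_bits)
    m = secrets.randbelow(n)
    start = time.perf_counter()
    for _ in range(rounds):
        pow(m, d, n)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    for bits in (2048, 3072, 4096):
        print(f"RSA-{bits}: ~{rsa_security_bits(bits):.0f}-bit security, "
              f"private op ~{private_op_cost_ratio(2048, bits):.0f}x RSA-2048, "
              f"measured {time_private_op(bits) * 1000:.1f} ms per op")
```

Run as a script it prints one line per modulus size; the estimate for RSA-4096 lands around 150 bits, so doubling the modulus from 2048 buys a few dozen extra bits of classical security at roughly eight times the private-key cost. Against Shor's algorithm the estimate is irrelevant: all of these sizes fall together.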


All other things equal, 256-bit elliptic curve cryptography is going to break before RSA2048 does with quantum computing advances.

Do NOT switch to ECC if your threat model includes a quantum computer arriving.

Either use larger RSA keys or more appropriately a hybrid signature scheme combining one of NIST's PQC signatures and a traditional algorithm.

https://csrc.nist.gov/Projects/post-quantum-cryptography/sel...


I'm not actually sure about this. The elliptic curve schemes are just as broken with quantum computers, and the larger key size of RSA seems like it might add a few years of overhead in terms of qubits needed. Not an expert though.


Because that will soon become "why not 128k". Or perhaps we should use 2 megabytes for each prime? We don't know, but it's better to be safe than sorry.


If you accept the current assumptions, then you would have to accept that 4096 bit RSA will be obsolete by 2060.


That's a significant amount of time if we're talking about long-term file storage.

I've had my dropbox account for over 10 years now. Being concerned about a timescale of 20 to 30 years seems reasonable for things like long term file storage IMO.

Backblaze, dropbox, google drive, onedrive, AWS are all over a decade old.


> I've had my dropbox account for over 10 years now. Being concerned about a timescale of 20 to 30 years seems reasonable for things like long term file storage IMO.

But you're relying on your chosen cloud-provider staying around for 30 years. The number of tech companies that have died in the last 30 years easily exceeds the number still standing [citation needed].


> But you're relying on your chosen cloud-provider staying around for 30 years.

Yes, and I recognize that the company existing, or at least that product existing for that long, isn't incredibly likely. But I think the fact that there are 3 products from massive companies like Amazon, Google, Microsoft, and 2 from smaller ones, Dropbox/Backblaze, that lasted 10 years means that at the very minimum ~20 years should be considered as realistically possible.

And honestly, if we're willing to assume whatever we're storing isn't worth them storing for longer (let's say against your will) - then you should just rekey it anyway yourself.

But I'm lazy, and again we're getting to near 15 years for some of those services now.

> The number of tech companies that have died in the last 30 years easily exceeds the number still standing [citation needed].

I don't disagree with your premise that the company/product you pick isn't likely to last for 30 years - however I don't think this specific statistic is the correct one to evaluate this with, given the wide range of tech companies with differing products, markets, financial situations, regulations, the many startups that are effectively designed to be acquired, etc.

At the very least, I don't think it's fair to compare Google/Microsoft/AWS to "insert latest crypto based file storage startup" in terms of long-term viability.


OK, so you're up for a bet. That's fine by me - once a year I bet on the gee-gees in The Grand National.


> That's a significant amount of time

Depends on the threat model. I mean, WireGuard and Signal rotate derived keys every 2mins!


So only 37 years? I think I can live with that.


It depends on what you are transmitting, right?

Hypothetically if you are a journalist working with communications from a source in an authoritarian country (or a country that could become authoritarian in the next 4 decades; and name one that couldn’t, right?) it would be no good if you got some elderly person killed in the future.

Or just like bank account details I guess?


No cryptographic scheme remains unbreakable forever. If what you want is permanent protection, cryptography is not the solution. If people are encrypting things expecting that encryption will never be broken, they're misusing encryption.

The point of cryptography isn't to keep secrets forever, it's to keep secrets for long enough that by the time those secrets are revealed, they are worthless.


> No cryptographic scheme remains unbreakable forever. If what you want is permanent protection, cryptography is not the solution.

Whilst this has historically been true, it's very plausible that AES-256 means that (for this limited problem, symmetric encryption) we're done.

The "obvious" attack (some type of brute force) on AES-256, even assuming you have a quantum computer (which we don't) and it's actually more affordable than our current computers (which it won't be) is not practical in our universe.


I think this is a topic that much cleverer people than me have thought long and hard on. Of course nothing practical remains unbreakable forever, but it seems weird that for example the default key size for ssh-keygen isn’t in the “probably two lifetimes” range.


I can tell you that journalists aren't worrying about that most of the time. It's very much outside their threat model in the majority of cases, as it should be - there's no way to feasibly predict and protect against cryptographic risks 30+ years from now.


In that case the volume of traffic such a communication medium would need to handle is likely small enough that you can bump the key size higher to ensure greater longevity, currently past the lifetimes of those involved, and accept that transmitting data will take a small fraction of time longer.


If extreme security is needed it’s time to turn off your computer, leave your cellphone at home, don’t tell details to colleagues who do not have a need to know, and maybe resort to dead drop methods so even you don’t know who the source is yourself.


Some people are willing to take on some extra risk to talk to journalists, and the world is a better place for their bravery.

And we’re talking about thousands of bits, we spend way more than that on stupid things like making UI slightly prettier. I’m streaming music at, I guess, ~200kbps, why not spend a couple seconds worth of music on keys? (Who knows, maybe it will protect some famous journalist somehow and we’ll end up ahead when it spares us a whole moment of silence).

Edit: TBH I’m not really sure this is a useful way to look at things, but the music bandwidth/moment of silence parallel was too convenient to pass up.


I would hope that someone invents a more robust cryptography protocol in the next 37 years.


A bit less, since you have to worry about an attacker storing anything you do now for future attacks.

But if you only want any given secret to stay safe for 20 years, you can still use 4096 bit RSA for another 17 years. Which sounds like a good tradeoff: enough time for better algorithms to get established, but little risk of a breach you will care about.


Isn't RSA from like the 80s? That would already make it ~40 years old.


Being pedantic: RSA is a cryptosystem, not a protocol, and the parameters that were used in 1980s RSA encryption look nothing like the parameters used in today's RSA (in part because they're much larger now, but also in part because we now know about all the weird things that happen when you choose non-standard exponents, primes that are too close to each other, etc.).

RSA is also not typically described as robust, for those reasons.



