ietf-smime

Re: Comments on S/MIME v3.2

2007-12-06 12:49:38

On Thu, Dec 06, 2007 at 04:11:52PM +1300, Peter Gutmann wrote:
How widely supported are values > 2K bits in hardware and crypto toolkits?

While I was sitting on a beach drinking Mai Tais listening to the audio of the
WG meeting, I was concerned about this exact issue.

The last time I looked (which admittedly was a few years ago), you ran into
problems if you assumed that everyone could handle > 2K bit keys.

So there's two halves that I think should be treated separately:

* HSMs (hardware).

* Software implementations.

As for hardware, there's some amount of "it is what it is". That is, a
deployed hardware module will essentially never grow more processing power or
breed more memory. He's stuck with the algorithms and lengths that he has, for
the most part -- I imagine that there's probably some hardware module out
there that is securely upgradeable to new algorithms and keylengths. But I
would think that the nature of hardware is that it automatically obsoletes
itself every few years in general.

As for software, why is there a limitation? I admit that all of my applied
cryptogruffer experience with my own RSA implementations has been academic
(implement multi-precision integer library, modpow, admire result), but are
implementations arbitrarily stopping at some keylength, or is there some
limitation due to the implementation choice that causes a bad performance
issue, or an optimization that doesn't work over a particular keysize, or
what? I guess this is an open-ended question.

The fact of the matter is that we need to keep increasing keylengths and
changing algorithms. Do we need to start putting in SHOULD+ recommendations
for a couple of years before putting it in as a MUST? My hope is that this
would give implementors enough time to revise for the higher keylengths.

Blake
-- 
Blake Ramsdell | Sendmail, Inc. | http://www.sendmail.com
