Subject: Re: 1024 bit key considered insecure (sshd)
To: Karsten W. Rohrbach <karsten@rohrbach.de>
From: Peter Fairbrother <zenadsl6186@zen.co.uk>
List: tech-security
Date: 09/04/2002 18:18:44
Karsten W. Rohrbach wrote:

> Perry E. Metzger(perry@piermont.com)@2002.08.29 02:08:27 +0000:
>> I do. If someone with millions of dollars to spend on custom designed
>> hardware wants to break into your computer, I assure you that
>> increasing the size of your ssh keys will not stop them.

(no, but it might stop an attack based on too-small keysize, which if the
attacker can do it has the extra nice property that the user need not know
that security has been broken, unlike rubberhose cryptanalysis)

> you missed the concept behind crypto in general, i think. it's not about
> stopping someone from accessing private resources,
That's exactly what it _is_ about. Because we can't always achieve it some
cryptographers and security people say (with some justification) that
"making it hard" is good enough. Others pretend that making it hard is the
goal.

Cryptography means "hidden writing", and while it is often confused with
security it is not the same thing. Cryptography only protects the writing,
not the writer.
For the non-crypto people here, it is possible to make crypto mathematically
secure under assumptions like "if the entire universe is made into a
reversing quantum computer it would not be able to break the crypto in the
projected lifetime of the universe. Squared.".

With deniability it can be impossible to prove you have decoded data, even
when you have. If you use an OTP (one-time-pad) then in theory the crypto
can _never_ be broken (without a time machine, which could watch you typing
the plaintext anyway).

But then, if the crypto is too strong, an attacker will usually choose
another point of attack, eg coshes to the head, weak implementations, OS
weaknesses, TEMPEST attacks, over-the-shoulder cameras, over-the-shoulder
blondes, Trojans, backdoors, keyloggers, legal attacks, and so on.

While these attacks cannot in general be totally defeated, the crypto itself
can sometimes be made unbreakable. Unfortunately this is impractical for
Public Key cryptography, and it's often impractical for symmetric-key
cryptography too.
How big should a public key be? I don't have enough information to answer
that. What do the likes of NSA/ GCHQ know that we don't? On the other hand,
that doesn't actually matter too much unless you are planning a nuclear
attack, as they are unlikely to admit they can break a cypher even to
prevent a 9/11 - the ability to break a cypher is most useful when the
people using the cypher believe it is unbreakable.

FWIW, I use 4k-bit keys unless the hardware is too old. Pt.3 of RIPA (the
GAK bit) is coming to the UK soon, and I will stop using public keys
entirely then (except for DH and authentication). 1024-bits is probably
still OK in practice for short-term security, if you're not subject to legal
demands for keys.

-- Peter Fairbrother
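As an added illustration of the practical question in this thread (which keys on a host are still 1024-bit RSA), here is a small audit script. It is not code from the thread or from OpenSSH; it parses the public-key line format used by authorized_keys and *.pub files (type, base64 blob, comment, with the blob built from RFC 4253 "string" and "mpint" fields), reads the RSA modulus, and flags keys below a chosen minimum. The sample keys are constructed for the example (arbitrary odd numbers of the right length, a constant ed25519 point) and are not real key material; the function names and the 2048-bit default threshold are this example's own assumptions.

```python
"""Audit OpenSSH public-key lines for RSA modulus size.

Added example, not code from the thread or from OpenSSH: parses the
authorized_keys / id_rsa.pub line format (RFC 4253 "string" and "mpint"
encodings inside the base64 blob) and flags RSA keys whose modulus is
shorter than a chosen minimum. The sample keys below are constructed,
not real key material.
"""
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(x: int) -> bytes:
    """Encode a non-negative int as an SSH 'mpint' (two's complement, so a
    leading 0x00 byte is added when the top bit of the first byte is set)."""
    if x == 0:
        return _ssh_string(b"")
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (payload, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end


def make_pubkey_line(ktype: str, fields, comment: str) -> str:
    """Build a public-key line 'type base64(blob) comment' from encoded fields."""
    blob = _ssh_string(ktype.encode()) + b"".join(fields)
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"


def rsa_modulus_bits(line: str):
    """Return the RSA modulus length in bits for an 'ssh-rsa' line, or None
    for any other key type. Raises ValueError on a malformed line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    name, off = _read_string(blob, 0)
    if name.decode("ascii", "replace") != ktype:
        raise ValueError("key type in blob does not match line prefix")
    if ktype != "ssh-rsa":
        return None
    _e, off = _read_string(blob, off)   # public exponent, not needed here
    n, _off = _read_string(blob, off)   # modulus as mpint (leading 0x00 is harmless)
    return int.from_bytes(n, "big").bit_length()


def audit(lines, min_bits=2048):
    """Return [(comment, bits, verdict)] for each non-empty, non-comment line.
    verdict is 'too-short', 'ok', or 'not-rsa' (non-RSA keys are not sized here)."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=2)
        comment = parts[2] if len(parts) > 2 else ""
        bits = rsa_modulus_bits(line)
        if bits is None:
            verdict = "not-rsa"
        elif bits < min_bits:
            verdict = "too-short"
        else:
            verdict = "ok"
        out.append((comment, bits, verdict))
    return out


# Constructed sample keys: moduli are arbitrary odd numbers of the intended
# length, NOT real keys; the ed25519 "point" is 32 constant bytes.
SAMPLE_KEYS = [
    make_pubkey_line("ssh-rsa", [_ssh_mpint(65537), _ssh_mpint((1 << 1023) | 1)], "old-1024"),
    make_pubkey_line("ssh-rsa", [_ssh_mpint(65537), _ssh_mpint((1 << 4095) | 1)], "new-4096"),
    make_pubkey_line("ssh-ed25519", [_ssh_string(b"\x42" * 32)], "ed25519-host"),
]

if __name__ == "__main__":
    for comment, bits, verdict in audit(SAMPLE_KEYS):
        print(f"{comment:14s} {str(bits):>6} {verdict}")
```

To run it against a real host, feed `audit()` the lines of `/etc/ssh/ssh_host_rsa_key.pub` and each user's `authorized_keys`; the script only reads public data, so it never needs the private half of any key.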