[cabfpub] Proposal to add DSA 2048

Adam Langley agl at google.com
Fri Mar 8 21:50:04 UTC 2013


On Fri, Mar 8, 2013 at 4:38 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:
>
> - Does it present any issues that are different from RSA algorithm certs? AFAIK, just what Erwann listed below (it can be used for signature only, not encryption/decryption). I haven’t heard of any particular vulnerabilities. In fact, the “Ron was wrong, Whit is right” paper (http://eprint.iacr.org/2012/064.pdf) suggests that there are advantages to cryptosystems like DSA that require only a single secret during key setup.


It presents significant issues beyond RSA.

As specified in FIPS, the nonce should be random and most
implementations follow this advice. However, even a couple of known
bits per nonce from a weak PRNG lead to complete key compromise. RSA
doesn't have that kind of sudden-death behaviour in the event of a RNG
problem.

ECDSA is similarly afflicted and the solution for both is to generate
the nonce from the message and secret key. (In the case of TLS, it's
fine to make the nonce a function of the secret key and message. In
general, someone might be depending on the fact that the signatures
are probabilistic, so some randomness should still be included.)

Having said that, I'd be happy to see DSA 2048 included in the
baseline. In fact, I'd be happy to say that anything believed to be >
80 bits of security is acceptable.


Cheers

AGL
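Added example, not code from the thread or from any of its participants: a toy DSA in Python that shows the sudden-death behaviour described in the message above, in its degenerate form. Two messages are signed while the RNG is stuck on one value (the limiting case of "a couple of known bits per nonce": every bit is known to repeat). With FIPS-style random nonces the two signatures share r and the private key falls out of two linear equations mod q; deriving the nonce from the private key and the message, with RNG output mixed in so the signature stays probabilistic, survives the same broken RNG. Assumptions in this example: toy parameter sizes (64-bit q, roughly 160-bit p, fixed seed) generated at import time, the digest reduced mod q rather than truncated to the leftmost N bits, and an HMAC-SHA256 nonce derivation that stands in for RFC 6979's HMAC-DRBG. Recovering a key from partially known nonce bits needs lattice reduction and is not shown. Python 3.8+ is needed for pow(k, -1, q).

```python
import hashlib
import hmac
import random

def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with random bases."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(qbits=64, pbits=160, seed=1):
    """(p, q, g) with q | p-1 and g of order q. Toy sizes and a fixed seed: demo only."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if not _is_probable_prime(q, rng):
            continue
        for _ in range(10000):
            c = (rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))) & ~1
            p = c * q + 1
            if _is_probable_prime(p, rng):
                return p, q, next(pow(h, c, p) for h in range(2, 1000) if pow(h, c, p) != 1)

P, Q, G = gen_params()

def hash_to_int(msg):
    # Simplification of FIPS 186's leftmost-N-bits rule: reduce the digest mod q.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def sign(x, msg, k):
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (hash_to_int(msg) + x * r) % Q
    assert r and s  # a real implementation retries with a fresh k here
    return r, s

def verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w, h = pow(s, -1, Q), hash_to_int(msg)
    return (pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P) % Q == r

def random_nonce(x, msg, rng):
    """FIPS-style: k comes straight from the RNG, so a weak RNG leaks x."""
    return rng.randrange(1, Q)

def deterministic_nonce(x, msg, rng=None):
    """k = HMAC(x, msg || rng output): a simplified stand-in for RFC 6979. RNG output
    keeps signatures probabilistic, but a stuck RNG can no longer repeat a nonce."""
    extra = rng.randrange(0, 1 << 256).to_bytes(32, "big") if rng else b""
    key = x.to_bytes((Q.bit_length() + 7) // 8, "big")
    mac = hmac.new(key, msg + extra, hashlib.sha256).digest()
    return 1 + int.from_bytes(mac, "big") % (Q - 1)

def recover_key(msg1, sig1, msg2, sig2):
    """Recover x from two signatures that share k (visible as r1 == r2), the limiting
    case of the known-nonce-bits attack. Returns None if the precondition fails."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        return None
    h1, h2 = hash_to_int(msg1), hash_to_int(msg2)
    k = (h1 - h2) * pow(s1 - s2, -1, Q) % Q      # s1 - s2 = k^-1 (h1 - h2)
    return (s1 * k - h1) * pow(r1, -1, Q) % Q    # s1 k = h1 + x r

class StuckRNG:
    """Constructed failure mode: an RNG whose output never changes."""
    def __init__(self, value):
        self.value = value
    def randrange(self, a, b):
        return a + self.value % (b - a)

def demo(nonce_fn):
    """Sign two constructed messages with a stuck RNG, then attack.
    Returns (both signatures verify, private key recovered)."""
    x, y = keygen(random.Random(2))
    bad_rng = StuckRNG(0x1234567890ABCDEF1234567890ABCDEF)
    m1, m2 = b"transfer 10 to alice", b"transfer 10000 to mallory"
    sig1 = sign(x, m1, nonce_fn(x, m1, bad_rng))
    sig2 = sign(x, m2, nonce_fn(x, m2, bad_rng))
    ok = verify(y, m1, sig1) and verify(y, m2, sig2)
    return ok, recover_key(m1, sig1, m2, sig2) == x
```

demo(random_nonce) returns (True, True): both signatures verify as normal, and the private key is recovered from them. demo(deterministic_nonce) returns (True, False): the signatures still verify, but the same stuck RNG no longer produces a shared nonce, so the attack's precondition never holds. RSA has no analogue of this step: a bad RNG during RSA signing does not hand over the signing key.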


