The three algorithms we’ve discussed can be used to solve the key distribution problem. Which one is the best? There’s probably no answer to that question because each has its advantages and disadvantages. A more appropriate question might be, “Which algorithm works best in which situation?” When you’re evaluating each approach, it’s a good idea to look at five areas: security, key size, performance, transmission size, and interoperability.
Security
Is one of the algorithms more secure than the others? There’s no truly objective answer. It depends on what you think is important.
ECC is based on the EC discrete log problem, which is “harder”; does this mean it’s more secure than RSA, which is based on factoring, or DH, which is based on the discrete log problem? Not necessarily.
Thousands of mathematicians have been studying the factoring problem for many years (most intently since 1978). Some of them think that if a solution could have been found, it would have been found by now. On the other hand, it took about 300 years to come up with a proof of Fermat’s Last Theorem, so maybe the ultimate factoring solution simply has not yet been found. Considering the enormous bank of research available to build on, finding a solution may become easier over time.
ECC is newer and less well understood. Far fewer researchers have been attacking it, and for a shorter time. Some people think that more time and effort are needed to develop a better sense of security. Furthermore, despite the “lag” in research, some classes of curves have been found to be susceptible to cryptanalysis. Of the many flavors of elliptic curves, not all of them are used in crypto. For some flavors, it was known early that they contained more weaknesses than others and that there were ways to break them faster than security requirements allowed. Such curves have never been proposed for use in crypto. Other flavors that were proposed for such use were later shown to possess weaknesses. All the weaknesses found so far lie in the F2 area. At this point, it’s believed that no application has ever been deployed in the real world with a weak EC. But because some curves have fallen, some cryptographers are not confident in F2 ECC, and others do not trust any curve at all—Fp or F2.
Some people prefer RSA because DH and ECDH are susceptible to the man-in-the-middle attack. In our sales rep example, the potential attacker is a woman in the middle, Satomi. She could intercept all messages between Pao-Chi and Gwen, establishing DH or ECDH keys with each of them. Pao-Chi would think he’s computing a shared secret key with Gwen but would really be computing one with Satomi. Similarly, Gwen would compute a shared secret key with Satomi, thinking she was talking with Pao-Chi. Then if Pao-Chi sent a message to Gwen, only Satomi would be able to decrypt it. She would decrypt it, store the message, reencrypt it with the key she established with Gwen, and send it on (see Figure 4-23). The man-in-the-middle attack is easily thwarted by using authentication along with the key exchange (Chapter 5 discusses authentication), and most protocols include authentication anyway. So for some people, this attack is no real disadvantage.
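The interception described above, and the way authentication stops it, as an added example that is not from the book. It uses a toy 127-bit modulus, and an HMAC under a pre-shared key stands in for the authentication that Chapter 5 covers; all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy parameters (constructed for this example): a 127-bit Mersenne prime.
# Far too small for real use; it only keeps the arithmetic readable.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    # Hash the DH shared secret down to a 256-bit session key.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def tag(auth_key, pub):
    # Assumption: an HMAC under a pre-shared key stands in for a signature.
    return hmac.new(auth_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()

def exchange(intercepted, auth_key=None):
    """One Pao-Chi <-> Gwen exchange; returns (pao_key, gwen_key, satomi_keys)."""
    pao_priv, pao_pub = keypair()
    gwen_priv, gwen_pub = keypair()
    sat_priv, sat_pub = keypair()

    def send(pub):
        t = tag(auth_key, pub) if auth_key else None
        # In transit Satomi swaps in her own value; she cannot recompute the tag.
        return (sat_pub if intercepted else pub), t

    def receive(priv, msg):
        pub, t = msg
        if auth_key and not hmac.compare_digest(t, tag(auth_key, pub)):
            return None  # authentication failed: abort, derive no key
        return session_key(priv, pub)

    pao_key = receive(pao_priv, send(gwen_pub))
    gwen_key = receive(gwen_priv, send(pao_pub))
    satomi_keys = (session_key(sat_priv, pao_pub), session_key(sat_priv, gwen_pub))
    return pao_key, gwen_key, satomi_keys

if __name__ == "__main__":
    for label, args in [("clean", (False,)), ("intercepted", (True,)),
                        ("intercepted + auth", (True, secrets.token_bytes(32)))]:
        pao, gwen, sat = exchange(*args)
        print(label, "| keys agree:", pao is not None and pao == gwen,
              "| Satomi holds both:", (pao, gwen) == sat)
```

Without authentication, each party ends up sharing a key with Satomi and with no one else; with the tag check, both sides reject the substituted value and derive no key at all.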
Another issue is each correspondent’s ability to contribute to the key. With RSA, only the initiator of the contact has any say in what the session key will be. With DH or ECDH, both parties contribute to generating the session key. Each correspondent performs some operations and sends the result to the other; the final secret depends on each individual’s contribution. For some people, this arrangement sounds better than trusting someone else entirely to generate a good key. For others, it’s not a great feature. After all, they argue, another party who would do a bad job of generating a session key probably wouldn’t do any better with the key exchange.
So, the choice of algorithm is a matter of your own feeling of security. At this time, no honest cryptographer can make a definitive statement about which algorithm is more secure.
Figure 4-23 The man-in-the-middle attack
Key Sizes
The bigger the key, the greater the level of security and the slower any public-key algorithm will run. You want the algorithm to run as fast as possible but maintain a particular level of security. The question is, how low can you go before you jeopardize security? The conventional wisdom is that a 1,024-bit RSA or DH key is equivalent in security to a 160-bit ECC key. There is a little contention on that issue, but research continues. In this book, when making comparisons, we look at 1,024-bit RSA or DH, and 160-bit ECC. With RSA, the modulus is made up of three primes; with DH, the private value is 160 bits.
In April 2000, RSA Labs published a paper that analyzed how long it would take to break the RSA algorithm at various key sizes if an attacker had $10 million to throw at the problem. Table 4-1 summarizes the research; the symmetric key and ECC key columns are there for comparison. With ECC, you could probably get the same results with smaller key sizes. However, the assumption in the report is that the public key algorithm should use a key size at least twice as long as the symmetric key (regardless of performance) for security reasons.
The table says that with $10 million, an attacker could buy 105 specially made computers to crack a 56-bit symmetric key, a 112-bit ECC key, or a 430-bit RSA key in a few minutes. Actually, that $10 million would probably buy more than 105 machines, but 105 is all it would take. With the same amount of money, at the next key level the attacker could buy 4,300 machines specially built to solve the problem; at the next key level, 114, and at the next level, 0.16.
Why does the money buy fewer machines as the key size increases? The reason is that the amount of required memory increases. The base computer is the same, but to break bigger keys, the attacker needs more memory (120 terabytes, or about 120 trillion bytes, in the case of a 1,620-bit RSA key), and buying memory would eat up the budget. In fact, the attacker will probably need more than $10 million to break a 1,620-bit RSA key because that amount of money would only buy 0.16, or about 1/6, of a machine.