[ksk-rollover] Stand-by KSK for algorithm rollover

Michael StJohns msj at nthpermutation.com
Thu Apr 11 00:23:52 UTC 2019

On 4/10/2019 1:17 PM, Fred Baker wrote:
>> On Apr 10, 2019, at 3:31 AM, Davey Song(宋林健) <ljsong at biigroup.cn> wrote:
>> I noticed that no stand-by KSK is pre-published in 2017-ksk rollover, right? I put it due to the limitation of size of DNS response. Any other concerns on stand-by KSK in real production network?
> Besides the fact that publishing a secondary or future key gives a potential attacker that much longer to crack it? That is essentially the same as pre-publishing other keys, which has been discussed in some detail on this list.

Hi Fred -

Discussed and basically debunked.  (I'm still trying to figure out who 
introduced this argument in the first place - it's a really unusual claim).

The current keys are 2048 bit RSA keys.  To find the private key to be 
able to form a signature, you need to be able to factor the 2048 bit 
public key into two primes.   Right now the current thinking is mostly 
either it will take a long time to do the factorization, or the scheme 
itself (not the key) will be broken (e.g. via quantum computing attacks 
on the math) and no 2048 bit RSA key will ever be viable again.  There 
are some other attacks, but those are generally on the place or device 
in which the private key itself is stored (e.g. DPA, Mission Impossible 
style, etc).

Next - if we're rolling the active key every year or so over to the 
stand by key, then you've got at most an additional year to crack the 
stand by key.  E.g. call it a 2 year life span for the key from 
generation to revocation.  If you know of an attack that can recover an 
RSA 2048 bit private key in two years - let me in on it.

The viable attacks will mostly be on the active key and probably involve 
social engineering or hardware hacking and B&E.  E.g. it's going to be a 
lot cheaper and more fulfilling to attempt to attack the active private 
key rather than the stand by public key.

Basically - https://en.wikipedia.org/wiki/RSA_Factoring_Challenge is a 
reasonable indication of the problem set and risk.  Given that 
conventional computing still hasn't factored 1024, I think we're good 
for a long while on 2048.   Quantum may eventually change this.  If it 
does, it could break the existing root and any other trust anchor of 
similar size roughly at the same time.

Let me put it another way.  RSA 2048 bit is used for managing key 
material used to move $$$$ around.  Have we heard of any attacks where 
money was stolen due to being able to "crack" an RSA key?

So no - that's really not a reason not to generate and publish a stand 
by public key.  Preventing the stand-by private key from fate sharing 
with the active private key - that may be a reasonable argument (e.g. 
too costly/painful/unwieldy/insecure to secure them separately), but 
that's fixable.

Later, Mike

> _______________________________________________
> ksk-rollover mailing list
> ksk-rollover at icann.org
> https://mm.icann.org/mailman/listinfo/ksk-rollover

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190410/e1d1a83f/attachment.html>

More information about the ksk-rollover mailing list