<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 4/10/2019 1:17 PM, Fred Baker wrote:<br>
</div>
<blockquote type="cite"
cite="mid:3C566F3E-433B-4CE9-9551-0F04F67147A5@isc.org">
<pre class="moz-quote-pre" wrap="">
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On Apr 10, 2019, at 3:31 AM, Davey Song(宋林健) <a class="moz-txt-link-rfc2396E" href="mailto:ljsong@biigroup.cn">&lt;ljsong@biigroup.cn&gt;</a> wrote:
I noticed that no stand-by KSK is pre-published in 2017-ksk rollover, right? I put it due to the limitation of size of DNS response. Any other concerns on stand-by KSK in real production network?
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Besides the fact that publishing a secondary or future key gives a potential attacker that much longer to crack it? That is essentially the same as pre-publishing other keys, which has been discussed in some detail on this list.</pre>
</blockquote>
<p>Hi Fred - <br>
</p>
<p>Discussed and basically debunked. (I'm still trying to figure
out who introduced this argument in the first place - it's a
really unusual claim).<br>
</p>
<p> The current keys are 2048 bit RSA keys. To find the private key
to be able to form a signature, you need to be able to factor the
2048 bit public key into two primes. Right now the current
thinking is mostly either it will take a long time to do the
factorization, or the scheme itself (not the key) will be broken
(e.g. via quantum computing attacks on the math) and no 2048 bit
RSA key will ever be viable again. There are some other attacks,
but those are generally on the place or device in which the
private key itself is stored (e.g. DPA, Mission Impossible style,
etc).</p>
<p>Next - if we're rolling the active key every year or so over to
the stand by key, then you've got at most an additional year to
crack the stand by key. E.g. call it a 2 year life span for the
key from generation to revocation. If you know of an attack that
can recover an RSA 2048 bit private key in two years - let me in
on it. <br>
</p>
<p>The viable attacks will mostly be on the active key and probably
involve social engineering or hardware hacking and B&amp;E. E.g.
it's going to be a lot cheaper and more fulfilling to attempt to
attack the active private key rather than the stand by public key.
<br>
</p>
<p>Basically - <a class="moz-txt-link-freetext" href="https://en.wikipedia.org/wiki/RSA_Factoring_Challenge">https://en.wikipedia.org/wiki/RSA_Factoring_Challenge</a>
is a reasonable indication of the problem set and risk. Given
that conventional computing still hasn't factored 1024, I think
we're good for a long while on 2048. Quantum may eventually
change this. If it does, it could break the existing root and any
other trust anchor of similar size roughly at the same time.</p>
<p>Let me put it another way. RSA 2048 bit is used for managing key
material used to move $$$$ around. Have we heard of any attacks
where money was stolen due to being able to "crack" an RSA key?</p>
<p>So no - that's really not a reason not to generate and publish a
stand by public key. Preventing the stand-by private key from
fate sharing with the active private key - that may be a
reasonable argument (e.g. too costly/painful/unwieldy/insecure to
secure them separately), but that's fixable.<br>
</p>
<p>Later, Mike<br>
</p>
</body>
</html>