[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RSA key sizes

To: another <lists.tarsnap@deadcode.eu>, tarsnap-users@tarsnap.com
Subject: Re: RSA key sizes
From: Colin Percival <cperciva@tarsnap.com>
Date: Mon, 25 Aug 2014 01:12:59 -0700
In-reply-to: <30d6495699be8f00c0c8c9e86602c10c@deadcode.eu>
References: <30d6495699be8f00c0c8c9e86602c10c@deadcode.eu>

On 08/25/14 01:05, another wrote:
> so as an online backup for the truly paranoid, I'm kinda missing bigger RSA keys.
> I couldn't find anything on the manpages nor on a quick check of the source.
> Are there plans to implement this?

No.

> Are there specific reasons why it isn't implemented?

On 2048-bit RSA, attacks on implementations (e.g., side channels) are far easier
than mathematical attacks (aka. factoring).  Larger RSA sizes make side channel
attacks easier by slowing down the process and reducing the bandwidth required
for measurements.

In my opinion, 2048-bit RSA is the safest key length available, and the modus
operandi for Tarsnap from the start has been "I know crypto, so let me pick the
right tools for you to use".

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid

References:
- RSA key sizes
  - From: another <lists.tarsnap@deadcode.eu>

Prev by Date: RSA key sizes
Next by Date: Unique files
Previous by thread: RSA key sizes
Next by thread: Unique files
Index(es):
- Date
- Thread