There is a rumor of RSA being broken. By which I mean something that looks like a strange hoax made it to the front on Hacker News. Someone uploaded a publicly available WIP paper on integer factorization algorithms by Claus Peter Schnorr to the Cryptology ePrint Archive, with the abstract modified to insert the text “This destroyes the RSA cryptosystem.” (Misspelled.)
Today is not the Recurring Internet Security Meltdown Day. That happens once every month or two, but not today in particular.
But this is a good opportunity to point out a non-obvious best practice around cryptographic key-sizes, which is this: Whatever key size is accepted as the standard, you want your SSH keys and your PGP keys to be one size bigger, so that if a gradually rising tide of mathematical advances causes a cryptography meltdown, you won’t be caught in the wave where everyone else gets pwned at once.
So I recommend making sure, if you’re using RSA for your SSH keys, that they are 4096-bit (as opposed to the current ssh-keygen default of 3072-bit).
While this sounds cool, what sort of activities are you thinking you need to encrypt? Consider the mechanisms for how information leaks.
a. Are you planning or coordinating illegal acts? The way you get caught is one of your co-conspirators reported you.
b. Are you protecting your credit card and other financial info? The way it leaks is a third party handler, not your own machine.
c. Protecting trade secrets? The way it gets leaked is one of your coworkers copied the info and brought it to a competitor.
d. Protecting crypto? Use an offline wallet. Too much protection and you will have the opposite problem.
Countless people—probably a substantial fraction of the entire population, maybe the majority—all their credit and identity records were leaked in various breaches. They have easily hackable webcams exposed on the internet. Skimmers trap their credit card periodically. And...nothing major happens to them.
There is a rumor of RSA being broken. By which I mean something that looks like a strange hoax made it to the front on Hacker News. Someone uploaded a publicly available WIP paper on integer factorization algorithms by Claus Peter Schnorr to the Cryptology ePrint Archive, with the abstract modified to insert the text “This destroyes the RSA cryptosystem.” (Misspelled.)
Today is not the Recurring Internet Security Meltdown Day. That happens once every month or two, but not today in particular.
But this is a good opportunity to point out a non-obvious best practice around cryptographic key-sizes, which is this: Whatever key size is accepted as the standard, you want your SSH keys and your PGP keys to be one size bigger, so that if a gradually rising tide of mathematical advances causes a cryptography meltdown, you won’t be caught in the wave where everyone else gets pwned at once.
So I recommend making sure, if you’re using RSA for your SSH keys, that they are 4096-bit (as opposed to the current ssh-keygen default of 3072-bit).
While this sounds cool, what sort of activities are you thinking you need to encrypt? Consider the mechanisms for how information leaks.
a. Are you planning or coordinating illegal acts? The way you get caught is one of your co-conspirators reported you.
b. Are you protecting your credit card and other financial info? The way it leaks is a third party handler, not your own machine.
c. Protecting trade secrets? The way it gets leaked is one of your coworkers copied the info and brought it to a competitor.
d. Protecting crypto? Use an offline wallet. Too much protection and you will have the opposite problem.
Countless people—probably a substantial fraction of the entire population, maybe the majority—all their credit and identity records were leaked in various breaches. They have easily hackable webcams exposed on the internet. Skimmers trap their credit card periodically. And...nothing major happens to them.