From: Phil Karn <karn@qualcomm.com>
Date: Wed, 6 Apr 94 13:28:56 PDT
To: montgo@nws.globe.com
Subject: Reporting the RSA129 story
In-Reply-To: <0097C8C836433E60.27615C99@globe.com>
Message-ID: <199404062027.NAA28564@servo.qualcomm.com>
MIME-Version: 1.0
Content-Type: text/plain


When you write your story, *please* help correct what already seems to
be a widespread misconception by emphasizing that solving RSA129 does
*not* mean that the RSA public key cryptosystem has been "broken". It
only means that one *particular* and relatively short RSA key, chosen
long ago for test purposes, has been broken by brute computational
force.

An equally intensive effort would have to be mounted from scratch to
break any other RSA key of the same length; this is why it's good
practice to change "real" keys from time to time.

And, of course, the longer the RSA key, the more work it is to
crack. Barring major breakthroughs in the underlying algorithms for
attacking RSA, which have not occurred, a sufficiently long key (e.g.,
1024 bits) will be secure for quite some time even with present trends
in brute-force computer power.

The real importance of the RSA129 effort is that it provides a new
experimental "data point" on the security of a particular key length.
This is a good example of the seemingly paradoxical principle that
publishing the design of a cryptographic system and inviting attacks
by all comers can actually help to strengthen it in actual use.

This is in sharp contrast to, say, Clipper/Skipjack, where the NSA
classifies the algorithm and says "trust us, it's secure". The NSA may
believe that it's secure. It may even *be* secure (except, of course
for the gaping front door of key escrow). But without a sustained,
long-term public review there's no way to know if they missed
something.

Phil