Re: RSA and Quantum

Introducing a hardware dependency that existing protocols will be made to require simply won't happen.

It's the Clipper chip all over again. Pushback against another Brave New Crypto Future will be... well, more like complete indifference to it, really.

Lloyd Wood 
lloyd.wood@xxxxxxxxxxx

Speaking of hardware dependencies, I'm still working on being indifferent about DTN mandating clocks.

> On 18 Jul 2024, at 07:11, Dr. Neal Krawetz <ietf=40hackerfactor.com@xxxxxxxxxxxxxx> wrote:
> 
> Hi folks,
> 
> TL;DR: Is anyone working on the "RSA will be deprecated, making DKIM and other protocols broken" issue?
> 
> Longer description of the problem:
> 
> The talk in the crypto community is that RSA will become deprecated when quantum crypto becomes accepted as a standard.
> This could be in a year or a decade, but it's coming.  (Not "if", only "when".)
> 
> When this happens, a lot of standards rely on RSA and they will need to update.
> 
> I'm currently looking at DKIM (for email; RFC 6376).
> DKIM uses RSA for signing emails.
> DKIM uses DNS to host the public keys.
> 
> The problems:
> 
>  - Quantum keys are expected to be much larger than RSA keys.
> 
>  - DNS TXT values are limited to 255 characters.
>    RSA-1024 encoded as base64 = 172 bytes. That fits, but RSA-1024 is "weak" even by today's standards.
>    RSA-2048 does not fit in the 255 character limit and needs to be separated into multiple TXT values.
>    Quantum keys are expected to be much larger.
> 
>  - Most DNS requests still use UDP.
>    That typically limits the minimum unfragmented payload to 512 or 576 bytes (to be safe).
>    The unsafe size (including fragmentation) can be 65507 bytes (over IPv4) and a little smaller over IPv6.
>    But the second we talk about UDP fragmentation, we hit delivery nightmares that won't be ideal for DNS-based authentication.
>    (I think I have the numbers right, but I didn't double-check so feel free to correct me.)
> 
> Possible solutions?
> 
>  - Hope that DNS-over-TCP or DNS-over-QUIC (or anything else "not UDP") catches on before quantum becomes a standard.
> 
>  - Increase the minimum UDP size and hope it is big enough to hold a quantum key without fragmentation.
>    This goes along with increasing the "default" ethernet MTU to something larger than 1500.
> 
>  - Rely on some other distributed system for hosting DKIM keys. (Does any other global distributed system exist besides DNS? Don't say "blockchain".)
> 
> I guess my main question is:
> Is anyone working on this problem?
> Either for DKIM or for protocols in general?
> 
>                    -Neal
> --
> Neal Krawetz, Ph.D.
> Hacker Factor Solutions
> https://hackerfactor.com/
> 
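
The two size limits raised in the quoted message (255-byte TXT strings and the 512-byte classic UDP payload), worked through as an added example that is not code from either poster. The selector name, the all-zero key bytes, the sample key lengths and the `xxx` key type are constructed assumptions, and the response estimate assumes a single answer with no EDNS OPT record.

```python
import base64

TXT_STRING_MAX = 255   # one DNS <character-string> holds at most 255 bytes (RFC 1035)
CLASSIC_UDP_MAX = 512  # DNS message limit over UDP without EDNS(0) (RFC 1035)

def dkim_record(key_bytes, key_type="rsa"):
    """Build the DKIM TXT value (RFC 6376 tag list) for a raw public key."""
    p = base64.b64encode(key_bytes).decode("ascii")
    return f"v=DKIM1; k={key_type}; p={p}"

def split_txt(record):
    """Split a TXT value into the <=255-byte strings DNS requires."""
    data = record.encode("ascii")
    return [data[i:i + TXT_STRING_MAX] for i in range(0, len(data), TXT_STRING_MAX)]

def response_size(owner_name, strings):
    """Estimate the wire size of a minimal response carrying one TXT record.

    Assumes: one question, one answer, name compression in the answer,
    no EDNS OPT record, no authority/additional sections.
    """
    labels = owner_name.rstrip(".").split(".")
    qname = sum(1 + len(label) for label in labels) + 1   # length bytes + root
    rdata = sum(1 + len(s) for s in strings)              # length byte per string
    header, question = 12, qname + 4                      # QTYPE + QCLASS
    answer = 2 + 2 + 2 + 4 + 2 + rdata                    # ptr, TYPE, CLASS, TTL, RDLENGTH
    return header + question + answer

def assess(owner_name, key_len, key_type="rsa"):
    """Report how a key of key_len bytes fares against both limits."""
    strings = split_txt(dkim_record(bytes(key_len), key_type))  # constructed all-zero key
    size = response_size(owner_name, strings)
    return {"txt_strings": len(strings), "response_bytes": size,
            "fits_classic_udp": size <= CLASSIC_UDP_MAX}

if __name__ == "__main__":
    name = "sel._domainkey.example.com"   # constructed selector and domain
    # 128 bytes -> 172 base64 chars (the figure in the message); 294 bytes is a
    # typical RSA-2048 SubjectPublicKeyInfo; 1312 bytes is a sample larger key
    # with "xxx" as a placeholder key type, not a registered DKIM value.
    for key_len, key_type in [(128, "rsa"), (294, "rsa"), (1312, "xxx")]:
        print(key_len, assess(name, key_len, key_type))
```
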




