Re: MD5 is insecure


nanog mailing list archives


From: Dorn Hetzel via NANOG <nanog () lists nanog org>
Date: Thu, 4 Sep 2025 18:13:20 -0400

I still moved to RSA-8192 bit keys over five years ago, and would have gone
further but that's the largest some things support.

For internal things where I can decide what to support, mostly 65536 and a
few 131072 bit keys, because even quantum computers are going to have a
rough ride with those :)

Ginormous RSA keys are kind of even their own inherent proof-of-work if you
want to have identities that are costly to make, without having to have any
actual infrastructure to support them; it's not hard to choose a key size
that represents at least a CPU-month or even a year's worth of work.


On Thu, Sep 4, 2025 at 5:15 PM Tom Beecher via NANOG <nanog () lists nanog org>
wrote:


RSA-768 was successfully factored / private key derived from public key in
2009. The highest successful one before RSA shut down the RSA factoring
challenge.


Yes, impractical was the right word there, not impossible.




On Thu, Sep 4, 2025 at 4:15 PM Gary Sparkes <gary () kisaracorporation com>
wrote:

<snip>

The bedrock principle of public key cryptography is that it is impossible
to re-create a private key while only having the public key. This is not
"mathematically hard"; it is currently considered mathematically
IMPOSSIBLE. And until such a time as a quantum computer can do it, it
remains impossible.

One issue here - it's possible, but computationally expensive.
Exponentially more so as key size increases.

RSA-768 was successfully factored / private key derived from public key in
2009. The highest successful one before RSA shut down the RSA factoring
challenge.

It's a matter of time/computer resources, not outright impossible. That
was almost 16 years ago.

https://eprint.iacr.org/2010/006 &

https://arstechnica.com/information-technology/2010/01/768-bit-rsa-cracked-1024-bit-safe-for-now/

Whereas time estimates scale up exponentially as key length increases,
with classical computers it is a "solved" problem for this algorithm,
but a computationally expensive one.

1024 should be feasible these days in a "reasonable" timeframe - the 2009
RSA-768 took approximately 2 years months of real-time processing across
a sizable cluster (80 processors). We can obviously scale much further now.

4096 is still in the realm of geological or universe-scale timeframes for
classical computing, however.

===========




On Thu, Sep 4, 2025 at 12:16 PM Dan Mahoney <danm () prime gushi org>
wrote:



On Sep 4, 2025, at 05:21, Tom Beecher <beecher () beecher cc> wrote:

Dan-

The main concern I have with your post, and the reason I have been so
vocal in these messages, centers around the following:

Or you might consider just going back to using inline passwords and
consider Cisco’s ssh implementation a failure at launch — at least the
“secret” hashing algorithms are salted, but on older kit, it’s also
still md5.

It's absolutely fair to criticize their implementation in its current
form. I could see it making sense 20 years ago, but they've had time
to iterate and improve on it, and should have.

However, Cisco's implementation is not vulnerable to any currently known
exploits, and no theoretical attack vectors seem to apply either.

The fact that you make a recommendation for readers to *stop using
public key SSH auth* because of that is, respectfully, absolutely
irresponsible. Someone, somewhere is going to read this, and follow
this advice, making their device LESS secure, and for no good reason.
We don't tell people that current cryptography might eventually
someday be vulnerable to quantum computers, so stop using cryptography
completely.
You are doing that here, by saying "This might be exploitable some
day, so don't use it."  Everything MIGHT be exploitable some day,
that's how it goes.

Tom,

You see those things on either side of the words “stop using public
key SSH auth”?  Those are called quotation marks, and they mean, in
this context, that you are directly citing my words, to the larger
group.

Except that those words, in that order, appear nowhere in my article,
which hasn’t changed at all, except for one typo which I’ve since
corrected.

I make no such recommendation.  My usage of the words “you might” is
not a recommendation, it’s a statement that people may do their own
research and carefully consider how they put an older device online,
if at all.  Where you’ve cited me bashing md5, I am referring to its
crypt() implementation, also used in Cisco type 5 secrets, matching my
recommendations with that of the NSA.  If anything, I’ll happily
suggest that the best answer for an EOL or near-EOL device is “just
use a serial cable”.

But back to your quote.

I believe that you’re seeing words that literally aren’t on the page,
and are citing them to a public mailing list, claiming they’re mine.

This is not ok.

-Dan


_______________________________________________
NANOG mailing list


https://lists.nanog.org/archives/list/nanog () lists nanog org/message/FRQXA3TFDLTHZ2T7I7T2B2SMA6TLMJDG/

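As an added illustration of the scaling argument in Gary's and Tom's quoted messages above (this is not code from any of the posters): the heuristic GNFS running time L_N[1/3, (64/9)^(1/3)] gives order-of-magnitude ratios between factoring efforts at different RSA modulus sizes, relative to the RSA-768 record. The baseline core-years and cluster size are hypothetical parameters, not figures from the thread.

```python
import math

# Heuristic GNFS running time L_N[1/3, c] = exp(c * (ln N)^(1/3) * (ln ln N)^(2/3))
# with c = (64/9)^(1/3). Only the asymptotic form is used: the o(1) term and all
# real-world constants (sieving code, memory, linear algebra) are ignored, so the
# results are order-of-magnitude ratios, not predictions.
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)


def gnfs_log_effort(bits: int) -> float:
    """Natural log of the heuristic GNFS effort for an RSA modulus of `bits` bits."""
    ln_n = bits * math.log(2.0)        # ln N for N on the order of 2^bits
    ln_ln_n = math.log(ln_n)
    return GNFS_C * ln_n ** (1.0 / 3.0) * ln_ln_n ** (2.0 / 3.0)


def effort_ratio(bits: int, ref_bits: int = 768) -> float:
    """How many times more work than a `ref_bits` modulus (default: the RSA-768 record)."""
    return math.exp(gnfs_log_effort(bits) - gnfs_log_effort(ref_bits))


def extrapolated_wall_years(bits: int, ref_core_years: float, cores: int,
                            ref_bits: int = 768) -> float:
    """Wall-clock years to factor `bits` on `cores` cores, scaled from an assumed
    `ref_core_years` of work for the `ref_bits` reference (hypothetical inputs)."""
    return ref_core_years * effort_ratio(bits, ref_bits) / cores


if __name__ == "__main__":
    # Hypothetical baseline: 2000 core-years for RSA-768, spread over a 100k-core
    # cluster. These are placeholders for the reader to replace, not measured data.
    baseline_core_years, cluster_cores = 2000.0, 100_000
    print(f"{'bits':>5} {'x RSA-768':>12} {'wall years':>14}")
    for key_bits in (768, 1024, 2048, 4096):
        ratio = effort_ratio(key_bits)
        years = extrapolated_wall_years(key_bits, baseline_core_years, cluster_cores)
        print(f"{key_bits:>5} {ratio:>12.3g} {years:>14.3g}")
```

Under this heuristic, 1024-bit moduli sit roughly three orders of magnitude beyond RSA-768 while 4096-bit moduli sit more than twenty, which is the gap the thread describes between "feasible" and "geological".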
