No crisis over 1,024-bit encryption

Security firm RSA has hit back at cryptography experts' claims that 1,024-bit encryption is no longer secure.

A discussion on security mailing list Bugtraq at the end of March concluded that 1,024-bit encryption was "compromised", but RSA is now claiming that the situation has been misinterpreted.

At the Financial Cryptography conference in March the main topic of discussion was a paper published last October by cryptographer Dan Bernstein which proposed an architecture capable of factoring 1,024-bit RSA keys.

Based on this proposal, the experts suggested that such a device could be built by an agency with good resources - the National Security Agency, for example - for less than $1bn.

But Burt Kaliski, director of RSA Laboratories, insisted that such estimates were done quickly and proved to be inaccurate by a significant factor.

"The Bernstein paper was also misinterpreted, because it is highly theoretical and not practical," he said. "Bernstein himself has been very conservative in his claims."

Kaliski explained that the architectural proposals didn't offer much more than what was already available, and that encryption is still in the same position as it was before the debate kicked off.

He said that, based on estimations, "a well funded agency could build a machine capable of breaking strong encryption by the end of the decade".

But at the cost, it is likely that decryption machines will only be built if they offer the best return on investment, added Kaliski. "If it works out better than bribery, for example, then a machine will be built," he said.

1,024-bit is still adequate protection for the average user but, if they do want to use a larger key, vendors are gradually moving along to stronger encryption.

"Lots of people support 1,024-bit," stated Kaliski. "It'll be good for a few years yet. There's no crisis."

He said that, with encryption export conditions from the US being relaxed, he saw the industry legitimising the practice of stronger encryption.