Opened 4 years ago

Closed 4 years ago

#17748 closed defect (invalid)

Is RSA-1024 secure enough to be used to identify HS

Reported by: cypherpunks
Owned by:
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: tor-hs
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Is there any threat of breaking it and making MiTM?

Change History (4)

comment:1 Changed 4 years ago by teor

Component: - Select a component → Tor
Keywords: tor-hs added

I don't know the exact answer to your question - it very likely depends on your threat model.
(In particular, the computing power an adversary is willing to devote to breaking an RSA 1024 key.)

Tor is moving to elliptic curve (ed25519) keys for relays and authorities as of the newly released 0.2.7.5.

We're hoping to work on moving hidden services to ed25519 keys in 2016.

comment:2 Changed 4 years ago by cypherpunks

comment:3 Changed 4 years ago by teor

I'm not sure if raising a ticket is the best way to get answers to these kinds of questions: overall, if we're using a cryptographic primitive in Tor, we believe it's secure enough, or we're making plans to transition away from it.

As far as ECC is concerned:

It depends on the curve, the implementation, and the threat model.

You may find the following comparison of different ECC schemes helpful:
http://safecurves.cr.yp.to/

It's worth noting that ed25519 fulfils all the criteria listed on the site.

comment:4 in reply to:  3 Changed 4 years ago by yawning

Resolution: invalid
Status: new → closed

Replying to teor:

I'm not sure if raising a ticket is the best way to get answers to these kinds of questions

This is not a forum, nor a Q&A board, closing since we have tickets open for the prop 224 work already.
