X
Home & Office

No-one dies as researchers crack 768-bit RSA encryption

Spotted an interesting report recently stating that 768-bit RSA encryption has been broken. Specifically, what researchers have done is factorised a 768=bit 232-digit number using a number field sieve.
Written by Manek Dubash, Contributor

Spotted an interesting report recently stating that 768-bit RSA encryption has been broken. Specifically, what researchers have done is factorised a 768=bit 232-digit number using a number field sieve. The bar has just been raised.

The report quotes from a white paper written by researchers in which they conclude that "The overall effort [to crack 768-bit encryption] is sufficiently low that even for short-term protection of data of little value, 768-bit RSA moduli can no longer be recommended."

However, it's not as bad as it sounds. Research suggests that most organisations are using 1024-bit RSA encryption and above, with some using 4096-bit encryption and 2048-bit encryption now the default. Just as well, as the white paper suggests that 1024-bit encryption be phased out "within the next three to four years", as security expert Bruce Schneier argued three years ago.

This slightly aged article explains more, though I think he's wrong when he talks about how long it takes to crack 512-bit RSA, as the recent white paper shows that 768-bit was cracked, not by brute force but using smarter algorithms. What's more it took an cluster of hundreds of PCs two years to do the job.

RSA methodology is mainly used for public key transactions for data in transit. When you make a credit card transaction over SSL, it's probably using 1024-bit RSA encryption, for example.

Generally speaking, RSA is not used for bulk storage of static data. This means that your bank is probably storing your information in a manner that's technologically secure - insofar as the encryption it uses to keep that data on its hard disks is currently impossible to crack. This doesn't of course mean that your data can't be acquired using other methods, as is now well-known.

Of course, none of this will stop security vendors popping out of the woodwork, demanding that you pay attention to their high-powered security systems - I've already seen two press releases - but don't be spooked...

Editorial standards