Nikos Mavroyanopoulos | 4 Aug 2003 15:01

Re: Security of RSA params

On Fri, Jul 25, 2003 at 11:20:38AM -0400, Stephen Frost wrote:
> Greetings,

>   In the source code I see places where the RSA params are generated and
>   there are comments like "Only do this every day, or every 500 connects"
>   or similar.  I'd like to understand what the story with these params
>   is.  It seems they need to be regenerated every so often for the
>   system to not be compromised but exactly what would happen if they
>   were, and how hard is it for them to be?
The RSA parameters are only used in the so called "export ciphersuites".
Quoting RFC2246:

D.1. Temporary RSA keys

   US Export restrictions limit RSA keys used for encryption to 512
   bits, but do not place any limit on lengths of RSA keys used for
   signing operations. Certificates often need to be larger than 512
   bits, since 512-bit RSA keys are not secure enough for high-value
   transactions or for applications requiring long-term security. Some
   certificates are also designated signing-only, in which case they
   cannot be used for key exchange.

   When the public key in the certificate cannot be used for encryption,
   the server signs a temporary RSA key, which is then exchanged. In
   exportable applications, the temporary RSA key should be the maximum
   allowable length (i.e., 512 bits). Because 512-bit RSA keys are
   relatively insecure, they should be changed often. For typical
   electronic commerce applications, it is suggested that keys be
   changed daily or every 500 transactions, and more often if possible.
   Note that while it is acceptable to use the same temporary key for
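The regeneration policy the question asks about, together with the signed temporary-key exchange the RFC excerpt describes, as an added example in Python. This is not GnuTLS code and not from the thread: the class and function names (TempRSAKeyPool, server_key_exchange and so on) are this example's own. It assumes the thresholds RFC 2246 D.1 suggests (500 transactions or one day), a textbook 512-bit RSA key for the temporary parameters and a 1024-bit certificate key for signing them; the ServerKeyExchange digest (MD5 || SHA-1 over both hello randoms and ServerRSAParams) and the PKCS#1 block type 1 padding follow RFC 2246 7.4.3 and 4.7. The RSA routines are inlined only so the example runs offline.

```python
# Added illustration, not GnuTLS code: export-grade temporary RSA key rotation
# per RFC 2246 D.1 and the RSA-signed ServerKeyExchange of RFC 2246 7.4.3.
# RSA is textbook and inlined so the example runs offline; not for production.
import hashlib
import random
import time

MAX_USES = 500           # RFC 2246 D.1: "every 500 transactions"
MAX_AGE_SECONDS = 86400  # RFC 2246 D.1: "daily"
_RNG = random.SystemRandom()

def is_probable_prime(n, rounds=32):
    """Miller-Rabin for an odd n > 3 (callers only pass large candidates)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Odd prime with its top two bits set, so p*q has exactly 2*bits bits."""
    while True:
        c = _RNG.getrandbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(c):
            return c

def generate_rsa(bits, e=65537):
    """Textbook RSA key as (n, e, d)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e must be invertible mod phi
            return (p * q, e, pow(e, -1, phi))

class TempRSAKeyPool:
    """One short-lived 512-bit export key, regenerated when the use or age
    budget is spent.  `clock` is injectable so tests need not wait a day."""

    def __init__(self, max_uses=MAX_USES, max_age=MAX_AGE_SECONDS, clock=time.time):
        self.max_uses, self.max_age, self.clock = max_uses, max_age, clock
        self.generations = 0
        self._rotate()

    def _rotate(self):
        self.key = generate_rsa(512)  # the export limit quoted in RFC 2246 D.1
        self.created, self.uses = self.clock(), 0
        self.generations += 1

    def current(self):
        """Key for one handshake; rotates first if over budget."""
        if self.uses >= self.max_uses or self.clock() - self.created >= self.max_age:
            self._rotate()
        self.uses += 1
        return self.key

def encode_server_rsa_params(n, e):
    """ServerRSAParams: rsa_modulus and rsa_exponent, each opaque<1..2^16-1>."""
    out = b""
    for x in (n, e):
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        out += len(b).to_bytes(2, "big") + b
    return out

def signed_params_digest(client_random, server_random, params):
    """RFC 2246 7.4.3: MD5 || SHA-1 over both hello randoms and the params."""
    data = client_random + server_random + params
    return hashlib.md5(data).digest() + hashlib.sha1(data).digest()

def _pkcs1_block(n, digest):
    """PKCS#1 v1.5 block type 1 sized to n; RFC 2246 4.7 adds no DigestInfo."""
    k = (n.bit_length() + 7) // 8
    return k, b"\x00\x01" + b"\xff" * (k - 3 - len(digest)) + b"\x00" + digest

def rsa_sign(priv, digest):
    n, _, d = priv
    k, block = _pkcs1_block(n, digest)
    return pow(int.from_bytes(block, "big"), d, n).to_bytes(k, "big")

def rsa_verify(pub, digest, sig):
    n, e = pub[0], pub[1]
    k, block = _pkcs1_block(n, digest)
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == block

def server_key_exchange(pool, cert_key, client_random, server_random):
    """Server side: hand out the current temp key, signed by the certificate key."""
    n, e, _ = pool.current()
    params = encode_server_rsa_params(n, e)
    return params, rsa_sign(cert_key, signed_params_digest(client_random, server_random, params))
```

The pool's use counter is the "every 500 connects" rule from the source comments and the age check is the "daily" rule; whichever trips first forces a fresh 512-bit key, so a factored temporary key exposes at most one budget's worth of sessions. The certificate key never encrypts anything, it only signs the temporary parameters, which is exactly the signing-only arrangement the RFC text describes. A client checks the signature with rsa_verify over the same digest before using the temporary modulus for key exchange.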