Posted to dev@shindig.apache.org by Yoichiro Tanaka <yo...@eisbahn.jp> on 2010/03/17 09:56:42 UTC

The modulus bit length of the key for a signed request

Hi there,

I'm in charge of the mixi platform, which supports OpenSocial, in Japan. Our
platform has already been running for one year. Therefore, a signed
request has been supported on this platform, and the key for signing
will expire next month.

When I generated the key, the modulus length of the key was 1024 bits.
But I heard recently that this length is short and dangerous. I think
that we should use 2048 bits. However, if we use this length and sign
each request, I'm afraid that some libraries for OAuth can't use the
key and can't validate the request...

The bit length doesn't depend on the process of OAuth libs, right?
And, if you are in any containers, how long is the key you
are using?

Thanks,
-Yoichiro (mixi, Inc.)

Re: The modulus bit length of the key for a signed request

Posted by Yoichiro Tanaka <yo...@gmail.com>.
Hi Paul,

I see. We are not sure that the latency for our server with 2048 will be
reasonable. At least, our key will be out of date, and I think that we
should choose 1024 this time.

Thank you for your advice.
-Yoichiro


On Thu, Mar 18, 2010 at 4:31 AM, Paul Lindner <li...@inuus.com> wrote:
> If you renew keys yearly 1024 is probably fine.  Next year you might go for
> 2048 depending on the state of prime number factoring available.
>
> The section "Integer factorization and RSA problem" covers this topic:
> http://en.wikipedia.org/wiki/RSA
>



-- 
Yoichiro Tanaka
Email: yoichiro@eisbahn.jp
Blog: http://www.eisbahn.jp/yoichiro
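
The question above (does the modulus length matter to an OAuth library?) and the latency concern in the reply can both be checked with a short program. This is an added example, not code from the thread or from Shindig; it assumes the OAuth RSA-SHA1 signature method (RSASSA-PKCS1-v1_5 with SHA-1), uses only the Go standard library, and signs a constructed base string.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"fmt"
	"time"
)

// Constructed OAuth signature base string (sample values, not from the thread).
const baseString = "GET&http%3A%2F%2Fapp.example%2Fdata&oauth_consumer_key%3Dcontainer.example%26opensocial_viewer_id%3D42"
type Result struct {
	ModulusBits, SigBytes int
	Verified              bool
	AvgSign               time.Duration
}

// Verify is the consumer side: same code for every key size, the modulus comes from the key.
func Verify(pub *rsa.PublicKey, base string, sig []byte) bool {
	digest := sha1.Sum([]byte(base))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) == nil
}

// RoundTrip generates a key, signs baseString `rounds` times (rounds >= 1) and verifies it.
func RoundTrip(bits, rounds int) (Result, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return Result{}, err
	}
	digest := sha1.Sum([]byte(baseString))
	var sig []byte
	start := time.Now()
	for i := 0; i < rounds; i++ {
		if sig, err = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:]); err != nil {
			return Result{}, err
		}
	}
	avg := time.Since(start) / time.Duration(rounds)
	return Result{key.N.BitLen(), len(sig), Verify(&key.PublicKey, baseString, sig), avg}, nil
}

func main() {
	for _, bits := range []int{1024, 2048} {
		r, err := RoundTrip(bits, 50)
		fmt.Printf("%+v err=%v\n", r, err)
	}
}
```

The only size-dependent value a consumer sees is the signature length (128 bytes for 1024 bits, 256 bytes for 2048 bits), so fixed-size buffers or column widths on the consumer side are the thing to check before switching; `AvgSign` gives the per-request signing cost on the container's own hardware.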

Re: The modulus bit length of the key for a signed request

Posted by Paul Lindner <li...@inuus.com>.
If you renew keys yearly 1024 is probably fine.  Next year you might go for
2048 depending on the state of prime number factoring available.

The section "Integer factorization and RSA problem" covers this topic:
http://en.wikipedia.org/wiki/RSA

On Wed, Mar 17, 2010 at 3:32 AM, Yoichiro Tanaka <yo...@gmail.com> wrote:

> Hi Jacky,
>
> We found the following sources:
>
>
> http://csrc.nist.gov/publications/drafts/800-131/draft-800-131_transition-paper.pdf
> See Table 6 in the section "6 Key Agreement and Key Transport Using RSA".
>
>
> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
> See Table 4 in the section "5.6.2 Defining Appropriate Algorithm Suites".
>
> Of course, these documents were written about the system for
> "government". However, they can be referred to and applied to social
> networking services and so on, I guess...
>
> Thanks,
> -Yoichiro

Re: The modulus bit length of the key for a signed request

Posted by Yoichiro Tanaka <yo...@gmail.com>.
Hi Jacky,

We found the following sources:

http://csrc.nist.gov/publications/drafts/800-131/draft-800-131_transition-paper.pdf
See Table 6 in the section "6 Key Agreement and Key Transport Using RSA".

http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
See Table 4 in the section "5.6.2 Defining Appropriate Algorithm Suites".

Of course, these documents were written about the system for
"government". However, they can be referred to and applied to social
networking services and so on, I guess...

Thanks,
-Yoichiro


On Wed, Mar 17, 2010 at 6:02 PM, Jacky Wang (王超) <ch...@google.com> wrote:
> Hi Yoichiro,
>
> As mentioned in your mail that "... this length is short and dangerous. I
> think that we should use 2048 bit."  Could you share with us the source as
> well?
>
> Thanks,
> Jacky



-- 
Yoichiro Tanaka
Email: yoichiro@eisbahn.jp
Blog: http://www.eisbahn.jp/yoichiro

Re: The modulus bit length of the key for a signed request

Posted by "Jacky Wang (王超)" <ch...@google.com>.
Hi Yoichiro,

As mentioned in your mail that "... this length is short and dangerous. I
think that we should use 2048 bit."  Could you share with us the source as
well?

Thanks,
Jacky

On Wed, Mar 17, 2010 at 4:56 PM, Yoichiro Tanaka <yo...@eisbahn.jp> wrote:

> Hi there,
>
> I'm in charge of the mixi platform, which supports OpenSocial, in Japan. Our
> platform has already been running for one year. Therefore, a signed
> request has been supported on this platform, and the key for signing
> will expire next month.
>
> When I generated the key, the modulus length of the key was 1024 bits.
> But I heard recently that this length is short and dangerous. I think
> that we should use 2048 bits. However, if we use this length and sign
> each request, I'm afraid that some libraries for OAuth can't use the
> key and can't validate the request...
>
> The bit length doesn't depend on the process of OAuth libs, right?
> And, if you are in any containers, how long is the key you
> are using?
>
> Thanks,
> -Yoichiro (mixi, Inc.)
>



-- 
Best Regards,

Jacky Wang
(Office) +86-10-6250-3316
(Mobile) +86-1381-0018-677
Kejian Building, Tsinghua Science Park Building 6
No.1 Zhongguancun East Road, Haidian District
Beijing P.R.China 100084