Re: MD5 is insecure

[nanog--- via NANOG <nanog () lists nanog org>]

Generally speaking, a *symmetric encryption* key made of 2048 random bits is 2^1024 times as hard to break as a key 
made of 1024 random bits. This is because generally, the only way to break a fully random key input to a symmetric key 
algorithm is to try every possible key, as there is no exploitable mathematical structure to symmetric algorithms.

128 bits is considered an acceptable key length for a symmetric algorithm and 256 bits is considered to be an overkill 
key length.

However, note that an RSA key is not random bits, but two prime numbers, and that most numbers are not prime, and that 
the corresponding public key is (very roughly) the answer to multiplying them together, and in many attack scenarios 
the attacker knows the public key (that's why you are using RSA instead of AES) and can use factorization algorithms 
that are much faster than brute force.

NIST recommends that 3072-, 7680-, and 15360-bit RSA keys are about as hard to crack as 128-, 192-, and 256-bit 
symmetric keys respectively.

So a 2048-bit RSA key is not 2^1024 times as hard to break as a 1024-bit one, but rather only (eyeballing the above 
numbers) something like 2^20 times as hard.

Yes, these key sizes get somewhat impractical. RSA is rather old and slow, but does still work if you use a long enough 
key. The newer elliptic curve family of asymmetric algorithms provides both smaller keys and faster algorithms. EC keys 
are estimated to be about as hard to break as symmetric keys half as long - though unlike RSA, each different key size 
requires a different algorithm. ed25519 keys, widely supported in SSH software by now but perhaps not in switch 
firmware, are ~256 bits and are about as hard to break as symmetric encryption keys of ~128 bits.


On 4 September 2025 22:22:21 CEST, Chris Woodfield via NANOG <nanog () lists nanog org> wrote:
> > On Sep 4, 2025, at 13:15, Gary Sparkes via NANOG <nanog () lists nanog org> wrote:
> >
> > <snip?
> >
> > 4096 is still in the realm of geological or universe-scale timeframes for classical computing, however. 
>
> I still occasionally run into the misconception that, a, say, 2048-bit key is only twice to crack than a 1024-bit one, 
> as opposed to 2^1024 times as hard. Exponents still escape the understanding of some people.
>
> (See also: IPv6 addressing)
>
> -Chris
>
>
> > ===========
> >
> >
> >
> >
> > On Thu, Sep 4, 2025 at 12:16 PM Dan Mahoney <danm () prime gushi org <mailto:danm () prime gushi org>> wrote:
> >
> > > > On Sep 4, 2025, at 05:21, Tom Beecher <beecher () beecher cc> wrote:
> > > >
> > > > Dan-
> > > >
> > > > The main concern I have with your post, and the reason I have been 
> > > > so
> > > vocal in these messages , centers around the following :
> > > > Or you might consider just going back to using inline passwords and
> > > consider Cisco’s ssh implementation a failure at launch — at least the 
> > > “secret” hashing algorithms are salted, but on older kit, it’s also 
> > > still md5.
> > > > It's absolutely fair to criticize their implementation in its 
> > > > current
> > > form. I could see it making sense 20 years ago, but they've had time 
> > > to iterate and improve on it, and should have.
> > > > However, Cisco's implementation is not vulnerable to any currently 
> > > > known
> > > exploits, and no theoretical attack vectors don't seem to apply either.
> > > > The fact that you make a recommendation for readers to *stop using
> > > public key SSH auth* because of that is , respectfully, absolutely 
> > > irresponsible. Someone, somewhere is going to read this, and follow 
> > > this advice, making their device LESS secure, and for no good reason.  
> > > We don't tell people that current cryptography might eventually 
> > > someday be vulnerable to quantum computers , so stop using cryptography completely.
> > > You are doing that here, by saying "This might be exploitable some 
> > > day, so don't use it."  Everything MIGHT be exploitable some day, 
> > > that's how it goes.
> > >
> > > Tom,
> > >
> > > You see those things on either sides of the words “stop using public 
> > > key SSH auth” ?  Those are called quotation marks, and they mean, in 
> > > this context, that you are directly citing my words, to the larger group.
> > >
> > > Except that those words, in that order, appear nowhere in my article, 
> > > which hasn’t changed at all, except for one typo which I’ve since 
> > > corrected.
> > >
> > > I make no such recommendation.  My usage of the word “you might” is 
> > > not a recommendation, it’s a statement that people may do their own 
> > > research and carefully consider how they put an older device online, 
> > > if at all.  Where you’ve cited me bashing md5, I am referring to its 
> > > crypt() implementation, also used in Cisco type 5 secrets, matching my 
> > > recommendations with that of the NSA.  If anything, I’ll happily 
> > > suggest that the best answer for an EOL or near-EOL devices is “just use a serial cable”.
> > >
> > > But back to your quote.
> > >
> > > I believe that you’re seeing words that literally aren’t on the page, 
> > > and are citing them to a public mailing list, claiming they’re mine.
> > >
> > > This is not ok.
> > >
> > > -Dan
> > _______________________________________________
> > NANOG mailing list
> > https://lists.nanog.org/archives/list/nanog () lists nanog org/message/FRQXA3TFDLTHZ2T7I7T2B2SMA6TLMJDG/
> > _______________________________________________
> > NANOG mailing list 
> > https://lists.nanog.org/archives/list/nanog () lists nanog org/message/NCPG47PSBQFIJGGD3JZKLKTRSB4EGI4K/
>
> _______________________________________________
> NANOG mailing list 
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/DAJGPGHDP2MDWTUIRN3N6CJD4E4CNLEO/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/OQE3YGVSRGP5SXBGBYCGSZNGY4SZQ2VX/