512 bit RSA key breaking developments
By Yngve Nysæter Pettersen. Tuesday, 29. September 2009, 15:10:44
There has been a bit of news recently about a group's success in breaking the signature keys used for several Texas Instruments calculators.
I take no position on whether or not this effort is justifiable. What is of interest to me and to the rest of the crypto user community is the length of the RSA keys involved (512 bit), and how long it took a single dual-core PC to crack a single key (73 days).
This is important since we are still seeing Web sites (including online banking sites) using 512 bit keys to secure themselves. Seventy-three days is not that long considering a Web site certificate is usually valid for at least 365 days and sometimes for several years.
Even more importantly, this was just a single computer. The work of breaking encryption keys can be spread (with varying degrees of efficiency) across many computers working in parallel. Assuming linear scaling of time use, with 10 computers the time will be close to 7-8 days (which is at the faster end of my previous estimates for breaking 512 bit). Use 100 and you are down to about 1 day. This means that a reasonable adversary could have at least 357 days of free access to listen in on, or impersonate such a site. What is reasonable? Let me put it this way: I have direct login access to at least 11 computers of varying capabilities, 5 of them my own, and most of them multi-core.
This means that Web sites using 512 bit certificates should be considered cracked as soon as the certificate was used on the site. You should avoid doing any transactions at the site until they have upgraded their security.
At Opera we have long considered 512 bit keys to be extremely weak, considering that they were broken ten years ago. Opera will therefore display a certificate warning about the weak public key used by the site. This warning is currently displayed for keys with a length shorter than 900 bits, but this can be adjusted upwards, as needed, through our on-line update system.
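A minimum-key-length check of the kind described above, as an added example (not Opera's code). It assumes the key is available as a DER-encoded PKCS#1 RSAPublicKey (in a real certificate this structure sits inside the SubjectPublicKeyInfo); all function names are hypothetical and the sample moduli are constructed.

```python
# Added example: flag RSA public keys below a configurable minimum size.
MIN_RSA_BITS = 900  # threshold stated in the post; can be raised later

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Bit length of the modulus in SEQUENCE { INTEGER n, INTEGER e }."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()

def weak_key_warning(der, min_bits=MIN_RSA_BITS):
    """Return a warning string for an undersized key, else None."""
    bits = rsa_modulus_bits(der)
    if bits < min_bits:
        return f"weak public key: {bits}-bit RSA (minimum {min_bits})"
    return None

def _der(tag, value):
    # Encode one DER element with short- or long-form length.
    n = len(value)
    if n < 0x80:
        hdr = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        hdr = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + hdr + value

def encode_rsa_public_key(n, e=65537):
    """Build a DER RSAPublicKey, used here only to make sample input."""
    def integer(v):  # extra byte keeps the INTEGER positive
        return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    return _der(0x30, integer(n) + integer(e))

# Constructed samples: bit patterns of the right size, not real RSA moduli.
SAMPLE_512 = encode_rsa_public_key((1 << 511) | 1)
SAMPLE_1024 = encode_rsa_public_key((1 << 1023) | 1)
```

Calling `weak_key_warning(SAMPLE_1024, min_bits=2048)` shows the effect of adjusting the threshold upwards: a key that passes at 900 bits is then reported as weak.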

Charles Schloss # 29. September 2009, 16:14
Is Opera 10 the only browser to support TLS 1.2?
Rafael Luik # 29. September 2009, 16:28
Yngve Nysæter Pettersen # 29. September 2009, 16:41
Originally posted by Chas4:
No, it is not the only one. Windows 7 has support for it, but it is disabled by default.
Ice Ardor # 30. September 2009, 07:18
Originally posted by rafaelluik:
Unfortunately, it isn't Opera that makes you safe. It's the website's encryption key and protocol.
João Eiras # 30. September 2009, 12:57
Originally posted by IceArdor:
It helps if the other browsers still have SSL 2 enabled, show no warnings for weak keys, or don't support the latest TLS developments.
Barraco Mármol Jerónimo # 30. September 2009, 21:33
Charles Schloss # 17. November 2009, 02:33
DNSSec update deadline penciled in for 2011
http://www.theregister.co.uk/2009/11/16/dnssec_roll_ou/