openssl-extensions icon indicating copy to clipboard operation
openssl-extensions copied to clipboard
verified publisher icon envylabs

Add #strength for ECDSA keys

Open omghax opened this issue 12 years ago • 5 comments

Currently there's no #strength method for OpenSSL::PKey::EC instances. These are Elliptic Curve DSA keys.

omghax avatar Aug 31 '13 20:08 omghax

The math in the Wikipedia article is a little impenetrable, but I think we may be able to calculate this as key.group.order.num_bits. This is made trickier by the apparent fact that EC key sizes aren't directly comparable to DSA or RSA.

omghax avatar Aug 31 '13 20:08 omghax

One example of this algorithm in the wild is google.com's certificate, which has the following public key:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmvTKDdXaEzCU3HZcwmVnTdoxdP4v
sWmuMDpkXca/7YFC3vgKipd517q+meYF+bIybVrw6Q1UJVtHpZA/3qQw0g==
-----END PUBLIC KEY-----

Evaluating key.group.order.num_bits gives me a result of 256 bits.

omghax avatar Aug 31 '13 20:08 omghax

Here's another article that claims a 256-bit ECC key is equivalent to a 128-bit symmetric key, which is equivalent to a 3048-bit RSA key.

The money quote:

As of 2003 RSA Security claims that 1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys, 2048-bit RSA keys to 112-bit symmetric keys and 3072-bit RSA keys to 128-bit symmetric keys.

It seems like there's an exponential relationship between symmetric and asymmetric key sizes.

omghax avatar Aug 31 '13 20:08 omghax

After trying to discover a function to describe the key sizes, so far I have this:

def key_size(n)
  a = 3 ** (1 / 48.0)
  p = 1024.0 / (a ** 80)
  p * (a ** (n / 2.0))
end

key_size(256) # => 3071.9999999999877
key_size(224) # => 2130.0058348051443
key_size(160) # => 1023.9999999999999

Notice that the result for 224 (which should be 2048) is off by quite a bit. It looks as though RSA's recommendations don't follow any sort of mathematical progression. I'm not sure if it's possible to map ECC key strengths to RSA/DSA strengths programmatically. We might just have to do it with a lookup table, which is obviously not ideal.

omghax avatar Aug 31 '13 21:08 omghax

Yeah. I think I looked into the EC certificates way back when I started this library, but 1) didn't really understand them, 2) they appeared to be significantly different from the others, and 3) hadn't seen any in actual usage in the Real World. So, without something to use as a source, I couldn't do much.

nbibler avatar Sep 02 '13 15:09 nbibler