undefined | Better HN

0 pointsthrow0101a2y ago0 comments

RSA 3072 has the 'comparable' security of AES 128:

Going to 4096 doesn't get you much given you have weaker links in the security chain. The next step up would be AES 192 and RSA 7680, and then AES 256 with RSA 15360.

0 comments

nullc2y ago

You'd have an argument if you were just talking about the DH key used for PFS, but the ID key is a long term secret, so breaking it has a radically payoff surface.

Even when AES and ECC have similar security they have different behavior in terms of multi-target attacks and the curve for success probability vs computation invested are quite different.

You're also not limited to use AES 128 with ssh, ChaCha20-Poly1305 is a nice choice.

j / k navigate · click thread line to collapse