
I have an RSA key I use for ssh between various accounts that was originally generated in 2002 — hence it has the then-standard 1024 bits. Is there any point to deleting that key from all my machines and regenerating a new (and presumably somewhat more secure) one?

Most of the responses to this similar but older question relate to worries about specific compromises and note the lack of “key-wear”. However, this isn't strictly true, since shorter keys do become easier to attack over time — my 1024-bit RSA key is notably weaker than currently-preferred sizes of 2048 or 4096 (although I believe it's the case that it still isn't thought to have been broken by publicly known attacks). Should I be worried now, in 2020 or, really, anytime in the foreseeable (non-quantum!) future, worried enough to retire the old key entirely? Or, realistically, is my key plenty safe in practice? (Again, I'm not asking about other aspects of key security, but purely about the age and size of the key itself.)

(There's another, also related and old, question here, but it's not limited to just ssh, and is more descriptive than prescriptive.)

Andrew Jaffe
    Ask yourself, is the convenience of not rotating it worth more to you than the chance of it being compromised? Or asked differently, is rotating the key more difficult for you than dealing with recovering a compromised system? –  May 07 '20 at 10:16
    @MechMK1 I guess that's why I'm asking -- I don't have a feeling for "the chance of it being compromised". For what it's worth, I'm not particularly worried about being an individual target of an attack, but more if there is a chance for large-scale attacks of many machines at a time. Also, the difficulty of rotating the key is likely to get worse over time, but so is the ease of attack, so I need to answer not just for *right now*, but also the foreseeable future. – Andrew Jaffe May 07 '20 at 10:22
  • I'd say since you mentioned that it'll get worse in time, I would switch sooner than later. If you get the chance, switch to an elliptic curve key. They're generally smaller and security is considered equivalent. –  May 07 '20 at 11:13

0 Answers
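The practical first step behind the question is an inventory: which of the keys you still accept, on every host, are RSA and how long are they. `ssh-keygen -l -f <file>` prints exactly that for one file, but the following is an added, self-contained example (not from the question or its comments) that parses OpenSSH public-key lines directly with the standard library, so it can be run over an `authorized_keys` file offline and flag RSA keys below a chosen minimum. The function names (`key_bits`, `audit_authorized_keys`, `is_weak`) and the 2048-bit threshold are my choices; the sample keys are constructed from synthetic numbers purely to carry a bit length and are not real key pairs.

```python
import base64
import struct

RSA_MIN_BITS = 2048  # assumed policy threshold; the question's 1024-bit key falls below it


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string (4-byte big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    return blob[offset:offset + length], offset + length


def key_bits(pubkey_line: str):
    """Return (key_type, bits) for one OpenSSH public-key / authorized_keys line."""
    fields = pubkey_line.split()
    # authorized_keys lines may start with options; skip ahead to the key-type field
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-")):
            key_type, b64 = field, fields[i + 1]
            break
    else:
        raise ValueError("no key type found on line")
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type field does not match encoded blob")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)        # public exponent (unused here)
        n, _ = _read_string(blob, off)           # modulus as mpint, may carry a 0x00 pad byte
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type == "ssh-ed25519":
        bits = 256                               # fixed-size curve, 32-byte public key
    elif key_type.startswith("ecdsa-sha2-"):
        curve, _ = _read_string(blob, off)
        bits = {"nistp256": 256, "nistp384": 384, "nistp521": 521}[curve.decode()]
    else:
        raise ValueError(f"unsupported key type {key_type}")
    return key_type, bits


def is_weak(key_type: str, bits: int, rsa_min: int = RSA_MIN_BITS) -> bool:
    """Only RSA has a variable size worth policing; curves are fixed per type."""
    return key_type == "ssh-rsa" and bits < rsa_min


def audit_authorized_keys(text: str, rsa_min: int = RSA_MIN_BITS):
    """Report type, size and weak flag for every key line; comments and blanks are skipped."""
    report = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key_type, bits = key_bits(line)
        report.append({"type": key_type, "bits": bits, "weak": is_weak(key_type, bits, rsa_min)})
    return report


# --- constructed sample input (synthetic values, not real keys) ---------------

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # mpint is signed; pad so the value stays positive
    return _ssh_string(raw)


def _make_rsa_line(bits: int, comment: str) -> str:
    n = (1 << (bits - 1)) | 1  # not a real modulus, only sized to the requested bit length
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def _make_ed25519_line(comment: str) -> str:
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32)  # placeholder point bytes
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys, not real keys",
    _make_rsa_line(1024, "laptop-2002"),
    'no-pty,command="/usr/bin/backup" ' + _make_rsa_line(4096, "backup-2020"),
    _make_ed25519_line("phone-2020"),
])

if __name__ == "__main__":
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        flag = "  <-- below RSA minimum, rotate" if entry["weak"] else ""
        print(f'{entry["type"]:<14} {entry["bits"]:>5} bits{flag}')
```

Running it lists each accepted key with its size and marks the 1024-bit RSA entry; on a real host you would feed it `~/.ssh/authorized_keys` (and, for the other direction, each `*.pub` in `~/.ssh`). Generating the replacement is a single `ssh-keygen -t ed25519` and then rotating the old public key out of every `authorized_keys` the audit flagged.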