DKIM: Can I use an RSA key larger than 2048 bits, i.e. 4096?

8

Can I simply use a 4096-bit RSA key for DKIM (in the DNS TXT record)?
Is there any drawback (ignoring the computational effort)?
Perhaps there are mail servers that cannot handle such a large key?

Also: is there any large e-mail provider that uses RSA keys larger than 2048 bits? Google, Yahoo and Microsoft seem to use 2048-bit keys.

by Florian Schneider 06.01.2016 / 19:41

1 answer

12

From IETF RFC 4871 (emphasis ours):

3.3.3. Key Sizes

Selecting appropriate key sizes is a trade-off between cost, performance, and risk. Since short RSA keys more easily succumb to off-line attacks, signers MUST use RSA keys of at least 1024 bits for long-lived keys. Verifiers MUST be able to validate signatures with keys ranging from 512 bits to 2048 bits, and they MAY be able to validate signatures with larger keys. Verifier policies may use the length of the signing key as one metric for determining whether a signature is acceptable.

Factors that should influence the key size choice include the following:

  • The practical constraint that large (e.g., 4096 bit) keys may not fit within a 512-byte DNS UDP response packet

  • The security constraint that keys smaller than 1024 bits are subject to off-line attacks

  • Larger keys impose higher CPU costs to verify and sign email

  • Keys can be replaced on a regular basis, thus their lifetime can be relatively short

  • The security goals of this specification are modest compared to typical goals of other systems that employ digital signatures

See [RFC3766] for further discussion on selecting key sizes.

by 06.01.2016 / 19:53
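The 512-byte UDP constraint quoted in the answer can be checked directly. The Python below is an added example, not part of the original question or answer: it builds the DKIM TXT record for an RSA public key of a given size (the modulus is a constructed placeholder of the right length, not a real key, since only the encoded size matters here) and estimates the size of a plain DNS response for the assumed selector name default._domainkey.example.com.

```python
import base64

# DER helpers: length octets and TLV wrapping (sizes depend only on content length).
def _der_len(n: int) -> bytes:
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_uint(v: int) -> bytes:
    # Minimal positive INTEGER: the extra byte keeps a set top bit from reading as negative.
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID + NULL

def rsa_spki_der(bits: int, e: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an RSA key of `bits` bits (the p= payload of a DKIM record).
    The modulus is a constructed placeholder with the top bit set, not a real key; a real
    modulus of the same size encodes to exactly the same number of bytes."""
    n = (1 << (bits - 1)) | 1
    rsa_key = _der(0x30, _der_uint(n) + _der_uint(e))
    return _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa_key))

def dkim_txt_record(bits: int) -> str:
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der(bits)).decode()

def txt_rdata_len(record: str) -> int:
    # TXT RDATA is a series of <length byte><up to 255 chars> character strings (RFC 1035).
    chunks = [record[i:i + 255] for i in range(0, len(record), 255)]
    return sum(1 + len(c) for c in chunks)

def udp_response_size(record: str, qname: str = "default._domainkey.example.com") -> int:
    """Minimal plain-DNS response: header + question + one TXT RR (owner name as a pointer)."""
    qname_len = sum(1 + len(label) for label in qname.split(".")) + 1  # labels + root byte
    header, question = 12, qname_len + 4                               # QTYPE + QCLASS
    answer = 2 + 2 + 2 + 4 + 2 + txt_rdata_len(record)                 # ptr,type,class,ttl,rdlen
    return header + question + answer

def fits_classic_udp(bits: int) -> bool:
    """True if the record fits the 512-byte limit RFC 4871 warns about (no EDNS0/TCP needed)."""
    return udp_response_size(dkim_txt_record(bits)) <= 512

if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        rec = dkim_txt_record(bits)
        print(f"{bits}-bit: p= is {len(rec) - 18} chars, response {udp_response_size(rec)} bytes, "
              f"fits in 512-byte UDP: {fits_classic_udp(bits)}")
```

A 4096-bit record exceeds 512 bytes on its own, so resolvers without EDNS0 must retry over TCP; verifiers that cannot do either will fail to fetch the key, which is the compatibility risk the RFC bullet describes.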