zlacker

It's plausible based on public research that any well-funded adversary can break 1024-bit RSA. You should assume 1024-bit RSA is simply broken.

>>tptace+(OP)
Yes and given that I'm kinda surprised we haven't seen any docs talking about breaking 1024-bit RSA. That should have been their bread and butter, at least as far as DNI is concerned, a few years ago.

>>EthanH+a
What 'yuhong said: it could be expensive, with NSA having the capability to break only one every couple months. They might need to carefully coordinate which keys they break, in which case it would be an important secret which CA keys were broken.

>>tptace+f
Do you think that the NSA would bother breaking CA keys? We know that they have shadow certificates and have much success infiltrating CAs to steal their keys and that they have been able to forge them without having to break the keys (via the previously unknown MD5 collision - as they did for Stuxnet. Seems to me like there are more valuable certs to go after (diplomats' certs, smartcard certs, OS update certs, ...).

>>xnull2+G7
So many "diplomats' certs" are used in machines by Crypto AG from Switzerland. And guess what, they had one major incident years ago - and even people working there have simply no clue who owns and control the company.

I'd say most of commercial crypto systems are rigged. https://pbs.twimg.com/media/B5-aW_8CEAAUzji.jpg:large

>>spacef+0e
I've been interested in Crypto AG for many years and would like to know more. Do you have a source that Crypto AG is still used to store certs that diplomats use?

I guess there is this: http://www.crypto.ch/en/solutions/crypto-secure-diplomatic-m...