The standard CSP on Windows XP only supports RSA up to 512-bit, which means that it's the maximum key size I can use for authenticity verification of updates. The public key is embedded in the updater, and the update files are signed with the private key, using SHA256.
I know that RSA-768 was factored back in 2010, which is what makes me wonder if RSA-512 is still acceptable for signing purposes. How much effort is it for an attacker to break a 512-bit RSA key?
No.
The challenge for RSA-155 (which is 512 bits) was broken in 1999. This took 6 months on pretty advanced hardware to break at the time, which works out to 8000 MIPS years. It should be much less today.
FYI, RSA 768 took just under 3 years.
I don't have any experience with this myself, but Tom Ritter talked about this on twitter:
Matthew Green: Out of curiosity: do you happen to know offhand how much it costs to factor a 512-bit RSA key on EC2?
Tom Ritter: My personal costs are \$120-\$150 with my setup. You can probably do it cheaper, heard reports of \$75.
He also published a description of how to factor RSA moduli.
Another project in a similar vein: Factoring as a Service:
The Factoring as a Service project is designed to allow anyone to factor 512-bit integers in as little as four hours using the Amazon EC2 platform for less than $100, with minimal setup.
You should be able to just run the scripts from their github.
It is not safe at all since Factoring as a service project (https://github.com/eniac/faas) together with Amazon EC2 allows the factorization of a 512-bit key for less than $100 in only a few hours.
Considering special purpose hardware, according to [40] sieving for a 1024-bit RSA modulus can be done in a year for about US \$10,000,000, plus a one-time development cost of about US \$20,000,000, and with a comparable time and cost for the matrix.
-- Bos et al.
RSA.816 offers very short-term protection against small organizations Should not be used for confidentiality in new systems.
