View Source

Choosing an appropriate key strength.

The term strength is used rather than length because an n-bit key may not really offer n-bits of strength. For example, even though (three-key) triple DES uses a 168-bit key, there is an attack that reduces the work required to try all keys to that of 112 bits.

For keys where only a small subset of numbers are valid keys (such as RSA), the strength is only a fraction of the key length. For example, a 1024-bit RSA key is about 80 bits of strength in an equivalent symmetric crypto algorithm..

Typically within a given crypto algorithm, stronger ciphers result as the key size increases. So, 128 bit AES is less secure than 192 bit AES because we are within the same crypto algorithm (AES). If you're comparing key sizes across different algorithms (AES vs. RSA), then the rule changes.

When comparing symmetric vs. asymmetric cryptosystems not only are asymmetric algorithms more resource intensive (eat up your CPU time) than symmetric routines, they also require much longer keys to provide the same strength. While symmetric keys range from 40 bit to 256 bit, asymmetric keys are typically 1,024 bits or longer. The table below shows equivalent strength between symmetric and asymmetric crypto algorithms. In other words, you need to compare key strength AND crypto algorithm (symmetric vs. asymmetric).

Three major factors
- Security required
- Expected lifetime of encryption system
- Expected lifetime of data

Key Size versus Strength

NIST

SP 800-57 Recommendation for Key Management - Part 1: General (Revised)
- 5.6 Guidance for Cryptographic Algorithm and Key Size Selection

Bits of Security	Symmetric Key Algorithms	RSA	Hash Size
80	2TDEA	1024	SHA-1
112	3TDEA	2048	SHA-224
128	AES-128	3072	SHA-256
192	AES-192	7680	SHA-384
256	AES-256	15360	SHA-512

(Note: Some liberties have been taken with this table. See the actual publication for more info.)

Draft SP 800-131 Recommendation for the Transitioning of Cryptographic Algorithms and Key Lengths (15 Jun 2010)
- For the Federal government, a minimum security strength of 80 bits is recommended in 2010.
- minimum security strength of 112 bits is strongly recommended beginning in 2011
- transition to 112-bit strength shall be accomplished by 2014

NSA

Suite B Cryptography (2005)

Type	Symmetric	Elliptic Curve	Hash	RSA
Secret	AES-128	ECDH and ECDSA 256	SHA-256	2048
Top Secret	AES-256	ECDH and ECDSA 384	SHA-384

RSA

RSA: TWIRL and RSA Key Size (Revised May 6, 2003)

Protection Lifetime of Data	Present - 2010	Present - 2030	Present - 2031 and Beyond
Minimum symmetric security level	80 bits	112 bits	128 bits
Minimum RSA key size	1024 bits	2048 bits	3072 bits

Others

Keylength.com
javamex: RSA Key Lengths - shows the increase in computational complexity for various key lengths. This may be very significant if encryption/decryption is done frequently, e.g. an SSL web server.
SHA-2 and Windows

Passwords/Passphrases

WP: Password Strength
SP 800-63 Rev. 1: DRAFT Electronic Authentication Guideline - See Appendix A: Estimating Entropy and Strength for more detailed info on passwords.
Upper bound: random printable ASCII characters are 6.5bits.
Lower bound: plain English is between 0.6 and 1.5 bits per character.
Double a character consecutively, to discourage shoulder surfing (WP)

Cryptographic Systems

All but the most trivial cryptographic systems will use a combination of asymmetric ciphers, symmetric ciphers, and hashes. It is important that each of these be selected with care.

A good source of random numbers is at the heart of every crypto system. If the source of random numbers is flawed, every crypto system using it is weakened.

The encryption system can be entirely defeated of an adversary can pose as the intended recipient and get you to use the key of his choice. You must verify the source of public keys to be sure they belong to the intended recipients.

Symmetric Encryption

OpenSSH always encrypts data with a symmetric session key derived from a random number source. A header containing the session key encrypted with the pass phrase is included in the encrypted data file. Here are some of the things that must work together. The resulting encrypted file is only as good as the weakest element.

Session key - derived from random number source
Asymmetric key packet - session key encrypted with the passphrase.
Passphrase - You can slow the exhaustive testing of passphrases with more complexity in the string-to-key algorithm.

Asymmetric encrpytion

OpenSSH always encrypts data with a symmetric session key derived from a random number source. A header containing the session key encrypted with each recipient's asymmetric key is included in the encrypted data file. Here are some of the things that must work together. The resulting encrypted file is only as good as the weakest element.

Session key - derived from random number source
Symmetric key packets - session key encrypted with the recipients' asymmetric keys.
- The asymmetric keys depend on the random number source as well.
Note: An attacker who has the encrypted private half of the asymmetric key pair can also exhaustively test pass phrases.

Signature

A signature depends on the strength of the asymmetric key used to make it and the hash function used to calculate the message digest.

Key Size Fun

Bits	Digits	Number of keys
56	17	72,057,594,037,927,936
64	20	18,446,744,073,709,551,616
80	25	1,208,925,819,614,629,174,706,176
112	34	5,192,296,858,534,827,628,530,496,329,220,096
128	39	340,282,366,920,938,463,463,374,607,431,768,211,456
192	57	6,277,101,735,386,680,763,835,789,423,207,666,416,102,355,444,464,034,512,896
256	78	115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936