-
Created by
Phil Benchoff, last updated on Oct 07, 2010
4 minute read
Choosing an appropriate key strength.
The term strength is used rather than length because an n-bit key may not really offer n-bits of strength. For example, even though (three-key) triple DES uses a 168-bit key, there is an attack that reduces the work required to try all keys to that of 112 bits.
For keys where only a small subset of numbers are valid keys (such as RSA), the strength is only a fraction of the key length. For example, a 1024-bit RSA key is about 80 bits of strength in an equivalent symmetric crypto algorithm..
Typically within a given crypto algorithm, stronger ciphers result as the key size increases. So, 128 bit AES is less secure than 192 bit AES because we are within the same crypto algorithm (AES). If you're comparing key sizes across different algorithms (AES vs. RSA), then the rule changes.
When comparing symmetric vs. asymmetric cryptosystems not only are asymmetric algorithms more resource intensive (eat up your CPU time) than symmetric routines, they also require much longer keys to provide the same strength. While symmetric keys range from 40 bit to 256 bit, asymmetric keys are typically 1,024 bits or longer. The table below shows equivalent strength between symmetric and asymmetric crypto algorithms. In other words, you need to compare key strength AND crypto algorithm (symmetric vs. asymmetric).
- Three major factors
- Security required
- Expected lifetime of encryption system
- Expected lifetime of data
Key Size versus Strength
NIST
- SP 800-57 Recommendation for Key Management - Part 1: General (Revised)
- 5.6 Guidance for Cryptographic Algorithm and Key Size Selection
Bits of Security |
Symmetric Key Algorithms |
RSA |
Hash Size |
|---|---|---|---|
80 |
2TDEA |
1024 |
SHA-1 |
112 |
3TDEA |
2048 |
SHA-224 |
128 |
AES-128 |
3072 |
SHA-256 |
192 |
AES-192 |
7680 |
SHA-384 |
256 |
AES-256 |
15360 |
SHA-512 |
(Note: Some liberties have been taken with this table. See the actual publication for more info.)
- Draft SP 800-131 Recommendation for the Transitioning of Cryptographic Algorithms and Key Lengths (15 Jun 2010)
- For the Federal government, a minimum security strength of 80 bits is recommended in 2010.
- minimum security strength of 112 bits is strongly recommended beginning in 2011
- transition to 112-bit strength shall be accomplished by 2014
NSA
Type |
Symmetric |
Elliptic Curve |
Hash |
RSA |
|---|---|---|---|---|
Secret |
AES-128 |
ECDH and ECDSA 256 |
SHA-256 |
2048 |
Top Secret |
AES-256 |
ECDH and ECDSA 384 |
SHA-384 |
|
RSA
Protection Lifetime of Data |
Present - 2010 |
Present - 2030 |
Present - 2031 and Beyond |
|---|---|---|---|
Minimum symmetric security level |
80 bits |
112 bits |
128 bits |
Minimum RSA key size |
1024 bits |
2048 bits |
3072 bits |
Others
- Keylength.com
- javamex: RSA Key Lengths - shows the increase in computational complexity for various key lengths. This may be very significant if encryption/decryption is done frequently, e.g. an SSL web server.
- SHA-2 and Windows
Passwords/Passphrases
- WP: Password Strength
- SP 800-63 Rev. 1: DRAFT Electronic Authentication Guideline - See Appendix A: Estimating Entropy and Strength for more detailed info on passwords.
- Upper bound: random printable ASCII characters are 6.5bits.
- Lower bound: plain English is between 0.6 and 1.5 bits per character.
- Double a character consecutively, to discourage shoulder surfing (WP)
Cryptographic Systems
All but the most trivial cryptographic systems will use a combination of asymmetric ciphers, symmetric ciphers, and hashes. It is important that each of these be selected with care.
Random Numbers
A good source of random numbers is at the heart of every crypto system. If the source of random numbers is flawed, every crypto system using it is weakened.
Key Authenticity
The encryption system can be entirely defeated of an adversary can pose as the intended recipient and get you to use the key of his choice. You must verify the source of public keys to be sure they belong to the intended recipients.
Symmetric Encryption
OpenSSH always encrypts data with a symmetric session key derived from a random number source. A header containing the session key encrypted with the pass phrase is included in the encrypted data file. Here are some of the things that must work together. The resulting encrypted file is only as good as the weakest element.
- Session key - derived from random number source
- Asymmetric key packet - session key encrypted with the passphrase.
- Passphrase - You can slow the exhaustive testing of passphrases with more complexity in the string-to-key algorithm.
Asymmetric encrpytion
OpenSSH always encrypts data with a symmetric session key derived from a random number source. A header containing the session key encrypted with each recipient's asymmetric key is included in the encrypted data file. Here are some of the things that must work together. The resulting encrypted file is only as good as the weakest element.
- Session key - derived from random number source
- Symmetric key packets - session key encrypted with the recipients' asymmetric keys.
- The asymmetric keys depend on the random number source as well.
- Note: An attacker who has the encrypted private half of the asymmetric key pair can also exhaustively test pass phrases.
Signature
A signature depends on the strength of the asymmetric key used to make it and the hash function used to calculate the message digest.
Key Size Fun
Bits |
Digits |
Number of keys |
|---|---|---|
56 |
17 |
72,057,594,037,927,936 |
64 |
20 |
18,446,744,073,709,551,616 |
80 |
25 |
1,208,925,819,614,629,174,706,176 |
112 |
34 |
5,192,296,858,534,827,628,530,496,329,220,096 |
128 |
39 |
340,282,366,920,938,463,463,374,607,431,768,211,456 |
192 |
57 |
6,277,101,735,386,680,763,835,789,423,207,666,416,102,355,444,464,034,512,896 |
256 |
78 |
115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 |