Am 21.07.2015 um 00:10 schrieb David Banes <[email protected]>: > On 20 Jul 2015, at 23:07, Peter Kieser <[email protected]> wrote: > >> On 2015-07-10 2:47 AM, Mathias Ertl wrote: >>> * Have a valid 4096 bit certificate with at least a sha256 signature. >> >> 4096 bit seems a bit excessive. NIST is still recommending 2048 bit from >> 2011 to 2030. >> >> -Peter > > I laughed....
He's actually right - the difference between 2048 and 4096 isn't that big. 2048 equals a symmetric cipher of ~ 112 bits, while 4096 equals a symmetric cipher of ~ 128 bits. If you think about it, it only makes sense: The bigger the number gets, the fewer primes there are… So, 4096 bit RSA just gives you an additional 16 bits for your AES, while doubling the number of RSA bits more than doubles the computational overhead… That's also the reason why there's no point in doing 8192 bit RSA: It wound be insanely slow for just giving you a few extra bits. IIRC, to match AES-256, you would need RSA-32768. Have fun calculating that! If you want to match AES-256, you therefore need to go to 512-bit ECC (for ECC, you need roughly double the bits than the symmetric cipher). -- Jonathan
