[Discuss] What key lengths are currently adequate?

2014-09-07 Thread Bill Horne

OK, I'm not looking for entropy anymore. 

I just found an old key. It doesn't expire until 2017, so I don't
think I have to generate a new one.

Here's another question, though: what key lengths are considered
adequate these days? This key is 4096 bits, which I'm confident is
long enough for now, but I'm curious what the minimum recommended
key length is these days.

Bill



-- 
Bill Horne
William Warren Consulting
339-364-8487
___
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss


Re: [Discuss] What key lengths are currently adequate?

2014-09-07 Thread Chris Johnson
On 09/07/2014 01:59 AM, Bill Horne wrote:
 
> OK, I'm not looking for entropy anymore.
>
> I just found an old key. It doesn't expire until 2017, so I don't
> think I have to generate a new one.

You can always change the expiry, so that shouldn't be what stops you
using the key.

> Here's another question, though: what key lengths are considered
> adequate these days? This key is 4096 bits, which I'm confident is
> long enough for now, but I'm curious what the minimum recommended
> key length is these days.

2048 bit RSA is considered the minimum.


Re: [Discuss] What key lengths are currently adequate?

2014-09-07 Thread Edward Ned Harvey (blu)
> From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Bill Horne
>
> This key is 4096 bits, which I'm confident is
> long enough for now, but I'm curious what the minimum recommended
> key length is these days.

The cryptographic strength should be at least 128, preferably 256.

For estimating cryptographic strength of various keysizes (including RSA 4096), 
see here: 
http://grouper.ieee.org/groups/1619/email-3/pdfnnOaPiCVTm.pdf

In RSA, the keysize grows relative to the square of the cryptographic 
strength, and unfortunately, so does the computation cost.
RSA 1024 ~= 80 (insufficient in present day)
RSA 2048 ~= 112 (still good enough for most purposes, for a little while longer)
RSA 3072 ~= 128 (good)
RSA 4096 ~= 128 (pointless but fine)
RSA 16k ~= 256 (computationally impractical to use)

Basically in RSA, 3072 is the last useful level for RSA.  Because 4096 doesn't 
add significantly more strength, and by the time you get up to 16k, the 
processing time becomes prohibitive (like half an hour to generate a key, 1 
minute to encrypt a packet, etc).  We are currently in the last days of RSA 
being useful.  Next up:  ECC.

By the way, I'm exaggerating the performance problems of RSA 16k, but it does 
literally take 7-30 minutes to generate a key.

In ECC, the cryptographic strength is equal to about half the ECC key size.  
And ECC is way, way, way, way, way faster than RSA.  Like, use any size key, 
and both key generation and use will all be measured in ms.  (Might be hundreds 
of ms for the largest operations, but still, that's compared to half an hour to 
do the equivalent operation in RSA).

Strangely, the ECC key sizes are 256, 384, and 521.  (That's not a typo, I 
meant 521 not 512.)  So the crypto strengths are:
ECC 256 ~= 128
ECC 384 ~= 192
ECC 521 ~= 260


Re: [Discuss] What key lengths are currently adequate?

2014-09-07 Thread Bill Ricker
On Sun, Sep 7, 2014 at 10:48 AM, Edward Ned Harvey (blu)
<b...@nedharvey.com> wrote:
> 3072

Ned is (nearly) spot on. I was planning to post the following anyway soon -

*Current recommended key sizes.*

RSA. 1024 is obsolete. 2048 is barely ok for short term use especially
with legacy devices, 3072 is currently acceptable, but for long
expiration, 4096 is now recommended.

> Because 4096 doesn't add significantly more strength,

Not exactly right, only approximately true today. These equivalences
are date specific and rounded.
At current factoring speed, 3072 and 4096 have respective
equivalent symmetric strengths that *round down* to the same power of
2 = 128.  (Unlike between 56 and 128 they don't bother with values
between 128 and 256, since 256 is the holy grail value. Might be
useful but ...they don't. sometimes.)
   As Moore's Law grinds on and number theorists continue to tune
factoring shortcuts, 3072 bit RSA will drop below 128 equivalent
symmetric bit strength much sooner than 4096 will.

So new keys generated today for long-term use should be 4096, but 3072
is effectively as good today so no urgency to upgrade from a 3k key to
a 4k key yet.

*sources.*
http://danielpocock.com/rsa-key-sizes-2048-or-4096-bits
NIST SP 800-131A.


For Signature (only)
DSA: |p| ≥ 2048 and |q| ≥ 224 ;
RSA: |n| ≥ 2048 ;
ECC: |n| ≥ 224

(these are stronger than RSA Lab recommended
http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/key-size.htm
since time has passed.
Note that RSA2048 is still ok for signing but for secrecy it's legacy-use-only.)

Note on cipher suites.
SHA-1 no longer acceptable for DSA (exc legacy), but *is* acceptable
for other uses*.
*[ “HMAC, Key Derivation Functions (KDFs), Random Number Generation
(RNGs and RBGs), and hash-only applications (e.g., hashing passwords
and using SHA-1 to compute a checksum)”.]

Note that ECC is only in GNUPG 2.1 Beta but not in 2.0 Prod. :-(
But you can create an ECC key now and start getting sigs on it, even
if you can't yet rely on it as your primary key.

[ Note. GPG's ECC is *not* affected by the presumed backdoor in
Dual_EC_DRBG  in FIPS 182-2 TLS. Same underlying EC Maths but,
Different curves, Different use. ]


-- 
Bill Ricker
bill.n1...@gmail.com
https://www.linkedin.com/in/n1vux
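
Added example, not part of the thread: the unrounded estimates behind the equivalence figures quoted in the posts above, using the GNFS-based formula from FIPS 140-2 Implementation Guidance 7.5 for RSA (an assumption here; the thread does not cite it) and half the curve size for ECC. It shows that RSA 3072 and 4096 both clear 128 without reaching 192, while 4096 carries the larger margin; the function names and the key list are constructed for illustration.

```python
import math

def rsa_strength(modulus_bits):
    """Symmetric-equivalent bits for an RSA modulus (GNFS work estimate,
    formula from FIPS 140-2 IG 7.5; not cited in the thread)."""
    x = modulus_bits * math.log(2)
    work = 1.923 * x ** (1 / 3) * math.log(x) ** (2 / 3) - 4.69
    return work / math.log(2)

def ecc_strength(curve_bits):
    """Generic discrete-log attacks on an n-bit curve cost about 2^(n/2)."""
    return curve_bits / 2

ESTIMATORS = {"rsa": rsa_strength, "ecc": ecc_strength}

def assess(algo, bits, target=128):
    """Return (estimated strength, margin over target, meets target?)."""
    try:
        strength = ESTIMATORS[algo.lower()](bits)
    except KeyError:
        raise ValueError(f"no estimator for {algo!r}") from None
    return strength, strength - target, strength >= target

# Constructed sample: the key sizes discussed in the thread.
THREAD_KEYS = [("rsa", 1024), ("rsa", 2048), ("rsa", 3072), ("rsa", 4096),
               ("rsa", 16384), ("ecc", 256), ("ecc", 384), ("ecc", 521)]

def report(keys=THREAD_KEYS, target=128):
    """One row per key: (label, strength rounded to 0.1, margin, meets)."""
    rows = []
    for algo, bits in keys:
        strength, margin, ok = assess(algo, bits, target)
        rows.append((f"{algo.upper()} {bits}", round(strength, 1),
                     round(margin, 1), ok))
    return rows

if __name__ == "__main__":
    for label, strength, margin, ok in report():
        verdict = "meets" if ok else "below"
        print(f"{label:<10} ~{strength:6.1f} bits  ({margin:+6.1f} vs 128, {verdict})")
```

The formula is a work estimate for the best known factoring method, so its output shifts as factoring improves; published tables round these values to fixed levels.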