Key size
==Asymmetric algorithm key lengths==
The effectiveness of [[public key cryptography|public key cryptosystems]] depends on the intractability (computational and theoretical) of certain mathematical problems such as [[integer factorization]]. These problems are time-consuming to solve, but usually faster than trying all possible keys by brute force. Thus, [[asymmetric key]]s must be longer for equivalent resistance to attack than symmetric algorithm keys. The most common methods are assumed to be weak against sufficiently powerful [[quantum computer]]s in the future.

Since 2015, NIST recommends a minimum of 2048-bit keys for [[RSA (algorithm)|RSA]],<ref name="keymanagement">{{cite journal |url=http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf |archive-url=https://web.archive.org/web/20150226074432/http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf |archive-date=2015-02-26 |url-status=live |title=Recommendation for Key Management; Part 3: Application-Specific Key Management Guidance |date=2015-01-22 |page=12 |access-date=2017-11-24 |journal=NIST Special Publication |publisher=[[National Institute of Standards and Technology]] |doi=10.6028/NIST.SP.800-57pt3r1 |first1=Elaine |last1=Barker |first2=Quynh |last2=Dang}}</ref> an update to the widely accepted recommendation of a 1024-bit minimum since at least 2002.<ref>{{cite web|url=http://emc.com/emc-plus/rsa-labs/historical/a-cost-based-security-analysis-key-lengths.htm |title=A Cost-Based Security Analysis of Symmetric and Asymmetric Key Lengths |publisher=[[RSA Security|RSA Laboratories]] |access-date=2016-09-24 |url-status=dead |archive-url=https://web.archive.org/web/20170113075540/https://www.emc.com/emc-plus/rsa-labs/historical/a-cost-based-security-analysis-key-lengths.htm |archive-date=2017-01-13}}</ref>

1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys, 2048-bit RSA keys to 112-bit symmetric keys, 3072-bit RSA keys to 128-bit symmetric keys, and 15360-bit RSA keys to 256-bit symmetric keys.<ref>{{cite journal |url=https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf |archive-url=https://web.archive.org/web/20200509101121/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf |archive-date=2020-05-09 |url-status=live |title=Recommendation for Key Management: Part 1 – General |page=53 |journal=NIST Special Publication |publisher=[[National Institute of Standards and Technology]] |doi=10.6028/NIST.SP.800-57pt1r5 |first=Elaine |last=Barker |date=May 2020|s2cid=243189598 }}</ref> In 2003, [[RSA Security]] claimed that 1024-bit keys were likely to become crackable sometime between 2006 and 2010, while 2048-bit keys are sufficient until 2030.<ref name="twirl">{{cite web |url=http://emc.com/emc-plus/rsa-labs/historical/twirl-and-rsa-key-size.htm|title=TWIRL and RSA Key Size |publisher=[[RSA Security|RSA Laboratories]] |archive-url=https://web.archive.org/web/20170417095741/https://www.emc.com/emc-plus/rsa-labs/historical/twirl-and-rsa-key-size.htm |archive-date=2017-04-17 |url-status=dead |access-date=2017-11-24 |first=Burt |last=Kaliski |date=May 6, 2003 |df=ymd-all}}</ref> {{As of|2020}} the largest RSA key publicly known to be cracked is [[RSA-250]] with 829 bits.<ref>{{cite web |title=Factorization of RSA-250 |date=2020-02-28 |first=Paul |last=Zimmermann |publisher=Cado-nfs-discuss |url=https://lists.gforge.inria.fr/pipermail/cado-nfs-discuss/2020-February/001166.html |access-date=2020-07-12 |archive-date=2020-02-28 |archive-url=https://web.archive.org/web/20200228234716/https://lists.gforge.inria.fr/pipermail/cado-nfs-discuss/2020-February/001166.html |url-status=dead }}</ref>

The Finite Field [[Diffie-Hellman]] algorithm has roughly the same key strength as RSA for the same key sizes. The work factor for breaking Diffie-Hellman is based on the [[discrete logarithm problem]], which is related to the integer factorization problem on which RSA's strength is based. Thus, a 2048-bit Diffie-Hellman key has about the same strength as a 2048-bit RSA key.

[[Elliptic-curve cryptography]] (ECC) is an alternative set of asymmetric algorithms that is equivalently secure with shorter keys, requiring only approximately twice as many bits as the equivalent symmetric algorithm. A 256-bit [[Elliptic-curve Diffie–Hellman]] (ECDH) key has approximately the same safety factor as a 128-bit [[Advanced Encryption Standard|AES]] key.<ref name="keymanagement"/> A message encrypted with an elliptic key algorithm using a 109-bit long key was broken in 2004.<ref>{{cite web|url=https://www.certicom.com/news-releases/300-solution-required-team-of-mathematicians-2600-computers-and-17-months- |title=Certicom Announces Elliptic Curve Cryptography Challenge Winner |date=2004-04-27 |access-date=2016-09-24 |publisher=[[BlackBerry Limited]] |url-status=dead |archive-url=https://web.archive.org/web/20160927063421/https://www.certicom.com/news-releases/300-solution-required-team-of-mathematicians-2600-computers-and-17-months- |archive-date=2016-09-27}}</ref>

The [[National Security Agency|NSA]] previously recommended 256-bit ECC for protecting classified information up to the SECRET level, and 384-bit for TOP SECRET;<ref name=NSASuiteBphaseout>{{cite web|url=http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml |title=NSA Suite B Cryptography |date=2009-01-15 |access-date=2016-09-24 |url-status=dead |archive-url=https://web.archive.org/web/20090207005135/http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml |archive-date=2009-02-07 |publisher=[[National Security Agency]]}}</ref> in 2015 it announced plans to transition to quantum-resistant algorithms by 2024, and until then recommends 384-bit for all classified information.<ref name="NSAComSuite">{{cite web|url=https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm |archive-url=https://web.archive.org/web/20220218193742/https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm |archive-date=2022-02-18 |title=Commercial National Security Algorithm Suite |date=2015-08-09 |access-date=2020-07-12 |publisher=[[National Security Agency]]}}</ref>
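
The equivalences quoted in this section can be checked against a factoring-cost estimate and applied to a key inventory, as in the following added example (not part of the article or of any cited source). It assumes the general number field sieve cost formula, which the section does not name, a calibration offset of 4.69 chosen so that a 1024-bit modulus comes out at about 80 bits, and a constructed inventory with hypothetical key names.

```python
import math

# RSA / finite-field DH modulus bits -> symmetric-equivalent bits, as quoted above.
PAGE_FIGURES = {1024: 80, 2048: 112, 3072: 128, 15360: 256}

def gnfs_bits(modulus_bits, offset=4.69):
    """Estimate symmetric-equivalent strength of an RSA/DH modulus.

    Uses the general number field sieve cost exp(c * (ln n)^(1/3) * (ln ln n)^(2/3))
    with c = (64/9)^(1/3). `offset` is a calibration constant (an assumption of
    this example) that makes a 1024-bit modulus come out at about 80 bits.
    """
    if modulus_bits < 2:
        raise ValueError("modulus too small for the estimate")
    ln_n = modulus_bits * math.log(2)
    work = (64 / 9) ** (1 / 3) * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return (work - offset) / math.log(2)

def strength(alg, bits):
    """Conservative symmetric-equivalent strength in bits for one key."""
    alg = alg.upper()
    if alg in ("RSA", "DH"):
        # Round down to the largest quoted size that the key reaches.
        reached = [s for m, s in PAGE_FIGURES.items() if m <= bits]
        return max(reached) if reached else int(gnfs_bits(bits))
    if alg in ("ECC", "ECDH"):
        return bits // 2  # "approximately twice" the symmetric key length
    raise ValueError(f"unknown algorithm: {alg}")

def audit(inventory, minimum=112):
    """Return (name, strength) for every key below `minimum` bits of strength."""
    rated = ((name, strength(alg, bits)) for name, alg, bits in inventory)
    return [(name, s) for name, s in rated if s < minimum]

# Constructed inventory for illustration; the names are hypothetical.
INVENTORY = [
    ("legacy-vpn", "RSA", 1024),
    ("web-tls", "RSA", 2048),
    ("code-signing", "RSA", 4096),
    ("old-dh-group", "DH", 1024),
    ("api-ecdh", "ECDH", 256),
]

if __name__ == "__main__":
    for size, quoted in PAGE_FIGURES.items():
        print(f"{size:>5}-bit modulus: quoted {quoted}, estimated {gnfs_bits(size):.1f}")
    print("below 112 bits:", audit(INVENTORY))
```

The default minimum of 112 bits corresponds to the 2048-bit RSA minimum cited above; sizes between the quoted figures are rounded down to the nearest quoted size, so a 4096-bit modulus is rated at 128 bits.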