Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] What key lengths are currently adequate?

On Sun, Sep 7, 2014 at 10:48 AM, Edward Ned Harvey (blu)
<blu at> wrote:
> 3072

Ned is (nearly) spot on. I was planning to post the following anyway soon -

*Current recommended key sizes.*

RSA. 1024 is obsolete. 2048 is barely ok for short term use especially
with legacy devices, 3072 is currently acceptable, but for long
expiration, 4096 is now recommended.

> Because 4096 doesn't add significantly more strength,

Not exactly right, only approximately true today. These equivalences
are date specific and rounded.
    At current factoring speed, 3072 and 4096 have respective
equivalent symmetric strengths that *round down* to the same power of
2 = 128.  (Unlike between 56 and 128 they don't bother with values
between 128 and 256, since 256 is the holy grail value. Might be
useful but ...they don't. sometimes.)
   As Moore's Law grinds on and number theorists continue to tune
factoring shortcuts, 3072 bit RSA will drop below 128 equivalent
symmetric bit strength much sooner than 4096 will.

So new keys generated today for long-term use should be 4096, but 3072
is effectively as good today so no urgency to upgrade from a 3k key to
a 4k key yet.

NIST SP 800-131A.

For Signature (only)
DSA: |p| ? 2048 and |q| ? 224 ;
RSA: |n| ? 2048 ;
ECC: |n| ? 224

(these are stronger than RSA Lab recommended
since time has passed.
Note that RSA2048 is still ok for signing but for secrecy it's legacy-use-only.)

Note on cipher suites.
SHA-1 no longer acceptable for DSA (exc legacy), but *is* acceptable
for other uses*.
*[ ?HMAC, Key Derivation Functions (KDFs), Random Number Generation
(RNGs and RBGs), and hash-only applications (e.g., hashing passwords
and using SHA-1 to compute a checksum?.]

Note that ECC is only in GNUPG 2.1 Beta but not in 2.0 Prod. :-(
But you can create an ECC key now and start getting sigs on it, even
if you can't yet rely on it as your primary key.

[ Note. GPG's ECC is *not* affected by the presumed backdoor in
Dual_EC_DRBG  in FIPS 182-2 TLS. Same underlying EC Maths but,
Different curves, Different use. ]

Bill Ricker
bill.n1vux at

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /