Kryptografie/Schlüssellängen
Keylengths
- AES256 and AES128
- I would never consider using AES256, just like I don't wear a helmet when I sit inside my car.
- It's too much bother for the epsilon improvement in security.
- Recommendations on keylengths need to be adapted regularly
- Since this document first of all is static and second of all, does not consider itself to be authoritative on keylengths, we would rather refer to existing publications and websites.
- Recommending a safe key length is a hit-and-miss issue.
Furthermore, when choosing an encryption algorithm and key length, the designer/sysadmin always needs to consider the value of the information and how long it must be protected.
- In other words: consider the number of years the data needs to stay confidential.
The ECRYPT II publication gives a fascinating overview of strengths of symmetric keys in chapter 5 and chapter 7.
- Summarizing ECRYPT II, we recommend 128 bit of key strength for symmetric keys.
- In ECRYPT II, this is considered safe for security level 7, long term protection.
In the same ECRYPT II publication you can find a practical comparison of key size equivalence between symmetric key sizes and RSA, discrete log (DLOG) and EC keylengths.
- ECRYPT II arrives at the interesting conclusion that for an equivalence of 128 bit symmetric size, you will need to use an 3248 bit RSA key (II & SYM, 2012).
There are a couple of other studies comparing keylengths and their respective strengths.
- The website https://www.keylength.com/ compares these papers and offers a good overview of approximations for key lengths based on recommendations by different standardization bodies and academic publications.
- Figure #fig:keylengths.com[1] shows a typical comparison of keylengths on this web site.
"Screenshot for 128 bit symmetric key size equivalents"
Summary
- Asymmetric public-key cryptography
- we consider any key length below 3248 bits to be deprecated at the time of this writing (for long term protection)
- For elliptic curve cryptography
- we consider key lengths below 256 bits to be inadequate for long term protection
- For symmetric algorithms
- we consider anything below 128 bits to be inadequate for long term protection