Everything Totally Explained


Ask & we'll explain, totally!
Key size
Totally Explained

  NEW! All the latest news in the worlds of computer gaming, entertainment, the environment,  
finance, health, politics, science, stocks & shares, technology and much, much, more.  

View this entry using RSS

Everything about Key Size totally explained

In cryptography, key size or key length is the size (usually measured in bits or bytes) of the key used in a cryptographic algorithm (such as a cipher). An algorithm's key length is distinct from its cryptographic security, which is a logarithmic measure of the fastest known computational attack on the algorithm, also measured in bits. The security of an algorithm can't exceed its key length (since any algorithm can be cracked by brute force), but it can be smaller. For example, Triple DES has a key size of 168 bits but provides at most 112 bits of security, since an attack of complexity 2112 is known. This property of Triple DES isn't a weakness provided 112 bits of security is sufficient for an application. Most symmetric-key algorithms in common use are designed to have security equal to their key length. No asymmetric-key algorithms with this property are known; elliptic curve cryptography comes the closest with an effective security of roughly half its key length.

Significance

Keys are used to control the operation of a cipher so that only the correct key can convert encrypted text (ciphertext) to plaintext. Many ciphers are based on publicly known algorithms or are open source, and so it's only the difficulty of obtaining the key that determines security of the system, provided that there's no analytic attack (for example, a 'structural weakness' in the algorithms or protocols used), and assuming that the key isn't otherwise available (such as via theft, extortion, or compromise of computer systems). The widely accepted notion that the security of the system should depend on the key alone has been explicitly formulated by Auguste Kerckhoffs (in the 1880s) and Claude Shannon (in the 1940s); the statements are known as Kerckhoffs' principle and Shannon's Maxim respectively.
   A key should therefore be large enough that a brute force attack (possible against any encryption algorithm) is infeasible – i.e, would take too long to execute. Shannon's work on information theory showed that to achieve perfect secrecy, it's necessary for the key length to be at least as large as the message to be transmitted and only used once (this algorithm is called the One-time pad). In light of this, and the practical difficulty of managing such long keys, modern cryptographic practice has discarded the notion of perfect secrecy as a requirement for encryption, and instead focuses on computational security. Under this definition, the computational requirements of breaking an encrypted text must be infeasible for an attacker.
   The preferred numbers commonly used as key sizes (in bits) are powers of two, potentially multiplied with a small odd integer.

Key size and encryption system

Encryption systems are often grouped into families. Common families include symmetric systems (eg AES) and asymmetric systems (eg RSA), or may be grouped according to the central algorithm used (eg elliptical encryption systems).
   As each of these is of a different level of cryptographic complexity, it's usual to have different key sizes for the same level of security, depending upon the algorithm used. For example, the security available with a 1024-bit key using asymmetric RSA is considered approximately equal in security to an 80-bit key in a symmetric algorithm (Source: RSA Security).
   The actual degree of security achieved over time varies, as more computational power and more powerful mathematical analytic methods become available. For this reason cryptologists tend to look at indicators that an algorithm or key length shows signs of potential vulnerability, to move to longer key sizes or more difficult algorithms. For example as of May 2007, a 1039 bit integer was factored, with the special number field sieve using 400 computers over 11 months. The computation is roughly equivalent to breaking a 700 bit RSA key. 1024 bit RSA keys can not yet be factored, because the special number field sieve can not be used for RSA keys. However, this computation was a "good advanced warning" that 1024 bit RSA used in secure online commerce, should be deprecated since they may become breakable in the near future. Cryptography professor Arjen Lenstra observed that "Last time, it took nine years for us to generalize from a special to a nonspecial, hard-to-factor number" and when asked whether 1024-bit RSA keys are dead, said: "The answer to that question is an unqualified yes." (External Link)

Brute force attack

brute force attack. Since longer keys require more work to brute force search, a long enough key will require more work than is feasible. Thus, length of the key is important in resisting this type of attack.
   With a key of length n bits, there are 2n possible keys. This number grows extremely rapidly as n increases. Moore's law suggests that computing power doubles roughly every 18 months, but even this doubling effect leaves the key lengths currently considered acceptable well out of reach. The large number of operations (2128) required to try all possible 128-bit keys will be out of reach for all of humankind's conventional computing power for the foreseeable future.

Symmetric algorithm key lengths

US Government export policy has long restricted the 'strength' of cryptography which can be sent out of the country. For many years the limit was 40 bits. Today, a key length of 40 bits offers little protection against even a casual attacker with a single PC. The restrictions have not been removed (in 2007, it's still illegal to export cryptographic software using key lengths greater than 64-bits without authorization from the U.S. Bureau of Industry and Security), but it became easier to gain authorization to export to certain countries in 1999/2000.
   When the Data Encryption Standard cipher was released in 1977, a key length of 56 bits was thought to be sufficient (though there was speculation at the time that the NSA has deliberately reduced the key size from the original value of 112 bits, in IBM's Lucifer cipher, or 64 bits, in one of the versions of what was adopted as DES) so as to limit the 'strength' of encryption available to non-US users. The NSA has major computing resources and a large budget; some thought that 56 bits was NSA-breakable in the late '70s. However, by the late 90s, it became clear that DES could be cracked in a few days' time-frame with custom-built hardware such as could be purchased by a large corporation. The book Cracking DES (O'Reilly and Associates) tells of the successful attempt to break 56-bit DES by a brute force attack mounted by a cyber civil rights group with limited resources; see EFF DES cracker. 56 bits is now considered insufficient length for symmetric algorithm keys, and may have been for some time. More technically and financially capable organizations were surely able to do the same long before the effort described in the book. Distributed.net and its volunteers broke a 64-bit RC5 key in several years, using about seventy thousand (mostly home) computers.
   The NSA's Skipjack algorithm used in its Fortezza program employs 80 bit keys.
   DES has been replaced in many applications by Triple DES, which has 112 bits of security with 168-bit keys.
   The Advanced Encryption Standard published in 2001 uses a key size of (at minimum) 128 bits. It also can use keys up to 256 bits (a specification requirement for submissions to the AES contest). 128 bits is currently thought, by many observers, to be sufficient for the foreseeable future for symmetric algorithms of AES's quality. The U.S. Government requires 192 or 256-bit AES keys for highly sensitive data.
   In 2003 the U.S. National Institute for Standards and Technology, NIST, proposed that 80-bit keys should be phased out by 2015. As of 2005, 80-bit keys are allowed to be used only until 2010.

Asymmetric algorithm key lengths

The effectiveness of public key cryptosystems depends on the intractability (computational and theoretical) of certain mathematical problems such as integer factorization. These problems are time consuming to solve, but usually faster than trying all possible keys by brute force. Thus, asymmetric algorithm keys must be longer for equivalent resistance to attack than symmetric algorithm keys. As of 2002, a key length of 1024 bits was generally considered the minimum necessary for the RSA encryption algorithm. As of 2003 RSA Security claims that 1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys, 2048-bit RSA keys to 112-bit symmetric keys and 3072-bit RSA keys to 128-bit symmetric keys. RSA claims that 1024-bit keys are likely to become crackable some time between 2006 and 2010 and that 2048-bit keys are sufficient until 2030. An RSA key length of 3072 bits should be used if security is required beyond 2030. NIST key management guidelines further suggest that 15360-bit RSA keys are equivalent in strength to 256-bit symmetric keys.
   One of the asymmetric algorithm types, elliptic curve cryptography, or ECC, appears to be secure with shorter keys than those needed by other asymmetric key algorithms. NIST guidelines state that ECC keys should be twice the length of equivalent strength symmetric key algorithms. So, for example, a 224-bit ECC key would have roughly the same strength as a 112-bit symmetric key. These estimates assume no major breakthroughs in solving the underlying mathematical problems that ECC is based on. A message encrypted with an elliptic key algorithm using a 109-bit long key has been broken by brute force.

Effect of quantum computing on key strength

Bennett, Bernstein, Brassard, and Vazirani proved in 1996 that a brute-force key search on a quantum computer can't be faster than roughly 2n/2 invocations of the underlying cryptographic algorithm, compared with roughly 2n in the classical case. Algorithms which achieve this bound are known, such as Grover's algorithm. Thus in the presence of large quantum computers an n-bit key can provide at most n/2 bits of security. Quantum brute force is easily defeated by doubling the key length, which has little extra computational cost in ordinary use.
   In addition to the generic brute-force attack, specific quantum attacks on most public-key algorithms are known (including RSA, Diffie-Hellman and elliptic curve cryptography) which make them insecure at any key size if large quantum computers become available. No similar quantum attack is known against any symmetric cipher (such as AES).
   It is sometimes reported that quantum computers can break all classical cryptography by "trying all possible keys in parallel". This is incorrect.

Further Information

Get more info on 'Key Size'.


External Link Exchanges

Do you know how hard it is to get a link from a large encyclopaedia? Well we're different and will prove it. To get a link from us just add the following HTML to your site on a relevant page:

    <a href="http://key_size.totallyexplained.com">Key size Totally Explained</a>

Then simply click through this link from your web page. Our crawlers will verify your link, extract the title of your web page and instantly add a link back to it. If you like you can remove the words Totally Explained and embed the link in article text.
   As long as your link remains in place, we'll keep our link to you right here. Please play fair - our crawlers are watching. Your site must be closely related to this one's topic. Any kind of spamming, dubious practises or removing the link will result in your link from us being dropped and, potentially, your whole site being banned.



Copyright © 2007-8 totallyexplained.com | Licensed under the GNU Free Documentation License | Site Map
This article contains text from the Wikipedia article Key size (History) and is released under the GFDL | RSS Version