RSA key lengths

From http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml

When you create an RSA key pair, you specify a key length in bits, as generally you would for other algorithms. Specifically, the key length of an RSA key specifies the number of bits in the modulus. In our RSA encryption example, we specified a key length of 2048 bits. But in practice, what RSA key length should we choose?

First the short answer:

  • an RSA key length of 1024 bits is sufficient for many medium-security purposes such as web site logins;
  • for high-security applications[1] or for data that needs to remain confidential for more than a few years, you should use at least a 2048-bit key, and consider having a contingency plan for migrating to larger key sizes;
  • to keep data confidential for more than the next two decades, RSA recommends a key size larger than 2048 bits (see below).

So, why not just make the key much longer, say 4096 bits or even 8192 bits? Well, as usual, there's no such thing as a free lunch. A larger key increases the maximum number of bytes that we can encrypt at once, and also the security of the encryption. But it has a serious problem in practice:

With every doubling of the RSA key length, decryption is 6-7 times slower.

Figure 1 shows how decryption time increases with modulus length. The timings were made on a 2GHz Pentium.

Figure 1: RSA decryption time by key length.

The key length also affects the speed of encryption, but it's usually the speed of decryption that we're more concerned about because (a) that's the part that takes place on the server, and (b) decryption is much much slower than encryption, because the decryption exponent is huge (whereas the encryption exponent is typically small).

If we use a 4096-bit modulus, it takes around a second of CPU time to decrypt a block of data. Even if you were able to sacrifice this amount of CPU to every login, it leaves us with the problem that an attacker can effectively burn a second of CPU time on our server by firing some random data at it. With a 1024-bit key length, decryption takes just 25 milliseconds; with suitable restrictions on the rate of login attempts (and thus decryptions) we allow per remote client, protecting against a "CPU burn" attack is more feasible.
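To see the cost of each doubling and the gap between encryption and decryption on your own hardware, the following benchmark (an added example, not code from the original article) times both operations at 1024, 2048 and 4096 bits and prints the sizes of the public and private exponents. The class name, the OAEP transformation and the 32-byte sample message are choices made for this example.

```java
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import javax.crypto.Cipher;

public class RsaKeyLengthTiming {
    static final String TRANSFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Mean time in microseconds for one encrypt or decrypt of `input`.
    static double meanMicros(int mode, Key key, byte[] input, int reps) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        long start = System.nanoTime();
        for (int i = 0; i < reps; i++) {
            cipher.init(mode, key);
            cipher.doFinal(input);
        }
        return (System.nanoTime() - start) / 1000.0 / reps;
    }

    public static void main(String[] args) throws Exception {
        byte[] message = new byte[32];          // constructed sample: a random 256-bit value
        new SecureRandom().nextBytes(message);
        double previousDecrypt = 0;
        for (int bits : new int[] {1024, 2048, 4096}) {
            KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
            generator.initialize(bits);         // key length = number of bits in the modulus
            KeyPair pair = generator.generateKeyPair();
            RSAPublicKey pub = (RSAPublicKey) pair.getPublic();
            RSAPrivateKey priv = (RSAPrivateKey) pair.getPrivate();

            Cipher cipher = Cipher.getInstance(TRANSFORM);
            cipher.init(Cipher.ENCRYPT_MODE, pub);
            byte[] ciphertext = cipher.doFinal(message);

            // Warm up the JIT before measuring, then time both directions.
            meanMicros(Cipher.ENCRYPT_MODE, pub, message, 20);
            meanMicros(Cipher.DECRYPT_MODE, priv, ciphertext, 20);
            double encrypt = meanMicros(Cipher.ENCRYPT_MODE, pub, message, 50);
            double decrypt = meanMicros(Cipher.DECRYPT_MODE, priv, ciphertext, 50);

            System.out.printf("modulus %d bits, e %d bits, d %d bits: encrypt %.0f us, decrypt %.0f us%s%n",
                    pub.getModulus().bitLength(), pub.getPublicExponent().bitLength(),
                    priv.getPrivateExponent().bitLength(), encrypt, decrypt,
                    previousDecrypt > 0 ? String.format(" (decrypt x%.1f vs previous size)", decrypt / previousDecrypt) : "");
            previousDecrypt = decrypt;
        }
    }
}
```

Absolute timings depend on the CPU and JVM, so use the printed decrypt figure for your chosen key length when sizing a per-client limit on login attempts.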

How secure is an n-bit RSA key?

As ever, judging the security of a key of a given size is a complex issue. With current knowledge, "breaking" an RSA key by brute force effectively means factoring the modulus. The largest number that has been factored publicly to date is RSA-640, a 640-bit number put up as a challenge by RSA and factored in 2005. This number took "only" around 350 CPU hours (using a cluster of 80 2.2 GHz Opterons). Put another way, you can rent that CPU time from Amazon for about 50 dollars. This is a simplistic view: it doesn't take into account memory and data transfer requirements. And the experimental software used by the team isn't exactly a "plug and play RSA cracker": it surely requires considerable configuration by somebody well versed in number theory.

Factoring RSA 512-bit keys is now squarely within the reach of anyone who is determined enough. As testimony to this, several 512-bit RSA keys used to sign the operating systems of Texas Instruments calculators were recently factored, reportedly within "several months".

So what about 1024-bit keys? Generally, this size will keep your data safe now from an adversary with modest resources. But it's not sufficient for keeping data confidential much into the future, or for keeping it secret from an adversary prepared to devote a few million dollars to the problem. To see why, we'll look below at some estimates on the difficulty of breaking 1024-bit RSA encryption.

One estimate is made by Shamir & Tromer (2003) in their hypothetical TWIRL device. They suggested that for "a few dozen million US dollars", a hardware device could be built to break a 1024-bit RSA key within around a year. Franke et al (2005) similarly estimate a cost of 200 million dollars[2] for a machine to factorise a 1024-bit number in one year. If these cost estimates are accurate, it's safe to assume that the NSA has built such a machine (unless they have another way of breaking RSA more efficiently). And by Moore's Law alone, we'd assume that their machine takes considerably less than a year.

Based on Shamir & Tromer's estimate, Kaliski (2003; see reference in footnote 1) recommends the following RSA key lengths depending on how long data is intended to remain confidential:

Recommended RSA key sizes depending on lifetime of confidential data.

Lifetime of data    RSA key size
Up to 2010          1024 bits
Up to 2030          2048 bits
2031 onwards        3072 bits

Shamir & Tromer considered hardware because they estimated that a solution in software would not scale beyond around 500 bits. Thorsten Kleinjung (one of the team that broke RSA-640) estimates that around 8.4 million CPU years are needed to factorise a 1024-bit number in software[3] (his estimate is specifically 8.4 million uniprocessor PCs, taking into account memory and data transfer requirements). Using my favourite crude approximation, that's a million or so dollars of rented CPU time in 2009. It's not clear if and how this would scale to, say, several thousand 256-core machines (bearing in mind that that could be a fairly modest botnet by, say, 2020).

Ferguson & Schneier (2003) in Practical Cryptography are actually more conservative than the RSA recommendations:

"The absolute minimum size for n is 2048 bits or so if you want to protect your data for 20 years. [...] If you can afford it in your application, let n be 4096 bits long, or as close to this size as you can get it." (p. 233)

They also recommend checking that your software supports keys up to 8192 bits, "just in case". To my knowledge, Sun's RSA implementation does in principle support this size, but at present it is impractical performance-wise.
