About: Cryptographic Algorithm Key Sizes
In cryptography, the key size is a measure of the number of possible keys which can be used in a cipher. The length of a key is critical in determining the susceptibility of a cipher to exhaustive search attacks.
Finding Weakness
Keys are used to control the operation of a cipher so that only the correct key can conver encrypted text known as ciphertext to plaintext. Many well known encryption methods and ciphers are based on publicly known algorithms which are usually open source. What this means is that only is there the difficulty of obtaining the key determines how difficult the code is to crack; which in turn determines the security/integrity/weakness of that particular system. Assuming that the key is not available (such as theft, extortion, compromised computer systems). The widely accepted notion that the security of the system should depend on the key alone has been explicity formulated by Auguste Kerckoffs in 1880 and Claude Shannon in 1940. Statements known as Kerckhoffs’ principle and Shannons’s maxim were created.
How Big does my key need to be secure?
A key should therefore be large enough that a brute force attack (possible against any encryption algorithm) is infeasible (i.e. not impossible, but would take such a theortically long time for it to desuade the hacker/cracker or to slow them down enough to pose minimum or even negligable security risk. Claude Shannon’s information th eory suggests that to achieve perfect secrecy, it is necessary for the key length to be at least as large as the message to be transmitted. The practical difficulty of managing such long keys, modern cryptographic practice has discarded the notion of perfect secrecy as a requirement for encryption, and instead focusses on computation security. This is an important thing to remember if you are protecting or breaching a system or infrastructure.
Does this mean there is no such thing as a secure password? Or just, its really not worth it? Or worse, people are so obsessed with functionality they can’t sit on their ass for 5 minutes to think about it more carefully?
the preferred numbers commonly used as key sizes (in bits) are powers of two, potentially multiplied with a small odd integer.
Brute Force Attack on Key’s
Even if a cipher is unbreakable by exploiting structural weaknesses in the algorithm, it is possible to run through the entire space of keys in what is known as a brute force attack. Since longer keys require more work to brute force search, a long enough key will require more work than is feasible. Thus, length of the key is important in resisting this type of attack.
With a key length of n bits, there are 2^n possible keys.
The number of possible keys grows rapidly as n increases. Moore’s Law suggests thatcomputing power doubles roughly every 18 months, but even this doubling effect leaves the key length currently considered acceptable well out of reach. The large number of operations (2^128) required to try all possible 128-bit keys will be out of reach for all of humankind’s conventional computing power for the forseeable future. (apparently!)
Symmetric Algorithmn Key Lengths
US government export policy has long restricted the “strength” of cryptography which can be sent out of the country. For many years the limit was 40 bits. today, a key length of 40 bits offers little protection against even a casual attacker with a single PC. The restrictions have not been removed (it is still illegal to export some cryptographic products), but the limit was effectively raised to 128-bit key length in 1999 and 2000.
Whgen the Data Encryption Standard cipher was released in 1977, a key length of 56 bitrs was thought to be sufficient (though there was speculation at the time that the NSA intentionally reduced the key size from the original value of 112 bits, in IBM’s Lucifer cipher, or 64 bits, in one of the versions that was adopted as DES) so as to limit the strength of ecnryption available to non-US users. The NSA has major computing resources and a large budget; some though that 56 bits was NSA-breakable in the late ’70’s. However by the late 90’s, it became clear that DES could be cracked in a few days’ time-frame with custom build hardware such as could be purchased by a large corporation (or the NSA btw). The book cracking DES tells of the succesful attempt to break 56-bit DES by a brute force attack mounted by a cyber civil rights group with limited resources; see EFF DES cracker.
Assymmetric Algorithm key Length
The effectiveness of public key cryptosystems depends on the intractability (computation and theoretical) of certain methematical problems such as integer factorization. These problems are time consuming to solve, but usually faster than trying all possible keys by brtute force. Thus, asymmetric keys must be longer for equivalent resistance to attack thanb symmetric algorithm keys. As of 2002, a key length of 1024 bits was generally considered the minimum necessary for the RSA encryption algorithm. As of 2003 RSA security claims that the 1024-bit RSA keys are equivalent in strength to that of 80-bit symmetric keys, 2048-bit RSA keys to 112-bit symmetric keys and 3072-bit RSA keys to 128-bit symmetric keys. RSA claims that 1024-bit keys are likely to become crackable sometime between 2006 and 2010 and that 2048-bit keys are sufficient until 2030. An RSA key length of 3072 bits should be used if security is required beyond 2030. NIST key management guidelines further suggest that 15360-bit RSA keys are equivalent in strength to 256-bit symmetric keys.
One of the assymmetric algorithm types, elliptic curve cryptography, or ECC, appears to be secure with shorter keys than those needed by other assymetric key algorithms. NIST guildeines states that ECC keys should be twice the length of equivalent strength symmetric key algorithms. So, for example a 224-bit ECC key would have roughly the same strength that a 112-bit symmetric key would have. These estimates assume no major breakthroughs in solving the underlying mathematical problems that ECC is based on. A message encrypted with an elliptic key algorithm using a 109-bit long key has been broken by brute force. Amazing.
source: wikipedia