info gnutls

3.7 Selecting Cryptographic Key Sizes

In TLS, since a lot of algorithms are involved, it is not easy to set a consistent security level. For this reason this section presents a correspondence between key sizes of symmetric algorithms and public key algorithms, based on the most conservative values of [SELKEY] (see section Bibliography). Those can be used to generate certificates with appropriate key sizes as well as parameters for Diffie-Hellman and SRP authentication.

Year   Symmetric key size   RSA key size, DH and SRP prime size   ECC key size
1982   56                   417                                   105
1988   61                   566                                   114
2002   72                   1028                                  139
2015   82                   1613                                  173
2028   92                   2362                                  210
2040   101                  3214                                  244
2050   109                  4047                                  272

The first column gives an estimate of the year until which these parameters are considered safe; the remaining columns list the corresponding key sizes for the various algorithms.

Note however that the values suggested here are nothing more than an educated guess that is valid today. There are no guarantees that an algorithm will remain unbreakable or that these values will remain constant in time. There could be scientific breakthroughs that cannot be predicted, or a total failure of the current public key systems due to quantum computers. On the other hand, the cryptosystems used in TLS are selected in a conservative way, and such catastrophic breakthroughs or failures are believed to be unlikely.

NIST publication SP 800-57 [NISTSP80057] (see section Bibliography) contains a similar table that extends beyond the key sizes given above.

Bits of security   Symmetric key algorithms   RSA key size, DSA, DH and SRP prime size   ECC key size
80                 2TDEA                      1024                                       160-223
112                3DES                       2048                                       224-255
128                AES-128                    3072                                       256-383
192                AES-192                    7680                                       384-511
256                AES-256                    15360                                      512+

The recommendations are fairly consistent.
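The point of both tables is that a TLS configuration is only as strong as its weakest component. The following is an added example, not code from the GnuTLS manual: it maps each piece of key material (certificate key, DH parameters, ECDHE curve, cipher) to the NIST SP 800-57 row it satisfies and reports the component that bounds the whole configuration; the sample configuration is constructed for illustration.

```python
# Added example (not from the GnuTLS manual): audit TLS key material against the
# NIST SP 800-57 table above and report the weakest link, i.e. the effective
# security level of the whole setup. Sizes below the 80-bit row map to 0 bits.

# Rows from the table: (bits of security, RSA/DSA/DH/SRP prime size, ECC key size)
NIST_LEVELS = [(80, 1024, 160), (112, 2048, 224), (128, 3072, 256),
               (192, 7680, 384), (256, 15360, 512)]
# Symmetric algorithms named in the table and their bits of security
SYMMETRIC = {"2TDEA": 80, "3DES": 112, "AES-128": 128, "AES-192": 192, "AES-256": 256}

def _level(size, column):
    """Largest level whose minimum in `column` (1 = prime, 2 = ECC) `size` meets."""
    bits = 0
    for row in NIST_LEVELS:
        if size >= row[column]:
            bits = row[0]
    return bits

def security_bits(kind, value):
    """Bits of security for one component: kind 'rsa'/'dsa'/'dh'/'srp' (value is
    the prime or modulus size), 'ecc' (curve size) or 'symmetric' (table name)."""
    if kind in ("rsa", "dsa", "dh", "srp"):
        return _level(value, 1)
    if kind == "ecc":
        return _level(value, 2)
    if kind == "symmetric":
        return SYMMETRIC[value]
    raise ValueError("unknown component kind: %r" % kind)

def weakest_link(config):
    """config maps component name -> (kind, value); returns (bits, name) for the
    component that bounds the security level of the whole configuration."""
    levels = {name: security_bits(k, v) for name, (k, v) in config.items()}
    name = min(levels, key=levels.get)
    return levels[name], name

def required_sizes(bits):
    """Smallest listed prime and ECC sizes that give at least `bits` of security."""
    for level, prime, ecc in NIST_LEVELS:
        if level >= bits:
            return {"prime": prime, "ecc": ecc}
    raise ValueError("no listed level reaches %d bits" % bits)

# Constructed configuration: a 2048-bit RSA certificate paired with 1024-bit DH
# parameters, a 256-bit curve and AES-128; the DH parameters are the weak link.
EXAMPLE_CONFIG = {"rsa_cert": ("rsa", 2048), "dh_params": ("dh", 1024),
                  "ecdhe_curve": ("ecc", 256), "cipher": ("symmetric", "AES-128")}

if __name__ == "__main__":
    print("effective security: %d bits, limited by %s" % weakest_link(EXAMPLE_CONFIG))
```

Sizes between two rows are rounded down to the row they fully satisfy, so a 4096-bit RSA key counts as 128 bits, not 192.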
