56 HomeYamamoto and the Secret Admirers
Neal Stephenson


Cryptographic keys and keysize
To understand the importance of keysize or key length you need to first understand what a cryptographic key is and the different types of key that there are.

Computer cryptography can be basically broken down into two different varieties.
1) Conventional or symmetric cryptography
2) Public key or asymmetric cryptography

In conventional cryptography the key that is used to decrypt the message is the same as that key that was used to encrypt the message. Whereas public key cryptography uses a set of two keys, the first is the public key and is used to encrypt the message and the second is the private key, which is used to decrypt the message.

A cryptographic key is basically just a huge number that is combined with the message using a cryptographic algorithm to produce an output 'ciphertext' that appears to be gibberish. The numbers used as keys are binary and so their lengths are expressed in bits for example in the novel Cryptonomicon the character Randy uses a 4096 bit key, this you will see is utterly paranoid.

Keys for public key cryptography are much larger than those used for conventional cryptography and so cannot be directly compared when considering the relative security of either's key length. But they share the principle that the larger the key the more secure the encryption.

Why are larger keys more secure?
Assuming everything else is secure and there are no vulnerabilities that can be exploited to crack an encrypted message then a process known as a brute force attack is used. A brute force attack is where every possible key is tried until the correct one is found therefore the larger the keysize the more possible keys there are that need to be tried. The security lies in the length of time that is required to find the correct key using a brute force attack but it can be hard to estimate what that length of time will be as it is dependent on the level of computing power that the cracker has at their disposal.

A public/private key pair of 1024 bits is considered to be adequate for most people and a key of 2048 bits is considered good enough by even the most paranoid of people to prevent cracking of their encrypted messages for a very long time. For comparison a RSA key of 512 bits was cracked in 1999. This crack required 300 PC's averaging 400 MHz and with at least 64 Mbytes of RAM, running for 2 months, and 10 days and Cray C90 supercomputer with 2.3 Gbytes of memory. From this and data from cracking smaller keys it can be extrapolated that for a 1024 bit key to be cracked would require about 1.4 billion 500 MHz machines, each with about 170 Gbytes of memory.

A direct equivalence between the size of a RSA key and size of a symmetric key is impossible but it is possible to calculate a cost equivalence for the cracking of keys of each type. It is thought that the cost in time and money to crack a 128 bit symmetric key is equivalent to that of a 1620 bit RSA key.

For more information see the essay at RSA Security's website

A Cost-Based Security Analysis of Symmetric and Asymmetric Key Lengths
By Robert D. Silverman, RSA Laboratories

© Copyright 2002  ElectricInca. All rights reserved. | About us