views: 2835
answers: 2

I'm in the process of creating a CSR, and I wonder which is arguably the best length for my RSA key.

Of course, 384 is probably too weak, and 16384 is probably too slow.

Is there a consensus on the key length one should use, depending on the certificate lifetime?

Edit: Like most people, I want my key to be reasonably strong. I'm not concerned that the NSA could maybe break my key in 2019. I just want to know what's the best practice when one plans to do normal business (for example, an e-commerce site).

+4  A: 

Bruce Schneier wrote back in 1999:

Longer key lengths are better, but only up to a point. AES will have 128-bit, 192-bit, and 256-bit key lengths. This is far longer than needed for the foreseeable future. In fact, we cannot even imagine a world where 256-bit brute force searches are possible. It requires some fundamental breakthroughs in physics and our understanding of the universe. For public-key cryptography, 2048-bit keys have the same sort of property; longer is meaningless.

Wikipedia writes:

RSA claims that 1024-bit keys are likely to become crackable some time between 2006 and 2010 and that 2048-bit keys are sufficient until 2030. An RSA key length of 3072 bits should be used if security is required beyond 2030. NIST key management guidelines further suggest that 15360-bit RSA keys are equivalent in strength to 256-bit symmetric keys.

RSA Laboratories writes (last changed in 2007 according to archive.org):

RSA Laboratories currently recommends key sizes of 1024 bits for corporate use and 2048 bits for extremely valuable keys like the root key pair used by a certifying authority.

It would be nice if someone who knows more could answer why there's this difference.

Georg
I'll go for 2048 then:) Thanks!
Brann
+2  A: 

As many customers require compliance with NIST cryptographic standards, I use the guidance in NIST Special Publication 800‑57 (Part 1), §5.6. Most of our applications are a good fit for 112 "bits" of security, so that corresponds to triple-DES (or a small bump up to 128-bit AES) for symmetric ciphers and a 2048-bit key for RSA. See Table 2 for a rough equivalence.

Valid or not, being able to refer them to a NIST publication helps customers feel better about security (if they bother to ask).

erickson
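Both answers end up at the same rule: pick the security strength you need for the certificate's lifetime, then take the RSA size NIST SP 800-57 Part 1 (Table 2) pairs with it. The script below is an added example, not code from either answer or from NIST; it encodes that rule (80-bit strength through 2010, 112-bit through 2030, 128-bit beyond 2030, matching the years quoted above) and then checks an actual key by walking the DER of a SubjectPublicKeyInfo to read the RSA modulus length, which is the check a CA or an internal PKI would run on an incoming CSR. The DER walker, the function names and the `sample_spki()` test vector (a dummy modulus of the requested size, not a real RSA key) are all my own constructions.

```python
"""Check that an RSA public key (SubjectPublicKeyInfo, DER) is long enough for
the year a certificate expires, per NIST SP 800-57 Part 1.

Added example; the DER helpers and sample key below are constructed for this
demonstration and are not part of any answer or standard.
"""

# NIST SP 800-57 Part 1, Table 2: security strength (bits) -> RSA modulus size (bits).
RSA_BITS_FOR_STRENGTH = {80: 1024, 112: 2048, 128: 3072, 192: 7680, 256: 15360}

# DER-encoded OID 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_OID = bytes.fromhex("2a864886f70d010101")


def required_strength(expiry_year):
    """NIST SP 800-57 Part 1 time frames: 80-bit strength through 2010,
    112-bit through 2030, 128-bit beyond 2030 (the years quoted in the thread)."""
    if expiry_year <= 2010:
        return 80
    if expiry_year <= 2030:
        return 112
    return 128


def required_rsa_bits(expiry_year):
    """Minimum RSA modulus size for a certificate that expires in expiry_year."""
    return RSA_BITS_FOR_STRENGTH[required_strength(expiry_year)]


def der_tlv(tag, value):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def der_int(x):
    """DER INTEGER for a non-negative int (leading 0x00 if the top bit is set)."""
    b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der_tlv(0x02, b)


def read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("indefinite, oversized or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], end


def rsa_modulus_bits(spki_der):
    """Walk SubjectPublicKeyInfo -> AlgorithmIdentifier / BIT STRING -> RSAPublicKey
    and return the bit length of the modulus n."""
    tag, spki, _ = read_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_tag, alg, pos = read_tlv(spki)
    oid_tag, oid, _ = read_tlv(alg)
    if alg_tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    bs_tag, bitstr, _ = read_tlv(spki, pos)
    if bs_tag != 0x03 or not bitstr or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING for subjectPublicKey")
    _, rsapub, _ = read_tlv(bitstr[1:])          # RSAPublicKey ::= SEQUENCE { n, e }
    n_tag, n_bytes, _ = read_tlv(rsapub)
    if n_tag != 0x02:
        raise ValueError("RSAPublicKey.modulus must be an INTEGER")
    return int.from_bytes(n_bytes, "big").bit_length()


def check_key_for_expiry(spki_der, expiry_year):
    """Return (acceptable, actual_bits, required_bits) for a key and an expiry year."""
    actual = rsa_modulus_bits(spki_der)
    required = required_rsa_bits(expiry_year)
    return actual >= required, actual, required


def sample_spki(modulus_bits):
    """Constructed test vector: a SubjectPublicKeyInfo wrapping a dummy modulus of
    exactly modulus_bits bits (NOT a real RSA key; only the encoding matters here)."""
    n = (1 << (modulus_bits - 1)) | 1          # top bit set -> exact bit length
    rsapub = der_tlv(0x30, der_int(n) + der_int(65537))
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsapub))


if __name__ == "__main__":
    for bits, year in ((1024, 2012), (2048, 2025), (2048, 2035), (3072, 2035)):
        ok, actual, need = check_key_for_expiry(sample_spki(bits), year)
        print(f"{actual}-bit key, cert expiring {year}: need >= {need} -> "
              f"{'OK' if ok else 'TOO SHORT'}")
```

To run this against a real CSR, feed `rsa_modulus_bits()` the DER bytes of the CSR's SubjectPublicKeyInfo (the `subjectPKInfo` field of CertificationRequestInfo); the strength thresholds are the only policy knob, so a site that wants 128-bit strength across the board simply makes `required_strength()` return 128.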