A Question of Key Length

Similar documents
White Paper. Enhancing Website Security with Algorithm Agility

An Introduction to Cryptography as Applied to the Smart Grid

Cryptography & Digital Signatures

NEO Manager Quick Start Guide

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

CRYPTOGRAPHY IN NETWORK SECURITY

YubiKey PIV Deployment Guide

An Introduction to Cryptography and Digital Signatures

CSCE 465 Computer & Network Security

Walter Fumy discusses the importance of IT security standards in today s world and the role that SC 27 plays in this field.

Introduction to Cryptography

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Figure 1: Application scheme of public key mechanisms. (a) pure RSA approach; (b) pure EC approach; (c) RSA on the infrastructure

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

Public Key (asymmetric) Cryptography

PowerKey Conditional Access System Phase 1.0. System Overview. Revision 1.0

Overview of Public-Key Cryptography

IT Networks & Security CERT Luncheon Series: Cryptography

Ciphire Mail. Abstract

2. Cryptography 2.4 Digital Signatures

Yubico PIV Management Tools

A New Efficient Digital Signature Scheme Algorithm based on Block cipher

Capture Resilient ElGamal Signature Protocols

What Are Certificates?

Internet Programming. Security

An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood

FIPS Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

Public Key Cryptography. Performance Comparison and Benchmarking

BRIEF INTRODUCTION TO CRYPTOGRAPHY. By PAGVAC. February 8, 2004

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Chapter 6 Electronic Mail Security

How To Encrypt Data With Encryption

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Cryptography & Network Security. Introduction. Chester Rebeiro IIT Madras

Outline. Digital signature. Symmetric-key Cryptography. Caesar cipher. Cryptography basics Digital signature

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

NXP & Security Innovation Encryption for ARM MCUs

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

SSL/TLS: The Ugly Truth

Table of Contents. Bibliografische Informationen digitalisiert durch

A SOFTWARE COMPARISON OF RSA AND ECC

Fighting product clones through digital signatures

A Noval Approach for S/MIME

COMPARISON AND EVALUATION OF DIGITAL SIGNATURE SCHEMES EMPLOYED IN NDN NETWORK

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

IoT Security Platform

PGP from: Cryptography and Network Security

High-speed cryptography and DNSCurve. D. J. Bernstein University of Illinois at Chicago

Public Key Cryptography in Practice. c Eli Biham - May 3, Public Key Cryptography in Practice (13)

Evaluation of Digital Signature Process

Elements of Applied Cryptography Public key encryption

Cryptography and Key Management Basics

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Cryptography and Network Security Chapter 15

What is a digital certificate, why do I need one, and how do I get it?

Software Tool for Implementing RSA Algorithm

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

SubmitedBy: Name Reg No Address. Mirza Kashif Abrar T079 kasmir07 (at) student.hh.se

Cryptography and Network Security

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

AStudyofEncryptionAlgorithmsAESDESandRSAforSecurity

Lecture 9 - Message Authentication Codes

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Cryptography and Network Security Chapter 14

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

HTTPS is Fast and Hassle-free with CloudFlare

YubiKey & OATH- TOTP Verification

Efficient Framework for Deploying Information in Cloud Virtual Datacenters with Cryptography Algorithms

HW/Lab 1: Security with PGP, and Crypto CS 336/536: Computer Network Security DUE 09/28/2015 (11am)

Elliptic Curve Cryptography

Content Teaching Academy at James Madison University

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Secure Network Communications FIPS Non Proprietary Security Policy

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Authentication requirement Authentication function MAC Hash function Security of

IMPROVED SECURITY MEASURES FOR DATA IN KEY EXCHANGES IN CLOUD ENVIRONMENT

Yubico Authenticator User's Guide

Unifying Information Security. Implementing Encryption on the CLEARSWIFT SECURE Gateway

Cryptography and Network Security

WIRELESS PUBLIC KEY INFRASTRUCTURE FOR MOBILE PHONES

CRYPTOGRAPHY AS A SERVICE

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Pretty Good Privacy (PGP)

Computer Security: Principles and Practice

Installation and usage of SSL certificates: Your guide to getting it right

GPG - GNU Privacy Guard

eid Security Frank Cornelis Architect eid fedict All rights reserved

Usable Crypto: Introducing minilock. Nadim Kobeissi HOPE X, NYC, 2014

2014 IBM Corporation

Electronic Mail Security. Security. is one of the most widely used and regarded network services currently message contents are not secure

Notes on Network Security Prof. Hemant K. Soni

Transcription:

A Question of Key Length Does Size Really Matter When It Comes To Cryptography? White Paper December 7, 2015 By Alessio Di Mauro A Question of Key Length 2015 Yubico. All rights reserved. Page 1 of 10

Copyright 2015 Yubico Inc. All rights reserved. Trademarks Yubico and YubiKey are trademarks of Yubico Inc. All other trademarks are the property of their respective owners. Disclaimer The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. Yubico shall have no liability for any error or damages of any kind resulting from the use of this document. The Yubico Software referenced in this document is licensed to you under the terms and conditions accompanying the software or as otherwise agreed between you or the company that you are representing. Contact Information Yubico Inc 420 Florence Street, Suite 200 Palo Alto, CA 94301 USA yubi.co/contact A Question of Key Length 2015 Yubico. All rights reserved. Page 2 of 10

Contents Introduction... 4 Simplified Cryptography Primer... 4 On to PGP... 5 Comparing Asymmetric Encryption Algorithms... 5 The Big Debate: 2048 vs. 4096 and Yubico s Stand... 8 What About ECC... 8 Where Does Yubico Stand?... 9 Addendum... 10 A Crash Course in Cryptography... 10 A Question of Key Length 2015 Yubico. All rights reserved. Page 3 of 10

Introduction One of the most interesting and useful aspects of the YubiKey NEO, YubiKey NEO-n, YubiKey 4, and YubiKey 4 Nano is that they can act as a smart card and come pre-loaded with a bunch of interesting applications, such as an implementation of OpenPGP Card. Many users like this functionality, but some question the key lengths. It s an expected cryptographic question and is worth examining in some detail. I will walk you through it. OpenPGP is a standard that allows users to encrypt, decrypt, sign, and authenticate data. It is an open, standardized variant of PGP, available as a FOSS implementation in the form GNU Privacy Guard (GPG) and is most notably used for email encryption and authentication. Independent of the actual implementation, OpenPGP (and PGP) supports both symmetric and asymmetric cryptography. Today we will focus on the latter. Simplified Cryptography Primer To better understand what follows, a few very basic concepts of cryptography are required. In asymmetric, or public key encryption, there are two main players: the encryption algorithm itself (such as RSA, ECC, or ElGamal) and a cryptographic key pair. Each encryption algorithm is normally based on a computationally hard problem. The mathematical transformation constitutes the operation that the encryption scheme can perform, such as encrypt/decrypt or sign/verify, whereas the keys provide the additional data. The two keys of a given key pair are strongly interconnected; this is a fundamental property of asymmetric cryptography. The keys must be used together to achieve different properties such as confidentiality, authenticity, and integrity. Confidentiality is a guarantee that the message is received only by the intended recipients. Authenticity guarantees the identity of the author, and integrity confirms both confidentiality and authenticity by ensuring that a message has not been modified in transit. (For a more detailed explanation on cryptography, see the Addendum at the end of this white paper.) A Question of Key Length 2015 Yubico. All rights reserved. Page 4 of 10

On to PGP All this can be achieved if, and only if, the secret key of a user remains uncompromised. However, not all keys are created equal. In computer security, the strength of a cryptographic key is defined by its length measured in number of bits, rather than being connected to the number and shape of its ridges and notches like in a physical key (say for your car). Provided that an encryption algorithm actually supports different key lengths, the general rule is that the longer the key, the better. Comparing Asymmetric Encryption Algorithms There are many asymmetric encryption algorithms, but let s focus on RSA, which is one of the most popular and is supported by the YubiKey NEO, YubiKey NEO-n, YubiKey 4, and YubiKey 4 Nano. What is a suitable key length to use with RSA and why not just use the longest key possible? RSA was first introduced in the 70s, but since it is based on a mathematically hard problem we are still able to use it with some adaptations. Historically, a common starting point for a key length has been 1024 bits. Despite the fact that attacks on this class of keys are very sophisticated and targeted to specific platforms, 1024-bit keys are generally considered not secure enough and their use is highly discouraged. In 2012, the National Institute of Standards and Technology (NIST), a US agency that promotes technological advancements, published a document that contained the following table (Table 4; page 67). A Question of Key Length 2015 Yubico. All rights reserved. Page 5 of 10

The column Security Strength, or more colloquially Bits of Security, is an estimation of the amount of work required to defeat a cryptographic algorithm, and therefore the higher the value, the better. The keywords Applying and Processing refer to encryption and decryption operations respectively. A Security Strength of 80 bits is currently Disallowed which translates to an algorithm or key length [that] shall not be used for applying cryptographic protection. Now, if you were guessing that 80 bits of security are approximately equivalent to RSA-1024, you have guessed right. This is mentioned in the same NIST document (Table 2, page 64). Similar results also can be found in ECRYPT II, the second incarnation of ECRYPT, the European Network of Excellence in Cryptography (Tables 7.2 and 7.3 on page 30 of the NIST document). For clarity, in the following text we will use the data from the NIST publication. The next relevant value in the table is 112 bits of security, which roughly corresponds to RSA with a key length of 2048 bits. At the moment this value is considered Acceptable, which means that it is not known to be insecure and it is deemed to be acceptable until 2030. Now comes the interesting bit. Although there is no requirement to use RSA keys with a length that is a power of two, depending on the implementation there might be some advantages in terms of speed. For this reason we take into account a length of 4096. Unfortunately, this value is not included in the table previously depicted. However, with a bit of exponential regression and assuming that the Security Strength function is continuous (or better, derivable) between the data points provided in the table above, we get the following plot: A Question of Key Length 2015 Yubico. All rights reserved. Page 6 of 10

As you can see, a 4096-bit RSA key clocks in at around 129 bits of security. This value is marginally better than a key length of 3072 bits, and considered Acceptable beyond year 2030. (Also see this key-length calculator.) A Question of Key Length 2015 Yubico. All rights reserved. Page 7 of 10

The Big Debate: 2048 vs. 4096 and Yubico s Stand Are 2048-bit keys useless? Are your documents completely insecure if you are using them? What are the pros and cons of one key length versus the other? As I have shown, RSA-2048 still has fifteen years of life left before it is considered obsolete. There is plenty of time not to be worried now. Just imagine where technology was fifteen years ago! While it is true that a longer key provides better security, we have shown that by doubling the length of the key from 2048 to 4096, the increase in bits of security is only 18, a mere 16%. Moreover, besides requiring more storage, longer keys also translate into increased CPU usage, higher power consumption, and slower operations. While this might not seem much on a modern computer where we measure things in the order of gigabytes and hundreds of watts, it is still a valid concern for the ever-increasing market of lowpower embedded devices, where CPU frequency is measured in kilohertz and power consumption in milliwatts and microwatts. In these cases, using a longer key means longer time to compute the result and shorter battery life on devices. The real advantage of using a 4096-bit key nowadays is future proofing, but by the time even RSA- 2048 is declared dead, hopefully Elliptic Curve Cryptography (ECC) will have taken over or, even better, new and wonderful encryption algorithms will have been discovered. What About ECC So what about Elliptic Curve Cryptography? These encryption schemes are an alternative to RSA and are based on a completely different mathematical problem. Apart from that, however, they are just normal asymmetric encryption algorithms. On the other hand, when it comes to speed and memory, ECC considerably outperforms RSA (with the notable exception of signature verification, where RSA is faster), even on embedded system and smaller microcontrollers. Key lengths for these kinds of algorithms are considerably smaller. According to NIST, 112 and 128 bits of security, (equivalent to RSA-2048 and RSA-4096) correspond to 255-bit and 383-bit long ECC keys (worst case, even less on some specific curves). So why are we not using this everywhere? Although the math behind them has been known for a while, ECC is a relatively new concept in cryptography, an inherently slow-changing and conservative field. New implementations and new fast reduction curves that make computation significantly quicker are still under study and it takes time. As if that was not enough, some curves and implementations are behind patent walls. Support for these algorithms in OpenPGP has been proposed, and the first implementations are slowly starting to appear. Implementing cryptography, however, is an error-prone procedure and a fine art in and of itself. A Question of Key Length 2015 Yubico. All rights reserved. Page 8 of 10

Blindly implementing an algorithm is usually not enough to plug all the potential security holes, and be impervious to side-channel attacks and the like. It is clear that once the issues are resolved and more implementations start coming around, the debate may shift to ECC or quantum-resistant algorithms. Where Does Yubico Stand? The YubiKey NEO and YubiKey NEO-n implement OpenPGP and support RSA up to 2048 bits. The YubiKey 4 and YubiKey 4 Nano, introduced in November 2015, also implement OpenPGP but add support for RSA 4096-bit keys. There is also the possibility of support for ECC, but it cannot be easily implemented without using some proprietary extensions. Moreover, as stated before, implementing crypto is a difficult process and although we have an initial version available on GitHub, this still requires more thorough testing before it is considered production-ready. A best practice is to determine how long you plan to use a specific key and then select a key length based on that decision. Everyday smart cards are fine at 2048 bits because they get changed out at regular intervals and will naturally migrate to longer key lengths over time. Long-term keys, such as your master OpenPGP key that isn t on a smart card or used every day, could be viable for the next 30 years if you pick longer key lengths today. All in all, we believe that the security of the asymmetric cryptography provided by the YubiKey NEO and YubiKey NEO-n is adequate for the time being. However, we are constantly working to keep ourselves ahead of the curve (no pun intended) and our new YubiKey 4 and YubiKey 4 Nano prove that, with their support for 4096-bit keys. A Question of Key Length 2015 Yubico. All rights reserved. Page 9 of 10

Addendum A Crash Course in Cryptography To better understand asymmetric cryptography, you need knowledge of some basic concepts. For those who are not familiar with public key cryptography, we will provide here a brief, strippeddown introduction to the topic. In asymmetric or public-key encryption there are two main players: the encryption algorithm itself (such as RSA, ECC, ElGamal) and a cryptographic key pair (there are also encryption/signature schemes such as PKCS#1, ECDSA and ECDH, but that is another discussion). The former is something that is (or should be ) publicly available. It tells us what are the steps to follow in order to encrypt and decrypt messages. A public/private key pair on the other hand is part of the input to the encryption algorithm and provides two things: the information necessary to uniquely identify a user (public key), and a connected secret required to make the scheme secure (private key). How does this all work together? Each encryption algorithm is normally based on a computationally hard problem. That is, some kind of mathematical operation that can be performed and inverted relatively easily provided that some information is available. The mathematical transformation constitutes the operation that the encryption scheme can perform, encrypt/decrypt, whereas the keys provide the additional data. The two keys of a same key pair are strongly interconnected. If the public key is used as part of a message transformation, only the private key can be used to invert it and obtain the same data back. This is a fundamental property of asymmetric cryptography and, depending on how the transformations are applied, and as long as the private key remains so, it allows us to achieve different properties such as confidentiality, authenticity, and integrity. Confidentiality is the guarantee a message will only be received (in a meaningful state) by its intended recipients. This is achieved by encrypting the message with the public key of the recipient, so that only she will be able to decrypt it with her private key. Authenticity, on the other hand, guarantees the identity of the author and can be achieved by signing a message with the private key of the author and verifying it with his public key. Finally, integrity is a somewhat orthogonal property, necessary for both confidentiality and authenticity to be upheld. It can guarantee that a message has reached a recipient (intended or not) unmodified. A typical way of providing integrity is through message authentication codes (MACs). A Question of Key Length 2015 Yubico. All rights reserved. Page 10 of 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information