It Is Time to Stop Using Short Security Keys

Why Key Lengths Are Important

The length of a key used in a signing or encryption algorithm determines how hard it is to break the encryption by guessing the key. Consider this: if a key had only four bits, there would be only sixteen possible keys. With sixteen bits there would be 65,536. With 1024 bits there are about 1.8e+308 (that is about 18 followed by 307 zeroes!) possible keys. For 2048 bits we get about 3.2e+616, which is clearly a lot!

With four bits, then, an attacker would need to make at most sixteen tries to find the right key; with sixteen bits, 65 thousand-plus tries. It is easy to search 65 thousand keys, but searching 2048 bits' worth would take a very long time indeed. One caveat: those counts describe exhaustive search of a symmetric key. An RSA key is not attacked that way; the attacker factors the modulus, which is far easier than trying every 2048-bit value, so NIST rates a 2048-bit RSA key at roughly the strength of a 112-bit symmetric key (and a 1024-bit RSA key at about 80 bits). The principle still holds: for the same algorithm, longer keys mean stronger encryption, and shorter keys mean weaker encryption. We discuss encryption, keys and strength at length in Learning Tree Course 468, System and Network Security Introduction.


Best Practices NIST Recommends

The US National Institute of Standards and Technology reviewed computer capabilities and encryption technology in 2010 and published its conclusions in 2011 (Special Publication 800-131A). The report recommends the key lengths agencies should use for specific cryptographic algorithms, identifies which algorithms are strong enough to keep using, and sets dates by which the others must be discontinued.

For instance:

Algorithm             Use                        Status
Two-key Triple DES    Encryption                 Acceptable through 2010; restricted use from 2011 through 2015; disallowed after 2015
Two-key Triple DES    Decryption                 Acceptable through 2010; legacy use after 2010
Three-key Triple DES  Encryption and decryption  Acceptable
SKIPJACK              Encryption                 Acceptable through 2010
SKIPJACK              Decryption                 Acceptable through 2010; legacy use after 2010
AES-128               Encryption and decryption  Acceptable
AES-192               Encryption and decryption  Acceptable
AES-256               Encryption and decryption  Acceptable

There are other recommendations in the report too, including the lengths of keys used for digital signatures, how to generate random numbers and other items related to cryptography. One important recommendation is the use of 2048-bit or longer keys for the RSA encryption used in SSL/TLS on the Web.

The Impact of the Change


Using longer keys means changing software. It means saying “We won’t process the older stuff any longer.” It also means re-keying servers: generating new, longer keys and obtaining new certificates for them. It is a big job, and with the 2015 deadline approaching, the time to start is now.

The folks at the Mozilla project realized this and are phasing out certificates with 1024-bit RSA keys. This is a very good thing. There are reports that over 100,000 sites were affected by the change, but that is a very small part of the Internet, indeed.
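The first step in that re-keying job, and the quickest way to learn whether one of your own certificates falls under Mozilla's 1024-bit cut-off, is to measure the RSA modulus in each public key you deploy. The audit below is an added example, not code from the original post or from Mozilla or NIST: it parses the DER SubjectPublicKeyInfo inside a "PUBLIC KEY" PEM block with a minimal DER reader from the standard library and flags anything under the 2048-bit minimum the NIST report recommends. The sample keys it checks are constructed (their moduli are not real RSA moduli; they only exercise the parser), and the `make_spki`, `der_to_pem` and `audit_key` helpers are names chosen for this example.

```python
"""Audit RSA public-key sizes with only the standard library: parse a DER
SubjectPublicKeyInfo (the content of a "PUBLIC KEY" PEM block) and flag any
RSA modulus shorter than 2048 bits."""
import base64
import re

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")
MIN_RSA_BITS = 2048  # NIST SP 800-131A minimum for new RSA keys


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Return the modulus size in bits of an rsaEncryption SubjectPublicKeyInfo:
    SEQUENCE { SEQUENCE { OID rsaEncryption, NULL },
               BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }"""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE (is this a SubjectPublicKeyInfo?)")
    tag, alg_id, pos = _read_tlv(spki, 0)
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    # A BIT STRING starts with one byte counting unused trailing bits (0 here).
    _, rsa_pub, _ = _read_tlv(bit_string[1:], 0)
    mod_tag, modulus, _ = _read_tlv(rsa_pub, 0)
    if mod_tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    # bit_length() ignores the 0x00 byte DER prepends to keep the INTEGER positive.
    return int.from_bytes(modulus, "big").bit_length()


def pem_to_der(pem):
    """Extract and base64-decode the body of a PEM 'PUBLIC KEY' block."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("no PUBLIC KEY block found")
    return base64.b64decode("".join(m.group(1).split()))


def audit_key(spki_der, minimum=MIN_RSA_BITS):
    """Return (bits, verdict); verdict is 'OK' or a 'WEAK: ...' message."""
    bits = rsa_modulus_bits(spki_der)
    if bits >= minimum:
        return bits, "OK"
    return bits, "WEAK: %d-bit RSA is below the %d-bit minimum; reissue the key" % (bits, minimum)


# --- Constructed test keys (not real RSA moduli; they only exercise the parser) ---

def _tlv(tag, value):
    """DER-encode one TLV, using the long length form when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + value


def _der_int(v):
    b = v.to_bytes((max(v.bit_length(), 1) + 7) // 8, "big")
    if b[0] & 0x80:  # prepend 0x00 so the INTEGER is read as positive
        b = b"\x00" + b
    return _tlv(0x02, b)


def make_spki(modulus, exponent=65537):
    """Build a DER SubjectPublicKeyInfo around an arbitrary modulus (test data only)."""
    rsa_pub = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + _tlv(0x05, b""))
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_pub))


def der_to_pem(der):
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


# Constructed samples: a 1024-bit and a 2048-bit modulus (top and bottom bits set).
WEAK_PEM = der_to_pem(make_spki((1 << 1023) | 1))
STRONG_PEM = der_to_pem(make_spki((1 << 2047) | 1))

if __name__ == "__main__":
    for label, pem in (("constructed 1024-bit", WEAK_PEM), ("constructed 2048-bit", STRONG_PEM)):
        bits, verdict = audit_key(pem_to_der(pem))
        print("%s: %d bits -> %s" % (label, bits, verdict))
```

To audit a real server, feed `pem_to_der` the output of `openssl x509 -in cert.pem -pubkey -noout` (or any "PUBLIC KEY" block) instead of the constructed samples. The parser deliberately rejects anything that is not an rsaEncryption key rather than guessing, since an ECDSA key's bit count is not comparable with RSA's.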

The inconvenience to the few sites that are slow to change is minimal compared to the benefit we all get from longer keys. As computers get faster and faster, and as one can rent them more and more cheaply in the cloud, the need for greater encryption strength, and thus longer keys, continues to increase.

Was a favorite site of yours impacted? Has your company been impacted? Let us know in the comments below.

To your safe computing,
John McDermott
