Cryptographic Key Length Recommendation

In most cryptographic functions, the key length is an important security parameter. Both academic and private organizations publish recommendations and mathematical formulas that approximate the minimum key size needed for a given level of security. Despite the availability of these publications, choosing an appropriate key size to protect your system from attacks remains a headache, because you need to read and understand all of these papers.

This web site implements those mathematical formulas and summarizes the reports of well-known organizations, allowing you to quickly evaluate the minimum security requirements for your system. You can also easily compare all of these techniques and find the appropriate key length for your desired level of protection. The lengths provided here are designed to resist mathematical attacks only; they do not take algorithmic attacks, hardware flaws, implementation weaknesses, etc. into account.

Choose a Method
NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. The recommendations in this report [4] are intended for use by Federal agencies and provide key sizes together with algorithms. The first table gives the cryptoperiod for 19 types of key use. A cryptoperiod is the time span during which a specific key is authorized for use by legitimate entities, or during which the keys for a given system remain in effect. The second table presents the key length recommendations.
Cryptoperiods by key type. Where a single value is given, it applies to the whole cryptoperiod; where two are given, the first is the Originator Usage Period (OUP) and the second the Recipient Usage Period.

| Key Type | Originator Usage Period (OUP) | Recipient Usage Period |
|---|---|---|
| Private Signature Key | 1-3 years | |
| Public Signature Key | Several years (depends on key size) | |
| Symmetric Authentication Key | <= 2 years | <= OUP + 3 years |
| Private Authentication Key | 1-2 years | |
| Public Authentication Key | 1-2 years | |
| Symmetric Data Encryption Key | <= 2 years | <= OUP + 3 years |
| Symmetric Key Wrapping Key | <= 2 years | <= OUP + 3 years |
| Symmetric and asymmetric RNG Keys | Upon reseeding | |
| Symmetric Master Key | About 1 year | |
| Private Key Transport Key | <= 2 years (1) | |
| Public Key Transport Key | 1-2 years | |
| Symmetric Key Agreement Key | 1-2 years | |
| Private Static Key Agreement Key | 1-2 years (2) | |
| Public Static Key Agreement Key | 1-2 years | |
| Private Ephemeral Key Agreement Key | One key agreement transaction | |
| Public Ephemeral Key Agreement Key | One key agreement transaction | |
| Symmetric Authorization Key | <= 2 years | |
| Private Authorization Key | <= 2 years | |
| Public Authorization Key | <= 2 years | |
In some cases risk factors affect the cryptoperiod selection (see section 5.3.1 in report [4]).
(1) In certain email applications where received messages are stored and decrypted at a later time, the cryptoperiod of the Private Key Transport Key may exceed the cryptoperiod of the Public Key Transport Key.
(2) In certain email applications whereby received messages are stored and decrypted at a later time, the cryptoperiod of the Private Static Key Agreement Key may exceed the cryptoperiod of the Public Static Key Agreement Key.
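The cryptoperiod table is easiest to apply when the two usage periods are turned into concrete dates. The following Python is an added example, not code from the BlueKrypt site or from NIST: it transcribes the calendar-bounded rows of the table above (ranges such as "1-2 years" are taken at their upper bound, and entries whose period is an event rather than a span, such as RNG and ephemeral keys, are left out), computes the last date on which an originator and a recipient may use a key activated on a given day, and checks a proposed use against those deadlines. The interpretation of a "year" as a calendar year is an assumption of this example.

```python
from datetime import date

# Upper bound of the originator usage period (OUP) in years, and the extra
# years a recipient may keep using the key beyond the OUP ("<= OUP + 3 years").
# Transcribed from the SP 800-57 cryptoperiod table on this page; rows whose
# cryptoperiod is an event ("Upon reseeding", "One key agreement transaction",
# "Several years") are omitted and need event-based rules instead.
CRYPTOPERIODS = {
    "Private Signature Key": (3, 0),
    "Symmetric Authentication Key": (2, 3),
    "Private Authentication Key": (2, 0),
    "Public Authentication Key": (2, 0),
    "Symmetric Data Encryption Key": (2, 3),
    "Symmetric Key Wrapping Key": (2, 3),
    "Symmetric Master Key": (1, 0),
    "Private Key Transport Key": (2, 0),
    "Public Key Transport Key": (2, 0),
    "Symmetric Key Agreement Key": (2, 0),
    "Private Static Key Agreement Key": (2, 0),
    "Public Static Key Agreement Key": (2, 0),
    "Symmetric Authorization Key": (2, 0),
    "Private Authorization Key": (2, 0),
    "Public Authorization Key": (2, 0),
}


def _add_years(d, years):
    """Calendar-year arithmetic (assumption: a table 'year' is a calendar year).
    29 February rolls back to 28 February in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def usage_deadlines(key_type, activated):
    """Return (last originator use date, last recipient use date) for a key
    of the given type activated on `activated`."""
    oup_years, extra_years = CRYPTOPERIODS[key_type]
    oup_end = _add_years(activated, oup_years)
    rup_end = _add_years(oup_end, extra_years)
    return oup_end, rup_end


def check_use(key_type, activated, used_on, role):
    """Decide whether a use on `used_on` is inside the cryptoperiod.
    role is 'originator' (encrypt, sign, wrap) or 'recipient'
    (decrypt, verify, unwrap). Returns (allowed, reason)."""
    if role not in ("originator", "recipient"):
        raise ValueError(f"unknown role {role!r}")
    oup_end, rup_end = usage_deadlines(key_type, activated)
    if used_on < activated:
        return False, "use before key activation"
    deadline = oup_end if role == "originator" else rup_end
    if used_on <= deadline:
        return True, f"within {role} usage period (ends {deadline})"
    return False, f"{role} usage period ended {deadline}"


if __name__ == "__main__":
    # Constructed sample: a data-encryption key activated 15 Jan 2020.
    activated = date(2020, 1, 15)
    for role in ("originator", "recipient"):
        ok, why = check_use("Symmetric Data Encryption Key", activated,
                            date(2023, 6, 1), role)
        print(f"{role:10s}: {'allowed' if ok else 'denied '} ({why})")
```

Running the sample shows the asymmetry the table encodes: by mid-2023 the originator may no longer encrypt under a key activated in January 2020 (OUP of 2 years), while a recipient may still decrypt stored material until January 2025 (OUP + 3 years).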
TDEA (Triple Data Encryption Algorithm) and AES are specified in [10].
Hash (A): Digital signatures and hash-only applications.
Hash (B): HMAC, Key Derivation Functions and Random Number Generation.
The security strength for key derivation assumes that the shared secret contains sufficient entropy to support the desired security strength. Same remark applies to the security strength for random number generation.
| Date | Minimum of Strength | Symmetric Algorithms | Asymmetric | Discrete Logarithm Key | Discrete Logarithm Group | Elliptic Curve | Hash (A) | Hash (B) |
|---|---|---|---|---|---|---|---|---|
| 2010 (Legacy) | 80 | 2TDEA* | 1024 | 160 | 1024 | 160 | SHA-1**, SHA-224, SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 |
| 2011 - 2030 | 112 | 3TDEA | 2048 | 224 | 2048 | 224 | SHA-224, SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 |
| > 2030 | 128 | AES-128 | 3072 | 256 | 3072 | 256 | SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 |
| >> 2030 | 192 | AES-192 | 7680 | 384 | 7680 | 384 | SHA-384, SHA-512 | SHA-224, SHA-256, SHA-384, SHA-512 |
| >>> 2030 | 256 | AES-256 | 15360 | 512 | 15360 | 512 | SHA-512 | SHA-256, SHA-384, SHA-512 |
All key sizes are provided in bits. These are the minimal sizes for security.
When selecting a block cipher cryptographic algorithm (e.g. AES or TDEA), the block size may also be a factor that should be considered. More information on this issue is provided in SP800-38.
(*) The assessment of at least 80 bits of security for 2TDEA is based on the assumption that an attacker has no more than 2^40 matched plaintext and ciphertext blocks.
(**) SHA-1 has been demonstrated to provide less than 80 bits of security for digital signatures. The use of SHA-1 is not recommended for the generation of digital signatures in new systems; new systems should use one of the larger hash functions. For the present time, SHA-1 is included here for digital signatures to reflect its widespread use in existing systems, for which the reduced security strength may not be of great concern when only 80 bits of security are required.
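A practitioner rarely needs the table for a single primitive; the question is usually what strength a whole configuration (an RSA key, a block cipher and a hash used together) actually achieves and how long the table says that is acceptable. The following Python is an added example, not code from the BlueKrypt site or from NIST. It transcribes the key-size rows of the table above, maps a concrete key size to the highest strength row it satisfies, and applies the weakest-link rule from SP 800-57 (the strength of a system is that of its weakest component; this rule is stated in the NIST report, not on this page). Hash strengths are read from the table as the highest row in which each hash is listed for that use. The function names and the `components` tuple format are this example's own.

```python
# Rows of the NIST key-length table on this page, in increasing strength:
# (period label, security strength, minimum factoring modulus, minimum
# discrete-log private key size, minimum discrete-log group size, minimum
# elliptic-curve key size). All sizes in bits.
NIST_ROWS = [
    ("2010 (Legacy)", 80, 1024, 160, 1024, 160),
    ("2011 - 2030", 112, 2048, 224, 2048, 224),
    ("> 2030", 128, 3072, 256, 3072, 256),
    (">> 2030", 192, 7680, 384, 7680, 384),
    (">>> 2030", 256, 15360, 512, 15360, 512),
]

# Symmetric algorithm named in each row, and the strength of that row.
SYMMETRIC = {"2TDEA": 80, "3TDEA": 112, "AES-128": 128,
             "AES-192": 192, "AES-256": 256}

# Hash (A): digital signatures and hash-only use. Hash (B): HMAC, KDF, RNG.
# Each value is the strength of the highest table row listing that hash
# for that use (e.g. SHA-1 still appears under Hash (B) in the 128-bit row).
HASH_A = {"SHA-1": 80, "SHA-224": 112, "SHA-256": 128,
          "SHA-384": 192, "SHA-512": 256}
HASH_B = {"SHA-1": 128, "SHA-224": 192, "SHA-256": 256,
          "SHA-384": 256, "SHA-512": 256}


def _tier(size, column):
    """Strength of the highest row whose threshold in `column` is <= size.
    Returns 0 when the size is below even the legacy row."""
    strength = 0
    for row in NIST_ROWS:
        if size >= row[column]:
            strength = row[1]
    return strength


def component_strength(kind, *params):
    """Security strength of one primitive. kinds:
    ('symmetric', name), ('factoring', modulus_bits) for RSA,
    ('dlog', key_bits, group_bits) for DSA/DH, ('ecc', key_bits),
    ('hash_a', name), ('hash_b', name)."""
    if kind == "symmetric":
        return SYMMETRIC[params[0]]
    if kind == "factoring":
        return _tier(params[0], 2)
    if kind == "dlog":
        return min(_tier(params[0], 3), _tier(params[1], 4))
    if kind == "ecc":
        return _tier(params[0], 5)
    if kind == "hash_a":
        return HASH_A[params[0]]
    if kind == "hash_b":
        return HASH_B[params[0]]
    raise ValueError(f"unknown component kind {kind!r}")


def system_strength(components):
    """Weakest-link rule: returns (strength, weakest component)."""
    scored = [(component_strength(*c), c) for c in components]
    return min(scored, key=lambda s: s[0])


def acceptable_through(strength):
    """Period label the table associates with a given strength."""
    label = "below the legacy minimum"
    for row in NIST_ROWS:
        if strength >= row[1]:
            label = row[0]
    return label


if __name__ == "__main__":
    # Constructed sample configuration: RSA-2048 signatures with SHA-256,
    # AES-128 for bulk encryption.
    suite = [("factoring", 2048), ("hash_a", "SHA-256"), ("symmetric", "AES-128")]
    strength, weakest = system_strength(suite)
    print(f"{strength} bits, limited by {weakest}; acceptable: {acceptable_through(strength)}")
```

For the sample configuration the answer is 112 bits, limited by the 2048-bit RSA key rather than by AES-128 or SHA-256, which places it in the "2011 - 2030" row. Moving only the cipher to AES-256 changes nothing; the RSA modulus has to reach 3072 bits before the configuration crosses into the "> 2030" row.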
© 2014 BlueKrypt - v 27.8 - October 21, 2013
Author: Damien Giry
Approved by Prof. Jean-Jacques Quisquater
Bibliography

[1] Selecting Cryptographic Key Sizes, Arjen K. Lenstra and Eric R. Verheul, PKC2000: p. 446-465, 01/2000.
[2] Handbook of Information Security, Arjen K. Lenstra, 06/2004.
[3] Yearly Report on Algorithms and Keysizes (2012), D.SPA.20 Rev. 1.0, ICT-2007-216676 ECRYPT II, 09/2012.
[4] Recommendation for Key Management, Special Publication 800-57 Part 1 Rev. 3, NIST, 07/2012.
[5] Mécanismes cryptographiques - Règles et recommandations, Rev. 1.20, ANSSI, 01/2010.
[6] Fact Sheet Suite B Cryptography, NSA, 05/2013.
[7] Determining Strengths for Public Keys Used for Exchanging Symmetric Keys, RFC 3766, H. Orman and P. Hoffman, 04/2004.
[8] Algorithms for Qualified Electronic Signatures, BNetzA, BSI, 02/2013, updated with BSI Draft, 10/2013.
[10] Approved algorithms for block ciphers, NIST.