Keylength - NIST Report on Cryptographic Key Length and Cryptoperiod (2012)

In most cryptographic functions, the key length is an important security parameter. Both academic and private organizations publish recommendations and mathematical formulas that approximate the minimum key size required for a given level of security. Despite the availability of these publications, choosing an appropriate key size to protect a system from attack remains a headache, because you need to read and understand all of these papers.

This web site implements those mathematical formulas and summarizes reports from well-known organizations so that you can quickly evaluate the minimum security requirements for your system, compare all of these techniques side by side, and find the appropriate key length for your desired level of protection. The lengths provided here are designed to resist mathematical attacks; they do not take algorithmic attacks, hardware flaws, side channels, etc. into account.


NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. The recommendations in this report [4] are intended for use by Federal agencies and provide key sizes together with the algorithms they apply to. The first table gives the cryptoperiod for 19 types of key use. A cryptoperiod is the time span during which a specific key is authorized for use by legitimate entities, or during which the keys for a given system remain in effect. The second table presents the key length recommendations.

| Key Type | Cryptoperiod |
| --- | --- |
| Private Signature Key | 1-3 years |
| Public Signature Key | Several years (depends on key size) |
| Symmetric Authentication Key | Originator Usage Period (OUP): <= 2 years; Recipient Usage Period: <= OUP + 3 years |
| Private Authentication Key | 1-2 years |
| Public Authentication Key | 1-2 years |
| Symmetric Data Encryption Key | Originator Usage Period (OUP): <= 2 years; Recipient Usage Period: <= OUP + 3 years |
| Symmetric Key Wrapping Key | Originator Usage Period (OUP): <= 2 years; Recipient Usage Period: <= OUP + 3 years |
| Symmetric and Asymmetric RNG Keys | Upon reseeding |
| Symmetric Master Key | About 1 year |
| Private Key Transport Key | <= 2 years (1) |
| Public Key Transport Key | 1-2 years |
| Symmetric Key Agreement Key | 1-2 years |
| Private Static Key Agreement Key | 1-2 years (2) |
| Public Static Key Agreement Key | 1-2 years |
| Private Ephemeral Key Agreement Key | One key agreement transaction |
| Public Ephemeral Key Agreement Key | One key agreement transaction |
| Symmetric Authorization Key | <= 2 years |
| Private Authorization Key | <= 2 years |
| Public Authorization Key | <= 2 years |

In some cases risk factors affect the cryptoperiod selection (see section 5.3.1 in report [4]).

(1) In certain email applications where received messages are stored and decrypted at a later time, the cryptoperiod of the Private Key Transport Key may exceed the cryptoperiod of the Public Key Transport Key.

(2) In certain email applications where received messages are stored and decrypted at a later time, the cryptoperiod of the Private Static Key Agreement Key may exceed the cryptoperiod of the Public Static Key Agreement Key.

TDEA (Triple Data Encryption Algorithm) and AES are specified in [10]. Hash (A): digital signatures and hash-only applications. Hash (B): HMAC, key derivation functions and random number generation. The security strength for key derivation assumes that the shared secret contains sufficient entropy to support the desired security strength; the same remark applies to the security strength for random number generation.

| Date | Minimum Strength (bits) | Symmetric Algorithms | Factoring Modulus | Discrete Logarithm Key | Discrete Logarithm Group | Elliptic Curve | Hash (A) | Hash (B) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2010 (Legacy) | 80 | 2TDEA* | 1024 | 160 | 1024 | 160 | SHA-1**, SHA-224, SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 |
| 2011 - 2030 | 112 | 3TDEA | 2048 | 224 | 2048 | 224 | SHA-224, SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 |
| > 2030 | 128 | AES-128 | 3072 | 256 | 3072 | 256 | SHA-256, SHA-384, SHA-512 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 |
| >> 2030 | 192 | AES-192 | 7680 | 384 | 7680 | 384 | SHA-384, SHA-512 | SHA-224, SHA-256, SHA-384, SHA-512 |
| >>> 2030 | 256 | AES-256 | 15360 | 512 | 15360 | 512 | SHA-512 | SHA-256, SHA-384, SHA-512 |

All key sizes are given in bits. These are the minimum sizes for the stated security strength.

When selecting a block cipher cryptographic algorithm (e.g. AES or TDEA), the block size may also be a factor that should be considered. More information on this issue is provided in SP800-38.

(*) The assessment of at least 80 bits of security for 2TDEA is based on the assumption that an attacker has no more than 2^{40} matched plaintext and ciphertext blocks.

(**) SHA-1 has been demonstrated to provide less than 80 bits of security for digital signatures. The use of SHA-1 is not recommended for the generation of digital signatures in new systems; new systems should use one of the larger hash functions. For the present time, SHA-1 is included here for digital signatures to reflect its widespread use in existing systems, for which the reduced security strength may not be of great concern when only 80 bits of security are required.
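A worked example of applying the table above, added here and not code from keylength.com or the NIST report: each component of a deployment (RSA modulus, EC curve, symmetric cipher, signature hash) is mapped to the security strength of the highest table row it satisfies, and the deployment as a whole gets the minimum of those, which is the SP 800-57 rule that a system is only as strong as its weakest algorithm or key. The column and function names and the sample configuration are this example's own.

```python
# Added example (not code from keylength.com or the NIST report): a weakest-link
# check built from the SP 800-57 table above.  Thresholds and hash columns are the
# table rows; "a system is only as strong as its weakest part" is NIST's rule.
from math import inf

# Minimum parameter size in bits for each security strength, per table column.
THRESHOLDS = {
    "rsa":      [(80, 1024), (112, 2048), (128, 3072), (192, 7680), (256, 15360)],
    "dl_key":   [(80, 160), (112, 224), (128, 256), (192, 384), (256, 512)],
    "dl_group": [(80, 1024), (112, 2048), (128, 3072), (192, 7680), (256, 15360)],
    "ec":       [(80, 160), (112, 224), (128, 256), (192, 384), (256, 512)],
}
SYMMETRIC = {"2TDEA": 80, "3TDEA": 112, "AES-128": 128, "AES-192": 192, "AES-256": 256}
# Hash (A): signatures / hash-only; Hash (B): HMAC, KDF, RNG.  SHA-1 under (A) is
# the legacy 80-bit row, which footnote (**) says it no longer actually reaches.
HASH_A = {"SHA-1": 80, "SHA-224": 112, "SHA-256": 128, "SHA-384": 192, "SHA-512": 256}
HASH_B = {"SHA-1": 128, "SHA-224": 192, "SHA-256": 256, "SHA-384": 256, "SHA-512": 256}

def strength(kind, value):
    """Security strength (bits) of one component; 0 if it meets no table row."""
    if kind == "symmetric":
        return SYMMETRIC[value]
    if kind in ("hash_a", "hash_b"):
        return (HASH_A if kind == "hash_a" else HASH_B)[value]
    return max((s for s, minimum in THRESHOLDS[kind] if value >= minimum), default=0)

def minimum_strength_for(year):
    """Minimum acceptable strength per date row: 80 to 2010, 112 to 2030, 128 after."""
    if year <= 2010:
        return 80
    return 112 if year <= 2030 else 128

def assess(components, year):
    """components: [(label, kind, value)] -> (strength, limiting label, ok in year)."""
    overall, limiting = inf, None
    for label, kind, value in components:
        s = strength(kind, value)
        if s < overall:
            overall, limiting = s, label
    return overall, limiting, overall >= minimum_strength_for(year)

if __name__ == "__main__":
    # Constructed sample: a TLS-style deployment mixing RSA-2048 with 128-bit parts.
    config = [("RSA-2048 certificate", "rsa", 2048), ("ECDHE P-256", "ec", 256),
              ("AES-128 record cipher", "symmetric", "AES-128"),
              ("SHA-256 signature hash", "hash_a", "SHA-256")]
    print(assess(config, 2025), assess(config, 2031)[2])  # limited by RSA-2048
```

The sample deployment comes out at 112 bits because of the RSA-2048 certificate, which is acceptable in the 2011-2030 row but not beyond 2030, where the table requires 128 bits.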