RSA key sizes

RSA key sizes

Tan Eng Ten
Hi all,

        This is a general crypto question and I hope someone could help me out.

        Often we use RSA of 512, 1024, 2048, 4096, etc. bit lengths. Are other
sizes such as 520/1045 bit "valid"? Mathematically, it should work, but
are there reasons why odd sizes are not to be used?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: RSA key sizes

Victor Duchovni
On Wed, Aug 17, 2005 at 02:21:30PM +0800, Tan Eng Ten wrote:

> This is a general crypto question and I hope someone could help me
> out.
>
> Often we use RSA of 512, 1024, 2048, 4096, etc. bit lengths. Are
> other sizes such as 520/1045 bit "valid"? Mathematically, it should work,
> but are there reasons why odd sizes are not to be used?

Well RSA 512 is not (or should not be) used. As for the others, 768 is
in fact used, then 1024 and 2048, I've not seen 4096 in real applications,
one is likely better off with a different algorithm at that point.

Non-standard sizes add no value, each incremental "standard" key size
supports a particular expected security range. Stick to the standard
sizes.

--
        Viktor.

RE: RSA key sizes

Steven Reddie
I believe it's a matter of efficiency.  There are optimisations that can be
performed on the math of integers of length power-of-2.  It's possible that
there are implementations out there that won't work with non-standard sizes.

I have seen 4096 bit keys in the wild.  In fact, the Microsoft Root
Certificate Authority key in the Microsoft Certificate Store is 4096 bits in
length.

Steven

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Victor Duchovni
Sent: Wednesday, 17 August 2005 4:45 PM
To: [hidden email]
Subject: Re: RSA key sizes

On Wed, Aug 17, 2005 at 02:21:30PM +0800, Tan Eng Ten wrote:

> This is a general crypto question and I hope someone could help me
> out.
>
> Often we use RSA of 512, 1024, 2048, 4096, etc. bit lengths. Are
> other sizes such as 520/1045 bit "valid"? Mathematically, it should
> work, but are there reasons why odd sizes are not to be used?

Well RSA 512 is not (or should not be) used. As for the others, 768 is in
fact used, then 1024 and 2048, I've not seen 4096 in real applications, one
is likely better off with a different algorithm at that point.

Non-standard sizes add no value, each incremental "standard" key size
supports a particular expected security range. Stick to the standard sizes.

--
        Viktor.

Re: RSA key sizes

Dr. Stephen Henson
In reply to this post by Tan Eng Ten
On Wed, Aug 17, 2005, Tan Eng Ten wrote:

> Hi all,
>
> This is a general crypto question and I hope someone could help me
> out.
>
> Often we use RSA of 512, 1024, 2048, 4096, etc. bit lengths. Are
> other sizes such as 520/1045 bit "valid"? Mathematically, it should work,
> but are there reasons why odd sizes are not to be used?

One reason is interoperability. Some software (notably MS stuff based on
CryptoAPI including MSIE) places restrictions on the key sizes and parameters.

For public keys the only restriction is that the public exponent (e) can't
exceed 32 bits.

For private keys the key size must also be a multiple of 64 bits and every
CRT parameter must be either the key size or half the key size, this means that
the two primes p and q must have the same size for example.

The main reason for this is that the internal format (PRIVATEKEYBLOB) has
problems representing parameters which don't fit these criteria.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
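
The restrictions listed in the post above can be checked mechanically before a key is handed to CryptoAPI-based software. This is an added example, not code from the thread, OpenSSL or CryptoAPI; the function names, the constructed sample primes and the reading of "half the key size" as the maximum width of each CRT parameter are assumptions.

```python
import math
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases, so the constructed keys are reproducible."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_prime(bits, top, e=65537):
    """Constructed sample prime: top three bits are `top` (6 or 7), p-1 coprime to e."""
    c = (top << (bits - 3)) | 1
    while not (is_probable_prime(c) and math.gcd(c - 1, e) == 1):
        c += 2
    return c

def cryptoapi_problems(p, q, e=65537):
    """Return (key size in bits, list of violated restrictions from the post)."""
    bits = (p * q).bit_length()
    d = pow(e, -1, (p - 1) * (q - 1))          # private exponent (Python 3.8+)
    crt = {"p": p, "q": q, "dP": d % (p - 1), "dQ": d % (q - 1), "qInv": pow(q, -1, p)}
    problems = []
    if e.bit_length() > 32:
        problems.append("public exponent exceeds 32 bits")
    if bits % 64:
        problems.append(f"key size {bits} is not a multiple of 64 bits")
    problems += [f"{k} does not fit in half the key size"   # assumed field width
                 for k, v in crt.items() if v.bit_length() > bits // 2]
    return bits, problems

if __name__ == "__main__":
    for pb, qb in ((256, 256), (260, 260), (192, 320)):   # 512, 520, unbalanced 512
        print(cryptoapi_problems(demo_prime(pb, 6), demo_prime(qb, 7)))
```

The third case has a 512-bit modulus, a multiple of 64, and is still rejected because the primes differ in size.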

Re: RSA key sizes

Mouse-2
In reply to this post by Steven Reddie
Please note that the importance of RSA is going to decline in favor of
Elliptic Curve Crypto over GF(p). In particular, by 2010 ECC will be
mandated. I suspect there are cryptographic reasons for it.