3.4 Key length

The key space 𝒦 is large but finite. So, in principle, it is possible to search through it completely until the correct key K has been found. Such an attack is called a brute-force attack. Whether a brute-force attack is possible within a reasonable time frame, that is, within the time span the protected information is valuable for Eve, depends not only on the size of the key space but also on the speed of the latest computing technology and the resources Eve has at her disposal (this is part of the attacker model). This means key recommendations can (and do) vary over time.

For reasons of cost and usability, you should not always suppose the strongest possible attacker is after you. Thinking about the means an attacker realistically has at his or her disposal is part of the so-called attacker model in IT security. After that, you try to make your system secure against the specific type of attacker you have defined in your attacker model. When it comes to key length, however, it doesn’t hurt to think of Eve as a representative of the NSA or some other government-sponsored security agency with basically unlimited financial resources.

For symmetric cryptographic mechanisms, the key length is the bit length of the secret key. For public-key algorithms (see Chapter 7, Public-Key Cryptography), key length refers to different things depending on the specific algorithm [63]:

• For RSA, it is the bit length of the RSA modulus n
• For algorithms based on the DLP in Fp∗, it is the bit length of p
• For algorithms based on the DLP in an elliptic curve over the finite field Fn, it is the bit length of n

Key length, together with a few other parameters, determines the security level of a cryptographic mechanism [63]. We say that a security level of n bits is achieved if any attack on that particular cryptographic mechanism needs 2n (efficient) calculations, for example, 2n encryptions with the AES block cipher [63].

Considering the computational capabilities of today’s computers and taking into account the development of semiconductor technology for the foreseeable future (approximately five years), cryptographic mechanisms are currently required to achieve a security level of at least 112 bits; recommended key lengths for block ciphers and message authentication codes are 128 bits.

However, progress in semiconductor manufacturing and the introduction of fundamentally new cryptanalytic techniques, such as the application of a cryptographically relevant quantum computer, might require the adaptation of these recommendations in the medium term and a switch to 192 or even 256 bits.

Besides the key length, there are a few other parameters that affect the overall security of a cryptographic system [63]. For example, the digest length of a message authentication code is an important parameter for the security level. For block ciphers, their block width is an important security parameter.