Enabling Secure Business Operations

What keylength should I use?

We’re often asked, “How long should I make my keylength?” The answer really comes down to this: how long do you want to protect your data?

You want your data protected for longer than it is useful to anyone who shouldn’t have access to it. That requires you to really think about the content of the data you are protecting. If you want to protect a message to friend A about friend B’s birthday next week, the crypto in use only needs to be strong enough so that friend B can’t read the message for a week – in some cases, ROT13 may be sufficient.

For corporate data, you may want the information to be protected for years, or even decades. In this case, you need to determine what the best key length is for you.

Symmetric and asymmetric keys each have their own key lengths, and what a given key length means also depends on the type of cryptography you are using – traditional versus elliptic curve, and even quantum cryptography.

The strength of a given key length also changes over time. The most common reason for increasing key lengths is that computers keep becoming more powerful, so it takes less time to brute-force an encrypted item. Research into “solving” decryption problems is also ongoing, and a new method for finding a key may be discovered. Finally, new types of cryptography may be found that “solve” older types very quickly.

You have to see into the future to determine how long a key you should use – and if you have that power, I think we need to go in on a few lottery tickets together. So, how is key length really determined? Luckily, two cryptologists (Lenstra and Verheul) have provided a mathematical method for computing key lengths.

Additionally, NIST and the NSA are two organizations that have special areas that focus on cryptography and the appropriate key lengths to use. There are likely international standards as well.

keylength.com provides a handy chart to use for figuring out what key length you should use. This is based on papers by Lenstra and Verheul, NIST recommendations, and recommendations from other similar groups.

If you’ve never studied cryptography, this provides a nice reference. And even if you have, consider the work already done.
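
The reasoning above (a protection period, attacker compute that keeps growing, and different scales for symmetric, RSA and elliptic-curve keys) can be sketched in code. This is an added example, not part of the original post, and it is neither the Lenstra and Verheul equations nor the keylength.com tables; the 128-bit baseline, the 18-month doubling period, the 256-bit search step and all function names are assumptions.

```python
import math

# Assumptions for this sketch (not from the original post):
BASE_BITS = 128        # symmetric strength treated as adequate today
MONTHS_PER_BIT = 18    # attacker compute assumed to double every 18 months


def required_bits(years, base_bits=BASE_BITS, months_per_bit=MONTHS_PER_BIT):
    """Symmetric-equivalent strength needed to protect data for `years`.

    Each doubling of attacker compute halves brute-force time, which
    costs the defender exactly one bit of key strength.
    """
    if years < 0:
        raise ValueError("years must be non-negative")
    return base_bits + math.ceil(years * 12 / months_per_bit)


def rsa_strength_bits(modulus_bits):
    """Estimate the symmetric-equivalent strength of an RSA modulus.

    Uses the number field sieve running-time heuristic; the constants
    1.923 and 4.69 are a common calibration, so this is an estimate only.
    """
    n = modulus_bits * math.log(2)
    work = 1.923 * n ** (1 / 3) * math.log(n) ** (2 / 3) - 4.69
    return work / math.log(2)


def min_rsa_modulus(target_bits, step=256):
    """Smallest modulus (searched in `step`-bit increments) meeting the target."""
    size = 1024
    while rsa_strength_bits(size) < target_bits:
        size += step
    return size


def min_ecc_bits(target_bits):
    """Generic attacks on an n-bit curve cost about 2^(n/2) operations."""
    return 2 * target_bits


def recommend(years):
    """Key sizes for a protection period, under the assumptions above."""
    bits = required_bits(years)
    return {"years": years, "symmetric_bits": bits,
            "ecc_bits": min_ecc_bits(bits), "rsa_bits": min_rsa_modulus(bits)}


if __name__ == "__main__":
    for years in (1, 10, 30):  # constructed sample protection periods
        print(recommend(years))
```

In practice, round each result up to the next size your library actually supports, and check it against a published recommendation rather than relying on this model alone.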

One Response to “What keylength should I use?”

  1. Scott Shorter Says:

    A useful tip, thanks!
