Key Length And Encryption Strength - Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual

Key Length and Encryption Strength

The scheme shown in Figure 1.2, "Public-Key Encryption" allows public keys to be freely distributed,
while only authorized people are able to read data encrypted using this key. In general, to send
encrypted data, the data is encrypted with that person's public key, and the person receiving the
encrypted data decrypts it with the corresponding private key.
Compared with symmetric-key encryption, public-key encryption requires more processing and may
not be feasible for encrypting and decrypting large amounts of data. However, it is possible to use
public-key encryption to send a symmetric key, which can then be used to encrypt additional data. This
is the approach used by the SSL/TLS protocols.
The reverse of the scheme shown in Figure 1.2, "Public-Key Encryption" also works: data
encrypted with a private key can be decrypted only with the corresponding public key. This is not
a recommended practice to encrypt sensitive data, however, because it means that anyone with
the public key, which is by definition published, could decrypt the data. Nevertheless, private-key
encryption is useful because it means the private key can be used to sign data with a digital signature,
an important requirement for electronic commerce and other commercial applications of cryptography.
Client software such as Mozilla Firefox can then use the public key to confirm that the message was
signed with the appropriate private key and that it has not been tampered with since being signed.
Section 1.2, "Digital Signatures" illustrates how this confirmation process works.
1.1.3. Key Length and Encryption Strength
Breaking an encryption algorithm essentially means finding the key that gives access to the encrypted
data in plain text. For symmetric algorithms, breaking the algorithm usually means trying to determine
the key used to encrypt the text. For a public key algorithm, breaking the algorithm usually means
acquiring the shared secret information between two recipients.
One method of breaking a symmetric algorithm is to simply try every key in the algorithm's full
keyspace until the right key is found. For public key algorithms, since half of the key pair is publicly
known, the other half (the private key) can in principle be derived using published, though complex,
mathematical calculations.
Finding the key by trying possibilities one after another is called a brute force attack.
Breaking an algorithm introduces the risk of intercepting private information, or even of impersonating
a party and fraudulently verifying data.
The key strength of an algorithm is determined by finding the fastest known method to break the
algorithm and comparing its cost to that of a brute force attack.
For symmetric keys, encryption strength is often described in terms of the size or length of the keys
used to perform the encryption: longer keys generally provide stronger encryption. Key length is
measured in bits. For example, 128-bit keys with the RC4 symmetric-key cipher supported by SSL
provide significantly better cryptographic protection than 40-bit keys used with the same cipher.
128-bit RC4 encryption is 3 x 10^26 times stronger than 40-bit RC4 encryption.
An encryption key is considered full strength if the best known attack to break the key is no faster than
a brute force attempt to test every key possibility.
Different types of algorithms, particularly public key algorithms, may require different key lengths
to achieve the same level of encryption strength as a symmetric-key cipher. The RSA cipher can use
only a subset of all possible values for a key of a given length, due to the nature of the mathematical
problem on which it is based. Other ciphers, such as those used for symmetric-key encryption, can
use all possible values for a key of a given length. The more possible key values an attacker has to
consider, the more security the key provides.
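The following calculator is an added example for this section, not code from the Red Hat manual. It works through the relationships the text describes: the keyspace grows as 2 to the number of key bits, so the 128-bit versus 40-bit RC4 comparison comes out as 2^88 (about 3 x 10^26); a key is "full strength" when the best known attack costs no less than exhaustive search; and an RSA modulus, which can use only a subset of values of its length, must be much longer than a symmetric key to match its strength. The RSA-to-symmetric mapping is taken from the NIST SP 800-57 Part 1 comparable-strength table, which is an assumption of this example rather than a figure from the page, and the trial rate of one billion keys per second is a constructed value used only to make the time estimates concrete.

```python
"""Key-length and brute-force work-factor calculator (added example)."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumption (not from the manual): NIST SP 800-57 Part 1 comparable-strength
# table, mapping an RSA modulus size in bits to the symmetric security level
# (bits of security) it is considered roughly equivalent to.
RSA_SECURITY_BITS = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def keyspace(bits: int) -> int:
    """Number of candidate keys when every value of a bits-long key is valid,
    as with symmetric ciphers such as RC4: an exhaustive search tries 2**bits."""
    return 2 ** bits


def strength_ratio(bits_long: int, bits_short: int) -> int:
    """How many times larger the longer key's keyspace is (2**(long - short))."""
    return keyspace(bits_long) // keyspace(bits_short)


def expected_brute_force_years(bits: int, keys_per_second: float) -> float:
    """Expected duration of an exhaustive search that, on average, finds the
    key after trying half of the keyspace at the given trial rate."""
    return (keyspace(bits) / 2) / keys_per_second / SECONDS_PER_YEAR


def effective_strength(key_bits: int, best_attack_log2_ops: float) -> float:
    """Security level in bits: the nominal key length, capped by the cost
    (log2 of operations) of the fastest known attack on the algorithm."""
    return min(key_bits, best_attack_log2_ops)


def is_full_strength(key_bits: int, best_attack_log2_ops: float) -> bool:
    """A key is full strength when no known attack beats exhaustive search."""
    return best_attack_log2_ops >= key_bits


def rsa_security_bits(modulus_bits: int) -> int:
    """Symmetric-equivalent strength of an RSA modulus, per the table above."""
    if modulus_bits not in RSA_SECURITY_BITS:
        raise ValueError(f"no tabulated strength for RSA-{modulus_bits}")
    return RSA_SECURITY_BITS[modulus_bits]


def rsa_modulus_for_strength(target_bits: int) -> int:
    """Smallest tabulated RSA modulus that provides at least target_bits."""
    for modulus, strength in sorted(RSA_SECURITY_BITS.items()):
        if strength >= target_bits:
            return modulus
    raise ValueError(f"no tabulated RSA size reaches {target_bits} bits")


if __name__ == "__main__":
    ratio = strength_ratio(128, 40)
    print(f"128-bit vs 40-bit RC4 keyspace ratio: 2**88 = {ratio:.3g}")
    rate = 1e9  # constructed assumption: one billion key trials per second
    for bits in (40, 128):
        years = expected_brute_force_years(bits, rate)
        print(f"{bits}-bit key at {rate:.0e} keys/s: about {years:.3g} years")
    print(f"RSA-2048 is rated about {rsa_security_bits(2048)} bits of security")
    print(f"Matching a 128-bit symmetric key needs RSA-{rsa_modulus_for_strength(128)}")
```

Running the block shows why the text treats key length and algorithm type separately: the same 2^88 ratio that separates 40-bit from 128-bit RC4 turns a search measured in minutes into one measured in sextillions of years, while matching a 128-bit symmetric key with RSA requires a 3072-bit modulus rather than 128 bits.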