
What RSA key size to use for an SSL certificate - ck2
https://certsimple.com/blog/measuring-ssl-rsa-keys
======
dchest
"NIST says a 2048 bit RSA key has a strength of 112 bits: i.e., there are
theoretically 2^112 possibilities to brute force the private key."

This is incorrect. The number of 2048-bit RSA keys is much more than 2^112,
bruteforcing is out of question. 2^112 is an approximate number of operations
to compute the private key using techniques more efficient than brute force
(e.g. number field sieve described later in the article).

~~~
nailer
Author here. That's correct, thanks for spotting the error: indeed, it means
using a field sieve as mentioned in the article body, which is certainly not
brute force. I've fixed the quote and credited you accordingly.

------
amluto
> The results show a 2048 bit RSA key is equivalent to around 116 'bits' of a
> symmetric algo. Actually, 116.884, but since, you can't have .884 of a bit
> our JS implementation rounds down.

The number of bits is just the log base 2 of some complexity measure. You can
certainly have half of a bit in this context.

------
ck2
_" 4096 bit handshakes are indeed significantly slower in terms of CPU usage
than 2048 bit handshakes."_

I bet they are even slower on mobile devices.

~~~
nailer
Yep, and battery life too. I'll do a followup at some point with latency
figures from remote devtools on an android device.

------
jason_s
Is there a reason 3072-bit or 2560-bit RSA keys can't be used?

~~~
userbinator
RSA doesn't restrict key sizes to powers of 2, but powers of 2 are more
optimised for implementation.

[http://crypto.stackexchange.com/questions/7849/why-are-
rsa-k...](http://crypto.stackexchange.com/questions/7849/why-are-rsa-key-
sizes-almost-always-a-power-of-two)

~~~
jason_s
the answers you linked to cite key sizes of c * 2^k where c = 1,3,or 5 -- like
3072 = 3 * 1024, 2560 = 5 * 512.

------
giovannibajo1
The way forward will probably be to switch to ECDSA anyway, just like
Cloudflare "Universal SSL".

~~~
wolf550e
By the time time people switch to ECDSA, they should switch to Ed25519 or
Ed448, maybe with ECDSA fallback (with web server and TLS library support for
multiple keys for same domain, depending on ClientHello).

~~~
rsy96
Have Ed25519 or Ed448 been standardized into TLS? I've never seen a website
with that before.

~~~
dchest
They will be: [https://tools.ietf.org/html/draft-ietf-tls-
curve25519-01](https://tools.ietf.org/html/draft-ietf-tls-curve25519-01)

~~~
wolf550e
So far, that's only key exchange, not signatures [1]. CFRG is still debating a
signature method [2].

1 - [https://tools.ietf.org/html/draft-irtf-cfrg-
curves-07](https://tools.ietf.org/html/draft-irtf-cfrg-curves-07)

2 - [https://www.ietf.org/mail-
archive/web/cfrg/current/msg07291....](https://www.ietf.org/mail-
archive/web/cfrg/current/msg07291.html)

~~~
dchest
Ah, true. Hopefully, they will use the same curves, with EdDSA.

------
x13
[http://www.wolframalpha.com/input/?i=N[Log2[Exp[%2864%2F9*Lo...](http://www.wolframalpha.com/input/?i=N\[Log2\[Exp\[%2864%2F9*Log\[2^2048\]%29^%281%2F3%29*%28Log\[Log\[2^2048\]\]%29^%282%2F3%29\]\])]

------
pronoiac
That graph of "comparable algorithm strength" would be great if it included
the key length of the symmetric cipher.

It was discussed for 2048 bit RSA, but not for 4k or 8k. It seemed like an
oversight.

------
jjuhl
One could go for the middle ground with a 3072 bit key.

