108

I'm in the process of creating a CSR, and I wonder which is arguably the best length for my RSA key.

Of course, 384 is probably too weak, and 16384 is probably too slow.

Is there a consensus on the key length one should use, depending on the certificate lifetime?

Edit: Like most people, I want my key to be reasonably strong. I'm not concerned that the NSA could maybe break my key in 2019. I just want to know what's the best practice when one plans to do normal business (for example, an e-commerce site).

Brann

8 Answers

121

As of 2020, RSA keys should be 2048 bits.

1024 bits

  • 1024-bit RSA certificates are obsolete and not accepted by browsers.
  • Firefox stopped accepting 1024-bit RSA certificates in 2014.
  • Certificate authorities stopped delivering 1024-bit RSA certificates in 2014 or before. See the GlobalSign or Comodo notice.
  • 1024-bit keys were deprecated because they could be cracked given a small datacenter (thousands of CPUs or hundreds of GPUs, in maybe a few months). It may seem like a lot, but it was well within reach of any large organization or government.

2048 bits

  • 2048-bit RSA certificates are currently the accepted norm in use.
  • Default baseline delivered by CAs and used by software.
  • Will eventually be cracked too. Don't know when, but it could take decades.
  • Doubling the size takes many, many orders of magnitude more compute power to crack. See the question how much stronger is RSA 2048 compared to 1024.

3072 bits

  • For security beyond 2030, 3072-bit RSA keys are recommended.
  • NIST assigns an "effective strength" of 128 bits to 3072-bit RSA keys, versus 112 bits for 2048-bit keys. This means that it would take about 2^16 times more computational effort to crack such a key.
  • As of 2022, less than 10% of surveyed sites use 3072-bit keys, while 85% still use 2048-bit keys.
  • For their extended validation services, some CAs don't allow 2048-bit keys and require at least 3072-bit keys.
  • Let's Encrypt will issue certificates for 3072-bit keys. It has been proposed as the default RSA key size, but opposition has ranged from "2048 bits is good enough," to "might as well go to 4096 bits."

4096 bits

  • While it's an oddball size, 4096-bit keys are available and widely supported. All major CAs can issue certificates for 4096-bit RSA.
  • The effective strength of 4096-bit keys has not been estimated by NIST, but others suggest a value of 140, which is only 4000 times stronger than 3072-bit keys and sometimes regarded as "not worth it."
  • Computational cost is not linear with key size. 4096 is not twice as slow as 2048, it is maybe 10 times slower to process. Do not blindly upgrade certificates to 4096 bits without considering the performance impact.
  • The "web" is largely remaining on 2048-bit certificates because it cannot bear the hardware cost for 4096 bits. Consider large actors like Google, Cloudflare and Netflix, with immense traffic and hardware footprint.
  • Fewer sites use RSA 4096-bit keys than 3072-bit keys, but usage is comparable.

Extra

  • Beyond 3072 bits, NIST recommends 7680 and 15360 bits, with effective security strength of 192 and 256 bits, respectively. However, support for these large keys is rare in software and with CAs.
  • RSA was first publicly described in 1977 and it's still strong almost 50 years later. You just have to increase the number of bits to keep up with faster computers.
  • There is another method for public key cryptography based on elliptic curves, see ECDSA (1992).
  • There is a huge disconnect between the capacity of a user and of an attacker. A web server or a mobile client has one (low-power) CPU. An attacker can have a whole datacenter; for reference, a newly built AWS datacenter hosts about 60 000 servers.
  • It is incredible that a single mobile device can compute some maths over a few seconds... that millions of computers couldn't dream of guessing in a lifetime.

erickson
Georg Schölly
  • 15
    The differences ("256-bit will work forever" on one hand, and "1024-bit already crap" on the other) are due to the differences between *symmetric* and *asymmetric* algorithms, and the kinds of keys used in each. With any given "equivalent level of security", you'll see very different raw numbers for the key lengths in symmetric versus asymmetric. – Ti Strga Apr 01 '14 at 22:18
  • 1
    As of Sep 2015, it seems the industry has moved to not accept less than 2048-bit CSRs. See below answers and [Comodo support article](https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/689/17/your-rsa-key-is-too-small-or-this-csr-uses-an-unsupported-key-size) – angularsen Sep 23 '15 at 07:35
  • 2
    @anjdreas, While it's true that 2048 is [the bare minimum](http://stackoverflow.com/questions/8453529/are-there-any-disadvantages-to-using-a-4096-bit-encrypted-ssl-certificate/8453915#comment60753920_8453915), I'll [be very careful](http://webmasters.stackexchange.com/questions/3836/what-are-the-benefits-of-a-more-expensive-ssl-certificate/3837#comment114486_3837) of quoting points from CA articles. – Pacerier Apr 13 '16 at 15:34
  • RSA Labs link is a 404 now, btw – jocull Jun 12 '17 at 16:16
  • 3
    note: fully rewrote the answer after 11 years, with up-to-date recommendations and references. comments above here were commenting on previous revisions. – user5994461 Apr 21 '20 at 15:28
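The answer above settles on 2048 bits as the floor that CAs and browsers enforce, and warns that 4096-bit keys cost far more per operation. The following is an added example, not code from the question or from any answer: a POSIX shell script that uses OpenSSL to generate an RSA key and CSR at a requested size, then reads the modulus size back out of the CSR and applies the same size check a CA's submission pipeline does (reject below 2048, accept but flag above 4096). The placeholder subject `/CN=example.invalid`, the function names and the 4096-bit warning threshold are my own choices, not anything a CA publishes.

```shell
#!/bin/sh
# Added example (not from the thread): generate an RSA key and CSR at a chosen
# size with OpenSSL, then check the CSR's modulus size the way a CA's
# "key too small" check does. The 2048-bit floor and the 4096-bit
# performance warning follow the thread's guidance; the CN is a placeholder.

MIN_BITS=2048    # minimum CAs and browsers accept for RSA (since 2014)
WARN_BITS=4096   # larger keys are accepted but cost far more per handshake

# make_csr BITS KEYFILE CSRFILE: write a fresh RSA private key and a CSR for it.
make_csr() {
    bits=$1; key=$2; csr=$3
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$bits" \
        -out "$key" 2>/dev/null &&
    openssl req -new -key "$key" -out "$csr" -subj "/CN=example.invalid" 2>/dev/null
}

# csr_key_bits CSRFILE: print the RSA modulus size (in bits) embedded in the
# CSR. Fails (no output, status 1) if the CSR is unreadable or not RSA, so an
# EC key is never mistaken for a too-small RSA key.
csr_key_bits() {
    out=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$out" | grep -q 'Public Key Algorithm: rsaEncryption' || return 1
    printf '%s\n' "$out" | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p'
}

# csr_policy CSRFILE: status 0 if the CSR would pass the size check, 1 if it
# would be rejected, 2 if the file could not be parsed. Prints the verdict.
csr_policy() {
    bits=$(csr_key_bits "$1")
    if [ -z "$bits" ]; then
        echo "ERROR: $1 is not a readable CSR with an RSA key"
        return 2
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "REJECT: $bits-bit RSA key is below the $MIN_BITS-bit minimum"
        return 1
    fi
    if [ "$bits" -gt "$WARN_BITS" ]; then
        echo "ACCEPT (warning): $bits-bit RSA key; expect much slower signing and handshakes"
    else
        echo "ACCEPT: $bits-bit RSA key"
    fi
    return 0
}

# Usage: sh rsa_csr_check.sh 1024 2048 4096
# Each size gets a throwaway key and CSR in a temp dir, then the policy verdict.
if [ $# -gt 0 ]; then
    work=$(mktemp -d)
    for b in "$@"; do
        if make_csr "$b" "$work/rsa$b.key" "$work/rsa$b.csr"; then
            csr_policy "$work/rsa$b.csr"
        else
            echo "key generation failed for $b bits"
        fi
    done
    rm -rf "$work"
fi
```

The check reads the modulus size out of the CSR itself rather than trusting a filename or the size you think you generated, because the CSR is all the CA sees; running it with `1024 2048 4096` shows one rejection, one plain acceptance and one acceptance with the performance caveat from the answer.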
15

As many customers require compliance with NIST cryptographic standards, I use the guidance in the NIST Special Publication 800-57, Recommendation for Key Management Part 1, §5.6. Most of our applications are a good fit for 112 "bits" of security, so that corresponds to triple-DES (or a small bump up to 128-bit AES) for symmetric ciphers and a 2048-bit key for RSA. See Table 2 for a rough equivalence.

Valid or not, being able to refer them to a NIST publication helps customers feel better about security (if they bother to ask).

erickson
  • The Article mentioned in this answer is revised to [Recommendation for Key Management: Part 1: General (Revision 3)](http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf). Current revision is Jul 2012 – AaA Mar 26 '13 at 01:53
  • I see that NIST page has been taken down and replaced with a message: "Due to the lapse in government funding, csrc.nist.gov and all associated online activities will be unavailable until further notice." – wu-lee Dec 28 '18 at 21:58
  • There is this page which compares some key length recommendations https://www.keylength.com/en/compare/ – wu-lee Dec 28 '18 at 22:00
10

Certificate authorities will not sign CSRs less than 2048 bits in size, so you should generate your CSR to be 2048 bits.

Yogi
  • 2
    Source - http://answers.ssl.com/877/signing-request-needs-to-be-2048-bit-key-size - some CAs like Affirmtrust/Trend Micro are already embedding 4096 bit roots so we will likely switch those in the coming years – Yogi Jan 21 '13 at 19:17
  • I just tried Comodo and they [do not accept less than 2048-bits](https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/689/17/your-rsa-key-is-too-small-or-this-csr-uses-an-unsupported-key-size). – angularsen Sep 23 '15 at 07:34
7

This coming August, Microsoft is going to deploy a patch to Server 2003/2008, Win7 etc. that will require the use of a minimum 1024-bit RSA key. So you might as well start making that your "bare minimum" standard.

Fed
6

For SSL certificates used on websites, this text from the Thawte.com website (as at 2014-07-22) is important to note:

Industry standards set by the Certification Authority/Browser (CA/B) Forum require that certificates issued after January 1, 2014 MUST be at least 2048-bit key length.

Mike
6

I needed to create several new SSL certs and was not satisfied with the answers above because they seemed vague or outdated, so I did a little digging. Bottom line: the selected answer is correct; use "2048-bit keys... longer is meaningless".

Increasing the bit length to 4096 adds a potentially meaningful load to your server (depending on your existing load) while offering basically an insignificant security upgrade.

If you are in a situation where you need longer than a 2048-bit key, you don't need a longer bit length, you need a new algorithm.

SemanticZen
1

I think 4096 is OK for RSA.

Check this link.

The end of the SHA-1 signature is nothing new, but Google has accelerated the process in Chrome. In the next few weeks, you should check their SSL certificates.

This may be helpful.

Ethaan
Vim
  • 1
    Could you possibly post some English language links too please? My German is rather weak. – Wai Ha Lee Mar 31 '15 at 20:21
  • De jure, RSA keys can only be of length 1024, 2048 or 3072 bits (according to PKCS #1 2.2 and FIPS 186-4). – aprelev Sep 14 '16 at 11:27
  • [Flame](https://en.wikipedia.org/wiki/Flame_(malware)) showed attackers will attack the hash rather than the bigger modulus. If you are using SHA-1, then you may as well use a 1024-bit modulus, since the hash and the modulus provide equivalent security. The 1024-bit modulus will make for faster operations than the bigger 4096-bit modulus. – jww Oct 20 '16 at 06:22
0

ENISA recommends 15360 bits. Have a look at the PDF (page 35):

http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report/at_download/fullReport

Micha
  • 4
    Not exactly. The recommendation for near-term (at least ten years) is 3072. RSA 15360 is for long term (thirty to fifty years) and only makes sense if you expect to be able to keep the private key secret for that long. – Henrick Hellström Mar 02 '14 at 00:22