White paper: Bridge to Passwordless best practices
In Part 2, we got a better understanding of what an algorithm like RSA does and what the length of a key entails.
Now, in Part 3, we can talk about the elephant in the room. Are 2048-bit keys useless? And are your documents completely insecure if you are using them? What are the pros and cons of one key length versus the other?
As I showed in my last installment, RSA-2048 still has fifteen years of life left before it is considered obsolete. Plenty of time not to be worried now. Just imagine where technology was fifteen years ago!
While it is true that a longer key provides better security, we have shown that by doubling the length of the key from 2048 to 4096, the increase in bits of security is only 18, a mere 16%. Moreover, besides requiring more storage, longer keys also translate into increased CPU usage and higher power consumption.
While this might not seem much on a modern computer where we measure things in the order of gigabytes and hundreds of watts, it is still a valid concern for the ever-increasing low-power embedded devices where CPU frequency is measured in kilohertz and power consumption in milliwatts and microwatts.
In these cases using a longer key means longer time to compute the result and shorter battery life on devices.
The real advantage of using a 4096-bit key nowadays is future proofing, but even that is not so strong an argument. By the time that RSA 2048 is declared dead, hopefully Elliptic Curve Cryptography (ECC) will have taken over, or even better, new and wonderful encryption algorithms will have been discovered.
What about ECC
So what about Elliptic Curve Cryptography? These encryption schemes are an alternative to RSA and are based on a completely different mathematical problem. Apart from that, however, they are just normal asymmetric encryption algorithms.
On the other hand, when it comes to speed and memory, ECC considerably outperforms RSA (with the notable exception of signature verification, where RSA is faster), even on embedded system and smaller microcontrollers.
Key lengths for these kinds of algorithms are considerably smaller. According to NIST, 112 and 128 bits of security, (equivalent to RSA-2048 and RSA-4096) correspond to 255-bit and 383-bit long ECC keys (worst case, even less on some specific curves).
So why are we not using this everywhere? Although the math behind them has been known for a while, ECC is a relatively new concept in cryptography, an inherently slow-changing and conservative field.
New implementations and new “fast reduction” curves that make computation significantly quicker are still under study and it takes time. As if that was not enough, some curves and implementations are behind patent walls.
Support for these kinds of encryption algorithms in OpenPGP has been proposed, and the first implementations are slowly starting to appear. Implementing cryptography, however, is an error-prone procedure and a fine art in and of itself.
Blindly implementing an algorithm is usually not enough to plug all the potential security holes, and be impervious to side-channel attacks and the like.
It is clear that once the issues are resolved and more implementations start coming around, ECC is the way forward.
Where does Yubico stand
Both the NEO and the NEO-n implement OpenPGP and support RSA up to 2048 bits. This is not a constraint from Yubico, but rather a hardware limitation of the NXP A700x chip used within the YubiKeys.
While the chip also supports ECC, it cannot be easily implemented without using some proprietary extensions, making it troublesome to comply with the license used by OpenPGP (GNU GPL). Moreover, as stated before, implementing crypto is a difficult process and although we have an initial version available on github, this still requires more thorough testing before it is considered production-ready.
A best practice is to determine how long you plan to use a specific key and then select a key length based on that decision. Everyday smartcards are fine at 2048 bits because they get changed out at regular intervals and will naturally migrate to longer key lengths over time. Long-term keys, like your master OpenPGP key that isn’t on a smartcard or used everyday, could be viable for the next 30 years if you pick longer key lengths today.
All in all, we believe that the security of the asymmetric cryptography provided by the YubiKey NEO and NEO-n is adequate for the time being. However, we are constantly working to keep ourselves ahead of the curve (no pun intended) and we will make sure to provide new solutions when the time (and the technology) is right.