• Contact Sales
  • Resellers
  • Support
Yubico Header Text LogoYubico Header Text Logo
Why Yubicoexpand_more
Why Yubico
  • Enterprises
  • SMBs
  • Individuals
  • Developers
  • Careers
  • Partner programs
  • Affiliate program
  • Contact Sales
  • Events
  • Press room
  • Yubico Blog
  • Yubico Executive Connect
  • About us
  • The team
  • Investors
  • Innovation history
  • Secure it Forward
Man holding YubiKey
Easy-to-use, secure authentication

With YubiKey there’s no tradeoff between great security and usability

Why YubiKey
  • about Yubico
Google headquarters
Proven at scale at Google

Google defends against account takeovers and reduces IT costs

Google Case Study
  • about Yubico
Hand holding YubiKey behind Apple iPhone
Protecting vulnerable organizations

Secure it Forward: One YubiKey donated for every 20 sold

Learn about Secure it Forward
  • about Yubico
Productsexpand_more
All products
  • YubiKey 5 Series
  • YubiKey 5 FIPS Series
  • YubiKey Bio Series
  • Security Key Series
  • YubiKey 5 CSPN Series
  • YubiHSM 2 & YubiHSM 2 FIPS
  • YubiEnterprise Subscription
  • YubiEnterprise Delivery
  • Yubico Authenticator
  • Computer login tools
  • Software Development Toolkits
  • YubiCloud
  • Using YubiKey is easy
  • Find the right YubiKey
  • Works with YubiKey
  • Compare YubiKeys
Woman holding YubiKey 5ci
One key for hundreds of apps and services

YubiKey works out-of-the-box and has no client software or battery

Yubico protects you
  • about Yubico
See YubiKeys as a Service
YubiEnterprise Subscription delivers scale and savings

Gain a future-proofed solution and faster MFA rollouts

See YubiKeys as a Service
  • about Yubico
Solutionsexpand_more
Solutions overview
  • Zero Trust
  • Executive Order OMB M-22-09
  • Phishing-resistant MFA
  • Passwordless
  • Compliance
  • Cyber Insurance
  • Secure supply chain
  • Critical infrastructure
  • Hybrid & remote workers
  • Secure privileged users
  • Mobile restricted environments
  • Call centers
  • Shared workstations
  • Microsoft ecosystem
  • Salesforce workspace
  • IAM solutions
  • AWS environment
  • HYPR experience
Hand holding YubiKey behind Apple iPhone
The Bridge to Passwordless

Begin the journey to make your organization passwordless

Get the white paper
  • about Yubico
Lock on a laptop
Accelerate your Zero Trust Strategy

7 best strong authentication practices to jumpstart your Zero Trust program

Get the white paper
  • about Yubico
Government building
Federal cybersecurity requirements

See guidance for CIOs and leaders to prepare for the modern cyber threat era

Get the white paper
  • about Yubico
Industriesexpand_more
Industries overview
  • High tech
  • Federal government
  • Federal systems integrators
  • State & local government
  • Education
  • Financial services
  • Elections & campaigns
  • Retail & hospitality
  • Telecommunications
  • Healthcare
  • Pharmaceuticals
  • Cryptocurrency
  • Energy & natural resources
  • Manufacturing
man working a manufacturing line
Manufacturing and supply chain security

Authentication best practices for manufacturing using highest-assurance security

Get the white paper
  • about Yubico
Person looking at a computer with a government building showing
Phishing-resistant MFA: Fact vs. Fiction

Meet requirements for phishing-resistant MFA in OMB M-22-09 guidelines

Get the white paper
  • about Yubico
Remote workers at a wind farm
Secure energy and natural resources from cyber threats

Best practices for phishing-resistant MFA to safeguard your critical infrastructure

Get the white paper
  • about Yubico
Resourcesexpand_more
All resources
  • Yubico Blog
  • Cybersecurity glossary
  • Authentication standards
  • Resource library
  • Developer program
  • Product briefs
  • Solution briefs
  • Case studies
  • Get a pilot started
  • White papers and reports
  • Webinars
Laptop with a YubiKey inserted
BeyondTrust: secured with a subscription

A leader in Privileged Access Management simplifies YubiKey deployment

How they optimized ROI
  • about Yubico
S&P Global Market Intelligence report: old habits die hard

Only 46% of respondents protect their applications with MFA. How about you?

Read the report
  • about Yubico
Considering Passkeys for your Enterprise?

Learn how to avoid the common pitfalls of synced passkeys

Get the Ebook
  • about Yubico
Supportexpand_more
Support home
  • Find the right YubiKey
  • Set up your YubiKey
  • Downloads
  • Product documentation
  • Support articles
  • Support Services
  • Professional Services
  • YubiEnterprise Subscription
  • Works with YubiKey Program
  • Buying and shipping information
  • Security advisories
  • Help center
YubiKeys in lots of form factors
How to set up your YubiKey

Follow our guided tutorials to start protecting your favorite services

Set up your YubiKey
  • about Yubico
YubiKey on a keychain plugged into a laptop
Find the best YubiKey for your needs

Take the guided quiz and see which YubiKey best fits your or your businesses needs

Take the quiz
  • about Yubico
Worker with a calculator and laptop with a spreadsheet
Accelerate your YubiKey deployment

Technical and operational guidance for your YubiKey implementation and rollout

Professional Services
  • about Yubico
SubscribeStore
  • Home » Blog » The Big Debate, 2048 vs. 4096, Yubico’s Position

    The Big Debate, 2048 vs. 4096, Yubico’s Position

    Alessio Di Mauro

    Alessio Di Mauro

    February 26, 2015
    4 minute read
    Share on FacebookShare on TwitterShare on LinkedInShare via Email

    In Part 2, we got a better understanding of what an algorithm like RSA does and what the length of a key entails.

    Now, in Part 3, we can talk about the elephant in the room. Are 2048-bit keys useless? And are your documents completely insecure if you are using them? What are the pros and cons of one key length versus the other?crypto bug

    As I showed in my last installment, RSA-2048 still has fifteen years of life left before it is considered obsolete. Plenty of time not to be worried now. Just imagine where technology was fifteen years ago!

    While it is true that a longer key provides better security, we have shown that by doubling the length of the key from 2048 to 4096, the increase in bits of security is only 18, a mere 16%. Moreover, besides requiring more storage, longer keys also translate into increased CPU usage and higher power consumption.

    While this might not seem much on a modern computer where we measure things in the order of gigabytes and hundreds of watts, it is still a valid concern for the ever-increasing low-power embedded devices where CPU frequency is measured in kilohertz and power consumption in milliwatts and microwatts.

    In these cases using a longer key means longer time to compute the result and shorter battery life on devices.

    The real advantage of using a 4096-bit key nowadays is future proofing, but even that is not so strong an argument. By the time that RSA 2048 is declared dead, hopefully Elliptic Curve Cryptography (ECC) will have taken over, or even better, new and wonderful encryption algorithms will have been discovered.

    What about ECC

    So what about Elliptic Curve Cryptography? These encryption schemes are an alternative to RSA and are based on a completely different mathematical problem. Apart from that, however, they are just normal asymmetric encryption algorithms.

    On the other hand, when it comes to speed and memory, ECC considerably outperforms RSA (with the notable exception of signature verification, where RSA is faster), even on embedded system and smaller microcontrollers.

    Key lengths for these kinds of algorithms are considerably smaller. According to NIST, 112 and 128 bits of security, (equivalent to RSA-2048 and RSA-4096) correspond to 255-bit and 383-bit long ECC keys (worst case, even less on some specific curves).

    So why are we not using this everywhere? Although the math behind them has been known for a while, ECC is a relatively new concept in cryptography, an inherently slow-changing and conservative field.

    New implementations and new “fast reduction” curves that make computation significantly quicker are still under study and it takes time. As if that was not enough, some curves and implementations are behind patent walls.

    Support for these kinds of encryption algorithms in OpenPGP has been proposed, and the first implementations are slowly starting to appear. Implementing cryptography, however, is an error-prone procedure and a fine art in and of itself.

    Blindly implementing an algorithm is usually not enough to plug all the potential security holes, and be impervious to side-channel attacks and the like.

    It is clear that once the issues are resolved and more implementations start coming around, ECC is the way forward.

    Where does Yubico stand

    Both the NEO and the NEO-n implement OpenPGP and support RSA up to 2048 bits. This is not a constraint from Yubico, but rather a hardware limitation of the NXP A700x chip used within the YubiKeys.

    While the chip also supports ECC, it cannot be easily implemented without using some proprietary extensions, making it troublesome to comply with the license used by OpenPGP (GNU GPL). Moreover, as stated before, implementing crypto is a difficult process and although we have an initial version available on github, this still requires more thorough testing before it is considered production-ready.

    A best practice is to determine how long you plan to use a specific key and then select a key length based on that decision. Everyday smartcards are fine at 2048 bits because they get changed out at regular intervals and will naturally migrate to longer key lengths over time. Long-term keys, like your master OpenPGP key that isn’t on a smartcard or used everyday, could be viable for the next 30 years if you pick longer key lengths today.

    All in all, we believe that the security of the asymmetric cryptography provided by the YubiKey NEO and NEO-n is adequate for the time being. However, we are constantly working to keep ourselves ahead of the curve (no pun intended) and we will make sure to provide new solutions when the time (and the technology) is right.

    Part 1: Does Key Size Really Matter in Cryptography?
    Part 2: Comparing Asymmetric Encryption Algorithms

    Share this article:

    Share on FacebookShare on TwitterShare on LinkedInShare via Email

    Recommended Posts

    • Q&A with CEO Mattias Danielsson: Yubico’s next stage of growth as a public company and what investors can expect

      Today marks an exciting, historic day in Yubico’s history: the company is now publicly traded under the ticker symbol YUBICO on Nasdaq First Growth North Market in Stockholm. As the cyber threat landscape continues to evolve rapidly through increasingly sophisticated attacks like phishing, the need for phishing-resistant MFA with the YubiKey are at an all-time […]

      Read more
      • Investors
      • Q&A
      • thought leadership
    • Five foundational cybersecurity controls to mitigate 90% of breaches

      During my 16 years in the cybersecurity industry, and after discussions with numerous CISOs and cyber security experts, they all agree that there are five easy steps all organizations can take to mitigate over 90% of all cyber breaches1.  Just like cars were not initially designed for safety, the internet was not designed for security. […]

      Read more
      • best practice guide
    • Okta + Yubico: Better together

      Modern cybersecurity needs to be phishing-resistant, but it also needs to incorporate a great user experience for employees, IT teams and customers. We know traditional authentication methods are perceived as user-friendly, but they are not secure and vulnerable to most attacks  – in fact, 59% of people still rely on username and password to authenticate […]

      Read more
      • Okta
      • Partner Program
    • Works with YubiKey Spotlight: How Yubico works with industry leaders who share the commitment to strong authentication

      As the cyber threat landscape continues to evolve rapidly in the form of more sophisticated attacks like phishing and ransomware, the need for industry collaborations and partnerships are more critical than ever to help businesses and consumers stay secure online. We first launched the Works with YubiKey (WWYK) program in 2018 with this in mind […]

      Read more
      • Works with YubiKey
      • wwyk
Yubico Text LogoYubico Text Logo
  • RSS
  • Twitter
  • LinkedIn
  • Facebook
  • Instagram
  • YouTube
  • GitHub
  • Product finder quiz
  • Find set-up guides
  • Buy online
  • Contact sales
  • Get Yubico updates
  • Careers
  • Events
  • Press room
  • About us
  • Investors
  • Partner programs
  • Affiliate program
  • YubiKey 5 Series
  • YubiKey 5 FIPS Series
  • YubiKey Bio Series
  • Security Key Series
  • YubiKey 5 CSPN Series
  • YubiHSM 2 & YubiHSM 2 FIPS
  • Yubico Authenticator
  • Zero Trust
  • Phishing-resistant MFA
  • Passwordless
  • Cyber insurance
  • More solutions
  • Industries overview
  • Yubico blog
  • Resource library
  • Cybersecurity glossary
  • Authentication standards
  • Developer program
  • Works with YubiKey
  • Help center
  • Downloads
  • Product documentation
  • Support Services
  • Professional Services
  • Contact support
Yubico © 2023 All Rights Reserved.
  • Sitemap
  • Cookies
  • Legal
  • Privacy
  • Patents
  • Terms of use
  • Trust