Does Key Size Really Matter in Cryptography?

One of the most interesting and useful aspects of the YubiKey NEO and NEO-n is that they can act as a smart card and come pre-loaded with a bunch of interesting applications, such as an implementation of OpenPGP Card.

Many end-users like this functionality, but some question the key lengths. It’s an expected cryptographic question and is worth examining in some detail. I will walk you through it with a series of three blogs I will publish this week. Today is the first installment.crypto bug

OpenPGP is a standard that allows users to encrypt, decrypt, sign and authenticate data. It is an open standardized variant of PGP, available as a FOSS implementation in the form GNU Privacy Guard (GPG). Its most notable uses are for email encryption and authentication. Independent of the actual implementation, OpenPGP (and PGP) supports both symmetric and asymmetric cryptography. Today we will focus on the latter.

Simplified cryptography primer

To better understand what follows, we will cover a few very basic concepts of cryptography. In asymmetric or public-key encryption there are two main players: the encryption algorithm itself (RSA, ECC, ElGamal, etc.) and a cryptographic key pair. (There are also encryption/signature schemes such as PKCS#1, ECDSA and ECDH, but that is another discussion.)

Each encryption algorithm is based on a computationally-hard problem. The mathematical transformation constitutes the operation that the encryption scheme can perform, encrypt/decrypt, whereas the keys provide the additional data. We can make a similar statement for signature algorithms where the operations are sign/ verify.

The two keys of a same key pair are strongly interconnected. This is a fundamental property of asymmetric cryptography. A user must utilize the keys together to achieve different properties such as confidentiality, authenticity and integrity.

Confidentiality guarantees the message is received only by the intended recipients. Authenticity guarantees the identity of the author. Integrity confirms both confidentiality and authenticity by ensuring that a message has not been modified in transit. (Click here for a brief introduction to cryptography.)

On to PGP

We can achieve all of this if, and only if, the secret key of a user remains uncompromised. However, not all keys are created equal.

In computer security, the length of a cryptographic key is defined by its length measured in number of bits, rather than being connected to the number and shape of its ridges and notches like in a physical key (say for your car). Provided that an encryption algorithm actually supports different key lengths, the general rule is that the longer the key, the better.

In the next installment, we’ll look at suitable key lengths and how they compare. In a third installment, we will take on the 2048 vs 4096 key length debate then examine chip-based characteristics that define today’s YubiKey cryptography. And then we will wrap up by looking at what Yubico has in the lab and how we plan to move forward. See you tomorrow.

Part 2: Comparing Asymmetric Encryption Algorithms
Part 3: The Big Debate, 2048 vs. 4096, Yubico’s Position

Talk to our teamTalk to our team

Share this article:


  • Works with YubiKey Spotlight: Passkeys are here – are you ready?With 2025 at its midpoint, enterprises worldwide are grappling with how to protect their users and data against emerging challenges around user security. Since 2022, generative AI has fueled a 4,000% surge in phishing – exploiting human vulnerability in 68% of breaches. It’s no longer a question – the world has a password problem that […]Read morepartnerspasskeysWorks with YubiKeywwyk
  • Yubico LogoYubico liefert PIN-Verbesserungen mit dem neuen YubiKey 5 – Verbesserte PIN-SchlüsselUm sich auf die sich ständig weiterentwickelnden Cyber-Bedrohungen vorzubereiten, passen Regierungen weltweit die Authentifizierungsanforderungen für Online-Dienste an und aktualisieren sie, was direkte Auswirkungen auf viele Unternehmen und deren Mitarbeiter hat. Zwar gibt es derzeit keine universelle Regelung für eine robustere Multi-Faktor-Authentifizierung (MFA), doch wird deren Notwendigkeit in einer Reihe von Anforderungen hervorgehoben, darunter PSD2, DSGVO […]Read moreYubiKey
  • Yubico delivers PIN advancements with new YubiKey 5 – Enhanced PIN keysTo prepare for continuously evolving cyber threats, governments around the world are adapting and updating authentication requirements for online services which directly impact thousands of organizations and their employees. While there’s currently no universal regulation for more robust multi-factor authentication (MFA), the need is highlighted across a range of requirements including PSD2, GDPR, and the […]Read moreCompany NewsProduct NewsYubiKeyYubiKey 5 – Enhanced PINYubiKey 5 SeriesYubiKey as a Service
  • An inside look at Yubico’s transition to passwordlessBefore “passkey” became a familiar term in our industry, Yubico had long delivered hardware-backed and phishing-resistant FIDO2 based authentication. Today, the adoption of passkey usage is accelerating. However, it’s taken quite a bit longer to integrate passwordless authentication into the everyday, enterprise-grade authentication flows that are required for today’s businesses.  As long as it’s been […]Read moreOktapasswordless