Does Key Size Really Matter in Cryptography?

One of the most interesting and useful aspects of the YubiKey NEO and NEO-n is that they can act as a smart card and come pre-loaded with a bunch of interesting applications, such as an implementation of OpenPGP Card.

Many end-users like this functionality, but some question the key lengths. It’s an expected cryptographic question and is worth examining in some detail. I will walk you through it with a series of three blogs I will publish this week. Today is the first installment.crypto bug

OpenPGP is a standard that allows users to encrypt, decrypt, sign and authenticate data. It is an open standardized variant of PGP, available as a FOSS implementation in the form GNU Privacy Guard (GPG). Its most notable uses are for email encryption and authentication. Independent of the actual implementation, OpenPGP (and PGP) supports both symmetric and asymmetric cryptography. Today we will focus on the latter.

Simplified cryptography primer

To better understand what follows, we will cover a few very basic concepts of cryptography. In asymmetric or public-key encryption there are two main players: the encryption algorithm itself (RSA, ECC, ElGamal, etc.) and a cryptographic key pair. (There are also encryption/signature schemes such as PKCS#1, ECDSA and ECDH, but that is another discussion.)

Each encryption algorithm is based on a computationally-hard problem. The mathematical transformation constitutes the operation that the encryption scheme can perform, encrypt/decrypt, whereas the keys provide the additional data. We can make a similar statement for signature algorithms where the operations are sign/ verify.

The two keys of a same key pair are strongly interconnected. This is a fundamental property of asymmetric cryptography. A user must utilize the keys together to achieve different properties such as confidentiality, authenticity and integrity.

Confidentiality guarantees the message is received only by the intended recipients. Authenticity guarantees the identity of the author. Integrity confirms both confidentiality and authenticity by ensuring that a message has not been modified in transit. (Click here for a brief introduction to cryptography.)

On to PGP

We can achieve all of this if, and only if, the secret key of a user remains uncompromised. However, not all keys are created equal.

In computer security, the length of a cryptographic key is defined by its length measured in number of bits, rather than being connected to the number and shape of its ridges and notches like in a physical key (say for your car). Provided that an encryption algorithm actually supports different key lengths, the general rule is that the longer the key, the better.

In the next installment, we’ll look at suitable key lengths and how they compare. In a third installment, we will take on the 2048 vs 4096 key length debate then examine chip-based characteristics that define today’s YubiKey cryptography. And then we will wrap up by looking at what Yubico has in the lab and how we plan to move forward. See you tomorrow.

Part 2: Comparing Asymmetric Encryption Algorithms
Part 3: The Big Debate, 2048 vs. 4096, Yubico’s Position

Talk to our teamTalk to our team

Share this article:


  • FIPS certified vs. FIPS compliant: What’s the real difference?“Is your MFA solution FIPS compliant, or is it certified?”  This is a question we hear a lot, and for good reason. In industries where security and compliance are critical (especially in government contracts), understanding the difference between FIPS certified and FIPS compliant isn’t just semantics – it can mean the difference between meeting requirements […]Read moreFIPSNIST
  • 2025 Global State of Authentication survey: A world of difference in cybersecurity habitsIn a world that’s more connected than ever, the landscape of cybersecurity threats is constantly evolving. Bad actors, now supercharged with artificial intelligence (AI), are becoming increasingly adept at exploiting human error through sophisticated phishing and social engineering attacks. This makes robust cybersecurity a universal issue, impacting everyone from individuals to the largest global enterprises. […]Read moreGlobal State of Authenticationsurvey
  • Making digital security a right: Inside Yubico’s Secure it Forward programTechnology can be a great equalizer — but only if the strongest protection is within reach. Since 2022, Yubico has donated more than 65,000 YubiKeys to hundreds of organizations worldwide — a retail value of over $3.3 million. Each key helps strengthen digital protection for those doing vital work in their communities. This isn’t just […]Read more
  • Yubico LogoYubico liefert PIN-Verbesserungen mit dem neuen YubiKey 5 – Verbesserte PIN-SchlüsselTo prepare for continuously evolving cyber threats, governments around the world are adapting and updating authentication requirements for online services which directly impact thousands of organizations and their employees. While there’s currently no universal regulation for more robust multi-factor authentication (MFA), the need is highlighted across a range of requirements including PSD2, GDPR, and the […]Read moreYubiKey