The key length used by a cryptographic algorithm determines the highest
security it can offer. Newly discovered theoretical attacks and hardware
advances constantly erode this security level over time. Taking this
into account, as of 2011, governmental, academic, and private
organizations providing guidance on cryptographic security, such as
the National Institute of Standards and Technology (NIST) and
the European Network of Excellence in Cryptology II (ECRYPT II),
make the following general recommendations to provide short- to medium-term
security against even the most well-funded attackers (e.g., intelligence agencies):
- Symmetric key lengths of at least 80-112 bits.
- Elliptic curve key lengths of at least 160-224 bits.
- RSA key lengths of at least 1248-2048 bits.
  In particular, the CA/Browser Forum
  Extended Validation (EV) Guidelines
  require a minimum key length of 2048 bits.
  Also, current research shows that factoring a 1024-bit RSA modulus
  is within practical reach.
- DSA key lengths of at least 2048 bits.

Additionally, starting in 2014, the Certificate Authority/Browser Forum has mandated that 1024-bit RSA keys no
longer be supported for SSL certificates or code signing.
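
One way to apply these minimums in an audit script, as an added example that is not part of the original text: it reads the modulus out of a DER-encoded PKCS#1 RSA public key and grades its bit length against the figures above. Treating the lower figure of each range as the short-term minimum and the higher one as the medium-term minimum is this example's reading of the ranges, and all function names and the sample keys are constructed for illustration.

```python
# Added example: thresholds are the figures listed above; all names are hypothetical.
# (low, high): below low fails; low..high-1 meets only the lower (short-term) figure.
MINIMUM_BITS = {
    "symmetric": (80, 112),
    "ec": (160, 224),
    "rsa": (1248, 2048),
    "dsa": (2048, 2048),
}

def classify(kind, bits):
    """Return 'weak', 'short-term' or 'ok' for a key of `bits` bits."""
    low, high = MINIMUM_BITS[kind]
    if bits < low:
        return "weak"
    return "short-term" if bits < high else "ok"

def _read_tlv(buf, pos, expected_tag):
    """Read one DER tag-length-value at pos; return (value, next_pos)."""
    if buf[pos] != expected_tag:
        raise ValueError("unexpected DER tag 0x%02x" % buf[pos])
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Bit length of the modulus in a PKCS#1 RSAPublicKey (SEQUENCE { n, e })."""
    body, _ = _read_tlv(der, 0, 0x30)
    n_bytes, _ = _read_tlv(body, 0, 0x02)
    # The INTEGER may carry a leading 0x00 sign byte: count bits of the value, not bytes * 8.
    return int.from_bytes(n_bytes, "big").bit_length()

def _der(tag, value):
    """Encode one DER TLV (used only to build the constructed samples below)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_rsa_public_key(bits):
    """Constructed test input: an odd number of the given size, not a real RSA modulus."""
    n = (1 << (bits - 1)) | 1
    n_enc = n.to_bytes(bits // 8 + 1, "big")   # room for the sign byte when bits % 8 == 0
    return _der(0x30, _der(0x02, n_enc) + _der(0x02, (65537).to_bytes(3, "big")))
```

Measuring the encoded INTEGER in bytes instead would report a 2048-bit modulus as 2056 bits and round a 2041-bit one up to 2048, which is why the check works on the decoded value.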