[91] in 6.033 discussion
key length
littlitt@ATHENA.MIT.EDU (littlitt@ATHENA.MIT.EDU)
Wed Mar 20 17:29:05 1996
Hello all,

Today in lecture Prof. Kaashoek discussed DES and RSA and touched upon
issues of key length. I thought I would point out that a group of
well-respected cryptographers (including Ron Rivest from MIT) recently
came up with a document about key length and security. Below is an
interesting excerpt from their document. The full document can be
found at:

ftp://ftp.research.att.com/dist/mab/keylength.txt

Note that these key lengths are for symmetric (private key) ciphers
such as DES, and not for public key systems such as RSA. (With RSA
the public key needs to be long enough such that the attacker cannot
find the two prime factors of the key. This leads to lengths near 1000
bits.) The prices below are estimates for brute force attacks. (Trying
out all possible keys.) Remember that DES uses 56 bit keys.

Also note that the U.S. Government currently does not grant export
licenses for cryptographic software that uses key lengths longer than
40 bits.

-jon
-------------------
                                    Time and cost              Length Needed
Type of       Budget    Tool        per key recovered          for protection
Attacker                            40bits        56bits       in Late 1995

Pedestrian Hacker
              tiny      scavenged   1 week        infeasible        45
                        computer
                        time
              $400      FPGA        5 hours       38 years          50
                                    ($0.08)       ($5,000)

Small Business
              $10,000   FPGA        12 minutes    556 days          55
                                    ($0.08)       ($5,000)

Corporate Department
              $300K     FPGA        24 seconds    19 days           60
                          or        ($0.08)       ($5,000)
                        ASIC        .18 seconds   3 hours
                                    ($0.001)      ($38)

Big Company
              $10M      FPGA        .7 seconds    13 hours          70
                          or        ($0.08)       ($5,000)
                        ASIC        .005 seconds  6 minutes
                                    ($0.001)      ($38)

Intelligence Agency
              $300M     ASIC        .0002 seconds 12 seconds        75
                                    ($0.001)      ($38)
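
Added example, not part of the original post or of the cited document: a short Python check that the table's 56-bit column follows from its 40-bit column when each extra key bit doubles the brute-force search time (16 more bits is a factor of 65,536). The function names, and the assumption that the same hardware is used at both key lengths, are mine.

```python
# Added example; rows are typed in from the table quoted in the post above.
# Assumption: on fixed hardware, exhaustive search time doubles per extra key bit.
import math

HOUR = 3600.0
DAY = 24 * HOUR
YEAR = 365.25 * DAY

# (attacker and budget, tool, seconds per 40-bit key, seconds per 56-bit key)
# The "scavenged computer time" row is omitted: its 56-bit entry is "infeasible".
TABLE = [
    ("Pedestrian Hacker, $400", "FPGA", 5 * HOUR, 38 * YEAR),
    ("Small Business, $10,000", "FPGA", 12 * 60.0, 556 * DAY),
    ("Corporate Department, $300K", "FPGA", 24.0, 19 * DAY),
    ("Corporate Department, $300K", "ASIC", 0.18, 3 * HOUR),
    ("Big Company, $10M", "FPGA", 0.7, 13 * HOUR),
    ("Big Company, $10M", "ASIC", 0.005, 6 * 60.0),
    ("Intelligence Agency, $300M", "ASIC", 0.0002, 12.0),
]

def scale_time(seconds, from_bits, to_bits):
    """Search time at to_bits, given the time at from_bits on the same hardware."""
    return seconds * 2.0 ** (to_bits - from_bits)

def bits_to_resist(t40_seconds, target_seconds):
    """Smallest key length whose search time reaches target_seconds."""
    return 40 + math.ceil(math.log2(target_seconds / t40_seconds))

def check_table(table=TABLE):
    """Return (label, tool, predicted 56-bit time, published time, ratio) per row."""
    rows = []
    for label, tool, t40, t56 in table:
        predicted = scale_time(t40, 40, 56)
        rows.append((label, tool, predicted, t56, predicted / t56))
    return rows

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", DAY), ("hours", HOUR), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.4g} seconds"

if __name__ == "__main__":
    for label, tool, predicted, published, ratio in check_table():
        print(f"{label:29} {tool:4} predicted {humanize(predicted):>12}"
              f"  published {humanize(published):>12}  ratio {ratio:.2f}")
```

Every published 56-bit figure lands within about 10% of the 40-bit figure multiplied by 2^16, which is the whole difference between the two columns.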