Entrust has been getting a lot of questions about the move to 2048-bit RSA keys. The move is causing some web administrators concern, so we thought it would be a good time to clarify the reasoning behind the move to 2048-bit keys.
The US National Institute of Standards and Technology (NIST) prepared a special report SP 800-57 in 2005 for comment. The updated report SP 800-57 in March 2007 Part 1 and subsequent reports Part 2 and Part 3, laid the foundation for how application developers and certification authorities would manage key sizes for digital certificates such as those used for SSL/TLS, code signing, and document signing. The recommendation was that 1024-bit RSA keys should only be depended on until 31 December 2010, after which the minimum key size should be 2048-bit RSA. This recommendation has been adopted and published by a number of organizations:
- CDS Subordinate CAs shall use an RSA key pair with at least 2048 bits.
- CDS Subscriber certificates shall use an RSA key pair with at least 2048 bits.
- Requires a minimum of 2048-bit RSA keys for Root and Subordinate CAs.
- Requires a minimum of 1024-bit RSA keys for end entity certificates and 2048-bit keys for end entity certificates that expire after 31 December 2010.
- All new Root certificates must have a minimum be 2048-bit RSA keys.
- 1024-bit Roots will be removed from the Microsoft Root Certificate Program by 31 December 2010.
- All end entity certificates issued after 31 December must have a minimum of 2048-bit RSA keys.
- December 31, 2010 – CAs must stop issuing intermediate and end-entity certificates from roots with RSA key sizes smaller than 2048 bits. All CAs must stop issuing intermediate and end-entity certificates with RSA key size smaller than 2048 bits under any root.
- December 31, 2013 – Mozilla will disable or remove all root certificates with RSA key sizes smaller than 2048 bits.
The reason for moving to stronger subscriber keys is to protect the data of Subscribers and Relying Parties. Cryptanalytic attacks against a particular key size become more practical as computing power increases and new techniques are developed. See, for instance, 768-bit RSA key in December 2009. A broken end-entity key could expose encrypted session data or allow a man-in-the-middle attack.
Entrust has been proactive in adopting the standards and recommendations. Entrust has put in restrictions that all certificates issued after 2010 have a minimum of 2048-bit RSA keys. In addition Entrust is actively moving to 2048-bit root certificates. As times move forward, we will keep our eyes on the technology and the standards and implement policy to protect our subscribers and relying parties.
Updated January 24, 2011: Here is a Key size update post based on the release of NIST Special Publication 800-131A.