Understanding Problem with rsa min key length 1024

Mark D. Baushke mdb at juniper.net
Fri Apr 12 02:48:01 AEST 2019

Hi Daniel,

I agree with your points and I also agree that a default of 2048 now and
3072 bits in a few years for OpenSSH may be desirable.

There was a bug in some SSHv2 implementatons where 1023 bit keys were
generated when 1024 bit keys were asked.



Regarding strength, see also this article:

which has a reference to this letter on RSA Key Size:


    Executive Summary

    The popular 1024-bit key size for RSA keys is becoming the next
    horizon for researchers in integer factorization, as demonstrated by
    the innovative “TWIRL” design recently proposed by Adi Shamir and
    Eran Tromer. The design confirms that the traditional assumption
    that a 1024-bit RSA key provides comparable strength to an 80-bit
    symmetric key has been a reasonable one. Thus, if the 80-bit
    security level is appropriate for a given application, then TWIRL
    itself has no immediate effect. Many details remain to be worked
    out, however, and the cost estimates are inconclusive. TWIRL
    provides an opportunity for review of key sizes in practice; RSA
    Laboratories’ revised recommendations are given in Table 1 below.

... elided ...

    The 112-bit security level is somewhat higher than needed now, but
    it is convenient since triple-DES is already widely implemented, and
    the 2048-bit RSA key size key size is convenient as it is already
    supported for root keys. In the recent NESSIE recommendations
    [NESSIE03], a minimum of 1536 bits is suggested for RSA signature
    keys. This may be an appropriate interim measure, but due to the
    lengthy process of upgrading key sizes, 2048 bits is a better goal.
    Based on these considerations, RSA Laboratories offers the following
    recommendations for key sizes:

    | Protection Lifetime     | Minimum         | Minimum RSA |
    | of Data                 | symmetric       | key size    |
    |                         | security level  |             |
    | 2003 – 2010             | 80 bits         | 1024 bits   |
    | 2003 – 2030             | 112 bits        | 2048 bits   |
    | 2003 – 2031 and Beyond  | 128 bits        | 3072 bits   |

    Table 1. Recommended minimum symmetric security levels and RSA key
    sizes based on protection lifetime. [I pivoted the table for easier
    reading in email]

The United States National Institute of Standards and Technology (NIST)
also has a letter on key strengths:


as well as a Special Publication which recomments RSA 2048-bit keys for now.


as well as this document:

  NIST Special Publication 800-131A Revision 2
  Transitioning the Use of Cryptographic Algorithms and Key Lengths

	-- Mark

More information about the openssh-unix-dev mailing list