The security of TLS is only as strong as the cryptographic algorithms in use and their respective key sizes. A strong private key is needed to prevent hackers from carrying out impersonation attacks. Algorithms of different strengths and key sizes can be used together for performance, availability or interoperability reasons, as long as the combination still provides sufficient protection.
If we restrict the system to only a few strong cipher suites, some clients might not be able to connect. On the other hand, if we make it too permissive, it becomes vulnerable to known attacks. If the key sizes are too small, the keys could be brute-forced. If they are too large, they could seriously degrade performance. So what are the optimal key sizes that should be used?
RSA key sizes
In my previous post, I explained why RSA is a safe default choice. This public key algorithm is widely supported, even on older clients.
I had a look at the NIST SP 800-57 document and, according to section 5.6.3, a 1024-bit RSA key provides only 80 bits of security. That’s not enough; with today’s computing power, GPU and FPGA clusters, we can break keys of this size. At 2048 bits, RSA keys provide about 112 bits of security. This is a good balance between security and performance and is enough for most cases. But that’s about as good as it’s going to get with RSA, since keys above this size don’t scale well.
If more security is needed, we need to turn to some other algorithms, and this is where Elliptic Curve cryptography (ECC) comes in handy.
ECDSA key sizes
ECDSA (Elliptic Curve Digital Signature Algorithm) keys are a good alternative. Being based on elliptic curves, ECDSA keys are smaller than RSA keys and provide the same level of security while maintaining performance. At 256 bits, ECDSA keys provide 128 bits of security, which is the equivalent of 3072-bit RSA keys. The downside is that ECDSA is not supported by some older clients.
When backwards compatibility is to be maintained, the best thing to do is to deploy both RSA and ECDSA keys on the server. Then, by carefully selecting the order of TLS cipher suites, recent clients will use ECDSA, and older clients will fall back to RSA.
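The effect of suite ordering described above, and of the over-restrictive setup mentioned in the introduction, can be checked with a small model. This is an added example, not code from the original post: it assumes TLS 1.2-style selection with server preference, the client lists are constructed, and the strength figures are the ones quoted in this post.

```python
# Added illustration: TLS 1.2-style suite selection with server preference.
# Strength figures are the ones quoted in this post (NIST SP 800-57).
STRENGTH_BITS = {("RSA", 1024): 80, ("RSA", 2048): 112,
                 ("RSA", 3072): 128, ("ECDSA", 256): 128}

ECDSA_SUITE = "ECDHE-ECDSA-AES128-GCM-SHA256"  # OpenSSL suite names
RSA_SUITE = "ECDHE-RSA-AES128-GCM-SHA256"

# Constructed sample clients (assumption: what each one offers).
MODERN_CLIENT = [ECDSA_SUITE, RSA_SUITE]
LEGACY_CLIENT = [RSA_SUITE]

DUAL_KEYS = {"ECDSA": 256, "RSA": 2048}  # both keys deployed on the server


def auth_alg(suite):
    """Authentication algorithm named in an OpenSSL-style suite string."""
    return suite.split("-")[1]  # "ECDHE-ECDSA-..." -> "ECDSA"


def negotiate(server_order, server_keys, client_offer):
    """Return (suite, key_type, strength_bits), or None if no suite matches.

    server_order: suites in the server's order of preference
    server_keys:  deployed key types and sizes, e.g. {"RSA": 2048}
    client_offer: suites the client supports
    """
    offered = set(client_offer)
    for suite in server_order:
        alg = auth_alg(suite)
        # A suite is usable only if the client offers it and the server
        # holds a key of the matching type.
        if suite in offered and alg in server_keys:
            return suite, alg, STRENGTH_BITS.get((alg, server_keys[alg]))
    return None  # handshake fails: the client cannot connect


if __name__ == "__main__":
    setups = {
        "dual keys, ECDSA first": ([ECDSA_SUITE, RSA_SUITE], DUAL_KEYS),
        "dual keys, RSA first": ([RSA_SUITE, ECDSA_SUITE], DUAL_KEYS),
        "ECDSA only": ([ECDSA_SUITE], {"ECDSA": 256}),
    }
    clients = {"modern": MODERN_CLIENT, "legacy": LEGACY_CLIENT}
    for name, (order, keys) in setups.items():
        for cname, offer in clients.items():
            print(f"{name:24} {cname:7} -> {negotiate(order, keys, offer)}")
```

With RSA suites listed first, the modern client also ends up on the 2048-bit RSA key, so the ECDSA key is never used; with ECDSA only, the legacy client cannot connect at all.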