Part 1: General - Computer Security Resource Center - National ...
March, 2007

6. Identification of all information that may be compromised as a result of the incident,
7. Identification of all signatures that may be invalid due to the compromise of a signing key, and
8. Distribution of new keying material, if required.

5.6 Guidance for Cryptographic Algorithm and Key Size Selection

Cryptographic algorithms that provide the security services identified in Section 3 are specified in Federal Information Processing Standards (FIPS) and NIST Recommendations. Several of these algorithms are defined for a number of key sizes. This section provides guidance for the selection of appropriate algorithms and key sizes.

This section emphasizes the importance of acquiring cryptographic systems with appropriate algorithm and key sizes to provide adequate protection for 1) the expected lifetime of the system and 2) any data protected by that system during the expected lifetime of the data.

5.6.1 Comparable Algorithm Strengths

Cryptographic algorithms provide different “strengths” of security, depending on the algorithm and the key size used. In this discussion, two algorithms are considered to be of comparable strength for the given key sizes (X and Y) if the amount of work needed to “break the algorithms” or determine the keys (with the given key sizes) is approximately the same using a given resource. The security strength of an algorithm for a given key size is traditionally described in terms of the amount of work it takes to try all keys for a symmetric algorithm with a key size of "X" that has no short cut attacks (i.e., the most efficient attack is to try all possible keys). In this case, the best attack is said to be the exhaustion attack. An algorithm that has a "Y" bit key, but whose strength is comparable to an "X" bit key of such a symmetric algorithm is said to have a “security strength of X bits” or to provide “X bits of security”. Given a few plaintext blocks and corresponding cipher, an algorithm that provides X bits of security would, on average, take $2^{X-1}T$ of time to attack, where T is the amount of time that is required to perform one encryption of a plaintext value and comparison of the result against the corresponding ciphertext value.

Determining the security strength of an algorithm can be nontrivial. For example, consider TDEA. TDEA uses three 56-bit keys (K1, K2 and K3). If each of these keys is independently generated, then this is called the three key option or three key TDEA (3TDEA). However, if K1 and K2 are independently generated, and K3 is set equal to K1, then this is called the two key option or two key TDEA (2TDEA). One might expect that 3TDEA would provide 56 × 3 = 168 bits of strength. However, there is an attack on 3TDEA that reduces the strength to the work that would be involved in exhausting a 112-bit key. For 2TDEA, if exhaustion were the best attack, then the strength of 2TDEA would be 56 × 2 = 112 bits. This appears to be the case if the attacker has only a few matched plain and cipher pairs. However, if the attacker can obtain approximately $2^{40}$ such pairs, then 2TDEA has strength comparable to an 80-bit algorithm (see [ANSX9.52], Annex B).
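
Why three independent keys do not give 3 × 56 bits of strength can be shown on a scaled-down cipher. The following is an added example, not part of the NIST text: it runs the standard meet-in-the-middle search against a constructed 16-bit Feistel cipher with 6-bit keys (the cipher, `K`, `SECRET`, `PAIRS` and all function names are assumptions made for the illustration) and counts cipher operations, which come out near 2^(2K) rather than 2^(3K).

```python
# Added illustration. The 16-bit Feistel cipher and 6-bit keys are constructed
# for this demo; they stand in for DEA and its 56-bit keys and are not TDEA.
K = 6                                   # bits per toy key
KEYS = range(1 << K)
ops = 0                                 # single-cipher operations performed

def _f(half, key, rnd):                 # toy nonlinear round function
    return pow(half + 3 * key + 17 * rnd + 1, 3, 257) & 0xFF

def enc(block, key):
    global ops
    ops += 1
    l, r = block >> 8, block & 0xFF
    for rnd in range(4):
        l, r = r, l ^ _f(r, key, rnd)
    return (l << 8) | r

def dec(block, key):
    global ops
    ops += 1
    l, r = block >> 8, block & 0xFF
    for rnd in reversed(range(4)):
        l, r = r ^ _f(l, key, rnd), l
    return (l << 8) | r

def ede(p, k1, k2, k3):                 # three-key encrypt-decrypt-encrypt
    return enc(dec(enc(p, k1), k2), k3)

def search(pairs):
    """Recover (k1, k2, k3) by matching D_k2(E_k1(P)) against D_k3(C)."""
    global ops
    ops = 0
    (p0, c0), rest = pairs[0], pairs[1:]
    middle = {}
    for k3 in KEYS:                     # 2^K operations, 2^K table entries
        middle.setdefault(dec(c0, k3), []).append(k3)
    found = []
    for k1 in KEYS:                     # 2^(2K) inner iterations
        x = enc(p0, k1)
        for k2 in KEYS:
            for k3 in middle.get(dec(x, k2), ()):
                # confirm each candidate on the remaining known pairs
                if all(ede(p, k1, k2, k3) == c for p, c in rest):
                    found.append((k1, k2, k3))
    return found, ops

SECRET = (13, 42, 7)                    # constructed sample key
PAIRS = [(p, ede(p, *SECRET)) for p in (0x1234, 0xBEEF, 0x0042)]

if __name__ == "__main__":
    found, work = search(PAIRS)
    print(found, work, "vs exhaustive", 3 * 2 ** (3 * K))
```

With K = 6 the search costs a little over 2^12 cipher operations, against 3 · 2^18 for trying every key triple; the same scaling is what brings 168 key bits down to the work of exhausting a 112-bit key.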

The recommended comparable key size classes discussed in this section are based on assessments made as of the publication of this recommendation using currently known methods. Advances in factoring algorithms, advances in general discrete logarithm attacks, elliptic curve discrete logarithm attacks and quantum computing may affect these equivalencies in the future. New or improved attacks or technologies may be developed that leave some of the current