Key Length Choice in PKCS#11

Graham Steel
December 29, 2014

In a series of articles on the blog this year we've covered cryptographic algorithm choice in PKCS#11, taking into account recent cryptanalytic results. This post will complete the picture by discussing the choice of key-length and other parameters for these algorithms. As usual, our main source is the ENISA Algorithm and Key Length Report, recently updated for 2014.

Update March 2017

The most recent ECRYPT Algorithm and Keylength report is currently the 2016 version.

Here's a summary table of current ENISA key length recommendations as applied to the mechanisms available in PKCS#11. Note that we only include mechanisms that are still considered secure.

| Mechanism | Parameter | Legacy | Near term | Long term |
|---|---|---|---|---|
| CKM_DH_*, CKM_X9_42_DH_* | CKA_PRIME_BITS | 1024 | 3072 | 15360 |
| CKM_X9_42_DH_* | CKA_SUBPRIME_BITS | 160 | 256 | 512 |

Not covered here are parameters for elliptic curves in PKCS#11, which will be the subject of a future post.

For Diffie-Hellman, a little explanation is needed. PKCS#11 supports two families of DH parameter generation mechanism: PKCS#3 and ANSI X9.42. The former method, invoked using the CKM_DH_PKCS_PARAMETER_GEN mechanism, requires only the size (in bits) of the prime p that defines the multiplicative group modulo p. If you ask your PKCS#11 hardware to generate such a group, you have no easy way of checking that the p value that comes back is a "safe prime", i.e. that the order of the multiplicative group generated modulo p has a large prime factor to prevent the use of the Pohlig–Hellman algorithm. In X9.42, invoked by CKM_X9_42_DH_PARAMETER_GEN, the device will also give you the "subprime" q, which you can use to check that q | (p-1). However, most implementations of PKCS#3 generate p such that p = 2q+1, where q is prime, allowing the check to be easily made anyway.
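The checks described above can be run on the host once the parameters have been read back from the token. The following Python is an added example, not code from the original post; it assumes the CKA_PRIME value (and, for X9.42, CKA_SUBPRIME) is already available as an integer, and the function names and finding labels are hypothetical.

```python
import secrets

# Minimum sizes from the table above: (CKA_PRIME_BITS, CKA_SUBPRIME_BITS)
LEVELS = {"legacy": (1024, 160), "near_term": (3072, 256), "long_term": (15360, 512)}

def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases; error probability at most 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)   # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                   # a is a witness: n is composite
    return True

def check_dh_params(p, q=None, level="near_term"):
    """Return a list of findings; an empty list means the group passed.

    q is the X9.42 subprime if the token supplied one. Without it (PKCS#3),
    assume the safe-prime form p = 2q + 1 and test q = (p - 1) // 2.
    """
    min_p, min_q = LEVELS[level]
    findings = []
    if p.bit_length() < min_p:
        findings.append("prime_too_short")
    if not is_probable_prime(p):
        findings.append("p_not_prime")
    if q is None:
        if not is_probable_prime((p - 1) // 2):
            findings.append("not_safe_prime")
        return findings
    if q.bit_length() < min_q:
        findings.append("subprime_too_short")
    if not is_probable_prime(q):
        findings.append("q_not_prime")
    if q <= 0 or (p - 1) % q != 0:
        findings.append("q_does_not_divide_p_minus_1")
    return findings
```

Random Miller-Rabin bases are used rather than a fixed set because the parameters come from a device whose output is being verified, not trusted.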
