This post will complete the picture by discussing the choice of key-length and other parameters for these algorithms. As usual, our main source is the ENISA Algorithm and Key Length Report, recently updated for 2014.
Update March 2017
The most recent ECRYPT Algorithm and Keylength report is currently the 2016 version.
Here’s a summary table of current ENISA key length recommendations as applied to the mechanisms available in PKCS#11. Note that we only include mechanisms that are still considered secure.
|Mechanism|Parameter|Legacy|Near term|Long term|
Not covered here are parameters for elliptic curves in PKCS#11, which will be the subject of a future post.
For Diffie-Hellman, a little explanation is needed. PKCS#11 supports two families of DH parameter generation mechanisms: PKCS#3 and ANSI X9.42. The former method, called using the CKM_DH_PKCS_PARAMETER_GEN mechanism, requires only the specification of the size (in bits) of the prime p that will form the multiplicative group modulo p that will be used. If you ask your PKCS#11 hardware to generate such a group for you, you have no easy way of checking that the p value that comes back is a “safe prime”, i.e. that the order of the multiplicative group generated modulo p has a large prime factor to prevent the use of the Pohlig–Hellman algorithm. In X9.42, called by CKM_X9_42_DH_PARAMETER_GEN, the device will also give you the “subprime” q that you can use to check that q | (p-1). However, most implementations of PKCS#3 generate p such that p=2q+1, where q is prime, allowing the check to be easily made anyway.