This post will complete the picture by discussing the choice of key length and other parameters for these algorithms. As usual, our main source is the ENISA Algorithm and Key Length Report, recently updated for 2014.
Here’s a summary table of current ENISA key length recommendations as applied to the mechanisms available in PKCS#11. Note that we only include mechanisms that are still considered secure.
|Mechanism||Parameter||Legacy||Near term||Long term|
Not covered here are parameters for elliptic curves in PKCS#11, which will be the subject of a future post.
For Diffie-Hellman, a little explanation is needed. PKCS#11 supports two families of DH parameter generation mechanism: PKCS#3 and ANSI X9.42. The former method, called using the CKM_DH_PKCS_PARAMETER_GEN mechanism, requires only the specification of the size (in bits) of the prime p that will form the multiplicative group modulo p that will be used. If you ask your PKCS#11 hardware to generate such a group, you have no easy way of checking that the p value that comes back is a “safe prime”, i.e. that the order of the multiplicative group generated modulo p has a large prime factor to prevent the use of the Pohlig–Hellman algorithm. In X9.42, called by CKM_X9_42_DH_PARAMETER_GEN, the device will also give you the “subprime” q that you can use to check that q | (p-1). However, most implementations of PKCS#3 generate p such that p=2q+1, where q is prime, allowing the check to be easily made anyway.
A new version (v1.4) of our PKCS#11 Security Whitepaper is available.