53

Where do 4096 bit RSA keys for SSL certs currently stand in terms of things like CA support, browser support, etc? In the overall scheme of things is the increased security worth the risk of 4096 bit keys not having the widespread support and compatibility as 2048 bit keys do, not to mention the increased CPU load required to process the key exchange? Are things slowly turning in favor of 4096?

Jeff-Inventor ChromeOS
  • 1,323
  • 9
  • 10
user53029
  • 2,687
  • 5
  • 24
  • 35
  • Is there actually "widespread support and compatibility" for 2096bit keys? –  Aug 12 '14 at 01:33
  • 3
    I'd rather use 2048 bit RSA for signing together with ECDH for key exchange instead of larger RSA for encryption. Unlike encryption/key-exchange keys, signing keys don't need long term security so 2048 is fine. – CodesInChaos Aug 12 '14 at 11:13
  • Unless quantum computing progresses significantly, tho is just number porn. 64 bits is enough to prevent brute force. – Robert Fraser Feb 23 '16 at 08:02
  • @RobertFraser , I think you're confused about asymmetric vs symmetric keys. For factoring a 64-bit number, you only need to check every number from 2 to 2^32, which is quite easily done in a day on any recent desktop processor. – rsaxvc Mar 07 '16 at 14:46

3 Answers3

46

Advisories recommend 2048 for now. Security experts are projecting that 2048 bits will be sufficient for commercial use until around the year 2030.

The main downside to using a large cert, such as 3072 or 4096, is that the algorithm is slightly slower (still fractions of a second, though).

Current browsers should all support certs upto 4096.

Some CAs won't issue a cert that large, so if you want a 4096 bit cert, you might have to shop around for a CA that will issue it.

Jeff-Inventor ChromeOS
  • 1,323
  • 9
  • 10
  • 11
    [Reference](http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf) for 2030 comment. 2048-bit RSA keys are equivalent in strength to 112-bit symmetric keys – Andrew Lott Oct 30 '14 at 11:16
  • 2
    Something to note: with the traditional RSA cypersuites the RSA key is relied on for both autentication and secrecy. If an adversary logs the session now and cracks the RSA key in the future then they can decrypt the traffic. – Peter Green Dec 17 '15 at 13:01
  • 1
    Also see http://stackoverflow.com/a/589850/632951 and http://security.stackexchange.com/a/1755/2379 regarding this. – Pacerier Apr 12 '16 at 14:55
  • @AndrewLott, How did you find that from? – Pacerier Apr 12 '16 at 14:56
  • Update for 2017: https://www.synopsys.com/blogs/software-security/roca-cryptographic-flaws/ (If the link fails in the future, search for "Return of Coppersmith’s Attack") – linagee Nov 15 '17 at 21:51
  • For SSH, the command `ssh-keygen` on latest Ubuntu stable version now uses a 3072-bit key by default and some tutorials of web hosting provider use a 4096-bit key (e.g. https://docs.ovh.com/gb/en/public-cloud/create-ssh-keys/). – baptx Mar 21 '20 at 14:23
2

I always generate 4096 bit keys since the downside is minimal (slightly lower performance) and security is slightly higher (although not as high as one would like). Larger keys like 8192 bit or even larger take forever to generate and require specially patched sw to use so are impractical. Luckily there are other algorithms slowly replacing rsa...

Mr. C
  • 131
  • 1
1

Since 2019, OpenSSH defaults to 3072 bit keys for RSA:

  • ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level.

https://www.openssh.com/txt/release-8.0

Colonel Panic
  • 2,134
  • 2
  • 22
  • 24