The importance of a certificate key size is immense in terms of encryption for all types of network traffic and communications security today. The safety of encrypted connections thus depends heavily on the used key size, as keys of sufficient length are necessary for better protection, as they are more challenging to break.
Below you can find an overview of the basics of certificate key size and how to tweak your security properties for the best protection of your server certificates and overall systems. In particular, the article looks at TLS/SSL certificates and the RSA and ECDSA key types.
TLS Key Size Security Assessment
CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
How TLS/SSL Encryption Certificates Work
Encryption certificates like the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) are the building blocks of secure online interactions. They protect our credentials, such as usernames and passwords, financial data, credit card numbers, and many other security items — personal and sensitive details transmitted online.
In 2014, the Internet Architecture Board (IAB) called for the application of encryption protocols on all internet traffic — intending to protect both personal and business sensitive data and digital identities.
The TLS is the most prevalent cryptographic protocol used on the internet, providing safety for web browsing. It’s also employed for file transfers, email, messaging, VoIP, and DNS, among other uses. The TLS became an evolved version of the SSL protocol that was created at the beginning of the 1990s.
The TLS certificate uses a mixture of symmetric and asymmetric cryptography to deliver the best current combination between the level of security, performance, and efficiency. A symmetric encryption algorithm is based on data encryption and decryption using a secret key that both parties know. The asymmetric approach bets on a private key known only for decryption.
These certificates encrypt data to protect data transfers and communication between parties, protecting them from unwanted interference and eavesdropping. In particular, the TLS encrypts the application layer for HTTP, FTP, SMTP, and IMAP protocols. In addition, it can also be applied to UDP, DCCP, and SCTP.
The encryption process is executed through keys or public key infrastructure (PKI). There are two unique keys for SSL/TLS certificate-based websites, namely — a private key and a public key, based on the asymmetric cryptography approach, which is considered to yield more robust algorithms.
The public key is used for encryption and is publicly available. Therefore, it can be easily checked in the browser. On the other hand, the private key is secret and is known only by the digital asset owner. It is used to decrypt session content encrypted with the public key.
Because asymmetric cryptography offers a higher level of security, TLS uses this mode for creating and transmitting a session key.
Different TLS/SSL Key Types and the Importance of Their Size
The certificate key size is of particular significance for the level of protection that the TLS protocol can provide.
But first, let’s go back to the most widely used TLS/SSL key types. There is a wide variety of key generation approaches, including Diffie-Hellman Key Exchange (DH), Ephemeral Diffie–Hellman Key Exchange (DHE), Elliptic Curve Diffie-Hellman (ECDH), and Ephemeral Elliptic Curve Diffie-Hellman (ECDHE). However, there are two main ones — RSA (named after its three inventors) and ECDSA, or Elliptic Curve Digital Signature Algorithm. RSA and ECDSA are currently the most well-known public key signing algorithms. The recognized industry standards and maximum sizes are the 2048-bit RSA with SHA256 key or 256-bit ECDSA with SHA256 on the P-256 curve key.
The RSA key type, also referred to as a public-key cryptosystem, is more prevalent for securing data transmission. The Certificate Authorities (CA) have set the industry standard at least 2,048 bits in size. It was invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman.
The ECDSA is a different key type that is not so massively used but has its benefits and is adopted by more and more organizations. For example, it performs quicker than RSA for SSL/TLS signing and handshakes.
The same level of key strength for an ECDSA key compared to an RSA key is obtained through a minor key size, with 256 bits being the industry standard.
In particular, the comparisons are the following:
- 1024 RSA key size corresponds to 160 ECDSA key length
- 2048 (minimum version for RSA) to 224
- 3072 to 256 (minimum version for ECDSA)
- 7680 to 384
- 15360 to 512
This shows that the key size is not the only factor to consider when estimating a certificate key’s data and communications security. For example, a shorter ECDSA key may provide the same level of protection as a longer RSA key, with a smaller size that requires less computation power and time.
Learn how to detect and prevent different kinds of SSL/TLS vulnerabilities.
Variations in the TLS/SSL Key Size
In the case of RSA, the recommended industry minimum is 2048 bits. However, some organizations might opt-in to use 4096-bit RSA as an extra level of security. While this can be helpful in some ways and may provide longer compliance with National Institute of Standards and Technology (NIST) recommendations on cryptographic algorithms, this longer key size is also heavier for operations. That’s why it’s preferable to use the current industry recommendation for faster performance and not to increase the TLS/SSL key size from 2048 to 4096.
You need to generate a new key to get a certificate with a larger key. You can refer to our Configure Trusted Certificates guide for further information on that process. Don’t forget that executing any and all security updates relevant to your systems is also necessary.
Your Complete Cyber Security Plan with Crashtest Security
Ensuring your cyber safety can be a complicated process. However, it gets easier with Crashtest Security’s Vulnerability Testing Software.
Our platform allows you to execute a security assessment of all your systems. So you can keep tabs on security risks, including the CRIME attack, FREAK attack, BEAST attack, and Man-in-the-Middle attack, among others. It protects you from the ever-increasing number and types of cyber threats.
What is a certificate key size?
The term ‘certificate key size’ refers to the length of the key used by the TLS/SSL certificate for data encryption.
Why does key size matter in encryption?
The size of a certificate key directly impacts the level of protection it can provide. Shorter key sizes (of the same key type) usually are easier to break by malevolent users (i.e., 1024 vs. 2048 bits).
What is a 2048-bit RSA key?
The 2,048-bit RSA key is the most widely used key type and size.
How secure is the 1024-bit RSA key?
The short answer is: not enough. The current industry standard for RSA keys is 2048.