Key Size - Symmetric Algorithm Key Lengths

Symmetric Algorithm Key Lengths

US Government export policy has long restricted the 'strength' of cryptography which can be sent out of the country. For many years the limit was 40 bits. Today, a key length of 40 bits offers little protection against even a casual attacker with a single PC, a predictable and inevitable consequence of governmental restrictions limiting key length. In response, by the year 2000, most of the major US restrictions on the use of strong encryption were relaxed. However, not all regulations have been removed, and encryption registration with the U.S. Bureau of Industry and Security is still required to export "mass market encryption commodities, software and components with encryption exceeding 64 bits" (75 F.R. 36494).

When the Data Encryption Standard cipher was released in 1977, a key length of 56 bits was thought to be sufficient. There was speculation at the time, however, that the NSA has deliberately reduced the key size from the original value of 112 bits (in IBM's Lucifer cipher) or 64 bits (in one of the versions of what was adopted as DES) so as to limit the strength of encryption available to non-US users. The NSA has major computing resources and a large budget; some thought that 56 bits was NSA-breakable in the late '70s. However, by the late 90s, it became clear that DES could be cracked in a few days' time-frame with custom-built hardware such as could be purchased by a large corporation. The book Cracking DES (O'Reilly and Associates) tells of the successful attempt to break 56-bit DES by a brute force attack mounted by a cyber civil rights group with limited resources; see EFF DES cracker. 56 bits is now considered insufficient length for symmetric algorithm keys, and may have been for some time. More technically and financially capable organizations were surely able to do the same long before the effort described in the book. Distributed.net and its volunteers broke a 64-bit RC5 key in several years, using about seventy thousand (mostly home) computers.

The NSA's Skipjack algorithm used in its Fortezza program employs 80 bit keys.

DES has been replaced in many applications by Triple DES, which has 112 bits of security with 168-bit keys.

The Advanced Encryption Standard published in 2001 uses a key size of (at minimum) 128 bits. It also can use keys up to 256 bits (a specification requirement for submissions to the AES contest). 128 bits is currently thought, by many observers, to be sufficient for the foreseeable future for symmetric algorithms of AES's quality. The U.S. Government requires 192 or 256-bit AES keys for highly sensitive data.

In 2003 the U.S. National Institute for Standards and Technology, NIST, proposed that 80-bit keys should be phased out by 2015. As of 2005, 80-bit keys were allowed to be used only until 2010.