DigiCert Blog

Moving Beyond 1024-Bit Encryption

An increase in computing power suggests that 1024-bit encryption is no longer secure enough to protect company private keys.

With ever-rising Internet security standards, Google recently announced their plan to deprecate DHE-based cipher suites and Chrome will now prioritize ECDHE-based cipher suites. While the company raised the minimum TLS DHE group size to 1024-bit earlier this year, they admit that 1024-bit is insufficient for the long-term. As SSL technology has become a necessity for adequate Internet security, it all begins with the strength of encryption protecting enterprise private keys. Nadia Heninger recently told CSO Online, “It’s been recommended to move from 1024-bit [encryption] for a long time, and now there are very concrete risks of not doing that.”

Not Enough Security in 1024-Bit Encryption

The strength of encryption directly correlates with key size, relying on the fact that the math required to break the algorithmic keys protecting a network takes more time than a hacker has in a lifetime. Keys smaller than 2048 bits are no longer considered safe to use because computing power has become less expensive and servers have become more advanced.

When encryption standards progressed to 1024-bit, the Lenstra group estimated that factoring the 1024-bit modulus would take about 1,000 times as long as it would to break the previous 786-bit modulus. But further progress to a larger 2048-bit encryption has made factorization even harder. The daunting new 617-digit number has such a large amount of possible encryption codes that the math would be 4.3 billion times harder, taking up to 6.4 quadrillion years.

According to security expert Bruce Schneier, breakthroughs in factoring have occurred regularly over the past several decades, allowing the breach of ever-larger public keys. The warnings acquired from documents released by Edward Snowden suggest that the NSA has tools and techniques for breaking what was once considered secure encryption. As Schneier writes, “The fact that the NSA is pushing elliptic-curve cryptography is some indication that it can break [private keys] more easily.” Many companies have considered the solution of larger key lengths by transitioning from 1024-bit to a stronger 2048-bit or elliptic curve encryption, the implications of not doing so proving destructive.

The Steps towards Stronger Encryption

Increasing key lengths is a process easier said than done, but one that should be addressed. Larger key lengths can reduce how many connections per second a server can handle by up to 80%; the 2048-bit key requires upwards of four times as much CPU usage. As a guide, CPO Online has outlined the process for businesses as follows:

  • Evaluate how difficult it will be to move away from 1024-bit encryption
  • Stop building apps and devices that use 1024-bit
  • Get rid of legacy 1024-bit gear as it becomes feasible
  • Reconfigure everything that can be reconfigured to make the encryption stronger

Security in Mathematics

The Internet has evolved from a convenient supplement for everyday tasks at work to a necessary resource that users rely on. Businesses currently with 1024-bit encryption should make the transition to stronger encryption a priority because, according to Schneier, “The mathematics of cryptography will still be the most secure part of any encryption system.” The likelihood of attack lies within the number of possible encryption codes a hacker would have to break to finally breach your network. Higher-bit encryption makes this possibility unimaginable—for now.

Share on Facebook0Share on Google+2Tweet about this on TwitterShare on LinkedIn0

About Sara Drury

Sara is a Content Writer at DigiCert where she focuses on writing articles about data security, industry news, and the advancing Internet age.