Earlier this year, RSA Laboratories issued a challenge to crack a 140- bit RSA encryption key. After only 1 month, someone successfully cracked the key. RSA then issued another challenge--this time to crack a 512-bit RSA key. Although it took a little longer, someone has cracked that key too. Overall, the latest effort took 7.4 months.
If you've never checked into the way these challenges work, custom software combines the overall CPU cycles of numerous machines so that the machines work in unison. This way, the system can perform more calculations simultaneously, which leads to a faster cracking time.
RSA said it issued these challenges to back up its suggestion that people use a stronger 768-bit key as a baseline for minimum key length. And if you think about it, the suggestion is well founded. After all, if a group of people can jointly work together to crack a 140-bit key in 1 month, and a 512-bit key in 7 months, then it's entirely feasible that a more determined group of individuals could crack those same keys in far less time. Are you willing to hedge your bets against that happening to your information?
Choosing an encryption key length usually depends on how sensitive or valuable the information is that you're protecting. Unfortunately, many people don't weigh security that way. Instead, many people choose one key length and use it for all information, regardless of its nature. Needless to say, the RSA challenges point out how risky this mentality can be if you use a key less than 768 bits in length.
I think RSA's suggestion to use larger key lengths is sound advice. And although encryption overhead is taxing to a computer system, the added security you gain by using larger keys probably outweighs the cost of additional CPU cycles. If you're using encryption keys of 512 bits or less, consider changing to longer keys for added protection. Until next time, have a great week.
