
What Should Be the Length of the Symmetric Key in Cryptography?

Last Updated : 21 Mar, 2024

In cryptography, a message is secured by encrypting it with a key before it is sent over the network. How well the encryption resists attack depends on both the cipher and the length of the key. This article discusses what an appropriate length for a symmetric key is.

What is Key Length?

A key controls the operation of a cipher so that only the correct key converts the ciphertext back into the original plaintext. Key length is the number of bits in the key used to encrypt a message. Length alone is not a measure of how secure the ciphertext is: a long key does nothing for a cipher with a structural weakness. For a cipher with no attack better than trying keys, however, each additional key bit doubles the work of an exhaustive search.

  • A key should be long enough that a brute-force attack (exhaustive key search) is infeasible.
  • Beyond that, the security of the cipher depends on how hard it is mathematically to break the algorithm itself.

Key Size and Encryption System

There are two types of encryption systems:

  1. Symmetric Systems: These are cryptographic algorithms that use the same key for both encryption of the plaintext and decryption of the ciphertext.
  2. Asymmetric Systems: These are algorithms that use a pair of related keys. Each key pair consists of a public key and a corresponding private key.

The security in a symmetric cryptosystem depends on two things: 

  1. Strength of the algorithm.
  2. Length of the key. 

There are two main types of attack on a cipher: brute force and cryptanalysis. A brute-force attack tries keys one after another until the right one is found; it exploits no property of the cipher, but it does need a way to recognise the correct key, usually a small amount of known plaintext together with its ciphertext. (For that reason it is often discussed under the known-plaintext attack model, but brute force and a known-plaintext attack are not the same thing.) Cryptanalysis exploits mathematical weaknesses in the algorithm to do better than exhaustive search. Let us analyze the impact of key size on a brute-force attack.

Key Size Impact in Brute Force Attack

Assume that the algorithm is perfect, meaning that there is no way to break the cryptosystem other than performing a brute-force attack.

  • Calculating the complexity of a brute-force attack is easy: if the key is 8 bits long, there are 2^8 = 256 possible keys.
  • At most 256 attempts, and on average 128, are needed to find the correct key.
  • Similarly, a 56-bit key has 2^56 (about 7.2 × 10^16) possible keys. At one million keys per second, trying all of them would take about 2285 years.

Time and cost estimates for a brute-force attack:

A brute-force attack requires only a small amount of ciphertext and the corresponding plaintext. If you assume that brute force is the most efficient possible attack against an algorithm (a big assumption), the question becomes: how long should a key be?

There are two parameters that determine the speed of a brute-force attack:

  • The number of keys that have to be tested.
  • The test speed (the time spent testing each key).

Most symmetric algorithms accept a fixed-length bit pattern as the key. DES (Data Encryption Standard), for example, has a 56-bit key, which means 2^56 possible keys. The speed at which a key can be tested is also a factor, but a less important one: what we care about is how much harder each additional key bit makes the search, and against that exponential growth small differences in per-key test speed are irrelevant.

  • A brute-force attack is tailor-made for parallel processors: each processor tests its own subset of the keyspace.
  • The processors do not have to communicate with each other; the only message they ever need to send is "success".
  • There is no shared-memory requirement, so it is easy to design a multi-processor system with millions of processors, each working independently of the others.
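The partitioned search described above, as an added example that is not part of the original article: the 2^20 keyspace of a constructed toy cipher (XOR with a SHA-256-derived keystream, used only so the loop has something to test keys against; it is not a real cipher) is split into disjoint ranges, each range is exhausted by an independent worker process that shares no state with the others, and a worker reports nothing except the key it finds. The attacker's known plaintext/ciphertext pair, the secret key and the function names are all assumptions of this example.

```python
"""Exhaustive key search over a partitioned keyspace, one independent worker per partition."""
import hashlib
import multiprocessing
import os
from concurrent.futures import ProcessPoolExecutor
from typing import Optional

KEY_BITS = 20  # constructed, deliberately tiny keyspace so the search finishes in seconds


def toy_encrypt(key: int, plaintext: bytes) -> bytes:
    """Constructed toy cipher for this example: XOR with a SHA-256-derived keystream.
    It is not a real cipher; it only gives the search loop something to test keys against."""
    stream = hashlib.sha256(b"toy-kdf" + key.to_bytes(4, "big")).digest()
    if len(plaintext) > len(stream):
        raise ValueError("toy cipher handles at most 32 bytes")
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def search_partition(job) -> Optional[int]:
    """One worker: try every key in [lo, hi) against the known plaintext/ciphertext pair.
    It needs no shared memory and reports nothing except the key on success."""
    lo, hi, known_pt, known_ct = job
    for key in range(lo, hi):
        if toy_encrypt(key, known_pt) == known_ct:
            return key
    return None


def partitions(bits: int, workers: int):
    """Split the 2^bits keyspace into `workers` disjoint, contiguous ranges."""
    n = 1 << bits
    step = -(-n // workers)  # ceiling division
    return [(lo, min(lo + step, n)) for lo in range(0, n, step)]


def brute_force(known_pt: bytes, known_ct: bytes, bits: int = KEY_BITS,
                workers: Optional[int] = None) -> Optional[int]:
    """Recover the key that maps known_pt to known_ct by exhausting the keyspace in parallel."""
    workers = workers or os.cpu_count() or 1
    jobs = [(lo, hi, known_pt, known_ct) for lo, hi in partitions(bits, workers)]
    try:
        ctx = multiprocessing.get_context("fork")
        with ProcessPoolExecutor(max_workers=workers, mp_context=ctx) as pool:
            results = list(pool.map(search_partition, jobs))
    except (ValueError, OSError, RuntimeError):
        # No usable process pool in this environment: run the same partitions serially.
        results = list(map(search_partition, jobs))
    hits = [k for k in results if k is not None]
    return hits[0] if hits else None


# Constructed known-plaintext pair: the attacker knows these 8 bytes were encrypted under
# the secret key. With 2^20 candidate keys and 64 bits of known plaintext, the chance that
# a wrong key also matches is about 2^20 / 2^64, so a match identifies the key.
SECRET_KEY = 0x9B3C7
KNOWN_PT = b"ATTACK@9"
KNOWN_CT = toy_encrypt(SECRET_KEY, KNOWN_PT)


if __name__ == "__main__":
    found = brute_force(KNOWN_PT, KNOWN_CT)
    print(f"recovered key: {found:#x} (secret was {SECRET_KEY:#x})")
```

Every partition runs to completion here; a real attack would stop the remaining workers as soon as one reports success, but as the text says, "success" is the only message that ever has to pass between them. Doubling KEY_BITS doubles the total work regardless of how many workers share it.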

The table below shows the average time estimates for a hardware brute-force attack in 1995 (10^14 means ten to the fourteenth power):

Cost      40 bits   56 bits   64 bits   80 bits        112 bits      128 bits
$100 K    2 s       35 hrs    1 year    70,000 years   10^14 years   10^19 years
$1 M      0.2 s     3.5 hrs   37 days   7,000 years    10^13 years   10^18 years
$10 M     0.02 s    21 min    4 days    700 years      10^12 years   10^17 years
$100 M    2 ms      2 min     9 hrs     70 years       10^11 years   10^16 years

Thus an attacker who wants to crack a key only has to spend enough money on parallel processors. The sensible way to choose a minimum key size is therefore economic: how much value can be protected by a single key before it makes financial sense for an attacker to break it?

Key Size Impact in Virus Attack

The greatest difficulty in getting millions of computers to work on a brute-force attack is convincing their millions of owners to participate. One can ask the owners, but they can say no; another way is to break into their machines, but that is time-consuming. So the easiest way is to write a computer virus that carries the cracking program with it.

  • The idea is a virus that does not format disks or harm user files but instead works on the brute-force attack whenever the computer is idle and not performing any other computation.
  • Eventually one machine finds the correct key, and at that point there are two ways to proceed.
  • First, the virus could spawn a second virus that deletes any copies of the cracking virus it finds but carries the correct key with it.
  • This second virus would simply propagate through the computer world until it lands on the computer of the person who wrote the original virus.

A second approach would be for the virus to display a message like this on the screen:

There is a serious bug in this computer.
Please call 1800 123 XXX and read the following 64-bit number to the operator:
There is a $100 reward for the first person to report this bug.

How efficient is this attack?

Typically a virus-infected computer can try about a thousand keys per second, far below its maximum potential, because we assume the machine is also doing its owner's work. If the virus infects 10 million machines, the attack tests 10^10 keys per second, which breaks a 56-bit key in only 83 days and a 64-bit key in 58 years.
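The arithmetic behind the 2285-year figure, the 1995 hardware table and the virus estimate above, as an added example that is not part of the original article. It assumes what the table implies: a 365-day year, the $100K machine exhausting 40 bits in 2 seconds, and a machine costing ten times as much testing keys ten times faster (the search parallelises perfectly). The function names and the budget_to_break_within helper, which turns the economic question at the end of the table section into a number, are this example's own.

```python
"""Brute-force work and cost estimator (added example; the 1995 figures are the article's)."""
import math

MINUTE = 60.0
HOUR = 60 * MINUTE
DAY = 24 * HOUR
YEAR = 365 * DAY  # the article's figures are consistent with a 365-day year


def keyspace(bits: int) -> int:
    """Number of candidate keys for a `bits`-bit key: 2^bits."""
    return 1 << bits


def seconds_to_search(bits: int, keys_per_second: float, average: bool = False) -> float:
    """Seconds to exhaust a `bits`-bit keyspace at `keys_per_second`.
    Worst case tries every key; on average the right key turns up halfway through."""
    n = keyspace(bits)
    return (n / 2 if average else n) / keys_per_second


def keys_per_second_for(bits: int, seconds: float) -> float:
    """The test rate implied by exhausting a `bits`-bit keyspace in `seconds`."""
    return keyspace(bits) / seconds


def human(seconds: float) -> str:
    """Render a duration in the units the article's table uses."""
    if seconds < MINUTE:
        return f"{seconds:.3g} s"
    if seconds < HOUR:
        return f"{seconds / MINUTE:.3g} min"
    if seconds < 2 * DAY:
        return f"{seconds / HOUR:.3g} hrs"
    if seconds < YEAR:
        return f"{seconds / DAY:.3g} days"
    years = seconds / YEAR
    if years < 1e6:
        text = f"{years:,.0f}"
        return text + (" year" if text == "1" else " years")
    return f"10^{round(math.log10(years))} years"


# Assumption taken from the $100K row of the 1995 table: that machine exhausts 40 bits in
# 2 s, and because the search is embarrassingly parallel a machine costing 10x tests keys
# 10x faster.
BASE_BUDGET = 100_000
BASE_RATE = keys_per_second_for(40, 2.0)  # about 5.5e11 keys/s


def hardware_row(budget_dollars: float, key_sizes=(40, 56, 64, 80, 112, 128)) -> dict:
    """Worst-case search time, in seconds, for each key size at a given hardware budget."""
    rate = BASE_RATE * (budget_dollars / BASE_BUDGET)
    return {bits: seconds_to_search(bits, rate) for bits in key_sizes}


def budget_to_break_within(bits: int, seconds: float) -> float:
    """Hardware budget needed to exhaust `bits` bits within `seconds`: the economic test,
    since a key is adequate when this exceeds the value it protects."""
    return BASE_BUDGET * keys_per_second_for(bits, seconds) / BASE_RATE


def virus_attack_seconds(bits: int, machines: int, keys_per_second_each: float) -> float:
    """Worst-case time when `machines` infected hosts each test keys at the given rate."""
    return seconds_to_search(bits, machines * keys_per_second_each)


if __name__ == "__main__":
    print("56-bit key at 1e6 keys/s:", human(seconds_to_search(56, 1e6)))
    for budget in (1e5, 1e6, 1e7, 1e8):
        row = hardware_row(budget)
        print(f"${budget:>11,.0f}", "  ".join(f"{b}b={human(t)}" for b, t in row.items()))
    print("virus, 10M hosts x 1000 keys/s, 56-bit:",
          human(virus_attack_seconds(56, 10_000_000, 1000)))
    print("virus, 10M hosts x 1000 keys/s, 64-bit:",
          human(virus_attack_seconds(64, 10_000_000, 1000)))
```

The reproduced table rows differ from the printed ones only by rounding (36 hours rather than 35 for 56 bits at $100K, for instance). The useful pattern to read off is that every 10× increase in budget buys a little more than three bits, while every additional bit of key doubles the attacker's cost.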

Keys in Symmetric Cryptography

The current standard for symmetric-key cryptography is the Advanced Encryption Standard (AES) algorithm.

  • AES is a block cipher with a 128-bit block size.
  • The approved key sizes are 128, 192, and 256 bits.
