SSH Agent keys >4096 bit?

Hubert Kario hka at
Fri May 4 00:27:10 CEST 2012

On Thursday 03 of May 2012 15:09:42 Robert J. Hansen wrote:
> On 05/03/2012 01:14 PM, Ali Lown wrote:
> > Does anyone know why the limit is set at 4096 bits
> The consensus of the cryptographic community is that beyond 3K keys you
> really need to be switching to elliptical-curve cryptography.  A 3K RSA
> or Elgamal key is roughly as difficult to break by brute-force as
> AES128, and that one's so hard that nobody with two brain cells to rub
> together is going to try it.

It all depends on who you're talking to. French[1] suggest 4k for AES128.

But if you've got data that needs to be protected for 30-40 years, using 
AES256 is basically a no-brainer. Using just 4k RSA with that is not a smart 
decision, and that's agreed by basically anybody (NIST, ECRYPT II). Especially 
when the cost of establishing the link with 8k RSA is insignificant for any 
session over 5min in length (as is common in SSH).

Besides that, Schneier and Ferguson[2] say that basically any RSA based crypto 
system should support 8k keys. Switching to ECC is not easy, you need to 
change your whole infrastructure, protocols, management systems, etc. to allow 
this. Generating extemely large keys is very easy in comparision.

Using large keys would be stupid only if you need low latency/high IOPS system 
that can't use long lasting secure channels: web servers. But that's not our 
use case.

Hubert Kario

[2]: Practical Cryptography, Chapter: RSA Defined, section "The size of n", 
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24

More information about the Gnupg-users mailing list