I received a few questions from my last post on Performance Considerations of Crypto asking what algorithms and key lengths were appropriate from a security perspective. There is some good and recent information on this from my former employer, NSA.

NSA released its Suite B algorithm and key size recommendations this year. For Sensitive But Unclassified and classifed information up to the Secret level these recommendations include:

• Encryption: 128-bit AES
• Key Exchange: 256-bit Elliptic Curve Diffie Hellman or 256-bit Elliptic Curve MQV
• Digital Signature: 256-bit Elliptic Curve Digital Signature Algorithm
• Hashing: SHA-256

All of these algorithms are Federal Standards issued by NIST, and I have linked to the appropriate standard.

The heavy reliance on elliptic curve may surprise some of you unfamiliar with this public key technology. Elliptic curve is computationally more efficient and adds less overhead to communication - - two factors that are very important in the SCADA security world where we may be dealing with low end processors and small bandwidth.

Let’s look at some numbers. From a security perspective, a 128-bit symmetric algorithm like AES = 3072-bit RSA or Diffie Hellman = 256-bit elliptic curve. Stated another way, all three of these algorithms/key sizes provide the same level of security. So elliptic curve saves over 2800-bits of overhead per digital signature or key exchange.

A 3072-bit RSA or Diffie Hellman operation, such as a key exchange or digital signature, takes 10 times the computing resources as the equivalent 256-bit elliptic curve operation. Elliptic curve is more computationally efficient at these key sizes by a factor of ten.

One of the valid concerns about elliptic curve technology is the general availability and the Certicom patent issues. The US Governments standardization on this technology has had an impact, and Microsoft plans to have elliptic curve technology in their next generation Crypto API that is released in Vista/Longhorn. It is increasingly available as an option in many security products, chips and toolkits, and RSA even offers elliptic curve in some of their products.

Obviously, I’m a fan of elliptic curve for SCADA security protocols for performance reasons and so the protocols are not obsolete when they hit the market. NSA makes the Case for Elliptic Curve Cryptography here.