Leaving aside for a moment the issues of protocols and algorithms, the first choices to be made are the cryptographic strength of the system, embodied by choices of algorithm and key length, and some of the key-management questions. It is most important to choose truly random keys that are sufficiently long, keep those keys secret, and change keys "often enough." Again, this all supposes that you have selected a good cryptosystem; all the security of the system lies in the keys, and none in the algorithm itself.
We will consider key randomness and key secrecy shortly. For now, let us consider the selection of key length and the frequency of key updates.
Key Length
Given a reasonably strong algorithm, how well the data is protected depends largely on the length of the encryption key. Fundamentally, an encrypted message must remain secret for the useful life of the information. To a large extent, the value of the information in the encrypted message will govern the resources used to attack it. For example, an attacker would be foolish to spend $1 million to obtain information worth $1,000, but he might spend $1 million to obtain a secret worth $2 million. Here are some examples.
- Financial credentials must remain secret beyond their validity period.
- Contract bids must remain secret beyond the contract award.
- Editorial material must remain secret until published.
- Confidential personal information must remain secret beyond the lifetime of the individual.
Today, it is common to use 128-bit keys for symmetric algorithms, both for communications security and for the security of data to be protected for 20 years. The necessary key lengths for public-key algorithms vary considerably. The current recommendation for the RSA public-key algorithm, for example, is to use a minimum length of 1024 bits, with 2048 bits used for especially sensitive applications or longterm keys.
Key Updates
Cryptographic keys do not last forever; they need to be updated from time to time. The proper lifetime of a key is a function of the value of the items encrypted, the number of items encrypted, and the lifetime of the items encrypted. We have already discussed lifetime. If a key can be broken by a properly equipped adversary in 2 years, and the lifetime of information encrypted using the key is 6 months, then the key should be changed at least every 18 months so that an attack mounted on the first item encrypted will not succeed until after the last item encrypted loses its value.
The number of items encrypted is an issue for two reasons. First, if individual encrypted items have a market value, then the sum of the values of all encrypted items is the proper measure against which to balance the resources an attacker may bring to bear. Second, some cryptosystems can be attacked more easily when a large body of ciphertext is available. This effect is more difficult to quantify, but again, it is a good idea not to use a key for too long.
Another factor that leads to frequent key updates is paranoia. The longer a key has been in use, the greater the chance that someone has compromised the key storage system and obtained the key by subterfuge rather than by brute force attack.
It is important to note that changing a key does not increase the time that an attacker will need to find it using brute force or any other method of cryptographic attack. Changing keys does, however, limit the amount of information revealed if any particular key is found. For example, if the encryption keys are changed every month, then only one month's worth of information is disclosed if a key is discovered.
