Size considerations for public and private keys
z/OS Security Server RACF Security Administrator's Guide SA23-2289-00
RACF® has restrictions for the size of the private key for certificates that have associated private keys. For NISTECC keys, valid key sizes are 192, 224, 256, 384, and 521 bits. For BPECC keys, valid key sizes are 160, 192, 224, 256, 320, 384, and 512 bits. For DSA keys, the minimum key size is 512. For RSA keys, the minimum size for clear RSA keys and secure RSA keys on the public key data set (PKDS) is 512 bits. The minimum size for secure RSA keys on the token key data set (TKDS) is 1024 bits and the size must be a multiple of 256. The maximum key size is determined by United States export regulations and is controlled by RACF and non-RACF code in z/OS. Depending on the installation, non-RACF code might enforce a lower maximum size.

Maximum key sizes: The maximum key size for a private key depends on key type, as follows:

Currently, the standard sizes for RSA keys are as follows:

Key strength considerations: Shorter keys of the ECC type, which are generated when you specify NISTECC or BPECC, achieve comparable key strengths when compared with longer RSA keys. RSA, NISTECC, and BPECC keys of the following sizes are comparable in strength:
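The size rules in the first paragraph are easy to get wrong when requests for certificates with private keys are generated by a script, because the RSA minimum depends on where the key will be stored. The following pre-flight validator is an added example, not RACF code or anything from the IBM documentation: it encodes exactly the minimum and allowed sizes stated above (NISTECC and BPECC allowed sizes, the DSA minimum, the RSA minimum for clear keys and PKDS keys, and the TKDS minimum plus multiple-of-256 rule) so a request can be rejected before it reaches RACDCERT. The key-type names follow the page; the store labels CLEAR, PKDS and TKDS, the function names, and the certificate labels in the sample batch are assumptions made for the example. No maximum is enforced, because the page gives no number for it.

```python
"""Pre-flight check of private-key sizes against the RACF rules quoted on this page."""

# Constructed from the page's text; these are not RACF-defined constants.
NISTECC_SIZES = frozenset({192, 224, 256, 384, 521})
BPECC_SIZES = frozenset({160, 192, 224, 256, 320, 384, 512})
DSA_MIN_BITS = 512
RSA_MIN_BITS_CLEAR_OR_PKDS = 512   # clear RSA keys, or secure RSA keys on the PKDS
RSA_MIN_BITS_TKDS = 1024           # secure RSA keys on the TKDS ...
RSA_TKDS_MULTIPLE_OF = 256         # ... which must also be a multiple of 256

# Hypothetical store labels used only by this example.
RSA_STORES = ("CLEAR", "PKDS", "TKDS")


def check_private_key_size(key_type, bits, store=None):
    """Return (ok, reason) for a requested private key.

    key_type: 'NISTECC', 'BPECC', 'DSA' or 'RSA' (the page's key-type names).
    bits:     requested key size in bits.
    store:    for RSA only, 'CLEAR', 'PKDS' or 'TKDS' (where the key will live).
    Only the minimum / allowed sizes the page states are checked; the page gives
    no numeric maximum, so none is enforced here.
    """
    if not isinstance(bits, int) or bits <= 0:
        return False, "key size must be a positive integer number of bits"
    kt = key_type.upper()
    if kt == "NISTECC":
        ok = bits in NISTECC_SIZES
        return ok, "" if ok else f"NISTECC size must be one of {sorted(NISTECC_SIZES)}"
    if kt == "BPECC":
        ok = bits in BPECC_SIZES
        return ok, "" if ok else f"BPECC size must be one of {sorted(BPECC_SIZES)}"
    if kt == "DSA":
        ok = bits >= DSA_MIN_BITS
        return ok, "" if ok else f"DSA size must be at least {DSA_MIN_BITS} bits"
    if kt == "RSA":
        st = (store or "").upper()
        if st not in RSA_STORES:
            return False, f"RSA keys need a store of {RSA_STORES}"
        if st == "TKDS":
            if bits < RSA_MIN_BITS_TKDS:
                return False, f"secure RSA on TKDS must be at least {RSA_MIN_BITS_TKDS} bits"
            if bits % RSA_TKDS_MULTIPLE_OF:
                return False, f"secure RSA on TKDS must be a multiple of {RSA_TKDS_MULTIPLE_OF} bits"
            return True, ""
        ok = bits >= RSA_MIN_BITS_CLEAR_OR_PKDS
        return ok, "" if ok else f"RSA ({st}) size must be at least {RSA_MIN_BITS_CLEAR_OR_PKDS} bits"
    return False, f"unknown key type {key_type!r}"


def find_rejections(requests):
    """Run the check over (label, key_type, bits, store) tuples; return the failures."""
    failures = []
    for label, key_type, bits, store in requests:
        ok, reason = check_private_key_size(key_type, bits, store)
        if not ok:
            failures.append((label, reason))
    return failures


# Constructed sample batch; the certificate labels are hypothetical.
SAMPLE_REQUESTS = [
    ("WEBSRV01", "RSA", 2048, "PKDS"),
    ("WEBSRV02", "RSA", 1100, "TKDS"),   # >= 1024 but not a multiple of 256
    ("WEBSRV03", "RSA", 768, "TKDS"),    # below the TKDS minimum
    ("ECCSRV01", "NISTECC", 521, None),
    ("ECCSRV02", "NISTECC", 512, None),  # 512 is valid for BPECC, not NISTECC
    ("DSASRV01", "DSA", 384, None),
]

if __name__ == "__main__":
    for label, reason in find_rejections(SAMPLE_REQUESTS):
        print(f"{label}: {reason}")
```

Running the module rejects WEBSRV02, WEBSRV03, ECCSRV02 and DSASRV01 and accepts the other two. Because the page says non-RACF code at an installation might enforce a lower maximum, a site would add its own upper bound per key type on top of this check rather than relying on the validator alone.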
Hashing algorithm used for signing: RACF signs certificates using a set of secure hash algorithms that are based on the SHA-1 or SHA-2 hash functions. When the signing key is a DSA type, the SHA-1 algorithm is used for keys of all sizes. When the signing key is an RSA, NISTECC, or BPECC type, the size of the signing key determines the hashing algorithm that is used for signing, as follows:
Copyright IBM Corporation 1990, 2014