

Announcing New Advanced Keys

Hello Folks,

Today we're very excited to announce the new advanced key lengths and key types that Azure Key Vault supports.
Before we delve deeper into this post, let's review a few basics about cryptographic keys.

In cryptography, key size or key length is the number of bits used by a cryptographic algorithm.
A key should be large enough that a brute force attack (possible against any encryption algorithm) is infeasible – i.e., would take too long to execute. Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC requires smaller keys compared to RSA to provide equivalent security.

Oftentimes standards set by government bodies (such as NIST) stipulate the key size that must be used in order to remain compliant. For more information on NIST security standards, please see this.

Today Azure Key Vault is delighted to announce support for RSA keys of 3072 and 4096 bits and for ECC keys of type P-256, P-384, P-521 and P-256K. Please find the reference documentation for the REST API, .NET, Node, Python and Java in the links at the end of this post.

ECC keys are an often-requested feature on our feedback forum.
The foremost benefit of ECC is that it is simply stronger than RSA for the same key size. The typical ECC key size of 256 bits is equivalent to a 3072-bit RSA key and 10,000 times stronger than a 2048-bit RSA key! To stay ahead of an attacker's computing power, RSA keys must get longer.
ECC keys allow Azure Key Vault to create digital signatures that are far smaller to transmit and faster to verify than their RSA counterparts. Moreover, as you can see in the table below, future RSA key sizes expand quickly while ECC key lengths increase linearly with strength.


Source: NIST 800-57, Table 2 (https://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf)

ECC is also faster for a number of reasons. First off, smaller keys mean less data must be transmitted from the server to the client during an SSL handshake. In addition, ECC requires less processing power (CPU) and memory, resulting in significantly faster response times and throughput on web servers when it is in use.

The following algorithm identifiers are supported with EC and EC-HSM keys in Azure Key Vault.

ES256 - ECDSA for SHA-256 digests and keys created with curve P-256. This algorithm is described in [RFC7518].
ES256K - ECDSA for SHA-256 digests and keys created with curve P-256K. This algorithm is pending standardization.
ES384 - ECDSA for SHA-384 digests and keys created with curve P-384. This algorithm is described in [RFC7518].
ES512 - ECDSA for SHA-512 digests and keys created with curve P-521. This algorithm is described in [RFC7518].

Note: In this release, we are not introducing support for ECC encryption and decryption algorithms; EC and EC-HSM keys are for signing and verification only.

To read more about our EC algorithm identifiers, please read here.

To read more about the key types, please visit our documentation here.

Note: this feature is currently in preview; on the date it becomes generally available, the price will change.

That's all folks!
We're very eager to learn how this feature would help you and are always open to hearing suggestions or feedback.
We value your input so please take a moment to send us feedback on our forum.

Reference Links

  1. Keys and Certificates
  2. Key Vault REST API Reference
  3. .NET SDK Documentation
  4. Java SDK Documentation
  5. Python SDK Documentation
  6. Node.JS SDK Documentation