Key generation and usage


The qcrypto library supports various types of cryptographic keys.

For detailed information about key generation functions, see qcrypto_keys.h.

Key requirements

The recommended key lengths depend on the application and the level of security required. For the NIST recommendations for key lengths, go to https://www.keylength.com/en/4/.

Symmetric keys

For the symmetric keys used in symmetric cryptographic primitives like AES, the size of the key depends on the symmetric algorithm.

Asymmetric keys

  • RSA — The RSA keys used for digital signing are parameterized using the modulus size in bits and the exponent value. The parameters for RSA keys follow, in part, section B3.3 of the NIST standard.

    The qcrypto library does not support RSA encryption or decryption.

  • Digital signature algorithm (DSA) — DSA keys are used for digital signing and are parametrized using the prime size in bits. The subprime is one of the following sizes:
    • 160 bits — for prime lengths < 2048 bits
    • 256 bits — for prime lengths >= 2048 bits

    DSA keys also support the loading of pre-generated DSA parameters that are used to derive keys.

    It takes a long time to generate DSA keypairs if the parameters must be initialized before the keys are generated. Parameters are usually generated offline or in times of low system activity so that they are readily available to generate keys when required.

  • Diffie-Hellman (DH) — DH keys are used for key and secret exchange (Ephemeral Diffie-Hellman, or DHE).
    DH keys are parametrized using the prime size in bits. The subprime is one of the following sizes:
    • 160 bits — for prime lengths < 2048 bits
    • 256 bits — for prime lengths >= 2048 bits

    DH keys also support the loading of pre-generated DH parameters used to derive keys.

    Generating DH key pairs takes a long time if the parameters must be initialized before generating the keys. Parameters are usually generated offline or in times of low system activity so that they are readily available to generate keys when required.

  • Elliptic curve cryptography (ECC) — ECC keys are used for digital signing (ECDSA).

    ECC keys are parametrized using the curve and the key type (named curve or explicit curve parameters).

    ECC keys also support the loading of pre-generated ECC parameters used to derive keys.

    ECC keys can be generated in the following formats:
    • Named curve — The curve parameters are only identified with the curve name.
    • Explicit curve — All curve parameters are explicitly enumerated in the key.
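
The DSA and DH items above tie the subprime size to the prime length and note that parameters are usually generated offline and loaded later. The Python code below is an added example, not qcrypto code or an API of the library: it generates such parameters and checks a pre-generated set before keys are derived from it. All function names are hypothetical; pass random.SystemRandom() as rng for real generation (a seeded random.Random is only suitable for reproducible tests).

```python
# Added example, not qcrypto code. All function names are hypothetical.
import random

def subprime_bits(prime_bits):
    """Subprime size the page gives for a DSA or DH prime of this length."""
    return 160 if prime_bits < 2048 else 256

def is_probable_prime(n, rng, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_params(prime_bits, rng):
    """Search for (p, q, g): q prime, p = k*q + 1 prime, g of order q mod p."""
    qbits, p, q = subprime_bits(prime_bits), 0, 0
    while not is_probable_prime(q, rng):
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
    while p.bit_length() != prime_bits or not is_probable_prime(p, rng):
        p = (rng.getrandbits(prime_bits - qbits) & ~1) * q + 1  # even k keeps p odd
    e = (p - 1) // q
    g = next(x for x in (pow(h, e, p) for h in range(2, p)) if x != 1)
    return p, q, g

def check_params(p, q, g, rng):
    """Problems found in pre-generated (p, q, g), assumed positive; [] means usable."""
    checks = [
        (q.bit_length() == subprime_bits(p.bit_length()), "subprime size does not match prime size"),
        (is_probable_prime(p, rng) and is_probable_prime(q, rng), "p or q is not prime"),
        ((p - 1) % q == 0, "q does not divide p - 1"),
        (1 < g < p and pow(g, q, p) == 1, "g is not in the order-q subgroup"),
    ]
    return [message for ok, message in checks if not ok]
```

The search for p is the slow step, which is why the parameters are produced ahead of time; running check_params on a stored set before use catches a truncated or mismatched file.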