RSA 2048? Do not use it anymore

RSA 3072-bit vs ECC Certificates

What’s Happening

  • Germany’s BSI now requires RSA keys of at least 3000 bits (since January 2024); 3072 bits is the standard key size that satisfies this
  • RSA 3072-bit = 128-bit security level (the NIST SP 800-57 equivalence)

The Problem with RSA 3072

  • Larger keys and signatures: a 3072-bit modulus and a 3072-bit signature are each 384 bytes instead of 256, so certificates and TLS handshakes grow by roughly 50% compared with RSA 2048
  • Slower private-key operations (signing, decryption): the cost grows faster than the key size, so 3072-bit private-key operations are about three times slower than 2048-bit ones
  • Higher CPU usage and battery drain on whatever endpoint performs those operations
  • Increased network overhead per handshake

The Better Solution: ECC P-256

  • Same security level as RSA 3072 (128-bit)
  • Much smaller keys and signatures: a P-256 public key is 65 bytes (uncompressed point) and an ECDSA signature about 70 bytes, versus 384 bytes each for an RSA 3072 key and signature
  • Faster operations: ECDSA signing and ECDH key agreement on P-256 are far cheaper than RSA 3072 private-key operations (RSA verification with a small public exponent is still faster than ECDSA verification, but the private-key side is what dominates on servers and mobile devices)
  • Lower resource consumption
  • Widely supported by modern browsers and systems

Security Equivalence

  • RSA 3072-bit ≈ ECC P-256 (a 256-bit curve)
  • Both provide 128-bit security strength against the best known classical attacks
  • Both meet current requirements (BSI, NIST); neither resists a large quantum computer, which would break RSA and ECC alike, so that migration is a separate question whichever you choose

Recommendation

Use ECC P-256 for new deployments:

  • Better performance
  • Smaller certificates
  • Headroom: stepping up to P-384 (192-bit security) costs far less than stepping RSA up to 7680 bits
  • Mobile-friendly

⚠️ Use RSA 3072 only if:

  • Legacy system compatibility required
  • Specific compliance mandates RSA
  • ECC not supported in your environment

Bottom Line

ECC P-256 gives you the same security as RSA 3072 with significantly better performance. Unless you have specific legacy requirements, choose ECC.

BSI (Germany) Requirements

BSI Technical Guideline TR-02102-1 “Cryptographic Mechanisms: Recommendations and Key Lengths”

Key Points

  • Since January 1, 2024, BSI requires government systems to use RSA keys of at least 3000 bits; in practice this means 3072-bit keys, the next standard size
  • For asymmetric mechanisms over finite fields (RSA signatures, RSA encryption, finite-field DH key exchange) the minimum is 3000 bits
  • The 3000-bit minimum is binding for implementations that are to conform to the Technical Guideline; 2000-bit keys were accepted only until the end of 2023

RSA 3072-bit is approximately equivalent to ECC P-256 (256-bit) in terms of security strength.

RSA key size    ECC key size       Security level (bits)
RSA 1024        ECC 160            ~80
RSA 2048        ECC 224            ~112
RSA 3072        ECC 256 (P-256)    ~128
RSA 7680        ECC 384 (P-384)    ~192
RSA 15360       ECC 521 (P-521)    ~256

(Equivalence per NIST SP 800-57 Part 1; the ECC column gives the smallest curve size in each security band.)
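As an added example (not code from the original post), the following POSIX shell script uses the openssl command line to generate an RSA 2048, an RSA 3072 and a P-256 key with a self-signed certificate each, reports the DER-encoded size of every certificate so the size claims in the performance section above can be checked on your own OpenSSL build, and runs each certificate through a check of the BSI 3000-bit minimum described above. The rules encoded in check_key_policy (RSA modulus of at least 3000 bits, or an EC key on P-256, P-384 or P-521) are this example's reading of the guideline, the certificate subjects and the BSI_MIN_RSA_BITS constant are assumptions of the example, and the script needs only a standard openssl binary.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires the openssl CLI.
# Generates test keys/certificates, compares encoded certificate sizes and
# checks each key against an assumed policy modelled on BSI TR-02102-1:
# RSA modulus >= 3000 bits, or an EC key on P-256 / P-384 / P-521.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
BSI_MIN_RSA_BITS=3000   # assumed policy constant, from the 3000-bit minimum above

# make_cert NAME rsa:BITS|ec:CURVE
# Generates a private key of the requested type and a self-signed certificate
# for it (subject and lifetime are arbitrary test values).
make_cert() {
    name="$1"; spec="$2"
    case "$spec" in
        rsa:*) openssl genpkey -algorithm RSA \
                   -pkeyopt "rsa_keygen_bits:${spec#rsa:}" \
                   -out "$WORK/$name.key" 2>/dev/null ;;
        ec:*)  openssl genpkey -algorithm EC \
                   -pkeyopt "ec_paramgen_curve:${spec#ec:}" \
                   -out "$WORK/$name.key" 2>/dev/null ;;
        *)     echo "unknown key spec: $spec" >&2; return 1 ;;
    esac
    openssl req -new -x509 -days 1 -key "$WORK/$name.key" \
        -subj "/CN=$name.example.test" -out "$WORK/$name.pem" 2>/dev/null
}

# cert_der_bytes CERT.pem -> size of the DER encoding in bytes (the wire size)
cert_der_bytes() {
    openssl x509 -in "$1" -outform DER | wc -c | tr -d ' '
}

# check_key_policy CERT.pem -> exit status 0 (PASS) or 1 (FAIL), verdict on stdout
check_key_policy() {
    cert="$1"
    text="$(openssl x509 -in "$cert" -noout -text)"
    # Matches "Public-Key: (3072 bit)" (OpenSSL 3) and "RSA Public-Key: (3072 bit)" (1.1.1)
    bits="$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)"
    bits="${bits:-0}"
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        if [ "$bits" -ge "$BSI_MIN_RSA_BITS" ]; then
            echo "PASS $cert: RSA $bits bits (>= $BSI_MIN_RSA_BITS)"; return 0
        fi
        echo "FAIL $cert: RSA $bits bits (< $BSI_MIN_RSA_BITS)"; return 1
    fi
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey'; then
        # openssl prints the curve as "NIST CURVE: P-256" next to its ASN.1 OID name
        curve="$(printf '%s\n' "$text" | sed -n 's/.*NIST CURVE: \(P-[0-9]*\).*/\1/p' | head -n 1)"
        case "${curve:-none}" in
            P-256|P-384|P-521) echo "PASS $cert: EC $curve ($bits bit)"; return 0 ;;
            *) echo "FAIL $cert: EC curve '${curve:-none}' is not P-256/P-384/P-521"; return 1 ;;
        esac
    fi
    echo "FAIL $cert: unrecognised public key algorithm"; return 1
}

# Demo over the three key types discussed in the post.
main() {
    make_cert rsa2048 rsa:2048
    make_cert rsa3072 rsa:3072
    make_cert p256    ec:prime256v1
    for n in rsa2048 rsa3072 p256; do
        printf '%-8s DER certificate: %5s bytes\n' "$n" "$(cert_der_bytes "$WORK/$n.pem")"
        check_key_policy "$WORK/$n.pem" || true
    done
}
main
```

Run it as-is to see the three sizes and verdicts; to audit a deployed certificate, source the script and call check_key_policy on the PEM file. The RSA 3072 certificate comes out well under twice the size of the RSA 2048 one (only the modulus and signature grow, by 128 bytes each), while the P-256 certificate is a fraction of either; the RSA 2048 certificate is the only one that fails the 3000-bit check.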

Key Points

  • RSA 3072 provides approximately 128 bits of security
  • ECC P-256 (also called secp256r1 or prime256v1) also provides 128 bits of security
  • The two are therefore equivalent in resistance to the best known classical attacks (integer factoring for RSA, the elliptic-curve discrete logarithm for P-256)

Practical Implications:

  • Both RSA 3072 and ECC P-256 are considered secure for current and near-future use
  • ECC P-256 is much more efficient (smaller certificates, faster operations, less bandwidth)
  • Most modern systems prefer ECC P-256 over RSA 3072 for performance reasons
  • Both meet current industry security standards and regulatory requirements

Current Recommendations:

  • ECC P-256 is generally preferred for new deployments due to better performance
  • RSA 3072 is still widely supported and secure, but less efficient
  • Both are rated acceptable through 2030 and beyond by NIST SP 800-57 (128-bit security), absent a cryptographically relevant quantum computer

mf
