Keywords › KEYSIZE Keyword—Specify Key Size

KEYSIZE Keyword—Specify Key Size

Valid on z/OS.

Use the KEYSIZE keyword to specify the size of the private encryption key in decimal bits.

This keyword has the following format:

TSS REKEY(acid) KEYSIZE(nnnn) 

KEYSIZE

• Specifies the size of the private encryption key in decimal bits.
• Limits:
  • Non-NISTECC and non-BPECC: any numeric value from 512 to 4096.
  • For NISTECC, one of the following: 192, 224, 256, 384, 521.
  • For BPECC, one of the following: 160, 192, 224, 256, 320, 384, 512.
• Default:
  • Non-NISTECC and non-BPECC:1024.
  • NISTECC and BPECC: 192.

The maximum key size is dependent on the private key type.

Private key type maximum key sizes are:

• BPECC key—512 bits
• NISTECC key—521 bits
• ICSF RSA key—1024 bits
• DSA key —2048 bits
• Non-ICSF RSA key—4096 bits
• PCI-class cryptographic coprocessor RSA key—4096 bits

Shorter ECC keys have key strengths comparable to longer RSA keys. The following table displays the comparable strength of each key type:

Currently, the standard key sizes for RSA keys are as follows:

• 512—Specifies a low-strength key
• 1024—Specifies a medium-strength key
• 2048—Specifies a high-strength key
• 4096—Specifies a very high-strength key

This keyword is used with:

• The commands GENCERT and REKEY
• The ACID types User, DCA, VCA, ZCA, LSCA, and SCA
• ACID(MAINTAIN) and MISC4(CERTGEN) authority for users
• MISC4(CERTSITE) authority for CERTSITE ACIDs
• MISC4(CERTAUTH) authority for CERTAUTH ACIDs

Example: KEYSIZE keyword

This example creates low strength key:

TSS REKEY(user1) DIGICERT(cert0001)
                 NEWDIGIC(cert0002)
                 KEYSIZE(512)