https://bugzilla.mindrot.org/show_bug.cgi?id=1550
Summary: Move from 3DES to AES-256 for private key encryption
Product: Portable OpenSSH
Version: 5.1p1
Platform: All
OS/Version: All
Status: NEW
Keywords: patch
Severity: enhancement
Priority: P2
Component: ssh-keygen
AssignedTo: unassigned-bugs@mindrot.org
ReportedBy: jmknoble@pobox.com
Created an attachment (id=1597)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1597)
Patch from Damien Miller to enable AES-256 in ssh-keygen
Date: Tue, 20 Jan 2009 01:06:35 -0500
From: Jim Knoble <jmknoble@pobox.com>
To: OpenSSH Devel <openssh-unix-dev@mindrot.org>
Subject: OpenSSH private key encryption: time for AES?
Message-ID: <20090120060635.GA29074@crawfish.ais.com>
Mail-Followup-To: OpenSSH Devel <openssh-unix-dev@mindrot.org>
Hi, all.
So, in reviewing my OpenSSH keypairs and evaluating the size my RSA
keys
should be, i realized that, if i update my 2048-bit keypairs to 4096
bits, it really doesn't matter that much, because they're still
only encrypted with 3DES, which provides an effective 112 bits of
symmetric encryption strength:
$ head -4 ~/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,XXXXXXXXXXXXXXXX
$
According to NIST[1][2], a minimum of 112-bit symmetric / 2048-bit
asymmetric keystrength is recommended for protection up until about
2030. For protection beyond 2030, or for the paranoid, larger keysizes
are recommended. Other recommendations (e.g., those of ECRYPT) vary in
how long 112/2048-bit encryption should last.
With that in mind ... how can i encrypt my 4096-bit SSH RSA keypair
with
something like AES-128, AES-256, or Twofish instead of 3DES and still
use it with OpenSSH? Can ssh-add read (unencrypted) key data from
stdin?
____________________
[1] http://csrc.nist.gov/groups/ST/toolkit/key_management.html
[2]
http://csrc.nist.gov/groups/ST/toolkit/documents/SP800-57Part1_3-8-07.pdf
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
Summary: Move from 3DES to AES-256 for private key encryption
Product: Portable OpenSSH
Version: 5.1p1
Platform: All
OS/Version: All
Status: NEW
Keywords: patch
Severity: enhancement
Priority: P2
Component: ssh-keygen
AssignedTo: unassigned-bugs@mindrot.org
ReportedBy: jmknoble@pobox.com
Created an attachment (id=1597)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1597)
Patch from Damien Miller to enable AES-256 in ssh-keygen
Date: Tue, 20 Jan 2009 01:06:35 -0500
From: Jim Knoble <jmknoble@pobox.com>
To: OpenSSH Devel <openssh-unix-dev@mindrot.org>
Subject: OpenSSH private key encryption: time for AES?
Message-ID: <20090120060635.GA29074@crawfish.ais.com>
Mail-Followup-To: OpenSSH Devel <openssh-unix-dev@mindrot.org>
Hi, all.
So, in reviewing my OpenSSH keypairs and evaluating the size my RSA
keys
should be, i realized that, if i update my 2048-bit keypairs to 4096
bits, it really doesn't matter that much, because they're still
only encrypted with 3DES, which provides an effective 112 bits of
symmetric encryption strength:
$ head -4 ~/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,XXXXXXXXXXXXXXXX
$
According to NIST[1][2], a minimum of 112-bit symmetric / 2048-bit
asymmetric keystrength is recommended for protection up until about
2030. For protection beyond 2030, or for the paranoid, larger keysizes
are recommended. Other recommendations (e.g., those of ECRYPT) vary in
how long 112/2048-bit encryption should last.
With that in mind ... how can i encrypt my 4096-bit SSH RSA keypair
with
something like AES-128, AES-256, or Twofish instead of 3DES and still
use it with OpenSSH? Can ssh-add read (unencrypted) key data from
stdin?
____________________
[1] http://csrc.nist.gov/groups/ST/toolkit/key_management.html
[2]
http://csrc.nist.gov/groups/ST/toolkit/documents/SP800-57Part1_3-8-07.pdf
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs