2048 bits, damn the electrons! [rt at openssl.org: [openssl.org #2354] [PATCH] Increase Default RSA Key Size to 2048-bits]

Thor Lancelot Simon tls at rek.tjls.com
Wed Sep 29 16:03:18 EDT 2010


See below, which includes a handy pointer to the Microsoft and Mozilla
policy statements "requiring" CAs to cease signing anything shorter than
2048 bits.

As I think I said last week -- was it last week? -- it's my belief that
cutting everything on the Web over to 2048 bits rather than, say, 1280
or 1536 bits in the near term will be a significant net loss of security,
since the huge increase in computation required will delay or prevent the
deployment of "SSL everywhere".

These certificates (the end-site ones) have lifetimes of about 3 years
maximum.  Who here thinks 1280 bit keys will be factored by 2014?  *Sigh*.

----- Forwarded message from Rob Stradling via RT <rt at openssl.org> -----

Subject: [openssl.org #2354] [PATCH] Increase Default RSA Key Size to 2048-bits
From: Rob Stradling via RT <rt at openssl.org>
Cc: openssl-dev at openssl.org
Date: Wed, 29 Sep 2010 21:54:15 +0200 (CEST)


NIST (SP800-57 Part 1) recommends a minimum RSA key size of 2048-bits beyond 
2010.  From January 1st 2011, in order to comply with the current Microsoft[1] 
and Mozilla[2] CA Policies, Commercial CAs will no longer be permitted to 
issue certificates with RSA key sizes of <2048-bit.

Please accept the attached patch, which increases the default RSA key size to 
2048-bits for the "req", "genrsa" and "genpkey" apps.

Thanks.

[1] http://technet.microsoft.com/en-us/library/cc751157.aspx says:
"we have advised Certificate Authorities...to transition their subordinate and 
end-certificates to 2048-bit RSA certificates, and to complete this transition 
for any root certificate distributed by the Program no later than December 31, 
2010".

[2] https://wiki.mozilla.org/CA:MD5and1024 says:
"December 31, 2010 – CAs should stop issuing intermediate and end-entity 
certificates from roots with RSA key sizes smaller than 2048 bits. All CAs 
should stop issuing intermediate and end-entity certificates with RSA key size 
smaller than 2048 bits under any root".

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com



Content-Type: text/x-patch; charset="utf-8"; name="default_2048bit_rsa.patch"
Content-Disposition: inline; filename="default_2048bit_rsa.patch"

Index: apps/genrsa.c
===================================================================
RCS file: /v/openssl/cvs/openssl/apps/genrsa.c,v
retrieving revision 1.40
diff -U 5 -r1.40 genrsa.c
--- apps/genrsa.c	1 Mar 2010 14:22:21 -0000	1.40
+++ apps/genrsa.c	28 Sep 2010 14:44:44 -0000
@@ -76,11 +76,11 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/rand.h>
 
-#define DEFBITS	512
+#define DEFBITS	2048
 #undef PROG
 #define PROG genrsa_main
 
 static int MS_CALLBACK genrsa_cb(int p, int n, BN_GENCB *cb);
 
Index: apps/openssl-vms.cnf
===================================================================
RCS file: /v/openssl/cvs/openssl/apps/openssl-vms.cnf,v
retrieving revision 1.11
diff -U 5 -r1.11 openssl-vms.cnf
--- apps/openssl-vms.cnf	23 Apr 2009 16:32:37 -0000	1.11
+++ apps/openssl-vms.cnf	28 Sep 2010 14:44:44 -0000
@@ -101,11 +101,11 @@
 commonName		= supplied
 emailAddress		= optional
 
 ####################################################################
 [ req ]
-default_bits		= 1024
+default_bits		= 2048
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
Index: apps/openssl.cnf
===================================================================
RCS file: /v/openssl/cvs/openssl/apps/openssl.cnf,v
retrieving revision 1.32
diff -U 5 -r1.32 openssl.cnf
--- apps/openssl.cnf	4 Apr 2009 19:54:02 -0000	1.32
+++ apps/openssl.cnf	28 Sep 2010 14:44:44 -0000
@@ -101,11 +101,11 @@
 commonName		= supplied
 emailAddress		= optional
 
 ####################################################################
 [ req ]
-default_bits		= 1024
+default_bits		= 2048
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
Index: apps/req.c
===================================================================
RCS file: /v/openssl/cvs/openssl/apps/req.c,v
retrieving revision 1.146
diff -U 5 -r1.146 req.c
--- apps/req.c	14 Mar 2010 12:54:45 -0000	1.146
+++ apps/req.c	28 Sep 2010 14:44:44 -0000
@@ -97,11 +97,11 @@
 #define V3_EXTENSIONS	"x509_extensions"
 #define REQ_EXTENSIONS	"req_extensions"
 #define STRING_MASK	"string_mask"
 #define UTF8_IN		"utf8"
 
-#define DEFAULT_KEY_LENGTH	512
+#define DEFAULT_KEY_LENGTH	2048
 #define MIN_KEY_LENGTH		384
 
 #undef PROG
 #define PROG	req_main
 
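Review bot: MIN_KEY_LENGTH is left at 384 on the line directly under the changed DEFAULT_KEY_LENGTH, so only the case where no size is given moves to 2048; the floor this file defines for an explicitly requested size is unchanged. Since the cover note argues that CAs will refuse anything under 2048 bits from 2011, consider raising MIN_KEY_LENGTH as well, or printing a warning when the requested size is below DEFAULT_KEY_LENGTH, and state in the commit message which behaviour is intended.
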
Index: crypto/rsa/rsa_pmeth.c
===================================================================
RCS file: /v/openssl/cvs/openssl/crypto/rsa/rsa_pmeth.c,v
retrieving revision 1.39
diff -U 5 -r1.39 rsa_pmeth.c
--- crypto/rsa/rsa_pmeth.c	1 Jun 2010 14:39:01 -0000	1.39
+++ crypto/rsa/rsa_pmeth.c	28 Sep 2010 14:44:44 -0000
@@ -91,11 +91,11 @@
 	{
 	RSA_PKEY_CTX *rctx;
 	rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
 	if (!rctx)
 		return 0;
-	rctx->nbits = 1024;
+	rctx->nbits = 2048;
 	rctx->pub_exp = NULL;
 	rctx->pad_mode = RSA_PKCS1_PADDING;
 	rctx->md = NULL;
 	rctx->mgf1md = NULL;
 	rctx->tbuf = NULL;
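
Review bot: The new "rctx->nbits = 2048;" in the context initialiser changes the library default for every caller that generates an RSA key through this pkey method without setting a size, not only the "req", "genrsa" and "genpkey" apps named in the cover note. That is a behaviour change for third-party code (slower key generation, larger keys and signatures) and the patch has no CHANGES entry for it; please add one. A named constant instead of the bare 2048 would also make it easier to keep this value and the .pod text in step.
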
Index: doc/apps/genpkey.pod
===================================================================
RCS file: /v/openssl/cvs/openssl/doc/apps/genpkey.pod,v
retrieving revision 1.5
diff -U 5 -r1.5 genpkey.pod
--- doc/apps/genpkey.pod	15 Apr 2009 15:26:55 -0000	1.5
+++ doc/apps/genpkey.pod	28 Sep 2010 14:44:44 -0000
@@ -95,11 +95,11 @@
 
 =over 4
 
 =item B<rsa_keygen_bits:numbits>
 
-The number of bits in the generated key. If not specified 1024 is used.
+The number of bits in the generated key. If not specified 2048 is used.
 
 =item B<rsa_keygen_pubexp:value>
 
 The RSA public exponent value. This can be a large decimal or
 hexadecimal value if preceded by B<0x>. Default value is 65537.
Index: doc/apps/genrsa.pod
===================================================================
RCS file: /v/openssl/cvs/openssl/doc/apps/genrsa.pod,v
retrieving revision 1.9
diff -U 5 -r1.9 genrsa.pod
--- doc/apps/genrsa.pod	15 Apr 2009 15:26:55 -0000	1.9
+++ doc/apps/genrsa.pod	28 Sep 2010 14:44:44 -0000
@@ -63,11 +63,11 @@
 for all available algorithms.
 
 =item B<numbits>
 
 the size of the private key to generate in bits. This must be the last option
-specified. The default is 512.
+specified. The default is 2048.
 
 =back
 
 =head1 NOTES
 
@@ -84,11 +84,11 @@
 =head1 BUGS
 
 A quirk of the prime generation algorithm is that it cannot generate small
 primes. Therefore the number of bits should not be less that 64. For typical
 private keys this will not matter because for security reasons they will
-be much larger (typically 1024 bits).
+be much larger (typically 2048 bits).
 
 =head1 SEE ALSO
 
 L<gendsa(1)|gendsa(1)>
 
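Review bot: The unchanged sentence two lines above the edit still reads "should not be less that 64"; since this paragraph is being touched anyway, correct "that" to "than" in the same patch, as was done for the typos in EVP_PKEY_CTX_ctrl.pod. The new "typically 2048 bits" is consistent with the DEFBITS change in apps/genrsa.c.
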
Index: doc/apps/req.pod
===================================================================
RCS file: /v/openssl/cvs/openssl/doc/apps/req.pod,v
retrieving revision 1.21
diff -U 5 -r1.21 req.pod
--- doc/apps/req.pod	15 Apr 2009 15:26:56 -0000	1.21
+++ doc/apps/req.pod	28 Sep 2010 14:44:44 -0000
@@ -347,11 +347,11 @@
 configuration file values.
 
 =item B<default_bits>
 
 This specifies the default key size in bits. If not specified then
-512 is used. It is used if the B<-new> option is used. It can be
+2048 is used. It is used if the B<-new> option is used. It can be
 overridden by using the B<-newkey> option.
 
 =item B<default_keyfile>
 
 This is the default filename to write a private key to. If not
@@ -504,20 +504,20 @@
 
  openssl req -in req.pem -text -verify -noout
 
 Create a private key and then generate a certificate request from it:
 
- openssl genrsa -out key.pem 1024
+ openssl genrsa -out key.pem 2048
  openssl req -new -key key.pem -out req.pem
 
 The same but just using req:
 
- openssl req -newkey rsa:1024 -keyout key.pem -out req.pem
+ openssl req -newkey rsa:2048 -keyout key.pem -out req.pem
 
 Generate a self signed root certificate:
 
- openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem
+ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem
 
 Example of a file pointed to by the B<oid_file> option:
 
  1.2.3.4	shortName	A longer Name
  1.2.3.6	otherName	Other longer Name
@@ -529,11 +529,11 @@
  testoid2=${testoid1}.6
 
 Sample configuration file prompting for field values:
 
  [ req ]
- default_bits		= 1024
+ default_bits		= 2048
  default_keyfile 	= privkey.pem
  distinguished_name	= req_distinguished_name
  attributes		= req_attributes
  x509_extensions	= v3_ca
 
@@ -570,11 +570,11 @@
 
 
  RANDFILE		= $ENV::HOME/.rnd
 
  [ req ]
- default_bits		= 1024
+ default_bits		= 2048
  default_keyfile 	= keyfile.pem
  distinguished_name	= req_distinguished_name
  attributes		= req_attributes
  prompt			= no
  output_password	= mypass
Index: doc/crypto/EVP_PKEY_CTX_ctrl.pod
===================================================================
RCS file: /v/openssl/cvs/openssl/doc/crypto/EVP_PKEY_CTX_ctrl.pod,v
retrieving revision 1.3
diff -U 5 -r1.3 EVP_PKEY_CTX_ctrl.pod
--- doc/crypto/EVP_PKEY_CTX_ctrl.pod	30 Sep 2009 23:42:56 -0000	1.3
+++ doc/crypto/EVP_PKEY_CTX_ctrl.pod	28 Sep 2010 14:44:44 -0000
@@ -80,12 +80,12 @@
 signing -2 sets the salt length to the maximum permissible value. When
 verifying -2 causes the salt length to be automatically determined based on the
 B<PSS> block structure. If this macro is not called a salt length value of -2
 is used by default.
 
-The EVP_PKEY_CTX_set_rsa_rsa_keygen_bits() macro sets the RSA key length for
-RSA key genration to B<bits>. If not specified 1024 bits is used.
+The EVP_PKEY_CTX_set_rsa_keygen_bits() macro sets the RSA key length for RSA key
+generation to B<bits>. If not specified 2048 bits is used.
 
 The EVP_PKEY_CTX_set_rsa_keygen_pubexp() macro sets the public exponent value
 for RSA key generation to B<pubexp> currently it should be an odd integer. The
 B<pubexp> pointer is used internally by this function so it should not be 
 modified or free after the call. If this macro is not called then 65537 is used.
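
Review bot: Two corrections unrelated to the key size ride along in the "+" lines here: the macro name changes from EVP_PKEY_CTX_set_rsa_rsa_keygen_bits() to EVP_PKEY_CTX_set_rsa_keygen_bits() and "genration" becomes "generation". Both look right, but they are not mentioned in the cover note; call them out in the commit message or split them into their own change so the documentation fix survives if the new default is disputed. The re-wrapping of the two lines also makes the diff harder to read than a one-word change would.
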
Index: doc/crypto/RSA_generate_key.pod
===================================================================
RCS file: /v/openssl/cvs/openssl/doc/crypto/RSA_generate_key.pod,v
retrieving revision 1.6
diff -U 5 -r1.6 RSA_generate_key.pod
--- doc/crypto/RSA_generate_key.pod	25 Sep 2002 13:33:27 -0000	1.6
+++ doc/crypto/RSA_generate_key.pod	28 Sep 2010 14:44:44 -0000
@@ -16,11 +16,11 @@
 RSA_generate_key() generates a key pair and returns it in a newly
 allocated B<RSA> structure. The pseudo-random number generator must
 be seeded prior to calling RSA_generate_key().
 
 The modulus size will be B<num> bits, and the public exponent will be
-B<e>. Key sizes with B<num> E<lt> 1024 should be considered insecure.
+B<e>. Key sizes with B<num> E<lt> 2048 should be considered insecure.
 The exponent is an odd number, typically 3, 17 or 65537.
 
 A callback function may be used to provide feedback about the
 progress of the key generation. If B<callback> is not B<NULL>, it
 will be called as follows:
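
Review bot: Changing "E<lt> 1024" to "E<lt> 2048" in "should be considered insecure" goes further than changing a default: it declares every key from 1024 to 2047 bits insecure, which the cover note does not claim (it cites a NIST recommendation and CA issuance policy). Wording such as "are not recommended for new keys" would match the stated justification. Separately, the unchanged next line still lists 3 and 17 as typical exponents, while the other pages touched by this patch give 65537 as the default; worth aligning if this paragraph is being revised.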


----- End forwarded message -----

-- 
Thor Lancelot Simon	                               tls at rek.tjls.com
  "All of my opinions are consistent, but I cannot present them all
   at once."	-Jean-Jacques Rousseau, On The Social Contract

---------------------------------------------------------------------
The Cryptography Mailing List