[Cryptography] OpenSSL: rsa_builtin_keygen: key size too small

Viktor Dukhovni cryptography at dukhovni.org
Tue Dec 24 16:31:06 EST 2019

On Mon, Dec 23, 2019 at 11:38:30AM -0800, Ray Dillinger wrote:

> Further, I doubt anyone there will be interested in helping you create
> a version that doesn't throw that error message.

Well, I'm on the OpenSSL team, and did explain how to build a custom
version that will admit smaller keys.

> People have been badly burned several times by downgrade attacks. The
> openssl maintaners REALLY don't want any versions out there in the
> wild that fail to shut such attacks down cold.

We can't and don't try to stop users from building derived versions with
a more lax security policy.  Cryptanalytic weakness aside, an inherent
problem with very short RSA keys, is that they can't be used to sign
message digests whose length combined with the padding bits exceed the
length modulus.

Thus 512-bit RSA is already too small for SHA2-512, and RSA-128 can't
even sign MD5 digests.

> If you do get an openssl working that can produce a trivial RSA key,
> I'm pretty sure no other openssl in the world will consent to talk to
> it using that key.

Not a problem if both ends use the OpenSSL in question, and with TLS
the security level is set to 0 (e.g. @SECLEVEL=0 in the cipherlist).


More information about the cryptography mailing list