Hi, I'm a bit concerned about the protection afforded by the PEM format to private keys against offline brute-force attacks. PEM seems to use a decent KDF, but uses a fixed iteration count of 1. Am I correct in my understanding that this cannot be changed without breaking the format? PEM is pretty convenient, and way more widely used than (say) PKCS12 so it makes sense to defend it well.
One might argue that if an attacker has a copy of a private key file then they have already won. I think this is true at the limit, but IMO it is still worth protecting them - from the moment they are taken it is a race between the attacker's ability to brute force and the key owner's ability to detect and revoke/replace the keys. Anything that handicaps the race in favour of the defenders is worth considering.

-d

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
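To make the point about the fixed iteration count concrete, here is an added example (not from the poster or the OpenSSL project) that classifies a PEM file as the legacy `Proc-Type`/`DEK-Info` format versus PKCS#8 `ENCRYPTED PRIVATE KEY`, and reimplements the legacy key derivation (EVP_BytesToKey with MD5, as the PEM routines call it) to show that the header carries no field in which an iteration count could be stored. The PEM texts below are constructed placeholders with no real key material.

```python
import hashlib
import re

# Constructed sample: legacy OpenSSL "traditional" encrypted PEM.
# The body is a placeholder, not a real key.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

cGxhY2Vob2xkZXI=
-----END RSA PRIVATE KEY-----
"""

# Constructed sample: PKCS#8 encrypted PEM, whose PBES2 parameters
# (including a PBKDF2 iteration count) live inside the DER body.
PKCS8_PEM = """-----BEGIN ENCRYPTED PRIVATE KEY-----
cGxhY2Vob2xkZXI=
-----END ENCRYPTED PRIVATE KEY-----
"""

def classify_pem(text):
    """'legacy': fixed 1-iteration MD5 KDF; 'pkcs8': iteration count in body."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:
        return "pkcs8"
    if "Proc-Type: 4,ENCRYPTED" in text and "DEK-Info:" in text:
        return "legacy"
    return "unencrypted-or-unknown"

def parse_dek_info(text):
    """Return (cipher name, IV bytes) from the DEK-Info header, or None.
    Note the header has exactly two fields: cipher and IV, nothing else."""
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", text, re.M)
    return (m.group(1), bytes.fromhex(m.group(2))) if m else None

def evp_bytes_to_key(password, iv, key_len):
    """EVP_BytesToKey(MD5, count=1) as the legacy PEM code invokes it:
    the first 8 bytes of the IV act as salt, and each output block is a
    single MD5 of (previous block || password || salt). No iteration
    parameter exists in the file format, so this cost cannot be raised."""
    salt = iv[:8]
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + password + salt).digest()
        out += prev
    return out[:key_len]

def first_block_is_single_md5(password, iv):
    """True when the first 16 key bytes are just MD5(password || salt)."""
    return evp_bytes_to_key(password, iv, 16) == hashlib.md5(password + iv[:8]).digest()
```

Running `classify_pem` over a key directory is a cheap audit for files still in the legacy format; re-encrypting them as PKCS#8 (`openssl pkcs8 -topk8`) moves the KDF to PBKDF2 with a configurable iteration count.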
