On Wed, Feb 26, 2014, Jeffrey Walton wrote:

> What are the limits on PEM_write_RSAPrivateKey and EVP_CIPHER? Is it
> possible to use 256-bit security levels with authentication tags?
>
> I could not get "AES-256-HMAC-SHA-256" or "AES-256-CBC-HMAC-SHA1" to
> work, and I could not get "AES-256-GCM" to work.
>
> "AES-256-HMAC-SHA-256" and "AES-256-HMAC-SHA-384":
>
>     EVP_get_cipherbyname failed.
>
> "AES-256-CBC-HMAC-SHA1", I got error 0x23077006 on PEM_write_RSAPrivateKey:
>
>     error:0D0A706C:asn1 encoding routines:PKCS5_pbe2_set_iv:cipher has
>     no object identifier
>
> "AES-256-GCM", I got error 0x23077006 on PEM_write_RSAPrivateKey:
>
>     error:23077006:PKCS12 routines:PKCS12_pbe_crypt:EVP lib
>
> Looking at the PKCS 12 spec, GCM mode is probably not supported.
> But it appears SHA-256 and SHA-1 are supported (Appendix A, p. 13).
>
There is no standard AFAIK for using PKCS#8/PKCS#5 with GCM mode and OpenSSL doesn't support it.

AES-256-CBC-HMAC-SHA1 is a ciphersuite name so won't work with EVP_get_cipherbyname. Some other names like AES-256-CBC-HMAC-SHA1 are ciphers which only work in special TLS control codes so can't be used here.

If you pass EVP_aes_256_cbc() to PEM_write_bio_PKCS8PrivateKey it will end up using SHA1 for the derivation algorithm. This will provide at least 128 bits of security according to SP800-57 and possibly more. Does anyone have a reference for how many bits of security PBKDF2 provides?

Writing an encrypted private key using a digest other than SHA1 for the key derivation function and PBKDF2 is currently rather awkward. Reading one is handled transparently though.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
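The reply above notes that a PKCS#8 key written with EVP_aes_256_cbc() uses SHA1 for key derivation. As an added example (not from this thread or from OpenSSL), the following reads the PBES2 parameters of a DER-encoded EncryptedPrivateKeyInfo to show which PBKDF2 PRF, iteration count and cipher protect a key. The function names are hypothetical, and the sample structure is constructed with a dummy salt, IV and ciphertext and an arbitrary iteration count of 2048.

```python
# DER content bytes of the OIDs involved (RFC 8018 and the NIST AES arc).
PBES2 = bytes.fromhex("2a864886f70d01050d")
PBKDF2 = bytes.fromhex("2a864886f70d01050c")
HMAC_SHA1 = bytes.fromhex("2a864886f70d0207")
AES256_CBC = bytes.fromhex("60864801650304012a")
NAMES = {HMAC_SHA1: "hmacWithSHA1", AES256_CBC: "aes-256-cbc",
         bytes.fromhex("2a864886f70d0209"): "hmacWithSHA256"}

def tlvs(buf):
    """Split a DER buffer into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def pbes2_params(blob):
    """Report PRF, iteration count and cipher of an EncryptedPrivateKeyInfo."""
    (_, alg), _ciphertext = tlvs(tlvs(blob)[0][1])
    (_, scheme), (_, params) = tlvs(alg)
    if scheme != PBES2:
        raise ValueError("not PBES2 (PBES1 or PKCS#12 PBE)")
    (_, kdf), (_, enc) = tlvs(params)
    (_, kdf_oid), (_, kdf_params) = tlvs(kdf)
    if kdf_oid != PBKDF2:
        raise ValueError("key derivation is not PBKDF2")
    fields = tlvs(kdf_params)  # salt, iterations, [keyLength], [prf]
    # prf is DEFAULT hmacWithSHA1, so DER leaves it out when SHA-1 is used
    prf = tlvs(fields[-1][1])[0][1] if fields[-1][0] == 0x30 else HMAC_SHA1
    cipher = tlvs(enc)[0][1]
    return {"prf": NAMES.get(prf, prf.hex()), "cipher": NAMES.get(cipher, cipher.hex()),
            "iterations": int.from_bytes(fields[1][1], "big")}

def tlv(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body  # short-form length, enough here

def sample(prf=None):
    """Constructed EncryptedPrivateKeyInfo: dummy salt, IV and ciphertext."""
    kp = [tlv(4, bytes(8)), tlv(2, (2048).to_bytes(2, "big"))]
    if prf:
        kp.append(tlv(0x30, tlv(6, prf), tlv(5)))
    kdf = tlv(0x30, tlv(6, PBKDF2), tlv(0x30, *kp))
    enc = tlv(0x30, tlv(6, AES256_CBC), tlv(4, bytes(16)))
    return tlv(0x30, tlv(0x30, tlv(6, PBES2), tlv(0x30, kdf, enc)), tlv(4, bytes(16)))
```

For a PEM file, base64-decode the body between the BEGIN/END ENCRYPTED PRIVATE KEY lines and pass the resulting DER to pbes2_params.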