Re: Minimum RSA Key length ?
On Thu, Jun 05, 2003, [EMAIL PROTECTED] wrote: > Are we at cross-purposes here? I'm referring to server certificates, not > client certificates (about which I am completely clueless as I currently > have no business reason to use them). > > Anyway, the proof of the pudding is in the eating. Can you point me to a > secure site that uses a key size >1024 bits? I can't find one for love nor > money. > I don't know of any public sites but its easy enough to do a test. I made a sample self signed certificate with an 8192 bit key: openssl req -x509 -nodes -keyout x.pem -out x.pem -newkey rsa:8192 Then pointed the test server at it: openssl s_server -cert x.pem -www -port 443 Then putting https://127.0.0.1/ into browsers and clicking past the warnings brought up the test page on two browsers, Mozilla 1.3 and MSIE 6.0. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Minimum RSA Key length ?
[EMAIL PROTECTED] wrote: Anyway, the proof of the pudding is in the eating. Can you point me to a secure site that uses a key size >1024 bits? I can't find one for love nor money. This root certificate was found in the binary code for Netscape 7 Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=America Online Inc., CN=America Online Root Certification Authority 2 Validity Not Before: May 28 06:00:00 2002 GMT Not After : Sep 29 14:08:00 2037 GMT Subject: C=US, O=America Online Inc., CN=America Online Root Certification Authority 2 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (4096 bit) == Modulus (4096 bit): 00:cc:41:45:1d:e9:3d:4d:10:f6:8c:b1:41:c9:e0: 5e:cb:0d:b7:bf:47:73:d3:f0:55:4d:dd:c6:0c:fa: b1:66:05:6a:cd:78:b4:dc:02:db:4e:81:f3:d7:a7: ... === There used to be a 16384 bit root certificate in Netscape 6 but I see it has been removed. It belonged to Thawte. === grep Modulus foombar | sort | uniq -c 1 Modulus (1000 bit): 38 Modulus (1024 bit): 26 Modulus (2048 bit): 2 Modulus (4096 bit): So, slightly less than half the commercial roots have moved to 2048 bits and several have moved to 4096. These are the numbers for the old Netscape 6: 1 Modulus (1000 bit): 54 Modulus (1024 bit): 1 Modulus (16384 bit): 34 Modulus (2048 bit): 1 Modulus (4096 bit): This should give you a pretty good snapshot of what the people who can pay Netscape $250,000 dollars a shot to have their roots included are doing... -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Minimum RSA Key length ?
Dear John- I have used >1024 certs on my test 2k server for SSL connections to a browser, no problem. Encryption confirmed with a pacekt sniffer. As PK encryption is a hybrid, the use of resource intensive Asymmetric encryption (RSA or DH public key) is reserved for securely exchanging the 128 bit session key so that the connection can then use resource efficient symmetric encryption (3des, CAST5, IDEA, AES, TwoFish) for the data transmission. Since the certificate is used solely for authentication and session key exchange, its size is not a factor except in high volume sites where it may be a drag on responses. If volume was not a major consideration, and data security was...I would use a large key and better symmetric algorithms for things like a IPSec VPN, a "lite" VPN through SSL, or http over SSL. As I said, the literature by respected cryptographers supposes that 1024 bit asymmetric/90 bit symmetric keys are in danger or have been broken by now. The Bernstein paper suggests a work reduction of those suppositions by 1/3. So , if he is correct (jury is out but no major flaws found) a 1024 bit cert is really about 683 bits in effective strength. That would give you the session key for that particular SSL session and decrypt it. Who and why anyone would want to do that depends on your threat model. > Anyway, the proof of the pudding is in the eating. Can you point me to a > secure site that uses a key size >1024 bits? I can't find one for love nor > money. > Why commercial CAs don't issue larger certs may be the volume/work load factor. Maybe its business, larger one's now would be an admission that 1024 bits are compromised. I know Thawte will trigger and sign 2048 bit personal certificates created in a Mozilla browser. But in any case, you can create a server certificate of any size using OpenSSL. The benefit of going with a commercial CA is that they are listed in the Root Stores of the browsers. However, adding a Root cert to those stores is very easy. If you can securely distribute a Root (either out of channel or get visitors to your site to install them), then you can offer a better level of security for the data exchanged over SSL. Yours- Ridge [EMAIL PROTECTED] wrote: -Original Message- From: Ridge Cook [mailto:[EMAIL PROTECTED] Sent: 03 June 2003 03:10 To: [EMAIL PROTECTED] Subject: Re: Minimum RSA Key length ? >>>To answer your other question, I don't believe there are >>any browsers that can accept a RSA key > 1024 bits. I did look into this >>last year as I was >>>creating a new SSL key but was advised by the Thawte >>representative that >>>although I could create a certificate with this size key, >>it wouldn't work. The Thawte Rep was incorrect. I have imported and used certificates/RSA v3 keys of 4096 bit size and higher in Internet Explorer and Mozilla. > Anyway, the proof of the pudding is in the eating. Can you point me to a > secure site that uses a key size >1024 bits? I can't find one for love nor > money. Are we at cross-purposes here? I'm referring to server certificates, not client certificates (about which I am completely clueless as I currently have no business reason to use them). - John Airey, BSc (Jt Hons), CNA, RHCE Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] What is "real"? How do you define "real"? If you're talking about what you can feel, what you can smell, what you can taste and see, then "real" is simply electrical signals interpreted by your brain... (Morpheus, The Matrix, 1999) - NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager
RE: Minimum RSA Key length ?
> -Original Message- > From: Ridge Cook [mailto:[EMAIL PROTECTED] > Sent: 03 June 2003 03:10 > To: [EMAIL PROTECTED] > Subject: Re: Minimum RSA Key length ? > > > >>>To answer your other question, I don't believe there are > >>any browsers that can accept a RSA key > 1024 bits. I did > look into this > >>last year as I was > >>>creating a new SSL key but was advised by the Thawte > >>representative that > >>>although I could create a certificate with this size key, > >>it wouldn't work. > > The Thawte Rep was incorrect. I have imported and used > certificates/RSA v3 > keys of 4096 bit size and higher in Internet Explorer and Mozilla. > Are we at cross-purposes here? I'm referring to server certificates, not client certificates (about which I am completely clueless as I currently have no business reason to use them). Anyway, the proof of the pudding is in the eating. Can you point me to a secure site that uses a key size >1024 bits? I can't find one for love nor money. - John Airey, BSc (Jt Hons), CNA, RHCE Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] What is "real"? How do you define "real"? If you're talking about what you can feel, what you can smell, what you can taste and see, then "real" is simply electrical signals interpreted by your brain... (Morpheus, The Matrix, 1999) - NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Minimum RSA Key length ?
On Wed, Mar 26, 2003, Asad Ali wrote: > > Does TLS support any "non-static" RSA ciphersuites. For example is > it possible to use a 128 bit key to encrypt the pre-master secret > in chunks of 16 bytes (including the padding), or use a 256 bit > key to encrypt it in 32 byte chunks. > No, the standards expect it to be handled in one chunk. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Minimum RSA Key length ?
Does TLS support any "non-static" RSA ciphersuites. For example is it possible to use a 128 bit key to encrypt the pre-master secret in chunks of 16 bytes (including the padding), or use a 256 bit key to encrypt it in 32 byte chunks. regards, --- asad -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson Sent: Wednesday, March 26, 2003 11:30 AM To: [EMAIL PROTECTED] Subject: Re: Minimum RSA Key length ? On Wed, Mar 26, 2003, Asad Ali wrote: > > Hi, > > I am experimenting with the minumum RSA key lenght allowed > by TLS 1.0. What I gather from reading the specification is > that it is left to applications to enforce minimum/maximum > lenghts - please correct me if this is not the case. > There are various minimum limitations based on the protocol requirements of TLS. For example in static RSA ciphersuites it must be possible to encrypt the pre-master secret using the server's public key. The PMS is 48 bytes in length and the PKCS#1 padding overhead is 11 bytes effectively making the absolute minimum 59 * 8 = 472 bits. For client certificates or for ciphersuites where server certificates sign data it must be able to contain the combined SHA1+MD5 hash and with the overhead again this is 20+16+11 = 47 or 376 bits. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Minimum RSA Key length ?
On Wed, Mar 26, 2003, Asad Ali wrote: > > Hi, > > I am experimenting with the minumum RSA key lenght allowed > by TLS 1.0. What I gather from reading the specification is > that it is left to applications to enforce minimum/maximum > lenghts - please correct me if this is not the case. > There are various minimum limitations based on the protocol requirements of TLS. For example in static RSA ciphersuites it must be possible to encrypt the pre-master secret using the server's public key. The PMS is 48 bytes in length and the PKCS#1 padding overhead is 11 bytes effectively making the absolute minimum 59 * 8 = 472 bits. For client certificates or for ciphersuites where server certificates sign data it must be able to contain the combined SHA1+MD5 hash and with the overhead again this is 20+16+11 = 47 or 376 bits. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
