bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-22 20:03 UTC
[Bug 1550] New: Move from 3DES to AES-256 for private key encryption
https://bugzilla.mindrot.org/show_bug.cgi?id=1550
Summary: Move from 3DES to AES-256 for private key encryption
Product: Portable OpenSSH
Version: 5.1p1
Platform: All
OS/Version: All
Status: NEW
Keywords: patch
Severity: enhancement
Priority: P2
Component: ssh-keygen
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: jmknoble at pobox.com
Created an attachment (id=1597)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1597)
Patch from Damien Miller to enable AES-256 in ssh-keygen
Date: Tue, 20 Jan 2009 01:06:35 -0500
From: Jim Knoble <jmknoble at pobox.com>
To: OpenSSH Devel <openssh-unix-dev at mindrot.org>
Subject: OpenSSH private key encryption: time for AES?
Message-ID: <20090120060635.GA29074 at crawfish.ais.com>
Mail-Followup-To: OpenSSH Devel <openssh-unix-dev at mindrot.org>
Hi, all.
So, in reviewing my OpenSSH keypairs and evaluating the size my RSA
keys
should be, i realized that, if i update my 2048-bit keypairs to 4096
bits, it really doesn't matter that much, because they're still
only encrypted with 3DES, which provides an effective 112 bits of
symmetric encryption strength:
$ head -4 ~/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,XXXXXXXXXXXXXXXX
$
According to NIST[1][2], a minimum of 112-bit symmetric / 2048-bit
asymmetric keystrength is recommended for protection up until about
2030. For protection beyond 2030, or for the paranoid, larger keysizes
are recommended. Other recommendations (e.g., those of ECRYPT) vary in
how long 112/2048-bit encryption should last.
With that in mind ... how can i encrypt my 4096-bit SSH RSA keypair
with
something like AES-128, AES-256, or Twofish instead of 3DES and still
use it with OpenSSH? Can ssh-add read (unencrypted) key data from
stdin?
____________________
[1] http://csrc.nist.gov/groups/ST/toolkit/key_management.html
[2]
http://csrc.nist.gov/groups/ST/toolkit/documents/SP800-57Part1_3-8-07.pdf
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-22 20:52 UTC
[Bug 1550] Move from 3DES to AES-256 for private key encryption
https://bugzilla.mindrot.org/show_bug.cgi?id=1550
--- Comment #1 from Jim Knoble <jmknoble at pobox.com> 2009-01-23
07:52:35 ---
Date: Tue, 20 Jan 2009 20:42:38 -0500
From: Jim Knoble <jmknoble at pobox.com>
To: OpenSSH Devel <openssh-unix-dev at mindrot.org>
Subject: Re: OpenSSH private key encryption: time for AES?
Message-ID: <20090121014237.GD29074 at crawfish.ais.com>
Mail-Followup-To: OpenSSH Devel <openssh-unix-dev at mindrot.org>
References: <20090120060635.GA29074 at crawfish.ais.com>
<alpine.BSO.1.10.0901201822540.5492 at fuyu.mindrot.org>
In-Reply-To: <alpine.BSO.1.10.0901201822540.5492 at fuyu.mindrot.org>
Circa 2009-01-20 02:30 dixit Damien Miller:
: On Tue, 20 Jan 2009, Jim Knoble wrote:
:
: > [...]how can i encrypt my 4096-bit SSH RSA keypair with
: > something like AES-128, AES-256, or Twofish instead of 3DES and
still
: > use it with OpenSSH? Can ssh-add read (unencrypted) key data from
stdin?
Experimentation has shown that the following will add a key to a
running
ssh-agent (OpenSSH_4.6p1, Ubuntu 7.10):
$ cat id_rsa-unencrypted |ssh-add /dev/stdin
$ ssh-add -l |fgrep /dev/stdin
2048 xx:xx:xx:...:xx:xx:xx /dev/stdin (RSA)
$
However, the following will not remove the key from the agent:
$ cat id_rsa-unencrypted |ssh-add -d /dev/stdin
Bad key file /dev/stdin
$
If both operations worked, then one could use an external
encryption/decryption facility with one's private keys, e.g.:
openssl enc -d -in ~/.ssh/id_rsa -aes-256-cbc |ssh-add /dev/stdin
(although it would take a passphrase to remove a key from ssh-agent).
: If you want to change it then you can do something like [a one-liner
: change to authfile.c]. It probably wouldn't hurt to change - new
: installations will still be able to read old keys
It would be nice for newer OpenSSH to be able to produce private keys
usable by older OpenSSH as well.
Any chance of an option in ssh-keygen to specify the cipher? E.g.:
# Use '-E' with any of: 3des-cbc, aes128-cbc, aes192-cbc,
aes256-cbc
ssh-keygen -t rsa -E aes256-cbc
Alternatively:
# Encrypt with AES-256:
ssh-keygen -t rsa -A
# Encrypt with 3DES:
ssh-keygen -t rsa -3
# Use default encryption:
ssh-keygen -t rsa
Finally:
# Encrypt with AES-256:
ssh-keygen -t rsa
# Encrypt with 3DES ('-O' for "old"):
ssh-keygen -t rsa -O:1
Cheers,
jim
--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-22 20:54 UTC
[Bug 1550] Move from 3DES to AES-256 for private key encryption
https://bugzilla.mindrot.org/show_bug.cgi?id=1550 --- Comment #2 from Jim Knoble <jmknoble at pobox.com> 2009-01-23 07:54:11 --- Date: Wed, 21 Jan 2009 15:16:31 +1100 (EST) From: Damien Miller <djm at mindrot.org> To: Jim Knoble <jmknoble at pobox.com> Subject: Re: OpenSSH private key encryption: time for AES? In-Reply-To: <20090121014237.GD29074 at crawfish.ais.com> Message-ID: <alpine.BSO.1.10.0901211509560.5581 at fuyu.mindrot.org> References: <20090120060635.GA29074 at crawfish.ais.com> <alpine.BSO.1.10.0901201822540.5492 at fuyu.mindrot.org> <20090121014237.GD29074 at crawfish.ais.com> Cc: OpenSSH Devel <openssh-unix-dev at mindrot.org> On Tue, 20 Jan 2009, Jim Knoble wrote:> Circa 2009-01-20 02:30 dixit Damien Miller: > > : On Tue, 20 Jan 2009, Jim Knoble wrote: > : > : > [...]how can i encrypt my 4096-bit SSH RSA keypair with > : > something like AES-128, AES-256, or Twofish instead of 3DES and still > : > use it with OpenSSH? Can ssh-add read (unencrypted) key data from stdin? > > Experimentation has shown that the following will add a key to a running > ssh-agent (OpenSSH_4.6p1, Ubuntu 7.10): > > $ cat id_rsa-unencrypted |ssh-add /dev/stdin > $ ssh-add -l |fgrep /dev/stdin > 2048 xx:xx:xx:...:xx:xx:xx /dev/stdin (RSA) > $ > > However, the following will not remove the key from the agent: > > $ cat id_rsa-unencrypted |ssh-add -d /dev/stdin > Bad key file /dev/stdin > $Does that work without the patch? I don't think it would even with the current cipher because it needs to reread the file IIRC.> If both operations worked, then one could use an external > encryption/decryption facility with one's private keys, e.g.: > > openssl enc -d -in ~/.ssh/id_rsa -aes-256-cbc |ssh-add /dev/stdin > > (although it would take a passphrase to remove a key from ssh-agent).Wouldn't this just require the former to work? You'd be passing keys to ssh-agent in unencrypted form always, no?> : If you want to change it then you can do something like [a one-liner > : change to authfile.c]. It probably wouldn't hurt to change - new > : installations will still be able to read old keys > > It would be nice for newer OpenSSH to be able to produce private keys > usable by older OpenSSH as well.The key encryption for SSH protocol 2 keys is done by OpenSSL's PEM functions, so AES should be supported by any OpenSSL version that supports AES in PEM. IIRC this has been supported for a number of years.> Any chance of an option in ssh-keygen to specify the cipher? E.g.:No, I think that would be a microknob that add little value, and ssh-add has waaaay to many buttons already. If we change then it should be to the best encryption that is supported by widely deployed SSL/OpenSSH versions. -d -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-22 20:54 UTC
[Bug 1550] Move from 3DES to AES-256 for private key encryption
https://bugzilla.mindrot.org/show_bug.cgi?id=1550 --- Comment #3 from Jim Knoble <jmknoble at pobox.com> 2009-01-23 07:54:39 --- Message-ID: <4976A70C.2020305 at zip.com.au> Date: Wed, 21 Jan 2009 15:39:40 +1100 From: Darren Tucker <dtucker at zip.com.au> To: Damien Miller <djm at mindrot.org> Subject: Re: OpenSSH private key encryption: time for AES? References: <20090120060635.GA29074 at crawfish.ais.com> <alpine.BSO.1.10.0901201822540.5492 at fuyu.mindrot.org> <20090121014237.GD29074 at crawfish.ais.com> <alpine.BSO.1.10.0901211509560.5581 at fuyu.mindrot.org> In-Reply-To: <alpine.BSO.1.10.0901211509560.5581 at fuyu.mindrot.org> Cc: Jim Knoble <jmknoble at pobox.com>, OpenSSH Devel <openssh-unix-dev at mindrot.org> Damien Miller wrote: [...]> If we change then it should be to the best encryption that is supported by > widely deployed SSL/OpenSSH versions.Don't forget some versions of the Solaris 10 OpenSSL package cripple all ciphers with a key length >128 bits. We work around that for the SSH ciphers but that's not going to help for the OpenSSL PEM functions. -- Darren Tucker (dtucker at zip.com.au) -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-22 20:55 UTC
[Bug 1550] Move from 3DES to AES-256 for private key encryption
https://bugzilla.mindrot.org/show_bug.cgi?id=1550 --- Comment #4 from Jim Knoble <jmknoble at pobox.com> 2009-01-23 07:55:03 --- Message-ID: <4976A70C.2020305 at zip.com.au> Date: Wed, 21 Jan 2009 15:39:40 +1100 From: Darren Tucker <dtucker at zip.com.au> To: Damien Miller <djm at mindrot.org> Subject: Re: OpenSSH private key encryption: time for AES? References: <20090120060635.GA29074 at crawfish.ais.com> <alpine.BSO.1.10.0901201822540.5492 at fuyu.mindrot.org> <20090121014237.GD29074 at crawfish.ais.com> <alpine.BSO.1.10.0901211509560.5581 at fuyu.mindrot.org> In-Reply-To: <alpine.BSO.1.10.0901211509560.5581 at fuyu.mindrot.org> Cc: Jim Knoble <jmknoble at pobox.com>, OpenSSH Devel <openssh-unix-dev at mindrot.org> Damien Miller wrote: [...]> If we change then it should be to the best encryption that is supported by > widely deployed SSL/OpenSSH versions.Don't forget some versions of the Solaris 10 OpenSSL package cripple all ciphers with a key length >128 bits. We work around that for the SSH ciphers but that's not going to help for the OpenSSL PEM functions. -- Darren Tucker (dtucker at zip.com.au) -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-22 20:56 UTC
[Bug 1550] Move from 3DES to AES-256 for private key encryption
https://bugzilla.mindrot.org/show_bug.cgi?id=1550 --- Comment #5 from Jim Knoble <jmknoble at pobox.com> 2009-01-23 07:56:07 --- Date: Wed, 21 Jan 2009 16:01:35 +1100 (EST) From: Damien Miller <djm at mindrot.org> To: Darren Tucker <dtucker at zip.com.au> Subject: Re: OpenSSH private key encryption: time for AES? In-Reply-To: <4976A70C.2020305 at zip.com.au> Message-ID: <alpine.BSO.1.10.0901211556540.5581 at fuyu.mindrot.org> References: <20090120060635.GA29074 at crawfish.ais.com> <alpine.BSO.1.10.0901201822540.5492 at fuyu.mindrot.org> <20090121014237.GD29074 at crawfish.ais.com> <alpine.BSO.1.10.0901211509560.5581 at fuyu.mindrot.org> <4976A70C.2020305 at zip.com.au> Cc: Jim Knoble <jmknoble at pobox.com>, OpenSSH Devel <openssh-unix-dev at mindrot.org> On Wed, 21 Jan 2009, Darren Tucker wrote:> Damien Miller wrote: > [...] > > If we change then it should be to the best encryption that is supported by > > widely deployed SSL/OpenSSH versions. > > Don't forget some versions of the Solaris 10 OpenSSL package cripple all > ciphers with a key length >128 bits. We work around that for the SSH > ciphers but that's not going to help for the OpenSSL PEM functions.Shouldn't this Just Work with our replacement EVP_aes_256_cbc in cipher-aes.c? We already switch it on for the OPENSSL_LOBOTOMISED_AES case (Obviously it would need to be tested...) -d -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-22 20:56 UTC
[Bug 1550] Move from 3DES to AES-256 for private key encryption
https://bugzilla.mindrot.org/show_bug.cgi?id=1550 --- Comment #6 from Jim Knoble <jmknoble at pobox.com> 2009-01-23 07:56:39 --- Date: Thu, 22 Jan 2009 14:49:01 -0500 From: Jim Knoble <jmknoble at pobox.com> To: OpenSSH Devel <openssh-unix-dev at mindrot.org> Subject: Re: OpenSSH private key encryption: time for AES? Message-ID: <20090122194901.GB22282 at crawfish.ais.com> Mail-Followup-To: OpenSSH Devel <openssh-unix-dev at mindrot.org> References: <20090120060635.GA29074 at crawfish.ais.com> <alpine.BSO.1.10.0901201822540.5492 at fuyu.mindrot.org> <20090121014237.GD29074 at crawfish.ais.com> <alpine.BSO.1.10.0901211509560.5581 at fuyu.mindrot.org> In-Reply-To: <alpine.BSO.1.10.0901211509560.5581 at fuyu.mindrot.org> Circa 2009-01-20 23:16 dixit Damien Miller: : On Tue, 20 Jan 2009, Jim Knoble wrote: : : > $ cat id_rsa-unencrypted |ssh-add /dev/stdin : > $ ssh-add -l |fgrep /dev/stdin : > 2048 xx:xx:xx:...:xx:xx:xx /dev/stdin (RSA) : > $ : : Does that work without the patch? I don't think it would even with : the current cipher because it needs to reread the file IIRC. It's an unpatched ssh-keygen (OpenSSH_4.6p1 Debian-5ubuntu0.6, OpenSSL 0.9.8e 23 Feb 2007). : > If both operations worked, then one could use an external : > encryption/decryption facility with one's private keys, e.g.: : > : > openssl enc -d -in ~/.ssh/id_rsa -aes-256-cbc |ssh-add /dev/stdin : > : > (although it would take a passphrase to remove a key from ssh-agent). : : Wouldn't this just require the former to work? You'd be passing keys : to ssh-agent in unencrypted form always, no? Not sure i understand. The only decryption would happen in the 'openssl | ssh-add' pipeline. In order to know which key to remove, ssh-add would need to read the unencrypted key, which would only be available by decrypting it in the pipeline, supplying a passphrase to the 'openssl' command. Currently, 'ssh-add -d' doesn't require a passphrase for an OpenSSH-encrypted private key. I like the flexibility of being able to use stdin with ssh-add (and i would prefer 'ssh-add -' rather than 'ssh-add /dev/stdin', but whatever). However, all the above may be moot in light of the discussion further below. : The key encryption for SSH protocol 2 keys is done by OpenSSL's PEM : functions, so AES should be supported by any OpenSSL version that supports : AES in PEM. IIRC this has been supported for a number of years. If older OpenSSH (to a point) would "just work" reading private keys encrypted with AES-256, then that's fantastic, and no need for any further options to ssh-keygen. : If we change then it should be to the best encryption that is supported by : widely deployed SSL/OpenSSH versions. Agreed. Private keys are short, and even if decryption happens frequently, it takes much longer to enter a passphrase than to decrypt the key (and both decryption and passphrase can be mitigated via ssh-agent). -- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Nov-10 02:14 UTC
[Bug 1550] Move from 3DES to AES-256 for private key encryption
https://bugzilla.mindrot.org/show_bug.cgi?id=1550
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #7 from Damien Miller <djm at mindrot.org> 2009-11-10 13:14:32
EST ---
We now use AES-128 for private key encryption on systems that use
OpenSSL 0.9.7 and greater. This will be in OpenSSH 5.4.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-16 05:50 UTC
[Bug 1550] Move from 3DES to AES-256 for private key encryption
https://bugzilla.mindrot.org/show_bug.cgi?id=1550
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #8 from Damien Miller <djm at mindrot.org> 2010-04-16 15:50:55
EST ---
Mass move of bugs RESOLVED->CLOSED following the release of
openssh-5.5p1
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.