3

I need to generate the most secure private key.

Usually I use a command:

openssl genrsa -des3 -out mykey.key 2048

Is triple DES secure enough?

Is 2048 large enough?

Are there any other ways to make the private key stronger?

Maarten Bodewes
  • 4,562
  • 15
  • 29
sluge
  • 1,085
  • 1
  • 10
  • 9
  • 1
    Secure in what way? Triple DES is the cipher used to encrypt the private key, and has nothing to do with the 2048. – AndrolGenhald Feb 01 '19 at 14:28
  • 1
    There is no "most secure". One could always do better but at the cost of impacting usability and/or performance. This means one should instead try to achieve the best compromise for the specific use case and the expected risks - which of course depends on knowing the use case (which is not known in your question). – Steffen Ullrich Feb 01 '19 at 14:31
  • 2
    (1) Please read the OpenSSL manual to understand the command you are using. You can type "man openssl" to read it. (2) 3DES and RSA2048 are deprecated, you should not use them. The NIST and other organizations have published recommendations on good and safe cryptographic configurations : please read one of those to choose a configuration suited to your needs. (3) Come back here to ask specific questions if you have trouble to understand this material. – A. Hersean Feb 01 '19 at 14:55
  • @A.Hersean When was RSA2048 deprecated? Pretty sure it's still the most common recommendation, as RSA performance doesn't scale well with key size, and 2048 is still pretty good. – AndrolGenhald Feb 01 '19 at 15:07
  • @AndrolGenhald Currently NIST specifies RSA 2048 to be used up to 2030. Now if you just use the RSA keys for real time authentication then 2048 is plenty. However, if you would use it for keeping text confidential until after 2030 then yes, you can say it is not recommended anymore. Same for three-key 3DES. – Maarten Bodewes Feb 01 '19 at 15:12
  • @sluge I would request to generate a "more secure" private key using OpenSSL, this question is in danger to be closed as off topic / opinionated / too broad etc. – Maarten Bodewes Feb 01 '19 at 15:15
  • @AndrolGenhald It's deprecated by ECRYPT and the IAD-NSA. It's also deprecated for usages going after 2030 (almost everything except instant messaging) by the ANSSI. Source: https://www.keylength.com/en/compare/ – A. Hersean Feb 04 '19 at 08:57

2 Answers2

5

Using AES and 4096 bit RSA would certainly help. At least openssl uses 3 key triple DES but that means both the triple DES and the RSA private key are stuck at a security strength of 112 bits. See https://keylength.com for information on key strengths. 112 bit is just enough but a bit too close for comfort; I'd sleep better with 128 bit security.

openssl genrsa -aes128 -out mykey.key 4096

Note that 3DES is used in CBC mode, offering confidentiality only. That means that an adversary could change the value of your private key without you knowing it. If that's OK depends on your situation - an attacker may not be able to reach your private key or maybe you're just interested in keeping the private key / messages confidential.

You might consider storing the keys in a PKCS#12 container instead, which offers just a bit more security. You'd need a certificate with the public key to do so though. Unfortunately the genrsa command doesn't seem to allow any authenticated mode of encryption such as AES-GCM. Possibly you could place a signature over the generated private key (in case you have a different private key used for code signing around). Or you could store a hash over the private key file somewhere safe and compare before using it.

The weakest point of password encryption is always the password. Older command line openssl, before 1.0.0, uses a pretty weak password based key derivation function (with a single iteration count). Newer openssl fortunately uses PBKDF2 with a - still low but better - iteration count of 2048 (see the comment of Dave below). You may increase this count using -iter N command line option. More importantly, you can avoid issues by generating a very strong password, storing the strong password in a password manager of some sorts. Chances are that you won't be able to remember a really strong password (or the password may simply be not as strong as you assume).

Above advice can be used to generate a more secure private key; there is no such thing as a most secure private key. If there would be such a thing, then I would doubt that you could use (software only) OpenSSL command line to generate it.

Maarten Bodewes
  • 4,562
  • 15
  • 29
  • For fun, try and generate a few 16384 bit large RSA keys, just to get an idea of the practicality of those. They would of course be more secure than 4096 bit keys, offering up to a key strength of 256 bit, but yeah, not all that practical. – Maarten Bodewes Feb 01 '19 at 15:19
  • 1
    The most secure RSA private key is one that is generated on an unconnected system in a electrically shielded atomic bunker, which is blown up using a large fusion bomb put within the bunker *immediately* after generating the key pair. Availability: zero, access: ~zero, lifetime: ~zero. Usefulness: zero. – Maarten Bodewes Feb 01 '19 at 15:34
  • 2
    Not quite; OpenSSL both commandline and library uses the bad PBKDF (EVP_BytesToKey with one iteration) for **traditional** (i.e. not PKCS8) privatekey files, which `genrsa` writes, but (since 1.0.0 in 2010) `genpkey` writes PKCS8 using by default PBKDF2 with 2048 iterations, and (since 1.1.0 in 2016) piping to `pkcs8 -topk8 -iter N` can increase that. OpenSSL supports only CBC encryption of the keybag in PKCS12, but the _entire_ PKCS12 is protected by PBMAC _usually_ with the same password (you can change that with `-twopass` but the result is not very interoperable). – dave_thompson_085 Feb 02 '19 at 09:24
  • @dave_thompson_085 Thanks (again). I don't know all the intricacies of openssl and the ones I know are the ones I remember - sometimes those are already fixed. I've tried to include the minimum amount of info of your comment to correct the answer above, still focusing on a strong password, of course. – Maarten Bodewes Feb 02 '19 at 10:57
0

Secure enough for what? This really depends on your use case. From my own reading RSA 2048 is still generally considered secure for now based on time to break key using publically available methods, and is very widely used. For some use cases, as others have said, you may wish to consider longer key lengths. Be aware that some applications may only support RSA keys up to a certain size though.

As for 3DES I've not regarded it as secure for some years now. The AES family is well established and widely supported, and can provide equivalent security with much shorter key lengths than RSA. Other algorithms are also available too.

Richard N
  • 141
  • 3