On Fri, 30 May 2014 sparks(a)fedoraproject.org wrote:
diff --git a/Securing_TLS/en-US/OpenSSL.xml
b/Securing_TLS/en-US/OpenSSL.xml
index 191564f..df458d9 100644
--- a/Securing_TLS/en-US/OpenSSL.xml
+++ b/Securing_TLS/en-US/OpenSSL.xml
@@ -160,5 +160,36 @@ EXP-KRB5-RC4-MD5 SSLv3
</para>
</section>
</section>
+ <section
id="sect-Fedora_Security_Team-Securing_TLS-OpenSSL-Generating_Crypto">
+ <title>Generating Crypto</title>
+ <para>Properly generating keys and certificates is as important as the ciphers
suite being used to secure the circuit. The best cipher can be broken with improperly
generated keys.</para>
+
+ <section
id="sect-Fedora_Security_Team-Securing_TLS-OpenSSL-Generating_Crypto-RSA">
+ <title>Generating RSA keys</title>
+ <para>RSA keys are the most common key type used to secure SSL and TLS
circuits. It's relatively simple to generate keys and we'll describe how and why
now.</para>
+ <para>
+<screen>
+openssl genrsa -aes128 -out key_name.key 3072
+</screen>
+This will generate a 3072-bit RSA key that is sufficently large for true 128 bits of
security. To obtain 256 bits of security the RSA key will need to be 15360 bits. If you
require that type of security, however, a ECDSA key should be utilized.
+<important><para>The industry standard 2048-bit RSA key only provides 112
bits of security.<footnote><para>NIST SP 800-57 Part 1, Rev 3 <ulink
url="http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part...
/></para></footnote></para></important>
etc... but "OpenSSL pitfalls" in defensive-coding/en-US/Features-TLS.xml
warns that
OpenSSL command-line commands, such as <command>openssl
genrsa</command>, do not ensure that physical entropy is used
for key generation--they obtain entropy from
<filename>/dev/urandom</filename> and other sources, but not
from <filename>/dev/random</filename>. This can result in
weak keys if the system lacks a proper entropy source (e.g., a
virtual machine with solid state storage). Depending on local
policies, keys generated by these OpenSSL tools should not be
used in high-value, critical functions.
I think such warning (and perhaps an advice to use -randfile /dev/random?)
should be reflected in documents telling people to use openssl genrsa et
al. to generate keys.
Come to think of it, maybe it would also be a good idea to patch these
commands to print the warning when they are used to generate new keys
without a good source of entropy.
--
Pavel Kankovsky aka Peak "Que sais-je?"