On Fri, 30 May 2014 sparks@fedoraproject.org wrote:
diff --git a/Securing_TLS/en-US/OpenSSL.xml b/Securing_TLS/en-US/OpenSSL.xml index 191564f..df458d9 100644 --- a/Securing_TLS/en-US/OpenSSL.xml +++ b/Securing_TLS/en-US/OpenSSL.xml @@ -160,5 +160,36 @@ EXP-KRB5-RC4-MD5 SSLv3 </para> </section>
</section> + <section id="sect-Fedora_Security_Team-Securing_TLS-OpenSSL-Generating_Crypto"> + <title>Generating Crypto</title> + <para>Properly generating keys and certificates is as important as the ciphers suite being used to secure the circuit. The best cipher can be broken with improperly generated keys.</para> + + <section id="sect-Fedora_Security_Team-Securing_TLS-OpenSSL-Generating_Crypto-RSA"> + <title>Generating RSA keys</title> + <para>RSA keys are the most common key type used to secure SSL and TLS circuits. It's relatively simple to generate keys and we'll describe how and why now.</para> + <para> +<screen> +openssl genrsa -aes128 -out key_name.key 3072 +</screen> +This will generate a 3072-bit RSA key that is sufficently large for true 128 bits of security. To obtain 256 bits of security the RSA key will need to be 15360 bits. If you require that type of security, however, a ECDSA key should be utilized. +<important><para>The industry standard 2048-bit RSA key only provides 112 bits of security.<footnote><para>NIST SP 800-57 Part 1, Rev 3 <ulink url="http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf" /></para></footnote></para></important>
etc... but "OpenSSL pitfalls" in defensive-coding/en-US/Features-TLS.xml warns that
OpenSSL command-line commands, such as <command>openssl genrsa</command>, do not ensure that physical entropy is used for key generation--they obtain entropy from <filename>/dev/urandom</filename> and other sources, but not from <filename>/dev/random</filename>. This can result in weak keys if the system lacks a proper entropy source (e.g., a virtual machine with solid state storage). Depending on local policies, keys generated by these OpenSSL tools should not be used in high-value, critical functions.
I think such warning (and perhaps an advice to use -randfile /dev/random?) should be reflected in documents telling people to use openssl genrsa et al. to generate keys.
Come to think of it, maybe it would also be a good idea to patch these commands to print the warning when they are used to generate new keys without a good source of entropy.