Query minimum RSA key size?

Felipe Gasper felipe at felipegasper.com
Mon Sep 26 15:50:11 UTC 2022 


> On Sep 26, 2022, at 11:47, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> 
> On Mon, Sep 26, 2022 at 10:46:40AM -0400, Felipe Gasper wrote:
> 
>>> The security levels are documented.  You can set the security level
>>> in the cipher string:
>>> 
>>>   DEFAULT:@SECLEVEL=1
>>> 
>>> or via the API.
>> 
>> Ahh, OK. Indeed, when I set that as the cipher string the error goes away. Thank you!
> 
> You can, if you wish, change the default security level in openssl.cnf.
> IIRC the default from the upstream OpenSSL software is 1.  If your
> system default is 2 or higher, that was done by your OS package
> maintainers.
> 
>> I see that the API exposes SSL_CTX_get_security_level(); is that the
>> best way to determine minimum RSA key size, or would there be anything
>> more explicit?
> 
> The documentation for that function reads in part:
> 
>    Level 0
>        Everything is permitted. This retains compatibility with
>        previous versions of OpenSSL.
> 
>    Level 1
>        The security level corresponds to a minimum of 80 bits of
>        security. Any parameters offering below 80 bits of security are
>        excluded. As a result RSA, DSA and DH keys shorter than 1024
>        bits and ECC keys shorter than 160 bits are prohibited. Any
>        cipher suite using MD5 for the MAC is also prohibited.  Any
>        cipher suites using CCM with a 64 bit authentication tag are
>        prohibited. Note that signatures using SHA1 and MD5 are also
>        forbidden at this level as they have less than 80 security bits.
>        Additionally, SSLv3, TLS 1.0, TLS 1.1 and DTLS 1.0 are all
>        disabled at this level.
> 
>    Level 2
>        Security level set to 112 bits of security. As a result RSA, DSA
>        and DH keys shorter than 2048 bits and ECC keys shorter than 224
>        bits are prohibited. In addition to the level 1 exclusions any
>        cipher suite using RC4 is also prohibited. Compression is
>        disabled.
> 
>    Level 3
>        Security level set to 128 bits of security. As a result RSA, DSA
>        and DH keys shorter than 3072 bits and ECC keys shorter than 256
>        bits are prohibited. In addition to the level 2 exclusions
>        cipher suites not offering forward secrecy are prohibited.
>        Session tickets are disabled.
> 
>    Level 4
>        Security level set to 192 bits of security. As a result RSA, DSA
>        and DH keys shorter than 7680 bits and ECC keys shorter than 384
>        bits are prohibited. Cipher suites using SHA1 for the MAC are
>        prohibited.
> 
>    Level 5
>        Security level set to 256 bits of security. As a result RSA, DSA
>        and DH keys shorter than 15360 bits and ECC keys shorter than
>        512 bits are prohibited.
> 
> Levels 4 and 5 are tantamount to making RSA and DSA unavailable.  Even
> level 3 is too distruptive for interoperable use on the public Internet.
> 
> As you observed, Level 2 disables 1024-bit RSA.  The symmetric
> equivalent bit strength of a particular public key can be queried via:
> EVP_PKEY_security_bits(3):
> 
>    EVP_PKEY_security_bits() returns the number of security bits of the
>    given pkey, bits of security is defined in NIST SP800-57.

Thank you!

It sounds like I’ll still need to hard code the correlation between security level and minimum security bits (i.e., as I see OpenSSL does in multiple locations), but that’s pretty trivial.

cheers,
-Felipe

More information about the openssl-users mailing list