Query minimum RSA key size?

Viktor Dukhovni openssl-users at dukhovni.org
Mon Sep 26 15:47:00 UTC 2022


On Mon, Sep 26, 2022 at 10:46:40AM -0400, Felipe Gasper wrote:

> > The security levels are documented.  You can set the security level
> > in the cipher string:
> > 
> >    DEFAULT:@SECLEVEL=1
> > 
> > or via the API.
> 
> Ahh, OK. Indeed, when I set that as the cipher string the error goes away. Thank you!

You can, if you wish, change the default security level in openssl.cnf.
IIRC the default from the upstream OpenSSL software is 1.  If your
system default is 2 or higher, that was done by your OS package
maintainers.

> I see that the API exposes SSL_CTX_get_security_level(); is that the
> best way to determine minimum RSA key size, or would there be anything
> more explicit?

The documentation for that function reads in part:

    Level 0
        Everything is permitted. This retains compatibility with
        previous versions of OpenSSL.

    Level 1
        The security level corresponds to a minimum of 80 bits of
        security. Any parameters offering below 80 bits of security are
        excluded. As a result RSA, DSA and DH keys shorter than 1024
        bits and ECC keys shorter than 160 bits are prohibited. Any
        cipher suite using MD5 for the MAC is also prohibited.  Any
        cipher suites using CCM with a 64 bit authentication tag are
        prohibited. Note that signatures using SHA1 and MD5 are also
        forbidden at this level as they have less than 80 security bits.
        Additionally, SSLv3, TLS 1.0, TLS 1.1 and DTLS 1.0 are all
        disabled at this level.

    Level 2
        Security level set to 112 bits of security. As a result RSA, DSA
        and DH keys shorter than 2048 bits and ECC keys shorter than 224
        bits are prohibited. In addition to the level 1 exclusions any
        cipher suite using RC4 is also prohibited. Compression is
        disabled.

    Level 3
        Security level set to 128 bits of security. As a result RSA, DSA
        and DH keys shorter than 3072 bits and ECC keys shorter than 256
        bits are prohibited. In addition to the level 2 exclusions
        cipher suites not offering forward secrecy are prohibited.
        Session tickets are disabled.

    Level 4
        Security level set to 192 bits of security. As a result RSA, DSA
        and DH keys shorter than 7680 bits and ECC keys shorter than 384
        bits are prohibited. Cipher suites using SHA1 for the MAC are
        prohibited.

    Level 5
        Security level set to 256 bits of security. As a result RSA, DSA
        and DH keys shorter than 15360 bits and ECC keys shorter than
        512 bits are prohibited.

Levels 4 and 5 are tantamount to making RSA and DSA unavailable.  Even
level 3 is too distruptive for interoperable use on the public Internet.

As you observed, Level 2 disables 1024-bit RSA.  The symmetric
equivalent bit strength of a particular public key can be queried via:
EVP_PKEY_security_bits(3):

    EVP_PKEY_security_bits() returns the number of security bits of the
    given pkey, bits of security is defined in NIST SP800-57.

-- 
    Viktor.


More information about the openssl-users mailing list