Query minimum RSA key size?
felipe at felipegasper.com
Mon Sep 26 15:50:11 UTC 2022
> On Sep 26, 2022, at 11:47, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> On Mon, Sep 26, 2022 at 10:46:40AM -0400, Felipe Gasper wrote:
>>> The security levels are documented. You can set the security level
>>> in the cipher string:
>>> or via the API.
>> Ahh, OK. Indeed, when I set that as the cipher string the error goes away. Thank you!
> You can, if you wish, change the default security level in openssl.cnf.
> IIRC the default from the upstream OpenSSL software is 1. If your
> system default is 2 or higher, that was done by your OS package
>> I see that the API exposes SSL_CTX_get_security_level(); is that the
>> best way to determine minimum RSA key size, or would there be anything
>> more explicit?
> The documentation for that function reads in part:
> Level 0
> Everything is permitted. This retains compatibility with
> previous versions of OpenSSL.
> Level 1
> The security level corresponds to a minimum of 80 bits of
> security. Any parameters offering below 80 bits of security are
> excluded. As a result RSA, DSA and DH keys shorter than 1024
> bits and ECC keys shorter than 160 bits are prohibited. Any
> cipher suite using MD5 for the MAC is also prohibited. Any
> cipher suites using CCM with a 64 bit authentication tag are
> prohibited. Note that signatures using SHA1 and MD5 are also
> forbidden at this level as they have less than 80 security bits.
> Additionally, SSLv3, TLS 1.0, TLS 1.1 and DTLS 1.0 are all
> disabled at this level.
> Level 2
> Security level set to 112 bits of security. As a result RSA, DSA
> and DH keys shorter than 2048 bits and ECC keys shorter than 224
> bits are prohibited. In addition to the level 1 exclusions any
> cipher suite using RC4 is also prohibited. Compression is
> Level 3
> Security level set to 128 bits of security. As a result RSA, DSA
> and DH keys shorter than 3072 bits and ECC keys shorter than 256
> bits are prohibited. In addition to the level 2 exclusions
> cipher suites not offering forward secrecy are prohibited.
> Session tickets are disabled.
> Level 4
> Security level set to 192 bits of security. As a result RSA, DSA
> and DH keys shorter than 7680 bits and ECC keys shorter than 384
> bits are prohibited. Cipher suites using SHA1 for the MAC are
> Level 5
> Security level set to 256 bits of security. As a result RSA, DSA
> and DH keys shorter than 15360 bits and ECC keys shorter than
> 512 bits are prohibited.
> Levels 4 and 5 are tantamount to making RSA and DSA unavailable. Even
> level 3 is too distruptive for interoperable use on the public Internet.
> As you observed, Level 2 disables 1024-bit RSA. The symmetric
> equivalent bit strength of a particular public key can be queried via:
> EVP_PKEY_security_bits() returns the number of security bits of the
> given pkey, bits of security is defined in NIST SP800-57.
It sounds like I’ll still need to hard code the correlation between security level and minimum security bits (i.e., as I see OpenSSL does in multiple locations), but that’s pretty trivial.
More information about the openssl-users