[kwlug-disc] Stronger SSH keys and SSL certificates

CrankyOldBugger crankyoldbugger at gmail.com
Sun Apr 20 13:59:51 EDT 2014


I would have to wonder that if the NSA has some sort of back door or trick
to crack OpenSSL at 1024 bits, then they would probably have the same
backdoor or trick for 2048 or more bits.  Just a thought, I'm certainly not
trying to put down the idea of using encryption!



On 20 April 2014 13:50, Jonathan Poole <jpoole at digitaljedi.ca> wrote:

> Oh and of course, ensure you’re using an openssl version not affected, or
> patched.
>
> On Apr 20, 2014, at 1:47 PM, Jonathan Poole <jpoole at digitaljedi.ca> wrote:
>
> How paranoid do you want to be?
>
> At least 4096 IMHO. Computers are faster/stronger these days; higher bits
> shouldn't generate too much load decrypting.
>
> If you want, generate a new cert every day if you want.
>
> openssl genrsa -out ca.key 4096
>
> openssl req -new -x509 -days 180 -key ca.key -out ca.crt
> On Apr 20, 2014, at 1:12 PM, Khalid Baheyeldin <kb at 2bits.com> wrote:
>
> Needless to say that recent events and government actions warrant more
> paranoia ...
>
> So, to that effect, what options should one use to have the SSH keys
> stronger?
> How many bits? What options for ssh key gen should be used?
>
> And for SSL certificates, what options do you use to make the certificates
> as strong as they can be?
> For example, I use the following script for self signed certificates. How
> can this be improved?
>
> #!/bin/sh
>
> KEY=server.key
> REQ=server.csr
> CRT=server.crt
>
> cd ~/cert
> # Generate a key
> openssl genpkey -algorithm rsa -out $KEY
> # Generate a certificate signing request
> openssl req -new -sha1 -nodes -key $KEY -out $REQ
> # Create a self signed certificate
> openssl x509 -req -days 365 -in $REQ -signkey $KEY -out $CRT
> # Copy it to the server
> cp $CRT /etc/ssl/certs
> cp $KEY /etc/ssl/private
>
>
> --
> Khalid M. Baheyeldin
>
>
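The thread settles on "more bits" and the two openssl commands above, but neither message shows how to confirm what a generated key or certificate actually contains. The script below is an added example written for this post, not Khalid's script or Jonathan's commands. It generates a 4096-bit RSA key with an explicit `-pkeyopt` (Khalid's `genpkey -algorithm rsa` line omits the size, so it silently takes the OpenSSL default), signs a self-signed certificate with SHA-256 instead of the `-sha1` in the original, produces a 4096-bit OpenSSH key, and then reads the bit size and signature algorithm back out so the result can be checked rather than assumed. The output paths, the `example.test` subject name and the `demo` entry point are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): generate stronger keys and a
# self-signed certificate, then verify what was actually produced.
set -eu

KEY_BITS=4096   # RSA modulus size, per the "at least 4096" advice in the thread
DAYS=365        # certificate lifetime, same as Khalid's script

# Generate an RSA private key with an explicit size. Without -pkeyopt,
# genpkey falls back to the OpenSSL default, whatever that build's default is.
gen_key() {  # $1 = output path
    openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:"$KEY_BITS" -out "$1" 2>/dev/null
}

# Make a self-signed certificate in one step (req -new -x509), signed with
# SHA-256 rather than the -sha1 used in the original script.
gen_selfsigned() {  # $1 = key path, $2 = certificate path, $3 = common name
    openssl req -new -x509 -sha256 -days "$DAYS" \
        -key "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# OpenSSH key with an explicit size; -N '' means no passphrase (fine for a
# demo, not for a real login key).
ssh_gen_rsa() {  # $1 = output path (private key; $1.pub is written alongside)
    ssh-keygen -q -t rsa -b "$KEY_BITS" -N '' -C "$2" -f "$1"
}

# Read the modulus size back from the key. The "Private-Key: (N bit" line
# appears in 1.0, 1.1 and 3.x output, so the sed pattern covers all three.
key_bits() {  # $1 = RSA private key path; prints the bit count
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Report which signature algorithm the certificate was signed with.
cert_sigalg() {  # $1 = certificate path; prints e.g. sha256WithRSAEncryption
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# ssh-keygen -l prints "<bits> <fingerprint> <comment> (<type>)".
ssh_key_bits() {  # $1 = public key path; prints the bit count
    ssh-keygen -l -f "$1" | awk '{ print $1 }'
}

# Walk through the whole procedure in a scratch directory and print a summary.
demo() {
    dir=$(mktemp -d)
    gen_key "$dir/server.key"
    gen_selfsigned "$dir/server.key" "$dir/server.crt" example.test
    echo "RSA key:     $(key_bits "$dir/server.key") bits"
    echo "Certificate: signed with $(cert_sigalg "$dir/server.crt")"
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh_gen_rsa "$dir/id_rsa" "demo key"
        echo "SSH key:     $(ssh_key_bits "$dir/id_rsa.pub") bits"
    fi
    rm -rf "$dir"
}

# Run the demo only when asked, so the functions can also be sourced.
case "${1-}" in
    demo) demo ;;
esac
```

Run it as `sh stronger-keys.sh demo`. The two read-back functions are the point of the example: the same checks can be run against existing files in `/etc/ssl/private` and `~/.ssh` to find keys that were generated with an older default size or certificates still signed with SHA-1, which is a quicker audit than re-reading every script that produced them.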