<div dir="ltr">I would have to wonder, that if the NSA has some sort of back door or trick to crack openSSL at 1024 bits, then they would probably have the same backdoor or trick for 2048 or more bits. Just a thought, I'm certainly not trying to put down the idea of using encryption!<div>
<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 20 April 2014 13:50, Jonathan Poole <span dir="ltr"><<a href="mailto:jpoole@digitaljedi.ca" target="_blank">jpoole@digitaljedi.ca</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Oh and of course, ensure you’re using an openssl version not affected, or patched.<div>
<br><div><div>On Apr 20, 2014, at 1:47 PM, Jonathan Poole <<a href="mailto:jpoole@digitaljedi.ca" target="_blank">jpoole@digitaljedi.ca</a>> wrote:</div><br><blockquote type="cite"><div style="word-wrap:break-word">
How paranoid do you want to be?<div><br></div><div>At least 4096 IMHO, Computers are faster/stronger/ these days, higher bits shouldn’t generate too much load decrypting. </div><div><br></div><div>if you want, generate a new cert everyday if you want.</div>
<div><strong><br></strong></div><div><strong>openssl genrsa -out ca.key 4096</strong><br><div><div><p><strong>openssl req -new -x509 -days 180 -key ca.key -out ca.crt</strong></p></div><div><div>On Apr 20, 2014, at 1:12 PM, Khalid Baheyeldin <<a href="mailto:kb@2bits.com" target="_blank">kb@2bits.com</a>> wrote:</div>
<br><blockquote type="cite"><div dir="ltr"><div><div>Needless to say that recent events and government actions warrants more paranoia ...<br><br></div>So, to that effect, what options should one use to have the SSH keys stronger?<br>
</div><div>How many bits? What options for ssh key gen should be used?<br>
<br></div>And for SSL certificates, what options do you use to make the certificates as strong as they can be?<br>For example, I use the following script for self signed certificates. How can this be improved?<br><br>#!/bin/sh<br>
<br>KEY=server.key<br>REQ=server.csr<br>CRT=server.crt<br><br>cd ~/cert<br># Generate a key<br>openssl genpkey -algorithm rsa -out $KEY<br># Generate a certificate signing request<br>openssl req -new -sha1 -nodes -key $KEY -out $REQ<br>
# Create a self signed certificate<br>openssl x509 -req -days 365 -in $REQ -signkey $KEY -out $CRT<br># Copy it to the server<br>cp $CRT /etc/ssl/certs<br>cp $KEY /etc/ssl/private<br><br clear="all"><div><br>-- <br>
Khalid M. Baheyeldin</div><div><br></div></div></blockquote></div></div></div></div></blockquote></div></div></div></blockquote></div><br></div></div>