Well, as I said, given my reading of the code, the newest version of EasyRSA
[line 861] shows the following:
local crypto="-des3"
It's in the set_pass function. [On further review of the code, this appears to
only be used by the "set-rsa-pass" or "set-ec-pass" functions, and I can't
determine what it uses to encrypt *new* CA/Server/Client keys instead of just
re-encrypting them.]
I'm certainly no bash guru, but it appears to only allow a 3DES encryption for
private keys
Again, all the thoughts about a tall fence, with a weak gate [i.e. attack the
end-device, instead of attacking the key by brute-forcing it, etc] all apply.
But even given those conditions, I think it's foolish choosing a weak
encryption for private keys when you don't absolutely need to do so. And
picking this in a "public-use" tool seems like a bad choice when many people
will use the tool [EasyRSA] believing that it's done using best practices.
All that said, I'm not entirely sure what it does use from reviewing the code.
[And I haven't had a reply to my query of the OpenVPN/EasyRSA folks, so I might
be entirely wrong.]
--On that note: Is there a way to determine from an encrypted key-file what
encryption was used to encrypt it? [I have the password, so it doesn't need to
be a blind test.]
If someone can give me that information, I can see what the EasyRSA code
actually produces. I can't find a way using OpenSSL - it will decrypt the key,
but doesn't tell me what it used to do so, or tell me about the encryption
method on the key. [But most of what the OpenSSL binaries do is far beyond my
very weak openssl-sauce, so that result isn't surprising.]
-Greg
I think it's safe to assume that 3DES is almost certainly a lousier choice than
AES or Camellia on multiple fronts.
Two key triple DES provides about 80-bits of security, and three key triple DES
provides 112-bits of security. Do you know which they are using? AES-128
provides about 128-bits of security; and AES-256 provides about 256-bits of
security.
If it was a new system, you probably would chose AES or Camellia. If they are
using three key triple DES with 112-bits of security, then there shouldn't be
any loud objections.
At those security levels, the adversary is not going to attack the block
cipher. They are going to attack the password or some other [weak] part in the
system.
Jeff
On Mon, Sep 8, 2014 at 4:00 PM, Gregory Sloop <gr...@sloop.net> wrote:
Continuing top posting. [Which doesn't bother me nearly as much as it seems to
bother others... ]
Yes! That was a fantastic answer.
...
[A while later]
So, I need to run this down, but it looks like the easy-rsa script uses 3DES to
do encryption - which seems incredibly foolish when we have aes-256 available.
[Though I suppose 3DES is less computationally expensive for weak processors -
but still a bad trade-off, IMO.... Actually more reading seems to indicate that
perhaps 3DES is harder for general purpose CPU, but with a smaller key-space.
I'd guess a DES vs. AES specific processor would make DES far more vulnerable
{pulling that guess from, well, you know where... :) }. ]
I think it's safe to assume that 3DES is almost certainly a lousier choice than
AES or Camellia on multiple fronts.
I've posed a question to the OpenVPN folks, about the EasyRSA script, and it
appears easy enough to change the encryption type in the script itself, which
I'll do if they don't.
Well, that was a fruitful question and personal research task. At least I
*know* more about the situation than I did before. It may, or may not, change
the entropy of my passwords, or make me do a lot different in the future - but
even if it doesn't - I'm a lot more knowledgeable about what's going on and can
make informed decisions about how to handle things from here on.
So, thanks to all for your input.
BTW, I especially like:
If they can do a trillion (10^9) decryptions a second, they're still looking at
around 10^22 years to recover the key. *They'll probably get bored before then.*
Sort of like the 3DES vs AES discussion here:
http://security.stackexchange.com/questions/26179/security-comparsion-of-3des-and-aes
...and quote ...
"AES uses 128-bit blocks, for a limit of 2^128/2 blocks, i.e. 2^68 bytes, also
known as "quite a lot of data"
Thanks again!
...
