Well, as I said, given my reading of the code, the newest version of EasyRSA [line 861] shows the following: local crypto="-des3"
It's in the set_pass function. [On further review of the code, this appears to only be used by the "set-rsa-pass" or "set-ec-pass" functions, and I can't determine what it uses to encrypt *new* CA/Server/Client keys instead of just re-encrypting them.] I'm certainly no bash guru, but it appears to only allow a 3DES encryption for private keys Again, all the thoughts about a tall fence, with a weak gate [i.e. attack the end-device, instead of attacking the key by brute-forcing it, etc] all apply. But even given those conditions, I think it's foolish choosing a weak encryption for private keys when you don't absolutely need to do so. And picking this in a "public-use" tool seems like a bad choice when many people will use the tool [EasyRSA] believing that it's done using best practices. All that said, I'm not entirely sure what it does use from reviewing the code. [And I haven't had a reply to my query of the OpenVPN/EasyRSA folks, so I might be entirely wrong.] --On that note: Is there a way to determine from an encrypted key-file what encryption was used to encrypt it? [I have the password, so it doesn't need to be a blind test.] If someone can give me that information, I can see what the EasyRSA code actually produces. I can't find a way using OpenSSL - it will decrypt the key, but doesn't tell me what it used to do so, or tell me about the encryption method on the key. [But most of what the OpenSSL binaries do is far beyond my very weak openssl-sauce, so that result isn't surprising.] -Greg I think it's safe to assume that 3DES is almost certainly a lousier choice than AES or Camellia on multiple fronts. Two key triple DES provides about 80-bits of security, and three key triple DES provides 112-bits of security. Do you know which they are using? AES-128 provides about 128-bits of security; and AES-256 provides about 256-bits of security. If it was a new system, you probably would chose AES or Camellia. If they are using three key triple DES with 112-bits of security, then there shouldn't be any loud objections. At those security levels, the adversary is not going to attack the block cipher. They are going to attack the password or some other [weak] part in the system. Jeff On Mon, Sep 8, 2014 at 4:00 PM, Gregory Sloop <gr...@sloop.net> wrote: Continuing top posting. [Which doesn't bother me nearly as much as it seems to bother others... ] Yes! That was a fantastic answer. ... [A while later] So, I need to run this down, but it looks like the easy-rsa script uses 3DES to do encryption - which seems incredibly foolish when we have aes-256 available. [Though I suppose 3DES is less computationally expensive for weak processors - but still a bad trade-off, IMO.... Actually more reading seems to indicate that perhaps 3DES is harder for general purpose CPU, but with a smaller key-space. I'd guess a DES vs. AES specific processor would make DES far more vulnerable {pulling that guess from, well, you know where... :) }. ] I think it's safe to assume that 3DES is almost certainly a lousier choice than AES or Camellia on multiple fronts. I've posed a question to the OpenVPN folks, about the EasyRSA script, and it appears easy enough to change the encryption type in the script itself, which I'll do if they don't. Well, that was a fruitful question and personal research task. At least I *know* more about the situation than I did before. It may, or may not, change the entropy of my passwords, or make me do a lot different in the future - but even if it doesn't - I'm a lot more knowledgeable about what's going on and can make informed decisions about how to handle things from here on. So, thanks to all for your input. BTW, I especially like: If they can do a trillion (10^9) decryptions a second, they're still looking at around 10^22 years to recover the key. *They'll probably get bored before then.* Sort of like the 3DES vs AES discussion here: http://security.stackexchange.com/questions/26179/security-comparsion-of-3des-and-aes ...and quote ... "AES uses 128-bit blocks, for a limit of 2^128/2 blocks, i.e. 2^68 bytes, also known as "quite a lot of data" Thanks again! ...