Hi,

On Sat, May 25, 2013 at 10:37:44AM -0500, Jonathan Brown wrote:
> Please also increase the iteration amount to be optionally user specified.
> This way we can dramatically slow down a potential brute force attack
> against a captured key.

While using OpenSSL to increase the security of OpenSSH private keys
by adding PBKDF2 iterations to it, I also hit that issue - and built a
small patch for OpenSSL to be able to specify the number of rounds. 

More details in my blog posting:
http://sys4.de/de/blog/2013/05/04/rounds-and-iterations-for-ssh-and-other-keys/
http://sys4.de/de/blog/2013/05/03/rounds-und-iterations-bei-ssh-und-anderen-private-keys/
  (German version)

Patch attached... Should apply to most versions, as not much has changed
there recently, but of course: use at your own risk ;) Feedback welcome!

New option: pkcs8 -iters <n>

For example, to convert an OpenSSH private key to pkcs8 with 100K iterations:
$ openssl pkcs8 -topk8 -v2 des3 -iters 100000 -in id_rsa.old -out id_rsa

(OpenSSH will still accept that key! Of course this also can be used to
increase security of httpd, OpenVPN and all other keys which only use
the 2048 default iterations of OpenSSL so far).

The attached patch is a little bigger than the one in the blog post,
as it also covers the pkcs12 command (I used only the pkcs8 for changing
my OpenSSH keys). The pkcs12 command also has the MAC iterations, I tried
to keep it "fool proof", meaning that changing the -iters alone will also
automatically increase the MAC iterations. If somebody wants to have
a different value for maciters (an uncommon use case, I expect) it can be
changed by setting a -maciters <n> AFTER the -iters <n>.

It would be great if that or a similar patch could be included in the
official OpenSSL source code. Please let me know if I can help with that in
any way by resubmitting it in another form or adding a patch to the
documentation or whatever...

Greetings,
Florian

-- 
[*] sys4 AG
 
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Registered office: Munich, Munich District Court: HRB 199263
Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
diff -Nbaurp openssl-1.0.0.o/apps/pkcs12.c openssl-1.0.0/apps/pkcs12.c
--- openssl-1.0.0.o/apps/pkcs12.c       2013-03-28 21:18:25.809506448 +0100
+++ openssl-1.0.0/apps/pkcs12.c 2013-03-28 21:21:10.268408328 +0100
@@ -184,8 +184,38 @@ int MAIN(int argc, char **argv)
                else if (!strcmp (*args, "-noiter")) iter = 1;
                else if (!strcmp (*args, "-maciter"))
                                         maciter = PKCS12_DEFAULT_ITER;
+                else if (!strcmp (*args, "-iters")) {
+                        if (args[1])
+                                {
+                                args++;
+                                iter = atol(*args); maciter = iter;
+                                if (iter < 0)
+                                        {
+                                        BIO_printf(bio_err,
+                                                "Illegal iter count %s\n",
+                                                *args);
+                                        badarg = 1;
+                                        }
+                                }
+                        else badarg = 1;
+                        }
                else if (!strcmp (*args, "-nomaciter"))
                                         maciter = 1;
+                else if (!strcmp (*args, "-maciters")) {
+                        if (args[1])
+                                {
+                                args++;
+                                maciter = atol(*args);
+                                if (maciter < 0)
+                                        {
+                                        BIO_printf(bio_err,
+                                                "Illegal iter count %s\n",
+                                                *args);
+                                        badarg = 1;
+                                        }
+                                }
+                        else badarg = 1;
+                        }
                else if (!strcmp (*args, "-nomac"))
                                         maciter = -1;
                else if (!strcmp (*args, "-macalg"))
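Review bot: In the `-iters` branch, `iter = atol(*args); maciter = iter;` overwrites whatever `maciter` was set to earlier on the command line, so `-nomac -iters 100000` silently turns the MAC back on (`-nomac` sets `maciter = -1`), and a `-nomaciter` or `-maciters` given first is discarded the same way. Consider storing the `-iters` value on its own and copying it to `maciter` after option parsing only when no MAC option was given. Both new branches also accept 0 and non-numeric input, because `atol` returns 0 when it cannot parse and the check is only `< 0`; the two near-identical blocks could share one helper that uses strtol, checks the end pointer and requires a value of at least 1.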
@@ -320,6 +350,8 @@ int MAIN(int argc, char **argv)
 #endif
        BIO_printf (bio_err, "-nodes        don't encrypt private keys\n");
        BIO_printf (bio_err, "-noiter       don't use encryption iteration\n");
+       BIO_printf (bio_err, "-iters n      use n encryption+MAC iterations\n");
+       BIO_printf (bio_err, "-maciters n   use n MAC iterations even if iters 
is specified\n");
        BIO_printf (bio_err, "-nomaciter    don't use MAC iteration\n");
        BIO_printf (bio_err, "-maciter      use MAC iteration\n");
        BIO_printf (bio_err, "-nomac        don't generate MAC\n");
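Review bot: The `-maciters` usage string is split across two lines inside the string literal ("...even if iters" / "is specified\n") as shown here, so this hunk will not apply or compile in this form; it needs to be resent unwrapped. The help text should also state that `-maciters` only takes effect when it follows `-iters`, since the usage output is the only place in this patch where that ordering rule could be documented.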
diff -Nbaurp openssl-1.0.0.o/apps/pkcs8.c openssl-1.0.0/apps/pkcs8.c
--- openssl-1.0.0.o/apps/pkcs8.c        2010-01-22 21:17:29.000000000 +0100
+++ openssl-1.0.0/apps/pkcs8.c  2013-03-28 21:20:43.894056284 +0100
@@ -157,6 +157,21 @@ int MAIN(int argc, char **argv)
                        topk8 = 1;
                else if (!strcmp (*args, "-noiter"))
                        iter = 1;
+               else if (!strcmp (*args, "-iters")) {
+                        if (args[1])
+                                {
+                                args++;
+                                iter = atol(*args);
+                                if (iter < 0)
+                                        {
+                                        BIO_printf(bio_err,
+                                                "Illegal iter count %s\n",
+                                                *args);
+                                        badarg = 1;
+                                        }
+                                }
+                        else badarg = 1;
+                        }
                else if (!strcmp (*args, "-nocrypt"))
                        nocrypt = 1;
                else if (!strcmp (*args, "-nooct"))
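Review bot: The range check `if (iter < 0)` after `iter = atol(*args);` lets `-iters 0` through, and because `atol` returns 0 for input it cannot parse, `-iters abc` is accepted the same way instead of being reported as an illegal count. Parsing with strtol, rejecting trailing characters and requiring at least 1 (the value `-noiter` already uses) would close that. The pkcs8 part of the patch also adds no usage line for `-iters`, unlike the pkcs12 part, and the opening brace on the `else if` line does not match the brace style of the block it encloses.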

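To check which iteration count a converted key actually carries, the PBKDF2 parameters can be read straight out of the PKCS#8 container. The following is an added example, not part of the original mail or of OpenSSL; it assumes a PEM "ENCRYPTED PRIVATE KEY" written with `-v2` (PBES2), and all function names and the sample key are constructed for illustration.

```python
import base64

PBES2_OID = bytes.fromhex("2a864886f70d01050d")   # 1.2.840.113549.1.5.13
PBKDF2_OID = bytes.fromhex("2a864886f70d01050c")  # 1.2.840.113549.1.5.12

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = length size
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def seq(buf, elem):
    """Children of a SEQUENCE element as a list of (tag, start, end)."""
    if elem[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = [], elem[1]
    while pos < elem[2]:
        out.append(read_tlv(buf, pos))
        pos = out[-1][2]
    return out

def pbkdf2_iterations(pem):
    """Iteration count of a PEM 'ENCRYPTED PRIVATE KEY' (assumes PKCS#8 PBES2)."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    alg = seq(der, seq(der, read_tlv(der, 0))[0])        # encryptionAlgorithm
    if der[alg[0][1]:alg[0][2]] != PBES2_OID:
        raise ValueError("not PBES2 (key not written with -v2?)")
    kdf = seq(der, seq(der, alg[1])[0])                  # keyDerivationFunc
    if der[kdf[0][1]:kdf[0][2]] != PBKDF2_OID:
        raise ValueError("KDF is not PBKDF2")
    count = seq(der, kdf[1])[1]                          # salt, then iterationCount
    return int.from_bytes(der[count[1]:count[2]], "big")

def tlv(tag, value):
    """Encode one DER element; used only to build the constructed sample."""
    n, size = len(value), (len(value).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_pem(iterations):  # constructed sample: dummy salt, IV and ciphertext
    count = iterations.to_bytes(iterations.bit_length() // 8 + 1, "big")
    kdf = tlv(0x30, tlv(6, PBKDF2_OID) + tlv(0x30, tlv(4, b"\x11" * 8) + tlv(2, count)))
    enc = tlv(0x30, tlv(6, bytes.fromhex("2a864886f70d0307")) + tlv(4, b"\x22" * 8))
    der = tlv(0x30, tlv(0x30, tlv(6, PBES2_OID) + tlv(0x30, kdf + enc)) + tlv(4, bytes(200)))
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{b64}-----END ENCRYPTED PRIVATE KEY-----\n"
```

Calling `pbkdf2_iterations(open("id_rsa").read())` on a real key file returns the stored count; any key that is not in PKCS#8 PBES2 form raises `ValueError` rather than returning a misleading number.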