OpenSSH private key encryption: time for AES?

Damien Miller djm at mindrot.org
Tue Jan 20 18:30:23 EST 2009


On Tue, 20 Jan 2009, Jim Knoble wrote:

> Hi, all.
> 
> So, in reviewing my OpenSSH keypairs and evaluating the size my RSA keys
> should be, I realized that, if I update my 2048-bit keypairs to 4096
> bits, it really doesn't matter that much, because they're still
> only encrypted with 3DES, which provides an effective 112 bits of
> symmetric encryption strength:
> 
>     $ head -4 ~/.ssh/id_rsa
>     -----BEGIN RSA PRIVATE KEY-----
>     Proc-Type: 4,ENCRYPTED
>     DEK-Info: DES-EDE3-CBC,XXXXXXXXXXXXXXXX
> 
>     $ 
> 
> According to NIST[1][2], a minimum of 112-bit symmetric / 2048-bit
> asymmetric keystrength is recommended for protection up until about
> 2030.  For protection beyond 2030, or for the paranoid, larger keysizes
> are recommended.  Other recommendations (e.g., those of ECRYPT) vary in
> how long 112/2048-bit encryption should last.
> 
> With that in mind ... how can I encrypt my 4096-bit SSH RSA keypair with
> something like AES-128, AES-256, or Twofish instead of 3DES and still
> use it with OpenSSH?  Can ssh-add read (unencrypted) key data from stdin?

If you want to change it then you can do something like this. It
probably wouldn't hurt to change - new installations will still be able
to read old keys.

Index: authfile.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/authfile.c,v
retrieving revision 1.76
diff -u -p -r1.76 authfile.c
--- authfile.c	3 Aug 2006 03:34:41 -0000	1.76
+++ authfile.c	20 Jan 2009 07:22:48 -0000
@@ -182,7 +182,7 @@ key_save_private_pem(Key *key, const cha
 	int success = 0;
 	int len = strlen(_passphrase);
 	u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL;
-	const EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL;
+	const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_256_cbc() : NULL;
 
 	if (len > 0 && len <= 4) {
 		error("passphrase too short: have %d bytes, need > 4", len);
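
Review bot: The changed `cipher` line hard-codes EVP_aes_256_cbc() with no comment or documentation update, and the unchanged check just below it still accepts any passphrase longer than 4 bytes, so the AES-256 key can be derived from far less entropy than the cipher name implies. Suggest a comment on the `cipher` line noting that existing DES-EDE3-CBC keys stay readable because the cipher is named in the key file's DEK-Info header, and that keys written after this change need AES support in whatever reads them. It is also worth deciding whether the `len <= 4` minimum should be raised in the same change, since otherwise the passphrase remains the weakest part of the protection.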


More information about the openssh-unix-dev mailing list
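
To check which cipher protects an existing key file, as the `head -4` output in the question does by eye, the following added example (not code from the thread or from OpenSSH) parses the `Proc-Type` and `DEK-Info` headers of a legacy PEM private key. The function names, the 128-bit threshold and the sample keys are assumptions made for illustration; the sample key bodies are constructed placeholders, not real key material.

```python
import re

# Nominal strength in bits per DEK-Info cipher name; 3DES is counted at its
# effective 112 bits, as in the thread. This says nothing about the passphrase.
CIPHER_BITS = {"DES-CBC": 56, "DES-EDE3-CBC": 112, "AES-128-CBC": 128,
               "AES-192-CBC": 192, "AES-256-CBC": 256}

def inspect_pem_key(text):
    """Return (state, cipher, bits) for a legacy RSA/DSA/EC PEM private key."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or not re.fullmatch(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", lines[0]):
        raise ValueError("not a legacy PEM private key (other containers are out of scope)")
    headers = {}
    for line in lines[1:]:
        if not line or ":" not in line:   # blank line or base64 body ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    if "ENCRYPTED" not in headers.get("Proc-Type", "").split(","):
        return ("unencrypted", None, 0)
    cipher = headers.get("DEK-Info", "").split(",")[0].upper()
    if not cipher:
        raise ValueError("Proc-Type says ENCRYPTED but DEK-Info is missing")
    return ("encrypted", cipher, CIPHER_BITS.get(cipher))  # bits is None if unknown

def below_minimum(text, minimum_bits=128):
    """True if the key is unencrypted, uses an unknown cipher, or a weaker one."""
    _, _, bits = inspect_pem_key(text)
    return bits is None or bits < minimum_bits

def _sample(header_lines):
    # Constructed sample: placeholder IV and body, not a real key.
    body = "Q09OU1RSVUNURUQ="
    parts = ["-----BEGIN RSA PRIVATE KEY-----"] + header_lines + [body,
             "-----END RSA PRIVATE KEY-----"]
    return "\n".join(parts) + "\n"

SAMPLE_3DES = _sample(["Proc-Type: 4,ENCRYPTED",
                       "DEK-Info: DES-EDE3-CBC,XXXXXXXXXXXXXXXX", ""])
SAMPLE_AES = _sample(["Proc-Type: 4,ENCRYPTED",
                      "DEK-Info: AES-256-CBC,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", ""])
SAMPLE_PLAIN = _sample([])

if __name__ == "__main__":
    for name, key in [("3des", SAMPLE_3DES), ("aes", SAMPLE_AES), ("plain", SAMPLE_PLAIN)]:
        print(name, inspect_pem_key(key), "below minimum:", below_minimum(key))
```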