Time for key stretching in encrypted private keys?
alexs
alexs at prol.etari.at
Thu May 23 19:41:29 EST 2013
In 0.9.7 the private key encryption was switched from 3DES to AES,
(https://bugzilla.mindrot.org/show_bug.cgi?id=1550) the motivation for this
being that 128-bits of security is better than the 112 or so you get from
3DES these days. Interestingly that bug is about upgrading to AES-256, but
we ended up with AES-128. Presumably due to the Solaris crippling?
However ssh-keygen still uses a relatively weak KDF of MD5(IV[:8] . PWORD)
which makes dictionary attacks quite feasible and means you need a much
longer password to mitigate them. Seems like it might be useful if OpenSSH
at least had the option of using an encoding with some decent key
stretching to me. Is there any good reason not to, and to not have it as
the default?
OpenSSH seems quite happy to accept PKCS8 keys with PBKDF2 currently, it
just doesn't generate them. You just need to do it yourself e.g.
http://martin.kleppmann.com/ssh-keys.html The keys generated in that
article are also 3DES unfortunately but that's only because it's the
default cipher here.
More information about the openssh-unix-dev
mailing list