Time for key stretching in encrypted private keys?

Damien Miller djm at mindrot.org
Fri May 24 21:44:30 EST 2013


On Fri, 24 May 2013, alexs wrote:

> > Ideally OpenSSL would make some PEM extension that uses a good KDF.
> > I don't include PBKDF2 with an inner hash of SHA* in this set :)
> > 
> > Barring that We'll probably roll a simple key format that uses bcrypt
> > as a KDF and includes some space to optionally bundle certificates.
> 
> It sounds like you have plans already :) Any idea what sort of time scale
> this might occur on?
> 
> PBKDF2 seems like it has a better chance at being backward compatible with
> existing installs, even if it's a few factors of 10 worse than [sb]crypt et
> al. I assume the 3DES -> AES change didn't break backwards compat,
> presumably with bcrypt you'll have to delay setting it as the default for a
> few releases first?

Backwards compat isn't so important for private keys, since they are
not widely copied between systems (hopefully). We just need some way to
convert to/from the new format (whether is an update to PEM or something
we do ourselves).

-d


More information about the openssh-unix-dev mailing list