Raise the minimum RSA modulus size to 1024 bits. #25092

Open
ryancdotorg opened this issue Aug 5, 2024 · 4 comments
Labels
branch: master Merge to master branch triaged: feature The issue/pr requests/adds a feature

Comments

@ryancdotorg

The first publicly known instance of a 512 bit RSA modulus being factored was in 1999.

In 2009, an individual cracked a 512 bit RSA modulus by themself with a single PC.

The "Factoring as a Service" paper, showing that such keys could be broken in a few hours for tens of dollars, came out in 2015.

In 2018, OpenSSL v1.1.1 set its minimum RSA modulus size to 512 bits. This is still the minimum as of OpenSSL v3.3.1.

People still use 512 bit RSA keys without realizing that they're catastrophically weak.

This should be easy to stop.

I propose the following deprecation stages:

  1. OpenSSL limits RSA key generation to a minimum of 1024 bits, but still allows such keys to be loaded/used.
  2. OpenSSL drops support for verifying signatures for RSA keys smaller than 1024 bits.
  3. OpenSSL fully drops support for RSA keys smaller than 1024 bits.

A more conservative approach could temporarily include an option in openssl.conf to temporarily re-enable dangerously weak keys while systems are updated.

@ryancdotorg ryancdotorg added the issue: bug report The issue was opened to report a bug label Aug 5, 2024
@nhorman
Contributor

nhorman commented Aug 5, 2024

(1) seems pretty reasonable to do right now
(2) and (3) seem plausible, but I imagine that would likely want to be done on a major release boundary.

Would you be willing to submit a PR for this? (1) is likely pretty straightforward to accomplish by updating RSA_MIN_MODULUS_BITS

@ryancdotorg
Author

RSA_MIN_MODULUS_BITS is checked in ossl_rsa_sp800_56b_check_public, which is in turn called from ossl_rsa_validate_public.

Doing some tests though, it doesn't seem like anything breaks when trying to load/use a 512 bit RSA key when compiled with RSA_MIN_MODULUS_BITS 1024.

I can definitely submit a PR to make that change, though I'd like to understand under what circumstances ossl_rsa_sp800_56b_check_public is called.

Might also be worth updating DH_MIN_MODULUS_BITS at the same time.

@t8m t8m added triaged: feature The issue/pr requests/adds a feature branch: master Merge to master branch and removed issue: bug report The issue was opened to report a bug labels Aug 6, 2024
@t8m
Member

t8m commented Aug 13, 2024

openssl/project#809

@gilles-peskine-arm

As a data point on what the ecosystem is doing, Mbed TLS enforces 1024 bits for generation since 2023, i.e. it's already at stage 1. Our motivating example was a confusion between bits and bytes; it also solved the problem of confusing sensible ECC or symmetric bit-sizes with RSA bit-sizes. I've put stages 2/3 up for consideration on our planning board for our next major release.
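
The staged proposal in this thread, together with the bits-versus-bytes confusion mentioned in the last comment, as an added example that is not code from OpenSSL, Mbed TLS or any commenter: it reads the modulus size from a DER-encoded PKCS#1 RSAPublicKey and applies a minimum-size gate per deprecation stage. The function names, the operation labels (`generate`, `verify`, `load`) and the cumulative reading of the stages are assumptions, and the sample keys are constructed placeholders, not real keys.

```python
MIN_BITS = 1024  # threshold proposed in the issue

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        count = length & 0x7F
        if not 1 <= count <= 4 or pos + count > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Bit length of n in a PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes, _ = read_tlv(body)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()

def allowed(bits, operation, stage):
    """Assumed cumulative reading of the stages: 1 blocks 'generate',
    2 also blocks 'verify', 3 blocks every operation on a short key."""
    if bits >= MIN_BITS:
        return True
    blocked = {1: {"generate"}, 2: {"generate", "verify"}}
    return stage < 3 and operation not in blocked.get(stage, set())

def encode(tag, value):
    """Minimal DER encoder, used only to build the constructed samples."""
    size = len(value)
    if size < 0x80:
        return bytes([tag, size]) + value
    octets = size.to_bytes((size.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(octets)]) + octets + value

def sample_key(bits):
    """Constructed placeholder modulus (top and low bit set), not a real key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    return encode(0x30, encode(0x02, n) + encode(0x02, (65537).to_bytes(3, "big")))

if __name__ == "__main__":
    for size in (512, 1024, 2048):
        bits = rsa_modulus_bits(sample_key(size))
        print(bits, [allowed(bits, "verify", s) for s in (1, 2, 3)])
```

A generation request of 256, i.e. a byte count passed where bits were expected, is rejected by the stage 1 check in the same way as an explicit 512.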
