Re: OpenSSL as a general purpose encryption tool

[Seth Arnold <sarnold@willamette.edu>]

* Chris Foote <chris@zeus.foote.com.au> [010209 17:26]:
> hmm... I've always found the user level docs to be quite good

Hmm, I must agree with the original poster -- the OpenSSL docs are less
than wonderful. I am glad to hear of their improvement. :)

> You should probably be using something like GNU PG instead
> (/usr/ports/security/gnupg), since the key is much larger (e.g.
> 1024 bits), and the key is protected by a password which you can
> change over time.

Ack! No!

Comparing key sizes between public key and symmetric cryptography is
*not* kosher. 1024 bits of RSA key is roughly equivalent to 64 bits of
symmetric strength, for a good symmetric cipher. Tough to do right now,
but not to be considered safe for data that must live more than a few
months. (Paranoids such as myself would say ``a day or so''.)

If one intends to keep data secret for long, symmetric keys of 128 bits
or more are needed, and RSA of 2048 is probably good. (Something such as
133 or so bits of ECC are probably equivalent to 1024 bits of RSA.)

Protecting a large key with a small key is only as strong as the small
key. If it is only four characters long, then you have bought yourself
four characters of security. Changing the small key may be good -- but
it also means there is the overhead of changing the small key regularly,
and the security problems that can result from the overhead.

-- 
Earthlink: The #1 provider of unsolicited bulk email to the Internet.