Saturday, November 8, 2014

One way of creating a DSA key pair greater than 1k bits using OpenSSL

If you're familiar with ssh, you will find out very quickly that DSA keys greater than 1k bits are not readily obtainable with the standard ssh-keygen utility on most platforms.


e.g. the common error seen under most unix/linux OSes:



I will show you a few quick ways of getting around this limitation. The complete process is quite simple and easy to execute.


Now, before I start: I will not debate the use of DSA over RSA, or any risks regarding DSA key sizes and attacks on random number generators. RSA is what I typically use, but some systems will only allow ssh access via DSA keys.


First, you need to generate a DSA parameter file. The bigger the key size, the longer the creation time for the DSA parameter file. But once it is created, key generation is much quicker.

e.g. creating a DSA parameter file for 8k bits:



Next, we will create an unencrypted private key. The dsaparam file is called out during this creation process.



Next, we will create a public key from the private key created earlier.



Note: the common unix ssh-keygen creates both the private and public key in one operation. With OpenSSL, we have to execute two operations (once for the private key and once for the public key).


Optionally, if you have no need for a local dsaparam file, you can eliminate the first step and generate the DSA key directly. Once crafted, the dsaparam file can be reused for other key creations of the same size, but you can skip the local creation of this file by using dsaparam with the -genkey switch. Just specify the output key name and then craft the public key off this private key.

NOTE: here I'm crafting a private key in one go and checking the modulus (fingerprint).



Lastly, if you fear the key pair is corrupt, or just want to check that you have a matching private/public key pair, you can always validate by comparing the modulus of the two halves. It should match.

e.g. checking a DSA key pair modulus using openssl:
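The whole procedure from the three steps above (parameter file, private key, public key), the -genkey shortcut and the modulus comparison, collected into one POSIX shell script. This is an added example, not the post's own command lines; it assumes an openssl binary on PATH and uses its own file names (dsaparam.pem, dsa_priv.pem, dsa_pub.pem). The functions return non-zero on failure so the pair check can be scripted.

```shell
#!/bin/sh
# Added example: the OpenSSL DSA key-pair procedure as shell functions.
# Assumes "openssl" (1.x or 3.x) is on PATH. File names are this script's own.

# Step 1: build a reusable DSA parameter file of the requested size.
# This is the slow step; its cost grows quickly with the bit size.
make_dsaparam() {
    openssl dsaparam -out "$2" "$1" 2>/dev/null
}

# Step 2: build an unencrypted private key from the parameter file.
# The private key is unencrypted, so restrict its permissions right away.
make_private_key() {
    openssl gendsa -out "$2" "$1" 2>/dev/null && chmod 600 "$2"
}

# Shortcut: parameters and private key in one go (-genkey), no dsaparam file on disk.
make_private_key_direct() {
    openssl dsaparam -genkey -out "$2" "$1" 2>/dev/null && chmod 600 "$2"
}

# Step 3: derive the public key from the private key.
make_public_key() {
    openssl dsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# The "modulus" of the post: for DSA, openssl -modulus prints the public value y
# as "Public Key=<hex>". Both halves of a pair must print the same value.
# $1 = key file, $2 = "priv" or "pub"
key_modulus() {
    if [ "$2" = pub ]; then
        openssl dsa -pubin -in "$1" -noout -modulus 2>/dev/null
    else
        openssl dsa -in "$1" -noout -modulus 2>/dev/null
    fi
}

# Returns 0 only when the private key and public key belong together.
check_pair() {
    a=$(key_modulus "$1" priv)
    b=$(key_modulus "$2" pub)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Size of p in bits, read back from the private key to confirm the size asked for.
key_bits() {
    openssl dsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p' | head -n 1
}

# Usage: sh dsa_keys.sh <bits> [workdir]    e.g. sh dsa_keys.sh 2048 /tmp/keys
demo() {
    bits="$1"; dir="${2:-.}"
    make_dsaparam "$bits" "$dir/dsaparam.pem"          || return 1
    make_private_key "$dir/dsaparam.pem" "$dir/dsa_priv.pem" || return 1
    make_public_key "$dir/dsa_priv.pem" "$dir/dsa_pub.pem"   || return 1
    if check_pair "$dir/dsa_priv.pem" "$dir/dsa_pub.pem"; then
        echo "$(key_bits "$dir/dsa_priv.pem")-bit DSA pair OK: $(key_modulus "$dir/dsa_priv.pem" priv)"
    else
        echo "private/public key mismatch" >&2
        return 1
    fi
}

if [ "$#" -gt 0 ]; then demo "$@"; fi
```

The keys come out as PEM files in OpenSSL's own format; `ssh-keygen -y -f dsa_priv.pem` prints the public half in OpenSSH's one-line format if you need it in an authorized_keys file. Before relying on a large key for ssh itself, check what the target's SSH implementation accepts: OpenSSH's ssh-dss signature encoding is tied to SHA-1 and a 160-bit q (two 20-byte integers), and OpenSSH disables ssh-dss by default from release 7.0 onward.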


And folks, that's how easy it is to craft a DSA key pair using OpenSSL. So if you work on systems that require DSA keys with key sizes greater than 1024 bits, you can use OpenSSL for this.

So to recap:
  • sometimes you will find yourself needing a larger key (DSA) than 1024 bits
  • ssh-keygen can craft DSA-type keys, but it's limited to 1024 bits or less
  • generating the dsaparam file and crafting your keys off this file is one method
  • the larger the bit size of the dsaparam file, the longer the creation time
  • build the DSA private key
  • build the DSA public key using material from the private key
  • compare the modulus of the 2 keys if in doubt (optional)
  • always keep the private key safe, private and secured
  • DSA is used for signatures, not encryption (RSA does both)
  • you don't have to generate the DSA parameter file unless you plan on building numerous key pairs (optional)
  • but if you are working with large DSA keys and want to build numerous keys, it might be quicker overall to have a static dsaparam file
  • you can also craft the private key directly without using a static dsaparam file
To learn more about DSA, please click the following Wikipedia link

Being bored one night, I built various dsaparam files and graphed the total creation time on my mid-2013 MacBook Air, 1.3 GHz Intel Core i5, running Mac OS X 10.10 with 4 GB of RAM.

Enjoy;

(graph: the dsaparam file creation times)

(graph: the DSA private/public key creation times, e.g. openssl dsaparam -genkey -out <private keyname> <bit size>)
Charts made with http://www.onlinecharttool.com/

Note: a 16k+ bit private key would probably take hours to complete.
But as the above graph shows, the public key is created from keying material in the private key and is always quicker. In the above examples, keys up to 16K took less than 1 sec for creation of the matching public key.

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  +  - )=
       o 
      /  \
