e.g. the common error seen under most unix/linux OSes
I will show you a few quick ways of getting around this limitation. The complete process is simple and easy to execute.
Before I start: I will not debate the use of DSA over RSA, or the risks around DSA key sizes and attacks on weak random number generators. RSA is what I typically use, but some systems only allow ssh access via DSA keys.
First you need to generate a DSA parameter file. The bigger the key size, the longer it takes to create the parameter file; once it exists, generating keys from it is much quicker.
e.g. creating a DSA parameter file for 8k bits
Next, we create an unencrypted private key. The dsaparam file is referenced during this step.
Next, we create the public key from the private key created earlier.
Note: the common unix ssh-keygen creates both the private and public key in one operation. With openssl we have to run two separate commands (one for the private key, one for the public key).
Optionally, if you have no need for a local dsaparam file, you can skip the first step and generate the DSA key directly. A dsaparam file, once crafted, can be reused for other keys of the same size, but you can avoid creating the file at all by running dsaparam with the -genkey switch: just specify the output key name, then craft the public key from that private key.
NOTE: here I'm crafting a private key in one go and checking the modulus (fingerprint)
Lastly, if you suspect the key pair is corrupt, or just want to confirm that you have the matching private and public key, compare the modulus of the two files. They should match.
e.g. checking a DSA key pair's modulus using openssl
And folks, that's how easy it is to craft a DSA key pair with openssl. So if you work on systems that require DSA keys with sizes greater than 1024 bits, openssl can do the job.
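The procedure above as a set of shell functions, added here as an example and not code from the original post: parameter file, private key, public key, the -genkey shortcut, and the modulus comparison. It assumes the openssl CLI is on PATH; the dsa_* function names and the file names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: the post's DSA workflow as shell
# functions (parameter file -> private key -> public key), plus the -genkey
# shortcut and the modulus check. Assumes the openssl CLI is on PATH; the
# dsa_* function names and the file names are this example's own choices.

# Step 1: build a reusable DSA parameter file (slow for large sizes;
# stderr is silenced because dsaparam prints progress dots there).
dsa_make_params() {            # usage: dsa_make_params <bits> <params.pem>
    openssl dsaparam -out "$2" "$1" 2>/dev/null
}

# Step 2: create an unencrypted private key from the parameter file.
dsa_make_private() {           # usage: dsa_make_private <params.pem> <priv.pem>
    openssl gendsa -out "$2" "$1"
}

# Step 3: derive the public key from the private key (fast at any size).
dsa_make_public() {            # usage: dsa_make_public <priv.pem> <pub.pem>
    openssl dsa -in "$1" -pubout -out "$2"
}

# Shortcut from the post: parameters and private key in one go. -noout keeps
# the parameters block out of the key file, so it holds only the private key.
dsa_make_private_direct() {    # usage: dsa_make_private_direct <bits> <priv.pem>
    openssl dsaparam -genkey -noout -out "$2" "$1" 2>/dev/null
}

# The "modulus" the post compares: the DSA public value y, printed by
# openssl dsa -modulus. Pass -pubin when the file is a public key.
dsa_modulus() {                # usage: dsa_modulus <key.pem> [-pubin]
    openssl dsa -in "$1" ${2:-} -noout -modulus 2>/dev/null
}

# Consistency check: both files must print the same public value.
dsa_pair_matches() {           # usage: dsa_pair_matches <priv.pem> <pub.pem>
    priv=$(dsa_modulus "$1") && pub=$(dsa_modulus "$2" -pubin) &&
        [ -n "$priv" ] && [ "$priv" = "$pub" ]
}

# End-to-end: the three steps plus the check, in <dir> (private key chmod 600).
dsa_keypair() {                # usage: dsa_keypair <bits> <dir>
    mkdir -p "$2" &&
    dsa_make_params "$1" "$2/dsaparam.pem" &&
    dsa_make_private "$2/dsaparam.pem" "$2/id_dsa.pem" &&
    chmod 600 "$2/id_dsa.pem" &&
    dsa_make_public "$2/id_dsa.pem" "$2/id_dsa.pub.pem" &&
    dsa_pair_matches "$2/id_dsa.pem" "$2/id_dsa.pub.pem"
}
```

With the post's 8k-bit size, step 1 takes far longer than the 1024-bit default, so keep the dsaparam file if you will build several keys. Also check that the target server still accepts DSA keys: OpenSSH 7.0 and later disable ssh-dss user and host keys by default.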
So to recap:
- sometimes you will find yourself needing a DSA key larger than 1024 bits
- ssh-keygen can craft DSA keys, but it's limited to 1024 bits
- generating a dsaparam file and crafting your keys from it is one method
- the larger the bit size of the dsaparam file, the longer it takes to create
- build the DSA private key
- build the DSA public key using material from the private key
- compare the modulus of the two keys if in doubt (optional)
- always keep the private key safe, private and secured
- DSA is used for signatures, not encryption (RSA does both)
- you don't have to generate the DSA parameter file unless you plan on building numerous key pairs (optional)
- but if you're working with large DSA keys and want to build numerous keys, it may be quicker overall to keep a static dsaparam file
- you can also craft the private key directly without using a static dsaparam file
To learn more about DSA, please follow the Wikipedia link below.
Being bored one night, I built various dsaparam files and graphed the total creation time on my mid-2013 MacBook Air 1.3 GHz Intel Core i5, running Mac OS X 10.10 with 4 GB RAM.
Enjoy;
(the dsaparam file creation times)
(the DSA private/public key creation time, e.g. openssl dsaparam -genkey -out <private keyname> <bit size>)
http://www.onlinecharttool.com/
Note: a >16k-bit private key would probably take hours to complete.
But as the above graph shows, the public key is derived from keying material in the private key and is always quicker to create: in the examples above, keys up to 16K took less than 1 sec to produce the matching public key.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( + - )=
o
/ \