this post was submitted on 09 Aug 2024
89 points (96.8% liked)

[–] shortwavesurfer@lemmy.zip 4 points 3 months ago (3 children)

You know, at least when I've had to generate RSA keys for SSH, it seems like the highest I can possibly do is 4096. Just makes me wonder why you can't generate a key of any length that's a multiple of 1024. Such as, what if I wanted a 20,480 bit key?

[–] umami_wasbi@lemmy.ml 5 points 3 months ago* (last edited 3 months ago)

I believe you can with openssl, but it will take lots of time both generating and using the key. Say you sign something with that key, and the other party is using a low end device. He might take a few minutes to verify the signature. The drawbacks just outweigh the benefits. Security is a balancing act between complexity and usability.
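To make the cost argument in the two comments above concrete, here is an added example (not code from the thread or from OpenSSL) that builds a textbook RSA key pair in pure Python and times generation, signing and verification for a few modulus sizes. It assumes nothing beyond the Python standard library; the prime sizes, the sample message and the hypothetical helper names are constructed for the demo. It has no padding and no constant-time arithmetic, so it is for measurement only, not for protecting anything.

```python
"""Textbook RSA (educational, no padding, not constant-time) used to measure
how key generation and the private-key operation scale with modulus size."""
import hashlib
import secrets
import time

# Small primes for cheap trial division before the expensive Miller-Rabin rounds.
_SMALL_PRIMES = [p for p in range(3, 2000, 2)
                 if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; each round costs one modular exponentiation of |n| bits."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits. Prime density falls as 1/bits, so
    larger sizes need more candidates and each candidate costs more to test."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int, e: int = 65537):
    """Return (n, e, d) with n of about `bits` bits (hypothetical helper)."""
    while True:
        p = random_prime(bits // 2)
        q = random_prime(bits - bits // 2)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if phi % e == 0:                          # need gcd(e, phi) == 1
            continue
        return p * q, e, pow(e, -1, phi)


def _digest_int(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, n: int, d: int) -> int:
    """Private-key operation: exponent d is about |n| bits, so cost grows ~|n|^3."""
    return pow(_digest_int(msg, n), d, n)


def verify(msg: bytes, sig: int, n: int, e: int) -> bool:
    """Public-key operation: exponent e is only 17 bits, so this stays cheap."""
    return pow(sig, e, n) == _digest_int(msg, n)


def benchmark(bits: int, msg: bytes = b"constructed sample message") -> dict:
    """Time keygen, sign and verify for one modulus size."""
    t0 = time.perf_counter()
    n, e, d = rsa_keygen(bits)
    t1 = time.perf_counter()
    sig = sign(msg, n, d)
    t2 = time.perf_counter()
    ok = verify(msg, sig, n, e)
    t3 = time.perf_counter()
    return {"bits": bits, "keygen_s": t1 - t0, "sign_s": t2 - t1,
            "verify_s": t3 - t2, "ok": ok}


if __name__ == "__main__":
    for size in (512, 1024, 2048):
        print(benchmark(size))
```

Running it shows keygen and sign times climbing steeply with each doubling while verify stays small, which is the asymmetry the comment describes: a huge modulus mostly punishes the signer and, on slow hardware, also the verifier, for no practical security gain past the sizes real deployments use.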

[–] solrize@lemmy.world 5 points 3 months ago (1 children)

Current recommendation is to stop using RSA in new deployments altogether. ECC is preferred now, and the major programs (OpenTLS, OpenSSH, etc.) support it.

[–] shortwavesurfer@lemmy.zip 3 points 3 months ago (2 children)

That's ECDSA correct? Or is that something different?

> ECDSA

Yup, that's an implementation that uses ECC (elliptic curve cryptography).

[–] solrize@lemmy.world 1 points 3 months ago* (last edited 3 months ago)

ECDSA is elliptic curve digital signature algorithm. Key exchange is usually done with ECDH (elliptic curve Diffie-Hellman). There has been some debate on the exact best way to do ECDH, but I think the FOSS world is currently settled on Curve25519. Anyway, it is best to leave stuff like that to specialists if you're not one yourself. As mentioned, OpenSSL and OpenSSH both provide working implementations so go ahead and use them. The NIST curve P256 is also perfectly fine as far as anyone can tell. It has a mathematical drawback that it's especially easy to make mistakes and screw up the security if you don't know what you're doing, but the deployed implementations that are out there have been checked carefully and should be ok to use. Bitcoin uses P256 so if anything were wrong with it, someone would have broken it and gotten pretty darn rich ;).
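The comment above mentions ECDH key exchange on Curve25519. As an added illustration (not code from the thread, from OpenSSL or from OpenSSH), here is a pure-Python X25519 following the Montgomery ladder from RFC 7748, with a two-party exchange checked against the RFC's published test vectors. It is deliberately simple, is not constant-time (the conditional swap uses Python integers), and is exactly the kind of thing the comment says to leave to the specialists' libraries in production; its value here is showing what the exchange computes.

```python
"""X25519 Diffie-Hellman per RFC 7748 (reference style, not constant-time)."""

P = 2**255 - 19     # field prime
A24 = 121665        # (A - 2) / 4 for Curve25519's A = 486662
BASEPOINT_U = bytes([9]) + bytes(31)


def decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key as the RFC requires."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 127                      # ignore the unused top bit
    return int.from_bytes(b, "little") % P


def encode_u(u: int) -> bytes:
    return (u % P).to_bytes(32, "little")


def _cswap(swap: int, a: int, b: int):
    dummy = swap * (a - b)            # swap is 0 or 1
    return a - dummy, b + dummy


def x25519(k: int, u: int) -> int:
    """Montgomery ladder: compute the u-coordinate of k * (u, ...)."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow((da + cb) % P, 2, P)
        z3 = x1 * pow((da - cb) % P, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P   # z2^(p-2) is the inverse (or 0)


def public_key(priv: bytes) -> bytes:
    return encode_u(x25519(decode_scalar(priv), decode_u(BASEPOINT_U)))


def shared_secret(priv: bytes, peer_pub: bytes) -> bytes:
    """ECDH: k * peer's public point. An all-zero result means the peer sent a
    low-order point and must be rejected (RFC 7748, section 6.1)."""
    out = encode_u(x25519(decode_scalar(priv), decode_u(peer_pub)))
    if out == bytes(32):
        raise ValueError("low-order peer public key")
    return out


# RFC 7748 section 6.1 test vectors (Alice and Bob).
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")

if __name__ == "__main__":
    alice_pub, bob_pub = public_key(ALICE_PRIV), public_key(BOB_PRIV)
    print("Alice shared:", shared_secret(ALICE_PRIV, bob_pub).hex())
    print("Bob shared:  ", shared_secret(BOB_PRIV, alice_pub).hex())
```

Each side publishes only its public u-coordinate; both arrive at the same 32-byte secret, which is then fed to a KDF rather than used raw. The all-zero check is the one input-validation step the RFC calls out, and it is the sort of detail a maintained library handles for you.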