
Is using "SHA-256 with RSA-2048 Encryption" a secure certificate hashing algorithm? I don't think it is. Two examples: nsa.gov (careers site) and give.wfp.org.

noɥʇʎԀʎzɐɹƆ
    Yes, this is the current standard. – Xander May 02 '16 at 20:44
  • What issues, exactly, do you think this scheme suffers from? – Polynomial May 02 '16 at 21:16
  • @Polynomial Security researchers recently cracked the NSA certificate and were able to perform a MITM attack. – noɥʇʎԀʎzɐɹƆ May 04 '16 at 00:13
  • @JamesLu: Citation please? Nothing obvious in search results; they're all about the NSA doing MitM on Google using fraudulent certs, not about anybody breaking the NSA public key or certificate hash. – CBHacking May 04 '16 at 00:41
  • @CBHacking http://motherboard.vice.com/read/a-group-hacked-the-nsa-website-to-demonstrate-widespread-bug-freak – noɥʇʎԀʎzɐɹƆ Jul 18 '16 at 15:25
  • @uoɥʇʎPʎzɐɹC: Um... did you actually read that article? It had nothing to do with the NSA's certificate - the word never appears in the article, in fact - and certainly nothing to do with hashing algorithms. It was a bug ("FREAK") in OpenSSL and other TLS libraries - but only the libraries, not the actual SSL or TLS protocols - that allowed the negotiation of a weaker ("EXPORT") key than should have been allowed by the configuration. The existence of EXPORT keys is the NSA's fault, 20 years ago, but FREAK was exploitable against a huge number of sites, and had nothing to do with certs. – CBHacking Jul 18 '16 at 18:25

1 Answer


The technical answer is actually "no, because SHA-256 with RSA-2048 Encryption is not a certificate hashing algorithm." However, SHA-256 is a perfectly good secure hashing algorithm and quite suitable for use on certificates, and 2048-bit RSA is a good signing algorithm (signing is not the same as encrypting). Using 2048-bit RSA with SHA-256 is a secure signing scheme for a certificate. Why would you think otherwise?

SHA-256 is a member of the SHA2 family of secure hash functions, and there are not currently any cryptographic weaknesses publicly known for SHA2. It might be less secure than SHA-512, but 256 bits is already completely impractical to brute force (we're talking about timeframes of hundreds of years even with the resources of a nation-state and assuming Moore's Law continues on track, or billions of years for currently-established technology). The only viable attacks would require finding a weakness in the hash algorithm itself, and it's not necessarily the case that SHA-512 would be more resistant to such an attack than SHA-256. There is a new SHA3 standard, but it's not yet widely implemented so your browser probably wouldn't be able to verify the certificate's signature at all if they used SHA3 in the signing algorithm.

RSA is a current standard for public-key cryptography, and a properly-generated 2048-bit RSA key is strong enough to resist factoring for decades. You could use a 4096-bit key if you want to (it'll take a lot longer to generate, and slightly longer to use, but once the certificate's signature is verified that doesn't matter anymore), and that would take even longer to break. However, neither certificate is valid for more than two years anyhow. If you want a signature you can trust for 30 years or more, you might want to use something stronger than 2048-bit RSA, but for now that's fine.

CBHacking
  • See my above comment. – noɥʇʎԀʎzɐɹƆ May 04 '16 at 00:14
  • I've seen many rainbow tables for SHA256. – noɥʇʎԀʎzɐɹƆ May 04 '16 at 00:15
  • A rainbow table for a hash function means literally nothing in terms of the security of the function. I could create a rainbow table for MD5 (cryptographically broken, also the shortest digest still in use) and for SHA3-512 (the longest-digest version of the brand-new successor to SHA2) with exactly the same amount of effort. The MD5 one would build faster and use less space, but not by huge factors in either case. They would be equally useless in creating forged certificates, though, because rainbow tables don't include anything close to the length of an X.509 certificate. – CBHacking May 04 '16 at 00:35
  • If you don't understand how the existence of a rainbow table is totally irrelevant to the security of a certificate signing scheme, I recommend you ask a new question about that. The short version, though, is that A) passwords and certificates are very different lengths, and B) most rainbow tables don't have collisions (much less collisions for an arbitrary specific digest) anyhow, and that's what you would need. – CBHacking May 04 '16 at 00:39
  • By "signing is not the same as encrypting", do you imply that 2048 bit key for RSA is not necessarily enough for encryption (for example, for PGP/SSH)? – Franklin Yu Oct 15 '17 at 18:37
  • @FranklinYu Not at all. I simply mean that, in terms of the mathematical operations, the purpose of doing those operations, and which (part of) the key you use (remember, "an RSA key" is actually two distinct but related things, the *public* key and the *private* key), encryption and signing are not the same. Encryption uses the public key and is done to provide confidentiality. Signing uses the private key and is done to provide authenticity (identity and integrity). 2048-bit RSA public keys are, at present, reasonable choices for public-key encryption. – CBHacking Oct 15 '17 at 20:12
  • @CBHacking Actually I'm looking at the RSA public key for root certificates. For example, the root certificate for this site, "DigiCert High Assurance EV Root CA", expires in 2031. Would we be able to crack the root certificate before it expires? – Franklin Yu Oct 15 '17 at 22:14
  • Hard to say. Via simple brute-force using conventional computers, we probably won't crack a 2048-bit RSA public key in the next 14 years (unless we throw a hell of a lot of resources at it), though that's perhaps closer than I'd like. If quantum computing ever gets off the ground, that will be a game-changer for algorithms like RSA, though. – CBHacking Oct 16 '17 at 05:18
  • Signing is the same as encrypting, at least, for RSA. – Michael Chourdakis Oct 28 '18 at 22:02
  • @Michael No, [it's really not](https://security.stackexchange.com/a/87373/151903). – AndrolGenhald Jan 25 '19 at 15:25
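The following Go program is an added example (not code from the question, the answer, or its commenters) that makes the two points of the accepted answer concrete: "SHA-256 with RSA" names a signature scheme applied to a certificate, not a "certificate hashing algorithm" (the label browsers show comes from the OID name sha256WithRSAEncryption, which is PKCS#1 v1.5 signing with a SHA-256 digest), and signing with the private key is a different operation from encrypting with the public key, as CBHacking's comment to Franklin Yu explains. It generates a 2048-bit RSA key, issues a self-signed certificate whose signatureAlgorithm is SHA-256 with RSA, re-verifies that signature over the TBSCertificate bytes, shows that a one-byte change to the signed bytes breaks verification, and contrasts a detached signature with RSA-OAEP encryption of the same key pair. The subject name example.test and the sample messages are constructed for the demo and carry no meaning; only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BuildSelfSignedCert generates a fresh 2048-bit RSA key pair and issues a
// self-signed X.509 certificate for it, explicitly asking for SHA-256 with
// RSA (PKCS#1 v1.5) as the signature algorithm. The subject name is a
// placeholder for the example.
func BuildSelfSignedCert() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"}, // hypothetical subject
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		SignatureAlgorithm:    x509.SHA256WithRSA,
	}
	// Self-signed: template and parent are the same, and the private key
	// that signs is the one whose public half goes into the certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return key, cert, nil
}

// VerifyCertSignature does what a relying party does: hash the DER-encoded
// TBSCertificate with SHA-256 and check the RSA signature over that digest
// using the public key inside the certificate. Returns nil when it verifies.
func VerifyCertSignature(cert *x509.Certificate) error {
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature)
}

// VerifyTamperedCert flips one bit in a copy of the signed bytes and checks
// the original signature against it. Any change to the TBSCertificate (a
// different subject, validity period, or public key) changes the SHA-256
// digest, so verification must fail; the error is returned to the caller.
func VerifyTamperedCert(cert *x509.Certificate) error {
	tampered := append([]byte(nil), cert.RawTBSCertificate...)
	tampered[len(tampered)-1] ^= 0x01
	return cert.CheckSignature(cert.SignatureAlgorithm, tampered, cert.Signature)
}

// SignMessage: the PRIVATE key produces a signature over the SHA-256 digest
// of msg. This provides authenticity and integrity, not confidentiality;
// msg itself is not hidden.
func SignMessage(key *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// VerifyMessage: anyone holding the PUBLIC key can check the signature.
func VerifyMessage(pub *rsa.PublicKey, msg, sig []byte) error {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// EncryptMessage: the PUBLIC key produces ciphertext (RSA-OAEP with SHA-256).
// This provides confidentiality; only the private-key holder can read it.
func EncryptMessage(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// DecryptMessage: the PRIVATE key recovers the plaintext.
func DecryptMessage(key *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ct, nil)
}

func main() {
	key, cert, err := BuildSelfSignedCert()
	if err != nil {
		panic(err)
	}
	fmt.Println("signatureAlgorithm:", cert.SignatureAlgorithm) // SHA256-RSA
	fmt.Println("public key bits:", cert.PublicKey.(*rsa.PublicKey).N.BitLen())
	fmt.Println("signature verifies:", VerifyCertSignature(cert) == nil)
	fmt.Println("tampered cert verifies:", VerifyTamperedCert(cert) == nil)

	sig, _ := SignMessage(key, []byte("constructed sample message"))
	fmt.Println("detached signature verifies:", VerifyMessage(&key.PublicKey, []byte("constructed sample message"), sig) == nil)
	ct, _ := EncryptMessage(&key.PublicKey, []byte("constructed secret"))
	pt, _ := DecryptMessage(key, ct)
	fmt.Println("decrypted:", string(pt))
}
```

The certificate's own signature algorithm is fixed by the issuer at signing time; the RSA key size (2048 bits here) is a property of the key inside the certificate, and the two are reported together in the "SHA-256 with RSA Encryption" label the question asks about. Note that the key used to sign a certificate is the issuer's private key, and nothing in the signing step encrypts any part of the certificate.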