Security of passphrase-protected private key
With OpenSSL, OpenSSH and GPG/PGP the wrapping algorithm will be strong enough that you don't need to worry about it (and if you do need to worry about it then you have bigger problems, and this is the least of your worries).
Like any password or passphrase, it depends on the strength of the passphrase. A 40 character passphrase is as hard to brute force as a 256-bit key (since ASCII only uses 7 bits). The same rules for strong passwords apply here:
- Random is better
- Longer is stronger
Once an encrypted block of data is in the hands of an attacker, it is never secure forever - it's a question of how long and what means are available to crack it.
Here's things to consider:
strength of wrapping algorithm - I'm willing to believe bahamat about OpenSSL, OpenSSH and GPG/PGP - these are fairly well-vetted components.
size of key space - i.e. - size and complexity of password - the typical costs of brute force guessing apply. Of note, some forms of key storage limit the types of characters that can be used in a password - for example, JKS (the Java Key Store) eliminated quite a few special characters, reducing the potential size of the key space. Also be wary of systems that crop the key size to a certain number of characters.
cost of the attempt how computationally expensive is it to attempt to unwrap the key? That will slow down the brute force attempt.
what algorithm? - depends on how the secure file is stored - is it obvious what algorithm was used for encryption?
is there available cipher text to compare with? how will the attacker know he's successful - what is his test mechanism? One of the more powerful elements of capturing a key store is that the attacker may be able to test his attempts without further detection by the system storing the key.
how many resources are at the attacker's disposal? - generally threat analysis involves analyzing what the attacker's resources are. Does he have 1 computer? A bank of computers? And entire viral network of stolen CPU power at his disposal? Depends on whether you're talking about the 13 year old script kiddie next door or a rogue nation.
how long until the key is changed? & how long must the data stay protected? - if it takes the attacker longer to crack the password store than the usefulness of the data inside the store, then the store is considered secure enough
According to Martin Kleppmann:
the [default OpenSSH] private key protection has two weaknesses:
- The digest algorithm is hard-coded to be MD5, which means that without changing the format, it's not possible to upgrade to another hash function (e.g. SHA-1). This could be a problem if MD5 turns out not to be good enough.
- The hash function is only applied once --- there is no stretching. This is a problem because MD5 and AES are both fast to compute, and thus a short passphrase is quite easy to break with brute force.
If your private SSH key ever gets into the wrong hands [and if it was passphrase-protected using the default OpenSSH settings and if] your passphrase is a dictionary word, it can probably be [decrypted] in a matter of seconds. ... But there is good news: you can upgrade to a more secure private key format, and everything continues to work!
He then goes on to explain how to use "PKCS#8" as per RFC 5208 to obtain a more securely encrypted private key:
$ mv test_rsa_key test_rsa_key.old
$ openssl pkcs8 -topk8 -v2 des3 \
-in test_rsa_key.old -passin 'pass:super secret passphrase' \
-out test_rsa_key -passout 'pass:super secret passphrase'