I currently have certbot installed and functioning properly. I’m wondering, how would I go about configuring it to issue certificates with stronger than 128 bit keys? Not that I think they’re really necessary, I’m just curious. It’s been a while since I set it up, but best of my recollection, that was never an option it asked for input on.
With “128 bit keys”, that refers to the size of the TLS session key. 128 bits of security (how that relates to key size varies by stream cipher) is considered more than enough for modern security.
Your certificate doesn’t determine or limit what the type or size of this key is. That’s purely a negotiation between the webserver and the browser. The only thing that influences that is the ciphersuite configuration of the webserver, and what the overlap with the client’s supported ciphersuites is. You can make sure you have the best ciphersuites configured by using something like https://ssl-config.mozilla.org.
Where your certificate key size does come into play is during the negotiation of that TLS session key. The stronger your key is, the harder it is for an attacker to interject into the key exchange process and figure out what the session key is.
To that end, you can increase the strength of your certificate’s private key. With Certbot, for example, you could increase the size from the default of 2048-bits:
But keep in mind that key exchange involving a 4096-bit key is noticeably slower than for a 2048-bit key, especially for very weak devices like old smartphones.
Browsers support only 4 versions:
RSA with 2048 / 4096 bytes.
EC with 256 / 384 bytes.
So it’s not only a question of Letsencrypt / the certbot client, it’s more a question of the browser and server support.
If you want to have smaller certificates, switch to EC.
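Putting the two replies above together (raising the key size with Certbot, and the four RSA/EC options browsers accept), here is an added example that is not from the thread or from Certbot's own docs: a small POSIX shell helper that emits the Certbot flags for each option and, using openssl, verifies the type and size of the key that actually ended up on disk. The key generation step is a stand-in for what Certbot produces, so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes certbot >= 1.10
# (--key-type / --elliptic-curve) and an openssl binary on PATH.

# Map a key spec to Certbot flags. Only the combinations the thread lists as
# browser-supported are accepted: RSA 2048/4096, EC P-256/P-384.
certbot_key_args() {
  case "$1" in
    rsa2048) echo "--key-type rsa --rsa-key-size 2048" ;;
    rsa4096) echo "--key-type rsa --rsa-key-size 4096" ;;
    ec256)   echo "--key-type ecdsa --elliptic-curve secp256r1" ;;
    ec384)   echo "--key-type ecdsa --elliptic-curve secp384r1" ;;
    *) echo "unsupported key spec: $1 (use rsa2048|rsa4096|ec256|ec384)" >&2; return 1 ;;
  esac
}

# Generate a throwaway private key of the given spec into $2. This only
# stands in for the key Certbot would write under /etc/letsencrypt/live/.
make_test_key() {
  case "$1" in
    rsa2048) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$2" 2>/dev/null ;;
    rsa4096) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "$2" 2>/dev/null ;;
    ec256)   openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$2" 2>/dev/null ;;
    ec384)   openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -out "$2" 2>/dev/null ;;
    *) return 1 ;;
  esac
}

# Report "<type> <bits>" (e.g. "rsa 4096", "ec 384") for a PEM private key,
# so you can confirm the certificate key, not the TLS session key, changed.
key_strength() {
  txt=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || return 1
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
  case "$txt" in
    *modulus:*)   echo "rsa $bits" ;;
    *"ASN1 OID"*) echo "ec $bits" ;;
    *)            echo "unknown $bits" ;;
  esac
}

# Demo: sh thisfile.sh demo
if [ "${1-}" = "demo" ]; then
  for spec in rsa2048 rsa4096 ec256 ec384; do
    tmp=$(mktemp)
    make_test_key "$spec" "$tmp"
    echo "$spec -> certbot $(certbot_key_args "$spec") ; on disk: $(key_strength "$tmp")"
    rm -f "$tmp"
  done
fi
```

The printed Certbot flags are meant to be appended to your usual `certbot certonly ...` command; the 4096-bit RSA branch shows the slower option the next reply warns about.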
We should also note that there’s no evidence that there are currently any attackers who are able to perform this attack against 2048-bit RSA keys.
(@_az’s explanation and analysis are totally correct, but a reader might get the mistaken impression from “the harder it is” that there’s currently somebody for whom it’s not that hard. As far as we know, it’s pretty darn hard for everybody in the world at the moment.)