CryptoSys PKI Pro Manual

Security options for encrypted private keys

Private keys are created and saved by default in a PKCS#8 encrypted format, protected by a password. The default algorithm is "pbeWithSHAAnd3-KeyTripleDES-CBC" from PKCS#12.

To increase security use one of the stronger PBES2 encryption schemes from PKCS#5 v2 using the key derivation function PBKDF2:

  1. PKI_PBE_PBKDF2_DESEDE3 for PBKDF2 using des-EDE3-CBC
  2. PKI_PBE_PBKDF2_AES128 for PBKDF2 using aes128-CBC
  3. PKI_PBE_PBKDF2_AES192 for PBKDF2 using aes192-CBC
  4. PKI_PBE_PBKDF2_AES256 for PBKDF2 using aes256-CBC

[Changed in v11.0] The above option values are a simplified alternative to PKI_PBE_PBES2+PKI_BC_AES128, etc.

The default pseudorandom function (PRF) for PBKDF2 is hmacWithSHA1. To use a stronger HMAC function from the SHA-2 family in the PRF for PBKDF2, add one of the following options

  1. PKI_HMAC_SHA224 for hmacWithSHA224
  2. PKI_HMAC_SHA256 for hmacWithSHA256
  3. PKI_HMAC_SHA384 for hmacWithSHA384
  4. PKI_HMAC_SHA512 for hmacWithSHA512

For legacy applications, you can still use the old, less secure, PBES1 schemes using DES from PKCS#5 v1.5. These are definitely not recommended for new applications. Not available for ECC private keys.

[Changed in v11.0] note that the values for these flags have changed.

Remember that the security of all these schemes is limited by the strength of the password used. Other applications may not support all the alternatives provided here.

[Contents] [Index]

[PREV: Internal key strings...]   [Contents]   [Index]   
   [NEXT: Elliptic Curve Cryptography (ECC)...]

Copyright © 2004-24 D.I. Management Services Pty Ltd. All rights reserved. Generated 2024-01-01T11:51:59Z.