弱算法或受损算法的支持
crypto
模块仍然支持一些已经被破坏并且目前不推荐使用的算法。
API 还允许使用对于安全使用来说太弱的小密钥大小的密码和散列。
用户应根据自己的安全要求对选择加密算法和密钥大小负全部责任。
基于 NIST SP 800-131A 的建议:
- MD5 和 SHA-1 在需要抗碰撞性(例如数字签名)的情况下不再被接受。
- RSA、DSA 和 DH 算法使用的密钥建议至少 2048 位,ECDSA 和 ECDH 的曲线至少 224 位,才能安全使用几年。
modp1
、modp2
、modp5
的 DH 组密钥长度小于 2048 位,不推荐使用。
有关其他建议和详细信息,请参阅参考资料。
The crypto
module still supports some algorithms which are already
compromised and are not currently recommended for use. The API also allows
the use of ciphers and hashes with a small key size that are too weak for safe
use.
Users should take full responsibility for selecting the crypto algorithm and key size according to their security requirements.
Based on the recommendations of NIST SP 800-131A:
- MD5 and SHA-1 are no longer acceptable where collision resistance is required such as digital signatures.
- The key used with RSA, DSA, and DH algorithms is recommended to have at least 2048 bits and that of the curve of ECDSA and ECDH at least 224 bits, to be safe to use for several years.
- The DH groups of
modp1
,modp2
andmodp5
have a key size smaller than 2048 bits and are not recommended.
See the reference for other recommendations and details.