[SSH] Added key size selection #1608
Conversation
Test Results 1 308 files - 447 1 308 suites - 447 1h 34m 54s ⏱️ - 9m 45s Results for commit bc15516. ± Comparison against base commit d9eeb60. This pull request removes 1035 tests.♻️ This comment has been updated with latest results. |
There was a problem hiding this comment.
Thank you for this follow-up. Nice work, it works well.
I just have a few remarks below.
In general what do you think about setting the initial value to the recommended size of 4kBi for RSA and 3kBi for DSA and just allow lowering the value?
Are higher values possible for RSA too? If yes, I think we should also make that possible.
Additionally please make sure that you have formatted all new lines according to the formatter settings (unfortunately the existing code does not adhere to them). E.g. there should be a space before and after a equal-sign.
team/bundles/org.eclipse.jsch.ui/src/org/eclipse/jsch/internal/ui/messages.properties
Outdated
Show resolved
Hide resolved
.../bundles/org.eclipse.jsch.ui/src/org/eclipse/jsch/internal/ui/preference/PreferencePage.java
Outdated
Show resolved
Hide resolved
.../bundles/org.eclipse.jsch.ui/src/org/eclipse/jsch/internal/ui/preference/PreferencePage.java
Outdated
Show resolved
Hide resolved
.../bundles/org.eclipse.jsch.ui/src/org/eclipse/jsch/internal/ui/preference/PreferencePage.java
Outdated
Show resolved
Hide resolved
axmanalad
force-pushed
the
team-alex-shawn-chelsy
branch
3 times, most recently
from
3fe39fe
to
ec8253a
Compare
I think this is a good idea as it initially sets it to the more secured key size than 2048 bits for developers to acknowledge. I changed the initial value to 4096 bits.
I have fixed the formatting. Thank you for clarification.
Higher values for RSA are possible. The current RSA algorithm does not seem to have a limit for the max key size it can generate. However, the main drawbacks with generating larger RSA key lengths include CPU overhead and performance issues. As you generate a larger key length, CPU runtime increases dramatically. A high-end computer could easily generate larger keys, but I would not recommend it for low-end computers. Because of the overhead and performance, it is best to recommend using an ECC encryption for keys larger than 4096 bits since it provides an equivalent level of encryption strength as RSA with smaller key sizes and faster performance. For example, an ECC key size of 512 bits is equivalent to an RSA key size of 15360 bits. I am not sure how implementing ECC would work but it is only a thought I think would improve performance in generating keys. I changed the max RSA key size you can generate to 15360 bits as it is equivalent to 256 security bits (really strong in security encryption); generally, higher than 15360 bits is not recommended for the sake of runtime. |
axmanalad
force-pushed
the
team-alex-shawn-chelsy
branch
from
ec8253a
to
5a92d31
Compare
There was a problem hiding this comment.
Thanks for the update and sorry for the deplayed reply.
I just have a few minor style remarks below.
Technically this is fine. 👍🏽
But we are currently in the quiet-period before the December release and have to await the start of the next development cycle, which should start in one to two weeks, before this can be submitted. But in the meantime we can make it ready.
Because of the overhead and performance, it is best to recommend using an ECC encryption for keys larger than 4096 bits since it provides an equivalent level of encryption strength as RSA with smaller key sizes and faster performance. For example, an ECC key size of 512 bits is equivalent to an RSA key size of 15360 bits. I am not sure how implementing ECC would work but it is only a thought I think would improve performance in generating keys.
It would be great if we could also generated more modern keys and if you are interested in looking into it, you are more than welcome.
I'm not sure, but I fear that the currently used library is not capable of these newer algorithms.
In fact we actually would like to replace JSCH with something that's maintained better and more up-to-date, but havn't done it yet due to a lack of known simple replacements, see
But if you are interested in that please don't hesitate to look into it. :)
| private static final int RSA_KEY_SIZE = 15360; | ||
| private static final int DSA_KEY_SIZE = 3072; |
There was a problem hiding this comment.
Let's add a MAX segment in these names to reflect that these are the maximum values:
| private static final int RSA_KEY_SIZE = 15360; | |
| private static final int DSA_KEY_SIZE = 3072; | |
| private static final int RSA_MAX_KEY_SIZE = 15360; | |
| private static final int DSA_MAX_KEY_SIZE = 3072; |
| private static final int MAX_KEY_SIZE = RSA_KEY_SIZE; | ||
| private static final int MAX_KEY_SIZE_DIGIT_COUNT = 0; |
There was a problem hiding this comment.
These constants are not needed.
| private static final int MAX_KEY_SIZE = RSA_KEY_SIZE; | |
| private static final int MAX_KEY_SIZE_DIGIT_COUNT = 0; |
| keySizeValue.setValues(INITIAL_KEY_SIZE, MIN_KEY_SIZE, MAX_KEY_SIZE, MAX_KEY_SIZE_DIGIT_COUNT, | ||
| KEY_SIZE_INCREMENT, KEY_SIZE_INCREMENT); |
There was a problem hiding this comment.
This can be structured a bit more to prevent an over-long line and two constants:
| keySizeValue.setValues(INITIAL_KEY_SIZE, MIN_KEY_SIZE, MAX_KEY_SIZE, MAX_KEY_SIZE_DIGIT_COUNT, | |
| KEY_SIZE_INCREMENT, KEY_SIZE_INCREMENT); | |
| int maxKeySize = Math.max(DSA_MAX_KEY_SIZE, RSA_MAX_KEY_SIZE); | |
| keySizeValue.setValues(INITIAL_KEY_SIZE, MIN_KEY_SIZE, maxKeySize, 0, KEY_SIZE_INCREMENT, KEY_SIZE_INCREMENT); |
| if (keySizeValue.getSelection() > DSA_KEY_SIZE) { | ||
| keySizeValue.setSelection(DSA_KEY_SIZE); |
There was a problem hiding this comment.
Adapt to new constant names
| if (keySizeValue.getSelection() > DSA_KEY_SIZE) { | |
| keySizeValue.setSelection(DSA_KEY_SIZE); | |
| if (keySizeValue.getSelection() > DSA_MAX_KEY_SIZE) { | |
| keySizeValue.setSelection(DSA_MAX_KEY_SIZE); |
axmanalad
force-pushed
the
team-alex-shawn-chelsy
branch
2 times, most recently
from
1f1548b
to
57e2ce9
Compare
This implementation allows to select the key size of the generated key ranging from 2048-15360 bits incremented by 1024 bits. (DSA has a max limit of 3072 bits)
axmanalad
force-pushed
the
team-alex-shawn-chelsy
branch
from
1f1548b
to
bc15516
Compare
|
No worries, it is understandable. I reformatted the variables as requested.
While looking in the #958, I believe replacing the JSch library is a major change to be made. I lack the knowledge to knowing how to make these replacements however. In the meantime, I looked deeper into the codebase to find that there exists an ECC algorithm in the JSch library known as ECDSA before the library became outdated. This is a type of ECC algorithm that does exactly what I previously stated and is found within "com.jcraft.jsch.KeyPairECDSA". Maybe after this PR, I can make a third contribution to add the feature of generating ECDSA keys in a new PR, which is why I added a "TODO" comment on Line 509. |
This implementation allows to select the key size of the generated key ranging from 2048-4096 bits, which is using a Spinner to increment by 1024 bits. (DSA is limited to 3072 bits)
Refer to #1464