RavenDB Security Report: Non-high Strength RSA Keys


The RavenDB Security Report called out the fact that we were using 2048-bit RSA keys when we were generating certificates. RavenDB generates certificates during automatic setup and when you want to generate client certificates directly from RavenDB.

Now, while 2048-bit RSA has no known practical attacks, it seems that there wouldn't be much shock and awe in the cryptographic community if it were broken at some point in the future.

Because of that, the general recommendation is to use at least 3072 bits, but I don't like that number, so RavenDB is now using 4096-bit RSA keys when it needs to generate a certificate. This significantly increases the certificate generation time (to the point where a human can notice it!), but that is a very rare operation, so we don't really care.
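The two things a reviewer wants to see here are the key generation itself at the larger size, and a check that can flag certificates whose RSA modulus falls below the floor. The following Go program is an added example and not RavenDB's code (RavenDB is a .NET project); it generates a self-signed certificate with an RSA key of a given size, measures how long the key generation took, and then audits the resulting certificate against a minimum modulus width. The 3072-bit floor, the subject name `example.invalid` and the `CheckKeyStrength` function name are assumptions made for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MinimumRSABits is the smallest RSA modulus the audit below accepts.
// 3072 is the commonly cited floor; the post moves RavenDB to 4096.
// (Assumed policy value for this example.)
const MinimumRSABits = 3072

// GenerateSelfSigned creates an RSA key of the requested size and wraps it
// in a self-signed X.509 certificate. It returns the DER-encoded certificate
// and the wall-clock time spent generating the key, which is the part that
// becomes noticeably slower at 4096 bits.
func GenerateSelfSigned(bits int, commonName string) ([]byte, time.Duration, error) {
	start := time.Now()
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, 0, err
	}
	elapsed := time.Since(start)

	// Random 128-bit serial number, as X.509 expects serials to be unique.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, 0, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, 0, err
	}
	return der, elapsed, nil
}

// RSAKeyBits parses a DER certificate and returns the bit length of its RSA
// modulus, or an error if the certificate does not carry an RSA key.
func RSAKeyBits(der []byte) (int, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return 0, errors.New("certificate public key is not RSA")
	}
	return pub.N.BitLen(), nil
}

// CheckKeyStrength is the audit check: a certificate passes only if its RSA
// modulus is at least minBits wide. This is what a scanner would run over
// every certificate a system hands out or trusts.
func CheckKeyStrength(der []byte, minBits int) (bool, error) {
	bits, err := RSAKeyBits(der)
	if err != nil {
		return false, err
	}
	return bits >= minBits, nil
}

func main() {
	// Compare the old and the new key size side by side.
	for _, bits := range []int{2048, 4096} {
		der, took, err := GenerateSelfSigned(bits, "example.invalid")
		if err != nil {
			fmt.Println("generation failed:", err)
			return
		}
		ok, err := CheckKeyStrength(der, MinimumRSABits)
		if err != nil {
			fmt.Println("audit failed:", err)
			return
		}
		fmt.Printf("%d-bit RSA: key generated in %v, passes %d-bit floor: %v\n",
			bits, took, MinimumRSABits, ok)
	}
}
```

Running it shows the 2048-bit certificate failing the floor and the 4096-bit one passing, with the second key generation taking visibly longer, which is the trade-off the post describes. The same `CheckKeyStrength` routine can be pointed at any DER certificate pulled from a store or a TLS handshake to find keys that predate the change.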

More posts in "RavenDB Security Report" series:

  1. (06 Apr 2018) Collision in Certificate Serial Numbers
  2. (05 Apr 2018) Man in the middle for customer domains
  3. (04 Apr 2018) Non-high Strength RSA Keys
  4. (30 Mar 2018) Inconsistent Use of KDF and Master Key
  5. (29 Mar 2018) Redundant or Missing Authentication