Security considerations of "openssl pkcs12 -export -legacy"

[Wall, Stephen]

What are the ramifications of using the “-legacy” options to “pkcs12 -export” from a security perspective?  I’ve been told by another engineer that older versions of Android (10, 11) are not able to parse the format that OpenSSL 3 defaults to, and am considering implementing an option to allow users to export PKCS12 files using the older format, but I’m concerned with how bad of a security risk that is.  It doesn’t seem like Sweet32 is really applicable, as that requires large amounts of data to exercise. Is there a real vulnerability here that could compromise users private keys?

 

Thanks.

- Steve

[Viktor Dukhovni]

[ Off the cuff response, not deeply analysed. ]

If the passphrase has sufficient entropy to not require much PBKDF2
hardening against brute-force attacks, then in legacy mode you get
roughly 112-bit security via 3DES-CBC which should be sufficient to
protect typical private keys.

--
Viktor.