Groups | Search | Server Info | Login | Register
Groups > comp.protocols.kerberos > #5242
| Path | csiph.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail |
|---|---|
| From | Simo Sorce <simo@redhat.com> |
| Newsgroups | comp.protocols.kerberos |
| Subject | Re: Using PKINIT with ECC |
| Date | Mon, 29 Jan 2024 09:59:22 -0500 |
| Organization | Red Hat |
| Lines | 74 |
| Message-ID | <mailman.15.1706540370.2322.kerberos@mit.edu> (permalink) |
| References | <8984fe41-f9a0-434b-a09c-df2bc88125dc@sec4mail.de> <ae76ed5c-1399-401e-988c-ed2dbdfff6e7@mit.edu> <81bc4460-b88a-4dfe-b538-e22805a086ea@sec4mail.de> <202311191733.3AJHXASl018607@hedwig.cmf.nrl.navy.mil> <414fe2a9-56ad-4401-b72a-4c002405e56c@sec4mail.de> <202311242047.3AOKlYk3019409@hedwig.cmf.nrl.navy.mil> <ffeca0f8-2646-4c63-88b2-e696f52bf24b@sec4mail.de> <202401111441.40BEf6HH019591@hedwig.cmf.nrl.navy.mil> <81773b85-0be5-4412-9d64-ca94b2cdd2b7@sec4mail.de> <a194a3ddb44324cc884984f06b6584cf2fb3e414.camel@redhat.com> |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset="UTF-8" |
| Content-Transfer-Encoding | 8bit |
| Injection-Info | tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50"; logging-data="32152"; mail-complaints-to="newsmaster@tnetconsulting.net" |
| User-Agent | Evolution 3.48.4 (3.48.4-1.fc38) |
| To | Goetz Golla <mit@sec4mail.de>, kerberos@mit.edu |
| DKIM-Filter | OpenDKIM Filter v2.11.0 unknown-host (unknown-jobid) |
| Authentication-Results | mailman.mit.edu; dkim=pass (1024-bit key, unprotected) header.d=mitprod.onmicrosoft.com header.i=@mitprod.onmicrosoft.com header.a=rsa-sha256 header.s=selector2-mitprod-onmicrosoft-com header.b=RdxGaUzX; dkim=pass (1024-bit key, unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=R881T/D3 |
| ARC-Seal | i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VImC6VfiU238lhYxzQrDNr2Ge9C2eYqUhkzsmCg8o4g8c+1l5jMWuNRruAcPJwGt+E2TtUC+FOYgtw20+AQXvKGYz440dCscvL8Zv67TcpIOOslk+scekxOTTotmnQObOAkOhOZHggv2lVPeEfXwBSB2cqt8/j/HrTe8XEBrbqeNV7BXBRKEjIMSSX50/GZY6qm6gomKXqe3aTjbERvLHK7RuXdetEBXt9a3FDg8ZGL19kR8TQopv/uYRX8GAYeQO8Wc7oxIMSPWlF+AaJj/88VDjNDWvJSJI3JtWrWWTL8d4XwNAUk9I+uznjWEDMdh5fpJhrwdF8IFcIAv4R63TQ== |
| ARC-Message-Signature | i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=35318V8IxZuPkC54ngtNZ/muV8bjeRUOTCbM06bz32w=; b=Bogb2IRtMFwSsBZlKv7ysfSnMIhRNeUjkMn//LZ0wi/YdkJ8z3Yqnzs7oPWb7GOR+zWqp4XofcgzQc2Q5p5a0KYVCrR2xiGRQ9FZS1IVMoGF/jOFeAMJzlsn9CyNARJdjPF0UVCzBVVnwGIGfBEwgBvFq0RIBA0RnCemtvpVSs4v9eiY0yx8jSSz5k/z8HCnSEC61XHDEj5x8qG88ZPuWkv2lBoHpwD9G1hVEo8uOQYZ5XYnRH5PrhLLuQcjmPR8BBUeOY7/qZZniehEYpHOoGDENmAOVE2BWsG1JaZ4VtCY4AHnZc1kqwQabbL8utI2yiY+3MpdRbsAirlAq+Ecig== |
| ARC-Authentication-Results | i=1; mx.microsoft.com 1; spf=pass (sender ip is 170.10.129.124) smtp.rcpttodomain=mit.edu smtp.mailfrom=redhat.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=redhat.com; dkim=pass (signature was verified) header.d=redhat.com; arc=none (0) |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitprod.onmicrosoft.com; s=selector2-mitprod-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=35318V8IxZuPkC54ngtNZ/muV8bjeRUOTCbM06bz32w=; b=RdxGaUzXExj6+u5uHfUENKxWDd/dQm9dnhyKhjbGZHS/9+wKXvF2UCVO6hDQ5WjouIT6ooJnTHXMD/YE5acdkLrc6exfQvOX8i9eNxIS5LMevQ3CcZTZzx2X1xm/llm/Gd2nDeUMhQnmG+UEjwwcL2LhKobrxnEafHJp3RO0Jiw= |
| Authentication-Results | spf=pass (sender IP is 170.10.129.124) smtp.mailfrom=redhat.com; dkim=pass (signature was verified) header.d=redhat.com;dmarc=pass action=none header.from=redhat.com; |
| Received-SPF | Pass (protection.outlook.com: domain of redhat.com designates 170.10.129.124 as permitted sender) receiver=protection.outlook.com; client-ip=170.10.129.124; helo=us-smtp-delivery-124.mimecast.com; pr=C |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1706540365; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=35318V8IxZuPkC54ngtNZ/muV8bjeRUOTCbM06bz32w=; b=R881T/D3x/yfkm+HL3Q5MybtED20MNC9JXJ8rwREVYjce8AtmjFVebKywi0RhtR5fO2wBA Gk2TdnYOe0VTPKrJVgNtu5rOqURXDs76VSJh9WxTriecLCnGePmytn6Is+H6Xv3Es18qPB 3+eCqDMTfUHtCyvsKZLHe1ZweDVPrOs= |
| X-MC-Unique | rH_3sfZKMLypcThGqXCn-Q-1 |
| X-Google-DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706540364; x=1707145164; h=mime-version:user-agent:content-transfer-encoding:organization :references:in-reply-to:date:to:from:subject:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=mozwTRVBeUL/EhZISfvD19ooesgEFA2aUQ1N4nGjH/Y=; b=vbP7rckMOmbokjIVRM7hdni/xcqObDz3vtw/8mlIl7Jk0so1ldjbmKdeCqBzBUbOwn Cc1Aaa42AK9XO5+wTXahC8tVbdDanoXsGUYWBdvgV/Oc3/cfPRzcsPRhuHEoCnOPjM62 Jz9gjijpmGfz7bb4NeNpm9uZAnVTM45T0wwPE/K2mKEmlFmGxj/hVUeBlgoF0oy9rAgg mwEBGCaWnXnJyMKU3nOa2+Sp8pD1o586BkBiyc1S01g6Cl+4ZmAUhpzfgO0yRb07f8tU sk54ulR3pHg5YkU/adrkDsRvPrQPjCzbJzF4ZeYclns7UdfUXRhDDCm9wYFjG0FvZHJK 4xBA== |
| X-Gm-Message-State | AOJu0YzSkWxh/W7abKH0/vVnwIg3DeX7OKW6gd9g0gjK9bF4Dr+GPcnr WQ3jeZdCze8KiKMl7LqD/jxMXSDKTDpnBIzLBgoqs04adgDVakmknbb5Bw975JjJRmHkl5L1AgZ f4HZzB8CRvj/VpxvaDQifOUH9K4gOKM51Eae9w5zetC7+C6FkMRIAOg== |
| X-Received | by 2002:a05:622a:195:b0:42a:b147:87c8 with SMTP id s21-20020a05622a019500b0042ab14787c8mr149956qtw.92.1706540363901; Mon, 29 Jan 2024 06:59:23 -0800 (PST) |
| X-Google-Smtp-Source | AGHT+IHpzKzlpgARM8p/59wF9KVEuolV4l+M/yAIjf6zmDJKAgp8Mnkp4d/gG2tLYC7pYZ4hj4gcuw== |
| X-Received | by 2002:a05:622a:195:b0:42a:b147:87c8 with SMTP id s21-20020a05622a019500b0042ab14787c8mr149946qtw.92.1706540363589; Mon, 29 Jan 2024 06:59:23 -0800 (PST) |
| In-Reply-To | <81773b85-0be5-4412-9d64-ca94b2cdd2b7@sec4mail.de> |
| X-Mimecast-Spam-Score | 0 |
| X-Mimecast-Originator | redhat.com |
| X-EOPAttributedMessage | 0 |
| X-EOPTenantAttributedMessage | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b:0 |
| X-MS-PublicTrafficType | |
| X-MS-TrafficTypeDiagnostic | BN1PEPF0000468B:EE_|PH7PR01MB7773:EE_ |
| X-MS-Office365-Filtering-Correlation-Id | b5c45376-8079-4663-8c04-08dc20dae2f4 |
| X-LD-Processed | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b,ExtAddr |
| X-MS-Exchange-AtpMessageProperties | SA |
| X-MS-Exchange-SenderADCheck | 0 |
| X-MS-Exchange-AntiSpam-Relay | 0 |
| X-Microsoft-Antispam | BCL:0; |
| X-Microsoft-Antispam-Message-Info | eMYQvCFi9xdZ7cbbssXzwBLdDQ7zWAn8mfNSgV4M3e1e6BTQHlx53R1Z7jtAaigf9Hzr2UHqpsJQcKnW6OWzyYVnvidBTrlGZebzRANcNPUOCEIrdS9T6mQslQB8jea94bkmDhKs0CCvCwEpej8zbnT17MjrHdk0tskHj8JjlzgPfLO0UvC0FZyiE6bGVwBBMKVTk+es9N9YVjO4e0zpfZ4J6vdZt7L5w2XO8agYpMDcrQdl01X/fVW/LEfawSRZ4fqUSJkPec/IHEW+k5G3M4YEH8JADo0cAo4t8ge6RV14XJlc/IryekjWDaMraRhaxJEbfKdsi3gUPAe5suIznAMtQYBlZzhkbCPu8LPj0faUusolr3Ja5uyuEaR2ODoL3q79UumHAN2R3SE1UBL5SlqiAdLfnDj27IIa9mtMxg26QjkVS+8kCnufTHIKybkz0ekOP7AzQhkemT/hDvdT0ELNnykOOSjwVpRvicd+z+fX2V1l7uXnzj+ttwcki2sOoCSvWTiJ/06epOmFYL9TmVoa9rzVSehHGu2VZpiCHw6+Gas0jWGl+sScfoCgcY5UoIurg3orUJjuv9Prv1SRJ0FABj6fZKr2x964QIwI2coKBXS9H7J+hYeOY1JY5N1z2488g00EqEttJNMmmRNrIQ== |
| X-Forefront-Antispam-Report | CIP:170.10.129.124; CTRY:US; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:us-smtp-delivery-124.mimecast.com; PTR:us-smtp-delivery-124.mimecast.com; CAT:NONE; SFS:(13230031)(4636009)(136003)(376002)(39860400002)(396003)(346002)(64100799003)(48200799006)(451199024)(61400799012)(26005)(83380400001)(36916002)(7696005)(336012)(53546011)(36756003)(86362001)(356005)(7596003)(7636003)(5660300002)(8676002)(3480700007)(316002)(68406010)(498600001)(2616005)(786003)(2906002)(70586007); DIR:OUT; SFP:1102; |
| X-ExternalRecipientOutboundConnectors | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b |
| X-Auto-Response-Suppress | DR, OOF, AutoReply |
| X-OriginatorOrg | mitprod.onmicrosoft.com |
| X-MS-Exchange-CrossTenant-OriginalArrivalTime | 29 Jan 2024 14:59:26.1779 (UTC) |
| X-MS-Exchange-CrossTenant-Network-Message-Id | b5c45376-8079-4663-8c04-08dc20dae2f4 |
| X-MS-Exchange-CrossTenant-Id | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b |
| X-MS-Exchange-CrossTenant-AuthSource | BN1PEPF0000468B.namprd05.prod.outlook.com |
| X-MS-Exchange-CrossTenant-AuthAs | Anonymous |
| X-MS-Exchange-CrossTenant-FromEntityHeader | Internet |
| X-MS-Exchange-Transport-CrossTenantHeadersStamped | PH7PR01MB7773 |
| X-MIME-Autoconverted | from quoted-printable to 8bit by mailman.mit.edu id 40TExRtc1876084 |
| X-BeenThere | kerberos@mit.edu |
| X-Mailman-Version | 2.1.34 |
| Precedence | list |
| List-Id | The Kerberos Authentication System Mailing List <kerberos.mit.edu> |
| List-Unsubscribe | <https://mailman.mit.edu/mailman/options/kerberos>, <mailto:kerberos-request@mit.edu?subject=unsubscribe> |
| List-Archive | <http://mailman.mit.edu/pipermail/kerberos/> |
| List-Post | <mailto:kerberos@mit.edu> |
| List-Help | <mailto:kerberos-request@mit.edu?subject=help> |
| List-Subscribe | <https://mailman.mit.edu/mailman/listinfo/kerberos>, <mailto:kerberos-request@mit.edu?subject=subscribe> |
| X-Mailman-Original-Message-ID | <a194a3ddb44324cc884984f06b6584cf2fb3e414.camel@redhat.com> |
| X-Mailman-Original-References | <8984fe41-f9a0-434b-a09c-df2bc88125dc@sec4mail.de> <ae76ed5c-1399-401e-988c-ed2dbdfff6e7@mit.edu> <81bc4460-b88a-4dfe-b538-e22805a086ea@sec4mail.de> <202311191733.3AJHXASl018607@hedwig.cmf.nrl.navy.mil> <414fe2a9-56ad-4401-b72a-4c002405e56c@sec4mail.de> <202311242047.3AOKlYk3019409@hedwig.cmf.nrl.navy.mil> <ffeca0f8-2646-4c63-88b2-e696f52bf24b@sec4mail.de> <202401111441.40BEf6HH019591@hedwig.cmf.nrl.navy.mil> <81773b85-0be5-4412-9d64-ca94b2cdd2b7@sec4mail.de> |
| Xref | csiph.com comp.protocols.kerberos:5242 |
Show key headers only | View raw
On Fri, 2024-01-26 at 08:01 +0100, Goetz Golla wrote: > On 1/11/24 15:41, Ken Hornstein wrote: > > But here is some snippets of the PKCS#11 code in MIT Kerberos: > > > > When specifying the search parameters to find the private key: > > > > keytype = CKK_RSA; > > attrs[nattrs].type = CKA_KEY_TYPE; > > attrs[nattrs].pValue = &keytype; > > attrs[nattrs].ulValueLen = sizeof keytype; > > nattrs++; > > > > When setting the key signing mechanism: > > > > /* > > * We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but > > * historically many cards seem to be confused about whether they are > > * capable of mechanisms or not. The safe thing seems to be to ignore the > > * mechanism list, always use CKM_RSA_PKCS and calculate the sha256 digest > > * ourselves. > > */ > > id_cryptoctx->mech = CKM_RSA_PKCS; > > > > Those are all hardcoded use of RSA keys and signing mechanisms and it > > doesn't handle ECC at all. So unless the Yubico library ignored the > > key type and mechanism (which I think would be extremely unlikely but > > not impossible) I suspect you were using RSA back during your original > > testing and didn't realize it. > > > > --Ken > > Its good to know the reason why MIT Kerberos cannot handle EC > certificates right now. Whatever shortcomings there are the reason is low demand, or not enough justification to spend the time on it. > I know that NIST is happy with RSA 2048, but in Europe RSA >= 3072 is > already mandatory, > Please cite the source of this statement, as far as I know only BSI requires it for some German government stuff and there is no EU level agency that requires this anywhere, just like in the USA NIAP requires them for Common criteria certification. A desired for 3k keys is understandable but it is unworkable given the rest of the worldwide PKI infrastructure still relies on Intermediate CAs that use 2k keys. > and this key size makes small devices like the > Yubikeys very slow when generating the keys. In fact, Yubikeys only > support RSA <=2048. > > So is there a way to submit a feature request for ECDSA support in MIT > Kerberos ? Ken provided reasonable answers for this part. Simo. -- Simo Sorce Distinguished Engineer RHEL Crypto Team Red Hat, Inc
Back to comp.protocols.kerberos | Previous | Next | Find similar
Re: Using PKINIT with ECC Simo Sorce <simo@redhat.com> - 2024-01-29 09:59 -0500
csiph-web