Groups | Search | Server Info | Login | Register
Groups > comp.protocols.kerberos > #5232
| Path | csiph.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail |
|---|---|
| From | Ken Hornstein <kenh@cmf.nrl.navy.mil> |
| Newsgroups | comp.protocols.kerberos |
| Subject | Re: Using PKINIT with ECC |
| Date | Thu, 11 Jan 2024 09:41:06 -0500 |
| Organization | TNet Consulting |
| Lines | 40 |
| Message-ID | <mailman.5.1704984073.2322.kerberos@mit.edu> (permalink) |
| References | <8984fe41-f9a0-434b-a09c-df2bc88125dc@sec4mail.de> <ae76ed5c-1399-401e-988c-ed2dbdfff6e7@mit.edu> <81bc4460-b88a-4dfe-b538-e22805a086ea@sec4mail.de> <202311191733.3AJHXASl018607@hedwig.cmf.nrl.navy.mil> <414fe2a9-56ad-4401-b72a-4c002405e56c@sec4mail.de> <202311242047.3AOKlYk3019409@hedwig.cmf.nrl.navy.mil> <ffeca0f8-2646-4c63-88b2-e696f52bf24b@sec4mail.de> <202401111441.40BEf6HH019591@hedwig.cmf.nrl.navy.mil> |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset="us-ascii" |
| Injection-Info | tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50"; logging-data="20109"; mail-complaints-to="newsmaster@tnetconsulting.net" |
| Cc | kerberos@mit.edu |
| To | Goetz Golla <mit@sec4mail.de> |
| DKIM-Filter | OpenDKIM Filter v2.11.0 unknown-host (unknown-jobid) |
| Authentication-Results | mailman.mit.edu; dkim=pass (1024-bit key, unprotected) header.d=mitprod.onmicrosoft.com header.i=@mitprod.onmicrosoft.com header.a=rsa-sha256 header.s=selector2-mitprod-onmicrosoft-com header.b=ahmSWig0; dkim=pass (2048-bit key, unprotected) header.d=nrl.navy.mil header.i=@nrl.navy.mil header.a=rsa-sha256 header.s=s2.dkim header.b=CYlao2je |
| ARC-Seal | i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HXisin+oBdo+VKUQ77/oppqoM+KUVtCBnihlNGdjS1yGi+3SowfbcAbsrWKRtry3mxNR59l7sKGbNh6Xw9AWUU8XVx04Xz1M3WB8sLFqwbLV/kTzhW3BZ1Xn0n5Ri/8DXIhWDU218rtBUXhUGZW5HzVmV8YsVdwIFlVRFp4l9PrzM+xXc2UUJdyARDD6T+0nfy3MecHMg1YBNfIxq+bj5EawzjZIa26LdfSfi/2GHPLrH8xLxxnvfPenSC09DaBKdo5qhriZgeGydEO0Ebo4jj3RqqntO8fGnXZWCXS2I/Pr4yWrtlCEMpTrbH7IPdOYU7uP5Xx5yN1ksfnqzMNZtg== |
| ARC-Message-Signature | i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=lL5vGUqoG1KCRtf9EgQEWrt3EdybLclyfE7RzKyETGo=; b=YQZ3Aw90sH57idoN/qqSxFjJl57WvohLLW2areWRkBWFJJajWW1OtoVVHO1Lui6ewTPdU2ySOLwXQncygUXKh9+7bveR0L4wC7NqQd+jj8NaR5U+mRF1EvjnHEcVetYDmfAb0tEGh0/gR5siVCRE3fGhXUPbmc5t/TtfnkgNmacgEgxZER4ECxjK0B38VbYZ5KPFlBaL3PowHtdVonZp+pvBbMj7uTb7ThrNVhBBO+k9a9UJi6aF1Bx3vGL3pqL8ppk+wATB8gdu2GToSPXGKdo/e5I2qxCmY/wW9kne1uwNwwAWR9G953lv8BK9junzcIrZdPGBs0O/6yTK46tZqg== |
| ARC-Authentication-Results | i=1; mx.microsoft.com 1; spf=pass (sender ip is 140.32.59.234) smtp.rcpttodomain=mit.edu smtp.mailfrom=cmf.nrl.navy.mil; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=cmf.nrl.navy.mil; dkim=pass (signature was verified) header.d=nrl.navy.mil; arc=none (0) |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitprod.onmicrosoft.com; s=selector2-mitprod-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lL5vGUqoG1KCRtf9EgQEWrt3EdybLclyfE7RzKyETGo=; b=ahmSWig0yksKDyoRGlBLZEtR2z6zaX3nasS+rftDZAubA2CZsVHeJGtkEMXrnDBSCfOt0E0VH9BbI+VSLM8+T59B28G2jxB1vEc8nrkQVNC1CUo680v6oF6J10AQHptzL6GaaNRpwpKs7u9mZ2cHasT7HmClKK0mDssaZPiSFEw= |
| Authentication-Results | spf=pass (sender IP is 140.32.59.234) smtp.mailfrom=cmf.nrl.navy.mil; dkim=pass (signature was verified) header.d=nrl.navy.mil;dmarc=pass action=none header.from=cmf.nrl.navy.mil; |
| Received-SPF | Pass (protection.outlook.com: domain of cmf.nrl.navy.mil designates 140.32.59.234 as permitted sender) receiver=protection.outlook.com; client-ip=140.32.59.234; helo=mf.dren.mil; pr=C |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=nrl.navy.mil; h=message-id : from : to : cc : subject : in-reply-to : references : mime-version : content-type : date; s=s2.dkim; bh=lL5vGUqoG1KCRtf9EgQEWrt3EdybLclyfE7RzKyETGo=; b=CYlao2jePe1JVQynMjQZIAB9NKBowjWkPJGRKh09hMM3061i5jP4M6pulPUeTZCRRJXO eeCoXWXkn+hHKtdjpFTSajPCcFrs2/POn+w39xRKwo8QVfzC3NA2gBAuIXqqCd7VFxZV Izzwd2QuZqa1FTgfvoH0az6sVzFSfXhUu5jyhTS6Hjm9+zFsBHPRJU5P2H9dF42CHXz9 6SZkujCSun54zQBtQvc4otJmjqB/7ktj/o5Z16Ui4U3KOFDfZnZDMQFa7rwiI9jQ1sgU lrVkaIb7/UK+gcjktttkGbfA2Gp8jGoefuzHzaNU//j4eOa+BvbjM43gTOxL6O8UaJHh aA== |
| In-Reply-To | <ffeca0f8-2646-4c63-88b2-e696f52bf24b@sec4mail.de> |
| X-Face | "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4 WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d gD\SW #]iN_U0 KUmOR.P<|um5yP<ea#^"SJK;C*}fMI;Mv(aiO2z~9n.w?@\>kEpSD@*e` |
| X-NRLCMF-Spam-Score | () hits=0 User Authenticated |
| X-NRLCMF-Virus-Scanned | |
| X-EOPAttributedMessage | 0 |
| X-EOPTenantAttributedMessage | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b:0 |
| X-MS-PublicTrafficType | |
| X-MS-TrafficTypeDiagnostic | BL02EPF0001A101:EE_|BN0PR01MB7085:EE_ |
| X-MS-Office365-Filtering-Correlation-Id | af7cbdd9-f023-4e4f-c218-08dc12b35992 |
| X-LD-Processed | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b,ExtAddr |
| X-MS-Exchange-AtpMessageProperties | SA |
| X-MS-Exchange-SenderADCheck | 0 |
| X-MS-Exchange-AntiSpam-Relay | 0 |
| X-Microsoft-Antispam | BCL:0; |
| X-Microsoft-Antispam-Message-Info | oIKV/7MgL2lHaXIYU97Ub9dULuHHxH347jgc+eyELDAIYHCDId76JvmwMoiA3gPR9DT5Bh9QE8DCFz+lGuyrrtNvPqvLuWcc9LI+qVegZuR+/iAiEmGsg9pagwkkU2EsM7NM+cHOzhq0cZX8QrUpVy9IdVf12zXKd6eVKYtX6f0NH24mbzUqplufsZMsgw2jAnVgT4Blgb8miGPffWyxQF/6+gM/RTu1qTfrmDbwF4TM1LjgHC2BfGPCh/NTVLQG12iLnAtYcQuuegIip9fRZdwwvDMiP4vnZ5zC8s7E1Q9bK4o1vYIqgIJV8l3lLKTTWfhxN8nQUE5fqrpooQ/zv/qMoBDDS7TwxqjZ8h2/0rOjT1wbDHQ2HrbMXcpViql//+dez9MF2M+8xzX4N8a9NHtGu8zER8i0ZehyOOGpp7y3VYqvLbMPptF85jCCmsSgRvwUtwKi1j5sFCDbgFn01STp3Zln6ydX/IWemd9ad7fbVjI4WS7ECPesMN17ZBa0AlZCf3gF8YJiuY91KFItEXdyOX1dsFbvc59+z66BEY+VGmjsO917gQhadKgK+7xd/tpBoc+cXhPXAwdqzuKcOGcGXpsjlxt/L7qOQAm7sfl94yAmWnkI3Wzw5jibUXK7TrevNIPPKnMFvVNay8AaMg== |
| X-Forefront-Antispam-Report | CIP:140.32.59.234; CTRY:US; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:mf.dren.mil; PTR:mfe.dren.mil; CAT:NONE; SFS:(13230031)(4636009)(346002)(396003)(376002)(39860400002)(136003)(61400799012)(64100799003)(451199024)(48200799006)(83380400001)(70586007)(68406010)(356005)(7636003)(86362001)(3480700007)(1076003)(336012)(956004)(6862004)(26005)(426003)(4326008)(786003)(2906002)(498600001)(316002)(8676002)(5660300002); DIR:OUT; SFP:1102; |
| X-ExternalRecipientOutboundConnectors | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b |
| X-Auto-Response-Suppress | DR, OOF, AutoReply |
| X-OriginatorOrg | mitprod.onmicrosoft.com |
| X-MS-Exchange-CrossTenant-OriginalArrivalTime | 11 Jan 2024 14:41:08.9597 (UTC) |
| X-MS-Exchange-CrossTenant-Network-Message-Id | af7cbdd9-f023-4e4f-c218-08dc12b35992 |
| X-MS-Exchange-CrossTenant-Id | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b |
| X-MS-Exchange-CrossTenant-AuthSource | BL02EPF0001A101.namprd05.prod.outlook.com |
| X-MS-Exchange-CrossTenant-AuthAs | Anonymous |
| X-MS-Exchange-CrossTenant-FromEntityHeader | Internet |
| X-MS-Exchange-Transport-CrossTenantHeadersStamped | BN0PR01MB7085 |
| X-BeenThere | kerberos@mit.edu |
| X-Mailman-Version | 2.1.34 |
| Precedence | list |
| List-Id | The Kerberos Authentication System Mailing List <kerberos.mit.edu> |
| List-Unsubscribe | <https://mailman.mit.edu/mailman/options/kerberos>, <mailto:kerberos-request@mit.edu?subject=unsubscribe> |
| List-Archive | <http://mailman.mit.edu/pipermail/kerberos/> |
| List-Post | <mailto:kerberos@mit.edu> |
| List-Help | <mailto:kerberos-request@mit.edu?subject=help> |
| List-Subscribe | <https://mailman.mit.edu/mailman/listinfo/kerberos>, <mailto:kerberos-request@mit.edu?subject=subscribe> |
| X-Mailman-Original-Message-ID | <202401111441.40BEf6HH019591@hedwig.cmf.nrl.navy.mil> |
| X-Mailman-Original-References | <8984fe41-f9a0-434b-a09c-df2bc88125dc@sec4mail.de> <ae76ed5c-1399-401e-988c-ed2dbdfff6e7@mit.edu> <81bc4460-b88a-4dfe-b538-e22805a086ea@sec4mail.de> <202311191733.3AJHXASl018607@hedwig.cmf.nrl.navy.mil> <414fe2a9-56ad-4401-b72a-4c002405e56c@sec4mail.de> <202311242047.3AOKlYk3019409@hedwig.cmf.nrl.navy.mil> <ffeca0f8-2646-4c63-88b2-e696f52bf24b@sec4mail.de> |
| Xref | csiph.com comp.protocols.kerberos:5232 |
Show key headers only | View raw
>We had it working in November with Yubico's libykcs11 in a lab and in
>production tested by two independent people. Testing it again this year
>it failed. We are in the process of finding out what exactly we have
>tested in November.
>
>I am really confused now. I thought that the problem was in the opensc
>code and replacing it with Yubico's libykcs11, which officially supports
>ECC, should fix it.
>
>Now you seem to suggest that the problem is in the Kerberos code ?
Well, geez dude, this was back in November and I brought this up then.
But here is some snippets of the PKCS#11 code in MIT Kerberos:
When specifying the search parameters to find the private key:
keytype = CKK_RSA;
attrs[nattrs].type = CKA_KEY_TYPE;
attrs[nattrs].pValue = &keytype;
attrs[nattrs].ulValueLen = sizeof keytype;
nattrs++;
When setting the key signing mechanism:
/*
* We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but
* historically many cards seem to be confused about whether they are
* capable of mechanisms or not. The safe thing seems to be to ignore the
* mechanism list, always use CKM_RSA_PKCS and calculate the sha256 digest
* ourselves.
*/
id_cryptoctx->mech = CKM_RSA_PKCS;
Those are all hardcoded use of RSA keys and signing mechanisms and it
doesn't handle ECC at all. So unless the Yubico library ignored the
key type and mechanism (which I think would be extremely unlikely but
not impossible) I suspect you were using RSA back during your original
testing and didn't realize it.
--Ken
Back to comp.protocols.kerberos | Previous | Next | Find similar
Re: Using PKINIT with ECC Ken Hornstein <kenh@cmf.nrl.navy.mil> - 2024-01-11 09:41 -0500
csiph-web