Using PKINIT with ECC

Simo Sorce simo at redhat.com
Mon Jan 29 09:59:22 EST 2024 

On Fri, 2024-01-26 at 08:01 +0100, Goetz Golla wrote:
> On 1/11/24 15:41, Ken Hornstein wrote:
> > But here is some snippets of the PKCS#11 code in MIT Kerberos:
> > 
> > When specifying the search parameters to find the private key:
> > 
> >      keytype = CKK_RSA;
> >      attrs[nattrs].type = CKA_KEY_TYPE;
> >      attrs[nattrs].pValue = &keytype;
> >      attrs[nattrs].ulValueLen = sizeof keytype;
> >      nattrs++;
> > 
> > When setting the key signing mechanism:
> > 
> >      /*
> >       * We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but
> >       * historically many cards seem to be confused about whether they are
> >       * capable of mechanisms or not. The safe thing seems to be to ignore the
> >       * mechanism list, always use CKM_RSA_PKCS and calculate the sha256 digest
> >       * ourselves.
> >       */
> >      id_cryptoctx->mech = CKM_RSA_PKCS;
> > 
> > Those are all hardcoded use of RSA keys and signing mechanisms and it
> > doesn't handle ECC at all.  So unless the Yubico library ignored the
> > key type and mechanism (which I think would be extremely unlikely but
> > not impossible) I suspect you were using RSA back during your original
> > testing and didn't realize it.
> > 
> > --Ken
> 
> Its good to know the reason why MIT Kerberos cannot handle EC 
> certificates right now.

Whatever shortcomings there are the reason is low demand, or not enough
justification to spend the time on it.

> I know that NIST is happy with RSA 2048, but in Europe RSA >= 3072 is 
> already mandatory,
> 

Please cite the source of this statement, as far as I know only BSI
requires it for some German government stuff and there is no EU level
agency that requires this anywhere, just like in the USA NIAP requires
them for Common criteria certification.
A desired for 3k keys is understandable but it is unworkable given the
rest of the worldwide PKI infrastructure still relies on Intermediate
CAs that use 2k keys.

>  and this key size makes small devices like the 
> Yubikeys very slow when generating the keys. In fact, Yubikeys only 
> support RSA <=2048.
> 
> So is there a way to submit a feature request for ECDSA support in MIT 
> Kerberos ?

Ken provided reasonable answers for this part.

Simo.

-- 
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc

More information about the Kerberos mailing list