PKINIT: Support of MODP group 2?
jrische at redhat.com
Wed Aug 17 11:19:27 EDT 2022
Dear fellow Kerberos developers,
While working on a PKINIT interoperability issue between Heimdal and MIT
krb5, I realized OpenSSL was not supporting Diffie-Hellman MODP group 2.
RFC4556 defines MODP groups 2 and 14 support as mandatory, while group
16 is optional. MIT krb5 supports the three of them and uses group 14 by
default, while Heimdal supports the two mandatory groups (2 and 14), and uses
group 2 by default.
MS-PKCA does not mention which groups are supported by Active Directory. I
did some tests: group 14 works, but not group 16. It fails with MIT krb5 using
group 2, but I am not sure if this failure means it is not supported by AD or
if the error is coming from OpenSSL. I tried to test it with Heimdal, but I
didn't manage to get the configuration right.
I do not know when MODP group 2 support was dropped in OpenSSL. Actually I
doubt it has ever been supported, since it is not part of the original set of
supported well-known groups.
I had some exchanges with OpenSSL developers about this issue, and I have some
doubts they will accept to implement support for MODP group 2 as it is now
considered outdated. I opened an OpenSSL feature request too.
Atop of that, there are ongoing plans to deprecate IKEv1 formally in an RFC:
"IKEv1 systems most likely do not support modern algorithms such as AES-GCM or
CHACHA20_POLY1305 and quite often only support or have been configured to use
the very weak DiffieHellman Groups 2 and 5."
"[...] interoperability concerns mean that the defacto algorithms negotiated
by IKEv1 will consist of dated or deprecated algorithms like AES-CBC, SHA1,
and Diffie-Hellman groups 1 or 2."
In this context I am wondering if it is still relevant to keep MODP group 2 as
MTI. Maybe we should write an RFC to make its support optional and deprecate
If you agree with this point, and until such an RFC is accepted, I think in the
MIT case we should also decide if efforts to restore support for MODP group 2
would be justified. Either by pushing the OpenSSL development team to implement
support for it, or by making our own implementation.
Are you aware of some use cases having a strong dependency on group 2 that
wouldn't be able to use group 14 instead?
Regardless of the decision we make, I would like to ask the Heimdal development
team if it would be okay to switch the default group to 14 instead of 2. It
would reduce the reliance on a group that is considered cryptographically weak,
and simplify interoperability with MIT krb5.
Please let us know about your opinion and any extra piece of information that
would be relevant in that regard.
More information about the krbdev