Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Default to 2048-bit RSA now #3455

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

cipherboy
Copy link
Member

1024-bit RSA has been disallowed by our underlying libraries for a while
now. We should choose a better default. Currently 2048-bit works with
DEFAULT and FIPS, but FUTURE is defaulting to 3072. It isn't immediately
clear when FUTURE will become default, but we can always update again
later when that occurs.

Signed-off-by: Alexander Scheel <[email protected]>

@cipherboy cipherboy requested a review from jmagne February 11, 2021 12:34
Copy link
Contributor

@jmagne jmagne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good. We've really needed to make 2048 the default in the TPS CS.cfg. Perhaps you might want to have cfu look at some of the code changes.

@cipherboy cipherboy requested a review from ladycfu February 15, 2021 21:31
1024-bit RSA has been disallowed by our underlying libraries for a while
now. We should choose a better default. Currently 2048-bit works with
DEFAULT and FIPS, but FUTURE is defaulting to 3072. It isn't immediately
clear when FUTURE will become default, but we can always update again
later when that occurs.

Signed-off-by: Alexander Scheel <[email protected]>
@cipherboy cipherboy force-pushed the better-rsa-key-sizes branch from 64f1976 to edbc59c Compare June 17, 2021 02:48
@cipherboy
Copy link
Member Author

@ladycfu and @jmagne : This has been rebased. :)

@cipherboy cipherboy requested a review from edewata June 17, 2021 02:49
@@ -17,7 +17,7 @@ Token profiles are defined using properties in the TPS configuration file.
The following property sets the size of the key the token should generate:

```
op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024
op.enroll.<tokenType>.keyGen.<keyType>.keySize=2048
```

The maximum value is 1024.
Copy link
Contributor

@edewata edewata Jun 17, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not familiar with this, but if the maximum value is referring to the keySize parameter, would they be contradictory now?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it depends on the key type? DSA has a strict 1024-bit maximum, ECDSA obviously differs based on curve type/size and isn't user controllable, and for RSA, most implementations top out around 8192-bit ish.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The valid algorithms are:

  • 2 - RSA
  • 5 - ECC
    For ECC, the valid key sizes are 256 and 384.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or maybe this line should just be removed, and let the actual maximum be determined by the crypto library.

@ladycfu
Copy link
Contributor

ladycfu commented Jun 17, 2021

@jmagne , my memory may be a bit hazy on this, but wasn't there a time when some smart cards had issues with 2048 and that's why we set the default to be 1024 in TPS?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants