Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Default to 2048-bit RSA now #3455

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Default to 2048-bit RSA now #3455

wants to merge 1 commit into from

Conversation

cipherboy
Copy link
Member

1024-bit RSA has been disallowed by our underlying libraries for a while
now. We should choose a better default. Currently 2048-bit works with
DEFAULT and FIPS, but FUTURE is defaulting to 3072. It isn't immediately
clear when FUTURE will become default, but we can always update again
later when that occurs.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>

jmagne
jmagne approved these changes Feb 12, 2021
View reviewed changes
Copy link
Contributor

@jmagne jmagne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good. We've really needed to make 2048 the default in the TPS CS.cfg. Perhaps you might want to have cfu look at some of the code changes.

@cipherboy
Default to 2048-bit RSA now
edbc59c 
1024-bit RSA has been disallowed by our underlying libraries for a while
now. We should choose a better default. Currently 2048-bit works with
DEFAULT and FIPS, but FUTURE is defaulting to 3072. It isn't immediately
clear when FUTURE will become default, but we can always update again
later when that occurs.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
@cipherboy
Copy link
Member Author

@ladycfu and @jmagne : This has been rebased. :)

@cipherboy cipherboy requested a review from edewata June 17, 2021 02:49
edewata
edewata reviewed Jun 17, 2021
View reviewed changes
docs/manuals/man5/pki-tps-profile.5.md
@@ -17,7 +17,7 @@ Token profiles are defined using properties in the TPS configuration file.
The following property sets the size of the key the token should generate:

```
op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024
op.enroll.<tokenType>.keyGen.<keyType>.keySize=2048
```

The maximum value is 1024.
Copy link
Contributor

@edewata edewata Jun 17, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not familiar with this, but if the maximum value is referring to the keySize parameter, would they be contradictory now?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it depends on the key type? DSA has a strict 1024-bit maximum, ECDSA obviously differs based on curve type/size and isn't user controllable, and for RSA, most implementations top out around 8192-bit ish.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The valid algorithms are:

  • 2 - RSA
  • 5 - ECC
    For ECC, the valid key sizes are 256 and 384.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or maybe this line should just be removed, and let the actual maximum be determined by the crypto library.

@ladycfu
Copy link
Contributor

ladycfu commented Jun 17, 2021

@jmagne , my memory may be a bit hazy on this, but wasn't there a time when some smart cards had issues with 2048 and that's why we set the default to be 1024 in TPS?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edewata edewata edewata left review comments

@jmagne jmagne jmagne approved these changes

@ladycfu ladycfu Awaiting requested review from ladycfu

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@cipherboy @ladycfu @edewata @jmagne