Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-44995

Deprecate DSA and SEED in NSS in RHEL 10

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: Create New Vers...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • None
    • Moderate
    • 1
    • rhel-security-crypto
    • ssg_security
    • 24
    • 27
    • 3
    • False
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Crypto24Q3
    • Hide

      AC1) SEED and DSA are not available anymore and cannot be use din NSS applications.

      Show
      AC1) SEED and DSA are not available anymore and cannot be use din NSS applications.
    • Pass
    • Enabled
    • Automated
    • Removed Functionality
    • Hide
      .DSA and SEED algorithms have been removed from NSS

      The Digital Signature Algorithm (DSA), which was created by the National Institute of Standards and Technology (NIST) and is now completely deprecated by NIST, is removed from the Network Security Services (NSS) cryptographic library. You can instead use algorithms such as RSA and ECDSA.

      The SEED algorithm, which was created by the Korea Information Security Agency (KISA) and has been previously disabled upstream, is removed from the NSS cryptographic library.
      Show
      .DSA and SEED algorithms have been removed from NSS The Digital Signature Algorithm (DSA), which was created by the National Institute of Standards and Technology (NIST) and is now completely deprecated by NIST, is removed from the Network Security Services (NSS) cryptographic library. You can instead use algorithms such as RSA and ECDSA. The SEED algorithm, which was created by the Korea Information Security Agency (KISA) and has been previously disabled upstream, is removed from the NSS cryptographic library.
    • Done
    • All
    • None

      Several old algorithms that have little to no use and are disabled by default need to be disabled completely:

      1) SEED, the former national cipher of Korea. This has been disabled upstream for several years. A single #define in the SPEC file will disable it for NSS.
      2) DSA, this is a signing aglorithm, created by NIST and now completely deprecated by NIST in favor of RSA and ECDSA (and eventually SHB-DSA, ML-DSA and FN-DSA). This requires disabling CKM_DSA_XXX in PKCS #11 (under a #define) and including that #define in the SPEC. It will also require dropping or modifying tests in NSS upstream tests of DSA.

      NOTE: DSA parameter gen is used extensively in testing of weak Diffie-Helman code (mostly to make sure we properly reject weak Diffie-Helman by default, so it will stay until we deprecate DH.

              rrelyea Robert Relyea
              rrelyea Robert Relyea
              Robert Relyea Robert Relyea
              Ondrej Moris Ondrej Moris
              Jan Fiala Jan Fiala
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: