Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-4902

[RFE] Add ECDH support for PKINIT (RFC5349) [rhel-9]

XMLWordPrintable

    • krb5-1.21.1-6.el9
    • None
    • 4
    • rhel-sst-idm-ipa
    • ssg_idm
    • 26
    • 5
    • False
    • Hide

      None

      Show
      None
    • Yes
    • 2024-Q4-Bravo-S7, 2025-Q1-Bravo-S1, 2025-Q1-Bravo-S2, 2025-Q1-Bravo-S3
    • Enhancement
    • Hide
      Feature, enhancement:

      MIT krb5 now supports elliptic curve Diffie-Hellman key agreement method as defined by RFC5349, in addition to the finite field Diffie-Hellman one.

      Reason:

      This diversifies the number of PKINIT methods available.

      Result:

      The "pkinit_dh_min_bits" krb5.conf setting can now be set with "P-256", "P-384", or "P-521" to use ECDH by default.
      Show
      Feature, enhancement: MIT krb5 now supports elliptic curve Diffie-Hellman key agreement method as defined by RFC5349, in addition to the finite field Diffie-Hellman one. Reason: This diversifies the number of PKINIT methods available. Result: The "pkinit_dh_min_bits" krb5.conf setting can now be set with "P-256", "P-384", or "P-521" to use ECDH by default.
    • Proposed
    • None

      MS-PKCA v20211006 (section 2.2)[1] defines the following supported algorithms for PKINIT CMS signature:

      • md5WithRSAEncryption (since Windows Server 2003)
      • sha1WithRSAEncryption (newer than Windows Server 2003)
      • ecdsa-with-sha1/256/384/512 (newer than Windows Server 2008)

      Out of this list, ECDSA signatures are the only ones that are still allowed to verify on RHEL9 (SHA-1 and MD5 signatures verification is disallowed by default). We should implement RFC5349[2] in MIT krb5 in order to support PKINIT pre-authentication against Active Directory.

      [1] https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PKCA/%5bMS-PKCA%5d.pdf
      [2] https://www.rfc-editor.org/rfc/rfc5349.html

              jrische@redhat.com Julien Rische
              jrische@redhat.com Julien Rische
              Julien Rische Julien Rische
              Michal Polovka Michal Polovka
              Michal Stubna Michal Stubna
              Votes:
              0 Vote for this issue
              Watchers:
              14 Start watching this issue

                Created:
                Updated: