Page MenuHome GnuPG
Create Task
Maniphest T5975

Allow signature verification using specific RSA keys <2k in FIPS mode
Closed, ResolvedPublic
Actions

Description

The FIPS specified a "legacy mode", which is up to the application to decide. In this mode, usage of RSA keys of size 1024b, 1280b, 1536b, and 1792b should be allowed only for verification.

In addition, I would like to re-raise the issue if it would make sense to limit RSA key size generation and usage generally (previously mentioned in https://dev.gnupg.org/T5512#151635). Right now, there are no lower bounds for RSA key usage and tests happily use many 512b RSA keys. My suggestion would be to allow only 1024 bits and larger by default. The change is also attached in the following merge request as well as in attachment here.

https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/3

libgcrypt-rsa-verify.patch5 KBDownload

Details

Version
master

Revisions and Commits

rC libgcrypt
rCca2afc9fb64d cipher: Allow verification of small RSA signatures in FIPS mode

Related Objects

Event Timeline

Jakuje created this task.May 12 2022, 2:53 PM
werner triaged this task as Normal priority.May 13 2022, 8:00 AM
werner added a project: patch.
werner added a subscriber: werner.

I can imagine thar there are use cases for this. Thus I see no problems for the first part.

The second part is imho not a good idea. Libgcrypt is a building block for all kind of software and there are for sure legitimate reasons to use rsa512 (MCUs, short living keys, etc). Thus I think that the decision on the key size should be done by the software using libgcrypt.

Jakuje added a comment.May 13 2022, 11:17 AM

Ok. Thank you for the clarification. I will drop the second part and keep only the FIPS change in the patch. Merge request already updated.

libgcrypt-rsa-verify.patch1 KBDownload

werner moved this task from Backlog to Next on the FIPS board.May 17 2022, 11:12 AM
gniibe added a commit: rCca2afc9fb64d: cipher: Allow verification of small RSA signatures in FIPS mode.May 19 2022, 3:48 AM
gniibe claimed this task.May 19 2022, 3:50 AM
gniibe added a project: Restricted Project.
gniibe added a subscriber: gniibe.

Pushed the change (master and 1.10).

DemiMarie added a subscriber: DemiMarie.May 23 2022, 5:56 PM
In T5975#158113, @werner wrote:

I can imagine thar there are use cases for this. Thus I see no problems for the first part.

The second part is imho not a good idea. Libgcrypt is a building block for all kind of software and there are for sure legitimate reasons to use rsa512 (MCUs, short living keys, etc). Thus I think that the decision on the key size should be done by the software using libgcrypt.

RSA512 is already broken; there have been public demonstrations of this. MCUs should be using ECC instead.

gniibe moved this task from Next to Ready for release on the FIPS board.May 31 2022, 11:16 AM
gniibe added a project: backport.Jul 12 2022, 10:21 AM
werner changed the task status from Open to Testing.Sep 22 2022, 10:56 AM
werner removed a project: Restricted Project.
gniibe closed this task as Resolved.Apr 13 2023, 3:20 AM

Fixed in 1.10.2.

werner mentioned this in T5905: Release Libgcrypt 1.10.2.Nov 14 2023, 12:55 PM