Page MenuHome GnuPG

Allow signature verification using specific RSA keys <2k in FIPS mode
Open, NormalPublic

Description

The FIPS specified a "legacy mode", which is up to the application to decide. In this mode, usage of RSA keys of size 1024b, 1280b, 1536b, and 1792b should be allowed only for verification.

In addition, I would like to re-raise the issue if it would make sense to limit RSA key size generation and usage generally (previously mentioned in https://dev.gnupg.org/T5512#151635). Right now, there are no lower bounds for RSA key usage and tests happily use many 512b RSA keys. My suggestion would be to allow only 1024 bits and larger by default. The change is also attached in the following merge request as well as in attachment here.

https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/3

Details

Version
master

Related Objects

Event Timeline

werner triaged this task as Normal priority.May 13 2022, 8:00 AM
werner added a project: patch.
werner added a subscriber: werner.

I can imagine thar there are use cases for this. Thus I see no problems for the first part.

The second part is imho not a good idea. Libgcrypt is a building block for all kind of software and there are for sure legitimate reasons to use rsa512 (MCUs, short living keys, etc). Thus I think that the decision on the key size should be done by the software using libgcrypt.

Ok. Thank you for the clarification. I will drop the second part and keep only the FIPS change in the patch. Merge request already updated.

gniibe added a project: Testing.
gniibe added a subscriber: gniibe.

Pushed the change (master and 1.10).

I can imagine thar there are use cases for this. Thus I see no problems for the first part.

The second part is imho not a good idea. Libgcrypt is a building block for all kind of software and there are for sure legitimate reasons to use rsa512 (MCUs, short living keys, etc). Thus I think that the decision on the key size should be done by the software using libgcrypt.

RSA512 is already broken; there have been public demonstrations of this. MCUs should be using ECC instead.