I am sorry it took so long.

Our intention is to get rid of RSA keys < 2048b, because they are considered
too weak; an 829-bit key was factorized in 2020 [1]. However, the FIPS team
is aware it is technically permissible to do just verification with
smaller key sizes and is evaluating the impact. The FIPS team also thinks
adoption of strong enough algorithms in DNSSEC is very slow. Web PKI
moved to 2048b keys in 2013 [2].

The legacy use in FIPS mode is not very well defined. The FIPS team
thinks legacy use should cover only signatures made when those keys were
considered secure, which would be application-specific and which might
not solve the DNSSEC problem, as it is using smaller keys deliberately
because of technical limitations with larger keys. Not fresh signatures
with a short expiration period and refreshed periodically.

Also, the NIST SP 800-131Ar2 document [3] mentions legacy use of any key
equal to or above 1024 bits. But the FIPS 140-3 Implementation Guidelines [4]
explicitly mention only keys of exactly 1024 bits; otherwise the only allowed
keys are those permitted to be generated. That would be >=2048 bits,
that is clear enough.

Fortunately, NIST labs gave us a green flag and agreed legacy use is okay
also for higher sizes. It seems it would break on a few shorter keys, but
most domains can still be validated. I would try modifying
shipped validators to pass on shorter keys.

Overall there is no sensation or critical breakage, which I expected for
some time. I am sorry for the disturbance caused. Only minor issues will
arise. Thank you for your attention and I hope I haven't caused any harm.

Best Regards, Petr Menšík

1. https://en.wikipedia.org/wiki/RSA_numbers#RSA-250
2. https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf
3. https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.3.pdf
4. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf

On 27. 04. 22 14:16, Petr Menšík wrote:

Thank you for those references, they are very useful.

I need to discuss our stance internally first. I think we should have a
better response prepared.
It may take a few days to formulate and explain our direction.

Thanks,
Petr

On 4/25/22 12:02, Bjørn Mork wrote:

Petr Menšík <pemen...@redhat.com> writes:

> Our crypto team is
> responsible for preparing RHEL 9 for FIPS 140-3 certification. They said
> there is legal obligation to stop using all RSA signatures with keys
> shorter than 2048 bits.

Either they're wrong or you're misquoting them by merging "signing" and
"verifying" into the confusing and misleading term "using". FIPS 140-3
is a bit more specific than that, fortunately.

See table 2 in

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf

which shows the status of RSA keys with 1024 ≤ len(n) < 2048 for Digital
Signature Verification as "Legacy use".

The text following that table provides more detail:

> Key lengths providing less than 112 bits of security that were
> previously specified in FIPS 186 are allowed for legacy use when
> verifying digital signatures.

and

> RSA: See FIPS 186-2 and FIPS 186-4, which include modulus lengths
> of 1024, 1280, 1536 and 1792 bits, may continue to be used for
> signature verification but not signature generation

Bjørn
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
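
The signing/verifying split discussed in this thread, applied to DNSSEC RSA keys, as an added example that is not part of any message above. The function names and sample keys are hypothetical; the RFC 3110 key layout is not quoted in the thread, and the "not-covered" result for moduli below 1024 bits is an assumption, since the thread only cites the 1024 ≤ len(n) < 2048 row.

```python
import base64

# DNSSEC algorithm numbers that carry RFC 3110 RSA keys:
# 5 RSASHA1, 7 RSASHA1-NSEC3-SHA1, 8 RSASHA256, 10 RSASHA512
RSA_ALGS = {5, 7, 8, 10}

def rsa_modulus_bits(pubkey: bytes) -> int:
    """Return len(n) in bits for an RFC 3110 RSA public key field."""
    if not pubkey:
        raise ValueError("empty key")
    if pubkey[0] != 0:                      # short form: 1-octet exponent length
        exp_len, off = pubkey[0], 1
    else:                                   # long form: 0x00 + 2-octet length
        if len(pubkey) < 3:
            raise ValueError("truncated exponent length")
        exp_len, off = int.from_bytes(pubkey[1:3], "big"), 3
    modulus = pubkey[off + exp_len:]
    if exp_len == 0 or not modulus:
        raise ValueError("truncated key")
    return int.from_bytes(modulus, "big").bit_length()

def classify(bits: int, operation: str) -> str:
    """Status of an RSA modulus length for 'sign' or 'verify'."""
    if operation not in ("sign", "verify"):
        raise ValueError("operation must be 'sign' or 'verify'")
    if bits >= 2048:
        return "acceptable"
    if operation == "sign":
        return "disallowed"                 # no signature generation below 2048
    # Verification only: the row quoted in the thread is 1024 <= len(n) < 2048.
    # Assumption: anything smaller is reported as outside that row.
    return "legacy-use" if bits >= 1024 else "not-covered"

def dnskey_status(rdata: str, operation: str):
    """Take DNSKEY RDATA in presentation form, return (bits, status)."""
    _flags, _proto, alg, *b64 = rdata.split()
    if int(alg) not in RSA_ALGS:
        raise ValueError("not an RSA DNSKEY algorithm")
    bits = rsa_modulus_bits(base64.b64decode("".join(b64)))
    return bits, classify(bits, operation)

def sample_dnskey(bits: int) -> str:
    """Constructed test key: right length only, not a usable RSA modulus."""
    n = ((1 << (bits - 1)) | 1).to_bytes((bits + 7) // 8, "big")
    return "256 3 8 " + base64.b64encode(b"\x03\x01\x00\x01" + n).decode()

if __name__ == "__main__":
    for size in (512, 1024, 1280, 2048):
        for op in ("sign", "verify"):
            print(size, op, dnskey_status(sample_dnskey(size), op)[1])
```

A validator that rejects on the "sign" result fails zones that the verification row still permits, which is the distinction the replies in this thread turn on.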