[Feature request] Does CanoKey have the opportunity to support the RSA4096 algorithm in PIV mode #76

Closed
PIKACHUIM opened this issue Dec 28, 2023 · 6 comments

Comments

@PIKACHUIM

I have noticed that RSA-4096 is supported in GPG mode. Can the algorithm of RSA-4096 also be supported in PIV mode?
Unfortunately, I am not familiar with the code and related encryption algorithms of this project and do not know how to add them.
If you would like to add RSA-4096, I would greatly appreciate it.

@dangfan
Member

dangfan commented Dec 28, 2023

Hi, please refer to this branch: https://github.com/canokeys/canokey-core/tree/feature/algo_ext

@Headcrabed

> I have noticed that RSA-4096 is supported in GPG mode. Can the algorithm of RSA-4096 also be supported in PIV mode? Unfortunately, I am not familiar with the code and related encryption algorithms of this project and do not know how to add them. If you would like to add RSA-4096, I would greatly appreciate it.

RSA-4096 is not officially supported in the PIV spec, but NIST SP 800-78-5 (Initial Public Draft), which was released in September 2023, added RSA-3072 to the PIV spec, and the algo_ext branch has already enabled that.

@dangfan
Member

dangfan commented Jan 2, 2024

Fixed by #78

@dangfan dangfan closed this as completed Jan 2, 2024
@PIKACHUIM
Author

PIKACHUIM commented Jan 3, 2024

Sincere thanks!

I would like to discuss whether the algorithm for hardware keys needs to comply with standards (or drafts) from NIST.
Here are some of my insights:

  1. NIST seems to be currently discussing the need to support RSA4096, and in fact, RSA4096 is already widely used elsewhere (usually referring to non-hardware-key devices).

    NIST requests feedback on the potential need to support RSA with 4096-bit keys, or for the need to add support for the EdDSA signature algorithm that is now specified in FIPS 186-5.

  2. As a PIV function of a hardware key device, some functions (such as code/document/digital signature or identity authentication) can replace HSM devices, and the above functions have been widely used with the RSA4096 algorithm

The discussions or insights I have put forward may not be correct. Feel free to share your opinions and perspectives with me.

@dangfan
Member

dangfan commented Jan 3, 2024

Thank you for your advice. Let me clarify that we actually support several non-NIST algorithms before this draft. Since this commit, algorithm IDs can be configured dynamically. And the ID for RSA-3072 by default is the value from the draft standard. Hope you enjoy the extension.

@PIKACHUIM
Author

Thank you for your support.
Looking forward to CanoKey products that support RSA3076, RSA4096, and ECC P521 appearing in my shopping cart.
