Support for EC crypto?

Cantor, Scott cantor.2 at osu.edu
Sun Sep 13 20:54:51 EDT 2015


On 9/13/15, 4:35 PM, "users on behalf of Stefan Santesson" <users-bounces at shibboleth.net on behalf of stefan at aaa-sec.com> wrote:
>
>On the same subject, what about AEAD instead of CBC for encrypted Assertions?

If you mean AES-GCM, the answer is basically the same, and I'm somewhat more certain you won't find any significant support for it in most products.

On the Java side, you need Java 8 to get GCM support out of the JCE and I don't think interop between, say, Bouncy Castle's version and Oracle's has been proven. We haven't really tested my code against Java's either, so I don't even know if our own IdP and SP interoperate with it.

One of the significant changes that occurred is that Red Hat updated OpenSSL mid-release in RHEL6 to 1.0.1 and turned EC on. Both EC and GCM were missing in the original release, and that would have ended any conceivable window for either in open source software for a decade. They didn't manage the transition to 1.0.1 well, but they did deliver it early.

Bottom line, requiring GCM was a huge mistake by the W3C, which I argued against. The JOSE stack used an RFC that combines an HMAC with AES-CBC in a way that works with off the shelf CBC code and would have been immediately deployable by XML Signature libraries. I was angry about it, still am. GCM's a great thing, and I used it to implement our encryption-to-self code in V3 and it works fabulously, but in terms of library support, it's very bad.

-- Scott
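The construction Scott refers to, the JOSE AES_CBC_HMAC_SHA2 composition (RFC 7518 section 5.2) that turns plain CBC plus HMAC into an authenticated cipher, written out in Go for the A128CBC-HS256 variant. This is an added example, not Shibboleth, OpenSAML or Java JCE code; the IV is passed in by the caller (in practice it must be fresh random bytes per message) and the key, IV and header values used to exercise it are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// authTag is the RFC 7518 s.5.2 tag: HMAC-SHA256(macKey, aad||iv||ct||bitlen(aad)) truncated to 16 bytes.
func authTag(macKey, aad, iv, ct []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8) // AAD length in bits, big-endian
	h := hmac.New(sha256.New, macKey)
	for _, part := range [][]byte{aad, iv, ct, al} {
		h.Write(part)
	}
	return h.Sum(nil)[:16]
}

// Seal is A128CBC-HS256 encrypt-then-MAC: key is 32 bytes (MAC key || AES key), iv is 16 bytes.
func Seal(key, iv, aad, pt []byte) (ct, tag []byte, err error) {
	if len(key) != 32 || len(iv) != aes.BlockSize {
		return nil, nil, errors.New("key must be 32 bytes and iv 16 bytes")
	}
	block, _ := aes.NewCipher(key[16:]) // cannot fail: length checked above
	n := aes.BlockSize - len(pt)%aes.BlockSize // PKCS#7: always add 1..16 bytes of padding
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct, authTag(key[:16], aad, iv, ct), nil
}

// Open checks the tag in constant time before decrypting, so a bad header, IV, ciphertext or padding all fail alike.
func Open(key, iv, aad, ct, tag []byte) ([]byte, error) {
	if len(key) != 32 || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 || !hmac.Equal(tag, authTag(key[:16], aad, iv, ct)) {
		return nil, errors.New("authentication failed")
	}
	block, _ := aes.NewCipher(key[16:])
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // the padding was under the MAC, so a range check is enough
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}
```

Because the tag covers the IV and the header as well as the ciphertext, any of them can be verified before a single block is decrypted, which is exactly why the scheme works with an unmodified CBC implementation.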
