Encryption Error
Brent Putman
putmanb at georgetown.edu
Wed Jul 6 18:36:27 EDT 2016
On 7/6/16 6:27 PM, Brent Putman wrote:
>
>
>
> On 7/6/16 5:40 PM, Cantor, Scott wrote:
>>
>> I don't think we're using GCM by default for XML Encryption though, are we?
>
> Not by default, but it would if the metadata said to via the
> algorithm extensions (which I think the Shib SP metadata does by
> default IIRC)
Yeah, the generated SP metadata is doing this by default, at least on
the version we have on shibboleth.net:
<md:EncryptionMethod
Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
<md:EncryptionMethod
Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
<md:EncryptionMethod
Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
<md:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<md:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
<md:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<md:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<md:EncryptionMethod
Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
<md:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
So the IdP will attempt to do GCM if it sees peer metadata like that,
and if it detects runtime support for GCM.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20160706/a6e17150/attachment.html>
More information about the users
mailing list