On 10/5/2010 10:04 AM, Martin Paljak wrote:
> Hello
> On Thu, Sep 30, 2010 at 18:07, Douglas E. Engert<deeng...@anl.gov>  wrote:
>
>> With OpenSSL-1.0.0a pkcs11-tool -M shows:
>>
>>   Supported mechanisms:
>>    RSA-PKCS-KEY-PAIR-GEN, keySize={1024,3072}, keypairgen
>>
>> Without OpenSSL, pkcs11-tool -M
>>    RSA-PKCS, keySize={1024,3072}, sign, unwrap, decrypt
>>
>> Note that verify is not listed without OpenSSL, as the
>> pkcs11/openssl.c adds the OpenSSL hash and verify functions.
>
> Interesting. RSA-PKCS-KEY-PAIR-GEN should have nothing to do with
> OpenSSL.

Looks like pkcs11/framework-pkcs15.c line 1348 has #ifdef ENABLE_OPENSSL
that will add this mech.

> Also, OpenSC (and most smart cards) currently only properly do
> keys up to 2048 bits.

The NIST 800-73-1 (March 2006) specs called for the PIV applet to
optionally support 3072 bit keys. So that is what the driver says
is available. Since the ordinary user can not generate a key on the
card, and the only keys that can be used are tied to certificates,
the actual size of the key is determined from the certificate.

> opensc.h has #define SC_CARD_CAP_RSA_2048, JavaCard 2.2.2 has only
> KeyBuilder.LENGTH_RSA_2048
>
> The suggested key sizes apparently only double over years, so 4096
> seems more popular than 3072 for some reason :)

NIST 800-78-2 (February 2010) has a nice chart of required key sizes,
and 1024 bit keys are to be gone by 12/31/2013, in all cases. There
is no mention of 3072 bit keys, and I don't think there are any
PIV cards that support them today, but I don't think it hurts to say
the card supports 3072.

But 800-78-2 is also pushing for ECDSA P-256 and P-384 for certificates,
and ECDH for Key Management. So the trend appears to be to use EC keys
rather than larger and larger RSA keys.


-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
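As an added check that is not part of this thread or of OpenSC itself: a small Python parser for `pkcs11-tool -M` mechanism lines (the sample output below is constructed to match the lines quoted above) that flags sign-capable mechanisms with no verify flag, the sign of a build without OpenSSL that Doug describes, and RSA mechanisms still advertising 1024-bit keys, which 800-78-2 retires after 12/31/2013. The `min_rsa_bits` floor and the mechanism names beyond those quoted are assumptions.

```python
import re

# Constructed samples modelled on the two pkcs11-tool -M listings quoted in the thread.
SAMPLE_NO_OPENSSL = """Supported mechanisms:
  RSA-PKCS, keySize={1024,3072}, sign, unwrap, decrypt
  RSA-X-509, keySize={1024,3072}, sign, unwrap, decrypt
"""
SAMPLE_WITH_OPENSSL = """Supported mechanisms:
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,3072}, keypairgen
  RSA-PKCS, keySize={1024,3072}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
"""

# One mechanism line: NAME, keySize={min,max}, flag, flag, ...
MECH_RE = re.compile(r"^\s*([\w-]+),\s*keySize=\{(\d+),(\d+)\},\s*(.*)$")


def parse_mechanisms(text):
    """Return {name: (min_bits, max_bits, set(flags))} for each mechanism line."""
    mechs = {}
    for line in text.splitlines():
        m = MECH_RE.match(line)
        if m:
            name, lo, hi, flags = m.groups()
            mechs[name] = (int(lo), int(hi), {f.strip() for f in flags.split(",") if f.strip()})
    return mechs


def audit(text, min_rsa_bits=2048):
    """Review aid: list RSA mechanisms advertising keys below the floor (assumed 2048,
    since 800-78-2 retires 1024-bit keys after 2013-12-31) and sign mechanisms that
    lack verify, which in the thread indicates a pkcs11 build without OpenSSL.
    The advertised range is only what the driver claims; the real key size of a
    PIV key is determined by its certificate."""
    findings = []
    for name, (lo, hi, flags) in parse_mechanisms(text).items():
        if "RSA" in name and lo < min_rsa_bits and ("sign" in flags or "keypairgen" in flags):
            findings.append(f"{name}: advertises {lo}-bit keys, below floor {min_rsa_bits}")
        if "sign" in flags and "verify" not in flags:
            findings.append(f"{name}: sign without verify (token built without OpenSSL?)")
    return findings


if __name__ == "__main__":
    for label, sample in (("no OpenSSL", SAMPLE_NO_OPENSSL), ("with OpenSSL", SAMPLE_WITH_OPENSSL)):
        print(label, audit(sample))
```

Feed it the real listing with `pkcs11-tool -M | python3 this.py` style piping by replacing the samples with `sys.stdin.read()`.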
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
