IETF Logo Mail Archive

[DNSOP] FIPS 140-3 mode on RHEL 9 and RSA validation of <2048 keys

Petr Menšík <pemensik@redhat.com> Mon, 25 April 2022 09:20 UTC

Return-Path: <pemensik@redhat.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67A423A14B1 for <dnsop@ietfa.amsl.com>; Mon, 25 Apr 2022 02:20:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.111
X-Spam-Level:
X-Spam-Status: No, score=-7.111 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fnK2RP-RCUJN for <dnsop@ietfa.amsl.com>; Mon, 25 Apr 2022 02:20:29 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BD813A14B6 for <dnsop@ietf.org>; Mon, 25 Apr 2022 02:20:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1650878427; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SCZK0L3+LkoZkrYwWC1yht89Lz4JAegVnpzYIzFEw2Q=; b=MHgLyLnSMwJvE0UyioPJIBL4zZX1YBQMcCmnegb9Wb7/O45wlNA7BZKgZgjv7mB4wCmUsc am4mrwaFvSPt574T8LdO6yCKY7ZQH+ebHYaO9cE2fVX4GaN7jrLWBs0PCZhhxnLZbWIqRR 8UTYO+9FUPfwSXSpjuuGkdrnve4rcj0=
Received: from mail-wr1-f71.google.com (mail-wr1-f71.google.com [209.85.221.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-365-C3aU3HAhN9ebiDOH3DM4ug-1; Mon, 25 Apr 2022 05:20:23 -0400
X-MC-Unique: C3aU3HAhN9ebiDOH3DM4ug-1
Received: by mail-wr1-f71.google.com with SMTP id j21-20020adfa555000000b0020adb9ac14fso566792wrb.13 for <dnsop@ietf.org>; Mon, 25 Apr 2022 02:20:22 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent :content-language:to:from:organization:subject :content-transfer-encoding; bh=SCZK0L3+LkoZkrYwWC1yht89Lz4JAegVnpzYIzFEw2Q=; b=Qoob4YwRAKDsvOcysngr+NLoUkK6/UsFNCDBvzYex8bxcMcaWJJxG2PbOEdBF1eTzx musJVfhMbD/XPpq2mj3HDt4wRKp/Or40nabUyAaNose4pi/thngZlb35pj19Ld8ri3cp n16mMP4A4SzuPMzMn26w/dJZ9rcdm2wK1nqBBptR/NdAp8k0xkAHK5OWWb1Xwq9SddJH 6hRbmT8o5FIZBQht/HRhbTYpZIf5P1Va80/biB/5xRT/xwKyhEQejFlI7fD4WmWOOBGA 2w6Fgmk0ODltvFzwGEpaJ141AiG4cCNODr1vRtEwRyVdfu3sB55G28f6pkryrrhFgOFi PQCA==
X-Gm-Message-State: AOAM533WE0VELnyL7vP8tcS0c4DSugJmiE/B03dYs+PlxA3ohgLbKaLS tigdBddYjYBPklrY1ubrFXr6qazRNJyI3oBPQHI3K+Pu0QX0HQiSk0P5ugV9BhYMnEygO+dELtk IIEkDzLZoCvnXaidqNi8nIEQzQ9SbHXSmyAADd95Pppn+EoLJ8netkxo8gA==
X-Received: by 2002:a5d:6205:0:b0:1e4:b3fd:9ba8 with SMTP id y5-20020a5d6205000000b001e4b3fd9ba8mr13223906wru.426.1650878421720; Mon, 25 Apr 2022 02:20:21 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwdFH4Bkl5kU+yaCqenHZzb2cEd8Lo8wHanAE/+nunMbE2xk0UF/LzQsGq/Pgc4cysySVqG5g==
X-Received: by 2002:a5d:6205:0:b0:1e4:b3fd:9ba8 with SMTP id y5-20020a5d6205000000b001e4b3fd9ba8mr13223885wru.426.1650878421289; Mon, 25 Apr 2022 02:20:21 -0700 (PDT)
Received: from [192.168.88.164] ([46.149.126.14]) by smtp.gmail.com with ESMTPSA id o38-20020a05600c512600b00393ead99c5bsm3061417wms.26.2022.04.25.02.20.20 for <dnsop@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 25 Apr 2022 02:20:20 -0700 (PDT)
Message-ID: <356059e5-e973-3d6c-569c-9ff9d9fe16e6@redhat.com>
Date: Mon, 25 Apr 2022 11:20:19 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
To: "dnsop@ietf.org" <dnsop@ietf.org>
From: Petr Menšík <pemensik@redhat.com>
Organization: Red Hat
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=pemensik@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Language: en-US
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Vk0tdPPmwgRJA6Hy-3ykIHB_-l8>
Subject: [DNSOP] FIPS 140-3 mode on RHEL 9 and RSA validation of <2048 keys
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 09:20:35 -0000

Hello,

I have sent already a notification about SHA-1 not validated in default
configuration. However that was not end of the story.

A new and even more severe issue has arisen. Our crypto team is
responsible for preparing RHEL 9 for FIPS 140-3 certification. They said
there is legal obligation to stop using all RSA signatures with keys
shorter than 2048 bits. I expect many of you already know especially
Zone Signing Keys often use 1280 or even 1024b keys without issues.

Current RHEL 9 validates such signatures well, but there is a bug [1]
filled to change that and start enforcing longer keys usage only.
Because it would be enforced at crypto library level (openssl), common
DNSSEC validation software would start failing. On quite a lot of
domains. And failing to resolve such names.

I am looking for the best way out of this. Once the above happens
without any changes to used DNS(SEC) software, the only way to keep
working DNS servers working would be either turning off FIPS more or
DNSSEC validation. I know the result seems quite ridiculous, because all
this has been done in order to increase the security. The only
alternative without changes would be disabling all RSA altogether and
providing a long list of ECDSA trust anchors for TLD domains, where at
least ECDSA would offer protection.

I think the only good way would be starting considering shorter keys as
insecure in FIPS mode. Anything above those domains would be without
DNSSEC protection, but at least single root key could be used. Do you
think it would be safe once the DS digest is checked on the key, that
key is then can be marked as insecure instead of bogus. Just as if the
algorithm were unsupported, but after checking the length of key.
Because the crypto library would refuse any operation, including
signature validation, on the given key. I think the library would not
even allow loading that key.

Do you think there might be possible attacks on such algorithm? Would it
be possible to take advantage of it and downgrade also names protected
by long enough keys? Would the behaviour mentioned above require updated
protocol or just modification of existing software? Is the described
behaviour forbidden by existing RFCs?

Any help or comments would be very welcome.

Best Regards,
Petr Menšík

1. https://bugzilla.redhat.com/show_bug.cgi?id=2077884

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

v2.23.0 | Report a Bug | By Email