Store longer keys on Yubikeys #446

Open
renatav opened this issue Jun 11, 2024 · 3 comments

@renatav
Collaborator

renatav commented Jun 11, 2024

There should no longer be a limitation of 2048 bits.

@n-dusan
Contributor

n-dusan commented Aug 12, 2024

  • Remove the command for setting up YubiKey;
    • Point to Yubico official tooling instead

@renatav renatav moved this from Todo to In Progress in TAF Planning Oct 4, 2024
@renatav renatav self-assigned this Oct 4, 2024
@renatav
Collaborator Author

renatav commented Oct 14, 2024

After diving deeper into this, here is what I discovered:

  • As previously mentioned, PIV has a limitation of 2048 bits. Our current YubiKeys utilize a PIV slot.
  • The YubiKeys we use are compatible with OpenPGP. For detailed information on setting up the keys, see the official docs.
  • I managed to generate 4096-bit keys on my Windows machine, but this required setting key-attr as described in the official documentation.

However, even though I succeeded in generating these longer keys, our code still utilizes the PIV slot. I discovered this when implementing a command to export key-description data (which calculates key size based on the public key's length). This means that to start signing with longer keys, we'll need to completely rework our YubiKey code. Another issue is that the Python library's support is more limited compared to what the ykman CLI and other tools like GnuPG offer. Therefore, we can't easily replace the signing code that relies on PIV.

We could invoke the ykman CLI using a subprocess, but that would require users to install additional tools on their machines and will certainly be slower.

I am going to add the BIG DEAL label and move this to the backlog for now. We should conduct further research and have a discussion.
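The comment above mentions calculating key size from the public key's length. The following added example (not TAF's code and not written by the commenter) shows one way to do that with only the Python standard library: it reads the modulus out of a DER-encoded SubjectPublicKeyInfo and compares its bit length with the 2048-bit PIV limit stated in the thread. All function names are hypothetical, and the sample keys are constructed dummies, not usable keys.

```python
# Added example (not TAF code): derive the RSA key size from a DER
# SubjectPublicKeyInfo and compare it with the PIV limit named in the thread.
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1
PIV_MAX_RSA_BITS = 2048  # limit as stated in the comment above

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def rsa_key_bits(spki_der):
    """Key size in bits = bit length of the modulus inside the SPKI."""
    tag, spki, _ = read_tlv(spki_der)          # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, alg, pos = read_tlv(spki)               # AlgorithmIdentifier
    oid_tag, oid, _ = read_tlv(alg)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an RSA public key")
    _, bit_string, _ = read_tlv(spki, pos)     # BIT STRING holding RSAPublicKey
    _, rsa_key, _ = read_tlv(bit_string, 1)    # skip the unused-bits byte
    _, modulus, _ = read_tlv(rsa_key)          # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def fits_piv(spki_der):
    """True when the key is within the PIV RSA limit from the thread."""
    return rsa_key_bits(spki_der) <= PIV_MAX_RSA_BITS

def tlv(tag, value):
    """DER-encode one element (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def sample_spki(bits):
    """Constructed input: structurally valid SPKI with a dummy modulus."""
    def der_int(v):  # extra leading byte keeps the INTEGER positive
        return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    rsa_key = tlv(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))
    alg = tlv(0x30, tlv(0x06, RSA_OID) + b"\x05\x00")
    return tlv(0x30, alg + tlv(0x03, b"\x00" + rsa_key))
```
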

@renatav renatav removed their assignment Oct 14, 2024
@renatav renatav moved this from In Progress to Backlog in TAF Planning Oct 14, 2024
@renatav
Collaborator Author

renatav commented Dec 3, 2024

Another possible solution is to use a different signing scheme. This might require some refactoring, but should be doable. Something like ECC P-384 seems to be supported by PIV and is more secure than RSA 2048.

@renatav renatav moved this from Backlog to Todo in TAF Planning Dec 4, 2024
Projects
Status: Todo
2 participants