-
jbk
though the keysize is coming from softSlotToken.c
-
jbk
and the 'relaxation' seems to have originated with 6831413
-
jbk
so my guess is maybe they just missed a spot?
-
jbk
also looks like google's pkcs11 test suite doesn't check that either
-
jbk
(granted we fail it miserably already)
-
jbk
though it's been a few years since i've touched any of it
-
tsoome
we still have des enabled? "A CVE released in 2016, CVE-2016-2183 disclosed a major security vulnerability in DES and 3DES encryption algorithms. This CVE, combined with the inadequate key size of DES and 3DES, led to NIST deprecating DES and 3DES for new applications in 2017, and for all applications by the end of 2023."
-
tsoome
do not fix it, drop it.
-
nbjoerg
better question would be "for what"
-
otis
tsoome: or if not drop it, then at least "turn it off in default installation"
-
otis
alas, not everyone might/can/will update their hashes in legacy system(s). on the other side, it's 2023, 3DES is so '80s
-
tsoome
it is not just about being '80s, it is a security issue.
-
otis
in the early '80s the common security awareness was not as high as it is today
-
tsoome
today, if you have no security awareness, you should not be connected to the network ;)
-
otis
i know of some *big* networks where they use public IPs on workstations and they do not have any firewall in place.
-
tsoome
well, that alone is no problem, but if you add there a "no patching" policy too, then it is a problem.
-
otis
patching can add only an illusory sense of security. but probably still better than nothing (leaving apart the fact that on those big networks there are windows workstations and workers want to connect via RDP directly from home, without any VPN)
-
otis
anyway, not my business. 3DES should be deprecated.
-
sjorge
otis $work being one of them, there is just a basic global acl set
-
sjorge
but unless you jump through hoops everything gets a pub ipv4
-
sommerfeld
otis: so my vague recollection was that des was 80's, 3des was 90's. IMHO should be disabled by default but for things like file encryption, etc., there should be a "break glass to reenable DES/3DES to decrypt your advisor's old thesis data files" config option