TLS "suite B" profile should not include RSA #8221

mpg · 2023-09-18T09:01:18Z

Summary

The "NSA Suite B" profile for TLS is defined in RFC 5430. One of its defining characteristic is that all the asymmetric crypto is based on elliptic curves - not RSA or FFDH.

However at some point it looks like we ended up adding RSA signatures to ssl_preset_suiteb_sig_algs and ssl_tls12_preset_suiteb_sig_algs in ssl_tls.c. This is wrong and should be fixed.

(Note: the "suite B" profile in X.509 is unaffected.)

The text was updated successfully, but these errors were encountered:

daverodgman · 2023-09-18T10:00:09Z

We should also review the rest of the suite B ssl_preset_suiteb_xxx presets to check that they match the RFC.

mpg added the bug label Sep 18, 2023

daverodgman added the size-s Estimated task size: small (~2d) label Sep 18, 2023

yanrayw self-assigned this Nov 22, 2023

yanrayw mentioned this issue Nov 22, 2023

TLS: remove RSA signature algorithms in suite B profile #8554

Merged

3 tasks

tom-cosgrove-arm closed this as completed in #8554 Jan 12, 2024

LiLongNXP mentioned this issue Aug 8, 2024

[toup] zephyr: crypto: Fix for embedtls zephyrproject-rtos/hostap#20

Closed

github-project-automation bot added this to Backlog for Mbed TLS Aug 30, 2024

github-project-automation bot moved this to [3.6] TLS 1.3 misc for LTS in Backlog for Mbed TLS Aug 30, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

TLS "suite B" profile should not include RSA #8221

TLS "suite B" profile should not include RSA #8221

mpg commented Sep 18, 2023

daverodgman commented Sep 18, 2023

TLS "suite B" profile should not include RSA #8221

TLS "suite B" profile should not include RSA #8221

Comments

mpg commented Sep 18, 2023

Summary

daverodgman commented Sep 18, 2023