Suggested crypto libs for Diffie-Hellman and Elliptic Curve Diffie-Hellman
Andreas Schneider
asn at samba.org
Wed Nov 22 11:07:54 UTC 2023
On Thursday, 16 November 2023 07:08:59 CET Andrew Bartlett via samba-technical
wrote:
> For Group Managed service accounts, which we are working on, for
> reasons around RODCs and a few other things, Microsoft has decided to
> internally use a key-agreement between a 'root key' and a 'service
> key', both held in AD.
>
> The password comes, as I understand it, from the key agreement derived
> out of a Diffie-Hellman or Elliptic Curve Diffie-Hellman exchange.
>
> This is all in MS-GKDI, referenced from
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/9cd2fc5e-7305-4fb8-b233-2a60bc3eec68
>
> I just wanted to check if there are particularly cryptographic
> libraries we should consider for this work.
>
> In the past we have looked to libnettle when gnutls didn't provide the
> functions we wanted, but that was backed out fairly fast as another
> method was found (https://bugzilla.samba.org/show_bug.cgi?id=13276
> 07844a9a13506b4ca9181cfde05d9e4170208f88).
>
> Even so, for this case is libnettle still the best first place to look?

If something you need is missing in GnuTLS, open tickets at GnuTLS. They are
fairly quick at implementing the stuff we need.
They implemented all the features we needed for Samba so far. Example:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1611/
Also AES-GMAC, AES-CCM, AES-CFB8 ...
They also fixed performance issues we discovered ...
Best regards
Andreas
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D