PIV: Support AES management keys #330
Comments
|
Hi all, I'm interested in working on this. One of the first questions I have is: the MgmKey struct now needs to either be a DES key or an AES key. If I turn it into an enum, I then have to bifurcate every method on MgmKey - I think this is the way I went the last time I (privately) attempted this. It works, but doesn't feel tidy. Alternately, maybe MgmKey could be a trait, and DesKey/AesKey could implement that? I'd hope with that approach that the code for different key types would be neatly separate, but I have no idea what the downsides to this are. Anyone have a recommendation? Or I can just wade in and see how it looks. |
|
Could go either way, although the trait-based approach sounds a bit nicer to me |
str4d
added a commit
to str4d/age-plugin-yubikey
that referenced
this issue
Dec 30, 2022
Supporting them is blocked on iqlusioninc/yubikey.rs#330.
This was referenced Dec 30, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Historically, YubiKey's PIV applet only supported 3DES management keys. However, YubiKeys with firmware 5.4 and up (produced starting from May 2021) support AES-128, AES-192, and AES-256 management keys, which are allowed at least as early as NIST SP 800-78-2 (released in 2010).
We should add support for AES management keys, to enable people who want to migrate away from the default 3DES keys to do so.
The text was updated successfully, but these errors were encountered: