How to find out if a Shib SP would be able to decrypt using AES128-GCM?

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

How to find out if a Shib SP would be able to decrypt using AES128-GCM?

Thomas Lenggenhager
The GCMEncryption wiki page [1] claims in the section 'Deployer Impact' that

> most Shibboleth SPs (usually recognizeable via entityID and by the /Shibboleth.sso paths in their endpoints) support GCM and most other SPs do not.

However, I haven't found any hint how I as SP administrator could easily
find out whether my SP would be able to decrypt AES128-GCM encrypted
assertions, if its metadata would publish support for this algorithm.

I guess it depends on the SP version as well as the OpenSSL version in
use. Any other dependencies?

We would like to start publishing AES128-GCM support for SPs registered
in SWITCHaai without causing too much overhead for the SP admins.

Has someone hands on experience with AES128-GCM on Shib SPs?

Any hints appreciated, thank you in advance,
Thomas

[1] https://wiki.shibboleth.net/confluence/display/IDP4/GCMEncryption

--
SWITCH
Thomas Lenggenhager, Trust & Identity
Werdstrasse 2, P.O. Box, 8021 Zurich, SWITZERLAND
phone +41 44 268 1515, direct +41 44 268 1541
https://www.switch.ch
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: How to find out if a Shib SP would be able to decrypt using AES128-GCM?

Cantor, Scott E.
On 1/13/21, 11:37 AM, "users on behalf of Thomas Lenggenhager" <[hidden email] on behalf of [hidden email]> wrote:

>    However, I haven't found any hint how I as SP administrator could easily
>    find out whether my SP would be able to decrypt AES128-GCM encrypted
>    assertions, if its metadata would publish support for this algorithm.

With few exceptions (I don't know of any, but it's theoretically possible), just hit /Shibboleth.sso/Metadata and if the supported algorithm extensions include it, it's going to work.

>    I guess it depends on the SP version as well as the OpenSSL version in
>    use. Any other dependencies?

The xml-security-c version also matters but normally is updated along with the SP anyway.

>    Has someone hands on experience with AES128-GCM on Shib SPs?

I've tagged most of my campus SPs and most of the InCommon SPs we use that support it. I ran into a few so rotted that they don't, which of course means they also have gaping security bugs anyway.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]