FS#786 - Please add support for the ecdsa key type #7984
Comments
bjonglez: You can compile dropbear with the ''DROPBEAR_ECC'' option in menuconfig if you want ECDSA support. However, it adds 23 KB to the dropbear binary on MIPS, so this may be too much to enable it by default. From ''package/network/services/dropbear/Config.in'':

```kconfig
config DROPBEAR_ECC
	bool "Elliptic curve cryptography (ECC)"
	default n
	help
	  Enables elliptic curve cryptography (ECC) support in key exchange and public key
	  authentication.
```
Uqbar: I think that 23 kB is not overkill for all devices with 8+ MB flash.

NeoRaider: I agree that 23K is too much to enable by default. One way out would be to create two dropbear package variants, so opkg can be used to install one or the other. Then we might also select the default variant for each image separately based on the flash size, but I don't really like that idea, because it would be a deliberate inconsistency between images of the same target.

Uqbar: Well, the current default LuCi theme "bootstrap" is rather large (55 kB) compared to the original openwrt theme (20 kB). If I could vote, I would bring the "old theme" back in order to make room for better security by default. This is just my opinion, but I am supporting it with some real numbers.
spitfire: It would be very useful for me - I'm trying to switch to [[https://github.com/ntrippar/sekey|sekey]], which would let me store my key in a more secure way, and it only supports ecdsa keys.

metaquanta: Uqbar's argument is quite strong. It's absurd that LuCi's new theme is more important than including the latest public key crypto. I switched to ed25519 a while ago, and have found it a little annoying keeping around a wrt-only RSA key. However, it's recently come to my attention that ECC's strength lies only in key size and is actually weaker in a post quantum world than RSA. And we'll be living in a post quantum world sooner than any of us realize (possibly). I, personally, am switching back to RSA with the largest supported key sizes. I hope you've heard the rumors that certain entities have been keeping recordings of our handshakes for some time due to the potential utility of all that old data once anyone can run Shor's. https://arxiv.org/abs/1706.06752 Even if Moore's law holds, that could still buy us an extra year. matt

jow-: The size increase in dropbear after compression is ~12 KB for x86. The size difference between luci-theme-bootstrap and luci-theme-openwrt after compression is ~1 KB.
Uqbar: In my personal case (IPv4 only, mips_24kc), for example, I could remove:
which don't really give me anything useful. And I am not really sure about when the quantum world will be effective, though.

IMHO size does not outweigh usability and purpose. You basically can't ssh into an OpenWRT router from a default Linux installation with a default key, which is pretty much everywhere ECDSA, be it Debian, Ubuntu, Fedora/OpenSuse or Manjaro/Arch IMHO. I frequently can't believe that a router does not cope with that by default.
+1 to support ECDSA in dropbear

Please add ECDSA.

+1 to support ECDSA in dropbear

It's already working.
Hi @Djfe, thanks for passing by. Can you elaborate a little bit more on where I can find information on how to use ECDSA keys? I just tried it again and added a key via LuCI that is correctly piped to /etc/dropbear/authorized_keys. But still, the logs say
A quick try to generate a key brings:
Seems that Ed25519 is supported, though...
It looks like openwrt 22.03.3 still doesn't support the ecdsa algorithm. All my Debian 11 servers work well with my pubkey/privatekey pair, but openwrt doesn't.

So sorry for getting anyone's hopes up. I agree that non-"tiny" targets probably have enough free space for ecdsa, but then again: inconsistencies, and I don't have any clue about the implications for the build system (if this is even possible unless you have two dropbear packages, one of which is larger). Seems to me like the maintainers made a choice and we have to live with Ed25519 support.
If you require ecdsa, then compile your own image, I guess. According to the second post there is a way to enable it in menuconfig during the build.

Thanks for your work. Just now I disabled dropbear and am using

Can it be possible to at least add a warning in luci when one tries to add an unsupported key type?
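The two practical points in this thread are bjonglez's build-time switch (set DROPBEAR_ECC before building) and the request just above for a pre-flight warning when an authorized_keys entry uses a key type the installed dropbear cannot accept. The script below is an added example written for this page; it is not code from OpenWrt, dropbear or LuCI, and the helper names (enable_dropbear_ecc, check_authorized_keys, warn_unsupported) are mine. It assumes that OpenWrt's Kconfig writes the `config DROPBEAR_ECC` entry into `.config` as `CONFIG_DROPBEAR_ECC`, and it encodes only the acceptance rules the thread itself reports: ssh-rsa and ssh-ed25519 work on the default build, the three ecdsa-sha2-nistp* types only work when DROPBEAR_ECC was enabled, and anything else is reported as unknown rather than guessed at. The sample `.config` and authorized_keys contents in the demo are constructed, with fake key blobs.

```shell
#!/bin/sh
# Added example for this thread; not code from OpenWrt, dropbear or LuCI.
# Assumptions (helper names are hypothetical, mine):
#   - OpenWrt's Kconfig renders "config DROPBEAR_ECC" into .config as CONFIG_DROPBEAR_ECC
#   - key acceptance follows the thread: ssh-rsa and ssh-ed25519 always accepted,
#     ecdsa-sha2-nistp256/384/521 accepted only when built with DROPBEAR_ECC

# enable_dropbear_ecc FILE: set CONFIG_DROPBEAR_ECC=y in an OpenWrt .config.
# Idempotent: rewrites "# CONFIG_DROPBEAR_ECC is not set" if present, appends
# otherwise, and never produces a duplicate symbol line.
enable_dropbear_ecc() {
    cfg="$1"
    grep -q '^CONFIG_DROPBEAR_ECC=y$' "$cfg" && return 0
    tmp="$cfg.tmp.$$"
    # awk rather than sed -i: portable, and copes with a missing final newline
    awk 'BEGIN { done = 0 }
         /^# CONFIG_DROPBEAR_ECC is not set$/ { print "CONFIG_DROPBEAR_ECC=y"; done = 1; next }
         { print }
         END { if (!done) print "CONFIG_DROPBEAR_ECC=y" }' "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}

# check_authorized_keys FILE ECC: print "<keytype> <verdict>" for every entry,
# where ECC is y or n according to whether the router's dropbear was built with
# DROPBEAR_ECC. Verdict is ok, rejected or unknown. Leading options such as
# command="..." or no-pty are skipped so the key type field is what gets judged.
check_authorized_keys() {
    keys="$1"; ecc="$2"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f      # split on whitespace without globbing
        while [ $# -gt 0 ]; do            # skip option fields before the key type
            case "$1" in ssh-*|ecdsa-*|sk-*) break ;; *) shift ;; esac
        done
        if [ $# -lt 2 ]; then echo "malformed rejected"; continue; fi
        case "$1" in
            ssh-rsa|ssh-ed25519) verdict=ok ;;
            ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
                if [ "$ecc" = y ]; then verdict=ok; else verdict=rejected; fi ;;
            *) verdict=unknown ;;
        esac
        echo "$1 $verdict"
    done < "$keys"
}

# warn_unsupported FILE ECC: print every entry that is not "ok" and return 1 if
# there were any; return 0 when every key will be accepted. This is the kind of
# check the thread asks LuCI to run before saving a pasted key.
warn_unsupported() {
    check_authorized_keys "$1" "$2" | grep -v ' ok$' || return 0
    return 1
}

demo() {
    d=$(mktemp -d)
    # constructed sample inputs; the key blobs below are fake
    printf '# CONFIG_DROPBEAR_ECC is not set\nCONFIG_PACKAGE_dropbear=y\n' > "$d/.config"
    enable_dropbear_ecc "$d/.config"
    cat "$d/.config"
    cat > "$d/authorized_keys" <<'EOF'
# laptop (ed25519 works on the stock build)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKE user@laptop
# macOS Secure Enclave key: only accepted when dropbear has DROPBEAR_ECC
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIFAKE mac@enclave
command="uptime",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABFAKE ops
EOF
    echo "--- stock build (no ECC):"
    warn_unsupported "$d/authorized_keys" n || echo "some keys would be rejected"
    echo "--- build with DROPBEAR_ECC:"
    warn_unsupported "$d/authorized_keys" y && echo "all keys accepted"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh dropbear_ecc_check.sh demo` to see both verdicts. After rebuilding with the symbol set, the quick confirmation on the router is `dropbearkey -t ecdsa -f /tmp/test_key`: a build without ECC refuses to generate the key, which is the failure the poster above ran into, while a build with it succeeds.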
Maybe you can open an issue with this feature request.

I use (non-exportable) ecdsa keys bound to the Secure Enclave on a MacBook. The only supported key algorithm is ecdsa. It's unfortunate to see that dropbear on OpenWrt does not come with ecdsa support out of the box.
@LittleNewton |
Sorry to beat a dead horse, but it is not possible to add a
Uqbar:
At the moment the dropbear tool is compiled without ecdsa key type support.
ECDSA (https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) is considered better than RSA as it requires fewer key bits to gain the same security.