SOLVED

b26010 - BY DESIGN - Typo in Cryptographic ECDSA providers

MVP

There is an issue with the name of the elliptic curves provider ECDSA_P521 Smartcard + MS Key Storage Provider. 

This could be an very unfortunate typo, as renaming the crypoprovider might break things when already in use, hoping though that these strong providers are not widely in use as certain application do not support ECDSA, or not in this high security value.

I believe this issue reaches back from vNext to WS 2019. Hope this one can be fixed, still.
Tested in latest WS 2022 and vNext.

Repro Steps: 
Install Windows Server 2019 / 2022 / vNext with GUI option (for simplicity, also affects Server Manager remotely)
Install AD CS role, Certification Authority
run the post deployment wizard
at the point where to choose the root ca certificate open the cryptographic options dropdown


K_WesterEbbinghaus_0-1704000706649.png

 

 

expected behaviour:
The correct name should be ECDSA_P512#xxxxx

*512 for the bit strenght

2 Replies
best response confirmed by Karl_Wester-Ebbinghaus (MVP)
Solution

Hi @Karl_Wester-Ebbinghaus, I think there might be a misunderstanding about what "P521" represents in that key storage provider. P521 (along with P256 and P384) are elliptic curves that have been defined by the U.S. National Institute of Standards and Technology (NIST) in FIPS 186-4, section D.1.2.5, as well as in SP 800-186, section 3.2.1.5.  "P521" is actually the correct name to represent this elliptic curve in that key storage provider.

Great to learn about that Troy! I thought it is like cipher, hash lenght and 256 would be followed by a multiple of these.
1 best response

Accepted Solutions
best response confirmed by Karl_Wester-Ebbinghaus (MVP)
Solution

Hi @Karl_Wester-Ebbinghaus, I think there might be a misunderstanding about what "P521" represents in that key storage provider. P521 (along with P256 and P384) are elliptic curves that have been defined by the U.S. National Institute of Standards and Technology (NIST) in FIPS 186-4, section D.1.2.5, as well as in SP 800-186, section 3.2.1.5.  "P521" is actually the correct name to represent this elliptic curve in that key storage provider.

View solution in original post