Re: [Fed-Talk] Smartcard decryption not working under Sonoma
- Subject: Re: [Fed-Talk] Smartcard decryption not working under Sonoma
- From: "Rowe, Walter P. \(Fed\) via Fed-talk" <email@hidden>
- Date: Wed, 31 Jan 2024 17:21:24 +0000
I have it on good authority that Apple is aware of the issue and it is a P1
priority. No time frame given for resolution as per usual Apple protocol.
Walter
--
Walter Rowe, Division Chief
Infrastructure Services Division
Mobile: 202.355.4123
On Jan 31, 2024, at 10:51 AM, Neely, Lee via Fed-talk
<email@hidden> wrote:
I have the same issue, Outlook or Apple Mail. Per my local Mac team, this is a
bug in 14.3. (I didn’t test earlier versions of Sonoma, but there was a fix to
CoreCrypto in 14.3 addressing a timing side-channel attack, CVE-2024-23218.) It
is not fixed in the developer release of 14.4.
What’s worse is there are use cases where it will briefly decode and display
the message in the Outlook preview pane before it goes back to a blank with the
S/MIME attachment. (A tease). Encryption appears to work fine. This feels
like either a timeout or driver crash. (Agreed, it's deep in the internals of the
subsystem, and given the nature of the update to CoreCrypto…)
For me, the “fix” has been to map my smartcard (shared not exclusively) to a
Windows VM and run Outlook there. Not perfect but better than being unable to
read/reply as I’m not able to download a soft cert to put in my keychain. As
far as I can tell, non-smartcard decrypt works.
Signing works properly. (Email or Adobe). As does Smartcard Authentication.
Lee Neely
Senior Cyber Advisor
Cyber Security Program, LLNL
From: Ken Hornstein via Fed-talk
<email@hidden>
Date: Tuesday, January 30, 2024 at 6:17 PM
To: email@hidden <email@hidden>
Subject: [Fed-Talk] Smartcard decryption not working under Sonoma
I have yet to do a deep dive into this issue, but I am wondering if anyone
else has seen this problem.
As far as I can tell, RSA decryption using a Smartcard (e.g., decrypting
a S/MIME email using your CAC/PIV card) is failing on Sonoma. I had a
co-worker tell me that Outlook was not working for them on Sonoma
for decrypting messages, so I gave them a few things to try by hand
(the one fallback I always use is the "security cms" command). But
that didn't work either, and I came to realize after some testing that
ALL apps that use decryption with a key on a Smartcard failed; at first
I was testing apps that used keychain-pkcs11 so I thought that code
was the problem, but some further digging showed that the same issue
affected Apple native apps as well. The error seems to be coming
from deep within the Security framework and unfortunately doesn't
seem to be helpful (from memory it was something like "incorrect
parameter supplied").
In our case the user reported that they were able to successfully decrypt
those messages if they downloaded the decryption certificate and key from
the key escrow site, but that was massively inconvenient as you have to
remove your smartcard for apps to find that key (and if you've configured
your system to STIG specifications, the screen locks when you remove
your smartcard).
If anyone else has seen this or has any more information about this, I'd
love to hear it.
--Ken
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list
(email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden