Kerberos.NET
Add support for RFC 5349 "Elliptic Curve PKINIT"
Is your feature request related to a problem? Please describe.
The base PKINIT spec supports straight Diffie-Hellman using MODP 2 or 14 parameters. This is inefficient and leads to potential interop problems. ECC support was spec'ed shortly after PKINIT and introduces ECDH for key exchange and certificate signatures. This will have better performance implications as well as better cross-platform support, as ECDH is supported in .NET Core.
Describe the solution you'd like
Introduce logic into AsymmetricKerberosCredential that detects if the client certificate is EC, and force everything into using EC.
Add a new property to the credential that indicates the key exchange should prefer ECDH over DH (should it be default?).
Additional context
https://tools.ietf.org/html/rfc5349
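The detection-and-selection logic proposed above, as an added example that is not part of the original issue or of Kerberos.NET: the type and member names (`PkinitKeyAgreement`, `PkinitKeyAgreementSelector`, `Select`, `CurveOf`, `ClientEcdh`) are hypothetical, the `preferEcdh` parameter stands in for the proposed "prefer ECDH over DH" property, and the code assumes .NET Core 3.0 or later, where the `ECDiffieHellman` and SubjectPublicKeyInfo APIs are available without reflection. The certificates it builds are constructed self-signed test certificates.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (added example, not part of Kerberos.NET). It picks ECDH
// (RFC 5349) when the client certificate carries an EC key and MODP DH (RFC 4556)
// otherwise. Assumes .NET Core 3.0+ for the ECC and SubjectPublicKeyInfo APIs.
public enum PkinitKeyAgreement
{
    ModpDiffieHellman,          // RFC 4556 baseline: MODP group 2 or 14
    EllipticCurveDiffieHellman  // RFC 5349
}

public static class PkinitKeyAgreementSelector
{
    // preferEcdh stands in for the "prefer ECDH over DH" property the issue proposes.
    public static PkinitKeyAgreement Select(X509Certificate2 clientCert, bool preferEcdh)
    {
        // GetECDsaPublicKey() returns null when the certificate does not carry an EC key.
        using (ECDsa ecKey = clientCert.GetECDsaPublicKey())
        {
            if (ecKey != null && preferEcdh)
            {
                return PkinitKeyAgreement.EllipticCurveDiffieHellman;
            }
        }

        // RSA certificate, or ECDH not preferred: stay on MODP DH.
        return PkinitKeyAgreement.ModpDiffieHellman;
    }

    // Curve of the EC certificate, so the ephemeral ECDH key is generated on the
    // same curve the KDC sees in the client's certificate.
    public static ECCurve CurveOf(X509Certificate2 clientCert)
    {
        using (ECDsa ecKey = clientCert.GetECDsaPublicKey())
        {
            if (ecKey == null)
            {
                throw new ArgumentException("certificate does not carry an EC public key");
            }
            return ecKey.ExportParameters(false).Curve;
        }
    }

    // Client half of the ECDH exchange: generate an ephemeral key on the curve,
    // return its SubjectPublicKeyInfo (what goes into the AS-REQ), and derive key
    // material from the KDC's ephemeral public key (what comes back in the AS-REP).
    // DeriveKeyFromHash returns a hashed secret; see the note below about the raw
    // shared secret RFC 5349 actually feeds into octetstring2key.
    public static byte[] ClientEcdh(ECCurve curve, byte[] kdcSpki, out byte[] clientSpki)
    {
        using (ECDiffieHellman client = ECDiffieHellman.Create(curve))
        using (ECDiffieHellman kdc = ECDiffieHellman.Create(curve))
        {
            clientSpki = client.ExportSubjectPublicKeyInfo();
            kdc.ImportSubjectPublicKeyInfo(kdcSpki, out _);
            return client.DeriveKeyFromHash(kdc.PublicKey, HashAlgorithmName.SHA256);
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;

        // Constructed self-signed test certificates: one EC (P-256), one RSA.
        using (ECDsa ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256))
        using (RSA rsa = RSA.Create(2048))
        using (X509Certificate2 ecCert = new CertificateRequest("CN=ec-client", ecdsa, HashAlgorithmName.SHA256)
                   .CreateSelfSigned(now, now.AddDays(1)))
        using (X509Certificate2 rsaCert = new CertificateRequest("CN=rsa-client", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
                   .CreateSelfSigned(now, now.AddDays(1)))
        {
            Console.WriteLine($"EC cert  -> {PkinitKeyAgreementSelector.Select(ecCert, preferEcdh: true)}");
            Console.WriteLine($"RSA cert -> {PkinitKeyAgreementSelector.Select(rsaCert, preferEcdh: true)}");

            // Simulate the KDC with a second ephemeral key on the same curve and
            // check that both sides derive the same key material.
            ECCurve curve = PkinitKeyAgreementSelector.CurveOf(ecCert);
            using (ECDiffieHellman kdc = ECDiffieHellman.Create(curve))
            {
                byte[] kdcSpki = kdc.ExportSubjectPublicKeyInfo();
                byte[] clientKey = PkinitKeyAgreementSelector.ClientEcdh(curve, kdcSpki, out byte[] clientSpki);

                using (ECDiffieHellman clientPub = ECDiffieHellman.Create(curve))
                {
                    clientPub.ImportSubjectPublicKeyInfo(clientSpki, out _);
                    byte[] kdcKey = kdc.DeriveKeyFromHash(clientPub.PublicKey, HashAlgorithmName.SHA256);
                    bool match = Convert.ToBase64String(clientKey) == Convert.ToBase64String(kdcKey);
                    Console.WriteLine($"shared key material matches: {match}");
                }
            }
        }
    }
}
```

Two caveats for anyone turning this into a real implementation. RFC 5349 does not hash the ECDH result itself; it takes the x-coordinate of the shared point and runs it through the PKINIT octetstring2key function, so the credential needs the raw shared secret rather than the SHA-256 output `DeriveKeyFromHash` produces (newer .NET versions expose the raw agreement directly; on older targets it has to come from the platform abstraction layer). And the KDC's ephemeral public key in the AS-REP must be verified to lie on the curve the client advertised before it is used, which `ImportSubjectPublicKeyInfo` on a key created for that curve enforces here.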
Is there any news on this? I'm looking to try and build my own version of this for a test lab, and don't really have the skill and this library has helped me understand Kerberos much better.
Nope. Hasn't really been any demand for this. .NET Standard 2.0 doesn't expose the ECC APIs so this requires doing everything through reflection similar to Rfc2898DeriveBytes: https://github.com/dotnet/Kerberos.NET/blob/develop/Kerberos.NET/Crypto/Pal/Rfc2898DeriveBytes.cs
It can be done, but it requires some effort.