Earlier this week, I released version 0.2.0 of my post-quantum cryptography helper library for .NET, Strathweb.Dilithium, which introduces a new feature - automatic key management support in Duende Identity Server. This feature plugs into the automatic key management capabilities of Duende Identity Server and lets you automatically generate and manage Dilithium keys for token signing, without having to handle key generation and rotation manually.
Background
Strathweb.Dilithium is a family of libraries facilitating and streamlining the integration of the CRYSTALS-Dilithium signature scheme (a post-quantum cryptography suite) into ASP.NET Core projects, both for signing tokens and for validating them. You can read more about it in the original announcement post.
Automatic key management
As already stated, release 0.2.0 of Strathweb.Dilithium, or more specifically of Strathweb.Dilithium.DuendeIdentityServer (the library acting as an add-on for Duende Identity Server), introduces support for automatic key management. It is a popular Duende IDP feature which allows you to offload key management to the IDP completely, and let it automatically generate, rotate and manage keys for token signing purposes.
This is now possible with Dilithium keys as well, and, unless you supply a fixed static Dilithium key, key management is also enabled by default. The whole thing is as simple as just calling AddDilithiumSupport on your Identity Server builder:
builder.Services.AddIdentityServer()
    .AddDilithiumSupport() // automatically manage Dilithium keys
    // continue with the rest of Identity Server configuration
Such a setup instructs the library to create CRYDI3 Dilithium keys, store them securely using the Duende Identity Server storage abstractions, and rotate them according to the schedule configured in the IDP. By default, keys are rotated every 90 days, announced 14 days in advance, and retained for 14 days after they expire.
The normal customization of key management rules is still supported, and Strathweb.Dilithium.DuendeIdentityServer will conform to those rules. For example, the setup below introduces custom key rotation, announcement and retention intervals:
builder.Services.AddIdentityServer(options =>
    {
        // new key every 14 days
        options.KeyManagement.RotationInterval = TimeSpan.FromDays(14);
        // announce new key 3 days in advance in discovery
        options.KeyManagement.PropagationTime = TimeSpan.FromDays(3);
        // keep old key for 3 days in discovery for validation of tokens
        options.KeyManagement.RetentionDuration = TimeSpan.FromDays(3);
    })
    .AddDilithiumSupport() // automatically manage Dilithium keys
    // continue with the rest of Identity Server configuration
By default, the library also disallows any keys other than Dilithium, which means the built-in Identity Server behavior of generating RSA keys gets suppressed. It can be restored via the options. The same options can also be used to choose a different algorithm than CRYDI3:
builder.Services.AddIdentityServer()
    .AddDilithiumSupport(new DilithiumSupportOptions {
        KeyManagementAlgorithm = "CRYDI5", // override the default "CRYDI3"
        DisallowNonDilithiumKeys = false // allow RSA keys to co-exist
    }) // automatically manage Dilithium keys
    // continue with the rest of Identity Server configuration
With key management enabled, the IDP will serve more than one key in its discovery document, and the clients will be able to validate tokens signed with any of the keys. The key rotation process is fully automated and transparent to the clients.
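To make the rotation schedule concrete, here is an added simulation (my own example code, not part of Strathweb.Dilithium or Duende Identity Server) of which key ids a client sees in the discovery document over time, using the post's default 90/14/14-day intervals and the custom 14/3/3-day ones. It assumes the lifecycle described above: a key is announced PropagationTime before it starts signing, signs for RotationInterval, and stays published for RetentionDuration after that; the key ids and the reference date are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reference date for the simulation (not from the post).
EPOCH = datetime(2024, 1, 1)


def day(n: int) -> datetime:
    """Day n counted from EPOCH."""
    return EPOCH + timedelta(days=n)


@dataclass(frozen=True)
class KeyLifecycle:
    kid: str
    announced: datetime   # appears in discovery (PropagationTime before signing)
    activates: datetime   # becomes the signing key
    retires: datetime     # stops signing (RotationInterval after activation)
    removed: datetime     # dropped from discovery (RetentionDuration after retiring)

    def published_at(self, t: datetime) -> bool:
        return self.announced <= t < self.removed

    def signing_at(self, t: datetime) -> bool:
        return self.activates <= t < self.retires


def build_schedule(first_activation, count, rotation=timedelta(days=90),
                   propagation=timedelta(days=14), retention=timedelta(days=14)):
    """Assumed lifecycle: key i activates i*rotation after the first key."""
    keys = []
    for i in range(count):
        activates = first_activation + i * rotation
        keys.append(KeyLifecycle(kid=f"k{i}", announced=activates - propagation,
                                 activates=activates, retires=activates + rotation,
                                 removed=activates + rotation + retention))
    return keys


def discovery_kids(keys, t):
    """Key ids a client finds in the IDP discovery document at time t."""
    return [k.kid for k in keys if k.published_at(t)]


def signing_kid(keys, t):
    """Key id the IDP signs tokens with at time t (None if no key is active)."""
    return next((k.kid for k in keys if k.signing_at(t)), None)


def token_accepted(keys, token_kid, t):
    """A client trusting exactly the published keys accepts a token iff its kid
    is still in discovery when the token is validated."""
    return token_kid in discovery_kids(keys, t)


DEFAULT_KEYS = build_schedule(EPOCH, 3)
CUSTOM_KEYS = build_schedule(EPOCH, 3, rotation=timedelta(days=14),
                             propagation=timedelta(days=3), retention=timedelta(days=3))
```

Note that a token signed by a key on its last signing day verifies against discovery only for RetentionDuration afterwards, so the retention window must cover the longest token lifetime you issue.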
In release 0.2.0, the BouncyCastle dependency was also updated to the latest version. You can grab the releases from NuGet and follow the project on GitHub.