Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

Gaglia
Hi, first of all please accept my apologies, I know this is a question
more related to OpenVPN, but I think that the problem lies in the cert
authority and client/server certificate generation step with OpenSSL, so
I'm also posting it here, hoping for a solution.

I'm trying to make an OpenVPN setup with Elliptic Curves cryptography
and SHA-512 on Linux Debian. This seems to be very hard, I didn't find
any howto on the web :( if and when I will manage to get the whole thing
up and running I will write a detailed howto, so any help is appreciated!

As a premise: yes, I've recompiled OpenVPN using the latest OpenSSL
version (see below). My suspicion is that I made some mistake in the
certificate generation process but I can't find it.

I also posted this issue at https://forums.openvpn.net/topic8404.html
but there I included a lot of information more strictly related to my
OpenVPN configuration, I will include here just the steps I used to
setup the PKI with OpenSSL. Here is what I did:


1) downloaded OpenSSL 1.0.0, configured and installed in
/usr/local/openssl (to avoid removing the already installed openssl
0.9.8 which looks like it's a crucial packet for everything on my
system) with:
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
I am calling the new openssl version with the "openssl-new" alias

2) created a CA:
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
openssl-new ecparam -out private/cakey_temp.pem -name sect571k1 -text -genkey
openssl-new ec -in private/cakey_temp.pem -out private/cakey.pem -aes256
wipe -f private/cakey_temp.pem
openssl-new req -new -x509 -out cacert.pem -key private/cakey.pem -days 36500 -sha512 -extensions v3_ca
openssl-new x509 -text -in cacert.pem
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
with the last command I read: Signature Algorithm: ecdsa-with-SHA512

3) created a server key and certification request:
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
openssl-new req -nodes -sha512 -newkey ec:cacert.pem -new -days 36500 -out req.pem
chmod 600 privkey.pem
mv privkey.pem private/serverkey.pem
openssl-new req -in req.pem -text -verify -noout
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
again, I read: Signature Algorithm: ecdsa-with-SHA512

4) modified openssl.cnf accordingly and signed the request with the CA:
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
openssl-new ca -config openssl.cnf -policy policy_anything -out servercert.pem -md sha512 -cert cacert.pem -keyfile private/cakey.pem -infiles req.pem
rm req.pem
----8<--------8<--------8<--------8<--------8<--------8<--------8<----

5) created a client key and certification request:
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
openssl-new req -nodes -sha512 -newkey ec:cacert.pem -new -days 36500 -out req.pem
chmod 600 privkey.pem
mv privkey.pem private/clientkey.pem
----8<--------8<--------8<--------8<--------8<--------8<--------8<----

6) signed the request with the CA:
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
openssl-new ca -config openssl.cnf -policy policy_anything -out clientcert.pem -md sha512 -cert cacert.pem -keyfile private/cakey.pem -infiles req.pem
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
(I later moved client files in ~/.ssl )

7) created both ECDH and DH (for testing) parameters:
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
openssl-new ecparam -out ecdh.pem -name sect571k1
openssl-new dhparam -out dh.pem 4096
----8<--------8<--------8<--------8<--------8<--------8<--------8<----


My OpenVPN configuration does not work, I receive this error in the logs:
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
but, as I said, this is more related to OpenVPN and it is detailed in
the forum post I linked above. What I'd like to know from more
experienced OpenSSL users here is: did I perform correctly steps
1)...7)? Please help, I'm really in need of this ._. I will write a
complete and detailed howto as a small compensation for the community!

Thanks in advance
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

Gaglia
On 07/05/2011 03:23 PM, Gaglia wrote:
> I'm trying to make an OpenVPN setup with Elliptic Curves cryptography
> and SHA-512 on Linux Debian.

No idea anybody, really? :(

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

yyy-2
When I searched on it, it seemed that ECDH requires a specified named curve, and OpenVPN does not have a means of specifying it. Also, it seems that ECDSA works only with SHA-1 (I also would like to know why it cannot take any 160-bit hash). I searched about it a few weeks ago and the relevant messages were a few months old.

Quoting Gaglia [hidden email]:
On 07/05/2011 03:23 PM, Gaglia wrote:
> I'm trying to make an OpenVPN setup with Elliptic Curves cryptography
> and SHA-512 on Linux Debian.

No idea anybody, really? :(

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

Gaglia
On 07/11/2011 05:27 AM, [hidden email] wrote:
>  When i searched on it, it seemed that ECDH requires specified named
>  curve

You need to specify the curve's name, like this:

        openssl ecparam -name sect571k1

but this should only be done in the parameters generation stage, the
generated certificates should contain this information by themselves, so
I don't think specifying it to OpenVPN should be needed.

> Also, it seems that ECDSA works only with SHA-1

This has been marked as a bug and it was fixed in the most recent
versions of OpenSSL. I've met this issue with OpenSSL 0.9.8x (I don't
remember the "x"), this version is indeed the default one for both
Debian Squeeze and Ubuntu Natty, so this is quite annoying (I like
Debian a lot, but its repos are often too much outdated). As I've
written before, I've manually compiled OpenSSL v1.0.0 and I can read the
following for my certificate, as expected:

        openssl x509 -text -in cacert.pem
        ...
        Signature Algorithm: ecdsa-with-SHA512


>  I searched about it few weeks
>  ago and relevant messages were few months old.

Same problem here :( it seems that if someone managed to solve the
problem, he/she didn't bother to write back the solution.

Thanks anyway for the reply, still waiting for further help, I can't
believe nobody managed to solve this issue :(


Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

Kyle Hamilton
In reply to this post by Gaglia
ECDSA is the elliptical curve (discrete-logarithm-based) variant of DSA, the Digital Signature Algorithm.  DSA was developed by the US National Security Agency as a means of creating prime-factorization-based signatures without providing code paths which would permit the encryption of arbitrary data.

ANSI X9 has object identifiers for ECDSA with a variety of hashes.

1.2.840.10045.4.3. and then one of the following:

1: ECDSA with SHA-224
2: with SHA-256
3: SHA-384
4: SHA-512

The information on the curve in use is part of subjectPublicKeyInfo:

        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (521 bit)
                pub:
                    04:00:ef:07:81:ff:79:01:d3:10:a4:42:6b:d5:37:
                    a9:ed:6b:a4:1d:20:8a:20:b6:44:34:09:d9:3d:f0:
                    69:0f:b2:65:3f:d9:dd:68:72:a7:2b:cd:d4:70:e9:
                    cb:21:dd:05:34:1b:4e:42:0f:65:63:5e:b9:24:a6:
                    40:f6:cc:22:94:ea:3b:01:7f:65:38:09:33:b0:0d:
                    b3:91:b6:1d:4a:a7:9f:17:2e:56:4d:ff:14:d3:aa:
                    65:5d:3a:3d:ba:c2:d9:30:30:41:73:14:3e:6e:c7:
                    01:ae:af:52:b6:cc:31:6d:26:dd:39:dc:60:c8:b9:
                    07:fb:21:38:ec:75:dc:0f:3b:b7:9d:44:35
                Field Type: prime-field
                Prime:
                    01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff
                A:
                    01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:fc
                B:
                    51:95:3e:b9:61:8e:1c:9a:1f:92:9a:21:a0:b6:85:
                    40:ee:a2:da:72:5b:99:b3:15:f3:b8:b4:89:91:8e:
                    f1:09:e1:56:19:39:51:ec:7e:93:7b:16:52:c0:bd:
                    3b:b1:bf:07:35:73:df:88:3d:2c:34:f1:ef:45:1f:
                    d4:6b:50:3f:00
                Generator (uncompressed):
                    04:00:c6:85:8e:06:b7:04:04:e9:cd:9e:3e:cb:66:
                    23:95:b4:42:9c:64:81:39:05:3f:b5:21:f8:28:af:
                    60:6b:4d:3d:ba:a1:4b:5e:77:ef:e7:59:28:fe:1d:
                    c1:27:a2:ff:a8:de:33:48:b3:c1:85:6a:42:9b:f9:
                    7e:7e:31:c2:e5:bd:66:01:18:39:29:6a:78:9a:3b:
                    c0:04:5c:8a:5f:b4:2c:7d:1b:d9:98:f5:44:49:57:
                    9b:44:68:17:af:bd:17:27:3e:66:2c:97:ee:72:99:
                    5e:f4:26:40:c5:50:b9:01:3f:ad:07:61:35:3c:70:
                    86:a2:72:c2:40:88:be:94:76:9f:d1:66:50
                Order:
                    01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:fa:51:86:87:83:bf:2f:96:6b:7f:cc:01:
                    48:f7:09:a5:d0:3b:b5:c9:b8:89:9c:47:ae:bb:6f:
                    b7:1e:91:38:64:09
                Cofactor:  1 (0x1)
                Seed:
                    d0:9e:88:00:29:1c:b8:53:96:cc:67:17:39:32:84:
                    aa:a0:da:64:ba
    Signature Algorithm: ecdsa-with-SHA256
        30:81:87:02:41:7b:7d:88:a9:56:e8:d5:a0:f6:38:e7:85:4c:
        f5:1c:81:64:de:92:25:37:42:2d:31:cb:8b:af:04:32:7b:d7:
        06:19:4a:eb:a9:ca:9d:88:38:11:99:bc:2e:2b:35:e6:69:1c:
        ca:1c:8c:86:7d:74:bc:dd:96:20:8e:38:01:63:15:8b:02:42:
        01:66:42:70:5f:2e:cc:fb:1f:f3:d4:96:54:e9:b7:0a:3b:82:
        ec:b7:90:45:19:c0:ac:4c:ef:82:3d:77:07:e1:4d:13:81:d3:
        12:23:bc:84:4f:9b:ac:55:c4:a1:3b:85:08:5a:2f:ae:ad:45:
        3f:5f:da:cd:80:45:c9:79:58:d3:79:a2

The curve in use can be named (reducing the size of the subjectPublicKeyInfo), or it can be specified explicitly (like the above).

(I included the hash to show that it is indeed legitimate to have a different hash size.  I should note that I didn't generate this with OpenSSL, and I don't know how OpenSSL generates the sPKI.)

Also, note the large number of 0xff bytes in the prime.  These can be eliminated if you're willing to pay Certicom's "point compression" patent license fee.

The patent situation around Elliptical Curve is a bit murky, but (IANAL) I am proceeding as though the narrow interpretation promoted by the RSA Crypto FAQ is correct: the patent situation is the opposite of what was the case for DH and RSA: the algorithm itself is not specifically described in any particular patent, only particular efficient implementations of it -- such as 'an efficient algorithm using only left-shift and add instructions'.  The reason why there's murkiness is because everyone who does things is pretty much counseled to avoid looking at the patents -- if the patents are known, then it's evidence of willful (rather than accidental) infringement and any punitive damages for such are tripled.  However, Professor Dan J Bernstein says that his prime at 256 bits is unpatented and there's prior art from several years before the Certicom patents were filed -- and there was an infringement lawsuit brought by Certicom against Sony, which was dismissed in 2009.

Again, I'm not a lawyer.  I just read things.  See e.g. the links from http://en.wikipedia.org/wiki/ECC_patents , which do a reasonably comprehensive roundup of the issues involved for the layperson.

-Kyle H

On Sun, Jul 10, 2011 at 8:27 PM,  <[hidden email]> wrote:

> When i searched on it, it seemed that ECDH requires specified named curve,
> and openVPN does not have a means of specifying it. Also, it seems that
> ECDSA works only with SHA-1 (I also would like to know, why it cannot take
> any 160 bit hash). I searched about it few weeks ago and relevant messages
> were few months old.
>  
>
> Quoting Gaglia <[hidden email]>:
>
> On 07/05/2011 03:23 PM, Gaglia wrote:
>> I'm trying to make an OpenVPN setup with Elliptic Curves cryptography
>> and SHA-512 on Linux Debian.
>
> No idea anybody, really? :(
>
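
The message above makes two points that can be checked directly on the DER bytes: which `1.2.840.10045.4.3.x` OID the signature algorithm carries, and whether the key's curve is named or spelled out explicitly. The following is an added example, not code from any poster or from OpenSSL; it uses only the Python standard library, the function names are hypothetical, the named-curve OID table comes from the SEC/ANSI registries rather than from the thread, and the sample encodings are constructed for illustration.

```python
# Added example (not from the thread): stdlib-only DER inspection of the
# signature-algorithm OID and the ECParameters choice in an EC public key.

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"

# The ANSI X9.62 arc listed in the message above.
ECDSA_SIG_OIDS = {
    "1.2.840.10045.4.3.1": "ecdsa-with-SHA224",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

# A few well-known named-curve OIDs (assumption: not taken from the thread).
NAMED_CURVES = {
    "1.3.132.0.35": "secp521r1",
    "1.3.132.0.38": "sect571k1",
    "1.2.840.10045.3.1.7": "prime256v1",
}


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, buf[pos:pos + length], pos + length


def tlv(tag, value):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        header = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + header + value


def decode_oid(value):
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OBJECT IDENTIFIER")
    first = min(value[0] // 40, 2)
    arcs, acc = [first, value[0] - 40 * first], 0
    for byte in value[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:                # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def signature_algorithm(alg_id_der):
    """Name the ECDSA/hash pair in a DER AlgorithmIdentifier."""
    tag, body, _ = read_tlv(alg_id_der)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, _ = read_tlv(body)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    dotted = decode_oid(oid)
    return ECDSA_SIG_OIDS.get(dotted, "unknown (" + dotted + ")")


def curve_encoding(spki_der):
    """Return (kind, detail) for the curve in an EC SubjectPublicKeyInfo."""
    tag, spki, _ = read_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, pos = read_tlv(alg)
    if tag != 0x06 or decode_oid(oid) != ID_EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey key")
    tag, params, _ = read_tlv(alg, pos)
    if tag == 0x06:                        # namedCurve
        dotted = decode_oid(params)
        return "named", NAMED_CURVES.get(dotted, dotted)
    if tag == 0x30:                        # specifiedCurve, as in the dump above
        return "explicit", "SpecifiedECDomain"
    if tag == 0x05:                        # implicitCurve (NULL)
        return "implicit", "inherited"
    raise ValueError("unexpected ECParameters tag 0x%02x" % tag)


def sample_spki(parameters_der, point):
    alg = tlv(0x30, tlv(0x06, encode_oid(ID_EC_PUBLIC_KEY)) + parameters_der)
    return tlv(0x30, alg + tlv(0x03, b"\x00" + point))


# Constructed samples: a placeholder 133-byte point (not a real key), and a
# truncated stand-in for explicit parameters (only the version INTEGER).
DUMMY_POINT = b"\x04" + bytes(132)
NAMED_SPKI = sample_spki(tlv(0x06, encode_oid("1.3.132.0.35")), DUMMY_POINT)
EXPLICIT_SPKI = sample_spki(tlv(0x30, tlv(0x02, b"\x01")), DUMMY_POINT)

if __name__ == "__main__":
    print(signature_algorithm(bytes.fromhex("300a06082a8648ce3d040304")))
    print(curve_encoding(NAMED_SPKI), curve_encoding(EXPLICIT_SPKI))
```

RFC 5480 permits only the `namedCurve` form in PKIX certificates, so an `explicit` result on a certificate is worth flagging before debugging anything else.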



Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

Jeffrey Walton-3
On Thu, Jul 14, 2011 at 6:22 PM, Kyle Hamilton <[hidden email]> wrote:

> ECDSA is the elliptical curve (discrete-logarithm-based) variant of DSA, the
> Digital Signature Algorithm.  DSA was developed by the US National Security
> Agency as a means of creating prime-factorization-based signatures without
> providing code paths which would permit the encryption of arbitrary data.
>
> ANSI X9 has object identifiers for ECDSA with a variety of hashes.
>
> [SNIP]
>
> The patent situation around Elliptical Curve is a bit murky, but (IANAL) I
> am proceeding as though the narrow interpretation promoted by the RSA Crypto
> FAQ is correct: the patent situation is the opposite of what was the case
> for DH and RSA: the algorithm itself is not specifically described in any
> particular patent, only particular efficient implementations of it -- such
> as 'an efficient algorithm using only left-shift and add instructions'.  The
> reason why there's murkiness is because everyone who does things is pretty
> much counseled to avoid looking at the patents -- if the patents are known,
> then it's evidence of willful (rather than accidental) infringement and any
> punitive damages for such are tripled.  However, Professor Dan J Bernstein
> says that his prime at 256 bits is unpatented and there's prior art from
> several years before the Certicom patents were filed -- and there was an
> infringement lawsuit brought by Certicom against Sony, which was dismissed
> in 2009.
Dismissed or withdrawn? It seems to me Certicom stopped biting a hand
that feeds it.

Jeff

> On Sun, Jul 10, 2011 at 8:27 PM,  <[hidden email]> wrote:
>>
>> When i searched on it, it seemed that ECDH requires specified named curve,
>> and openVPN does not have a means of specifying it. Also, it seems that
>> ECDSA works only with SHA-1 (I also would like to know, why it cannot take
>> any 160 bit hash). I searched about it few weeks ago and relevant messages
>> were few months old.
>>
>>
>> Quoting Gaglia <[hidden email]>:
>>
>> On 07/05/2011 03:23 PM, Gaglia wrote:
>>>
>>> I'm trying to make an OpenVPN setup with Elliptic Curves cryptography
>>> and SHA-512 on Linux Debian.
>>
>> No idea anybody, really? :(
>>
>
>

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

Kyle Hamilton
In reply to this post by Gaglia


On Thu, Jul 14, 2011 at 3:35 PM, Jeffrey Walton <[hidden email]> wrote:
> On Thu, Jul 14, 2011 at 6:22 PM, Kyle Hamilton <[hidden email]> wrote:
> Dismissed or withdrawn? It seems to me Certicom stopped biting a hand
> that feeds it.
>
> Jeff

Looking at the docket, it looks like they reached an agreement to dismiss without prejudice (meaning the suit could be refiled in the future).

-Kyle H


Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

Gaglia
On 07/15/2011 08:23 AM, Kyle Hamilton wrote:
> ...

Excuse me, I got lost somewhere... Does this mean that it is not
possible to use EC crypto with OpenSSL because the algorithms are
patented? If so, why does OpenSSL provide support for EC crypto?

Sorry, I don't want to start a religion war, but as an EU citizen (and
like many other humans too, I guess), I find unbelievably absurd
the idea of patenting the mathematical description of an algorithm.

Let's put it this way: in the unlikely and deplorable event of a
user willing to illegally use patented EC cryptography with OpenSSL for
personal use (hence assuming responsibility for any consequence), could
he/she use OpenSSL? Is OpenSSL able to handle this kind of crypto? I
guess yes, for (as in the first post of the thread) I managed to
apparently do a lot of things with the curve of my choice... My question
is, apart from legal considerations: did I do something wrong in the
certificate generation process?

Thanks for any help :)

ECDSA public key token to/from binary

Ken Goldman-2
I have to extract a binary (unsigned char *) representation of a public key from an ECDSA openssl key structure.  Later, I want to use that binary to reconstruct an openssl public key structure that I can use to verify a signature.  The curve is fixed - P521.

I don't need any certificates, just a public key that I can embed in the verifier.

Can someone point me toward sample code?  Or, can someone give me some hints?

--
Ken Goldman   [hidden email]  
914-784-7646 (863-7646)
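
For a fixed curve, the usual binary form of an EC public key is the SEC1 uncompressed point, the same `04 || X || Y` layout as the `pub:` and `Generator (uncompressed)` fields in the certificate dump earlier in this thread (133 bytes for P-521). The following is an added example, not from any poster and not OpenSSL code: pure Python that serialises such a point and, on the way back in, rejects wrong lengths, other encodings, out-of-range coordinates and off-curve points before the key reaches a verifier. Function names are hypothetical; the curve constants and the sample point (the P-521 base point) are the values printed in that dump.

```python
# Added example (not from the thread): SEC1 uncompressed encoding of a P-521
# public key, with validation when the bytes are read back.

P = 2**521 - 1      # "Prime" in the dump: 01:ff:...:ff
A = P - 3           # "A" in the dump: 01:ff:...:fc
COORD_LEN = 66      # ceil(521 / 8) bytes per coordinate


def _hex_field(text):
    """Parse a colon-separated hex field as printed by `openssl x509 -text`."""
    return bytes.fromhex("".join(text.replace(":", " ").split()))


# "B" field of the dump.
B = int.from_bytes(_hex_field("""
    51:95:3e:b9:61:8e:1c:9a:1f:92:9a:21:a0:b6:85:
    40:ee:a2:da:72:5b:99:b3:15:f3:b8:b4:89:91:8e:
    f1:09:e1:56:19:39:51:ec:7e:93:7b:16:52:c0:bd:
    3b:b1:bf:07:35:73:df:88:3d:2c:34:f1:ef:45:1f:
    d4:6b:50:3f:00
"""), "big")

# "Generator (uncompressed)" field of the dump, used here as the sample point.
G_BYTES = _hex_field("""
    04:00:c6:85:8e:06:b7:04:04:e9:cd:9e:3e:cb:66:
    23:95:b4:42:9c:64:81:39:05:3f:b5:21:f8:28:af:
    60:6b:4d:3d:ba:a1:4b:5e:77:ef:e7:59:28:fe:1d:
    c1:27:a2:ff:a8:de:33:48:b3:c1:85:6a:42:9b:f9:
    7e:7e:31:c2:e5:bd:66:01:18:39:29:6a:78:9a:3b:
    c0:04:5c:8a:5f:b4:2c:7d:1b:d9:98:f5:44:49:57:
    9b:44:68:17:af:bd:17:27:3e:66:2c:97:ee:72:99:
    5e:f4:26:40:c5:50:b9:01:3f:ad:07:61:35:3c:70:
    86:a2:72:c2:40:88:be:94:76:9f:d1:66:50
""")


def on_curve(x, y):
    """True if (x, y) satisfies y^2 = x^3 + A*x + B over GF(P)."""
    return (y * y - (x * x * x + A * x + B)) % P == 0


def encode_public_key(x, y):
    """Serialise affine coordinates as 0x04 || X || Y (133 bytes)."""
    if not (0 <= x < P and 0 <= y < P) or not on_curve(x, y):
        raise ValueError("refusing to encode a point that is not on P-521")
    return b"\x04" + x.to_bytes(COORD_LEN, "big") + y.to_bytes(COORD_LEN, "big")


def decode_public_key(blob):
    """Parse and validate an uncompressed P-521 point; return (x, y)."""
    if len(blob) != 1 + 2 * COORD_LEN:
        raise ValueError("expected %d bytes, got %d" % (1 + 2 * COORD_LEN, len(blob)))
    if blob[0] != 0x04:
        raise ValueError("only the uncompressed form (0x04) is accepted")
    x = int.from_bytes(blob[1:1 + COORD_LEN], "big")
    y = int.from_bytes(blob[1 + COORD_LEN:], "big")
    if x >= P or y >= P:
        raise ValueError("coordinate out of range")
    if not on_curve(x, y):
        raise ValueError("point is not on P-521")
    return x, y


def is_valid_public_key(blob):
    try:
        decode_public_key(blob)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    x, y = decode_public_key(G_BYTES)
    print(len(G_BYTES), encode_public_key(x, y) == G_BYTES)
```

In OpenSSL's C API the same byte format is produced and consumed by `EC_POINT_point2oct` and `EC_POINT_oct2point`.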

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

yyy-2
In reply to this post by Kyle Hamilton
The version of ECDSA available in openssl 1.0.0d supports only SHA1. (Maybe there are patches which add other hash functions, but the default build on win32 supports only sha1.)
ECDH and ECDSA are not guaranteed to use the same curve. At least with s_server, the curve for ECDSA is specified in the certificate, but the curve for ECDH is specified by the -named_curve argument. Other programs probably use something similar.
Last time I searched the OpenVPN forums for anything ECC related, I did not find anything (probably bad keywords, but it also might be lack of ECC support).
 



Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

Dr. Stephen Henson
On Fri, Jul 15, 2011, [hidden email] wrote:

>
>  Version of ECDSA available in openssl 1.0.0d supports only SHA1.
>  (maybe there are patches, which adds other hash functions, but
>  default build on win32 supports only sha1).

What makes you think that? OpenSSL 0.9.8 only supports SHA1 with ECDSA in
things like certificates but 1.0.0 and later should support other hashes
such as SHA256.

Can you give an example where 1.0.0 is failing?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

Kyle Hamilton
In reply to this post by Gaglia
On Fri, Jul 15, 2011 at 10:32 AM, Gaglia <[hidden email]> wrote:
> On 07/15/2011 08:23 AM, Kyle Hamilton wrote:
>> ...
>
> Excuse me, I got lost somewhere... Does this mean that it is not
> possible to use EC crypto with OpenSSL because the algorithms are
> patented? If so, why does OpenSSL provide support for EC crypto?

EC is considered to be a patent minefield.  Some people (RSA Data
Security) say that it's possible to implement EC cryptography using
different types of algorithms which are not covered by the patents.
Other people (Bruce Schneier, US NSA) say that the mechanism itself is
patented, not simply specific algorithms for calculation.

The US NSA licensed from Certicom the right to sublicense the EC
algorithms used in "Suite B".  My understanding is that OpenSSL
received a gift from Sun Microsystems of its EC sublicense from NSA.

> Let's put it this way: in the unlikely and deplorable event of a
> user willing to illegally use patented EC cryptography with OpenSSL for
> personal use (hence assuming responsibility for any consequence), could
> he/she use OpenSSL? Is OpenSSL able to handle this kind of crypto?

Yes.  And, given OpenSSL's EC sublicense gift, the user of OpenSSL (if
my understanding is correct, IANAL!) is also licensed.

> I
> guess yes, for (as in the first post of the thread) I managed to
> apparently do a lot of things with the curve of my choice... My question
> is, apart from legal considerations: did I do something wrong in the
> certificate generation process?

Nobody can know unless you post the certificate in question, or at the
least the dump of the x509 structure you have.

One thing that might cause a problem is if you enabled EC point
compression in your OpenSSL compile, as I don't believe OpenSSL has a
license for that.

-Kyle H

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

Steve Marquess-3
On 07/15/2011 05:36 PM, Kyle Hamilton wrote:
> ...
>
> EC is considered to be a patent minefield. Some people (RSA Data
> Security) say that it's possible to implement EC cryptography using
> different types of algorithms which are not covered by the patents.
> Other people (Bruce Schneier, US NSA) say that the mechanism itself
> is patented, not simply specific algorithms for calculation.


I'll make just one comment here: U.S. patent law, at least as applied to software, is a festering cesspool.

> The US NSA licensed from Certicom the right to sublicense the EC
> algorithms used in "Suite B". My understanding is that OpenSSL
> received a gift from Sun Microsystems of its EC sublicense from NSA.


OpenSSL (in the guise of its corporate manifestation, the OpenSSL Software Foundation), is a direct NSA sublicensee (http://opensslfoundation.com/testing/docs/NSA-PLA.pdf).  Note that sublicense only covers some prime field ECC; for the rest of it "seek competent legal advice".  Also note the license is nontransferable.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877-673-6775
[hidden email]


Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

Jeffrey Walton-3
In reply to this post by Kyle Hamilton
On Fri, Jul 15, 2011 at 5:36 PM, Kyle Hamilton <[hidden email]> wrote:

> On Fri, Jul 15, 2011 at 10:32 AM, Gaglia <[hidden email]> wrote:
>> On 07/15/2011 08:23 AM, Kyle Hamilton wrote:
>>> ...
>>
>> Excuse me, I got lost somewhere... Does this mean that it is not
>> possible to use EC crypto with OpenSSL because the algorithms are
>> patented? If so, why does OpenSSL provide support for EC crypto?
>
> EC is considered to be a patent minefield.  Some people (RSA Data
> Security) say that it's possible to implement EC cryptography using
> different types of algorithms which are not covered by the patents.
Consider the source: RSA's strongest competition is ECC and Certicom
(or should we say ECC's past competition was RSA?). RSA Data Security
managed to implant RSA into DSA with heavy lobbying, but RSA's glory
days are behind them or gone. The SecurID scandal is another testament
to the fact.

I often wonder why open source implementations even care: (1) the
implementations are often available throughout the world, where US
patent law does not apply, (2) for US domestic uses, push the burden
of licensing compliance onto the user (or #define out any code found
to be offense by *real* lawyers), and (3) most implementors don't have
the money to make it worthwhile to litigate.

For (3), Certicom most likely won't make a dime, so there's no
monetary relief or benefit even if they incur loss or damages. And at
best, they will probably be granted an injunction against US
distribution. Guess what folks will do in that case (what did they do
with RSA - download from Australia or Germany or ...).

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

yyy-2
In reply to this post by Dr. Stephen Henson
openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Error setting context
5664:error:100C508A:elliptic curve routines:PKEY_EC_CTRL:invalid digest type:.\crypto\ec\ec_pmeth.c:229:
 

Also, the documentation for the pkeyutl program mentions that ECDSA supports only sha1
http://www.openssl.org/docs/apps/pkeyutl.html#
(subsection "EC ALGORITHM")
The documentation for the dgst program did not mention any limitations on the choice of hash; it only said that sha1 is the preferred choice.

The EC key used in the failed example above is based on secp521r1 and was generated by openssl.

Quoting Dr. Stephen Henson [hidden email]:
On Fri, Jul 15, 2011, [hidden email] wrote:

>
> Version of ECDSA available in openssl 1.0.0d supports only SHA1.
> (maybe there are patches, which adds other hash functions, but
> default build on win32 supports only sha1).

What makes you think that? OpenSSL 0.9.8 only supports SHA1 with ECDSA in
things like certificates but 1.0.0 and later should support other hashes
such as SHA256.

Can you give an example where 1.0.0 is failing?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]



-- Tavs bezmaksas pasts Inbox.lv
Reply | Threaded
Open this post in threaded view
|

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

Gaglia
On 07/16/2011 06:50 AM, [hidden email] wrote:
>  openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
>  WARNING: can't open config file: /usr/local/ssl/openssl.cnf
>  Error setting context

My premise is that we are considering only OpenSSL v 1.0.0. Under this
condition, as I wrote in the first post, I do something like:

# generate EC private key for curve sect571k1, no point compression
# (to enable point compression, use "-conv_form compressed" )
openssl ecparam -out cakey.pem -name sect571k1 -text -genkey

# generate EC certificate with the above private key with SHA512
# (note that the -sha512 arg has no effect if using v0.9.8, it
# will use SHA-1 instead)
openssl req -out cacert.pem -key cakey.pem -sha512 -x509 -new

# check that everything is OK
openssl x509 -text -in cacert.pem

Certificate:
...
        *Signature Algorithm: ecdsa-with-SHA512*
        Issuer:
...
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    02:3A:...
                ASN1 OID: sect571k1
        X509v3 extensions:
...
    *Signature Algorithm: ecdsa-with-SHA512*
        20:89:...
-----BEGIN CERTIFICATE-----
MIJ...
...
ASd45g==
-----END CERTIFICATE-----


Any wrongdoing up to here?


Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

Dr. Stephen Henson
In reply to this post by yyy-2
On Sat, Jul 16, 2011, [hidden email] wrote:

>
>  openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
>  WARNING: can't open config file: /usr/local/ssl/openssl.cnf
>  Error setting context
>  5664:error:100C508A:elliptic curve routines:PKEY_EC_CTRL:invalid
>  digest type:.c
>  ryptoecec_pmeth.c:229:

AFAIK there is no standard for using ECC with ripemd160. OpenSSL supports SHA1
and SHA2 algorithms with ECC. So if you used -sha256 it should work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)

yyy-2
sha256 worked (both for dgst and for req).
If I understand correctly, the ECDSA algorithm only needs the hash as a
defined-length bitstring, so adapting ripemd in place of sha1 should have been
easier than sha256 (because ripemd has the same length as sha1, sha256 is longer).
 


Quoting Dr. Stephen Henson [hidden email]:
On Sat, Jul 16, 2011, [hidden email] wrote:

>
> openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
> WARNING: can't open config file: /usr/local/ssl/openssl.cnf
> Error setting context
> 5664:error:100C508A:elliptic curve routines:PKEY_EC_CTRL:invalid
> digest type:.c
> ryptoecec_pmeth.c:229:

AFAIK there is no standard for using ECC with ripemd160. OpenSSL supports SHA1
and SHA2 algorithms with ECC. So if you used -sha256 it should work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]



-- Tavs bezmaksas pasts Inbox.lv
Reply | Threaded
Open this post in threaded view
|

Re: ECDSA public key token to/from binary

Billy Brumley
In reply to this post by Ken Goldman-2
Dear Ken,

One way to accomplish this is something along the lines of

EC_POINT *EC_KEY_get0_public_key(const EC_KEY *);

where EC_KEY is the key structure, returning the point as an EC_POINT
structure, followed by

int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *, const
EC_POINT *, BIGNUM *x, BIGNUM *y, BN_CTX *);

where EC_GROUP is setup for P-521 (have a look at
EC_GROUP_new_by_curve_name), EC_POINT is the public key from the
previous call; it dumps the coordinates to x and y, where you can use
BN_bn2bin or whatever you like. You'd reverse it with

int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *, EC_POINT *,
const BIGNUM *x, const BIGNUM *y, BN_CTX *);

followed by

int EC_KEY_set_public_key(EC_KEY *, const EC_POINT *);

While this is the manual way to do it that you've asked for, there are
a few caveats that can affect security so if possible I'd consider
standard (ANSI? P1363?) methods like EC_POINT_point2bn and so on.
Those also easily allow point compression if that's needed. In
general, poke around in include/openssl/ec.h and there is lots of
useful functionality, although not as much documentation.

Sincerely,

Billy


On Fri, Jul 15, 2011 at 10:54 AM, Kenneth Goldman <[hidden email]> wrote:

> I have to extract a binary (unsigned char *) representation of a public key
> from an ECDSA openssl key structure.  Later, I want to use that binary to
> reconstruct an openssl public key structure that I can use to verify a
> signature.  The curve is fixed - P521.
>
> I don't need any certificates, just a public key that I can embed in the
> verifier.
>
> Can someone point me toward sample code?  Or, can someone give me some
> hints?
>
> --
> Ken Goldman   [hidden email]
> 914-784-7646 (863-7646)
>

Re: ECDSA public key token to/from binary

Ken Goldman-2
[hidden email] wrote on 07/18/2011 09:49:33 AM:

> From: Billy Brumley <[hidden email]>

> To: [hidden email]
> Date: 07/18/2011 10:00 AM
> Subject: Re: ECDSA public key token to/from binary
> Sent by: [hidden email]
>
> Dear Ken,
>
> One way to accomplish this is something along the lines of
>
> EC_POINT *EC_KEY_get0_public_key(const EC_KEY *);
>
> where EC_KEY is the key structure, returning the point as an EC_POINT
> structure, followed by

>
> int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *, const
> EC_POINT *, BIGNUM *x, BIGNUM *y, BN_CTX *);
>
> where EC_GROUP is setup for P-521 (have a look at
> EC_GROUP_new_by_curve_name), EC_POINT is the public key from the
> previous call; it dumps the coordinates to x and y, where you can use
> BN_bn2bin or whatever you like. You'd reverse it with

Thanks for the response.  Are X and Y the public key?

I tried this and it seems to work.  Error checking omitted for
easier reading.  Comments?

Getting the public key:

        group = EC_KEY_get0_group(eckey);
        ec_point = EC_KEY_get0_public_key(eckey);
        *publicKeyLength = EC_POINT_point2oct(group,
                                              ec_point,
                                              POINT_CONVERSION_UNCOMPRESSED,
                                              *publicKey,
                                              *publicKeyLength,
                                              NULL);

Setting the public key:

        *ecPubKey = EC_KEY_new();
        group = EC_GROUP_new_by_curve_name(nid);
        ec_point = EC_POINT_new(group);
        EC_KEY_set_group(*ecPubKey, group);
        EC_POINT_oct2point(group,
                           ec_point,
                           publicKey,
                           publicKeyLength,
                           NULL);
        EC_KEY_set_public_key(*ecPubKey, ec_point);

> int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *, EC_POINT *,
> const BIGNUM *x, const BIGNUM *y, BN_CTX *);
>
> followed by
>
> int EC_KEY_set_public_key(EC_KEY *, const EC_POINT *);
>
> While this is the manual way to do it that you've asked for, there are
> a few caveats that can affect security so if possible I'd consider
> standard (ANSI? P1363?) methods like EC_POINT_point2bn and so on.
> Those also easily allow point compression if that's needed. In
> general, poke around in include/openssl/ec.h and there is lots of
> useful functionality, although not as much documentation.


I've been doing that poking.
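
Added example, not part of the thread and not OpenSSL code: a pure-Python model of the 133-byte blob that the uncompressed point form (POINT_CONVERSION_UNCOMPRESSED) produces for P-521, with the checks a verifier should apply before trusting a public key embedded as raw bytes. The function names are illustrative, and the sample key is the curve's base point, used as constructed test input.

```python
"""SEC1 uncompressed public-key blob for P-521: 0x04 || X || Y (133 bytes)."""

# secp521r1 / NIST P-521 domain parameters (curve: y^2 = x^3 - 3x + b mod p).
P = 2**521 - 1
B = int("0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E1"
        "56193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00", 16)
# Base point G, used here only as a constructed sample public key.
GX = int("00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBA"
         "A14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66", 16)
GY = int("011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C"
         "97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650", 16)
FIELD_LEN = 66  # ceil(521 / 8) bytes per coordinate


def encode_uncompressed(x, y):
    """Serialise affine (x, y) in the uncompressed point layout."""
    return b"\x04" + x.to_bytes(FIELD_LEN, "big") + y.to_bytes(FIELD_LEN, "big")


def check(blob):
    """Return None if blob is a well-formed P-521 point, else the reason."""
    if len(blob) != 1 + 2 * FIELD_LEN:
        return "expected 133 bytes, got %d" % len(blob)
    if blob[0] != 0x04:
        return "leading byte 0x%02x is not the uncompressed tag" % blob[0]
    x = int.from_bytes(blob[1:1 + FIELD_LEN], "big")
    y = int.from_bytes(blob[1 + FIELD_LEN:], "big")
    if x >= P or y >= P:
        return "coordinate not reduced modulo p"
    if (y * y - (x * x * x - 3 * x + B)) % P != 0:
        return "point is not on P-521"
    return None


def decode_public_key(blob):
    """Return (x, y) for a valid blob; raise ValueError otherwise."""
    reason = check(blob)
    if reason is not None:
        raise ValueError(reason)
    return (int.from_bytes(blob[1:1 + FIELD_LEN], "big"),
            int.from_bytes(blob[1 + FIELD_LEN:], "big"))


if __name__ == "__main__":
    good = encode_uncompressed(GX, GY)
    bad = good[:-1] + bytes([good[-1] ^ 1])  # flip one bit of Y
    for name, blob in (("good", good), ("tampered", bad), ("short", good[:-1])):
        print(name, "->", check(blob) or "ok")
```

The one-byte encoding of the point at infinity fails the length check, so it can never be accepted as a verification key.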
