Questions about secure curves

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Questions about secure curves

Stephan Seitz
Hi!

I was looking at the output of „openssl ecparam -list_curves” and trying
to choose a curve for the web server together with letsencrypt.

It seems, letsencrypt supports prime256v1, secp256r1, and secp384r1.

Then I found the site https://safecurves.cr.yp.to/.
I have problems mapping the openssl curves with the curve names from the
web site, but I have the feeling that none of the choices above are safe.

Or what am I missing?

Shade and sweet water!

        Stephan

--
|    If your life was a horse, you'd have to shoot it.    |
Reply | Threaded
Open this post in threaded view
|

Re: Questions about secure curves

OpenSSL - User mailing list
There is nothing known to be wrong with NIST P256.  If you don't have a known reason to use 384, then don't use it.

 

Reply | Threaded
Open this post in threaded view
|

Re: Questions about secure curves

Tomas Mraz-2
In reply to this post by Stephan Seitz
On Tue, 2019-10-15 at 15:43 +0200, Stephan Seitz wrote:

> Hi!
>
> I was looking at the output of „openssl ecparam -list_curves” and
> trying
> to choose a curve for the web server together with letsencrypt.
>
> It seems, letsencrypt supports prime256v1, secp256r1, and secp384r1.
>
> Then I found the site https://safecurves.cr.yp.to/.
> I have problems mapping the openssl curves with the curve names from
> the
> web site, but I have the feeling that none of the choices above are
> safe.
>
> Or what am I missing?

They are not 'safe' in the sense the page above declares some elliptic
curves to be safe. In particular these curves do not have some good
properties the safe curves have. On the other hand that does not mean
these curves are inherently insecure.

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]


Reply | Threaded
Open this post in threaded view
|

Re: Questions about secure curves

OpenSSL - User mailing list
In reply to this post by Stephan Seitz
On 15/10/2019 15:43, Stephan Seitz wrote:

> Hi!
>
> I was looking at the output of „openssl ecparam -list_curves” and
> trying to choose a curve for the web server together with letsencrypt.
>
> It seems, letsencrypt supports prime256v1, secp256r1, and secp384r1.
>
> Then I found the site https://safecurves.cr.yp.to/.
> I have problems mapping the openssl curves with the curve names from
> the web site, but I have the feeling that none of the choices above
> are safe.
>

safecurves.cr.yp.to lists some curves that Daniel J. Bernstein
(who runs the cr.yp.to domain) wants to promote, and emphasizes
problems with many other popular curves.

prime256v1 = secp256r1 = P-256 and secp384r1 = P-384 are two curves
that the US government (NIST in cooperation with NSA) wants to
promote.

It so happens that the CA/Browser forum has mysteriously decided
that the big (US made) web browsers should only trust CAs that
only accept curves that the US government promotes.  So if you
want your SSL/TLS implementation to work with widely distributed
US Browsers (Chrome, Safari, Firefox, IE, Edge etc.) you have to
use the US government curves P-256 and P-384 .  The third US
governmentcurve P-521 is banned by Firefox, so no trusted CA can
support it.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Reply | Threaded
Open this post in threaded view
|

Re: Questions about secure curves

Mark Hack
I believe that Firefox does still support P-521 but Chrome does not.
Also be aware that if you set server side cipher selection and use
default curves, that OpenSSL orders the curves weakest to strongest (
even with @STRENGTH) so you will end up forcing P-256.


On Tue, 2019-10-15 at 17:24 +0200, Jakob Bohm via openssl-users wrote:

> On 15/10/2019 15:43, Stephan Seitz wrote:
> > Hi!
> >
> > I was looking at the output of „openssl ecparam -list_curves” and
> > trying to choose a curve for the web server together with
> > letsencrypt.
> >
> > It seems, letsencrypt supports prime256v1, secp256r1, and
> > secp384r1.
> >
> > Then I found the site https://safecurves.cr.yp.to/.
> > I have problems mapping the openssl curves with the curve names
> > from
> > the web site, but I have the feeling that none of the choices
> > above
> > are safe.
> >
>
> safecurves.cr.yp.to lists some curves that Daniel J. Bernstein
> (who runs the cr.yp.to domain) wants to promote, and emphasizes
> problems with many other popular curves.
>
> prime256v1 = secp256r1 = P-256 and secp384r1 = P-384 are two curves
> that the US government (NIST in cooperation with NSA) wants to
> promote.
>
> It so happens that the CA/Browser forum has mysteriously decided
> that the big (US made) web browsers should only trust CAs that
> only accept curves that the US government promotes.  So if you
> want your SSL/TLS implementation to work with widely distributed
> US Browsers (Chrome, Safari, Firefox, IE, Edge etc.) you have to
> use the US government curves P-256 and P-384 .  The third US
> governmentcurve P-521 is banned by Firefox, so no trusted CA can
> support it.
>
>
> Enjoy
>
> Jakob

Reply | Threaded
Open this post in threaded view
|

Re: Questions about secure curves

Viktor Dukhovni
On Oct 15, 2019, at 1:02 PM, Mark Hack <[hidden email]> wrote:

I believe that Firefox does still support P-521 but Chrome does not.
Also be aware that if you set server side cipher selection and use
default curves, that OpenSSL orders the curves weakest to strongest (
even with @STRENGTH) so you will end up forcing P-256.

The choice is optimized for reasonable security, performance and
interoperability.  There's little reason at present to prefer the
521-bit or 384-bit NIST curves.  If any of them are weak against
a secret new cryptanalytic attack, they possibly all are.  Barring
secret advances at NSA (or similar), all the curves are well ou
of reach of known realizable attacks (we don't have any scalable
quantum computers at present), so you may as well use one with
decent performance.

Similarly, IIRC Chrome prefers AES128 or AES256, ...

--
Viktor.

Reply | Threaded
Open this post in threaded view
|

Re: Questions about secure curves

OpenSSL - User mailing list
In reply to this post by Mark Hack
To clarify, Firefox/Mozilla the organization enforces an unexplained
policy of prohibiting all included CAs from issuing any P-521
certificate, thus effectively banning their use on public servers
regardless of technical abilities.

On 15/10/2019 19:02, Mark Hack wrote:

> I believe that Firefox does still support P-521 but Chrome does not.
> Also be aware that if you set server side cipher selection and use
> default curves, that OpenSSL orders the curves weakest to strongest (
> even with @STRENGTH) so you will end up forcing P-256.
>
>
> On Tue, 2019-10-15 at 17:24 +0200, Jakob Bohm via openssl-users wrote:
>> On 15/10/2019 15:43, Stephan Seitz wrote:
>>> Hi!
>>>
>>> I was looking at the output of „openssl ecparam -list_curves” and
>>> trying to choose a curve for the web server together with
>>> letsencrypt.
>>>
>>> It seems, letsencrypt supports prime256v1, secp256r1, and
>>> secp384r1.
>>>
>>> Then I found the site https://safecurves.cr.yp.to/.
>>> I have problems mapping the openssl curves with the curve names
>>> from
>>> the web site, but I have the feeling that none of the choices
>>> above
>>> are safe.
>>>
>> safecurves.cr.yp.to lists some curves that Daniel J. Bernstein
>> (who runs the cr.yp.to domain) wants to promote, and emphasizes
>> problems with many other popular curves.
>>
>> prime256v1 = secp256r1 = P-256 and secp384r1 = P-384 are two curves
>> that the US government (NIST in cooperation with NSA) wants to
>> promote.
>>
>> It so happens that the CA/Browser forum has mysteriously decided
>> that the big (US made) web browsers should only trust CAs that
>> only accept curves that the US government promotes.  So if you
>> want your SSL/TLS implementation to work with widely distributed
>> US Browsers (Chrome, Safari, Firefox, IE, Edge etc.) you have to
>> use the US government curves P-256 and P-384 .  The third US
>> governmentcurve P-521 is banned by Firefox, so no trusted CA can
>> support it.
>>

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded