X25519 Unlisted by -list_curves and Any Trusted Python Code for X, Y Coordinates

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

X25519 Unlisted by -list_curves and Any Trusted Python Code for X, Y Coordinates

OpenSSL - User mailing list
Hello,

I've done some research of other peoples opinions and that's the best I can do. Please advise SVP.

I want to us ECDSA for my Web server's SSL certificate via an ACME client to Let's Encrypt and maybe later BuyPass.

I thought that EC is better than RSA, but now I don't think so. The answer seems to be: it depends.

Safe Curves (SafeCurves: Introduction) says that the NIST curves are P-224, P-256 (ye prime256v1 and what I was trying to implement with Python3 ACME client), and P-384 and NOT SAFE. They did not mention RSA. They give key type Curve25519 a fully passing grade. I think that is ye X25519, also know as ed25519. Linux program ssh has ed25519. I don't trust NIST 'cause I don't trust NSA.






So my conclusion is to prefer in descending order of preference: ed25519, RSA-4096 (I suppose RSA-8196 is sorta overkill maybe. I suspect quantum computers would make it not overkill, but then mobile devises might not like it for the overhead.)

My local version of openssl is:
OpenSSL 1.1.1d  10 Sep 2019

When I openssl ecparam -list_curves I do NOT get X25519.

However, I was apple to generate a private key per ye documentation (manpage for genpkey): /docs/man1.1.0/man1/genpkey.html


Hey, I have that manpage on my linux. So whadayouknow? My remote virtual machine has OpenSSL 1.0.2g  1 Mar 2016 and no X25519.

On my local machine, the CSR generation fails only for the X25519 private key:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Two-letter Country Code [US]:
139873970037888:error:0608D096:digital envelope routines:EVP_PKEY_sign_init:operation not supported for this keytype:../crypto/evp/pmeth_fn.c:40:

Supposing I can get a resolution to using X25519, anybody know of how to get the X and Y coordinates of a public key of type X29915 in the Python3 language? The PYPI repository has python-jose, which uses pyca/cryptography, which is in PYPI as plain, old 'cryptography 2.8'. My exploration of pyca/cryptography's documentation is what led me to the safe curves webpage. Maybe I can get the x and y coordinates with it. Looks scary.

So any informed assessments on:
(1) key types RSA, PRIME-256, and ed25519,
(2) on openssl and X25519, or
(3) getting the X and Y coordinates of the ed25519 public key for making a JSON Web Key (JWK) for a ACME client in Python3.

The ACME protocol is rfc8555 and refers to 'the "EdDSA" signature algorithm using the "Ed25519" variant'. Interestingly, rfc 7518 for JWA (A is for Algorithms) does not have ed25519--though I can't rule out a standards repository somewhere could have it as an addition, for all I know--and does have the curves P-256, P-384, and P-521.

Emhhm.

Maybe I should just use RSA and likewise regress to ed for all my editing needs. I knew a consultant who used ed and was quite good. My supervisor joked about rubbing two sticks together. I'm sure there's lot of vi fans here. 'Twas the night before Christmas and I was stirring. Stirring I tell ya. Me and a mouse.

Douglas Morris
Reply | Threaded
Open this post in threaded view
|

Re: X25519 Unlisted by -list_curves and Any Trusted Python Code for X, Y Coordinates

OpenSSL - User mailing list
  • I want to us ECDSA for my Web server's SSL certificate via an ACME client to Let's Encrypt and maybe later BuyPass.

 

That’s fine.

 

  • I thought that EC is better than RSA, but now I don't think so. The answer seems to be: it depends.

 

There are trade-offs.  The biggest one is that EC gives equivalent security with a much smaller keysize.

 

 

FWIW, SafeCurves is mostly the guy behind 25519 :) This is not a slam against djb, who’s kinda brilliant.

 

If you’re not sure what to do, perhaps follow what the browsers do.  That way if something’s wrong you’ll just be going up in flames with the rest of the world.

 

If you don’t trust the NSA and therefore don’t trust NIST, do you accept AES? What about when they approve 25519?

 

Reply | Threaded
Open this post in threaded view
|

Re: X25519 Unlisted by =?iso-8859-1?Q?-list=5Fcurves_and_Any_Trusted_Python_Code_for_X, _Y_Coordi?= nates

Hubert Kario
On Thursday, 26 December 2019 00:50:29 CET, Salz, Rich via openssl-users
wrote:

>   *   I want to us ECDSA for my Web server's SSL certificate
> via an ACME client to Let's Encrypt and maybe later BuyPass.
>
> That’s fine.
>
>
>   *   I thought that EC is better than RSA, but now I don't
> think so. The answer seems to be: it depends.
>
> There are trade-offs.  The biggest one is that EC gives
> equivalent security with a much smaller keysize.
>
>
>   *   Safe Curves (SafeCurves:
> Introduction<https://urldefense.proofpoint.com/v2/url?u=https-3A__safecurves.cr.yp.to_&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=FZ0AXmFqGUcUdZYm5wdvA4_d71tTi9iIRfHWFcL8wRo&s=ntsSs3tKgynp0pN2J8Yxf8Cd1wrWobKgA4jQ_PLgtPY&e=>)
> says …
>
> FWIW, SafeCurves is mostly the guy behind 25519 :) This is not
> a slam against djb, who’s kinda brilliant.
>
> If you’re not sure what to do, perhaps follow what the browsers
> do.  That way if something’s wrong you’ll just be going up in
> flames with the rest of the world.
>
> If you don’t trust the NSA and therefore don’t trust NIST, do
> you accept AES? What about when they approve 25519?

there's also the difference between a "is the curve a safe generic
cryptographic
primitive?" and "is the curve safe when used in X.509 and TLS?"

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic