Open Bug 1305243 Opened 8 years ago Updated 2 years ago

Support for X448

Categories: NSS :: Libraries, enhancement, P3

Tracking: Not tracked

People: Reporter: jan, Unassigned

Details: Keywords: nightly-community

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20160923030450

Steps to reproduce:
Enhancement request

Actual results:
Currently not implemented

Expected results:
As curve25519 was added in bug 957105, which has an equivalent security level to 128-bit symmetric encryption ( https://www.keylength.com/en/3/ ), there should be a safe curve for long-term protection with a similar security level to 256-bit symmetric encryption: curve448 ( https://tools.ietf.org/html/rfc7748#section-6.2 ). "The ~224-bit security level of curve448 is a trade-off between performance and paranoia."
Severity: normal → enhancement
OS: Unspecified → All
Hardware: Unspecified → All
Depends on: curve25519
No longer depends on: curve25519
NSS supports P-521 already, so, perfectly happy to have X448 but it's probably not going to be a high priority.
(In reply to Eric Rescorla (:ekr) from comment #1)
> NSS supports P-521 already, so, perfectly happy to have X448 but it's
> probably not going to be a high priority.

Then it would be consequent to close bug 1128792 as wontfix.
Priority: -- → P3
> /usr/local/ssl/bin/openssl s_server -key rsa.key -cert rsa.crt -accept 8000 -www -cipher TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256 -groups X448 -serverpref

I can confirm that s_client can connect via X448, but Nightly cannot (SSL_ERROR_NO_CYPHER_OVERLAP).
Severity: enhancement → normal
Status: UNCONFIRMED → NEW
Ever confirmed: true
See Also: → 1306582
Summary: (curve448) Add support for curve448 key exchange → Support for X448
Some clarification would be useful. When TLS 1.3 is enabled, it appears that fragile, less-than-PFS modes are currently enabled. User configuration should be available so that only SafeCurves are enabled (see: https://safecurves.cr.yp.to/ ), with the entire suite being more robust (i.e. not brittle; see: https://www.synopsys.com/blogs/software-security/tls-1-3/ ). At the moment, when TLS 1.3 is enabled, the cipher suite output seen at "https://www.ssllabs.com/ssltest/viewMyClient.html" is confusing. In short, based on the above references, there should be a configurable mode with only SafeCurves enabled. Right now that would appear to be x25519 and x448.
NSS has an API to individually configure each curve on and off with SSL_NamedGroupConfig(). With that said, if you disable all curves but X25519 and X448, you will not be able to connect to a great many servers.
It should be enough if X448 and Ed448 were supported as OpenSSL does, and if bug 1306582 allowed setting a named group preference (e.g. X448:X25519:ffdhe3072:ffdhe2048:P-384:P-256) in about:config. It's important because for TLS 1.3 OpenSSL always respects the client's curve order. With bug 1322748 one can write an extension to warn about personally unpreferred curves. And EdDSA is on its way: https://github.com/letsencrypt/boulder/issues/3649.
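The two situations discussed in this thread, a server offering only X448 to a client that lacks it (the SSL_ERROR_NO_CYPHER_OVERLAP result above) and a preference list whose order the server does or does not honour, can be checked with a small model of supported_groups negotiation. This is an added example, not NSS or OpenSSL code; the client group list used in the test is constructed, and the negotiation routine assumes the RFC 8446 rule that the server picks the first group shared by both lists, in client order unless configured to prefer its own order.

```python
import struct

# IANA TLS NamedGroup codepoints (RFC 8446, RFC 8422, RFC 7919).
NAMED_GROUPS = {
    0x0017: "P-256", 0x0018: "P-384", 0x0019: "P-521",
    0x001D: "X25519", 0x001E: "X448",
    0x0100: "ffdhe2048", 0x0101: "ffdhe3072",
}
GROUP_IDS = {name: gid for gid, name in NAMED_GROUPS.items()}


def encode_supported_groups(names):
    """Build the body of a supported_groups extension: uint16 byte length
    followed by uint16 NamedGroup ids in the client's preference order."""
    ids = [GROUP_IDS[n] for n in names]
    return struct.pack("!H", 2 * len(ids)) + struct.pack("!%dH" % len(ids), *ids)


def parse_supported_groups(ext_body):
    """Decode a supported_groups extension body (RFC 8446 section 4.2.7).
    Unknown codepoints are kept, labelled, so they still take part in
    negotiation (a peer may offer groups this table does not name)."""
    if len(ext_body) < 2:
        raise ValueError("supported_groups extension too short")
    (length,) = struct.unpack("!H", ext_body[:2])
    if length % 2 or 2 + length != len(ext_body):
        raise ValueError("malformed supported_groups extension")
    ids = struct.unpack("!%dH" % (length // 2), ext_body[2:2 + length])
    return [NAMED_GROUPS.get(g, "unknown(0x%04x)" % g) for g in ids]


def negotiate_group(client_groups, server_groups, server_pref=False):
    """Return the group a TLS 1.3 server would select: the first group common
    to both lists, walked in the client's order (what OpenSSL does by default,
    as comment c44 notes) or in the server's order when the server prefers its
    own list (openssl s_server -serverpref). None means no common group, the
    case NSS surfaces as SSL_ERROR_NO_CYPHER_OVERLAP."""
    first, second = (server_groups, client_groups) if server_pref else (client_groups, server_groups)
    for group in first:
        if group in second:
            return group
    return None


# Constructed client list (assumption: an X25519/NIST/FFDHE client without X448).
CLIENT_WITHOUT_X448 = ["X25519", "P-256", "P-384", "P-521", "ffdhe2048", "ffdhe3072"]
```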
As I said in c1, X448 isn't a high priority for us. Our crypto efforts are currently focused on moving as much as possible to HACL*, and so the first thing to do would be to get it in HACL*. With that said, bug 1306582 is not going to be a high priority for the Firefox team, so if you want that done, you should probably think about submitting a patch.
Type: defect → enhancement
QA Contact: jjones
Severity: normal → S3