Bug 1305243 - Support for X448
Status: NEW (Open)
Product/Component: NSS :: Libraries (enhancement, P3)
Opened 8 years ago, updated 2 years ago
Reporter: jan; Assignee: Unassigned
Keywords: nightly-community
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20160923030450
Steps to reproduce:
Enhancement request
Actual results:
Currently not implemented
Expected results:
As curve25519 was added in bug 957105, which has an equivalent security level to 128-bit symmetric encryption ( https://www.keylength.com/en/3/ ), there should be a safe curve for long-term protection with a similar security level to 256-bit symmetric encryption: curve448 ( https://tools.ietf.org/html/rfc7748#section-6.2 ). "The ~224-bit security level of curve448 is a trade-off between performance and paranoia."
Updated • 8 years ago (Reporter)
Severity: normal → enhancement
OS: Unspecified → All
Hardware: Unspecified → All

Updated • 8 years ago (Reporter)
Depends on: curve25519

Updated • 8 years ago (Reporter)
No longer depends on: curve25519
Comment 1 • 8 years ago (Eric Rescorla (:ekr))
NSS supports P-521 already, so, perfectly happy to have X448 but it's probably not going to be a high priority.

Comment 2 • 8 years ago (Reporter)
(In reply to Eric Rescorla (:ekr) from comment #1)
> NSS supports P-521 already, so, perfectly happy to have X448 but it's
> probably not going to be a high priority.
Then it would be consequent to close bug 1128792 as wontfix.
Updated • 7 years ago
Priority: -- → P3

Comment 3 • 7 years ago (Reporter)
> /usr/local/ssl/bin/openssl s_server -key rsa.key -cert rsa.crt -accept 8000 -www -cipher TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256 -groups X448 -serverpref
I can confirm that s_client can connect via X448, but Nightly cannot (SSL_ERROR_NO_CYPHER_OVERLAP).
Severity: enhancement → normal
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: nightly-community
See Also: → 1306582
Summary: (curve448) Add support for curve448 key exchange → Support for X448
Comment 4 • 6 years ago
Some clarification would be useful. When TLS 1.3 is enabled, it appears that fragile less-than-PFS modes are currently enabled. User configuration should be available so that only SafeCurves are enabled (see: https://safecurves.cr.yp.to/ ), with the entire suite being more robust (i.e. not brittle; see: https://www.synopsys.com/blogs/software-security/tls-1-3/ ). At the moment, when TLS 1.3 is enabled, the cipher suite output seen at "https://www.ssllabs.com/ssltest/viewMyClient.html" is confusing.
In short, based on the above references, there should be a configurable mode with only SafeCurves enabled. Right now that would appear to be x25519 and x448.
Comment 5 • 6 years ago
NSS has an API to individually configure each curve on and off with SSL_NamedGroupConfig(). With that said, if you disable all curves but X25519 and X448, you will not be able to connect to a great many servers.
Comment 6 • 6 years ago (Reporter)
It should be enough if X448 and Ed448 were supported as OpenSSL does, and if bug 1306582 would allow setting a named group preference (e.g. X448:X25519:ffdhe3072:ffdhe2048:P-384:P-256) in about:config. It's important because for TLS 1.3 OpenSSL always respects the client's curve order. With bug 1322748 one can write an extension to warn about personally unpreferred curves. And EdDSA is on its way: https://github.com/letsencrypt/boulder/issues/3649.
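The three preceding comments all turn on the same mechanism: which group a TLS 1.3 handshake ends up with depends on the overlap between the client's and the server's supported_groups lists, and on whose order wins. The following is an added example, written for this page and not code from NSS or from anyone in the thread. It models that negotiation stand-alone, with no NSS dependency, using the IANA codepoints from RFC 8446 section 4.2.7 (x25519 = 29, x448 = 30, secp256r1 = 23, secp384r1 = 24, secp521r1 = 25, ffdhe2048 = 256, ffdhe3072 = 257). The preference lists are constructed: the reporter's order from comment 6, the SafeCurves-only client from comment 4, the `-groups X448` server from comment 3, and an assumed NSS-style client without X448 plus two assumed servers (NIST-only and mixed). The function names (`negotiate_group`, `scenario_*`) are this example's own.

```c
#include <stdio.h>
#include <stddef.h>

/* IANA "supported_groups" codepoints (RFC 8446 sec. 4.2.7, RFC 7748). */
typedef unsigned short NamedGroup;
enum {
    GRP_NONE      = 0,    /* sentinel: no group in common */
    GRP_SECP256R1 = 23,   /* P-256 */
    GRP_SECP384R1 = 24,   /* P-384 */
    GRP_SECP521R1 = 25,   /* P-521 */
    GRP_X25519    = 29,
    GRP_X448      = 30,
    GRP_FFDHE2048 = 256,
    GRP_FFDHE3072 = 257
};

static const char *group_name(NamedGroup g) {
    switch (g) {
    case GRP_SECP256R1: return "P-256";
    case GRP_SECP384R1: return "P-384";
    case GRP_SECP521R1: return "P-521";
    case GRP_X25519:    return "X25519";
    case GRP_X448:      return "X448";
    case GRP_FFDHE2048: return "ffdhe2048";
    case GRP_FFDHE3072: return "ffdhe3072";
    default:            return "(none: no common group -> handshake fails)";
    }
}

static int contains(const NamedGroup *list, size_t n, NamedGroup g) {
    for (size_t i = 0; i < n; i++)
        if (list[i] == g) return 1;
    return 0;
}

/* First entry of `pref` that also appears in `other`; GRP_NONE if disjoint.
 * A disjoint pair is what NSS surfaces as SSL_ERROR_NO_CYPHER_OVERLAP. */
static NamedGroup first_common(const NamedGroup *pref, size_t npref,
                               const NamedGroup *other, size_t nother) {
    for (size_t i = 0; i < npref; i++)
        if (contains(other, nother, pref[i])) return pref[i];
    return GRP_NONE;
}

/* server_pref = 0: the client's order wins (OpenSSL's TLS 1.3 behaviour as
 * described in comment 6); server_pref = 1: the server's order wins
 * (the -serverpref flag in comment 3). */
NamedGroup negotiate_group(const NamedGroup *client, size_t nclient,
                           const NamedGroup *server, size_t nserver,
                           int server_pref) {
    return server_pref ? first_common(server, nserver, client, nclient)
                       : first_common(client, nclient, server, nserver);
}

#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed preference lists, most preferred first. */
static const NamedGroup client_reporter[] = {   /* comment 6's preference string */
    GRP_X448, GRP_X25519, GRP_FFDHE3072, GRP_FFDHE2048, GRP_SECP384R1, GRP_SECP256R1 };
static const NamedGroup client_safecurves[] = { GRP_X25519, GRP_X448 };   /* comment 4 */
static const NamedGroup client_nss_no_x448[] = {   /* assumed: an NSS client lacking X448 */
    GRP_X25519, GRP_SECP256R1, GRP_SECP384R1, GRP_SECP521R1, GRP_FFDHE2048, GRP_FFDHE3072 };
static const NamedGroup server_x448_only[] = { GRP_X448 };   /* comment 3: -groups X448 */
static const NamedGroup server_nist_only[] = { GRP_SECP256R1, GRP_SECP384R1 };   /* assumed */
static const NamedGroup server_mixed[] = { GRP_SECP256R1, GRP_X25519 };          /* assumed */

/* Comment 3: a client without X448 against s_server -groups X448 -serverpref. */
NamedGroup scenario_nss_vs_x448_server(void) {
    return negotiate_group(client_nss_no_x448, N(client_nss_no_x448),
                           server_x448_only, N(server_x448_only), 1);
}
/* Comment 5: SafeCurves-only client against a server offering only NIST curves. */
NamedGroup scenario_safecurves_vs_nist_server(void) {
    return negotiate_group(client_safecurves, N(client_safecurves),
                           server_nist_only, N(server_nist_only), 0);
}
/* Comment 6: the reporter's order against a mixed server, client order honoured. */
NamedGroup scenario_reporter_vs_mixed_client_order(void) {
    return negotiate_group(client_reporter, N(client_reporter),
                           server_mixed, N(server_mixed), 0);
}
/* Same pair, but the server enforces its own order. */
NamedGroup scenario_reporter_vs_mixed_server_pref(void) {
    return negotiate_group(client_reporter, N(client_reporter),
                           server_mixed, N(server_mixed), 1);
}

int main(void) {
    printf("client without X448 vs X448-only server: %s\n", group_name(scenario_nss_vs_x448_server()));
    printf("SafeCurves-only client vs NIST-only server: %s\n", group_name(scenario_safecurves_vs_nist_server()));
    printf("reporter's order vs mixed server, client order: %s\n", group_name(scenario_reporter_vs_mixed_client_order()));
    printf("reporter's order vs mixed server, server order: %s\n", group_name(scenario_reporter_vs_mixed_server_pref()));
    return 0;
}
```

The first two scenarios return GRP_NONE, which is the no-overlap failure from comment 3 and the "you will not be able to connect to a great many servers" warning from comment 5. The last two show why comment 6 cares about who controls the order: with the same two lists, client order yields X25519 and server order yields P-256.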
Comment 7 • 6 years ago
As I said in c1, X448 isn't a high priority for us. Our crypto efforts are currently focused on moving as much as possible to HACL*, and so the first thing to do would be to get it in HACL*. With that said, bug 1306582 is not going to be a high priority for the Firefox team, so if you want that done, you should probably think about submitting a patch.
Comment hidden (offtopic)
Comment hidden (offtopic)

Updated • 6 years ago (Reporter)
Type: defect → enhancement
QA Contact: jjones
Updated • 2 years ago
Severity: normal → S3