Closed Bug 319327 Opened 19 years ago Closed 8 years ago

Applications using SSL should be able to choose the elliptic curve in an ECDHE key exchange

Categories

(NSS :: Libraries, enhancement, P2)

3.11
enhancement

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1296239

People

(Reporter: vipul.gupta, Assigned: nelson)

References

Details

(Whiteboard: ECC)

The IETF draft on "ECC cipher suites in TLS" defines several cipher suites using ECDHE-ECDSA and ECDHE-RSA key exchange mechanisms. Currently, the SSL server-side code in NSS uses a hardcoded value for the curve used to generate the ephemeral keys (see ssl3_CreateECDHEphemeralKeys(sslSocket *ss) in ssl3ecc.c). There ought to be some sort of callback mechanism that lets the application using the SSL server code specify a curve.
OS: MacOS X → All
Priority: -- → P1
Target Milestone: --- → 3.12
Perhaps apps should be able to choose this, but some app/server developers think there are already way too many things they must configure with SSL. So, IMO, apps must not be required to choose this. There must be some reasonable default that gets chosen if the app doesn't choose it. Personally, I think it would be best to choose either: a) the same curve as used in the server's cert, or b) the smallest curve supported (believing that it is only ephemeral, after all).
(In reply to comment #1)

I agree with your concern in general but the specific proposals have issues worth pointing out.

> Personally, I think it would be best to choose either:
> a) the same curve as used in the server's cert, or

This wouldn't work for ECDHE-RSA ciphers because the server's cert has an RSA key.

> b) the smallest curve supported (believing that it is only ephemeral, after
> all).

For now, I think choosing secp256r1 is a good option because it is a curve that will be supported in browsers we want to be interoperable with. Smaller curves are not likely to be widely supported.

vipul
Taking bug.
Assignee: wtchang → nelson
Severity: normal → enhancement
Version: unspecified → 3.11
Ideally, this curve should not become the weakest link, and it just needs to be as strong as the weakest link.
Reducing to P2. I don't think we'd stop the release for the absence of this feature. I think it's enough to make a good automatic choice on behalf of the app, at least for the initial release. Let me know if you disagree. Also, let me know if you think that NSS is not presently making a good choice for the ECDHE curve by default. THAT would be P1, I think.
Priority: P1 → P2
Whiteboard: ECC
I have a patch in bug 326482 which implements the scheme where the ECDHE key matches the ECDSA signing key, or an appropriate curve based on the RSA signing key. The code only needs to deal with the TLS curve extension (particularly in the case of the RSA signing key). bob
QA Contact: jason.m.reid → libraries
*** Bug 342557 has been marked as a duplicate of this bug. ***
Blocks: FIPS2008
No longer blocks: FIPS2008
Unsetting target milestone in unresolved bugs whose targets have passed.
Target Milestone: 3.12 → ---
See Also: → 942585
Isn't this resolved now?
Indeed. This worked differently from the description in comment 0 for a while now and was fully resolved with allowing custom EC group preferences bug 1296239.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
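The selection policy the thread converges on (reuse the ECDSA certificate's curve when the client lists it, otherwise pick a curve at least as strong as the signing key so ECDHE is not the weakest link, and default to secp256r1 when the client sends no curve extension) is illustrated below in C. This is an added example, not NSS code and not the patch from bug 326482. The supported_groups code points and the NIST strength equivalences are standard; the function names, the server preference order, the 32-entry parse limit and the sample extension bodies are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA code points for the TLS supported_groups (formerly elliptic_curves) extension. */
enum {
    GRP_NONE      = 0,   /* sentinel: no group chosen / RSA certificate */
    GRP_SECP256R1 = 23,
    GRP_SECP384R1 = 24,
    GRP_SECP521R1 = 25,
    GRP_X25519    = 29
};

/* Approximate security strength in bits (NIST SP 800-57 equivalences). */
static int group_strength(uint16_t g) {
    switch (g) {
    case GRP_SECP256R1: case GRP_X25519: return 128;
    case GRP_SECP384R1: return 192;
    case GRP_SECP521R1: return 256;
    default: return 0;                 /* not a group this example server offers */
    }
}

static int rsa_strength(int modulus_bits) {
    if (modulus_bits >= 15360) return 256;
    if (modulus_bits >= 7680)  return 192;
    if (modulus_bits >= 3072)  return 128;
    if (modulus_bits >= 2048)  return 112;
    return 80;
}

/* Server preference order, assumed for the example: smallest adequate curve wins. */
static const uint16_t server_prefs[] = { GRP_X25519, GRP_SECP256R1, GRP_SECP384R1, GRP_SECP521R1 };
#define NPREFS (sizeof server_prefs / sizeof server_prefs[0])

/* Parse an extension body: 2-byte list length, then 2-byte group ids.
   Returns the number of groups, or -1 if the body is malformed. */
static int parse_supported_groups(const uint8_t *ext, size_t ext_len,
                                  uint16_t *out, size_t max_out) {
    if (ext_len < 2) return -1;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len + 2 != ext_len || list_len % 2 != 0) return -1;
    size_t n = list_len / 2;
    if (n > max_out) return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (uint16_t)((ext[2 + 2 * i] << 8) | ext[3 + 2 * i]);
    return (int)n;
}

static int client_supports(const uint16_t *groups, int n, uint16_t g) {
    for (int i = 0; i < n; i++)
        if (groups[i] == g) return 1;
    return 0;
}

/* Pick the ECDHE group for one handshake (hypothetical helper, not an NSS API).
   ext/ext_len: supported_groups body, ext == NULL if the client sent none.
   cert_curve: group of an ECDSA server key, or GRP_NONE for an RSA key.
   rsa_bits: RSA modulus size, used only when cert_curve == GRP_NONE.
   Returns GRP_NONE when the extension is malformed or nothing is mutually supported. */
uint16_t choose_ecdhe_group(const uint8_t *ext, size_t ext_len,
                            uint16_t cert_curve, int rsa_bits) {
    uint16_t client[32];
    if (ext == NULL)
        return GRP_SECP256R1;          /* no extension: widely supported default */
    int n = parse_supported_groups(ext, ext_len, client, 32);
    if (n < 0)
        return GRP_NONE;               /* malformed extension: refuse rather than guess */

    /* ECDHE-ECDSA: reuse the certificate's curve whenever the client lists it. */
    if (cert_curve != GRP_NONE && client_supports(client, n, cert_curve))
        return cert_curve;

    /* Otherwise the smallest preferred curve at least as strong as the signing key,
       so the ephemeral exchange does not become the weakest link. */
    int need = (cert_curve != GRP_NONE) ? group_strength(cert_curve) : rsa_strength(rsa_bits);
    for (size_t i = 0; i < NPREFS; i++)
        if (group_strength(server_prefs[i]) >= need && client_supports(client, n, server_prefs[i]))
            return server_prefs[i];

    /* Policy choice for the example: take the first mutually supported group
       rather than refuse ECDHE entirely. */
    for (size_t i = 0; i < NPREFS; i++)
        if (client_supports(client, n, server_prefs[i]))
            return server_prefs[i];
    return GRP_NONE;
}

/* Constructed sample extension bodies (not captured traffic). */
const uint8_t sample_ext_modern[]   = { 0x00,0x06, 0x00,0x1d, 0x00,0x17, 0x00,0x18 }; /* x25519, P-256, P-384 */
const uint8_t sample_ext_p256only[] = { 0x00,0x02, 0x00,0x17 };
const uint8_t sample_ext_bad[]      = { 0x00,0x05, 0x00,0x1d, 0x00,0x17, 0x00 };      /* odd list length */

int main(void) {
    printf("ECDSA P-384 cert -> group %u\n", choose_ecdhe_group(sample_ext_modern, sizeof sample_ext_modern, GRP_SECP384R1, 0));
    printf("RSA-2048 cert    -> group %u\n", choose_ecdhe_group(sample_ext_modern, sizeof sample_ext_modern, GRP_NONE, 2048));
    printf("RSA-7680 cert    -> group %u\n", choose_ecdhe_group(sample_ext_modern, sizeof sample_ext_modern, GRP_NONE, 7680));
    return 0;
}
```

The strength matching is what makes the RSA case differ from the ECDSA case: an RSA-2048 key only needs a 112-bit curve, so the first preferred curve (x25519 here) is chosen, while an RSA-7680 key pushes the choice up to secp384r1. A malformed extension is treated as a handshake error rather than silently falling back to the default; an absent extension is the only case that gets the secp256r1 default.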

See the last table on this page, choosing Safe Curves: https://safecurves.cr.yp.to/index.html

The only perfectly secure curves are:

Curve1174
Curve25519 (the only secure curve in windows that I am aware of)
Curve41417 formerly named Curve3617
Curve383187 authors subsequently recommended switching to M-383
M-221 formerly named Curve2213
M-383
M-511 formerly named Curve511187
E-222
E-382
E-521
Ed448-Goldilocks

Insecure Curves include:

NIST P-224
NIST P-256
secp256k1
NIST P-384
Anomalous
BN(2,254)
brainpoolP256t1
ANSSI FRP256v1
brainpoolP384t1

SafeCurves is joint work by the following authors (alphabetical order):

Daniel J. Bernstein, University of Illinois at Chicago, USA, and Technische Universiteit Eindhoven, Netherlands
Tanja Lange, Technische Universiteit Eindhoven, Netherlands 

Please include an option to choose and order curves; please prioritize Curve25519 above all if it has not been done so already.

I do not see any way of changing the EC in about:config. Where is this and how do I do this?
