Elliptic Curve Cryptography (ECC) Support

Adoption of Curve25519 ECDH will probably happen substantially before adoption of Ed25519 EdDSA, since it’s easier.

Currently this is the applicable draft, which is due to be adopted by the CURDLE WG. https://tools.ietf.org/html/draft-josefsson-pkix-newcurves-01

Of course this doesn’t obstruct implementations prior to ratification. In fact, this appears to have happened already: https://www.chromestatus.com/feature/5682529109540864

Edit: Confirming that BoringSSL, Google’s OpenSSL fork, supports Curve25519 ECDH.


Wow, I didn’t know some of the browsers out there were this far with these curves :smiley:

Can’t wait for draft-josefsson-pkix-newcurves to be finalized :smiley:

Hi, the draft is not about ECDH; instead it defines the OIDs for X.509 needed for signing, I think?
I do not know how wide the support is, but with the “arbitrary curve” in the SSL handshake it should be
possible to use Curve25519 and Curve448 already for ECDHE.

New RFC:
https://www.rfc-editor.org/rfc/rfc7748.txt for Curve25519 and Curve448

Article about it: http://www.heise.de/newsticker/meldung/Verschluesselung-IETF-standardisiert-zwei-weitere-elliptische-Kurven-3084830.html


Time for OpenSSL to support them! Time for 1.1.0, so we can use ChaCha20/PolySomething without patches and have these new curves supported, hopefully! :smile:

Hi, my page already supports it, and by the way CHACHA20_POLY1305 is not an EC curve.
And there exist 2 variants.

Then what is ChaCha?

[quote=“Osiris, post:126, topic:34”]
Time for OpenSSL to support them! Time for 1.1.0, so we can use ChaCha20/PolySomething without patches and have these new curves supported, hopefully! :smile:
[/quote]
I compile Nginx against LibreSSL 2.2.5 instead of OpenSSL 1.0.2 to get chacha20 support :slight_smile:


Please use https://community.letsencrypt.org/t/chacha20-poly1305/ for CHACHA discussions.


Yeah. :+1:
To explain it in short: The IETF standardised Curve25519 and Curve448 in this RFC. However, the usage in TLS is still a draft, but one Chromium developer already announced plans to implement the key exchange method X25519. This is what it says on the Chrome status site:

Curve25519, designed by Prof. Dan Bernstein, is one of the two curves
selected by the CFRG for recommendation. When compared to P-256, the
most commonly used curve in TLS today, it admits simpler, faster
implementations that are more naturally resistant to side-channels.

In Chrome 50, we will be adding support for X25519, the Diffie-Hellman
primitive over curve25519, to TLS.

So at least this won’t take so long. What matters for Let’s Encrypt is obviously the use of this curve for signing and this is not standardised yet.

The draft actually says that you can’t negotiate these curves with arbitrary_explicit_prime_curves.

The reason for this restriction is that explicit_prime is only suited
to the so-called Short Weierstrass representation of elliptic curves,
while Curve25519 and Curve448 uses a different representation for
performance and security reasons.


@janitor OK, I did not read in depth how the explicit curve is represented.
@rugk What implementation is used for 25519? “Montgomery”?

Just quoting the Wikipedia article on this curve:

The curve used is y² = x³ + 486662x² + x, a Montgomery curve, over the prime field defined by the prime number 2255 − 19, and it uses the base point x = 9.

So Montgomery curves are the group this special curve belongs to. This is not an implementation.

There were some math symbols missing:

The curve used is y^2 = x^3 + 486662*x^2 + x, a Montgomery curve, over the prime field defined by the prime number 2^255 − 19, and it uses the base point x = 9.

By the way, the prime number without the math signs gives the curve its name.

Things that use Curve25519:

https://ianix.com/pub/curve25519-deployment.html
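
The curve parameters quoted above (y^2 = x^3 + 486662*x^2 + x over the prime 2^255 − 19, base point x = 9), worked through as an added example that is not part of the thread or of any project mentioned in it: X25519 as specified in RFC 7748, in plain Python. The function names are this example's own, and the two private keys in the demo are the test vectors published in RFC 7748 section 6.1.

```python
# Added example (not code from the thread): X25519 per RFC 7748, study only.
# Function names are this example's own; big-int math is not constant-time.
P = 2**255 - 19                     # prime field; "25519" comes from this number
A = 486662                          # y^2 = x^3 + A*x^2 + x (Montgomery form)
A24 = (A - 2) // 4                  # 121665, constant used in the ladder step
BASE = (9).to_bytes(32, "little")   # base point x = 9

def on_curve(x: int) -> bool:
    """True if x^3 + A*x^2 + x is a square mod P (Euler's criterion)."""
    rhs = (x**3 + A * x**2 + x) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1

def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on x-coordinates only (Montgomery ladder)."""
    if len(k) != 32 or len(u) != 32:
        raise ValueError("scalar and point must be 32 bytes")
    s = bytearray(k)
    s[0] &= 248                     # clamp: scalar becomes a multiple of 8
    s[31] = (s[31] & 127) | 64      # clamp: clear bit 255, set bit 254
    n = int.from_bytes(s, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def shared_secret(own_private: bytes, peer_public: bytes) -> bytes:
    """ECDH; reject the all-zero output that low-order peer points produce."""
    out = x25519(own_private, peer_public)
    if out == bytes(32):
        raise ValueError("peer public key is a low-order point")
    return out

if __name__ == "__main__":
    # Private keys: published test vectors from RFC 7748 section 6.1.
    alice = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    bob = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    a_pub, b_pub = x25519(alice, BASE), x25519(bob, BASE)
    print(a_pub.hex(), shared_secret(alice, b_pub) == shared_secret(bob, a_pub))
```

Only x-coordinates are exchanged, which is why this curve does not fit the short Weierstrass encoding discussed earlier in the thread.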


So, is EC certificate generation possible using Let’s Encrypt now? Or do appropriate intermediates (EC signed) have to be generated by the ISRG? How can I use LE Client to get an EC-521 certificate?

Yes.

No, not necessarily.

See

It should be mentioned that EC is only possible on staging right now.
Production currently says: {"type":"urn:acme:error:malformed","detail":"ECDSA curve P-256 not allowed","status":400}
It would be nice if there were an update on when it will be enabled on production,
since profiles depending on the key types are now also possible.


Update: We’ve enabled signing of end-entity certificates containing EC public keys in production.

Big thanks to @hlandau and @selecadm for their help on this!


Cool it works :slight_smile:
-> https://suche.org/ had a problem with HPKP :frowning:

And here the test result: https://www.ssllabs.com/ssltest/analyze.html?d=suche.org
