Elliptic-Curve Cryptography and the Internet
Dominik Joe Pantucek
joe@joe.cz
Trustica s.r.o.
7.12.2015
Dominik Joe Pantucek (Trustica s.r.o.) Elliptic-Curve Cryptography and the Internet 7.12.2015 1 / 35

What is EC?
Elliptic curve
Looks nice
1D abelian variety
Forms abelian group over 2D finite field

What is EC?
$y^2 = x^3 - 2x + 2$
EC in Weierstrass form.
$10x^2 + y^2 = 1 + 6x^2 y^2$
Twisted Edwards curve.

What is ECC?
Elliptic-curve cryptography
Public-key cryptography system
Form abelian group over 2D finite field
Point addition: $C = A + B$
Point duplication: $B = A + A$
Point multiplication: $B = n \cdot A$
Discrete logarithm problem on the EC group:
Given points A and B,
find n such that $B = n \cdot A$.
Good luck ...

Why should we care?
Security parameter:
The bigger the better ...
80-bit security is roughly 1024-bit RSA
The number of required brute-force attempts is approximately $2^n$
$2^{80}$ for 1024-bit RSA
Size:
The smaller the better ...
1024-bit RSA keys and values are 1024 bits long, i.e. 128 bytes
Speed and/or latency impact during key exchange

Why should we care?
Elliptic-curve cryptography:
security parameter is $n/2$
n is typically 256 - 256 bits per coordinate (2D)
only one coordinate is needed
+1 bit of the other one for checksum calculation
$\lceil 257/8 \rceil = 33$ bytes for 128-bit security

What ECC is available?
Curves:
NIST - National Institute of Standards and Technology
SECG - Standards for Efficient Cryptography Group
Independent (Bernstein et al.)
Authentication: ECDSA
Encryption: ECDH/ECDHE
Parameters: $p, a, b, G, n$
Key pairs: $d_A, Q_A$ and $d_B, Q_B$ with $Q_A = d_A G$ and $Q_B = d_B G$
Commutativity: $d_A d_B G = d_B d_A G$
Shared secret: $d_A Q_B = d_B Q_A$

Standard curves and algorithms
$ openssl ecparam -list_curves
secp112r1 : SECG/WTLS curve over a 112 bit prime field
secp112r2 : SECG curve over a 112 bit prime field
secp128r1 : SECG curve over a 128 bit prime field
secp128r2 : SECG curve over a 128 bit prime field
secp160k1 : SECG curve over a 160 bit prime field
secp160r1 : SECG curve over a 160 bit prime field
secp160r2 : SECG/WTLS curve over a 160 bit prime field
secp192k1 : SECG curve over a 192 bit prime field
secp224k1 : SECG curve over a 224 bit prime field
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
...

Alternative curves and algorithms
Curve25519
$y^2 = x^3 + 486662x^2 + x \pmod{2^{255} - 19}$
Ed25519
$-x^2 + y^2 = 1 - \frac{121665}{121666} x^2 y^2 \pmod{2^{255} - 19}$
X25519 (DH)
EdDSA

Library support
OpenSSL
Microsoft Cryptography API: Next Generation
LibreSSL
GNUTLS
NaCl

OpenSSL
Since 0.9.8 (5 Jul 2005)
ECDSA - ECDSA_* *-ECDSA-*
ECDH - ECDH_* ECDH-*
Example (configuration string): ECDH-ECDSA-AES256-GCM-SHA384

Microsoft Cryptography API: Next Generation
Windows Vista and newer, Windows Server 2008 and newer
ECDSA - BCRYPT_ECDSA_P256_ALGORITHM
ECDH - BCRYPT_ECDH_P256_ALGORITHM
Example: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384

LibreSSL
Forked from OpenSSL by OpenBSD folks in 2014
API is the same
New (preferred) libtls API uses same configuration strings
Example (configuration string): ECDH-ECDSA-AES256-GCM-SHA384

GNUTLS
GNU implementation
Since 3.0.0. (29 Jul 2011)
Configuration strings - called priorities
Example: ECDH-ECDSA-AES256-GCM-SHA384

NaCl
[Salt]
Daniel J. Bernstein et al.
Ed25519 in the next release
May support NIST-P256/SHA-512-based ECDSA

Application support
Servers
Clients

HTTP server support
Apache
IIS
Nginx
LigHTTPd

HTTP server support
Supported only in TLS 1.0 and higher.
Disabling SSL 2.0 and 3.0 is strongly recommended.

Apache
mod_ssl links against OpenSSL
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256
SSLProtocol All -SSLv2 -SSLv3

IIS
Supported since Windows Server 2008
Supports ECDHE_RSA
ECDHE_ECDSA only with ECC certificates
Cipher preferences (order) can be configured in:
SSL Cipher Suite Order policy

Nginx
Linked against OpenSSL
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

LigHTTPd
Once again ... linked against OpenSSL
ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

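One way to check what an OpenSSL cipher string like the one in the Apache, Nginx and LigHTTPd slides actually enables, and whether every suite below TLS 1.3 uses ECDHE with ECDSA authentication. This is an added example, not from the talk; `audit` is a hypothetical helper and the suites reported depend on the local OpenSSL build.

```python
# Added example: expand an OpenSSL cipher string with Python's ssl module,
# which accepts the same cipher-list syntax as the server directives above.
import ssl

def audit(cipher_string):
    """Return (suites, problems) for the string as a TLS server context loads it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return [], ["cipher string matches no suite in this OpenSSL build"]
    suites = [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]
    problems = []
    for name, protocol in suites:
        if protocol == "TLSv1.3" or name.startswith("TLS_"):
            continue  # TLS 1.3 suites are configured separately from this string
        if not name.startswith("ECDHE-"):
            problems.append(name + ": key exchange is not ephemeral ECDH")
        elif not name.startswith("ECDHE-ECDSA-"):
            problems.append(name + ": authentication is not ECDSA")
    return suites, problems

if __name__ == "__main__":
    # Constructed inputs: the string from the slides, then one that also admits
    # an RSA-authenticated suite (the ECDHE_RSA case on the IIS slide).
    for s in ("ECDHE-ECDSA-AES128-GCM-SHA256",
              "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"):
        suites, problems = audit(s)
        print(s)
        print("  enabled :", [n for n, _ in suites])
        print("  problems:", problems)
```

Any TLS 1.3 suites in the output are listed by OpenSSL regardless of the cipher string, so they are skipped rather than flagged.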
HTTP client support
Firefox
Chrome
Microsoft Internet Explorer

Firefox
Uses NSPR and NSS
Fully supported at least since 2009
All builds from last 5 years ...
No manual configuration needed

Chrome
Fully supported with the same backend as Firefox
All builds from last 5 years ...
No manual configuration needed

Microsoft Internet Explorer
Fully supported since version 9
No manual configuration needed

Other
SSH/OpenSSH
OpenPGP/GnuPG

SSH/OpenSSH
ECDSA and ECDH supported since version 5.7 [23 Jan 2011]
Ed25519 supported since 7 Dec 2013 snapshots
Official support since version 6.5 [2 Feb 2014]
It is the preferred type of both server and client keys now
ssh-keygen -t ed25519 -C My-Ed25519-key -f generated-key

OpenPGP/GnuPG
Supports standardized ECC
NIST P-256, P-384, and P-521 curves
Brainpool P-256, P-384, and P-512 curves
Both for signing and encryption

OpenPGP/GnuPG
Experimental Ed25519/EdDSA support
draft-koch-eddsa-for-openpgp-03 [Aug 28, 2015]
22 is probable id
expires [Feb 29, 2016]
draft-josefsson-eddsa-ed25519-03 [May 12, 2015]
expired [Nov 13, 2015]
draft-irtf-cfrg-eddsa-00 [Oct 7, 2015]
expires [Apr 9, 2016]

OpenPGP/GnuPG
$ gpg --expert --full-gen-key
...
Please select what kind of key you want:
...
(10) ECC (sign only)
...
Your selection? 10
Please select which elliptic curve you want:
(1) Curve 25519
...
Your selection? 1
gpg: WARNING: Curve25519 is not yet part of the OpenPG
Use this curve anyway? (y/N) y
...

Conclusion
By using ECC wisely you...
get bigger security parameter,
get smaller and faster handshakes,
and make sure the future will be pretty twisted.

Questions
Feel free to ask some ;-)

References
Elaine Barker, Lily Chen, Allen Roginsky and Miles Smid: NIST Special Publication 800-56A Revision 2 - Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, May 2013
NIST: FIPS PUB 186-4 - Digital Signature Standard (DSS), July 2013
IETF work in progress drafts:
W. Koch: EdDSA for OpenPGP (draft-koch-eddsa-for-openpgp-03), August 28, 2015
S. Josefsson and N. Moeller: EdDSA and Ed25519 (draft-josefsson-eddsa-ed25519-03), May 12, 2015
S. Josefsson and I. Liusvaara: Edwards-curve Digital Signature Algorithm (EdDSA) (draft-irtf-cfrg-eddsa-00), October 7, 2015
Me et al.: all elliptic curve images presented, December 2015

Thank you.