ECDSA is fantastic for all the reasons touched on in this article, but I’m sure the use of NIST curves will draw some criticism. As far as I know, no cryptographer seriously believes the curves to be backdoored, but nonetheless seems to be a hot topic of online discussion. DJB lists them as “unsafe”. Of course, other curve parameters like 25519 don’t have the same widespread deployment that the NIST curves enjoy, so this is a very sensible choice.
Even better than curve25519, I would prefer to see the related curve448 supported. I haven't heard any reason to prefer the NIST curves when open alternatives exist. From what I understand, curve25519 is significantly faster than the NIST curves, in addition to being better understood.
The only real advantage I know of with the NIST curves is that they might be more widely supported, which you mentioned, and which is all the more reason why it would be good for an organization like Let's Encrypt to push the industry forward with regards to curve448 support.
I wouldn't mind if they offered options for what kind of certificate you would like them to issue, so people who favor NIST curves could get a certificate signed that way, and people who prefer curve25519 or curve448 could get a certificate signed that way, but I also realize that more maintenance burden is never fun.
But, those are just my thoughts on the issue... maybe I'm completely wrong.
Other keys violate the Baseline Requirements which are common rules agreed between the major CAs and Browser vendors. Now, a CA could choose to just disregard the BRs, but then they're automatically in violation of the root trust programme rules for the major root trust programmes - at least Microsoft, Apple, Mozilla, Google, then arguably Oracle (because Java) and some other smaller outfits. So that's probably the end of that Certificate Authority, at least for the Web PKI.
Individual root programmes also have their own rules, and so in this case Mozilla's rules are important because they further restrict keys to RSA or ECDSA P-256 or P-384 only.
Now, those are just policies, you can change policies, but that's not up to Let's Encrypt. If you believe Mozilla needs to support Curve 25519 then that's a bunch of software development you can volunteer to do, followed by lobbying all their competitors because it's futile if only Firefox supports it anyway.
The reasons for using the NIST curve might have less to do with technical merits or security aspects, and more with regulations and certifications. Certifying something including cryptography already certified (NIST curve) is easier/cheaper than otherwise.
As for backdoors, nobody really knows .. the nature of the algorithm itself makes it practically impossible to even detect a backdoor, even when there is one. So far, no evidence of that though. So if there is a backdoor, then whoever has knowledge of it is damned good in keeping it a secret. In my opinion a bit too good to be likely. That said, NIST has been caught before with their pants down. Rather awkward, since that's the organization supposed to certify such things. One can even wonder what worth or real meaning certifications still have, after they got caught with what they did. I'd personally consider it mostly a national US affair, but the reality is that the rest of the world is still dominated by US standards when it comes to the internet.
All in all, the reasons for using the NIST curve might be more economical and people doing security by marking check boxes, rather than about actual security or efficiency.
Stodgy, conservative organisations like banks and the military created the market for hardware security modules, FIPS-140 dongles, smartcards, TPMs and so on.
And they couldn't care less about sticking it to the NSA by rejecting the NIST curves. Whereas if you say "government standards compliant military grade encryption" they like that a lot.
If you aren't one of those organisations, but you'd still like to use a HSM/TPM/smartcard, no Curve25519 for you.
In modern times, the keys on a SSL certificate don't directly encrypt the session key used to protect communications between your browser and web-server. Instead the key only signs the diffie-helman share that a web server uses. Web-server operators are free to use 25519 for their ECDH shares if they want to, the curve used there does not have to match the certificate's curve.
Even if the NIST curves are backdoored, the backdoor wouldn't be able to passively decrypt TLS sessions. At best it might allow someone with knowledge of the backdoor to impersonate a web-server, but that's an active attack and it would be very risky for the attacker. They'd run a huge risk of disclosing their back door capability.
Active attacks are effective and not that risky. For most web services, the attacker only needs to intercept a single transaction in order to get the session cookies and then you are pwned. Since they only need one, they can hit you with a DNS cache poisoning attack and simultaneous clickjacking attack while you're on a public WiFi.
In general, I'm skeptical of any "this attack isn't really practical" arguments. They have a way of becoming practical enough for high-value targets, so it's not something I want to use.
This feels like a trap people fall into when considering how attacks work. You're right, any one instance of active TLS interception is vanishingly unlikely to be detected. But an adversary conducting that attack at any kind of scale will be deploying instances of that attack regularly. The cost of detection can be very high --- it's not "public opprobrium", as so often seems to be the mental model on HN, but rather disclosure of sources and methods to other adversaries, who are themselves exquisitely well equipped both to detect stuff and also to work back to expand the scope of tradecraft lapses in drastic and surprising ways.
Here, though, it's even simpler: you're positing an attacker who is exploiting a cryptographic vulnerability unknown to science simply in order to conduct an individual TLS interception. The consequences of the disclosure of such an attack --- one that would be discernible by amateurs --- go far beyond what curves people select in the future.
The US and a few others routinely sink billions of dollars into weapons systems they'll only ever be able to use once, like strategic nuclear submarines.
So the fact that a backdoor could only be used briefly until it was discovered, doesn't mean that some agency wouldn't invest a lot of effort into developing it, just in case.
Can you link to a config example for nginx for what you’re describing in your first paragraph? Or a web framework in any language? I’ve never seen that done before, where the DH shares don’t match the certificate type. But, I’m definitely not an expert on the low level details of TLS.
All your DH shares don't match the certificate type already because you use ECDH with either NIST P-256 or X25519 and you likely use an RSA certificate.
The two asymmetric systems (one for key exchange and one for authentication) have nothing to do with each other, you can mix and match them freely (e.g. post-quantum key exchange experiments ran by google and cloudflare).
FIPS 186-5 and SP 800-186 (currently in final draft) will have new curves:
> NIST is proposing updates to its standards on digital signatures and elliptic curve cryptography to align with existing and emerging industry standards. As part of these updates, NIST is proposing to adopt two new elliptic curves, Ed25519 and Ed448, for use with EdDSA. EdDSA is a deterministic elliptic curve signature scheme currently specified in the Internet Research Task Force (IRTF) RFC 8032, Edwards-Curve Digital Signature Algorithm. NIST further proposes adopting a deterministic variant of ECDSA, which is currently specified in RFC 6979, Deterministic Usage of the Digital Signature Algorithm and Elliptic Curve Digital Signature Algorithm. Finally, based on feedback received on the adoption of the current elliptic curve standards, the draft standards deprecate curves over binary fields due to their limited use by industry.
Yes, there isn't adequate browser (or other client) support to use Curve25519 signatures in a public CA's certificate.
I'm actually kind of confused about exactly what would be required and exactly what the state of it is, so maybe someone can chime in -- I just know it's not ready.
Another thing I don't understand is what the threat model looks like for applying hypothetically backdoored curves. That is, can you interactively or offline attack ECDHE, ECDSA, or both? Can you derive the private key from the public key, by inspection and calculation, by observing random signatures, by obtaining chosen signatures, or something else?
"Also in 2018, RFC 8446 was published as the new Transport Layer Security v1.3 standard. It requires mandatory support for X25519, Ed25519, X448, and Ed448 algorithms.[24]"
I haven't confirmed this myself, but it seems like anything that supports TLS 1.3 (a lot of things, relatively speaking) supports both curve25519 and curve448.
> Another thing I don't understand is what the threat model looks like for applying hypothetically backdoored curves.
Obviously, no one has proof that the NIST curves are backdoored, so who knows what kind of backdoor they would have? No one really wants to find out the hard way, though.
> "Also in 2018, RFC 8446 was published as the new Transport Layer Security v1.3 standard. It requires mandatory support for X25519, Ed25519, X448, and Ed448 algorithms.[24]"
This is oversold, if not simply factually incorrect.
RFC 8446 says
> A TLS-compliant application MUST support digital signatures with rsa_pkcs1_sha256 (for certificates), rsa_pss_rsae_sha256 (for CertificateVerify and certificates), and ecdsa_secp256r1_sha256. A TLS-compliant application MUST support key exchange with secp256r1(NIST P-256) and SHOULD support key exchange with X25519
x448 is not mandatory. x25519 is not mandatory, it's only a SHOULD. In addition, key exchange is for diffie-hellman ephemeral keys; that's separate from the keys used in the certificate. I don't think there's widespread support for X25519 (or X448) in X.509 certificates.
There’s a small point of terminology that’s important for getting a clear idea of the state of support for curve25519 in IETF protocols.
X25519 is the name used for key exchange (Diffie-Hellman) which has been widely supported for some years now since it was added to TLS.
Ed25519 is the name used for digital signatures (Ed is short for Edwards) which is what you need for certificates. It was a few years later to arrive in OpenSSL because TLS didn’t need it.
Note that this document is (of course) not an implementation, or even an explanation of how to implement support for this, but only a description of how to spell X25519 in ASN.1 in order to write it into a PKIX X.509 certificate.
So this document is a precursor to widespread support for X25519 in certificates only in the same way that coming up with a name for your kid is a precursor to giving birth. It's not strictly necessary, and it's certainly not the most important thing you needed to do, but I guess it can be part of the process.
> A lot of things, but probably not enough things for a certificate authority that has to support pretty much everything in widespread use to use.
TLS 1.3 is - in browser-centric scenarios - about 50% of clients today. Put another way: at least half of the internet does not support TLS 1.3, and that is larger still if you are in the embedded, large enterprise or similar spaces.
It will take a while to close out that last 50%, and I do not blame Let’s Encrypt for taking the clearly practical approach here (by far).
Could a certificate authority not have several root certificates? I really don't see any reason they would have to have only one root certificate.
They could let people choose what kind of certificate they want issued to them, and the default could be whichever is most widely supported or whatever.
People can already choose what kind of certificate they want issued to them, because the CA does not generate your private keys.
Them giving you a certificate with an RSA public key in it is impossible if you submit a Certificate Signing Request with an ECDSA public key in it (or vice versa).
Then it's only down to what intermediate certificate you want to serve. That's the constraining factor; since you don't get to choose which private key the CA signs your certificate with, you have to use the intermediate certificate whose public key corresponds to the private key that made that signature.
The sensible thing for a CA to do is to sign with (and supply) an ECDSA intermediate if they get handed an ECDSA CSR, and an RSA intermediate if they get handed an RSA CSR. I imagine this is what Let's Encrypt does already.
It can't be what they do already because Let's Encrypt does not currently operate an ECDSA intermediate. This document describes a hierarchy they've just recently issued, and which is not yet in production use.
If you present a CSR for an ECDSA public key today, Let's Encrypt will issue a certificate signed by their RSA intermediate Let's Encrypt Authority X3, for your ECDSA key.
They haven't actually specified whether you'll get certificates in the new ECDSA hierarchy from the same API endpoint or need to use a different endpoint.
Supporting a variety of options instead of just doing one thing has its own costs in terms of added complexity and maintenance. Maybe they thought about it and decided it wasn't worth it, at least not for now. There's nothing prohibiting them from offering more curves in the future.
I disagree: DJB and others have researched how backdoors in elliptic-curve cryptography (and other algorithms) could work. In Dual_EC_DRBG we even know exactly how they would work.
While I don't believe there's any publication that explains the exact mathematics of a backdoor that could have been used in the NIST curves, I think the likely algorithmic consequences for EC security assumptions probably are understood -- just not by me. :-)
I'm sure this is about the mathematical soundness of the prime numbers used in elliptic curve cryptography, but wouldn't it be much easier to access half the internet's traffic if root certificates were compromised instead?
When you say access, do you mean intercept and decrypt?
I’m fairly sure root certificates are only affect the browser’s trust of a server’s public key and is not involved in the security of encryption—for that you’d still need the server’s individual private key.
And even then I’m still not sure if the private key is sufficient given modern encryption protocols. Hopefully someone else can chime in to elaborate here.
Regarding your last point, even if you can monitor (but not alter) all traffic on the Internet, in real-time, all of the time, forever, that does not let you decrypt any traffic (now or in the future) if the parties are using forward-secret ciphersuites (those whose key exchange is performed with ephemeral private keys, instead of the key corresponding to the public key in the certificate).
At the moment, these are the DHE- and ECDHE- ciphersuites in TLS1.2 and below, and are mandatory in TLS1.3 (RSA key exchange was removed).
This only becomes a concern if your adversary can alter traffic in real-time (because they can use a compromised root to obtain their own certificate for the service you're talking to, and pretend to be them to you, and you will then negotiate your keying material with them instead, which naturally gives them the ability to decrypt the traffic before forwarding it along to its intended destination). Several technologies, such as HPKP, CAA, and CT, are designed to eliminate or mitigate this.
If you can obtain the theoretically short-lived but certainly not truly ephemeral STEK (Session Ticket Encryption Key) from a server, then any sessions which enabled session tickets even if those tickets were never used can be decrypted using the STEK.
"As far as I know, no cryptographer seriously believes the curves to be backdoored, but nonetheless seems to be a hot topic of online discussion. DJB lists them as “unsafe”."
I'm not very well educated in this space. Is DJB historically prone to exaggeration?
the NIST curves are unsafe, regardless of if they are backdoored. In order to use them safely, you have to carefully prepare your private key, because some keys are unsuitable. for curve 25519, you just need a decent secure random, all keys in the keyspace are good.
Apart from clamping not being fully and clearly justified in most of the earliest specs and papers (which led to a few broken and/or insecure implementations), it makes the whole narrative of the curve being "safe" quite arguable and leaving a flavor of marketing in the mouth (NIST P curves have cofactor 1 so they are "safer" in that respect).
"NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic interests of U.S. companies"
Because it would destroy their credibility in this field forever. Like, it's not impossible, but it'd have to be "burn all this accumulated trust right down" important. They can advance the US' interests in more subtle ways by just being above board.
Not that that's any guarantee with this administration, of course, but in general it's sound.
...While also making it more resistant to differential cryptanalysis (called DCA from now on). DES died because of the small keyspace. Without the NSA/NBS changes it would have been insecure from the start and would have been a lot easier to crack once DCA was out in public.
The changes proposed made DES harder to crack for the NSA, but less "future safe" once computational power caught up. I don't know enough about DCA to know whether DCA-weak-DES could have been made safer with something like 3des, but I wouldn't want to bet on it.
Working in the finance sector, I haven't seen push back because I haven't seen anybody or anything use ECDSA. ^^
Usage and support is relatively low. Most people have no idea what ECDSA is or how to use it. There are some issues in java versions (7 or 8) if you try to use ECDSA. I personally don't find the elliptic curves and parameters easy to grasp and I have a math background (multiplying large numbers was much more palatable), I think a developer would quickly hit a roadblock if they tried to work with it.
Long story short. There is no benefits to ECDSA (over RSA) so there is really no reason to push for it.
The only place where DSA is somewhat used is SSH keys. SSH has its own crypto routines, they've added support and pushed DSA for some time. Keys are a bit shorter so it's nicer to copy paste to github or digital ocean.
(Not sure people realized this is sarcasm.) Right because if they believe something crazy like there being a backdoor in something recommended by the government then people will just say they are not a real cryptographer. Because of course no part of our government ever does anything tricky like backdoors and even if one part of the government did, it could never influence another part that made recommendations to the public for what security algorithms to use. And of course anyone suggesting that such a thing might be possible is just an insane conspiracy theorist.
