Going down an elliptically curved rabbit hole

Yesterday I posted a guide to securing your nginx server with some good SSL settings. As I mentioned in that post, I am eager to get rid of RSA entirely, because it is going to be broken at some point in the not-so-distant future. So I spent part of the day researching the possibility of using Elliptic Curve Cryptography for my site. Below are some of my findings.

The first part of the story was figuring out whether there was any Certificate Authority which can issue Elliptic Curve certificates. It turns out that both Comodo and Symantec/Verisign actually have Elliptic Curve root certificates, and that they offer these for sale, also through resellers.

In the Netherlands there is the very nice Xolphin sslcertificaten.nl store where you can buy certificates cheaply from these CAs. They have also told me that they support ECDSA certificates if you generate a CSR yourself, and mention ECDSA when you pay.

This gave me some good hope, and I was eager to try this out. But I wanted to get to the bottom of this, and make sure that I was using the right tools to generate a CSR securely, and that the certificate itself would be as secure as possible, so that I could post this here.

This was partly instigated by some help from @okoeroo, who reminded me of the SafeCurves work of Dan Bernstein and Tanja Lange. Dan and Tanja are incredibly knowledgeable in this field and have helped develop NaCl, which I’ve discussed in the post about TinySSH. So I trust their judgement, especially in this matter.

The SafeCurves page shows the analyses of known elliptic curves as defined by ANSI, NIST, IEEE, and many others. The page shows how these are analysed, where possible weak points are and whether these curves should be considered safe or not. Unfortunately, there is currently no overlap in what openssl supports and what is considered safe on the SafeCurves page. You can check this yourself by comparing the output of openssl ecparam -list_curves with the overview on SafeCurves.
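The comparison described above can be scripted. The following is an added example, not code from the original post: it parses the `openssl ecparam -list_curves` layout (including the multi-line entries) and sorts each curve by its SafeCurves rating. The name mapping, the sample text and the function names are assumptions of the example.

```python
import re
import subprocess

# Curves the SafeCurves overview rates as safe (matched by exact name).
SAFE = {"M-221", "E-222", "Curve1174", "Curve25519", "E-382", "M-383",
        "Curve383187", "Curve41417", "Ed448-Goldilocks", "M-511", "E-521"}
# OpenSSL short name -> SafeCurves name, for curves SafeCurves rates unsafe.
# This mapping is an assumption of the example, not output of either tool.
RATED_UNSAFE = {"secp224r1": "NIST P-224", "prime256v1": "NIST P-256",
                "secp384r1": "NIST P-384", "secp256k1": "secp256k1",
                "brainpoolP256t1": "brainpoolP256t1",
                "brainpoolP384t1": "brainpoolP384t1"}

# Constructed sample in the layout `openssl ecparam -list_curves` prints.
SAMPLE = ("  secp224r1 : NIST/SECG curve over a 224 bit prime field\n"
          "  secp256k1 : SECG curve over a 256 bit prime field\n"
          "  secp384r1 : NIST/SECG curve over a 384 bit prime field\n"
          "  prime256v1: X9.62/SECG curve over a 256 bit prime field\n"
          "  brainpoolP256t1: RFC 5639 curve over a 256 bit prime field\n"
          "  Oakley-EC2N-3: \n"
          "\tIPSec/IKE/Oakley curve #3 over a 155 bit binary field.\n"
          "\tNot suitable for ECDSA.\n")

NAME_LINE = re.compile(r"^ +([\w-]+)\s*:\s*(.*)$")

def parse_curves(text):
    """Return {short name: description}, folding tab-indented continuation lines."""
    curves, last = {}, None
    for line in text.splitlines():
        m = NAME_LINE.match(line)
        if m:
            last = m.group(1)
            curves[last] = m.group(2).strip()
        elif last and line.strip():
            curves[last] = (curves[last] + " " + line.strip()).strip()
    return curves

def classify(text):
    """Sort every listed curve into safe / rated_unsafe / not_listed."""
    out = {"safe": [], "rated_unsafe": [], "not_listed": []}
    for name in parse_curves(text):
        key = ("safe" if name in SAFE else
               "rated_unsafe" if name in RATED_UNSAFE else "not_listed")
        out[key].append(name)
    return out

if __name__ == "__main__":
    try:  # use the local OpenSSL if present, otherwise the constructed sample
        text = subprocess.run(["openssl", "ecparam", "-list_curves"],
                              capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE
    for verdict, names in classify(text).items():
        print(f"{verdict}: {len(names)} {names}")
```

An empty `safe` list is the "no overlap" result; `not_listed` holds curves that do not appear on the SafeCurves overview under the example's mapping.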

So, I’m forced to conclude that at the moment there does not seem to be a safe way of using ECDSA certificates yet. So, I’m not going to use Elliptic Curve DSA certificates for this site yet.

2 comments on “Going down an elliptically curved rabbit hole”

  1. Jeroen, you just saved me quite a lot of time. This is exactly what I was looking for.
    Still no match between OpenSSL and SafeCurves.

    One question though, you still prefer classic RSA certificate over non-safe curves?

    • I would really like to use EC-crypto. There are lots of reasons for using it, such as being a newer crypto algorithm that has been pretty well-studied already, and it is also more efficient.

      However, with the whole NIST affair surrounding EC_DUAL_RNG, and the analysis of Bernstein and Lange, I still prefer RSA over non-safe curves.
