Going down an elliptically curved rabbit hole

Posted in Research Security with tags cryptography ecdsa elliptic curve -

Yesterday I posted a guide to securing your nginx server with some good SSL settings. As I mentioned in that post, I am eager to get rid of RSA entirely, because it is going to be broken at some point in the not so distant future. So I spent part of the day researching the possibility of using Elliptic Curve Cryptography for my site, below are some of my findings.

The first part of the story was figuring out whether there was any Certificate Authority which can issue Elliptic Curve certificates. It turns out that both Comodo and Symantec/Verisign actually have Elliptic Curve root certificates, and that they offer these for sale, also through resellers.

In the Netherlands there is the very nice Xolphin sslcertificaten.nl store where you can buy certificates cheaply from these CAs. They have also told me that they support ECDSA certificates if you generate a CSR yourself, and mention ECDSA when you pay.

This gave me some good hope, and I was eager to try this out. But I wanted to get to the bottom of this, and make sure that I was using the right tools to generate a CSR securely, and that the certificate itself would be as secure as possible, so that I could post this here.

This was partly instigated by some help of @okoeroo who reminded me of the SafeCurves work of Dan Bernstein and Tanja Lange. Dan and Tanja are incredibly knowledgable in this field, have helped develop the NaCL that I’ve discussed in the post about TinySSH. So I trust their judgement, especially in this matter.

The SafeCurves page shows the analyses of known elliptic curves as defined by ANSI, NIST, IEEE, and many others. The page shows how these are analysed, where possible weak points are and whether these curves should be considered safe or not. Unfortunately, there is currently no overlap in what openssl supports and what is considered safe on the SafeCurves page. You can check this yourself by comparing the output of openssl ecparam -list_curves with the overview on SafeCurves.

So, I’m forced to conclude that at the moment there does not seem to be a safe way of using ECDSA certificates yet. So, I’m not going to use Elliptic Curve DSA certificates for this site yet.

Written by
Later article
Interview on YouTube