Questions about using Elliptic Curve ciphers in OpenSSL

Nicola Tuveri nic.tuv at gmail.com
Tue Feb 18 14:50:09 UTC 2020


The EC parameters are public anyway, so there is no real need to store such
files somewhere with restricted reading access.

On the other hand, I want to reiterate that if you are using (and this is
highly recommended) one of the named curves (e.g. NIST P-256) you don't
really need to generate an ecparam file at all (it only contains the
name): the private key file already contains the very same name and fully
contains what you need to perform ECDSA signatures that can be validated
against a matching certificate.

In the same way, for the ECDHE part, pick curves that you want to support
(most TLS 1.2 and 1.3 clients will be happy to support P-256 and X25519 key
exchanges) from the named curves: also in this case there is no need to
generate a separate ecparam file.

Hope this helps!

Best regards,

Nicola Tuveri


On Tue, 18 Feb 2020 at 15:27, Jason Schultz <jetson23 at hotmail.com> wrote:

> This comment does spark another question though. Do I need to protect the
> ecparam file I created for use in generating the private key? I know the
> private key should reside in /etc/ssl/private/ as that directory has no
> read access. Right now I have the ecparam generated file in
> /etc/ssl/dsaparams/, which is readable. Should that file also reside in
> /etc/ssl/private/ so it's protected?
>
> Thanks.
>
>
> ------------------------------
> *From:* Kyle Hamilton <aerowolf at gmail.com>
> *Sent:* Sunday, February 16, 2020 10:49 PM
> *To:* Jason Schultz <jetson23 at hotmail.com>
> *Cc:* Thulasi Goriparthi <thulasi.goriparthi at gmail.com>; openssl-users <
> openssl-users at openssl.org>
> *Subject:* Re: Questions about using Elliptic Curve ciphers in OpenSSL
>
> Be aware that you just posted your certificate's private key, and thus you
> should regenerate a new keypair/certificate to use.  Otherwise, anyone who
> can manipulate traffic to your machine can execute a man-in-the-middle
> attack.
>
> -Kyle H
>
>
> On Fri, Feb 14, 2020, 07:40 Jason Schultz <jetson23 at hotmail.com> wrote:
>
>
> Thank you for your response Thulasi, this helped. I'm posting this back to
> the OpenSSL users list in case it helps anyone else, and in case anyone can
> help with my additional questions. While waiting for responses, I've been
> able to find out how my certificate and keys were generated. I'd like to
> walk through that to hopefully verify I'm handling things correctly.
>
> First, here is how my EC parameters file was generated:
>
> openssl ecparam -name prime256v1 -genkey -out myecparamsfile.pem
>
> And the resulting file:
>
> M640A-SAIL:/etc/ssl # openssl ecparam -in myecparamsfile.pem -text
> ASN1 OID: prime256v1
> NIST CURVE: P-256
> -----BEGIN EC PARAMETERS-----
> BggqhkjOPQMBBw==
> -----END EC PARAMETERS-----
>
> Is this good so far? Do I need the -genkey?
>
> Then I take this file and use it when I generate my certificate and
> private key pair, here is the openssl command I used:
>
> openssl req -nodes -sha256 -newkey ec:/etc/ssl/private/myecparamsfile.pem
> -keyout mykeyout.pem -new -out mycertfileout.pem -config
> /etc/ssl/openssl.cnf -x509 -days 365 -outform pem
> Generating a EC private key
> writing new private key to 'mykeyout.pem'
> <parameter input snipped>
>
> And the resulting key:
>
> # cat mykeyout.pem
> -----BEGIN PRIVATE KEY-----
> MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgbfUwVhomun9Q5IAY
> xTOAn+sDoXZ+k4UWkvUyfshPBJ6hRANCAAQsakFVUTV4JmfVJH31XOvHVhhBodnV
> 8evYCJSd2Jgo4uOomCSh3oekKL+Tia+LOmynygfvmneOX2YadoNr9uzH
> -----END PRIVATE KEY-----
>
> # openssl ec -noout -text -in mykeyout.pem
> read EC key
> Private-Key: (256 bit)
> priv:
>     6d:f5:30:56:1a:26:ba:7f:50:e4:80:18:c5:33:80:
>     9f:eb:03:a1:76:7e:93:85:16:92:f5:32:7e:c8:4f:
>     04:9e
> pub:
>     04:2c:6a:41:55:51:35:78:26:67:d5:24:7d:f5:5c:
>     eb:c7:56:18:41:a1:d9:d5:f1:eb:d8:08:94:9d:d8:
>     98:28:e2:e3:a8:98:24:a1:de:87:a4:28:bf:93:89:
>     af:8b:3a:6c:a7:ca:07:ef:9a:77:8e:5f:66:1a:76:
>     83:6b:f6:ec:c7
> ASN1 OID: prime256v1
> NIST CURVE: P-256
>
> And certificate:
>
> M740A-PMM1:/etc/ssl # openssl x509 -text -in mycertfileout.pem
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             e2:2f:c6:e4:bf:f1:de:20
>     Signature Algorithm: ecdsa-with-SHA256
>         Issuer: C=US, ST=NY, L=Loc, O=Org, OU=test, CN=My Name/emailAddress=test at example.com
>         Validity
>             Not Before: Feb 13 16:11:39 2020 GMT
>             Not After : Feb 12 16:11:39 2021 GMT
>         Subject: C=US, ST=NY, L=Loc, O=Org, OU=test, CN=My Name/emailAddress=test at example.com
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>                 Public-Key: (256 bit)
>                 pub:
>                     04:2c:6a:41:55:51:35:78:26:67:d5:24:7d:f5:5c:
>                     eb:c7:56:18:41:a1:d9:d5:f1:eb:d8:08:94:9d:d8:
>                     98:28:e2:e3:a8:98:24:a1:de:87:a4:28:bf:93:89:
>                     af:8b:3a:6c:a7:ca:07:ef:9a:77:8e:5f:66:1a:76:
>                     83:6b:f6:ec:c7
>                 ASN1 OID: prime256v1
>                 NIST CURVE: P-256
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 D6:8A:F3:3B:4E:A1:F8:F8:34:C1:1B:7A:EC:BF:9B:58:7F:68:4A:D9
>             X509v3 Authority Key Identifier:
>                 keyid:D6:8A:F3:3B:4E:A1:F8:F8:34:C1:1B:7A:EC:BF:9B:58:7F:68:4A:D9
>
>             X509v3 Basic Constraints:
>                 CA:TRUE
>     Signature Algorithm: ecdsa-with-SHA256
>          30:44:02:20:37:f0:f7:f7:4a:b4:8e:8f:64:72:e4:d1:31:9f:
>          a1:36:c5:5d:f3:42:4c:24:37:75:cf:b6:55:b0:66:1b:6e:63:
>          02:20:39:18:81:f8:6c:86:3a:57:74:05:cc:99:6c:d9:dc:6a:
>          a2:20:98:4c:66:a1:97:d1:c7:ea:42:b4:01:1a:f7:b2
>
> Then I call the APIs as described in my first email to use them:
>
> ctx = SSL_CTX_new(TLS_method());
>
> status = SSL_CTX_use_PrivateKey_file(ctx,<keyfile>,SSL_FILETYPE_PEM);
> status = SSL_CTX_use_certificate_file(ctx,<certfile>,SSL_FILETYPE_PEM);
>
>
> // Verify the cert and key are a pair
> status = SSL_CTX_check_private_key(ctx);
>
>
> Then call the APIs to set the curves and allow the server to pick the
> appropriate curve for the client:
>
> status = SSL_CTX_set1_curves_list(ctx, "P-521:P-384:P-256");
> status = SSL_CTX_set_ecdh_auto(ctx, 1);
>
>
> That should be it, right? The EC parameters file has been used to generate
> the private key, it does not need to be read in by an API call.
>
> With the steps above, I get a successful TLS connection from a client
> using ECDHE-ECDSA-AES256-GCM-SHA384.
>
> And yes, I think my main confusion was on what to do with the DH
> parameters file. I thought using ECDHE key exchange was similar to DSA with
> DH. With ECDHE, I don't need to read in a parameters file at all.
>
> If there's anything wrong above, please let me know, otherwise, thanks for
> all the help!
>
>
> ------------------------------
> *From:* Thulasi Goriparthi <thulasi.goriparthi at gmail.com>
> *Sent:* Wednesday, February 12, 2020 8:29 AM
> *To:* jetson23 at hotmail.com <jetson23 at hotmail.com>
> *Cc:* rsalz at akamai.com <rsalz at akamai.com>
> *Subject:* Re: Questions about using Elliptic Curve ciphers in OpenSSL
>
> To clarify further, EC keys can be generated from either explicit (group)
> parameters or named curves which are standardized numbers to specific group
> parameters.
>
> Explicit/Custom EC parameters are not recommended/convenient/usual. Your
> key contains parameters in the form of a named curve (p-256).
>
> You are probably getting confused between dhparam used to generate
> ephemeral keys for DHE based key exchange and EC curve selection for ECDHE
> based key exchange.
>
> Curve selection for ECDHE will be done from the list of curves offered by
> the client and can be different from the curve used in the server's
> certificate(ECDSA).
>
> Thanks,
> Thulasi.
>
>
> On Tue, 11 Feb, 2020, 23:24 Salz, Rich via openssl-users, <
> openssl-users at openssl.org> wrote:
>
> I believe you just load your ECDSA cert and the other stuff – Dhparams!! –
> is not needed.
>
>
>
>
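
Added example, not part of the original thread: a standard-library Python decoder showing that the ecparam body quoted above is nothing but the prime256v1 OID, and that the same OID sits in the AlgorithmIdentifier at the start of the quoted PKCS#8 key. The function names are hypothetical, and only the first 36 base64 characters of the key are used, which end before the private scalar.

```python
import base64

# Added example; helper names are illustrative. EC PARAMETERS body from the quoted output:
ECPARAM_B64 = "BggqhkjOPQMBBw=="
# First 36 base64 chars of the quoted key: headers + AlgorithmIdentifier, no scalar.
KEY_PREFIX_B64 = "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEH"

def read_tlv(buf, pos=0, strict=True):
    """Return (tag, content, next_pos) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if strict and pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def ecparam_curve(der):
    """An ecparam file for a named curve is one OID and nothing else."""
    tag, content, end = read_tlv(der)
    if tag != 0x06 or end != len(der):
        raise ValueError("not a bare named-curve OID (explicit parameters?)")
    return decode_oid(content)

def pkcs8_curve(der):
    """Curve OID from PrivateKeyInfo.privateKeyAlgorithm.parameters."""
    _, info, _ = read_tlv(der, strict=False)  # input is a prefix of the key
    _, _, pos = read_tlv(info)                # version INTEGER
    _, alg, _ = read_tlv(info, pos)           # AlgorithmIdentifier SEQUENCE
    _, alg_oid, pos = read_tlv(alg)           # id-ecPublicKey expected
    tag, params, _ = read_tlv(alg, pos)       # named curve OID expected
    if decode_oid(alg_oid) != "1.2.840.10045.2.1" or tag != 0x06:
        raise ValueError("not an EC key with a named curve")
    return decode_oid(params)

if __name__ == "__main__":
    print(ecparam_curve(base64.b64decode(ECPARAM_B64)), pkcs8_curve(base64.b64decode(KEY_PREFIX_B64)))
```

Both calls return 1.2.840.10045.3.1.7, the OID of prime256v1 (NIST P-256): the parameters file carries no information that the key file does not already hold.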