EC curve preferences

Michael Wojcik Michael.Wojcik at microfocus.com
Fri Nov 20 18:03:22 UTC 2020


> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Skip
> Carter
> Sent: Friday, 20 November, 2020 09:44
>
> What are the preferred ECDH curves for a given keysize ?  Which curves
> are considered obsolete/deprecated/untrustworthy ?

For TLSv1.3, this is easy. RFC 8446 B.3.1.4 only allows the following: secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019), x25519(0x001D), x448(0x001E). Those are your choices. If you want interoperability, enable them all; if you want maximum security, only use X25519 and X448. See safecurves.cr.yp.to for the arguments in favor of the latter position.

Frankly, unless you're dealing with something of very high value or that needs to resist breaking for a long time, I don't see any real-world risk in using the SEC 2 curves. You might want to disallow just secp256r1 if you're concerned about that key size becoming tractable under new attacks or quantum computing within your threat timeframe. Ultimately, this is a question for your threat model.


For TLSv1.2, well...

- Some people recommend avoiding non-prime curves (i.e. over binary fields, such as the sect* ones) for intellectual-property reasons. I'm not going to try to get into that, because IANAL and even if I were, I wouldn't touch that without a hefty retainer.

- Current consensus, more or less, seems to be to use named curves and not custom ones. The arguments for that seem pretty persuasive to me. So don't use custom curves.

- Beyond that? Well, here's one Stack Exchange response from Thomas Pornin (who knows a hell of a lot more about this stuff than I do) where he suggests using just prime256v1 (which is the same as secp256r1 I believe?) and secp384r1:

https://security.stackexchange.com/questions/78621/which-elliptic-curve-should-i-use

Those are the curves in Suite B, before the NSA decided to emit vague warnings about ECC. They subsequently decided P384 aka secp384r1 is OK until post-quantum primitives are standardized. So if your application prefers secp384r1 for TLSv1.2, then you can decide whether to also allow prime256v1 for interoperability. Again, that's a question for your threat model.

All that said, some people will have different, and quite possibly better-informed, opinions on this.

--
Michael Wojcik


More information about the openssl-users mailing list