[openssl-users] Better understanding of EC encryption API
Jeffrey Walton
noloader at gmail.com
Fri Nov 27 13:40:26 UTC 2015
> OpenSSL doesn't support it out of the box. What you're looking for
> is something akin to
> https://en.wikipedia.org/wiki/Integrated_Encryption_Scheme.
+1 on ECIES.
If OpenSSL provided one additional, non core feature, ECIES would be
at the top of my list. Its hard to use incorrectly, and easy to use
correctly. Its also IND_CCA2, which provides a number of desirable
security properties.
In my day job, I recommend it whenever I come across a home grown
scheme rolled by the developers.
> Ladar Levison has written an implementation which uses OpenSSL as a
> backend. I tried finding it for you, but my connection (mobile, on
> train) is so bad that I couldn't be bothered to keep trying.
>
Speaking from experience, be careful of interop issues. I know of two
libraries that support ECIES out of the box. They are BouncyCastle and
Crypto++.
In the past BouncyCastle and Crypto++ could not interop even though
they both claim to follow P1363. IEEE did not publish test vectors, so
each library had a misinterpretation that ensured they did not
interop. Here were the issues for each library:
* BouncyCastle
- Label should be 8 octets
* Crypto++
- Length of the label specified in bits
BouncyCastle fixed their issue in version 1.53 (about 2 months ago).
Crypto++ is fixing their issue at 5.7 (in about 2 months).
If you need a "gold" standard, then use BouncyCastle's implementation,
version 5.7 or above.
Jeff
More information about the openssl-users
mailing list