Re: Questions about using Elliptic Curve ciphers in OpenSSL

Jason Schultz <jetson23@xxxxxxxxxxx> · Tue, 18 Feb 2020 18:45:32 +0000

Nicola-

Thanks for your response. It does help, but at the same time it also raises questions and maybe conflicts with what I thought I was doing correct earlier in this thread. I'm talking mostly about where I landed in this post:

https://www.mail-archive.com/openssl-users@xxxxxxxxxxx/msg87538.html

Re: Questions about using Elliptic Curve ciphers in OpenSSL

Thank you for your response Thulasi, this helped. I'm posting this back to the OpenSSL users list in case it helps anyone else, and in case anyone can help with my additional questions.

www.mail-archive.com

I am only using named curves. You also said:

"...you don't really need at all to generate a ecparam file (which only contains the name): the private key file already contains
 the very same name and fully contains what you need to perform ECDSA signatures that can be validated against a matching certificate."

Let me apply that and start from the beginning and outline everything (I think) I need to do in that case:

1 - Generate a certificate and private key pair. Using the OpenSSL command line:

openssl req -nodes -sha256 -newkey ec:<(openssl ecparam -name prime256v1) 
-keyout mykeyout.pem -new -out mycertfileout.pem -config /etc/ssl/openssl.cnf 
-x509 -days 365 -outform pem

Note: the "ec:" parameter basically substitutes the openssl command above with the file I had created and used in this command. Also, the "-genkey" parameter I included in the ecparam command was probably not needed, or potentially bad?

2 - Call the SSL_CTX_use_PrivateKey_file() and SSL_CTX_use_certificate_file() to use the certificate and private key pair. (Same as before)

3 - Call the APIs to set the curves and allow the server to pick the appropriate curves for the client:

status = SSL_CTX_set1_curves_list(ctx, "P-521:P-384:P-256");
status = SSL_CTX_set_ecdh_auto(ctx, 1);

Do I have this right? Is the only difference combining the two commands into one in Step 1 above, instead of the intermediate ecparams file? Or is there something else I'm missing on the generation of certificate/private key
 pairs?

Thanks,

Jason

From: Nicola Tuveri <nic.tuv@xxxxxxxxx>

Sent: Tuesday, February 18, 2020 2:50 PM

To: Jason Schultz <jetson23@xxxxxxxxxxx>

Cc: Kyle Hamilton <aerowolf@xxxxxxxxx>; openssl-users <openssl-users@xxxxxxxxxxx>

Subject: Re: Questions about using Elliptic Curve ciphers in OpenSSL

The ec parameters are public anyway, so there is no real need to store such files somewhere with restricted reading access.

On the other hand, I want to reiterate that if you are using (and this is highly recommended) one of the named curves (e.g. NIST P-256) you don't really need at all to generate a ecparam file (which only contains the name): the private key file already contains
 the very same name and fully contains what you need to perform ECDSA signatures that can be validated against a matching certificate.

In the same way, for the ECDHE part, pick curves that you want to support (most TLS 1.2 and 1.3 clients will be happy to support P-256 and X25519 key exchanges) from the named curves: also in this case there is no need to generate a separate ecparam file.

Hope this helps!

Best regards,

Nicola Tuveri

On Tue, 18 Feb 2020 at 15:27, Jason Schultz <jetson23@xxxxxxxxxxx> wrote:

This comment does spark another question though. Do I need to protect the ecparam file I created for us in generating the private key? I know the private key should reside in /etc/ssl/private/ as that directory has no read access. Right now I have the ecparam
 generated file in /etc/ssl/dsaparams/, which is readable. Should that file also reside in /etc/ssl/private/ so it's protected?

Thanks.

From: Kyle Hamilton <aerowolf@xxxxxxxxx>

Sent: Sunday, February 16, 2020 10:49 PM

To: Jason Schultz <jetson23@xxxxxxxxxxx>

Cc: Thulasi Goriparthi <thulasi.goriparthi@xxxxxxxxx>; openssl-users <openssl-users@xxxxxxxxxxx>

Subject: Re: Questions about using Elliptic Curve ciphers in OpenSSL

Be aware that you just posted your certificate's private key, and thus you should regenerate a new keypair/certificate to use.  Otherwise, anyone who can manipulate traffic to your machine can execute a man-in-the-middle attack.

-Kyle H

On Fri, Feb 14, 2020, 07:40 Jason Schultz <jetson23@xxxxxxxxxxx> wrote:

Thank you for your response Thulasi, this helped. I'm posting this back to the OpenSSL users list in case it helps anyone else, and in case anyone can help with my additional questions. While waiting for responses, I've been able to find out how my certificate
 and keys were generated. I'd like to walk through that to hopefully verify I'm handling things correctly.

First, here is how my EC parameters file was generated:

openssl ecparam -name prime256v1 -genkey -out myecparamsfile.pem

And the resulting file:

M640A-SAIL:/etc/ssl # openssl ecparam -in

myecparamsfile.pem -text
ASN1 OID: prime256v1
NIST CURVE: P-256
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----

 # openssl ecparam -in myecparamsfile.pem -text
ASN1 OID: prime256v1
NIST CURVE: P-256
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----

Is this good so far? Do I need the -genkey?

Then I take this file and use it when I generate my certificate and private key pair, here is the openssl command I used:

openssl req -nodes -sha256 -newkey ec:/etc/ssl/private/myecparamsfile.pem -keyout mykeyout.pem -new -out mycertfileout.pem -config /etc/ssl/openssl.cnf -x509 -days 365 -outform pem

Generating a EC private key

writing new private key to 'mykeyout.pem'

<parameter input snipped>

And the resulting key:

# cat mykeyout.pem

-----BEGIN PRIVATE KEY-----

MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgbfUwVhomun9Q5IAY

xTOAn+sDoXZ+k4UWkvUyfshPBJ6hRANCAAQsakFVUTV4JmfVJH31XOvHVhhBodnV

8evYCJSd2Jgo4uOomCSh3oekKL+Tia+LOmynygfvmneOX2YadoNr9uzH

-----END PRIVATE KEY-----

# openssl ec -noout -text -in mykeyout.pem

read EC key

Private-Key: (256 bit)

priv:

    6d:f5:30:56:1a:26:ba:7f:50:e4:80:18:c5:33:80:

    9f:eb:03:a1:76:7e:93:85:16:92:f5:32:7e:c8:4f:

    04:9e

pub:

    04:2c:6a:41:55:51:35:78:26:67:d5:24:7d:f5:5c:

    eb:c7:56:18:41:a1:d9:d5:f1:eb:d8:08:94:9d:d8:

    98:28:e2:e3:a8:98:24:a1:de:87:a4:28:bf:93:89:

    af:8b:3a:6c:a7:ca:07:ef:9a:77:8e:5f:66:1a:76:

    83:6b:f6:ec:c7

ASN1 OID: prime256v1

NIST CURVE: P-256

And certificate:

M740A-PMM1:/etc/ssl # openssl x509 -text -in mycertfileout.pem

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            e2:2f:c6:e4:bf:f1:de:20

    Signature Algorithm: ecdsa-with-SHA256

        Issuer: C=US, ST=NY, L=Loc,
 O=Org, OU=test, CN=My
 Name/emailAddress=test@example.com

        Validity

            Not Before: Feb 13 16:11:39 2020 GMT

            Not After : Feb 12 16:11:39 2021 GMT

        Subject: C=US, ST=NY, L=Loc, O=Org, OU=test, CN=My Name/emailAddress=test@example.com

        Subject Public Key Info:

            Public Key Algorithm: id-ecPublicKey

                Public-Key: (256 bit)

                pub:

                    04:2c:6a:41:55:51:35:78:26:67:d5:24:7d:f5:5c:

                    eb:c7:56:18:41:a1:d9:d5:f1:eb:d8:08:94:9d:d8:

                    98:28:e2:e3:a8:98:24:a1:de:87:a4:28:bf:93:89:

                    af:8b:3a:6c:a7:ca:07:ef:9a:77:8e:5f:66:1a:76:

                    83:6b:f6:ec:c7

                ASN1 OID: prime256v1

                NIST CURVE: P-256

        X509v3 extensions:

            X509v3 Subject Key Identifier:

                D6:8A:F3:3B:4E:A1:F8:F8:34:C1:1B:7A:EC:BF:9B:58:7F:68:4A:D9

            X509v3 Authority Key Identifier:

                keyid:D6:8A:F3:3B:4E:A1:F8:F8:34:C1:1B:7A:EC:BF:9B:58:7F:68:4A:D9

            X509v3 Basic Constraints:

                CA:TRUE

    Signature Algorithm: ecdsa-with-SHA256

         30:44:02:20:37:f0:f7:f7:4a:b4:8e:8f:64:72:e4:d1:31:9f:

         a1:36:c5:5d:f3:42:4c:24:37:75:cf:b6:55:b0:66:1b:6e:63:

         02:20:39:18:81:f8:6c:86:3a:57:74:05:cc:99:6c:d9:dc:6a:

         a2:20:98:4c:66:a1:97:d1:c7:ea:42:b4:01:1a:f7:b2

Then I call the APIs as described in my first email to use them:

ctx = SSL_CTX_new(TLS_method());
status = SSL_CTX_use_PrivateKey_file(ctx,<keyfile>,SSL_FILETYPE_PEM);
status = SSL_CTX_use_certificate_file(ctx, ,<certfile>,SSL_FILETYPE_PEM);

// Verify the cert and key are a pair
status = SSL_CTX_check_private_key(ctx);

Then call the APIs to set the curves and allow the server to pick the appropriate curve for the client:

status = SSL_CTX_set1_curves_list(ctx, "P-521:P-384:P-256");
status = SSL_CTX_set_ecdh_auto(ctx, 1);

That should be it, right? The EC parameters file has been used to generate the private key, it does not need to be read in by an API call.

With the steps above, I get a successful TLS connection from a client using ECDHE-ECDSA-AES256-GCM-SHA384.

And yes, I think my main confusion was on what to do with the DH parameters file. I thought using ECDHE key exchange was similar to DSA with DH. With ECDHE, I don't need to read in a parameters file at all.

If there's anything wrong above, please let me know, otherwise, thanks for all the help!

From: Thulasi Goriparthi <thulasi.goriparthi@xxxxxxxxx>

Sent: Wednesday, February 12, 2020 8:29 AM

To: 
jetson23@xxxxxxxxxxx <jetson23@xxxxxxxxxxx>

Cc: rsalz@xxxxxxxxxx <rsalz@xxxxxxxxxx>

Subject: Re: Questions about using Elliptic Curve ciphers in OpenSSL

To clarify further, EC keys can be generated from either explicit (group) parameters or named curves which are standardized numbers to specific group parameters.

Explicit/Custom EC parameters are not recommended/convenient/usual. Your key contains parameters in the form of a named curve (p-256).

You are probably getting confused between dhparam used to generate ephemeral keys for DHE based key exchange and EC curve selection for ECDHE based key exchange. 

Curve selection for ECDHE will be done from the list of curves offered by the client and can be different from the curve used in the server's certificate(ECDSA).

Thanks,
Thulasi.

On Tue, 11 Feb, 2020, 23:24 Salz, Rich via openssl-users, <openssl-users@xxxxxxxxxxx> wrote:

I believe you just load your ECDSA cert and the other stuff – Dhparams!! – is not needed.