From: Jaime H. <hab...@gm...> - 2018-12-22 18:04:43
In EJBCA 6.10.1.2+, if you create a Crypto Token from the Admin GUI and then you try to generate an EC keypair for it, you find that certain curves are not available, e.g. B-163, even when the documentation indicates support for them (see https://www.ejbca.org/docs/ECDSA_Keys_and_Signatures.html#src-16224742_id-.ECDSAKeysandSignaturesv6.12.0-Named_curves ).

Looking at the source code I can see the cause for it is in the following method, org.cesecore.keys.util.KeyTools#checkValidKeyLength:

    public static void checkValidKeyLength(final String keyAlg, final int len) throws InvalidKeyException {
        ...
        if (isEcdsa || isGost3410 || isDstu4145) {
            ...
            if ((len > 0) && (len < 224)) {
                final String msg = intres.getLocalizedMessage("catoken.invalidkeylength", "ECDSA", "224", Integer.valueOf(len));
                throw new InvalidKeyException(msg);
            }
        }
        ...
    }

But, why is it so? Are there potential problems with EC curves with a key size smaller than 224 bits?

PS: I'm totally ignorant of EC cryptography.

--
Jaime Hablutzel - RPC 994690880