From: Jaime H. <hab...@gm...> - 2018-12-28 19:46:53
On Sat, Dec 22, 2018 at 1:59 PM Andreas Kuehne <ku...@tr...> wrote:

> Hi Jaime,
>
> interesting finding! Due to https://safecurves.cr.yp.to/ there are at
> least two curves with (slightly) shorter key length. On the other hand the
> NIST-224 is considered insecure ...
>

Thanks for pointing out this resource.

>
> Are there any specific reasons for implementing this restriction?
>

I'm asking the same myself. I can trace back that change to the following old (5 years ago) commit, https://github.com/rgorosito/ejbca/commit/49a8e1c5ff448c3d27c132e46675ed27ef7cb65b#diff-52fc78614bcdfb702e0bf5b66a3ffbfc, but the motivation for it is not clear to me at first glance.

>
> Greetings,
>
> Andreas
>
> In EJBCA 6.10.1.2+, if you create a Crypto Token from the Admin GUI and
> then you try to generate an EC keypair for it, you find that certain curves
> are not available, e.g. B-163, even when the documentation indicates support
> for them (see https://www.ejbca.org/docs/ECDSA_Keys_and_Signatures.html#src-16224742_id-.ECDSAKeysandSignaturesv6.12.0-Named_curves).
>
> Looking at the source code I can see the cause for it is in the following
> method, org.cesecore.keys.util.KeyTools#checkValidKeyLength:
>
> public static void checkValidKeyLength(final String keyAlg, final int len)
>         throws InvalidKeyException {
>     ...
>     if (isEcdsa || isGost3410 || isDstu4145) {
>         ...
>         if ((len > 0) && (len < 224)) {
>             final String msg =
>                 intres.getLocalizedMessage("catoken.invalidkeylength", "ECDSA", "224",
>                     Integer.valueOf(len));
>             throw new InvalidKeyException(msg);
>         }
>     }
>     ...
> }
>
> But why is it so? Are there potential problems with EC curves with a key
> size smaller than 224 bits?
>
> PS: I'm totally ignorant of EC cryptography.
>
>
>
> _______________________________________________
> Ejbca-develop mailing lis...@li...://lists.sourceforge.net/lists/listinfo/ejbca-develop
>
>
> --
> Andreas Kühne
> phone: +49 177 293 24 97
> mailto: ku...@tr...
>
> Trustable Ltd. Niederlassung Deutschland Gartenheimstr. 39C - 30659 Hannover Amtsgericht Hannover HRB 212612
>
> Director Andreas Kühne
>
> Company UK Company No: 5218868 Registered in England and Wales
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>

--
Jaime Hablutzel - RPC 994690880