hDan

Reputation: 467

Openssl cipher suite explanation

I want to use the cipher suite TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA for OpenSSL in FIPS mode and I want to know the details for this.

Looking at the source code in OpenSSL 1.0.2k, I see it has these parameters in s3_lib.c:

    /* Cipher C014 */
    {
     1,                                        /* valid */
     TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,  /* name */
     TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,   /* id */
     SSL_kEECDH,                               /* key exchange: ephemeral ECDH */
     SSL_aRSA,                                 /* authentication: RSA signature */
     SSL_AES256,                               /* bulk cipher */
     SSL_SHA1,                                 /* MAC */
     SSL_TLSV1,                                /* protocol: available from TLS 1.0 */
     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,        /* strength and export flags */
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,     /* handshake MAC and PRF */
     256,                                      /* strength_bits */
     256,                                      /* alg_bits */
    },

What I do not understand is that it uses SSL_kEECDH for key exchange. My question is: what elliptic curve does it use and what is the key size? I plan on using RSA 4096.

EDIT

Looking at the OpenSSL source code, in file t1_lib.c, I see the Suite B mention, but this is for GCM mode, so if I use prime256v1 or secp384r1 for CBC, these primes should also be FIPS 140-2 approved?

    if (tls1_suiteb(s)) {
        /*
         * For Suite B ciphersuite determines curve: we already know
         * these are acceptable due to previous checks.
         */
        unsigned long cid = s->s3->tmp.new_cipher->id;
        if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
            return NID_X9_62_prime256v1; /* P-256 */
        if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
            return NID_secp384r1; /* P-384 */
        /* Should never happen */
        return NID_undef;
    }

Upvotes: 0

Views: 466

Answers (1)

dave_thompson_085

Reputation: 38771

If you are the client, ECDHE_{RSA,ECDSA} key exchange must use the 'curve' chosen by the server, and OpenSSL does so; DHE similarly uses server parameters. (Modified somewhat in draft1.3 protocol expected/planned in version 1.1.1.) If you are the server, OpenSSL has several different ways of choosing the 'curve' depending on code you didn't show us:

  • 1.0.x supports SSL_{CTX_,}set_tmp_ecdh and SSL_{CTX_,}set_tmp_ecdh_callback which don't have man pages but work equivalently to the _dh versions which do.

  • 1.0.2 adds SSL_{CTX_,}set_ecdh_auto which sets a mode that automatically chooses the 'first' (according to client or server list, using the same option as for ciphersuite preference) curve acceptable to both client and server.

  • 1.1.0 makes ecdh_auto the default and no longer supports the tmp_ecdh_callback options, but allows tmp_ecdh to be set with the new text-based and file-based config options as well as direct code.

In SUITEB mode, which is (IIUC) not the same thing as 'FIPS' mode (meaning FIPS-140), but is often required for the same users who are subject to the whole range of FIPS and other NIST 'guidance', the only supported curves are P-256 and/or P-384 depending on the option set.

(Technically what we loosely call a 'curve' for EC cryptography is actually a curve with suitable characteristics, defined by coefficients of an equation over an underlying field, plus a base point aka generator, plus the point order and cofactor. Careful or accurate people, like cryptographers, call this a parameter set or an EC group rather than a curve. OpenSSL implements it as typedef EC_GROUP.)

TLS represents the public key as a point in X9.62 (and SEC1) uncompressed (usually) or optionally compressed (rare) format, both of which have fixed sizes depending on the size of the underlying field.

Upvotes: 2
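As an added example (not from the question or the answer, and not OpenSSL code), here is a small Python parser for the ECParameters and ECPoint prefix of an ECDHE ServerKeyExchange: it shows where the server's chosen named curve is carried on the wire and how the point length follows from the field size, as the answer describes. The curve-id table is limited to the three NIST curves and the sample messages are constructed; the ids 23/24/25 are the registry values for secp256r1/secp384r1/secp521r1.

```python
import struct

# Named-curve ids from the TLS Supported Groups registry (RFC 4492 / RFC 8422)
# and the bit length of each curve's underlying prime field. Only the three
# NIST curves are listed; any other id is rejected.
NAMED_CURVES = {
    23: ("secp256r1", 256),  # NID_X9_62_prime256v1, P-256
    24: ("secp384r1", 384),  # NID_secp384r1, P-384
    25: ("secp521r1", 521),  # P-521
}
CURVE_TYPE_NAMED_CURVE = 3  # ECCurveType named_curve


def parse_ecdhe_server_params(data: bytes) -> dict:
    """Parse the ECParameters + ECPoint prefix of an ECDHE ServerKeyExchange.

    Wire layout (RFC 4492 section 5.4):
        curve_type(1) = 3, namedcurve(2), ecpoint length(1), ecpoint(...)
    The signed_params signature after the point is not parsed. Raises
    ValueError when the curve is unknown or the point length does not match
    the field size, the check a client should make before using the point.
    """
    if len(data) < 4:
        raise ValueError("truncated ECParameters")
    curve_type, curve_id, point_len = struct.unpack("!BHB", data[:4])
    if curve_type != CURVE_TYPE_NAMED_CURVE:
        raise ValueError(f"unsupported curve_type {curve_type}")
    if curve_id not in NAMED_CURVES:
        raise ValueError(f"unknown or disallowed named curve id {curve_id}")
    name, bits = NAMED_CURVES[curve_id]
    point = data[4:4 + point_len]
    if point_len == 0 or len(point) != point_len:
        raise ValueError("empty or truncated ECPoint")
    coord = (bits + 7) // 8  # bytes per field element: 32, 48 or 66
    if point[0] == 0x04 and point_len == 1 + 2 * coord:
        form = "uncompressed"  # X9.62: 0x04 || X || Y
    elif point[0] in (0x02, 0x03) and point_len == 1 + coord:
        form = "compressed"  # X9.62: 0x02 or 0x03 || X
    else:
        raise ValueError(f"ECPoint length {point_len} does not fit {name}")
    return {"curve": name, "field_bits": bits, "coord_bytes": coord, "form": form}


def build_sample(curve_id: int, point: bytes) -> bytes:
    """Constructed sample ServerKeyExchange prefix (not a real key exchange)."""
    return struct.pack("!BHB", CURVE_TYPE_NAMED_CURVE, curve_id, len(point)) + point


if __name__ == "__main__":
    # Constructed P-256 uncompressed point: 0x04 followed by two 32-byte coordinates.
    print(parse_ecdhe_server_params(build_sample(23, b"\x04" + b"\x11" * 64)))
```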
