Opened 21 months ago
Last modified 10 months ago
#1479 assigned Feature Wish
Add support of X448 and X25519 key exchange algorithm, and prefer using X448/X25519
Reported by: | A | Owned by: | plaisthos |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Crypto | Version: | |
Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
Cc: |
Description
Nowadays, OpenVPN doesn't support X448 (Ed448-Goldilocks) and X25519, which are recommend by SafeCurves? and RFC 7748:
RFC 7748: Elliptic Curves for Security
https://datatracker.ietf.org/doc/html/rfc7748
SafeCurves?: choosing safe curves for elliptic-curve cryptography
https://safecurves.cr.yp.to/
But until OpenVPN 2.5.7, OpenVPN supports none of them:
secp224r1
secp256k1
secp384r1
secp521r1
prime256v1
In fact, OpenSSL 3.0.1 has been supports X25519 and X448:
openssl list -key-exchange-algorithms
{ 1.2.840.113549.1.3.1, DH, dhKeyAgreement } @ default
{ 1.3.101.110, X25519 } @ default
{ 1.3.101.111, X448 } @ default
ECDH @ default
TLS1-PRF @ default
HKDF @ default
{ 1.3.6.1.4.1.11591.4.11, id-scrypt, SCRYPT } @ default
I wish OpenVPN supports them. Last but not least, prefer using X448, X25519, then using other curves.
In https://bench.cr.yp.to/results-dh.html
amd64; Zen3 (a20f10); 2020 AMD Ryzen 9 5950X; 16 x 3400MHz; zen3, supercop-20220213 section, we can see:
curve25519 (X25519) only need 102495 cycles to generate a key pair, 110991 cycles to compute a shared secret;
ed448goldilocks (X448) only need 159723 cycles to generate a key pair, 527032 cycles to compute a shared secret;
compare with NIST P-curves:
nistp256 (P-256) need 223320 cycles to generate a key pair, 603146 cycles to compute a shared secret, it is the same security level of X25519 (in fact, it's less),
nist521gs (P-521) need 884294 cycles to generate a key pair, 887358 cycles to compute a shared secret.
Change History (3)
comment:1 follow-ups: 2 3 Changed 17 months ago by
Owner: | changed from Steffan Karger to plaisthos |
---|---|
Status: | new → assigned |
comment:2 Changed 10 months ago by
Replying to Gert Döring:
Is this something we need to tell to OpenSSL? Or should it do that automatically (for TLS)?
Sorry for the delay. I forgot to subscribe email of this forum, and it has been a long time since I last login.
OpenSSL has been supports X25519 and X448, at least 3.0.1, and I don't think we need to tell to OpenSSL.
comment:3 Changed 10 months ago by
Replying to Gert Döring:
Is this something we need to tell to OpenSSL? Or should it do that automatically (for TLS)?
Sorry for the delay. I forgot to subscribe email of this forum, and it has been a long time since I last login.
OpenSSL has been supports X25519 and X448, at least 3.0.1, and I don't think we need to tell to OpenSSL.
Is this something we need to tell to OpenSSL? Or should it do that automatically (for TLS)?