Opened 5 months ago

Last modified 8 weeks ago

#1479 assigned Feature Wish

Add support of X448 and X25519 key exchange algorithm, and prefer using X448/X25519

Reported by: A
Owned by: plaisthos
Priority: major
Milestone:
Component: Crypto
Version:
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

Nowadays, OpenVPN doesn't support X448 (Ed448-Goldilocks) and X25519, which are recommended by SafeCurves and RFC 7748:

RFC 7748: Elliptic Curves for Security

https://datatracker.ietf.org/doc/html/rfc7748

SafeCurves: choosing safe curves for elliptic-curve cryptography
https://safecurves.cr.yp.to/

But up to OpenVPN 2.5.7, OpenVPN supports none of them:

secp224r1
secp256k1
secp384r1
secp521r1
prime256v1

In fact, OpenSSL 3.0.1 supports X25519 and X448:

openssl list -key-exchange-algorithms

{ 1.2.840.113549.1.3.1, DH, dhKeyAgreement } @ default
{ 1.3.101.110, X25519 } @ default
{ 1.3.101.111, X448 } @ default
ECDH @ default
TLS1-PRF @ default
HKDF @ default
{ 1.3.6.1.4.1.11591.4.11, id-scrypt, SCRYPT } @ default

I wish OpenVPN supported them. Last but not least, prefer using X448 and X25519, then the other curves.

In https://bench.cr.yp.to/results-dh.html, in the "amd64; Zen3 (a20f10); 2020 AMD Ryzen 9 5950X; 16 x 3400MHz; zen3, supercop-20220213" section, we can see:

curve25519 (X25519) needs only 102495 cycles to generate a key pair and 110991 cycles to compute a shared secret;

ed448goldilocks (X448) needs only 159723 cycles to generate a key pair and 527032 cycles to compute a shared secret;

compared with the NIST P-curves:

nistp256 (P-256) needs 223320 cycles to generate a key pair and 603146 cycles to compute a shared secret; it has the same security level as X25519 (in fact, it's less),

nist521gs (P-521) needs 884294 cycles to generate a key pair and 887358 cycles to compute a shared secret.
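The following is an added example, not part of the ticket or of OpenVPN's code: a small parser for the `openssl list -key-exchange-algorithms` output quoted in the description, reporting which provider offers X448 and X25519. The function names `parse_kex_list` and `available` are hypothetical; the sample text is copied from the ticket.

```python
import re

# Output of `openssl list -key-exchange-algorithms` as quoted in the ticket.
SAMPLE = """\
{ 1.2.840.113549.1.3.1, DH, dhKeyAgreement } @ default
{ 1.3.101.110, X25519 } @ default
{ 1.3.101.111, X448 } @ default
ECDH @ default
TLS1-PRF @ default
HKDF @ default
{ 1.3.6.1.4.1.11591.4.11, id-scrypt, SCRYPT } @ default
"""

OID_RE = re.compile(r"^\d+(\.\d+)+$")  # dotted-decimal object identifier


def parse_kex_list(text):
    """Return one record per listed algorithm: names, OID (or None), provider."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if " @ " not in line:
            continue  # blank line or the echoed command, not an entry
        ident, provider = line.rsplit(" @ ", 1)
        ident = ident.strip()
        if ident.startswith("{") and ident.endswith("}"):
            # Braced form: "{ OID, name[, alias...] }"
            parts = [p.strip() for p in ident[1:-1].split(",")]
        else:
            parts = [ident]  # bare form: a single name, no OID
        oid = next((p for p in parts if OID_RE.match(p)), None)
        names = [p for p in parts if p and p != oid]
        records.append({"names": names, "oid": oid, "provider": provider.strip()})
    return records


def available(records, wanted):
    """Map each wanted name to the providers offering it (case-insensitive)."""
    result = {w: [] for w in wanted}
    for rec in records:
        lowered = {n.lower() for n in rec["names"]}
        for w in wanted:
            if w.lower() in lowered:
                result[w].append(rec["provider"])
    return result


if __name__ == "__main__":
    found = available(parse_kex_list(SAMPLE), ["X448", "X25519", "ECDH"])
    for name, provs in found.items():
        print(f"{name}: {', '.join(provs) if provs else 'not offered'}")
```

The list shows what the loaded OpenSSL providers implement; which groups a TLS handshake actually offers is configured separately.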

Change History (1)

comment:1 Changed 8 weeks ago by Gert Döring

Owner: changed from Steffan Karger to plaisthos
Status: new → assigned

Is this something we need to tell to OpenSSL? Or should it do that automatically (for TLS)?
