[RFC] self-signed certificates for LuCI

Hauke Mehrtens hauke at hauke-m.de
Mon Aug 31 17:37:14 EDT 2020 

On 8/31/20 8:34 PM, Michael Richardson wrote:
> 
> Stijn Tintel <stijn at linux-ipv6.be> wrote:
>     >> The question came up if we really want RSA certificates for LuCI or if
>     >> the faster and "more modern" ECC P-256 wouldn't be a better choice.
>     >>
>     >> If px5g is added to the next release, certificates are generated on
>     >> first boot and most users are unlikely to manually recreate RSA ones,
>     >> not?
>     >>
>     >> So the question, shouldn't we drop all crypto options from the new
>     >> px5g implementation and _only_ offer P-256? Whoever wants something
>     >> else than the default may use px5g-mbedtls or some OpenSSL based tool?
> 
>     > I'm no expert, but I recently came across this article:
>     > https://gravitational.com/blog/comparing-ssh-keys/
>     > While it is about SSH keys, it talks mostly about algorithms used, and
>     > the article suggests using either RSA or Ed25519, not DSA or ECDSA.
> 
> Yes, both DSA and some forms of ECDSA require a good random number.
> If the random number can be predicted, then an observer can actually derive
> the *private* key from the signature!  Scared the pants off me when I learnt
> this 20 years ago.

The need for random numbers in ECDSA signatures is very bad, Sony did
this wrong in the Play station 3 and leaked their private signing key:
https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Security

> There are ways to use ECDSA where the number input is derived in a way that
> is not subject to this attack, and most libraries do that now.
> DSA/DSS has all sorts of other stupid things that make it way worse than RSA
> (despite what the GNUPG team said for a few years a decade ago)

There is deterministic ECDSA which avoids the need for random numbers
for signing, mbedtls supports this and we activated it some years ago.
https://tools.ietf.org/html/rfc6979
We should check if wolfssl also uses it.

>     > Additionally, https://safecurves.cr.yp.to/ claims neither P-256 nor
>     > P-384 are safe.
> 
> Bernstein has maintained for sometime that the NIST/Certicom curves were
> derived in a specific way that permitted some secret factorization.
> 
> I understand his concern, and given the choice, I would use EdDSA in new work rather than ECDSA.
> But, browsers do not support EdDSA well yet, so ECDSA it is for now.
> However, to date (despite Snowden) only the NSA knows what they did to
> P256/P384, if they did anything.  I would suspect that if they can do
> something, it's not that cheap, and they can't undo all communication
> magically. (Like in the movie _Sneakers_)

Yes the 3 curves specified by the NIST (p256, p384, and p521) are the
only ones supported by all browsers. If there are backdoors in them,
they are probably all affected, but such a backdoor should only allow to
do an activate MitM and not for passive eavesdropping.

>     > Based on this information, I would NAK this. Unless an expert proves me
>     > wrong.
> 
> I would NAK on _only_ P256.  I am fine with P-256 by default.
> I see no reason to support RSA.
> I would always want a second curve deployed, and for that I'd pick one of
> the brainpool curves: will browsers support them, I have no idea.
> EdDSA is really a different algorithm, and browsers do not support them yet.

I would just support RSA in addition, if all the NIST curves are broken,
I would not use the brainpool curves but something else.

Hauke

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openwrt.org/pipermail/openwrt-devel/attachments/20200831/cdef4cc5/attachment.sig>

More information about the openwrt-devel mailing list