ECDSA is the elliptical curve (discrete-logarithm-based) variant of DSA, the 
Digital Signature Algorithm.  DSA was developed by the US National Security 
Agency as a means of creating prime-factorization-based signatures without 
providing code paths which would permit the encryption of arbitrary data.

ANSI X9 has object identifiers for ECDSA with a variety of hashes.

1.2.840.10045.4.3. and then one of the following:

1: ECDSA with SHA-224
2: ECDSA with SHA-256
3: ECDSA with SHA-384
4: ECDSA with SHA-512

The information on the curve in use is part of subjectPublicKeyInfo:

       Subject Public Key Info:
           Public Key Algorithm: id-ecPublicKey
               Public-Key: (521 bit)
               pub:
                   04:00:ef:07:81:ff:79:01:d3:10:a4:42:6b:d5:37:
                   a9:ed:6b:a4:1d:20:8a:20:b6:44:34:09:d9:3d:f0:
                   69:0f:b2:65:3f:d9:dd:68:72:a7:2b:cd:d4:70:e9:
                   cb:21:dd:05:34:1b:4e:42:0f:65:63:5e:b9:24:a6:
                   40:f6:cc:22:94:ea:3b:01:7f:65:38:09:33:b0:0d:
                   b3:91:b6:1d:4a:a7:9f:17:2e:56:4d:ff:14:d3:aa:
                   65:5d:3a:3d:ba:c2:d9:30:30:41:73:14:3e:6e:c7:
                   01:ae:af:52:b6:cc:31:6d:26:dd:39:dc:60:c8:b9:
                   07:fb:21:38:ec:75:dc:0f:3b:b7:9d:44:35
               Field Type: prime-field
               Prime:
                   01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                   ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                   ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                   ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                   ff:ff:ff:ff:ff:ff
               A:
                   01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                   ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                   ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                   ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                   ff:ff:ff:ff:ff:fc
               B:
                   51:95:3e:b9:61:8e:1c:9a:1f:92:9a:21:a0:b6:85:
                   40:ee:a2:da:72:5b:99:b3:15:f3:b8:b4:89:91:8e:
                   f1:09:e1:56:19:39:51:ec:7e:93:7b:16:52:c0:bd:
                   3b:b1:bf:07:35:73:df:88:3d:2c:34:f1:ef:45:1f:
                   d4:6b:50:3f:00
               Generator (uncompressed):
                   04:00:c6:85:8e:06:b7:04:04:e9:cd:9e:3e:cb:66:
                   23:95:b4:42:9c:64:81:39:05:3f:b5:21:f8:28:af:
                   60:6b:4d:3d:ba:a1:4b:5e:77:ef:e7:59:28:fe:1d:
                   c1:27:a2:ff:a8:de:33:48:b3:c1:85:6a:42:9b:f9:
                   7e:7e:31:c2:e5:bd:66:01:18:39:29:6a:78:9a:3b:
                   c0:04:5c:8a:5f:b4:2c:7d:1b:d9:98:f5:44:49:57:
                   9b:44:68:17:af:bd:17:27:3e:66:2c:97:ee:72:99:
                   5e:f4:26:40:c5:50:b9:01:3f:ad:07:61:35:3c:70:
                   86:a2:72:c2:40:88:be:94:76:9f:d1:66:50
               Order:
                   01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                   ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                   ff:ff:ff:fa:51:86:87:83:bf:2f:96:6b:7f:cc:01:
                   48:f7:09:a5:d0:3b:b5:c9:b8:89:9c:47:ae:bb:6f:
                   b7:1e:91:38:64:09
               Cofactor:  1 (0x1)
               Seed:
                   d0:9e:88:00:29:1c:b8:53:96:cc:67:17:39:32:84:
                   aa:a0:da:64:ba
   Signature Algorithm: ecdsa-with-SHA256
       30:81:87:02:41:7b:7d:88:a9:56:e8:d5:a0:f6:38:e7:85:4c:
       f5:1c:81:64:de:92:25:37:42:2d:31:cb:8b:af:04:32:7b:d7:
       06:19:4a:eb:a9:ca:9d:88:38:11:99:bc:2e:2b:35:e6:69:1c:
       ca:1c:8c:86:7d:74:bc:dd:96:20:8e:38:01:63:15:8b:02:42:
       01:66:42:70:5f:2e:cc:fb:1f:f3:d4:96:54:e9:b7:0a:3b:82:
       ec:b7:90:45:19:c0:ac:4c:ef:82:3d:77:07:e1:4d:13:81:d3:
       12:23:bc:84:4f:9b:ac:55:c4:a1:3b:85:08:5a:2f:ae:ad:45:
       3f:5f:da:cd:80:45:c9:79:58:d3:79:a2

The curve in use can be named (reducing the size of the subjectPublicKeyInfo), 
or it can be specified explicitly (like the above).

(I included the hash to show that it is indeed legitimate to have a different 
hash size.  I should note that I didn't generate this with OpenSSL, and I don't 
know how OpenSSL generates the sPKI.)

Also, note the large number of 0xff bytes in the prime.  These can be eliminated if 
you're willing to pay Certicom's "point compression" patent license fee.

The patent situation around Elliptical Curve is a bit murky, but (IANAL) I am 
proceeding as though the narrow interpretation promoted by the RSA Crypto FAQ 
is correct: the patent situation is the opposite of what was the case for DH 
and RSA: the algorithm itself is not specifically described in any particular 
patent, only particular efficient implementations of it -- such as 'an 
efficient algorithm using only left-shift and add instructions'.  The reason 
why there's murkiness is because everyone who does things is pretty much 
counseled to avoid looking at the patents -- if the patents are known, then 
it's evidence of willful (rather than accidental) infringement and any punitive 
damages for such are tripled.  However, Professor Dan J Bernstein says that his 
prime at 256 bits is unpatented and there's prior art from several years before 
the Certicom patents were filed -- and there was an infringement lawsuit 
brought by Certicom against Sony, which was dismissed in 2009.

Again, I'm not a lawyer.  I just read things.  See e.g. the links from 
http://en.wikipedia.org/wiki/ECC_patents , which do a reasonably comprehensive 
roundup of the issues involved for the layperson.

-Kyle H
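As an added illustration (not part of Kyle's message or of OpenSSL), the following standard-library-only DER walker maps the four ecdsa-with-* OIDs listed above to their hash and reports whether an EC subjectPublicKeyInfo names its curve by OID or carries explicit ECParameters like the dump above. The sample inputs are constructed here: the OID content octets are hand-encoded, the public-key BIT STRING is a placeholder rather than a real point, and the "explicit" parameters are a stand-in SEQUENCE holding only the version INTEGER.

```python
# Added example (not from the original mail): minimal DER parsing for the
# ECDSA signature OIDs and the namedCurve / explicit ECParameters choice.

ECDSA_SIG_HASHES = {                 # 1.2.840.10045.4.3.N
    "1.2.840.10045.4.3.1": "SHA-224", "1.2.840.10045.4.3.2": "SHA-256",
    "1.2.840.10045.4.3.3": "SHA-384", "1.2.840.10045.4.3.4": "SHA-512",
}
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"

def der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: 0x8N, then N length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Dotted OID from content octets (first octet packs the first two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                       # clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def ecdsa_hash(alg_id_der):
    """Hash named by an ecdsa-with-* AlgorithmIdentifier, or None if not ECDSA."""
    tag, body, _ = der_tlv(alg_id_der)
    otag, oid, _ = der_tlv(body)
    if tag != 0x30 or otag != 0x06:
        raise ValueError("AlgorithmIdentifier must be SEQUENCE { OID ... }")
    return ECDSA_SIG_HASHES.get(decode_oid(oid))

def ec_curve_form(spki_der):
    """('named', curve_oid) or ('explicit', None) for an EC SubjectPublicKeyInfo."""
    _, spki, _ = der_tlv(spki_der)             # SEQUENCE { algorithm, subjectPublicKey }
    _, alg, _ = der_tlv(spki)                  # AlgorithmIdentifier SEQUENCE
    otag, oid, pos = der_tlv(alg)
    if otag != 0x06 or decode_oid(oid) != ID_EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey key")
    ptag, params, _ = der_tlv(alg, pos)        # ECParameters CHOICE follows the OID
    if ptag == 0x06:                           # namedCurve: just an OID
        return "named", decode_oid(params)
    if ptag == 0x30:                           # explicit SEQUENCE (field, a, b, G, order, cofactor)
        return "explicit", None
    raise ValueError("unsupported ECParameters tag 0x%02x" % ptag)

def _tlv(tag, body):                           # tiny encoder for the constructed samples (len < 128)
    return bytes([tag, len(body)]) + body

# Constructed sample inputs; the key bits and explicit parameters are placeholders.
OID_ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")    # 1.2.840.10045.4.3.2
OID_EC_PUBKEY = bytes.fromhex("2a8648ce3d0201")         # 1.2.840.10045.2.1
OID_SECP521R1 = bytes.fromhex("2b81040023")             # 1.3.132.0.35 (P-521)
SIG_ALG_SHA256 = _tlv(0x30, _tlv(0x06, OID_ECDSA_SHA256))
PLACEHOLDER_KEY = _tlv(0x03, b"\x00\x04\x01")           # BIT STRING, not a real point
SPKI_NAMED = _tlv(0x30, _tlv(0x30, _tlv(0x06, OID_EC_PUBKEY) + _tlv(0x06, OID_SECP521R1)) + PLACEHOLDER_KEY)
SPKI_EXPLICIT = _tlv(0x30, _tlv(0x30, _tlv(0x06, OID_EC_PUBKEY) + _tlv(0x30, _tlv(0x02, b"\x01"))) + PLACEHOLDER_KEY)
```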

On Sun, Jul 10, 2011 at 8:27 PM,  <y...@inbox.lv> wrote:
When I searched on it, it seemed that ECDH requires a specified named curve,
and OpenVPN does not have a means of specifying it. Also, it seems that
ECDSA works only with SHA-1 (I also would like to know why it cannot take
any 160 bit hash). I searched about it a few weeks ago and relevant messages
were a few months old.
 

Quoting Gaglia <san...@paranoici.org>:

On 07/05/2011 03:23 PM, Gaglia wrote:
I'm trying to make an OpenVPN setup with Elliptic Curves cryptography
and SHA-512 on Linux Debian.

No idea anybody, really? :(

