Re: Choice of ECC curve on usb token
Hi Damien, I was referring to the discussion around RSA vs. ECC in https://crypto.stackexchange.com/questions/60392/choice-of-ecc-curve-on-usb-token/60394#60394 I read several texts of people preferring RSA over ECC. That's an excellent answer, thanks for posting this! I've came up with the same exact answer when deciding on the key type for my primary key (I used RSA 4096). As for subkeys: they can fortunately be rotated so you can use anything (ECC, and if it's broken, rotate the key, [0]; RSA 2048 if 4096 is too slow; just mind the key expiry dates). There is one argument brought in favor of ECC in context of OpenPGP - that you could share the primary public keys directly, instead of fingerprints, but that in my opinion protects only against the hash function being broken, as the primary public key cannot (usually) be used alone (one needs the subkeys and signatures). Kind regards, Wiktor [0]: as a side note I haven't seen tamper resistant devices with ECC, e.g. YubiKey supports NIST curves via PIV applet but not OpenPGP one :( -- https://metacode.biz/@wiktor ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Choice of ECC curve on usb token
Phil Pennock writes: > On 2018-06-29 at 18:07 +0200, Damien Cassou wrote: >> I'm not sure I want ECC after reading this: >> https://crypto.stackexchange.com/a/60394/60027 > > Curve25519 is not NIST ECC. It is ECC. I was referring to the discussion around RSA vs. ECC in https://crypto.stackexchange.com/questions/60392/choice-of-ecc-curve-on-usb-token/60394#60394 I read several texts of people preferring RSA over ECC. -- Damien Cassou http://damiencassou.seasidehosting.st "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Choice of ECC curve on usb token
On Fri, 29 Jun 2018 18:07, dam...@cassou.me said: > Moreover, Nitrokey Storage only supports NIST and Brainpool, nothing > else. That is because the Nitrokey token includes a Zeitcontrol card which only implements the government approved curves. If that ever changes we can close the feature request https://dev.gnupg.org/T4004 . Salam-Shalom, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. pgpZ9w9hnI2oq.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Choice of ECC curve on usb token
On 2018-06-29 at 18:07 +0200, Damien Cassou wrote: > NIIBE Yutaka writes: > > Why not Curve25519, if you use ECC? > > I'm not sure I want ECC after reading this: > https://crypto.stackexchange.com/a/60394/60027 Curve25519 is not NIST ECC. It is ECC. "ECC" = "Elliptic Curve Cryptography", it covers an entire class of "how public/private pairs are related and calculated". There are various different algorithms within ECC. Some of those are published by NIST, with input from various agencies, and there is reasonable concern as to the provenance of the specifications, as that page notes. The IETF, amongst other groups, has been moving towards Curve25519 for public key cryptography because it is ECC and it's not NIST. It currently looks, with a wet finger in the air and an array of chicken entrails before us, from every known species of chicken, as though Curve25519 is likely to be good for a while to come; up until the much heralded practical quantum computers one day arrive and possibly change everything. So for new deployments today, where interoperability with ancient OpenPGP implementations (such as GnuPG v1) is not a concern, you're probably looking at Curve25519 and, if eager, keeping half an eye on the news about post-quantum cryptography for the next step after that. If you need more specific guidance than that, pay a professional cryptographer to analyse your requirements and make a recommendation. -Phil ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Choice of ECC curve on usb token
Hello Damien, Am 2018-06-29 um 18:07 schrieb Damien Cassou: > Moreover, Nitrokey Storage only supports NIST and Brainpool, nothing > else. Im not fully sure but i guess for your purposes you would need Nitrokey Pro[1] best regards Juergen [1] https://shop.nitrokey.com/de_DE/shop/product/nitrokey-pro-3 -- Juergen M. Bruckner juer...@bruckner.tk smime.p7s Description: S/MIME Cryptographic Signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Choice of ECC curve on usb token
NIIBE Yutaka writes: > Why not Curve25519, if you use ECC? I'm not sure I want ECC after reading this: https://crypto.stackexchange.com/a/60394/60027 Moreover, Nitrokey Storage only supports NIST and Brainpool, nothing else. > Quite interesting opinion. [...] thank you for the information. -- Damien Cassou http://damiencassou.seasidehosting.st "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Choice of ECC curve on usb token
Hello, Why not Curve25519, if you use ECC? Damien Cassou wrote: > curves and (2) Bernstein’s Curve 25519 is hard to protect against side > channel attacks when being implemented in embedded devices. Quite interesting opinion. I wonder what kinds of side channel attacks are discussed there. Well, it's the first time for me to hear such an opinion. Are there some confusions? Curve25519 is designed against side channel attacks in mind. Also, it comes with a reference implementation. Even if an implementation doesn't use the methodology directly, it is a bit harder to write weaker implementation (against side channel attack), if an implementer understands Curve25519 correctly. <-- this is my own opinion. I wrote Curve25519 implementation for libgcrypt. So far, libgcrypt doesn't have field specific methods, but libgcrypt 1.9.x will have those for Curve25519. If we compare curves in libgcrypt, I think that Curve25519 is good one. I also wrote Curve25519 implementation for Gnuk. Well, I also wrote ones of NIST P-256 and secp256k1 for Gnuk. I believe Curve25519 is the best among those (and RSA). Gnuk runs on STM32F103 @ 72MHz (or GD32F103 @ 96MHz). This is an embedded device, of my daily use. -- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Choice of ECC curve on usb token
Hi, I would like to get a usb token to secure my keys. My use case is protection of 3 GnuPG keys that I will be using 10 times per day at least. I plan to create a new key ring from scratch. Because ECC seems more future-oriented than RSA, this is what I chose to use. I'm wondering which usb token to choose as well as which curve. On https://www.gnupg.org/(it)/faq/whats-new-in-2.1.html 2 it is said that many people think NIST and Brainpool have a doubtful origin therefore they recommend the non-standardized Bernstein’s Curve 25519. On https://support.nitrokey.com/t/choice-of-curves-on-the-storage-2/1192/3, the author says that (1) he is not aware of profound critic on Brainpool curves and (2) Bernstein’s Curve 25519 is hard to protect against side channel attacks when being implemented in embedded devices. As a result, I'm a bit lost in what key/curve to choose. -- Damien Cassou http://damiencassou.seasidehosting.st "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users