RE: Any issue in these instruction?

[mehroz]

Thankyou Dave Thompson for your detailed answer.

Being new with openssl stuff, i have very little knowledge of what these
instruction were actually doing.
I have extracted set of these instruction from a script doing rsa with SHA1,
and i wanted it to convert to ECC with SHA256 based encryption and that's is
all. So, i just thought to change key type (EC) , at first and then move on
with sha256.

Can you give me an example how can i acquire the desired results from those
instructions?



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Any-issue-in-these-instruction-tp45673p45705.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Any issue in these instruction?

[Dave Thompson]

 From: owner-openssl-us...@openssl.org On Behalf Of mehroz
 Sent: Friday, 21 June, 2013 10:45
 To: openssl-users@openssl.org
 Subject: Any issue in these instruction?
 
 openssl ecparam -name secp160r2 -out CA_CURVE.pem
 
 openssl req -out cacert.pem -new -x509 -keyout cakey.pem -newkey
 ec:CA_CURVE.pem -nodes -days 600 -sha1
 
 openssl req -new -out TMPFILE.req -newkey ec:CA_CURVE.pem -keyout
 TMPFILE.key -nodes -sha1
 
 openssl x509 -req -CAkey cakey.pem -CA cacert.pem -CAcreateserial -in
 TMPFILE.req -out TMPFILE.crt -days 600 -sha1
 
 Any problem here?
 
That's a very broad question.

If you have a good openssl from the last several years executable 
and openssl.cnf readable and curr dir writable, the above should 
create a key with that ECC curve and self-signed cert usable as 
an ad-hoc CA (subject maybe to extensions?), and another key with 
same curve and child cert under that ad-hoc CA, with DNs you 
typed (must be distinct and thus can't come from same openssl.cnf), 
and extensions as and if configured in openssl.cnf. Also .srl and 
leftover .req. If that's what you want, no problem. 

Depending on KU that keycert can be used for ECHDE-ECDSA or ECDH(static) 
suites with a supporting peer, but in openssl 0.9.8 not by default.

600 days is a rather odd validity period, but not necessarily wrong.

I don't know how ECC dlog analysis is going, or if it is even 
the same as integer dlog, but 80-bit strength in general is now 
considered too low by many, and as an important example disallowed 
for applying (for SSL/TLS presumably signing or agreement) 
beginning next year for US government use by NIST SP800-57 rev3.
As far as I know NIST doesn't prohibit products from supporting 
disallowed strengths any more than it does unapproved algorithms,
although it probably discourages *defaulting* to them.

Last I tested, Windows/IE Firefox and Chrome ECC implementations did not 
offer prime curves 256, and didn't handle p160k1 cert (the one I tried).

For that matter NIST also disallows SHA-1 as a signature hash 
beginning next year, nominally including certs although CA has 
enough control over cert-TBS to mitigate collisions, but I see 
little sign of public CAs implementing this, whereas they are 
doing RSA=2048 as also required (and not doing ECC at all).


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Any issue in these instruction?

[mehroz]

openssl ecparam -name secp160r2 -out CA_CURVE.pem

openssl req -out cacert.pem -new -x509 -keyout cakey.pem -newkey
ec:CA_CURVE.pem -nodes -days 600 -sha1

openssl req -new -out TMPFILE.req -newkey ec:CA_CURVE.pem -keyout
TMPFILE.key -nodes -sha1

openssl x509 -req -CAkey cakey.pem -CA cacert.pem -CAcreateserial -in
TMPFILE.req -out TMPFILE.crt -days 600 -sha1

Any problem here?



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Any-issue-in-these-instruction-tp45673.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org