Hi there! Brainpool curves are mandatory for products/projects in which the German government is a stakeholder. BSI Technical Guidelines require the use of brainpoolP256r1, brainpoolP384r1, and the brainpoolP512r1 that Benjamin already mentioned (thanks, Benjamin, for raising this issue). As for use cases, ECDSA and TLS are a must.
It would be very convenient to see the brainpool curves re-introduced to OpenJDK! Thank you for considering this.

Alexander

On Mon, Nov 21, 2022 at 7:49 AM Xuelei Fan <xuele...@gmail.com> wrote:
>
> Hi,
>
> As I’m working on this area recently, I will see if I can contribute. But it
> may be no easier than JDK 21. If you don’t mind, I may ask for more
> requirement details later and help for testing.
>
> Thanks,
> Xuelei
>
> > On Nov 15, 2022, at 11:23 PM, <benjamin.marw...@f-i.de>
> > <benjamin.marw...@f-i.de> wrote:
> >
> > Hi Xuelei and Sean,
> >
> > We use/see mostly brainpoolP512r1. But it is not just us!
> >
> >> , although I will note that the IANA registry
> >> still lists them as not recommended for TLS [1].
> >
> > I agree that brainpoolP512r1 are not particularly interesting when it comes
> > to TLS,
> > but we still see server certificates (not the TLS algo) created with
> > brainpoolP512r1, as well as keystores.
> > Not being able to connect due to certificate validation errors OR
> > not being able to read a (somewhat) recently created keystore was
> > astonishing, to say the least.
> >
> >> And with
> >> recently added support for EdDSA and the future with PQC, it's not
> >> likely we will circle back to them.
> >
> > This is not about which algorithm is "better" or "can be replaced".
> > It is only about "what should (still) be supported, because NIST and BSI
> > still list them".
> >
> >> We are ok with a contribution,
> >
> > In my opinion, this is a major breaking change for this reason and should
> > not wait for contributions.
> >
> > - Ben
> >
> >
> > On 15.11.22, 15:35, "security-dev on behalf of Sean Mullan"
> > <security-dev-r...@openjdk.org on behalf of sean.mul...@oracle.com> wrote:
> >
> > Hi,
> >
> > Thanks for your questions about brainpool. See below for more details.
> >
> > On 11/14/22 3:36 AM, benjamin.marw...@f-i.de wrote:
> >> Hello everyone!
> >>
> >> To our surprise, brainpool EC have been deprecated with Java 14+ [1].
> >> However, JDK-8234924 [1] does not add any information on WHY they would
> >> have been deprecated.
> >> In fact, neither NIST (USA) nor BSI (Germany) list them as deprecated.
> >> On the contrary, both institutions list them as an acceptable cipher.
> >>
> >> As a matter of fact, the deprecation notice seems to have originated from bad
> >> wording.
> >> Please read this quote from Manfred Lochter, who works at the BSI:
> >>
> >>> The unfortunate wording about the brainpool curves originated in TLS 1.3,
> >>> however RFC 8734 makes the curves usable for TLS again.
> >>> We will continue to recommend the Brainpool curves.
> >>> It should also be noted that the arguments for the "modern formulas" have
> >>> all been refuted by now.
> >>> Especially the implementation of Curve 25519 requires more effort to
> >>> protect against SCA;
> >>> the deterministic signatures are vulnerable to fault injection.
> >>> In the medium term, however, the switch to post-quantum cryptography is
> >>> necessary;
> >>> there are comprehensive recommendations on this at [2]
> >>
> >> Now, European banking and health industry still do rely heavily on
> >> brainpool curves.
> >> Given all these facts, I hereby request to undo the deprecation of
> >> brainpool EC in OpenJDK.
> >>
> >> Please let me know what led to the assumption that brainpool ciphers were
> >> deprecated.
> >> Neither NIST nor BSI seems to be the source. Given all the facts, it
> >> should still be included.
> >
> > The word "deprecated" may have been the wrong word to use when referring
> > to the brainpool curves, although I will note that the IANA registry
> > still lists them as not recommended for TLS [1].
> >
> > We don't have any issues with the brainpool curves as we do for
> > some of the other legacy curves. But, these curves were implemented in
> > native C code and we changed the structure of the JDK EC implementation
> > such that all curves that were implemented in C were removed. The
> > remaining curves that we do support are implemented in Java and use
> > modern techniques and complete formulas.
> >
> > It has not been a priority for us to re-implement brainpool. And with
> > recently added support for EdDSA and the future with PQC, it's not
> > likely we will circle back to them.
> >
> > We are ok with a contribution, but they would need to be done using
> > the current design structure and using complete formulas.
> >
> > --Sean
> >
> > [1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
> >
> >>
> >> References:
> >>
> >> [1]: https://bugs.openjdk.org/browse/JDK-8234924
> >> [2]:
> >> https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Quantentechnologien-und-Post-Quanten-Kryptografie/quantentechnologien-und-post-quanten-kryptografie_node.html
> >>
> >> Kind regards
> >>
> >> Benjamin Marwell
> >>
>
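
A way to check whether a given JDK build, with its configured security providers, still handles the three curves named in this thread, and at which step it fails if not. This is an added example, not part of the original messages and not OpenJDK code; the class name `BrainpoolProbe` and the test message are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.util.List;

// Hypothetical helper class, added for illustration.
public class BrainpoolProbe {
    // Curve names as given in the thread above.
    static final List<String> CURVES =
            List.of("brainpoolP256r1", "brainpoolP384r1", "brainpoolP512r1");

    /** Returns null if the curve works end to end, else the failing step and the reason. */
    static String probe(String curve) {
        String step = "parameter lookup";
        try {
            // Step 1: can any installed provider resolve the named curve?
            AlgorithmParameters params = AlgorithmParameters.getInstance("EC");
            params.init(new ECGenParameterSpec(curve));

            // Step 2: can a key pair be generated on it?
            step = "key generation";
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(new ECGenParameterSpec(curve));
            KeyPair kp = kpg.generateKeyPair();

            // Step 3: ECDSA round trip over a constructed message.
            step = "ECDSA sign/verify";
            byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);
            Signature ecdsa = Signature.getInstance("SHA512withECDSA");
            ecdsa.initSign(kp.getPrivate());
            ecdsa.update(msg);
            byte[] sig = ecdsa.sign();
            ecdsa.initVerify(kp.getPublic());
            ecdsa.update(msg);
            return ecdsa.verify(sig) ? null : step + ": signature did not verify";
        } catch (GeneralSecurityException | RuntimeException e) {
            return step + ": " + e;
        }
    }

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (String curve : CURVES) {
            String failure = probe(curve);
            System.out.println(curve + " -> "
                    + (failure == null ? "supported" : "FAILED at " + failure));
        }
    }
}
```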