1

I am quite new and unexperienced in the field of Elliptic Curve cryptography. After some research I have determined unlike traditional DHE, ECDHE parameters should not be generated but rather chosen from a list of pre-defined curves (examples include 'P-521', 'prime192v3').

Whilst creating an network based security-sensitive application is it better (or even logical) to choose different curves randomly at runtime vs using a single hard-coded curve?

Also, is there such a concept of a stronger and weaker curves amongst all the curves to choose from?

So far, this is my code to initiating a ECDH exchange:

//For readability purposes exception checking code not shown, all code is properly exception-handled
SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG", "SUN");

X9ECParameters curve = ECNamedCurveTable.getByName("prime192v3");

ECDomainParameters domain = new ECDomainParameters(curve.getCurve(), curve.getG(), curve.getN(), curve.getH(), curve.getSeed());
ECKeyGenerationParameters ecgen = new ECKeyGenerationParameters(domain, rnd);

ECKeyPairGenerator kpgen = new ECKeyPairGenerator();

kpgen.init(ecgen);

AsymmetricCipherKeyPair kp = kpgen.generateKeyPair();

Is there anything wrong with this code so far?

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263
initramfs
  • 8,275
  • 2
  • 36
  • 58
  • Most of the questions are more suited for crypto.stackexchange.com. You should always at least add a common tag such as cryptography to the question, this one went under the radar. – Maarten Bodewes Oct 30 '13 at 01:19

1 Answers1

2

With ECC cryptography, it takes a very long time to create domain parameters. It is also pretty hard to check the security of domain parameters, check for instance the SafeCurves research by Daniel J Bernstein and Tanja lange. Generating your own curve can be done, but probably not in real time. Furthermore, the security may be less than the ones pre-defined, and you may run into compatibility issues later on.

The size of the curve is obviously important, although anything 256 bit of over should provide enough security. It is still possible - although not that likely - that the NIST curves are generated using a scheme that could weaken security. If you are worried about that, choose a curve from the site above (e.g. the BrainpoolP384r1 curve), or one of the more "academic" curves. F(p) curves should probably be preferred over other curves.

Although this is not a code review site, there does not seem to be anything particularly wrong with the code you provided.

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263
  • Regarding pre-defined named curves, should I stick to a single one or choose from a pool of pre-defined ones during runtime. Essentially is there any benefit of "randomizing" the curve used? (The curve used in a particular exchange will be transferred to the second party in plaintext just prior to the exchange so that both parties use the same curve) – initramfs Oct 30 '13 at 01:38
  • @CPUTerminator No that would not give you any benefit. Actually, you would run into problems if any of them was proven weak. – Maarten Bodewes Oct 30 '13 at 01:41