4

BouncyCastle includes many symmetric encryption engines, as well as RSA and ElGamal encryption engines (asymmetric engines). It also has a lot of online resources about how to use these engines to perform encryption/decryption processes. However, BouncyCastle provides no Elliptic Curve engine (check github/bc). After reviewing the code, all asymmetric engines implement the AsymmetricBlockCipher interface and none of them is an EC engine.

This is somewhat confusing, since BouncyCastle provides the ability to generate EC key pairs with different key strengths based on predefined and well-known curves, as in the example below:

    using Org.BouncyCastle.Asn1;
    using Org.BouncyCastle.Asn1.Sec;
    using Org.BouncyCastle.Asn1.X9;
    using Org.BouncyCastle.Crypto;
    using Org.BouncyCastle.Crypto.EC;
    using Org.BouncyCastle.Crypto.Generators;
    using Org.BouncyCastle.Crypto.Parameters;
    using Org.BouncyCastle.Security;

    public static AsymmetricCipherKeyPair GenerateKeys(int keySize)
    {
        // Map the requested key size to the OID of a named curve.
        DerObjectIdentifier oid;
        switch (keySize)
        {
            case 192:
                oid = X9ObjectIdentifiers.Prime192v1;
                break;
            case 224:
                oid = SecObjectIdentifiers.SecP224r1;
                break;
            case 128:
                oid = SecObjectIdentifiers.SecP128r1;
                break;
            case 239:
                oid = X9ObjectIdentifiers.Prime239v1;
                break;
            case 256:
                oid = X9ObjectIdentifiers.Prime256v1;
                break;
            case 384:
                oid = SecObjectIdentifiers.SecP384r1;
                break;
            case 521:
                oid = SecObjectIdentifiers.SecP521r1;
                break;
            default:
                throw new InvalidParameterException("unknown key size.");
        }

        ECKeyPairGenerator gen = new ECKeyPairGenerator();
        SecureRandom secureRandom = new SecureRandom();
        // CustomNamedCurves returns null for any curve it does not include,
        // so fall back to the general named-curve table in that case.
        X9ECParameters ecps = CustomNamedCurves.GetByOid(oid) ?? ECNamedCurveTable.GetByOid(oid);
        ECDomainParameters ecDomainParameters = new ECDomainParameters(ecps.Curve, ecps.G, ecps.N, ecps.H, ecps.GetSeed());
        ECKeyGenerationParameters ecKeyGenerationParameters = new ECKeyGenerationParameters(ecDomainParameters, secureRandom);
        gen.Init(ecKeyGenerationParameters);
        return gen.GenerateKeyPair();
    }

There are some engines, like IESEngine, that provide a public/private EC agreement on top of the encryption/decryption process (e.g. ECDHBasicAgreement). However, it doesn't use the public/private keys directly; instead, it calculates a new symmetric key from both keys, which is then used to encrypt the plaintext message using a predefined symmetric cipher.

My question:

  1. Is BC really not providing an easy to use EC Engine like ElGamalEngine and RSAEngine?
  2. If yes, how to implement a safe EC encryption/decryption process using directly the ECKeyParameters generated using the above function (if possible)?

Thanks in advance.

peter bence
  • 2
    Please do not format arbitrary names as `code`. – Uwe Keim Jan 01 '20 at 14:33
  • 1
    You may want to read the following Wiki article on different encryption algorithms and their security: https://en.wikipedia.org/wiki/Transport_Layer_Security. Elliptical is one method in the article. RFC5289 (a reference in Wiki) can be found here: https://tools.ietf.org/html/rfc5289 – jdweng Jan 01 '20 at 14:44
  • 4
    @jdweng This has nothing to do with TLS, why did you even bring that up? – Maarten Bodewes Jan 01 '20 at 19:39
  • *includes too many symmetric encryption engines...* Why too many? What's the right number? – President James K. Polk Jan 01 '20 at 20:28
  • @Maarten - reinstate Monica: Look at the link and the different types of encryption modes that TLS supports, including Elliptic mode. And the OP asked "how to implement a safe EC encryption/decryption process". And the Wiki article compares the different encryption methods and their strength. – jdweng Jan 01 '20 at 21:25
  • @jdweng thanks but this Wiki article cannot help me implement an EC engine – peter bence Jan 02 '20 at 11:30
  • Why did you choose BouncyCastle? Why did you choose EC? Was it because you found code on the Net? The Wiki article says EC is older encryption that can be decrypted by hackers (Insecure). – jdweng Jan 02 '20 at 11:44
  • 1
    @jdweng no, this is not the issue. Developers use BouncyCastle or OpenSSL since these libraries support EC curves, encryption algorithms with different key strengths, hash and HMAC algorithms, and more that are not implemented in Microsoft's Crypto lib. Concerning EC, I have a good background about the algorithm and I've read too much before choosing it and I believe that it is secure. Thanks again!! – peter bence Jan 02 '20 at 12:07
  • A lot of times people develop libraries because the Net Library does not implement an algorithm (or Microsoft has errors in their library). Later Microsoft fixes the issues. Then the developer's library is no longer needed. Your code from GitHub may not be needed. The RFC link I provided gives the option so you can use Net SHA if you set the parameter correctly. – jdweng Jan 02 '20 at 12:07
  • 1
    I'm not saying it is not secure. Just that there are better/newer methods that are less prone to hackers. Believe what NSA says, it is accurate from the Wiki article. The strength of an algorithm is based on the time it would take a hacker to decrypt and the speed of the machine used to break the algorithm. So using longer keys, faster machines, and eliminating the known threats all change the time it takes hackers to break. – jdweng Jan 02 '20 at 12:13

2 Answers

2

> Is BC really not providing an easy to use EC Engine like ElGamalEngine and RSAEngine?

Correct, because there aren't any. In principle you could use ElGamal encryption with ECC, but that has such serious input limitations (requiring a point rather than normal plaintext) that it is hardly useful to do so. Furthermore, using it directly will lead to an insecure scheme. That's not specific to Bouncy Castle, by the way.

> If yes, how to implement a safe EC encryption/decryption process using directly the ECKeyParameters generated using the above function (if possible)?

Unless you are a cryptographer / mathematician, you don't. You use ECIES.

Maarten Bodewes
  • 1
    Feel free to browse the [cryptography site](https://crypto.stackexchange.com) about EC encryption / ElGamal of course, and if a (more specific) question about it is not there, feel free to ask. – Maarten Bodewes Jan 02 '20 at 11:30
  • thanks for your attention, however your answer disappoints me, I really need to implement an EC engine, using ECIES is not good for me, since it is using a symmetric cipher inside... and btw using ElGamalEngine for encryption the way implemented in the link you referenced, might not be safe.. can you please at least redirect me to a good point (site, git repo, book...) to start with? – peter bence Jan 02 '20 at 11:39
  • 1
    I think I just did, and feel free to [chat](https://chat.stackexchange.com/?tab=site&host=crypto.stackexchange.com) there as well. This is a programming site, and posting an implementation here might not be the best idea - as you've already noted, directly using ElGamal might not be secure and secure versions would not fit most use cases. – Maarten Bodewes Jan 02 '20 at 11:49
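
The hybrid construction that the question describes for IESEngine and that the answer above recommends (ECIES), written out from BouncyCastle C# primitives. This is an added example, not code from the posts or from BouncyCastle, and it is ECIES-style rather than a standards-conformant ECIES encoding. The class name `EcHybridSketch`, the HKDF-SHA256 and AES-256-GCM choices and the output layout are assumptions.

```csharp
using Org.BouncyCastle.Crypto.Agreement;
using Org.BouncyCastle.Crypto.Digests;
using Org.BouncyCastle.Crypto.Engines;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Modes;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities;

public static class EcHybridSketch // hypothetical name, not a BouncyCastle class
{
    // ECDH shared secret -> HKDF-SHA256 -> AES-256-GCM over input[off, off + len).
    static byte[] Crypt(bool enc, ECPrivateKeyParameters priv, ECPublicKeyParameters pub,
                        byte[] ephPub, byte[] input, int off, int len)
    {
        var agree = new ECDHBasicAgreement();
        agree.Init(priv);
        byte[] z = BigIntegers.AsUnsignedByteArray(agree.GetFieldSize(), agree.CalculateAgreement(pub));
        var hkdf = new HkdfBytesGenerator(new Sha256Digest());
        hkdf.Init(new HkdfParameters(z, null, ephPub)); // ephemeral key bound in as HKDF info
        byte[] okm = new byte[44];                      // 32-byte key + 12-byte nonce
        hkdf.GenerateBytes(okm, 0, okm.Length);
        var gcm = new GcmBlockCipher(new AesEngine());
        gcm.Init(enc, new AeadParameters(new KeyParameter(okm, 0, 32), 128, Arrays.CopyOfRange(okm, 32, 44)));
        byte[] output = new byte[gcm.GetOutputSize(len)];
        int n = gcm.ProcessBytes(input, off, len, output, 0);
        gcm.DoFinal(output, n); // on decryption, throws InvalidCipherTextException if the tag is wrong
        return output;
    }

    // Output: uncompressed ephemeral public point || AES-GCM ciphertext and tag.
    public static byte[] Encrypt(ECPublicKeyParameters recipient, byte[] plaintext)
    {
        var gen = new ECKeyPairGenerator();
        gen.Init(new ECKeyGenerationParameters(recipient.Parameters, new SecureRandom()));
        var eph = gen.GenerateKeyPair(); // fresh key pair per message, so key and nonce never repeat
        byte[] ephPub = ((ECPublicKeyParameters)eph.Public).Q.GetEncoded(false);
        byte[] ct = Crypt(true, (ECPrivateKeyParameters)eph.Private, recipient, ephPub, plaintext, 0, plaintext.Length);
        return Arrays.Concatenate(ephPub, ct);
    }

    public static byte[] Decrypt(ECPrivateKeyParameters recipient, byte[] message)
    {
        int ptLen = 1 + 2 * ((recipient.Parameters.Curve.FieldSize + 7) / 8);
        byte[] ephPub = Arrays.CopyOfRange(message, 0, ptLen);
        // DecodePoint rejects encodings that are not valid points on the recipient's curve.
        var q = new ECPublicKeyParameters(recipient.Parameters.Curve.DecodePoint(ephPub), recipient.Parameters);
        return Crypt(false, recipient, q, ephPub, message, ptLen, message.Length - ptLen);
    }
}
```

A key pair from the question's `GenerateKeys` can be used by casting its `Public` and `Private` members to `ECPublicKeyParameters` and `ECPrivateKeyParameters`.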
2

After some research, I found that BouncyCastle has its own SM2Engine that implements the SM2 Digital Signature Algorithm and uses the ECKeyParameters (Elliptic curve key parameters) to provide encryption/decryption abilities.

Edit: please note that SM2 is not yet verified to be totally secure, where there has been relatively little analysis of the SM2 signature scheme that I can find in the anglophone cryptography literature beyond some side channel attacks. So use it upon your own responsibility.

    // publicKey, privateKey (an EC key pair) and plainText (a byte[]) are assumed to be defined by the caller.

    // Encrypt with the public key.
    SM2Engine sm2Engine = new SM2Engine();
    sm2Engine.init(true, new ParametersWithRandom((ECKeyParameters) publicKey, new SecureRandom()));
    byte[] enc1 = sm2Engine.processBlock(plainText, 0, plainText.length);
    System.out.println("Cipher Text (SM2Engine): " + Hex.toHexString(enc1));

    // Decrypt with the matching private key.
    sm2Engine = new SM2Engine();
    sm2Engine.init(false, (ECKeyParameters) privateKey);
    byte[] dec1 = sm2Engine.processBlock(enc1, 0, enc1.length);
    System.out.println("Plain Text (SM2Engine): " + Hex.toHexString(dec1));

peter bence
  • 1
    How did you determine that using a Chinese signature algorithm to encrypt is in any way secure? If you did determine this fact, could you indicate it in the answer? You may lead other people into using an insecure algorithm if you don't have good reason. – Maarten Bodewes Jan 03 '20 at 23:55
  • @Maarten-reinstateMonica, SM2 seems to be widely used in China, although this doesn't assure that it is secure but being used by many Chinese cryptographers makes me feel comfortable. Anyway thanks for your note, I will edit my answer to mention that – peter bence Jan 06 '20 at 13:59
  • Well, yes, but you mention *encryption / decryption* in your question, right? How did you determine that a *signature* algorithm is secure for that, Chinese or not? – Maarten Bodewes Jan 06 '20 at 17:35