ECDHE Security with Bouncy Castle

StackOverflow https://stackoverflow.com/questions/19604390

Question

I am quite new and unexperienced in the field of Elliptic Curve cryptography. After some research I have determined unlike traditional DHE, ECDHE parameters should not be generated but rather chosen from a list of pre-defined curves (examples include 'P-521', 'prime192v3').

Whilst creating an network based security-sensitive application is it better (or even logical) to choose different curves randomly at runtime vs using a single hard-coded curve?

Also, is there such a concept of a stronger and weaker curves amongst all the curves to choose from?

So far, this is my code to initiating a ECDH exchange:

//For readability purposes exception checking code not shown, all code is properly exception-handled
SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG", "SUN");

X9ECParameters curve = ECNamedCurveTable.getByName("prime192v3");

ECDomainParameters domain = new ECDomainParameters(curve.getCurve(), curve.getG(), curve.getN(), curve.getH(), curve.getSeed());
ECKeyGenerationParameters ecgen = new ECKeyGenerationParameters(domain, rnd);

ECKeyPairGenerator kpgen = new ECKeyPairGenerator();

kpgen.init(ecgen);

AsymmetricCipherKeyPair kp = kpgen.generateKeyPair();

Is there anything wrong with this code so far?

Was it helpful?

Solution

With ECC cryptography, it takes a very long time to create domain parameters. It is also pretty hard to check the security of domain parameters, check for instance the SafeCurves research by Daniel J Bernstein and Tanja lange. Generating your own curve can be done, but probably not in real time. Furthermore, the security may be less than the ones pre-defined, and you may run into compatibility issues later on.

The size of the curve is obviously important, although anything 256 bit of over should provide enough security. It is still possible - although not that likely - that the NIST curves are generated using a scheme that could weaken security. If you are worried about that, choose a curve from the site above (e.g. the BrainpoolP384r1 curve), or one of the more "academic" curves. F(p) curves should probably be preferred over other curves.

Although this is not a code review site, there does not seem to be anything particularly wrong with the code you provided.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top