Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support ECC curve other than 256-bit curve in gRPC SSL transport security #23083

Closed
jiangtaoli2016 opened this issue May 28, 2020 · 7 comments
Closed

Support ECC curve other than 256-bit curve in gRPC SSL transport security #23083

jiangtaoli2016 opened this issue May 28, 2020 · 7 comments
Assignees
@jiangtaoli2016
Labels
disposition/stale kind/enhancement lang/core priority/P2

Comments

@jiangtaoli2016
Copy link

Right now, SSL transport security in gRPC only support 256-bit curve (hardcoded). See code. We shall revise to support more curves.
@jiangtaoli2016 jiangtaoli2016 self-assigned this May 28, 2020
@stale
Copy link

stale bot commented Sep 16, 2020

This issue/PR has been automatically marked as stale because it has not had any update (including commits, comments, labels, milestones, etc) for 30 days. It will be closed automatically if no further update occurs in 7 day. Thank you for your contributions!

@stale stale bot closed this as completed Sep 23, 2020
@danielywong
Copy link

Jiangtao and Mark, any update on this?

@jiangtaoli2016
Copy link
Author

Daniel, do you have a use case?

@jiangtaoli2016
Copy link
Author

@ZhenLian FYI

@danielywong
Copy link

We do have a potential use case. An ETA will be much appreciated. Thank you!

@danielywong
Copy link

use case of ed25519

@ZhenLian
Copy link
Contributor

Foremost, the link in the original issue seems out of date. This should point to

{
    EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
    if (!SSL_CTX_set_tmp_ecdh(context, ecdh)) {
      gpr_log(GPR_ERROR, "Could not set ephemeral ECDH key.");
      EC_KEY_free(ecdh);
      return TSI_INTERNAL_ERROR;
    }
    SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE);
    EC_KEY_free(ecdh);
}

in ssl_transport_security.cc.

It has been discussed more frequently about the key algorithms used in gRPC these days, so I spent some time to read the code/articles talking about this. Let me quickly summarize what I have found so far:

  1. it seems what is hardcoded is actually the DH parameter used when doing the ECDH key exchange. We could consider supporting more curves, or even more key exchange algorithms(e.g. PSK, as in TLS-PSK #24238), either by using an environmental variable(like how cipher suites are configured nowadays), or through a programatic parameter
  2. the feature @danielywong wants, as I have learned, is to support loading more public key algorithms on the certificates. This is the algorithm we use to generate key-cert pairs, and it is not clear to me whether gRPC supports that. The point is, this problem is different from the original issue we wanted to track here. We did receive some feedback from @tavishvaidya saying gRPC couldn't load ECDSA P384 private key though. It probably has something to do with the key loading in OpenSSL/BoringSSL, but not the above code snippet happening during key exchange.

rshearman added a commit to rshearman/grpc that referenced this issue Oct 1, 2021
@rshearman
Expand elliptic curves supported for TLS ephemeral ECDH key (grpc#23083)
23f1323 
When the code was originally OpenSSL didn't have any support for
automatically using one or a list of elliptic curves for the TLS
ephemeral ECDH key, and instead required specifying one manually and
P-256 was a reasonable choice.

However, now next-generation cryptography guidance, such as CNSA
Suite, recommends using ECC P-384 instead of P-256, so to provide
interoperability with peers that only support ECC P-384, or more
secure, then make OpenSSL use automatic curve selection out of a
pre-defined list of appropriate curves. For OpenSSL 1.0.2 this is done
by calling SSL_CTX_set_ecdh_auto, but for OpenSSL 1.1.0 and newer this
is done just by not calling SSL_CTX_set_tmp_ecdh to force a particular
curve.

The default groups in OpenSSL and BoringSSL are all curves of equal or
greater in bits of security than P-256, so using the extended set of
groups doesn't open up an opportunity for a less secure curve to be
used.
rshearman added a commit to rshearman/grpc that referenced this issue Oct 4, 2021
@rshearman
Expand elliptic curves supported for TLS ephemeral ECDH key (grpc#23083)
f601b44 
When the code was originally OpenSSL didn't have any support for
automatically using one or a list of elliptic curves for the TLS
ephemeral ECDH key, and instead required specifying one manually and
P-256 was a reasonable choice.

However, now next-generation cryptography guidance, such as CNSA
Suite, recommends using ECC P-384 instead of P-256, so to provide
interoperability with peers that only support ECC P-384, or more
secure, then make OpenSSL use automatic curve selection out of a
pre-defined list of appropriate curves. For OpenSSL 1.0.2 this is done
by calling SSL_CTX_set_ecdh_auto, but for OpenSSL 1.1.0 and newer this
is done just by not calling SSL_CTX_set_tmp_ecdh to force a particular
curve.

The default groups in OpenSSL and BoringSSL are all curves of equal or
greater in bits of security than P-256, so using the extended set of
groups doesn't open up an opportunity for a less secure curve to be
used.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jiangtaoli2016 jiangtaoli2016

Labels
disposition/stale kind/enhancement lang/core priority/P2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@danielywong @markdroth @jiangtaoli2016 @ZhenLian