Bug 1067697

Summary: Enable prime192v1 and secp224r1 elliptic curves
Product: [Fedora] Fedora Reporter: Orion Poplawski <orion>
Component: opensslAssignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 22CC: cickumqt, hkario, jorti, peter.meier, redhat-bugzilla, sergio, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-14 09:54:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 182235, 1019390    

Description Orion Poplawski 2014-02-20 21:21:54 UTC
Description of problem:

The python-ecdsa package tests itself against openssl.  It implements the prime192v1 and secp224r1 curves which are not currently enabled in openssl.  Can these be enabled please?

Comment 1 Jaroslav Reznik 2015-03-03 15:30:28 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:

Comment 2 Sergio Basto 2015-12-12 04:31:33 UTC
as bug #1019390 said you should reenable all ECC/ECDHE/EC/ECDSA/elliptic curves and not just some .

I'd like have sect233k1 

In [1]: import M2Crypto
In [2]: ec_keypair = M2Crypto.EC.gen_params(M2Crypto.EC.NID_sect233k1)
ValueError: Received a NULL pointer.

Comment 3 Tomas Mraz 2015-12-14 09:54:01 UTC
I would view enabling EC curves smaller than 256 bits as a security regression. So I am wontfixing this bug.

Comment 4 Hubert Kario 2015-12-14 12:40:40 UTC
+1 to the WONTFIX

They are too weak to support. And since most applications have no way to control which ones are enabled, we would need to enable them by default too, that would be serious security regression (even 256 bit curves have a shadow of doubt on them).

Enabling them will bring serious security issues with little to no additional compatibility.

Comment 5 Sergio Basto 2015-12-16 04:34:13 UTC
The work of Proos and Zalka show how a quantum computer for breaking 2048-bit RSA requires roughly 4096 qubits, while a quantum computer to break the equivalently secure 224-bit Elliptic Curve Cryptography requires between 1300 and 1600 qubits. Depending on the growth rate of quantum computers in the future, elliptic curve cryptosystems may become attackable by a quantum computer many years before an equivalently secure RSA scheme.[37]

To avoid quantum computing concerns, an elliptic curve-based alternative to Elliptic Curve Diffie Hellman which is not susceptible to Shor's attack is the Supersingular Isogeny Diffie–Hellman Key Exchange of De Feo, Jao and Plut. It uses elliptic curve isogenies to create a drop-in replacement for the quantum attackable Diffie–Hellman and Elliptic curve Diffie–Hellman key exchanges. This key exchange uses the same elliptic curve computational primitives of existing elliptic curve cryptography and requires computational and transmission overhead similar to many currently used public key systems.[38]


So you concerned with quantum computing ? 
You shouldn't decide this by your own, you should open a ticket in fesco or something like that, the problem wasn't safety, was legal, some algorithms have patents and now you are not implement this because is not safe !?! 
The problem is: this ECC (that we are requesting here to enabled) are used in 3rd software like tribler or acestream or tor or others and won't run in Fedora because you are illuminated .

I think you are confusing the key length with curve over a 233 bit prime field , 256 is 2^8 and 233 is prime number .

Moreover openssl.spec [1] is a mess , you have patches over patches, a own implementation of ec_curve.c and this could have make sense when legal department decide remove ECC (by legal reasons) but not anymore. What I though was that by legal reasons we couldn't enable all ECC and we have to analyse them one by one, now invoke a security reason doesn't make sense . 

[1] https://pkgs.fedoraproject.org/cgit/openssl.git/tree/

Comment 6 Tomas Mraz 2015-12-17 08:17:35 UTC
AFAIK there is no blank approval for any elliptic curves by legal anyway. You need to explicitly ask for approval for each.

If you dispute it, feel free opening tickets in FESCo.

Comment 7 Orion Poplawski 2015-12-17 15:24:00 UTC
Well, that was the original intent of this bug - to get approval for those curves.

Comment 8 Hubert Kario 2015-12-21 10:53:45 UTC
Point is that even if there was approval for all curves from legal, we would be against enabling them. If you want curves smaller than 256 bit in Fedora, please open ticket in FESCo. If FESCo overrides our position, we can then ask legal.