Elliptic curves in tinc

Guus Sliepen guus at tinc-vpn.org
Tue Mar 25 23:27:21 CET 2014


On Tue, Mar 25, 2014 at 06:41:38PM +0100, Julien Muchembled wrote:

> There has been a recent discussion on debian-devel on this subject:
>   RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)
> 
> In particular:
> 
> * http://thread.gmane.org/gmane.linux.debian.devel.announce/1893/focus=191567
> 
>   We can read that 4096-bit RSA should be preferred over ECDSA.

No, that email discusses RSA versus ECDSA in the context of PGP keys. Since not
all PGP software handles ECDSA keys yet, RSA keys are preferred for now.

> * http://thread.gmane.org/gmane.linux.debian.devel.announce/1893/focus=191567
> 
>   How is ECDSA used in Tinc? It seems a proper implementation is to not rely on a RNG, as described by RFC 6979.

It currently is implemented using the ECDSA functions provided by OpenSSL. I
don't think it uses the method from RFC 6979 yet.

>   http://safecurves.cr.yp.to/ does not list P-521 but there's no reason to think it does not have any flaw of other NIST curves. E-521 may be a better choice but it seems too new.

Currently I'm strongly thinking about moving to Ed25519 keys, for several
reasons: it has a very nice design (efficient constant-time implementation is
easy, curve is generated in a non-suspect way), and I can easily add the
reference implementation to tinc's source code, just like the OpenSSH folks
did.

> Then I wonder: would it be possible to choose the algo to use in the new tinc protocol?

The new protocol will not support choosing arbitrary algorithms. I'm focussing
on only one ciphersuite now (ECDHE-ECDSA-AES256GCM), although I think after
that has stabilized I will add a second suite as a fallback in case the main
one is not trustworthy anymore.

> (BTW, when testing ExperimentalProtocol=yes, I was surprised to see that tincd refuses to start if there's no private RSA key)

That will be fixed before 1.1.0 is released.

> About performance:
>                               sign    verify    sign/s verify/s
>  521 bit ecdsa (nistp521)   0.0005s   0.0012s   1891.0    829.8
>  rsa 4096 bits              0.010225s 0.000164s   97.8   6100.3
> 
> I guess Tinc uses both operations equally, so RSA would be slower.

That's correct.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>