
Support for "safe" elliptic curves

Posted: Wed Feb 06, 2019 11:36 pm
by Zorro123987
Hi all,

I'd like to do a pure elliptic curve crypto setup and use an elliptic curve that has been rated safe on http://safecurves.cr.yp.to.

Calling "openvpn --show-curves" on OpenVPN 2.4.6 gives me this result:

secp112r1
secp112r2
secp128r1
secp128r2
secp160k1
secp160r1
secp160r2
secp192k1
secp224k1
secp224r1
secp256k1
secp384r1
secp521r1
prime192v1
prime192v2
prime192v3
prime239v1
prime239v2
prime239v3
prime256v1
sect113r1
sect113r2
sect131r1
sect131r2
sect163k1
sect163r1
sect163r2
sect193r1
sect193r2
sect233k1
sect233r1
sect239k1
sect283k1
sect283r1
sect409k1
sect409r1
sect571k1
sect571r1
c2pnb163v1
c2pnb163v2
c2pnb163v3
c2pnb176v1
c2tnb191v1
c2tnb191v2
c2tnb191v3
c2pnb208w1
c2tnb239v1
c2tnb239v2
c2tnb239v3
c2pnb272w1
c2pnb304w1
c2tnb359v1
c2pnb368w1
c2tnb431r1
wap-wsg-idm-ecid-wtls1
wap-wsg-idm-ecid-wtls3
wap-wsg-idm-ecid-wtls4
wap-wsg-idm-ecid-wtls5
wap-wsg-idm-ecid-wtls6
wap-wsg-idm-ecid-wtls7
wap-wsg-idm-ecid-wtls8
wap-wsg-idm-ecid-wtls9
wap-wsg-idm-ecid-wtls10
wap-wsg-idm-ecid-wtls11
wap-wsg-idm-ecid-wtls12
Oakley-EC2N-3
Oakley-EC2N-4
brainpoolP160r1
brainpoolP160t1
brainpoolP192r1
brainpoolP192t1
brainpoolP224r1
brainpoolP224t1
brainpoolP256r1
brainpoolP256t1
brainpoolP320r1
brainpoolP320t1
brainpoolP384r1
brainpoolP384t1
brainpoolP512r1
brainpoolP512t1

I couldn't find any safe curve like Curve25519 or Curve448 in this list. A lot of the currently supported curves were developed by NIST and other institutes, which you had better not trust.

Can you please tell me when any safe curve will be implemented in OpenVPN?

Thanks so much for your reply.

Best,
Zorro

Re: Support for safe elliptic curves

Posted: Thu Feb 07, 2019 10:17 pm
by TinCanTech
The website you have chosen clearly states the following:
"Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation."
So, it is unlikely their opinions will have any influence until they gain some clear support.

Also, OpenVPN Community Edition is brought to you by volunteers, who don't have time for such claims.

Re: Support for "safe" elliptic curves

Posted: Thu Feb 07, 2019 10:47 pm
by Zorro123987
Oh, great! I did not expect *SUCH* a friendly response. Thank you so much!

Re: Support for "safe" elliptic curves

Posted: Wed May 08, 2019 7:43 am
by cwest
Try the following curve:

X25519

That should be the same as Curve25519 on the website you linked.

I am not really an OpenVPN user, but that one works for me on nginx (1.16.0) with my OpenSSL (1.1.1b) even without it explicitly being displayed as a supported curve. It might be similar with OpenVPN.