Disabled brainpool curves

benjamin.marwell at f-i.de
Tue Dec 13 07:39:44 UTC 2022


Hi everyone!

I just stumbled over “Disable weak named curves”, e.g.

• https://bugs.openjdk.org/browse/JDK-8235540
• http://cr.openjdk.java.net/~alexsch/sercher/8233228/webrev.00/src/share/lib/security/java.security-aix.udiff.html

Interestingly, brainpoolP512r1 is on that list.
Just a few weeks ago I cited someone from the German BSI who debunked the myth that brainpool ciphers are weak [1].
They are only weak on TLSv1.3 if not used properly.

Please revert this change ASAP. It will break a lot of cryptography for no reason.
Additionally, JDK-8235540 doesn't even mention how this list was chosen.

Here's the quote again from Manfred Lochter, who works at the BSI:

> The unfortunate wording about the brainpool curves originated in TLS 1.3,
> however RFC 8734 makes the curves usable for TLS again.
> We will continue to recommend the Brainpool curves.
> It should also be noted that the arguments for the "modern formulas" have all been refuted by now.
> Especially the implementation of Curve 25519 requires more effort to protect against SCA;
> the deterministic signatures are vulnerable to fault injection.
> In the medium term, however, the switch to post-quantum cryptography is necessary;
> there are comprehensive recommendations on this at [2]

Please be aware that other users have already +1'd this [3].

- Ben

[1]: https://mail.openjdk.org/pipermail/security-dev/2022-November/033108.html 
[2]: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Quantentechnologien-und-Post-Quanten-Kryptografie/quantentechnologien-und-post-quanten-kryptografie_node.html
[3]: https://mail.openjdk.org/pipermail/security-dev/2022-November/033428.html 
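As an added example (not part of the thread above and not JDK project code), a small Java check for how the running JDK treats a named curve such as brainpoolP512r1. It assumes the `jdk.disabled.namedCurves` security property from java.security is the list the linked change edits, and it separately tries plain EC key generation, which is not governed by that list and only shows whether an installed provider implements the curve at all.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;

/** Illustrative check of a JDK's handling of one named EC curve (example code, not from the mailing list). */
public class CurveCheck {

    /** True if the curve appears in jdk.disabled.namedCurves (java.security, or a -Djava.security.properties override). */
    static boolean isListedAsDisabled(String curve) {
        String disabled = Security.getProperty("jdk.disabled.namedCurves");
        if (disabled == null) {
            return false;
        }
        return Arrays.stream(disabled.split(","))
                .map(String::trim)
                .anyMatch(curve::equalsIgnoreCase);
    }

    /** Name of the first installed provider that can generate keys on the curve, or null if none does. */
    static String supportingProvider(String curve) throws NoSuchAlgorithmException {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            // Provider selection happens here; an unsupported curve throws rather than silently falling back.
            kpg.initialize(new ECGenParameterSpec(curve));
            return kpg.getProvider().getName();
        } catch (InvalidAlgorithmParameterException e) {
            return null;
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String curve = args.length > 0 ? args[0] : "brainpoolP512r1";
        System.out.println(curve + " listed in jdk.disabled.namedCurves: " + isListedAsDisabled(curve));
        String provider = supportingProvider(curve);
        if (provider == null) {
            System.out.println("no installed provider implements " + curve + " (e.g. add a third-party JCE provider)");
        } else {
            System.out.println("key generation on " + curve + " available via provider " + provider);
        }
    }
}
```

Running this under a JDK whose java.security lists the curve shows the first line as true even when key generation still succeeds, which is the distinction the disabled-list change makes: TLS, certificate path validation and signed-JAR verification reject the curve while raw key operations do not.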