Undo deprecation of brainpool EC

Xuelei Fan xuelei.f at gmail.com
Mon Nov 21 06:48:47 UTC 2022


Hi,

As I’m working on this area recently, I will see if I can contribute.  But it may be no easier than JDK 21.  If you don’t mind, I may ask for more requirement details later and help for testing.

Thanks,
Xuelei

> On Nov 15, 2022, at 11:23 PM, <benjamin.marwell at f-i.de> <benjamin.marwell at f-i.de> wrote:
> 
> Hi Xuelei and Sean,
> 
> We use/see mostly brainpoolP512r1. But it is not just us! 
> 
>> , although I will note that the IANA registry
>>   still lists them as not recommended for TLS [1].
> 
> I agree that brainpoolP512r1 are not particularly interesting when it comes to TLS,
> but we still see server certificates (not the TLS algo) created with brainpoolP512r1, as well as keystores.
> Not being able to connect due to certificate validation errors OR 
> not being able to read a (somewhat) recently created keystore was astonishing, to say the least.
> 
>> And with
>>   recently added support for EdDSA and the future with PQC, it's not
>>   likely we will circle back to them.
> 
> This is not about which algorithm is "better" or "can be replaced".
> It is only about "what should (still) be supported, because NIST and BSI still list them".
> 
>>    We are ok with a contribution,
> 
> In my opinion, this is a major breaking change for this reason and should not wait for contributions.
> 
> - Ben
> 
> 
> On 15.11.22, 15:35, "security-dev on behalf of Sean Mullan" <security-dev-retn at openjdk.org on behalf of sean.mullan at oracle.com> wrote:
> 
>    Hi,
> 
>    Thanks for your questions about brainpool. See below for more details.
> 
>    On 11/14/22 3:36 AM, benjamin.marwell at f-i.de wrote:
>> Hello everyone!
>> 
>> To our surprise, brainpool EC have been deprecated with Java 14+ [1].
>> However, JDK-8234924 [1] does not add any information on WHY they would have been deprecated.
>> In fact, neither NIST (USA) nor BSI (Germany) list them as deprecated.
>> On the contrary, both institutions list them as an acceptable cipher.
>> 
>> As a matter of fact, the deprecation notice seems to have originated from bad wording.
>> Please read this quote from Manfred Lochter, who works at the BSI:
>> 
>>> The unfortunate wording about the brainpool curves originated in TLS 1.3,
>>> however RFC 8734 makes the curves usable for TLS again.
>>> We will continue to recommend the Brainpool curves.
>>> It should also be noted that the arguments for the "modern formulas" have all been refuted by now.
>>> Especially the implementation of Curve 25519 requires more effort to protect against SCA;
>>> the deterministic signatures are vulnerable to fault injection.
>>> In the medium term, however, the switch to post-quantum cryptography is necessary;
>>> there are comprehensive recommendations on this at [2]
>> 
>> Now, European banking and health industry still do rely heavily on brainpool curves.
>> Given all these facts, I hereby request to undo the deprecation of brainpool EC in OpenJDK.
>> 
>> Please let me know what led to the assumption that brainpool ciphers were deprecated.
>> Neither NIST nor BSI seems to be the source. Given all the facts, it should still be included.
> 
>    The word "deprecated" may have been the wrong word to use when referring
>    to the brainpool curves, although I will note that the IANA registry
>    still lists them as not recommended for TLS [1].
> 
>    We don't have any issues with the brainpool curves as we do for
>    some of the other legacy curves. But, these curves were implemented in
>    native C code and we changed the structure of the JDK EC implementation
>    such that all curves that were implemented in C were removed. The
>    remaining curves that we do support are implemented in Java and use
>    modern techniques and complete formulas.
> 
>    It has not been a priority for us to re-implement brainpool. And with
>    recently added support for EdDSA and the future with PQC, it's not
>    likely we will circle back to them.
> 
>    We are ok with a contribution, but they would need to be done using
>    the current design structure and using complete formulas.
> 
>    --Sean
> 
>    [1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
> 
>> 
>> References:
>> 
>> [1]: https://bugs.openjdk.org/browse/JDK-8234924
>> [2]: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Quantentechnologien-und-Post-Quanten-Kryptografie/quantentechnologien-und-post-quanten-kryptografie_node.html
>> 
>> Mit freundlichen Grüßen
>> 
>> Benjamin Marwell
>> 
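The failure mode described in the thread (a keystore or server certificate using brainpoolP512r1 that a JDK 16+ SunEC can no longer load) can be caught before deployment by probing the installed JCA providers for the curve names. The class below is an added example, not code from the thread or from OpenJDK; the class name EcCurveProbe, the curve list and the optional provider-name argument are my choices, while the API calls (KeyPairGenerator, ECGenParameterSpec) are standard JCA and behave the same on any JDK version.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.spec.ECGenParameterSpec;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Reports which named EC curves the installed JCA providers accept.
 *
 * Run this on the target JDK before moving brainpool-dependent keystores or
 * certificate chains onto it: a curve that SunEC dropped shows up here as a
 * clear "NOT supported" line instead of as a certificate-validation or
 * keystore-load exception at runtime.
 */
public final class EcCurveProbe {

    // Curve list is an assumption for this example: the brainpool curves named
    // in the thread plus the NIST curves that SunEC still implements in Java.
    static final List<String> CURVES = List.of(
            "brainpoolP256r1", "brainpoolP384r1", "brainpoolP512r1",
            "secp256r1", "secp384r1", "secp521r1");

    /**
     * Returns curveName -> supported, using the named provider, or the default
     * provider search order when providerName is null.
     */
    static Map<String, Boolean> probe(String providerName)
            throws NoSuchAlgorithmException, NoSuchProviderException {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String curve : CURVES) {
            result.put(curve, isSupported(curve, providerName));
        }
        return result;
    }

    static boolean isSupported(String curve, String providerName)
            throws NoSuchAlgorithmException, NoSuchProviderException {
        KeyPairGenerator kpg = providerName == null
                ? KeyPairGenerator.getInstance("EC")
                : KeyPairGenerator.getInstance("EC", providerName);
        try {
            // A provider that does not implement the named curve rejects it
            // here with InvalidAlgorithmParameterException; no key is generated.
            kpg.initialize(new ECGenParameterSpec(curve));
            return true;
        } catch (InvalidAlgorithmParameterException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Optional argument: a provider name, e.g. one registered in java.security
        // or via Security.addProvider(), to check that provider alone.
        String provider = args.length > 0 ? args[0] : null;
        System.out.println("JDK " + System.getProperty("java.version")
                + ", provider: " + (provider == null ? "(default search order)" : provider));
        probe(provider).forEach((curve, ok) ->
                System.out.printf("%-18s %s%n", curve, ok ? "supported" : "NOT supported"));
    }
}
```

On a JDK 11 installation with the native SunEC library the brainpool lines report "supported"; on JDK 16 and later with only the bundled providers they report "NOT supported", which is exactly the situation the thread describes. Passing the name of a third-party provider that implements brainpool as the first argument shows whether that provider closes the gap for the curves your keystores actually use.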