Undo deprecation of brainpool EC

Alexander Krumeich alexander.krumeich at gmail.com
Tue Nov 22 09:56:54 UTC 2022


Hi there!

Brainpool curves are mandatory for products/projects in which the
German government is a stakeholder. BSI Technical Guidelines require
the use of brainpoolP256r1, brainpoolP384r1, and the brainpoolP512r1
that Benjamin already mentioned (thanks, Benjamin, for raising this
issue). As for use cases, ECDSA and TLS are a must.

It would be very convenient to see the brainpool curves re-introduced
to OpenJDK!

Thank you for considering this.


   Alexander

On Mon, Nov 21, 2022 at 7:49 AM Xuelei Fan <xuelei.f at gmail.com> wrote:
>
> Hi,
>
> As I’m working on this area recently, I will see if I can contribute.  But it may be no easier than JDK 21.  If you don’t mind, I may ask for more requirement details later and help for testing.
>
> Thanks,
> Xuelei
>
> > On Nov 15, 2022, at 11:23 PM, <benjamin.marwell at f-i.de> <benjamin.marwell at f-i.de> wrote:
> >
> > Hi Xuelei and Sean,
> >
> > We use/see mostly brainpoolP512r1. But it is not just us!
> >
> >> , although I will note that the IANA registry
> >>   still lists them as not recommended for TLS [1].
> >
> > I agree that brainpoolP512r1 is not particularly interesting when it comes to TLS,
> > but we still see server certificates (not the TLS algo) created with brainpoolP512r1, as well as keystores.
> > Not being able to connect due to certificate validation errors OR
> > not being able to read a (somewhat) recently created keystore was astonishing, to say the least.
> >
> >> And with
> >>   recently added support for EdDSA and the future with PQC, it's not
> >>   likely we will circle back to them.
> >
> > This is not about which algorithm is "better" or "can be replaced".
> > It is only about "what should (still) be supported, because NIST and BSI still list them".
> >
> >>    We are ok with a contribution,
> >
> > In my opinion, this is a major breaking change for this reason and should not wait for contributions.
> >
> > - Ben
> >
> >
> > On 15.11.22, 15:35, "security-dev on behalf of Sean Mullan" <security-dev-retn at openjdk.org on behalf of sean.mullan at oracle.com> wrote:
> >
> >    Hi,
> >
> >    Thanks for your questions about brainpool. See below for more details.
> >
> >    On 11/14/22 3:36 AM, benjamin.marwell at f-i.de wrote:
> >> Hello everyone!
> >>
> >> To our surprise, brainpool EC have been deprecated with Java 14+ [1].
> >> However, JDK-8234924 [1] does not add any information on WHY they would have been deprecated.
> >> In fact, neither NIST (USA) nor BSI (Germany) list them as deprecated.
> >> On the contrary, both institutions list them as an acceptable cipher.
> >>
> >> As a matter of fact, the deprecation notice seems to have originated from bad wording.
> >> Please read this quote from Manfred Lochter, who works at the BSI:
> >>
> >>> The unfortunate wording about the brainpool curves originated in TLS 1.3,
> >>> however RFC 8734 makes the curves usable for TLS again.
> >>> We will continue to recommend the Brainpool curves.
> >>> It should also be noted that the arguments for the "modern formulas" have all been refuted by now.
> >>> Especially the implementation of Curve 25519 requires more effort to protect against SCA;
> >>> the deterministic signatures are vulnerable to fault injection.
> >>> In the medium term, however, the switch to post-quantum cryptography is necessary;
> >>> there are comprehensive recommendations on this at [2]
> >>
> >> Now, European banking and health industry still do rely heavily on brainpool curves.
> >> Given all these facts, I hereby request to undo the deprecation of brainpool EC in OpenJDK.
> >>
> >> Please let me know what led to the assumption that brainpool ciphers were deprecated.
> >> Neither NIST nor BSI seems to be the source. Given all the facts, it should still be included.
> >
> >    The word "deprecated" may have been the wrong word to use when referring
> >    to the brainpool curves, although I will note that the IANA registry
> >    still lists them as not recommended for TLS [1].
> >
> >    We don't have any issues with the brainpool curves as we do for
> >    some of the other legacy curves. But, these curves were implemented in
> >    native C code and we changed the structure of the JDK EC implementation
> >    such that all curves that were implemented in C were removed. The
> >    remaining curves that we do support are implemented in Java and use
> >    modern techniques and complete formulas.
> >
> >    It has not been a priority for us to re-implement brainpool. And with
> >    recently added support for EdDSA and the future with PQC, it's not
> >    likely we will circle back to them.
> >
> >    We are ok with a contribution, but they would need to be done using
> >    the current design structure and using complete formulas.
> >
> >    --Sean
> >
> >    [1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
> >
> >>
> >> References:
> >>
> >> [1]: https://bugs.openjdk.org/browse/JDK-8234924
> >> [2]: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Quantentechnologien-und-Post-Quanten-Kryptografie/quantentechnologien-und-post-quanten-kryptografie_node.html
> >>
> >> Kind regards
> >>
> >> Benjamin Marwell
> >>
>
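
The failures described in the thread (certificate validation errors, unreadable keystores) depend on whether any installed security provider still implements the brainpool curves. The following probe is an added example, not code from the thread or from OpenJDK; the class name `BrainpoolProbe` is an assumption. It reports, for each of the three curves named above, the first provider on the running JDK that can complete an ECDSA sign/verify round trip.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

// Hypothetical probe class (the name is an assumption, not part of OpenJDK).
public class BrainpoolProbe {
    // The three curves the thread names as required by BSI Technical Guidelines.
    static final String[] CURVES = {"brainpoolP256r1", "brainpoolP384r1", "brainpoolP512r1"};

    // Returns the first installed provider that can generate a key on the
    // curve and complete an ECDSA sign/verify round trip, or null if none can.
    static String firstWorkingProvider(String curve) {
        byte[] msg = "brainpool probe".getBytes(StandardCharsets.UTF_8);
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyPairGenerator", "EC") == null) continue; // no EC key generation
            try {
                KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
                kpg.initialize(new ECGenParameterSpec(curve)); // throws if the curve is unknown
                KeyPair kp = kpg.generateKeyPair();
                Signature signer = Signature.getInstance("SHA256withECDSA", p);
                signer.initSign(kp.getPrivate());
                signer.update(msg);
                byte[] sig = signer.sign();
                Signature verifier = Signature.getInstance("SHA256withECDSA", p);
                verifier.initVerify(kp.getPublic());
                verifier.update(msg);
                if (verifier.verify(sig)) {
                    return p.getName();
                }
            } catch (GeneralSecurityException | RuntimeException e) {
                // Unsupported curve or algorithm on this provider; try the next one.
            }
        }
        return null;
    }

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (String curve : CURVES) {
            String provider = firstWorkingProvider(curve);
            System.out.println(curve + ": " + (provider == null ? "NOT SUPPORTED" : "ok via " + provider));
        }
    }
}
```

Running this on each JDK version in a deployment pipeline shows before rollout whether brainpool-keyed certificates and keystores will still be usable after an upgrade.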

