Undo deprecation of brainpool EC

benjamin.marwell at f-i.de
Wed Nov 16 07:23:20 UTC 2022


Hi Xuelei and Sean,

We use/see mostly brainpoolP512r1. But it is not just us! 

> , although I will note that the IANA registry
>    still lists them as not recommended for TLS [1].

I agree that brainpoolP512r1 is not particularly interesting when it comes to TLS,
but we still see server certificates (not the TLS algo) created with brainpoolP512r1, as well as keystores.
Not being able to connect due to certificate validation errors OR
not being able to read a (somewhat) recently created keystore was astonishing, to say the least.

> And with
>    recently added support for EdDSA and the future with PQC, it's not
>    likely we will circle back to them.

This is not about which algorithm is "better" or "can be replaced".
It is only about "what should (still) be supported, because NIST and BSI still list them".

>     We are ok with a contribution,

In my opinion, this is a major breaking change for this reason and should not wait for contributions.

- Ben


On 15.11.22, 15:35, "security-dev on behalf of Sean Mullan" <security-dev-retn at openjdk.org on behalf of sean.mullan at oracle.com> wrote:

    Hi,

    Thanks for your questions about brainpool. See below for more details.

    On 11/14/22 3:36 AM, benjamin.marwell at f-i.de wrote:
    > Hello everyone!
    > 
    > To our surprise, brainpool EC have been deprecated with Java 14+ [1].
    > However, JDK-8234924 [1] does not add any information on WHY they would have been deprecated.
    > In fact, neither NIST (USA) nor BSI (Germany) list them as deprecated.
    > On the contrary, both institutions list them as an acceptable cipher.
    > 
    > As a matter of fact, the deprecation notice seems to have originated from bad wording.
    > Please read this quote from Manfred Lochter, who works at the BSI:
    > 
    >> The unfortunate wording about the brainpool curves originated in TLS 1.3,
    >> however RFC 8734 makes the curves usable for TLS again.
    >> We will continue to recommend the Brainpool curves.
    >> It should also be noted that the arguments for the "modern formulas" have all been refuted by now.
    >> Especially the implementation of Curve25519 requires more effort to protect against SCA;
    >> the deterministic signatures are vulnerable to fault injection.
    >> In the medium term, however, the switch to post-quantum cryptography is necessary;
    >> there are comprehensive recommendations on this at [2]
    > 
    > Now, European banking and health industry still do rely heavily on brainpool curves.
    > Given all these facts, I hereby request to undo the deprecation of brainpool EC in OpenJDK.
    > 
    > Please let me know what led to the assumption that brainpool ciphers were deprecated.
    > Neither NIST nor BSI seems to be the source. Given all the facts, it should still be included.

    The word "deprecated" may have been the wrong word to use when referring
    to the brainpool curves, although I will note that the IANA registry
    still lists them as not recommended for TLS [1].

    We don't have any issues with the brainpool curves as we do for
    some of the other legacy curves. But, these curves were implemented in
    native C code and we changed the structure of the JDK EC implementation
    such that all curves that were implemented in C were removed. The
    remaining curves that we do support are implemented in Java and use
    modern techniques and complete formulas.

    It has not been a priority for us to re-implement brainpool. And with
    recently added support for EdDSA and the future with PQC, it's not
    likely we will circle back to them.

    We are ok with a contribution, but they would need to be done using
    the current design structure and using complete formulas.

    --Sean

    [1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

    > 
    > References:
    > 
    > [1]: https://bugs.openjdk.org/browse/JDK-8234924
    > [2]: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Quantentechnologien-und-Post-Quanten-Kryptografie/quantentechnologien-und-post-quanten-kryptografie_node.html
    > 
    > Mit freundlichen Grüßen
    > 
    > Benjamin Marwell
    > 
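An added check, not part of this thread or of the JDK itself: it probes whether the running JDK can still generate brainpoolP512r1 keys (the failure mode Ben describes for certificate validation and keystores), and scans DER bytes for the RFC 5639 brainpool curve OIDs so that affected certificates and keystores can be inventoried before a JDK upgrade. The embedded SubjectPublicKeyInfo AlgorithmIdentifier is a constructed sample; the optional keystore path and password arguments are an assumed command-line convention.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import java.util.Enumeration;

public class BrainpoolInventory {
    // DER body of the RFC 5639 curve arc 1.3.36.3.3.2.8.1.1; the byte that follows
    // selects the curve (7 = P256r1, 11 = P384r1, 13 = P512r1, ...).
    private static final byte[] BRAINPOOL_ARC = {0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01};

    // Maps the final OID arc (1..14) to the RFC 5639 curve name, odd = r1, even = t1.
    static String curveName(int arc) {
        int[] sizes = {160, 192, 224, 256, 320, 384, 512};
        if (arc < 1 || arc > 14) return null;
        return "brainpoolP" + sizes[(arc - 1) / 2] + (arc % 2 == 1 ? "r1" : "t1");
    }

    // Returns the brainpool curve named anywhere in a DER blob (certificate, SPKI), else null.
    static String findBrainpoolCurve(byte[] der) {
        int n = BRAINPOOL_ARC.length;
        for (int i = 2; i + n < der.length; i++) {
            // OID tag 0x06 with length 9 must precede the arc bytes.
            if (der[i - 2] == 0x06 && der[i - 1] == 0x09
                    && Arrays.equals(der, i, i + n, BRAINPOOL_ARC, 0, n)) {
                return curveName(der[i + n]);
            }
        }
        return null;
    }

    // True if the runtime's EC provider still accepts the named curve (JDK 16+ rejects brainpool).
    static boolean runtimeSupports(String curve) {
        try {
            KeyPairGenerator.getInstance("EC").initialize(new ECGenParameterSpec(curve));
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("brainpoolP512r1 key generation: " + (runtimeSupports("brainpoolP512r1") ? "supported" : "NOT supported"));
        // Constructed sample: AlgorithmIdentifier { id-ecPublicKey, namedCurve brainpoolP512r1 }.
        byte[] sample = {0x30, 0x14, 0x06, 0x07, 0x2A, (byte) 0x86, 0x48, (byte) 0xCE, 0x3D, 0x02, 0x01,
                         0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0D};
        System.out.println("constructed sample uses: " + findBrainpoolCurve(sample));
        if (args.length == 2) { // assumed usage: <keystore path> <password>; load failure itself is a finding
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                String alias = e.nextElement();
                Certificate cert = ks.getCertificate(alias);
                if (cert != null) System.out.println(alias + ": " + findBrainpoolCurve(cert.getEncoded()));
            }
        }
    }
}
```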