ECDSA curve used in new protocol has suspicious seed value

Markus Teufelberger markusteufelberger at gmail.com
Sat Sep 14 04:53:15 CEST 2013


Hi there,

As I'm sure you are aware, there are suspicions (as usual) against the NSA
potentially weakening crypto around the globe. This time it is about a
cipher that is/will be used in the new tinc protocol: ECDSA.

According to
https://github.com/gsliepen/tinc/blob/1.1/src/openssl/ecdsagen.c you use
the secp521r1 curve, which is derived (according to
http://www.secg.org/collateral/sec2_final.pdf - page 18) from the seed
value "D09E8800 291CB853 96CC6717 393284AA A0DA64BA". There is suspicion
around that this seed value might weaken an ECDSA curve (as it is not
explained where it actually comes from and how/why it was selected) to an
attack not yet known to the public, chosen potentially by brute force to
make this attack easier.

Unfortunately, there is no alternative curve defined for these key sizes in
Fp, as far as I'm aware (for 256 bits, one could use secp256k1 for example,
which does not use an unexplained seed value), so this is mainly a heads-up
and maybe a request to change to any widely accepted curve that might
emerge in the future for that key size.

I don't know enough about ECDSA to give any more input than: The next
largest Koblitz-curve would be sect571k which still has 256 bit strength,
maybe it would be possible to use this one. I'll let people more intimate
with crypto in general, openssl in particular and tinc sort this out
though, since it uses a different finite field (F2^m).

Stay safe and thank you for tinc,
Markus
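
What "derived from the seed" means in practice, as an added example that is not part of the original message or of tinc's code: the ANSI X9.62 / FIPS 186 verification expands the 160-bit seed with SHA-1 into an integer c and checks b^2 * c = -27 (mod p). The seed is the one quoted in the message; the value of b is the published secp521r1 parameter, which the message does not quote, and the function names are illustrative.

```python
import hashlib

# Seed exactly as quoted in the message (SEC 2, secp521r1).
SEED_HEX = "D09E8800 291CB853 96CC6717 393284AA A0DA64BA".replace(" ", "")

# Published secp521r1 parameters (SEC 2 / FIPS 186); not quoted on this page.
P = 2**521 - 1
B = int((
    "0051 953EB961 8E1C9A1F 929A21A0 B68540EE A2DA725B 99B315F3 "
    "B8B48991 8EF109E1 56193951 EC7E937B 1652C0BD 3BB1BF07 3573DF88 "
    "3D2C34F1 EF451FD4 6B503F00").replace(" ", ""), 16)


def sha1_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def derive_c(seed: bytes, p_bits: int) -> int:
    """Expand a 160-bit seed into c = h0 || h1 || ... || hv using SHA-1."""
    v = (p_bits - 1) // 160          # number of full 160-bit blocks
    w = p_bits - 160 * v - 1         # bits kept from the first hash
    c = sha1_int(seed) & ((1 << w) - 1)
    z = int.from_bytes(seed, "big")
    for i in range(1, v + 1):
        s_i = ((z + i) % 2**160).to_bytes(20, "big")
        c = (c << 160) | sha1_int(s_i)
    return c


def seed_matches_curve(seed_hex: str, p: int, b: int) -> bool:
    """True if b is consistent with the seed for a curve with a = -3."""
    c = derive_c(bytes.fromhex(seed_hex), p.bit_length())
    return (b * b * c + 27) % p == 0


if __name__ == "__main__":
    print("published seed reproduces b:", seed_matches_curve(SEED_HEX, P, B))
    # Constructed counter-example: same seed with the last hex digit changed.
    altered = SEED_HEX[:-1] + "B"
    print("altered seed reproduces b:  ", seed_matches_curve(altered, P, B))
```

A passing check shows only that b follows from the seed through SHA-1; it says nothing about how the seed itself was chosen, which is the concern raised in the message.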