Elliptic-Curve Cryptography for Solaris [PSARC/2007/446 Self Review]

Krishna Yenduri bhargava.yenduri at sun.com
Thu Aug 2 10:34:03 PDT 2007 

Mark,

 This looks good. I have a couple of comments below ...

> 2. Project Summary
>    2.1. Project Description:
> 	This project will add Elliptic-Curve Cryptography (ECC) to the
> 	Solaris Encryption Framework. ECC will be available to kernel
> 	and user-level consumers.
>   

 One potential kernel consumer is kernel SSL since TLS can use ECC cipher
 suites.

>    3.6. How will you know when you are done?:
> 	When we can use pkcs11 on Apache for ECC.
>   

 Does this mean this project will modify OpenSSL PKCS #11 engine to
 add the support for ECC mechanisms? You might want to test with Sun Java
 System web server too.

> 4. Technical Description:
>     4.1. Details:
> 	The Solaris Crypto Framework has loadable software modules that
> 	provides cryptographic algorithms for kernel consumers. These offer
> 	algorithms such as AES and RSA. The framework also has a softtoken
> 	library that implements algorithms for user-level consumers. This
> 	project introduces a new module offering ECC. It also adds ECC to
> 	the softtoken library.
>
> 	The low-level implemention of ECC that we will use was originally
> 	developed by Sun Labs and subsequently given to NSS. Legal approval
> 	to use this code under Mozilla Public License v. 1.1 has been
> 	obtained.
>
> 	Supported PKCS#11 mechanisms are: CKM_EC_KEY_PAIR_GEN, CKM_ECDSA,
> 	CKM_ECDSA_SHA1, and CKM_ECDH1_DERIVE.

 I assume this list is for the softtoken library. What mechanisms will 
the kernel
 ecc software provider support?

Thanks,
-Krishna


> NSS implements 51 ECC curves,
> 	all of which will be supported. They are:
>
> 	secp112r1,  secp112r2,  secp128r1,  secp128r2,  secp160k1,  secp160r1,
> 	secp160r2,  secp192k1,  secp224k1,  secp224r1,  secp256k1,  secp384r1,
> 	secp521r1,  sect113r1,  sect113r2,  sect131r1,  sect131r2,  sect163k1,
> 	sect163r1,  sect163r2,  sect193r1,  sect193r2,  sect233k1,  sect233r1,
> 	sect239k1,  sect283k1,  sect283r1,  sect409k1,  sect409r1,  sect571k1,
> 	sect571r1,  c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,
> 	c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,
> 	c2pnb272w1, c2pnb304w1, c2tnb359v1, c2pnb368w1, c2tnb431r1, prime192v1,
> 	prime192v2, prime192v3, prime256v1
>
>     4.2. Bug/RFE Number(s):
> 	5066901 Offer the PKCS#11 Elliptic Curve based mechanisms in Solaris
> 	6562402 kernel software provider for Elliptic Curve mechanisms 
>     
>     4.3. In Scope:
>
>     4.4. Out of Scope:
>     
>     4.5. Interfaces:
> 	Changes to softtoken will not affect the interface to softtoken.
> 	The only visible change will be four new PKCS#11 mechanisms that
> 	are visible when the capabilities of the softtoken are queried.
> 	The loadable module will introduce the following:
> 	/kernel/crypto/ecc
> 	/kernel/crypto/amd64/ecc
> 	/kernel/crypto/sparcv9/ecc
>
>

More information about the opensolaris-arc mailing list