minimum length for EC keys?

Issue #683 resolved
Brian Campbell created an issue

In Sec 5.4. Cryptography and Secrets of the FAPI 2.0 Security Profile it says:

Elliptic curve keys shall have a minimum length of 160 bits

Why 160 bits? The text above for JWTs has “ES256, or EdDSA (using the Ed25519 subtype)” which are 256 bit. So JWT EC usage is already required to be more bits. Is this for TLS? Or something else/more? And shouldn’t it match up to the strength of the minimum RSA key length? Which AFAIK would be 224 for EC to be of similar bit strength to RSA 2048 that the internet tells me provides 112 bits of security. Also AFAIK a 160 bit EC key provides like 80 bits of security, which is probably not sufficient at all. IANAC but from what I understand, a minimum of 3072 for RSA and 256 for EC would seem more appropriate.

It’d be great, if someone out there in FAPI land could explain this (maybe I’m just misunderstanding!). And/or maybe the 160 bit number needs to be changed?

Comments (11)

  1. Dave Tonge

    We discussed - the 160 bits is from FAPI1 and we’re not sure where the source before that was.

    Those on the call today agreed with 224 for EC.

    However it would be good to get more feedback on whether we should move to 3072/256

  2. Joseph Heenan

    Just so we remember where these numbers came from, moving to at least a 224 minimum as agreed on the call was based on the TLS BCP, https://www.rfc-editor.org/rfc/rfc9325.html which says:

    With regard to ECDH keys, implementers are referred to the IANA "TLS Supported Groups" registry (formerly known as the "EC Named Curve Registry") within the "Transport Layer Security (TLS) Parameters" registry [IANA_TLS] and in particular to the "recommended" groups. Curves of less than 224 bits MUST NOT be used. This recommendation is in line with the latest revision of [NIST.SP.800-56A].
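To make the comparison in this thread concrete, the following is an added example (not code from the issue, the FAPI working group, or the specification): it reads RSA, EC and OKP JWKs, derives the key length, estimates security strength using the NIST SP 800-57 equivalences (EC ≈ half the field size; RSA 2048 ≈ 112, RSA 3072 ≈ 128) and applies a configurable minimum such as the 224-bit EC floor discussed above. The sample keys, the `CURVE_BITS` table and the function names are constructed for illustration.

```python
import base64

# Security strength (bits) per NIST SP 800-57 Part 1 for tabulated RSA sizes.
RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}
# JWK "crv" name -> field size in bits for the curves in common use.
CURVE_BITS = {"P-256": 256, "P-384": 384, "P-521": 521, "secp256k1": 256,
              "Ed25519": 256, "Ed448": 448}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def ec_strength(bits: int) -> int:
    # An f-bit curve gives roughly f/2 bits of strength: 160 -> 80, 224 -> 112.
    return bits // 2

def rsa_strength(bits: int) -> int:
    # Use the largest tabulated modulus size not exceeding the actual size.
    eligible = [k for k in RSA_STRENGTH if k <= bits]
    return RSA_STRENGTH[max(eligible)] if eligible else 0

def key_bits(jwk: dict) -> int:
    """Key length in bits: RSA modulus length, or curve field size for EC/OKP."""
    kty = jwk["kty"]
    if kty == "RSA":
        return int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()
    if kty in ("EC", "OKP"):
        return CURVE_BITS[jwk["crv"]]
    raise ValueError(f"unsupported kty {kty}")

def check_policy(jwk: dict, min_rsa: int = 2048, min_ec: int = 224) -> dict:
    """Apply minimum key lengths (defaults follow the 2048/224 proposal)."""
    bits = key_bits(jwk)
    is_rsa = jwk["kty"] == "RSA"
    strength = rsa_strength(bits) if is_rsa else ec_strength(bits)
    return {"bits": bits, "strength": strength,
            "ok": bits >= (min_rsa if is_rsa else min_ec)}

# Constructed sample keys (not real key material): a 2048-bit RSA modulus
# built from an arbitrary odd number, plus EC/OKP keys identified by curve.
_n = b64url_encode(((1 << 2047) | 0x10001).to_bytes(256, "big"))
SAMPLE_KEYS = {
    "rsa2048": {"kty": "RSA", "n": _n, "e": "AQAB"},
    "p256": {"kty": "EC", "crv": "P-256"},
    "ed25519": {"kty": "OKP", "crv": "Ed25519"},
}

if __name__ == "__main__":
    for name, jwk in SAMPLE_KEYS.items():
        print(name, check_policy(jwk))
```

Running it with `min_rsa=3072, min_ec=256` shows how the stricter alternative raised in the issue would reject the 2048-bit RSA key while still accepting P-256 and Ed25519.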