HOWTO: Elliptic Curve Cryptography support in Rebex SSH and Rebex TLS/SSL

Introduction

Elliptic Curve Cryptography (ECC) is an attractive alternative to classic public-key algorithms based on modular exponentiation. Compared to algorithms such as RSA, DSA or Diffie-Hellman, elliptic curve cryptography offers equivalent security with smaller key sizes.

Unfortunately, built-in support for ECC algorithms in Microsoft Windows and .NET Framework is very limited. Before Windows 10, it only supported Elliptic Curve DSA (ECDSA) and Elliptic Curve Diffie-Hellman (ECDH) based on the NIST P-256, P-384 and P-521 curves. Additionally, the MS CNG API is rather limited, and its implementation of Elliptic Curve Diffie-Hellman is not quite suitable for SSH due to lack of support for compatible shared secret padding methods. On top of this, there is a bug in the MS CNG implementation of ECDH related to handling of shared secret padding, which can occasionally lead to TLS/SSL negotiation failures.

Supported algorithms

Due to the limitations mentioned above, Rebex components only support some algorithms out of the box, and only on some platforms. However, additional algorithms can easily be enabled using an external plugin. The following table lists both the natively supported algorithms and those that require a plugin:

Protocol: TLS/SSL (client side and server side)
Components:
    Rebex FTP/SSL
    Rebex IMAP (part of Rebex Secure Mail)
    Rebex EWS (part of Rebex Secure Mail)
    Rebex POP3 (part of Rebex Secure Mail)
    Rebex SMTP (part of Rebex Secure Mail)
    Rebex Telnet/SSL (part of Terminal Emulation)
Supported elliptic curve algorithms:
    Built-in support:
        ECDSA with NIST P-256/P-384/P-521 curves - on Windows Vista (or higher), or Windows Embedded Compact 2013
        ECDSA with Brainpool P-256 R1, P-384 R1 and P-512 R1 curves - on Windows 10 and Windows Server 2016 (or higher)
        ECDH with NIST P-256/P-384/P-521 curves in TLS 1.2 - on Windows 7 (or higher), on Windows Server 2008 R2 (or higher), on Windows Embedded Compact 2013
        ECDH with NIST P-256/P-384/P-521 curves in TLS 1.1 and 1.0 - on Windows Vista (or higher), on Windows Server 2008 R1 (or higher), on Windows Embedded Compact 2013
        ECDH with Brainpool P-256 R1, P-384 R1 and P-512 R1 curves - on Windows 10 and Windows Server 2016 (or higher)
    With external plugins:
        ECDSA with NIST P-256/P-384/P-521 curves - on all platforms
        ECDH with NIST P-256/P-384/P-521 curves in TLS 1.x - on all platforms
        ECDH with Brainpool P-256 R1, P-384 R1 and P-512 R1 curves in TLS 1.x - on all platforms
        ECDH with Curve25519 in TLS 1.x - on all platforms

Protocol: SSH (client side)
Components:
    Rebex SFTP
    Rebex SCP (part of Rebex SFTP)
    Rebex SSH Shell (part of Terminal Emulation)
Supported elliptic curve algorithms:
    Built-in support:
        ECDSA with NIST P-256/P-384/P-521 curves - on Windows Vista (or higher), on Windows Embedded Compact 2013
        ECDH with NIST P-256/P-384/P-521 curves - on Windows Vista (or higher), on Windows Embedded Compact 2013
        (Note: Due to incompatible ECDH shared secret padding handling in MS CNG, negotiation failures may occasionally occur; they are worked around automatically.)
    With external plugins:
        ECDSA with NIST P-256/P-384/P-521 curves - on all platforms
        ECDH with NIST P-256/P-384/P-521 curves - on all platforms
        ECDH with Curve25519 - on all platforms

Protocol: SSH (server side)
Components:
    Rebex File Server
Supported elliptic curve algorithms:
    Built-in support:
        ECDSA with NIST P-256/P-384/P-521 curves - on Windows Vista (or higher), on Windows Embedded Compact 2013
        (Note: ECDH is not supported due to incompatible shared secret padding handling in MS CNG.)
    With external plugins:
        ECDSA with NIST P-256/P-384/P-521 curves - on all platforms
        EdDSA with the Ed25519 curve - on all platforms except .NET CF
        ECDH with NIST P-256/P-384/P-521 curves - on all platforms
        ECDH with Curve25519 - on all platforms

Enabling external ECC plugins

To make it simple to enable ECC support in Rebex components, we provide a set of plugins based on various open-source libraries. For more information, licensing details and supported platforms, visit Simple Elliptic Curve Libraries on Rebex Labs.

The compiled plugins are available for download: RebexEllipticCurvePlugins.zip

To register and enable these plugins, reference the DLLs from the ZIP file that match your platform and add the following code (it must run before the first TLS/SSL or SSH negotiation, so that the algorithms are available when they are needed):

C#

using Rebex.Security.Cryptography;
...

// import NIST and Brainpool curves
AsymmetricKeyAlgorithm.Register(EllipticCurveAlgorithm.Create);

// import Curve25519
AsymmetricKeyAlgorithm.Register(Curve25519.Create);

// import Ed25519
AsymmetricKeyAlgorithm.Register(Ed25519.Create);

VB.NET

Imports Rebex.Security.Cryptography
...

' import NIST and Brainpool curves
AsymmetricKeyAlgorithm.Register(AddressOf EllipticCurveAlgorithm.Create)

' import Curve25519
AsymmetricKeyAlgorithm.Register(AddressOf Curve25519.Create)

' import Ed25519
AsymmetricKeyAlgorithm.Register(AddressOf Ed25519.Create)

The source code is available here: https://github.com/rebexnet/elliptic.
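The following is an added example of how the registration above can be wired into an application's startup, not code from Rebex or from the elliptic repository. It assumes the three plugin calls shown on this page, an application that references a Rebex SSH component (the Rebex.Net.Sftp client with its Connect/Login/Disconnect calls is used here), and a placeholder host name and credentials. The EccPlugins class and its method names are hypothetical. The point it adds is twofold: registration runs exactly once, before the first client is created, and a missing plugin DLL is turned into a hard error at startup instead of a later negotiation that silently falls back to whatever the platform offers. The registration calls are kept in a separate non-inlined method because the CLR loads the plugin assembly when it JIT-compiles the method that references its types; if the calls sat directly inside the try block, the load failure would be raised before the try was entered and could not be caught there.

```csharp
using System;
using System.IO;
using System.Runtime.CompilerServices;
using Rebex.Net;                     // Sftp client
using Rebex.Security.Cryptography;   // plugin entry points shown on this page

// Hypothetical helper; EccPlugins is not a Rebex type.
public static class EccPlugins
{
    private static readonly object Gate = new object();
    private static bool _registered;

    // Registers the plugin algorithm families once per process.
    // Call before the first Rebex client object is created.
    public static void EnsureRegistered()
    {
        lock (Gate)
        {
            if (_registered)
            {
                return;
            }
            try
            {
                RegisterAll();
            }
            catch (FileNotFoundException ex)
            {
                // The plugin DLL for this platform is not deployed next to the
                // application: fail closed rather than continue without ECC.
                throw new InvalidOperationException(
                    "Rebex ECC plugin assembly could not be loaded: " + ex.FileName, ex);
            }
            _registered = true;
        }
    }

    // Kept separate and non-inlined so that the assembly load triggered by
    // JIT-compiling these references happens inside the caller's try block.
    [MethodImpl(MethodImplOptions.NoInlining)]
    private static void RegisterAll()
    {
        AsymmetricKeyAlgorithm.Register(EllipticCurveAlgorithm.Create); // NIST and Brainpool curves
        AsymmetricKeyAlgorithm.Register(Curve25519.Create);             // Curve25519 ECDH
        AsymmetricKeyAlgorithm.Register(Ed25519.Create);                // Ed25519 EdDSA
    }
}

public static class Program
{
    public static void Main()
    {
        // Must precede any TLS/SSL or SSH negotiation.
        EccPlugins.EnsureRegistered();

        // Placeholder server and credentials (constructed for this example).
        using (var client = new Sftp())
        {
            client.Connect("sftp.example.invalid");
            client.Login("username", "password");
            Console.WriteLine("Connected with ECC algorithms available for negotiation.");
            client.Disconnect();
        }
    }
}
```

In a service that creates many clients from several threads, the lock makes the first caller perform the registration while the others wait for it, so no client can start a negotiation in a half-registered state.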