Ecdsa Keygen

0 views
Skip to first unread message

Young Vadlapatla

unread,
Aug 4, 2024, 9:40:16 PM8/4/24
to bahspectuci
Weoften see replies here about how someone is running an old version of Certbot, which many times is the latest version packaged for the host OS distribution. While I am not crazy about the somewhat recent trend of containerized applications, I understand it. It doesn't make me any more likely to install snapd on my servers, so I am glad the PIP method exists.

At some point I thought I bookmarked a reply that had a succinct PIP guide, possibly from @bruce5051, but I could mistaken since I am not finding such a bookmark in my profile. No matter, as I used the official Certbot PIP instructions to much success. I first removed my Debian provided Certbot, and I successfully tested my renewal with a dry-run. I also added an /etc/cron.d/certbot file containing both the recommended renewal command as well as monthly upgrade job.


The motivation for this post is to share the one thing that was unexpected after switching from the Debian packaged Certbot 1.12.0-2 for Bullseye to the PIP version 2.4.0. This Certbot instance runs to provide an RSA certificate for an MTA that has a commercial ECDSA certificate which some Proofpoint Essentials servers do not handle correctly. When the new PIP Certbot renewed the existing RSA key and certificate pair yesterday, it elected to obtain an ECDSA certificate instead.


The renewal file in etc/letsencrypt/renewal contained both rsa_key_size = 4096 and key_type = ecdsa. A certbot renew --key-type ecdsa --cert-name example.com --force-renewal as indicated in the current Certbot documentation worked as expected. An RSA key and certificate are now in place again, and the renewal file contains key_type = rsa as if it had been there all along.


I obviously don't require any assistance, but I did want to share my experience, since it may be relevant in certain narrow cases where one is moving from a distribution provided Certbot to the PIP version.


I definitely have an ECDSA key in the archive folder that was created at the time the renewal ran yesterday afternoon. All the previous keys were RSA 4096, as is the subsequent one that was generated when I reconfigured the key type today.


I realize this already been corroborated, but since I mentioned that I would examine a prior version of the renewal config file from a backup, I wanted to share my finding. The older file lacks the key_type = rsa declaration.


Already remove keys but not succeed (stop ssh then restart ssh again) then uninstall then install open ssh again but still not succeed. known_hosts both user and root is emty but connection is not still possible.(ecdsa-sha2-nistp256 host key mismatch for 192.168.4.61 !)


Hi,there.FIRST OF ALL,thanks Ron Eldor for answer my questions via Email.For wider share, I post my last question and his review below.

image1182420 26.5 KB

image1063262 12.1 KB

Now I can run the ECDSA signature on STM32F429 successfully.

Today my problem is that how I can set my private key unchangeable? As far as I concered, the dafault setting is to make the key pair CHANGED everytime. As you can see examples below.BUT I hope my private can be static. Any thoughts?Thanks a lot!






Hi Mengyan,

The example you are showing is from the gen_key sample application, which is an example for generating a key. Once you have a generated key, in a PEM \ DER format, you can store it in a secure location, to be used later for generating the signature.

You can look for example at the ecdsa sample application after the key generation for you to see how to sign a hashed message (you will still need to seed your DRBG function), or at the pk_sign example which uses the pk wrapper for the PK operations.

Regards,

Mbed TLS Team member

Ron


the signature is consisted of the concatenations of r and s , so if you change the input, then the signature should change.

Since you are using deterministic ecdsa, the drbg function that is used in the signature process, is HMAC, with the md parameter for the HMAC in the drbg.

You should check that the input message ( preferably hashed ) in fact changes when you see same signature.

Regards,

Mbed TLS Team member

Ron


When doing ssh -v example.com I can see debug1: Server host key: ecdsa-sha2-nistp256 SHA256:..., but this is not the same as the ssh-rsa key eventually stored in known_hosts after correcting the problem.


One pretty easy way is to use ssh-keyscan. This command will request keys from the remote server. For example if I wanted the rsa, ecdsa, and ed25519 host keys from demo.example.org I might use this command.


Host keys are generally found under /etc/ssh/ on the server you are trying to connect to. The server host key string printed in the verbose output is simply the fingerprint of the server's public key, not the actual key itself.


I'm working on authoring Ethereum transactions using ECDSA with SECP256K1. On the tail end of an Ethereum transaction is the V, R, and S values of signing a hash of the message. V is defined as chainID * 2 + 35 + RecoveryID where chainID is some value unrelated to this question and RecoveryID is somehow extracted from the signing process or signing keys.


I'm working with the mbedtls library to generate private keys, hash with keccak, and sign using the proper curve. However the output of the signature process is just the R and S values. I keep looking around and can't find a reputable source of what the RecoveryID value is and nothing in mbedtls's documentation talks about it.


In this random (poorly documented) library they check if the Y of the public key is odd. In that forum post they say it's the sign of the Y of the public key. I've tried both and for some private keys the V value works and others it fails to properly recover the public key.


During signing, a point is generated (X, Y) called R and a number called S. R's X goes on to become r and S becomes s. In order to generate the Recovery ID you take the one's bit from Y. If S is bigger than half the curve's N parameter you invert that bit. That bit is the Recovery ID. Ethereum goes on to manipulate it to indicate compressed or uncompressed addresses as well as indicate what chain the transaction was signed for (so the transaction can't be replayed on another Ethereum chain that the private key might be present on). These modifications to the Recovery ID become v.


There's also a super rare chance that you need to set the second bit of the recovery id meaning the recovery id could in theory be 0, 1, 2, or 3. But there's a 0.000000000000000000000000000000000000373% of needing to set the second bit according to a question on Bitcoin.SE.


Since the signature only includes the x coordinate of the point R, there are either 0, 1, 2, 3, or 4 matching y coordinates over the Secp256k1 elliptic curve. These four potential candidates are encoded in something called recovery_id.


There may be another method to determine the Recovery ID(rec_id). Since the Recovery ID can only have 4 possible values(0/1/2/3), if you already have the message to sign, public key, and signature, you can try each Recovery ID value and determine which one yields the correct public key value.


There is already an implementation of this function called "ecRecover". For example, in Python, you can use ecdsa_raw_recover from py_ecc library(source code). This function allows you to derive possible public key from the given Recovery ID:


This section describes the status of this document at the time of its publication. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at


The Working Group is actively seeking implementation feedback for thisspecification. In order to exit the Candidate Recommendation phase, theWorking Group has set the requirement of at least two independentimplementations for each mandatory feature in the specification. For detailson the conformance testing process, see the test suites listed in theimplementation report.


Publication as a Candidate Recommendation does not imply endorsement by W3C and its Members. A Candidate Recommendation Draft integrates changes from the previous Candidate Recommendation that the Working Group intends to include in a subsequent Candidate Recommendation Snapshot.


This document was produced by a group operating under the W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.


This specification defines a cryptographic suite for the purpose of creating,and verifying proofs for ECDSA signatures in conformance with theData Integrity [VC-DATA-INTEGRITY] specification. ECDSA signatures arespecified in [FIPS-186-5] with elliptic curves P-256 and P-384 specified in[NIST-SP-800-186]. [FIPS-186-5] includes the deterministic ECDSAalgorithm which is also specified in [RFC6979].


This specification uses either the RDF Dataset Canonicalization Algorithm[RDF-CANON] or the JSON Canonicalization Scheme [RFC8785] to transform theinput document into its canonical form. It uses one of two mechanisms to digestand sign: SHA-256 [RFC6234] as the message digest algorithm and ECDSA withCurve P-256 as the signature algorithm, or SHA-384 [RFC6234] as the messagedigest algorithm and ECDSA with Curve P-384 as the signature algorithm.


A conforming proof is any concrete expression of the data modelthat complies with the normative statements in this specification. Specifically,all relevant normative statements in Sections2. Data Model and 3. Algorithmsof this document MUST be enforced.


A conforming processor is any algorithm realizedas software and/or hardware that generates or consumes aconforming proof. Conforming processors MUST produce errors whennon-conforming documents are consumed.


This document contains examples of JSON and JSON-LD data. Some of these examplesare invalid JSON, as they include features such as inline comments (//)explaining certain portions and ellipses (...) indicating the omission ofinformation that is irrelevant to the example. Such parts need to beremoved if implementers want to treat the examples as valid JSON or JSON-LD.

3a8082e126
Reply all
Reply to author
Forward
0 new messages