HOWTO: Elliptic Curve Cryptography support in Rebex SSH and Rebex TLS/SSL
Introduction
Elliptic Curve Cryptography (ECC) is an attractive alternative to classic public-key algorithms based on modular exponentiation. Compared to algorithms such as RSA, DSA or Diffie-Hellman, elliptic curve cryptography offers equivalent security with considerably smaller key sizes.
Until recently, built-in support for ECC algorithms in Microsoft Windows and the .NET Framework was limited. Before Windows 10, the OS only supported Elliptic Curve DSA (ECDSA) and Elliptic Curve Diffie-Hellman (ECDH) on the NIST P-256, P-384 and P-521 curves. Additionally, the ECDH implementation in the MS CNG API was not usable for SSH key exchange, because it did not support the shared secret padding mode that SSH requires.
Supported algorithms
Because of these limitations, Rebex libraries do not support every ECC algorithm out-of-the-box on every platform. However, algorithms not provided by the OS or .NET can be enabled with an external plugin. The following table lists, for each protocol, both the natively supported algorithms and those that require a plugin:
Libraries covered by each protocol:

- TLS/SSL (client side and server side): Rebex HTTPS, Rebex FTP, Rebex WebSocket, Rebex IMAP, Rebex POP3, Rebex SMTP, Rebex EWS, Rebex Graph, Rebex Telnet/SSL (part of Rebex SSH Shell)
- SSH: Rebex SFTP, Rebex SCP (part of Rebex SFTP), Rebex SSH Shell, Rebex File Server

Supported elliptic curve algorithms:

Protocol | Support | Algorithm | Platforms
---|---|---|---
TLS/SSL | Built-in | ECDSA with NIST P-256/P-384/P-521 curves | Windows Vista or higher; Windows Embedded Compact 2013; Linux (via .NET 5 or higher)
TLS/SSL | Built-in | ECDSA with Brainpool P-256 R1, P-384 R1 and P-512 R1 curves | Windows 10/11 and Windows Server 2016 or higher; Linux (via .NET 5 or higher, when available)
TLS/SSL | Built-in | ECDH with NIST P-256/P-384/P-521 curves in TLS 1.2 | Windows 7 or higher; Windows Server 2008 R2 or higher; Linux (via .NET 5 or higher)
TLS/SSL | Built-in | ECDH with NIST P-256/P-384/P-521 curves in TLS 1.3, 1.1 and 1.0 | Windows Vista or higher; Windows Server 2008 R1 or higher; Windows Embedded Compact 2013; Linux (via .NET 5 or higher)
TLS/SSL | Built-in | ECDH with Brainpool P-256 R1, P-384 R1 and P-512 R1 curves | Windows 10/11 and Windows Server 2016 or higher; Linux (via .NET 5 or higher, when available)
TLS/SSL | Built-in | ECDH with Curve25519 | Windows 10/11 and Windows Server 2016 or higher
TLS/SSL | External plugin | ECDSA with NIST P-256/P-384/P-521 curves | All platforms
TLS/SSL | External plugin | ECDH with NIST P-256/P-384/P-521 curves | All platforms
TLS/SSL | External plugin | ECDH with Brainpool P-256 R1, P-384 R1 and P-512 R1 curves | All platforms
TLS/SSL | External plugin | ECDH with Curve25519 | All platforms
SSH | Built-in | ECDSA with NIST P-256/P-384/P-521 curves | Windows Vista or higher; Windows Embedded Compact 2013; Linux (via .NET 5 or higher)
SSH | Built-in | EdDSA with Ed25519 curve | All platforms
SSH | Built-in | ECDH with NIST P-256/P-384/P-521 curves | Windows 10/11 and Windows Server 2016 or higher; Linux (via .NET 5 or higher)
SSH | Built-in | ECDH with Curve25519 | Windows 10/11 and Windows Server 2016 or higher
SSH | External plugin | ECDSA with NIST P-256/P-384/P-521 curves | All platforms
SSH | External plugin | ECDH with NIST P-256/P-384/P-521 curves | All platforms
SSH | External plugin | ECDH with Curve25519 | All platforms

Note: built-in ECDH for SSH is not available on Windows 8.1 or earlier, because the way MS CNG handles shared secret padding is incompatible with SSH key exchange. On those systems, use an external plugin.
Enabling external ECC plugins
To make it simple to enable ECC support in Rebex libraries, we provide a set of plugins based on various open-source libraries. For more information, licensing details and supported platforms, visit the Simple Elliptic Curve Libraries page.
The compiled plugins are available for download: RebexEllipticCurvePlugins.zip
To register and enable these plugins, reference the DLLs for your platform from the ZIP file and add the following code. It must run before any algorithm from the plugins is used, so place it at application startup:
C#

```csharp
using Rebex.Security.Cryptography;
// ...
// register NIST and Brainpool curves
AsymmetricKeyAlgorithm.Register(EllipticCurveAlgorithm.Create);
// register Curve25519
AsymmetricKeyAlgorithm.Register(Curve25519.Create);
// register Ed25519
AsymmetricKeyAlgorithm.Register(Ed25519.Create);
```
VB.NET

```vbnet
Imports Rebex.Security.Cryptography
' ...
' register NIST and Brainpool curves
AsymmetricKeyAlgorithm.Register(AddressOf EllipticCurveAlgorithm.Create)
' register Curve25519
AsymmetricKeyAlgorithm.Register(AddressOf Curve25519.Create)
' register Ed25519
AsymmetricKeyAlgorithm.Register(AddressOf Ed25519.Create)
```
The plugin source code is available at https://github.com/rebexnet/elliptic.