EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Brainpool P256 R1 in SBB TLS ?

Posted: 12/05/2014 05:33:49
by Octavian Enache (Basic support level)
Joined: 12/05/2014
Posts: 3


I am working on a project related to information security in the energy sector ( smart metering networks, more specifically ). I am trying out some features of the TLS client of the SecureBlackBox,as it seems to be a mature and well-maintained product.

I am currently testing TLS 1.2 communication and features with the test-client. So far so good but it is possible that some endpoints in the systems will require support for BrainpoolP256R1 curves for the TLS communication and I am wondering if this is supported in SecureBlackBox as of now , or if there is some way to integrate this type of curve ?

I have fiddled around with the configuration of the SecureClient from the demo solutions provided with the trial version of SBB, but I am unable to find this curve specification and how to enable it. Searching the forums and knowledgebase for this specific curve has also yielded no results ...

I would also like to mention I am using the .NET version .

Thank you very much for your time!

Octavian Enache
Msc 16 CSE Jacobs University Bremen
Werkstudent BTC-AG Oldenburg
Posted: 12/05/2014 05:45:55
by Eugene Mayevski (Team)

SSL/TLS defines so-called ciphersuites that include certain combination of algorithms. Is Brainpool a part of some ciphersuite?

Sincerely yours
Eugene Mayevski
Posted: 12/05/2014 06:06:16
by Octavian Enache (Basic support level)
Joined: 12/05/2014
Posts: 3

Hello and thank you for your reply -

I am unsure if brainpool is part of a cipher suite itself, but the same standard that these devices follow defines a "minimum" list of cipher suites which must be enabled and this is actually just the TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 , along with EC-parameters NIST P-256 ( SECP256) and brainpoolp256R1 .

I believe this cipher suite is available in SBB,and I have enabled it on my client like so:

secureClient.set_CipherSuites(SBSSLConstants.Unit.SB_SUITE_ECDHE_ECDSA_AES128_SHA256, true);

I have also enabled the GCM version and some other cipher suites as they are part of the "extended" recommendations list of the standard I am following.

Brainpool curves are first mentioned in RFC 5639 ,if this is any help, and they are under the NamedCurve namespace . The BP256R1 curve has hash functions SHA256,SHA384 and SHA512 .

Later edit:
IANA numbers for the EC Named Curves registry of TLS params has value 26 for brainPoolP256R1 . Perhaps this is useful information as well ...
Posted: 12/05/2014 06:41:35
by Ken Ivanov (Team)

Hi Octavian,

The set of Brainpool curves is currently not supported in SecureBlackbox, sorry. Yet we do have the corresponding entry featured in our to do list and I hope we will manage to offer support for the brainpool curves somewhere within SecureBlackbox 13 lifeline.

In fact, our experience shows that TLS servers rarely restrict themselves with support for a single type of key exchange or signature algorithm or EC curve type, in order to provide maximal compatibility. So it is very unlikely that you will ever come across a server that only supports brainpool curves and does not support any other (SECP or SECT) curve types.

Posted: 12/05/2014 06:49:24
by Octavian Enache (Basic support level)
Joined: 12/05/2014
Posts: 3

Hello ,

Thank you for your answer !

Indeed, the "fallback" is SECP256 ,for which I believe there is no problem with support .

Best regards,
Posted: 12/05/2014 07:02:28
by Ken Ivanov (Team)

That's right, SECP256 is fully supported.





Topic viewed 969 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!