The security considerations of [RFC 8446
] apply accordingly.
The confidentiality, authenticity, and integrity of the TLS communication is limited by the weakest cryptographic primitive applied. In order to achieve a maximum security level when using one of the elliptic curves from Table 1
for key exchange and/or one of the signature algorithms from Table 2
for authentication in TLS, parameters of other deployed cryptographic schemes should be chosen at commensurate strengths, for example, according to the recommendations of [NIST800-57
] and [RFC 5639
]. In particular, this applies to (a) the key derivation function, (b) the algorithms and key length of symmetric encryption and message authentication, and (c) the algorithm, bit length, and hash function for signature generation. Furthermore, the private Diffie-Hellman keys should be generated from a random keystream with a length equal to the length of the order of the group E(GF(p)) defined in [RFC 5639
]. The value of the private Diffie-Hellman keys should be less than the order of the group E(GF(p)).
When using ECDHE key agreement with the curves brainpoolP256r1tls13, brainpoolP384r1tls13, or brainpoolP512r1tls13, the peers MUST
validate each other's public value Q by ensuring that the point is a valid point on the elliptic curve. If this check is not conducted, an attacker can force the key exchange into a small subgroup, and the resulting shared secret can be guessed with significantly less effort.
Implementations of elliptic curve cryptography for TLS may be susceptible to side-channel attacks. Particular care should be taken for implementations that internally transform curve points to points on the corresponding "twisted curve", using the map (x',y') = (x*Z^2, y*Z^3) with the coefficient Z specified for that curve in [RFC 5639
], in order to take advantage of an efficient arithmetic based on the twisted curve's special parameters (A = -3). Although the twisted curve itself offers the same level of security as the corresponding random curve (through mathematical equivalence), arithmetic based on small curve parameters may be harder to protect against side-channel attacks. General guidance on resistance of elliptic curve cryptography implementations against side-channel attacks is given in [BSI1
] and [HMV