Elliptic Curve. Elliptic Curve Cryptography (ECC) is a newer alternative to public key cryptography. ECC operates on elliptic curves over finite fields. The main advantage of elliptic curves is their efficiency. They can offer the same level of security for modular arithmetic operations over much smaller prime fields. Mar 10, 2014 Key pair generation in elliptic curve follows the same principles as the other algorithms, the main difference being that, unlike algorithms such as RSA, elliptic curve keys exist only in the context of a particular elliptic curve and require to have curve parameters associated with them to be of any use.

- Key Generation In Elliptic Curve Cryptography
- Elliptic Curve Key Generation
- Elliptic Curve Cryptography Key Generation 2

## Introduction

This document describes the configuration of Next Generation Encryption (NGE) from Cisco Unified Communications Manager (CUCM) 11.0 and later to meet the enhanced security and performance requirements.

## Prerequisites

### Requirements

Cisco recommends that you have knowledge of these topics:

- Cisco CallManager security basics
- Cisco CallManager certificate management

### Components Used

The information in this document is based on Cisco CUCM 11.0, where Elliptic Curve Digital Signature Algorithm (ECDSA) certificates are only supported for CallManager (CallManager-ECDSA).

**Note**: CUCM 11.5 and later supports tomcat-ECDSA certificates as well.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

### Related Products

This document can also be used with these software products and versions that support ECDSA certificates:

- Cisco Unified CM IM and Presence 11.5
- Cisco Unity Connection 11.5

## Background Information

Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. One of the main benefits in comparison with non-ECC cryptography is the same level of security provided by keys of smaller size.

Common Criteria (CC) provides assurance that security features operate correctly within the solution being evaluated. This is achieved through testing and meeting extensive documentation requirements.

It is accepted and supported by 26 countries worldwide via Common Criteria Recognition Arrangement (CCRA).

Cisco Unified Communications Manager Release 11.0 supports Elliptic Curve Digital Signature Algorithm (ECDSA) certificates.

These certificates are stronger than the RSA-based certificates and are required for products that have CC certifications. The US government Commercial Solutions for Classified Systems (CSfC) program requires the CC certification and so, it is included in Cisco Unified Communications Manager Release 11.0 and later.

The ECDSA certificates are available along with the existing RSA certificates in these areas:

- Certificate Management
- Certificate Authority Proxy Function (CAPF)
- Transport Layer Security (TLS) Tracing
- Secure Session Initiation Protocol (SIP) Connections
- Computer Telephony Integration (CTI) Manager
- HTTP
- Entropy

The next sections provide more detailed information on each of these seven areas.

## Certificate Management

### Generate Certificates with Elliptical Curve Encryption

Support for ECC from CUCM 11.0 and later to generate CallManager certificate with Elliptical Curve (EC) encryption:

- The new option
**CallManager-ECDSA**is available as shown in the image. - It requires the host portion of the common name to end in
**–EC**. This prevents having the same common name as the**CallManager**certificate. - In case of Multi Server SAN certificate, this must end in
**–EC-ms**. - Both the self-signed certificate request and the CSR request limit the hash algorithm choices depending on the EC key size.
- For an EC 256 key size the hash algorithm can be SHA256, SHA384, or SHA512. For an EC 384 key size the hash algorithm can be SHA384 or SHA512. For an EC 521 key size the only option is SHA512.
- The default key size is 384 and default hashing algorithm is SHA384, which can be changed. The options available are based on the chosen key size.

### CLI Configuration

A new certificate unit named **CallManager-ECDSA** has been added for the CLI commands

`set cert regen [unit]`

– regenerates self-signed certificate`set cert import own trust [unit]`

– imports CA signed certificate`set csr gen [unit]`

– generates certificate signing request(CSR) for specified uni**t**`set bulk export consolidate import tftp`

– When tftp is the unit name, CallManager-ECDSA certificates get auto-included with CallManager RSA certificates in bulk operations.

### CTL and ITL Files

- Both Certificate Trust List (CTL) and Identify Trust List (ITL) files have
**CallManager-ECDSA**present. - The CallManager-ECDSA certificate have the Function of CCM+TFTP in both the ITL and CTL file.
- You can use the

or**show ctl**

command to view this information as shown in this image:**show itl** - You can use the
**utils ctl update**command to generate the CTL file.

## Certificate Authority Proxy Function

- The Certificate Authority Proxy Function (CAPF) Version 3.0 in CUCM 11 provides support for EC Key Sizes along with RSA.
- The additional CAPF options provided in addition to the existing CAPF fields are Key Order and EC Key Size (bits).
- The existing Key Size (bits) option has been changed to RSA Key Size (bits).
- The Key Order provides support for RSA Only, EC Only and EC Preferred, RSA backup options.
- The EC Key Size provides support for key sizes of 256, 384, and 521 bits.
- The RSA Key Size provides support for 512, 1024, and 2048 bits.
- When Key Order of RSA Only is selected, only RSA Key Size can be selected. When EC only is selected, only EC Key Size can be selected. When EC Preferred, RSA backup is selected, both RSA and EC Key Size can be selected.

**Note**: Currently no Cisco endpoint supports CAPF Version 3, so do not select the EC Only option. However, administrators who want to support ECDSA Locally Significant Certificates (LSCs) later can configure their devices with the EC Preferred RSA Backup option. When the endpoints begin to support CAPF Version 3 for ECDSA LSCs, the administrators need to reinstall their LSC.

Additional CAPF options for Phone, Phone Security Profile, End User, and Application User Pages are shown here:

**Device > Phone > Related Links**

Navigate to **System > Security > Phone security profile**

**User Management > User Settings > Application User CAPF Profile**

Navigate to** User Management > User Settings > End User CAPF Profile.**

## TLS Ciphers Enterprise Parameters

- The Enterprise Parameter TLS Ciphers has been updated to support ECDSA Ciphers.
- The Enterprise Parameter TLS Ciphers now sets the TLS Ciphers for SIP Line, SIP Trunk, and Secure CTI Manager.

## SIP ECDSA Support

- Cisco Unified Communications Manager Release 11.0 includes ECDSA support for SIP lines and SIP trunk interfaces.
- The connection between Cisco Unified Communications Manager and an endpoint phone or video device is a SIP line connection whereas the connection between two Cisco Unified Communications Managers is a SIP trunk connection.
- All SIP connections support the ECDSA ciphers and use ECDSA certificates.

The Secure SIP interface was updated to support these two ciphers:

- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

These are the scenarios when SIP makes TLS connections:

- When SIP acts as a TLS server
When the SIP trunk interface of Cisco Unified Communications Manager acts as a TLS server for incoming secure SIP connection, the SIP trunk interface determines if the CallManager-ECDSA certificate exists on disk. If the certificate exists on the disk, the SIP trunk interface uses the CallManager-ECDSA certificate if the selected cipher suite is

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

- When SIP acts as a TLS client
When the SIP trunk interface acts as a TLS client, the SIP trunk interface sends a list of requested cipher suites to the server based on the TLS Ciphers field (which also includes the ECDSA ciphers option) in the CUCM Enterprise Parameters

**The TLS Ciphers**. This configuration determines the TLS client cipher suite list and the supported cipher suites in order of preference.

**Notes**:

- Devices that use an ECDSA cipher to make a connection to CUCM must have the CallManager-ECDSA certificate in their Identity Trust List (ITL) file.

- The SIP trunk interface support RSA TLS cipher suites for connections from clients that do not support ECDSA cipher suites or when a TLS connection is established with an earlier version of CUCM, that do not support ECDSA.

## Secure CTI Manager ECDSA Support

The Secure CTI Manager interface was updated to support these four ciphers:

- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

The Secure CTI Manager interface loads both the CallManager and CallManager-ECDSA certificate. This allows the Secure CTI Manager interface to support the new ciphers along with the existing RSA cipher.

Similar to the SIP interface, the Enterprise Parameter TLS Ciphers option in Cisco Unified Communications Manager is used to configure the TLS ciphers that are supported on the CTI Manager secure interface.

## HTTPS Support for Configuration Download

- For secure configuration download (for example, Jabber clients), Cisco Unified Communications Manager Release 11.0 is enhanced to support HTTPS in addition to the HTTP and TFTP interfaces that were used in the earlier releases.
- If required, both client and server use mutual authentication. However, the clients that are enrolled with ECDSA LSCs and Encrypted TFTP configurations are required to present their LSC.
- The HTTPS interface uses both the CallManager and the CallManager-ECDSA certificates as the server certificates.

**Notes**:

- When you update CallManager, CallManager ECDSA, or Tomcat certificates, you must deactivate and reactivate the TFTP service.

- Port 6971 is used for authentication of the CallManager and CallManager-ECDSA certificates, used by Phones.

- Port 6972 is used for the authentication of the Tomcat certificates, used by Jabber.

## Entropy

Entropy is a measure of randomness of data and helps in determining the minimum threshold for common criteria requirements. To have strong encryption, a robust source of entropy is required. If a strong encryption algorithm, such as ECDSA, uses a weak source of entropy, the encryption can be easily broken.

In Cisco Unified Communications Manager Release 11.0, the entropy source for Cisco Unified Communications Manager is improved.

Entropy Monitoring Daemon is a built-in feature that does not require configuration. However, you can turn it off through the Cisco Unified Communications Manager CLI.

Use these CLI commands in order to control the Entropy Monitoring Daemon service:

## Related Information

- Cryptography Tutorial

- Cryptography Useful Resources

- Selected Reading

## Public Key Cryptography

Unlike symmetric key cryptography, we do not find historical use of public-key cryptography. It is a relatively new concept.

Symmetric cryptography was well suited for organizations such as governments, military, and big financial corporations were involved in the classified communication.

With the spread of more unsecure computer networks in last few decades, a genuine need was felt to use cryptography at larger scale. The symmetric key was found to be non-practical due to challenges it faced for key management. This gave rise to the public key cryptosystems.

The process of encryption and decryption is depicted in the following illustration −

The most important properties of public key encryption scheme are −

Different keys are used for encryption and decryption. This is a property which set this scheme different than symmetric encryption scheme.

Each receiver possesses a unique decryption key, generally referred to as his private key.

Receiver needs to publish an encryption key, referred to as his public key.

Some assurance of the authenticity of a public key is needed in this scheme to avoid spoofing by adversary as the receiver. Generally, this type of cryptosystem involves trusted third party which certifies that a particular public key belongs to a specific person or entity only.

Encryption algorithm is complex enough to prohibit attacker from deducing the plaintext from the ciphertext and the encryption (public) key.

Though private and public keys are related mathematically, it is not be feasible to calculate the private key from the public key. In fact, intelligent part of any public-key cryptosystem is in designing a relationship between two keys.

There are three types of Public Key Encryption schemes. We discuss them in following sections −

## RSA Cryptosystem

This cryptosystem is one the initial system. It remains most employed cryptosystem even today. The system was invented by three scholars **Ron Rivest, Adi Shamir,** and **Len Adleman** and hence, it is termed as RSA cryptosystem.

We will see two aspects of the RSA cryptosystem, firstly generation of key pair and secondly encryption-decryption algorithms.

### Generation of RSA Key Pair

Each person or a party who desires to participate in communication using encryption needs to generate a pair of keys, namely public key and private key. The process followed in the generation of keys is described below −

**Generate the RSA modulus (n)**Select two large primes, p and q.

Calculate n=p*q. For strong unbreakable encryption, let n be a large number, typically a minimum of 512 bits.

**Find Derived Number (e)**Number

**e**must be greater than 1 and less than (p − 1)(q − 1).There must be no common factor for e and (p − 1)(q − 1) except for 1. In other words two numbers e and (p – 1)(q – 1) are coprime.

**Form the public key**The pair of numbers (n, e) form the RSA public key and is made public.

Interestingly, though n is part of the public key, difficulty in factorizing a large prime number ensures that attacker cannot find in finite time the two primes (p & q) used to obtain n. This is strength of RSA.

**Generate the private key**Private Key d is calculated from p, q, and e. For given n and e, there is unique number d.

Number d is the inverse of e modulo (p - 1)(q – 1). This means that d is the number less than (p - 1)(q - 1) such that when multiplied by e, it is equal to 1 modulo (p - 1)(q - 1).

This relationship is written mathematically as follows −

The Extended Euclidean Algorithm takes p, q, and e as input and gives d as output.

### Example

An example of generating RSA Key pair is given below. (For ease of understanding, the primes p & q taken here are small values. Practically, these values are very high).

Let two primes be p = 7 and q = 13. Thus, modulus n = pq = 7 x 13 = 91.

Select e = 5, which is a valid choice since there is no number that is common factor of 5 and (p − 1)(q − 1) = 6 × 12 = 72, except for 1.

The pair of numbers (n, e) = (91, 5) forms the public key and can be made available to anyone whom we wish to be able to send us encrypted messages.

Input p = 7, q = 13, and e = 5 to the Extended Euclidean Algorithm. The output will be d = 29.

Check that the d calculated is correct by computing −

Hence, public key is (91, 5) and private keys is (91, 29).

### Encryption and Decryption

Once the key pair has been generated, the process of encryption and decryption are relatively straightforward and computationally easy.

Interestingly, RSA does not directly operate on strings of bits as in case of symmetric key encryption. It operates on numbers modulo n. Hence, it is necessary to represent the plaintext as a series of numbers less than n.

### RSA Encryption

Suppose the sender wish to send some text message to someone whose public key is (n, e).

The sender then represents the plaintext as a series of numbers less than n.

To encrypt the first plaintext P, which is a number modulo n. The encryption process is simple mathematical step as −

In other words, the ciphertext C is equal to the plaintext P multiplied by itself e times and then reduced modulo n. This means that C is also a number less than n.

Returning to our Key Generation example with plaintext P = 10, we get ciphertext C −

### RSA Decryption

The decryption process for RSA is also very straightforward. Suppose that the receiver of public-key pair (n, e) has received a ciphertext C.

Receiver raises C to the power of his private key d. The result modulo n will be the plaintext P.

Returning again to our numerical example, the ciphertext C = 82 would get decrypted to number 10 using private key 29 −

### RSA Analysis

The security of RSA depends on the strengths of two separate functions. The RSA cryptosystem is most popular public-key cryptosystem strength of which is based on the practical difficulty of factoring the very large numbers.

**Encryption Function**− It is considered as a one-way function of converting plaintext into ciphertext and it can be reversed only with the knowledge of private key d.**Key Generation**− The difficulty of determining a private key from an RSA public key is equivalent to factoring the modulus n. An attacker thus cannot use knowledge of an RSA public key to determine an RSA private key unless he can factor n. It is also a one way function, going from p & q values to modulus n is easy but reverse is not possible.

If either of these two functions are proved non one-way, then RSA will be broken. In fact, if a technique for factoring efficiently is developed then RSA will no longer be safe.

The strength of RSA encryption drastically goes down against attacks if the number p and q are not large primes and/ or chosen public key e is a small number.

## ElGamal Cryptosystem

Along with RSA, there are other public-key cryptosystems proposed. Many of them are based on different versions of the Discrete Logarithm Problem.

ElGamal cryptosystem, called Elliptic Curve Variant, is based on the Discrete Logarithm Problem. It derives the strength from the assumption that the discrete logarithms cannot be found in practical time frame for a given number, while the inverse operation of the power can be computed efficiently.

Let us go through a simple version of ElGamal that works with numbers modulo p. In the case of elliptic curve variants, it is based on quite different number systems.

### Generation of ElGamal Key Pair

Each user of ElGamal cryptosystem generates the key pair through as follows −

**Choosing a large prime p.**Generally a prime number of 1024 to 2048 bits length is chosen.**Choosing a generator element g.**This number must be between 1 and p − 1, but cannot be any number.

It is a generator of the multiplicative group of integers modulo p. This means for every integer m co-prime to p, there is an integer k such that g

^{k}=a mod n.For example, 3 is generator of group 5 (Z

_{5}= {1, 2, 3, 4}).

N | 3^{n} | 3^{n} mod 5 |
---|---|---|

1 | 3 | 3 |

2 | 9 | 4 |

3 | 27 | 2 |

4 | 81 | 1 |

**Choosing the private key.**The private key x is any number bigger than 1 and smaller than p−1.**Computing part of the public key.**The value y is computed from the parameters p, g and the private key x as follows −

**Obtaining Public key.**The ElGamal public key consists of the three parameters (p, g, y).For example, suppose that p = 17 and that g = 6 (It can be confirmed that 6 is a generator of group Z

_{17}). The private key x can be any number bigger than 1 and smaller than 71, so we choose x = 5. The value y is then computed as follows −

Thus the private key is 62 and the public key is (17, 6, 7).

### Encryption and Decryption

The generation of an ElGamal key pair is comparatively simpler than the equivalent process for RSA. But the encryption and decryption are slightly more complex than RSA.

### ElGamal Encryption

Suppose sender wishes to send a plaintext to someone whose ElGamal public key is (p, g, y), then −

Sender represents the plaintext as a series of numbers modulo p.

To encrypt the first plaintext P, which is represented as a number modulo p. The encryption process to obtain the ciphertext C is as follows −

- Randomly generate a number k;
- Compute two values C1 and C2, where −

## Key Generation In Elliptic Curve Cryptography

Send the ciphertext C, consisting of the two separate values (C1, C2), sent together.

Referring to our ElGamal key generation example given above, the plaintext P = 13 is encrypted as follows −

- Randomly generate a number, say k = 10
- Compute the two values C1 and C2, where −

Send the ciphertext C = (C1, C2) = (15, 9).

### ElGamal Decryption

To decrypt the ciphertext (C1, C2) using private key x, the following two steps are taken −

Compute the modular inverse of (C1)

^{x}modulo p, which is (C1)^{-x }, generally referred to as decryption factor.Obtain the plaintext by using the following formula −

In our example, to decrypt the ciphertext C = (C1, C2) = (15, 9) using private key x = 5, the decryption factor is

Extract plaintext P = (9 × 9) mod 17 = 13.

## Elliptic Curve Key Generation

### ElGamal Analysis

## Elliptic Curve Cryptography Key Generation 2

In ElGamal system, each user has a private key x. and has **three components** of public key − **prime modulus p, generator g, and public Y = g ^{x} mod p**. The strength of the ElGamal is based on the difficulty of discrete logarithm problem.

The secure key size is generally > 1024 bits. Today even 2048 bits long key are used. On the processing speed front, Elgamal is quite slow, it is used mainly for key authentication protocols. Due to higher processing efficiency, Elliptic Curve variants of ElGamal are becoming increasingly popular.

## Elliptic Curve Cryptography (ECC)

Elliptic Curve Cryptography (ECC) is a term used to describe a suite of cryptographic tools and protocols whose security is based on special versions of the discrete logarithm problem. It does not use numbers modulo p.

ECC is based on sets of numbers that are associated with mathematical objects called elliptic curves. There are rules for adding and computing multiples of these numbers, just as there are for numbers modulo p.

ECC includes a variants of many cryptographic schemes that were initially designed for modular numbers such as ElGamal encryption and Digital Signature Algorithm.

It is believed that the discrete logarithm problem is much harder when applied to points on an elliptic curve. This prompts switching from numbers modulo p to points on an elliptic curve. Also an equivalent security level can be obtained with shorter keys if we use elliptic curve-based variants.

The shorter keys result in two benefits −

- Ease of key management
- Efficient computation

These benefits make elliptic-curve-based variants of encryption scheme highly attractive for application where computing resources are constrained.

## RSA and ElGamal Schemes – A Comparison

Let us briefly compare the RSA and ElGamal schemes on the various aspects.

RSA | ElGamal |
---|---|

It is more efficient for encryption. | It is more efficient for decryption. |

It is less efficient for decryption. | It is more efficient for decryption. |

For a particular security level, lengthy keys are required in RSA. | For the same level of security, very short keys are required. |

It is widely accepted and used. | It is new and not very popular in market. |