000032299 - Difference between ECCP and ECCPWithParams Elliptic Curve Types in RSA Certificate Manager 6.8 and 6.9

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000032299
Applies ToRSA Product Set: Digital Certificate Solutions
RSA Product/Service Type: Certificate Manager
RSA Version/Condition: 6.8, 6.9
IssuePlease review page 30 of the RSA Certificate Manager API 6.9 Reference Manual (p. 37) for information on the following curve types that are supported:
  • XudaCryptoECCCurvesA BSAFE “A” elliptic curves.
  • XudaCryptoECCCurvesB BSAFE “B” elliptic curves.
  • XudaCryptoECCCurvesP “P” elliptic curves with curve OID.
  • XudaCryptoECCCurvesPWithParams BSAFE “P” elliptic curves with explicit curve parameters.

When creating a new certificate authority (CA) within the RSA Certificate Manager Administration Console, these appear as Signing Algorithms ECCA, ECCB, ECCP and ECCPwithParams, respectively:
Signing Algorithms

What is the difference between the "P" curves with (ECCPWithParams) and without Params (ECCP)?
Resolution

The P and PwithParams options are for the same curves P-256, P-384 and P-521.  The only difference is the way the curve is represented in the certificate itself.  For the “P”(ECCP)  options, the curve is identified by ASN.1 OID (implicitly listed in the certificate by specifying the standardized name of the curve).  For the “PwithParams” (ECCPWithParams) options, the specific parameters of the curve are listed (the curve is explicitly defined in the certificate).
This is explained in the section 2.3.5 ECDSA and ECDH Keys of RFC 3279 Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, as follows.


ECDSA and ECDH require use of certain parameters with the public key.  The parameters may be inherited from the issuer, implicitly included through reference to a "named curve," or explicitly included in the certificate.
      EcpkParameters ::= CHOICE {
        ecParameters  ECParameters,
        namedCurve    OBJECT IDENTIFIER,
        implicitlyCA  NULL }
When the parameters are inherited, the parameters field SHALL contain implictlyCA, which is the ASN.1 value NULL.  When parameters are specified by reference, the parameters field SHALL contain the named-Curve choice, which is an object identifier.  When the parameters are explicitly included, they SHALL be encoded in the  ASN.1 structure ECParameters


An extract of two example certificates of each type are below.  The full certificates are attached for your reference.


ASN.1 output for an example certificate with ECCP algorithm issued from RCM:


0 438: SEQUENCE {
  4 277:   SEQUENCE {
  8  17:     INTEGER 00 F9 44 6F 9A 36 9D 30 D8 EA 6E 34 43 EF 11 6D 5F
27  12:     SEQUENCE {
29   8:       OBJECT IDENTIFIER ecdsaWithSHA512 (1 2 840 10045 4 3 4)
39   0:       NULL
       :       }
41  25:     SEQUENCE {
43  23:       SET {
45  21:         SEQUENCE {
47   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
52  14:           PrintableString 'TestCAWithECCP'
       :           }
       :         }
       :       }
68  30:     SEQUENCE {
70  13:       UTCTime 06/11/2015 09:10:27 GMT
85  13:       UTCTime 06/11/2018 09:10:28 GMT
       :       }
100  25:     SEQUENCE {
102  23:       SET {
104  21:         SEQUENCE {
106   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
111  14:           PrintableString 'TestCAWithECCP'
       :           }
       :         }
       :       }
127 155:     SEQUENCE {
130  16:       SEQUENCE {
132   7:         OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
141   5:         OBJECT IDENTIFIER secp521r1 (1 3 132 0 35)
       :         }
148 134:       BIT STRING
       :         04 01 37 22 FD 16 C6 4B EA 4D BD 22 01 DB D7 D4
       :         F3 44 09 F5 37 E1 B1 05 8D 5D 13 93 A1 8B BF 16
       :         24 31 9E 9A E8 70 61 17 4C 61 8B 73 11 46 35 30
       :         A9 58 F0 95 F3 35 88 0B 2D BB 0D 49 E2 35 C9 24
       :         FC 2E 23 01 0B 15 97 74 0E F1 72 87 35 5D E9 24
       :         F6 A1 D4 B4 0B 0C 2F AD 78 4A 4E 3F FC A4 5B 1E
       :         ED 22 56 E9 4B E2 3D 39 6C 3E 25 1B 32 17 FB B5
       :         05 84 AB CC C6 14 00 AA DF 2B 1F F7 39 2D B3 A3
       :         8F 2C 5D 21 82
       :       }
       :     }
285  12:   SEQUENCE {
287   8:     OBJECT IDENTIFIER ecdsaWithSHA512 (1 2 840 10045 4 3 4)
297   0:     NULL
       :     }
299 140:   BIT STRING
       :     30 81 88 02 42 01 5F 63 74 29 64 52 6F D4 CE 31
       :     3D D8 8C A8 E3 69 AA 8D 05 D6 4B 41 51 A7 7A D9
       :     5F D1 3F 51 CA F7 17 5D 55 CF 32 60 49 F3 1E 5B
       :     BF 6B DD F0 EA C4 96 03 89 20 BB 9D 72 E5 BB 26
       :     27 8F 43 5C CE 19 60 02 42 01 96 0C F4 D9 B0 EC
       :     1B 3D 1B 2A B9 8B 5E 2C D1 59 C8 C7 55 6E C8 91
       :     1C 0E 6B 23 F4 95 AC 97 69 04 13 C5 ED 96 71 DE
       :     E5 DA EE 28 A2 C0 E9 C1 82 0F FD 79 09 BA 7C 9F
       :     08 76 68 B0 0E B0 E0 9B B2 7F 4B
       :   }
ASN.1 output for an example certificate with ECCPWithParams algorithm issued from RCM:
0 884: SEQUENCE {
  4 724:   SEQUENCE {
  8  16:     INTEGER 69 C4 30 DA D8 6C 22 35 8C F4 AE 12 26 C0 A3 8D
26  12:     SEQUENCE {
28   8:       OBJECT IDENTIFIER ecdsaWithSHA512 (1 2 840 10045 4 3 4)
38   0:       NULL
       :       }
40  35:     SEQUENCE {
42  33:       SET {
44  31:         SEQUENCE {
46   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
51  24:           PrintableString 'TestCAWithECCPWithParams'
       :           }
       :         }
       :       }
77  30:     SEQUENCE {
79  13:       UTCTime 06/11/2015 09:03:48 GMT
94  13:       UTCTime 06/11/2018 09:03:48 GMT
       :       }
109  35:     SEQUENCE {
111  33:       SET {
113  31:         SEQUENCE {
115   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
120  24:           PrintableString 'TestCAWithECCPWithParams'
       :           }
       :         }
       :       }
146 582:     SEQUENCE {
150 441:       SEQUENCE {
154   7:         OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
163 428:         SEQUENCE {
167   1:           INTEGER 1
170  77:           SEQUENCE {
172   7:             OBJECT IDENTIFIER prime-field (1 2 840 10045 1 1)
181  66:             INTEGER
       :               01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
       :               FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
       :               FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
       :               FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
       :               FF FF
       :             }
249 136:           SEQUENCE {
252  66:             OCTET STRING
       :               01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
       :               FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
       :               FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
       :               FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
       :               FF FC
320  66:             OCTET STRING
       :               00 51 95 3E B9 61 8E 1C 9A 1F 92 9A 21 A0 B6 85
       :               40 EE A2 DA 72 5B 99 B3 15 F3 B8 B4 89 91 8E F1
       :               09 E1 56 19 39 51 EC 7E 93 7B 16 52 C0 BD 3B B1
       :               BF 07 35 73 DF 88 3D 2C 34 F1 EF 45 1F D4 6B 50
       :               3F 00
       :             }
388 133:           OCTET STRING
       :             04 00 C6 85 8E 06 B7 04 04 E9 CD 9E 3E CB 66 23
       :             95 B4 42 9C 64 81 39 05 3F B5 21 F8 28 AF 60 6B
       :             4D 3D BA A1 4B 5E 77 EF E7 59 28 FE 1D C1 27 A2
       :             FF A8 DE 33 48 B3 C1 85 6A 42 9B F9 7E 7E 31 C2
       :             E5 BD 66 01 18 39 29 6A 78 9A 3B C0 04 5C 8A 5F
       :             B4 2C 7D 1B D9 98 F5 44 49 57 9B 44 68 17 AF BD
       :             17 27 3E 66 2C 97 EE 72 99 5E F4 26 40 C5 50 B9
       :             01 3F AD 07 61 35 3C 70 86 A2 72 C2 40 88 BE 94
       :             76 9F D1 66 50
524  66:           INTEGER
       :             01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
       :             FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
       :             FF FA 51 86 87 83 BF 2F 96 6B 7F CC 01 48 F7 09
       :             A5 D0 3B B5 C9 B8 89 9C 47 AE BB 6F B7 1E 91 38
       :             64 09
592   1:           INTEGER 1
       :           }
       :         }
595 134:       BIT STRING
       :         04 00 F7 80 32 9D 28 CA E4 E7 24 B7 98 32 37 37
       :         0A 77 B4 8D A6 A0 63 05 77 98 83 9C 1F 39 91 D5
       :         53 E0 83 B4 3D 2F 86 22 5C 21 AF D9 2B FD 27 8D
       :         AD 68 F2 4F 42 EC BF B3 C5 87 16 BE 16 2D 1C F6
       :         E4 F3 D3 00 8F 78 79 D4 FF E7 AD C1 F6 B3 47 1A
       :         F5 3B D3 50 D1 46 76 7C 56 89 D9 3B F3 C8 58 B3
       :         E3 6A DB D7 1F 4C 55 28 9E E4 BF 7A EE 8B E8 D3
       :         9C 5A FE 08 23 20 91 52 AB 9F DE 16 87 67 AA 52
       :         4E 73 2B 52 AF
       :       }
       :     }
732  12:   SEQUENCE {
734   8:     OBJECT IDENTIFIER ecdsaWithSHA512 (1 2 840 10045 4 3 4)
744   0:     NULL
       :     }
746 139:   BIT STRING
       :     30 81 87 02 42 01 9F DB 8F 00 41 67 10 22 19 64
       :     DB 6F FE 55 46 37 3B B8 CE 54 79 DA 5F 81 41 18
       :     14 23 FA 58 DD A2 BE 68 A4 7B 33 E2 73 19 36 B9
       :     C8 17 E2 0B FF 76 71 E0 F2 5D 83 8F 70 CA A6 0D
       :     D9 1A 2B 78 38 B7 EB 02 41 59 FF 55 C8 00 4C 81
       :     71 4C 49 1A AE 22 7F C7 17 4D 99 5E 85 22 85 9A
       :     D8 6E D8 21 8E A4 D0 5B 64 91 71 2A 74 67 BA 8B
       :     FA 99 F6 41 CB A2 AF B5 ED 0D D4 03 03 6A AA A3
       :     4E 0F 47 9A 24 EE 72 2A 94 4A
       :   }

 
Notes

Reference:
Bassham, L., Polk, W., and R. Housley, Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC 3279, DOI 10.17487/RFC3279, April 2002, <http://www.rfc-editor.org/info/rfc3279>.

Attachments

Outcomes