EdDSA

From MgmtWiki

Full Title

Edwards-curve Digital Signature Algorithm (EdDSA) scheme

Context

A certificate can be signed with the Edwards-curve Digital Signature Algorithm (EdDSA) scheme. This algorithm is designed to be faster than existing digital signature schemes without sacrificing security. You can create a Certificate Authority (CA) using EdDSA keys with either the EJBCA Admin UI or the CLI.<ref>Keyfactor, EdDSA Keys and Signatures (retrieved 2021-12-23) https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/certificate-authority-overview/eddsa-keys-and-signatures</ref>

When generating a CA in EJBCA, up to three key pairs and certificates are generated: a CA signing key pair and certificate, an encryption key pair used for encrypting key recovery information, and an OCSP signer key pair and certificate. When using EdDSA keys, the CA signing key pair and the OCSP signer key pair will be of the EdDSA key type you select when creating the CA, and the CA signing and OCSP signing certificates will be signed using your selected signature algorithm. The encryption key pair will be RSA in the near term, using a 1024 or 2048 bit key length.

Note that as of 2023 there are two variants: Ed25519 and Ed448.

Here is a sample CSR generation command for your clients using OpenSSL:

openssl genpkey -algorithm ED25519 -out ed25519.key.pem
openssl req -new -key ed25519.key.pem -out ed25519.csr.pem
openssl req -in ed25519.csr.pem -text
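The commands above prompt for the subject interactively and leave it to the reader to confirm what was produced. As an added example (not from the wiki page or from EJBCA), the script below runs the same OpenSSL flow non-interactively, verifies the CSR's self-signature, and checks that the recorded signature algorithm is ED25519 rather than an RSA default, which is the check worth doing before submitting the CSR to the CA. The work directory and the CN `eddsa-example.test` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the wiki page: generate an Ed25519 key and
# CSR with OpenSSL, then confirm the CSR really is Ed25519-signed.
set -eu

# make_ed25519_csr DIR CN
#   Writes DIR/ed25519.key.pem and DIR/ed25519.csr.pem, prints the signature
#   algorithm recorded in the CSR, and returns non-zero if the CSR's
#   self-signature does not verify or the algorithm is not ED25519.
make_ed25519_csr() {
    dir=$1
    cn=$2

    # Same key and CSR generation as the page, with -subj to avoid prompts.
    openssl genpkey -algorithm ED25519 -out "$dir/ed25519.key.pem"
    openssl req -new -key "$dir/ed25519.key.pem" -subj "/CN=$cn" \
        -out "$dir/ed25519.csr.pem"

    # -verify checks the CSR's self-signature against the embedded public key;
    # a CSR that fails here would be rejected by any sane CA anyway.
    openssl req -in "$dir/ed25519.csr.pem" -noout -verify >/dev/null 2>&1

    # Pull the first "Signature Algorithm:" line from the human-readable dump.
    alg=$(openssl req -in "$dir/ed25519.csr.pem" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    printf '%s\n' "$alg"

    # An RSA key fed to the same command would report sha256WithRSAEncryption.
    [ "$alg" = "ED25519" ]
}

# Stand-alone usage: build the CSR in a temporary directory and report.
if [ "${0##*/}" != "sh" ] && [ -z "${EDDSA_EXAMPLE_NO_MAIN:-}" ]; then
    workdir=$(mktemp -d)
    make_ed25519_csr "$workdir" "eddsa-example.test"
    echo "CSR written to $workdir/ed25519.csr.pem"
fi
```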

References

  • Edwards-Curve Digital Signature Algorithm (EdDSA), RFC 8032