EC Cryptography Tutorials - Herong's Tutorial Examples - v1.03, by Herong Yang
"keytool -groupname ..." - Select Curve Name
This section provides a tutorial example on how to use the 'keytool -groupname ...' option to select a different elliptic curve when generating EC private-public key pairs.
How To Select a Different Curve with "keytool"? If you don't like the default elliptic curve, secp256r1, used by "keytool", you can use the "-groupname ..." option to specify a different elliptic curve.
Older versions of "keytool" also allow you to use the "-keysize ..." option to specify a different key size, which will force "keytool" to use a different elliptic curve.
1. Generate an EC private-public key pair with "-groupname secp521r1" option to select a different curve.
herong> keytool -genkeypair -keyalg EC -groupname secp521r1 -alias 2nd_ec \
  -keystore herong.jks
Enter keystore password: HerongJKS
What is your first and last name?
  [Unknown]: Herong
...
Is CN=Herong, OU=My Unit, O=My Home, L=My City, ST=My State, C=US correct?
  [no]: yes
Generating 521 bit EC (secp521r1) key pair and self-signed certificate
  (SHA512withECDSA) with a validity of 90 days
  for: CN=Herong, OU=My Unit, O=My Home, L=My City, ST=My State, C=US
2. Generate an EC private-public key pair with "-keysize 521" option to select a different curve. Notice that "keytool" gives me a warning on the "-keysize ..." option. It tells me to use the "-groupname ..." option.
herong> keytool -genkeypair -keyalg EC -keysize 521 -alias 3rd_ec \
  -keystore herong.jks
Enter keystore password: HerongJKS
Warning: Specifying -keysize for generating EC keys is deprecated,
  please use "-groupname secp521r1" instead.
What is your first and last name?
  [Unknown]: Herong
...
Generating 521 bit EC (secp521r1) key pair and self-signed certificate
  (SHA512withECDSA) with a validity of 90 days
  for: CN=Herong, OU=My Unit, O=My Home, L=My City, ST=My State, C=US
3. Generate an EC private-public key pair with "-groupname secp192r1" option to select a different curve. But I am getting an error this time. Too bad, "keytool" does not support the "secp192r1" curve. It considers "secp192r1" as too short and not secure enough.
herong> keytool -genkeypair -keyalg EC -groupname secp192r1 -alias 4th_ec \
  -keystore herong.jks
Enter keystore password: HerongJKS
What is your first and last name?
  [Unknown]: Herong
...
keytool error: java.lang.IllegalArgumentException: Curve not supported: secp192r1 [NIST P-192,X9.62 prime192v1] (1.2.840.10045.3.1.1)
4. Generate an EC private-public key pair with "-groupname my_curve" option to see what will happen. I am getting the "Unknown curve name: my_curve" error, as expected.
herong> keytool -genkeypair -keyalg EC -groupname my_curve -alias 5th_ec \
  -keystore herong.jks
Enter keystore password: HerongJKS
What is your first and last name?
  [Unknown]: Herong
...
keytool error: java.lang.IllegalArgumentException: Unknown curve name: my_curve
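The four cases above, folded into a wrapper, as an added example that is not part of the original tutorial: it maps a legacy "-keysize" value to the matching "-groupname" curve and rejects names outside an allow-list before "keytool" is called. The ALLOWED_CURVES policy, the function names, and the STOREPASS and DRY_RUN variables are assumptions; the 256 and 384 mappings are keytool behaviour not shown on this page.

```shell
#!/bin/sh
# Added example (not from the tutorial). ALLOWED_CURVES is an assumed local
# policy, not keytool's own list of supported curves.
ALLOWED_CURVES="secp256r1 secp384r1 secp521r1"

# Print the -groupname value for a curve name or a legacy -keysize value.
# Returns 1 when the result is not in ALLOWED_CURVES.
ec_groupname() {
  case "$1" in
    256) name=secp256r1 ;;
    384) name=secp384r1 ;;
    521) name=secp521r1 ;;
    *)   name=$1 ;;
  esac
  for c in $ALLOWED_CURVES; do
    if [ "$c" = "$name" ]; then
      printf '%s\n' "$name"
      return 0
    fi
  done
  echo "curve rejected by policy: $1" >&2
  return 1
}

# gen_ec_key ALIAS CURVE_OR_KEYSIZE [KEYSTORE]
# Runs keytool with -groupname, or only prints the command when DRY_RUN=1.
# -storepass:env reads the password from the STOREPASS environment variable,
# keeping it out of the process argument list; -dname replaces the name prompts.
gen_ec_key() {
  group=$(ec_groupname "$2") || return 1
  set -- keytool -genkeypair -keyalg EC -groupname "$group" -alias "$1" \
    -keystore "${3:-herong.jks}" -storepass:env STOREPASS \
    -dname "CN=Herong, OU=My Unit, O=My Home, L=My City, ST=My State, C=US"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}
```

Export STOREPASS before calling gen_ec_key; with DRY_RUN=1 the command is printed for review instead of being run.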