Elliptic Curve Certificates
Elliptic Curve Cryptography (ECC) is a public-key cryptographic scheme. From a user perspective, it works similarly to RSA – there is a public key as well as a private key. In addition, for ECC the participants need to agree on the domain parameters making up the elliptic curve – typically these domain parameters are just referred to as “the curve.” These curves are generally not made up by the participants – instead they are chosen from lists of published curves. For example, a typical curve that is used is secp384r1, which was standardized by NIST in FIPS 186-4 (note: to make things slightly confusing NIST curves have two names – secp384r1 is referred to as P-384 in the NIST publication).
When creating a certificate that uses Elliptic Curve DSA (ECDSA) as the signature scheme, the curve is typically just referred to by name – meaning that in the ASN.1 representation of the X.509 certificate just the name of the curve is given. It is expected that all participants know the parameters of the well-known curves. An example certificate using ECDSA from the Zeek test suite looks like this (unnecessary details omitted):



This is the exact code that is used by our detection script.
The drawback of this package is its higher complexity. Furthermore, the package requires OpenSSL 1.1.1, which might not be available for your Zeek installation if you are on an older release of your Linux distribution.
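The ASN.1 point made above (a certificate normally names its curve by object identifier inside the SubjectPublicKeyInfo rather than spelling out the domain parameters) can be checked directly on the DER bytes, without OpenSSL. The following Python is an added example; it is not code from this post or from the Zeek package it describes. It builds a small, constructed SubjectPublicKeyInfo for a P-384 key (the public-key bit string is a placeholder, not a real key), parses the AlgorithmIdentifier, and reports which branch of the RFC 5480 ECParameters CHOICE is present: a namedCurve OID, the implicitlyCA NULL, or a specifiedCurve SEQUENCE. The OID values are the real ones from RFC 5480 and SEC 2; the function names and the sample structures are the example's own.

```python
# Minimal DER walker that classifies the ECParameters of an EC SubjectPublicKeyInfo.
# Added example; OIDs are real, the sample keys below are constructed placeholders.

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # RFC 5480 id-ecPublicKey
ID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
NAMED_CURVES = {                          # SEC 2 / NIST names
    "1.2.840.10045.3.1.7": "secp256r1 (P-256)",
    "1.3.132.0.34": "secp384r1 (P-384)",
    "1.3.132.0.35": "secp521r1 (P-521)",
}


def encode_oid(dotted):
    """Encode a dotted OID string into its DER content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return bytes(body)


def decode_oid(content):
    """Inverse of encode_oid: DER content octets -> dotted string."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def encode_length(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def tlv(tag, content):
    """Build one DER tag-length-value element."""
    return bytes([tag]) + encode_length(len(content)) + content


def read_tlv(buf, pos):
    """Read one element at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def classify_spki(spki):
    """Return (kind, curve) where kind is 'named', 'explicit', 'implicit', 'not-ec' or 'unknown'."""
    tag, body, _ = read_tlv(spki, 0)            # SubjectPublicKeyInfo ::= SEQUENCE
    assert tag == 0x30, "expected SEQUENCE"
    tag, alg_id, _ = read_tlv(body, 0)          # AlgorithmIdentifier ::= SEQUENCE
    assert tag == 0x30, "expected SEQUENCE"
    tag, oid, pos = read_tlv(alg_id, 0)         # algorithm OBJECT IDENTIFIER
    assert tag == 0x06, "expected OID"
    if decode_oid(oid) != ID_EC_PUBLIC_KEY:
        return ("not-ec", None)
    tag, params, _ = read_tlv(alg_id, pos)      # ECParameters CHOICE (RFC 5480 2.1.1)
    if tag == 0x06:                             # namedCurve: the usual, expected case
        curve = decode_oid(params)
        return ("named", NAMED_CURVES.get(curve, curve))
    if tag == 0x30:                             # specifiedCurve: full domain parameters inline
        return ("explicit", None)
    if tag == 0x05:                             # implicitlyCA NULL
        return ("implicit", None)
    return ("unknown", None)


def build_spki(alg_oid, params_der, point):
    """Assemble a SubjectPublicKeyInfo around constructed (non-key) subjectPublicKey bytes."""
    alg_id = tlv(0x30, tlv(0x06, encode_oid(alg_oid)) + params_der)
    return tlv(0x30, alg_id + tlv(0x03, b"\x00" + point))   # BIT STRING, 0 unused bits


# Constructed samples: the "point" is 0x04 || X || Y sized for P-384 but is not a real key.
FAKE_P384_POINT = b"\x04" + b"\x11" * 96
NAMED_P384_SPKI = build_spki(ID_EC_PUBLIC_KEY, tlv(0x06, encode_oid("1.3.132.0.34")), FAKE_P384_POINT)
# Stand-in SpecifiedECDomain: only the leading version INTEGER, enough to exercise the tag check.
EXPLICIT_SPKI = build_spki(ID_EC_PUBLIC_KEY, tlv(0x30, tlv(0x02, b"\x01")), FAKE_P384_POINT)
RSA_SPKI = build_spki(ID_RSA_ENCRYPTION, tlv(0x05, b""), b"\x30\x00")

if __name__ == "__main__":
    for label, spki in [("named P-384", NAMED_P384_SPKI), ("explicit", EXPLICIT_SPKI), ("rsa", RSA_SPKI)]:
        print(label, "->", classify_spki(spki))
```

The only branch a monitoring script normally expects to see is `named`; a certificate whose AlgorithmIdentifier carries a `specifiedCurve` SEQUENCE instead of a curve OID is worth logging on its own, since RFC 5480 requires conforming implementations to support only the namedCurve form.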
Getting Involved
If you have any questions about this script – or if you use it and find exploit attempts – we would love to hear from you. The best way to contact us is to share feedback on our mailing list, or you can email me directly.