rfcdiff: draft-ietf-ipsec-ike-ecp-groups-01.txt (May 27, 2005; expired November 27, 2005) against draft-ietf-ipsec-ike-ecp-groups-02.txt (September 30, 2005)

IPSec Working Group                                          D. Fu, NSA
INTERNET-DRAFT                                          J. Solinas, NSA
Expires March 30, 2006                               September 30, 2005

                      ECP Groups For IKE and IKEv2
                 <draft-ietf-ipsec-ike-ecp-groups-02.txt>
Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other

[unchanged text omitted by the diff view]

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Abstract

This document describes new ECC groups for use in the Internet Key
Exchange (IKE) and Internet Key Exchange version 2 (IKEv2) protocols
in addition to previously defined groups. Specifically, the new
curve groups are based on modular arithmetic rather than binary
arithmetic. These new groups are defined to align IKE and IKEv2
with other ECC implementations and standards, particularly NIST
standards. In addition, the curves defined here can provide more
efficient implementation than previously defined ECC groups.
Table of Contents
1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . 3
2. Additional ECC Groups . . . . . . . . . . . . . . . . . . . 4
2.1 Nineteenth Group. . . . . . . . . . . . . . . . . . . 4
2.2. Twentieth Group . . . . . . . . . . . . . . . . . . . 5
2.3. Twenty-First Group. . . . . . . . . . . . . . . . . . 6
3. Security Considerations . . . . . . . . . . . . . . . . . . 7
4. Alignment with Other Standards. . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . 8
6. Test Vectors. . . . . . . . . . . . . . . . . . . . . . . . 8
6.1 Nineteenth Group. . . . . . . . . . . . . . . . . . . 8
6.2. Twentieth Group . . . . . . . . . . . . . . . . . . . 9
6.3. Twenty-First Group. . . . . . . . . . . . . . . . . . 10
7. References. . . . . . . . . . . . . . . . . . . . . . . . . 11
7.1 Normative . . . . . . . . . . . . . . . . . . . . . . 11
7.2. Informative . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction

This document describes default Diffie-Hellman groups for use in
IKE and IKEv2 in addition to the Oakley groups included in [IKE] and
the additional groups registered since then by IANA [IANA]. The
document assumes that the reader is familiar with the IKE protocol
and the concept of Oakley Groups, as defined in RFC 2409 [IKE].

RFC 2409 [IKE] defines five standard Oakley Groups - three modular
exponentiation groups and two elliptic curve groups over GF[2^N].
One modular exponentiation group (768 bits - Oakley Group 1) is
mandatory for all implementations to support, while the other four
are optional. Thirteen additional groups subsequently have been
defined and assigned values by IANA. All of these additional groups
are optional. Of the eighteen groups defined so far, eight are MODP
groups (exponentiation groups modulo a prime) and ten are EC2N groups
(elliptic curve groups over GF[2^N]).

The purpose of this document is to expand the options available to
implementers of elliptic curve groups by adding three ECP groups
(elliptic curve groups modulo a prime). The reasons for adding such
groups include the following.
- The groups proposed afford efficiency advantages in software
applications since the underlying arithmetic is integer arithmetic
modulo a prime rather than binary field arithmetic. (Additional
computational advantages for these groups are presented in [GMN].)

- The groups proposed encourage alignment with other elliptic curve
standards. The proposed groups are among those standardized by
NIST, by the SECG, by ISO, and by ANSI. (See section 3 for
details.)
[unchanged text omitted by the diff view]

implementations based upon elliptic curve groups. In addition, the
availability of standardized groups will result in optimizations for
a particular curve and field size as well as allowing precomputation
that could result in faster implementations.

It is anticipated that the groups proposed here will be assigned
identifiers by IANA [IANA]. In that case the full list of assigned
values for the Group Description class within IKE will be the
following. (The groups defined in this document are listed as
19, 20, and 21.)
IANA   IANA        NIST
Value  Group Type  Identifier  Group Description
-----  ----------  ----------  -----------------
  1    1 MODP                  768-bit MODP group
  2    1 MODP                  1024-bit MODP group
  3    3 EC2N                  Elliptic curve group over GF[2^155]
  4    3 EC2N                  Elliptic curve group over GF[2^185]
  5    1 MODP                  1536-bit MODP group
  6    3 EC2N      B-163       Random curve group over GF[2^163]
  7    3 EC2N      K-163       Koblitz curve group over GF[2^163]
  8    3 EC2N      B-283       Random curve group over GF[2^283]
  9    3 EC2N      K-283       Koblitz curve group over GF[2^283]
 10    3 EC2N      B-409       Random curve group over GF[2^409]
 11    3 EC2N      K-409       Koblitz curve group over GF[2^409]
 12    3 EC2N      B-571       Random curve group over GF[2^571]
 13    3 EC2N      K-571       Koblitz curve group over GF[2^571]
 14    1 MODP                  2048-bit MODP group
 15    1 MODP                  3072-bit MODP group
 16    1 MODP                  4096-bit MODP group
 17    1 MODP                  6144-bit MODP group
 18    1 MODP                  8192-bit MODP group
 19    2 ECP       P-256       256-bit random curve group
 20    2 ECP       P-384       384-bit random curve group
 21    2 ECP       P-521       521-bit random curve group

The IANA group type [IANA] of the three new groups is 2 (ECP -
elliptic curve group over GF(P)). The previous eighteen groups all
have group types 1 or 3.
In summary, due to the performance advantages of elliptic curve
groups in IKE implementations and the need for further alignment with
other standards, this document defines three elliptic curve groups
based on modular arithmetic.

2. Additional ECC Groups

The notation adopted in RFC2409 [IKE] is used below to describe the
new groups proposed.
2.1 Nineteenth Group

IKE and IKEv2 implementations SHOULD support an ECP group with the
following characteristics. This group is assigned id 19 (nineteen).
The curve is based on the integers modulo the generalized Mersenne
prime p given by

p = 2^(256)-2^(224)+2^(192)+2^(96)-1 .

The equation for the elliptic curve is:

y^2 = x^3 - 3 x + b.

Field size:
256

Group Prime/Irreducible Polynomial:
FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFF

Group Curve b:
5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B

Group order:
FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551

The group was chosen verifiably at random using SHA-1 as specified in
[IEEE-1363] from the seed:
C49D3608 86E70493 6A6678E1 139D26B7 819F7E90

The generator for this group is given by g=(gx,gy) where

gx:
6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296

gy:
4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51F5
2.2 Twentieth Group

IKE implementations SHOULD support an ECP group with the following
characteristics. This group is assigned id 20 (twenty). The curve is
based on the integers modulo the generalized Mersenne prime p given by

p = 2^(384)-2^(128)-2^(96)+2^(32)-1 .

The equation for the elliptic curve is:

y^2 = x^3 - 3 x + b.

Field size:
384

Group Prime/Irreducible Polynomial:
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE
FFFFFFFF 00000000 00000000 FFFFFFFF

Group Curve b:
B3312FA7 E23EE7E4 988E056B E3F82D19 181D9C6E FE814112 0314088F 5013875A
C656398D 8A2ED19D 2A85C8ED D3EC2AEF

Group order:
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF C7634D81 F4372DDF
581A0DB2 48B0A77A ECEC196A CCC52973

The group was chosen verifiably at random using SHA-1 as specified in
[IEEE-1363] from the seed:
A335926A A319A27A 1D00896A 6773A482 7ACDAC73

The generator for this group is given by g=(gx,gy) where

gx:
AA87CA22 BE8B0537 8EB1C71E F320AD74 6E1D3B62 8BA79B98 59F741E0 82542A38
5502F25D BF55296C 3A545E38 72760AB7

gy:
3617DE4A 96262C6F 5D9E98BF 9292DC29 F8F41DBD 289A147C E9DA3113 B5F0B8C0
0A60B1CE 1D7E819D 7A431D7C 90EA0E5F
2.3 Twenty-First Group

IKE implementations SHOULD support an ECP group with the following
characteristics. This group is assigned id 21 (twenty-one). The
curve is based on the integers modulo the Mersenne prime p given by

p = 2^(521)-1 .

The equation for the elliptic curve is:

y^2 = x^3 - 3 x + b.

Field size:
521

Group Prime/Irreducible Polynomial:
01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFF

Group Curve b:
0051953E B9618E1C 9A1F929A 21A0B685 40EEA2DA 725B99B3 15F3B8B4 89918EF1
09E15619 3951EC7E 937B1652 C0BD3BB1 BF073573 DF883D2C 34F1EF45 1FD46B50
3F00

Group order:
01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFA5186 8783BF2F 966B7FCC 0148F709 A5D03BB5 C9B8899C 47AEBB6F B71E9138
6409

The group was chosen verifiably at random using SHA-1 as specified in
[IEEE-1363] from the seed:
D09E8800 291CB853 96CC6717 393284AA A0DA64BA

The generator for this group is given by g=(gx,gy) where

gx:
00C6858E 06B70404 E9CD9E3E CB662395 B4429C64 8139053F B521F828 AF606B4D
3DBAA14B 5E77EFE7 5928FE1D C127A2FF A8DE3348 B3C1856A 429BF97E 7E31C2E5
BD66

gy:
01183929 6A789A3B C0045C8A 5FB42C7D 1BD998F5 4449579B 446817AF BD17273E
662C97EE 72995EF4 2640C550 B9013FAD 0761353C 7086A272 C24088BE 94769FD1
6650
3. Security Considerations
Since this document proposes new groups for use within IKE, many of
the security considerations contained within RFC 2409 apply here as
well.
The groups proposed in this document correspond to the symmetric key
sizes 128 bits, 192 bits, and 256 bits. This allows the IKE key
exchange to offer security comparable with the AES algorithms [AES].
4. Alignment with Other Standards

The following table summarizes the appearance of these three
elliptic curve groups in other standards.

Standard               Group 19       Group 20     Group 21

NIST [DSS]             P-256          P-384        P-521
ISO/IEC [ISO-15946-1]  P-256

[unchanged text omitted by the diff view]

ANSI [X9.62-2003]      Sect. J.6.5.3  Sect. J.6.6  Sect. J.6.7
ANSI [X9.63]           Sect. J.5.4,   Sect. J.5.5  Sect. J.5.6
                       Example 2
SECG [SEC2]            secp256r1      secp384r1    secp521r1

See also [NIST], [ISO-14888-3], [ISO-15946-2], [ISO-15946-3], and
[ISO-15946-4].
5. IANA Considerations

Before this document can become an RFC, it is required that IANA
update its registry of Diffie-Hellman groups for IKE in [IANA] to
include the three groups defined above.

6. Test Vectors

The following are examples of the IKEv2 key exchange payload for each
of the three groups specified in this document.

We denote by g^n the scalar multiple of the point g by the
integer n; it is another point on the curve. In the literature, the
scalar multiple is typically denoted ng; the notation g^n is
used in order to conform to the notation used in [IKE] and [IKEv2].
6.1 Nineteenth Group
We suppose that the initiator's Diffie-Hellman private key is
i:
C88F01F5 10D9AC3F 70A292DA A2316DE5 44E9AAB8 AFE84049 C62A9C57 862D1433
Then the public key is given by g^i=(gix,giy) where
gix:
DAD0B653 94221CF9 B051E1FE CA5787D0 98DFE637 FC90B9EF 945D0C37 72581180
giy:
5271A046 1CDB8252 D61F1C45 6FA3E59A B1F45B33 ACCF5F58 389E0577 B8990BB3
The KEi payload is as follows.
00000048 00130000 DAD0B653 94221CF9 B051E1FE CA5787D0 98DFE637 FC90B9EF
945D0C37 72581180 5271A046 1CDB8252 D61F1C45 6FA3E59A B1F45B33 ACCF5F58
389E0577 B8990BB3
We suppose that the responder's Diffie-Hellman private key is
r:
C6EF9C5D 78AE012A 011164AC B397CE20 88685D8F 06BF9BE0 B283AB46 476BEE53
Then the public key is given by g^r=(grx,gry) where
grx:
D12DFB52 89C8D4F8 1208B702 70398C34 2296970A 0BCCB74C 736FC755 4494BF63
gry:
56FBF3CA 366CC23E 8157854C 13C58D6A AC23F046 ADA30F83 53E74F33 039872AB
The KEr payload is as follows.
00000048 00130000 D12DFB52 89C8D4F8 1208B702 70398C34 2296970A 0BCCB74C
736FC755 4494BF63 56FBF3CA 366CC23E 8157854C 13C58D6A AC23F046 ADA30F83
53E74F33 039872AB
The shared secret value g^ir=(girx,giry) where
girx:
D6840F6B 42F6EDAF D13116E0 E1256520 2FEF8E9E CE7DCE03 812464D0 4B9442DE
giry:
522BDE0A F0D8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5D98EDB2 0EB153A2
These are concatenated to form
g^ir:
D6840F6B 42F6EDAF D13116E0 E1256520 2FEF8E9E CE7DCE03 812464D0 4B9442DE
522BDE0A F0D8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5D98EDB2 0EB153A2
This is the value which is used in the formation of SKEYSEED.
6.2 Twentieth Group
We suppose that the initiator's Diffie-Hellman private key is
i:
099F3C70 34D4A2C6 99884D73 A375A67F 7624EF7C 6B3C0F16 0647B674 14DCE655
E35B5380 41E649EE 3FAEF896 783AB194
Then the public key is given by g^i=(gix,giy) where
gix:
667842D7 D180AC2C DE6F74F3 7551F557 55C7645C 20EF73E3 1634FE72 B4C55EE6
DE3AC808 ACB4BDB4 C88732AE E95F41AA
giy:
9482ED1F C0EEB9CA FC498462 5CCFC23F 65032149 E0E144AD A0241815 35A0F38E
EB9FCFF3 C2C947DA E69B4C63 4573A81C
The KEi payload is as follows.
00000068 00140000 667842D7 D180AC2C DE6F74F3 7551F557 55C7645C 20EF73E3
1634FE72 B4C55EE6 DE3AC808 ACB4BDB4 C88732AE E95F41AA 9482ED1F C0EEB9CA
FC498462 5CCFC23F 65032149 E0E144AD A0241815 35A0F38E EB9FCFF3 C2C947DA
E69B4C63 4573A81C
We suppose that the responder's Diffie-Hellman private key is
r:
41CB0779 B4BDB85D 47846725 FBEC3C94 30FAB46C C8DC5060 855CC9BD A0AA2942
E0308312 916B8ED2 960E4BD5 5A7448FC
Then the public key is given by g^r=(grx,gry) where
grx:
E558DBEF 53EECDE3 D3FCCFC1 AEA08A89 A987475D 12FD950D 83CFA417 32BC509D
0D1AC43A 0336DEF9 6FDA41D0 774A3571
gry:
DCFBEC7A ACF31964 72169E83 8430367F 66EEBE3C 6E70C416 DD5F0C68 759DD1FF
F83FA401 42209DFF 5EAAD96D B9E6386C
The KEr payload is as follows.
00000068 00140000 E558DBEF 53EECDE3 D3FCCFC1 AEA08A89 A987475D 12FD950D
83CFA417 32BC509D 0D1AC43A 0336DEF9 6FDA41D0 774A3571 DCFBEC7A ACF31964
72169E83 8430367F 66EEBE3C 6E70C416 DD5F0C68 759DD1FF F83FA401 42209DFF
5EAAD96D B9E6386C
The shared secret value g^ir=(girx,giry) where
girx:
11187331 C279962D 93D60424 3FD592CB 9D0A926F 422E4718 7521287E 7156C5C4
D6031355 69B9E9D0 9CF5D4A2 70F59746
giry:
A2A9F38E F5CAFBE2 347CF7EC 24BDD5E6 24BC93BF A82771F4 0D1B65D0 6256A852
C983135D 4669F879 2F2C1D55 718AFBB4
These are concatenated to form
g^ir:
11187331 C279962D 93D60424 3FD592CB 9D0A926F 422E4718 7521287E 7156C5C4
D6031355 69B9E9D0 9CF5D4A2 70F59746 A2A9F38E F5CAFBE2 347CF7EC 24BDD5E6
24BC93BF A82771F4 0D1B65D0 6256A852 C983135D 4669F879 2F2C1D55 718AFBB4
This is the value which is used in the formation of SKEYSEED.
6.3 Twenty-First Group
We suppose that the initiator's Diffie-Hellman private key is
i:
0037ADE9 319A89F4 DABDB3EF 411AACCC A5123C61 ACAB57B5 393DCE47 608172A0
95AA85A3 0FE1C295 2C6771D9 37BA9777 F5957B26 39BAB072 462F68C2 7A57382D
4A52
Then the public key is given by g^i=(gix,giy) where
gix:
0015417E 84DBF28C 0AD3C278 713349DC 7DF153C8 97A1891B D98BAB43 57C9ECBE
E1E3BF42 E00B8E38 0AEAE57C 2D107564 94188594 2AF5A7F4 601723C4 195D176C
ED3E
giy:
017CAE20 B6641D2E EB695786 D8C94614 6239D099 E18E1D5A 514C739D 7CB4A10A
D8A78801 5AC405D7 799DC75E 7B7D5B6C F2261A6A 7F150743 8BF01BEB 6CA3926F
9582
The KEi payload is as follows.
0000008C 00150000 0015417E 84DBF28C 0AD3C278 713349DC 7DF153C8 97A1891B
D98BAB43 57C9ECBE E1E3BF42 E00B8E38 0AEAE57C 2D107564 94188594 2AF5A7F4
601723C4 195D176C ED3E017C AE20B664 1D2EEB69 5786D8C9 46146239 D099E18E
1D5A514C 739D7CB4 A10AD8A7 88015AC4 05D7799D C75E7B7D 5B6CF226 1A6A7F15
07438BF0 1BEB6CA3 926F9582
We suppose that the responder's Diffie-Hellman private key is
r:
0145BA99 A847AF43 793FDD0E 872E7CDF A16BE30F DC780F97 BCCC3F07 8380201E
9C677D60 0B343757 A3BDBF2A 3163E4C2 F869CCA7 458AA4A4 EFFC311F 5CB15168
5EB9
Then the public key is given by g^r=(grx,gry) where
grx:
00D0B397 5AC4B799 F5BEA16D 5E13E9AF 971D5E9B 984C9F39 728B5E57 39735A21
9B97C356 436ADC6E 95BB0352 F6BE64A6 C2912D4E F2D0433C ED2B6171 640012D9
460F
gry:
015C6822 6383956E 3BD066E7 97B623C2 7CE0EAC2 F551A10C 2C724D98 52077B87
220B6536 C5C408A1 D2AEBB8E 86D678AE 49CB5709 1F473229 6579AB44 FCD17F0F
C56A
The KEr payload is as follows.
0000008C 00150000 00D0B397 5AC4B799 F5BEA16D 5E13E9AF 971D5E9B 984C9F39
728B5E57 39735A21 9B97C356 436ADC6E 95BB0352 F6BE64A6 C2912D4E F2D0433C
ED2B6171 640012D9 460F015C 68226383 956E3BD0 66E797B6 23C27CE0 EAC2F551
A10C2C72 4D985207 7B87220B 6536C5C4 08A1D2AE BB8E86D6 78AE49CB 57091F47
32296579 AB44FCD1 7F0FC56A
The shared secret value g^ir=(girx,giry) where
girx:
01144C7D 79AE6956 BC8EDB8E 7C787C45 21CB086F A64407F9 7894E5E6 B2D79B04
D1427E73 CA4BAA24 0A347868 59810C06 B3C715A3 A8CC3151 F2BEE417 996D19F3
DDEA
giry:
01B901E6 B17DB294 7AC017D8 53EF1C16 74E5CFE5 9CDA18D0 78E05D1B 5242ADAA
9FFC3C63 EA05EDB1 E13CE5B3 A8E50C3E B622E8DA 1B38E0BD D1F88569 D6C99BAF
FA43
These are concatenated to form
g^ir:
01144C7D 79AE6956 BC8EDB8E 7C787C45 21CB086F A64407F9 7894E5E6 B2D79B04
D1427E73 CA4BAA24 0A347868 59810C06 B3C715A3 A8CC3151 F2BEE417 996D19F3
DDEA01B9 01E6B17D B2947AC0 17D853EF 1C1674E5 CFE59CDA 18D078E0 5D1B5242
ADAA9FFC 3C63EA05 EDB1E13C E5B3A8E5 0C3EB622 E8DA1B38 E0BDD1F8 8569D6C9
9BAFFA43
This is the value which is used in the formation of SKEYSEED.
7. References

7.1 Normative

[IANA] Internet Assigned Numbers Authority, Internet Key Exchange
(IKE) Attributes. (http://www.iana.org/assignments/ipsec-registry)

[IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC 2409,
November 1998.

[IKEv2] C. Kaufman, Internet Key Exchange (IKEv2) Protocol, 2004.
(http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-17.txt)

7.2 Informative

[AES] U.S. Department of Commerce/National Institute of Standards
and Technology, Advanced Encryption Standard (AES), FIPS PUB 197,
November 2001. (http://csrc.nist.gov/publications/fips/index.html)

[DSS] U.S. Department of Commerce/National Institute of Standards
and Technology, Digital Signature Standard (DSS), FIPS PUB 186-2,
January 2000. (http://csrc.nist.gov/publications/fips/index.html)

[GMN] J. Solinas, Generalized Mersenne Numbers, Combinatorics
and Optimization Research Report 99-39, 1999.
(http://www.cacr.math.uwaterloo.ca/)

[IEEE-1363] Institute of Electrical and Electronics Engineers. IEEE
1363-2000, Standard for Public Key Cryptography.
(http://grouper.ieee.org/groups/1363/index.html)

[ISO-14888-3] International Organization for Standardization and
International Electrotechnical Commission, ISO/IEC First
Committee Draft 14888-3 (2nd ed.), Information Technology:
Security Techniques: Digital Signatures with Appendix: Part 3 -
Discrete Logarithm Based Mechanisms.

[unchanged text omitted by the diff view]

[ISO-18031] International Organization for Standardization and
International Electrotechnical Commission, ISO/IEC Final
Committee Draft 18031, Information Technology: Security
Techniques: Random Bit Generation, October 2004.

[NIST] U.S. Department of Commerce/National Institute of Standards
and Technology. Recommendation for Key Establishment Schemes
Using Discrete Logarithm Cryptography, NIST Special Publication
800-56. (http://csrc.nist.gov/CryptoToolkit/KeyMgmt.html)

[RFC-3526] T. Kivinen and M. Kojo, More Modular Exponential (MODP)
Diffie-Hellman groups for Internet Key Exchange (IKE), RFC
3526, May 2003.

[SEC2] Standards for Efficient Cryptography Group. SEC 2 -
Recommended Elliptic Curve Domain Parameters, v. 1.0, 2000.
(http://www.secg.org)

[X9.62-1998] American National Standards Institute, X9.62-1998:
Public Key Cryptography for the Financial Services Industry: The
Elliptic Curve Digital Signature Algorithm. January 1999.

[X9.62-2003] American National Standards Institute, X9.62-1998:
Public Key Cryptography for the Financial Services Industry: The
Elliptic Curve Digital Signature Algorithm,
Revised-Draft-2003-02-26, February 2003.

[X9.63] American National Standards Institute. X9.63-2001,
Public Key Cryptography for the Financial Services Industry: Key
Agreement and Key Transport using Elliptic Curve Cryptography.
November 2001.
7. Authors' Addresses

David E. Fu
National Information Assurance Research Laboratory
National Security Agency
defu@orion.ncsc.mil

Jerome A. Solinas
National Information Assurance Research Laboratory
National Security Agency
jasolin@orion.ncsc.mil

Comments are solicited and should be addressed to the authors.

Copyright (C) The Internet Society (2005).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Expires March 30, 2006

End of changes. 32 change blocks; 126 lines changed or deleted, 349 lines changed or added.
This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/