draft-ietf-ipsec-ike-ecp-groups-01.txt | draft-ietf-ipsec-ike-ecp-groups-02.txt | |||
---|---|---|---|---|

IPSec Working Group J. Solinas, NSA | IPSec Working Group D. Fu, NSA | |||

INTERNET-DRAFT | INTERNET-DRAFT J. Solinas, NSA | |||

Expires November 27, 2005 May 27, 2005 | Expires March 30, 2006 September 30, 2005 | |||

ECP Groups For IKE | ECP Groups For IKE and IKEv2 | |||

<draft-ietf-ipsec-ike-ecp-groups-01.txt> | <draft-ietf-ipsec-ike-ecp-groups-02.txt> | |||

Status of this Memo | Status of this Memo | |||

By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||

applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||

have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||

aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||

Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||

Task Force (IETF), its areas, and its working groups. Note that other | Task Force (IETF), its areas, and its working groups. Note that other | |||


The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||

http://www.ietf.org/1id-abstracts.html | http://www.ietf.org/1id-abstracts.html | |||

The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||

http://www.ietf.org/shadow.html | http://www.ietf.org/shadow.html | |||

Abstract | Abstract | |||

This document describes new ECC groups for use in the Internet Key | This document describes new ECC groups for use in the Internet Key | |||

Exchange (IKE) protocol in addition to previously defined groups. | Exchange (IKE) and Internet Key Exchange version 2 (IKEv2) protocols | |||

Specifically, the new curve groups are based on modular arithmetic | in addition to previously defined groups. Specifically, the new | |||

rather than binary arithmetic. These new groups are defined to align | curve groups are based on modular arithmetic rather than binary | |||

IKE with other ECC implementations and standards, particularly NIST | arithmetic. These new groups are defined to align IKE and IKEv2 | |||

with other ECC implementations and standards, particularly NIST | ||||

standards. In addition, the curves defined here can provide more | standards. In addition, the curves defined here can provide more | |||

efficient implementation than previously defined ECC groups. | efficient implementation than previously defined ECC groups. | |||

Table of Contents | ||||

1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . 3 | ||||

2. Additional ECC Groups . . . . . . . . . . . . . . . . . . . 4 | ||||

2.1 Nineteenth Group. . . . . . . . . . . . . . . . . . . 4 | ||||

2.2. Twentieth Group . . . . . . . . . . . . . . . . . . . 5 | ||||

2.3. Twenty-First Group. . . . . . . . . . . . . . . . . . 6 | ||||

3. Security Considerations . . . . . . . . . . . . . . . . . . 7 | ||||

4. Alignment with Other Standards. . . . . . . . . . . . . . . 7 | ||||

5. IANA Considerations . . . . . . . . . . . . . . . . . . . . 8 | ||||

6. Test Vectors. . . . . . . . . . . . . . . . . . . . . . . . 8 | ||||

6.1 Nineteenth Group. . . . . . . . . . . . . . . . . . . 8 | ||||

6.2. Twentieth Group . . . . . . . . . . . . . . . . . . . 9 | ||||

6.3. Twenty-First Group. . . . . . . . . . . . . . . . . . 10 | ||||

7. References. . . . . . . . . . . . . . . . . . . . . . . . . 11 | ||||

7.1 Normative . . . . . . . . . . . . . . . . . . . . . . 11 | ||||

7.2. Informative . . . . . . . . . . . . . . . . . . . . . 11 | ||||

1. Introduction | 1. Introduction | |||

This document describes default groups for use in elliptic curve | This document describes default Diffie-Hellman groups for use in | |||

Diffie-Hellman in IKE in addition to the Oakley groups included in | IKE and IKEv2 in addition to the Oakley groups included in [IKE] and | |||

[IKE] and the groups defined in [RFC-3526] and [BBPS]. The document | the additional groups defined since [IANA]. The document assumes | |||

assumes that the reader is familiar with the IKE protocol and the | that the reader is familiar with the IKE protocol and the concept of | |||

concept of Oakley Groups, as defined in RFC 2409 [IKE]. | Oakley Groups, as defined in RFC 2409 [IKE]. | |||

RFC 2409 [IKE] defines five standard Oakley Groups - three modular | RFC 2409 [IKE] defines five standard Oakley Groups - three modular | |||

exponentiation groups and two elliptic curve groups over GF[2^N]. | exponentiation groups and two elliptic curve groups over GF[2^N]. | |||

One modular exponentiation group (768 bits - Oakley Group 1) is | One modular exponentiation group (768 bits - Oakley Group 1) is | |||

mandatory for all implementations to support, while the other four | mandatory for all implementations to support, while the other four | |||

are optional. Thirteen additional groups subsequently have | are optional. Thirteen additional groups subsequently have been | |||

been defined and assigned values by IANA. All of these additional | defined and assigned values by IANA. All of these additional groups | |||

groups are optional. Of the eighteen groups defined so far, eight | are optional. Of the eighteen groups defined so far, eight are MODP | |||

are modular exponentiation groups and ten are elliptic curve groups | groups (exponentiation groups modulo a prime) and ten are EC2N groups | |||

over GF[2^N]. | (elliptic curve groups over GF[2^N]). | |||

The purpose of this document is to expand the options available to | The purpose of this document is to expand the options available to | |||

implementers of elliptic curve groups by adding three new elliptic | implementers of elliptic curve groups by adding three ECP groups | |||

curve groups. Unlike the previous elliptic curve groups, the three | (elliptic curve groups modulo a prime). The reasons for adding such | |||

groups proposed in this document are defined over GF[p] with p prime. | groups include the following. | |||

The reasons for adding these new groups include the following. | ||||

- The groups proposed afford efficiency advantages in software | - The groups proposed afford efficiency advantages in software | |||

applications since the underlying arithmetic is integer arithmetic | applications since the underlying arithmetic is integer arithmetic | |||

modulo a prime rather than binary field arithmetic. (Additional | modulo a prime rather than binary field arithmetic. (Additional | |||

computational advantages for these groups are presented in [GMN].) | computational advantages for these groups are presented in [GMN].) | |||

- The groups proposed encourage alignment with other elliptic curve | - The groups proposed encourage alignment with other elliptic curve | |||

standards. The proposed groups are among those standardized by | standards. The proposed groups are among those standardized by | |||

NIST, by the SECG, by ISO, and by ANSI. (See section 3 for | NIST, by the SECG, by ISO, and by ANSI. (See section 3 for | |||

details.) | details.) | |||


implementations based upon elliptic curve groups. In addition, the | implementations based upon elliptic curve groups. In addition, the | |||

availability of standardized groups will result in optimizations for | availability of standardized groups will result in optimizations for | |||

a particular curve and field size as well as allowing precomputation | a particular curve and field size as well as allowing precomputation | |||

that could result in faster implementations. | that could result in faster implementations. | |||

It is anticipated that the groups proposed here will be assigned | It is anticipated that the groups proposed here will be assigned | |||

identifiers by IANA [IANA]. In that case the full list of assigned | identifiers by IANA [IANA]. In that case the full list of assigned | |||

values for the Group Description class within IKE will be the | values for the Group Description class within IKE will be the | |||

following. (The groups defined in this document are listed as | following. (The groups defined in this document are listed as | |||

19, 20, and 21.) | 19, 20, and 21.) | |||

Group Description Value | IANA IANA NIST | |||

----------------- ----- | Value Group Type Identifier Group Description | |||

Default 768-bit MODP group [IKE] 1 | ----- ---------- ---------- ----------------- | |||

Alternate 1024-bit MODP group [IKE] 2 | 1 1 MODP 768-bit MODP group | |||

EC2N group over GF[2^155] [IKE] 3 | 2 1 MODP 1024-bit MODP group | |||

EC2N group over GF[2^185] [IKE] 4 | 3 3 EC2N Elliptic curve group over GF[2^155] | |||

1536-bit MODP group [RFC-3526] 5 | 4 3 EC2N Elliptic curve group over GF[2^185] | |||

EC2N group over GF[2^163] [BBPS] 6 | 5 1 MODP 1536-bit MODP group | |||

EC2N group over GF[2^163] [BBPS] 7 | 6 3 EC2N B-163 Random curve group over GF[2^163] | |||

EC2N group over GF[2^283] [BBPS] 8 | 7 3 EC2N K-163 Koblitz curve group over GF[2^163] | |||

EC2N group over GF[2^283] [BBPS] 9 | 8 3 EC2N B-283 Random curve group over GF[2^283] | |||

EC2N group over GF[2^409] [BBPS] 10 | 9 3 EC2N K-283 Koblitz curve group over GF[2^283] | |||

EC2N group over GF[2^409] [BBPS] 11 | 10 3 EC2N B-409 Random curve group over GF[2^409] | |||

EC2N group over GF[2^571] [BBPS] 12 | 11 3 EC2N K-409 Koblitz curve group over GF[2^409] | |||

EC2N group over GF[2^571] [BBPS] 13 | 12 3 EC2N B-571 Random curve group over GF[2^571] | |||

2048-bit MODP group [RFC-3526] 14 | 13 3 EC2N K-571 Koblitz curve group over GF[2^571] | |||

3072-bit MODP group [RFC-3526] 15 | 14 1 MODP 2048-bit MODP group | |||

4096-bit MODP group [RFC-3526] 16 | 15 1 MODP 3072-bit MODP group | |||

6144-bit MODP group [RFC-3526] 17 | 16 1 MODP 4096-bit MODP group | |||

8192-bit MODP group [RFC-3526] 18 | 17 1 MODP 6144-bit MODP group | |||

256-bit ECP group (EC group modulo a 256-bit prime) 19 | 18 1 MODP 8192-bit MODP group | |||

384-bit ECP group (EC group modulo a 384-bit prime) 20 | 19 2 ECP P-256 256-bit random curve group | |||

521-bit ECP group (EC group modulo a 521-bit prime) 21 | 20 2 ECP P-384 384-bit random curve group | |||

21 2 ECP P-521 521-bit random curve group | ||||

The IANA group type [IANA] of the three new groups is 2 (ECP - | ||||

elliptic curve group over GF(P)). The previous eighteen groups all | ||||

have group types 1 or 3. | ||||

In summary, due to the performance advantages of elliptic curve | In summary, due to the performance advantages of elliptic curve | |||

groups in IKE implementations and the need for further alignment with | groups in IKE implementations and the need for further alignment with | |||

other standards, this document defines three elliptic curve groups | other standards, this document defines three elliptic curve groups | |||

based on modular arithmetic. | based on modular arithmetic. | |||

2. Additional ECC Groups | 2. Additional ECC Groups | |||

The notation adopted in RFC2409 [IKE] is used below to describe the | The notation adopted in RFC2409 [IKE] is used below to describe the | |||

new groups proposed. | new groups proposed. | |||

2.1 Nineteenth Group | 2.1 Nineteenth Group | |||

IKE implementations SHOULD support an ECP group with the following | IKE and IKEv2 implementations SHOULD support an ECP group with the | |||

characteristics. This group is assigned id 19 (nineteen). The curve | following characteristics. This group is assigned id 19 (nineteen). | |||

is based on the integers modulo the generalized Mersenne prime p | The curve is based on the integers modulo the generalized Mersenne | |||

given by | prime p given by | |||

p = 2^(256)-2^(224)+2^(192)+2^(96)-1 . | p = 2^(256)-2^(224)+2^(192)+2^(96)-1 . | |||

The equation for the elliptic curve is: | The equation for the elliptic curve is: | |||

y^2 = x^3 - 3 x + b. | y^2 = x^3 - 3 x + b. | |||

Field size: | Field size: | |||

256 | 256 | |||

Group Prime/Irreducible Polynomial: | Group Prime/Irreducible Polynomial: | |||

FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFF | FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFF | |||

Group Curve b: | Group Curve b: | |||

5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B | 5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B | |||

Group Generator point P (x coordinate): | ||||

6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296 | ||||

Group Generator point P (y coordinate): | ||||

4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51F5 | ||||

Group order: | Group order: | |||

FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551 | FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551 | |||

The group was chosen verifiably at random using SHA-1 as specified in | The group was chosen verifiably at random using SHA-1 as specified in | |||

[IEEE-1363] from the seed: | [IEEE-1363] from the seed: | |||

C49D3608 86E70493 6A6678E1 139D26B7 819F7E90 | C49D3608 86E70493 6A6678E1 139D26B7 819F7E90 | |||

The data in the KE payload when using this group represents the | The generator for this group is given by g=(gx,gy) where | |||

point on the curve obtained by taking the scalar multiple Ka*P, | ||||

where Ka is the randomly chosen secret. | gx: | |||

6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296 | ||||

gy: | ||||

4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51F5 | ||||

2.2 Twentieth Group | 2.2 Twentieth Group | |||

IKE implementations SHOULD support an ECP group with the following | IKE implementations SHOULD support an ECP group with the following | |||

characteristics. This group is assigned id 20 (twenty). The curve is | characteristics. This group is assigned id 20 (twenty). The curve is | |||

based on the integers modulo the generalized Mersenne prime p given by | based on the integers modulo the generalized Mersenne prime p given by | |||

p = 2^(384)-2^(128)-2^(96)+2^(32)-1 . | p = 2^(384)-2^(128)-2^(96)+2^(32)-1 . | |||

The equation for the elliptic curve is: | The equation for the elliptic curve is: | |||

y^2 = x^3 - 3 x + b. | y^2 = x^3 - 3 x + b. | |||

Field size: | Field size: | |||

384 | 384 | |||

Group Prime/Irreducible Polynomial: | Group Prime/Irreducible Polynomial: | |||

FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF | FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE | |||

FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF 00000000 00000000 FFFFFFFF | FFFFFFFF 00000000 00000000 FFFFFFFF | |||

Group Curve b: | Group Curve b: | |||

B3312FA7 E23EE7E4 988E056B E3F82D19 | B3312FA7 E23EE7E4 988E056B E3F82D19 181D9C6E FE814112 0314088F 5013875A | |||

181D9C6E FE814112 0314088F 5013875A C656398D 8A2ED19D 2A85C8ED D3EC2AEF | C656398D 8A2ED19D 2A85C8ED D3EC2AEF | |||

Group Generator point P (x coordinate): | ||||

AA87CA22 BE8B0537 8EB1C71E F320AD74 | ||||

6E1D3B62 8BA79B98 59F741E0 82542A38 5502F25D BF55296C 3A545E38 72760AB7 | ||||

Group Generator point P (y coordinate): | ||||

3617DE4A 96262C6F 5D9E98BF 9292DC29 | ||||

F8F41DBD 289A147C E9DA3113 B5F0B8C0 0A60B1CE 1D7E819D 7A431D7C 90EA0E5F | ||||

Group order: | Group order: | |||

FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF | FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF C7634D81 F4372DDF | |||

FFFFFFFF FFFFFFFF C7634D81 F4372DDF 581A0DB2 48B0A77A ECEC196A CCC52973 | 581A0DB2 48B0A77A ECEC196A CCC52973 | |||

The group was chosen verifiably at random using SHA-1 as specified in | The group was chosen verifiably at random using SHA-1 as specified in | |||

[IEEE-1363] from the seed: | [IEEE-1363] from the seed: | |||

A335926A A319A27A 1D00896A 6773A482 7ACDAC73 | A335926A A319A27A 1D00896A 6773A482 7ACDAC73 | |||

The data in the KE payload when using this group represents the | The generator for this group is given by g=(gx,gy) where | |||

point on the curve obtained by taking the scalar multiple Ka*P, | ||||

where Ka is the randomly chosen secret. | gx: | |||

AA87CA22 BE8B0537 8EB1C71E F320AD74 6E1D3B62 8BA79B98 59F741E0 82542A38 | ||||

5502F25D BF55296C 3A545E38 72760AB7 | ||||

gy: | ||||

3617DE4A 96262C6F 5D9E98BF 9292DC29 F8F41DBD 289A147C E9DA3113 B5F0B8C0 | ||||

0A60B1CE 1D7E819D 7A431D7C 90EA0E5F | ||||

2.3 Twenty-First Group | 2.3 Twenty-First Group | |||

IKE implementations SHOULD support an ECP group with the following | IKE implementations SHOULD support an ECP group with the following | |||

characteristics. This group is assigned id 21 (twenty-one). The | characteristics. This group is assigned id 21 (twenty-one). The | |||

curve is based on the integers modulo the Mersenne prime p given by | curve is based on the integers modulo the Mersenne prime p given by | |||

p = 2^(521)-1 . | p = 2^(521)-1 . | |||

The equation for the elliptic curve is: | The equation for the elliptic curve is: | |||

y^2 = x^3 - 3 x + b. | y^2 = x^3 - 3 x + b. | |||

Field size: | Field size: | |||

521 | 521 | |||

Group Prime/Irreducible Polynomial: | Group Prime/Irreducible Polynomial: | |||

000001FF | 01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF | |||

FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF | ||||

FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF | FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF | |||

FFFF | ||||

Group Curve b: | Group Curve b: | |||

00000051 | 0051953E B9618E1C 9A1F929A 21A0B685 40EEA2DA 725B99B3 15F3B8B4 89918EF1 | |||

953EB961 8E1C9A1F 929A21A0 B68540EE A2DA725B 99B315F3 B8B48991 8EF109E1 | 09E15619 3951EC7E 937B1652 C0BD3BB1 BF073573 DF883D2C 34F1EF45 1FD46B50 | |||

56193951 EC7E937B 1652C0BD 3BB1BF07 3573DF88 3D2C34F1 EF451FD4 6B503F00 | 3F00 | |||

Group Generator point P (x coordinate): | ||||

000000C6 | ||||

858E06B7 0404E9CD 9E3ECB66 2395B442 9C648139 053FB521 F828AF60 6B4D3DBA | ||||

A14B5E77 EFE75928 FE1DC127 A2FFA8DE 3348B3C1 856A429B F97E7E31 C2E5BD66 | ||||

Group Generator point P (y coordinate): | ||||

00000118 | ||||

39296A78 9A3BC004 5C8A5FB4 2C7D1BD9 98F54449 579B4468 17AFBD17 273E662C | ||||

97EE7299 5EF42640 C550B901 3FAD0761 353C7086 A272C240 88BE9476 9FD16650 | ||||

Group order: | Group order: | |||

000001FF | 01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF | |||

FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFA | FFFA5186 8783BF2F 966B7FCC 0148F709 A5D03BB5 C9B8899C 47AEBB6F B71E9138 | |||

51868783 BF2F966B 7FCC0148 F709A5D0 3BB5C9B8 899C47AE BB6FB71E 91386409 | 6409 | |||

The group was chosen verifiably at random using SHA-1 as specified in | The group was chosen verifiably at random using SHA-1 as specified in | |||

[IEEE-1363] from the seed: | [IEEE-1363] from the seed: | |||

D09E8800 291CB853 96CC6717 393284AA A0DA64BA | D09E8800 291CB853 96CC6717 393284AA A0DA64BA | |||

The data in the KE payload when using this group represents the | The generator for this group is given by g=(gx,gy) where | |||

point on the curve obtained by taking the scalar multiple Ka*P, | ||||

where Ka is the randomly chosen secret. | ||||

3. Alignment with Other Standards | gx: | |||

00C6858E 06B70404 E9CD9E3E CB662395 B4429C64 8139053F B521F828 AF606B4D | ||||

3DBAA14B 5E77EFE7 5928FE1D C127A2FF A8DE3348 B3C1856A 429BF97E 7E31C2E5 | ||||

BD66 | ||||

gy: | ||||

01183929 6A789A3B C0045C8A 5FB42C7D 1BD998F5 4449579B 446817AF BD17273E | ||||

662C97EE 72995EF4 2640C550 B9013FAD 0761353C 7086A272 C24088BE 94769FD1 | ||||

6650 | ||||

3. Security Considerations | ||||

Since this document proposes new groups for use within IKE, many of | ||||

the security considerations contained within RFC 2409 apply here as | ||||

well. | ||||

The groups proposed in this document correspond to the symmetric key | ||||

sizes 128 bits, 192 bits, and 256 bits. This allows the IKE key | ||||

exchange to offer security comparable with the AES algorithms [AES]. | ||||

4. Alignment with Other Standards | ||||

The following table summarizes the appearance of these three | The following table summarizes the appearance of these three | |||

elliptic curve groups in other standards. | elliptic curve groups in other standards. | |||

Standard Group 19 Group 20 Group 21 | Standard Group 19 Group 20 Group 21 | |||

NIST [DSS] P-256 P-384 P-521 | NIST [DSS] P-256 P-384 P-521 | |||

ISO/IEC [ISO-15946-1] P-256 | ISO/IEC [ISO-15946-1] P-256 | |||


ANSI [X9.62-2003] Sect. J.6.5.3 Sect. J.6.6 Sect. J.6.7 | ANSI [X9.62-2003] Sect. J.6.5.3 Sect. J.6.6 Sect. J.6.7 | |||

ANSI [X9.63] Sect. J.5.4, Sect. J.5.5 Sect. J.5.6 | ANSI [X9.63] Sect. J.5.4, Sect. J.5.5 Sect. J.5.6 | |||

Example 2 | Example 2 | |||

SECG [SEC2] secp256r1 secp384r1 secp521r1 | SECG [SEC2] secp256r1 secp384r1 secp521r1 | |||

See also [NIST], [ISO-14888-3], [ISO-15946-2], [ISO-15946-3], and | See also [NIST], [ISO-14888-3], [ISO-15946-2], [ISO-15946-3], and | |||

[ISO-15946-4]. | [ISO-15946-4]. | |||

4. Security Considerations | ||||

Since this document proposes new groups for use within IKE, many of | ||||

the security considerations contained within RFC 2409 apply here as | ||||

well. | ||||

The groups proposed in this document correspond to the symmetric key | ||||

sizes 128 bits, 192 bits, and 256 bits. This allows the IKE key | ||||

exchange to offer security comparable with the AES algorithms [AES]. | ||||

5. IANA Considerations | 5. IANA Considerations | |||

Before this document can become an RFC, it is required that IANA | Before this document can become an RFC, it is required that IANA | |||

update its registry of Diffie-Hellman groups for IKE in [IANA] to | update its registry of Diffie-Hellman groups for IKE in [IANA] to | |||

include the three groups defined above. | include the three groups defined above. | |||

6. References | 6. Test Vectors | |||

6.1 Normative | The following are examples of the IKEv2 key exchange payload for each | |||

of the three groups specified in this document. | ||||

We denote by g^n the scalar multiple of the point g by the | ||||

integer n; it is another point on the curve. In the literature, the | ||||

scalar multiple is typically denoted ng; the notation g^n is | ||||

used in order to conform to the notation used in [IKE] and [IKEv2]. | ||||

6.1 Nineteenth Group | ||||

We suppose that the initiator's Diffie-Hellman private key is | ||||

i: | ||||

C88F01F5 10D9AC3F 70A292DA A2316DE5 44E9AAB8 AFE84049 C62A9C57 862D1433 | ||||

Then the public key is given by g^i=(gix,giy) where | ||||

gix: | ||||

DAD0B653 94221CF9 B051E1FE CA5787D0 98DFE637 FC90B9EF 945D0C37 72581180 | ||||

giy: | ||||

5271A046 1CDB8252 D61F1C45 6FA3E59A B1F45B33 ACCF5F58 389E0577 B8990BB3 | ||||

The KEi payload is as follows. | ||||

00000048 00130000 DAD0B653 94221CF9 B051E1FE CA5787D0 98DFE637 FC90B9EF | ||||

945D0C37 72581180 5271A046 1CDB8252 D61F1C45 6FA3E59A B1F45B33 ACCF5F58 | ||||

389E0577 B8990BB3 | ||||

We suppose that the responder's Diffie-Hellman private key is | ||||

r: | ||||

C6EF9C5D 78AE012A 011164AC B397CE20 88685D8F 06BF9BE0 B283AB46 476BEE53 | ||||

Then the public key is given by g^r=(grx,gry) where | ||||

grx: | ||||

D12DFB52 89C8D4F8 1208B702 70398C34 2296970A 0BCCB74C 736FC755 4494BF63 | ||||

gry: | ||||

56FBF3CA 366CC23E 8157854C 13C58D6A AC23F046 ADA30F83 53E74F33 039872AB | ||||

The KEr payload is as follows. | ||||

00000048 00130000 D12DFB52 89C8D4F8 1208B702 70398C34 2296970A 0BCCB74C | ||||

736FC755 4494BF63 56FBF3CA 366CC23E 8157854C 13C58D6A AC23F046 ADA30F83 | ||||

53E74F33 039872AB | ||||

The shared secret value g^ir=(girx,giry) where | ||||

girx: | ||||

D6840F6B 42F6EDAF D13116E0 E1256520 2FEF8E9E CE7DCE03 812464D0 4B9442DE | ||||

giry: | ||||

522BDE0A F0D8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5D98EDB2 0EB153A2 | ||||

These are concatenated to form | ||||

g^ir: | ||||

D6840F6B 42F6EDAF D13116E0 E1256520 2FEF8E9E CE7DCE03 812464D0 4B9442DE | ||||

522BDE0A F0D8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5D98EDB2 0EB153A2 | ||||

This is the value which is used in the formation of SKEYSEED. | ||||
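The group 19 exchange above, worked in Python as an added example (not code from the draft or its authors): it implements the curve from the section 2.1 parameters, reproduces the KEi payload of section 6.1, validates a received KEr payload before it is used, and forms g^ir exactly as this draft concatenates it. All function and variable names are this example's own.

```python
import struct

# Group 19 (P-256) domain parameters as listed in section 2.1 of the draft.
P256 = {
    "p": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
    "b": 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    "n": 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
    "gx": 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
    "gy": 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
    "group_id": 19,    # IANA Group Description value
    "coord_len": 32,   # 256-bit field size -> 32-byte coordinates in the KE data
}

def on_curve(pt, c):
    """True if pt=(x,y) is in range and satisfies y^2 = x^3 - 3x + b (mod p)."""
    x, y = pt
    p = c["p"]
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x * x * x - 3 * x + c["b"])) % p == 0

def ec_add(P, Q, c):
    """Affine point addition on y^2 = x^3 - 3x + b; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    p = c["p"]
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None                                   # P == -Q
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, p) % p  # doubling, a = -3
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)

def scalar_mult(k, pt, c):
    """g^k in the draft's notation (kP in the literature), by double-and-add.
    Not constant-time: fine for checking vectors, not for a live key exchange."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend, c)
        addend = ec_add(addend, addend, c)
        k >>= 1
    return result

def build_ke_payload(pt, c, next_payload=0):
    """IKEv2 KE payload: generic header (next payload, flags, length), DH group
    number, reserved, then the KE data x || y with fixed-width coordinates."""
    L = c["coord_len"]
    ke_data = pt[0].to_bytes(L, "big") + pt[1].to_bytes(L, "big")
    return struct.pack("!BBHHH", next_payload, 0, 8 + len(ke_data), c["group_id"], 0) + ke_data

def parse_ke_payload(raw, c):
    """Parse a peer's KE payload and refuse anything that is not a valid point
    of the negotiated group (wrong length, wrong group, off-curve coordinates)."""
    if len(raw) < 8:
        raise ValueError("KE payload too short")
    _next, _flags, length, group, _reserved = struct.unpack("!BBHHH", raw[:8])
    L = c["coord_len"]
    if length != len(raw) or length != 8 + 2 * L:
        raise ValueError("KE payload length %d does not fit group %d" % (length, c["group_id"]))
    if group != c["group_id"]:
        raise ValueError("unexpected DH group %d" % group)
    pt = (int.from_bytes(raw[8:8 + L], "big"), int.from_bytes(raw[8 + L:8 + 2 * L], "big"))
    if not on_curve(pt, c):
        raise ValueError("peer public value is not on the curve")
    return pt

def shared_secret(priv, peer_pt, c):
    """g^ir as this draft forms it: x || y of priv times the peer's point."""
    pt = scalar_mult(priv, peer_pt, c)
    if pt is None:
        raise ValueError("shared secret is the point at infinity")
    L = c["coord_len"]
    return pt[0].to_bytes(L, "big") + pt[1].to_bytes(L, "big")

def check_section_6_1_vector():
    """Reproduce the initiator side of the section 6.1 test vector (values from the draft)."""
    i = 0xC88F01F510D9AC3F70A292DAA2316DE544E9AAB8AFE84049C62A9C57862D1433
    gi = scalar_mult(i, (P256["gx"], P256["gy"]), P256)
    kei = build_ke_payload(gi, P256)
    expected_kei = bytes.fromhex(
        "0000004800130000"
        "DAD0B65394221CF9B051E1FECA5787D098DFE637FC90B9EF945D0C3772581180"
        "5271A0461CDB8252D61F1C456FA3E59AB1F45B33ACCF5F58389E0577B8990BB3")
    return kei == expected_kei and parse_ke_payload(kei, P256) == gi

if __name__ == "__main__":
    print("section 6.1 KEi vector reproduced:", check_section_6_1_vector())
```

The on-curve check in parse_ke_payload is the step a receiver must not skip: a KE value that is not a point of the negotiated group must be rejected before any scalar multiplication with the private key.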

6.2 Twentieth Group | ||||

We suppose that the initiator's Diffie-Hellman private key is | ||||

i: | ||||

099F3C70 34D4A2C6 99884D73 A375A67F 7624EF7C 6B3C0F16 0647B674 14DCE655 | ||||

E35B5380 41E649EE 3FAEF896 783AB194 | ||||

Then the public key is given by g^i=(gix,giy) where | ||||

gix: | ||||

667842D7 D180AC2C DE6F74F3 7551F557 55C7645C 20EF73E3 1634FE72 B4C55EE6 | ||||

DE3AC808 ACB4BDB4 C88732AE E95F41AA | ||||

giy: | ||||

9482ED1F C0EEB9CA FC498462 5CCFC23F 65032149 E0E144AD A0241815 35A0F38E | ||||

EB9FCFF3 C2C947DA E69B4C63 4573A81C | ||||

The KEi payload is as follows. | ||||

00000068 00140000 667842D7 D180AC2C DE6F74F3 7551F557 55C7645C 20EF73E3 | ||||

1634FE72 B4C55EE6 DE3AC808 ACB4BDB4 C88732AE E95F41AA 9482ED1F C0EEB9CA | ||||

FC498462 5CCFC23F 65032149 E0E144AD A0241815 35A0F38E EB9FCFF3 C2C947DA | ||||

E69B4C63 4573A81C | ||||

We suppose that the responder's Diffie-Hellman private key is | ||||

r: | ||||

41CB0779 B4BDB85D 47846725 FBEC3C94 30FAB46C C8DC5060 855CC9BD A0AA2942 | ||||

E0308312 916B8ED2 960E4BD5 5A7448FC | ||||

Then the public key is given by g^r=(grx,gry) where | ||||

grx: | ||||

E558DBEF 53EECDE3 D3FCCFC1 AEA08A89 A987475D 12FD950D 83CFA417 32BC509D | ||||

0D1AC43A 0336DEF9 6FDA41D0 774A3571 | ||||

gry: | ||||

DCFBEC7A ACF31964 72169E83 8430367F 66EEBE3C 6E70C416 DD5F0C68 759DD1FF | ||||

F83FA401 42209DFF 5EAAD96D B9E6386C | ||||

The KEr payload is as follows. | ||||

00000068 00140000 E558DBEF 53EECDE3 D3FCCFC1 AEA08A89 A987475D 12FD950D | ||||

83CFA417 32BC509D 0D1AC43A 0336DEF9 6FDA41D0 774A3571 DCFBEC7A ACF31964 | ||||

72169E83 8430367F 66EEBE3C 6E70C416 DD5F0C68 759DD1FF F83FA401 42209DFF | ||||

5EAAD96D B9E6386C | ||||

The shared secret value g^ir=(girx,giry) where | ||||

girx: | ||||

11187331 C279962D 93D60424 3FD592CB 9D0A926F 422E4718 7521287E 7156C5C4 | ||||

D6031355 69B9E9D0 9CF5D4A2 70F59746 | ||||

giry: | ||||

A2A9F38E F5CAFBE2 347CF7EC 24BDD5E6 24BC93BF A82771F4 0D1B65D0 6256A852 | ||||

C983135D 4669F879 2F2C1D55 718AFBB4 | ||||

These are concatenated to form | ||||

g^ir: | ||||

11187331 C279962D 93D60424 3FD592CB 9D0A926F 422E4718 7521287E 7156C5C4 | ||||

D6031355 69B9E9D0 9CF5D4A2 70F59746 A2A9F38E F5CAFBE2 347CF7EC 24BDD5E6 | ||||

24BC93BF A82771F4 0D1B65D0 6256A852 C983135D 4669F879 2F2C1D55 718AFBB4 | ||||

This is the value which is used in the formation of SKEYSEED. | ||||

6.3 Twenty-First Group | ||||

We suppose that the initiator's Diffie-Hellman private key is | ||||

i: | ||||

0037ADE9 319A89F4 DABDB3EF 411AACCC A5123C61 ACAB57B5 393DCE47 608172A0 | ||||

95AA85A3 0FE1C295 2C6771D9 37BA9777 F5957B26 39BAB072 462F68C2 7A57382D | ||||

4A52 | ||||

Then the public key is given by g^i=(gix,giy) where | ||||

gix: | ||||

0015417E 84DBF28C 0AD3C278 713349DC 7DF153C8 97A1891B D98BAB43 57C9ECBE | ||||

E1E3BF42 E00B8E38 0AEAE57C 2D107564 94188594 2AF5A7F4 601723C4 195D176C | ||||

ED3E | ||||

giy: | ||||

017CAE20 B6641D2E EB695786 D8C94614 6239D099 E18E1D5A 514C739D 7CB4A10A | ||||

D8A78801 5AC405D7 799DC75E 7B7D5B6C F2261A6A 7F150743 8BF01BEB 6CA3926F | ||||

9582 | ||||

The KEi payload is as follows. | ||||

0000008C 00150000 0015417E 84DBF28C 0AD3C278 713349DC 7DF153C8 97A1891B | ||||

D98BAB43 57C9ECBE E1E3BF42 E00B8E38 0AEAE57C 2D107564 94188594 2AF5A7F4 | ||||

601723C4 195D176C ED3E017C AE20B664 1D2EEB69 5786D8C9 46146239 D099E18E | ||||

1D5A514C 739D7CB4 A10AD8A7 88015AC4 05D7799D C75E7B7D 5B6CF226 1A6A7F15 | ||||

07438BF0 1BEB6CA3 926F9582 | ||||

We suppose that the responder's Diffie-Hellman private key is | ||||

r: | ||||

0145BA99 A847AF43 793FDD0E 872E7CDF A16BE30F DC780F97 BCCC3F07 8380201E | ||||

9C677D60 0B343757 A3BDBF2A 3163E4C2 F869CCA7 458AA4A4 EFFC311F 5CB15168 | ||||

5EB9 | ||||

Then the public key is given by g^r=(grx,gry) where | ||||

grx: | ||||

00D0B397 5AC4B799 F5BEA16D 5E13E9AF 971D5E9B 984C9F39 728B5E57 39735A21 | ||||

9B97C356 436ADC6E 95BB0352 F6BE64A6 C2912D4E F2D0433C ED2B6171 640012D9 | ||||

460F | ||||

gry: | ||||

015C6822 6383956E 3BD066E7 97B623C2 7CE0EAC2 F551A10C 2C724D98 52077B87 | ||||

220B6536 C5C408A1 D2AEBB8E 86D678AE 49CB5709 1F473229 6579AB44 FCD17F0F | ||||

C56A | ||||

The KEr payload is as follows. | ||||

0000008c 00150000 00D0B397 5AC4B799 F5BEA16D 5E13E9AF 971D5E9B 984C9F39 | ||||

728B5E57 39735A21 9B97C356 436ADC6E 95BB0352 F6BE64A6 C2912D4E F2D0433C | ||||

ED2B6171 640012D9 460F015C 68226383 956E3BD0 66E797B6 23C27CE0 EAC2F551 | ||||

A10C2C72 4D985207 7B87220B 6536C5C4 08A1D2AE BB8E86D6 78AE49CB 57091F47 | ||||

32296579 AB44FCD1 7F0FC56A | ||||

The shared secret value g^ir=(girx,giry) where | ||||

girx: | ||||

01144C7D 79AE6956 BC8EDB8E 7C787C45 21CB086F A64407F9 7894E5E6 B2D79B04 | ||||

D1427E73 CA4BAA24 0A347868 59810C06 B3C715A3 A8CC3151 F2BEE417 996D19F3 | ||||

DDEA | ||||

giry: | ||||

01B901E6 B17DB294 7AC017D8 53EF1C16 74E5CFE5 9CDA18D0 78E05D1B 5242ADAA | ||||

9FFC3C63 EA05EDB1 E13CE5B3 A8E50C3E B622E8DA 1B38E0BD D1F88569 D6C99BAF | ||||

FA43 | ||||

These are concatenated to form | ||||

g^ir: | ||||

01144C7D 79AE6956 BC8EDB8E 7C787C45 21CB086F A64407F9 7894E5E6 B2D79B04 | ||||

D1427E73 CA4BAA24 0A347868 59810C06 B3C715A3 A8CC3151 F2BEE417 996D19F3 | ||||

DDEA01B9 01E6B17D B2947AC0 17D853EF 1C1674E5 CFE59CDA 18D078E0 5D1B5242 | ||||

ADAA9FFC 3C63EA05 EDB1E13C E5B3A8E5 0C3EB622 E8DA1B38 E0BDD1F8 8569D6C9 | ||||

9BAFFA43 | ||||

This is the value which is used in the formation of SKEYSEED. | ||||

7. References | ||||

7.1 Normative | ||||

[IANA] Internet Assigned Numbers Authority, Internet Key Exchange | ||||

(IKE) Attributes. (http://www.iana.org/assignments/ipsec-registry) | ||||

[IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC 2409, | [IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC 2409, | |||

November 1998. | November 1998. | |||

6.2 Informative | [IKEv2] C. Kaufman, Internet Key Exchange (IKEv2) Protocol, 2004, | |||

http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-17.txt | ||||

7.2 Informative | ||||

[AES] U.S. Department of Commerce/National Institute of Standards | [AES] U.S. Department of Commerce/National Institute of Standards | |||

and Technology, Advanced Encryption Standard (AES), FIPS PUB 197, | and Technology, Advanced Encryption Standard (AES), FIPS PUB 197, | |||

November 2001. (http://csrc.nist.gov/publications/fips/index.html) | November 2001. (http://csrc.nist.gov/publications/fips/index.html) | |||

[BBPS] S. Blake-Wilson, D. Brown, Y. Poeluev, M. Salter, Additional | ||||

ECC Groups for IKE, draft-ietf-ipsec-ike-ecc-groups-04.txt, | ||||

July 2002. | ||||

[DSS] U.S. Department of Commerce/National Institute of Standards | [DSS] U.S. Department of Commerce/National Institute of Standards | |||

and Technology, Digital Signature Standard (DSS), FIPS PUB 186-2, | and Technology, Digital Signature Standard (DSS), FIPS PUB 186-2, | |||

January 2000. (http://csrc.nist.gov/publications/fips/index.html) | January 2000. (http://csrc.nist.gov/publications/fips/index.html) | |||

[GMN] J. Solinas, Generalized Mersenne Numbers, Combinatorics | [GMN] J. Solinas, Generalized Mersenne Numbers, Combinatorics | |||

and Optimization Research Report 99-39, 1999. | and Optimization Research Report 99-39, 1999. | |||

(http://www.cacr.math.uwaterloo.ca/) | (http://www.cacr.math.uwaterloo.ca/) | |||

[IANA] Internet Assigned Numbers Authority, Internet Key Exchange | ||||

(IKE) Attributes. (http://www.iana.org/assignments/ipsec-registry) | ||||

[IEEE-1363] Institute of Electrical and Electronics Engineers. IEEE | [IEEE-1363] Institute of Electrical and Electronics Engineers. IEEE | |||

1363-2000, Standard for Public Key Cryptography. | 1363-2000, Standard for Public Key Cryptography. | |||

(http://grouper.ieee.org/groups/1363/index.html) | (http://grouper.ieee.org/groups/1363/index.html) | |||

[ISO-14888-3] International Organization for Standardization and | [ISO-14888-3] International Organization for Standardization and | |||

International Electrotechnical Commission, ISO/IEC First | International Electrotechnical Commission, ISO/IEC First | |||

Committee Draft 14888-3 (2nd ed.), Information Technology: | Committee Draft 14888-3 (2nd ed.), Information Technology: | |||

Security Techniques: Digital Signatures with Appendix: Part 3 - | Security Techniques: Digital Signatures with Appendix: Part 3 - | |||

Discrete Logarithm Based Mechanisms. | Discrete Logarithm Based Mechanisms. | |||

[ISO-18031] International Organization for Standardization and | [ISO-18031] International Organization for Standardization and | |||

International Electrotechnical Commission, ISO/IEC Final | International Electrotechnical Commission, ISO/IEC Final | |||

Committee Draft 18031, Information Technology: Security | Committee Draft 18031, Information Technology: Security | |||

Techniques: Random Bit Generation, October 2004. | Techniques: Random Bit Generation, October 2004. | |||

[NIST] U.S. Department of Commerce/National Institute of Standards | [NIST] U.S. Department of Commerce/National Institute of Standards | |||

and Technology. Recommendation for Key Establishment Schemes | and Technology. Recommendation for Key Establishment Schemes | |||

Using Discrete Logarithm Cryptography, NIST Special Publication | Using Discrete Logarithm Cryptography, NIST Special Publication | |||

800-56. (http://csrc.nist.gov/CryptoToolkit/KeyMgmt.html) | 800-56. (http://csrc.nist.gov/CryptoToolkit/KeyMgmt.html) | |||

[RFC-3526] T. Kivinen and M. Kojo, More Modular Exponential (MODP) | [RFC-3526] T. Kivinen and M. Kojo, More Modular Exponential MODP | |||

Diffie-Hellman groups for Internet Key Exchange (IKE), RFC | Diffie-Hellman groups for Internet Key Exchange (IKE), RFC | |||

3526, May 2003. | 3526, May 2003. | |||

[SEC2] Standards for Efficient Cryptography Group. SEC 2 - | [SEC2] Standards for Efficient Cryptography Group. SEC 2 - | |||

Recommended Elliptic Curve Domain Parameters, v. 1.0, 2000. | Recommended Elliptic Curve Domain Parameters, v. 1.0, 2000. | |||

(http://www.secg.org) | (http://www.secg.org) | |||

[X9.62-1998] American National Standards Institute, X9.62-1998: | [X9.62-1998] American National Standards Institute, X9.62-1998: | |||

Public Key Cryptography for the Financial Services Industry: The | Public Key Cryptography for the Financial Services Industry: The | |||

Elliptic Curve Digital Signature Algorithm. January 1999. | Elliptic Curve Digital Signature Algorithm. January 1999. | |||

[X9.62-2003] American National Standards Institute, X9.62-1998: | [X9.62-2003] American National Standards Institute, X9.62-1998: | |||

Public Key Cryptography for the Financial Services Industry: The | Public Key Cryptography for the Financial Services Industry: The | |||

Elliptic Curve Digital Signature Algorithm, | Elliptic Curve Digital Signature Algorithm, | |||

Revised-Draft-2003-02-26, February 2003. | Revised-Draft-2003-02-26, February 2003. | |||

[X9.63] American National Standards Institute. X9.63-2001, | [X9.63] American National Standards Institute. X9.63-2001, | |||

Public Key Cryptography for the Financial Services Industry: Key | Public Key Cryptography for the Financial Services Industry: Key | |||

Agreement and Key Transport using Elliptic Curve Cryptography. | Agreement and Key Transport using Elliptic Curve Cryptography. | |||

November 2001. | November 2001. | |||

7. Author's Address | 7. Authors' Addresses | |||

David E. Fu | ||||

National Information Assurance Research Laboratory | ||||

National Security Agency | ||||

defu@orion.ncsc.mil | ||||

Jerome A. Solinas | Jerome A. Solinas | |||

National Information Assurance Research Laboratory | ||||

National Security Agency | National Security Agency | |||

jasolin@orion.ncsc.mil | jasolin@orion.ncsc.mil | |||

Comments are solicited and should be addressed to the author. | Comments are solicited and should be addressed to the author. | |||

Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2005). | |||

This document is subject to the rights, licenses and restrictions | This document is subject to the rights, licenses and restrictions | |||

contained in BCP 78, and except as set forth therein, the authors | contained in BCP 78, and except as set forth therein, the authors | |||

retain all their rights. | retain all their rights. | |||

This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||

"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | |||

OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | |||

ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | |||

INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | |||

INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | |||

WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | |||
