Network Working Group                                              D. Fu
Request for Comments: 4753                                    J. Solinas
Category: Informational                                              NSA
                                                            January 2007

                      ECP Groups For IKE and IKEv2
Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).
Abstract

   This document describes new Elliptic Curve Cryptography (ECC) groups
   for use in the Internet Key Exchange (IKE) and Internet Key Exchange
   version 2 (IKEv2) protocols in addition to previously defined groups.
   Specifically, the new curve groups are based on modular arithmetic
   rather than binary arithmetic.  These new groups are defined to align
   IKE and IKEv2 with other ECC implementations and standards,
   particularly NIST standards.  In addition, the curves defined here
   can provide more efficient implementation than previously defined ECC
   groups.
Table of Contents

   1.  Introduction
   2.  Requirements Terminology
   3.  Additional ECC Groups
       3.1.  256-bit Random ECP Group
       3.2.  384-bit Random ECP Group
       3.3.  521-bit Random ECP Group
   4.  Security Considerations
   5.  Alignment with Other Standards
   6.  IANA Considerations
   7.  ECP Key Exchange Data Formats
   8.  Test Vectors
       8.1.  256-bit Random ECP Group
       8.2.  384-bit Random ECP Group
       8.3.  521-bit Random ECP Group
   9.  References
       9.1.  Normative References
       9.2.  Informative References
1.  Introduction

   This document describes default Diffie-Hellman groups for use in IKE
   and IKEv2 in addition to the Oakley groups included in [IKE] and the
   additional groups defined since [IANA-IKE].  This document assumes
   that the reader is familiar with the IKE protocol and the concept of
   Oakley Groups, as defined in RFC 2409 [IKE].

   RFC 2409 [IKE] defines five standard Oakley Groups: three modular
   exponentiation groups and two elliptic curve groups over GF[2^N].
   One modular exponentiation group (768 bits - Oakley Group 1) is
   mandatory for all implementations to support, while the other four
   are optional.  Thirteen additional groups subsequently have been
   defined and assigned values by IANA.  All of these additional groups
   are optional.  Of the eighteen groups defined so far, eight are MODP
   groups (exponentiation groups modulo a prime), and ten are EC2N
   groups (elliptic curve groups over GF[2^N]).  See [RFC3526] for more
   information on MODP groups.

   The purpose of this document is to expand the options available to
   implementers of elliptic curve groups by adding three ECP groups
   (elliptic curve groups modulo a prime).  The reasons for adding such
   groups include the following.

   - The groups proposed afford efficiency advantages in software
     applications since the underlying arithmetic is integer arithmetic
     modulo a prime rather than binary field arithmetic.  (Additional
     computational advantages for these groups are presented in [GMN].)

   - The groups proposed encourage alignment with other elliptic curve
     standards.  The proposed groups are among those standardized by
     NIST, the Standards for Efficient Cryptography Group (SECG), ISO,
     and ANSI.  (See Section 5 for details.)

   - The groups proposed are capable of providing security consistent
     with the new Advanced Encryption Standard.

   These groups could also be defined using the New Group Mode, but
   including them in this RFC will encourage interoperability of IKE
   implementations based upon elliptic curve groups.  In addition, the
   availability of standardized groups will result in optimizations for
   a particular curve and field size and allow precomputation that could
   result in faster implementations.

   In summary, due to the performance advantages of elliptic curve
   groups in IKE implementations and the need for further alignment with
   other standards, this document defines three elliptic curve groups
   based on modular arithmetic.
2.  Requirements Terminology

   The keywords "MUST" and "SHOULD" that appear in this document are to
   be interpreted as described in [RFC2119].

3.  Additional ECC Groups

   The notation adopted in RFC 2409 [IKE] is used below to describe the
   new groups proposed.
3.1.  256-bit Random ECP Group

   IKE and IKEv2 implementations SHOULD support an ECP group with the
   following characteristics.  The curve is based on the integers modulo
   the generalized Mersenne prime p given by

      p = 2^(256)-2^(224)+2^(192)+2^(96)-1

   The equation for the elliptic curve is:

      y^2 = x^3 - 3 x + b

   Field Size:
      256

   Group Prime/Irreducible Polynomial:
      FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFF

   Group Curve b:
      5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B

   Group Order:
      FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551

   The group was chosen verifiably at random using SHA-1 as specified in
   [IEEE-1363] from the seed:

      C49D3608 86E70493 6A6678E1 139D26B7 819F7E90

   The generator for this group is given by g=(gx,gy) where

   gx:
      6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296

   gy:
      4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51F5
3.2.  384-bit Random ECP Group

   IKE and IKEv2 implementations SHOULD support an ECP group with the
   following characteristics.  The curve is based on the integers modulo
   the generalized Mersenne prime p given by

      p = 2^(384)-2^(128)-2^(96)+2^(32)-1

   The equation for the elliptic curve is:

      y^2 = x^3 - 3 x + b

   Field Size:
      384

   Group Prime/Irreducible Polynomial:
      FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE
      FFFFFFFF 00000000 00000000 FFFFFFFF

   Group Curve b:
      B3312FA7 E23EE7E4 988E056B E3F82D19 181D9C6E FE814112 0314088F 5013875A
      C656398D 8A2ED19D 2A85C8ED D3EC2AEF

   Group Order:
      FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF C7634D81 F4372DDF
      581A0DB2 48B0A77A ECEC196A CCC52973

   The group was chosen verifiably at random using SHA-1 as specified in
   [IEEE-1363] from the seed:

      A335926A A319A27A 1D00896A 6773A482 7ACDAC73

   The generator for this group is given by g=(gx,gy) where

   gx:
      AA87CA22 BE8B0537 8EB1C71E F320AD74 6E1D3B62 8BA79B98 59F741E0 82542A38
      5502F25D BF55296C 3A545E38 72760AB7

   gy:
      3617DE4A 96262C6F 5D9E98BF 9292DC29 F8F41DBD 289A147C E9DA3113 B5F0B8C0
      0A60B1CE 1D7E819D 7A431D7C 90EA0E5F
3.3.  521-bit Random ECP Group

   IKE and IKEv2 implementations SHOULD support an ECP group with the
   following characteristics.  The curve is based on the integers modulo
   the Mersenne prime p given by

      p = 2^(521)-1

   The equation for the elliptic curve is:

      y^2 = x^3 - 3 x + b

   Field Size:
      521

   Group Prime/Irreducible Polynomial:
      01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      FFFF

   Group Curve b:
      0051953E B9618E1C 9A1F929A 21A0B685 40EEA2DA 725B99B3 15F3B8B4 89918EF1
      09E15619 3951EC7E 937B1652 C0BD3BB1 BF073573 DF883D2C 34F1EF45 1FD46B50
      3F00

   Group Order:
      01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      FFFA5186 8783BF2F 966B7FCC 0148F709 A5D03BB5 C9B8899C 47AEBB6F B71E9138
      6409

   The group was chosen verifiably at random using SHA-1 as specified in
   [IEEE-1363] from the seed:

      D09E8800 291CB853 96CC6717 393284AA A0DA64BA

   The generator for this group is given by g=(gx,gy) where

   [...]
4.  Security Considerations

   Since this document proposes new groups for use within IKE and IKEv2,
   many of the security considerations contained within [IKE] and
   [IKEv2] apply here as well.

   The groups proposed in this document correspond to the symmetric key
   sizes 128 bits, 192 bits, and 256 bits.  This allows the IKE key
   exchange to offer security comparable with the AES algorithms [AES].
5.  Alignment with Other Standards

   The following table summarizes the appearance of these three elliptic
   curve groups in other standards.

                          256-bit        384-bit        521-bit
                          Random         Random         Random
   Standard               ECP Group      ECP Group      ECP Group
   -----------            ------------   ------------   ------------
   NIST [DSS]             P-256          P-384          P-521
   ISO/IEC [ISO-15946-1]  P-256
   ISO/IEC [ISO-18031]    P-256          P-384          P-521
   ANSI [X9.62-1998]      Sect. J.5.3,
                          Example 1
   ANSI [X9.62-2005]      Sect. L.6.4.3  Sect. L.6.5.2  Sect. L.6.6.2
   ANSI [X9.63]           Sect. J.5.4,   Sect. J.5.5    Sect. J.5.6
                          Example 2
   SECG [SEC2]            secp256r1      secp384r1      secp521r1

   See also [NIST], [ISO-14888-3], [ISO-15946-2], [ISO-15946-3], and
   [ISO-15946-4].
6.  IANA Considerations

   IANA has updated its registries of Diffie-Hellman groups for IKE in
   [IANA-IKE] and for IKEv2 in [IANA-IKEv2] to include the groups
   defined above.

   In [IANA-IKE], the groups appear as new entries in the list of
   Diffie-Hellman groups given by Group Description (attribute class 4).
   The descriptions are "256-bit random ECP group", "384-bit random ECP
   group", and "521-bit random ECP group".  In each case, the group type
   (attribute class 5) has the value 2 (ECP, elliptic curve group over
   GF[P]).

   In [IANA-IKEv2], the groups appear as new entries in the list of
   IKEv2 transform type values for Transform Type 4 (Diffie-Hellman
   groups).
7.  ECP Key Exchange Data Formats

   In an ECP key exchange, the Diffie-Hellman public value passed in a
   KE payload consists of two components, x and y, corresponding to the
   coordinates of an elliptic curve point.  Each component MUST have bit
   length as given in the following table.

      Diffie-Hellman group       component bit length
      ------------------------   --------------------
      256-bit Random ECP Group   256
      384-bit Random ECP Group   384
      521-bit Random ECP Group   528

   This length is enforced, if necessary, by prepending the value with
   zeros.

   [...] and y values.

   The format of the Diffie-Hellman shared secret value is the same as
   that of the Diffie-Hellman public value.
8.  Test Vectors

   The following are examples of the IKEv2 key exchange payload for each
   of the three groups specified in this document.

   We denote by g^n the scalar multiple of the point g by the integer n;
   it is another point on the curve.  In the literature, the scalar
   multiple is typically denoted ng; the notation g^n is used in order
   to conform to the notation used in [IKE] and [IKEv2].

8.1.  256-bit Random ECP Group

   IANA assigned the ID value 19 to this Diffie-Hellman group.

   We suppose that the initiator's Diffie-Hellman private key is

   i:
      C88F01F5 10D9AC3F 70A292DA A2316DE5 44E9AAB8 AFE84049 C62A9C57 862D1433

   Then the public key is given by g^i=(gix,giy) where

   gix:
      DAD0B653 94221CF9 B051E1FE CA5787D0 98DFE637 FC90B9EF 945D0C37 72581180

   [...]

   giry:
      522BDE0A F0D8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5D98EDB2 0EB153A2

   These are concatenated to form

   g^ir:
      D6840F6B 42F6EDAF D13116E0 E1256520 2FEF8E9E CE7DCE03 812464D0 4B9442DE
      522BDE0A F0D8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5D98EDB2 0EB153A2

   This is the value that is used in the formation of SKEYSEED.

8.2.  384-bit Random ECP Group

   IANA assigned the ID value 20 to this Diffie-Hellman group.

   We suppose that the initiator's Diffie-Hellman private key is

   i:
      099F3C70 34D4A2C6 99884D73 A375A67F 7624EF7C 6B3C0F16 0647B674 14DCE655
      E35B5380 41E649EE 3FAEF896 783AB194

   Then the public key is given by g^i=(gix,giy) where

   gix:

   [...]

      A2A9F38E F5CAFBE2 347CF7EC 24BDD5E6 24BC93BF A82771F4 0D1B65D0 6256A852
      C983135D 4669F879 2F2C1D55 718AFBB4

   These are concatenated to form

   g^ir:
      11187331 C279962D 93D60424 3FD592CB 9D0A926F 422E4718 7521287E 7156C5C4
      D6031355 69B9E9D0 9CF5D4A2 70F59746 A2A9F38E F5CAFBE2 347CF7EC 24BDD5E6
      24BC93BF A82771F4 0D1B65D0 6256A852 C983135D 4669F879 2F2C1D55 718AFBB4

   This is the value that is used in the formation of SKEYSEED.

8.3.  521-bit Random ECP Group

   IANA assigned the ID value 21 to this Diffie-Hellman group.

   We suppose that the initiator's Diffie-Hellman private key is

   i:
      0037ADE9 319A89F4 DABDB3EF 411AACCC A5123C61 ACAB57B5 393DCE47 608172A0
      95AA85A3 0FE1C295 2C6771D9 37BA9777 F5957B26 39BAB072 462F68C2 7A57382D
      4A52

   Then the public key is given by g^i=(gix,giy) where

   gix:
      0015417E 84DBF28C 0AD3C278 713349DC 7DF153C8 97A1891B D98BAB43 57C9ECBE
      E1E3BF42 E00B8E38 0AEAE57C 2D107564 94188594 2AF5A7F4 601723C4 195D176C
      ED3E

   giy:
      017CAE20 B6641D2E EB695786 D8C94614 6239D099 E18E1D5A 514C739D 7CB4A10A
      D8A78801 5AC405D7 799DC75E 7B7D5B6C F2261A6A 7F150743 8BF01BEB 6CA3926F

   [...]

   These are concatenated to form

   g^ir:
      01144C7D 79AE6956 BC8EDB8E 7C787C45 21CB086F A64407F9 7894E5E6 B2D79B04
      D1427E73 CA4BAA24 0A347868 59810C06 B3C715A3 A8CC3151 F2BEE417 996D19F3
      DDEA01B9 01E6B17D B2947AC0 17D853EF 1C1674E5 CFE59CDA 18D078E0 5D1B5242
      ADAA9FFC 3C63EA05 EDB1E13C E5B3A8E5 0C3EB622 E8DA1B38 E0BDD1F8 8569D6C9
      9BAFFA43

   This is the value that is used in the formation of SKEYSEED.
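   The following Python is an added example, not code from RFC 4753 or
   from its authors.  It builds the 256-bit and 384-bit random ECP groups
   from the parameters in Sections 3.1 and 3.2, implements the fixed-
   length x || y payload layout of Section 7 (32- and 48-byte components;
   the 521-bit group would use 66-byte components but its generator is not
   shown on this page, so it is left out), and then checks what the page
   lets a reader check: both generators lie on their curves, the 256-bit
   generator has the stated order, the initiator private key i of Section
   8.1 reproduces the stated gix, the g^ir values of Sections 8.1 and 8.2
   parse as valid curve points, and a corrupted payload is rejected.  The
   names EcpGroup, encode_ke, decode_ke and check_vectors are this
   example's own, not identifiers from the document.

```python
# Added example (not part of RFC 4753): affine arithmetic on the 256- and
# 384-bit random ECP groups, Section 7 KE payload layout, Section 8 checks.
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity
INF: Point = None


def _h(words: str) -> int:
    """Parse the document's space-separated hex word layout into an int."""
    return int(words.replace(" ", ""), 16)


@dataclass(frozen=True)
class EcpGroup:          # example's own container for one group's parameters
    name: str
    p: int               # field prime
    b: int               # coefficient b in y^2 = x^3 - 3x + b
    n: int               # group order
    gx: int              # generator x
    gy: int              # generator y
    comp_len: int        # KE payload component length in bytes (Section 7)


# Parameters copied from Sections 3.1 and 3.2.
P256 = EcpGroup(
    "256-bit Random ECP Group",
    p=_h("FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFF"),
    b=_h("5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B"),
    n=_h("FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551"),
    gx=_h("6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296"),
    gy=_h("4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51F5"),
    comp_len=32)          # 256 bits
P384 = EcpGroup(
    "384-bit Random ECP Group",
    p=_h("FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE "
         "FFFFFFFF 00000000 00000000 FFFFFFFF"),
    b=_h("B3312FA7 E23EE7E4 988E056B E3F82D19 181D9C6E FE814112 0314088F 5013875A "
         "C656398D 8A2ED19D 2A85C8ED D3EC2AEF"),
    n=_h("FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF C7634D81 F4372DDF "
         "581A0DB2 48B0A77A ECEC196A CCC52973"),
    gx=_h("AA87CA22 BE8B0537 8EB1C71E F320AD74 6E1D3B62 8BA79B98 59F741E0 82542A38 "
          "5502F25D BF55296C 3A545E38 72760AB7"),
    gy=_h("3617DE4A 96262C6F 5D9E98BF 9292DC29 F8F41DBD 289A147C E9DA3113 B5F0B8C0 "
          "0A60B1CE 1D7E819D 7A431D7C 90EA0E5F"),
    comp_len=48)          # 384 bits (the 521-bit group would pad to 528 bits = 66 bytes)


def on_curve(g: EcpGroup, P: Point) -> bool:
    """True if P is infinity or a reduced point satisfying y^2 = x^3 - 3x + b."""
    if P is INF:
        return True
    x, y = P
    return 0 <= x < g.p and 0 <= y < g.p and (y * y - (x * x * x - 3 * x + g.b)) % g.p == 0


def add(g: EcpGroup, P: Point, Q: Point) -> Point:
    """Affine point addition (doubling when P == Q) with a = -3."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % g.p == 0:                     # Q == -P
            return INF
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, g.p) % g.p   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, g.p) % g.p
    x3 = (lam * lam - x1 - x2) % g.p
    return (x3, (lam * (x1 - x3) - y1) % g.p)


def mul(g: EcpGroup, k: int, P: Point) -> Point:
    """Scalar multiple, written g^k in the document. Plain double-and-add:
    fine for checking vectors, not constant-time, so not for live keys."""
    R: Point = INF
    for bit in bin(k)[2:]:
        R = add(g, R, R)
        if bit == "1":
            R = add(g, R, P)
    return R


def encode_ke(g: EcpGroup, P: Point) -> bytes:
    """Section 7 layout: x || y, each left-padded with zeros to comp_len bytes."""
    x, y = P
    return x.to_bytes(g.comp_len, "big") + y.to_bytes(g.comp_len, "big")


def decode_ke(g: EcpGroup, data: bytes) -> Point:
    """Parse a KE payload or shared secret, rejecting anything off the curve."""
    if len(data) != 2 * g.comp_len:
        raise ValueError(f"{g.name}: expected {2 * g.comp_len} bytes, got {len(data)}")
    P = (int.from_bytes(data[:g.comp_len], "big"), int.from_bytes(data[g.comp_len:], "big"))
    if not on_curve(g, P):
        raise ValueError(f"{g.name}: point is not on the curve")
    return P


# Section 8.1: initiator private key i and the x coordinate gix of g^i.
I_256 = _h("C88F01F5 10D9AC3F 70A292DA A2316DE5 44E9AAB8 AFE84049 C62A9C57 862D1433")
GIX_256 = _h("DAD0B653 94221CF9 B051E1FE CA5787D0 98DFE637 FC90B9EF 945D0C37 72581180")
# Shared secrets g^ir from Sections 8.1 and 8.2, already in Section 7 layout.
GIR_256 = bytes.fromhex("D6840F6B42F6EDAFD13116E0E12565202FEF8E9ECE7DCE03812464D04B9442DE"
                        "522BDE0AF0D8585B8DEF9C183B5AE38F50235206A8674ECB5D98EDB20EB153A2")
GIR_384 = bytes.fromhex("11187331C279962D93D604243FD592CB9D0A926F422E47187521287E7156C5C4"
                        "D603135569B9E9D09CF5D4A270F59746A2A9F38EF5CAFBE2347CF7EC24BDD5E6"
                        "24BC93BFA82771F40D1B65D06256A852C983135D4669F8792F2C1D55718AFBB4")


def initiator_public_value(g: EcpGroup, i: int) -> bytes:
    """g^i in the KE payload layout, as the initiator would send it."""
    return encode_ke(g, mul(g, i, (g.gx, g.gy)))


def check_vectors() -> dict:
    """Recompute everything this page lets us verify; every value should be True."""
    pub = initiator_public_value(P256, I_256)
    tampered = bytes([GIR_256[0] ^ 0x01]) + GIR_256[1:]   # constructed bad payload
    try:
        decode_ke(P256, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "gen256_on_curve": on_curve(P256, (P256.gx, P256.gy)),
        "gen384_on_curve": on_curve(P384, (P384.gx, P384.gy)),
        "gen256_has_order_n": mul(P256, P256.n, (P256.gx, P256.gy)) is INF,
        "gix256_matches_page": int.from_bytes(pub[:32], "big") == GIX_256,
        "gir256_valid_point": on_curve(P256, decode_ke(P256, GIR_256)),
        "gir384_valid_point": on_curve(P384, decode_ke(P384, GIR_384)),
        "tampered_payload_rejected": rejected,
    }
```

   decode_ke is the piece a receiver cares about: the length check
   enforces the Section 7 table, and the on-curve check refuses a peer
   value that is not actually a point on the negotiated curve before it
   is ever multiplied by a private key.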
9.  References

9.1.  Normative References

   [IANA-IKE]    Internet Assigned Numbers Authority, Internet Key
                 Exchange (IKE) Attributes.
                 (http://www.iana.org/assignments/ipsec-registry)

   [IANA-IKEv2]  IKEv2 Parameters.
                 (http://www.iana.org/assignments/ikev2-parameters)

   [IKE]         Harkins, D. and D. Carrel, "The Internet Key Exchange
                 (IKE)", RFC 2409, November 1998.

   [IKEv2]       Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
                 RFC 4306, December 2005.

   [RFC2119]     Bradner, S., "Key words for use in RFCs to Indicate
                 Requirement Levels", BCP 14, RFC 2119, March 1997.

9.2.  Informative References

   [AES]         U.S. Department of Commerce/National Institute of
                 Standards and Technology, Advanced Encryption Standard
                 (AES), FIPS PUB 197, November 2001.
                 (http://csrc.nist.gov/publications/fips/index.html)

   [DSS]         U.S. Department of Commerce/National Institute of
                 Standards and Technology, Digital Signature Standard
                 (DSS), FIPS PUB 186-2, January 2000.
                 (http://csrc.nist.gov/publications/fips/index.html)

   [GMN]         J. Solinas, Generalized Mersenne Numbers,
                 Combinatorics and Optimization Research Report 99-39,
                 1999.  (http://www.cacr.math.uwaterloo.ca/)

   [IEEE-1363]   Institute of Electrical and Electronics Engineers.
                 IEEE 1363-2000, Standard for Public Key Cryptography.
                 (http://grouper.ieee.org/groups/1363/index.html)

   [ISO-14888-3] International Organization for Standardization and
                 International Electrotechnical Commission, ISO/IEC
                 14888-3:2006, Information Technology: Security
                 Techniques: Digital Signatures with Appendix: Part 3
                 - Discrete Logarithm Based Mechanisms.

   [ISO-15946-1] International Organization for Standardization and
                 International Electrotechnical Commission, ISO/IEC
                 15946-1: 2002-12-01, Information Technology: Security
                 Techniques: Cryptographic Techniques based on Elliptic
                 Curves: Part 1 - General.

   [ISO-15946-2] International Organization for Standardization and
                 International Electrotechnical Commission, ISO/IEC
                 15946-2: 2002-12-01, Information Technology: Security
                 Techniques: Cryptographic Techniques based on Elliptic
                 Curves: Part 2 - Digital Signatures.

   [ISO-15946-3] International Organization for Standardization and
                 International Electrotechnical Commission, ISO/IEC
                 15946-3: 2002-12-01, Information Technology: Security
                 Techniques: Cryptographic Techniques based on Elliptic
                 Curves: Part 3 - Key Establishment.

   [ISO-15946-4] International Organization for Standardization and
                 International Electrotechnical Commission, ISO/IEC
                 15946-4: 2004-10-01, Information Technology: Security
                 Techniques: Cryptographic Techniques based on Elliptic
                 Curves: Part 4 - Digital Signatures giving Message
                 Recovery.

   [ISO-18031]   International Organization for Standardization and
                 International Electrotechnical Commission, ISO/IEC
                 18031:2005, Information Technology: Security
                 Techniques: Random Bit Generation.

   [NIST]        U.S. Department of Commerce/National Institute of
                 Standards and Technology.  Recommendation for Pair-
                 Wise Key Establishment Schemes Using Discrete
                 Logarithm Cryptography, NIST Special Publication
                 800-56A, March 2006.
                 (http://csrc.nist.gov/CryptoToolkit/KeyMgmt.html)

   [RFC3526]     Kivinen, T. and M. Kojo, "More Modular Exponential
                 (MODP) Diffie-Hellman groups for Internet Key Exchange
                 (IKE)", RFC 3526, May 2003.

   [SEC2]        Standards for Efficient Cryptography Group.  SEC 2 -
                 Recommended Elliptic Curve Domain Parameters, v. 1.0,
                 2000.  (http://www.secg.org)

   [X9.62-1998]  American National Standards Institute, X9.62-1998:
                 Public Key Cryptography for the Financial Services
                 Industry: The Elliptic Curve Digital Signature
                 Algorithm.  January 1999.
[X9.62-2003] American National Standards Institute, X9.62-1998: [X9.62-2005] American National Standards Institute, X9.62:2005:
Public Key Cryptography for the Financial Services Industry: The Public Key Cryptography for the Financial Services
Elliptic Curve Digital Signature Algorithm, Industry: The Elliptic Curve Digital Signature
Revised-Draft-2003-02-26, February 2003. Algorithm (ECDSA).
[X9.63] American National Standards Institute. X9.63-2001, [X9.63] American National Standards Institute. X9.63-2001,
Public Key Cryptography for the Financial Services Industry: Key Public Key Cryptography for the Financial Services
Agreement and Key Transport using Elliptic Curve Cryptography. Industry: Key Agreement and Key Transport using
November 2001. Elliptic Curve Cryptography. November 2001.
Authors' Addresses

David E. Fu
National Information Assurance Research Laboratory
National Security Agency
EMail: defu@orion.ncsc.mil

Jerome A. Solinas
National Information Assurance Research Laboratory
National Security Agency
EMail: jasolin@orion.ncsc.mil

Comments are solicited and should be addressed to the author. (draft-ietf-ipsec-ike-ecp-groups-03 only)
Full Copyright Statement

Copyright (C) The Internet Society (2006). [draft-ietf-ipsec-ike-ecp-groups-03]
Copyright (C) The IETF Trust (2007). [RFC 4753]

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST (added in RFC 4753) AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
End of changes. 76 change blocks. 179 lines changed or deleted, 174 lines changed or added.

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/