IPSec Working Group J. Solinas, NSA INTERNET-DRAFT Expires October 2, 2005 March 31, 2005 IKEv2 Authentication Using ECDSA Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Abstract This document describes how the Elliptic Curve Digital Signature Algorithm (ECDSA) may be used as the authentication method within the Internet Key Exchange protocol, version 2 (IKEv2). ECDSA may provide benefits including computational efficiency, small signature sizes, and minimal bandwidth, compared to other available digital signature methods. This document adds ECDSA capability to IKEv2 without introducing any changes to existing IKEv2 operation. Solinas [Page 1] INTERNET-DRAFT IKEv2 Authentication Using ECDSA March 2005 1. Introduction The Internet Key Exchange version 2, or IKEv2 [IKEv2], is a key agreement and security negotiation protocol; it is used for key establishment in IPSec. In the authentication exchange IKE_AUTH of IKEv2, both parties must authenticate each other using a negotiated authentication method. The defined methods are as follows: RSA Digital Signature 1 Shared Key Message Integrity Code 2 DSS Digital Signature 3 The numbers corresponding to each method are used to identify the method in the authentication payload ([IKEv2], sect. 3.8). This draft defines a fourth option: ECDSA Digital Signature 4 For any given level of security against the best attacks known, ECDSA signatures are smaller than RSA signatures and ECDSA keys require less bandwidth than DSA keys; there are also advantages of computational speed and efficiency in many settings. Additional efficiency may be gained by simultaneously using ECDSA for IKEv2 authentication and using elliptic curve groups for the IKEv2 key exchange. Implementers of IPSec and IKEv2 may therefore find it desirable to use ECDSA as the IKE_AUTH authentication method. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. ECDSA The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the DSA (DSS) signature method [DSS]. It is defined in the ANSI X9.62 standard [X9.62]. Other compatible specifications include FIPS 186-2 [DSS], IEEE 1363 [IEEE-1363], IEEE 1363A [IEEE-1363A], and SEC1 [SEC1]. Like DSA, ECDSA incorporates the use of a hash function. [SHS] specifies hash functions that are appropriate for use with ECDSA. Implementations of IKEv2 using ECDSA SHOULD use one of these hash functions. ECDSA signatures are smaller than RSA signatures of similar cryptographic strength. ECDSA public keys (and certificates) are smaller than similar strength DSA keys, resulting in improved communications efficiency. Furthermore, on many platforms ECDSA operations can be computed more quickly than similar strength RSA Solinas [Page 2] INTERNET-DRAFT IKEv2 Authentication Using ECDSA March 2005 or DSA operations (see [LV] for a security analysis of key sizes across public key algorithms). These advantages of signature size, bandwidth, and computational efficiency may make ECDSA an attractive choice for many IKE implementations. Recommended elliptic curve domain parameters for use with ECDSA are given in FIPS 186-2 [DSS], ANSI X9.62 [X9.62], and SEC 2 [SEC2]. Implementations of IKEv2 using ECDSA MAY use one of these domain parameters. A subset of these parameters are recommended in [IKEv2-ECC] for use in the IKEv2 key exchange. These parameters MAY be used for ECDSA as well. 3. Specifying ECDSA within IKEv2 The sequence of IKE_AUTH message payloads is the same with ECDSA signatures as with DSS or RSA signatures. When ECDSA is used in IKEv2, the signature payload SHALL contain an encoding of the computed signature, consisting of a pair of integers r and s, encoded as a byte string using the ASN.1 syntax "ECDSA-Sig-Value" with DER encoding rules as specified in ANSI X9.62 [X9.62]. As with the other digital signature methods, ECDSA authentication requires the parties to know and trust each other's public key. This can be done by exchanging certificates if the public keys of the parties are not already known to each other. The use of Internet X.509 public key infrastructure certificates [RFC-3280] is recommended; the representation of ECDSA keys in X.509 certificates is specified in [RFC-3279]. This representation SHOULD be used if X.509 certificates are used. The certificates MAY be exchanged as part of the IKE_AUTH exchange (see [IKEv2], sect. 2.15). Implemententers may find it convenient, when using ECDSA as the authentication method, to specify the hash used by ECDSA as the value of the hash algorithm attribute. Implementers may also find it convenient to use ECDSA authentication in conjunction with an elliptic curve group for the IKEv2 Diffie-Hellman key agreement; see [IKEv2-ECC] for some specific curves for the key agreement. 4. Security Considerations Implementors should ensure that appropriate security measures are in place when they deploy ECDSA within IKEv2. In particular, the security of ECDSA requires the careful selection of both key sizes and elliptic curve domain parameters. Selection guidelines for these parameters and some specific recommended curves that are considered safe are provided in ANSI X9.62 [X9.62], FIPS 186-2 [DSS], and SEC 2 [SEC2]. Solinas [Page 3] INTERNET-DRAFT IKEv2 Authentication Using ECDSA March 2005 5. IANA Considerations This document has no actions for IANA. 6. References 6.1 Normative [IKEv2] C. Kaufman, Internet Key Exchange (IKEv2) Protocol, 2004, http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-17.txt [X9.62] American National Standards Institute, ANS X9.62-1998: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm. January 1999. 6.2 Informative [DSS] U.S. Department of Commerce/National Institute of Standards and Technology, Digital Signature Standard (DSS), FIPS PUB 186-2, January 2000. (http://csrc.nist.gov/publications/fips/index.html) [IANA] Internet Assigned Numbers Authority, Internet Key Exchange (IKE) Attributes. (http://www.iana.org/assignments/ipsec-registry) [IEEE-1363] Institute of Electrical and Electronics Engineers. IEEE 1363-2000, Standard for Public Key Cryptography. (http://grouper.ieee.org/groups/1363/index.html) [IEEE-1363A] Institute of Electrical and Electronics Engineers. IEEE 1363A-2004, Standard for Public Key Cryptography - Amendment 1: Additional Techniques. (http://grouper.ieee.org/groups/1363/index.html) [IKEv2-ECC] J. Solinas, ECC Groups For IKEv2, 2005. (draft-ietf-ipsec-ikev2-ecc-groups-00.txt) [LV] A. Lenstra and E. Verheul, "Selecting Cryptographic Key Sizes", Journal of Cryptology 14 (2001), pp. 255-293. [RFC-3279] Bassham, L., Housley, R., and Polk, W., RFC 3279, Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, 2002. (http://www.ietf.org/rfc/rfc3279.txt) [RFC-3280] Housley, R., Polk, W., Ford, W. and D. Solo, RFC 3280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, 2002. (http://www.ietf.org/rfc/rfc3279.txt) Solinas [Page 4] INTERNET-DRAFT IKEv2 Authentication Using ECDSA March 2005 [SEC1] Standards for Efficient Cryptography Group. SEC 1 - Elliptic Curve Cryptography, v. 1.0, 2000. (http://www.secg.org) [SEC2] Standards for Efficient Cryptography Group. SEC 2 - Recommended Elliptic Curve Domain Parameters, v. 1.0, 2000. (http://www.secg.org) [SHS] FIPS 180-2, "Secure Hash Standard", National Institute of Standards and Technology, 2002. Solinas [Page 5] INTERNET-DRAFT IKEv2 Authentication Using ECDSA March 2005 7. Author's Address Jerome A. Solinas National Security Agency jsolinas@orion.ncsc.mil Comments are solicited and should be addressed to the author. Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Expires October 2, 2005 Solinas [Page 6] IPSec Working Group J. Solinas, NSA INTERNET-DRAFT Expires October 2, 2005 March 31, 2005 IKEv2 Authentication Using ECDSA Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Abstract This document describes how the Elliptic Curve Digital Signature Algorithm (ECDSA) may be used as the authentication method within the Internet Key Exchange protocol, version 2 (IKEv2). ECDSA may provide benefits including computational efficiency, small signature sizes, and minimal bandwidth, compared to other available digital signature methods. This document adds ECDSA capability to IKEv2 without introducing any changes to existing IKEv2 operation. Solinas [Page 1] INTERNET-DRAFT IKEv2 Authentication Using ECDSA March 2005 1. Introduction The Internet Key Exchange version 2, or IKEv2 [IKEv2], is a key agreement and security negotiation protocol; it is used for key establishment in IPSec. In the authentication exchange IKE_AUTH of IKEv2, both parties must authenticate each other using a negotiated authentication method. The defined methods are as follows: RSA Digital Signature 1 Shared Key Message Integrity Code 2 DSS Digital Signature 3 The numbers corresponding to each method are used to identify the method in the authentication payload ([IKEv2], sect. 3.8). This draft defines a fourth option: ECDSA Digital Signature 4 For any given level of security against the best attacks known, ECDSA signatures are smaller than RSA signatures and ECDSA keys require less bandwidth than DSA keys; there are also advantages of computational speed and efficiency in many settings. Additional efficiency may be gained by simultaneously using ECDSA for IKEv2 authentication and using elliptic curve groups for the IKEv2 key exchange. Implementers of IPSec and IKEv2 may therefore find it desirable to use ECDSA as the IKE_AUTH authentication method. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. ECDSA The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the DSA (DSS) signature method [DSS]. It is defined in the ANSI X9.62 standard [X9.62]. Other compatible specifications include FIPS 186-2 [DSS], IEEE 1363 [IEEE-1363], IEEE 1363A [IEEE-1363A], and SEC1 [SEC1]. Like DSA, ECDSA incorporates the use of a hash function. [SHS] specifies hash functions that are appropriate for use with ECDSA. Implementations of IKEv2 using ECDSA SHOULD use one of these hash functions. ECDSA signatures are smaller than RSA signatures of similar cryptographic strength. ECDSA public keys (and certificates) are smaller than similar strength DSA keys, resulting in improved communications efficiency. Furthermore, on many platforms ECDSA operations can be computed more quickly than similar strength RSA Solinas [Page 2] INTERNET-DRAFT IKEv2 Authentication Using ECDSA March 2005 or DSA operations (see [LV] for a security analysis of key sizes across public key algorithms). These advantages of signature size, bandwidth, and computational efficiency may make ECDSA an attractive choice for many IKE implementations. Recommended elliptic curve domain parameters for use with ECDSA are given in FIPS 186-2 [DSS], ANSI X9.62 [X9.62], and SEC 2 [SEC2]. Implementations of IKEv2 using ECDSA MAY use one of these domain parameters. A subset of these parameters are recommended in [IKEv2-ECC] for use in the IKEv2 key exchange. These parameters MAY be used for ECDSA as well. 3. Specifying ECDSA within IKEv2 The sequence of IKE_AUTH message payloads is the same with ECDSA signatures as with DSS or RSA signatures. When ECDSA is used in IKEv2, the signature payload SHALL contain an encoding of the computed signature, consisting of a pair of integers r and s, encoded as a byte string using the ASN.1 syntax "ECDSA-Sig-Value" with DER encoding rules as specified in ANSI X9.62 [X9.62]. As with the other digital signature methods, ECDSA authentication requires the parties to know and trust each other's public key. This can be done by exchanging certificates if the public keys of the parties are not already known to each other. The use of Internet X.509 public key infrastructure certificates [RFC-3280] is recommended; the representation of ECDSA keys in X.509 certificates is specified in [RFC-3279]. This representation SHOULD be used if X.509 certificates are used. The certificates MAY be exchanged as part of the IKE_AUTH exchange (see [IKEv2], sect. 2.15). Implemententers may find it convenient, when using ECDSA as the authentication method, to specify the hash used by ECDSA as the value of the hash algorithm attribute. Implementers may also find it convenient to use ECDSA authentication in conjunction with an elliptic curve group for the IKEv2 Diffie-Hellman key agreement; see [IKEv2-ECC] for some specific curves for the key agreement. 4. Security Considerations Implementors should ensure that appropriate security measures are in place when they deploy ECDSA within IKEv2. In particular, the security of ECDSA requires the careful selection of both key sizes and elliptic curve domain parameters. Selection guidelines for these parameters and some specific recommended curves that are considered safe are provided in ANSI X9.62 [X9.62], FIPS 186-2 [DSS], and SEC 2 [SEC2]. Solinas [Page 3] INTERNET-DRAFT IKEv2 Authentication Using ECDSA March 2005 5. IANA Considerations This document has no actions for IANA. 6. References 6.1 Normative [IKEv2] C. Kaufman, Internet Key Exchange (IKEv2) Protocol, 2004, http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-17.txt [X9.62] American National Standards Institute, ANS X9.62-1998: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm. January 1999. 6.2 Informative [DSS] U.S. Department of Commerce/National Institute of Standards and Technology, Digital Signature Standard (DSS), FIPS PUB 186-2, January 2000. (http://csrc.nist.gov/publications/fips/index.html) [IANA] Internet Assigned Numbers Authority, Internet Key Exchange (IKE) Attributes. (http://www.iana.org/assignments/ipsec-registry) [IEEE-1363] Institute of Electrical and Electronics Engineers. IEEE 1363-2000, Standard for Public Key Cryptography. (http://grouper.ieee.org/groups/1363/index.html) [IEEE-1363A] Institute of Electrical and Electronics Engineers. IEEE 1363A-2004, Standard for Public Key Cryptography - Amendment 1: Additional Techniques. (http://grouper.ieee.org/groups/1363/index.html) [IKEv2-ECC] J. Solinas, ECC Groups For IKEv2, 2005. (draft-ietf-ipsec-ikev2-ecc-groups-00.txt) [LV] A. Lenstra and E. Verheul, "Selecting Cryptographic Key Sizes", Journal of Cryptology 14 (2001), pp. 255-293. [RFC-3279] Bassham, L., Housley, R., and Polk, W., RFC 3279, Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, 2002. (http://www.ietf.org/rfc/rfc3279.txt) [RFC-3280] Housley, R., Polk, W., Ford, W. and D. Solo, RFC 3280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, 2002. (http://www.ietf.org/rfc/rfc3279.txt) Solinas [Page 4] INTERNET-DRAFT IKEv2 Authentication Using ECDSA March 2005 [SEC1] Standards for Efficient Cryptography Group. SEC 1 - Elliptic Curve Cryptography, v. 1.0, 2000. (http://www.secg.org) [SEC2] Standards for Efficient Cryptography Group. SEC 2 - Recommended Elliptic Curve Domain Parameters, v. 1.0, 2000. (http://www.secg.org) [SHS] FIPS 180-2, "Secure Hash Standard", National Institute of Standards and Technology, 2002. Solinas [Page 5] INTERNET-DRAFT IKEv2 Authentication Using ECDSA March 2005 7. Author's Address Jerome A. Solinas National Security Agency jsolinas@orion.ncsc.mil Comments are solicited and should be addressed to the author. Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Expires October 2, 2005 Solinas [Page 6]