wdiff draft-ietf-ipsec-ike-auth-ecdsa-02.txt draft-ietf-ipsec-ike-auth-ecdsa-03.txt

IPSec Working Group S. Blake-Wilson and P. Fahn J. Solinas, NSA
INTERNET-DRAFT Certicom Corp.
Expires: September 14, 2001
Expires October 2, 2005 March 15, 2001 31, 2005

IKE Authentication Using ECDSA
<draft-ietf-ipsec-ike-auth-ecdsa-02.txt>
<draft-ietf-ipsec-ike-auth-ecdsa-03.txt>

Status of this Memo

This document

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is an Internet-Draft aware
have been or will be disclosed, and is any of which he or she becomes
aware will be disclosed, in full conformance accordance with all
provisions of Section 10 6 of RFC2026. BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
http://www.ietf.org/1id-abstracts.html

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
http://www.ietf.org/shadow.html

Abstract

This document describes how the Elliptic Curve Digital Signature
Algorithm (ECDSA) may be used as the authentication method within
the Internet Key Exchange (IKE) protocol. ECDSA may provide benefits
including computational efficiency, small signature sizes, and
minimal bandwidth, bandwidth compared to other available digital signature
methods. This document adds ECDSA capability to IKE without
introducing any changes to existing IKE operation.

Table of Contents

1. Introduction ................................................. 2
2. ECDSA ........................................................ 2
3. Specifying ECDSA within IKE .................................. 3
4. Security Considerations ...................................... 4
5. Intellectual Property Rights ................................. 4
6. Acknowledgments .............................................. 4
7. References ................................................... 5
8. Authors' Addresses ........................................... 6
9. Full Copyright Statement ..................................... 6

1. Introduction

The Internet Key Exchange, or IKE [RFC2409], [IKE], is a key agreement and
security negotiation protocol; it is used for key establishment in
IPSec. In Phase 1 of IKE, both parties must authenticate each other
using a negotiated authentication method. One option for the
authentication method is digital signatures using public key
cryptography. Currently, there are two digital signature methods
defined for use within Phase 1: RSA signatures and DSA (DSS)
signatures. This document introduces ECDSA signatures as a third
method.

For any given level of security against the best attacks known, ECDSA
signatures are smaller than RSA signatures and ECDSA keys require
less bandwidth than DSA keys; there are also advantages of
computational speed and efficiency in many settings. Additional
efficiency may be gained by simultaneously using ECDSA for IKE
authentication and using elliptic curve groups for the IKE key
exchange. Implementers of IPSec and IKE may therefore find it
desirable to use ECDSA as the Phase 1 authentication method.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].

2. ECDSA

The Elliptic Curve Digital Signature Algorithm (ECDSA) is the
elliptic curve analogue of the DSA (also called DSS) (DSS) signature method
[FIPS186-2]. The Elliptic Curve Digital Signature Algorithm (ECDSA) [DSS]. It
is defined in the ANSI X9.62 standard [ANSIX962]; [X9.62]. Other compatible
specifications include FIPS 186-2 [FIPS186-2], [DSS], IEEE 1363 [IEEE-1363], IEEE P1363 [IEEEP1363],
1363A [IEEE-1363A], and SEC 1 SEC1 [SEC1]. The

Like DSA, ECDSA incorporates the use of a hash function. [SHS]
specifies hash functions that are appropriate for use with ECDSA.
Implementations of IKE using ECDSA in X.509 certificates is described
in IETF PKIX [PKIX-ALG]. SHOULD use one of these hash
functions.

ECDSA signatures are smaller than RSA signatures of similar
cryptographic strength; see [KEYS] for a security analysis of key
sizes across public key algorithms. strength. ECDSA public keys (and certificates) are
smaller than similar strength DSA keys, resulting in improved
communications efficiency. Furthermore, on many platforms ECDSA
operations can be computed faster more quickly than similar strength RSA or
DSA operations. operations (see [LV] for a security analysis of key sizes across
public key algorithms). These advantages of signature size,
bandwidth, and computational efficiency may make ECDSA an attractive
choice for many IKE
implementions. implementations.

Recommended elliptic curve domain parameters for use with ECDSA are
given in FIPS 186-2 [FIPS186-2] [DSS], ANSI X9.62 [X9.62], and SEC 2 [SEC2].

Implementations of IKE using ECDSA MAY use one of these domain
parameters. A subset of these parameters are recommended in [ECC-GR]
[IKE-ECP] for use in the IKE key exchange.

Like DSA, ECDSA incorporates the use of a hash function; currently,
the only hash function defined These parameters MAY
be used for use with ECDSA is the SHA-1 message
digest algorithm [FIPS180-1]. as well.

3. Specifying ECDSA within IKE

The IKE key negotiation protocol consists of two phases, Phase 1 and
Phase 2. Within Phase 1, the two negotiating parties authenticate
each other, using either pre-shared keys, digital signatures, or
public-key encryption. For digital signatures and public-key
encryption methods, there are multiple options. The authentication method is specified as
an attribute in the negotiated Phase 1 Security Association (SA).

Until now, there have been a total of seven specific authentication
methods in Phase 1. We now add an eighth option: ECDSA signatures,
specified by attribute value 8 in the SA. The new list of IANA-assigned
attribute numbers number for Phase 1 authentication is:

- Authentication Method
pre-shared key 1
DSS signatures 2
RSA signatures 3
Encryption with RSA 4
Revised encryption with RSA 5
Encryption with El-Gamal 6
Revised encryption with El-Gamal 7 using ECDSA signatures is 8

values 9-65000 are reserved to IANA. Values 65001-65535 are for
private use among mutually consenting parties. (see
[IANA]).

Phase 1 can be either Main Mode or Agressive Aggressive Mode. The use and
specification of ECDSA signatures as the authentication method
applies to both modes. The sequence of Phase 1 message payloads is
the same with ECDSA signatures as with DSS or RSA signatures.

When ECDSA is used in IKE, the signature payload shall SHALL contain an
encoding of the computed signature, consisting of a pair of integers
r and s, encoded as a byte string using the ASN.1 syntax
"ECDSA-Sig-Value" with DER encoding rules as specified in ANSI X9.62 [ANSIX962].

Note also that, like
[X9.62].

As with the other digital signature methods, ECDSA authentication
requires the parties to know and trust each other's public key. This
can be done by exchanging certificates, possibly within the Phase 1
negotiation, if the public keys of the parties are not already known
to each other. The use of Internet X.509 public key infrastructure
certificates [PKIX-CERT] [RFC-3280] is recommended; the representation of ECDSA
keys in X.509 certificates is specified in
[PKIX-ALG].

Since ECDSA requires the use of the SHA-1 hash function,
implemententers [RFC-3279]. This
representation SHOULD be used if X.509 certificates are used.

Implemententers may find it convenient convenient, when using ECDSA as the
authentication method, to specify SHA-1 the hash used by ECDSA as the
value of the hash algorithm attribute when using ECDSA as the authentication
method. attribute. Implementers may also find
it convenient to use ECDSA authentication in conjunction with an
elliptic curve group for the IKE Diffie-Hellman key agreement; see [ECC-GR]
[IKE-ECP] for some specific curves for the key agreement.

4. Security Considerations

Implementors should ensure that appropriate security measures are in
place when they deploy ECDSA within IKE. In particular, the security
of ECDSA requires the careful selection of both key sizes and
elliptic curve domain parameters. Selection guidelines for these
parameters and some specific recommended curves that are considered
safe are provided in ANSI X9.62 [ANSIX962], [X9.62], FIPS 186-2 [FIPS186-2], [DSS], and SEC 2
[SEC2].

5. Intellectual Property Rights

The IETF has been notified of intellectual property rights claimed in
regard to the specification contained in this document. For more
information, consult the online list of claimed rights
(http://www.ietf.org/ipr.html).

The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to pertain
to the implementation or use of the technology described in this IANA Considerations

This document or the extent to which any license under such rights might or
might not be available; neither does it represent that it has made any
effort to identify any such rights. Information on the IETF's
procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission no actions for the use of such proprietary
rights by implementors or users of this specification can be obtained
from the IETF Secretariat. IANA.

6. Acknowledgments References

6.1 Normative

[IKE] D. Harkins and D. Carrel, The authors would like to thank Paul Lambert Internet Key Exchange, RFC 2409,
November 1998.

[RFC-3279] Bassham, L., Housley, R., and Polk, W., RFC 3279,
Algorithms and Prakash Panjwani Identifiers for
their comments the Internet X.509 Public Key
Infrastructure Certificate and suggestions.

7. References

[ANSIX962] ANSI X9.62-1999, "Public Certificate Revocation List (CRL)
Profile, 2002. (http://www.ietf.org/rfc/rfc3279.txt)

[RFC-3280] Housley, R., Polk, W., Ford, W. and D. Solo, RFC 3280,
Internet X.509 Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile, 2002.
(http://www.ietf.org/rfc/rfc3279.txt)

[X9.62] American National Standards Institute, ANS X9.62-1998:
Public Key Cryptography For The for the Financial Services Industry: The
Elliptic Curve Digital Signature
Algorithm (ECDSA)", Americal National Standards Institute,
1998.

[ECC-GR] S. Blake-Wilson, M. Salter, and Y. Poeluev, "Additional
ECC Groups for IKE", IPSEC Working Group Internet-Draft
draft-ietf-ipsec-ike-ecc-groups-03.txt. September Algorithm. January 1999.

[FIPS180-1] FIPS 180-1, "Secure Hash Standard", National

6.2 Informative

[DSS] U.S. Department of Commerce/National Institute of Standards
and Technology, 1995.

[FIPS186-2] Digital Signature Standard (DSS), FIPS PUB 186-2, "Digital Signature Standard", National
January 2000. (http://csrc.nist.gov/publications/fips/index.html)

[IANA] Internet Assigned Numbers Authority, Internet Key Exchange
(IKE) Attributes. (http://www.iana.org/assignments/ipsec-registry)

[IEEE-1363] Institute of Standards Electrical and Technology, 2000.

[IEEEP1363] Electronics Engineers.
IEEE P1363, "Standard Specifications 1363-2000, Standard for Public Key
Cryptography", Cryptography.
(http://grouper.ieee.org/groups/1363/index.html)

[IEEE-1363A] Institute of Electrical and Electronics
Engineers, 2000.

[KEYS] Engineers.
IEEE 1363A-2004, Standard for Public Key Cryptography -
Amendment 1: Additional Techniques.
(http://grouper.ieee.org/groups/1363/index.html)

[IKE-ECP] J. Solinas, ECP Groups For IKE, 2005.
(draft-ietf-ipsec-ike-ecc-groups-05.txt)

[LV] A. Lenstra and E. Verheul, "Selecting Cryptographic Key
Sizes", October 1999. Presented at Public Key Cryptography
Conference, Melbourne, Australia, January 2000. Available
at <http://www.cryptosavvy.com/>.

[PKIX-ALG] L. Bassham, R. Housley and W. Polk, "Algorithms and
Identifiers for the Internet X.509 Public Key
Infrastructure Certificate and CRL Profile", PKIX Working
Group Internet-Draft, draft-ietf-pkix-ipki-pkalgs-02.txt,
March 2001.

[PKIX-CERT] W. Ford, R. Housley, W. Polk and D. Solo, "Internet X.509
Public Key Infrastructure Certificate and CRL Profile", PKIX
Working Group Internet-Draft,
draft-ietf-pkix-new-part1-05.txt, March 2001.

[RFC2409] D. Harkins and D. Carrel, "The Internet Key Exchange",
IETF RFC 2409, November 1998. Journal of Cryptology 14 (2001), pp. 255-293.

[SEC1] SEC 1, "Elliptic Curve Cryptography", Standards for Efficient Cryptography Group, 2000.

[SEC2] Group. SEC 2, "Recommended 1 - Elliptic
Curve Domain Parameters", Cryptography, v. 1.0, 2000. (http://www.secg.org)

[SEC2] Standards for Efficient Cryptography Group, Group. SEC 2 -
Recommended Elliptic Curve Domain Parameters, v. 1.0, 2000.

8.
(http://www.secg.org)

[SHS] FIPS 180-2, "Secure Hash Standard", National Institute of
Standards and Technology, 2002.

7. Author's Address

Simon Blake-Wilson
Certicom Corp.
sblake-wilson@certicom.com

Paul Fahn
Certicom Corp.
pfahn@certicom.com

9. Full Copyright Statement

Jerome A. Solinas
National Security Agency
jsolinas@orion.ncsc.mil

Comments are solicited and should be addressed to the author.

This document and translations of it may be copied and furnished is subject to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies rights, licenses and derivative works. However, this
document itself may not be modified restrictions
contained in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, BCP 78, and except as needed for set forth therein, the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns. authors
retain all their rights.

This document and the information contained herein is are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Expires October 2, 2005