Transport Layer SecurityTLS Working GroupT. DierksSimon Blake-Wilson INTERNET-DRAFTConsensus Development Corp. Expires September, 1998 B. AndersonTim Dierks Expires: September 14, 2001 Chris Hawk Certicom Corp. 15 March13, 19982001 ECC Cipher SuitesForfor TLSdraft-ietf-tls-ecc-00.txt 1.<draft-ietf-tls-ecc-01.txt> Status of this Memo This document is anInternet-Draft.Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, ormade obsoleteobsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than aswork"work inprogress. To learn theprogress." The list of currentstatusInternet-Drafts may be found at http://www.ietf.org/ietf/1id-abstracts.txt The list ofany Internet-Draft, please check the 1id-abstracts.txt listing contained in the Internet DraftsInternet-Draft Shadow Directorieson ds.internic.net (US East Coast), nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). 2. Introductionmay be found at http://www.ietf.org/shadow.html. Abstract This document describes additions to TLS to supporttheElliptic CurveCryptosystemCryptography (ECC).The document assumes that the reader is familiar with the TLS protocol. The documentIn particular it definescipher suitesnew key exchange algorithms which use the Elliptic CurveEncryption Scheme (ECES), the Elliptic CurveDigital Signature Algorithm(ECDSA), the Elliptic Curve Nyberg-Rueppel Signature Scheme with Appendix (ECNRA),(ECDSA) and the Elliptic Curve Diffie-Hellman Key Agreement Scheme (ECDH), andthe Elliptic Curve Menezes-Qu-Vanstone Key Agreement (ECMQV)it defines how to perform client authentication with ECDSA and ECDH. The keyestablishment algorithms. Referenceswords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are tothese algorithms canbefoundinterpreted as described insection 13. 3.RFC 2119 [MUST]. Please send comments on this document to the TLS mailing list. Table of Contents 1.Status of this Memo ........................................ 1 2.Introduction............................................... 1 3. Table of Contents .......................................... 2 4. Rationale ................................................................................................... 25.2. Elliptic Curve KeyEstablishment Methods ................... 3 6. Key Establishment Operation ................................Exchange Algorithms ....................... 4 2.1. ECDH_ECDSA ................................................... 56.1. ECES_ECDSA .................................................2.2. ECDH_ECDSA_EXPORT ............................................ 5 2.3. ECDH_RSA ..................................................... 66.2. ECES_ECNRA .................................................2.4. ECDH_RSA_EXPORT .............................................. 66.3. ECDHE_ECDSA ................................................2.5. ECDH_anon .................................................... 66.4. ECDHE_ECDSA_EXPORT ......................................... 7 6.5. ECDHE_ECNRA ................................................ 7 6.6. ECDHE_ECNRA_EXPORT .........................................2.6. ECDH_anon_EXPORT ............................................. 6 3. ECC Client Authentication .................................... 76.7. ECDH_ECDSA .................................................3.1. ECDSA_sign ................................................... 76.8. ECDH_ECNRA ................................................. 8 6.9. ECMQV_ECDSA ................................................3.2. ECDSA_fixed_ECDH ............................................. 86.10. ECMQV_ECNRA ................................................ 9 6.11. ECDH_anon .................................................. 9 6.12. ECDH_anon_EXPORT ........................................... 9 7. Client Certification .......................................3.3. RSA_fixed_ECDH ............................................... 98.4. Data Structures...........................................and Computations ............................. 9 4.1. Server Certificate .......................................... 108.1.4.2. Server Key Exchange....................................... 10 8.2.......................................... 11 4.3. Certificate Request....................................... 13 8.3.......................................... 15 4.4. Client Certificate .......................................... 15 4.5. Client Key Exchange....................................... 14 8.4.......................................... 16 4.6. Certificate Verify........................................ 15 9. Elliptic Curve Certificates ............................... 15 10. Cipher Suites ............................................. 16 11. Elliptic Curve Cryptography Definitions ................... 17 12. Recommended.......................................... 18 4.7. Computing the Master Secret ................................. 19 5. Cipher Suites................................. 17 13. References ................................................ 17 14................................................ 19 6. Security Considerations................................... 18 15...................................... 20 7. Intellectual Property Rights ................................ 20 8. Acknowledgments ............................................. 21 9. References .................................................. 21 10. Authors' Addresses........................................ 18 4. Rationale Several design goals drove our choice of key establishment algorithms:.......................................... 22 1.A desireIntroduction This document describes additions toreplicate all of the functionality and operating modes found in the currentTLScipher suites based on integer factorization and discret log cryptographic algorithms. 2. While we wishedtodefine cipher suites which use export-strength cryptography, we did not want to define any cipher suites which would require certificates with export-strength keys; thus, exportable cipher suites are only defined for thosesupport Elliptic Curve Cryptography (ECC). In particular, it defines: - new keyestablishment mechanismsexchange algorithms which use thecertificate key for authentication rather than for key establishment. These criteria for key establishment algorithms, when combined with a number of symmetric algorithms, led to a large number of possible cipher suites. This is problematic in that it could lead to a lack of interoperability due to implementors supporting different subsets ofElliptic Curve Digital Signature Algorithm (ECDSA), and theavailable cipher suites.Elliptic Curve Diffie-Hellman Key Agreement Scheme (ECDH); and - new client authentication methods which use ECDSA and ECDH. In order toalleviate this, we have indicated twoenable the use of these features within TLS, thetotal cipher suites as recommended (see section 12). Unless there are specific reasonsdocument defines enhanced data structures tochoose other cipher suites, implementors should implementconvey therecommended suites first. 5. Elliptic Curve Key Establishment Methods Key establishment is the terminology used in ISO standards to refer toinformation that themethods of establishing a shared key between two or more parties. Within key establishment there are two classifications: The operation is called key transport when only one party contributesmechanisms need to exchange, thegeneration ofcomputational procedures involved in theshared key. Theoperationis called key agreement when 2 or more parties contribute to the generationof theshared key. Formechanisms, and new cipher suites based on thepurposesmechanisms. Use ofthis definition, the key in question is the premaster secret:ECC within TLSuses the master secret generation process to ensure thatmay provide bothparties contributebandwidth and computational savings compared to other public-key cryptographic techniques. Furthermore, theeventual master secret. The cipher suites defined here useefficiencies provided by ECC may increase as security requirements increase based on Moore's law - this is illustrated by the following table, based on [LEN], which gives approximate comparable keyestablishment methods: ECES_ECDSA Elliptic-curve encryption is usedsizes for symmetric systems, ECC systems, and DH/DSA/RSA systems based on thekey transport; the server's certificate is signed using ECDSA. ECES_ECNRA Elliptic-curve encryption is used forrunning times of the best algorithms known today. Symmetric | ECC | DH/DSA/RSA 80 | 163 | 1024 128 | 283 | 3072 192 | 409 | 7680 256 | 571 | 15360 Table 1: Comparable keytransport;sizes (in bits) The savings that ECC may offer are likely to become increasingly desirable with theserver's certificate is signed using ECNRA. ECDHE_ECDSA Ephemeral elliptic-curve Diffie-Hellman is usedwidespread use of TLS by wireless devices - discussed, for example, in [TLS-EXT]. This document assumes thekey agreement; the server signs the parametersreader is familiar withan ECDSA keyboth ECC and TLS. ECC isauthenticated with a certificate signed with ECDSA. ECDHE_ECDSA_EXPORT Ephemeral elliptic-curve Diffie-Hellmandescribed inexport strengthANSI X9.62 [ANSIX962], FIPS 186-2 [FIPS186-2], IEEE 1363 [IEEE1363], and SEC 1 [SEC1]. TLS isused for the key agreement;described in RFC 2246 [TLS]. The choice of mechanisms included in this document was motivated by a desire to provide mechanisms which are secure, which are as efficient as possible, and which are capable of replicating all of theserver signsfunctionality and operating modes found in theparameters with an ECDSA keyexisting TLS mechanisms based on integer factorization andis authenticated withdiscrete logarithm cryptographic systems. TLS includes acertificate signedsubstantial variety of functionality and operating modes in consideration of the variety of applications withECDSA. ECDHE_ECNRA Ephemeral elliptic-curve Diffie-Hellmanwhich TLS isused forused. The desire described above led to thekey agreement;inclusion of a substantial number of ECC-based mechanisms. In order to encourage interoperability, a small subset of theserver signsmechanisms are identified as "recommended" - these mechanisms are capable of meeting theparameters with an ECNRA keyrequirements of many applications andis authenticated with a certificate signed with ECNRA. ECDHE_ECNRA_EXPORT Ephemeral elliptic-curve Diffie-Hellmanthey should therefore be used unless an application profile of this document states otherwise, or unless in a particular environment considerations such as exportstrengthregulations mandate otherwise. The remainder of this document isusedorganized as follows. Section 2 specifies key exchange algorithms for TLS using ECC. Section 3 specifies how client authentication is performed using ECC. Section 4 describes thekey agreement;TLS-specific data structures and computations involved in theserver signsoperation of theparameters with an ECNRA key and is authenticated with a certificate signed with ECNRA. ECDH_ECDSA Fixed elliptic-curve Diffie-Hellman is used forECC mechanisms. Section 5 defines cipher suites based on the ECC keyagreement;exchange algorithms. Sections 6-8 discuss security considerations, intellectual property rights, and acknowledgements respectively. Section 9 supplies references cited elsewhere in theserver's certificate is signed with ECDSA. ECDH_ECNRA Fixed elliptic-curve Diffie-Hellman is used fordocument, and Section 10 gives the authors' contact details. 2. Elliptic Curve Key Exchange Algorithms This document defines six new keyagreement; the server's certificate is signed with ECNRA. ECMQV_ECDSA Ephemeral elliptic-curve MQV is usedexchange algorithms based on ECC forkey agreement and authentication;use within TLS. The table below summarizes theserver is authenticatednew key exchange algorithms. Key Exchange Algorithm Description Key size limit ECDH_ECDSA ECDH witha certificate signedECDSA signatures None ECDH_ECDSA_EXPORT ECDH withECDSA. ECMQV_ECNRA Ephemeral elliptic-curve MQV is used for key agreement and authentication; the server is authenticatedECDSA signatures ECDH=163 bits, ECDSA=none ECDH_RSA ECDH witha certificate signedRSA signatures None ECDH_RSA_EXPORT ECDH withECNRA.RSA signatures ECDH=163 bits, RSA = none ECDH_anon Anonymouselliptic-curve Diffie-Hellman is used for the key agreement.ECDH, no signatures None ECDH_anon_EXPORT Anonymouselliptic-curve Diffie-Hellman in export strength is used for the key agreement.ECDH, no signatures ECDH=163 bits Table 2: Keyestablishment mechanisms which indicateexchange algorithms Note thatthey are for export strength should use an ECC key forthe keyagreementexchange algorithms marked "anon" do not provide authentication ofno more than 113 bits. A 113-bit ECC key provides security that is roughly equivalent to a 512-bit RSAthe server or the client, and, like other "anon" TLS keyand is expected toexchange algorithms, may beeligible for export. The following table relates ECC key sizessubject toRSA key sizesman-in-the-middle attacks. Implementations ofequivalent security. Thesethese algorithms SHOULD provide authentication by other means. The remainder of this section describes these keysizes are considered equivalentexchange algorithms interms of work factor required to recover the privatedetail. For each keyusing currently known fastest methods for solvingexchange algorithm, this involves specification of theunderlying mathematical problemscontents ofECC and RSA. ECC RSA Timethe handshake messages related tobreak (MIPS-years) ________ _________ __________________________ 106 bits 512 bits 1E4 MY 132 bits 768 bits 1E8 MY 160 bits 1024 bits 1E11 MY 191 bits 1536 bits 1E14 MY 211 bits 2048 bits 1E20 MY Table 1: ECC and RSAkeysizes for equivalent security 6. Key Establishment Operation The TLSexchange - server certificate, server keyestablishment protocol involves this message exchange: Client Server __________________ ___________________ ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data Figure 1: Message flow in a full TLS handshake *exchange, client certificate, and client key exchange -Message is not sent under some conditions Of these messages,as well as specification of theonescomputations involved in thekey establishment itself are the server's Certificate message, the ServerKeyExchange, the client's Certificate message, andcalculation of theClientKeyExchange. In ordermaster secret. 2.1. ECDH_ECDSA ECDH is used tospecify the ECC cipher suites, we must specifycompute thefollowing elements for eachmaster secret. The server is authenticated via a certificate containing an ECDH public keyestablishment algorithm:signed with ECDSA. Specifically this key exchange algorithm MUST proceed as follows: - Theformat ofserver provides a static ECDH public key in theserver's certificate.server certificate message using the format described in Section 4.1. The certificate is signed using ECDSA. - Theformat of theserver key exchange message is not sent. -For methodsUnless client authentication using ECDH is performed as specified inwhichSections 3.2 and 3.3, theclient's certificate can participateclient provides an ephemeral ECDH public key in the client keyagreement,exchange message using the formatofdescribed in Section 4.5. In this case, theclient'sclient certificate andthe criteria for deciding if thiscertificate verify message are not sent unless client authentication iseligible to participateperformed using ECDSA as specified inthe key agreement.Section 3.1, or another signature algorithm. -The format ofIf client authentication using ECDH is performed, the client provides a static ECDH public keyexchange message - How to arrive atin thepremaster secret given allclient certificate message using thepreceding information. Several different key establishment modes are available.format described in Section 4.4. Inorder to allow full negotiation of supported algorithms,this case an empty client key exchange message is sent using thesignature algorithm used forformat described in Section 4.5, and theserver's X.509certificate verify message isencoded intonot sent. - The client and server compute thecipher suite for thosemaster secret using their ECDH keyestablishment mechanisms where no signature algorithm is used;pairs as specified in Section 4.7. ECDH computations forthosethis keyestablishments which utilize signature algorithms, the certificate signatureexchange algorithmis expectedare performed according tobeIEEE 1363 [IEEE1363] - using thesame asECKAS-DH1 scheme with thealgorithm used inECSVDP-DH secret value derivation primitive, and the KDF1 keyestablishment. 6.1. ECES_ECDSA In ECES_ECDSA,derivation primitive using SHA-1 [FIPS180-1]. ECDSA computations are performed according to ANSI X9.62 [ANSIX962] using the hash function SHA-1 [FIPS180-1]. 2.2. ECDH_ECDSA_EXPORT Export-strength ECDH is used to compute the master secret. The serversendsis authenticated via a certificatewithcontaining anECES-capableECDH public keyin it. The server's certificate should besigned with ECDSA.A ServerKeyExchange message is not sent because the server's certificate contains all the necessary keying information for the client to complete theThis keyestablishment. The client's certificate is not involvedexchange algorithm MUST proceed in the same way as ECDH_ECDSA, except that the keyestablishmentsize forthis method, although the client can still be authenticated via the normal mechanism. The client generates a 48 byte premaster secret, encrypts it using ECES usingECDH public keys is constrained to 163 bits or less. Here the key size of an elliptic curve public keyfrom the server's certificate, and sends itrefers to theserver insize of theClientKeyExchange message (see section 8.3). This premaster secret is decrypted byunderlying finite field over which theserver and both sides use itelliptic curve is defined. 2.3. ECDH_RSA ECDH is used togeneratecompute the mastersecret for this TLS session. 6.2. ECES_ECNRA ECES_ECNRAsecret. The server is authenticated via a certificate containing an ECDH public key signed with RSA. This key exchange MUST proceed in the same way asECES_ECDSAECDH_ECDSA, exceptfor the factthat the server's certificate is signedby its CAwithECNRA. 6.3. ECDHE_ECDSA In ECDHE_ECDSA,RSA. 2.4. ECDH_RSA_EXPORT Export-strength ECDH is used to compute theserver'smaster secret. The server is authenticated via a certificatehascontaining anECDSAECDH public keyand is, in turn,signedby its CAwithECDSA. The ServerKeyExchange message contains an ephemeral ECDHRSA. This keyand a specification ofexchange algorithm MUST proceed in thecurvesame way as ECDH_RSA, except that the key size forthis key. (see section 8.1). These parameters are signed withECDH public keys is constrained to be 163 bits or less. 2.5. ECDH_anon Anonymous ECDH is used to compute theserver's authenticated ECDSA key.master secret. Specifically this key exchange algorithm MUST proceed as follows: - Theclient'sserver certificate message is notinvolvedsent. - The server provides an ephemeral ECDH public key in the server keyestablishment for this method, although the client can still be authenticated viaexchange message using thenormal mechanism.format described in Section 4.2. - The clientshould verify the signature on the ServerKeyExchangecertificate messageand generateis not sent. - The client provides an ephemeral ECDH public keyon the same curve asin theserver's ephemeral key. Theclientencodes the public half of thatkeyinto the ClientKeyExchangeexchange messageand sends it tousing theserver.format described in Section 4.5. - The client and serverperform an ECDH key agreement using their private keys andcompute thepublic keys they have sent to each other. The resultant sharedmaster secretis the premaster secret. 6.4. ECDHE_ECDSA_EXPORT ECDHE_ECDSA_EXPORT is the sameusing their ECDH key pairs asECDHE_ECDSA exceptspecified in Section 4.7. ECDH computations for this key exchange algorithm are performed according to IEEE 1363 [IEEE1363] - using thefact that the curve used forECKAS-DH1 scheme with theserver's ephemeral ECDH key should be no longer than 113 bits. BecauseECSVDP-DH secret value derivation primitive, and theserver's certifiedKDF1 key derivation primitive using SHA-1 [FIPS180-1]. 2.6. ECDH_anon_EXPORT Export-strength, anonymous ECDH isonlyusedfor authentication, its length is unrestricted. 6.5. ECDHE_ECNRA ECDHE_ECNRA is the same as ECDHE_ECDSA except for the fact thatto compute theserver's public key is an ECNRAmaster secret. This keyand the server's certificate is signed by its CA with ECNRA. 6.6. ECDHE_ECNRA_EXPORT ECDHE_ECNRA_EXPORT isexchange algorithm MUST proceed in the same way asECDHE_ECNRAECDH_anon, exceptfor the factthat thecurve used for the server's ephemeral ECDH key should be no longer than 113 bits. Because the server's certifiedkeyis only usedsize forauthentication, its length is unrestricted. 6.7. ECDH_ECDSA In ECDH_ECDSA, the server's certificate contains anECDH publickey. This certificatekeys issigned byconstrained to 163 bits or less. 3. ECC Client Authentication This document defines three new ECC-based client authentication methods - ECDSA_sign, ECDSA_fixed_ECDH, and RSA_fixed_ECDH. To encourage interoperability, implementations SHOULD support ECDSA_fixed_ECDH. Implementations MAY support any of theserver's CA using ECDSA.other client authentication methods. TheServerKeyExchange message is not sent because the server's certificate contains all the necessary keyingremainder of this section specifies these ECC-based client authentication methods. The following information is provided for each method: which key exchange algorithms theclientmethod may be used with, what constraints apply tocompletethekey establishment. If the server requests client authenticationmethod, andincludestheecdsa_fixed_dh or ecnra_fixed_dh clientformats of the certificatetypes (see section 8.2)request, client certificate, client key exchange, andthecertificate verify messages. 3.1. ECDSA_sign The clienthassupplies a certificatewhich containscontaining anECDH key on the same curve as the server'sECDSA public key, andthisauthenticates itself by signing the certificate verify message with its ECDSA key pair. This client authentication method MUST proceed as follows. Applicable key exchange algorithms: - This client authentication method isotherwiseeligibleto be usedforclient authentication, thenuse with all theclient's certified publicnon-anonymous ECC-based keyis usedexchange algorithms specified inconjunction withSection 2, and all theserver's public key to do an ECDHexisting non-anonymous TLS keyagreement; the resultant shared secret is the premaster key.exchange algorithms specified in [TLS]. Restrictions: - In order to perform thissituation,method, the clientkey exchange message is empty when sent andmust possess a certified ECDSA public key. Message exchange: - The server requests use of theclient CertificateVerifyECDSA_sign method by sending a certificate request messageis not sent, as bothcontaining theclient andvalue "ecdsa_sign" using theserver are authenticated by their ability to arrive atformat described in Section 4.3. When thesame premaster secret. Ifclientcertificationreceives this request, it checks that it possesses an appropriate certificate and that it isnot requested or ifwilling to proceed. - If the clientdoes not have aproceeds, it sends its certificatewith a suitable ECDHcontaining its ECDSA publickey,key in the clientcan generate an ephemeral key oncertificate message using thesame curve asformat described in Section 4.4. It signs theserver's public key. Thishandshake messages exchanged so far with its ECDSA keyis encoded into the ClientKeyExchange message (see section 8.3)pair andused in conjunction withconveys theserver's keyresulting signature tocompletetheECDH key agreement, yieldingserver in thepremaster secret. 6.8. ECDH_ECNRA ECDH_ECNRA iscertificate verify message using thesame as ECDH_ECDSA except forformat specified in Section 4.6. - (If thefact thatclient does not proceed, it may perform client authentication using another method suggested by the server in theserver'scertificateis signed by its CA with ECNRA. 6.9. ECMQV_ECDSA In ECMQV_ECDSA,request message in which case theserver'sclient certificatecontains an ECMQV keyandis signed bytheserver's CAcertificate verify message are sent in accordance withECDSA. The server then generates an temporary key pair and sendsthepublic half ofselected method, or it may proceed with thetemporarykeyin the ServerKeyExchange message (see section 8.1). If the server requestsexchange without client authenticationand includes- in which case theecdsa_mqv or ecnra_mqvclient certificatetypes (see section 8.2)and certificate verify messages are not sent.) ECDSA computations for this client authentication method are performed according to ANSI X9.62 [ANSIX962] using the hash function SHA-1 [FIPS180-1]. 3.2. ECDSA_fixed_ECDH The clienthas asupplies an ECDSA-signed certificatewhich containscontaining anECMQVECDH public keyonusing the same elliptic curve domain parameters as the server's ECDH publickey, and this certificate is otherwise eligible to be used forkey. The clientauthentication, thenauthenticates itself by computing theclient should send that certificate, then generate a temporary keymaster secret andsendthepublic half of that key infinished message. (This achieves authentication because these computations can only be performed by a party possessing theClientKeyExchange message (see section 8.3). The client and server then perform an MQV key agreement using theirprivatekeys and their peer's public keys (for each party, both the certified and temporarykeypairs are used). The resultant shared secret iscorresponding to one of thepremaster secret. TheECDH public keys exchanged.) This clientCertificateVerify message is not sent,authentication method MUST proceed asboth the client andfollows. Applicable key exchange algorithms: - This method is eligible for use with all theserver are authenticated by their abilitynon-anonymous ECC-based key exchange algorithms specified in Section 2. Restrictions: - In order toarrive at the same premaster secret. Ifperform this clientcertification is not requested or ifauthentication method, the clientdoes not have amust possess an ECDSA-signed certificatewith a suitable ECMQVcontaining an ECDH publickey, the client should generate two temporarykeypairs onusing the same elliptic curve domain parameters as theserver's public key. TheECDH publichalves of these temporary key pairs are encoded into the ClientKeyExchange message. One key pair is the usual temporarykeyused for MQV andsupplied by theother takesserver in theplaceserver certificate message. Message exchange: - The server requests use of thecertified key. Each side performs an MQV key agreement using the peer's public keys and its own private keys, yieldingECDSA_fixed_ECDH method by sending a certificate request message containing thepremaster secret. 6.10. ECMQV_ECNRA ECMQV_ECNRA isvalue "ecdsa_fixed_ecdh" using thesame as ECMQV_ECDSA except forformat described in Section 4.3. When thefactclient receives this request, it checks thatthe server's certificate is signed by its CA with ECNRA. 6.11. ECDH_anon In ECDH_anon,it possesses ananonymous Elliptic-Curve Diffie-Hellman operation is used to arrive at the premaster secret. In this case, the server is not authenticatedappropriate certificate andmay not requestthatthe client authenticate itself. The server's Certificate messageit isnot sent. The ServerKeyExchange message containswilling to proceed. - If thespecification of a curve and a Diffie-Hellman public key (see section 8.1). Theclientresponds with a ClientKeyExchange messageproceeds, it sends its certificate containinga Diffie-Hellmanits ECDH public keyon the same curve;in thepremaster secret isclient certificate message using theshared secret resulting fromformat described in Section 4.4. It sends anElliptic Curve Diffie-Hellmanempty client keyagreement with these keys. 6.12. ECDH_anon_EXPORT ECDH_anon_EXPORT is the same as ECDH_anon except forexchange message using thefact thatformat described in Section 4.5. It does not send thecurve used forcertificate verify message. It uses its static ECDH key pair, along with the server'sephemeralECDHkey should be no longer than 113 bits. 7. Client Certification Six new client certificate types have been added: ecdsa_sign, ecnra_sign, ecdsa_fixed_dh, ecnra_fixed_dh, ecdsa_mqv, and ecnra_mqv. As noted above,public key) when computing thefixed_dhmaster secret andmqv types are used in key establishment methods which allow the client's certified key to participate in key agreement. In these cases,finished message. - (If theCertificateVerify message isclient does notsent; the client's ability to arrive at the same premaster secret asproceed, it may perform client authentication using another method suggested by the serverdemonstrates its control over the private half of the certified public key. One of these certificates is eligible for usein thekey agreement operation ifcertificate request message, or ithas amay proceed with the key exchange without client authentication - in whichcan be used with that algorithm. Because elliptic curve keys havecase thesame mathematical propertiesclient certificate and certificate verify messages are not sent.) ECDH computations forall the algorithms discussed inthisspecification, a certificate could have akeywhich was authorized for use in any of several algorithms or for only a particular algorithm. In additionexchange algorithm are performed according tothe key's eligibility, it must be definedIEEE 1363 [IEEE1363] - using thesame curve parameters as the server's key to be used in a operationECKAS-DH1 scheme withit. Of course,theuse of a certificate is always subject to anyECSVDP-DH secret value derivation primitive, andall policy constraints placed on it. In these certificates,theecdsa or ecnra refers to the algorithm which the CA usesKDF1 key derivation primitive using SHA-1 [FIPS180-1]. ECDSA computations are performed according tosignANSI X9.62 [ANSIX962] using theclient's certificate.hash function SHA-1 [FIPS180-1]. 3.3. RSA_fixed_ECDH Theecdsa_sign and ecnra_signclient supplies an RSA-signed certificatetypes are used in othercontaining an ECDH public keyestablishment methods and in cases whereusing the same elliptic curve domain parameters as the server's ECDH public key. The client authenticates itself by computing the master secret and the finished message. (This achieves authentication because these computations cannot or chooses not to supplyonly be performed by asuitable certificateparty possessing the private key corresponding toparticipate inone of theabove methods. In these cases, theECDH public keys exchanged.) This clientmust send a CertificateVerify message to demonstrate its control ofauthentication method MUST proceed in theprivate half key ofsame manner as thecertified key pair. (See section 8.4). Certificates requested withECDSA_fixed_ECDH method, except that theecdsa_sign ClientCertificateTypeclient's certificate mustinclude an ECDSA public key andbe signedby the CAwithECDSA; ecnra_sign certificates must include an ECNRA keyRSA, andbe signed with ECNRA. With all key establishment methods, it is permissible to request a client certificate using a different algorithm than the one used fortheserver's certificate; for example, aserverdoingrequests use of the method by sending aECDHE_ECDSA or ECMQV_ECDSA key establishment could stillcertificate requestan ECNRA client certificate. 8.message containing the value "rsa_fixed_ecdh". 4. Data StructuresHere the descriptions ofand Computations This section specifies the data structuresexchanged are given.and computations used by the ECC-based mechanisms specified in Sections 2 and 3. The presentation language used here is the same as that used inthe TLS specification.RFC 2246 [TLS]. Because these specifications extend the TLS protocol specification, these descriptions should be merged with those in TLS and in any other specifications which extend TLS. This means that enum types may not specify all the possible values and structures with multiple formats chosen with a select() clause may not indicate all the possible cases.8.1.4.1. Server Certificate This message is sent in the following key exchange algorithms: All the non-anonymous ECC-based key exchange algorithms specified in Section 2. Meaning of this message: This message is used to authentically convey the server's static public key to the client. The appropriate certificate types are given in the following table. Key Exchange Algorithm Certificate Type ECDH_ECDSA ECC public key; the certificate must allow the key to be used for key agreement. The certificate must be signed with ECDSA. ECDH_ECDSA_EXPORT ECC public key which can be used for key agreement; key size must be 163 bits or less. Certificate must be signed with ECDSA. ECDH_RSA ECC public key which can be used for key agreement. Certificate must be signed with RSA. ECDH_RSA_EXPORT ECC public key which can be used for key agreement; key size must be 163 bits or less. Certificate must be signed with RSA. Table 3: Server certificate types [PKIX-ALG] specifies how ECC keys and ECDSA signatures are placed in X.509 certificates. Servers SHOULD use the elliptic curve domain parameters recommended in ANSI X9.62 [ANSIX962], FIPS 186-2 [FIPS186-2], and SEC 2 [SEC2]. Note that - as with RSA - the same identifier is used for all ECC keys in "SubjectPublicKeyInfo". The key usage extension may be used to further delimit the use of the key. When a key usage extension is present, the "keyAgreement" bit MUST be set for ECDH certificates. Structure of this message: Identical to the TLS Certificate format. Actions of the sender: The server constructs an appropriate certificate chain and conveys it to the client in the Certificate message. Actions of the receiver: The client validates the certificate chain, extracts the server's public key, and checks that the key is of the correct type for the key exchange algorithm. 4.2. Server Key Exchange Thismessagesmessage is sent in the following keyestablishment methods: ECDHE_ECDSA ECDHE_ECDSA_EXPORT ECDHE_ECNRA ECDHE_ECNRA_EXPORT ECMQV_ECDSA ECMQV_ECNRA ECDH_anon ECDH_anon_EXPORT It can containexchange algorithms: Both the anonymous ECC-based key exchange algorithms specified in Section 2. Meaning of this message: This message is used to convey the server's ephemeral ECDH public key (and the corresponding elliptic curveDiffie-Hellman keys, either signed or unsigned, or MQV parameters.domain parameters) to the client. Structure of this message: The TLS ServerKeyExchange message is extended as follows. enum {ec_eces, ec_diffie_hellman, ec_menezes_qu_vanstoneec_diffie_hellman } KeyExchangeAlgorithm; ec_diffie_hellman Indicates the ServerKeyExchange message is to contain an ECDH public key. enum {ec_prime_pexplicit_prime (1),ec_characteristic_twoexplicit_char2 (2), named_curve (3), (255) }ECFieldID; enum { ec_basis_onb, ec_basis_trinomial, ec_basis_pentanomial } ECBasisType;ECCurveType; explicit_prime Indicates the elliptic curve domain parameters will be conveyed verbosely, and that the underlying finite field is a prime field. explicit_char2 Indicates the elliptic curve domain parameters will be conveyed verbosely, and that the underlying finite field is a characteristic 2 field. named_curve Indicates that a named curve will be used. The use of this option is strongly recommended. struct { opaque a <1..2^8-1>; opaque b <1..2^8-1>; opaque seed <0..2^8-1>; } ECCurve; a,b:b These parameters specify the coefficients of the elliptic curve. Each valueshall becontains theoctetbyte string representation of a field element following the conversion routine in [X9.62], section4.3.1. seed:4.3.3. seed This is an optional parameter used to derive the coefficients of a randomly generated elliptic curve. struct { opaque point <1..2^8-1>; } ECPoint;point:point This is theoctetbyte string representation of an elliptic curve point following the conversion routine in [X9.62], section4.4.2.a. The4.3.6. enum { ec_basis_trinomial, ec_basis_pentanomial } ECBasisType; ec_basis_trinomial Indicates representationformat is defined followingof a characteristic two field using a trinomial basis. ec_basis_pentanomial Indicates representation of a characteristic two field using a pentanomial basis. enum { sect163k1 (1), sect163r1 (2), sect163r2 (3), sect193r1 (4), sect193r2 (5), sect233k1 (6), sect233r1 (7), sect239k1 (8), sect283k1 (9), sect283r1 (10), sect409k1 (11), sect409r1 (12), sect571k1 (13), sect571r1 (14), secp160k1 (15), secp160r1 (16), secp160r2 (17), secp192k1 (18), secp192r1 (19), secp224k1 (20), secp224r1 (21), secp256k1 (22), secp256r1 (23), secp384r1 (24), secp521r1 (25), (255) } NamedCurve; sect163k1, etc Indicates use of thedefinitioncorresponding recommended curve specified in[X9.62], section 4.4.SEC 2 [SEC2]. Note that many of these curves are also recommended in ANSI X9.62 [ANSIX962], and FIPS 186-2 [FIPS186-2]. struct {ECFieldID field;ECCurveType curve_type; select(field)(curve_type) { caseec_prime_p:explicit_prime: opaque prime_p <1..2^8-1>; ECCurve curve; ECPoint base; opaque order <1..2^8-1>; opaque cofactor <1..2^8-1>; caseec_characteristic_two:explicit_char2: uint16 m; ECBasisType basis; select (basis) { caseec_basis_onb: struct { }; caseec_trinomial: opaque k <1..2^8-1>; case ec_pentanomial: opaque k1 <1..2^8-1>; opaque k2 <1..2^8-1>; opaque k3 <1..2^8-1>; };};ECCurve curve; ECPoint base; opaque order <1..2^8-1>; opaque cofactor <1..2^8-1>; case named_curve: NamedCurve namedcurve; }; } ECParameters;field:curve_type This identifies thefinite field over whichtype of the elliptic curveis defined. prime_p:domain parameters. prime_p This is the odd prime defining the field Fp.m: This is the degree of the characteristic-two field F2^m. k: The exponent k for the trinomical basis representation x^m + x^k + 1. k1, k2, k3: The exponents for the pentanomial representation x^m + x^k3 + x^k2 + x^k1 + 1. curve:curve Specifies the coefficients a and b of the elliptic curve E.base: Thebase Specifies the base pointPG on the elliptic curve.order: Theorder Specifies the order n of the base point.The order of a point P iscofactor Specifies thesmallest possible integer n such that nP = 0 (the point at infinity). cofactor: The integercofactor h = #E(Fq)/n, where #E(Fq) represents the number of points on the elliptic curve E defined over the field Fq. m This is the degree of the characteristic-two field F2^m. k The exponent k for the trinomial basis representation x^m+x^k+1. k1, k2, k3 The exponents for the pentanomial representation x^m+x^k3+x^k2+x^k1+1. namedcurve Specifies a recommended set of elliptic curve domain parameters. struct { ECParameters curve_params; ECPoint public; } ServerECDHParams;curve_params: This specifiescurve_params Specifies the elliptic curveon whichdomain parameters associated with theelliptic-curve Diffie-Hellman key agreement is to occur. public: The ephemeralECDH public key. publickey for the elliptic-curve Diffie- Hellman key agreement. struct { ECPoint temp_public; } ServerMQVParams; temp_public:Thetemporary MQVephemeral ECDH publickey; the curve on which the MQV operation will take place is specified by the server's certificate. enum { ec_dsa, ec_nra } SignatureAlgorithm; select (SignatureAlgorithm) { case ec_dsa: digitally-signed struct { opaque sha_hash[20]; }; case ec_nra: digitally-signed struct { opaque sha_hash[20]; }; } Signature;key. select (KeyExchangeAlgorithm) { case ec_diffie_hellman: ServerECDHParams params; Signature signed_params;case ec_menezes_qu_vanstone: ServerMQVParams params;} ServerKeyExchange;Note: The anonymous case for Signatureparams Specifies the ECDH public key and associated domain parameters. signed_params This element isusedempty forECDH_anon and ECDH_anon_EXPORTall the keyestablishment methods:exchange algorithms specified in thiscase,document. Actions of theSignature element is empty. 8.2. Certificate Requestsender: Theonly additionserver selects elliptic curve domain parameters and an ephemeral ECDH public key corresponding to these parameters according to the ECKAS-DH1 scheme from IEEE 1363 [IEEE1363]. It conveys this information to the client in the ServerKeyExchange message using the format defined above. Actions of the recipient: The client retrieves the server's elliptic curve domain parameters and ephemeral ECDH public key from the ServerKeyExchange message. 4.3. Certificate Request This message issix new types forsent when requesting the following client authentication methods: Any of the ECC-based client authentication methods specified in Section 3. Meaning of this message: The server uses this message to indicate which clientcertificate.authentication methods the server would like to use. Structure of this message: The TLS CertificateRequest message is extended as follows. enum {ecdsa_sign(5), ecnra_sign(6), ecdsa_fixed_dh(7), ecnra_fixed_dh(8), ecdsa_mqv (9), ecnra_mqv (10),ecdsa_sign (5), rsa_fixed_ecdh (6), ecdsa_fixed_ecdh(7), (255) } ClientCertificateType;8.3.ecdsa_sign, etc Indicates that the server would like to use the corresponding client authentication method specified in Section 3. Actions of the sender: The server decides which client authentication methods it would like to use, and conveys this information to the client using the format defined above. Actions of the receiver: The client determines whether it has an appropriate certificate for use with any of the requested methods, and decides whether or not to proceed with client authentication. 4.4. ClientKey ExchangeCertificate This message is sent inallthe following client authentication methods: All the ECC-based client authentication methods specified in Section 3. Meaning of this message: This message is used to authentically convey the client's static public keyexchanges. Itto the server. The appropriate certificate types are given in the following table. Client Authentication Certificate Type Method ECDSA_sign ECC public key which cancontain either an ECES encrypted secret, an ECDHbe used for signing. ECDSA_fixed_ECDH ECC public key(for use in ECDHE or ECDH_anonwhich can be used for keyestablishment methods), an ECMQV temporaryagreement. Certificate must be signed with ECDSA. RSA_fixed_ECDH ECC publickey, or two temporary keyskey which can be used for key agreement. Certificate must be signed with RSA. Table 4: Client certificate types [PKIX-ALG] specifies how ECC keys and ECDSA signatures are placed in X.509 certificates. Clients SHOULD use the elliptic curve domain parameters recommended in ANSI X9.62 [ANSIX962], FIPS 186-2 [FIPS186-2], and SEC 2 [SEC2]. Note that - as withMQV whenRSA - theclient does not havesame identifier is used for all ECC keys in "SubjectPublicKeyInfo". The key usage extension may be used to further delimit the use of the key. When asuitable certificate.key usage extension is present, the "keyAgreement" bit MUST be set for ECDH certificates, and the "digitalSignature" bit MUST be set for ECDSA certificates. Structure of this message:struct { select (PublicValueEncoding) { case implicit: struct { }; case explicit: ECPoint ecdh_Yc; } ecdh_public; } ClientECDiffieHellmanPublic; IfIdentical to the TLS Certificate format. Actions of the sender: The clienthas sent aconstructs an appropriate certificate chain, and conveys it to the server in the Certificate message. Actions of the receiver: The TLS server validates the certificate chain, extracts the client's public key, and checks that the key is of the correct type for the client authentication method. 4.5. Client Key Exchange This message is sent in the following key exchange algorithms: All the ECC-based key exchange algorithms specified in Section 2. If client authentication withanfixed ECDHkey,is not being used, thePublicValueEncoding will be implicit and thismessagewill be empty. Otherwise, ecdh_Yc will becontains the client's ephemeral ECDH publicvalue forkey, otherwise the message is empty. Meaning of the message: This message is used to convey ephemeral data relating to theDiffie- Hellmankeyagreement.exchange belonging to the client (such as its ephemeral ECDH public key). Structure of this message: The TLS ClientKeyExchange message is extended as follows. enum { yes, no } EphemeralPublicKey; yes, no Indicates whether or not the client is providing an ephemeral ECDH public key. struct { select(PublicValueEncoding)(EphemeralPublicKey) { caseimplicit:yes: ECPoint ecdh_Yc; case no: struct { };case explicit: ECPoint ecmqv;}ecmqv_public; ECPoint ecmqv_temp;ecdh_public; }ClientECMQVPublic; If the client has sent a certificate with an MQV key, the PublicValueEncoding will be implicit and the ecmqv_public field will be empty; otherwise, ecmqv will containClientECDiffieHellmanPublic; ecdh_Yc Contains the client'sMQV public value. In either case, ecmqv_temp will contain the temporary public key for the MQV operation. In the explicit case, the cost of an additional key generation can be saved by generating only oneephemeralkey and sending two copies: one in ecmqv and one in ecmqv_temp.ECDH public key. struct { select (KeyExchangeAlgorithm) { caseec_eces: EncryptedPreMasterSecret; caseec_diffie_hellman: ClientECDiffieHellmanPublic;case ec_menezes_qu_vanstone: ClientECMQVPublic;} exchange_keys; } ClientKeyExchange;InActions of theECES case,sender: The client selects an ephemeral ECDH public key corresponding to thepremaster secret will be sent encrypted withparameters it received from theserver's public key.server according to the ECKAS-DH1 scheme from IEEE 1363 [IEEE1363]. It conveys this information to the client in the ClientKeyExchange message using the format defined above. Actions of the recipient: Thestandard TLS definitionserver retrieves the client's ephemeral ECDH public key from the ServerKeyExchange message and checks that the public key represents a point ofEncryptedPreMasterSecret is suitable for this transmission. 8.4.the elliptic curve. 4.6. Certificate Verify This message is sentwhenin the following clienthas sent a certificate which did not participate in a Diffie-Hellman or Menezes-Qu-Vanstone key agreement. This type needs no new definition:authentication methods: ECDSA_sign Meaning of theCertificateVerifymessage: This message contains an ECDSA signature on the handshake messages inTLS usesorder to authenticate theSignature type, which we haveclient to the server. Structure of this message: The TLS CertificateVerify message is extendedforas follows. enum { ec_dsa } SignatureAlgorithm; select (SignatureAlgorithm) { case ec_dsa: digitally-signed struct { opaque sha_hash[20]; }; } Signature; In the CertificateVerify message, the signature field contains the client's ECDSAand ECNRA (see section 8.1). 9. Elliptic Curve Certificates All X.509 certificates must be in compliance withsignature on thePKIX profile ofhandshake messages exchanged so far. According to [ANSIX962], theX.509 standard [PKIX]. Elliptic curve keys should be encodedsignature consists of a pair of integers r and s. These integers are both converted intoX.509 certificatesbyte strings of the same length as the curve order n using the conversion routine specified in[PKIX-ECDSA]. However, this document currently only specifies formats for ECDSA keys and signatures. When this document refers to a certificate with an ECDSA, ECNRA, ECES, ECDH, or ECMQV key, it means a public key which is capableSection 4.3.1 ofperforming a particular algorithm[ANSIX962], the two byte strings are concatenated, andwhich is permitted bythepolicy encodedresult is placed in thecertificate to participate in this algorithm. This may be asignature field. Actions of the sender: The client computes its signature over the handshake messages exchanged so far using its ECDSA keywhich is specifically indicatedpair with ECDSA computations performed asbeing useful for a particular algorithm or a general-purpose elliptic curve key which is allowed to perform a particular operation.specified in [ANSIX962] with the hash function SHA-1 [FIPS186-2]. TheX.509 key usage extension encodes functions a key is allowedclient conveys its signature toperform.the server in the CertificateVerify message using the format defined above. Actions of the receiver: Therelevantserver extracts the client's signature from the CertificateVerify message, and verifies the signature using the client's ECDSA public keyusage bits forthat it received in the ClientCertificate message. 4.7. Computing the Master Secret In all the ECC-based key exchange algorithmsare: Algorithm Key Usage Bit _________ ________________ ECDSA digitalSignature ECNRA digitalSignature ECES keyEncipherment ECDH keyAgreement ECMQV keyAgreement Table 2: Pertinent X.509specified in Section 2, the client and server compute the master keyusage bits A TLS entity shall not presentas follows: - They both compute acertificate which is not eligible to participatesingle shared secret K of length 20 bytes using their ECDH key pairs with ECDH computations performed as specified by the ECKAS-DH1 scheme in [IEEE1363] with thenegotiated cipher suiteECSVDP-DH secret value derivation primitive, andshall refuse to communicate with a TLS peer which presents such a certificate. 10.the KDF1 key derivation primitive using SHA-1 [FIPS180-1]. - They both use K as the pre_master_secret, and compute the master_secret from the pre_master_secret as specified in [TLS]. 5. Cipher Suites Thefollowingtable below defines the cipher suitesare defined: CipherSuite TLS_ECES_ECDSA_NULL_SHA = { 0x00, 0x2C } CipherSuite TLS_ECES_ECDSA_WITH_RC4_128_SHA = { 0x00, 0x2D } CipherSuite TLS_ECES_ECDSA_WITH_DES_CBC_SHA = { 0x00, 0x2E } CipherSuite TLS_ECES_ECDSA_WITH_3DES_EDE_CBC_SHA = { 0x00, 0x2F } CipherSuite TLS_ECES_ECNRA_NULL_SHA = { 0x00, 0x30 } CipherSuite TLS_ECES_ECNRA_WITH_RC4_128_SHA = { 0x00, 0x31 } CipherSuite TLS_ECES_ECNRA_WITH_DES_CBC_SHA = { 0x00, 0x32 } CipherSuite TLS_ECES_ECNRA_WITH_3DES_EDE_CBC_SHA = { 0x00, 0x33 } CipherSuite TLS_ECDHE_ECDSA_NULL_SHA = { 0x00, 0x34 } CipherSuite TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = { 0x00, 0x36 } CipherSuite TLS_ECDHE_ECDSA_WITH_DES_CBC_SHA = { 0x00, 0x37 } CipherSuite TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = { 0x00, 0x38 } CipherSuite TLS_ECDHE_ECDSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00, 0x39 } CipherSuite TLS_ECDHE_ECDSA_EXPORT_WITH_RC4_40_SHA = { 0x00, 0x40 } CipherSuite TLS_ECDHE_ECNRA_NULL_SHA = { 0x00, 0x41 } CipherSuite TLS_ECDHE_ECNRA_WITH_RC4_128_SHA = { 0x00, 0x42 } CipherSuite TLS_ECDHE_ECNRA_WITH_DES_CBC_SHA = { 0x00, 0x43 } CipherSuite TLS_ECDHE_ECNRA_WITH_3DES_EDE_CBC_SHA = { 0x00, 0x44 }specified in this document for use with the key exchange algorithms specified in Section 2. CipherSuiteTLS_ECDHE_ECNRA_EXPORT_WITH_DES40_CBC_SHATLS_ECDH_ECDSA_WITH_NULL_SHA = { 0x00,0x450x47 } CipherSuiteTLS_ECDHE_ECNRA_EXPORT_WITH_RC4_40_SHATLS_ECDH_ECDSA_WITH_RC4_128_SHA = { 0x00,0x460x48 } CipherSuiteTLS_ECDH_ECDSA_NULL_SHATLS_ECDH_ECDSA_WITH_DES_CBC_SHA = { 0x00,0x470x49 } CipherSuiteTLS_ECDH_ECDSA_WITH_RC4_128_SHATLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x480x4A } CipherSuiteTLS_ECDH_ECDSA_WITH_DES_CBC_SHATLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = { 0x00,0x490x4B } CipherSuiteTLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHATLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = { 0x00,0x4A0x4C } CipherSuiteTLS_ECDH_ECNRA_NULL_SHATLS_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA = { 0x00, 0x4B } CipherSuiteTLS_ECDH_ECNRA_WITH_RC4_128_SHATLS_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA = { 0x00, 0x4C } CipherSuiteTLS_ECDH_ECNRA_WITH_DES_CBC_SHATLS_ECDH_RSA_WITH_NULL_SHA = { 0x00, 0x4D } CipherSuiteTLS_ECDH_ECNRA_WITH_3DES_EDE_CBC_SHATLS_ECDH_RSA_WITH_RC4_128_SHA = { 0x00, 0x4E } CipherSuiteTLS_ECMQV_ECDSA_NULL_SHATLS_ECDH_RSA_WITH_DES_CBC_SHA = { 0x00, 0x4F } CipherSuiteTLS_ECMQV_ECDSA_WITH_RC4_128_SHATLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00, 0x50 } CipherSuiteTLS_ECMQV_ECDSA_WITH_DES_CBC_SHATLS_ECDH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x51 } CipherSuiteTLS_ECMQV_ECDSA_WITH_3DES_EDE_CBC_SHATLS_ECDH_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x52 } CipherSuiteTLS_ECMQV_ECNRA_NULL_SHATLS_ECDH_RSA_EXPORT_WITH_RC4_40_SHA = { 0x00, 0x53 } CipherSuiteTLS_ECMQV_ECNRA_WITH_RC4_128_SHATLS_ECDH_RSA_EXPORT_WITH_RC4_56_SHA = { 0x00, 0x54 } CipherSuiteTLS_ECMQV_ECNRA_WITH_DES_CBC_SHA = { 0x00, 0x55 } CipherSuite TLS_ECMQV_ECNRA_WITH_3DES_EDE_CBC_SHA = { 0x00, 0x56 } CipherSuiteTLS_ECDH_anon_NULL_WITH_SHA = { 0x00,0x570x55 } CipherSuite TLS_ECDH_anon_WITH_RC4_128_SHA = { 0x00,0x580x56 } CipherSuite TLS_ECDH_anon_WITH_DES_CBC_SHA = { 0x00,0x590x57 } CipherSuite TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = { 0x00,0x5A0x58 } CipherSuite TLS_ECDH_anon_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x5B0x59 } CipherSuite TLS_ECDH_anon_EXPORT_WITH_RC4_40_SHA = { 0x00,0x5C0x5A } Table3:5: TLS ECC cipher suites The keyestablishmentexchange method, cipher, and hash algorithm for each of these ciphersuitesuites are easily determined by examining the name.ThoseCiphers other than AES ciphers, and hash algorithms are defined in [TLS]. AES ciphers are defined in [TLS-AES]. The cipher suites which use the "NULL" cipher or one of the "EXPORT" keyestablishment mechanismsexchange algorithms are considered to be "exportable" cipher suites for the purposes of the TLS protocol.11. Elliptic Curve Cryptography Definitions These definitions provide a quick reference forUse of theelliptic curve terms. Elliptic curve Definition to come. Elliptic curve point Definition to come. EC parameters Definition to come. EC private key Definition to come. EC public key Definition to come. EC key pair Definition to come. 12. Recommended Cipher Suites In order to promote common interoperability, twofollowing cipher suitesareis recommendedfor initial implementation: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA and TLS_ECDHE_ECDSA_EXPORT_WITH_RC4_40_SHA. Implementing these two gives a basisin general - server implementations SHOULD support all ofcryptographic strength, perfect forward secrecy, and well-accepted algorithms. 13. References [ECDH] IEEE P1363 Working Draft, February, 1997. [ECDSA] IEEE P1363 Working Draft, February, 1997. [ECDSA] ANSI X9.62 Working Draft, November 17, 1997. [ECES] ANSI X9.63 Working Draft. [ECMQV] IEEE P1363 Working Draft, February, 1997. [ECNRA] IEEE P1363 Working Draft, February, 1997. [PKIX] R. Housley, W. Ford, W. Polk, D. Solo, Internet Public Key Infrastructure: Part I: X.509 Certificatethese cipher suites, andCRL Profile, <draft- ietf-pkix-ipki-part1-06.txt>, October 1997. [PKIX-ECDSA] L. Bassham, D. Johnson, W. Polk, Representationclient implementations SHOULD support at least one ofElliptic Curve Digital Signature Algorithm (ECDSA) Keys and Signatures in Internet X.509 Public Key Infrastructure Certificates <draft-ietf-pkix-ipki-ecdsa-01.txt>, November 1997. [X9.62] ANSI X9.62 Working Draft, November 17, 1997. 14.them: TLS_ECDH_ECDSA_WITH_RC4_128_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA Implementations MAY support any of the other cipher suites. 6. Security Considerations This document is entirely concerned with security mechanisms.ImplementorsThis document is based on [TLS], [ANSIX9.62], and [IEEE1363] and the appropriate security considerations of those documents apply. In addition implementers should take care to ensure that code which controls security mechanisms is free of errors which might be exploited by attackers.15.7. Intellectual Property Rights The IETF has been notified of intellectual property rights claimed in regard to the specification contained in this document. For more information, consult the online list of claimed rights (http://www.ietf.org/ipr.html). The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat. 8. Acknowledgments The authors wish to thank Bill Anderson, Paul Fahn, Gilles Garon, John Kennedy, and Brian Minard for their help preparing this document. 9. References [ANSIX9.62] ANSI X9.62-1999, "Public Key Cryptography For The Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)", American National Standards Institute, 1998. [FIPS180] FIPS 180-1, "Secure Hash Standard", National Institute of Standards and Technology, 1995. [FIPS186-2] FIPS 186-2, "Digital Signature Standard", National Institute of Standards and Technology, 2000. [IEEE1363] IEEE 1363, "Standard Specifications for Public Key Cryptography", Institute of Electrical and Electronics Engineers, 2000. [MUST] S. Bradner, "Key Words for Use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [PKIX-ALG] L. Bassham, R. Housley and W. Polk, "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRL Profile", PKIX Working Group Internet-Draft, draft-ietf-pkix-ipki-pkalgs-02.txt, March 2001. [PKIX-CERT] W. Ford, R. Housley, W. Polk and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and CRL Profile", PKIX Working Group Internet-Draft, draft-ietf-pkix-new-part1-05.txt, March 2001. [SEC1] SEC 1, "Elliptic Curve Cryptography", Standards for Efficient Cryptography Group, 2000. [SEC2] SEC 2, "Recommended Elliptic Curve Domain Parameters", Standards for Efficient Cryptography Group, 2000. [TLS] T. Dierks and C. Allen, "The TLS Protocol - Version 1.0," IETF RFC 2246, January 1999. [TLS-AES] P. Chown, "AES Ciphersuites for TLS", TLS Working Group Internet-Draft, draft-ietf-tls-ciphersuite-03.txt, January 2001. [TLS-EXT] S. Blake-Wilson and M. Nystrom, "Wireless Extensions to TLS", TLS Working Group Internet-Draft, draft-ietf-tls-wireless-00.txt, November 2000. 10. Authors' Addresses Authors: Simon Blake-Wilson Certicom Corp. sblake-wilson@certicom.com Tim DierksConsensus DevelopmentCerticom Corp. timd@consensus.comBill AndersonChris Hawk Certicombanderson@certicom.com Contributors: Gilles Garon ggaron@aol.comCorp. chawk@certicom.com