TLS Working GroupSimon Blake-Wilson INTERNET-DRAFT Tim DierksV. Gupta Internet-Draft Sun Labs Expires:September 14, 2001 ChrisFebruary 27, 2003 S. Blake-Wilson BCI B. Moeller Technische Universitaet Darmstadt C. HawkCerticom Corp. 15 March 2001Independent Consultant August 29, 2002 ECC Cipher Suites for TLS<draft-ietf-tls-ecc-01.txt><draft-ietf-tls-ecc-02.txt> Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents asInternet-Drafts.Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Draftsmaycan befoundaccessed athttp://www.ietf.org/ietf/1id-abstracts.txthttp:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directoriesmaycan befoundaccessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on February 27, 2003. Copyright Notice Copyright (C) The Internet Society (2002). All Rights Reserved. Abstract This document describesadditions to TLS to supportnew key exchange algorithms based on Elliptic Curve Cryptography(ECC).(ECC) for the TLS (Transport Layer Security) protocol. Inparticularparticular, itdefines new key exchange algorithms whichspecifies the use of Elliptic Curve Diffie-Hellman (ECDH) key agreement in a TLS handshake and the use of Elliptic Curve Digital Signature Algorithm (ECDSA)and the Elliptic Curve Diffie-Hellman Key Agreement Scheme (ECDH), and it defines how to perform clientas a new authenticationwith ECDSA and ECDH.mechanism. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119[MUST].[1]. Please send comments on this document to the TLS mailing list. Table of Contents 1. Introduction................................................. 2. . . . . . . . . . . . . . . . . . . . . . . . . 3 2.Elliptic CurveKey Exchange Algorithms....................... 4 2.1. ECDH_ECDSA ................................................... 5 2.2. ECDH_ECDSA_EXPORT ............................................. . . . . . . . . . . . . . . . . . . 52.3. ECDH_RSA ..................................................... 6 2.4. ECDH_RSA_EXPORT ..............................................2.1 ECDH_ECDSA . . . . . . . . . . . . . . . . . . . . . . . . . . 62.5.2.2 ECDHE_ECDSA . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.3 ECDH_RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.4 ECDHE_RSA . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.5 ECDH_anon.................................................... 6 2.6. ECDH_anon_EXPORT ............................................. 6. . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.ECCClient Authentication.................................... 7 3.1.. . . . . . . . . . . . . . . . . . . . 9 3.1 ECDSA_sign................................................... 7 3.2.. . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.2 ECDSA_fixed_ECDH............................................. 8 3.3.. . . . . . . . . . . . . . . . . . . . . . . 10 3.3 RSA_fixed_ECDH............................................... 9. . . . . . . . . . . . . . . . . . . . . . . . 10 4. Data Structures and Computations............................. 9 4.1.. . . . . . . . . . . . . . . 11 4.1 Server Certificate.......................................... 10 4.2.. . . . . . . . . . . . . . . . . . . . . . 11 4.2 Server Key Exchange......................................... 11 4.3.. . . . . . . . . . . . . . . . . . . . . 12 4.3 Certificate Request......................................... 15 4.4.. . . . . . . . . . . . . . . . . . . . . 17 4.4 Client Certificate.......................................... 15 4.5.. . . . . . . . . . . . . . . . . . . . . . 18 4.5 Client Key Exchange......................................... 16 4.6.. . . . . . . . . . . . . . . . . . . . . 19 4.6 Certificate Verify.......................................... 18 4.7. Computing the Master Secret ................................. 19. . . . . . . . . . . . . . . . . . . . . . 20 4.7 Elliptic Curve Certificates . . . . . . . . . . . . . . . . . 22 4.8 ECDH, ECDSA and RSA Computations . . . . . . . . . . . . . . . 22 5. Cipher Suites............................................... 19. . . . . . . . . . . . . . . . . . . . . . . . 24 6. Security Considerations..................................... 20. . . . . . . . . . . . . . . . . . . 26 7. Intellectual Property Rights................................ 20. . . . . . . . . . . . . . . . . 27 8. Acknowledgments............................................. 21 9.. . . . . . . . . . . . . . . . . . . . . . . 28 References.................................................. 21 10.. . . . . . . . . . . . . . . . . . . . . . . . . . 29 Authors' Addresses.......................................... 22. . . . . . . . . . . . . . . . . . . . . . 30 Full Copyright Statement . . . . . . . . . . . . . . . . . . . 31 1. IntroductionThis document describes additions to TLS to supportElliptic Curve Cryptography(ECC). In particular, it defines: - new key exchange algorithms which use the Elliptic Curve Digital Signature Algorithm (ECDSA), and the Elliptic Curve Diffie-Hellman Key Agreement Scheme (ECDH); and - new client authentication methods which use ECDSA and ECDH. In order to enable the use of these features within TLS, the document defines enhanced data structures to convey the information that the mechanisms need to exchange, the computational procedures involved in the operation of the mechanisms, and new cipher suites based on the mechanisms. Use of ECC within TLS may provide both bandwidth and computational savings compared to other(ECC) is emerging as an attractive public-keycryptographic techniques. Furthermore, the efficiencies provided by ECC may increasecryptosystem for mobile/wireless environments. Compared to currently prevalent cryptosystems such as RSA, ECC offers equivalent securityrequirements increase based on Moore's law - thiswith smaller key sizes. This is illustratedbyin the following table, based on[LEN],[2], which gives approximate comparable key sizes forsymmetric systems, ECC systems,symmetric- andDH/DSA/RSA systemsasymmetric-key cryptosystems based on therunning times of the bestbest-known algorithmsknown today.for attacking them. Symmetric | ECC | DH/DSA/RSA -------------+---------+------------ 80 | 163 | 1024 128 | 283 | 3072 192 | 409 | 7680 256 | 571 | 15360 Table 1: Comparable key sizes (in bits)TheSmaller key sizes result in power, bandwidth and computational savings that make ECCmay offer are likely to become increasingly desirable with the widespread use of TLS by wireless devices - discussed,especially attractive forexample, in [TLS-EXT].constrained environments. This documentassumes the reader is familiar with both ECC and TLS. ECC is described in ANSI X9.62 [ANSIX962], FIPS 186-2 [FIPS186-2], IEEE 1363 [IEEE1363], and SEC 1 [SEC1].describes additions to TLSis described in RFC 2246 [TLS]. The choice of mechanisms included in this document was motivated by a desiretoprovide mechanisms which are secure, which are as efficient as possible, and which are capable of replicating all of the functionality and operating modes found insupport ECC. In particular, it defines o theexisting TLS mechanisms based on integer factorization and discrete logarithm cryptographic systems. TLS includes a substantial variety of functionality and operating modes in considerationuse of thevariety of applicationsElliptic Curve Diffie-Hellman (ECDH) key agreement scheme withwhich TLS is used. The desire described above led to the inclusion of a substantial number of ECC-based mechanisms. In orderlong-term or ephemeral keys toencourage interoperability, a small subset ofestablish themechanisms are identified as "recommended" - these mechanisms are capable of meetingTLS premaster secret, and o therequirementsuse ofmany applicationsfixed-ECDH certificates andthey should therefore be used unless an application profileECDSA for authentication ofthis document states otherwise, or unless in a particular environment considerations such as export regulations mandate otherwise.TLS peers. The remainder of this document is organized as follows. Section 2specifiesprovides an overview of ECC-based key exchange algorithms forTLS using ECC.TLS. Section 3specifies howdescribes the use of ECC certificates for clientauthentication is performed using ECC.authentication. Section 4describes the TLS-specificspecifies various data structuresand computations involvedneeded for an ECC-based handshake, their encoding in TLS messages and theoperationprocessing ofthe ECC mechanisms.those messages. Section 5 defines new ECC-based cipher suitesbased on the ECC key exchange algorithms. Sections 6-8 discussand identifies a small subset of these as recommended for all implementations of this specification. Section 6, Section 7 and Section 8 mention security considerations, intellectual property rights, andacknowledgementsacknowledgments, respectively.Section 9 suppliesThis is followed by a list of references citedelsewhereinthe document,this document andSection 10 givesthe authors' contactdetails.information. Implementation of this specification requires familiarity with both TLS [3] and ECC [5][6][7][8] . 2.Elliptic CurveKey Exchange Algorithms This documentdefines sixintroduces five new ECC-based key exchange algorithmsbased on ECCforuse withinTLS. All of them use ECDH to compute the TLS premaster secret and differ only in the lifetime of ECDH keys (long-term or ephemeral) and the mechanism (if any) used to authenticate them. The derivation of the TLS master secret from the premaster secret and the subsequent generation of bulk encryption/MAC keys and initialization vectors is independent of the key exchange algorithm and not impacted by the introduction of ECC. The table below summarizes the new key exchangealgorithms.algorithms which mimic DH_DSS, DH_RSA, DHE_DSS, DHE_RSA and DH_anon (see [3]), respectively. Key Exchange Algorithm DescriptionKey size limit--------- ----------- ECDH_ECDSA Fixed ECDH withECDSA signatures None ECDH_ECDSA_EXPORTECDSA-signed certificates. ECDHE_ECDSA Ephemeral ECDH with ECDSAsignatures ECDH=163 bits, ECDSA=nonesignatures. ECDH_RSA Fixed ECDH withRSA signatures None ECDH_RSA_EXPORTRSA-signed certificates. ECDHE_RSA Ephemeral ECDH with RSAsignatures ECDH=163 bits, RSA = nonesignatures. ECDH_anon Anonymous ECDH, nosignatures None ECDH_anon_EXPORT Anonymous ECDH, no signatures ECDH=163 bitssignatures. Table 2:KeyECC key exchange algorithms Note that the anonymous key exchangealgorithms marked "anon" doalgorithm does not provide authentication of the server or theclient, and, likeclient. Like other"anon"anonymous TLS keyexchange algorithms, may beexchanges, it is subject to man-in-the-middle attacks. Implementations ofthese algorithmsthis algorithm SHOULD provide authentication by other means.The remainder of this section describes these key exchange algorithms in detail. For each key exchange algorithm, this involves specification of the contents of the handshake messages related to key exchange - server certificate, server key exchange, client certificate, and client key exchange - as well as specification of the computations involved in the calculation of the master secret. 2.1. ECDH_ECDSA ECDHNote that there isusedno structural difference between ECDH and ECDSA keys. A certificate issuer may use X509.v3 keyUsage and extendedKeyUsage extensions tocomputerestrict themaster secret. The server is authenticated via a certificate containinguse of anECDHECC public keysigned with ECDSA. Specifically thisto certain computations. This document refers to an ECC keyexchange algorithm MUST proceedasfollows: - The server provides a staticECDH- capable if its use in ECDHpublic keyis permitted. ECDSA-capable is defined similarly. Client Server ------ ------ ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest*+ <-------- ServerHelloDone Certificate*+ ClientKeyExchange CertificateVerify*+ [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data Figure 1: Message flow inthe server certificatea full TLS handshake * messageusing the format described in Section 4.1. The certificateissigned using ECDSA. - The server key exchangenot sent under some conditions + message is notsent. - Unlesssent unless the clientauthentication using ECDHisperformed as specifiedauthenticated Figure 1 shows all messages involved inSections 3.2 and 3.3,theclient provides an ephemeral ECDH publicTLS keyinestablishment protocol (aka full handshake). The addition of ECC has direct impact only on theclientthe server's Certificate message, the ServerKeyExchange, the ClientKeyExchange, the CertificateRequest, the client's Certificate message, and the CertificateVerify. Next, we describe each ECC key exchangemessage usingalgorithm in greater detail in terms of theformat describedcontent and processing of these messages. For ease of exposition, we defer discussion of client authentication and associated messages (identified with a + in Figure 1) until Section4.5.3. 2.1 ECDH_ECDSA Inthis case,ECDH_ECDSA, theclientserver's certificate MUST contain an ECDH-capable public key andcertificate verify message are notbe signed with ECDSA. A ServerKeyExchange MUST NOT be sentunless client authentication is performed using ECDSA as specified in Section 3.1, or another signature algorithm. - If(the server's certificate contains all the necessary keying information required by the clientauthentication using ECDH is performed,to arrive at the premaster secret). The clientprovides a staticMUST generate an ECDH key pair on the same curve as the server's long-term public key and send its public key in theclient certificateClientKeyExchange message (except when usingthe format describedclient authentication algorithm ECDSA_fixed_ECDH or RSA_fixed_ECDH, inSection 4.4. In thiswhich casean empty client key exchange message is sent usingtheformat described inmodifications from section Section4.5, and the certificate verify message is not sent. - The3.2 or Section 3.3 apply). Both client and servercomputeMUST perform an ECDH operation and use themasterresultant shared secretusing theiras the premaster secret. All ECDHkey pairscalculations are performed as specified in Section4.7. ECDH computations for this key exchange algorithm are performed according to IEEE 1363 [IEEE1363] - using the ECKAS-DH1 scheme with the ECSVDP-DH secret value derivation primitive, and the KDF1 key derivation primitive using SHA-1 [FIPS180-1]. ECDSA computations are performed according to ANSI X9.62 [ANSIX962] using the hash function SHA-1 [FIPS180-1]. 2.2. ECDH_ECDSA_EXPORT Export-strength ECDH is used to compute4.8 2.2 ECDHE_ECDSA In ECDHE_ECDSA, themaster secret. The server is authenticated via aserver's certificatecontainingMUST contain anECDHECDSA- capable public key and be signed with ECDSA.This key exchange algorithmThe server MUSTproceed in the same way as ECDH_ECDSA, except that the key size forsend its ephemeral ECDH publickeys is constrained to 163 bits or less. Here thekeysizeand a specification ofan ellipticthe corresponding curvepublicin the ServerKeyExchange message. These parameters MUST be signed with ECDSA using the private keyreferscorresponding to thesize ofpublic key in theunderlying finite field over whichserver's Certificate. The client MUST generate an ECDH key pair on theellipticsame curveis defined. 2.3. ECDH_RSAas the server's ephemeral ECDHis used to computekey and send its public key in themaster secret. TheClientKeyExchange message. Both client and serveris authenticated via a certificate containingMUST perform an ECDHpublic key signed with RSA.operation (Section 4.8) and use the resultant shared secret as the premaster secret. 2.3 ECDH_RSA This key exchangeMUST proceed inalgorithm is the samewayasECDH_ECDSA,ECDH_ECDSA exceptthatthe server's certificateis signed with RSA. 2.4. ECDH_RSA_EXPORT Export-strength ECDH is used to compute the master secret. The server is authenticated via a certificate containing an ECDH public keyMUST be signed withRSA.RSA rather than ECDSA. 2.4 ECDHE_RSA This key exchange algorithmMUST proceed inis the samewayasECDH_RSA,ECDHE_ECDSA exceptthatthe server's certificate MUST contain an RSA public keysizeauthorized forECDH public keys is constrained to be 163 bits or less. 2.5. ECDH_anon Anonymous ECDH is used to computesigning and themaster secret. Specifically this key exchange algorithmsignature in the ServerKeyExchange message MUSTproceed as follows: -be computed with the corresponding RSA private key. The server certificatemessage is notMUST be signed with RSA. 2.5 ECDH_anon In ECDH_anon, the server's Certificate, the CertificateRequest, the client's Certificate, and the CertificateVerify messages MUST NOT be sent.-The serverprovidesMUST send an ephemeral ECDH public keyin the server key exchange message usingand a specification of theformat describedcorresponding curve inSection 4.2. - The client certificate message is not sent. -the ServerKeyExchange message. These parameters MUST NOT be signed. The clientprovidesMUST generate an ECDH key pair on the same curve as the server's ephemeral ECDH key and send its public key in theclient key exchange message using the format described in Section 4.5. - TheClientKeyExchange message. Both client and servercomputeMUST perform an ECDH operation and use themasterresultant shared secretusing their ECDH key pairsasspecified in Section 4.7.the premaster secret. All ECDHcomputations for this key exchange algorithmcalculations are performedaccording to IEEE 1363 [IEEE1363] - using the ECKAS-DH1 scheme with the ECSVDP-DH secret value derivation primitive, and the KDF1 key derivation primitive using SHA-1 [FIPS180-1]. 2.6. ECDH_anon_EXPORT Export-strength, anonymous ECDH is used to compute the master secret. This key exchange algorithm MUST proceed in the same wayasECDH_anon, except that the key size for ECDH public keys is constrained to 163 bits or less.specified in Section 4.8 3.ECCClient Authentication This document defines three newECC-basedclient authenticationmethods -mechanisms named after the type of client certificate involved: ECDSA_sign,ECDSA_fixed_ECDH,ECDSA_fixed_ECDH and RSA_fixed_ECDH.To encourage interoperability, implementations SHOULD support ECDSA_fixed_ECDH. Implementations MAY supportThe ECDSA_sign mechanism is usable with any of the non-anonymous ECC key exchange algorithms described in Section 2 as well as otherclient authentication methods. The remainder of this section specifies these ECC-based client authentication methods. The following information is provided for each method: whichnon-anonymous (non-ECC) key exchange algorithmsthe method may be used with, what constraints apply to the method,defined in TLS [3]. The ECDSA_fixed_ECDH and RSA_fixed_ECDH mechanisms are usable with ECDH_ECDSA and ECDH_RSA. Their use with ECDHE_ECDSA and ECDHE_RSA is prohibited because theformatsuse ofthe certificate request, client certificate,a long-term ECDH client keyexchange, and certificate verify messages. 3.1. ECDSA_signwould jeopardize the forward secrecy property of these algorithms. The server can request ECC-based clientsupplies a certificate containing an ECDSA public key, and authenticates itselfauthentication bysigning theincluding one or more of these certificateverify message withtypes in itsECDSA key pair. This client authentication methodCertificateRequest message. The server MUSTproceed as follows. Applicable key exchange algorithms: - This client authentication method is eligibleNOT include any certificate types that are prohibited foruse with all the non-anonymous ECC-based key exchange algorithms specified in Section 2, and alltheexisting non-anonymous TLSnegotiated key exchangealgorithms specified in [TLS]. Restrictions: - In order to perform this method, thealgorithm. The client mustpossesscheck if it possesses acertified ECDSA public key. Message exchange: - The server requests usecertificate appropriate for any of theECDSA_sign methodmethods suggested bysendingthe server and is willing to use it for authentication. If these conditions are not met, the client should send acertificate requestclient Certificate message containing no certificates. In this case, thevalue "ecdsa_sign" using the formatClientKeyExchange should be sent as described in Section4.3. When2 and the CertificateVerify should not be sent. If the server requires clientreceives this request,authentication, itchecks that it possessesmay respond with a fatal handshake failure alert. If the client has an appropriate certificate andthat itis willing toproceed. - If the client proceeds,use itsends itsfor authentication, it MUST send that certificatecontaining its ECDSA public keyin theclient certificateclient's Certificate messageusing the format described in(as per Section4.4. It signs the handshake messages exchanged so far with its ECDSA key pair4.4) andconveysprove possession of theresulting signatureprivate key corresponding to theserver in thecertified key. The process of determining an appropriate certificateverify message using the format specified in Section 4.6. - (If the client does not proceed, it may perform clientand proving possession is different for each authenticationusing another method suggested by themechanism and described below. NOTE: It is permissible for a serverin the certificateto requestmessage in which case the client certificate and the certificate verify message are sent in accordance with the selected method, or it may proceed with(and thekey exchange withoutclientauthentication - in which case theto send) a client certificateand certificate verify messages are not sent.) ECDSA computations forof a different type than the server certificate. 3.1 ECDSA_sign To use thisclientauthenticationmethod are performed according to ANSI X9.62 [ANSIX962] usingmechanism, thehash function SHA-1 [FIPS180-1]. 3.2. ECDSA_fixed_ECDH Theclientsupplies an ECDSA-signedMUST possess a certificate containing anECDHECDSA-capable public keyusing the same elliptic curve domain parameters as the server's ECDH public key.and signed with ECDSA. The clientauthenticates itself by computing the master secret and the finished message. (This achieves authentication because these computations can only be performed by a party possessingMUST prove possession of the private key corresponding toone oftheECDH public keys exchanged.) This client authentication method MUST proceed as follows. Applicablecertified keyexchange algorithms: - This method is eligible for use with allby including a signature in thenon-anonymous ECC-based key exchange algorithms specifiedCertificateVerify message as described in Section2. Restrictions: - In order to perform4.6. 3.2 ECDSA_fixed_ECDH To use thisclientauthenticationmethod,mechanism, the clientmustMUST possessan ECDSA-signeda certificate containing anECDHECDH-capable public keyusingand that certificate MUST be signed with ECDSA. Furthermore, the client's ECDH key MUST be on the same elliptic curvedomain parametersas the server's long-term (certified) ECDHpublic key supplied by the server in the server certificate message. Message exchange: - The server requests use of the ECDSA_fixed_ECDH method by sending a certificate request message containing the value "ecdsa_fixed_ecdh" using the format described in Section 4.3.key. Whenthe client receivesusing thisrequest, it checks that it possesses an appropriate certificate and that it is willing to proceed. - If the client proceeds, it sends its certificate containing its ECDH public key inauthentication mechanism, the clientcertificate message using the format described in Section 4.4. It sendsMUST send an emptyclient key exchange message using the formatClientKeyExchange as described in Section4.5. It does not4.5 and MUST NOT send thecertificate verifyCertificateVerify message.It uses its static ECDH key pair, along withThe ClientKeyExchange is empty since theserver'sclient's ECDH publickey) when computing the master secret and finished message. - (If the client does not proceed, it may perform client authentication using another method suggestedkey required by the serverin the certificate request message, or it may proceed with the key exchange without client authentication - in which case the client certificate and certificate verify messages are not sent.) ECDH computations for this key exchange algorithm are performed accordingtoIEEE 1363 [IEEE1363] - using the ECKAS-DH1 scheme withcompute theECSVDP-DHpremaster secretvalue derivation primitive, and the KDF1 key derivation primitive using SHA-1 [FIPS180-1]. ECDSA computations are performed according to ANSI X9.62 [ANSIX962] usingis available inside thehash function SHA-1 [FIPS180-1]. 3.3. RSA_fixed_ECDHclient's certificate. Theclient supplies an RSA-signed certificate containing an ECDH public key usingclient's ability to arrive at the sameelliptic curve domain parameters as the server's ECDH public key. The client authenticates itself by computing the masterpremaster secretandas thefinished message. (This achieves authentication because these computations can only be performedserver (demonstrated by aparty possessingsuccessful exchange of Finished messages) proves possession of the private key corresponding toone oftheECDHcertified publickeys exchanged.)key and the CertificateVerify message is unnecessary. 3.3 RSA_fixed_ECDH Thisclientauthenticationmethod MUST proceed in the same manner as themechanism is identical to ECDSA_fixed_ECDHmethod,exceptthatthe client's certificatemustMUST be signed withRSA, and the server requests use of the method by sending a certificate request message containing the value "rsa_fixed_ecdh".RSA. 4. Data Structures and Computations This section specifies the data structures and computations used bytheECC-based key mechanisms specified inSectionsSection 2 and Section 3. The presentation language used here is the same as that used inRFC 2246 [TLS]. Because these specifications extend theTLSprotocol specification,[3]. Since this specification extends TLS, these descriptions should be merged with those in the TLS specification andinanyother specifications whichothers that extend TLS. This means that enum types may not specify allthepossible values and structures with multiple formats chosen with a select() clause may not indicate allthepossible cases.4.1.4.1 Server Certificate When this message is sent: This message is sent inthe following key exchange algorithms: All theall non-anonymous ECC-based key exchangealgorithms specified in Section 2.algorithms. Meaning of this message: This message is used to authentically convey the server's static public key to the client. The following table shows the server certificate type appropriate for each key exchange algorithm. ECC public keys must be encoded in certificates as described in Section 4.7. NOTE: The server's Certificate message is capable of carrying a chain of certificates. The restrictions mentioned in Table 3 apply only to the server's certificatetypes are given(first in thefollowing table.chain). Key Exchange Algorithm Server Certificate Type ---------------------- ----------------------- ECDH_ECDSAECC public key; the certificateCertificate mustallow the key to be used for key agreement. The certificatecontain an ECDH-capable public key. It must be signed with ECDSA.ECDH_ECDSA_EXPORT ECC public key which can be used for key agreement; key size must be 163 bits or less.ECDHE_ECDSA Certificate must contain an ECDSA-capable public key. It must be signed with ECDSA. ECDH_RSAECC public key which can be used for key agreement.Certificate must contain an ECDH-capable public key. It must be signed with RSA.ECDH_RSA_EXPORT ECCECDHE_RSA Certificate must contain an RSA public keywhich can be usedauthorized forkey agreement; key size must be 163 bits or less. Certificateuse in digital signatures. It must be signed with RSA. Table 3: Server certificate types[PKIX-ALG] specifies how ECC keys and ECDSA signatures are placed in X.509 certificates. Servers SHOULD use the elliptic curve domain parameters recommended in ANSI X9.62 [ANSIX962], FIPS 186-2 [FIPS186-2], and SEC 2 [SEC2]. Note that - as with RSA - the same identifier is used for all ECC keys in "SubjectPublicKeyInfo". The key usage extension may be used to further delimit the use of the key. When a key usage extension is present, the "keyAgreement" bit MUST be set for ECDH certificates.Structure of this message: Identical to the TLS Certificate format. Actions of the sender: The server constructs an appropriate certificate chain and conveys it to the client in the Certificate message. Actions of the receiver: The client validates the certificate chain, extracts the server's public key, and checks that the keyis of the correcttype is appropriate for the negotiated key exchange algorithm.4.2.4.2 Server Key Exchange When this message is sent: This message is sentin the following key exchange algorithms: Bothwhen using theanonymous ECC-basedECDHE_ECDSA, ECDHE_RSA and ECDH_anon key exchangealgorithms specified in Section 2.algorithms. Meaning of this message: This message is used to convey the server's ephemeral ECDH public key (and the corresponding elliptic curve domain parameters) to the client. Structure of this message:The TLS ServerKeyExchange message is extended as follows. enum { ec_diffie_hellman } KeyExchangeAlgorithm; ec_diffie_hellman Indicates the ServerKeyExchange message is to contain an ECDH public key.enum { explicit_prime (1), explicit_char2 (2), named_curve (3), (255) } ECCurveType;explicit_primeexplicit_prime: Indicates the elliptic curve domain parameterswill beare conveyed verbosely, andthatthe underlying finite field is a prime field.explicit_char2explicit_char2: Indicates the elliptic curve domain parameterswill beare conveyed verbosely, andthatthe underlying finite field is a characteristic 2 field.named_curvenamed_curve: Indicates that a named curvewill beis used.The use of thisThis optionis strongly recommended.SHOULD be used when applicable. struct { opaque a <1..2^8-1>; opaque b <1..2^8-1>; opaque seed <0..2^8-1>; } ECCurve; a,bb: These parameters specify the coefficients of the elliptic curve. Each value contains the byte string representation of a field element following the conversion routine in[X9.62], section 4.3.3. seedSection 4.3.3 of ANSI X9.62 [7]. seed: This is an optional parameter used to derive the coefficients of a randomly generated elliptic curve. struct { opaque point <1..2^8-1>; } ECPoint;pointpoint: This is the byte string representation of an elliptic curve point following the conversion routine in[X9.62], section 4.3.6.Section 4.3.6 of ANSI X9.62 [7]. Note that this byte string may represent an elliptic curve point in compressed or uncompressed form. Implementations of this specification MUST support the uncompressed form and MAY support the compressed form. enum { ec_basis_trinomial, ec_basis_pentanomial } ECBasisType;ec_basis_trinomialec_basis_trinomial: Indicates representation of a characteristic two field using a trinomial basis.ec_basis_pentanomialec_basis_pentanomial: Indicates representation of a characteristic two field using a pentanomial basis. enum { sect163k1 (1), sect163r1 (2), sect163r2 (3), sect193r1 (4), sect193r2 (5), sect233k1 (6), sect233r1 (7), sect239k1 (8), sect283k1 (9), sect283r1 (10), sect409k1 (11), sect409r1 (12), sect571k1 (13), sect571r1 (14), secp160k1 (15), secp160r1 (16), secp160r2 (17), secp192k1 (18), secp192r1 (19), secp224k1 (20), secp224r1 (21), secp256k1 (22), secp256r1 (23), secp384r1 (24), secp521r1 (25), reserved (240..247), (255) } NamedCurve; sect163k1,etcetc: Indicates use of the correspondingrecommendednamed curve specified in SEC 2[SEC2].[12]. Note that many of these curves are also recommended in ANSI X9.62[ANSIX962],[7], and FIPS 186-2[FIPS186-2].[9]. Values 240 through 247 are reserved for private use. struct { ECCurveType curve_type; select (curve_type) { case explicit_prime: opaque prime_p <1..2^8-1>; ECCurve curve; ECPoint base; opaque order <1..2^8-1>; opaque cofactor <1..2^8-1>; case explicit_char2: uint16 m; ECBasisType basis; select (basis) { case ec_trinomial: opaque k <1..2^8-1>; case ec_pentanomial: opaque k1 <1..2^8-1>; opaque k2 <1..2^8-1>; opaque k3 <1..2^8-1>; }; ECCurve curve; ECPoint base; opaque order <1..2^8-1>; opaque cofactor <1..2^8-1>; case named_curve: NamedCurve namedcurve; }; } ECParameters;curve_typecurve_type: This identifies the type of the elliptic curve domain parameters.prime_pprime_p: This is the odd prime defining the field Fp.curvecurve: Specifies the coefficients a and b (and optional seed) of the elliptic curve E.basebase: Specifies the base point G on the elliptic curve.orderorder: Specifies the order n of the base point.cofactorcofactor: Specifies the cofactor h = #E(Fq)/n, where #E(Fq) represents the number of points on the elliptic curve E defined over the field Fq.mm: This is the degree of the characteristic-two field F2^m.kk: The exponent k for the trinomial basis representationx^m+x^k+1.x^m + x^k +1. k1, k2,k3k3: The exponents for the pentanomial representationx^m+x^k3+x^k2+x^k1+1. namedcurvex^m + x^k3 + x^k2 + x^k1 + 1 (such that k3 > k2 > k1). namedcurve: Specifies a recommended set of elliptic curve domain parameters. struct { ECParameters curve_params; ECPoint public; } ServerECDHParams;curve_paramscurve_params: Specifies the elliptic curve domain parameters associated with the ECDH public key.publicpublic: The ephemeral ECDH public key. The ServerKeyExchange message is extended as follows. enum { ec_diffie_hellman } KeyExchangeAlgorithm; ec_diffie_hellman: Indicates the ServerKeyExchange message contains an ECDH public key. select (KeyExchangeAlgorithm) { case ec_diffie_hellman: ServerECDHParams params; Signature signed_params; } ServerKeyExchange;paramsparams: Specifies the ECDH public key and associated domain parameters.signed_params This elementsigned_params: A hash of the params, with the signature appropriate to that hash applied. The private key corresponding to the certified public key in the server's Certificate message isemptyused for signing. enum { ecdsa } SignatureAlgorithm; select (SignatureAlgorithm) { case ecdsa: digitally-signed struct { opaque sha_hash[20]; }; } Signature; NOTE: SignatureAlgorithm is 'rsa' forallthe ECDHE_RSA key exchangealgorithms specifiedalgorithm and 'anonymous' for ECDH_anon. These cases are defined inthis document.TLS [3]. SignatureAlgorithm is 'ecdsa' for ECDHE_ECDSA. ECDSA signatures are generated and verified as described in Section 4.8. Actions of the sender: The server selects elliptic curve domain parameters and an ephemeral ECDH public key corresponding to these parameters according to the ECKAS-DH1 scheme from IEEE 1363[IEEE1363].[6]. It conveys this information to the client in the ServerKeyExchange message using the format defined above. Actions of the recipient: The client verifies the signature (when present) and retrieves the server's elliptic curve domain parameters and ephemeral ECDH public key from the ServerKeyExchange message.4.3.4.3 Certificate Request When this message is sent: This message is sent when requestingthe following client authentication methods: Any of the ECC-basedclientauthentication methods specified in Section 3.authentication. Meaning of this message: The server uses this message toindicate whichsuggest acceptable client authenticationmethods the server would like to use.methods. Structure of this message: The TLS CertificateRequest message is extended as follows. enum {ecdsa_sign (5), rsa_fixed_ecdh (6),ecdsa_sign(5), rsa_fixed_ecdh(6), ecdsa_fixed_ecdh(7), (255) } ClientCertificateType; ecdsa_sign, etc Indicates that the server would like to use the corresponding client authentication method specified in Section 3. NOTE: SSL 3.0 [4] assigns values 5 and 6 differently (rsa_ephemeral_dh and dss_ephemeral_dh); these ClientCertificateType values are not used by TLS. Actions of the sender: The server decides which client authentication methods it would like to use, and conveys this information to the client using the format defined above. Actions of the receiver: The client determines whether it has an appropriate certificate for use with any of the requested methods, and decides whether or not to proceed with client authentication.4.4.4.4 Client Certificate When this message is sent: This message is sent inthe following client authentication methods: All the ECC-basedresponse to a CertificateRequest when a clientauthentication methods specified in Section 3.has a suitable certificate. Meaning of this message: This message is used to authentically convey the client's static public key to the server. Theappropriatefollowing table summarizes what client certificate types aregivenappropriate for the ECC-based client authentication mechanisms described in Section 3. ECC public keys must be encoded in certificates as described in Section 4.7. NOTE: The client's Certificate message is capable of carrying a chain of certificates. The restrictions mentioned in Table 4 apply only to thefollowing table.client's certificate (first in the chain). Client Authentication Method Client Certificate TypeMethod--------------------- ----------------------- ECDSA_signECCCertificate must contain an ECDSA-capable public keywhich canand beused for signing.signed with ECDSA. ECDSA_fixed_ECDHECCCertificate must contain an ECDH-capable public keywhich can be used for key agreement. Certificateon the same elliptic curve as the server's long-term ECDH key. This certificate must be signed with ECDSA. RSA_fixed_ECDHECCCertificate must contain an ECDH-capable public keywhich can be used for key agreement. Certificateon the same elliptic curve as the server's long-term ECDH key. This certificate must be signed with RSA. Table 4: Client certificate types[PKIX-ALG] specifies how ECC keys and ECDSA signatures are placed in X.509 certificates. Clients SHOULD use the elliptic curve domain parameters recommended in ANSI X9.62 [ANSIX962], FIPS 186-2 [FIPS186-2], and SEC 2 [SEC2]. Note that - as with RSA - the same identifier is used for all ECC keys in "SubjectPublicKeyInfo". The key usage extension may be used to further delimit the use of the key. When a key usage extension is present, the "keyAgreement" bit MUST be set for ECDH certificates, and the "digitalSignature" bit MUST be set for ECDSA certificates.Structure of this message: Identical to the TLS client Certificate format. Actions of the sender: The client constructs an appropriate certificate chain, and conveys it to the server in the Certificate message. Actions of the receiver: The TLS server validates the certificate chain, extracts the client's public key, and checks that the keyis of the correcttype is appropriate for the client authentication method.4.5.4.5 Client Key Exchange When this message is sent: This message is sent inthe following key exchange algorithms: All the ECC-basedall key exchangealgorithms specified in Section 2.algorithms. If client authentication withfixed ECDHECDSA_fixed_ECDH or RSA_fixed_ECDH isnot beingused,thethis message is empty. Otherwise, it contains the client's ephemeral ECDH publickey, otherwise the message is empty.key. Meaning of the message: This message is used to convey ephemeral data relating to the key exchange belonging to the client (such as its ephemeral ECDH public key). Structure of this message: The TLS ClientKeyExchange message is extended as follows. enum { yes, no } EphemeralPublicKey; yes,nono: Indicates whether or not the client is providing an ephemeral ECDH public key. (In ECC ciphersuites, this is "yes" except when the client uses the ECDSA_fixed_ECDH or RSA_fixed_ECDH client authentication mechanism.) struct { select (EphemeralPublicKey) { case yes: ECPoint ecdh_Yc; case no: struct { }; } ecdh_public; } ClientECDiffieHellmanPublic;ecdh_Ycecdh_Yc: Contains the client's ephemeral ECDH public key. struct { select (KeyExchangeAlgorithm) { case ec_diffie_hellman: ClientECDiffieHellmanPublic; } exchange_keys; } ClientKeyExchange; Actions of the sender: The client selects an ephemeral ECDH public key corresponding to the parameters it received from the server according to the ECKAS-DH1 scheme from IEEE 1363[IEEE1363].[6]. It conveys this information to the client in the ClientKeyExchange message using the format defined above. Actions of the recipient: The server retrieves the client's ephemeral ECDH public key from theServerKeyExchangeClientKeyExchange message and checks that it is on thepublic key represents a point of thesame ellipticcurve. 4.6.curve as the server's ECDH key. 4.6 Certificate Verify When this message is sent: This message is sentinwhen thefollowingclientauthentication methods:sends a client certificate containing a public key usable for digital signatures, e.g. when the client is authenticated using the ECDSA_sign mechanism. Meaning of the message: This message containsan ECDSAa signatureonthat proves possession of thehandshake messages in orderprivate key corresponding toauthenticatetheclient topublic key in theserver.client's Certificate message. Structure of this message: The TLS CertificateVerify message is extended as follows. enum {ec_dsaecdsa } SignatureAlgorithm; select (SignatureAlgorithm) { caseec_dsa:ecdsa: digitally-signed struct { opaque sha_hash[20]; }; } Signature;InFor theCertificateVerify message,ecdsa case, the signature fieldcontainsin theclient'sCertificateVerify message contains an ECDSA signatureon thecomputed over handshake messages exchanged so far.According to [ANSIX962], theECDSA signatures are computed as described in Section 4.8. As per ANSI X9.62, an ECDSA signature consists of a pair of integers r and s. These integers are both converted into byte strings of the same length as the curve order n using the conversion routine specified in Section 4.3.1 of[ANSIX962], the[7]. The two byte strings are concatenated, and the result is placed in the signature field. Actions of the sender: The client computes its signature overtheall handshake messagesexchanged so far using its ECDSA key pair with ECDSA computations performed as specified in [ANSIX962] with the hash function SHA-1 [FIPS186-2]. Thesent or received starting at clientconveyshello up to but not including this message. It uses the private key corresponding to itssignaturecertified public key to compute theserversignature which is conveyed in theCertificateVerify message using theformat defined above. Actions of the receiver: The server extracts the client's signature from the CertificateVerify message, and verifies the signature using theclient's ECDSApublic keythatit received in theClientCertificateclient's Certificate message.4.7. Computing the Master Secret In all4.7 Elliptic Curve Certificates X509 certificates containing ECC public keys or signed using ECDSA MUST comply with [14]. Clients SHOULD use theECC-based key exchange algorithms specifiedelliptic curve domain parameters recommended inSection 2, the clientANSI X9.62 [7], FIPS 186-2 [9], and SEC 2 [12]. 4.8 ECDH, ECDSA and RSA Computations All ECDH calculations (including parameter andserver compute the masterkey generation asfollows: - They both compute a singlewell as the shared secretK of length 20 bytes using their ECDH key pairs with ECDH computationscalculation) MUST be performedas specified byaccording to [6] using the ECKAS-DH1 schemein [IEEE1363]with the ECSVDP-DH secret value derivation primitive, and the KDF1 key derivationprimitivefunction using SHA-1[FIPS180-1]. - They both use K[9]. The output of this scheme, i.e. the 20-byte SHA-1 output from the KDF, is the premaster secret. DISCUSSION POINT: Using KDF1 with SHA-1 limits the security to at most 160 bits, independently of the elliptic curve used for ECDH. An alternative way to define the protocol would be to employ the identity map as key derivation function (in other words, omit thepre_master_secret,SHA-1 step andcomputedirectly use the octet string representation of the x coordinate of themaster_secretelliptic curve point resulting from thepre_master_secretECDH computation asspecifiedpremaster secret). This is similar to conventional DH in[TLS].TLS [3], and it is appropriate for TLS given that TLS already defines a PRF for determining the actual symmetric keys. The TLS PRF (which is used to derive the master secret from the premaster secret and the symmetric keys from the master secret) has an internal security limit of at most 288 bits (128 + 160 for MD5 and SHA-1), so the use of KDF1 with SHA-1 can be seen to actually weaken the theoretical security of the protocol. Options to solve this problem include the following: o Omit the SHA-1 step as describe above. (BM) o Continue to use KDF1 with SHA-1 for curves up to, say, 288 bits (more precisely: for curves where FE2OSP returns an octet string up to 36 octets) and omit the SHA-1 step only for larger curves. (SBW/BM) o Continue to use KDF1 with SHA-1 for curves up to, say, 288 bits and use KDF1 with SHA-256 or SHA-384 or SHA-512 for larger curves. (SBW) The first solution will break compatibility with existing implementations based on draft-ietf-tls-ecc-01.txt. The second and third solutions are somewhat of a kludge, but maintain compatibility (in a large range). OPEN QUESTION: We invite comments on which of these solutions would be preferred. END OF DISCUSSION POINT. All ECDSA computations MUST be performed according to ANSI X9.62 [7] using the SHA-1 [9] hash function. The 20 bytes of the SHA-1 are run directly through the ECDSA algorithm with no additional hashing. All RSA signatures must be generated and verified according to PKCS#1 [10]. 5. Cipher Suites The table below definesthenew ECC cipher suitesspecified in this document forthat usewiththe key exchange algorithms specified in Section 2. CipherSuite TLS_ECDH_ECDSA_WITH_NULL_SHA = { 0x00, 0x47 } CipherSuite TLS_ECDH_ECDSA_WITH_RC4_128_SHA = { 0x00, 0x48 } CipherSuite TLS_ECDH_ECDSA_WITH_DES_CBC_SHA = { 0x00, 0x49 } CipherSuite TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = { 0x00, 0x4A } CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = { 0x00, 0x4B } CipherSuite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = { 0x00, 0x4C } CipherSuiteTLS_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHATLS_ECDHE_ECDSA_WITH_NULL_SHA = { 0x00,0x4B0x?? } CipherSuiteTLS_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHATLS_ECDHE_ECDSA_WITH_RC4_128_SHA = { 0x00,0x4C0x?? } CipherSuiteTLS_ECDH_RSA_WITH_NULL_SHATLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x4D0x?? } CipherSuiteTLS_ECDH_RSA_WITH_RC4_128_SHATLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = { 0x00,0x4E0x?? } CipherSuiteTLS_ECDH_RSA_WITH_DES_CBC_SHATLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = { 0x00,0x4F0x?? } CipherSuite TLS_ECDH_RSA_WITH_NULL_SHA = { 0x00, 0x?? } CipherSuite TLS_ECDH_RSA_WITH_RC4_128_SHA = { 0x00, 0x?? } CipherSuite TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x500x?? } CipherSuite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = { 0x00,0x510x?? } CipherSuite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = { 0x00,0x520x?? } CipherSuiteTLS_ECDH_RSA_EXPORT_WITH_RC4_40_SHATLS_ECDHE_RSA_WITH_NULL_SHA = { 0x00,0x530x?? } CipherSuiteTLS_ECDH_RSA_EXPORT_WITH_RC4_56_SHATLS_ECDHE_RSA_WITH_RC4_128_SHA = { 0x00,0x540x?? } CipherSuiteTLS_ECDH_anon_NULL_WITH_SHATLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x550x?? } CipherSuiteTLS_ECDH_anon_WITH_RC4_128_SHATLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x?? } CipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = { 0x00,0x560x?? } CipherSuiteTLS_ECDH_anon_WITH_DES_CBC_SHATLS_ECDH_anon_NULL_WITH_SHA = { 0x00,0x570x?? } CipherSuite TLS_ECDH_anon_WITH_RC4_128_SHA = { 0x00, 0x?? } CipherSuite TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = { 0x00,0x580x?? } CipherSuiteTLS_ECDH_anon_EXPORT_WITH_DES40_CBC_SHATLS_ECDH_anon_WITH_AES_128_CBC_SHA = { 0x00,0x590x?? } CipherSuiteTLS_ECDH_anon_EXPORT_WITH_RC4_40_SHATLS_ECDH_anon_WITH_AES_256_CBC_SHA = { 0x00,0x5A0x?? } Table 5: TLS ECC cipher suites The key exchange method, cipher, and hash algorithm for each of these cipher suites are easily determined by examining the name. Ciphers other than AES ciphers, and hash algorithms are defined in[TLS].[3]. AES ciphers are defined in[TLS-AES]. The cipher suites which use the "NULL" cipher or one of the "EXPORT" key exchange algorithms are considered to be "exportable" cipher suites for the purposes of the TLS protocol. Use of the following cipher suites is recommended in general - server[11]. Server implementations SHOULD support all ofthesethe following cipher suites, and client implementations SHOULD support at least one of them:TLS_ECDH_ECDSA_WITH_RC4_128_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA Implementations MAY support any of the other cipher suites.TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. 6. Security Considerations This document is entirely concerned with security mechanisms. This document is based on[TLS], [ANSIX9.62], and [IEEE1363][3], [6], [7] andthe[11]. The appropriate security considerations of those documents apply.In addition implementers should take care to ensure that code which controls security mechanisms is free of errors which might be exploited by attackers.7. Intellectual Property Rights The IETF has been notified of intellectual property rights claimed in regard to the specification contained in this document. For more information, consult the online list of claimed rights(http://www.ietf.org/ipr.html).(http:// www.ietf.org/ipr.html). The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found inBCP-11.[13]. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat. 8. Acknowledgments The authors wish to thank BillAnderson, Paul Fahn, Gilles Garon, John Kennedy,Anderson andBrian Minard for their help preparing this document. 9.Tim Dierks. References[ANSIX9.62] ANSI X9.62-1999,[1] Bradner, S., "Key Words for Use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [2] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key Sizes", Journal of Cryptology 14 (2001) 255-293, <http:// www.cryptosavvy.com/>. [3] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999. [4] Freier, A., Karlton, P. and P. Kocher, "The SSL Protocol Version 3.0", November 1996, <http://wp.netscape.com/eng/ssl3/ draft302.txt>. [5] SECG, "Elliptic Curve Cryptography", SEC 1, 2000, <http:// www.secg.org/>. [6] IEEE, "Standard Specifications for Public Key Cryptography", IEEE 1363, 2000. [7] ANSI, "Public Key Cryptography For The Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)",American National Standards Institute,ANSI X9.62, 1998.[FIPS180][8] NIST, "Digital Signature Standard", FIPS 180-1, 2000. [9] NIST, "Secure Hash Standard",National Institute of Standards and Technology, 1995. [FIPS186-2]FIPS 186-2,"Digital Signature Standard", National Institute of Standards and Technology, 2000. [IEEE1363] IEEE 1363, "Standard Specifications1995. [10] RSA Laboratories, "PKCS#1: RSA Encryption Standard version 1.5", PKCS 1, November 1993. [11] Chown, P., "Advanced Encryption Standard (AES) Ciphersuites forPublic Key Cryptography", Institute of ElectricalTransport Layer Security (TLS)", RFC 3268, June 2002. [12] SECG, "Recommended Elliptic Curve Domain Parameters", SEC 2, 2000, <http://www.secg.org/>. [13] Hovey, R. andElectronics Engineers, 2000. [MUST]S. Bradner,"Key Words for Use"The Organizations Involved inRFCs to Indicate Requirement Levels",the IETF Standards Process", RFC2119, March 1997. [PKIX-ALG] L. Bassham,2028, BCP 11, October 1996. [14] Polk, T., Housley, R.HousleyandW. Polk,L. Bassham, "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate andCRL Profile", PKIX Working Group Internet-Draft, draft-ietf-pkix-ipki-pkalgs-02.txt, March 2001. [PKIX-CERT] W. Ford, R. Housley, W. Polk and D. Solo, "Internet X.509 Public Key InfrastructureCertificateand CRLRevocation List (CRL) Profile",PKIX Working Group Internet-Draft, draft-ietf-pkix-new-part1-05.txt, March 2001. [SEC1] SEC 1, "Elliptic Curve Cryptography", Standards for Efficient Cryptography Group, 2000. [SEC2] SEC 2, "Recommended Elliptic Curve Domain Parameters", Standards for Efficient Cryptography Group, 2000. [TLS] T. Dierks and C. Allen, "The TLS Protocol - Version 1.0," IETFRFC2246, January 1999. [TLS-AES] P. Chown, "AES Ciphersuites for TLS", TLS Working Group Internet-Draft, draft-ietf-tls-ciphersuite-03.txt, January 2001. [TLS-EXT] S. Blake-Wilson and M. Nystrom, "Wireless Extensions to TLS", TLS Working Group Internet-Draft, draft-ietf-tls-wireless-00.txt, November 2000. 10.3279, April 2002. Authors' AddressesAuthors:Vipul Gupta Sun Microsystems Laboratories 2600 Casey Avenue MS UMTV29-235 Mountain View, CA 94303 USA Phone: +1 650 336 1681 EMail: vipul.gupta@sun.com Simon Blake-WilsonCerticom Corp. sblake-wilson@certicom.com Tim Dierks Certicom Corp. timd@consensus.comBasic Commerce & Industries, Inc. 96 Spandia Ave Unit 606 Toronto, ON M6G 2T6 Canada Phone: +1 416 214 5961 EMail: sblakewilson@bcisse.com Bodo Moeller Technische Universitaet Darmstadt Alexanderstr. 10 64283 Darmstadt Germany Phone: +49 6151 16 6628 EMail: moeller@cdc.informatik.tu-darmstadt.de Chris HawkCerticom Corp. chawk@certicom.comIndependent Consultant EMail: chris@socialeng.com Full Copyright Statement Copyright (C) The Internet Society (2002). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society.