< draft-merkle-ikev2-ke-brainpool-03.txt   draft-merkle-ikev2-ke-brainpool-06.txt >
Network Working Group J. Merkle Network Working Group J. Merkle
Internet-Draft secunet Security Networks Internet-Draft secunet Security Networks
Intended status: Informational M. Lochter Intended status: Informational M. Lochter
Expires: August 11, 2013 Bundesamt fuer Sicherheit in der Expires: October 25, 2013 Bundesamt fuer Sicherheit in der
Informationstechnik (BSI) Informationstechnik (BSI)
February 7, 2013 April 23, 2013
Using the ECC Brainpool Curves for IKEv2 Key Exchange Using the ECC Brainpool Curves for IKEv2 Key Exchange
draft-merkle-ikev2-ke-brainpool-03 draft-merkle-ikev2-ke-brainpool-06
Abstract Abstract
This document specifies the use of ECC Brainpool elliptic curve This document specifies the use of ECC Brainpool elliptic curve
groups for key exchange in the Internet Key Exchange version 2 groups for key exchange in the Internet Key Exchange version 2
(IKEv2) protocol. (IKEv2) protocol.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 11, 2013. This Internet-Draft will expire on October 25, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 15 skipping to change at page 2, line 15
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. IKEv2 Key Exchange using the ECC Brainpool Curves . . . . . . 4 2. IKEv2 Key Exchange using the ECC Brainpool Curves . . . . . . 4
2.1. Diffie-Hellman Group Transform IDs . . . . . . . . . . . . 4 2.1. Diffie-Hellman Group Transform IDs . . . . . . . . . . . . 4
2.2. Using the Twisted Brainpool Curves Internally . . . . . . 4 2.2. Using the Twisted Brainpool Curves Internally . . . . . . 4
2.3. Key Exchange Payload and Shared Secret . . . . . . . . . . 4 2.3. Key Exchange Payload and Shared Secret . . . . . . . . . . 4
3. Security Considerations . . . . . . . . . . . . . . . . . . . 6 3. Security Considerations . . . . . . . . . . . . . . . . . . . 6
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
5. Intellectual Property Rights . . . . . . . . . . . . . . . . . 8 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 5.1. Normative References . . . . . . . . . . . . . . . . . . . 8
6.1. Normative References . . . . . . . . . . . . . . . . . . . 9 5.2. Informative References . . . . . . . . . . . . . . . . . . 8
6.2. Informative References . . . . . . . . . . . . . . . . . . 9 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 10
Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 11 A.1. 224 Bit Curve . . . . . . . . . . . . . . . . . . . . . . 10
A.1. 224 Bit Curve . . . . . . . . . . . . . . . . . . . . . . 11 A.2. 256 Bit Curve . . . . . . . . . . . . . . . . . . . . . . 11
A.2. 256 Bit Curve . . . . . . . . . . . . . . . . . . . . . . 12 A.3. 384 Bit Curve . . . . . . . . . . . . . . . . . . . . . . 11
A.3. 384 Bit Curve . . . . . . . . . . . . . . . . . . . . . . 12 A.4. 512 Bit Curve . . . . . . . . . . . . . . . . . . . . . . 12
A.4. 512 Bit Curve . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
In [RFC5639], a new set of elliptic curve groups over finite prime In [RFC5639], a new set of elliptic curve groups over finite prime
fields for use in cryptographic applications was specified. These fields for use in cryptographic applications was specified. These
groups, denoted as ECC Brainpool curves, were generated in a groups, denoted as ECC Brainpool curves, were generated in a
verifiably pseudo-random way and comply with the security verifiably pseudo-random way and comply with the security
requirements of relevant standards from ISO [ISO1] [ISO2], ANSI requirements of relevant standards from ISO [ISO1] [ISO2], ANSI
[ANSI1], NIST [FIPS], and SecG [SEC2]. [ANSI1], NIST [FIPS], and SecG [SEC2].
skipping to change at page 4, line 18 skipping to change at page 4, line 18
In order to use the ECC Brainpool curves for key exchange within In order to use the ECC Brainpool curves for key exchange within
IKEv2, the Diffie-Hellman Group Transform IDs (Transform Type 4) IKEv2, the Diffie-Hellman Group Transform IDs (Transform Type 4)
listed in the following table are to be registered with IANA listed in the following table are to be registered with IANA
[IANA-IKE2]. The parameters associated with these curves are defined [IANA-IKE2]. The parameters associated with these curves are defined
in RFC 5639 [RFC5639]. in RFC 5639 [RFC5639].
+-----------------+--------------+ +-----------------+--------------+
| Curve | Transform ID | | Curve | Transform ID |
+-----------------+--------------+ +-----------------+--------------+
| brainpoolP224r1 | TBD1 | | brainpoolP224r1 | 27 |
| | | | | |
| brainpoolP256r1 | TBD2 | | brainpoolP256r1 | 28 |
| | | | | |
| brainpoolP384r1 | TBD3 | | brainpoolP384r1 | 29 |
| | | | | |
| brainpoolP512r1 | TBD4 | | brainpoolP512r1 | 30 |
+-----------------+--------------+ +-----------------+--------------+
Table 1 Table 1
Test vectors for the groups defined by the ECC Brainpool curves are Test vectors for the groups defined by the ECC Brainpool curves are
provided in Appendix A provided in Appendix A
2.2. Using the Twisted Brainpool Curves Internally 2.2. Using the Twisted Brainpool Curves Internally
In [RFC5639] for each random curve, a "twisted curve" (defined by a In [RFC5639] for each random curve, a "twisted curve" (defined by a
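Review bot: The lead-in to Table 1 still says the Transform IDs "are to be registered with IANA" in the -06 column, although the table now carries the concrete values 27 to 30 instead of TBD1 to TBD4. Reword it to say the values are registered in [IANA-IKE2], so the text no longer reads as if the assignment were pending. The sentence after the table ("Test vectors ... are provided in Appendix A") also ends without a full stop in both versions.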
skipping to change at page 6, line 10 skipping to change at page 6, line 10
In particular, the shared secret value MUST be computed from the x In particular, the shared secret value MUST be computed from the x
coordinate of the Diffie-Hellman common value using the FieldElement- coordinate of the Diffie-Hellman common value using the FieldElement-
to-OctetString conversion method specified in [SEC1] and MUST have to-OctetString conversion method specified in [SEC1] and MUST have
bit length as indicated in the Table 2. bit length as indicated in the Table 2.
3. Security Considerations 3. Security Considerations
The security considerations of [RFC5996] apply accordingly. The security considerations of [RFC5996] apply accordingly.
In order to thwart certain active attacks, the validity of the other In order to thwart certain active attacks, the validity of the other
peer's public Diffie-Hellmann key recovered from the received key peer's public Diffie-Hellmann value (x,y) recovered from the received
exchange payload needs to be verified. In particular, the key exchange payload needs to be verified. In particular, it MUST be
recomendations and requirements of [IKE_DH_Req] MUST be observed. verified that the coordinates x and y of the public value satisfy the
For the curves listed in Table 1, Section 2.3 of [IKE_DH_Req] curve equation. For additional information we refer to [IKE_DH_Req].
applies.
The confidentiality, authenticity and integrity of a secure The confidentiality, authenticity and integrity of a secure
communication based on IKEv2 is limited by the weakest cryptographic communication based on IKEv2 is limited by the weakest cryptographic
primitive applied. In order to achieve a maximum security level when primitive applied. In order to achieve a maximum security level when
using one of the elliptic curves from Table 1 for key exchange, the using one of the elliptic curves from Table 1 for key exchange, the
key derivation function, the algorithms and key lengths of symmetric key derivation function, the algorithms and key lengths of symmetric
encryption and message authentication as well as the algorithm, bit encryption and message authentication as well as the algorithm, bit
length and hash function used for signature generation should be length and hash function used for signature generation should be
chosen according to the recommendations of [NIST800-57] and chosen according to the recommendations of [NIST800-57] and
[RFC5639]. Furthermore, the private Diffie-Hellman keys should be [RFC5639]. Furthermore, the private Diffie-Hellman keys should be
selected with the same bit length as the order of the group generated selected with the same bit length as the order of the group generated
by the base point G and with approximately maximum entropy. by the base point G and with approximately maximum entropy.
Implementations of elliptic curve cryptography for IKEv2 may be Implementations of elliptic curve cryptography for IKEv2 could be
susceptible to side-channel attacks. Particular care should be taken susceptible to side-channel attacks. Particular care should be taken
for implementations that internally use the corresponding twisted for implementations that internally use the corresponding twisted
curve to take advantage of an efficient arithmetic for the special curve to take advantage of an efficient arithmetic for the special
parameters (A = -3): although the twisted curve itself offers the parameters (A = -3): although the twisted curve itself offers the
same level of security as the corresponding random curve (through same level of security as the corresponding random curve (through
mathematical equivalence), an arithmetic based on small curve mathematical equivalence), an arithmetic based on small curve
parameters may be harder to protect against side-channel attacks. parameters could be harder to protect against side-channel attacks.
General guidance on resistence of elliptic curve cryptography General guidance on resistence of elliptic curve cryptography
implementations against side-channel-attacks is given in [BSI1] and implementations against side-channel-attacks is given in [BSI1] and
[HMV]. [HMV].
4. IANA Considerations 4. IANA Considerations
Before this document can become an RFC, IANA is required to assign IANA has updated its Transform Type 4 (Diffie-Hellman Group
Transform Type 4 (Diffie-Hellman Group Transform) IDs to the groups Transform) registry in [IANA-IKE2] to include the groups listed in
specified in Table 1 for the Internet Key Exchange Version 2 (IKEv2) Table 1.
Parameters registry [IANA-IKE2]. For the new entries in the table of
the Transform Type 4 repository, a reference to Section 2.3 of
[IKE_DH_Req] shall be included in the column named "Recipient Tests"
indicating the required checks for the other peer's Diffie-Hellman
public keys.
Another I-D is being submitted for publication as RFC [BP_IKE]
requesting assignment for the same groups in the corresponding
registry for IKEv1; in order to keep the registries for IKEv1 and
IKEv2 in accordance, IANA is requested to assign the same values in
both registries.
5. Intellectual Property Rights
Although, the authors have no knowledge about any intellectual
property rights which cover the general usage of the ECP groups
defined herein, implementations based on these domain parameters may
require use of inventions covered by patent rights. In particular,
techniques for an efficient arithmetic based on the special
parameters of the twisted curves as explained in Section 2.1 may be
covered by patents.
6. References 5. References
6.1. Normative References 5.1. Normative References
[IANA-IKE2] Internet Assigned Numbers Authority, "Internet Key [IANA-IKE2] Internet Assigned Numbers Authority, "Internet Key
Exchange Version 2 (IKEv2) Parameters", Exchange Version 2 (IKEv2) Parameters",
<http://www.iana.org/assignments/ikev2-parameters>. <http://www.iana.org/assignments/ikev2-parameters>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)", "Internet Key Exchange Protocol Version 2 (IKEv2)",
RFC 5996, September 2010. RFC 5996, September 2010.
[RFC5639] Lochter, M. and J. Merkle, "Elliptic Curve Cryptography [RFC5639] Lochter, M. and J. Merkle, "Elliptic Curve Cryptography
(ECC) Brainpool Standard Curves and Curve Generation", (ECC) Brainpool Standard Curves and Curve Generation",
RFC 5639, March 2010. RFC 5639, March 2010.
[IKE_DH_Req] Sheffer, Y. and S. Fluhrer, "Additional Diffie-Hellman [SEC1] Certicom Research, "Elliptic Curve Cryptography",
Tests for IKEv2 (work in progress)", Standards for Efficient Cryptography (SEC) 1,
draft-ietf-ipsecme-dh-checks-00 (work in progress), September 2000.
January 2013.
6.2. Informative References 5.2. Informative References
[ANSI1] American National Standards Institute, "Public Key [ANSI1] American National Standards Institute, "Public Key
Cryptography For The Financial Services Industry: The Cryptography For The Financial Services Industry: The
Elliptic Curve Digital Signature Algorithm (ECDSA)", Elliptic Curve Digital Signature Algorithm (ECDSA)",
ANSI X9.62, 2005. ANSI X9.62, 2005.
[BSI1] Bundesamt fuer Sicherheit in der Informationstechnik, [BSI1] Bundesamt fuer Sicherheit in der Informationstechnik,
"Minimum Requirements for Evaluating Side-Channel "Minimum Requirements for Evaluating Side-Channel
Attack Resistance of Elliptic Curve Implementations", Attack Resistance of Elliptic Curve Implementations",
July 2011. July 2011.
[FIPS] National Institute of Standards and Technology, [FIPS] National Institute of Standards and Technology,
"Digital Signature Standard (DSS)", FIPS PUB 186-2, "Digital Signature Standard (DSS)", FIPS PUB 186-2,
December 1998. December 1998.
[BP_IKE] Harkins, D., "Brainpool Elliptic Curves for the IKE
Group Description Registry (work in progress)",
draft-harkins-brainpool-ike-groups-04 (work in
progress), August 2012.
[HMV] Hankerson, D., Menezes, A., and S. Vanstone, "Guide to [HMV] Hankerson, D., Menezes, A., and S. Vanstone, "Guide to
Elliptic Curve Cryptography", Springer Verlag, 2004. Elliptic Curve Cryptography", Springer Verlag, 2004.
[IKE_DH_Req] Sheffer, Y. and S. Fluhrer, "Additional Diffie-Hellman
Tests for IKEv2 (work in progress)",
draft-ietf-ipsecme-dh-checks-00 (work in progress),
January 2013.
[ISO1] International Organization for Standardization, [ISO1] International Organization for Standardization,
"Information Technology - Security Techniques - Digital "Information Technology - Security Techniques - Digital
Signatures with Appendix - Part 3: Discrete Logarithm Signatures with Appendix - Part 3: Discrete Logarithm
Based Mechanisms", ISO/IEC 14888-3, 2006. Based Mechanisms", ISO/IEC 14888-3, 2006.
[ISO2] International Organization for Standardization, [ISO2] International Organization for Standardization,
"Information Technology - Security Techniques - "Information Technology - Security Techniques -
Cryptographic Techniques Based on Elliptic Curves - Cryptographic Techniques Based on Elliptic Curves -
Part 2: Digital signatures", ISO/IEC 15946-2, 2002. Part 2: Digital signatures", ISO/IEC 15946-2, 2002.
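Review bot: In Section 3 of the -06 text, the only mandatory check on the peer's public value is that x and y "satisfy the curve equation", and [IKE_DH_Req] has moved from the normative to the informative references, so the document now has to state the full requirement itself. Suggest saying explicitly that x and y must be field elements in the range 0 to p-1 for the curve parameters of [RFC5639] before the equation is evaluated, and what the recipient does when the check fails, because "For additional information we refer to [IKE_DH_Req]" no longer binds implementers to those tests. Section 4 also drops the request for a "Recipient Tests" reference on the new registry entries; please confirm that this is intended and not a side effect of shortening the text. Two spellings are carried over unchanged from -03: "Diffie-Hellmann" in Section 3 and "resistence" in the side-channel paragraph.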
skipping to change at page 10, line 28 skipping to change at page 9, line 26
March 2007. March 2007.
[RFC5903] Fu, D. and J. Solinas, "Elliptic Curve Groups modulo a [RFC5903] Fu, D. and J. Solinas, "Elliptic Curve Groups modulo a
Prime (ECP Groups) for IKE and IKEv2", RFC 5903, Prime (ECP Groups) for IKE and IKEv2", RFC 5903,
June 2010. June 2010.
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental
Elliptic Curve Cryptography Algorithms", RFC 6090, Elliptic Curve Cryptography Algorithms", RFC 6090,
February 2011. February 2011.
[SEC1] Certicom Research, "Elliptic Curve Cryptography",
Standards for Efficient Cryptography (SEC) 1,
September 2000.
[SEC2] Certicom Research, "Recommended Elliptic Curve Domain [SEC2] Certicom Research, "Recommended Elliptic Curve Domain
Parameters", Standards for Efficient Cryptography Parameters", Standards for Efficient Cryptography
(SEC) 2, September 2000. (SEC) 2, September 2000.
Appendix A. Test Vectors Appendix A. Test Vectors
This section provides some test vectors for example Diffie-Hellman This section provides some test vectors for example Diffie-Hellman
key exchanges using each of the curves defined in Section 2 . In all key exchanges using each of the curves defined in Section 2 . In all
of the following sections the following notation is used: of the following sections the following notation is used:
 End of changes. 20 change blocks. 
64 lines changed or deleted 36 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/