Diff of draft-ietf-ipsec-ike-auth-ecdsa-05.txt (-05, left column in the original rendering) against draft-ietf-ipsec-ike-auth-ecdsa-06.txt (-06, right column)

IPSec Working Group                                          D. Fu, NSA
INTERNET-DRAFT                                          J. Solinas, NSA
-05: September 30, 2005, expires March 30, 2006
-06: July 14, 2006, expires January 14, 2007

                IKE and IKEv2 Authentication Using ECDSA
   <draft-ietf-ipsec-ike-auth-ecdsa-05.txt> / <draft-ietf-ipsec-ike-auth-ecdsa-06.txt>
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other Task Force (IETF), its areas, and its working groups. Note that other
[... unchanged text omitted ...]
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
Abstract Abstract
This document describes how the Elliptic Curve Digital Signature This document describes how the Elliptic Curve Digital Signature
Algorithm (ECDSA) may be used as the authentication method within Algorithm (ECDSA) may be used as the authentication method within
the Internet Key Exchange (IKE) and Internet Key Exchange version 2 the Internet Key Exchange (IKE) and Internet Key Exchange version 2
(IKEv2) protocols. ECDSA may provide benefits including (IKEv2) protocols. ECDSA may provide benefits including
computational efficiency, small signature sizes, and minimal computational efficiency, small signature sizes, and minimal
bandwidth compared to other available digital signature methods. bandwidth compared to other available digital signature methods.
This document adds ECDSA capability to IKE without introducing any This document adds ECDSA capability to IKE and IKEv2 without
changes to existing IKE operation. introducing any changes to existing IKE operation.
Table of Contents

-05:
   1. Introduction
   2. ECDSA
   3. Specifying ECDSA within IKE and IKEv2
   4. Security Considerations
   5. IANA Considerations
   6. Test Vectors
      6.1 Authentication Method 9
      6.2 Authentication Method 10
      6.3 Authentication Method 11
   7. References
      7.1 Normative
      7.2 Informative

-06:
   1. Introduction
   2. Requirements Terminology
   3. ECDSA
   4. Specifying ECDSA within IKE and IKEv2
   5. Security Considerations
   6. IANA Considerations
   7. ECDSA Data Formats
   8. Test Vectors
      8.1 ECDSA-256
      8.2 ECDSA-384
      8.3 ECDSA-521
   9. References
      9.1 Normative
      9.2 Informative
   10. Authors' Addresses
1. Introduction 1. Introduction
The Internet Key Exchange, or IKE [IKE], is a key agreement and The Internet Key Exchange, or IKE [IKE], is a key agreement and
security negotiation protocol; it is used for key establishment in security negotiation protocol; it is used for key establishment in
IPSec. In the initial set of exchanges, both parties must IPSec. In the initial set of exchanges, both parties must
authenticate each other using a negotiated authentication method. In authenticate each other using a negotiated authentication method. In
the original version of IKE, this occurs in Phase 1; in IKEv2, it the original version of IKE, this occurs in Phase 1; in IKEv2, it
occurs in the exchange called IKE-AUTH. One option for the occurs in the exchange called IKE-AUTH. One option for the
authentication method is digital signatures using public key authentication method is digital signatures using public key
cryptography. Currently, there are two digital signature methods cryptography. Currently, there are two digital signature methods
defined for use within Phase 1 and IKE-AUTH: RSA signatures and DSA defined for use within Phase 1 and IKE-AUTH: RSA signatures and DSA
(DSS) signatures. This document introduces ECDSA signatures as a (DSS) signatures. This document introduces ECDSA signatures as a
third method. third method.
For any given level of security against the best attacks known, ECDSA For any given level of security against the best attacks known, ECDSA
signatures are smaller than RSA signatures and ECDSA keys require signatures are smaller than RSA signatures, and ECDSA keys require
less bandwidth than DSA keys; there are also advantages of less bandwidth than DSA keys [LV]; there are also advantages of
computational speed and efficiency in many settings. Additional computational speed and efficiency in many settings. Additional
efficiency may be gained by simultaneously using ECDSA for IKE efficiency may be gained by simultaneously using ECDSA for IKE/IKEv2
authentication and using elliptic curve groups for the IKE key authentication and using elliptic curve groups for the IKE/IKEv2 key
exchange. Implementers of IPSec and IKE may therefore find it exchange. Implementers of IPSec and IKE/IKEv2 may therefore find it
desirable to use ECDSA as the Phase 1/IKE-AUTH authentication method. desirable to use ECDSA as the Phase 1/IKE-AUTH authentication method.
-05: 2. ECDSA

-06: 2. Requirements Terminology

   Keywords "MUST" and "SHOULD" that appear in this document are to be
   interpreted as described in [RFC2119].

   3. ECDSA
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the The Elliptic Curve Digital Signature Algorithm (ECDSA) is the
elliptic curve analogue of the DSA (DSS) signature method [DSS]. It elliptic curve analogue of the DSA (DSS) signature method [DSS]. It
is defined in the ANSI X9.62 standard [X9.62-2003]. Other compatible is defined in the ANSI X9.62 standard [X9.62-2003]. Other compatible
specifications include FIPS 186-2 [DSS], IEEE 1363 [IEEE-1363], IEEE specifications include FIPS 186-2 [DSS], IEEE 1363 [IEEE-1363], IEEE
1363A [IEEE-1363A], and SEC1 [SEC1]. 1363A [IEEE-1363A], and SEC1 [SEC].
ECDSA signatures are smaller than RSA signatures of similar ECDSA signatures are smaller than RSA signatures of similar
cryptographic strength. ECDSA public keys (and certificates) are cryptographic strength. ECDSA public keys (and certificates) are
smaller than similar strength DSA keys, resulting in improved smaller than similar strength DSA keys, resulting in improved
communications efficiency. Furthermore, on many platforms ECDSA communications efficiency. Furthermore, on many platforms ECDSA
operations can be computed more quickly than similar strength RSA or operations can be computed more quickly than similar strength RSA or
DSA operations (see [LV] for a security analysis of key sizes across DSA operations (see [LV] for a security analysis of key sizes across
public key algorithms). These advantages of signature size, public key algorithms). These advantages of signature size,
bandwidth, and computational efficiency may make ECDSA an attractive bandwidth, and computational efficiency may make ECDSA an attractive
choice for many IKE implementations. choice for many IKE and IKEv2 implementations.
3. Specifying ECDSA within IKE and IKEv2 4. Specifying ECDSA within IKE and IKEv2
The original IKE key negotiation protocol consists of two phases, The original IKE key negotiation protocol consists of two phases,
Phase 1 and Phase 2. Within Phase 1, the two negotiating parties Phase 1 and Phase 2. Within Phase 1, the two negotiating parties
authenticate each other using either pre-shared keys, digital authenticate each other using either pre-shared keys, digital
signatures, or public-key encryption. signatures, or public-key encryption.
The IKEv2 key negotiation protocol begins with two exchanges, The IKEv2 key negotiation protocol begins with two exchanges,
IKE-SA-INIT and IKE-AUTH. When not using extensible authentication, IKE-SA-INIT and IKE-AUTH. When not using extensible authentication,
the IKE-AUTH exchange includes a digital signature or MAC on a block the IKE-AUTH exchange includes a digital signature or MAC on a block
of data. of data.
-05 text:

   The IANA-assigned attribute number for authentication using generic
   ECDSA is 8 (see [IANA]), but the parameters and associated hash
   functions are not specified. The document defines the following
   authentication algorithms along with their anticipated IANA
   attribute numbers.

                Digital      Diffie-
       IANA     Signature    Hellman          Hash
       Value    Algorithm    Group            Function
       -----    ---------    ------------     -------------
         9      ECDSA        P-256 [19]       SHA-256 [4]
        10      ECDSA        P-384 [20]       SHA-384 [5]
        11      ECDSA        P-521 [21]       SHA-512 [6]

   The numbers in brackets are the IANA identifiers for the Diffie-
   Hellman groups and the hash functions.

   The Diffie-Hellman group is understood to use the base points
   supplied in [IKE-ECP]. Therefore the selection of IANA identifier
   from the above table completely specifies the parameters necessary
   for verifying the signature.

   When ECDSA is used as the digital signature in IKE, the signature
   payload SHALL contain an encoding of the computed signature
   consisting of the concatenation of a pair of integers s and t. The
   definitions of s and t are given in Section 6 of this document.

   Implementers may find it convenient, when using ECDSA as the
   authentication method, to specify the hash used by ECDSA as the
   value of the hash algorithm attribute. Implementers may also find
   it convenient to use ECDSA authentication in conjunction with an
   elliptic curve group for the IKE Diffie-Hellman key agreement; see
   [IKE-ECP] for some specific curves for the key agreement.

4. Security Considerations

   Implementers should ensure that appropriate security measures are in
   place when they deploy ECDSA within IKE. In particular, the security
   of ECDSA requires the careful selection of both key sizes and
   elliptic curve domain parameters. Selection guidelines for these
   parameters and some specific recommended curves that are considered
   safe are provided in ANSI X9.62 [X9.62], FIPS 186-2 [DSS], and SEC 2
   [SEC2].

5. IANA Considerations

   Before this document can become an RFC, it is required that IANA
   update its registry of IKE authentication methods in [IANA] to
   include the three options defined in Section 3 of this document.

6. Test Vectors

   The following are examples of the IKEv2 key exchange payload for each
   of the three groups specified in this document.

-06 text:

   The IANA-assigned attribute number for authentication using generic
   ECDSA in IKE is 8 (see [IANA-IKE]), but the corresponding list of
   IKEv2 authentication methods does not include ECDSA (see
   [IANA-IKEv2]). Moreover, ECDSA cannot be specified for IKEv2
   independently of an associated hash function since IKEv2 does not
   have a transform type for hash functions. For this reason, it is
   necessary to specify the hash function as part of the signature
   algorithm. Furthermore, the elliptic curve group must be specified
   since the choice of hash function depends on it as well. As a
   result, it is necessary to specify three signature algorithms,
   named ECDSA-256, ECDSA-384, and ECDSA-521. Each of these algorithms
   represents an instantiation of the ECDSA algorithm using a
   particular elliptic curve group and hash function. For reasons of
   consistency, this document defines the signatures for IKE in the
   same way.

       Digital
       Signature
       Algorithm    Elliptic Curve Group        Hash Function
       -----------  --------------------------  ---------------
       ECDSA-256    256-bit random ECP group    SHA2-256
       ECDSA-384    384-bit random ECP group    SHA2-384
       ECDSA-521    521-bit random ECP group    SHA2-512

   The elliptic curve groups, including their base points, are specified
   in [IKE-ECP].

5. Security Considerations

   Since this document proposes new digital signatures for use within
   IKE and IKEv2, many of the security considerations contained within
   [IKE] and [IKEv2] apply here as well. Implementers should ensure
   that appropriate security measures are in place when they deploy
   ECDSA within IKE or IKEv2.

   ECDSA-256, ECDSA-384, and ECDSA-521 are designed to offer security
   comparable with AES-128, AES-192, and AES-256 respectively.

6. IANA Considerations

   Before this document can become an RFC, it is required that IANA
   update its registry of IPSEC authentication methods in [IANA-IKE] and
   its registry of IKEv2 authentication methods in [IANA-IKEv2] to
   include ECDSA-256, ECDSA-384, and ECDSA-521.

7. ECDSA Data Formats

   When ECDSA-256, ECDSA-384, or ECDSA-521 is used as the digital
   signature in IKE or IKEv2, the signature payload SHALL contain an
   encoding of the computed signature consisting of the concatenation
   of a pair of integers r and s. The definitions of r and s are given
   in Section 8 of this document.

       Digital
       signature     Bit lengths     Bit length
       algorithm     of r and s      of signature
       -----------   -------------   --------------
       ECDSA-256     256             512
       ECDSA-384     384             768
       ECDSA-521     528             1056

   The bit lengths of r and s are enforced, if necessary, by
   pre-pending the value with zeros.

8. Test Vectors

   The following are examples of the IKEv2 authentication payload for
   each of the three signatures specified in this document.
-06 text:

   The following notation is used. The Diffie-Hellman group is given by
   the elliptic curve y^2 = (x^3 - 3 x + b) modulo p. If (x,y) is a
   point on the curve (i.e. x and y satisfy the above equation), then
   (x,y)^n denotes the scalar multiple of the point (x,y) by the
   integer n; it is another point on the curve. In the literature, the
   scalar multiple is typically denoted n(x,y); the notation (x,y)^n is
   used in order to conform to the notation used in [IKE], [IKEv2], and
   [IKE-ECP].

   The group order for the curve group is denoted q. The generator is
   denoted g=(gx,gy). The hash of the message is denoted h. The
   signer's static private key is denoted w; it is an integer between
   zero and q. The signer's static public key is g^w=(gwx,gwy). The
   ephemeral private key is denoted k; it is an integer between zero
   and q. The ephemeral public key is g^k=(gkx,gky). The quantity
   kinv is the integer between zero and q such that k*kinv = 1 modulo q.
   The first signature component is denoted r; it is equal to gkx
   reduced modulo q. The second signature component is denoted s; it is
   equal to (h+r*w)*kinv reduced modulo q.

   The test vectors below also include the data for verifying the ECDSA
   signature. The verifier computes h and the quantity sinv, which is
   the integer between zero and q such that s*sinv = 1 modulo q. The
   verifier computes

       u = h*sinv modulo q

   and

       v = r*sinv modulo q.

   The verifier computes (gx,gy)^u = (gux,guy) and
   (gwx,gwy)^v = (gwvx,gwvy). The verifier computes the sum

       (sumx,sumy) = (gux,guy) + (gwvx,gwvy)

   where + denotes addition of points on the elliptic curve. The
   signature is verified if

       sumx modulo q = r.

   (The -05 text of this passage is identical except that it writes the
   curve equation without parentheses, says "Diffie-Hellman group" for
   "curve group", names the signature components (s,t) instead of (r,s),
   and calls the inverse of the second component tinv instead of sinv.)
-05: 6.1 Authentication Method 9

   The parameters for Diffie-Hellman group 19 are

-06: 8.1 ECDSA-256

   It is assumed for this example that ECDSA-256 is assigned the id
   number 9 by IANA.

   The parameters for the group for this signature are
p: p:
FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFF
b: b:
5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B 5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B
q: q:
FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551 FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551
[... unchanged text omitted ...]
k: k:
9E56F509 196784D9 63D1C0A4 01510EE7 ADA3DCC5 DEE04B15 4BF61AF1 D5A6DECE 9E56F509 196784D9 63D1C0A4 01510EE7 ADA3DCC5 DEE04B15 4BF61AF1 D5A6DECE
gkx: gkx:
CB28E099 9B9C7715 FD0A80D8 E47A7707 9716CBBF 917DD72E 97566EA1 C066957C CB28E099 9B9C7715 FD0A80D8 E47A7707 9716CBBF 917DD72E 97566EA1 C066957C
gky: gky:
2B57C023 5FB74897 68D058FF 4911C20F DBE71E36 99D91339 AFBB903E E17255DC 2B57C023 5FB74897 68D058FF 4911C20F DBE71E36 99D91339 AFBB903E E17255DC
The SHA-256 hash of the message "abc" (hex 616263) is The SHA2-256 hash of the message "abc" (hex 616263) is
h: h:
BA7816BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C B410FF61 F20015AD BA7816BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C B410FF61 F20015AD
The signature of the message is (s,t) where The signature of the message is (r,s) where
kinv: kinv:
AFA27894 5AF74B1E 295008E0 3A8984E2 E1C69D9B BBC74AF1 4E3AC4E4 21ABFA61 AFA27894 5AF74B1E 295008E0 3A8984E2 E1C69D9B BBC74AF1 4E3AC4E4 21ABFA61
s: r:
CB28E099 9B9C7715 FD0A80D8 E47A7707 9716CBBF 917DD72E 97566EA1 C066957C CB28E099 9B9C7715 FD0A80D8 E47A7707 9716CBBF 917DD72E 97566EA1 C066957C
t: s:
86FA3BB4 E26CAD5B F90B7F81 899256CE 7594BB1E A0C89212 748BFF3B 3D5B0315 86FA3BB4 E26CAD5B F90B7F81 899256CE 7594BB1E A0C89212 748BFF3B 3D5B0315
The quantities required for verification of the signature are The quantities required for verification of the signature are
tinv: sinv:
33BDC294 E90CFAD6 2A9F2FD1 F8741DA7 7C02A573 E1B53BA1 7A60BA90 4F491952 33BDC294 E90CFAD6 2A9F2FD1 F8741DA7 7C02A573 E1B53BA1 7A60BA90 4F491952
u: u:
C3875E57 C85038A0 D60370A8 7505200D C8317C8C 534948BE A6559C7C 18E6D4CE C3875E57 C85038A0 D60370A8 7505200D C8317C8C 534948BE A6559C7C 18E6D4CE
v: v:
3B4E49C4 FDBFC006 FF993C81 A50EAE22 1149076D 6EC09DDD 9FB3B787 F85B6483 3B4E49C4 FDBFC006 FF993C81 A50EAE22 1149076D 6EC09DDD 9FB3B787 F85B6483
gux: gux:
4F749762 9362EFBB EE591206 D036568F 239789B2 34960635 C6607EC6 99062600 4F749762 9362EFBB EE591206 D036568F 239789B2 34960635 C6607EC6 99062600
[... unchanged text omitted ...]
gwvy: gwvy:
0C10CBA8 DD2620C1 12A4F9BE 578E4BE1 E64DC0F7 D1D526CA 167749F9 CEC0DF08 0C10CBA8 DD2620C1 12A4F9BE 578E4BE1 E64DC0F7 D1D526CA 167749F9 CEC0DF08
sumx: sumx:
CB28E099 9B9C7715 FD0A80D8 E47A7707 9716CBBF 917DD72E 97566EA1 C066957C CB28E099 9B9C7715 FD0A80D8 E47A7707 9716CBBF 917DD72E 97566EA1 C066957C
sumy: sumy:
2B57C023 5FB74897 68D058FF 4911C20F DBE71E36 99D91339 AFBB903E E17255DC 2B57C023 5FB74897 68D058FF 4911C20F DBE71E36 99D91339 AFBB903E E17255DC
The signature is valid since sumx modulo q equals s. The signature is valid since sumx modulo q equals r.
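The signing and verification steps described in the notation above, carried out on the ECDSA-256 vector of this section, as an added example that is not part of the draft. It uses p, b, q, k, r, s and h as printed here; the base point g = (gx, gy) is elided from this excerpt, so the standard NIST P-256 generator from FIPS 186 / [IKE-ECP] is assumed. Because the static key w and public key g^w are also elided, the example recovers w from the printed k with w = (s*k - h)*rinv mod q, which at the same time shows why the ephemeral k must stay secret. SHA2-256 comes from Python's hashlib.

```python
import hashlib


def h2i(text):
    """Parse the draft's space-separated hex groups into an integer."""
    return int(text.replace(" ", ""), 16)


# Domain parameters p, b, q exactly as printed in Section 8.1; the curve is
# y^2 = (x^3 - 3x + b) modulo p, so the coefficient a is -3.
P = h2i("FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFF")
B = h2i("5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B")
Q = h2i("FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551")
# Generator g = (gx, gy). These lines of Section 8.1 are elided in this excerpt,
# so the NIST P-256 base point from FIPS 186 / [IKE-ECP] is assumed here.
G = (h2i("6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296"),
     h2i("4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51F5"))


def _inv(x, m):
    return pow(x, -1, m)


def ec_add(p1, p2):
    """Add two affine points; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                     # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * _inv(2 * y1, P) % P   # tangent slope, a = -3
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(n, pt):
    """Scalar multiple, written (x,y)^n in the draft. Plain double-and-add is fine
    for verifying public data; a signer handling a secret k or w needs a
    constant-time ladder instead."""
    acc = None
    while n:
        if n & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        n >>= 1
    return acc


def on_curve(pt):
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x - 3 * x + B)) % P == 0


def msg_hash(msg):
    """h: the SHA2-256 digest interpreted as a big-endian integer (no truncation
    is needed since the hash and q are both 256 bits)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(h, w, k):
    """r = gkx mod q, s = (h + r*w)*kinv mod q, as defined in Section 8."""
    if not 0 < k < Q:
        raise ValueError("k must lie strictly between 0 and q")
    r = ec_mul(k, G)[0] % Q
    s = (h + r * w) * _inv(k, Q) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; pick a fresh k")
    return r, s


def verify(h, gw, r, s):
    """Verifier's steps: u = h*sinv, v = r*sinv, accept if x(g^u + (g^w)^v) mod q == r."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    if not on_curve(gw):                                # never use an unchecked public key
        return False
    sinv = _inv(s, Q)
    u, v = h * sinv % Q, r * sinv % Q
    total = ec_add(ec_mul(u, G), ec_mul(v, gw))
    return total is not None and total[0] % Q == r


def recover_w(h, r, s, k):
    """w = (s*k - h)*rinv mod q. Whoever learns the ephemeral k of one signature
    recovers the static private key, so k must be secret, uniformly random and
    never reused across messages."""
    return (s * k - h) * _inv(r, Q) % Q


# ECDSA-256 test vector of Section 8.1: ephemeral k and the signature (r, s) on "abc".
K = h2i("9E56F509 196784D9 63D1C0A4 01510EE7 ADA3DCC5 DEE04B15 4BF61AF1 D5A6DECE")
R = h2i("CB28E099 9B9C7715 FD0A80D8 E47A7707 9716CBBF 917DD72E 97566EA1 C066957C")
S = h2i("86FA3BB4 E26CAD5B F90B7F81 899256CE 7594BB1E A0C89212 748BFF3B 3D5B0315")
H = msg_hash(b"abc")


def check_vector():
    """Recover w from the printed k, then run sign() and verify() against the printed (r, s)."""
    w = recover_w(H, R, S, K)
    gw = ec_mul(w, G)
    return {
        "gk_matches": ec_mul(K, G)[0] % Q == R,
        "signs_to_printed_rs": sign(H, w, K) == (R, S),
        "verifies": verify(H, gw, R, S),
        "rejects_tampered_hash": not verify(H ^ 1, gw, R, S),
    }


if __name__ == "__main__":
    print(check_vector())
```

Every intermediate the draft prints for this vector (gkx, gky, kinv, sinv, u, v, gux) can be reproduced by the functions above, which is the quickest way to locate a bug in a new implementation of the arithmetic.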
If the signature (s,t) were the one appearing in the authentication If the signature (r,s) were the one appearing in the authentication
payload, then the payload would be as follows. payload, then the payload would be as follows.
00000048 00090000 CB28E099 9B9C7715 FD0A80D8 E47A7707 9716CBBF 917DD72E 00000048 00090000 CB28E099 9B9C7715 FD0A80D8 E47A7707 9716CBBF 917DD72E
97566EA1 C066957C 86FA3BB4 E26CAD5B F90B7F81 899256CE 7594BB1E A0C89212 97566EA1 C066957C 86FA3BB4 E26CAD5B F90B7F81 899256CE 7594BB1E A0C89212
748BFF3B 3D5B0315 748BFF3B 3D5B0315
-05: 6.2 Authentication Method 10

   The parameters for Diffie-Hellman group 20 are

-06: 8.2 ECDSA-384

   It is assumed for this example that ECDSA-384 is assigned the id
   number 10 by IANA.

   The parameters for the group for this signature are
p: p:
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE
FFFFFFFF 00000000 00000000 FFFFFFFF FFFFFFFF 00000000 00000000 FFFFFFFF
b: b:
B3312FA7 E23EE7E4 988E056B E3F82D19 181D9C6E FE814112 0314088F 5013875A B3312FA7 E23EE7E4 988E056B E3F82D19 181D9C6E FE814112 0314088F 5013875A
C656398D 8A2ED19D 2A85C8ED D3EC2AEF C656398D 8A2ED19D 2A85C8ED D3EC2AEF
q: q:
[... unchanged text omitted ...]
854D7FA9 92F934D9 27376285 E63414FA 854D7FA9 92F934D9 27376285 E63414FA
gkx: gkx:
FB017B91 4E291494 32D8BAC2 9A514640 B46F53DD AB2C6994 8084E293 0F1C8F7E FB017B91 4E291494 32D8BAC2 9A514640 B46F53DD AB2C6994 8084E293 0F1C8F7E
08E07C9C 63F2D21A 07DCB56A 6AF56EB3 08E07C9C 63F2D21A 07DCB56A 6AF56EB3
gky: gky:
2C735822 48686C41 8485E7B7 4E707625 A1832769 F7F56E81 7CF83B1E 4690E782 2C735822 48686C41 8485E7B7 4E707625 A1832769 F7F56E81 7CF83B1E 4690E782
65B7AD37 BC2F865F DC290DB6 15CDF17F 65B7AD37 BC2F865F DC290DB6 15CDF17F
The SHA-384 hash of the message "abc" (hex 616263) is The SHA2-384 hash of the message "abc" (hex 616263) is
h: h:
CB00753F 45A35E8B B5A03D69 9AC65007 272C32AB 0EDED163 1A8B605A 43FF5BED CB00753F 45A35E8B B5A03D69 9AC65007 272C32AB 0EDED163 1A8B605A 43FF5BED
8086072B A1E7CC23 58BAECA1 34C825A7 8086072B A1E7CC23 58BAECA1 34C825A7
The signature of the message is (s,t) where The signature of the message is (r,s) where
kinv: kinv:
EB12876B F6191A29 1AA5780A 3887C3BF E7A5C7E3 21CCA674 886B1228 D9BB3D52 EB12876B F6191A29 1AA5780A 3887C3BF E7A5C7E3 21CCA674 886B1228 D9BB3D52
918EF19F E5CE67E9 80BEDC1E 613D39C0 918EF19F E5CE67E9 80BEDC1E 613D39C0
s: r:
FB017B91 4E291494 32D8BAC2 9A514640 B46F53DD AB2C6994 8084E293 0F1C8F7E FB017B91 4E291494 32D8BAC2 9A514640 B46F53DD AB2C6994 8084E293 0F1C8F7E
08E07C9C 63F2D21A 07DCB56A 6AF56EB3 08E07C9C 63F2D21A 07DCB56A 6AF56EB3
t: s:
B263A130 5E057F98 4D38726A 1B468741 09F417BC A112674C 528262A4 0A629AF1 B263A130 5E057F98 4D38726A 1B468741 09F417BC A112674C 528262A4 0A629AF1
CBB9F516 CE0FA7D2 FF630863 A00E8B9F CBB9F516 CE0FA7D2 FF630863 A00E8B9F
The quantities required for verification of the signature are The quantities required for verification of the signature are
tinv: sinv:
06EFACEE 8A657F77 584C5A03 9F7E2720 D61DF84C 8FAC6FA4 9A06F6C4 6E8CDA28 06EFACEE 8A657F77 584C5A03 9F7E2720 D61DF84C 8FAC6FA4 9A06F6C4 6E8CDA28
6ADD7D3B 90E1CDA4 79BD899B EE14B99D 6ADD7D3B 90E1CDA4 79BD899B EE14B99D
u: u:
CA5E3714 B4B68BB8 5AF0BC69 E12B16C8 8FAFA26A A6598D7E 2D5C3C40 26F7A944 CA5E3714 B4B68BB8 5AF0BC69 E12B16C8 8FAFA26A A6598D7E 2D5C3C40 26F7A944
7D731721 ABE62CC0 1165ABFD 847088E9 7D731721 ABE62CC0 1165ABFD 847088E9
v: v:
1342C935 5F1A4563 5435899A C24AEF06 3947CA47 951E89F6 83D73172 F964C359 1342C935 5F1A4563 5435899A C24AEF06 3947CA47 951E89F6 83D73172 F964C359
69E75EF9 06DA2396 2C747C04 A01137B8 69E75EF9 06DA2396 2C747C04 A01137B8
[... unchanged text omitted ...]
173F1ABF F3980DF1 F7EC4335 B185CEBF 173F1ABF F3980DF1 F7EC4335 B185CEBF
sumx: sumx:
FB017B91 4E291494 32D8BAC2 9A514640 B46F53DD AB2C6994 8084E293 0F1C8F7E FB017B91 4E291494 32D8BAC2 9A514640 B46F53DD AB2C6994 8084E293 0F1C8F7E
08E07C9C 63F2D21A 07DCB56A 6AF56EB3 08E07C9C 63F2D21A 07DCB56A 6AF56EB3
sumy: sumy:
2C735822 48686C41 8485E7B7 4E707625 A1832769 F7F56E81 7CF83B1E 4690E782 2C735822 48686C41 8485E7B7 4E707625 A1832769 F7F56E81 7CF83B1E 4690E782
65B7AD37 BC2F865F DC290DB6 15CDF17F 65B7AD37 BC2F865F DC290DB6 15CDF17F
The signature is valid since sumx modulo q equals s. The signature is valid since sumx modulo q equals r.
If the signature (s,t) were the one appearing in the authentication If the signature (r,s) were the one appearing in the authentication
payload, then the payload would be as follows. payload, then the payload would be as follows.
00000068 000A0000 FB017B91 4E291494 32D8BAC2 9A514640 B46F53DD AB2C6994 00000068 000A0000 FB017B91 4E291494 32D8BAC2 9A514640 B46F53DD AB2C6994
8084E293 0F1C8F7E 08E07C9C 63F2D21A 07DCB56A 6AF56EB3 B263A130 5E057F98 8084E293 0F1C8F7E 08E07C9C 63F2D21A 07DCB56A 6AF56EB3 B263A130 5E057F98
4D38726A 1B468741 09F417BC A112674C 528262A4 0A629AF1 CBB9F516 CE0FA7D2 4D38726A 1B468741 09F417BC A112674C 528262A4 0A629AF1 CBB9F516 CE0FA7D2
FF630863 A00E8B9F FF630863 A00E8B9F
-05: 6.3 Authentication Method 11

   The parameters for Diffie-Hellman group 21 are

-06: 8.3 ECDSA-521

   It is assumed for this example that ECDSA-521 is assigned the id
   number 11 by IANA.

   The parameters for the group for this signature are
p: p:
01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFF FFFF
b: b:
0051953E B9618E1C 9A1F929A 21A0B685 40EEA2DA 725B99B3 15F3B8B4 89918EF1 0051953E B9618E1C 9A1F929A 21A0B685 40EEA2DA 725B99B3 15F3B8B4 89918EF1
09E15619 3951EC7E 937B1652 C0BD3BB1 BF073573 DF883D2C 34F1EF45 1FD46B50 09E15619 3951EC7E 937B1652 C0BD3BB1 BF073573 DF883D2C 34F1EF45 1FD46B50
3F00 3F00
[... unchanged text omitted ...]
gkx: gkx:
0154FD38 36AF92D0 DCA57DD5 341D3053 988534FD E8318FC6 AAAAB68E 2E6F4339 0154FD38 36AF92D0 DCA57DD5 341D3053 988534FD E8318FC6 AAAAB68E 2E6F4339
B19F2F28 1A7E0B22 C269D93C F8794A92 78880ED7 DBB8D936 2CAEACEE 54432055 B19F2F28 1A7E0B22 C269D93C F8794A92 78880ED7 DBB8D936 2CAEACEE 54432055
2251 2251
gky: gky:
006D073D 72B272EA 86388D86 8EF64D4C 300A67AC 2981C0F8 E6710AEF A2FCF845 006D073D 72B272EA 86388D86 8EF64D4C 300A67AC 2981C0F8 E6710AEF A2FCF845
8117B05E B91BA11C 68BCFC1B C24587E3 A1D0CA2A FE398CDB CFD79CB3 0B36B218 8117B05E B91BA11C 68BCFC1B C24587E3 A1D0CA2A FE398CDB CFD79CB3 0B36B218
B437 B437
The hash of the message "abc" (hex 616263) is The hash of the message "abc" (hex 616263) is
SHA-512(616263): SHA2-512(616263):
DDAF35A1 93617ABA CC417349 AE204131 12E6FA4E 89A97EA2 0A9EEEE6 4B55D39A DDAF35A1 93617ABA CC417349 AE204131 12E6FA4E 89A97EA2 0A9EEEE6 4B55D39A
2192992A 274FC1A8 36BA3C23 A3FEEBBD 454D4423 643CE80E 2A9AC94F A54CA49F 2192992A 274FC1A8 36BA3C23 A3FEEBBD 454D4423 643CE80E 2A9AC94F A54CA49F
Therefore the quantity h is Therefore the quantity h is
h: h:
0000DDAF 35A19361 7ABACC41 7349AE20 413112E6 FA4E89A9 7EA20A9E EEE64B55 0000DDAF 35A19361 7ABACC41 7349AE20 413112E6 FA4E89A9 7EA20A9E EEE64B55
D39A2192 992A274F C1A836BA 3C23A3FE EBBD454D 4423643C E80E2A9A C94FA54C D39A2192 992A274F C1A836BA 3C23A3FE EBBD454D 4423643C E80E2A9A C94FA54C
A49F A49F
The signature of the message is (s,t) where The signature of the message is (r,s) where
kinv: kinv:
00E90EF3 CE52F8D1 E5A4EEBD 0905F425 2400B0AE 73B49E33 23BCE258 A55F507D 00E90EF3 CE52F8D1 E5A4EEBD 0905F425 2400B0AE 73B49E33 23BCE258 A55F507D
7C45F3A2 DE3A3EA2 E51D9343 46D71593 A80C8C62 FE229DDF 5D2B64B7 AF4A0837 7C45F3A2 DE3A3EA2 E51D9343 46D71593 A80C8C62 FE229DDF 5D2B64B7 AF4A0837
0D32 0D32
s: r:
0154FD38 36AF92D0 DCA57DD5 341D3053 988534FD E8318FC6 AAAAB68E 2E6F4339 0154FD38 36AF92D0 DCA57DD5 341D3053 988534FD E8318FC6 AAAAB68E 2E6F4339
B19F2F28 1A7E0B22 C269D93C F8794A92 78880ED7 DBB8D936 2CAEACEE 54432055 B19F2F28 1A7E0B22 C269D93C F8794A92 78880ED7 DBB8D936 2CAEACEE 54432055
2251 2251
t: s:
017705A7 030290D1 CEB605A9 A1BB03FF 9CDD521E 87A696EC 926C8C10 C8362DF4 017705A7 030290D1 CEB605A9 A1BB03FF 9CDD521E 87A696EC 926C8C10 C8362DF4
97536710 1F67D1CF 9BCCBF2F 3D239534 FA509E70 AAC851AE 01AAC68D 62F86647 97536710 1F67D1CF 9BCCBF2F 3D239534 FA509E70 AAC851AE 01AAC68D 62F86647
2660 2660
The quantities required for verification of the signature are The quantities required for verification of the signature are
tinv: sinv:
00DDA6B8 83CB36BF CB21D5B0 B7D1F443 9D3C7797 B23A8D73 58032D5C C917142E 00DDA6B8 83CB36BF CB21D5B0 B7D1F443 9D3C7797 B23A8D73 58032D5C C917142E
3F6778BD 977D8460 867853AE 9C74EF5E 417CFA96 F7C937C1 418D9343 738A1BA8 3F6778BD 977D8460 867853AE 9C74EF5E 417CFA96 F7C937C1 418D9343 738A1BA8
78E0 78E0
u: u:
019E5FDB ECC2A88B 72679233 11B27868 427AE2B8 83ED0346 9CBABE65 ACD3F2F8 019E5FDB ECC2A88B 72679233 11B27868 427AE2B8 83ED0346 9CBABE65 ACD3F2F8
D74FA657 8A23C85D 598D1DC6 C1DA074E 0AB83852 BDAAE2F1 857713D3 5BB9BDB7 D74FA657 8A23C85D 598D1DC6 C1DA074E 0AB83852 BDAAE2F1 857713D3 5BB9BDB7
32D8 32D8
v: v:
[... unchanged text omitted ...]
sumx: sumx:
0154FD38 36AF92D0 DCA57DD5 341D3053 988534FD E8318FC6 AAAAB68E 2E6F4339 0154FD38 36AF92D0 DCA57DD5 341D3053 988534FD E8318FC6 AAAAB68E 2E6F4339
B19F2F28 1A7E0B22 C269D93C F8794A92 78880ED7 DBB8D936 2CAEACEE 54432055 B19F2F28 1A7E0B22 C269D93C F8794A92 78880ED7 DBB8D936 2CAEACEE 54432055
2251 2251
sumy: sumy:
006D073D 72B272EA 86388D86 8EF64D4C 300A67AC 2981C0F8 E6710AEF A2FCF845 006D073D 72B272EA 86388D86 8EF64D4C 300A67AC 2981C0F8 E6710AEF A2FCF845
8117B05E B91BA11C 68BCFC1B C24587E3 A1D0CA2A FE398CDB CFD79CB3 0B36B218 8117B05E B91BA11C 68BCFC1B C24587E3 A1D0CA2A FE398CDB CFD79CB3 0B36B218
B437 B437
The signature is valid since sumx modulo q equals s. The signature is valid since sumx modulo q equals r.
If the signature (s,t) were the one appearing in the authentication If the signature (r,s) were the one appearing in the authentication
payload, then the payload would be as follows. payload, then the payload would be as follows.
0000008C 000B0000 0154FD38 36AF92D0 DCA57DD5 341D3053 988534FD E8318FC6 0000008C 000B0000 0154FD38 36AF92D0 DCA57DD5 341D3053 988534FD E8318FC6
AAAAB68E 2E6F4339 B19F2F28 1A7E0B22 C269D93C F8794A92 78880ED7 DBB8D936 AAAAB68E 2E6F4339 B19F2F28 1A7E0B22 C269D93C F8794A92 78880ED7 DBB8D936
2CAEACEE 54432055 22510177 05A70302 90D1CEB6 05A9A1BB 03FF9CDD 521E87A6 2CAEACEE 54432055 22510177 05A70302 90D1CEB6 05A9A1BB 03FF9CDD 521E87A6
96EC926C 8C10C836 2DF49753 67101F67 D1CF9BCC BF2F3D23 9534FA50 9E70AAC8 96EC926C 8C10C836 2DF49753 67101F67 D1CF9BCC BF2F3D23 9534FA50 9E70AAC8
51AE01AA C68D62F8 66472660 51AE01AA C68D62F8 66472660
7. Authors' Addresses 10. Authors' Addresses
David E. Fu David E. Fu
National Information Assurance Research Laboratory National Information Assurance Research Laboratory
National Security Agency National Security Agency
defu@orion.ncsc.mil defu@orion.ncsc.mil
Jerome A. Solinas Jerome A. Solinas
National Information Assurance Research Laboratory National Information Assurance Research Laboratory
National Security Agency National Security Agency
jasolin@orion.ncsc.mil jasolin@orion.ncsc.mil
Comments are solicited and should be addressed to the authors. Comments are solicited and should be addressed to the authors.
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors contained in BCP 78, and except as set forth therein, the authors
retain all their rights. retain all their rights.
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.