| < draft-ietf-ipsec-ike-ecp-groups-02.txt | draft-ietf-ipsec-ike-ecp-groups-03.txt > | |||
|---|---|---|---|---|
| IPSec Working Group D. Fu, NSA | IPSec Working Group D. Fu, NSA | |||
| INTERNET-DRAFT J. Solinas, NSA | INTERNET-DRAFT J. Solinas, NSA | |||
| Expires March 30, 2006 September 30, 2005 | Expires November 15, 2006 May 15, 2006 | |||
| ECP Groups For IKE and IKEv2 | ECP Groups For IKE and IKEv2 | |||
| <draft-ietf-ipsec-ike-ecp-groups-02.txt> | <draft-ietf-ipsec-ike-ecp-groups-03.txt> | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that other | Task Force (IETF), its areas, and its working groups. Note that other | |||
| skipping to change at page 2, line 8 ¶ | skipping to change at page 2, line 8 ¶ | |||
| in addition to previously defined groups. Specifically, the new | in addition to previously defined groups. Specifically, the new | |||
| curve groups are based on modular arithmetic rather than binary | curve groups are based on modular arithmetic rather than binary | |||
| arithmetic. These new groups are defined to align IKE and IKEv2 | arithmetic. These new groups are defined to align IKE and IKEv2 | |||
| with other ECC implementations and standards, particularly NIST | with other ECC implementations and standards, particularly NIST | |||
| standards. In addition, the curves defined here can provide more | standards. In addition, the curves defined here can provide more | |||
| efficient implementation than previously defined ECC groups. | efficient implementation than previously defined ECC groups. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Additional ECC Groups . . . . . . . . . . . . . . . . . . . 4 | 2. Requirements Terminology. . . . . . . . . . . . . . . . . . 4 | |||
| 2.1 Nineteenth Group. . . . . . . . . . . . . . . . . . . 4 | 3. Additional ECC Groups . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.2. Twentieth Group . . . . . . . . . . . . . . . . . . . 5 | 3.1 256-bit Random Curve Group. . . . . . . . . . . . . . 4 | |||
| 2.3. Twenty-First Group. . . . . . . . . . . . . . . . . . 6 | 3.2. 384-bit Random Curve Group. . . . . . . . . . . . . . 5 | |||
| 3. Security Considerations . . . . . . . . . . . . . . . . . . 7 | 3.3. 521-bit Random Curve Group. . . . . . . . . . . . . . 5 | |||
| 4. Alignment with Other Standards. . . . . . . . . . . . . . . 7 | 4. Security Considerations . . . . . . . . . . . . . . . . . . 6 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . 8 | 5. Alignment with Other Standards. . . . . . . . . . . . . . . 7 | |||
| 6. Test Vectors. . . . . . . . . . . . . . . . . . . . . . . . 8 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6.1 Nineteenth Group. . . . . . . . . . . . . . . . . . . 8 | 7. ECP Key Exchange Data Formats . . . . . . . . . . . . . . . 8 | |||
| 6.2. Twentieth Group . . . . . . . . . . . . . . . . . . . 9 | 8. Test Vectors. . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 6.3. Twenty-First Group. . . . . . . . . . . . . . . . . . 10 | 8.1 256-bit Random Curve Group. . . . . . . . . . . . . . 8 | |||
| 7. References. . . . . . . . . . . . . . . . . . . . . . . . . 11 | 8.2. 384-bit Random Curve Group. . . . . . . . . . . . . . 9 | |||
| 7.1 Normative . . . . . . . . . . . . . . . . . . . . . . 11 | 8.3. 521-bit Random Curve Group. . . . . . . . . . . . . . 11 | |||
| 7.2. Informative . . . . . . . . . . . . . . . . . . . . . 11 | 9. References. . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 9.1 Normative . . . . . . . . . . . . . . . . . . . . . . 13 | ||||
| 9.2. Informative . . . . . . . . . . . . . . . . . . . . . 13 | ||||
| 10. Authors' Addresses. . . . . . . . . . . . . . . . . . . . . 14 | ||||
| 1. Introduction | 1. Introduction | |||
| This document describes default Diffie-Hellman groups for use in | This document describes default Diffie-Hellman groups for use in | |||
| IKE and IKEv2 in addition to the Oakley groups included in [IKE] and | IKE and IKEv2 in addition to the Oakley groups included in [IKE] and | |||
| the additional groups defined since [IANA]. The document assumes | the additional groups defined since [IANA-IKE]. This document | |||
| that the reader is familiar with the IKE protocol and the concept of | assumes that the reader is familiar with the IKE protocol and the | |||
| Oakley Groups, as defined in RFC 2409 [IKE]. | concept of Oakley Groups, as defined in RFC 2409 [IKE]. | |||
| RFC 2409 [IKE] defines five standard Oakley Groups - three modular | RFC 2409 [IKE] defines five standard Oakley Groups - three modular | |||
| exponentiation groups and two elliptic curve groups over GF[2^N]. | exponentiation groups and two elliptic curve groups over GF[2^N]. | |||
| One modular exponentiation group (768 bits - Oakley Group 1) is | One modular exponentiation group (768 bits - Oakley Group 1) is | |||
| mandatory for all implementations to support, while the other four | mandatory for all implementations to support, while the other four | |||
| are optional. Thirteen additional groups subsequently have been | are optional. Thirteen additional groups subsequently have been | |||
| defined and assigned values by IANA. All of these additional groups | defined and assigned values by IANA. All of these additional groups | |||
| are optional. Of the eighteen groups defined so far, eight are MODP | are optional. Of the eighteen groups defined so far, eight are MODP | |||
| groups (exponentiation groups modulo a prime) and ten are EC2N groups | groups (exponentiation groups modulo a prime) and ten are EC2N groups | |||
| (elliptic curve groups over GF[2^N]). | (elliptic curve groups over GF[2^N]). | |||
| skipping to change at page 3, line 35 ¶ | skipping to change at page 3, line 35 ¶ | |||
| (elliptic curve groups modulo a prime). The reasons for adding such | (elliptic curve groups modulo a prime). The reasons for adding such | |||
| groups include the following. | groups include the following. | |||
| - The groups proposed afford efficiency advantages in software | - The groups proposed afford efficiency advantages in software | |||
| applications since the underlying arithmetic is integer arithmetic | applications since the underlying arithmetic is integer arithmetic | |||
| modulo a prime rather than binary field arithmetic. (Additional | modulo a prime rather than binary field arithmetic. (Additional | |||
| computational advantages for these groups are presented in [GMN].) | computational advantages for these groups are presented in [GMN].) | |||
| - The groups proposed encourage alignment with other elliptic curve | - The groups proposed encourage alignment with other elliptic curve | |||
| standards. The proposed groups are among those standardized by | standards. The proposed groups are among those standardized by | |||
| NIST, by the SECG, by ISO, and by ANSI. (See section 3 for | NIST, by the SECG, by ISO, and by ANSI. (See Section 3 for | |||
| details.) | details.) | |||
| - The groups proposed are capable of providing security consistent | - The groups proposed are capable of providing security consistent | |||
| with the new Advanced Encryption Standard. | with the new Advanced Encryption Standard. | |||
| These groups could also be defined using the New Group Mode but | These groups could also be defined using the New Group Mode but | |||
| including them in this RFC will encourage interoperability of IKE | including them in this RFC will encourage interoperability of IKE | |||
| implementations based upon elliptic curve groups. In addition, the | implementations based upon elliptic curve groups. In addition, the | |||
| availability of standardized groups will result in optimizations for | availability of standardized groups will result in optimizations for | |||
| a particular curve and field size as well as allowing precomputation | a particular curve and field size as well as allowing precomputation | |||
| that could result in faster implementations. | that could result in faster implementations. | |||
| It is anticipated that the groups proposed here will be assigned | ||||
| identifiers by IANA [IANA]. In that case the full list of assigned | ||||
| values for the Group Description class within IKE will be the | ||||
| following. (The groups defined in this document are listed as | ||||
| 19, 20, and 21.) | ||||
| IANA IANA NIST | ||||
| Value Group Type Identifier Group Description | ||||
| ----- ---------- ---------- ----------------- | ||||
| 1 1 MODP 768-bit MODP group | ||||
| 2 1 MODP 1024-bit MODP group | ||||
| 3 3 EC2N Elliptic curve group over GF[2^155] | ||||
| 4 3 EC2N Elliptic curve group over GF[2^185] | ||||
| 5 1 MODP 1536-bit MODP group | ||||
| 6 3 EC2N B-163 Random curve group over GF[2^163] | ||||
| 7 3 EC2N K-163 Koblitz curve group over GF[2^163] | ||||
| 8 3 EC2N B-283 Random curve group over GF[2^283] | ||||
| 9 3 EC2N K-283 Koblitz curve group over GF[2^283] | ||||
| 10 3 EC2N B-409 Random curve group over GF[2^409] | ||||
| 11 3 EC2N K-409 Koblitz curve group over GF[2^409] | ||||
| 12 3 EC2N B-571 Random curve group over GF[2^571] | ||||
| 13 3 EC2N K-571 Koblitz curve group over GF[2^571] | ||||
| 14 1 MODP 2048-bit MODP group | ||||
| 15 1 MODP 3072-bit MODP group | ||||
| 16 1 MODP 4096-bit MODP group | ||||
| 17 1 MODP 6144-bit MODP group | ||||
| 18 1 MODP 8192-bit MODP group | ||||
| 19 2 ECP P-256 256-bit random curve group | ||||
| 20 2 ECP P-384 384-bit random curve group | ||||
| 21 2 ECP P-521 521-bit random curve group | ||||
| In summary, due to the performance advantages of elliptic curve | In summary, due to the performance advantages of elliptic curve | |||
| groups in IKE implementations and the need for further alignment with | groups in IKE implementations and the need for further alignment with | |||
| other standards, this document defines three elliptic curve groups | other standards, this document defines three elliptic curve groups | |||
| based on modular arithmetic. | based on modular arithmetic. | |||
| 2. Additional ECC Groups | 2. Requirements Terminology | |||
| Keywords "MUST" and "SHOULD" that appear in this document are to be | ||||
| interpreted as described in [RFC2119]. | ||||
| 3. Additional ECC Groups | ||||
| The notation adopted in RFC 2409 [IKE] is used below to describe the | The notation adopted in RFC 2409 [IKE] is used below to describe the | |||
| new groups proposed. | new groups proposed. | |||
| 2.1 Nineteenth Group | 3.1 256-bit Random ECP Group | |||
| IKE and IKEv2 implementations SHOULD support an ECP group with the | IKE and IKEv2 implementations SHOULD support an ECP group with the | |||
| following characteristics. This group is assigned id 19 (nineteen). | following characteristics. The curve is based on the integers modulo | |||
| The curve is based on the integers modulo the generalized Mersenne | the generalized Mersenne prime p given by | |||
| prime p given by | ||||
| p = 2^(256)-2^(224)+2^(192)+2^(96)-1 . | p = 2^(256)-2^(224)+2^(192)+2^(96)-1 . | |||
| The equation for the elliptic curve is: | The equation for the elliptic curve is: | |||
| y^2 = x^3 - 3 x + b. | y^2 = x^3 - 3 x + b. | |||
| Field size: | Field size: | |||
| 256 | 256 | |||
| skipping to change at page 5, line 30 ¶ | skipping to change at page 5, line 5 ¶ | |||
| C49D3608 86E70493 6A6678E1 139D26B7 819F7E90 | C49D3608 86E70493 6A6678E1 139D26B7 819F7E90 | |||
| The generator for this group is given by g=(gx,gy) where | The generator for this group is given by g=(gx,gy) where | |||
| gx: | gx: | |||
| 6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296 | 6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296 | |||
| gy: | gy: | |||
| 4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51F5 | 4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51F5 | |||
| 2.2 Twentieth Group | 3.2 384-bit Random ECP Group | |||
| IKE implementations SHOULD support an ECP group with the following | IKE and IKEv2 implementations SHOULD support an ECP group with the | |||
| characteristics. This group is assigned id 20 (twenty). The curve is | following characteristics. The curve is based on the integers modulo | |||
| based on the integers modulo the generalized Mersenne prime p given by | the generalized Mersenne prime p given by | |||
| p = 2^(384)-2^(128)-2^(96)+2^(32)-1 . | p = 2^(384)-2^(128)-2^(96)+2^(32)-1 . | |||
| The equation for the elliptic curve is: | The equation for the elliptic curve is: | |||
| y^2 = x^3 - 3 x + b. | y^2 = x^3 - 3 x + b. | |||
| Field size: | Field size: | |||
| 384 | 384 | |||
| Group Prime/Irreducible Polynomial: | Group Prime/Irreducible Polynomial: | |||
| FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE | FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE | |||
| FFFFFFFF 00000000 00000000 FFFFFFFF | FFFFFFFF 00000000 00000000 FFFFFFFF | |||
| skipping to change at page 6, line 24 ¶ | skipping to change at page 5, line 47 ¶ | |||
| The generator for this group is given by g=(gx,gy) where | The generator for this group is given by g=(gx,gy) where | |||
| gx: | gx: | |||
| AA87CA22 BE8B0537 8EB1C71E F320AD74 6E1D3B62 8BA79B98 59F741E0 82542A38 | AA87CA22 BE8B0537 8EB1C71E F320AD74 6E1D3B62 8BA79B98 59F741E0 82542A38 | |||
| 5502F25D BF55296C 3A545E38 72760AB7 | 5502F25D BF55296C 3A545E38 72760AB7 | |||
| gy: | gy: | |||
| 3617DE4A 96262C6F 5D9E98BF 9292DC29 F8F41DBD 289A147C E9DA3113 B5F0B8C0 | 3617DE4A 96262C6F 5D9E98BF 9292DC29 F8F41DBD 289A147C E9DA3113 B5F0B8C0 | |||
| 0A60B1CE 1D7E819D 7A431D7C 90EA0E5F | 0A60B1CE 1D7E819D 7A431D7C 90EA0E5F | |||
| 2.3 Twenty-First Group | 3.3 521-bit Random ECP Group | |||
| IKE implementations SHOULD support an ECP group with the following | IKE and IKEv2 implementations SHOULD support an ECP group with the | |||
| characteristics. This group is assigned id 21 (twenty-one). The | following characteristics. The curve is based on the integers modulo | |||
| curve is based on the integers modulo the Mersenne prime p given by | the Mersenne prime p given by | |||
| p = 2^(521)-1 . | p = 2^(521)-1 . | |||
| The equation for the elliptic curve is: | The equation for the elliptic curve is: | |||
| y^2 = x^3 - 3 x + b. | y^2 = x^3 - 3 x + b. | |||
| Field size: | Field size: | |||
| 521 | 521 | |||
| skipping to change at page 7, line 5 ¶ | skipping to change at page 6, line 30 ¶ | |||
| 3F00 | 3F00 | |||
| Group order: | Group order: | |||
| 01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF | 01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF | |||
| FFFA5186 8783BF2F 966B7FCC 0148F709 A5D03BB5 C9B8899C 47AEBB6F B71E9138 | FFFA5186 8783BF2F 966B7FCC 0148F709 A5D03BB5 C9B8899C 47AEBB6F B71E9138 | |||
| 6409 | 6409 | |||
| The group was chosen verifiably at random using SHA-1 as specified in | The group was chosen verifiably at random using SHA-1 as specified in | |||
| [IEEE-1363] from the seed: | [IEEE-1363] from the seed: | |||
| D09E8800 291CB853 96CC6717 393284AA A0DA64BA | D09E8800 291CB853 96CC6717 393284AA A0DA64BA | |||
| The generator for this group is given by g=(gx,gy) where | The generator for this group is given by g=(gx,gy) where | |||
| gx: | gx: | |||
| 00C6858E 06B70404 E9CD9E3E CB662395 B4429C64 8139053F B521F828 AF606B4D | 00C6858E 06B70404 E9CD9E3E CB662395 B4429C64 8139053F B521F828 AF606B4D | |||
| 3DBAA14B 5E77EFE7 5928FE1D C127A2FF A8DE3348 B3C1856A 429BF97E 7E31C2E5 | 3DBAA14B 5E77EFE7 5928FE1D C127A2FF A8DE3348 B3C1856A 429BF97E 7E31C2E5 | |||
| BD66 | BD66 | |||
| gy: | gy: | |||
| 01183929 6A789A3B C0045C8A 5FB42C7D 1BD998F5 4449579B 446817AF BD17273E | 01183929 6A789A3B C0045C8A 5FB42C7D 1BD998F5 4449579B 446817AF BD17273E | |||
| 662C97EE 72995EF4 2640C550 B9013FAD 0761353C 7086A272 C24088BE 94769FD1 | 662C97EE 72995EF4 2640C550 B9013FAD 0761353C 7086A272 C24088BE 94769FD1 | |||
| 6650 | 6650 | |||
| 3. Security Considerations | 4. Security Considerations | |||
| Since this document proposes new groups for use within IKE, many of | Since this document proposes new groups for use within IKE and IKEv2, | |||
| the security considerations contained within RFC 2409 apply here as | many of the security considerations contained within [IKE] and | |||
| well. | [IKEv2] apply here as well. | |||
| The groups proposed in this document correspond to the symmetric key | The groups proposed in this document correspond to the symmetric key | |||
| sizes 128 bits, 192 bits, and 256 bits. This allows the IKE key | sizes 128 bits, 192 bits, and 256 bits. This allows the IKE key | |||
| exchange to offer security comparable with the AES algorithms [AES]. | exchange to offer security comparable with the AES algorithms [AES]. | |||
| 4. Alignment with Other Standards | 5. Alignment with Other Standards | |||
| The following table summarizes the appearance of these three | The following table summarizes the appearance of these three | |||
| elliptic curve groups in other standards. | elliptic curve groups in other standards. | |||
| Standard Group 19 Group 20 Group 21 | 256-bit 384-bit 521-bit | |||
| Random Random Random | ||||
| Standard ECP Group ECP Group ECP Group | ||||
| ----------- ------------ ------------ ------------ | ||||
| NIST [DSS] P-256 P-384 P-521 | NIST [DSS] P-256 P-384 P-521 | |||
| ISO/IEC [ISO-15946-1] P-256 | ISO/IEC [ISO-15946-1] P-256 | |||
| ISO/IEC [ISO-18031] P-256 P-384 P-521 | ISO/IEC [ISO-18031] P-256 P-384 P-521 | |||
| ANSI [X9.62-1998] Sect. J.5.3, | ANSI [X9.62-1998] Sect. J.5.3, | |||
| Example 1 | Example 1 | |||
| ANSI [X9.62-2003] Sect. J.6.5.3 Sect. J.6.6 Sect. J.6.7 | ANSI [X9.62-2003] Sect. J.6.5.3 Sect. J.6.6 Sect. J.6.7 | |||
| ANSI [X9.63] Sect. J.5.4, Sect. J.5.5 Sect. J.5.6 | ANSI [X9.63] Sect. J.5.4, Sect. J.5.5 Sect. J.5.6 | |||
| Example 2 | Example 2 | |||
| SECG [SEC2] secp256r1 secp384r1 secp521r1 | SECG [SEC2] secp256r1 secp384r1 secp521r1 | |||
| See also [NIST], [ISO-14888-3], [ISO-15946-2], [ISO-15946-3], and | See also [NIST], [ISO-14888-3], [ISO-15946-2], [ISO-15946-3], and | |||
| [ISO-15946-4]. | [ISO-15946-4]. | |||
| 5. IANA Considerations | 6. IANA Considerations | |||
| Before this document can become an RFC, it is required that IANA | Before this document can become an RFC, it is required that IANA | |||
| update its registry of Diffie-Hellman groups for IKE in [IANA] to | update its registries of Diffie-Hellman groups for IKE in [IANA-IKE] | |||
| include the three groups defined above. | and for IKEv2 in [IANA-IKEv2] to include the groups defined above. | |||
| 6. Test Vectors | In [IANA-IKE], the groups are to appear as new entries in the list of | |||
| Diffie-Hellman groups given by Group Description (attribute class 4). | ||||
| The descriptions are "256-bit random ECP group", "384-bit random ECP | ||||
| group", and "521-bit random ECP group". In each case, the group type | ||||
| (attribute class 5) has the value 2 (ECP, elliptic curve group over | ||||
| GF[P]). | ||||
| In [IANA-IKEv2], the groups are to appear as new entries in the list | ||||
| of IKEv2 transform type values for Transform Type 4 (Diffie-Hellman | ||||
| groups). | ||||
| 7. ECP Key Exchange Data Formats | ||||
| In an ECP key exchange, the Diffie-Hellman public value passed in a | ||||
| KE payload consists of two components, x and y, corresponding to the | ||||
| coordinates of an elliptic curve point. Each component MUST have | ||||
| bit length as given in the following table. | ||||
| Diffie-Hellman group component bit length | ||||
| ------------------------ -------------------- | ||||
| 256-bit Random ECP Group 256 | ||||
| 384-bit Random ECP Group 384 | ||||
| 521-bit Random ECP Group 528 | ||||
| This length is enforced, if necessary, by prepending the value with | ||||
| zeros. | ||||
| The Diffie-Hellman public value is obtained by concatenating the x | ||||
| and y values. | ||||
| The format of the Diffie-Hellman shared secret value is the same as | ||||
| that of the Diffie-Hellman public value. | ||||
| 8. Test Vectors | ||||
| The following are examples of the IKEv2 key exchange payload for each | The following are examples of the IKEv2 key exchange payload for each | |||
| of the three groups specified in this document. | of the three groups specified in this document. | |||
| We denote by g^n the scalar multiple of the point g by the | We denote by g^n the scalar multiple of the point g by the | |||
| integer n; it is another point on the curve. In the literature, the | integer n; it is another point on the curve. In the literature, the | |||
| scalar multiple is typically denoted ng; the notation g^n is | scalar multiple is typically denoted ng; the notation g^n is | |||
| used in order to conform to the notation used in [IKE] and [IKEv2]. | used in order to conform to the notation used in [IKE] and [IKEv2]. | |||
| 6.1 Nineteenth Group | 8.1 256-bit Random ECP Group | |||
| It is assumed for this example that this Diffie-Hellman group is | ||||
| assigned the id number 19 by IANA. | ||||
| We suppose that the initiator's Diffie-Hellman private key is | We suppose that the initiator's Diffie-Hellman private key is | |||
| i: | i: | |||
| C88F01F5 10D9AC3F 70A292DA A2316DE5 44E9AAB8 AFE84049 C62A9C57 862D1433 | C88F01F5 10D9AC3F 70A292DA A2316DE5 44E9AAB8 AFE84049 C62A9C57 862D1433 | |||
| Then the public key is given by g^i=(gix,giy) where | Then the public key is given by g^i=(gix,giy) where | |||
| gix: | gix: | |||
| DAD0B653 94221CF9 B051E1FE CA5787D0 98DFE637 FC90B9EF 945D0C37 72581180 | DAD0B653 94221CF9 B051E1FE CA5787D0 98DFE637 FC90B9EF 945D0C37 72581180 | |||
| skipping to change at page 9, line 27 ¶ | skipping to change at page 9, line 46 ¶ | |||
| 522BDE0A F0D8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5D98EDB2 0EB153A2 | 522BDE0A F0D8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5D98EDB2 0EB153A2 | |||
| These are concatenated to form | These are concatenated to form | |||
| g^ir: | g^ir: | |||
| D6840F6B 42F6EDAF D13116E0 E1256520 2FEF8E9E CE7DCE03 812464D0 4B9442DE | D6840F6B 42F6EDAF D13116E0 E1256520 2FEF8E9E CE7DCE03 812464D0 4B9442DE | |||
| 522BDE0A F0D8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5D98EDB2 0EB153A2 | 522BDE0A F0D8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5D98EDB2 0EB153A2 | |||
| This is the value which is used in the formation of SKEYSEED. | This is the value which is used in the formation of SKEYSEED. | |||
| 6.2 Twentieth Group | 8.2 384-bit Random ECP Group | |||
| It is assumed for this example that this Diffie-Hellman group is | ||||
| assigned the id number 20 by IANA. | ||||
| We suppose that the initiator's Diffie-Hellman private key is | We suppose that the initiator's Diffie-Hellman private key is | |||
| i: | i: | |||
| 099F3C70 34D4A2C6 99884D73 A375A67F 7624EF7C 6B3C0F16 0647B674 14DCE655 | 099F3C70 34D4A2C6 99884D73 A375A67F 7624EF7C 6B3C0F16 0647B674 14DCE655 | |||
| E35B5380 41E649EE 3FAEF896 783AB194 | E35B5380 41E649EE 3FAEF896 783AB194 | |||
| Then the public key is given by g^i=(gix,giy) where | Then the public key is given by g^i=(gix,giy) where | |||
| gix: | gix: | |||
| skipping to change at page 10, line 45 ¶ | skipping to change at page 11, line 18 ¶ | |||
| These are concatenated to form | These are concatenated to form | |||
| g^ir: | g^ir: | |||
| 11187331 C279962D 93D60424 3FD592CB 9D0A926F 422E4718 7521287E 7156C5C4 | 11187331 C279962D 93D60424 3FD592CB 9D0A926F 422E4718 7521287E 7156C5C4 | |||
| D6031355 69B9E9D0 9CF5D4A2 70F59746 A2A9F38E F5CAFBE2 347CF7EC 24BDD5E6 | D6031355 69B9E9D0 9CF5D4A2 70F59746 A2A9F38E F5CAFBE2 347CF7EC 24BDD5E6 | |||
| 24BC93BF A82771F4 0D1B65D0 6256A852 C983135D 4669F879 2F2C1D55 718AFBB4 | 24BC93BF A82771F4 0D1B65D0 6256A852 C983135D 4669F879 2F2C1D55 718AFBB4 | |||
| This is the value which is used in the formation of SKEYSEED. | This is the value which is used in the formation of SKEYSEED. | |||
| 6.3 Twenty-First Group | 8.3 521-bit Random ECP Group | |||
| It is assumed for this example that this Diffie-Hellman group is | ||||
| assigned the id number 21 by IANA. | ||||
| We suppose that the initiator's Diffie-Hellman private key is | We suppose that the initiator's Diffie-Hellman private key is | |||
| i: | i: | |||
| 0037ADE9 319A89F4 DABDB3EF 411AACCC A5123C61 ACAB57B5 393DCE47 608172A0 | 0037ADE9 319A89F4 DABDB3EF 411AACCC A5123C61 ACAB57B5 393DCE47 608172A0 | |||
| 95AA85A3 0FE1C295 2C6771D9 37BA9777 F5957B26 39BAB072 462F68C2 7A57382D | 95AA85A3 0FE1C295 2C6771D9 37BA9777 F5957B26 39BAB072 462F68C2 7A57382D | |||
| 4A52 | 4A52 | |||
| Then the public key is given by g^i=(gix,giy) where | Then the public key is given by g^i=(gix,giy) where | |||
| gix: | gix: | |||
| 0015417E 84DBF28C 0AD3C278 713349DC 7DF153C8 97A1891B D98BAB43 57C9ECBE | 0015417E 84DBF28C 0AD3C278 713349DC 7DF153C8 97A1891B D98BAB43 57C9ECBE | |||
| E1E3BF42 E00B8E38 0AEAE57C 2D107564 94188594 2AF5A7F4 601723C4 195D176C | E1E3BF42 E00B8E38 0AEAE57C 2D107564 94188594 2AF5A7F4 601723C4 195D176C | |||
| ED3E | ED3E | |||
| giy: | giy: | |||
| 017CAE20 B6641D2E EB695786 D8C94614 6239D099 E18E1D5A 514C739D 7CB4A10A | 017CAE20 B6641D2E EB695786 D8C94614 6239D099 E18E1D5A 514C739D 7CB4A10A | |||
| D8A78801 5AC405D7 799DC75E 7B7D5B6C F2261A6A 7F150743 8BF01BEB 6CA3926F | D8A78801 5AC405D7 799DC75E 7B7D5B6C F2261A6A 7F150743 8BF01BEB 6CA3926F | |||
| skipping to change at page 12, line 25 ¶ | skipping to change at page 13, line 5 ¶ | |||
| g^ir: | g^ir: | |||
| 01144C7D 79AE6956 BC8EDB8E 7C787C45 21CB086F A64407F9 7894E5E6 B2D79B04 | 01144C7D 79AE6956 BC8EDB8E 7C787C45 21CB086F A64407F9 7894E5E6 B2D79B04 | |||
| D1427E73 CA4BAA24 0A347868 59810C06 B3C715A3 A8CC3151 F2BEE417 996D19F3 | D1427E73 CA4BAA24 0A347868 59810C06 B3C715A3 A8CC3151 F2BEE417 996D19F3 | |||
| DDEA01B9 01E6B17D B2947AC0 17D853EF 1C1674E5 CFE59CDA 18D078E0 5D1B5242 | DDEA01B9 01E6B17D B2947AC0 17D853EF 1C1674E5 CFE59CDA 18D078E0 5D1B5242 | |||
| ADAA9FFC 3C63EA05 EDB1E13C E5B3A8E5 0C3EB622 E8DA1B38 E0BDD1F8 8569D6C9 | ADAA9FFC 3C63EA05 EDB1E13C E5B3A8E5 0C3EB622 E8DA1B38 E0BDD1F8 8569D6C9 | |||
| 9BAFFA43 | 9BAFFA43 | |||
| This is the value which is used in the formation of SKEYSEED. | This is the value which is used in the formation of SKEYSEED. | |||
| 7. References | 9. References | |||
| 7.1 Normative | 9.1 Normative | |||
| [IANA] Internet Assigned Numbers Authority, Internet Key Exchange | [IANA-IKE] Internet Assigned Numbers Authority, Internet Key Exchange | |||
| (IKE) Attributes. (http://www.iana.org/assignments/ipsec-registry) | (IKE) Attributes. (http://www.iana.org/assignments/ipsec-registry) | |||
| [IANA-IKEv2] IKEv2 Parameters. | ||||
| (http://www.iana.org/assignments/ikev2-parameters) | ||||
| [IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC 2409, | [IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC 2409, | |||
| November 1998. | November 1998. | |||
| [IKEv2] C. Kaufman, Internet Key Exchange (IKEv2) Protocol, 2004, | [IKEv2] C. Kaufman, Internet Key Exchange (IKEv2) Protocol, RFC 4306, | |||
| http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-17.txt | December 2005. | |||
| 7.2 Informative | 9.2 Informative | |||
| [AES] U.S. Department of Commerce/National Institute of Standards | [AES] U.S. Department of Commerce/National Institute of Standards | |||
| and Technology, Advanced Encryption Standard (AES), FIPS PUB 197, | and Technology, Advanced Encryption Standard (AES), FIPS PUB 197, | |||
| November 2001. (http://csrc.nist.gov/publications/fips/index.html) | November 2001. (http://csrc.nist.gov/publications/fips/index.html) | |||
| [DSS] U.S. Department of Commerce/National Institute of Standards | [DSS] U.S. Department of Commerce/National Institute of Standards | |||
| and Technology, Digital Signature Standard (DSS), FIPS PUB 186-2, | and Technology, Digital Signature Standard (DSS), FIPS PUB 186-2, | |||
| January 2000. (http://csrc.nist.gov/publications/fips/index.html) | January 2000. (http://csrc.nist.gov/publications/fips/index.html) | |||
| [GMN] J. Solinas, Generalized Mersenne Numbers, Combinatorics | [GMN] J. Solinas, Generalized Mersenne Numbers, Combinatorics | |||
| skipping to change at page 14, line 19 ¶ | skipping to change at page 14, line 49 ¶ | |||
| [X9.62-2003] American National Standards Institute, X9.62-1998: | [X9.62-2003] American National Standards Institute, X9.62-1998: | |||
| Public Key Cryptography for the Financial Services Industry: The | Public Key Cryptography for the Financial Services Industry: The | |||
| Elliptic Curve Digital Signature Algorithm, | Elliptic Curve Digital Signature Algorithm, | |||
| Revised-Draft-2003-02-26, February 2003. | Revised-Draft-2003-02-26, February 2003. | |||
| [X9.63] American National Standards Institute. X9.63-2001, | [X9.63] American National Standards Institute. X9.63-2001, | |||
| Public Key Cryptography for the Financial Services Industry: Key | Public Key Cryptography for the Financial Services Industry: Key | |||
| Agreement and Key Transport using Elliptic Curve Cryptography. | Agreement and Key Transport using Elliptic Curve Cryptography. | |||
| November 2001. | November 2001. | |||
| 7. Authors' Addresses | 10. Authors' Addresses | |||
| David E. Fu | David E. Fu | |||
| National Information Assurance Research Laboratory | National Information Assurance Research Laboratory | |||
| National Security Agency | National Security Agency | |||
| defu@orion.ncsc.mil | defu@orion.ncsc.mil | |||
| Jerome A. Solinas | Jerome A. Solinas | |||
| National Information Assurance Research Laboratory | National Information Assurance Research Laboratory | |||
| National Security Agency | National Security Agency | |||
| jasolin@orion.ncsc.mil | jasolin@orion.ncsc.mil | |||
| Comments are solicited and should be addressed to the author. | Comments are solicited and should be addressed to the author. | |||
| Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2006). | |||
| This document is subject to the rights, licenses and restrictions | This document is subject to the rights, licenses and restrictions | |||
| contained in BCP 78, and except as set forth therein, the authors | contained in BCP 78, and except as set forth therein, the authors | |||
| retain all their rights. | retain all their rights. | |||
| This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | |||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | |||
| ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | |||
| INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | |||
| INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | |||
| WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | |||
| Expires March 30, 2006 | Intellectual Property | |||
| The IETF takes no position regarding the validity or scope of any | ||||
| Intellectual Property Rights or other rights that might be claimed to | ||||
| pertain to the implementation or use of the technology described in | ||||
| this document or the extent to which any license under such rights | ||||
| might or might not be available; nor does it represent that it has | ||||
| made any independent effort to identify any such rights. Information | ||||
| on the procedures with respect to rights in RFC documents can be | ||||
| found in BCP 78 and BCP 79. | ||||
| Copies of IPR disclosures made to the IETF Secretariat and any | ||||
| assurances of licenses to be made available, or the result of an | ||||
| attempt made to obtain a general license or permission for the use of | ||||
| such proprietary rights by implementers or users of this | ||||
| specification can be obtained from the IETF on-line IPR repository at | ||||
| http://www.ietf.org/ipr. | ||||
| The IETF invites any interested party to bring to its attention any | ||||
| copyrights, patents or patent applications, or other proprietary | ||||
| rights that may cover technology that may be required to implement | ||||
| this standard. Please address the information to the IETF at ietf- | ||||
| ipr@ietf.org. | ||||
| Expires November 15, 2006 | ||||
| End of changes. 37 change blocks. | ||||
| 88 lines changed or deleted | 114 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
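As an added worked example (not part of the draft or of any IKE implementation), the following Python computes the initiator's public value g^i for the 256-bit random ECP group from the Section 8.1 private key, checks the result against the curve equation, and encodes it as the KE payload of Section 7, including the 528-bit padding rule for the 521-bit group. The only value not taken from the page is the P-256 coefficient b, assumed from FIPS 186-2 / SEC 2; the arithmetic is plain affine double-and-add, correct but not constant-time.

```python
# Added example, not from the draft: P-256 scalar multiplication, public-value
# validation, and the Section 7 KE payload encoding, checked against the draft's
# Section 8.1 test vector. Plain affine double-and-add: correct, but not
# constant-time, so it is for understanding the spec, not for production keys.

# 256-bit random ECP group parameters as given in the draft (Section 3.1).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = -3  # the curve is y^2 = x^3 - 3x + b
# b is not shown in this excerpt; value assumed from FIPS 186-2 / SEC 2 (secp256r1).
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# Section 7 table: bit length of each KE payload component, keyed by field size.
COMPONENT_BITS = {256: 256, 384: 384, 521: 528}

# Section 8.1 test vector: initiator private key i and the x-coordinate of g^i.
TV_I = 0xC88F01F510D9AC3F70A292DAA2316DE544E9AAB8AFE84049C62A9C57862D1433
TV_GIX = 0xDAD0B65394221CF9B051E1FECA5787D098DFE637FC90B9EF945D0C3772581180
# Section 8.3 test vector: x-coordinate of g^i for the 521-bit group (66 bytes).
TV_P521_GIX = int(
    "0015417E84DBF28C0AD3C278713349DC7DF153C897A1891BD98BAB4357C9ECBE"
    "E1E3BF42E00B8E380AEAE57C2D107564941885942AF5A7F4601723C4195D176C"
    "ED3E", 16)


def on_curve(x, y, p=P256_P, a=P256_A, b=P256_B):
    """Public-value validation: in range and satisfying y^2 = x^3 + a x + b (mod p)."""
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x * x * x + a * x + b)) % p == 0


def point_add(P, Q, p=P256_P, a=P256_A):
    """Affine addition (and doubling) on y^2 = x^3 + a x + b; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None  # Q == -P
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p  # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(n, P, p=P256_P, a=P256_A):
    """g^n in the draft's notation (n*g elsewhere), by left-to-right double-and-add."""
    R = None
    for bit in bin(n)[2:]:
        R = point_add(R, R, p, a)
        if bit == "1":
            R = point_add(R, P, p, a)
    return R


def encode_component(value, field_bits):
    """Section 7: left-pad a coordinate with zero bits to the table's component length."""
    nbytes = COMPONENT_BITS[field_bits] // 8
    return value.to_bytes(nbytes, "big")  # OverflowError if the value is too wide


def encode_ke_value(x, y, field_bits):
    """Diffie-Hellman public value (or shared secret) = x || y, each fixed-width."""
    return encode_component(x, field_bits) + encode_component(y, field_bits)


def decode_ke_value(data, field_bits):
    """Inverse of encode_ke_value; a wrong total length is a malformed KE payload."""
    nbytes = COMPONENT_BITS[field_bits] // 8
    if len(data) != 2 * nbytes:
        raise ValueError("KE data length %d does not match group" % len(data))
    return int.from_bytes(data[:nbytes], "big"), int.from_bytes(data[nbytes:], "big")


def validate_peer_value(data):
    """Receiver-side check (good practice, not spelled out in the draft), 256-bit
    group only here: parse the peer's KE data and refuse anything not on the curve."""
    x, y = decode_ke_value(data, 256)
    if not on_curve(x, y):
        raise ValueError("peer public value is not on the curve")
    return x, y


def initiator_public_value():
    """g^i for the Section 8.1 private key, as the bytes carried in the KE payload."""
    gix, giy = scalar_mult(TV_I, (P256_GX, P256_GY))
    return encode_ke_value(gix, giy, 256)


if __name__ == "__main__":
    ke = initiator_public_value()
    print("gix matches draft:", ke[:32] == TV_GIX.to_bytes(32, "big"))
    print("P-521 component bytes:", len(encode_component(TV_P521_GIX, 521)))
```

The x-coordinate of the computed g^i reproduces the draft's gix exactly, and the 521-bit coordinate encodes to 66 bytes with a leading zero byte, which is the padding Section 7 requires.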