| < draft-ietf-tls-rfc4492bis-04.txt | draft-ietf-tls-rfc4492bis-05.txt > | |||
|---|---|---|---|---|
| TLS Working Group Y. Nir | TLS Working Group Y. Nir | |||
| Internet-Draft Check Point | Internet-Draft Check Point | |||
| Intended status: Standards Track S. Josefsson | Obsoletes: 4492 (if approved) S. Josefsson | |||
| Expires: April 21, 2016 SJD AB | Intended status: Standards Track SJD AB | |||
| M. Pegourie-Gonnard | Expires: May 7, 2016 M. Pegourie-Gonnard | |||
| Independent / PolarSSL | Independent / PolarSSL | |||
| October 19, 2015 | November 4, 2015 | |||
| Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer | Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer | |||
| Security (TLS) Versions 1.2 and Earlier | Security (TLS) Versions 1.2 and Earlier | |||
| draft-ietf-tls-rfc4492bis-04 | draft-ietf-tls-rfc4492bis-05 | |||
| Abstract | Abstract | |||
| This document describes key exchange algorithms based on Elliptic | This document describes key exchange algorithms based on Elliptic | |||
| Curve Cryptography (ECC) for the Transport Layer Security (TLS) | Curve Cryptography (ECC) for the Transport Layer Security (TLS) | |||
| protocol. In particular, it specifies the use of Ephemeral Elliptic | protocol. In particular, it specifies the use of Ephemeral Elliptic | |||
| Curve Diffie-Hellman (ECDHE) key agreement in a TLS handshake and the | Curve Diffie-Hellman (ECDHE) key agreement in a TLS handshake and the | |||
| use of Elliptic Curve Digital Signature Algorithm (ECDSA) as a new | use of Elliptic Curve Digital Signature Algorithm (ECDSA) and Edwards | |||
| authentication mechanism. | Digital Signature Algorithm (EdDSA) as new authentication mechanisms. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 21, 2016. | This Internet-Draft will expire on May 7, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 20 ¶ | skipping to change at page 2, line 20 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Conventions Used in This Document . . . . . . . . . . . . 4 | 1.1. Conventions Used in This Document . . . . . . . . . . . . 4 | |||
| 2. Key Exchange Algorithm . . . . . . . . . . . . . . . . . . . 4 | 2. Key Exchange Algorithm . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.1. ECDHE_ECDSA . . . . . . . . . . . . . . . . . . . . . . . 5 | 2.1. ECDHE_ECDSA . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.2. ECDHE_RSA . . . . . . . . . . . . . . . . . . . . . . . . 6 | 2.2. ECDHE_RSA . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 2.3. ECDH_anon . . . . . . . . . . . . . . . . . . . . . . . . 6 | 2.3. ECDH_anon . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3. Client Authentication . . . . . . . . . . . . . . . . . . . . 7 | 3. Client Authentication . . . . . . . . . . . . . . . . . . . . 7 | |||
| 3.1. ECDSA_sign . . . . . . . . . . . . . . . . . . . . . . . 7 | 3.1. ECDSA_sign . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4. TLS Extensions for ECC . . . . . . . . . . . . . . . . . . . 8 | 4. TLS Extensions for ECC . . . . . . . . . . . . . . . . . . . 7 | |||
| 5. Data Structures and Computations . . . . . . . . . . . . . . 8 | 5. Data Structures and Computations . . . . . . . . . . . . . . 8 | |||
| 5.1. Client Hello Extensions . . . . . . . . . . . . . . . . . 9 | 5.1. Client Hello Extensions . . . . . . . . . . . . . . . . . 8 | |||
| 5.1.1. Supported Elliptic Curves Extension . . . . . . . . . 10 | 5.1.1. Supported Elliptic Curves Extension . . . . . . . . . 10 | |||
| 5.1.2. Supported Point Formats Extension . . . . . . . . . . 11 | 5.1.2. Supported Point Formats Extension . . . . . . . . . . 11 | |||
| 5.2. Server Hello Extension . . . . . . . . . . . . . . . . . 12 | 5.2. Server Hello Extension . . . . . . . . . . . . . . . . . 12 | |||
| 5.3. Server Certificate . . . . . . . . . . . . . . . . . . . 13 | 5.3. Server Certificate . . . . . . . . . . . . . . . . . . . 13 | |||
| 5.4. Server Key Exchange . . . . . . . . . . . . . . . . . . . 14 | 5.4. Server Key Exchange . . . . . . . . . . . . . . . . . . . 14 | |||
| 5.5. Certificate Request . . . . . . . . . . . . . . . . . . . 17 | 5.5. Certificate Request . . . . . . . . . . . . . . . . . . . 17 | |||
| 5.6. Client Certificate . . . . . . . . . . . . . . . . . . . 18 | 5.6. Client Certificate . . . . . . . . . . . . . . . . . . . 18 | |||
| 5.7. Client Key Exchange . . . . . . . . . . . . . . . . . . . 19 | 5.7. Client Key Exchange . . . . . . . . . . . . . . . . . . . 19 | |||
| 5.8. Certificate Verify . . . . . . . . . . . . . . . . . . . 20 | 5.8. Certificate Verify . . . . . . . . . . . . . . . . . . . 20 | |||
| 5.9. Elliptic Curve Certificates . . . . . . . . . . . . . . . 21 | 5.9. Elliptic Curve Certificates . . . . . . . . . . . . . . . 22 | |||
| 5.10. ECDH, ECDSA, and RSA Computations . . . . . . . . . . . . 21 | 5.10. ECDH, ECDSA, and RSA Computations . . . . . . . . . . . . 22 | |||
| 5.11. Public Key Validation . . . . . . . . . . . . . . . . . . 22 | 5.11. Public Key Validation . . . . . . . . . . . . . . . . . . 23 | |||
| 6. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . . . 23 | 6. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 24 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 25 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26 | |||
| 10. Version History for This Draft . . . . . . . . . . . . . . . 26 | 10. Version History for This Draft . . . . . . . . . . . . . . . 26 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 27 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 27 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 27 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 28 | 11.2. Informative References . . . . . . . . . . . . . . . . . 28 | |||
| Appendix A. Equivalent Curves (Informative) . . . . . . . . . . 28 | Appendix A. Equivalent Curves (Informative) . . . . . . . . . . 29 | |||
| Appendix B. Differences from RFC 4492 . . . . . . . . . . . . . 29 | Appendix B. Differences from RFC 4492 . . . . . . . . . . . . . 30 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 1. Introduction | 1. Introduction | |||
| Elliptic Curve Cryptography (ECC) has emerged as an attractive | Elliptic Curve Cryptography (ECC) has emerged as an attractive | |||
| public-key cryptosystem, in particular for mobile (i.e., wireless) | public-key cryptosystem, in particular for mobile (i.e., wireless) | |||
| environments. Compared to currently prevalent cryptosystems such as | environments. Compared to currently prevalent cryptosystems such as | |||
| RSA, ECC offers equivalent security with smaller key sizes. This is | RSA, ECC offers equivalent security with smaller key sizes. This is | |||
| illustrated in the following table, based on [Lenstra_Verheul], which | illustrated in the following table, based on [Lenstra_Verheul], which | |||
| gives approximate comparable key sizes for symmetric- and asymmetric- | gives approximate comparable key sizes for symmetric- and asymmetric- | |||
| key cryptosystems based on the best-known algorithms for attacking | key cryptosystems based on the best-known algorithms for attacking | |||
| skipping to change at page 4, line 27 ¶ | skipping to change at page 4, line 27 ¶ | |||
| TLS. All of them use Ephemeral ECDH (ECDHE) to compute the TLS | TLS. All of them use Ephemeral ECDH (ECDHE) to compute the TLS | |||
| premaster secret, and they differ only in the mechanism (if any) used | premaster secret, and they differ only in the mechanism (if any) used | |||
| to authenticate them. The derivation of the TLS master secret from | to authenticate them. The derivation of the TLS master secret from | |||
| the premaster secret and the subsequent generation of bulk | the premaster secret and the subsequent generation of bulk | |||
| encryption/MAC keys and initialization vectors is independent of the | encryption/MAC keys and initialization vectors is independent of the | |||
| key exchange algorithm and not impacted by the introduction of ECC. | key exchange algorithm and not impacted by the introduction of ECC. | |||
| Table 2 summarizes the new key exchange algorithms. All of these key | Table 2 summarizes the new key exchange algorithms. All of these key | |||
| exchange algorithms provide forward secrecy. | exchange algorithms provide forward secrecy. | |||
| +-------------+------------------------------------------+ | +-------------+------------------------------------------------+ | |||
| | Algorithm | Description | | | Algorithm | Description | | |||
| +-------------+------------------------------------------+ | +-------------+------------------------------------------------+ | |||
| | ECDHE_ECDSA | Ephemeral ECDH with ECDSA signatures. | | | ECDHE_ECDSA | Ephemeral ECDH with ECDSA or EdDSA signatures. | | |||
| | ECDHE_RSA | Ephemeral ECDH with RSA signatures. | | | ECDHE_RSA | Ephemeral ECDH with RSA signatures. | | |||
| | ECDH_anon | Anonymous ephemeral ECDH, no signatures. | | | ECDH_anon | Anonymous ephemeral ECDH, no signatures. | | |||
| +-------------+------------------------------------------+ | +-------------+------------------------------------------------+ | |||
| Table 2: ECC Key Exchange Algorithms | Table 2: ECC Key Exchange Algorithms | |||
| These key exchanges are analogous to DHE_DSS, DHE_RSA, and DH_anon, | These key exchanges are analogous to DHE_DSS, DHE_RSA, and DH_anon, | |||
| respectively. | respectively. | |||
| With ECDHE_RSA, a server can reuse its existing RSA certificate and | With ECDHE_RSA, a server can reuse its existing RSA certificate and | |||
| easily comply with a constrained client's elliptic curve preferences | easily comply with a constrained client's elliptic curve preferences | |||
| (see Section 4). However, the computational cost incurred by a | (see Section 4). However, the computational cost incurred by a | |||
| server is higher for ECDHE_RSA than for the traditional RSA key | server is higher for ECDHE_RSA than for the traditional RSA key | |||
| skipping to change at page 5, line 6 ¶ | skipping to change at page 5, line 6 ¶ | |||
| The anonymous key exchange algorithm does not provide authentication | The anonymous key exchange algorithm does not provide authentication | |||
| of the server or the client. Like other anonymous TLS key exchanges, | of the server or the client. Like other anonymous TLS key exchanges, | |||
| it is subject to man-in-the-middle attacks. Implementations of this | it is subject to man-in-the-middle attacks. Implementations of this | |||
| algorithm SHOULD provide authentication by other means. | algorithm SHOULD provide authentication by other means. | |||
| Note that there is no structural difference between ECDH and ECDSA | Note that there is no structural difference between ECDH and ECDSA | |||
| keys. A certificate issuer may use X.509 v3 keyUsage and | keys. A certificate issuer may use X.509 v3 keyUsage and | |||
| extendedKeyUsage extensions to restrict the use of an ECC public key | extendedKeyUsage extensions to restrict the use of an ECC public key | |||
| to certain computations. This document refers to an ECC key as ECDH- | to certain computations. This document refers to an ECC key as ECDH- | |||
| capable if its use in ECDH is permitted. ECDSA-capable is defined | capable if its use in ECDH is permitted. ECDSA-capable and EdDSA- | |||
| similarly. | capable are defined similarly. | |||
| Client Server | Client Server | |||
| ------ ------ | ------ ------ | |||
| ClientHello --------> | ClientHello --------> | |||
| ServerHello | ServerHello | |||
| Certificate* | Certificate* | |||
| ServerKeyExchange* | ServerKeyExchange* | |||
| CertificateRequest*+ | CertificateRequest*+ | |||
| <-------- ServerHelloDone | <-------- ServerHelloDone | |||
| Certificate*+ | Certificate*+ | |||
| skipping to change at page 5, line 45 ¶ | skipping to change at page 5, line 45 ¶ | |||
| CertificateRequest, the client's Certificate message, and the | CertificateRequest, the client's Certificate message, and the | |||
| CertificateVerify. Next, we describe the ECC key exchange algorithm | CertificateVerify. Next, we describe the ECC key exchange algorithm | |||
| in greater detail in terms of the content and processing of these | in greater detail in terms of the content and processing of these | |||
| messages. For ease of exposition, we defer discussion of client | messages. For ease of exposition, we defer discussion of client | |||
| authentication and associated messages (identified with a + in | authentication and associated messages (identified with a + in | |||
| Figure 1) until Section 3 and of the optional ECC-specific extensions | Figure 1) until Section 3 and of the optional ECC-specific extensions | |||
| (which impact the Hello messages) until Section 4. | (which impact the Hello messages) until Section 4. | |||
| 2.1. ECDHE_ECDSA | 2.1. ECDHE_ECDSA | |||
| In ECDHE_ECDSA, the server's certificate MUST contain an ECDSA- | In ECDHE_ECDSA, the server's certificate MUST contain an ECDSA- or | |||
| capable public key and be signed with ECDSA. | EdDSA-capable public key. | |||
| The server sends its ephemeral ECDH public key and a specification of | The server sends its ephemeral ECDH public key and a specification of | |||
| the corresponding curve in the ServerKeyExchange message. These | the corresponding curve in the ServerKeyExchange message. These | |||
| parameters MUST be signed with ECDSA using the private key | parameters MUST be signed with ECDSA or EdDSA using the private key | |||
| corresponding to the public key in the server's Certificate. | corresponding to the public key in the server's Certificate. | |||
| The client generates an ECDH key pair on the same curve as the | The client generates an ECDH key pair on the same curve as the | |||
| server's ephemeral ECDH key and sends its public key in the | server's ephemeral ECDH key and sends its public key in the | |||
| ClientKeyExchange message. | ClientKeyExchange message. | |||
| Both client and server perform an ECDH operation Section 5.10 and use | Both client and server perform an ECDH operation Section 5.10 and use | |||
| the resultant shared secret as the premaster secret. | the resultant shared secret as the premaster secret. | |||
| 2.2. ECDHE_RSA | 2.2. ECDHE_RSA | |||
| This key exchange algorithm is the same as ECDHE_ECDSA except that | This key exchange algorithm is the same as ECDHE_ECDSA except that | |||
| the server's certificate MUST contain an RSA public key authorized | the server's certificate MUST contain an RSA public key authorized | |||
| for signing, and that the signature in the ServerKeyExchange message | for signing, and that the signature in the ServerKeyExchange message | |||
| must be computed with the corresponding RSA private key. The server | must be computed with the corresponding RSA private key. | |||
| certificate MUST be signed with RSA. | ||||
| 2.3. ECDH_anon | 2.3. ECDH_anon | |||
| NOTE: Despite the name beginning with "ECDH_" (no E), the key used in | NOTE: Despite the name beginning with "ECDH_" (no E), the key used in | |||
| ECDH_anon is ephemeral just like the key in ECDHE_RSA and | ECDH_anon is ephemeral just like the key in ECDHE_RSA and | |||
| ECDHE_ECDSA. The naming follows the example of DH_anon, where the | ECDHE_ECDSA. The naming follows the example of DH_anon, where the | |||
| key is also ephemeral but the name does not reflect it. TBD: Do we | key is also ephemeral but the name does not reflect it. TBD: Do we | |||
| want to rename this so that it makes sense? | want to rename this so that it makes sense? | |||
| In ECDH_anon, the server's Certificate, the CertificateRequest, the | In ECDH_anon, the server's Certificate, the CertificateRequest, the | |||
| skipping to change at page 6, line 44 ¶ | skipping to change at page 6, line 43 ¶ | |||
| parameters MUST NOT be signed. | parameters MUST NOT be signed. | |||
| The client generates an ECDH key pair on the same curve as the | The client generates an ECDH key pair on the same curve as the | |||
| server's ephemeral ECDH key and sends its public key in the | server's ephemeral ECDH key and sends its public key in the | |||
| ClientKeyExchange message. | ClientKeyExchange message. | |||
| Both client and server perform an ECDH operation and use the | Both client and server perform an ECDH operation and use the | |||
| resultant shared secret as the premaster secret. All ECDH | resultant shared secret as the premaster secret. All ECDH | |||
| calculations are performed as specified in Section 5.10. | calculations are performed as specified in Section 5.10. | |||
| Note that while the ECDHE_ECDSA and ECDHE_RSA key exchange algorithms | This specification does not impose restrictions on signature schemes | |||
| require the server's certificate to be signed with a particular | used anywhere in the certificate chain. The previous version of this | |||
| signature scheme, this specification (following the similar cases of | document required the signatures to match, but this restriction, | |||
| DHE_DSS, and DHE_RSA in the TLS base documents) does not impose | originating in previous TLS versions is lifted here as it had been in | |||
| restrictions on signature schemes used elsewhere in the certificate | RFC 5246. | |||
| chain. (Often such restrictions will be useful, and it is expected | ||||
| that this will be taken into account in certification authorities' | ||||
| signing practices. However, such restrictions are not strictly | ||||
| required in general: Even if it is beyond the capabilities of a | ||||
| client to completely validate a given chain, the client may be able | ||||
| to validate the server's certificate by relying on a trusted | ||||
| certification authority whose certificate appears as one of the | ||||
| intermediate certificates in the chain.) | ||||
| 3. Client Authentication | 3. Client Authentication | |||
| This document defines a client authentication mechanism, named after | This document defines a client authentication mechanism, named after | |||
| the type of client certificate involved: ECDSA_sign. The ECDSA_sign | the type of client certificate involved: ECDSA_sign. The ECDSA_sign | |||
| mechanism is usable with any of the non-anonymous ECC key exchange | mechanism is usable with any of the non-anonymous ECC key exchange | |||
| algorithms described in Section 2 as well as other non-anonymous | algorithms described in Section 2 as well as other non-anonymous | |||
| (non-ECC) key exchange algorithms defined in TLS. | (non-ECC) key exchange algorithms defined in TLS. | |||
| The server can request ECC-based client authentication by including | The server can request ECC-based client authentication by including | |||
| skipping to change at page 7, line 42 ¶ | skipping to change at page 7, line 38 ¶ | |||
| determining an appropriate certificate and proving possession is | determining an appropriate certificate and proving possession is | |||
| different for each authentication mechanism and described below. | different for each authentication mechanism and described below. | |||
| NOTE: It is permissible for a server to request (and the client to | NOTE: It is permissible for a server to request (and the client to | |||
| send) a client certificate of a different type than the server | send) a client certificate of a different type than the server | |||
| certificate. | certificate. | |||
| 3.1. ECDSA_sign | 3.1. ECDSA_sign | |||
| To use this authentication mechanism, the client MUST possess a | To use this authentication mechanism, the client MUST possess a | |||
| certificate containing an ECDSA-capable public key and signed with | certificate containing an ECDSA- or EdDSA-capable public key. | |||
| ECDSA. | ||||
| The client proves possession of the private key corresponding to the | The client proves possession of the private key corresponding to the | |||
| certified key by including a signature in the CertificateVerify | certified key by including a signature in the CertificateVerify | |||
| message as described in Section 5.8. | message as described in Section 5.8. | |||
| 4. TLS Extensions for ECC | 4. TLS Extensions for ECC | |||
| Two new TLS extensions are defined in this specification: (i) the | Two new TLS extensions are defined in this specification: (i) the | |||
| Supported Elliptic Curves Extension, and (ii) the Supported Point | Supported Elliptic Curves Extension, and (ii) the Supported Point | |||
| Formats Extension. These allow negotiating the use of specific | Formats Extension. These allow negotiating the use of specific | |||
| skipping to change at page 10, line 12 ¶ | skipping to change at page 9, line 50 ¶ | |||
| Actions of the receiver: | Actions of the receiver: | |||
| A server that receives a ClientHello containing one or both of these | A server that receives a ClientHello containing one or both of these | |||
| extensions MUST use the client's enumerated capabilities to guide its | extensions MUST use the client's enumerated capabilities to guide its | |||
| selection of an appropriate cipher suite. One of the proposed ECC | selection of an appropriate cipher suite. One of the proposed ECC | |||
| cipher suites must be negotiated only if the server can successfully | cipher suites must be negotiated only if the server can successfully | |||
| complete the handshake while using the curves and point formats | complete the handshake while using the curves and point formats | |||
| supported by the client (cf. Section 5.3 and Section 5.4). | supported by the client (cf. Section 5.3 and Section 5.4). | |||
| NOTE: A server participating in an ECDHE-ECDSA key exchange may use | NOTE: A server participating in an ECDHE_ECDSA key exchange may use | |||
| different curves for the ECDSA key in its certificate, and for the | different curves for the ECDSA or EdDSA key in its certificate, and | |||
| ephemeral ECDH key in the ServerKeyExchange message. The server MUST | for the ephemeral ECDH key in the ServerKeyExchange message. The | |||
| consider the extensions in both cases. | server MUST consider the extensions in both cases. | |||
| If a server does not understand the Supported Elliptic Curves | If a server does not understand the Supported Elliptic Curves | |||
| Extension, does not understand the Supported Point Formats Extension, | Extension, does not understand the Supported Point Formats Extension, | |||
| or is unable to complete the ECC handshake while restricting itself | or is unable to complete the ECC handshake while restricting itself | |||
| to the enumerated curves and point formats, it MUST NOT negotiate the | to the enumerated curves and point formats, it MUST NOT negotiate the | |||
| use of an ECC cipher suite. Depending on what other cipher suites | use of an ECC cipher suite. Depending on what other cipher suites | |||
| are proposed by the client and supported by the server, this may | are proposed by the client and supported by the server, this may | |||
| result in a fatal handshake failure alert due to the lack of common | result in a fatal handshake failure alert due to the lack of common | |||
| cipher suites. | cipher suites. | |||
| 5.1.1. Supported Elliptic Curves Extension | 5.1.1. Supported Elliptic Curves Extension | |||
| RFC 4492 defined 25 different curves in the NamedCurve registry for | RFC 4492 defined 25 different curves in the NamedCurve registry for | |||
| use in TLS. Only three have seen any use. This specification is | use in TLS. Only three have seen any use. This specification is | |||
| deprecating the rest (with numbers 1-22). This specification also | deprecating the rest (with numbers 1-22). This specification also | |||
| deprecates the explicit curves with identifiers 0xFF01 and 0xFF02. | deprecates the explicit curves with identifiers 0xFF01 and 0xFF02. | |||
| It also adds the new curves defined in [CFRG-Curves]. The end result | It also adds the new curves defined in [CFRG-Curves] and | |||
| is as follows: | [CFRG-EdDSA]. The end result is as follows: | |||
| enum { | enum { | |||
| deprecated(1..22), | deprecated(1..22), | |||
| secp256r1 (23), secp384r1 (24), secp521r1 (25), | secp256r1 (23), secp384r1 (24), secp521r1 (25), | |||
| Curve25519(TBD1), | Curve25519(TBD1), | |||
| Curve448(TBD2), | Curve448(TBD2), | |||
| Ed25519(TBD3), | ||||
| Ed448(TBD4), | ||||
| reserved (0xFE00..0xFEFF), | reserved (0xFE00..0xFEFF), | |||
| deprecated(0xFF01..0xFF02), | deprecated(0xFF01..0xFF02), | |||
| (0xFFFF) | (0xFFFF) | |||
| } NamedCurve; | } NamedCurve; | |||
| Note that other specification have since added other values to this | Note that other specification have since added other values to this | |||
| enumeration. | enumeration. | |||
| secp256r1, etc: Indicates support of the corresponding named curve or | secp256r1, etc: Indicates support of the corresponding named curve or | |||
| class of explicitly defined curves. The named curves secp256r1, | class of explicitly defined curves. The named curves secp256r1, | |||
| secp384r1, and secp521r1 are specified in SEC 2 [SECG-SEC2]. These | secp384r1, and secp521r1 are specified in SEC 2 [SECG-SEC2]. These | |||
| curves are also recommended in ANSI X9.62 [ANSI.X9-62.2005] and FIPS | curves are also recommended in ANSI X9.62 [ANSI.X9-62.2005] and FIPS | |||
| 186-4 [FIPS.186-4]. Curve25519 and Curve448 are defined in | 186-4 [FIPS.186-4]. Curve25519 and Curve448 are defined in | |||
| [CFRG-Curves]. Ed25519 and Ed448 are signature-only curves defined | ||||
| [CFRG-Curves]. Values 0xFE00 through 0xFEFF are reserved for private | in [CFRG-EdDSA]. Values 0xFE00 through 0xFEFF are reserved for | |||
| use. | private use. | |||
| The NamedCurve name space is maintained by IANA. See Section 8 for | The NamedCurve name space is maintained by IANA. See Section 8 for | |||
| information on how new value assignments are added. | information on how new value assignments are added. | |||
| struct { | struct { | |||
| NamedCurve elliptic_curve_list<1..2^16-1> | NamedCurve elliptic_curve_list<1..2^16-1> | |||
| } EllipticCurveList; | } EllipticCurveList; | |||
| Items in elliptic_curve_list are ordered according to the client's | Items in elliptic_curve_list are ordered according to the client's | |||
| preferences (favorite choice first). | preferences (favorite choice first). | |||
| skipping to change at page 11, line 38 ¶ | skipping to change at page 11, line 32 ¶ | |||
| enum { uncompressed (0), ansiX962_compressed_prime (1), | enum { uncompressed (0), ansiX962_compressed_prime (1), | |||
| ansiX962_compressed_char2 (2), reserved (248..255) | ansiX962_compressed_char2 (2), reserved (248..255) | |||
| } ECPointFormat; | } ECPointFormat; | |||
| struct { | struct { | |||
| ECPointFormat ec_point_format_list<1..2^8-1> | ECPointFormat ec_point_format_list<1..2^8-1> | |||
| } ECPointFormatList; | } ECPointFormatList; | |||
| Three point formats were included in the definition of ECPointFormat | Three point formats were included in the definition of ECPointFormat | |||
| above. This specification deprecates all but the uncompressed point | above. This specification deprecates all but the uncompressed point | |||
| format. Implementations of this document MUST support the | format. Implementations of this document MUST support the | |||
| uncompressed format for all of their supported curves, and MUST | uncompressed format for all of their supported curves, and MUST NOT | |||
| support no other formats for curves defined in this specification. | support other formats for curves defined in this specification. For | |||
| For backwards compatibility purposes, the point format list extension | backwards compatibility purposes, the point format list extension | |||
| MUST still be included, and contain exactly one value: the | MUST still be included, and contain exactly one value: the | |||
| uncomptessed point format (0). | uncomptessed point format (0). | |||
| The ECPointFormat name space is maintained by IANA. See Section 8 | The ECPointFormat name space is maintained by IANA. See Section 8 | |||
| for information on how new value assignments are added. | for information on how new value assignments are added. | |||
| Items in ec_point_format_list are ordered according to the client's | Items in ec_point_format_list are ordered according to the client's | |||
| preferences (favorite choice first). | preferences (favorite choice first). | |||
| A client compliant with this specification that supports no other | A client compliant with this specification that supports no other | |||
| skipping to change at page 13, line 29 ¶ | skipping to change at page 13, line 27 ¶ | |||
| public keys MUST be encoded in certificates as described in | public keys MUST be encoded in certificates as described in | |||
| Section 5.9. | Section 5.9. | |||
| NOTE: The server's Certificate message is capable of carrying a chain | NOTE: The server's Certificate message is capable of carrying a chain | |||
| of certificates. The restrictions mentioned in Table 3 apply only to | of certificates. The restrictions mentioned in Table 3 apply only to | |||
| the server's certificate (first in the chain). | the server's certificate (first in the chain). | |||
| +-------------+-----------------------------------------------------+ | +-------------+-----------------------------------------------------+ | |||
| | Algorithm | Server Certificate Type | | | Algorithm | Server Certificate Type | | |||
| +-------------+-----------------------------------------------------+ | +-------------+-----------------------------------------------------+ | |||
| | ECDHE_ECDSA | Certificate MUST contain an ECDSA-capable public | | | ECDHE_ECDSA | Certificate MUST contain an ECDSA- or EdDSA-capable | | |||
| | | key. It MUST be signed with ECDSA. | | | | public key. | | |||
| | ECDHE_RSA | Certificate MUST contain an RSA public key | | | ECDHE_RSA | Certificate MUST contain an RSA public key | | |||
| | | authorized for use in digital signatures. It MUST | | | | authorized for use in digital signatures. | | |||
| | | be signed with RSA. | | ||||
| +-------------+-----------------------------------------------------+ | +-------------+-----------------------------------------------------+ | |||
| Table 3: Server Certificate Types | Table 3: Server Certificate Types | |||
| Structure of this message: | Structure of this message: | |||
| Identical to the TLS Certificate format. | Identical to the TLS Certificate format. | |||
| Actions of the sender: | Actions of the sender: | |||
| skipping to change at page 15, line 11 ¶ | skipping to change at page 15, line 4 ¶ | |||
| RFC 4492 had a specification for an ECCurve structure and an | RFC 4492 had a specification for an ECCurve structure and an | |||
| ECBasisType structure. Both of these are omitted now because they | ECBasisType structure. Both of these are omitted now because they | |||
| were only used with the now deprecated explicit curves. | were only used with the now deprecated explicit curves. | |||
| struct { | struct { | |||
| opaque point <1..2^8-1>; | opaque point <1..2^8-1>; | |||
| } ECPoint; | } ECPoint; | |||
| This is the byte string representation of an elliptic curve point | This is the byte string representation of an elliptic curve point | |||
| following the conversion routine in Section 4.3.6 of | following the conversion routine in Section 4.3.6 of | |||
| [ANSI.X9-62.2005]. This byte string may represent an elliptic curve | [ANSI.X9-62.2005]. This byte string may represent an elliptic curve | |||
| point in uncompressed or compressed format; it MUST conform to what | point in uncompressed or compressed format; it MUST conform to what | |||
| the client has requested through a Supported Point Formats Extension | the client has requested through a Supported Point Formats Extension | |||
| if this extension was used. For the Curve25519 and Curve448 curves, | if this extension was used. For the Curve25519 and Curve448 curves, | |||
| the only valid representation is the one specified in [CFRG-Curves] - | the only valid representation is the one specified in [CFRG-Curves] - | |||
| a 32- or 56-octet representation of the u value of the point. | a 32- or 56-octet representation of the u value of the point. This | |||
| structure MUST NOT be used with Ed25519 and Ed448 public keys. | ||||
| struct { | struct { | |||
| ECCurveType curve_type; | ECCurveType curve_type; | |||
| select (curve_type) { | select (curve_type) { | |||
| case named_curve: | case named_curve: | |||
| NamedCurve namedcurve; | NamedCurve namedcurve; | |||
| }; | }; | |||
| } ECParameters; | } ECParameters; | |||
| This identifies the type of the elliptic curve domain parameters. | This identifies the type of the elliptic curve domain parameters. | |||
| Specifies a recommended set of elliptic curve domain parameters. All | Specifies a recommended set of elliptic curve domain parameters. All | |||
| those values of NamedCurve are allowed that refer to a specific | those values of NamedCurve are allowed that refer to a curve capable | |||
| curve. Values of NamedCurve that indicate support for a class of | of Diffie-Hellman. With the deprecation of the explicit curves, this | |||
| explicitly defined curves are not allowed here (they are only | now includes all values of NamedCurve except Ed25519(TBD3) and | |||
| permissible in the ClientHello extension); this applies to | Ed448(TBD4). | |||
| arbitrary_explicit_prime_curves(0xFF01) and | ||||
| arbitrary_explicit_char2_curves(0xFF02). | ||||
| struct { | struct { | |||
| ECParameters curve_params; | ECParameters curve_params; | |||
| ECPoint public; | ECPoint public; | |||
| } ServerECDHParams; | } ServerECDHParams; | |||
| Specifies the elliptic curve domain parameters associated with the | Specifies the elliptic curve domain parameters associated with the | |||
| ECDH public key. | ECDH public key. | |||
| The ephemeral ECDH public key. | The ephemeral ECDH public key. | |||
| skipping to change at page 16, line 18 ¶ | skipping to change at page 16, line 12 ¶ | |||
| Signature signed_params; | Signature signed_params; | |||
| } ServerKeyExchange; | } ServerKeyExchange; | |||
| params: Specifies the ECDH public key and associated domain | params: Specifies the ECDH public key and associated domain | |||
| parameters. | parameters. | |||
| signed_params: A hash of the params, with the signature appropriate | signed_params: A hash of the params, with the signature appropriate | |||
| to that hash applied. The private key corresponding to the | to that hash applied. The private key corresponding to the | |||
| certified public key in the server's Certificate message is used | certified public key in the server's Certificate message is used | |||
| for signing. | for signing. | |||
| enum { ecdsa } SignatureAlgorithm; | enum { ecdsa(3), eddsa(TBD5) } SignatureAlgorithm; | |||
| select (SignatureAlgorithm) { | select (SignatureAlgorithm) { | |||
| case ecdsa: | case ecdsa: | |||
| digitally-signed struct { | digitally-signed struct { | |||
| opaque sha_hash[sha_size]; | opaque sha_hash[sha_size]; | |||
| }; | }; | |||
| case eddsa: | ||||
| digitally-signed struct { | ||||
| opaque rawdata[rawdata_size]; | ||||
| }; | ||||
| } Signature; | } Signature; | |||
| ServerKeyExchange.signed_params.sha_hash | ServerKeyExchange.signed_params.sha_hash | |||
| SHA(ClientHello.random + ServerHello.random + | SHA(ClientHello.random + ServerHello.random + | |||
| ServerKeyExchange.params); | ServerKeyExchange.params); | |||
| ServerKeyExchange.signed_params.rawdata | ||||
| ClientHello.random + ServerHello.random + | ||||
| ServerKeyExchange.params; | ||||
| NOTE: SignatureAlgorithm is "rsa" for the ECDHE_RSA key exchange | NOTE: SignatureAlgorithm is "rsa" for the ECDHE_RSA key exchange | |||
| algorithm and "anonymous" for ECDH_anon. These cases are defined in | algorithm and "anonymous" for ECDH_anon. These cases are defined in | |||
| TLS. SignatureAlgorithm is "ecdsa" for ECDHE_ECDSA. ECDSA | TLS. SignatureAlgorithm is "ecdsa" or "eddsa" for ECDHE_ECDSA. | |||
| signatures are generated and verified as described in Section 5.10, | ECDSA signatures are generated and verified as described in | |||
| and SHA in the above template for sha_hash accordingly may denote a | Section 5.10, and SHA in the above template for sha_hash accordingly | |||
| hash algorithm other than SHA-1. As per ANSI X9.62, an ECDSA | may denote a hash algorithm other than SHA-1. As per ANSI X9.62, an | |||
| signature consists of a pair of integers, r and s. The digitally- | ECDSA signature consists of a pair of integers, r and s. The | |||
| signed element is encoded as an opaque vector <0..2^16-1>, the | digitally-signed element is encoded as an opaque vector <0..2^16-1>, | |||
| contents of which are the DER encoding corresponding to the following | the contents of which are the DER encoding corresponding to the | |||
| ASN.1 notation. | following ASN.1 notation. | |||
| Ecdsa-Sig-Value ::= SEQUENCE { | Ecdsa-Sig-Value ::= SEQUENCE { | |||
| r INTEGER, | r INTEGER, | |||
| s INTEGER | s INTEGER | |||
| } | } | |||
| EdDSA signatures are generated and verified according to | ||||
| [CFRG-EdDSA]. The digitally-signed element is encoded as an opaque | ||||
| vector<0..2^16-1>, the contents of which is the octet string output | ||||
| of the EdDSA signing algorithm. | ||||
| Actions of the sender: | Actions of the sender: | |||
| The server selects elliptic curve domain parameters and an ephemeral | The server selects elliptic curve domain parameters and an ephemeral | |||
| ECDH public key corresponding to these parameters according to the | ECDH public key corresponding to these parameters according to the | |||
| ECKAS-DH1 scheme from IEEE 1363 [IEEE.P1363.1998]. It conveys this | ECKAS-DH1 scheme from IEEE 1363 [IEEE.P1363.1998]. It conveys this | |||
| information to the client in the ServerKeyExchange message using the | information to the client in the ServerKeyExchange message using the | |||
| format defined above. | format defined above. | |||
| Actions of the receiver: | Actions of the receiver: | |||
| skipping to change at page 18, line 37 ¶ | skipping to change at page 18, line 41 ¶ | |||
| NOTE: The client's Certificate message is capable of carrying a chain | NOTE: The client's Certificate message is capable of carrying a chain | |||
| of certificates. The restrictions mentioned in Table 4 apply only to | of certificates. The restrictions mentioned in Table 4 apply only to | |||
| the client's certificate (first in the chain). | the client's certificate (first in the chain). | |||
| +------------------+------------------------------------------------+ | +------------------+------------------------------------------------+ | |||
| | Client | Client Certificate Type | | | Client | Client Certificate Type | | |||
| | Authentication | | | | Authentication | | | |||
| | Method | | | | Method | | | |||
| +------------------+------------------------------------------------+ | +------------------+------------------------------------------------+ | |||
| | ECDSA_sign | Certificate MUST contain an ECDSA-capable | | | ECDSA_sign | Certificate MUST contain an ECDSA- or EdDSA- | | |||
| | | public key and be signed with ECDSA. | | | | capable public key. | | |||
| | ECDSA_fixed_ECDH | Certificate MUST contain an ECDH-capable | | | ECDSA_fixed_ECDH | Certificate MUST contain an ECDH-capable | | |||
| | | public key on the same elliptic curve as the | | | | public key on the same elliptic curve as the | | |||
| | | server's long-term ECDH key. This certificate | | | | server's long-term ECDH key. | | |||
| | | MUST be signed with ECDSA. | | | RSA_fixed_ECDH | The same as ECDSA_fixed_ECDH. The codepoints | | |||
| | RSA_fixed_ECDH | Certificate MUST contain an ECDH-capable | | | | meant different things, but due to changes in | | |||
| | | public key on the same elliptic curve as the | | | | TLS 1.2, both mean the same thing now. | | |||
| | | server's long-term ECDH key. This certificate | | ||||
| | | MUST be signed with RSA. | | ||||
| +------------------+------------------------------------------------+ | +------------------+------------------------------------------------+ | |||
| Table 4: Client Certificate Types | Table 4: Client Certificate Types | |||
| Structure of this message: | Structure of this message: | |||
| Identical to the TLS client Certificate format. | Identical to the TLS client Certificate format. | |||
| Actions of the sender: | Actions of the sender: | |||
| skipping to change at page 19, line 46 ¶ | skipping to change at page 20, line 4 ¶ | |||
| enum { implicit, explicit } PublicValueEncoding; | enum { implicit, explicit } PublicValueEncoding; | |||
| implicit, explicit: For ECC cipher suites, this indicates whether | implicit, explicit: For ECC cipher suites, this indicates whether | |||
| the client's ECDH public key is in the client's certificate | the client's ECDH public key is in the client's certificate | |||
| ("implicit") or is provided, as an ephemeral ECDH public key, in | ("implicit") or is provided, as an ephemeral ECDH public key, in | |||
| the ClientKeyExchange message ("explicit"). (This is "explicit" | the ClientKeyExchange message ("explicit"). (This is "explicit" | |||
| in ECC cipher suites except when the client uses the | in ECC cipher suites except when the client uses the | |||
| ECDSA_fixed_ECDH or RSA_fixed_ECDH client authentication | ECDSA_fixed_ECDH or RSA_fixed_ECDH client authentication | |||
| mechanism.) | mechanism.) | |||
| struct { | struct { | |||
| select (PublicValueEncoding) { | select (PublicValueEncoding) { | |||
| case implicit: struct { }; | case implicit: struct { }; | |||
| case explicit: ECPoint ecdh_Yc; | case explicit: ECPoint ecdh_Yc; | |||
| } ecdh_public; | } ecdh_public; | |||
| } ClientECDiffieHellmanPublic; | } ClientECDiffieHellmanPublic; | |||
| ecdh_Yc: Contains the client's ephemeral ECDH public key as a byte | ecdh_Yc: Contains the client's ephemeral ECDH public key as a byte | |||
| string ECPoint.point, which may represent an elliptic curve point | string ECPoint.point, which may represent an elliptic curve point | |||
| in uncompressed or compressed format. Here, the format MUST | in uncompressed or compressed format. Curves Ed25519 and Ed448 | |||
| conform to what the server has requested through a Supported Point | MUST NOT be used. Here, the format MUST conform to what the | |||
| Formats Extension if this extension was used, and MUST be | server has requested through a Supported Point Formats Extension | |||
| uncompressed if this extension was not used. | if this extension was used, and MUST be uncompressed if this | |||
| extension was not used. | ||||
| struct { | struct { | |||
| select (KeyExchangeAlgorithm) { | select (KeyExchangeAlgorithm) { | |||
| case ec_diffie_hellman: ClientECDiffieHellmanPublic; | case ec_diffie_hellman: ClientECDiffieHellmanPublic; | |||
| } exchange_keys; | } exchange_keys; | |||
| } ClientKeyExchange; | } ClientKeyExchange; | |||
| Actions of the sender: | Actions of the sender: | |||
| The client selects an ephemeral ECDH public key corresponding to the | The client selects an ephemeral ECDH public key corresponding to the | |||
| skipping to change at page 20, line 49 ¶ | skipping to change at page 21, line 7 ¶ | |||
| Meaning of the message: | Meaning of the message: | |||
| This message contains a signature that proves possession of the | This message contains a signature that proves possession of the | |||
| private key corresponding to the public key in the client's | private key corresponding to the public key in the client's | |||
| Certificate message. | Certificate message. | |||
| Structure of this message: | Structure of this message: | |||
| The TLS CertificateVerify message and the underlying Signature type | The TLS CertificateVerify message and the underlying Signature type | |||
| are defined in the TLS base specifications, and the latter is | are defined in the TLS base specifications, and the latter is | |||
| extended here in Section 5.4. For the ecdsa case, the signature | extended here in Section 5.4. For the ecdsa and eddsa cases, the | |||
| field in the CertificateVerify message contains an ECDSA signature | signature field in the CertificateVerify message contains an ECDSA or | |||
| computed over handshake messages exchanged so far, exactly similar to | EdDSA (respectively) signature computed over handshake messages | |||
| CertificateVerify with other signing algorithms: | exchanged so far, exactly similar to CertificateVerify with other | |||
| signing algorithms: | ||||
| CertificateVerify.signature.sha_hash | CertificateVerify.signature.sha_hash | |||
| SHA(handshake_messages); | SHA(handshake_messages); | |||
| CertificateVerify.signature.rawdata | ||||
| handshake_messages; | ||||
| ECDSA signatures are computed as described in Section 5.10, and SHA | ECDSA signatures are computed as described in Section 5.10, and SHA | |||
| in the above template for sha_hash accordingly may denote a hash | in the above template for sha_hash accordingly may denote a hash | |||
| algorithm other than SHA-1. As per ANSI X9.62, an ECDSA signature | algorithm other than SHA-1. As per ANSI X9.62, an ECDSA signature | |||
| consists of a pair of integers, r and s. The digitally-signed | consists of a pair of integers, r and s. The digitally-signed | |||
| element is encoded as an opaque vector <0..2^16-1>, the contents of | element is encoded as an opaque vector <0..2^16-1>, the contents of | |||
| which are the DER encoding [CCITT.X690] corresponding to the | which are the DER encoding [CCITT.X690] corresponding to the | |||
| following ASN.1 notation [CCITT.X680]. | following ASN.1 notation [CCITT.X680]. | |||
| Ecdsa-Sig-Value ::= SEQUENCE { | Ecdsa-Sig-Value ::= SEQUENCE { | |||
| r INTEGER, | r INTEGER, | |||
| s INTEGER | s INTEGER | |||
| } | } | |||
| EdDSA signatures are generated and verified according to | ||||
| [CFRG-EdDSA]. The digitally-signed element is encoded as an opaque | ||||
| vector<0..2^16-1>, the contents of which is the octet string output | ||||
| of the EdDSA signing algorithm. | ||||
| Actions of the sender: | Actions of the sender: | |||
| The client computes its signature over all handshake messages sent or | The client computes its signature over all handshake messages sent or | |||
| received starting at client hello and up to but not including this | received starting at client hello and up to but not including this | |||
| message. It uses the private key corresponding to its certified | message. It uses the private key corresponding to its certified | |||
| public key to compute the signature, which is conveyed in the format | public key to compute the signature, which is conveyed in the format | |||
| defined above. | defined above. | |||
| Actions of the receiver: | Actions of the receiver: | |||
| The server extracts the client's signature from the CertificateVerify | The server extracts the client's signature from the CertificateVerify | |||
| message, and verifies the signature using the public key it received | message, and verifies the signature using the public key it received | |||
| in the client's Certificate message. | in the client's Certificate message. | |||
| 5.9. Elliptic Curve Certificates | 5.9. Elliptic Curve Certificates | |||
| X.509 certificates containing ECC public keys or signed using ECDSA | X.509 certificates containing ECC public keys or signed using ECDSA | |||
| MUST comply with [RFC3279] or another RFC that replaces or extends | MUST comply with [RFC3279] or another RFC that replaces or extends | |||
| it. Clients SHOULD use the elliptic curve domain parameters | it. X.509 certificates containing ECC public keys or signed using | |||
| recommended in ANSI X9.62, FIPS 186-4, and SEC 2 [SECG-SEC2]. | EdDSA MUST comply with [PKIX-EdDSA]. Clients SHOULD use the elliptic | |||
| curve domain parameters recommended in ANSI X9.62, FIPS 186-4, and | ||||
| SEC 2 [SECG-SEC2] or in [CFRG-EdDSA]. | ||||
| EdDSA keys using Ed25519 and Ed25519ph algorithms MUST use the | ||||
| Ed25519 curve, and Ed448 and Ed448ph keys MUST use the Ed448 curve. | ||||
| Curves Curve25519, Curve448, Ed25519 and Ed448 MUST NOT be used for | ||||
| ECDSA. | ||||
| 5.10. ECDH, ECDSA, and RSA Computations | 5.10. ECDH, ECDSA, and RSA Computations | |||
| All ECDH calculations for the NIST curves (including parameter and | All ECDH calculations for the NIST curves (including parameter and | |||
| key generation as well as the shared secret calculation) are | key generation as well as the shared secret calculation) are | |||
| performed according to [IEEE.P1363.1998] using the ECKAS-DH1 scheme | performed according to [IEEE.P1363.1998] using the ECKAS-DH1 scheme | |||
| with the identity map as key derivation function (KDF), so that the | with the identity map as key derivation function (KDF), so that the | |||
| premaster secret is the x-coordinate of the ECDH shared secret | premaster secret is the x-coordinate of the ECDH shared secret | |||
| elliptic curve point represented as an octet string. Note that this | elliptic curve point represented as an octet string. Note that this | |||
| octet string (Z in IEEE 1363 terminology) as output by FE2OSP, the | octet string (Z in IEEE 1363 terminology) as output by FE2OSP, the | |||
| skipping to change at page 22, line 28 ¶ | skipping to change at page 23, line 4 ¶ | |||
| corresponding public key x = Curve25519(d, G). Parties exchange | corresponding public key x = Curve25519(d, G). Parties exchange | |||
| their public keys and compute a shared secret as x_S = Curve25519(d, | their public keys and compute a shared secret as x_S = Curve25519(d, | |||
| x_peer). ECDHE for Curve448 works similarily, replacing Curve25519 | x_peer). ECDHE for Curve448 works similarily, replacing Curve25519 | |||
| with Curve448. The derived shared secret is used directly as the | with Curve448. The derived shared secret is used directly as the | |||
| premaster secret, which is always exactly 32 bytes when ECDHE with | premaster secret, which is always exactly 32 bytes when ECDHE with | |||
| Curve25519 is used and 56 bytes when ECDHE with Curve448 is used. | Curve25519 is used and 56 bytes when ECDHE with Curve448 is used. | |||
| All ECDSA computations MUST be performed according to ANSI X9.62 or | All ECDSA computations MUST be performed according to ANSI X9.62 or | |||
| its successors. Data to be signed/verified is hashed, and the result | its successors. Data to be signed/verified is hashed, and the result | |||
| run directly through the ECDSA algorithm with no additional hashing. | run directly through the ECDSA algorithm with no additional hashing. | |||
| The default hash function is SHA-1 [FIPS.180-2], and sha_size (see | The default hash function is SHA-1 [FIPS.180-2], and sha_size (see | |||
| Section 5.4 and Section 5.8) is 20. However, an alternative hash | Section 5.4 and Section 5.8) is 20. However, an alternative hash | |||
| function, such as one of the new SHA hash functions specified in FIPS | function, such as one of the new SHA hash functions specified in FIPS | |||
| 180-2 [FIPS.180-2], may be used instead. | 180-2 [FIPS.180-2], SHOULD be used instead. | |||
| All EdDSA computations MUST be performed according to [CFRG-EdDSA] or | ||||
| its succesors. Data to be signed/verified is run through the EdDSA | ||||
| algorithm wih no hashing (EdDSA will internally run the data through | ||||
| the PH function). | ||||
| RFC 4492 anticipated the standardization of a mechanism for | RFC 4492 anticipated the standardization of a mechanism for | |||
| specifying the required hash function in the certificate, perhaps in | specifying the required hash function in the certificate, perhaps in | |||
| the parameters field of the subjectPublicKeyInfo. Such | the parameters field of the subjectPublicKeyInfo. Such | |||
| standardization never took place, and as a result, SHA-1 is used in | standardization never took place, and as a result, SHA-1 is used in | |||
| TLS 1.1 and earlier. TLS 1.2 added a SignatureAndHashAlgorithm | TLS 1.1 and earlier (except for EdDSA, which uses identity function). | |||
| parameter to the DigitallySigned struct, thus allowing agility in | TLS 1.2 added a SignatureAndHashAlgorithm parameter to the | |||
| choosing the signature hash. | DigitallySigned struct, thus allowing agility in choosing the | |||
| signature hash. EdDSA signatures MUST have HashAlgorithm of 0 | ||||
| (None). | ||||
| All RSA signatures must be generated and verified according to | All RSA signatures must be generated and verified according to | |||
| [PKCS1] block type 1. | [PKCS1] block type 1. | |||
| 5.11. Public Key Validation | 5.11. Public Key Validation | |||
| With the NIST curves, each party must validate the public key sent by | With the NIST curves, each party must validate the public key sent by | |||
| its peer before performing cryptographic computations with it. | its peer before performing cryptographic computations with it. | |||
| Failing to do so allows attackers to gain information about the | Failing to do so allows attackers to gain information about the | |||
| private key, to the point that they may recover the entire private | private key, to the point that they may recover the entire private | |||
| key in a few requests, if that key is not really ephemeral. | key in a few requests, if that key is not really ephemeral. | |||
| Curve25519 was designed in a way that the result of Curve25519(x, d) | Curve25519 was designed in a way that the result of Curve25519(x, d) | |||
| will never reveal information about d, provided it was chosen as | will never reveal information about d, provided it was chosen as | |||
| prescribed, for any value of x. | prescribed, for any value of x (the same holds true for Curve448). | |||
| Let's define legitimate values of x as the values that can be | Let's define legitimate values of x as the values that can be | |||
| obtained as x = Curve25519(G, d') for some d, and call the other | obtained as x = Curve25519(G, d') for some d, and call the other | |||
| values illegitimate. The definition of the Curve25519 function shows | values illegitimate. The definition of the Curve25519 function shows | |||
| that legitimate values all share the following property: the high- | that legitimate values all share the following property: the high- | |||
| order bit of the last byte is not set. | order bit of the last byte is not set (for Ed448, any bit can be | |||
| set). | ||||
| Since there are some implementation of the Curve25519 function that | Since there are some implementation of the Curve25519 function that | |||
| impose this restriction on their input and others that don't, | impose this restriction on their input and others that don't, | |||
| implementations of Curve25519 in TLS SHOULD reject public keys when | implementations of Curve25519 in TLS SHOULD reject public keys when | |||
| the high-order bit of the last byte is set (in other words, when the | the high-order bit of the last byte is set (in other words, when the | |||
| value of the leftmost byte is greater than 0x7F) in order to prevent | value of the leftmost byte is greater than 0x7F) in order to prevent | |||
| implementation fingerprinting. | implementation fingerprinting. | |||
| Ed25519 and Ed448 internally do public key validation as part of | ||||
| signature verification. | ||||
| Other than this recommended check, implementations do not need to | Other than this recommended check, implementations do not need to | |||
| ensure that the public keys they receive are legitimate: this is not | ensure that the public keys they receive are legitimate: this is not | |||
| necessary for security with Curve25519. | necessary for security with Curve25519. | |||
| 6. Cipher Suites | 6. Cipher Suites | |||
| The table below defines new ECC cipher suites that use the key | The table below defines new ECC cipher suites that use the key | |||
| exchange algorithms specified in Section 2. | exchange algorithms specified in Section 2. | |||
| +---------------------------------------+----------------+ | +---------------------------------------+----------------+ | |||
| | CipherSuite | Identifier | | | CipherSuite | Identifier | | |||
| +---------------------------------------+----------------+ | +---------------------------------------+----------------+ | |||
| | TLS_ECDHE_ECDSA_WITH_NULL_SHA | { 0xC0, 0x06 } | | | TLS_ECDHE_ECDSA_WITH_NULL_SHA | { 0xC0, 0x06 } | | |||
| | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | { 0xC0, 0x07 } | | ||||
| | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | { 0xC0, 0x08 } | | | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | { 0xC0, 0x08 } | | |||
| | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | { 0xC0, 0x09 } | | | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | { 0xC0, 0x09 } | | |||
| | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | { 0xC0, 0x0A } | | | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | { 0xC0, 0x0A } | | |||
| | | | | | | | | |||
| | TLS_ECDHE_RSA_WITH_NULL_SHA | { 0xC0, 0x10 } | | | TLS_ECDHE_RSA_WITH_NULL_SHA | { 0xC0, 0x10 } | | |||
| | TLS_ECDHE_RSA_WITH_RC4_128_SHA | { 0xC0, 0x11 } | | ||||
| | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | { 0xC0, 0x12 } | | | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | { 0xC0, 0x12 } | | |||
| | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | { 0xC0, 0x13 } | | | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | { 0xC0, 0x13 } | | |||
| | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | { 0xC0, 0x14 } | | | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | { 0xC0, 0x14 } | | |||
| | | | | | | | | |||
| | TLS_ECDH_anon_WITH_NULL_SHA | { 0xC0, 0x15 } | | | TLS_ECDH_anon_WITH_NULL_SHA | { 0xC0, 0x15 } | | |||
| | TLS_ECDH_anon_WITH_RC4_128_SHA | { 0xC0, 0x16 } | | ||||
| | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | { 0xC0, 0x17 } | | | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | { 0xC0, 0x17 } | | |||
| | TLS_ECDH_anon_WITH_AES_128_CBC_SHA | { 0xC0, 0x18 } | | | TLS_ECDH_anon_WITH_AES_128_CBC_SHA | { 0xC0, 0x18 } | | |||
| | TLS_ECDH_anon_WITH_AES_256_CBC_SHA | { 0xC0, 0x19 } | | | TLS_ECDH_anon_WITH_AES_256_CBC_SHA | { 0xC0, 0x19 } | | |||
| +---------------------------------------+----------------+ | +---------------------------------------+----------------+ | |||
| Table 5: TLS ECC cipher suites | Table 5: TLS ECC cipher suites | |||
| The key exchange method, cipher, and hash algorithm for each of these | The key exchange method, cipher, and hash algorithm for each of these | |||
| cipher suites are easily determined by examining the name. Ciphers | cipher suites are easily determined by examining the name. Ciphers | |||
| (other than AES ciphers) and hash algorithms are defined in [RFC2246] | (other than AES ciphers) and hash algorithms are defined in [RFC2246] | |||
| skipping to change at page 26, line 9 ¶ | skipping to change at page 26, line 19 ¶ | |||
| values (ECPointFormat and ECCurveType) reserved for Private Use. Any | values (ECPointFormat and ECCurveType) reserved for Private Use. Any | |||
| additional assignments require IETF Review. | additional assignments require IETF Review. | |||
| NOTE: IANA, please update the registries to reflect the new policy | NOTE: IANA, please update the registries to reflect the new policy | |||
| name. | name. | |||
| NOTE: RFC editor please delete these two notes prior to publication. | NOTE: RFC editor please delete these two notes prior to publication. | |||
| IANA, please update these two registries to refer to this document. | IANA, please update these two registries to refer to this document. | |||
| IANA is requested to assign two values from the NamedCurve registry | IANA is requested to assign four values from the NamedCurve registry | |||
| with names Curve25519(TBD1) and Curve448(TBD2) with this document as | with names Curve25519(TBD1), Curve448(TBD2), Ed25519(TBD3) and | |||
| reference. | Ed448(TBD4) with this document as reference. | |||
| IANA is requested to assign one value from SignatureAlgorithm | ||||
| Registry with name eddsa(TBD5) with this document as reference. | ||||
| 9. Acknowledgements | 9. Acknowledgements | |||
| Most of the text is this document is taken from [RFC4492], the | Most of the text is this document is taken from [RFC4492], the | |||
| predecessor of this document. The authors of that document were: | predecessor of this document. The authors of that document were: | |||
| o Simon Blake-Wilson | o Simon Blake-Wilson | |||
| o Nelson Bolyard | o Nelson Bolyard | |||
| o Vipul Gupta | o Vipul Gupta | |||
| o Chris Hawk | o Chris Hawk | |||
| o Bodo Moeller | o Bodo Moeller | |||
| In the predecessor document, the authors acknowledged the | In the predecessor document, the authors acknowledged the | |||
| contributions of Bill Anderson and Tim Dierks. | contributions of Bill Anderson and Tim Dierks. | |||
| 10. Version History for This Draft | 10. Version History for This Draft | |||
| NOTE TO RFC EDITOR: PLEASE REMOVE THIS SECTION | NOTE TO RFC EDITOR: PLEASE REMOVE THIS SECTION | |||
| Changes from draft-ietf-tls-rfc4492bis-03 to draft-nir-tls- | ||||
| rfc4492bis-05: | ||||
| o Add support for CFRG curves and signatures work. | ||||
| Changes from draft-ietf-tls-rfc4492bis-01 to draft-nir-tls- | Changes from draft-ietf-tls-rfc4492bis-01 to draft-nir-tls- | |||
| rfc4492bis-03: | rfc4492bis-03: | |||
| o Removed unused curves. | o Removed unused curves. | |||
| o Removed unused point formats (all but uncompressed) | o Removed unused point formats (all but uncompressed) | |||
| Changes from draft-nir-tls-rfc4492bis-00 and draft-ietf-tls- | Changes from draft-nir-tls-rfc4492bis-00 and draft-ietf-tls- | |||
| rfc4492bis-00 to draft-nir-tls-rfc4492bis-01: | rfc4492bis-00 to draft-nir-tls-rfc4492bis-01: | |||
| o Merged errata | o Merged errata | |||
| skipping to change at page 27, line 12 ¶ | skipping to change at page 27, line 27 ¶ | |||
| o Moved RFC 4492 authors to acknowledgements. | o Moved RFC 4492 authors to acknowledgements. | |||
| o Removed list of required reading for ECC. | o Removed list of required reading for ECC. | |||
| 11. References | 11. References | |||
| 11.1. Normative References | 11.1. Normative References | |||
| [ANSI.X9-62.2005] | [ANSI.X9-62.2005] | |||
| American National Standards Institute, "Public Key | American National Standards Institute, "Public Key | |||
| Cryptography for the Financial Services Industry, The | Cryptography for the Financial Services Industry, The | |||
| Elliptic Curve Digital Signature Algorithm (ECDSA)", ANSI | Elliptic Curve Digital Signature Algorithm (ECDSA)", | |||
| X9.62, 2005. | ANSI X9.62, 2005. | |||
| [CCITT.X680] | [CCITT.X680] | |||
| International Telephone and Telegraph Consultative | International Telephone and Telegraph Consultative | |||
| Committee, "Abstract Syntax Notation One (ASN.1): | Committee, "Abstract Syntax Notation One (ASN.1): | |||
| Specification of basic notation", CCITT Recommendation | Specification of basic notation", CCITT Recommendation | |||
| X.680, July 2002. | X.680, July 2002. | |||
| [CCITT.X690] | [CCITT.X690] | |||
| International Telephone and Telegraph Consultative | International Telephone and Telegraph Consultative | |||
| Committee, "ASN.1 encoding rules: Specification of basic | Committee, "ASN.1 encoding rules: Specification of basic | |||
| encoding Rules (BER), Canonical encoding rules (CER) and | encoding Rules (BER), Canonical encoding rules (CER) and | |||
| Distinguished encoding rules (DER)", CCITT Recommendation | Distinguished encoding rules (DER)", CCITT Recommendation | |||
| X.690, July 2002. | X.690, July 2002. | |||
| [CFRG-Curves] | [CFRG-Curves] | |||
| Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves | Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves | |||
| for Security", draft-irtf-cfrg-curves-11 (work in | for Security", draft-irtf-cfrg-curves-11 (work in | |||
| progress), October 2015. | progress), October 2015. | |||
| [CFRG-EdDSA] | ||||
| Josefsson, S. and I. Liusvaara, "Edwards-curve Digital | ||||
| Signature Algorithm (EdDSA)", draft-irtf-cfrg-eddsa-00 | ||||
| (work in progress), October 2015. | ||||
| [FIPS.186-4] | [FIPS.186-4] | |||
| National Institute of Standards and Technology, "Digital | National Institute of Standards and Technology, "Digital | |||
| Signature Standard", FIPS PUB 186-4, 2013, | Signature Standard", FIPS PUB 186-4, 2013, | |||
| <http://nvlpubs.nist.gov/nistpubs/FIPS/ | <http://nvlpubs.nist.gov/nistpubs/FIPS/ | |||
| NIST.FIPS.186-4.pdf>. | NIST.FIPS.186-4.pdf>. | |||
| [PKCS1] RSA Laboratories, "RSA Encryption Standard, Version 1.5", | [PKCS1] RSA Laboratories, "RSA Encryption Standard, Version 1.5", | |||
| PKCS 1, November 1993. | PKCS 1, November 1993. | |||
| [PKIX-EdDSA] | ||||
| Josefsson, S. and N. Mavrogiannopoulos, "Using EdDSA in | ||||
| the Internet X.509 Public Key Infrastructure", draft- | ||||
| josefsson-pkix-eddsa-03 (work in progress), September | ||||
| 2015. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", | [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", | |||
| RFC 2246, January 1999. | RFC 2246, January 1999. | |||
| [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | |||
| Identifiers for the Internet X.509 Public Key | Identifiers for the Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 3279, April 2002. | (CRL) Profile", RFC 3279, April 2002. | |||
| skipping to change at page 28, line 16 ¶ | skipping to change at page 28, line 42 ¶ | |||
| (TLS) Protocol Version 1.1", RFC 4346, April 2006. | (TLS) Protocol Version 1.1", RFC 4346, April 2006. | |||
| [RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., | [RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., | |||
| and T. Wright, "Transport Layer Security (TLS) | and T. Wright, "Transport Layer Security (TLS) | |||
| Extensions", RFC 4366, April 2006. | Extensions", RFC 4366, April 2006. | |||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, August 2008. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
| [SECG-SEC2] | [SECG-SEC2] | |||
| CECG, "Recommended Elliptic Curve Domain Parameters", SEC | CECG, "Recommended Elliptic Curve Domain Parameters", | |||
| 2, 2000. | SEC 2, 2000. | |||
| 11.2. Informative References | 11.2. Informative References | |||
| [FIPS.180-2] | [FIPS.180-2] | |||
| National Institute of Standards and Technology, "Secure | National Institute of Standards and Technology, "Secure | |||
| Hash Standard", FIPS PUB 180-2, August 2002, | Hash Standard", FIPS PUB 180-2, August 2002, | |||
| <http://csrc.nist.gov/publications/fips/fips180-2/ | <http://csrc.nist.gov/publications/fips/fips180-2/ | |||
| fips180-2.pdf>. | fips180-2.pdf>. | |||
| [I-D.ietf-tls-tls13] | [I-D.ietf-tls-tls13] | |||
| skipping to change at page 30, line 7 ¶ | skipping to change at page 31, line 7 ¶ | |||
| TLS_ECDH_ECDSA_WITH_NULL_SHA | TLS_ECDH_ECDSA_WITH_NULL_SHA | |||
| TLS_ECDH_ECDSA_WITH_RC4_128_SHA | TLS_ECDH_ECDSA_WITH_RC4_128_SHA | |||
| TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | |||
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | |||
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | |||
| TLS_ECDH_RSA_WITH_NULL_SHA | TLS_ECDH_RSA_WITH_NULL_SHA | |||
| TLS_ECDH_RSA_WITH_RC4_128_SHA | TLS_ECDH_RSA_WITH_RC4_128_SHA | |||
| TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | |||
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | |||
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | |||
| All the other RC4 ciphersuites | ||||
| Removed unused curves and all but the uncompressed point format. | Removed unused curves and all but the uncompressed point format. | |||
| Added Curve25519 and Curve448. | Added Curve25519 and Curve448. | |||
| Deprecated explicit curves. | Deprecated explicit curves. | |||
| Removed restriction on signature algorithm in certificate. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Yoav Nir | Yoav Nir | |||
| Check Point Software Technologies Ltd. | Check Point Software Technologies Ltd. | |||
| 5 Hasolelim st. | 5 Hasolelim st. | |||
| Tel Aviv 6789735 | Tel Aviv 6789735 | |||
| Israel | Israel | |||
| Email: ynir.ietf@gmail.com | Email: ynir.ietf@gmail.com | |||
| End of changes. 57 change blocks. | ||||
| 115 lines changed or deleted | 161 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||