| < draft-ietf-tls-rfc4492bis-05.txt | draft-ietf-tls-rfc4492bis-06.txt > | |||
|---|---|---|---|---|
| TLS Working Group Y. Nir | TLS Working Group Y. Nir | |||
| Internet-Draft Check Point | Internet-Draft Check Point | |||
| Obsoletes: 4492 (if approved) S. Josefsson | Obsoletes: 4492 (if approved) S. Josefsson | |||
| Intended status: Standards Track SJD AB | Intended status: Standards Track SJD AB | |||
| Expires: May 7, 2016 M. Pegourie-Gonnard | Expires: August 5, 2016 M. Pegourie-Gonnard | |||
| Independent / PolarSSL | Independent / PolarSSL | |||
| November 4, 2015 | February 2, 2016 | |||
| Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer | Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer | |||
| Security (TLS) Versions 1.2 and Earlier | Security (TLS) Versions 1.2 and Earlier | |||
| draft-ietf-tls-rfc4492bis-05 | draft-ietf-tls-rfc4492bis-06 | |||
| Abstract | Abstract | |||
| This document describes key exchange algorithms based on Elliptic | This document describes key exchange algorithms based on Elliptic | |||
| Curve Cryptography (ECC) for the Transport Layer Security (TLS) | Curve Cryptography (ECC) for the Transport Layer Security (TLS) | |||
| protocol. In particular, it specifies the use of Ephemeral Elliptic | protocol. In particular, it specifies the use of Ephemeral Elliptic | |||
| Curve Diffie-Hellman (ECDHE) key agreement in a TLS handshake and the | Curve Diffie-Hellman (ECDHE) key agreement in a TLS handshake and the | |||
| use of Elliptic Curve Digital Signature Algorithm (ECDSA) and Edwards | use of Elliptic Curve Digital Signature Algorithm (ECDSA) and Edwards | |||
| Digital Signature Algorithm (EdDSA) as new authentication mechanisms. | Digital Signature Algorithm (EdDSA) as new authentication mechanisms. | |||
| skipping to change at page 1, line 39 ¶ | skipping to change at page 1, line 39 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 7, 2016. | This Internet-Draft will expire on August 5, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 31 ¶ | skipping to change at page 2, line 31 ¶ | |||
| 5. Data Structures and Computations . . . . . . . . . . . . . . 8 | 5. Data Structures and Computations . . . . . . . . . . . . . . 8 | |||
| 5.1. Client Hello Extensions . . . . . . . . . . . . . . . . . 8 | 5.1. Client Hello Extensions . . . . . . . . . . . . . . . . . 8 | |||
| 5.1.1. Supported Elliptic Curves Extension . . . . . . . . . 10 | 5.1.1. Supported Elliptic Curves Extension . . . . . . . . . 10 | |||
| 5.1.2. Supported Point Formats Extension . . . . . . . . . . 11 | 5.1.2. Supported Point Formats Extension . . . . . . . . . . 11 | |||
| 5.2. Server Hello Extension . . . . . . . . . . . . . . . . . 12 | 5.2. Server Hello Extension . . . . . . . . . . . . . . . . . 12 | |||
| 5.3. Server Certificate . . . . . . . . . . . . . . . . . . . 13 | 5.3. Server Certificate . . . . . . . . . . . . . . . . . . . 13 | |||
| 5.4. Server Key Exchange . . . . . . . . . . . . . . . . . . . 14 | 5.4. Server Key Exchange . . . . . . . . . . . . . . . . . . . 14 | |||
| 5.5. Certificate Request . . . . . . . . . . . . . . . . . . . 17 | 5.5. Certificate Request . . . . . . . . . . . . . . . . . . . 17 | |||
| 5.6. Client Certificate . . . . . . . . . . . . . . . . . . . 18 | 5.6. Client Certificate . . . . . . . . . . . . . . . . . . . 18 | |||
| 5.7. Client Key Exchange . . . . . . . . . . . . . . . . . . . 19 | 5.7. Client Key Exchange . . . . . . . . . . . . . . . . . . . 19 | |||
| 5.8. Certificate Verify . . . . . . . . . . . . . . . . . . . 20 | 5.8. Certificate Verify . . . . . . . . . . . . . . . . . . . 21 | |||
| 5.9. Elliptic Curve Certificates . . . . . . . . . . . . . . . 22 | 5.9. Elliptic Curve Certificates . . . . . . . . . . . . . . . 22 | |||
| 5.10. ECDH, ECDSA, and RSA Computations . . . . . . . . . . . . 22 | 5.10. ECDH, ECDSA, and RSA Computations . . . . . . . . . . . . 22 | |||
| 5.11. Public Key Validation . . . . . . . . . . . . . . . . . . 23 | 5.11. Public Key Validation . . . . . . . . . . . . . . . . . . 23 | |||
| 6. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . . . 24 | 6. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 25 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 25 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 | |||
| 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 27 | |||
| 10. Version History for This Draft . . . . . . . . . . . . . . . 26 | 10. Version History for This Draft . . . . . . . . . . . . . . . 27 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 27 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 28 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 27 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 28 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 28 | 11.2. Informative References . . . . . . . . . . . . . . . . . 29 | |||
| Appendix A. Equivalent Curves (Informative) . . . . . . . . . . 29 | Appendix A. Equivalent Curves (Informative) . . . . . . . . . . 30 | |||
| Appendix B. Differences from RFC 4492 . . . . . . . . . . . . . 30 | Appendix B. Differences from RFC 4492 . . . . . . . . . . . . . 30 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 31 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 1. Introduction | 1. Introduction | |||
| Elliptic Curve Cryptography (ECC) has emerged as an attractive | Elliptic Curve Cryptography (ECC) has emerged as an attractive | |||
| public-key cryptosystem, in particular for mobile (i.e., wireless) | public-key cryptosystem, in particular for mobile (i.e., wireless) | |||
| environments. Compared to currently prevalent cryptosystems such as | environments. Compared to currently prevalent cryptosystems such as | |||
| RSA, ECC offers equivalent security with smaller key sizes. This is | RSA, ECC offers equivalent security with smaller key sizes. This is | |||
| illustrated in the following table, based on [Lenstra_Verheul], which | illustrated in the following table, based on [Lenstra_Verheul], which | |||
| skipping to change at page 5, line 29 ¶ | skipping to change at page 5, line 29 ¶ | |||
| CertificateVerify*+ | CertificateVerify*+ | |||
| [ChangeCipherSpec] | [ChangeCipherSpec] | |||
| Finished --------> | Finished --------> | |||
| [ChangeCipherSpec] | [ChangeCipherSpec] | |||
| <-------- Finished | <-------- Finished | |||
| Application Data <-------> Application Data | Application Data <-------> Application Data | |||
| * message is not sent under some conditions | * message is not sent under some conditions | |||
| + message is not sent unless client authentication | + message is not sent unless client authentication | |||
| is desired | is desired | |||
| Figure 1: Message flow in a full TLS handshake | Figure 1: Message flow in a full TLS 1.2 handshake | |||
| Figure 1 shows all messages involved in the TLS key establishment | Figure 1 shows all messages involved in the TLS key establishment | |||
| protocol (aka full handshake). The addition of ECC has direct impact | protocol (aka full handshake). The addition of ECC has direct impact | |||
| only on the ClientHello, the ServerHello, the server's Certificate | only on the ClientHello, the ServerHello, the server's Certificate | |||
| message, the ServerKeyExchange, the ClientKeyExchange, the | message, the ServerKeyExchange, the ClientKeyExchange, the | |||
| CertificateRequest, the client's Certificate message, and the | CertificateRequest, the client's Certificate message, and the | |||
| CertificateVerify. Next, we describe the ECC key exchange algorithm | CertificateVerify. Next, we describe the ECC key exchange algorithm | |||
| in greater detail in terms of the content and processing of these | in greater detail in terms of the content and processing of these | |||
| messages. For ease of exposition, we defer discussion of client | messages. For ease of exposition, we defer discussion of client | |||
| authentication and associated messages (identified with a + in | authentication and associated messages (identified with a + in | |||
| skipping to change at page 9, line 20 ¶ | skipping to change at page 9, line 20 ¶ | |||
| Meaning of these extensions: | Meaning of these extensions: | |||
| These extensions allow a client to enumerate the elliptic curves it | These extensions allow a client to enumerate the elliptic curves it | |||
| supports and/or the point formats it can parse. | supports and/or the point formats it can parse. | |||
| Structure of these extensions: | Structure of these extensions: | |||
| The general structure of TLS extensions is described in [RFC4366], | The general structure of TLS extensions is described in [RFC4366], | |||
| and this specification adds two new types to ExtensionType. | and this specification adds two new types to ExtensionType. | |||
| enum { elliptic_curves(10), ec_point_formats(11) } ExtensionType; | enum { | |||
| elliptic_curves(10), | ||||
| ec_point_formats(11) | ||||
| } ExtensionType; | ||||
| elliptic_curves (Supported Elliptic Curves Extension): Indicates the | elliptic_curves (Supported Elliptic Curves Extension): Indicates the | |||
| set of elliptic curves supported by the client. For this | set of elliptic curves supported by the client. For this | |||
| extension, the opaque extension_data field contains | extension, the opaque extension_data field contains | |||
| EllipticCurveList. See Section 5.1.1 for details. | EllipticCurveList. See Section 5.1.1 for details. | |||
| ec_point_formats (Supported Point Formats Extension): Indicates the | ec_point_formats (Supported Point Formats Extension): Indicates the | |||
| set of point formats that the client can parse. For this | set of point formats that the client can parse. For this | |||
| extension, the opaque extension_data field contains | extension, the opaque extension_data field contains | |||
| ECPointFormatList. See Section 5.1.2 for details. | ECPointFormatList. See Section 5.1.2 for details. | |||
| skipping to change at page 10, line 18 ¶ | skipping to change at page 10, line 21 ¶ | |||
| Extension, does not understand the Supported Point Formats Extension, | Extension, does not understand the Supported Point Formats Extension, | |||
| or is unable to complete the ECC handshake while restricting itself | or is unable to complete the ECC handshake while restricting itself | |||
| to the enumerated curves and point formats, it MUST NOT negotiate the | to the enumerated curves and point formats, it MUST NOT negotiate the | |||
| use of an ECC cipher suite. Depending on what other cipher suites | use of an ECC cipher suite. Depending on what other cipher suites | |||
| are proposed by the client and supported by the server, this may | are proposed by the client and supported by the server, this may | |||
| result in a fatal handshake failure alert due to the lack of common | result in a fatal handshake failure alert due to the lack of common | |||
| cipher suites. | cipher suites. | |||
| 5.1.1. Supported Elliptic Curves Extension | 5.1.1. Supported Elliptic Curves Extension | |||
| RFC 4492 defined 25 different curves in the NamedCurve registry for | RFC 4492 defined 25 different curves in the NamedCurve registry (now | |||
| use in TLS. Only three have seen any use. This specification is | renamed the "Supported Groups" registry, although the enumeration | |||
| deprecating the rest (with numbers 1-22). This specification also | below is still named NamedCurve) for use in TLS. Only three have | |||
| deprecates the explicit curves with identifiers 0xFF01 and 0xFF02. | seen much use. This specification is deprecating the rest (with | |||
| It also adds the new curves defined in [CFRG-Curves] and | numbers 1-22). This specification also deprecates the explicit | |||
| [CFRG-EdDSA]. The end result is as follows: | curves with identifiers 0xFF01 and 0xFF02. It also adds the new | |||
| curves defined in [RFC7748] and [CFRG-EdDSA]. The end result is as | ||||
| follows: | ||||
| enum { | enum { | |||
| deprecated(1..22), | deprecated(1..22), | |||
| secp256r1 (23), secp384r1 (24), secp521r1 (25), | secp256r1 (23), secp384r1 (24), secp521r1 (25), | |||
| Curve25519(TBD1), | ecdh_x25519(TBD1), ecdh_x448(TBD2), | |||
| Curve448(TBD2), | eddsa_ed25519(TBD3), eddsa_ed448(TBD4), | |||
| Ed25519(TBD3), | ||||
| Ed448(TBD4), | ||||
| reserved (0xFE00..0xFEFF), | reserved (0xFE00..0xFEFF), | |||
| deprecated(0xFF01..0xFF02), | deprecated(0xFF01..0xFF02), | |||
| (0xFFFF) | (0xFFFF) | |||
| } NamedCurve; | } NamedCurve; | |||
| Note that other specification have since added other values to this | Note that other specification have since added other values to this | |||
| enumeration. | enumeration. | |||
| secp256r1, etc: Indicates support of the corresponding named curve or | secp256r1, etc: Indicates support of the corresponding named curve or | |||
| class of explicitly defined curves. The named curves secp256r1, | class of explicitly defined curves. The named curves secp256r1, | |||
| secp384r1, and secp521r1 are specified in SEC 2 [SECG-SEC2]. These | secp384r1, and secp521r1 are specified in SEC 2 [SECG-SEC2]. These | |||
| curves are also recommended in ANSI X9.62 [ANSI.X9-62.2005] and FIPS | curves are also recommended in ANSI X9.62 [ANSI.X9-62.2005] and FIPS | |||
| 186-4 [FIPS.186-4]. Curve25519 and Curve448 are defined in | 186-4 [FIPS.186-4]. ecdh_x25519 and ecdh_x448 are defined in | |||
| [CFRG-Curves]. Ed25519 and Ed448 are signature-only curves defined | [RFC7748]. eddsa_ed25519 and eddsa_ed448 are signature-only curves | |||
| in [CFRG-EdDSA]. Values 0xFE00 through 0xFEFF are reserved for | defined in [CFRG-EdDSA]. Values 0xFE00 through 0xFEFF are reserved | |||
| private use. | for private use. | |||
| The NamedCurve name space is maintained by IANA. See Section 8 for | The NamedCurve name space is maintained by IANA. See Section 8 for | |||
| information on how new value assignments are added. | information on how new value assignments are added. | |||
| struct { | struct { | |||
| NamedCurve elliptic_curve_list<1..2^16-1> | NamedCurve elliptic_curve_list<1..2^16-1> | |||
| } EllipticCurveList; | } EllipticCurveList; | |||
| Items in elliptic_curve_list are ordered according to the client's | Items in elliptic_curve_list are ordered according to the client's | |||
| preferences (favorite choice first). | preferences (favorite choice first). | |||
| skipping to change at page 11, line 22 ¶ | skipping to change at page 11, line 25 ¶ | |||
| As an example, a client that only supports secp256r1 (aka NIST P-256; | As an example, a client that only supports secp256r1 (aka NIST P-256; | |||
| value 23 = 0x0017) and secp384r1 (aka NIST P-384; value 24 = 0x0018) | value 23 = 0x0017) and secp384r1 (aka NIST P-384; value 24 = 0x0018) | |||
| and prefers to use secp256r1 would include a TLS extension consisting | and prefers to use secp256r1 would include a TLS extension consisting | |||
| of the following octets. Note that the first two octets indicate the | of the following octets. Note that the first two octets indicate the | |||
| extension type (Supported Elliptic Curves Extension): | extension type (Supported Elliptic Curves Extension): | |||
| 00 0A 00 06 00 04 00 17 00 18 | 00 0A 00 06 00 04 00 17 00 18 | |||
| 5.1.2. Supported Point Formats Extension | 5.1.2. Supported Point Formats Extension | |||
| enum { uncompressed (0), ansiX962_compressed_prime (1), | enum { | |||
| ansiX962_compressed_char2 (2), reserved (248..255) | uncompressed (0), | |||
| ansiX962_compressed_prime (1), | ||||
| ansiX962_compressed_char2 (2), | ||||
| reserved (248..255) | ||||
| } ECPointFormat; | } ECPointFormat; | |||
| struct { | struct { | |||
| ECPointFormat ec_point_format_list<1..2^8-1> | ECPointFormat ec_point_format_list<1..2^8-1> | |||
| } ECPointFormatList; | } ECPointFormatList; | |||
| Three point formats were included in the definition of ECPointFormat | Three point formats were included in the definition of ECPointFormat | |||
| above. This specification deprecates all but the uncompressed point | above. This specification deprecates all but the uncompressed point | |||
| format. Implementations of this document MUST support the | format. Implementations of this document MUST support the | |||
| uncompressed format for all of their supported curves, and MUST NOT | uncompressed format for all of their supported curves, and MUST NOT | |||
| support other formats for curves defined in this specification. For | support other formats for curves defined in this specification. For | |||
| backwards compatibility purposes, the point format list extension | backwards compatibility purposes, the point format list extension | |||
| MUST still be included, and contain exactly one value: the | MUST still be included, and contain exactly one value: the | |||
| uncomptessed point format (0). | uncompressed point format (0). | |||
| The ECPointFormat name space is maintained by IANA. See Section 8 | The ECPointFormat name space is maintained by IANA. See Section 8 | |||
| for information on how new value assignments are added. | for information on how new value assignments are added. | |||
| Items in ec_point_format_list are ordered according to the client's | Items in ec_point_format_list are ordered according to the client's | |||
| preferences (favorite choice first). | preferences (favorite choice first). | |||
| A client compliant with this specification that supports no other | A client compliant with this specification that supports no other | |||
| curves MUST send the following octets; note that the first two octets | curves MUST send the following octets; note that the first two octets | |||
| indicate the extension type (Supported Point Formats Extension): | indicate the extension type (Supported Point Formats Extension): | |||
| skipping to change at page 14, line 31 ¶ | skipping to change at page 14, line 35 ¶ | |||
| This message is used to convey the server's ephemeral ECDH public key | This message is used to convey the server's ephemeral ECDH public key | |||
| (and the corresponding elliptic curve domain parameters) to the | (and the corresponding elliptic curve domain parameters) to the | |||
| client. | client. | |||
| The ECCCurveType enum used to have values for explicit prime and for | The ECCCurveType enum used to have values for explicit prime and for | |||
| explicit char2 curves. Those values are now deprecated, so only one | explicit char2 curves. Those values are now deprecated, so only one | |||
| value remains: | value remains: | |||
| Structure of this message: | Structure of this message: | |||
| enum { deprecated (1..2), named_curve (3), reserved(248..255) | enum { | |||
| deprecated (1..2), | ||||
| named_curve (3), | ||||
| reserved(248..255) | ||||
| } ECCurveType; | } ECCurveType; | |||
| The value named_curve indicates that a named curve is used. This | The value named_curve indicates that a named curve is used. This | |||
| option SHOULD be used when applicable. | option SHOULD be used when applicable. | |||
| Values 248 through 255 are reserved for private use. | Values 248 through 255 are reserved for private use. | |||
| The ECCurveType name space is maintained by IANA. See Section 8 for | The ECCurveType name space is maintained by IANA. See Section 8 for | |||
| information on how new value assignments are added. | information on how new value assignments are added. | |||
| skipping to change at page 15, line 4 ¶ | skipping to change at page 15, line 11 ¶ | |||
| RFC 4492 had a specification for an ECCurve structure and an | RFC 4492 had a specification for an ECCurve structure and an | |||
| ECBasisType structure. Both of these are omitted now because they | ECBasisType structure. Both of these are omitted now because they | |||
| were only used with the now deprecated explicit curves. | were only used with the now deprecated explicit curves. | |||
| struct { | struct { | |||
| opaque point <1..2^8-1>; | opaque point <1..2^8-1>; | |||
| } ECPoint; | } ECPoint; | |||
| This is the byte string representation of an elliptic curve point | This is the byte string representation of an elliptic curve point | |||
| following the conversion routine in Section 4.3.6 of | following the conversion routine in Section 4.3.6 of | |||
| [ANSI.X9-62.2005]. This byte string may represent an elliptic curve | [ANSI.X9-62.2005]. This byte string may represent an elliptic curve | |||
| point in uncompressed or compressed format; it MUST conform to what | point in uncompressed or compressed format; it MUST conform to what | |||
| the client has requested through a Supported Point Formats Extension | the client has requested through a Supported Point Formats Extension | |||
| if this extension was used. For the Curve25519 and Curve448 curves, | if this extension was used. For the X25519 and X448 curves, the only | |||
| the only valid representation is the one specified in [CFRG-Curves] - | valid representation is the one specified in [RFC7748] - a 32- or | |||
| a 32- or 56-octet representation of the u value of the point. This | 56-octet representation of the u value of the point. This structure | |||
| structure MUST NOT be used with Ed25519 and Ed448 public keys. | MUST NOT be used with Ed25519 and Ed448 public keys. | |||
| struct { | struct { | |||
| ECCurveType curve_type; | ECCurveType curve_type; | |||
| select (curve_type) { | select (curve_type) { | |||
| case named_curve: | case named_curve: | |||
| NamedCurve namedcurve; | NamedCurve namedcurve; | |||
| }; | }; | |||
| } ECParameters; | } ECParameters; | |||
| This identifies the type of the elliptic curve domain parameters. | This identifies the type of the elliptic curve domain parameters. | |||
| Specifies a recommended set of elliptic curve domain parameters. All | Specifies a recommended set of elliptic curve domain parameters. All | |||
| those values of NamedCurve are allowed that refer to a curve capable | those values of NamedCurve are allowed that refer to a curve capable | |||
| of Diffie-Hellman. With the deprecation of the explicit curves, this | of Diffie-Hellman. With the deprecation of the explicit curves, this | |||
| now includes all values of NamedCurve except Ed25519(TBD3) and | now includes all values of NamedCurve except eddsa_ed25519(TBD3) and | |||
| Ed448(TBD4). | eddsa_ed448(TBD4). | |||
| struct { | struct { | |||
| ECParameters curve_params; | ECParameters curve_params; | |||
| ECPoint public; | ECPoint public; | |||
| } ServerECDHParams; | } ServerECDHParams; | |||
| Specifies the elliptic curve domain parameters associated with the | Specifies the elliptic curve domain parameters associated with the | |||
| ECDH public key. | ECDH public key. | |||
| The ephemeral ECDH public key. | The ephemeral ECDH public key. | |||
| The ServerKeyExchange message is extended as follows. | The ServerKeyExchange message is extended as follows. | |||
| enum { ec_diffie_hellman } KeyExchangeAlgorithm; | enum { | |||
| ec_diffie_hellman | ||||
| } KeyExchangeAlgorithm; | ||||
| ec_diffie_hellman: Indicates the ServerKeyExchange message contains | ec_diffie_hellman: Indicates the ServerKeyExchange message contains | |||
| an ECDH public key. | an ECDH public key. | |||
| select (KeyExchangeAlgorithm) { | select (KeyExchangeAlgorithm) { | |||
| case ec_diffie_hellman: | case ec_diffie_hellman: | |||
| ServerECDHParams params; | ServerECDHParams params; | |||
| Signature signed_params; | Signature signed_params; | |||
| } ServerKeyExchange; | } ServerKeyExchange; | |||
| params: Specifies the ECDH public key and associated domain | params: Specifies the ECDH public key and associated domain | |||
| parameters. | parameters. | |||
| signed_params: A hash of the params, with the signature appropriate | signed_params: A hash of the params, with the signature appropriate | |||
| to that hash applied. The private key corresponding to the | to that hash applied. The private key corresponding to the | |||
| certified public key in the server's Certificate message is used | certified public key in the server's Certificate message is used | |||
| for signing. | for signing. | |||
| enum { ecdsa(3), eddsa(TBD5) } SignatureAlgorithm; | enum { | |||
| ecdsa(3), | ||||
| eddsa(TBD5) | ||||
| } SignatureAlgorithm; | ||||
| select (SignatureAlgorithm) { | select (SignatureAlgorithm) { | |||
| case ecdsa: | case ecdsa: | |||
| digitally-signed struct { | digitally-signed struct { | |||
| opaque sha_hash[sha_size]; | opaque sha_hash[sha_size]; | |||
| }; | }; | |||
| case eddsa: | case eddsa: | |||
| digitally-signed struct { | digitally-signed struct { | |||
| opaque rawdata[rawdata_size]; | opaque rawdata[rawdata_size]; | |||
| }; | }; | |||
| } Signature; | } Signature; | |||
| skipping to change at page 17, line 36 ¶ | skipping to change at page 17, line 48 ¶ | |||
| Meaning of this message: | Meaning of this message: | |||
| The server uses this message to suggest acceptable client | The server uses this message to suggest acceptable client | |||
| authentication methods. | authentication methods. | |||
| Structure of this message: | Structure of this message: | |||
| The TLS CertificateRequest message is extended as follows. | The TLS CertificateRequest message is extended as follows. | |||
| enum { | enum { | |||
| ecdsa_sign(64), rsa_fixed_ecdh(65), | ecdsa_sign(64), | |||
| ecdsa_fixed_ecdh(66), (255) | rsa_fixed_ecdh(65), | |||
| ecdsa_fixed_ecdh(66), | ||||
| (255) | ||||
| } ClientCertificateType; | } ClientCertificateType; | |||
| ecdsa_sign, etc. Indicates that the server would like to use the | ecdsa_sign, etc. Indicates that the server would like to use the | |||
| corresponding client authentication method specified in Section 3. | corresponding client authentication method specified in Section 3. | |||
| Actions of the sender: | Actions of the sender: | |||
| The server decides which client authentication methods it would like | The server decides which client authentication methods it would like | |||
| to use, and conveys this information to the client using the format | to use, and conveys this information to the client using the format | |||
| defined above. | defined above. | |||
| skipping to change at page 19, line 39 ¶ | skipping to change at page 20, line 7 ¶ | |||
| Meaning of the message: | Meaning of the message: | |||
| This message is used to convey ephemeral data relating to the key | This message is used to convey ephemeral data relating to the key | |||
| exchange belonging to the client (such as its ephemeral ECDH public | exchange belonging to the client (such as its ephemeral ECDH public | |||
| key). | key). | |||
| Structure of this message: | Structure of this message: | |||
| The TLS ClientKeyExchange message is extended as follows. | The TLS ClientKeyExchange message is extended as follows. | |||
| enum { implicit, explicit } PublicValueEncoding; | enum { | |||
| implicit, | ||||
| explicit | ||||
| } PublicValueEncoding; | ||||
| implicit, explicit: For ECC cipher suites, this indicates whether | implicit, explicit: For ECC cipher suites, this indicates whether | |||
| the client's ECDH public key is in the client's certificate | the client's ECDH public key is in the client's certificate | |||
| ("implicit") or is provided, as an ephemeral ECDH public key, in | ("implicit") or is provided, as an ephemeral ECDH public key, in | |||
| the ClientKeyExchange message ("explicit"). (This is "explicit" | the ClientKeyExchange message ("explicit"). (This is "explicit" | |||
| in ECC cipher suites except when the client uses the | in ECC cipher suites except when the client uses the | |||
| ECDSA_fixed_ECDH or RSA_fixed_ECDH client authentication | ECDSA_fixed_ECDH or RSA_fixed_ECDH client authentication | |||
| mechanism.) | mechanism.) | |||
| struct { | struct { | |||
| select (PublicValueEncoding) { | select (PublicValueEncoding) { | |||
| case implicit: struct { }; | case implicit: struct { }; | |||
| case explicit: ECPoint ecdh_Yc; | case explicit: ECPoint ecdh_Yc; | |||
| } ecdh_public; | } ecdh_public; | |||
| } ClientECDiffieHellmanPublic; | } ClientECDiffieHellmanPublic; | |||
| ecdh_Yc: Contains the client's ephemeral ECDH public key as a byte | ecdh_Yc: Contains the client's ephemeral ECDH public key as a byte | |||
| string ECPoint.point, which may represent an elliptic curve point | string ECPoint.point, which may represent an elliptic curve point | |||
| in uncompressed or compressed format. Curves Ed25519 and Ed448 | in uncompressed or compressed format. Curves eddsa_ed25519 and | |||
| MUST NOT be used. Here, the format MUST conform to what the | eddsa_ed448 MUST NOT be used here. Here, the format MUST conform | |||
| server has requested through a Supported Point Formats Extension | to what the server has requested through a Supported Point Formats | |||
| if this extension was used, and MUST be uncompressed if this | Extension if this extension was used, and MUST be uncompressed if | |||
| extension was not used. | this extension was not used. | |||
| struct { | struct { | |||
| select (KeyExchangeAlgorithm) { | select (KeyExchangeAlgorithm) { | |||
| case ec_diffie_hellman: ClientECDiffieHellmanPublic; | case ec_diffie_hellman: ClientECDiffieHellmanPublic; | |||
| } exchange_keys; | } exchange_keys; | |||
| } ClientKeyExchange; | } ClientKeyExchange; | |||
| Actions of the sender: | Actions of the sender: | |||
| The client selects an ephemeral ECDH public key corresponding to the | The client selects an ephemeral ECDH public key corresponding to the | |||
| skipping to change at page 22, line 15 ¶ | skipping to change at page 22, line 27 ¶ | |||
| 5.9. Elliptic Curve Certificates | 5.9. Elliptic Curve Certificates | |||
| X.509 certificates containing ECC public keys or signed using ECDSA | X.509 certificates containing ECC public keys or signed using ECDSA | |||
| MUST comply with [RFC3279] or another RFC that replaces or extends | MUST comply with [RFC3279] or another RFC that replaces or extends | |||
| it. X.509 certificates containing ECC public keys or signed using | it. X.509 certificates containing ECC public keys or signed using | |||
| EdDSA MUST comply with [PKIX-EdDSA]. Clients SHOULD use the elliptic | EdDSA MUST comply with [PKIX-EdDSA]. Clients SHOULD use the elliptic | |||
| curve domain parameters recommended in ANSI X9.62, FIPS 186-4, and | curve domain parameters recommended in ANSI X9.62, FIPS 186-4, and | |||
| SEC 2 [SECG-SEC2] or in [CFRG-EdDSA]. | SEC 2 [SECG-SEC2] or in [CFRG-EdDSA]. | |||
| EdDSA keys using Ed25519 and Ed25519ph algorithms MUST use the | EdDSA keys using Ed25519 and Ed25519ph algorithms MUST use the | |||
| Ed25519 curve, and Ed448 and Ed448ph keys MUST use the Ed448 curve. | eddsa_ed25519 curve, and Ed448 and Ed448ph keys MUST use the | |||
| Curves Curve25519, Curve448, Ed25519 and Ed448 MUST NOT be used for | eddsa_ed448 curve. Curves ecdh_x25519, ecdh_x448, eddsa_ed25519 and | |||
| ECDSA. | eddsa_ed448 MUST NOT be used for ECDSA. | |||
| 5.10. ECDH, ECDSA, and RSA Computations | 5.10. ECDH, ECDSA, and RSA Computations | |||
| All ECDH calculations for the NIST curves (including parameter and | All ECDH calculations for the NIST curves (including parameter and | |||
| key generation as well as the shared secret calculation) are | key generation as well as the shared secret calculation) are | |||
| performed according to [IEEE.P1363.1998] using the ECKAS-DH1 scheme | performed according to [IEEE.P1363.1998] using the ECKAS-DH1 scheme | |||
| with the identity map as key derivation function (KDF), so that the | with the identity map as key derivation function (KDF), so that the | |||
| premaster secret is the x-coordinate of the ECDH shared secret | premaster secret is the x-coordinate of the ECDH shared secret | |||
| elliptic curve point represented as an octet string. Note that this | elliptic curve point represented as an octet string. Note that this | |||
| octet string (Z in IEEE 1363 terminology) as output by FE2OSP, the | octet string (Z in IEEE 1363 terminology) as output by FE2OSP, the | |||
| skipping to change at page 22, line 40 ¶ | skipping to change at page 23, line 4 ¶ | |||
| MUST NOT be truncated. | MUST NOT be truncated. | |||
| (Note that this use of the identity KDF is a technicality. The | (Note that this use of the identity KDF is a technicality. The | |||
| complete picture is that ECDH is employed with a non-trivial KDF | complete picture is that ECDH is employed with a non-trivial KDF | |||
| because TLS does not directly use the premaster secret for anything | because TLS does not directly use the premaster secret for anything | |||
| other than for computing the master secret. In TLS 1.0 and 1.1, this | other than for computing the master secret. In TLS 1.0 and 1.1, this | |||
| means that the MD5- and SHA-1-based TLS PRF serves as a KDF; in TLS | means that the MD5- and SHA-1-based TLS PRF serves as a KDF; in TLS | |||
| 1.2 the KDF is determined by ciphersuite; it is conceivable that | 1.2 the KDF is determined by ciphersuite; it is conceivable that | |||
| future TLS versions or new TLS extensions introduced in the future | future TLS versions or new TLS extensions introduced in the future | |||
| may vary this computation.) | may vary this computation.) | |||
| An ECDHE key exchange using X25519 (curve ecdh_x25519) goes as | ||||
| An ECDHE key exchange using Curve25519 goes as follows. Each party | follows: Each party picks a secret key d uniformly at random and | |||
| picks a secret key d uniformly at random and computes the | computes the corresponding public key x = X25519(d, G). Parties | |||
| corresponding public key x = Curve25519(d, G). Parties exchange | exchange their public keys, and compute a shared secret as x_S = | |||
| their public keys and compute a shared secret as x_S = Curve25519(d, | X25519(d, x_peer). If either party obtains all-zeroes x_S, it MUST | |||
| x_peer). ECDHE for Curve448 works similarily, replacing Curve25519 | abort the handshake (as required by definition of X25519 and X448). | |||
| with Curve448. The derived shared secret is used directly as the | ECDHE for X448 works similarily, replacing X25519 with X448, and | |||
| premaster secret, which is always exactly 32 bytes when ECDHE with | ecdh_x25519 with ecdh_x448. The derived shared secret is used | |||
| Curve25519 is used and 56 bytes when ECDHE with Curve448 is used. | directly as the premaster secret, which is always exactly 32 bytes | |||
| when ECDHE with X25519 is used and 56 bytes when ECDHE with X448 is | ||||
| used. | ||||
| All ECDSA computations MUST be performed according to ANSI X9.62 or | All ECDSA computations MUST be performed according to ANSI X9.62 or | |||
| its successors. Data to be signed/verified is hashed, and the result | its successors. Data to be signed/verified is hashed, and the result | |||
| run directly through the ECDSA algorithm with no additional hashing. | run directly through the ECDSA algorithm with no additional hashing. | |||
| The default hash function is SHA-1 [FIPS.180-2], and sha_size (see | The default hash function is SHA-1 [FIPS.180-2], and sha_size (see | |||
| Section 5.4 and Section 5.8) is 20. However, an alternative hash | Section 5.4 and Section 5.8) is 20. However, an alternative hash | |||
| function, such as one of the new SHA hash functions specified in FIPS | function, such as one of the new SHA hash functions specified in FIPS | |||
| 180-2 [FIPS.180-2], SHOULD be used instead. | 180-2 [FIPS.180-2], SHOULD be used instead. | |||
| All EdDSA computations MUST be performed according to [CFRG-EdDSA] or | All EdDSA computations MUST be performed according to [CFRG-EdDSA] or | |||
| its succesors. Data to be signed/verified is run through the EdDSA | its succesors. Data to be signed/verified is run through the EdDSA | |||
| algorithm wih no hashing (EdDSA will internally run the data through | algorithm wih no hashing (EdDSA will internally run the data through | |||
| the PH function). | the PH function). | |||
| skipping to change at page 23, line 36 ¶ | skipping to change at page 24, line 5 ¶ | |||
| [PKCS1] block type 1. | [PKCS1] block type 1. | |||
| 5.11. Public Key Validation | 5.11. Public Key Validation | |||
| With the NIST curves, each party must validate the public key sent by | With the NIST curves, each party must validate the public key sent by | |||
| its peer before performing cryptographic computations with it. | its peer before performing cryptographic computations with it. | |||
| Failing to do so allows attackers to gain information about the | Failing to do so allows attackers to gain information about the | |||
| private key, to the point that they may recover the entire private | private key, to the point that they may recover the entire private | |||
| key in a few requests, if that key is not really ephemeral. | key in a few requests, if that key is not really ephemeral. | |||
| Curve25519 was designed in a way that the result of Curve25519(x, d) | X25519 was designed in a way that the result of X25519(x, d) will | |||
| will never reveal information about d, provided it was chosen as | never reveal information about d, provided it was chosen as | |||
| prescribed, for any value of x (the same holds true for Curve448). | prescribed, for any value of x (the same holds true for X448). | |||
| All-zeroes output from X25519 or X448 MUST NOT be used for premaster | ||||
| secret (as required by definition of X25519 and X448). If the | ||||
| premaster secret would be all zeroes, the handshake MUST be aborted | ||||
| (most probably by sending a fatal alert). | ||||
| Let's define legitimate values of x as the values that can be | Let's define legitimate values of x as the values that can be | |||
| obtained as x = Curve25519(G, d') for some d, and call the other | obtained as x = X25519(G, d') for some d', and call the other values | |||
| values illegitimate. The definition of the Curve25519 function shows | illegitimate. The definition of the X25519 function shows that | |||
| that legitimate values all share the following property: the high- | legitimate values all share the following property: the high-order | |||
| order bit of the last byte is not set (for Ed448, any bit can be | bit of the last byte is not set (for X448, any bit can be set). | |||
| set). | ||||
| Since there are some implementation of the Curve25519 function that | Since there are some implementation of the X25519 function that | |||
| impose this restriction on their input and others that don't, | impose this restriction on their input and others that don't, | |||
| implementations of Curve25519 in TLS SHOULD reject public keys when | implementations of X25519 in TLS SHOULD reject public keys when the | |||
| the high-order bit of the last byte is set (in other words, when the | high-order bit of the last byte is set (in other words, when the | |||
| value of the leftmost byte is greater than 0x7F) in order to prevent | value of the leftmost byte is greater than 0x7F) in order to prevent | |||
| implementation fingerprinting. | implementation fingerprinting. | |||
| Ed25519 and Ed448 internally do public key validation as part of | Ed25519 and Ed448 internally do public key validation as part of | |||
| signature verification. | signature verification. | |||
| Other than this recommended check, implementations do not need to | Other than this recommended check, implementations do not need to | |||
| ensure that the public keys they receive are legitimate: this is not | ensure that the public keys they receive are legitimate: this is not | |||
| necessary for security with Curve25519. | necessary for security with X25519. | |||
| 6. Cipher Suites | 6. Cipher Suites | |||
| The table below defines new ECC cipher suites that use the key | The table below defines new ECC cipher suites that use the key | |||
| exchange algorithms specified in Section 2. | exchange algorithms specified in Section 2. | |||
| +---------------------------------------+----------------+ | +---------------------------------------+----------------+ | |||
| | CipherSuite | Identifier | | | CipherSuite | Identifier | | |||
| +---------------------------------------+----------------+ | +---------------------------------------+----------------+ | |||
| | TLS_ECDHE_ECDSA_WITH_NULL_SHA | { 0xC0, 0x06 } | | | TLS_ECDHE_ECDSA_WITH_NULL_SHA | { 0xC0, 0x06 } | | |||
| skipping to change at page 25, line 52 ¶ | skipping to change at page 26, line 38 ¶ | |||
| All of the key exchange algorithms defined in this document provide | All of the key exchange algorithms defined in this document provide | |||
| forward secrecy. Some of the deprecated key exchange algorithms do | forward secrecy. Some of the deprecated key exchange algorithms do | |||
| not. | not. | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
| [RFC4492], the predecessor of this document has already defined the | [RFC4492], the predecessor of this document has already defined the | |||
| IANA registries for the following: | IANA registries for the following: | |||
| o NamedCurve Section 5.1 | o Supported Groups Section 5.1 | |||
| o ECPointFormat Section 5.1 | o ECPointFormat Section 5.1 | |||
| o ECCurveType Section 5.4 | o ECCurveType Section 5.4 | |||
| For each name space, this document defines the initial value | For each name space, this document defines the initial value | |||
| assignments and defines a range of 256 values (NamedCurve) or eight | assignments and defines a range of 256 values (NamedCurve) or eight | |||
| values (ECPointFormat and ECCurveType) reserved for Private Use. Any | values (ECPointFormat and ECCurveType) reserved for Private Use. The | |||
| additional assignments require IETF Review. | policy for any additional assignments is "Specification Required". | |||
| The previous version of this document required IETF review. | ||||
| NOTE: IANA, please update the registries to reflect the new policy | NOTE: IANA, please update the registries to reflect the new policy. | |||
| name. | ||||
| NOTE: RFC editor please delete these two notes prior to publication. | NOTE: RFC editor please delete these two notes prior to publication. | |||
| IANA, please update these two registries to refer to this document. | IANA, please update these two registries to refer to this document. | |||
| IANA is requested to assign four values from the NamedCurve registry | IANA is requested to assign four values from the NamedCurve registry | |||
| with names Curve25519(TBD1), Curve448(TBD2), Ed25519(TBD3) and | with names ecdh_x25519(TBD1), ecdh_x448(TBD2), eddsa_ed25519(TBD3) | |||
| Ed448(TBD4) with this document as reference. | and eddsa_ed448(TBD4) with this document as reference. | |||
| IANA is requested to assign one value from SignatureAlgorithm | IANA is requested to assign one value from SignatureAlgorithm | |||
| Registry with name eddsa(TBD5) with this document as reference. | Registry with name eddsa(TBD5) with this document as reference. | |||
| 9. Acknowledgements | 9. Acknowledgements | |||
| Most of the text is this document is taken from [RFC4492], the | Most of the text is this document is taken from [RFC4492], the | |||
| predecessor of this document. The authors of that document were: | predecessor of this document. The authors of that document were: | |||
| o Simon Blake-Wilson | o Simon Blake-Wilson | |||
| skipping to change at page 27, line 43 ¶ | skipping to change at page 28, line 28 ¶ | |||
| Specification of basic notation", CCITT Recommendation | Specification of basic notation", CCITT Recommendation | |||
| X.680, July 2002. | X.680, July 2002. | |||
| [CCITT.X690] | [CCITT.X690] | |||
| International Telephone and Telegraph Consultative | International Telephone and Telegraph Consultative | |||
| Committee, "ASN.1 encoding rules: Specification of basic | Committee, "ASN.1 encoding rules: Specification of basic | |||
| encoding Rules (BER), Canonical encoding rules (CER) and | encoding Rules (BER), Canonical encoding rules (CER) and | |||
| Distinguished encoding rules (DER)", CCITT Recommendation | Distinguished encoding rules (DER)", CCITT Recommendation | |||
| X.690, July 2002. | X.690, July 2002. | |||
| [CFRG-Curves] | ||||
| Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves | ||||
| for Security", draft-irtf-cfrg-curves-11 (work in | ||||
| progress), October 2015. | ||||
| [CFRG-EdDSA] | [CFRG-EdDSA] | |||
| Josefsson, S. and I. Liusvaara, "Edwards-curve Digital | Josefsson, S. and I. Liusvaara, "Edwards-curve Digital | |||
| Signature Algorithm (EdDSA)", draft-irtf-cfrg-eddsa-00 | Signature Algorithm (EdDSA)", draft-irtf-cfrg-eddsa-00 | |||
| (work in progress), October 2015. | (work in progress), October 2015. | |||
| [FIPS.186-4] | [FIPS.186-4] | |||
| National Institute of Standards and Technology, "Digital | National Institute of Standards and Technology, "Digital | |||
| Signature Standard", FIPS PUB 186-4, 2013, | Signature Standard", FIPS PUB 186-4, 2013, | |||
| <http://nvlpubs.nist.gov/nistpubs/FIPS/ | <http://nvlpubs.nist.gov/nistpubs/FIPS/ | |||
| NIST.FIPS.186-4.pdf>. | NIST.FIPS.186-4.pdf>. | |||
| skipping to change at page 28, line 41 ¶ | skipping to change at page 29, line 20 ¶ | |||
| [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.1", RFC 4346, April 2006. | (TLS) Protocol Version 1.1", RFC 4346, April 2006. | |||
| [RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., | [RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., | |||
| and T. Wright, "Transport Layer Security (TLS) | and T. Wright, "Transport Layer Security (TLS) | |||
| Extensions", RFC 4366, April 2006. | Extensions", RFC 4366, April 2006. | |||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, August 2008. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
| [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves | ||||
| for Security", RFC 7748, January 2016. | ||||
| [SECG-SEC2] | [SECG-SEC2] | |||
| CECG, "Recommended Elliptic Curve Domain Parameters", | CECG, "Recommended Elliptic Curve Domain Parameters", | |||
| SEC 2, 2000. | SEC 2, 2000. | |||
| 11.2. Informative References | 11.2. Informative References | |||
| [FIPS.180-2] | [FIPS.180-2] | |||
| National Institute of Standards and Technology, "Secure | National Institute of Standards and Technology, "Secure | |||
| Hash Standard", FIPS PUB 180-2, August 2002, | Hash Standard", FIPS PUB 180-2, August 2002, | |||
| <http://csrc.nist.gov/publications/fips/fips180-2/ | <http://csrc.nist.gov/publications/fips/fips180-2/ | |||
| skipping to change at page 31, line 11 ¶ | skipping to change at page 31, line 19 ¶ | |||
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | |||
| TLS_ECDH_RSA_WITH_NULL_SHA | TLS_ECDH_RSA_WITH_NULL_SHA | |||
| TLS_ECDH_RSA_WITH_RC4_128_SHA | TLS_ECDH_RSA_WITH_RC4_128_SHA | |||
| TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | |||
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | |||
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | |||
| All the other RC4 ciphersuites | All the other RC4 ciphersuites | |||
| Removed unused curves and all but the uncompressed point format. | Removed unused curves and all but the uncompressed point format. | |||
| Added Curve25519 and Curve448. | Added X25519 and X448. | |||
| Deprecated explicit curves. | Deprecated explicit curves. | |||
| Removed restriction on signature algorithm in certificate. | Removed restriction on signature algorithm in certificate. | |||
| Authors' Addresses | Authors' Addresses | |||
| Yoav Nir | Yoav Nir | |||
| Check Point Software Technologies Ltd. | Check Point Software Technologies Ltd. | |||
| 5 Hasolelim st. | 5 Hasolelim st. | |||
| End of changes. 39 change blocks. | ||||
| 88 lines changed or deleted | 110 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||