| < draft-ietf-tls-rfc4492bis-08.txt | draft-ietf-tls-rfc4492bis-09.txt > | |||
|---|---|---|---|---|
| TLS Working Group Y. Nir | TLS Working Group Y. Nir | |||
| Internet-Draft Check Point | Internet-Draft Check Point | |||
| Obsoletes: 4492 (if approved) S. Josefsson | Obsoletes: 4492 (if approved) S. Josefsson | |||
| Intended status: Standards Track SJD AB | Intended status: Standards Track SJD AB | |||
| Expires: January 9, 2017 M. Pegourie-Gonnard | Expires: May 2, 2017 M. Pegourie-Gonnard | |||
| Independent / PolarSSL | Independent / PolarSSL | |||
| July 8, 2016 | October 29, 2016 | |||
| Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer | Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer | |||
| Security (TLS) Versions 1.2 and Earlier | Security (TLS) Versions 1.2 and Earlier | |||
| draft-ietf-tls-rfc4492bis-08 | draft-ietf-tls-rfc4492bis-09 | |||
| Abstract | Abstract | |||
| This document describes key exchange algorithms based on Elliptic | This document describes key exchange algorithms based on Elliptic | |||
| Curve Cryptography (ECC) for the Transport Layer Security (TLS) | Curve Cryptography (ECC) for the Transport Layer Security (TLS) | |||
| protocol. In particular, it specifies the use of Ephemeral Elliptic | protocol. In particular, it specifies the use of Ephemeral Elliptic | |||
| Curve Diffie-Hellman (ECDHE) key agreement in a TLS handshake and the | Curve Diffie-Hellman (ECDHE) key agreement in a TLS handshake and the | |||
| use of Elliptic Curve Digital Signature Algorithm (ECDSA) and Edwards | use of Elliptic Curve Digital Signature Algorithm (ECDSA) and Edwards | |||
| Digital Signature Algorithm (EdDSA) as new authentication mechanisms. | Digital Signature Algorithm (EdDSA) as new authentication mechanisms. | |||
| skipping to change at page 1, line 39 ¶ | skipping to change at page 1, line 39 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 9, 2017. | This Internet-Draft will expire on May 2, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 4, line 9 ¶ | skipping to change at page 4, line 9 ¶ | |||
| handshake, their encoding in TLS messages, and the processing of | handshake, their encoding in TLS messages, and the processing of | |||
| those messages. Section 6 defines ECC-based cipher suites and | those messages. Section 6 defines ECC-based cipher suites and | |||
| identifies a small subset of these as recommended for all | identifies a small subset of these as recommended for all | |||
| implementations of this specification. Section 7 discusses security | implementations of this specification. Section 7 discusses security | |||
| considerations. Section 8 describes IANA considerations for the name | considerations. Section 8 describes IANA considerations for the name | |||
| spaces created by this document's predecessor. Section 9 gives | spaces created by this document's predecessor. Section 9 gives | |||
| acknowledgements. Appendix B provides differences from [RFC4492], | acknowledgements. Appendix B provides differences from [RFC4492], | |||
| the document that this one replaces. | the document that this one replaces. | |||
| Implementation of this specification requires familiarity with TLS, | Implementation of this specification requires familiarity with TLS, | |||
| TLS extensions [RFC4366], and ECC (TBD: reference Wikipedia here?). | TLS extensions [RFC4366], and ECC. | |||
| 1.1. Conventions Used in This Document | 1.1. Conventions Used in This Document | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 2. Key Exchange Algorithm | 2. Key Exchange Algorithm | |||
| This document defines three new ECC-based key exchange algorithms for | This document defines three new ECC-based key exchange algorithms for | |||
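Review bot: deleting the "TBD: reference Wikipedia here?" placeholder leaves the last sentence of the introduction reading "TLS extensions [RFC4366], and ECC." with a citation for the extensions but none for ECC, even though the reference list on this same page already carries [IEEE.P1363.1998] ("Standard Specifications for Public Key Cryptography") and [FIPS.186-4]. Suggest resolving the TBD by citing one of those rather than by dropping the pointer, e.g. "TLS extensions [RFC4366], and ECC [IEEE.P1363.1998]." so an implementer new to the curves has somewhere to go.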
| skipping to change at page 6, line 34 ¶ | skipping to change at page 6, line 34 ¶ | |||
| This key exchange algorithm is the same as ECDHE_ECDSA except that | This key exchange algorithm is the same as ECDHE_ECDSA except that | |||
| the server's certificate MUST contain an RSA public key authorized | the server's certificate MUST contain an RSA public key authorized | |||
| for signing, and that the signature in the ServerKeyExchange message | for signing, and that the signature in the ServerKeyExchange message | |||
| must be computed with the corresponding RSA private key. | must be computed with the corresponding RSA private key. | |||
| 2.3. ECDH_anon | 2.3. ECDH_anon | |||
| NOTE: Despite the name beginning with "ECDH_" (no E), the key used in | NOTE: Despite the name beginning with "ECDH_" (no E), the key used in | |||
| ECDH_anon is ephemeral just like the key in ECDHE_RSA and | ECDH_anon is ephemeral just like the key in ECDHE_RSA and | |||
| ECDHE_ECDSA. The naming follows the example of DH_anon, where the | ECDHE_ECDSA. The naming follows the example of DH_anon, where the | |||
| key is also ephemeral but the name does not reflect it. TBD: Do we | key is also ephemeral but the name does not reflect it. | |||
| want to rename this so that it makes sense? | ||||
| In ECDH_anon, the server's Certificate, the CertificateRequest, the | In ECDH_anon, the server's Certificate, the CertificateRequest, the | |||
| client's Certificate, and the CertificateVerify messages MUST NOT be | client's Certificate, and the CertificateVerify messages MUST NOT be | |||
| sent. | sent. | |||
| The server MUST send an ephemeral ECDH public key and a specification | The server MUST send an ephemeral ECDH public key and a specification | |||
| of the corresponding curve in the ServerKeyExchange message. These | of the corresponding curve in the ServerKeyExchange message. These | |||
| parameters MUST NOT be signed. | parameters MUST NOT be signed. | |||
| The client generates an ECDH key pair on the same curve as the | The client generates an ECDH key pair on the same curve as the | |||
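Review bot: removing "TBD: Do we want to rename this so that it makes sense?" settles on keeping the ECDH_anon name, so the NOTE that the key is ephemeral despite the missing "E" is now the only thing warning implementers; keep it, since the following paragraphs depend on it (an ephemeral ECDH public key that MUST NOT be signed). One unchanged line in this block, in 2.2 just above, says the ServerKeyExchange signature "must be computed with the corresponding RSA private key" in lowercase, next to "MUST contain an RSA public key authorized for signing"; with Section 1.1 invoking [RFC2119], that should be "MUST be computed" so the signing requirement is normative rather than descriptive.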
| skipping to change at page 29, line 14 ¶ | skipping to change at page 29, line 14 ¶ | |||
| [CCITT.X690] | [CCITT.X690] | |||
| International Telephone and Telegraph Consultative | International Telephone and Telegraph Consultative | |||
| Committee, "ASN.1 encoding rules: Specification of basic | Committee, "ASN.1 encoding rules: Specification of basic | |||
| encoding Rules (BER), Canonical encoding rules (CER) and | encoding Rules (BER), Canonical encoding rules (CER) and | |||
| Distinguished encoding rules (DER)", CCITT Recommendation | Distinguished encoding rules (DER)", CCITT Recommendation | |||
| X.690, July 2002. | X.690, July 2002. | |||
| [CFRG-EdDSA] | [CFRG-EdDSA] | |||
| Josefsson, S. and I. Liusvaara, "Edwards-curve Digital | Josefsson, S. and I. Liusvaara, "Edwards-curve Digital | |||
| Signature Algorithm (EdDSA)", draft-irtf-cfrg-eddsa-05 | Signature Algorithm (EdDSA)", draft-irtf-cfrg-eddsa-08 | |||
| (work in progress), March 2016. | (work in progress), August 2016. | |||
| [FIPS.186-4] | [FIPS.186-4] | |||
| National Institute of Standards and Technology, "Digital | National Institute of Standards and Technology, "Digital | |||
| Signature Standard", FIPS PUB 186-4, 2013, | Signature Standard", FIPS PUB 186-4, 2013, | |||
| <http://nvlpubs.nist.gov/nistpubs/FIPS/ | <http://nvlpubs.nist.gov/nistpubs/FIPS/ | |||
| NIST.FIPS.186-4.pdf>. | NIST.FIPS.186-4.pdf>. | |||
| [PKCS1] RSA Laboratories, "RSA Encryption Standard, Version 1.5", | [PKCS1] RSA Laboratories, "RSA Encryption Standard, Version 1.5", | |||
| PKCS 1, November 1993. | PKCS 1, November 1993. | |||
| [PKIX-EdDSA] | [PKIX-EdDSA] | |||
| Josefsson, S. and N. Mavrogiannopoulos, "Using EdDSA in | Josefsson, S. and J. Schaad, "Algorithm Identifiers for | |||
| the Internet X.509 Public Key Infrastructure", draft-ietf- | Ed25519, Ed25519ph, Ed448, Ed448ph, X25519 and X448 for | |||
| curdle-pkix-eddsa-00 (work in progress), March 2016. | use in the Internet X.509 Public Key Infrastructure", | |||
| August 2016, <https://tools.ietf.org/html/draft-ietf- | ||||
| curdle-pkix-01>. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", | [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", | |||
| RFC 2246, January 1999. | RFC 2246, January 1999. | |||
| [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | |||
| Identifiers for the Internet X.509 Public Key | Identifiers for the Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
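Review bot: the rewritten [PKIX-EdDSA] entry breaks the citation style used by the other draft reference in this list: [CFRG-EdDSA] two entries up gives the draft name and status ("draft-irtf-cfrg-eddsa-08 (work in progress), August 2016."), while the new entry gives only a tools.ietf.org URL to draft-ietf-curdle-pkix-01 and no "(work in progress)" marker. Suggest "draft-ietf-curdle-pkix-01 (work in progress), August 2016." for consistency. Separately, the anchor [PKIX-EdDSA] now points at a document whose title also covers X25519 and X448 key-agreement identifiers; an anchor such as [PKIX-CURDLE] would match the cited title better, with the in-text citations updated alongside.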
| skipping to change at page 30, line 21 ¶ | skipping to change at page 30, line 21 ¶ | |||
| 11.2. Informative References | 11.2. Informative References | |||
| [FIPS.180-2] | [FIPS.180-2] | |||
| National Institute of Standards and Technology, "Secure | National Institute of Standards and Technology, "Secure | |||
| Hash Standard", FIPS PUB 180-2, August 2002, | Hash Standard", FIPS PUB 180-2, August 2002, | |||
| <http://csrc.nist.gov/publications/fips/fips180-2/ | <http://csrc.nist.gov/publications/fips/fips180-2/ | |||
| fips180-2.pdf>. | fips180-2.pdf>. | |||
| [I-D.ietf-tls-tls13] | [I-D.ietf-tls-tls13] | |||
| Dierks, T. and E. Rescorla, "The Transport Layer Security | Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| (TLS) Protocol Version 1.3", draft-ietf-tls-tls13-02 (work | Version 1.3", draft-ietf-tls-tls13-18 (work in progress), | |||
| in progress), July 2014. | October 2016. | |||
| [IEEE.P1363.1998] | [IEEE.P1363.1998] | |||
| Institute of Electrical and Electronics Engineers, | Institute of Electrical and Electronics Engineers, | |||
| "Standard Specifications for Public Key Cryptography", | "Standard Specifications for Public Key Cryptography", | |||
| IEEE Draft P1363, 1998. | IEEE Draft P1363, 1998. | |||
| [Lenstra_Verheul] | [Lenstra_Verheul] | |||
| Lenstra, A. and E. Verheul, "Selecting Cryptographic Key | Lenstra, A. and E. Verheul, "Selecting Cryptographic Key | |||
| Sizes", Journal of Cryptology 14 (2001) 255-293, 2001. | Sizes", Journal of Cryptology 14 (2001) 255-293, 2001. | |||
| End of changes. 9 change blocks. | ||||
| 15 lines changed or deleted | 16 lines changed or added | |||