< draft-ietf-tls-rfc4492bis-15.txt   draft-ietf-tls-rfc4492bis-16.txt >
TLS Working Group Y. Nir TLS Working Group Y. Nir
Internet-Draft Check Point Internet-Draft Check Point
Obsoletes: 4492 (if approved) S. Josefsson Obsoletes: 4492 (if approved) S. Josefsson
Intended status: Standards Track SJD AB Intended status: Standards Track SJD AB
Expires: September 14, 2017 M. Pegourie-Gonnard Expires: September 24, 2017 M. Pegourie-Gonnard
Independent / PolarSSL Independent / PolarSSL
March 13, 2017 March 23, 2017
Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer
Security (TLS) Versions 1.2 and Earlier Security (TLS) Versions 1.2 and Earlier
draft-ietf-tls-rfc4492bis-15 draft-ietf-tls-rfc4492bis-16
Abstract Abstract
This document describes key exchange algorithms based on Elliptic This document describes key exchange algorithms based on Elliptic
Curve Cryptography (ECC) for the Transport Layer Security (TLS) Curve Cryptography (ECC) for the Transport Layer Security (TLS)
protocol. In particular, it specifies the use of Ephemeral Elliptic protocol. In particular, it specifies the use of Ephemeral Elliptic
Curve Diffie-Hellman (ECDHE) key agreement in a TLS handshake and the Curve Diffie-Hellman (ECDHE) key agreement in a TLS handshake and the
use of Elliptic Curve Digital Signature Algorithm (ECDSA) and Edwards use of Elliptic Curve Digital Signature Algorithm (ECDSA) and Edwards
Digital Signature Algorithm (EdDSA) as authentication mechanisms. Digital Signature Algorithm (EdDSA) as authentication mechanisms.
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 14, 2017. This Internet-Draft will expire on September 24, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 18 skipping to change at page 2, line 18
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Conventions Used in This Document . . . . . . . . . . . . 3 1.1. Conventions Used in This Document . . . . . . . . . . . . 3
2. Key Exchange Algorithm . . . . . . . . . . . . . . . . . . . 3 2. Key Exchange Algorithm . . . . . . . . . . . . . . . . . . . 3
2.1. ECDHE_ECDSA . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. ECDHE_ECDSA . . . . . . . . . . . . . . . . . . . . . . . 5
2.2. ECDHE_RSA . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2. ECDHE_RSA . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3. ECDH_anon . . . . . . . . . . . . . . . . . . . . . . . . 5 2.3. ECDH_anon . . . . . . . . . . . . . . . . . . . . . . . . 6
2.4. Algorithms in Certificate Chains . . . . . . . . . . . . 6
3. Client Authentication . . . . . . . . . . . . . . . . . . . . 6 3. Client Authentication . . . . . . . . . . . . . . . . . . . . 6
3.1. ECDSA_sign . . . . . . . . . . . . . . . . . . . . . . . 7 3.1. ECDSA_sign . . . . . . . . . . . . . . . . . . . . . . . 7
4. TLS Extensions for ECC . . . . . . . . . . . . . . . . . . . 7 4. TLS Extensions for ECC . . . . . . . . . . . . . . . . . . . 7
5. Data Structures and Computations . . . . . . . . . . . . . . 8 5. Data Structures and Computations . . . . . . . . . . . . . . 8
5.1. Client Hello Extensions . . . . . . . . . . . . . . . . . 8 5.1. Client Hello Extensions . . . . . . . . . . . . . . . . . 8
5.1.1. Supported Elliptic Curves Extension . . . . . . . . . 9 5.1.1. Supported Elliptic Curves Extension . . . . . . . . . 10
5.1.2. Supported Point Formats Extension . . . . . . . . . . 11 5.1.2. Supported Point Formats Extension . . . . . . . . . . 11
5.1.3. The signature_algorithms Extension and EdDSA . . . . 11 5.1.3. The signature_algorithms Extension and EdDSA . . . . 12
5.2. Server Hello Extension . . . . . . . . . . . . . . . . . 12 5.2. Server Hello Extension . . . . . . . . . . . . . . . . . 12
5.3. Server Certificate . . . . . . . . . . . . . . . . . . . 13 5.3. Server Certificate . . . . . . . . . . . . . . . . . . . 13
5.4. Server Key Exchange . . . . . . . . . . . . . . . . . . . 14 5.4. Server Key Exchange . . . . . . . . . . . . . . . . . . . 14
5.4.1. Uncompressed Point Format for NIST curves . . . . . . 17 5.4.1. Uncompressed Point Format for NIST curves . . . . . . 18
5.5. Certificate Request . . . . . . . . . . . . . . . . . . . 18 5.5. Certificate Request . . . . . . . . . . . . . . . . . . . 18
5.6. Client Certificate . . . . . . . . . . . . . . . . . . . 19 5.6. Client Certificate . . . . . . . . . . . . . . . . . . . 19
5.7. Client Key Exchange . . . . . . . . . . . . . . . . . . . 20 5.7. Client Key Exchange . . . . . . . . . . . . . . . . . . . 20
5.8. Certificate Verify . . . . . . . . . . . . . . . . . . . 21 5.8. Certificate Verify . . . . . . . . . . . . . . . . . . . 21
5.9. Elliptic Curve Certificates . . . . . . . . . . . . . . . 23 5.9. Elliptic Curve Certificates . . . . . . . . . . . . . . . 23
5.10. ECDH, ECDSA, and RSA Computations . . . . . . . . . . . . 23 5.10. ECDH, ECDSA, and RSA Computations . . . . . . . . . . . . 23
5.11. Public Key Validation . . . . . . . . . . . . . . . . . . 24 5.11. Public Key Validation . . . . . . . . . . . . . . . . . . 24
6. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . . . 25 6. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . . . 24
7. Implementation Status . . . . . . . . . . . . . . . . . . . . 26 7. Implementation Status . . . . . . . . . . . . . . . . . . . . 25
8. Security Considerations . . . . . . . . . . . . . . . . . . . 26 8. Security Considerations . . . . . . . . . . . . . . . . . . . 26
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 28 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 27
11. Version History for This Draft . . . . . . . . . . . . . . . 28 11. Version History for This Draft . . . . . . . . . . . . . . . 28
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 29 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 28
12.1. Normative References . . . . . . . . . . . . . . . . . . 29 12.1. Normative References . . . . . . . . . . . . . . . . . . 28
12.2. Informative References . . . . . . . . . . . . . . . . . 30 12.2. Informative References . . . . . . . . . . . . . . . . . 30
Appendix A. Equivalent Curves (Informative) . . . . . . . . . . 31 Appendix A. Equivalent Curves (Informative) . . . . . . . . . . 30
Appendix B. Differences from RFC 4492 . . . . . . . . . . . . . 32 Appendix B. Differences from RFC 4492 . . . . . . . . . . . . . 31
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32
1. Introduction 1. Introduction
This document describes additions to TLS to support ECC, applicable This document describes additions to TLS to support ECC, applicable
to TLS versions 1.0 [RFC2246], 1.1 [RFC4346], and 1.2 [RFC5246]. The to TLS versions 1.0 [RFC2246], 1.1 [RFC4346], and 1.2 [RFC5246]. The
use of ECC in TLS 1.3 is defined in [I-D.ietf-tls-tls13], and is use of ECC in TLS 1.3 is defined in [I-D.ietf-tls-tls13], and is
explicitly out of scope for this document. In particular, this explicitly out of scope for this document. In particular, this
document defines: document defines:
o the use of the ECDHE key agreement scheme with ephemeral keys to o the use of the ECDHE key agreement scheme with ephemeral keys to
skipping to change at page 4, line 6 skipping to change at page 4, line 6
This document defines three new ECC-based key exchange algorithms for This document defines three new ECC-based key exchange algorithms for
TLS. All of them use Ephemeral ECDH (ECDHE) to compute the TLS TLS. All of them use Ephemeral ECDH (ECDHE) to compute the TLS
premaster secret, and they differ only in the mechanism (if any) used premaster secret, and they differ only in the mechanism (if any) used
to authenticate them. The derivation of the TLS master secret from to authenticate them. The derivation of the TLS master secret from
the premaster secret and the subsequent generation of bulk the premaster secret and the subsequent generation of bulk
encryption/MAC keys and initialization vectors is independent of the encryption/MAC keys and initialization vectors is independent of the
key exchange algorithm and not impacted by the introduction of ECC. key exchange algorithm and not impacted by the introduction of ECC.
Table 1 summarizes the new key exchange algorithms. All of these key Table 1 summarizes the new key exchange algorithms. All of these key
exchange algorithms provide forward secrecy. exchange algorithms provide forward secrecy if and only if fresh
ephemeral keys are generated and used, and also destroyed after use.
+-------------+------------------------------------------------+ +-------------+------------------------------------------------+
| Algorithm | Description | | Algorithm | Description |
+-------------+------------------------------------------------+ +-------------+------------------------------------------------+
| ECDHE_ECDSA | Ephemeral ECDH with ECDSA or EdDSA signatures. | | ECDHE_ECDSA | Ephemeral ECDH with ECDSA or EdDSA signatures. |
| ECDHE_RSA | Ephemeral ECDH with RSA signatures. | | ECDHE_RSA | Ephemeral ECDH with RSA signatures. |
| ECDH_anon | Anonymous ephemeral ECDH, no signatures. | | ECDH_anon | Anonymous ephemeral ECDH, no signatures. |
+-------------+------------------------------------------------+ +-------------+------------------------------------------------+
Table 1: ECC Key Exchange Algorithms Table 1: ECC Key Exchange Algorithms
skipping to change at page 6, line 17 skipping to change at page 6, line 38
parameters MUST NOT be signed. parameters MUST NOT be signed.
The client generates an ECDH key pair on the same curve as the The client generates an ECDH key pair on the same curve as the
server's ephemeral ECDH key and sends its public key in the server's ephemeral ECDH key and sends its public key in the
ClientKeyExchange message. ClientKeyExchange message.
Both client and server perform an ECDH operation and use the Both client and server perform an ECDH operation and use the
resultant shared secret as the premaster secret. All ECDH resultant shared secret as the premaster secret. All ECDH
calculations are performed as specified in Section 5.10. calculations are performed as specified in Section 5.10.
2.4. Algorithms in Certificate Chains
This specification does not impose restrictions on signature schemes This specification does not impose restrictions on signature schemes
used anywhere in the certificate chain. The previous version of this used anywhere in the certificate chain. The previous version of this
document required the signatures to match, but this restriction, document required the signatures to match, but this restriction,
originating in previous TLS versions is lifted here as it had been in originating in previous TLS versions is lifted here as it had been in
RFC 5246. RFC 5246.
3. Client Authentication 3. Client Authentication
This document defines a client authentication mechanism, named after This document defines a client authentication mechanism, named after
the type of client certificate involved: ECDSA_sign. The ECDSA_sign the type of client certificate involved: ECDSA_sign. The ECDSA_sign
mechanism is usable with any of the non-anonymous ECC key exchange mechanism is usable with any of the non-anonymous ECC key exchange
algorithms described in Section 2 as well as other non-anonymous algorithms described in Section 2 as well as other non-anonymous
(non-ECC) key exchange algorithms defined in TLS. (non-ECC) key exchange algorithms defined in TLS.
Note that client certificates with EdDSA public keys use this Note that client certificates with EdDSA public keys also use this
mechanism. mechanism.
The server can request ECC-based client authentication by including The server can request ECC-based client authentication by including
this certificate type in its CertificateRequest message. The client this certificate type in its CertificateRequest message. The client
must check if it possesses a certificate appropriate for the method must check if it possesses a certificate appropriate for the method
suggested by the server and is willing to use it for authentication. suggested by the server and is willing to use it for authentication.
If these conditions are not met, the client should send a client If these conditions are not met, the client SHOULD send a client
Certificate message containing no certificates. In this case, the Certificate message containing no certificates. In this case, the
ClientKeyExchange should be sent as described in Section 2, and the ClientKeyExchange MUST be sent as described in Section 2, and the
CertificateVerify should not be sent. If the server requires client CertificateVerify MUST NOT be sent. If the server requires client
authentication, it may respond with a fatal handshake failure alert. authentication, it may respond with a fatal handshake failure alert.
If the client has an appropriate certificate and is willing to use it If the client has an appropriate certificate and is willing to use it
for authentication, it must send that certificate in the client's for authentication, it must send that certificate in the client's
Certificate message (as per Section 5.6) and prove possession of the Certificate message (as per Section 5.6) and prove possession of the
private key corresponding to the certified key. The process of private key corresponding to the certified key. The process of
determining an appropriate certificate and proving possession is determining an appropriate certificate and proving possession is
different for each authentication mechanism and described below. different for each authentication mechanism and described below.
NOTE: It is permissible for a server to request (and the client to NOTE: It is permissible for a server to request (and the client to
skipping to change at page 7, line 39 skipping to change at page 8, line 12
supports and the point formats it can parse by including the supports and the point formats it can parse by including the
appropriate extensions in its ClientHello message. The server appropriate extensions in its ClientHello message. The server
similarly enumerates the point formats it can parse by including an similarly enumerates the point formats it can parse by including an
extension in its ServerHello message. extension in its ServerHello message.
A TLS client that proposes ECC cipher suites in its ClientHello A TLS client that proposes ECC cipher suites in its ClientHello
message SHOULD include these extensions. Servers implementing ECC message SHOULD include these extensions. Servers implementing ECC
cipher suites MUST support these extensions, and when a client uses cipher suites MUST support these extensions, and when a client uses
these extensions, servers MUST NOT negotiate the use of an ECC cipher these extensions, servers MUST NOT negotiate the use of an ECC cipher
suite unless they can complete the handshake while respecting the suite unless they can complete the handshake while respecting the
choice of curves and compression techniques specified by the client. choice of curves specified by the client. This eliminates the
This eliminates the possibility that a negotiated ECC handshake will possibility that a negotiated ECC handshake will be subsequently
be subsequently aborted due to a client's inability to deal with the aborted due to a client's inability to deal with the server's EC key.
server's EC key.
The client MUST NOT include these extensions in the ClientHello The client MUST NOT include these extensions in the ClientHello
message if it does not propose any ECC cipher suites. A client that message if it does not propose any ECC cipher suites. A client that
proposes ECC cipher suites may choose not to include these proposes ECC cipher suites may choose not to include these
extensions. In this case, the server is free to choose any one of extensions. In this case, the server is free to choose any one of
the elliptic curves or point formats listed in Section 5. That the elliptic curves or point formats listed in Section 5. That
section also describes the structure and processing of these section also describes the structure and processing of these
extensions in greater detail. extensions in greater detail.
In the case of session resumption, the server simply ignores the In the case of session resumption, the server simply ignores the
skipping to change at page 8, line 51 skipping to change at page 9, line 23
and this specification adds two types to ExtensionType. and this specification adds two types to ExtensionType.
enum { enum {
elliptic_curves(10), elliptic_curves(10),
ec_point_formats(11) ec_point_formats(11)
} ExtensionType; } ExtensionType;
o elliptic_curves (Supported Elliptic Curves Extension): Indicates o elliptic_curves (Supported Elliptic Curves Extension): Indicates
the set of elliptic curves supported by the client. For this the set of elliptic curves supported by the client. For this
extension, the opaque extension_data field contains extension, the opaque extension_data field contains
EllipticCurveList. See Section 5.1.1 for details. NamedCurveList. See Section 5.1.1 for details.
o ec_point_formats (Supported Point Formats Extension): Indicates o ec_point_formats (Supported Point Formats Extension): Indicates
the set of point formats that the client can parse. For this the set of point formats that the client can parse. For this
extension, the opaque extension_data field contains extension, the opaque extension_data field contains
ECPointFormatList. See Section 5.1.2 for details. ECPointFormatList. See Section 5.1.2 for details.
Actions of the sender: Actions of the sender:
A client that proposes ECC cipher suites in its ClientHello message A client that proposes ECC cipher suites in its ClientHello message
appends these extensions (along with any others), enumerating the appends these extensions (along with any others), enumerating the
curves it supports and the point formats it can parse. Clients curves it supports and the point formats it can parse. Clients
skipping to change at page 10, line 8 skipping to change at page 10, line 27
renamed the "Supported Groups" registry, although the enumeration renamed the "Supported Groups" registry, although the enumeration
below is still named NamedCurve) for use in TLS. Only three have below is still named NamedCurve) for use in TLS. Only three have
seen much use. This specification is deprecating the rest (with seen much use. This specification is deprecating the rest (with
numbers 1-22). This specification also deprecates the explicit numbers 1-22). This specification also deprecates the explicit
curves with identifiers 0xFF01 and 0xFF02. It also adds the new curves with identifiers 0xFF01 and 0xFF02. It also adds the new
curves defined in [RFC7748]. The end result is as follows: curves defined in [RFC7748]. The end result is as follows:
enum { enum {
deprecated(1..22), deprecated(1..22),
secp256r1 (23), secp384r1 (24), secp521r1 (25), secp256r1 (23), secp384r1 (24), secp521r1 (25),
ecdh_x25519(29), ecdh_x448(30), x25519(29), x448(30),
reserved (0xFE00..0xFEFF), reserved (0xFE00..0xFEFF),
deprecated(0xFF01..0xFF02), deprecated(0xFF01..0xFF02),
(0xFFFF) (0xFFFF)
} NamedCurve; } NamedCurve;
Note that other specifications have since added other values to this Note that other specifications have since added other values to this
enumeration. Some of those values are not curves at all, but finite enumeration. Some of those values are not curves at all, but finite
field groups. See [RFC7919]. field groups. See [RFC7919].
secp256r1, etc: Indicates support of the corresponding named curve or secp256r1, etc: Indicates support of the corresponding named curve or
groups. The named curves secp256r1, secp384r1, and secp521r1 are groups. The named curves secp256r1, secp384r1, and secp521r1 are
specified in SEC 2 [SECG-SEC2]. These curves are also recommended in specified in SEC 2 [SECG-SEC2]. These curves are also recommended in
ANSI X9.62 [ANSI.X9-62.2005] and FIPS 186-4 [FIPS.186-4]. The rest ANSI X9.62 [ANSI.X9-62.2005] and FIPS 186-4 [FIPS.186-4]. The rest
of this document refers to these three curves as the "NIST curves" of this document refers to these three curves as the "NIST curves"
because they were originally standardized by the National Institute because they were originally standardized by the National Institute
of Standards and Technology. The curves ecdh_x25519 and ecdh_x448 of Standards and Technology. The curves x25519 and x448 are defined
are defined in [RFC7748]. Values 0xFE00 through 0xFEFF are reserved in [RFC7748]. Values 0xFE00 through 0xFEFF are reserved for private
for private use. use.
The predecessor of this document also supported explicitly defined The predecessor of this document also supported explicitly defined
prime and char2 curves, but these are deprecated by this prime and char2 curves, but these are deprecated by this
specification. specification.
The NamedCurve name space is maintained by IANA. See Section 9 for The NamedCurve name space is maintained by IANA. See Section 9 for
information on how new value assignments are added. information on how new value assignments are added.
struct { struct {
NamedCurve elliptic_curve_list<2..2^16-1> NamedCurve named_curve_list<2..2^16-1>
} EllipticCurveList; } NamedCurveList;
Items in elliptic_curve_list are ordered according to the client's Items in named_curve_list are ordered according to the client's
preferences (favorite choice first). preferences (favorite choice first).
As an example, a client that only supports secp256r1 (aka NIST P-256; As an example, a client that only supports secp256r1 (aka NIST P-256;
value 23 = 0x0017) and secp384r1 (aka NIST P-384; value 24 = 0x0018) value 23 = 0x0017) and secp384r1 (aka NIST P-384; value 24 = 0x0018)
and prefers to use secp256r1 would include a TLS extension consisting and prefers to use secp256r1 would include a TLS extension consisting
of the following octets. Note that the first two octets indicate the of the following octets. Note that the first two octets indicate the
extension type (Supported Elliptic Curves Extension): extension type (Supported Elliptic Curves Extension):
00 0A 00 06 00 04 00 17 00 18 00 0A 00 06 00 04 00 17 00 18
skipping to change at page 11, line 21 skipping to change at page 11, line 36
} ECPointFormat; } ECPointFormat;
struct { struct {
ECPointFormat ec_point_format_list<1..2^8-1> ECPointFormat ec_point_format_list<1..2^8-1>
} ECPointFormatList; } ECPointFormatList;
Three point formats were included in the definition of ECPointFormat Three point formats were included in the definition of ECPointFormat
above. This specification deprecates all but the uncompressed point above. This specification deprecates all but the uncompressed point
format. Implementations of this document MUST support the format. Implementations of this document MUST support the
uncompressed format for all of their supported curves, and MUST NOT uncompressed format for all of their supported curves, and MUST NOT
support other formats for curves defined in this specification. For support other formats for curves defined in this specification. For
backwards compatibility purposes, the point format list extension backwards compatibility purposes, the point format list extension MAY
MUST still be included, and contain exactly one value: the still be included, and contain exactly one value: the uncompressed
uncompressed point format (0). point format (0). RFC 4492 specified that if this extension is
missing, it means that only the uncompressed point format is
supported, so interoperability with implementations that support the
uncompressed format should work with or without the extension.
If the client sends the extension and the extension does not contain
the uncompressed point format, and the client has used the Supported
Groups extension to indicate support for any of the curves defined in
this specification then the server MUST abort the handshake and
return an illegal_parameter alert.
The ECPointFormat name space is maintained by IANA. See Section 9 The ECPointFormat name space is maintained by IANA. See Section 9
for information on how new value assignments are added. for information on how new value assignments are added.
Items in ec_point_format_list are ordered according to the client's
preferences (favorite choice first).
A client compliant with this specification that supports no other A client compliant with this specification that supports no other
curves MUST send the following octets; note that the first two octets curves MUST send the following octets; note that the first two octets
indicate the extension type (Supported Point Formats Extension): indicate the extension type (Supported Point Formats Extension):
00 0B 00 02 01 00 00 0B 00 02 01 00
5.1.3. The signature_algorithms Extension and EdDSA 5.1.3. The signature_algorithms Extension and EdDSA
The signature_algorithms extension, defined in section 7.4.1.4.1 of The signature_algorithms extension, defined in section 7.4.1.4.1 of
[RFC5246], advertises the combinations of signature algorithm and [RFC5246], advertises the combinations of signature algorithm and
skipping to change at page 13, line 29 skipping to change at page 14, line 10
NOTE: The server's Certificate message is capable of carrying a chain NOTE: The server's Certificate message is capable of carrying a chain
of certificates. The restrictions mentioned in Table 3 apply only to of certificates. The restrictions mentioned in Table 3 apply only to
the server's certificate (first in the chain). the server's certificate (first in the chain).
+-------------+-----------------------------------------------------+ +-------------+-----------------------------------------------------+
| Algorithm | Server Certificate Type | | Algorithm | Server Certificate Type |
+-------------+-----------------------------------------------------+ +-------------+-----------------------------------------------------+
| ECDHE_ECDSA | Certificate MUST contain an ECDSA- or EdDSA-capable | | ECDHE_ECDSA | Certificate MUST contain an ECDSA- or EdDSA-capable |
| | public key. | | | public key. |
| ECDHE_RSA | Certificate MUST contain an RSA public key | | ECDHE_RSA | Certificate MUST contain an RSA public key. |
| | authorized for use in digital signatures. |
+-------------+-----------------------------------------------------+ +-------------+-----------------------------------------------------+
Table 2: Server Certificate Types Table 2: Server Certificate Types
Structure of this message: Structure of this message:
Identical to the TLS Certificate format. Identical to the TLS Certificate format.
Actions of the sender: Actions of the sender:
The server constructs an appropriate certificate chain and conveys it The server constructs an appropriate certificate chain and conveys it
to the client in the Certificate message. If the client has used a to the client in the Certificate message. If the client has used a
Supported Elliptic Curves Extension, the public key in the server's Supported Elliptic Curves Extension, the public key in the server's
certificate MUST respect the client's choice of elliptic curves; If certificate MUST respect the client's choice of elliptic curves. A
the client has used a Supported Point Formats Extension, both the server that cannot satisfy this requirement MUST NOT choose an ECC
server's public key point and (in the case of an explicit curve) the cipher suite in its ServerHello message.)
curve's base point MUST respect the client's choice of point formats.
(A server that cannot satisfy these requirements MUST NOT choose an
ECC cipher suite in its ServerHello message.)
Actions of the receiver: Actions of the receiver:
The client validates the certificate chain, extracts the server's The client validates the certificate chain, extracts the server's
public key, and checks that the key type is appropriate for the public key, and checks that the key type is appropriate for the
negotiated key exchange algorithm. (A possible reason for a fatal negotiated key exchange algorithm. (A possible reason for a fatal
handshake failure is that the client's capabilities for handling handshake failure is that the client's capabilities for handling
elliptic curves and point formats are exceeded; cf. Section 5.1.) elliptic curves and point formats are exceeded; cf. Section 5.1.)
5.4. Server Key Exchange 5.4. Server Key Exchange
skipping to change at page 14, line 37 skipping to change at page 15, line 14
Structure of this message: Structure of this message:
enum { enum {
deprecated (1..2), deprecated (1..2),
named_curve (3), named_curve (3),
reserved(248..255) reserved(248..255)
} ECCurveType; } ECCurveType;
The value named_curve indicates that a named curve is used. This The value named_curve indicates that a named curve is used. This
option SHOULD be used when applicable. option is now the only remaining format.
Values 248 through 255 are reserved for private use. Values 248 through 255 are reserved for private use.
The ECCurveType name space is maintained by IANA. See Section 9 for The ECCurveType name space is maintained by IANA. See Section 9 for
information on how new value assignments are added. information on how new value assignments are added.
RFC 4492 had a specification for an ECCurve structure and an RFC 4492 had a specification for an ECCurve structure and an
ECBasisType structure. Both of these are omitted now because they ECBasisType structure. Both of these are omitted now because they
were only used with the now deprecated explicit curves. were only used with the now deprecated explicit curves.
skipping to change at page 18, line 33 skipping to change at page 19, line 14
The server uses this message to suggest acceptable client The server uses this message to suggest acceptable client
authentication methods. authentication methods.
Structure of this message: Structure of this message:
The TLS CertificateRequest message is extended as follows. The TLS CertificateRequest message is extended as follows.
enum { enum {
ecdsa_sign(64), ecdsa_sign(64),
rsa_fixed_ecdh(65), deprecated1(65), /* was rsa_fixed_ecdh */
ecdsa_fixed_ecdh(66), deprecated2(66), /* was ecdsa_fixed_ecdh */
(255) (255)
} ClientCertificateType; } ClientCertificateType;
o ecdsa_sign, etc.: Indicates that the server would like to use the o ecdsa_sign: Indicates that the server would like to use the
corresponding client authentication method specified in Section 3. corresponding client authentication method specified in Section 3.
Note that RFC 4492 also defined RSA and ECDSA certificates that
included a fixed ECDH public key. These mechanisms saw very little
implementation so this specification is deprecating them.
Actions of the sender: Actions of the sender:
The server decides which client authentication methods it would like The server decides which client authentication methods it would like
to use, and conveys this information to the client using the format to use, and conveys this information to the client using the format
defined above. defined above.
Actions of the receiver: Actions of the receiver:
The client determines whether it has a suitable certificate for use The client determines whether it has a suitable certificate for use
with any of the requested methods and whether to proceed with client with any of the requested methods and whether to proceed with client
authentication. authentication.
5.6. Client Certificate 5.6. Client Certificate
When this message is sent: When this message is sent:
This message is sent in response to a CertificateRequest when a This message is sent in response to a CertificateRequest when a
client has a suitable certificate and has decided to proceed with client has a suitable certificate and has decided to proceed with
client authentication. (Note that if the server has used a Supported client authentication. (Note that if the server has used a Supported
Point Formats Extension, a certificate can only be considered Point Formats Extension, a certificate can only be considered
suitable for use with the ECDSA_sign, RSA_fixed_ECDH, and suitable for use with the ECDSA_sign authentication method if the
ECDSA_fixed_ECDH authentication methods if the public key point public key point specified in it is uncompressed, as that is the only
specified in it respects the server's choice of point formats. If no point format still supported.
Supported Point Formats Extension has been used, a certificate can
only be considered suitable for use with these authentication methods
if the point is represented in uncompressed point format.)
Meaning of this message: Meaning of this message:
This message is used to authentically convey the client's static This message is used to authentically convey the client's static
public key to the server. The following table summarizes what client public key to the server. The following table summarizes what client
certificate types are appropriate for the ECC-based client certificate types are appropriate for the ECC-based client
authentication mechanisms described in Section 3. ECC public keys authentication mechanisms described in Section 3. ECC public keys
must be encoded in certificates as described in Section 5.9. must be encoded in certificates as described in Section 5.9.
NOTE: The client's Certificate message is capable of carrying a chain NOTE: The client's Certificate message is capable of carrying a chain
of certificates. The restrictions mentioned in Table 4 apply only to of certificates. The restrictions mentioned in Table 4 apply only to
the client's certificate (first in the chain). the client's certificate (first in the chain).
+------------------+------------------------------------------------+ The certificate MUST contain an ECDSA- or EdDSA-capable public key.
| Client | Client Certificate Type |
| Authentication | |
| Method | |
+------------------+------------------------------------------------+
| ECDSA_sign | Certificate MUST contain an ECDSA- or EdDSA- |
| | capable public key. |
| ECDSA_fixed_ECDH | Certificate MUST contain an ECDH-capable |
| | public key on the same elliptic curve as the |
| | server's long-term ECDH key. |
| RSA_fixed_ECDH | The same as ECDSA_fixed_ECDH. The codepoints |
| | meant different things, but due to changes in |
| | TLS 1.2, both mean the same thing now. |
+------------------+------------------------------------------------+
Table 3: Client Certificate Types
Structure of this message: Structure of this message:
Identical to the TLS client Certificate format. Identical to the TLS client Certificate format.
Actions of the sender: Actions of the sender:
The client constructs an appropriate certificate chain, and conveys The client constructs an appropriate certificate chain, and conveys
it to the server in the Certificate message. it to the server in the Certificate message.
Actions of the receiver: Actions of the receiver:
The TLS server validates the certificate chain, extracts the client's The TLS server validates the certificate chain, extracts the client's
public key, and checks that the key type is appropriate for the public key, and checks that the key type is appropriate for the
client authentication method. client authentication method.
5.7. Client Key Exchange 5.7. Client Key Exchange
When this message is sent: When this message is sent:
This message is sent in all key exchange algorithms. If client This message is sent in all key exchange algorithms. It contains the
authentication with ECDSA_fixed_ECDH or RSA_fixed_ECDH is used, this client's ephemeral ECDH public key.
message is empty. Otherwise, it contains the client's ephemeral ECDH
public key.
Meaning of the message: Meaning of the message:
This message is used to convey ephemeral data relating to the key This message is used to convey ephemeral data relating to the key
exchange belonging to the client (such as its ephemeral ECDH public exchange belonging to the client (such as its ephemeral ECDH public
key). key).
Structure of this message: Structure of this message:
The TLS ClientKeyExchange message is extended as follows. The TLS ClientKeyExchange message is extended as follows.
enum { enum {
implicit, implicit,
explicit explicit
} PublicValueEncoding; } PublicValueEncoding;
o implicit, explicit: For ECC cipher suites, this indicates whether o implicit, explicit: For ECC cipher suites, this indicates whether
the client's ECDH public key is in the client's certificate the client's ECDH public key is in the client's certificate
("implicit") or is provided, as an ephemeral ECDH public key, in ("implicit") or is provided, as an ephemeral ECDH public key, in
the ClientKeyExchange message ("explicit"). (This is "explicit" the ClientKeyExchange message ("explicit"). The implicit encoding
in ECC cipher suites except when the client uses the is deprecated and is retained here for backward compatibility
ECDSA_fixed_ECDH or RSA_fixed_ECDH client authentication only.
mechanism.)
struct { struct {
select (PublicValueEncoding) { ECPoint ecdh_Yc;
case implicit: struct { };
case explicit: ECPoint ecdh_Yc;
} ecdh_public;
} ClientECDiffieHellmanPublic; } ClientECDiffieHellmanPublic;
o ecdh_Yc: Contains the client's ephemeral ECDH public key as a byte
string ECPoint.point, which may represent an elliptic curve point ecdh_Yc: Contains the client's ephemeral ECDH public key as a byte
in uncompressed or compressed format. Curves eddsa_ed25519 and string ECPoint.point, which may represent an elliptic curve point in
eddsa_ed448 MUST NOT be used here. Here, the format MUST conform uncompressed format.
to what the server has requested through a Supported Point Formats
Extension if this extension was used, and MUST be uncompressed if
this extension was not used.
struct { struct {
select (KeyExchangeAlgorithm) { select (KeyExchangeAlgorithm) {
case ec_diffie_hellman: ClientECDiffieHellmanPublic; case ec_diffie_hellman: ClientECDiffieHellmanPublic;
} exchange_keys; } exchange_keys;
} ClientKeyExchange; } ClientKeyExchange;
Actions of the sender: Actions of the sender:
The client selects an ephemeral ECDH public key corresponding to the The client selects an ephemeral ECDH public key corresponding to the
parameters it received from the server according to the ECKAS-DH1 parameters it received from the server. The format is the same as in
scheme from IEEE 1363. It conveys this information to the client in Section 5.4.
the ClientKeyExchange message using the format defined above.
Actions of the receiver: Actions of the receiver:
The server retrieves the client's ephemeral ECDH public key from the The server retrieves the client's ephemeral ECDH public key from the
ClientKeyExchange message and checks that it is on the same elliptic ClientKeyExchange message and checks that it is on the same elliptic
curve as the server's ECDH key. curve as the server's ECDH key.
5.8. Certificate Verify 5.8. Certificate Verify
When this message is sent: When this message is sent:
This message is sent when the client sends a client certificate This message is sent when the client sends a client certificate
containing a public key usable for digital signatures, e.g., when the containing a public key usable for digital signatures.
client is authenticated using the ECDSA_sign mechanism.
Meaning of the message: Meaning of the message:
This message contains a signature that proves possession of the This message contains a signature that proves possession of the
private key corresponding to the public key in the client's private key corresponding to the public key in the client's
Certificate message. Certificate message.
Structure of this message: Structure of this message:
The TLS CertificateVerify message and the underlying Signature type The TLS CertificateVerify message and the underlying Signature type
skipping to change at page 23, line 14 skipping to change at page 23, line 14
5.9. Elliptic Curve Certificates 5.9. Elliptic Curve Certificates
X.509 certificates containing ECC public keys or signed using ECDSA X.509 certificates containing ECC public keys or signed using ECDSA
MUST comply with [RFC3279] or another RFC that replaces or extends MUST comply with [RFC3279] or another RFC that replaces or extends
it. X.509 certificates containing ECC public keys or signed using it. X.509 certificates containing ECC public keys or signed using
EdDSA MUST comply with [PKIX-EdDSA]. Clients SHOULD use the elliptic EdDSA MUST comply with [PKIX-EdDSA]. Clients SHOULD use the elliptic
curve domain parameters recommended in ANSI X9.62, FIPS 186-4, and curve domain parameters recommended in ANSI X9.62, FIPS 186-4, and
SEC 2 [SECG-SEC2] or in [RFC8032]. SEC 2 [SECG-SEC2] or in [RFC8032].
EdDSA keys using Ed25519 and Ed25519ph algorithms MUST use the EdDSA keys using the Ed25519 algorithm MUST use the ed25519 signature
eddsa_ed25519 curve, and Ed448 and Ed448ph keys MUST use the algorithm, and Ed448 keys MUST use the ed448 signature algorithm.
eddsa_ed448 curve. Curves ecdh_x25519, ecdh_x448, eddsa_ed25519 and This document does not define use of Ed25519ph and Ed448ph keys with
eddsa_ed448 MUST NOT be used for ECDSA. TLS. Ed25519, Ed25519ph, Ed448, and Ed448ph keys MUST NOT be used
with ECDSA.
5.10. ECDH, ECDSA, and RSA Computations 5.10. ECDH, ECDSA, and RSA Computations
All ECDH calculations for the NIST curves (including parameter and All ECDH calculations for the NIST curves (including parameter and
key generation as well as the shared secret calculation) are key generation as well as the shared secret calculation) are
performed according to [IEEE.P1363.1998] using the ECKAS-DH1 scheme performed according to [IEEE.P1363.1998] using the ECKAS-DH1 scheme
with the identity map as key derivation function (KDF), so that the with the identity map as key derivation function (KDF), so that the
premaster secret is the x-coordinate of the ECDH shared secret premaster secret is the x-coordinate of the ECDH shared secret
elliptic curve point represented as an octet string. Note that this elliptic curve point represented as an octet string. Note that this
octet string (Z in IEEE 1363 terminology) as output by FE2OSP, the octet string (Z in IEEE 1363 terminology) as output by FE2OSP, the
skipping to change at page 23, line 41 skipping to change at page 23, line 42
(Note that this use of the identity KDF is a technicality. The (Note that this use of the identity KDF is a technicality. The
complete picture is that ECDH is employed with a non-trivial KDF complete picture is that ECDH is employed with a non-trivial KDF
because TLS does not directly use the premaster secret for anything because TLS does not directly use the premaster secret for anything
other than for computing the master secret. In TLS 1.0 and 1.1, this other than for computing the master secret. In TLS 1.0 and 1.1, this
means that the MD5- and SHA-1-based TLS PRF serves as a KDF; in TLS means that the MD5- and SHA-1-based TLS PRF serves as a KDF; in TLS
1.2 the KDF is determined by ciphersuite; it is conceivable that 1.2 the KDF is determined by ciphersuite; it is conceivable that
future TLS versions or new TLS extensions introduced in the future future TLS versions or new TLS extensions introduced in the future
may vary this computation.) may vary this computation.)
An ECDHE key exchange using X25519 (curve ecdh_x25519) goes as An ECDHE key exchange using X25519 (curve x25519) goes as follows:
follows: Each party picks a secret key d uniformly at random and Each party picks a secret key d uniformly at random and computes the
computes the corresponding public key x = X25519(d, G). Parties corresponding public key x = X25519(d, G). Parties exchange their
exchange their public keys, and compute a shared secret as x_S = public keys, and compute a shared secret as x_S = X25519(d, x_peer).
X25519(d, x_peer). If either party obtains all-zeroes x_S, it MUST If either party obtains all-zeroes x_S, it MUST abort the handshake
abort the handshake (as required by definition of X25519 and X448). (as required by definition of X25519 and X448). ECDHE for X448 works
ECDHE for X448 works similarily, replacing X25519 with X448, and similarily, replacing X25519 with X448, and x25519 with x448. The
ecdh_x25519 with ecdh_x448. The derived shared secret is used derived shared secret is used directly as the premaster secret, which
directly as the premaster secret, which is always exactly 32 bytes is always exactly 32 bytes when ECDHE with X25519 is used and 56
when ECDHE with X25519 is used and 56 bytes when ECDHE with X448 is bytes when ECDHE with X448 is used.
used.
All ECDSA computations MUST be performed according to ANSI X9.62 or All ECDSA computations MUST be performed according to ANSI X9.62 or
its successors. Data to be signed/verified is hashed, and the result its successors. Data to be signed/verified is hashed, and the result
run directly through the ECDSA algorithm with no additional hashing. run directly through the ECDSA algorithm with no additional hashing.
The default hash function is SHA-1 [FIPS.180-2], and sha_size (see A secure hash function such as SHA-256, SHA-384, or SHA-512 from
Section 5.4 and Section 5.8) is 20. However, an alternative hash [FIPS.180-4] MUST be used.
function, such as one of the new SHA hash functions specified in FIPS
180-2 [FIPS.180-2], SHOULD be used instead.
All EdDSA computations MUST be performed according to [RFC8032] or All EdDSA computations MUST be performed according to [RFC8032] or
its succesors. Data to be signed/verified is run through the EdDSA its succesors. Data to be signed/verified is run through the EdDSA
algorithm wih no hashing (EdDSA will internally run the data through algorithm wih no hashing (EdDSA will internally run the data through
the PH function). The context parameter for Ed448 MUST be set to the the PH function). The context parameter for Ed448 MUST be set to the
empty string. empty string.
RFC 4492 anticipated the standardization of a mechanism for RFC 4492 anticipated the standardization of a mechanism for
specifying the required hash function in the certificate, perhaps in specifying the required hash function in the certificate, perhaps in
the parameters field of the subjectPublicKeyInfo. Such the parameters field of the subjectPublicKeyInfo. Such
skipping to change at page 24, line 34 skipping to change at page 24, line 32
TLS 1.2 added a SignatureAndHashAlgorithm parameter to the TLS 1.2 added a SignatureAndHashAlgorithm parameter to the
DigitallySigned struct, thus allowing agility in choosing the DigitallySigned struct, thus allowing agility in choosing the
signature hash. EdDSA signatures MUST have HashAlgorithm of TBD5 signature hash. EdDSA signatures MUST have HashAlgorithm of TBD5
(Intrinsic). (Intrinsic).
All RSA signatures must be generated and verified according to All RSA signatures must be generated and verified according to
[PKCS1] block type 1. [PKCS1] block type 1.
5.11. Public Key Validation 5.11. Public Key Validation
With the NIST curves, each party must validate the public key sent by With the NIST curves, each party MUST validate the public key sent by
its peer. A receiving party MUST check that the x and y parameters its peer in the ClientKeyExchange and ServerKeyExchange messages. A
from the peer's public value satisfy the curve equation, y^2 = x^3 + receiving party MUST check that the x and y parameters from the
ax + b mod p. See section 2.3 of [Menezes] for details. Failing to peer's public value satisfy the curve equation, y^2 = x^3 + ax + b
do so allows attackers to gain information about the private key, to mod p. See section 2.3 of [Menezes] for details. Failing to do so
the point that they may recover the entire private key in a few allows attackers to gain information about the private key, to the
requests, if that key is not really ephemeral. point that they may recover the entire private key in a few requests,
if that key is not really ephemeral.
X25519 was designed in a way that the result of X25519(x, d) will
never reveal information about d, provided it was chosen as
prescribed, for any value of x (the same holds true for X448).
All-zeroes output from X25519 or X448 MUST NOT be used for premaster
secret (as required by definition of X25519 and X448). If the
premaster secret would be all zeroes, the handshake MUST be aborted
(most probably by sending a fatal alert).
Let's define legitimate values of x as the values that can be
obtained as x = X25519(G, d') for some d', and call the other values
illegitimate. The definition of the X25519 function shows that
legitimate values all share the following property: the high-order
bit of the last byte is not set (for X448, any bit can be set).
Since there are some implementation of the X25519 function that With X25519 and X448, a receiving party MUST check whether the
impose this restriction on their input and others that don't, computed premaster secret is the all-zero value and abort the
implementations of X25519 in TLS SHOULD reject public keys when the handshake if so, as described in section 6 of [RFC7748].
high-order bit of the final byte is set (in other words, when the
value of the rightmost byte is greater than 0x7F) in order to prevent
implementation fingerprinting. Note that this deviates from RFC 7748
which suggests that This value be masked.
Ed25519 and Ed448 internally do public key validation as part of Ed25519 and Ed448 internally do public key validation as part of
signature verification. signature verification.
Other than this recommended check, implementations do not need to
ensure that the public keys they receive are legitimate: this is not
necessary for security with X25519.
6. Cipher Suites 6. Cipher Suites
The table below defines new ECC cipher suites that use the key The table below defines new ECC cipher suites that use the key
exchange algorithms specified in Section 2. exchange algorithms specified in Section 2.
+---------------------------------------+----------------+ +---------------------------------------+----------------+
| CipherSuite | Identifier | | CipherSuite | Identifier |
+---------------------------------------+----------------+ +---------------------------------------+----------------+
| TLS_ECDHE_ECDSA_WITH_NULL_SHA | { 0xC0, 0x06 } | | TLS_ECDHE_ECDSA_WITH_NULL_SHA | { 0xC0, 0x06 } |
| TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | { 0xC0, 0x08 } | | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | { 0xC0, 0x08 } |
skipping to change at page 25, line 47 skipping to change at page 25, line 24
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | { 0xC0, 0x12 } | | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | { 0xC0, 0x12 } |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | { 0xC0, 0x13 } | | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | { 0xC0, 0x13 } |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | { 0xC0, 0x14 } | | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | { 0xC0, 0x14 } |
| | | | | |
| TLS_ECDH_anon_WITH_NULL_SHA | { 0xC0, 0x15 } | | TLS_ECDH_anon_WITH_NULL_SHA | { 0xC0, 0x15 } |
| TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | { 0xC0, 0x17 } | | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | { 0xC0, 0x17 } |
| TLS_ECDH_anon_WITH_AES_128_CBC_SHA | { 0xC0, 0x18 } | | TLS_ECDH_anon_WITH_AES_128_CBC_SHA | { 0xC0, 0x18 } |
| TLS_ECDH_anon_WITH_AES_256_CBC_SHA | { 0xC0, 0x19 } | | TLS_ECDH_anon_WITH_AES_256_CBC_SHA | { 0xC0, 0x19 } |
+---------------------------------------+----------------+ +---------------------------------------+----------------+
Table 4: TLS ECC cipher suites Table 3: TLS ECC cipher suites
The key exchange method, cipher, and hash algorithm for each of these The key exchange method, cipher, and hash algorithm for each of these
cipher suites are easily determined by examining the name. Ciphers cipher suites are easily determined by examining the name. Ciphers
(other than AES ciphers) and hash algorithms are defined in [RFC2246] (other than AES ciphers) and hash algorithms are defined in [RFC2246]
and [RFC4346]. AES ciphers are defined in [RFC5246]. and [RFC4346]. AES ciphers are defined in [RFC5246].
Server implementations SHOULD support all of the following cipher Server implementations SHOULD support all of the following cipher
suites, and client implementations SHOULD support at least one of suites, and client implementations SHOULD support at least one of
them: them:
skipping to change at page 27, line 42 skipping to change at page 27, line 21
values (ECPointFormat and ECCurveType) reserved for Private Use. The values (ECPointFormat and ECCurveType) reserved for Private Use. The
policy for any additional assignments is "Specification Required". policy for any additional assignments is "Specification Required".
The previous version of this document required IETF review. The previous version of this document required IETF review.
NOTE: IANA, please update the registries to reflect the new policy. NOTE: IANA, please update the registries to reflect the new policy.
NOTE: RFC editor please delete these two notes prior to publication. NOTE: RFC editor please delete these two notes prior to publication.
IANA, please update these two registries to refer to this document. IANA, please update these two registries to refer to this document.
IANA has already assigned the value 29 to ecdh_x25519, and the value IANA is requested to assigned the value 29 to x25519, and the value
30 to ecdh_x448. 30 to x448 in the TLS Supported Groups Registry. This replaces the
temporary registrations ecdh_x25519(29) and ecdh_x448(30).
IANA is requested to assign two values from the TLS IANA is requested to assign two values from the TLS
SignatureAlgorithm Registry with names ed25519(TBD3) and ed448(TBD4) SignatureAlgorithm Registry with names ed25519(TBD3) and ed448(TBD4)
with this document as reference. To keep compatibility with TLS 1.3, with this document as reference. To keep compatibility with TLS 1.3,
TBD3 should be 7, and TBD4 should be 8. TBD3 should be 7, and TBD4 should be 8.
IANA is requested to assign one value from the "TLS HashAlgorithm IANA is requested to assign one value from the "TLS HashAlgorithm
Registry" with name Intrinsic(TBD5) and this document as reference. Registry" with name Intrinsic(TBD5) and this document as reference.
To keep compatibility with TLS 1.3, TBD5 should be 8 and DTLS-OK To keep compatibility with TLS 1.3, TBD5 should be 8 and DTLS-OK
should be set to true (Y). should be set to true (Y).
10. Acknowledgements 10. Acknowledgements
Most of the text is this document is taken from [RFC4492], the Most of the text is this document is taken from [RFC4492], the
predecessor of this document. The authors of that document were: predecessor of this document. The authors of that document were:
o Simon Blake-Wilson o Simon Blake-Wilson
o Nelson Bolyard o Nelson Bolyard
skipping to change at page 30, line 32 skipping to change at page 30, line 14
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
Signature Algorithm (EdDSA)", RFC 8032, January 2017. Signature Algorithm (EdDSA)", RFC 8032, January 2017.
[SECG-SEC2] [SECG-SEC2]
CECG, "Recommended Elliptic Curve Domain Parameters", CECG, "Recommended Elliptic Curve Domain Parameters",
SEC 2, 2000. SEC 2, 2000.
12.2. Informative References 12.2. Informative References
[FIPS.180-2] [FIPS.180-4]
National Institute of Standards and Technology, "Secure National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-2, August 2002, Hash Standard (SHS)", FIPS PUB 180-4, August 2015,
<http://csrc.nist.gov/publications/fips/fips180-2/ <http://nvlpubs.nist.gov/nistpubs/FIPS/
fips180-2.pdf>. NIST.FIPS.180-4.pdf>.
[I-D.ietf-tls-tls13] [I-D.ietf-tls-tls13]
Rescorla, E., "The Transport Layer Security (TLS) Protocol Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", draft-ietf-tls-tls13-18 (work in progress), Version 1.3", draft-ietf-tls-tls13-18 (work in progress),
October 2016. October 2016.
[IEEE.P1363.1998] [IEEE.P1363.1998]
Institute of Electrical and Electronics Engineers, Institute of Electrical and Electronics Engineers,
"Standard Specifications for Public Key Cryptography", "Standard Specifications for Public Key Cryptography",
IEEE Draft P1363, 1998. IEEE Draft P1363, 1998.
skipping to change at page 32, line 37 skipping to change at page 31, line 37
| secp192k1 | | | | secp192k1 | | |
| secp192r1 | prime192v1 | NIST P-192 | | secp192r1 | prime192v1 | NIST P-192 |
| secp224k1 | | | | secp224k1 | | |
| secp224r1 | | NIST P-224 | | secp224r1 | | NIST P-224 |
| secp256k1 | | | | secp256k1 | | |
| secp256r1 | prime256v1 | NIST P-256 | | secp256r1 | prime256v1 | NIST P-256 |
| secp384r1 | | NIST P-384 | | secp384r1 | | NIST P-384 |
| secp521r1 | | NIST P-521 | | secp521r1 | | NIST P-521 |
+-----------+------------+------------+ +-----------+------------+------------+
Table 5: Equivalent curves defined by SECG, ANSI, and NIST Table 4: Equivalent curves defined by SECG, ANSI, and NIST
Appendix B. Differences from RFC 4492 Appendix B. Differences from RFC 4492
o Added TLS 1.2 o Added TLS 1.2
o Merged Errata o Merged Errata
o Removed the ECDH key exchange algorithms: ECDH_RSA and ECDH_ECDSA o Removed the ECDH key exchange algorithms: ECDH_RSA and ECDH_ECDSA
o Deprecated a bunch of ciphersuites: o Deprecated a bunch of ciphersuites:
TLS_ECDH_ECDSA_WITH_NULL_SHA TLS_ECDH_ECDSA_WITH_NULL_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA TLS_ECDH_ECDSA_WITH_RC4_128_SHA
 End of changes. 51 change blocks. 
161 lines changed or deleted 117 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/