< draft-merkle-tls-brainpool-01.txt   draft-merkle-tls-brainpool-02.txt >
Network Working Group J. Merkle Network Working Group J. Merkle
Internet-Draft secunet Security Networks Internet-Draft secunet Security Networks
Updates: 4492 (if approved) M. Lochter Updates: 4492 (if approved) M. Lochter
Intended status: Informational Bundesamt fuer Sicherheit in der Intended status: Informational Bundesamt fuer Sicherheit in der
Expires: November 14, 2013 Informationstechnik (BSI) Expires: December 26, 2013 Informationstechnik (BSI)
May 13, 2013 June 24, 2013
ECC Brainpool Curves for Transport Layer Security (TLS) ECC Brainpool Curves for Transport Layer Security (TLS)
draft-merkle-tls-brainpool-01 draft-merkle-tls-brainpool-02
Abstract Abstract
This document specifies the use of several ECC Brainpool elliptic This document specifies the use of several ECC Brainpool curves for
curves for authentication and key exchange in the Transport Layer authentication and key exchange in the Transport Layer Security (TLS)
Security (TLS) protocol. protocol.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 14, 2013. This Internet-Draft will expire on December 26, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Values to be Used in the Supported Elliptic Curve Extension . 4 2. Security Considerations . . . . . . . . . . . . . . . . . . . . 4
3. Security Considerations . . . . . . . . . . . . . . . . . . . 5 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 4. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
5. Intellectual Property Rights . . . . . . . . . . . . . . . . . 7 4.1. Normative References . . . . . . . . . . . . . . . . . . . 6
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.2. Informative References . . . . . . . . . . . . . . . . . . 6
6.1. Normative References . . . . . . . . . . . . . . . . . . . 8 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . . 8
6.2. Informative References . . . . . . . . . . . . . . . . . . 8 A.1. 256 Bit Curve . . . . . . . . . . . . . . . . . . . . . . . 8
Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 10 A.2. 384 Bit Curve . . . . . . . . . . . . . . . . . . . . . . . 9
A.1. 256 Bit Curve . . . . . . . . . . . . . . . . . . . . . . 10 A.3. 512 Bit Curve . . . . . . . . . . . . . . . . . . . . . . . 9
A.2. 384 Bit Curve . . . . . . . . . . . . . . . . . . . . . . 11
A.3. 512 Bit Curve . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
In [RFC5639], a new set of elliptic curve groups over finite prime In [RFC5639], a new set of elliptic curve groups over finite prime
fields for use in cryptographic applications was specified. These fields for use in cryptographic applications was specified. These
groups, denoted as ECC Brainpool curves, were generated in a groups, denoted as ECC Brainpool curves, were generated in a
verifiably pseudo-random way and comply with the security verifiably pseudo-random way and comply with the security
requirements of relevant standards from ISO [ISO1] [ISO2], ANSI requirements of relevant standards from ISO [ISO1] [ISO2], ANSI
[ANSI1], NIST [FIPS], and SecG [SEC2]. [ANSI1], NIST [FIPS], and SecG [SEC2].
Usage of elliptic curves for authentication and key agreement in TLS Usage of elliptic curves for authentication and key agreement in TLS
1.0 and TLS 1.1 is defined in [RFC4492]. While the ASN.1 object 1.0 and TLS 1.1 is defined in [RFC4492]. While the ASN.1 object
identifiers defined in [RFC5639] already allow usage of the ECC identifiers defined in [RFC5639] already allow usage of the ECC
Brainpool curves for TLS (client or server) authentication through Brainpool curves for TLS (client or server) authentication through
reference in X.509 certificates according to [RFC3279], their reference in X.509 certificates according to [RFC3279] and [RFC5480]
negotiation for key exchange according to [RFC4492] requires the , their negotiation for key exchange according to [RFC4492] requires
definition and assignment of additional NamedCurve IDs. This the definition and assignment of additional NamedCurve IDs. This
document specifies such values for three curves from [RFC5639]. document specifies such values for three curves from [RFC5639].
2. Values to be Used in the Supported Elliptic Curve Extension
According to [RFC4492], the Supported Elliptic Curve Extension allows
the negotiation of elliptic curve groups during a handshake starting
a new TLS session. A client that proposes ECC cipher suites in its
ClientHello message SHOULD include this extension to indicate the
elliptic curves it supports through NamedCurve IDs, and a server that
receives a ClientHello containing this extension MUST use the
client's enumerated capabilities to guide its selection of an
appropriate cipher suite. Furthermore, the server SHOULD use a
NamedCurve ID, if applicable, to specify the elliptic curve
corresponding to its ephemeral ECDH public key.
The values of NamedCurve, by which the elliptic curves are
identified, are governed by the EC Named Curve Registry of IANA
[IANA-TLS]. In Table 1, new values for NamedCurve for three of the
ECC Brainpool curves defined in [RFC5639] are specified. All three
curves are suitable for usage in DTLS [RFC6347].
+-----------------+-------+
| Curve | Value |
+-----------------+-------+
| brainpoolP256r1 | TBD1 |
| | |
| brainpoolP384r1 | TBD2 |
| | |
| brainpoolP512r1 | TBD3 |
+-----------------+-------+
Table 1
Test vectors for a Diffie-Hellman key exchange using these ECC Test vectors for a Diffie-Hellman key exchange using these ECC
Brainpool curves are provided in Appendix A Brainpool curves are provided in Appendix A
3. Security Considerations 2. Security Considerations
The security considerations of [RFC5246] apply accordingly. The security considerations of [RFC5246] apply accordingly.
The confidentiality, authenticity and integrity of the TLS The confidentiality, authenticity and integrity of the TLS
communication is limited by the weakest cryptographic primitive communication is limited by the weakest cryptographic primitive
applied. In order to achieve a maximum security level when using one applied. In order to achieve a maximum security level when using one
of the elliptic curves from Table 1 for authentication and / or key of the elliptic curves from Table 1 for authentication and / or key
exchange in TLS, the key derivation function, the algorithms and key exchange in TLS, the key derivation function, the algorithms and key
lengths of symmetric encryption and message authentication as well as lengths of symmetric encryption and message authentication as well as
the algorithm, bit length and hash function used for signature the algorithm, bit length and hash function used for signature
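Review bot: Removing Section 2 in -02 takes out the only text that tied the new NamedCurve values to the Supported Elliptic Curve Extension of [RFC4492], and moves Table 1 into Section 3, so the Security Considerations now refer to "Table 1" before the table appears. Suggest keeping one sentence in the Introduction stating that the values are NamedCurve IDs for that extension, with a forward pointer to Table 1 in Section 3. The sentence "Test vectors for a Diffie-Hellman key exchange using these ECC Brainpool curves are provided in Appendix A" now closes the Introduction and still lacks its final period. The added citation also leaves a stray space in "[RFC5480] , their negotiation".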
skipping to change at page 6, line 5 skipping to change at page 5, line 5
y*Z^3) with the coefficient Z specified for that curve in [RFC5639], y*Z^3) with the coefficient Z specified for that curve in [RFC5639],
in order to take advantage of an an efficient arithmetic based on the in order to take advantage of an an efficient arithmetic based on the
twisted curve's special parameters (A = -3): although the twisted twisted curve's special parameters (A = -3): although the twisted
curve itself offers the same level of security as the corresponding curve itself offers the same level of security as the corresponding
random curve (through mathematical equivalence), an arithmetic based random curve (through mathematical equivalence), an arithmetic based
on small curve parameters may be harder to protect against side- on small curve parameters may be harder to protect against side-
channel attacks. General guidance on resistence of elliptic curve channel attacks. General guidance on resistence of elliptic curve
cryptography implementations against side-channel-attacks is given in cryptography implementations against side-channel-attacks is given in
[BSI1] and [HMV]. [BSI1] and [HMV].
4. IANA Considerations 3. IANA Considerations
Before this document can become an RFC, IANA is required to assign IANA is requested to assign numbers for the ECC Brainpool curves,
numbers for the elliptic curves specified in Table 1 to the defined in [RFC5639], found in Table 1 in the Transport Layer
NamedCurve name space in its Transport Layer Security (TLS) Security (TLS) Parameters NamedCurve registry [IANA-TLS]. These
Parameters registry [IANA-TLS]. For all these elliptic curves, curves are suitability for use with DTLS.
suitability with DTLS shall be indicated in the registry.
5. Intellectual Property Rights +-------+-----------------+---------+-----------+
| Value | Description | DTLS-OK | Reference |
+-------+-----------------+---------+-----------+
| TBD1 | brainpoolP256r1 | Y | This doc |
| | | | |
| TBD2 | brainpoolP384r1 | Y | This doc |
| | | | |
| TBD3 | brainpoolP512r1 | Y | This doc |
+-------+-----------------+---------+-----------+
Although, the authors have no knowledge about any intellectual Table 1
property rights which cover the general usage of the ECP groups
defined herein, implementations based on these domain parameters may
require use of inventions covered by patent rights. In particular,
techniques for an efficient arithmetic exploiting the special
parameters of the twisted curves (see Section 3) may be covered by
patents.
6. References 4. References
6.1. Normative References 4.1. Normative References
[IANA-TLS] Internet Assigned Numbers Authority, "Transport Layer [IANA-TLS] Internet Assigned Numbers Authority, "Transport Layer
Security (TLS) Parameters", <http://www.iana.org/ Security (TLS) Parameters", <http://www.iana.org/
assignments/tls-parameters/tls-parameters.xml>. assignments/tls-parameters/tls-parameters.xml>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and
B. Moeller, "Elliptic Curve Cryptography (ECC) Cipher B. Moeller, "Elliptic Curve Cryptography (ECC) Cipher
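Review bot: The new IANA Considerations text in -02 reads "These curves are suitability for use with DTLS.", which is ungrammatical; "These curves are suitable for use with DTLS" says what the DTLS-OK column of the table records. That sentence could also cite [RFC6347], as the removed Section 2 did when it mentioned DTLS. With the SHOULD and MUST statements of the old Section 2 gone, check whether [RFC2119] is still needed in the Normative References. Two typos in the unchanged Security Considerations text are carried into -02 and can be fixed in the same revision: "an an efficient arithmetic" and "resistence".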
skipping to change at page 8, line 32 skipping to change at page 6, line 32
Security (TLS) Protocol Version 1.2", RFC 5246, Security (TLS) Protocol Version 1.2", RFC 5246,
August 2008. August 2008.
[RFC5639] Lochter, M. and J. Merkle, "Elliptic Curve Cryptography [RFC5639] Lochter, M. and J. Merkle, "Elliptic Curve Cryptography
(ECC) Brainpool Standard Curves and Curve Generation", (ECC) Brainpool Standard Curves and Curve Generation",
RFC 5639, March 2010. RFC 5639, March 2010.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, January 2012. Security Version 1.2", RFC 6347, January 2012.
6.2. Informative References 4.2. Informative References
[ANSI1] American National Standards Institute, "Public Key [ANSI1] American National Standards Institute, "Public Key
Cryptography For The Financial Services Industry: The Cryptography For The Financial Services Industry: The
Elliptic Curve Digital Signature Algorithm (ECDSA)", Elliptic Curve Digital Signature Algorithm (ECDSA)",
ANSI X9.62, 2005. ANSI X9.62, 2005.
[BSI1] Bundesamt fuer Sicherheit in der Informationstechnik, [BSI1] Bundesamt fuer Sicherheit in der Informationstechnik,
"Minimum Requirements for Evaluating Side-Channel "Minimum Requirements for Evaluating Side-Channel
Attack Resistance of Elliptic Curve Implementations", Attack Resistance of Elliptic Curve Implementations",
July 2011. July 2011.
skipping to change at page 9, line 22 skipping to change at page 7, line 22
[NIST800-57] National Institute of Standards and Technology, [NIST800-57] National Institute of Standards and Technology,
"Recommendation for Key Management - Part 1: General "Recommendation for Key Management - Part 1: General
(Revised)", NIST Special Publication 800-57, (Revised)", NIST Special Publication 800-57,
March 2007. March 2007.
[RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and
Identifiers for the Internet X.509 Public Key Identifiers for the Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation Infrastructure Certificate and Certificate Revocation
List (CRL) Profile", RFC 3279, April 2002. List (CRL) Profile", RFC 3279, April 2002.
[RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T.
Polk, "Elliptic Curve Cryptography Subject Public Key
Information", RFC 5480, March 2009.
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental
Elliptic Curve Cryptography Algorithms", RFC 6090, Elliptic Curve Cryptography Algorithms", RFC 6090,
February 2011. February 2011.
[SEC1] Certicom Research, "Elliptic Curve Cryptography", [SEC1] Certicom Research, "Elliptic Curve Cryptography",
Standards for Efficient Cryptography (SEC) 1, Standards for Efficient Cryptography (SEC) 1,
September 2000. September 2000.
[SEC2] Certicom Research, "Recommended Elliptic Curve Domain [SEC2] Certicom Research, "Recommended Elliptic Curve Domain
Parameters", Standards for Efficient Cryptography Parameters", Standards for Efficient Cryptography
(SEC) 2, September 2000. (SEC) 2, September 2000.
Appendix A. Test Vectors Appendix A. Test Vectors
This section provides some test vectors for example Diffie-Hellman This section provides some test vectors for example Diffie-Hellman
key exchanges using each of the curves defined in Section 2 . In all key exchanges using each of the curves defined in Table 1 . In all
of the following sections the following notation is used: of the following sections the following notation is used:
d_A: the secret key of party A d_A: the secret key of party A
x_qA: the x-coordinate of the public key of party A x_qA: the x-coordinate of the public key of party A
y_qA: the y-coordinate of the public key of party A y_qA: the y-coordinate of the public key of party A
d_B: the secret key of party B d_B: the secret key of party B
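Review bot: In Appendix A, -02 replaces "defined in Section 2" with "defined in Table 1 .", but Table 1 only lists the NamedCurve values to be registered; the curves themselves are defined in [RFC5639], as the new IANA Considerations text states. Suggest "each of the curves listed in Table 1" and dropping the space before the period.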
 End of changes. 17 change blocks. 
72 lines changed or deleted 44 lines changed or added
