| draft-nir-ipsecme-curve25519-00.txt | draft-nir-ipsecme-curve25519-01.txt |
|---|---|
| Network Working Group Y. Nir | Network Working Group Y. Nir |
| Internet-Draft Check Point | Internet-Draft Check Point |
| Intended status: Standards Track S. Josefsson | Intended status: Standards Track S. Josefsson |
| Expires: December 13, 2015 SJD | Expires: January 8, 2016 SJD |
| June 11, 2015 | July 7, 2015 |
| Using Curve25519 for IKEv2 Key Agreement | New Safe Curves for IKEv2 Key Agreement |
| draft-nir-ipsecme-curve25519-00 | draft-nir-ipsecme-curve25519-01 |
| Abstract | Abstract |
| This document describes the use of Curve25519 for ephemeral key | This document describes the use of Curve25519 and Curve448 |
| exchange in the Internet Key Exchange (IKEv2) protocol. | ("Goldilocks") for ephemeral key exchange in the Internet Key |
|  | Exchange (IKEv2) protocol. |
| Status of This Memo | Status of This Memo |
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the |
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering |
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute |
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- |
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| This Internet-Draft will expire on December 13, 2015. | This Internet-Draft will expire on January 8, 2016. |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the |
| document authors. All rights reserved. | document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal |
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents |
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of |
| publication of this document. Please review these documents | publication of this document. Please review these documents |
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect |
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must |
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of |
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as |
| described in the Simplified BSD License. | described in the Simplified BSD License. |
| Table of Contents | Table of Contents |
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 |
| 1.1. Conventions Used in This Document . . . . . . . . . . . . 2 | 1.1. Conventions Used in This Document . . . . . . . . . . . . 2 |
| 2. Curve25519 . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Curve25519 & Curve448 . . . . . . . . . . . . . . . . . . . . 3 |
| 3. Use and Negotiation in IKEv2 . . . . . . . . . . . . . . . . 3 | 3. Use and Negotiation in IKEv2 . . . . . . . . . . . . . . . . 3 |
| 3.1. Key Exchange Payload . . . . . . . . . . . . . . . . . . 3 | 3.1. Key Exchange Payload . . . . . . . . . . . . . . . . . . 4 |
| 3.2. Recipient Tests . . . . . . . . . . . . . . . . . . . . . 4 | 3.2. Recipient Tests . . . . . . . . . . . . . . . . . . . . . 4 |
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 |
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 |
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 |
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 |
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 6 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 6 |
| 7.2. Informative References . . . . . . . . . . . . . . . . . 6 | 7.2. Informative References . . . . . . . . . . . . . . . . . 6 |
| Appendix A. The curve25519 function . . . . . . . . . . . . . . 6 | Appendix A. The curve25519 function . . . . . . . . . . . . . . 6 |
| A.1. Formulas . . . . . . . . . . . . . . . . . . . . . . . . 6 | A.1. Formulas . . . . . . . . . . . . . . . . . . . . . . . . 7 |
| A.1.1. Field Arithmetic . . . . . . . . . . . . . . . . . . 7 | A.1.1. Field Arithmetic . . . . . . . . . . . . . . . . . . 7 |
| A.1.2. Conversion to and from internal format . . . . . . . 7 | A.1.2. Conversion to and from internal format . . . . . . . 7 |
| A.1.3. Scalar Multiplication . . . . . . . . . . . . . . . . 7 | A.1.3. Scalar Multiplication . . . . . . . . . . . . . . . . 8 |
| A.1.4. Conclusion . . . . . . . . . . . . . . . . . . . . . 9 | A.1.4. Conclusion . . . . . . . . . . . . . . . . . . . . . 9 |
| A.2. Test vectors . . . . . . . . . . . . . . . . . . . . . . 9 | A.2. Test vectors . . . . . . . . . . . . . . . . . . . . . . 9 |
| A.3. Side-channel considerations . . . . . . . . . . . . . . . 10 | A.3. Side-channel considerations . . . . . . . . . . . . . . . 10 |
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 |
| 1. Introduction | 1. Introduction |
| [CFRG-Curves] specifies a new elliptic curve function for use in | [CFRG-Curves] specifies two new elliptic curve functions for use in |
| cryptographic applications. Curve25519 is a Diffie-Hellman function | cryptographic applications. Curve25519 and Curve448 (also known as |
| designed with performance and security in mind. | "Goldilocks") are Diffie-Hellman functions designed with performance |
|  | and security in mind. |
| Almost ten years ago [RFC4753] specified the first elliptic curve | Almost ten years ago [RFC4753] specified the first elliptic curve |
| Diffie-Hellman groups for the Internet Key Exchange protocol (IKEv2 - | Diffie-Hellman groups for the Internet Key Exchange protocol (IKEv2 - |
| [RFC7296]). These were the so-called NIST curves. The state of the | [RFC7296]). These were the so-called NIST curves. The state of the |
| art has advanced since then. More modern curves allow faster | art has advanced since then. More modern curves allow faster |
| implementations while making it much easier to write constant-time | implementations while making it much easier to write constant-time |
| implementations free from side-channel attacks. This document | implementations free from side-channel attacks. This document |
| defines such a curve for use in IKE. See [Curve25519] for details | defines such a curve for use in IKE. See [Curve25519] for details |
| about the speed and security of this curve. | about the speed and security of the Curve25519 function. |
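Review bot: the -01 Introduction now opens with "[CFRG-Curves] specifies two new elliptic curve functions", but its last sentence still reads "This document defines such a curve for use in IKE", and the pointer to [Curve25519] covers only one of the two curves. Suggest "defines such curves for use in IKE" and either a comparable reference for Curve448 or an explicit statement that the speed and security discussion cited applies to Curve25519 only.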
| draft-nir-ipsecme-curve25519-00.txt | draft-nir-ipsecme-curve25519-01.txt |
|---|---|
| 1.1. Conventions Used in This Document | 1.1. Conventions Used in This Document |
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", |
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this |
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. |
| 2. Curve25519 | 2. Curve25519 & Curve448 |
| All cryptographic computations are done using the Curve25519 function | All cryptographic computations are done using the Curve25519 and |
| defined in [CFRG-Curves]. In this document, this function is | Curve448 functions defined in [CFRG-Curves]. In this document, these |
| considered a black box that takes for input a (secret key, public | functions are considered black boxes that take for input a (secret |
| key) pair and outputs a public key. Public keys are defined as | key, public key) pair and output a public key. Public keys for are |
| strings of 32 octets. Secret keys are defined as 255-bit numbers | defined as strings of 32 octets. A common public key, denoted below |
| such that high-order bit (bit 254) is set, and the three lowest-order | as G (or "base point" in the curves document) is shared by all users. |
| bits are unset. In addition, a common public key, denoted by G, is | Since the functions only use the u-coordinate of the public key, only |
| shared by all users. | the u coordinate of the base points is necessary. For Curve25519 |
|  | Gu=9 ; for Curve448 Gu=5. |
| An ephemeral Diffie-Hellman key exchange using Curve25519 goes as | For Curve25519 secret keys are defined as 255-bit numbers such that |
| follows: Each party picks a secret key d uniformly at random and | the high-order bit (bit 254) is set, and the three lowest-order bits |
| computes the corresponding public key: | are unset. |
| x_mine = Curve25519(d, G) | For Curve448 secret keys are defined as 448-bit numbers such that the |
|  | high-order bit (bit 447) is set, and the two lowest-order bits are |
|  | unset. |
|  | An ephemeral Diffie-Hellman key exchange using Curve25519 or Curve448 |
|  | goes as follows: Each party picks a secret key d uniformly at random |
|  | and computes the corresponding public key. "curve_function" is used |
|  | below to denote either Curve25519 or Curve448: |
|  | x_mine = curve_function(d, G) |
| Parties exchange their public keys (see Section 3.1) and compute a | Parties exchange their public keys (see Section 3.1) and compute a |
| shared secret: | shared secret: |
| SHARED_SECRET = Curve25519(d, x_peer). | SHARED_SECRET = curve_function(d, x_peer). |
| This shared secret is used directly as the value denoted g^ir in | This shared secret is used directly as the value denoted g^ir in |
| section 2.14 of RFC 7296. It is always exactly 32 octets when | section 2.14 of RFC 7296. It is always exactly 32 octets when these |
| Curve25519 is used. | functions are used. |
| A complete description of the Curve25519 function, as well as a few | A complete description of the Curve25519 function, as well as a few |
| implementation notes, are provided in Appendix A. | implementation notes, are provided in Appendix A. |
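Review bot: Section 2 of -01 keeps the 32-octet sizes from -00 ("Public keys for are defined as strings of 32 octets" and "It is always exactly 32 octets when these functions are used") while extending the text to Curve448, but those sizes hold only for Curve25519. The same section defines Curve448 secret keys as 448-bit numbers, and a Curve448 public key is a u-coordinate in a 448-bit field, which encodes as 56 octets, as does the shared secret. Suggest stating the sizes per curve, e.g. "Public keys are strings of 32 octets for Curve25519 and 56 octets for Curve448", and making the shared-secret sentence say 32 or 56 octets accordingly. Two smaller points in the same paragraph: the stray "for" in "Public keys for are defined" should be dropped, and "u-coordinate" and "u coordinate" should use one spelling.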
| draft-nir-ipsecme-curve25519-00.txt | draft-nir-ipsecme-curve25519-01.txt |
|---|---|
| 3. Use and Negotiation in IKEv2 | 3. Use and Negotiation in IKEv2 |
| The use of Curve25519 in IKEv2 is negotiated using a Transform Type 4 | The use of Curve25519 and Curve448 in IKEv2 is negotiated using a |
| (Diffie-Hellman group) in the SA payload of either an IKE_SA_INIT or | Transform Type 4 (Diffie-Hellman group) in the SA payload of either |
| a CREATE_CHILD_SA exchange. | an IKE_SA_INIT or a CREATE_CHILD_SA exchange. |
| 3.1. Key Exchange Payload | 3.1. Key Exchange Payload |
| The diagram for the Key Exchange Payload from section 3.4 of RFC 7296 | The diagram for the Key Exchange Payload from section 3.4 of RFC 7296 |
| is copied below for convenience: | is copied below for convenience: |
| 1 2 3 | 1 2 3 |
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| \| Next Payload \|C\| RESERVED \| Payload Length \| | \| Next Payload \|C\| RESERVED \| Payload Length \| |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| \| Diffie-Hellman Group Num \| RESERVED \| | \| Diffie-Hellman Group Num \| RESERVED \| |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| \| \| | \| \| |
| ~ Key Exchange Data ~ | ~ Key Exchange Data ~ |
| \| \| | \| \| |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| o Payload Length - Since a Curve25519 public key is 32 octets, the | o Payload Length - Since the public key is 32 octets, the Payload |
| Payload Length is always 40. | Length field always contains 40. |
| o The Diffie-Hellman Group Num is xx for Curve25519 (TBA by IANA) | o The Diffie-Hellman Group Num is xx for Curve25519, or yy for |
|  | Curve448 (both TBA by IANA). |
| o The Key Exchange Data is 32 octets encoded as an array of bytes in | o The Key Exchange Data is 32 octets encoded as an array of bytes in |
| little-endian order as described in section 8 of [CFRG-Curves] | little-endian order as described in section 8 of [CFRG-Curves] |
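Review bot: the Payload Length bullet in -01, "Since the public key is 32 octets, the Payload Length field always contains 40", and the Key Exchange Data bullet, "is 32 octets", still assume the Curve25519 size even though the Group Num bullet now covers Curve448 as well. With the 8 octets of header the diagram shows (40 - 32), a 56-octet Curve448 public key gives a Payload Length of 64. Suggest per-curve values in both bullets: Payload Length 40 and Key Exchange Data 32 octets for Curve25519; Payload Length 64 and Key Exchange Data 56 octets for Curve448. A recipient can then also treat a Payload Length that does not match the negotiated group as a malformed payload.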
| draft-nir-ipsecme-curve25519-00.txt | draft-nir-ipsecme-curve25519-01.txt |
|---|---|
| 3.2. Recipient Tests | 3.2. Recipient Tests |
| This section describes the checks that a recipient of a public key | This section describes the checks that a recipient of a public key |
| needs to perform. It is the equivalent of the tests described in | needs to perform. It is the equivalent of the tests described in |
| [RFC6989] for other Diffie-Hellman groups. | [RFC6989] for other Diffie-Hellman groups. We use "func" to denote |
|  | either Curve25519 or Curve448, as the tests are similar to both. |
| Curve25519 was designed in a way that the result of Curve25519(x, d) | Both functions were designed in a way that the result of func(d, x) |
| will never reveal information about d, provided is was chosen as | will never reveal information about d, provided it was chosen as |
| prescribed, for any value of x. | prescribed, for any value of x. |
| Define legitimate values of x as the values that can be obtained as x | Define legitimate values of x as the values that can be obtained as x |
| = Curve25519(G, d') for some d, and call the other values | = func(d, G) for some d, and call the other values illegitimate. The |
| illegitimate. The definition of the Curve25519 function shows that | definitions of the functions show that legitimate values all share |
| legitimate values all share the following property: the high-order | the following property: the high-order bit of the last byte is not |
| bit of the last byte is not set. | set. |
| Since there are some implementation of the Curve25519 function that | Since there are some implementation of these functions that impose |
| impose this restriction on their input and others that don't, | this restriction on their input and others that don't, IKEv2 |
| implementations of Curve25519 in IKE SHOULD reject public keys when | implementations SHOULD reject public keys when the high-order bit of |
| the high-order bit of the last byte is set (in other words, when the | the last byte is set (in other words, when the value of the leftmost |
| value of the leftmost byte is greater than 0x7F) in order to prevent | byte is greater than 0x7F) in order to prevent implementation |
| implementation fingerprinting. | fingerprinting. |
| Other than this recommended check, implementations do not need to | Other than this recommended check, implementations do not need to |
| ensure that the public keys they receive are legitimate: this is not | ensure that the public keys they receive are legitimate: this is not |
| necessary for security with Curve25519. | necessary for security. |
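Review bot: the -01 recipient test generalises "the high-order bit of the last byte is not set" from Curve25519 to both functions, but that property does not hold for Curve448. Curve25519 works modulo 2^255 - 19, so a legitimate u-coordinate fits in 255 bits and bit 255 of the 32-octet encoding is always clear; Curve448 works modulo 2^448 - 2^224 - 1, which lies just below 2^448, so a legitimate u-coordinate can have the top bit of its 56-octet encoding set. As written, the SHOULD-reject would discard roughly half of all valid Curve448 public keys and break interoperability rather than prevent fingerprinting. Suggest restricting the check and its justification to Curve25519, and for Curve448 keeping only the statement that no legitimacy check is required for security. Two wording points carried over from -00: "some implementation of these functions" should be "some implementations", and the text says "last byte" in one place and "leftmost byte" in the parenthetical; with little-endian encoding these are different ways of naming the same highest-order byte, so the prose should use one term consistently.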
| draft-nir-ipsecme-curve25519-00.txt | draft-nir-ipsecme-curve25519-01.txt |
|---|---|
| 4. Security Considerations | 4. Security Considerations |
| Curve25519 is designed to facilitate the production of high- | Curve25519 is designed to facilitate the production of high- |
| performance constant-time implementations of the Curve25519 function. | performance constant-time implementations. Implementors are |
| Implementors are encouraged to use a constant-time implementation of | encouraged to use a constant-time implementation of the Curve25519 |
| the Curve25519 function. This point is of crucial importance if the | function. This point is of crucial importance if the implementation |
| implementation chooses to reuse its supposedly ephemeral key pair for | chooses to reuse its supposedly ephemeral key pair for many key |
| many key exchanges, which some implementations do in order to improve | exchanges, which some implementations do in order to improve |
| performance. | performance. The same is true for Curve448. |
| Curve25519 is believed to be at least as secure as the 256-bit random | Curve25519 is believed to be at least as secure as the 256-bit random |
| ECP group (group 19) defined in RFC 4753, also known as NIST P-256. | ECP group (group 19) defined in RFC 4753, also known as NIST P-256 or |
|  | secp256r1. Curve448 is believed to be more secure than the 384-bit |
|  | random ECP group (group 20), also known as NIST P-384 or secp384r1. |
| While the NIST curves are advertised as being chosen verifiably at | While the NIST curves are advertised as being chosen verifiably at |
| random, there is no explanation for the seeds used to generate them. | random, there is no explanation for the seeds used to generate them. |
| In contrast, the process used to pick Curve25519 is fully documented | In contrast, the process used to pick these curves is fully |
| and rigid enough so that independent verification has been done. | documented and rigid enough so that independent verification has been |
| This is widely seen as a security advantage for Curve25519, since it | done. This is widely seen as a security advantage for Curve25519, |
| prevents the generating party from maliciously manipulating the | since it prevents the generating party from maliciously manipulating |
| parameters. | the parameters. |
| Another family of curves available in IKE, generated in a fully | Another family of curves available in IKE, generated in a fully |
| verifiable way, is the Brainpool curves [RFC6954]. Specifically, | verifiable way, is the Brainpool curves [RFC6954]. Specifically, |
| brainpoolP256 (group 28) is expected to provide a level of security | brainpoolP256 (group 28) is expected to provide a level of security |
| comparable to Curve25519 and NIST P-256. However, due to the use of | comparable to Curve25519 and NIST P-256. However, due to the use of |
| pseudo-random prime, it is significantly slower than NIST P-256, | pseudo-random prime, it is significantly slower than NIST P-256, |
| which is itself slower than Curve25519. | which is itself slower than Curve25519. |
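Review bot: in the -01 Security Considerations, "the process used to pick these curves is fully documented" is immediately followed by "This is widely seen as a security advantage for Curve25519", so the rigidity argument is only half generalised; suggest "a security advantage for these curves". In the same vein, the constant-time paragraph tacks Curve448 on with a trailing "The same is true for Curve448." while the rest of the paragraph names only the Curve25519 function; folding Curve448 into the first sentence would read more clearly. Grammar in both columns: "due to the use of pseudo-random prime" needs an article ("a pseudo-random prime").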
| draft-nir-ipsecme-curve25519-00.txt | draft-nir-ipsecme-curve25519-01.txt |
|---|---|
| 5. IANA Considerations | 5. IANA Considerations |
| IANA is requested to assign one value from the IKEv2 "Transform Type | IANA is requested to assign two values from the IKEv2 "Transform Type |
| 4 - Diffie-Hellman Group Transform IDs" registry, with name | 4 - Diffie-Hellman Group Transform IDs" registry, with names |
| Curve25519, and this document as reference. The Recipient Tests | "Curve25519" and "Curve448" and this document as reference. The |
| field should also point to this document. | Recipient Tests field should also point to this document. |
| 6. Acknowledgements | 6. Acknowledgements |
| Curve25519 was designed by D. J. Bernstein and Tanja Lange. The | Curve25519 was designed by D. J. Bernstein and Tanja Lange. |
| specification of wire format is by Sean Turner, Rich Salz, and Watson | Curve448 ("Goldilocks") is by Mike Hamburg. The specification of |
| Ladd, with Adam Langley editing the current document. Much of the | wire format is Sean Turner, Rich Salz, and Watson Ladd, with Adam |
| text in this document is copied from Simon's draft for the TLS | Langley editing the current document. Much of the text in this |
| working group. | document is copied from Simon's draft for the TLS working group. |
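Review bot: the -01 Acknowledgements lost the "by" that -00 had in "The specification of wire format is by Sean Turner, Rich Salz, and Watson Ladd"; suggest restoring it. "Simon's draft for the TLS working group" would also be clearer as a citation of that draft by name in the Informative References, since a reader of the published document will not know who Simon is.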
| draft-nir-ipsecme-curve25519-00.txt | draft-nir-ipsecme-curve25519-01.txt |
|---|---|
| 7. References | 7. References |
| 7.1. Normative References | 7.1. Normative References |
| [CFRG-Curves] | [CFRG-Curves] |
| Langley, A., "Elliptic Curves for Security", draft-agl- | Langley, A., Salz, R., and S. Turner, "Elliptic Curves for |
| cfrgcurve-00 (work in progress), January 2015. | Security", draft-irtf-cfrg-curves-02 (work in progress), |
|  | March 2015. |
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate |
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. |
| [RFC7296] Kivinen, T., Kaufman, C., Hoffman, P., Nir, Y., and P. | [RFC7296] Kivinen, T., Kaufman, C., Hoffman, P., Nir, Y., and P. |
| Eronen, "Internet Key Exchange Protocol Version 2 | Eronen, "Internet Key Exchange Protocol Version 2 |
| (IKEv2)", RFC 7296, October 2014. | (IKEv2)", RFC 7296, October 2014. |
| 7.2. Informative References | 7.2. Informative References |
End of changes. 31 change blocks. 75 lines changed or deleted, 94 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/