| < draft-nir-ipsecme-eddsa-00.txt | draft-nir-ipsecme-eddsa-01.txt > | |||
|---|---|---|---|---|
| Network Working Group Y. Nir | Network Working Group Y. Nir | |||
| Internet-Draft Check Point | Internet-Draft Check Point | |||
| Intended status: Standards Track April 8, 2016 | Intended status: Standards Track June 11, 2016 | |||
| Expires: October 10, 2016 | Expires: December 13, 2016 | |||
| Using Edwards-curve Digital Signature Algorithm (EdDSA) in the Internet | Using Edwards-curve Digital Signature Algorithm (EdDSA) in the Internet | |||
| Key Exchange (IKEv2) | Key Exchange (IKEv2) | |||
| draft-nir-ipsecme-eddsa-00 | draft-nir-ipsecme-eddsa-01 | |||
| Abstract | Abstract | |||
| This document describes the use of the Edwards-curve digital | This document describes the use of the Edwards-curve digital | |||
| signature algorithm in the IKEv2 protocol. | signature algorithm in the IKEv2 protocol. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| skipping to change at page 1, line 32 ¶ | skipping to change at page 1, line 32 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on October 10, 2016. | This Internet-Draft will expire on December 13, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Conventions Used in This Document . . . . . . . . . . . . 2 | 1.1. Conventions Used in This Document . . . . . . . . . . . . 3 | |||
| 2. The "Identity" Hash Identifier . . . . . . . . . . . . . . . 3 | 2. The "Identity" Hash Identifier . . . . . . . . . . . . . . . 3 | |||
| 3. Security Considerations . . . . . . . . . . . . . . . . . . . 3 | 3. Security Considerations . . . . . . . . . . . . . . . . . . . 3 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 5. Normative References . . . . . . . . . . . . . . . . . . . . 3 | 5. Normative References . . . . . . . . . . . . . . . . . . . . 3 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 4 | Appendix A. ASN.1 Objects . . . . . . . . . . . . . . . . . . . 5 | |||
| A.1. ASN.1 Object for Ed25519 . . . . . . . . . . . . . . . . 5 | ||||
| A.2. ASN.1 Object for Ed448 . . . . . . . . . . . . . . . . . 5 | ||||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5 | ||||
| 1. Introduction | 1. Introduction | |||
| The Internet Key Exchange protocol [RFC7296] can use arbitrary | The Internet Key Exchange protocol [RFC7296] can use arbitrary | |||
| signature algorithms as described in [RFC7427]. The latter RFC | signature algorithms as described in [RFC7427]. The latter RFC | |||
| defines the SIGNATURE_HASH_ALGORITHMS notification where each side of | defines the SIGNATURE_HASH_ALGORITHMS notification where each side of | |||
| the IKE negotiation lists its supported hash algorithms. This | the IKE negotiation lists its supported hash algorithms. This | |||
| assumes that all signature schemes involve a hashing phase before a | assumes that all signature schemes involve a hashing phase followed | |||
| signature phase, which makes sense because most signature algorithms | by a signature phase. This made sense because most signature | |||
| either cannot sign messages bigger than their key or truncate | algorithms either cannot sign messages bigger than their key or | |||
| messages bigger than their key. | truncate messages bigger than their key. | |||
| [I.D-eddsa] defines signature algorithms that do not require pre- | EdDSA ([I.D-eddsa]) defines signature methods that do not require | |||
| hashing of the message. Unlike other methods, these signature | pre-hashing of the message. Unlike other methods, these accept | |||
| algorithms accept arbitrary-sized messages, so no pre-hashing is | arbitrary-sized messages, so no pre-hashing is required. These | |||
| required. These methods are called Ed25519 and Ed448, which | methods are called Ed25519 and Ed448, which respectively use the | |||
| respectively use the Edwards 25519 and the Edwards 448 ("Goldilocks") | Edwards 25519 and the Edwards 448 ("Goldilocks") curves. Although | |||
| curves. Although that document also defines pre-hashed versions of | that document also defines pre-hashed versions of these algorithm, | |||
| these algorithm, those versions are not recommended for protocols | those versions are not recommended for protocols where the entire to- | |||
| where the entire to-be-signed message is available at once. | be-signed message is available at once. | |||
| [I.D-eddsa] defines the binary format of the signatures that should | EdDSA defines the binary format of the signatures that should be used | |||
| be used in the "Signature Value" field of the Authentication Data | in the "Signature Value" field of the Authentication Data Format in | |||
| Format in section 3. [I.D-pkix-newcurves] defined the OIDs for these | section 3. The "EdDSA, Ed25519, Ed448, Curve25519 and Curve448 for | |||
| two signature methods. To signal within IKE that no hashing needs to | X.509" document ([I.D-curdle-pkix]) defines the object identifiers | |||
| be done. A new value has to be signalled in the | (OIDs) for these signature methods. For convenience, these OIDs are | |||
| SIGNATURE_HASH_ALGORITHMS notification, one that indicates that no | repeated in Appendix A. | |||
| hashing is performed. | ||||
| In order to signal within IKE that no hashing needs to be done, we | ||||
| define a new value has in the SIGNATURE_HASH_ALGORITHMS notification, | ||||
| one that indicates that no hashing is performed. | ||||
| 1.1. Conventions Used in This Document | 1.1. Conventions Used in This Document | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 2. The "Identity" Hash Identifier | 2. The "Identity" Hash Identifier | |||
| This document defines a new value called "Identity" (value TBA by | This document defines a new value called "Identity" (value TBA by | |||
| IANA) in the hash algorithm registry for use in the | IANA) in the hash algorithm registry for use in the | |||
| SIGNATURE_HASH_ALGORITHMS notification. Inserting this value into | SIGNATURE_HASH_ALGORITHMS notification. Inserting this new value | |||
| the notification indicates that the receiver supports at least one | into the notification indicates that the receiver supports at least | |||
| signature algorithm that accepts arbitrary-sized messages such as | one signature algorithm that accepts arbitrary-sized messages such as | |||
| Ed25519 and Ed448. | Ed25519 and Ed448. | |||
| Ed25519 and Ed448 are only defined with the Identity hash, and MUST | Ed25519 and Ed448 are only defined with the Identity hash, and MUST | |||
| NOT be sent to a receiver that has not indicated support for the | NOT be sent to a receiver that has not indicated support for the | |||
| "Identity" hash. | "Identity" hash. | |||
| The pre-hashed versions of Ed25519 and Ed448 (Ed25519ph and Ed448ph | The pre-hashed versions of Ed25519 and Ed448 (Ed25519ph and Ed448ph | |||
| respectively) SHOULD NOT be used in IKE. | respectively) SHOULD NOT be used in IKE. | |||
| 3. Security Considerations | 3. Security Considerations | |||
| The new "Identity" value is needed only for signature algorithms that | The new "Identity" value is needed only for signature algorithms that | |||
| accept an arbitrary-sized input. It MUST NOT be used if none of the | accept an arbitrary-sized input. It MUST NOT be used if none of the | |||
| supported algorithms has this property. OTOH there is no good reason | supported algorithms has this property. On the other hand there is | |||
| to hash where the signature algorithm does not require it (or does it | no good reason to pre-hash the inputs where the signature algorithm | |||
| internally), so the "Identity" value SHOULD be the only one used if | either does not require it or performs a hash internally. For this | |||
| all of the supported signature algorithms have this property. | reason implementations SHOULD have the "Identity" value in the | |||
| SIGNATURE_HASH_ALGORITHMS notification when they support EdDSA. | ||||
| Implementations SHOULD NOT have other hash algorithms in the | ||||
| notification if all signature algorithms have this property. | ||||
| 4. IANA Considerations | 4. IANA Considerations | |||
| IANA is requested to assign a new value from the "IKEv2 Hash | IANA is requested to assign a new value from the "IKEv2 Hash | |||
| Algorithms" registry with name "Identity" and this document as | Algorithms" registry with name "Identity" and this document as | |||
| reference. | reference. | |||
| 5. Normative References | 5. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| skipping to change at page 4, line 10 ¶ | skipping to change at page 4, line 20 ¶ | |||
| [RFC7427] Kivinen, T. and J. Snyder, "Signature Authentication in | [RFC7427] Kivinen, T. and J. Snyder, "Signature Authentication in | |||
| the Internet Key Exchange Version 2 (IKEv2)", RFC 7427, | the Internet Key Exchange Version 2 (IKEv2)", RFC 7427, | |||
| DOI 10.17487/RFC7427, January 2015, | DOI 10.17487/RFC7427, January 2015, | |||
| <http://www.rfc-editor.org/info/rfc7427>. | <http://www.rfc-editor.org/info/rfc7427>. | |||
| [I.D-eddsa] | [I.D-eddsa] | |||
| Josefsson, S. and I. Liusvaara, "Edwards-curve Digital | Josefsson, S. and I. Liusvaara, "Edwards-curve Digital | |||
| Signature Algorithm (EdDSA)", March 2016, | Signature Algorithm (EdDSA)", March 2016, | |||
| <https://tools.ietf.org/id/draft-irtf-cfrg-eddsa-05.html>. | <https://tools.ietf.org/id/draft-irtf-cfrg-eddsa-05.html>. | |||
| [I.D-pkix-newcurves] | [I.D-curdle-pkix] | |||
| Josefsson, S., "Using Curve25519 and Curve448 in PKIX", | Josefsson, S., "EdDSA, Ed25519, Ed448, Curve25519 and | |||
| March 2016, <https://tools.ietf.org/html/draft-ietf- | Curve448 for X.509", April 2016, | |||
| curdle-pkix-newcurves-00>. | <https://tools.ietf.org/html/draft-ietf-curdle-pkix-00>. | |||
| Appendix A. ASN.1 Objects | ||||
| The normative reference for the ASN.1 objects for Ed25519 and Ed448 | ||||
| is in [I.D-curdle-pkix]. They are repeated below for convenience. | ||||
| A.1. ASN.1 Object for Ed25519 | ||||
| id-Curve25519 OBJECT IDENTIFIER ::= { 1.3.101.110 } | ||||
| Parameters are absent. | ||||
| Binary encoding: TBA | ||||
| A.2. ASN.1 Object for Ed448 | ||||
| id-Curve448 OBJECT IDENTIFIER ::= { 1.3.101.111 } | ||||
| Parameters are absent. | ||||
| Binary encoding: TBA | ||||
| Author's Address | Author's Address | |||
| Yoav Nir | Yoav Nir | |||
| Check Point Software Technologies Ltd. | Check Point Software Technologies Ltd. | |||
| 5 Hasolelim st. | 5 Hasolelim st. | |||
| Tel Aviv 6789735 | Tel Aviv 6789735 | |||
| Israel | Israel | |||
| EMail: ynir.ietf@gmail.com | EMail: ynir.ietf@gmail.com | |||
| End of changes. 11 change blocks. | ||||
| 36 lines changed or deleted | 66 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||