IPSec Working Group                                      J. Solinas, NSA
INTERNET-DRAFT
Expires October 2, 2005                                   March 31, 2005

                           ECP Groups For IKE

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Abstract

   This document describes new ECC groups for use in the Internet Key
   Exchange (IKE) protocol in addition to previously defined groups.
   Specifically, the new curve groups are based on modular arithmetic
   rather than binary arithmetic.  These new groups are defined to align
   IKE with other ECC implementations and standards, particularly NIST
   standards.  In addition, the curves defined here can provide more
   efficient implementation than previously defined ECC groups.

1. Introduction

   This document describes default groups for use in elliptic curve
   Diffie-Hellman in IKE in addition to the Oakley groups included in
   [IKE] and the groups defined in [RFC-3526] and [BBPS].  The document
   assumes that the reader is familiar with the IKE protocol and the
   concept of Oakley Groups, as defined in RFC 2409 [IKE].

   RFC 2409 [IKE] defines five standard Oakley Groups - three modular
   exponentiation groups and two elliptic curve groups over GF[2^N].
   One modular exponentiation group (768 bits - Oakley Group 1) is
   mandatory for all implementations to support, while the other four
   are optional.  Thirteen additional groups have subsequently been
   defined and assigned values by IANA.  All of these additional
   groups are optional.  Of the eighteen groups defined so far, eight
   are modular exponentiation groups and ten are elliptic curve groups
   over GF[2^N] with N composite.
   The purpose of this document is to expand the options available to
   implementers of elliptic curve groups by adding three new elliptic
   curve groups.  Unlike the previous elliptic curve groups, the three
   groups proposed in this document are defined over GF[p] with p prime.
   The reasons for adding these new groups include the following.

   - The groups proposed afford efficiency advantages in software
     applications since the underlying arithmetic is integer arithmetic
     modulo a prime rather than binary field arithmetic.  (Additional
     computational advantages for these groups are presented in [GMN].)

   - The groups proposed encourage alignment with other elliptic curve
     standards.  The proposed groups are among those standardized by
     NIST, by the SECG, by ISO, and by ANSI.  (See section 3 for
     details.)

   - The groups proposed are capable of providing security consistent
     with the new Advanced Encryption Standard.

   These groups could also be defined using the New Group Mode, but
   including them in this RFC will encourage interoperability of IKE
   implementations based upon elliptic curve groups.  In addition, the
   availability of standardized groups will result in optimizations for
   a particular curve and field size as well as allowing precomputation
   that could result in faster implementations.

   It is anticipated that the groups proposed here will be assigned
   identifiers by IANA [IANA].  In that case the full list of assigned
   values for the Group Description class within IKE will be the
   following.  (The groups defined in this document are listed as
   19, 20, and 21.)
   Group Description                                       Value
   -----------------                                       -----
   Default 768-bit MODP group [IKE]                           1
   Alternate 1024-bit MODP group [IKE]                        2
   EC2N group over GF[2^155] [IKE]                            3
   EC2N group over GF[2^185] [IKE]                            4
   1536-bit MODP group [RFC-3526]                             5
   EC2N group over GF[2^163] [BBPS]                           6
   EC2N group over GF[2^163] [BBPS]                           7
   EC2N group over GF[2^283] [BBPS]                           8
   EC2N group over GF[2^283] [BBPS]                           9
   EC2N group over GF[2^409] [BBPS]                          10
   EC2N group over GF[2^409] [BBPS]                          11
   EC2N group over GF[2^571] [BBPS]                          12
   EC2N group over GF[2^571] [BBPS]                          13
   2048-bit MODP group [RFC-3526]                            14
   3072-bit MODP group [RFC-3526]                            15
   4096-bit MODP group [RFC-3526]                            16
   6144-bit MODP group [RFC-3526]                            17
   8192-bit MODP group [RFC-3526]                            18
   256-bit ECP group (EC group modulo a 256-bit prime)       19
   384-bit ECP group (EC group modulo a 384-bit prime)       20
   521-bit ECP group (EC group modulo a 521-bit prime)       21

   The IANA group type [IANA] of the three new groups is 2 (ECP -
   elliptic curve group over GF(P)).  The previous eighteen groups all
   have group types 1 or 3.

   In summary, due to the performance advantages of elliptic curve
   groups in IKE implementations and the need for further alignment with
   other standards, this document defines three elliptic curve groups
   based on modular arithmetic.

2. Additional ECC Groups

   The notation adopted in RFC 2409 [IKE] is used below to describe the
   new groups proposed.

2.1 Nineteenth Group

   IKE implementations SHOULD support an ECP group with the following
   characteristics.  This group is assigned id 19 (nineteen).  The curve
   is based on the integers modulo the generalized Mersenne prime p
   given by

      p = 2^(256)-2^(224)+2^(192)+2^(96)-1 .

   The equation for the elliptic curve is:

      y^2 = x^3 - 3 x + b.
   Field size:
      256

   Group Prime/Irreducible Polynomial:
      FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFF

   Group Curve b:
      5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B

   Group Generator point P (x coordinate):
      6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296

   Group Generator point P (y coordinate):
      4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51F5

   Group order:
      FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551

   The group was chosen verifiably at random using SHA-1 as specified in
   [IEEE-1363] from the seed:

      C49D3608 86E70493 6A6678E1 139D26B7 819F7E90

   The data in the KE payload when using this group represents the
   point on the curve obtained by taking the scalar multiple Ka*P,
   where Ka is the randomly chosen secret.

2.2 Twentieth Group

   IKE implementations SHOULD support an ECP group with the following
   characteristics.  This group is assigned id 20 (twenty).  The curve is
   based on the integers modulo the generalized Mersenne prime p given by

      p = 2^(384)-2^(128)-2^(96)+2^(32)-1 .

   The equation for the elliptic curve is:

      y^2 = x^3 - 3 x + b.
   Field size:
      384

   Group Prime/Irreducible Polynomial:
      FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF 00000000 00000000 FFFFFFFF

   Group Curve b:
      B3312FA7 E23EE7E4 988E056B E3F82D19
      181D9C6E FE814112 0314088F 5013875A C656398D 8A2ED19D 2A85C8ED D3EC2AEF

   Group Generator point P (x coordinate):
      AA87CA22 BE8B0537 8EB1C71E F320AD74
      6E1D3B62 8BA79B98 59F741E0 82542A38 5502F25D BF55296C 3A545E38 72760AB7

   Group Generator point P (y coordinate):
      3617DE4A 96262C6F 5D9E98BF 9292DC29
      F8F41DBD 289A147C E9DA3113 B5F0B8C0 0A60B1CE 1D7E819D 7A431D7C 90EA0E5F

   Group order:
      FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      FFFFFFFF FFFFFFFF C7634D81 F4372DDF 581A0DB2 48B0A77A ECEC196A CCC52973

   The group was chosen verifiably at random using SHA-1 as specified in
   [IEEE-1363] from the seed:

      A335926A A319A27A 1D00896A 6773A482 7ACDAC73

   The data in the KE payload when using this group represents the
   point on the curve obtained by taking the scalar multiple Ka*P,
   where Ka is the randomly chosen secret.

2.3 Twenty-First Group

   IKE implementations SHOULD support an ECP group with the following
   characteristics.  This group is assigned id 21 (twenty-one).  The
   curve is based on the integers modulo the Mersenne prime p given by

      p = 2^(521)-1 .

   The equation for the elliptic curve is:

      y^2 = x^3 - 3 x + b.
   Field size:
      521

   Group Prime/Irreducible Polynomial:
      000001FF
      FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF

   Group Curve b:
      00000051
      953EB961 8E1C9A1F 929A21A0 B68540EE A2DA725B 99B315F3 B8B48991 8EF109E1
      56193951 EC7E937B 1652C0BD 3BB1BF07 3573DF88 3D2C34F1 EF451FD4 6B503F00

   Group Generator point P (x coordinate):
      000000C6
      858E06B7 0404E9CD 9E3ECB66 2395B442 9C648139 053FB521 F828AF60 6B4D3DBA
      A14B5E77 EFE75928 FE1DC127 A2FFA8DE 3348B3C1 856A429B F97E7E31 C2E5BD66

   Group Generator point P (y coordinate):
      00000118
      39296A78 9A3BC004 5C8A5FB4 2C7D1BD9 98F54449 579B4468 17AFBD17 273E662C
      97EE7299 5EF42640 C550B901 3FAD0761 353C7086 A272C240 88BE9476 9FD16650

   Group order:
      000001FF
      FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFA
      51868783 BF2F966B 7FCC0148 F709A5D0 3BB5C9B8 899C47AE BB6FB71E 91386409

   The group was chosen verifiably at random using SHA-1 as specified in
   [IEEE-1363] from the seed:

      D09E8800 291CB853 96CC6717 393284AA A0DA64BA

   The data in the KE payload when using this group represents the
   point on the curve obtained by taking the scalar multiple Ka*P,
   where Ka is the randomly chosen secret.

3. Alignment with Other Standards

   The following table summarizes the appearance of these three
   elliptic curve groups in other standards.

   Standard                 Group 19        Group 20        Group 21

   NIST [DSS]               P-256           P-384           P-521

   ISO/IEC [ISO-15946-1]    P-256

   ISO/IEC [ISO-18031]      P-256           P-384           P-521

   ANSI [X9.62-1998]        Sect. J.5.3,
                            Example 1

   ANSI [X9.62-2003]        Sect. J.6.5.3   Sect. J.6.6     Sect. J.6.7

   ANSI [X9.63]             Sect. J.5.4,    Sect. J.5.5     Sect. J.5.6
                            Example 2

   SECG [SEC2]              secp256r1       secp384r1       secp521r1

   See also [NIST], [ISO-14888-3], [ISO-15946-2], [ISO-15946-3], and
   [ISO-15946-4].

4. Security Considerations

   Since this document proposes new groups for use within IKE, many of
   the security considerations contained within RFC 2409 apply here as
   well.

   The groups proposed in this document correspond to the symmetric key
   sizes 128 bits, 192 bits, and 256 bits.  This allows the IKE key
   exchange to offer security comparable with the AES algorithms [AES].

5. IANA Considerations

   Before this document can become an RFC, it is required that IANA
   update its registry of Diffie-Hellman groups for IKE in [IANA] to
   include the three groups defined above.

6. References

6.1 Normative

   [IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC 2409,
         November 1998.

6.2 Informative

   [AES] U.S. Department of Commerce/National Institute of Standards
         and Technology, Advanced Encryption Standard (AES), FIPS PUB 197,
         November 2001.  (http://csrc.nist.gov/publications/fips/index.html)

   [BBPS] S. Blake-Wilson, D. Brown, Y. Poeluev, M. Salter, Additional
         ECC Groups for IKE, draft-ietf-ipsec-ike-ecc-groups-04.txt,
         July 2002.

   [DSS] U.S. Department of Commerce/National Institute of Standards
         and Technology, Digital Signature Standard (DSS), FIPS PUB 186-2,
         January 2000.  (http://csrc.nist.gov/publications/fips/index.html)

   [GMN] J. Solinas, Generalized Mersenne Numbers, Combinatorics
         and Optimization Research Report 99-39, 1999.
         (http://www.cacr.math.uwaterloo.ca/)

   [IANA] Internet Assigned Numbers Authority, Internet Key Exchange
         (IKE) Attributes.  (http://www.iana.org/assignments/ipsec-registry)

   [IEEE-1363] Institute of Electrical and Electronics Engineers, IEEE
         1363-2000, Standard for Public Key Cryptography.
         (http://grouper.ieee.org/groups/1363/index.html)

   [ISO-14888-3] International Organization for Standardization and
         International Electrotechnical Commission, ISO/IEC First
         Committee Draft 14888-3 (2nd ed.), Information Technology:
         Security Techniques: Digital Signatures with Appendix: Part 3 -
         Discrete Logarithm Based Mechanisms.

   [ISO-15946-1] International Organization for Standardization and
         International Electrotechnical Commission, ISO/IEC 15946-1:
         2002-12-01, Information Technology: Security Techniques:
         Cryptographic Techniques based on Elliptic Curves: Part 1 -
         General.

   [ISO-15946-2] International Organization for Standardization and
         International Electrotechnical Commission, ISO/IEC 15946-2:
         2002-12-01, Information Technology: Security Techniques:
         Cryptographic Techniques based on Elliptic Curves: Part 2 -
         Digital Signatures.

   [ISO-15946-3] International Organization for Standardization and
         International Electrotechnical Commission, ISO/IEC 15946-3:
         2002-12-01, Information Technology: Security Techniques:
         Cryptographic Techniques based on Elliptic Curves: Part 3 -
         Key Establishment.

   [ISO-15946-4] International Organization for Standardization and
         International Electrotechnical Commission, ISO/IEC 15946-4:
         2004-10-01, Information Technology: Security Techniques:
         Cryptographic Techniques based on Elliptic Curves: Part 4 -
         Digital Signatures giving Message Recovery.

   [ISO-18031] International Organization for Standardization and
         International Electrotechnical Commission, ISO/IEC Final
         Committee Draft 18031, Information Technology: Security
         Techniques: Random Bit Generation, October 2004.

   [NIST] U.S. Department of Commerce/National Institute of Standards
         and Technology, Recommendation for Key Establishment Schemes
         Using Discrete Logarithm Cryptography, NIST Special Publication
         800-56.  (http://csrc.nist.gov/CryptoToolkit/KeyMgmt.html)

   [RFC-3526] T. Kivinen and M. Kojo, More Modular Exponential (MODP)
         Diffie-Hellman groups for Internet Key Exchange (IKE), RFC
         3526, May 2003.

   [SEC2] Standards for Efficient Cryptography Group, SEC 2 -
         Recommended Elliptic Curve Domain Parameters, v. 1.0, 2000.
         (http://www.secg.org)

   [X9.62-1998] American National Standards Institute, X9.62-1998:
         Public Key Cryptography for the Financial Services Industry: The
         Elliptic Curve Digital Signature Algorithm, January 1999.

   [X9.62-2003] American National Standards Institute, X9.62-1998:
         Public Key Cryptography for the Financial Services Industry: The
         Elliptic Curve Digital Signature Algorithm,
         Revised-Draft-2003-02-26, February 2003.

   [X9.63] American National Standards Institute, X9.63-2001,
         Public Key Cryptography for the Financial Services Industry: Key
         Agreement and Key Transport using Elliptic Curve Cryptography,
         November 2001.

7. Author's Address

   Jerome A. Solinas
   National Security Agency
   jsolinas@orion.ncsc.mil

   Comments are solicited and should be addressed to the author.

   Copyright (C) The Internet Society (2005).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Expires October 2, 2005