draft-ietf-ipsec-ike-ecp-groups-03.txt
IPSec Working Group                                          D. Fu, NSA
INTERNET-DRAFT                                          J. Solinas, NSA
Expires November 15, 2006                                  May 15, 2006

                      ECP Groups For IKE and IKEv2

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Abstract

   This document describes new ECC groups for use in the Internet Key
   Exchange (IKE) and Internet Key Exchange version 2 (IKEv2) protocols
   in addition to previously defined groups.  Specifically, the new
   curve groups are based on modular arithmetic rather than binary
   arithmetic.  These new groups are defined to align IKE and IKEv2
   with other ECC implementations and standards, particularly NIST
   standards.  In addition, the curves defined here can provide more
   efficient implementation than previously defined ECC groups.

Table of Contents

   1. Introduction
   2. Requirements Terminology
   3. Additional ECC Groups
      3.1 256-bit Random Curve Group
      3.2 384-bit Random Curve Group
      3.3 521-bit Random Curve Group
   4. Security Considerations
   5. Alignment with Other Standards
   6. IANA Considerations
   7. ECP Key Exchange Data Formats
   8. Test Vectors
      8.1 256-bit Random Curve Group
      8.2 384-bit Random Curve Group
      8.3 521-bit Random Curve Group
   9. References
      9.1 Normative
      9.2 Informative
   10. Authors' Addresses

1. Introduction

   This document describes default Diffie-Hellman groups for use in
   IKE and IKEv2 in addition to the Oakley groups included in [IKE] and
   the additional groups defined since [IANA-IKE].  This document
   assumes that the reader is familiar with the IKE protocol and the
   concept of Oakley Groups, as defined in RFC 2409 [IKE].

   RFC 2409 [IKE] defines five standard Oakley Groups - three modular
   exponentiation groups and two elliptic curve groups over GF[2^N].
   One modular exponentiation group (768 bits - Oakley Group 1) is
   mandatory for all implementations to support, while the other four
   are optional.  Thirteen additional groups subsequently have been
   defined and assigned values by IANA.  All of these additional groups
   are optional.  Of the eighteen groups defined so far, eight are MODP
   groups (exponentiation groups modulo a prime) and ten are EC2N groups
   (elliptic curve groups over GF[2^N]).
   The purpose of this document is to expand the options available to
   implementers of elliptic curve groups by adding three ECP groups
   (elliptic curve groups modulo a prime).  The reasons for adding such
   groups include the following.

   - The groups proposed afford efficiency advantages in software
     applications since the underlying arithmetic is integer arithmetic
     modulo a prime rather than binary field arithmetic.  (Additional
     computational advantages for these groups are presented in [GMN].)

   - The groups proposed encourage alignment with other elliptic curve
     standards.  The proposed groups are among those standardized by
     NIST, by the SECG, by ISO, and by ANSI.  (See Section 3 for
     details.)

   - The groups proposed are capable of providing security consistent
     with the new Advanced Encryption Standard.

   These groups could also be defined using the New Group Mode but
   including them in this RFC will encourage interoperability of IKE
   implementations based upon elliptic curve groups.  In addition, the
   availability of standardized groups will result in optimizations for
   a particular curve and field size as well as allowing precomputation
   that could result in faster implementations.

   In summary, due to the performance advantages of elliptic curve
   groups in IKE implementations and the need for further alignment with
   other standards, this document defines three elliptic curve groups
   based on modular arithmetic.

2. Requirements Terminology

   Keywords "MUST" and "SHOULD" that appear in this document are to be
   interpreted as described in [RFC2119].

3. Additional ECC Groups

   The notation adopted in RFC 2409 [IKE] is used below to describe the
   new groups proposed.

3.1 256-bit Random ECP Group

   IKE and IKEv2 implementations SHOULD support an ECP group with the
   following characteristics.  The curve is based on the integers modulo
   the generalized Mersenne prime p given by

      p = 2^(256)-2^(224)+2^(192)+2^(96)-1 .

   The equation for the elliptic curve is:

      y^2 = x^3 - 3 x + b.

   Field size:
      256

   Group Prime/Irreducible Polynomial:
      FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFF

   Group Curve b:
      5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B

   Group order:
      FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551

   The group was chosen verifiably at random using SHA-1 as specified in
   [IEEE-1363] from the seed:

      C49D3608 86E70493 6A6678E1 139D26B7 819F7E90

   The generator for this group is given by g=(gx,gy) where

   gx:
      6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296

   gy:
      4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51F5

3.2 384-bit Random ECP Group

   IKE and IKEv2 implementations SHOULD support an ECP group with the
   following characteristics.  The curve is based on the integers modulo
   the generalized Mersenne prime p given by

      p = 2^(384)-2^(128)-2^(96)+2^(32)-1 .

   The equation for the elliptic curve is:

      y^2 = x^3 - 3 x + b.
   Field size:
      384

   Group Prime/Irreducible Polynomial:
      FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE
      FFFFFFFF 00000000 00000000 FFFFFFFF

   Group Curve b:
      B3312FA7 E23EE7E4 988E056B E3F82D19 181D9C6E FE814112 0314088F 5013875A
      C656398D 8A2ED19D 2A85C8ED D3EC2AEF

   Group order:
      FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF C7634D81 F4372DDF
      581A0DB2 48B0A77A ECEC196A CCC52973

   The group was chosen verifiably at random using SHA-1 as specified in
   [IEEE-1363] from the seed:

      A335926A A319A27A 1D00896A 6773A482 7ACDAC73

   The generator for this group is given by g=(gx,gy) where

   gx:
      AA87CA22 BE8B0537 8EB1C71E F320AD74 6E1D3B62 8BA79B98 59F741E0 82542A38
      5502F25D BF55296C 3A545E38 72760AB7

   gy:
      3617DE4A 96262C6F 5D9E98BF 9292DC29 F8F41DBD 289A147C E9DA3113 B5F0B8C0
      0A60B1CE 1D7E819D 7A431D7C 90EA0E5F

3.3 521-bit Random ECP Group

   IKE and IKEv2 implementations SHOULD support an ECP group with the
   following characteristics.  The curve is based on the integers modulo
   the Mersenne prime p given by

      p = 2^(521)-1 .

   The equation for the elliptic curve is:

      y^2 = x^3 - 3 x + b.
   Field size:
      521

   Group Prime/Irreducible Polynomial:
      01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      FFFF

   Group Curve b:
      0051953E B9618E1C 9A1F929A 21A0B685 40EEA2DA 725B99B3 15F3B8B4 89918EF1
      09E15619 3951EC7E 937B1652 C0BD3BB1 BF073573 DF883D2C 34F1EF45 1FD46B50
      3F00

   Group order:
      01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      FFFA5186 8783BF2F 966B7FCC 0148F709 A5D03BB5 C9B8899C 47AEBB6F B71E9138
      6409

   The group was chosen verifiably at random using SHA-1 as specified in
   [IEEE-1363] from the seed:

      D09E8800 291CB853 96CC6717 393284AA A0DA64BA

   The generator for this group is given by g=(gx,gy) where

   gx:
      00C6858E 06B70404 E9CD9E3E CB662395 B4429C64 8139053F B521F828 AF606B4D
      3DBAA14B 5E77EFE7 5928FE1D C127A2FF A8DE3348 B3C1856A 429BF97E 7E31C2E5
      BD66

   gy:
      01183929 6A789A3B C0045C8A 5FB42C7D 1BD998F5 4449579B 446817AF BD17273E
      662C97EE 72995EF4 2640C550 B9013FAD 0761353C 7086A272 C24088BE 94769FD1
      6650

4. Security Considerations

   Since this document proposes new groups for use within IKE and IKEv2,
   many of the security considerations contained within [IKE] and
   [IKEv2] apply here as well.

   The groups proposed in this document correspond to the symmetric key
   sizes 128 bits, 192 bits, and 256 bits.  This allows the IKE key
   exchange to offer security comparable with the AES algorithms [AES].

5. Alignment with Other Standards

   The following table summarizes the appearance of these three
   elliptic curve groups in other standards.

                           256-bit        384-bit        521-bit
                           Random         Random         Random
   Standard                ECP Group      ECP Group      ECP Group
   -----------             ------------   ------------   ------------

   NIST [DSS]              P-256          P-384          P-521

   ISO/IEC [ISO-15946-1]   P-256

   ISO/IEC [ISO-18031]     P-256          P-384          P-521

   ANSI [X9.62-1998]       Sect. J.5.3,
                           Example 1

   ANSI [X9.62-2003]       Sect. J.6.5.3  Sect. J.6.6    Sect. J.6.7

   ANSI [X9.63]            Sect. J.5.4,   Sect. J.5.5    Sect. J.5.6
                           Example 2

   SECG [SEC2]             secp256r1      secp384r1      secp521r1

   See also [NIST], [ISO-14888-3], [ISO-15946-2], [ISO-15946-3], and
   [ISO-15946-4].

6. IANA Considerations

   Before this document can become an RFC, it is required that IANA
   update its registries of Diffie-Hellman groups for IKE in [IANA-IKE]
   and for IKEv2 in [IANA-IKEv2] to include the groups defined above.

   In [IANA-IKE], the groups are to appear as new entries in the list of
   Diffie-Hellman groups given by Group Description (attribute class 4).
   The descriptions are "256-bit random ECP group", "384-bit random ECP
   group", and "521-bit random ECP group".  In each case, the group type
   (attribute class 5) has the value 2 (ECP, elliptic curve group over
   GF[P]).

   In [IANA-IKEv2], the groups are to appear as new entries in the list
   of IKEv2 transform type values for Transform Type 4 (Diffie-Hellman
   groups).

7. ECP Key Exchange Data Formats

   In an ECP key exchange, the Diffie-Hellman public value passed in a
   KE payload consists of two components, x and y, corresponding to the
   coordinates of an elliptic curve point.  Each component MUST have
   bit length as given in the following table.

      Diffie-Hellman group        component bit length
      ------------------------    --------------------

      256-bit Random ECP Group            256
      384-bit Random ECP Group            384
      521-bit Random ECP Group            528

   This length is enforced, if necessary, by prepending the value with
   zeros.

   The Diffie-Hellman public value is obtained by concatenating the x
   and y values.

   The format of the Diffie-Hellman shared secret value is the same as
   that of the Diffie-Hellman public value.

8. Test Vectors

   The following are examples of the IKEv2 key exchange payload for each
   of the three groups specified in this document.
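   As an added worked check, not part of the draft: the claim in Sections
   3.1 to 3.3 that each curve was "chosen verifiably at random using
   SHA-1" can be recomputed offline from the printed p, b and seed, and
   the hex primes can be compared with their stated closed forms.  The
   script assumes the prime-field procedure of ANSI X9.62 / IEEE 1363 as
   the editor understands it (W0 is the v rightmost bits of SHA-1(SEED)
   with the leftmost of those bits cleared); the constants are
   transcribed from the draft.

```python
import hashlib


def hexval(*words):
    """Parse a hex value written the way the draft prints it: space-separated 32-bit words."""
    return int("".join(words).replace(" ", ""), 16)


# Domain parameters transcribed from Sections 3.1, 3.2 and 3.3 of the draft.
# Every curve is y^2 = x^3 - 3x + b, i.e. a = p - 3.
P256 = hexval("FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFF")
B256 = hexval("5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B")
SEED256 = "C49D3608 86E70493 6A6678E1 139D26B7 819F7E90"
P384 = hexval("FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE",
              "FFFFFFFF 00000000 00000000 FFFFFFFF")
B384 = hexval("B3312FA7 E23EE7E4 988E056B E3F82D19 181D9C6E FE814112 0314088F 5013875A",
              "C656398D 8A2ED19D 2A85C8ED D3EC2AEF")
SEED384 = "A335926A A319A27A 1D00896A 6773A482 7ACDAC73"
P521 = hexval("01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF",
              "FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF",
              "FFFF")
B521 = hexval("0051953E B9618E1C 9A1F929A 21A0B685 40EEA2DA 725B99B3 15F3B8B4 89918EF1",
              "09E15619 3951EC7E 937B1652 C0BD3BB1 BF073573 DF883D2C 34F1EF45 1FD46B50",
              "3F00")
SEED521 = "D09E8800 291CB853 96CC6717 393284AA A0DA64BA"

GROUPS = {"256-bit": (P256, B256, SEED256), "384-bit": (P384, B384, SEED384),
          "521-bit": (P521, B521, SEED521)}


def primes_match_formulas():
    """The hex primes must equal the closed forms stated in Sections 3.1 to 3.3."""
    return (P256 == 2**256 - 2**224 + 2**192 + 2**96 - 1
            and P384 == 2**384 - 2**128 - 2**96 + 2**32 - 1
            and P521 == 2**521 - 1)


def seed_verifies(p, b, seed_hex):
    """ANSI X9.62 / IEEE 1363 prime-field check for a curve with a = -3: rebuild r from
    SEED with SHA-1 and test r * b^2 == a^3 == -27 (mod p).  Assumption (editor's
    reading of the standard): W0 is the v rightmost bits of SHA-1(SEED), top bit cleared."""
    seed = bytes.fromhex(seed_hex)
    g = 8 * len(seed)                      # seed length in bits (160 for all three groups)
    t = p.bit_length()
    s = (t - 1) // 160                     # number of further SHA-1 outputs needed
    v = t - 160 * s                        # bits contributed by the first output
    w = int.from_bytes(hashlib.sha1(seed).digest(), "big") & ((1 << (v - 1)) - 1)
    z = int.from_bytes(seed, "big")
    for i in range(1, s + 1):              # W_i = SHA-1((SEED + i) mod 2^g)
        z_i = ((z + i) % (1 << g)).to_bytes(len(seed), "big")
        w = (w << 160) | int.from_bytes(hashlib.sha1(z_i).digest(), "big")
    return (w * b * b + 27) % p == 0


def verify_all():
    """Map each group name to whether its (p, b) pair is consistent with its seed."""
    return {name: seed_verifies(p, b, seed) for name, (p, b, seed) in GROUPS.items()}
```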
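   The following is an added example, not code from the draft or its
   authors, that exercises the Section 7 KE payload format against the
   Section 8.1 test vectors for the 256-bit group: it builds KEi and KEr
   from the private keys i and r with a textbook affine scalar
   multiplication, parses them back with the component-length rule
   enforced, and derives g^ir on both sides.  The on-curve check in
   decode_ke is an added defensive step that the draft itself does not
   require; the group id 19 is the one Section 8.1 assumes.

```python
# 256-bit random ECP group from Section 3.1 and the IANA group id assumed in Section 8.1.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3                                  # the curve is y^2 = x^3 - 3x + b
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
GROUP_ID, COMP_LEN = 19, 32                # Section 7: 256-bit components, 32 octets each

# Test vectors transcribed from Section 8.1 (private keys, KEi, KEr and girx).
I_PRIV = 0xC88F01F510D9AC3F70A292DAA2316DE544E9AAB8AFE84049C62A9C57862D1433
R_PRIV = 0xC6EF9C5D78AE012A011164ACB397CE2088685D8F06BF9BE0B283AB46476BEE53
KEI = ("0000004800130000DAD0B65394221CF9B051E1FECA5787D098DFE637FC90B9EF"
       "945D0C37725811805271A0461CDB8252D61F1C456FA3E59AB1F45B33ACCF5F58"
       "389E0577B8990BB3")
KER = ("0000004800130000D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C"
       "736FC7554494BF6356FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F83"
       "53E74F33039872AB")
GIRX = 0xD6840F6B42F6EDAFD13116E0E12565202FEF8E9ECE7DCE03812464D04B9442DE


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + a*x + b over GF(p); None is the point at infinity."""
    if pt is None:
        return False
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition and doubling; None represents the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:        # p1 == -p2
        return None
    if x1 == x2:                               # doubling: tangent slope
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:                                      # addition: chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """k*pt by left-to-right double-and-add, written g^k in the draft's notation."""
    acc = None
    for bit in bin(k)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, pt)
    return acc


def encode_ke(pt, group_id=GROUP_ID, comp_len=COMP_LEN):
    """IKEv2 KE payload (Section 7): generic header, DH group #, two reserved octets,
    then x || y with each coordinate zero-padded to comp_len octets."""
    data = pt[0].to_bytes(comp_len, "big") + pt[1].to_bytes(comp_len, "big")
    header = b"\x00\x00" + (8 + len(data)).to_bytes(2, "big")   # next payload, flags, length
    return header + group_id.to_bytes(2, "big") + b"\x00\x00" + data


def decode_ke(payload, group_id=GROUP_ID, comp_len=COMP_LEN):
    """Parse a KE payload, enforcing the Section 7 component length, and return (x, y).
    The on-curve check is not in the draft; it is the usual public-value validation."""
    if len(payload) < 8 or int.from_bytes(payload[2:4], "big") != len(payload):
        raise ValueError("payload length field does not match the payload")
    if int.from_bytes(payload[4:6], "big") != group_id:
        raise ValueError("unexpected Diffie-Hellman group")
    data = payload[8:]
    if len(data) != 2 * comp_len:
        raise ValueError("KE data must be exactly two %d-octet components" % comp_len)
    pt = (int.from_bytes(data[:comp_len], "big"), int.from_bytes(data[comp_len:], "big"))
    if not on_curve(pt):
        raise ValueError("public value is not a point on the curve")
    return pt


def run_section_8_1():
    """Redo the Section 8.1 exchange; return (KEi hex, KEr hex, shared x, both sides agree)."""
    kei = encode_ke(ec_mul(I_PRIV, G))         # initiator sends g^i
    ker = encode_ke(ec_mul(R_PRIV, G))         # responder sends g^r
    s_i = ec_mul(I_PRIV, decode_ke(ker))       # initiator computes (g^r)^i
    s_r = ec_mul(R_PRIV, decode_ke(kei))       # responder computes (g^i)^r
    return kei.hex().upper(), ker.hex().upper(), s_i[0], s_i == s_r
```

   The same code serves the 384-bit and 521-bit groups with the Section
   3.2 and 3.3 parameters and comp_len of 48 and 66 octets (Section 7's
   384 and 528 bits).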
   We denote by g^n the scalar multiple of the point g by the
   integer n; it is another point on the curve.  In the literature, the
   scalar multiple is typically denoted ng; the notation g^n is
   used in order to conform to the notation used in [IKE] and [IKEv2].

8.1 256-bit Random ECP Group

   It is assumed for this example that this Diffie-Hellman group is
   assigned the id number 19 by IANA.

   We suppose that the initiator's Diffie-Hellman private key is

   i:
      C88F01F5 10D9AC3F 70A292DA A2316DE5 44E9AAB8 AFE84049 C62A9C57 862D1433

   Then the public key is given by g^i=(gix,giy) where

   gix:
      DAD0B653 94221CF9 B051E1FE CA5787D0 98DFE637 FC90B9EF 945D0C37 72581180

   giy:
      5271A046 1CDB8252 D61F1C45 6FA3E59A B1F45B33 ACCF5F58 389E0577 B8990BB3

   The KEi payload is as follows.

      00000048 00130000 DAD0B653 94221CF9 B051E1FE CA5787D0 98DFE637 FC90B9EF
      945D0C37 72581180 5271A046 1CDB8252 D61F1C45 6FA3E59A B1F45B33 ACCF5F58
      389E0577 B8990BB3

   We suppose that the responder's Diffie-Hellman private key is

   r:
      C6EF9C5D 78AE012A 011164AC B397CE20 88685D8F 06BF9BE0 B283AB46 476BEE53

   Then the public key is given by g^r=(grx,gry) where

   grx:
      D12DFB52 89C8D4F8 1208B702 70398C34 2296970A 0BCCB74C 736FC755 4494BF63

   gry:
      56FBF3CA 366CC23E 8157854C 13C58D6A AC23F046 ADA30F83 53E74F33 039872AB

   The KEr payload is as follows.

      00000048 00130000 D12DFB52 89C8D4F8 1208B702 70398C34 2296970A 0BCCB74C
      736FC755 4494BF63 56FBF3CA 366CC23E 8157854C 13C58D6A AC23F046 ADA30F83
      53E74F33 039872AB

   The shared secret value g^ir=(girx,giry) where

   girx:
      D6840F6B 42F6EDAF D13116E0 E1256520 2FEF8E9E CE7DCE03 812464D0 4B9442DE

   giry:
      522BDE0A F0D8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5D98EDB2 0EB153A2

   These are concatenated to form

   g^ir:
      D6840F6B 42F6EDAF D13116E0 E1256520 2FEF8E9E CE7DCE03 812464D0 4B9442DE
      522BDE0A F0D8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5D98EDB2 0EB153A2

   This is the value which is used in the formation of SKEYSEED.

8.2 384-bit Random ECP Group

   It is assumed for this example that this Diffie-Hellman group is
   assigned the id number 20 by IANA.

   We suppose that the initiator's Diffie-Hellman private key is

   i:
      099F3C70 34D4A2C6 99884D73 A375A67F 7624EF7C 6B3C0F16 0647B674 14DCE655
      E35B5380 41E649EE 3FAEF896 783AB194

   Then the public key is given by g^i=(gix,giy) where

   gix:
      667842D7 D180AC2C DE6F74F3 7551F557 55C7645C 20EF73E3 1634FE72 B4C55EE6
      DE3AC808 ACB4BDB4 C88732AE E95F41AA

   giy:
      9482ED1F C0EEB9CA FC498462 5CCFC23F 65032149 E0E144AD A0241815 35A0F38E
      EB9FCFF3 C2C947DA E69B4C63 4573A81C

   The KEi payload is as follows.
      00000068 00140000 667842D7 D180AC2C DE6F74F3 7551F557 55C7645C 20EF73E3
      1634FE72 B4C55EE6 DE3AC808 ACB4BDB4 C88732AE E95F41AA 9482ED1F C0EEB9CA
      FC498462 5CCFC23F 65032149 E0E144AD A0241815 35A0F38E EB9FCFF3 C2C947DA
      E69B4C63 4573A81C

   We suppose that the responder's Diffie-Hellman private key is

   r:
      41CB0779 B4BDB85D 47846725 FBEC3C94 30FAB46C C8DC5060 855CC9BD A0AA2942
      E0308312 916B8ED2 960E4BD5 5A7448FC

   Then the public key is given by g^r=(grx,gry) where

   grx:
      E558DBEF 53EECDE3 D3FCCFC1 AEA08A89 A987475D 12FD950D 83CFA417 32BC509D
      0D1AC43A 0336DEF9 6FDA41D0 774A3571

   gry:
      DCFBEC7A ACF31964 72169E83 8430367F 66EEBE3C 6E70C416 DD5F0C68 759DD1FF
      F83FA401 42209DFF 5EAAD96D B9E6386C

   The KEr payload is as follows.

      00000068 00140000 E558DBEF 53EECDE3 D3FCCFC1 AEA08A89 A987475D 12FD950D
      83CFA417 32BC509D 0D1AC43A 0336DEF9 6FDA41D0 774A3571 DCFBEC7A ACF31964
      72169E83 8430367F 66EEBE3C 6E70C416 DD5F0C68 759DD1FF F83FA401 42209DFF
      5EAAD96D B9E6386C

   The shared secret value g^ir=(girx,giry) where

   girx:
      11187331 C279962D 93D60424 3FD592CB 9D0A926F 422E4718 7521287E 7156C5C4
      D6031355 69B9E9D0 9CF5D4A2 70F59746

   giry:
      A2A9F38E F5CAFBE2 347CF7EC 24BDD5E6 24BC93BF A82771F4 0D1B65D0 6256A852
      C983135D 4669F879 2F2C1D55 718AFBB4

   These are concatenated to form

   g^ir:
      11187331 C279962D 93D60424 3FD592CB 9D0A926F 422E4718 7521287E 7156C5C4
      D6031355 69B9E9D0 9CF5D4A2 70F59746 A2A9F38E F5CAFBE2 347CF7EC 24BDD5E6
      24BC93BF A82771F4 0D1B65D0 6256A852 C983135D 4669F879 2F2C1D55 718AFBB4

   This is the value which is used in the formation of SKEYSEED.

8.3 521-bit Random ECP Group

   It is assumed for this example that this Diffie-Hellman group is
   assigned the id number 21 by IANA.

   We suppose that the initiator's Diffie-Hellman private key is

   i:
      0037ADE9 319A89F4 DABDB3EF 411AACCC A5123C61 ACAB57B5 393DCE47 608172A0
      95AA85A3 0FE1C295 2C6771D9 37BA9777 F5957B26 39BAB072 462F68C2 7A57382D
      4A52

   Then the public key is given by g^i=(gix,giy) where

   gix:
      0015417E 84DBF28C 0AD3C278 713349DC 7DF153C8 97A1891B D98BAB43 57C9ECBE
      E1E3BF42 E00B8E38 0AEAE57C 2D107564 94188594 2AF5A7F4 601723C4 195D176C
      ED3E

   giy:
      017CAE20 B6641D2E EB695786 D8C94614 6239D099 E18E1D5A 514C739D 7CB4A10A
      D8A78801 5AC405D7 799DC75E 7B7D5B6C F2261A6A 7F150743 8BF01BEB 6CA3926F
      9582

   The KEi payload is as follows.

      0000008C 00150000 0015417E 84DBF28C 0AD3C278 713349DC 7DF153C8 97A1891B
      D98BAB43 57C9ECBE E1E3BF42 E00B8E38 0AEAE57C 2D107564 94188594 2AF5A7F4
      601723C4 195D176C ED3E017C AE20B664 1D2EEB69 5786D8C9 46146239 D099E18E
      1D5A514C 739D7CB4 A10AD8A7 88015AC4 05D7799D C75E7B7D 5B6CF226 1A6A7F15
      07438BF0 1BEB6CA3 926F9582

   We suppose that the responder's Diffie-Hellman private key is

   r:
      0145BA99 A847AF43 793FDD0E 872E7CDF A16BE30F DC780F97 BCCC3F07 8380201E
      9C677D60 0B343757 A3BDBF2A 3163E4C2 F869CCA7 458AA4A4 EFFC311F 5CB15168
      5EB9

   Then the public key is given by g^r=(grx,gry) where

   grx:
      00D0B397 5AC4B799 F5BEA16D 5E13E9AF 971D5E9B 984C9F39 728B5E57 39735A21
      9B97C356 436ADC6E 95BB0352 F6BE64A6 C2912D4E F2D0433C ED2B6171 640012D9
      460F

   gry:
      015C6822 6383956E 3BD066E7 97B623C2 7CE0EAC2 F551A10C 2C724D98 52077B87
      220B6536 C5C408A1 D2AEBB8E 86D678AE 49CB5709 1F473229 6579AB44 FCD17F0F
      C56A

   The KEr payload is as follows.
      0000008C 00150000 00D0B397 5AC4B799 F5BEA16D 5E13E9AF 971D5E9B 984C9F39
      728B5E57 39735A21 9B97C356 436ADC6E 95BB0352 F6BE64A6 C2912D4E F2D0433C
      ED2B6171 640012D9 460F015C 68226383 956E3BD0 66E797B6 23C27CE0 EAC2F551
      A10C2C72 4D985207 7B87220B 6536C5C4 08A1D2AE BB8E86D6 78AE49CB 57091F47
      32296579 AB44FCD1 7F0FC56A

   The shared secret value g^ir=(girx,giry) where

   girx:
      01144C7D 79AE6956 BC8EDB8E 7C787C45 21CB086F A64407F9 7894E5E6 B2D79B04
      D1427E73 CA4BAA24 0A347868 59810C06 B3C715A3 A8CC3151 F2BEE417 996D19F3
      DDEA

   giry:
      01B901E6 B17DB294 7AC017D8 53EF1C16 74E5CFE5 9CDA18D0 78E05D1B 5242ADAA
      9FFC3C63 EA05EDB1 E13CE5B3 A8E50C3E B622E8DA 1B38E0BD D1F88569 D6C99BAF
      FA43

   These are concatenated to form

   g^ir:
      01144C7D 79AE6956 BC8EDB8E 7C787C45 21CB086F A64407F9 7894E5E6 B2D79B04
      D1427E73 CA4BAA24 0A347868 59810C06 B3C715A3 A8CC3151 F2BEE417 996D19F3
      DDEA01B9 01E6B17D B2947AC0 17D853EF 1C1674E5 CFE59CDA 18D078E0 5D1B5242
      ADAA9FFC 3C63EA05 EDB1E13C E5B3A8E5 0C3EB622 E8DA1B38 E0BDD1F8 8569D6C9
      9BAFFA43

   This is the value which is used in the formation of SKEYSEED.

9. References

9.1 Normative

   [IANA-IKE] Internet Assigned Numbers Authority, Internet Key Exchange
      (IKE) Attributes.  (http://www.iana.org/assignments/ipsec-registry)

   [IANA-IKEv2] IKEv2 Parameters.
      (http://www.iana.org/assignments/ikev2-parameters)

   [IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC 2409,
      November 1998.

   [IKEv2] C. Kaufman, Internet Key Exchange (IKEv2) Protocol, RFC 4306,
      December 2005.

9.2 Informative

   [AES] U.S. Department of Commerce/National Institute of Standards
      and Technology, Advanced Encryption Standard (AES), FIPS PUB 197,
      November 2001.  (http://csrc.nist.gov/publications/fips/index.html)

   [DSS] U.S. Department of Commerce/National Institute of Standards
      and Technology, Digital Signature Standard (DSS), FIPS PUB 186-2,
      January 2000.  (http://csrc.nist.gov/publications/fips/index.html)

   [GMN] J. Solinas, Generalized Mersenne Numbers, Combinatorics
      and Optimization Research Report 99-39, 1999.
      (http://www.cacr.math.uwaterloo.ca/)

   [IEEE-1363] Institute of Electrical and Electronics Engineers.  IEEE
      1363-2000, Standard for Public Key Cryptography.
      (http://grouper.ieee.org/groups/1363/index.html)

   [ISO-14888-3] International Organization for Standardization and
      International Electrotechnical Commission, ISO/IEC First
      Committee Draft 14888-3 (2nd ed.), Information Technology:
      Security Techniques: Digital Signatures with Appendix: Part 3 -
      Discrete Logarithm Based Mechanisms.

   [ISO-15946-1] International Organization for Standardization and
      International Electrotechnical Commission, ISO/IEC 15946-1:
      2002-12-01, Information Technology: Security Techniques:
      Cryptographic Techniques based on Elliptic Curves: Part 1 -
      General.

   [ISO-15946-2] International Organization for Standardization and
      International Electrotechnical Commission, ISO/IEC 15946-2:
      2002-12-01, Information Technology: Security Techniques:
      Cryptographic Techniques based on Elliptic Curves: Part 2 -
      Digital Signatures.

   [ISO-15946-3] International Organization for Standardization and
      International Electrotechnical Commission, ISO/IEC 15946-3:
      2002-12-01, Information Technology: Security Techniques:
      Cryptographic Techniques based on Elliptic Curves: Part 3 -
      Key Establishment.

   [ISO-15946-4] International Organization for Standardization and
      International Electrotechnical Commission, ISO/IEC 15946-4:
      2004-10-01, Information Technology: Security Techniques:
      Cryptographic Techniques based on Elliptic Curves: Part 4 -
      Digital Signatures giving Message Recovery.
   [ISO-18031] International Organization for Standardization and
      International Electrotechnical Commission, ISO/IEC Final
      Committee Draft 18031, Information Technology: Security
      Techniques: Random Bit Generation, October 2004.

   [NIST] U.S. Department of Commerce/National Institute of Standards
      and Technology.  Recommendation for Key Establishment Schemes
      Using Discrete Logarithm Cryptography, NIST Special Publication
      800-56.  (http://csrc.nist.gov/CryptoToolkit/KeyMgmt.html)

   [RFC-3526] T. Kivinen and M. Kojo, More Modular Exponential MODP
      Diffie-Hellman groups for Internet Key Exchange (IKE), RFC
      3526, May 2003.

   [SEC2] Standards for Efficient Cryptography Group.  SEC 2 -
      Recommended Elliptic Curve Domain Parameters, v. 1.0, 2000.
      (http://www.secg.org)

   [X9.62-1998] American National Standards Institute, X9.62-1998:
      Public Key Cryptography for the Financial Services Industry: The
      Elliptic Curve Digital Signature Algorithm.  January 1999.

   [X9.62-2003] American National Standards Institute, X9.62-1998:
      Public Key Cryptography for the Financial Services Industry: The
      Elliptic Curve Digital Signature Algorithm,
      Revised-Draft-2003-02-26, February 2003.

   [X9.63] American National Standards Institute.  X9.63-2001,
      Public Key Cryptography for the Financial Services Industry: Key
      Agreement and Key Transport using Elliptic Curve Cryptography.
      November 2001.

10. Authors' Addresses

   David E. Fu
   National Information Assurance Research Laboratory
   National Security Agency
   defu@orion.ncsc.mil

   Jerome A. Solinas
   National Information Assurance Research Laboratory
   National Security Agency
   jasolin@orion.ncsc.mil

   Comments are solicited and should be addressed to the authors.

Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.