draft-solinas-rfc4753bis-01

INTERNET-DRAFT                                                   D. Fu
Obsoletes: 4753 (if approved)                                J. Solinas
Intended status: Informational                                      NSA
Expires: May 18, 2010                                 November 18, 2009

                     ECP Groups for IKE and IKEv2

Status of This Memo

This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

Copyright Notice

Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
Abstract

This document describes three Elliptic Curve Cryptography (ECC) groups for use in the Internet Key Exchange (IKE) and Internet Key Exchange version 2 (IKEv2) protocols in addition to previously defined groups. These groups are based on modular arithmetic rather than binary arithmetic. These groups are defined to align IKE and IKEv2 with other ECC implementations and standards, particularly NIST standards. In addition, the curves defined here can provide more efficient implementation than previously defined ECC groups. This document obsoletes RFC 4753.

Table of Contents

1. Introduction
2. Requirements Terminology
3. Additional ECC Groups
   3.1. 256-bit Random ECP Group
   3.2. 384-bit Random ECP Group
   3.3. 521-bit Random ECP Group
4. Security Considerations
5. Alignment with Other Standards
6. IANA Considerations
7. ECP Key Exchange Data Formats
8. Test Vectors
   8.1. 256-bit Random ECP Group
   8.2. 384-bit Random ECP Group
   8.3. 521-bit Random ECP Group
9. Changes from RFC 4753
10. References

1. Introduction

This document describes default Diffie-Hellman groups for use in IKE and IKEv2 in addition to the Oakley groups included in [IKE] and the additional groups defined since [IANA-IKE]. This document assumes that the reader is familiar with the IKE protocol and the concept of Oakley Groups, as defined in RFC 2409 [IKE].

RFC 2409 [IKE] defines five standard Oakley Groups: three modular exponentiation groups and two elliptic curve groups over GF[2^N]. One modular exponentiation group (768 bits - Oakley Group 1) is mandatory for all implementations to support, while the other four are optional. Nineteen additional groups subsequently have been defined and assigned values by IANA. All of these additional groups are optional.

The purpose of this document is to expand the options available to implementers of elliptic curve groups by adding three ECP groups (elliptic curve groups modulo a prime). The reasons for adding such groups include the following.

- The groups proposed afford efficiency advantages in software applications since the underlying arithmetic is integer arithmetic modulo a prime rather than binary field arithmetic. (Additional computational advantages for these groups are presented in [GMN].)

- The groups proposed encourage alignment with other elliptic curve standards. The proposed groups are among those standardized by NIST, the Standards for Efficient Cryptography Group (SECG), ISO, and ANSI. (See Section 5 for details.)

- The groups proposed are capable of providing security consistent with the Advanced Encryption Standard [AES].

In summary, due to the performance advantages of elliptic curve groups in IKE implementations and the need for further alignment with other standards, this document defines three elliptic curve groups based on modular arithmetic.

These groups were originally proposed in [RFC4753]. This document changes the format of the shared key produced by a Diffie-Hellman exchange using these groups. Section 9 provides more details of the changes from [RFC4753]. This document obsoletes RFC 4753.

2. Requirements Terminology

The keywords "MUST" and "SHOULD" that appear in this document are to be interpreted as described in [RFC2119].

3. Additional ECC Groups

The notation adopted in RFC 2409 [IKE] is used below to describe the groups proposed.

3.1. 256-bit Random ECP Group

IKE and IKEv2 implementations SHOULD support an ECP group with the following characteristics. The curve is based on the integers modulo the generalized Mersenne prime p given by

   p = 2^(256)-2^(224)+2^(192)+2^(96)-1

The equation for the elliptic curve is:

   y^2 = x^3 - 3 x + b

Field Size:
   256

Group Prime/Irreducible Polynomial:
   FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFF

Group Curve b:
   5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B

Group Order:
   FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551

The group was chosen verifiably at random using SHA-1 as specified in [IEEE-1363] from the seed:

   C49D3608 86E70493 6A6678E1 139D26B7 819F7E90

The generator for this group is given by g=(gx,gy) where

gx:
   6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296

gy:
   4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51F5

3.2. 384-bit Random ECP Group

IKE and IKEv2 implementations SHOULD support an ECP group with the following characteristics. The curve is based on the integers modulo the generalized Mersenne prime p given by

   p = 2^(384)-2^(128)-2^(96)+2^(32)-1

The equation for the elliptic curve is:

   y^2 = x^3 - 3 x + b

Field Size:
   384

Group Prime/Irreducible Polynomial:
   FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE
   FFFFFFFF 00000000 00000000 FFFFFFFF

Group Curve b:
   B3312FA7 E23EE7E4 988E056B E3F82D19 181D9C6E FE814112 0314088F 5013875A
   C656398D 8A2ED19D 2A85C8ED D3EC2AEF

Group Order:
   FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF C7634D81 F4372DDF
   581A0DB2 48B0A77A ECEC196A CCC52973

The group was chosen verifiably at random using SHA-1 as specified in [IEEE-1363] from the seed:

   A335926A A319A27A 1D00896A 6773A482 7ACDAC73

The generator for this group is given by g=(gx,gy) where

gx:
   AA87CA22 BE8B0537 8EB1C71E F320AD74 6E1D3B62 8BA79B98 59F741E0 82542A38
   5502F25D BF55296C 3A545E38 72760AB7

gy:
   3617DE4A 96262C6F 5D9E98BF 9292DC29 F8F41DBD 289A147C E9DA3113 B5F0B8C0
   0A60B1CE 1D7E819D 7A431D7C 90EA0E5F

3.3. 521-bit Random ECP Group

IKE and IKEv2 implementations SHOULD support an ECP group with the following characteristics. The curve is based on the integers modulo the Mersenne prime p given by

   p = 2^(521)-1

The equation for the elliptic curve is:

   y^2 = x^3 - 3 x + b

Field Size:
   521

Group Prime/Irreducible Polynomial:
   01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
   FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
   FFFF

Group Curve b:
   0051953E B9618E1C 9A1F929A 21A0B685 40EEA2DA 725B99B3 15F3B8B4 89918EF1
   09E15619 3951EC7E 937B1652 C0BD3BB1 BF073573 DF883D2C 34F1EF45 1FD46B50
   3F00

Group Order:
   01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
   FFFA5186 8783BF2F 966B7FCC 0148F709 A5D03BB5 C9B8899C 47AEBB6F B71E9138
   6409

The group was chosen verifiably at random using SHA-1 as specified in [IEEE-1363] from the seed:

   D09E8800 291CB853 96CC6717 393284AA A0DA64BA

The generator for this group is given by g=(gx,gy) where

gx:
   00C6858E 06B70404 E9CD9E3E CB662395 B4429C64 8139053F B521F828 AF606B4D
   3DBAA14B 5E77EFE7 5928FE1D C127A2FF A8DE3348 B3C1856A 429BF97E 7E31C2E5
   BD66

gy:
   01183929 6A789A3B C0045C8A 5FB42C7D 1BD998F5 4449579B 446817AF BD17273E
   662C97EE 72995EF4 2640C550 B9013FAD 0761353C 7086A272 C24088BE 94769FD1
   6650

4. Security Considerations

Since this document proposes groups for use within IKE and IKEv2, many of the security considerations contained within [IKE] and [IKEv2] apply here as well.

The groups proposed in this document correspond to the symmetric key sizes 128 bits, 192 bits, and 256 bits. This allows the IKE key exchange to offer security comparable with the AES algorithms [AES].

5. Alignment with Other Standards

The following table summarizes the appearance of these three elliptic curve groups in other standards.
                          256-bit         384-bit         521-bit
                          Random          Random          Random
Standard                  ECP Group       ECP Group       ECP Group
-----------               ------------    ------------    ------------

NIST [DSS]                P-256           P-384           P-521

ISO/IEC [ISO-15946-1]     P-256

ISO/IEC [ISO-18031]       P-256           P-384           P-521

ANSI [X9.62-1998]         Sect. J.5.3,
                          Example 1

ANSI [X9.62-2005]         Sect. L.6.4.3   Sect. L.6.5.2   Sect. L.6.6.2

ANSI [X9.63]              Sect. J.5.4,    Sect. J.5.5     Sect. J.5.6
                          Example 2

SECG [SEC2]               secp256r1       secp384r1       secp521r1

See also [NIST], [ISO-14888-3], [ISO-15946-2], [ISO-15946-3], and [ISO-15946-4].

6. IANA Considerations

IANA has updated its registries of Diffie-Hellman groups for IKE in [IANA-IKE] and for IKEv2 in [IANA-IKEv2] to include the groups defined above.

In [IANA-IKE], the groups appear as entries in the list of Diffie-Hellman groups given by Group Description (attribute class 4).

The descriptions are "256-bit random ECP group", "384-bit random ECP group", and "521-bit random ECP group". In each case, the group type (attribute class 5) has the value 2 (ECP, elliptic curve group over GF[P]).

In [IANA-IKEv2], the groups appear as entries in the list of IKEv2 transform type values for Transform Type 4 (Diffie-Hellman groups).

Upon adoption of this document as an RFC, these entries in both [IANA-IKE] and [IANA-IKEv2] should be updated. The update should consist of changing the reference from [RFC4753] to this document.

7. ECP Key Exchange Data Formats

In an ECP key exchange, the Diffie-Hellman public value passed in a KE payload consists of two components, x and y, corresponding to the coordinates of an elliptic curve point. Each component MUST have bit length as given in the following table.

Diffie-Hellman group          component bit length
------------------------      --------------------

256-bit Random ECP Group      256
384-bit Random ECP Group      384
521-bit Random ECP Group      528

This length is enforced, if necessary, by prepending the value with zeros.

The Diffie-Hellman public value is obtained by concatenating the x and y values.

The Diffie-Hellman shared secret value consists of the x value of the Diffie-Hellman common value.

These formats should be regarded as specific to ECP curves and may not be applicable to EC2N curves.

8. Test Vectors

The following are examples of the IKEv2 key exchange payload for each of the three groups specified in this document.

We denote by g^n the scalar multiple of the point g by the integer n; it is another point on the curve. In the literature, the scalar multiple is typically denoted ng; the notation g^n is used in order to conform to the notation used in [IKE] and [IKEv2].

8.1. 256-bit Random ECP Group

IANA assigned the ID value 19 to this Diffie-Hellman group.

We suppose that the initiator's Diffie-Hellman private key is

i:
   C88F01F5 10D9AC3F 70A292DA A2316DE5 44E9AAB8 AFE84049 C62A9C57 862D1433

Then the public key is given by g^i=(gix,giy) where

gix:
   DAD0B653 94221CF9 B051E1FE CA5787D0 98DFE637 FC90B9EF 945D0C37 72581180

giy:
   5271A046 1CDB8252 D61F1C45 6FA3E59A B1F45B33 ACCF5F58 389E0577 B8990BB3

The KEi payload is as follows.

   00000048 00130000 DAD0B653 94221CF9 B051E1FE CA5787D0 98DFE637 FC90B9EF
   945D0C37 72581180 5271A046 1CDB8252 D61F1C45 6FA3E59A B1F45B33 ACCF5F58
   389E0577 B8990BB3

We suppose that the responder's Diffie-Hellman private key is

r:
   C6EF9C5D 78AE012A 011164AC B397CE20 88685D8F 06BF9BE0 B283AB46 476BEE53

Then the public key is given by g^r=(grx,gry) where

grx:
   D12DFB52 89C8D4F8 1208B702 70398C34 2296970A 0BCCB74C 736FC755 4494BF63

gry:
   56FBF3CA 366CC23E 8157854C 13C58D6A AC23F046 ADA30F83 53E74F33 039872AB

The KEr payload is as follows.

   00000048 00130000 D12DFB52 89C8D4F8 1208B702 70398C34 2296970A 0BCCB74C
   736FC755 4494BF63 56FBF3CA 366CC23E 8157854C 13C58D6A AC23F046 ADA30F83
   53E74F33 039872AB

The Diffie-Hellman common value (girx,giry) is

girx:
   D6840F6B 42F6EDAF D13116E0 E1256520 2FEF8E9E CE7DCE03 812464D0 4B9442DE

giry:
   522BDE0A F0D8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5D98EDB2 0EB153A2

The Diffie-Hellman shared secret value is girx.

8.2. 384-bit Random ECP Group

IANA assigned the ID value 20 to this Diffie-Hellman group.

We suppose that the initiator's Diffie-Hellman private key is

i:
   099F3C70 34D4A2C6 99884D73 A375A67F 7624EF7C 6B3C0F16 0647B674 14DCE655
   E35B5380 41E649EE 3FAEF896 783AB194

Then the public key is given by g^i=(gix,giy) where

gix:
   667842D7 D180AC2C DE6F74F3 7551F557 55C7645C 20EF73E3 1634FE72 B4C55EE6
   DE3AC808 ACB4BDB4 C88732AE E95F41AA

giy:
   9482ED1F C0EEB9CA FC498462 5CCFC23F 65032149 E0E144AD A0241815 35A0F38E
   EB9FCFF3 C2C947DA E69B4C63 4573A81C

The KEi payload is as follows.

   00000068 00140000 667842D7 D180AC2C DE6F74F3 7551F557 55C7645C 20EF73E3
   1634FE72 B4C55EE6 DE3AC808 ACB4BDB4 C88732AE E95F41AA 9482ED1F C0EEB9CA
   FC498462 5CCFC23F 65032149 E0E144AD A0241815 35A0F38E EB9FCFF3 C2C947DA
   E69B4C63 4573A81C

We suppose that the responder's Diffie-Hellman private key is

r:
   41CB0779 B4BDB85D 47846725 FBEC3C94 30FAB46C C8DC5060 855CC9BD A0AA2942
   E0308312 916B8ED2 960E4BD5 5A7448FC

Then the public key is given by g^r=(grx,gry) where

grx:
   E558DBEF 53EECDE3 D3FCCFC1 AEA08A89 A987475D 12FD950D 83CFA417 32BC509D
   0D1AC43A 0336DEF9 6FDA41D0 774A3571

gry:
   DCFBEC7A ACF31964 72169E83 8430367F 66EEBE3C 6E70C416 DD5F0C68 759DD1FF
   F83FA401 42209DFF 5EAAD96D B9E6386C

The KEr payload is as follows.

   00000068 00140000 E558DBEF 53EECDE3 D3FCCFC1 AEA08A89 A987475D 12FD950D
   83CFA417 32BC509D 0D1AC43A 0336DEF9 6FDA41D0 774A3571 DCFBEC7A ACF31964
   72169E83 8430367F 66EEBE3C 6E70C416 DD5F0C68 759DD1FF F83FA401 42209DFF
   5EAAD96D B9E6386C

The Diffie-Hellman common value (girx,giry) is

girx:
   11187331 C279962D 93D60424 3FD592CB 9D0A926F 422E4718 7521287E 7156C5C4
   D6031355 69B9E9D0 9CF5D4A2 70F59746

giry:
   A2A9F38E F5CAFBE2 347CF7EC 24BDD5E6 24BC93BF A82771F4 0D1B65D0 6256A852
   C983135D 4669F879 2F2C1D55 718AFBB4

The Diffie-Hellman shared secret value is girx.

8.3. 521-bit Random ECP Group

IANA assigned the ID value 21 to this Diffie-Hellman group.

We suppose that the initiator's Diffie-Hellman private key is

i:
   0037ADE9 319A89F4 DABDB3EF 411AACCC A5123C61 ACAB57B5 393DCE47 608172A0
   95AA85A3 0FE1C295 2C6771D9 37BA9777 F5957B26 39BAB072 462F68C2 7A57382D
   4A52

Then the public key is given by g^i=(gix,giy) where

gix:
   0015417E 84DBF28C 0AD3C278 713349DC 7DF153C8 97A1891B D98BAB43 57C9ECBE
   E1E3BF42 E00B8E38 0AEAE57C 2D107564 94188594 2AF5A7F4 601723C4 195D176C
   ED3E

giy:
   017CAE20 B6641D2E EB695786 D8C94614 6239D099 E18E1D5A 514C739D 7CB4A10A
   D8A78801 5AC405D7 799DC75E 7B7D5B6C F2261A6A 7F150743 8BF01BEB 6CA3926F
   9582

The KEi payload is as follows.

   0000008C 00150000 0015417E 84DBF28C 0AD3C278 713349DC 7DF153C8 97A1891B
   D98BAB43 57C9ECBE E1E3BF42 E00B8E38 0AEAE57C 2D107564 94188594 2AF5A7F4
   601723C4 195D176C ED3E017C AE20B664 1D2EEB69 5786D8C9 46146239 D099E18E
   1D5A514C 739D7CB4 A10AD8A7 88015AC4 05D7799D C75E7B7D 5B6CF226 1A6A7F15
   07438BF0 1BEB6CA3 926F9582

We suppose that the responder's Diffie-Hellman private key is

r:
   0145BA99 A847AF43 793FDD0E 872E7CDF A16BE30F DC780F97 BCCC3F07 8380201E
   9C677D60 0B343757 A3BDBF2A 3163E4C2 F869CCA7 458AA4A4 EFFC311F 5CB15168
   5EB9

Then the public key is given by g^r=(grx,gry) where

grx:
   00D0B397 5AC4B799 F5BEA16D 5E13E9AF 971D5E9B 984C9F39 728B5E57 39735A21
   9B97C356 436ADC6E 95BB0352 F6BE64A6 C2912D4E F2D0433C ED2B6171 640012D9
   460F

gry:
   015C6822 6383956E 3BD066E7 97B623C2 7CE0EAC2 F551A10C 2C724D98 52077B87
   220B6536 C5C408A1 D2AEBB8E 86D678AE 49CB5709 1F473229 6579AB44 FCD17F0F
   C56A

The KEr payload is as follows.

   0000008C 00150000 00D0B397 5AC4B799 F5BEA16D 5E13E9AF 971D5E9B 984C9F39
   728B5E57 39735A21 9B97C356 436ADC6E 95BB0352 F6BE64A6 C2912D4E F2D0433C
   ED2B6171 640012D9 460F015C 68226383 956E3BD0 66E797B6 23C27CE0 EAC2F551
   A10C2C72 4D985207 7B87220B 6536C5C4 08A1D2AE BB8E86D6 78AE49CB 57091F47
   32296579 AB44FCD1 7F0FC56A

The Diffie-Hellman common value (girx,giry) is

girx:
   01144C7D 79AE6956 BC8EDB8E 7C787C45 21CB086F A64407F9 7894E5E6 B2D79B04
   D1427E73 CA4BAA24 0A347868 59810C06 B3C715A3 A8CC3151 F2BEE417 996D19F3
   DDEA

giry:
   01B901E6 B17DB294 7AC017D8 53EF1C16 74E5CFE5 9CDA18D0 78E05D1B 5242ADAA
   9FFC3C63 EA05EDB1 E13CE5B3 A8E50C3E B622E8DA 1B38E0BD D1F88569 D6C99BAF
   FA43

The Diffie-Hellman shared secret value is girx.

9. Changes from RFC 4753

Section 7 (ECP Key Exchange Data Formats) of [RFC4753] states that

   The Diffie-Hellman public value is obtained by concatenating the x and y values.

   The format of the Diffie-Hellman shared secret value is the same as that of the Diffie-Hellman public value.

This document replaces the second of these two paragraphs with the following:

   The Diffie-Hellman shared secret value consists of the x value of the Diffie-Hellman common value.

This change aligns the ECP key exchange format with that used in other standards.

This change appeared earlier as an erratum to RFC 4753. This document obsoletes that erratum.

Section 8 (Test Vectors) of [RFC4753] provides three examples of Diffie-Hellman key agreement using the ECP groups. This document changes the last paragraph of each subsection of Section 8 to reflect the new format.

10. References

10.1. Normative References

[IANA-IKE]     Internet Assigned Numbers Authority, Internet Key Exchange (IKE) Attributes.
               (http://www.iana.org/assignments/ipsec-registry)

[IANA-IKEv2]   IKEv2 Parameters.
               (http://www.iana.org/assignments/ikev2-parameters)

[IKE]          Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.

[IKEv2]        Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005.

[RFC2119]      Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC4753]      Fu, D. and J. Solinas, "ECP Groups for IKE and IKEv2", RFC 4753, November 2006.

10.2. Informative References

[AES]          U.S. Department of Commerce/National Institute of Standards and Technology, Advanced Encryption Standard (AES), FIPS PUB 197, November 2001.
               (http://csrc.nist.gov/publications/fips/index.html)

[DSS]          U.S. Department of Commerce/National Institute of Standards and Technology, Digital Signature Standard (DSS), FIPS PUB 186-2, January 2000.
               (http://csrc.nist.gov/publications/fips/index.html)

[GMN]          J. Solinas, Generalized Mersenne Numbers, Combinatorics and Optimization Research Report 99-39, 1999.
               (http://www.cacr.math.uwaterloo.ca/)

[IEEE-1363]    Institute of Electrical and Electronics Engineers. IEEE 1363-2000, Standard for Public Key Cryptography.
               (http://grouper.ieee.org/groups/1363/index.html)

[ISO-14888-3]  International Organization for Standardization and International Electrotechnical Commission, ISO/IEC 14888-3:2006, Information Technology: Security Techniques: Digital Signatures with Appendix: Part 3 - Discrete Logarithm Based Mechanisms.

[ISO-15946-1]  International Organization for Standardization and International Electrotechnical Commission, ISO/IEC 15946-1: 2002-12-01, Information Technology: Security Techniques: Cryptographic Techniques based on Elliptic Curves: Part 1 - General.

[ISO-15946-2]  International Organization for Standardization and International Electrotechnical Commission, ISO/IEC 15946-2: 2002-12-01, Information Technology: Security Techniques: Cryptographic Techniques based on Elliptic Curves: Part 2 - Digital Signatures.

[ISO-15946-3]  International Organization for Standardization and International Electrotechnical Commission, ISO/IEC 15946-3: 2002-12-01, Information Technology: Security Techniques: Cryptographic Techniques based on Elliptic Curves: Part 3 - Key Establishment.

[ISO-15946-4]  International Organization for Standardization and International Electrotechnical Commission, ISO/IEC 15946-4: 2004-10-01, Information Technology: Security Techniques: Cryptographic Techniques based on Elliptic Curves: Part 4 - Digital Signatures giving Message Recovery.

[ISO-18031]    International Organization for Standardization and International Electrotechnical Commission, ISO/IEC 18031:2005, Information Technology: Security Techniques: Random Bit Generation.

[NIST]         U.S. Department of Commerce/National Institute of Standards and Technology. Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, NIST Special Publication 800-56A, March 2006.
               (http://csrc.nist.gov/CryptoToolkit/KeyMgmt.html)

[RFC3526]      Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)", RFC 3526, May 2003.

[RFC4753]      Fu, D. and J. Solinas, "ECP Groups for IKE and IKEv2", RFC 4753, November 2006.

[SEC2]         Standards for Efficient Cryptography Group. SEC 2 - Recommended Elliptic Curve Domain Parameters, v. 1.0, 2000.
               (http://www.secg.org)

[X9.62-1998]   American National Standards Institute, X9.62-1998: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm. January 1999.

[X9.62-2005]   American National Standards Institute, X9.62:2005: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA).

[X9.63]        American National Standards Institute. X9.63-2001, Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport using Elliptic Curve Cryptography. November 2001.

Authors' Addresses

David E. Fu
National Information Assurance Research Laboratory
National Security Agency

Email: defu@orion.ncsc.mil

Jerome A. Solinas
National Information Assurance Research Laboratory
National Security Agency

Email: jasolin@orion.ncsc.mil
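The KE payload format of Section 7 and the Section 8 test vectors worked in code, as an added example that is not part of the draft or of any IKE implementation: it encodes and parses the IKEv2 KE payload for the 256-bit and 521-bit groups (the latter with its 528-bit zero-padded components), rejects a received public value that is not a point on the curve, checks the Section 3 generator and group order, and takes the shared secret as the x coordinate of the common value. The affine point arithmetic, the function names and the group table keyed by IANA ID are the example's own choices; the 384-bit group follows the same pattern and is not included.

```python
import struct
# Group parameters from Sections 3.1 and 3.3 of the draft; the curve is
# y^2 = x^3 - 3x + b (mod p).  Entry: (p, b, n, gx, gy, component length in bytes).
GROUPS = {
    19: (2**256 - 2**224 + 2**192 + 2**96 - 1,  # 256-bit random ECP group
         0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
         0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
         0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
         0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
         32),
    21: (2**521 - 1,  # 521-bit random ECP group; components are padded to 528 bits
         int("0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF1"
             "09E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00", 16),
         int("01" + "F" * 62 +  # group order: 01FFFF...FFFF followed by FFFA5186...6409
             "FFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16),
         int("00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D"
             "3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66", 16),
         int("011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E"
             "662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650", 16),
         66),
}

def on_curve(group, pt):
    # Reject coordinates out of range or a point that does not satisfy the curve equation.
    p, b = GROUPS[group][:2]
    x, y = pt
    return 0 <= x < p and 0 <= y < p and (y * y - (x * x * x - 3 * x + b)) % p == 0

def add(p, p1, p2):
    # Affine point addition modulo p; None stands for the point at infinity.
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, p) % p  # tangent slope, a = -3
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(group, k, pt):
    # Double-and-add scalar multiple; the draft writes the multiple k*g as g^k.
    p, acc = GROUPS[group][0], None
    while k:
        if k & 1:
            acc = add(p, acc, pt)
        pt = add(p, pt, pt)
        k >>= 1
    return acc

def check_group(group):
    # Section 3 parameter check: the generator lies on the curve and n*g is infinity.
    _, _, n, gx, gy, _ = GROUPS[group]
    return on_curve(group, (gx, gy)) and mul(group, n, (gx, gy)) is None

def encode_ke(group, pub):
    # KE payload: next payload, flags, length, DH group number, reserved, then x || y
    # with each coordinate left-padded with zeros to the component length (Section 7).
    size = GROUPS[group][5]
    body = pub[0].to_bytes(size, "big") + pub[1].to_bytes(size, "big")
    return struct.pack(">BBHHH", 0, 0, 8 + len(body), group, 0) + body

def decode_ke(payload):
    # Parse a KE payload, rejecting bad lengths, unknown groups and off-curve points.
    _, _, length, group, _ = struct.unpack(">BBHHH", payload[:8])
    size = GROUPS[group][5] if group in GROUPS else None
    if size is None or length != len(payload) or length != 8 + 2 * size:
        raise ValueError("malformed KE payload or unsupported DH group")
    x, y = (int.from_bytes(payload[8 + i * size:8 + (i + 1) * size], "big") for i in (0, 1))
    if not on_curve(group, (x, y)):
        raise ValueError("public value is not a point on the curve")
    return group, (x, y)

def shared_secret(priv, peer_payload):
    # Section 7: the shared secret is the x value of the Diffie-Hellman common value.
    group, peer = decode_ke(peer_payload)
    return mul(group, priv, peer)[0]
```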