draft-ietf-ipsecme-safecurves-00.txt | draft-ietf-ipsecme-safecurves-01.txt | |||
---|---|---|---|---|
Network Working Group Y. Nir | Network Working Group Y. Nir | |||
Internet-Draft Check Point | Internet-Draft Check Point | |||
Intended status: Standards Track S. Josefsson | Intended status: Standards Track S. Josefsson | |||
Expires: March 11, 2016 SJD | Expires: August 5, 2016 SJD | |||
September 8, 2015 | February 2, 2016 | |||
Curve25519 and Curve448 for IKEv2 Key Agreement | Curve25519 and Curve448 for IKEv2 Key Agreement | |||
draft-ietf-ipsecme-safecurves-00 | draft-ietf-ipsecme-safecurves-01 | |||
Abstract | Abstract | |||
This document describes the use of Curve25519 and Curve448 for | This document describes the use of Curve25519 and Curve448 for | |||
ephemeral key exchange in the Internet Key Exchange (IKEv2) protocol. | ephemeral key exchange in the Internet Key Exchange (IKEv2) protocol. | |||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
skipping to change at page 1, line 32 | skipping to change at page 1, line 32 | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on March 11, 2016. | This Internet-Draft will expire on August 5, 2016. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
skipping to change at page 2, line 15 | skipping to change at page 2, line 15 | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
1.1. Conventions Used in This Document . . . . . . . . . . . . 2 | 1.1. Conventions Used in This Document . . . . . . . . . . . . 2 | |||
2. Curve25519 & Curve448 . . . . . . . . . . . . . . . . . . . . 2 | 2. Curve25519 & Curve448 . . . . . . . . . . . . . . . . . . . . 2 | |||
3. Use and Negotiation in IKEv2 . . . . . . . . . . . . . . . . 3 | 3. Use and Negotiation in IKEv2 . . . . . . . . . . . . . . . . 3 | |||
3.1. Key Exchange Payload . . . . . . . . . . . . . . . . . . 3 | 3.1. Key Exchange Payload . . . . . . . . . . . . . . . . . . 3 | |||
3.2. Recipient Tests . . . . . . . . . . . . . . . . . . . . . 4 | 3.2. Recipient Tests . . . . . . . . . . . . . . . . . . . . . 4 | |||
4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | |||
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | |||
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 | |||
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
7.1. Normative References . . . . . . . . . . . . . . . . . . 5 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 5 | |||
7.2. Informative References . . . . . . . . . . . . . . . . . 5 | 7.2. Informative References . . . . . . . . . . . . . . . . . 5 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
1. Introduction | 1. Introduction | |||
[CFRG-Curves] describes the two elliptic curves Curve25519 and | [RFC7748] describes two elliptic curves: Curve25519 and Curve448, as | |||
Curve448 and the X25519 and X448 functions for performing Diffie- | well as the X25519 and X448 functions for performing key agreement | |||
Hellman operations on the curves. The curves and functions are | (Diffie-Hellman) operations with these curves. The curves and | |||
designed with performance and security in mind. | functions are designed for both performance and security. | |||
Almost ten years ago [RFC4753] specified the first elliptic curve | Almost ten years ago [RFC4753] specified the first elliptic curve | |||
Diffie-Hellman groups for the Internet Key Exchange protocol (IKEv2 - | Diffie-Hellman groups for the Internet Key Exchange protocol (IKEv2 - | |||
[RFC7296]). These were the so-called NIST curves. The state of the | [RFC7296]). These were the so-called NIST curves. The state of the | |||
art has advanced since then. More modern curves allow faster | art has advanced since then. More modern curves allow faster | |||
implementations while making it much easier to write constant-time | implementations while making it much easier to write constant-time | |||
implementations free from side-channel attacks. This document | implementations free from time-based side-channel attacks. This | |||
defines such a curve for use in IKE. See [Curve25519] for details | document defines two such curves for use in IKE. See [Curve25519] | |||
about the speed and security of the Curve25519 function. | for details about the speed and security of the Curve25519 function. | |||
1.1. Conventions Used in This Document | 1.1. Conventions Used in This Document | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
2. Curve25519 & Curve448 | 2. Curve25519 & Curve448 | |||
All cryptographic computations are done using the X25519 and X448 | All cryptographic computations are done using the X25519 and X448 | |||
functions defined in [CFRG-Curves]. All related parameters (for | functions defined in [RFC7748]. All related parameters (for example, | |||
example, the base point) and the encoding (in particular, pruning the | the base point) and the encoding (in particular, pruning the least/ | |||
least/most significant bits and use of little-endian encoding) are | most significant bits and use of little-endian encoding) are | |||
inherited from [CFRG-Curves]. | inherited from [RFC7748]. | |||
An ephemeral Diffie-Hellman key exchange using Curve25519 or Curve448 | An ephemeral Diffie-Hellman key exchange using Curve25519 or Curve448 | |||
goes as follows: Each party picks a secret key d uniformly at random | goes as follows: Each party picks a secret key d uniformly at random | |||
and computes the corresponding public key. "X" is used below to | and computes the corresponding public key. "X" is used below to | |||
denote either X25519 or X448: | denote either X25519 or X448, and "G" is used to denote the | |||
corresponding base point: | ||||
x_mine = X(d, G) | pub_mine = X(d, G) | |||
Parties exchange their public keys (see Section 3.1) and compute a | Parties exchange their public keys (see Section 3.1) and compute a | |||
shared secret: | shared secret: | |||
SHARED_SECRET = X(d, x_peer). | SHARED_SECRET = X(d, pub_peer). | |||
This shared secret is used directly as the value denoted g^ir in | This shared secret is used directly as the value denoted g^ir in | |||
section 2.14 of RFC 7296. It is 32 octets when Curve25519 is used, | section 2.14 of RFC 7296. It is 32 octets when Curve25519 is used, | |||
and 56 octets when Curve448 is used. | and 56 octets when Curve448 is used. | |||
3. Use and Negotiation in IKEv2 | 3. Use and Negotiation in IKEv2 | |||
The use of Curve25519 and Curve448 in IKEv2 is negotiated using a | The use of Curve25519 and Curve448 in IKEv2 is negotiated using a | |||
Transform Type 4 (Diffie-Hellman group) in the SA payload of either | Transform Type 4 (Diffie-Hellman group) in the SA payload of either | |||
an IKE_SA_INIT or a CREATE_CHILD_SA exchange. | an IKE_SA_INIT or a CREATE_CHILD_SA exchange. The value xx is used | |||
for the group defined by Curve25519 and yy is used for the group | ||||
defined by Curve448. Both are TBA by IANA. | ||||
3.1. Key Exchange Payload | 3.1. Key Exchange Payload | |||
The diagram for the Key Exchange Payload from section 3.4 of RFC 7296 | The diagram for the Key Exchange Payload from section 3.4 of RFC 7296 | |||
is copied below for convenience: | is copied below for convenience: | |||
1 2 3 | 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Next Payload |C| RESERVED | Payload Length | | | Next Payload |C| RESERVED | Payload Length | | |||
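Review bot: in the revised Section 2 (the paragraph that now introduces "G" and renames x_mine to pub_mine), "picks a secret key d uniformly at random" reads as if the raw random bytes are used as the scalar, while the paragraph just above says the pruning of the least/most significant bits is inherited from [RFC7748]; state explicitly that d is the pruned scalar, or that X(d, G) applies the RFC 7748 scalar decoding to d, so an implementer does not skip the pruning step. Separately, the new Section 3 sentence "The value xx is used for the group defined by Curve25519 and yy is used for the group defined by Curve448. Both are TBA by IANA." duplicates the bullet in Section 3.1 ("xx for Curve25519, or yy for Curve448 (both TBA by IANA)"); naming the placeholders once, for example as TBD1 and TBD2, gives the RFC Editor a single string to replace in both places.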
skipping to change at page 3, line 47 | skipping to change at page 3, line 50 | |||
~ Key Exchange Data ~ | ~ Key Exchange Data ~ | |||
| | | | | | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
o Payload Length - For Curve25519 the public key is 32 octets, so | o Payload Length - For Curve25519 the public key is 32 octets, so | |||
the Payload Length field will be 40, and for Curve448 the public | the Payload Length field will be 40, and for Curve448 the public | |||
key is 56 octets, so the Payload Length field will be 64. | key is 56 octets, so the Payload Length field will be 64. | |||
o The Diffie-Hellman Group Num is xx for Curve25519, or yy for | o The Diffie-Hellman Group Num is xx for Curve25519, or yy for | |||
Curve448 (both TBA by IANA). | Curve448 (both TBA by IANA). | |||
o The Key Exchange Data is the 32 or 56 octets as described in | o The Key Exchange Data is the 32 or 56 octets as described in | |||
section 6 of [CFRG-Curves] | section 6 of [RFC7748] | |||
3.2. Recipient Tests | 3.2. Recipient Tests | |||
This document match the discussion in [CFRG-Curves] related to | This document matches the discussion in [RFC7748] related to | |||
receiving and accepting incompatible point formats. In particular, | receiving and accepting incompatible point formats. In particular, | |||
receiving entities MUST mask the most-significant bit in the final | receiving entities MUST mask the most-significant bit in the final | |||
byte for X25519 (but not X448), and implementations MUST accept non- | byte for X25519 (but not X448), and implementations MUST accept non- | |||
canonical values. See section 5 of [CFRG-Curves] for further | canonical values. See section 5 of [RFC7748] for further discussion. | |||
discussion. | ||||
4. Security Considerations | 4. Security Considerations | |||
Curve25519 and Curve448 are designed to facilitate the production of | Curve25519 and Curve448 are designed to facilitate the production of | |||
high-performance constant-time implementations. Implementors are | high-performance constant-time implementations. Implementors are | |||
encouraged to use a constant-time implementation of the functions. | encouraged to use a constant-time implementation of the functions. | |||
This point is of crucial importance if the implementation chooses to | This point is of crucial importance if the implementation chooses to | |||
reuse its supposedly ephemeral key pair for many key exchanges, which | reuse its supposedly ephemeral key pair for many key exchanges, which | |||
some implementations do in order to improve performance. | some implementations do in order to improve performance. | |||
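Review bot: Section 3.2 covers masking the most-significant bit for X25519 and accepting non-canonical values, but is silent on the other recipient check RFC 7748 Section 6.1 describes, aborting when the computed shared secret is the all-zero value (the output produced by a low-order peer public key). Since Section 2 feeds SHARED_SECRET directly into g^ir and Section 4 explicitly tolerates reusing the "ephemeral" key pair across many exchanges, the draft should say whether implementations MAY or SHOULD perform that check and abort the exchange, and the Recipient Tests registry field (Section 5) should then point at text that actually lists it. Also, Section 4 says implementors "are encouraged to" use constant-time implementations; given that Section 1.1 imports the RFC 2119 key words, "SHOULD use" would make the requirement level explicit rather than leaving it as advice.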
skipping to change at page 5, line 7 | skipping to change at page 4, line 50 | |||
5. IANA Considerations | 5. IANA Considerations | |||
IANA is requested to assign two values from the IKEv2 "Transform Type | IANA is requested to assign two values from the IKEv2 "Transform Type | |||
4 - Diffie-Hellman Group Transform IDs" registry, with names | 4 - Diffie-Hellman Group Transform IDs" registry, with names | |||
"Curve25519" and "Curve448" and this document as reference. The | "Curve25519" and "Curve448" and this document as reference. The | |||
Recipient Tests field should also point to this document. | Recipient Tests field should also point to this document. | |||
6. Acknowledgements | 6. Acknowledgements | |||
Curve25519 was designed by D. J. Bernstein and Curve448 | Curve25519 was designed by D. J. Bernstein and the parameters for | |||
("Goldilocks") is by Mike Hamburg. The specification of algorithms, | Curve448 ("Goldilocks") is by Mike Hamburg. The specification of | |||
wire format and other considerations are due to the CFRG document. | algorithms, wire format and other considerations are in RFC 7748 by | |||
Adam Langley, Mike Hamburg, and Sean Turner. | ||||
7. References | 7. References | |||
7.1. Normative References | 7.1. Normative References | |||
[CFRG-Curves] | ||||
Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves | ||||
for Security", draft-irtf-cfrg-curves-06 (work in | ||||
progress), August 2015. | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
[RFC7296] Kivinen, T., Kaufman, C., Hoffman, P., Nir, Y., and P. | [RFC7296] Kivinen, T., Kaufman, C., Hoffman, P., Nir, Y., and P. | |||
Eronen, "Internet Key Exchange Protocol Version 2 | Eronen, "Internet Key Exchange Protocol Version 2 | |||
(IKEv2)", RFC 7296, October 2014. | (IKEv2)", RFC 7296, October 2014. | |||
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves | ||||
for Security", RFC 7748, January 2016. | ||||
7.2. Informative References | 7.2. Informative References | |||
[Curve25519] | [Curve25519] | |||
Bernstein, J., "Curve25519: New Diffie-Hellman Speed | Bernstein, J., "Curve25519: New Diffie-Hellman Speed | |||
Records", LNCS 3958, February 2006, | Records", LNCS 3958, February 2006, | |||
<http://dx.doi.org/10.1007/11745853_14>. | <http://dx.doi.org/10.1007/11745853_14>. | |||
[RFC4753] Fu, D. and J. Solinas, "ECP Groups For IKE and IKEv2", RFC | [RFC4753] Fu, D. and J. Solinas, "ECP Groups For IKE and IKEv2", | |||
4753, January 2007. | RFC 4753, January 2007. | |||
[RFC6954] Merkle, J. and M. Lochter, "Using the Elliptic Curve | [RFC6954] Merkle, J. and M. Lochter, "Using the Elliptic Curve | |||
Cryptography (ECC) Brainpool Curves for the Internet Key | Cryptography (ECC) Brainpool Curves for the Internet Key | |||
Exchange Protocol Version 2 (IKEv2)", RFC 6954, July 2013. | Exchange Protocol Version 2 (IKEv2)", RFC 6954, July 2013. | |||
Authors' Addresses | Authors' Addresses | |||
Yoav Nir | Yoav Nir | |||
Check Point Software Technologies Ltd. | Check Point Software Technologies Ltd. | |||
5 Hasolelim st. | 5 Hasolelim st. | |||
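Review bot: the [Curve25519] entry under 7.2 still reads "Bernstein, J." while the Acknowledgements credit "D. J. Bernstein"; the initials in the reference should match the paper's author. In the new Acknowledgements text, "the parameters for Curve448 ("Goldilocks") is by Mike Hamburg" needs "are" for the plural subject. [RFC6954] is listed as an informative reference but no citation of it is visible in this diff; if the citation sits in one of the skipped unchanged regions that is fine, otherwise the entry should be dropped.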
End of changes. 19 change blocks. | ||||
35 lines changed or deleted | 36 lines changed or added | |||
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |