summaryrefslogtreecommitdiff
path: root/doc/standardisation/draft-zhu-pkinit-ecc-01.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/standardisation/draft-zhu-pkinit-ecc-01.txt')
-rw-r--r--doc/standardisation/draft-zhu-pkinit-ecc-01.txt611
1 files changed, 0 insertions, 611 deletions
diff --git a/doc/standardisation/draft-zhu-pkinit-ecc-01.txt b/doc/standardisation/draft-zhu-pkinit-ecc-01.txt
deleted file mode 100644
index 37863bbd2..000000000
--- a/doc/standardisation/draft-zhu-pkinit-ecc-01.txt
+++ /dev/null
@@ -1,611 +0,0 @@
-
-
-
-NETWORK WORKING GROUP L. Zhu
-Internet-Draft K. Jaganathan
-Expires: September 3, 2006 K. Lauter
- Microsoft Corporation
- March 2, 2006
-
-
- ECC Support for PKINIT
- draft-zhu-pkinit-ecc-01
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on September 3, 2006.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This document describes the use of Elliptic Curve certificates,
- Elliptic Curve signature schemes and Elliptic Curve Diffie-Hellman
- (ECDH) key agreement within the framework of PKINIT - the Kerberos
- Version 5 extension that provides for the use of public key
- cryptography.
-
-
-
-
-
-Zhu, et al. Expires September 3, 2006 [Page 1]
-
-Internet-Draft ECC Support for PKINIT March 2006
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Conventions Used in This Document . . . . . . . . . . . . . . 3
- 3. Using Elliptic Curve Certificates and Elliptic Curve
- Signature Schemes . . . . . . . . . . . . . . . . . . . . . . 3
- 4. Using ECDH Key Exchange . . . . . . . . . . . . . . . . . . . 4
- 5. Choosing the Domain Parameters and the Key Size . . . . . . . 5
- 6. Interoperability Requirements . . . . . . . . . . . . . . . . 7
- 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7
- 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
- 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
- 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
- 10.1. Normative References . . . . . . . . . . . . . . . . . . 8
- 10.2. Informative References . . . . . . . . . . . . . . . . . 9
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
- Intellectual Property and Copyright Statements . . . . . . . . . . 11
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zhu, et al. Expires September 3, 2006 [Page 2]
-
-Internet-Draft ECC Support for PKINIT March 2006
-
-
-1. Introduction
-
- Elliptic Curve Cryptography (ECC) is emerging as an attractive
- public-key cryptosystem that provides security equivalent to
- currently popular public-key mechanisms such as RSA and DSA with
- smaller key sizes [LENSTRA] [NISTSP80057].
-
- Currently [PKINIT] permits the use of ECC algorithms but it does not
- specify how ECC parameters are chosen and how to derive the shared
- key for key delivery using Elliptic Curve Diffie-Hellman (ECDH)
- [IEEE1363] [X9.63].
-
- This document describes how to use Elliptic Curve certificates,
- Elliptic Curve signature schemes, and ECDH with [PKINIT]. However,
- it should be noted that there is no syntactic or semantic change to
- the existing [PKINIT] messages. Both the client and the KDC
- contribute one ECDH key pair using the key agrement protocol
- described in this document.
-
-
-2. Conventions Used in This Document
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC2119].
-
-
-3. Using Elliptic Curve Certificates and Elliptic Curve Signature
- Schemes
-
- ECC certificates and signature schemes can be used in the
- Cryptographic Message Syntax (CMS) [RFC3369] content type
- 'SignedData'.
-
- X.509 certificates [RFC3280] containing ECC public keys or signed
- using ECC signature schemes MUST comply with [RFC3279].
-
- The elliptic curve domain parameters recommended in [X9.62],
- [FIPS186-2], and [SECG] SHOULD be used.
-
- The signatureAlgorithm field of the CMS data type SignerInfo can
- contain one of the following ECC signature algorithm identifiers:
-
- ecdsa-with-Sha1 [ECCPKALGS]
- ecdsa-with-Sha256 [ECCPKALGS]
- ecdsa-with-Sha384 [ECCPKALGS]
- ecdsa-with-Sha512 [ECCPKALGS]
-
-
-
-
-Zhu, et al. Expires September 3, 2006 [Page 3]
-
-Internet-Draft ECC Support for PKINIT March 2006
-
-
- The corresponding digestAlgorithm field contains one of the following
- hash algorithm identifiers respectively:
-
- id-sha1 [RFC3279]
- id-sha256 [ECCPKALGS]
- id-sha384 [ECCPKALGS]
- id-sha512 [ECCPKALGS]
-
- Namely id-sha1 MUST be used in conjunction with ecdsa-with-Sha1, id-
- sha256 MUST be used in conjunction with ecdsa-with-Sha256, id-sha384
- MUST be used in conjunction with ecdsa-with-Sha384, and id-sha512
- MUST be used in conjunction with ecdsa-with-Sha512.
-
- Implementations of this specfication MUST support ecdsa-with-Sha256
- and SHOULD support ecdsa-with-Sha1.
-
-
-4. Using ECDH Key Exchange
-
- This section describes how ECDH can be used as the AS reply key
- delivery method [PKINIT]. Note that the protocol description here is
- similar to that of Modular Exponential Diffie-Hellman (MODP DH), as
- described in [PKINIT].
-
- If the client wishes to use ECDH key agreement method, it encodes its
- ECDH public key value and the domain parameters [IEEE1363] [X9.63]
- for its ECDH public key in clientPublicValue of the PA-PK-AS-REQ
- message [PKINIT].
-
- As described in [PKINIT], the ECDH domain parameters for the client's
- public key are specified in the algorithm field of the type
- SubjectPublicKeyInfo [RFC3279] and the client's ECDH public key value
- is mapped to a subjectPublicKey (a BIT STRING) according to
- [RFC3279].
-
- The following algorithm identifier is used to identify the client's
- choice of the ECDH key agreement method for key delivery.
-
- id-ecPublicKey (Elliptic Curve Diffie-Hellman [ECCPKALGS])
-
- If the domain parameters are not accepted by the KDC, the KDC sends
- back an error message [RFC4120] with the code
- KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED [PKINIT]. This error message
- contains the list of domain parameters acceptable to the KDC. This
- list is encoded as TD-DH-PARAMETERS [PKINIT], and it is in the KDC's
- decreasing preference order. The client can then pick a set of
- domain parameters from the list and retry the authentication.
-
-
-
-
-Zhu, et al. Expires September 3, 2006 [Page 4]
-
-Internet-Draft ECC Support for PKINIT March 2006
-
-
- Both the client and the KDC MUST have local policy that specifies
- which set of domain parameters are acceptable if they do not have a
- priori knowledge of the chosen domain parameters. The need for such
- local policy is explained in Section 7.
-
- If the ECDH domain parameters are accepted by the KDC, the KDC sends
- back its ECDH public key value in the subjectPublicKey field of the
- PA-PK-AS-REP message [PKINIT].
-
- As described in [PKINIT], the KDC's ECDH public key value is encoded
- as a BIT STRING according to [RFC3279].
-
- Note that in the steps above, the client can indicate to the KDC that
- it wishes to reuse ECDH keys or to allow the KDC to do so, by
- including the clientDHNonce field in the request [PKINIT], and the
- KDC can then reuse the ECDH keys and include serverDHNonce field in
- the reply [PKINIT]. This logic is the same as that of the Modular
- Exponential Diffie-Hellman key agreement method [PKINIT].
-
- If ECDH is negotiated as the key delivery method, then the PA-PK-AS-
- REP and AS reply key are generated as in Section 3.2.3.1 of [PKINIT]
- with the following difference: The DHSharedSecret is the x-coordinate
- of the shared secret value (an elliptic curve point); DHSharedSecret
- is the output of operation ECSVDP-DH as described in Section 7.2.1 of
- [IEEE1363].
-
- Both the client and KDC then proceed as described in [PKINIT] and
- [RFC4120].
-
- Lastly it should be noted that ECDH can be used with any certificates
- and signature schemes. However, a significant advantage of using
- ECDH together with ECC certificates and signature schemes is that the
- ECC domain parameters in the client or KDC certificates can be used.
- This obviates the need of locally preconfigured domain parameters as
- described in Section 7.
-
-
-5. Choosing the Domain Parameters and the Key Size
-
- The domain parameters and the key size should be chosen so as to
- provide sufficient cryptographic security [RFC3766]. The following
- table, based on table 2 on page 63 of NIST SP800-57 part 1
- [NISTSP80057], gives approximate comparable key sizes for symmetric-
- and asymmetric-key cryptosystems based on the best-known algorithms
- for attacking them.
-
-
-
-
-
-
-Zhu, et al. Expires September 3, 2006 [Page 5]
-
-Internet-Draft ECC Support for PKINIT March 2006
-
-
- Symmetric | ECC | RSA
- -------------+----------- +------------
- 80 | 160 - 223 | 1024
- 112 | 224 - 255 | 2048
- 128 | 256 - 383 | 3072
- 192 | 384 - 511 | 7680
- 256 | 512+ | 15360
-
- Table 1: Comparable key sizes (in bits)
-
- Thus, for example, when securing a 128-bit symmetric key, it is
- prudent to use 256-bit Elliptic Curve Cryptography (ECC), e.g. group
- P-256 (secp256r1) as described below.
-
- A set of ECDH domain parameters is also known as a curve. A curve is
- a named curve if the domain paratmeters are well known and can be
- identified by an Object Identifier, otherwise it is called a custom
- curve. [PKINIT] supports both named curves and custom curves, see
- Section 7 on the tradeoff of choosing between named curves and custom
- curves.
-
- The named curves recommended in this document are also recommended by
- NIST [FIPS186-2]. These fifteen ECC curves are given in the
- following table [FIPS186-2] [SECG].
-
- Description SEC 2 OID
- ----------------- ---------
-
- ECPRGF192Random group P-192 secp192r1
- EC2NGF163Random group B-163 sect163r2
- EC2NGF163Koblitz group K-163 sect163k1
-
- ECPRGF224Random group P-224 secp224r1
- EC2NGF233Random group B-233 sect233r1
- EC2NGF233Koblitz group K-233 sect233k1
-
- ECPRGF256Random group P-256 secp256r1
- EC2NGF283Random group B-283 sect283r1
- EC2NGF283Koblitz group K-283 sect283k1
-
- ECPRGF384Random group P-384 secp384r1
- EC2NGF409Random group B-409 sect409r1
- EC2NGF409Koblitz group K-409 sect409k1
-
- ECPRGF521Random group P-521 secp521r1
- EC2NGF571Random group B-571 sect571r1
- EC2NGF571Koblitz group K-571 sect571k1
-
-
-
-
-Zhu, et al. Expires September 3, 2006 [Page 6]
-
-Internet-Draft ECC Support for PKINIT March 2006
-
-
-6. Interoperability Requirements
-
- Implementations conforming to this specification MUST support curve
- P-256 and P-384.
-
-
-7. Security Considerations
-
- Kerberos error messages are not integrity protected, as a result, the
- domain parameters sent by the KDC as TD-DH-PARAMETERS can be tampered
- with by an attacker so that the set of domain parameters selected
- could be either weaker or not mutually preferred. Local policy can
- configure sets of domain parameters acceptable locally, or disallow
- the negotiation of ECDH domain parameters.
-
- Beyond elliptic curve size, the main issue is elliptic curve
- structure. As a general principle, it is more conservative to use
- elliptic curves with as little algebraic structure as possible - thus
- random curves are more conservative than special curves such as
- Koblitz curves, and curves over F_p with p random are more
- conservative than curves over F_p with p of a special form (and
- curves over F_p with p random might be considered more conservative
- than curves over F_2^m as there is no choice between multiple fields
- of similar size for characteristic 2). Note, however, that algebraic
- structure can also lead to implementation efficiencies and
- implementors and users may, therefore, need to balance conservatism
- against a need for efficiency. Concrete attacks are known against
- only very few special classes of curves, such as supersingular
- curves, and these classes are excluded from the ECC standards such as
- [IEEE1363] and [X9.62].
-
- Another issue is the potential for catastrophic failures when a
- single elliptic curve is widely used. In this case, an attack on the
- elliptic curve might result in the compromise of a large number of
- keys. Again, this concern may need to be balanced against efficiency
- and interoperability improvements associated with widely-used curves.
- Substantial additional information on elliptic curve choice can be
- found in [IEEE1363], [X9.62] and [FIPS186-2].
-
-
-8. IANA Considerations
-
- No IANA actions are required for this document.
-
-
-9. Acknowledgements
-
- The following people have made significant contributions to this
-
-
-
-Zhu, et al. Expires September 3, 2006 [Page 7]
-
-Internet-Draft ECC Support for PKINIT March 2006
-
-
- draft: Paul Leach, Dan Simon, Kelvin Yiu, David Cross, Sam Hartman,
- Tolga Acar, and Stefan Santesson.
-
-
-10. References
-
-10.1. Normative References
-
- [ECCPKALGS]
- RFC-Editor: To be replaced by RFC number for draft-ietf-
- pkix-ecc-pkalgs. Work in Progress.
-
- [FIPS186-2]
- NIST, "Digital Signature Standard", FIPS 186-2, 2000.
-
- [IEEE1363]
- IEEE, "Standard Specifications for Public Key Cryptography",
- IEEE 1363, 2000.
-
- [NISTSP80057]
- NIST, "Recommendation on Key Management",
- http://csrc.nist.gov/publications/nistpubs/, SP 800-57,
- August 2005.
-
-
-
-Zhu, et al. Expires September 3, 2006 [Page 8]
-
-Internet-Draft ECC Support for PKINIT March 2006
-
-
-
- [PKINIT] RFC-Editor: To be replaced by RFC number for draft-ietf-
- cat-kerberos-pk-init. Work in Progress.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and
- Identifiers for the Internet X.509 Public Key
- Infrastructure Certificate and Certificate Revocation List
- (CRL) Profile", RFC 3279, April 2002.
-
- [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
- X.509 Public Key Infrastructure Certificate and
- Certificate Revocation List (CRL) Profile", RFC 3280,
- April 2002.
-
- [RFC3369] Housley, R., "Cryptographic Message Syntax (CMS)",
- RFC 3369, August 2002.
-
- [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For
- Public Keys Used For Exchanging Symmetric Keys", BCP 86,
- RFC 3766, April 2004.
-
- [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
- Kerberos Network Authentication Service (V5)", RFC 4120,
- July 2005.
-
- [X9.62] ANSI, "Public Key Cryptography For The Financial Services
- Industry: The Elliptic Curve Digital Signature Algorithm
- (ECDSA)", ANSI X9.62, 1998.
-
- [X9.63] ANSI, "Public Key Cryptography for the Financial Services
- Industry: Key Agreement and Key Transport using Elliptic
- Curve Cryptography", ANSI X9.63, 2001.
-
-
-9.2. Informative References
-
- [LENSTRA] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
- Sizes", Journal of Cryptology 14 (2001) 255-293.
-
- [SECG] SECG, "Elliptic Curve Cryptography", SEC 1, 2000,
- <http://www.secg.org/>.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zhu, et al. Expires September 3, 2006 [Page 9]
-
-Internet-Draft ECC Support for PKINIT March 2006
-
-
-Authors' Addresses
-
- Larry Zhu
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052
- US
-
- Email: lzhu@microsoft.com
-
-
- Karthik Jaganathan
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052
- US
-
- Email: karthikj@microsoft.com
-
-
- Kristin Lauter
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052
- US
-
- Email: klauter@microsoft.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zhu, et al. Expires September 3, 2006 [Page 10]
-
-Internet-Draft ECC Support for PKINIT March 2006
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2006). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Zhu, et al. Expires September 3, 2006 [Page 11]
-
-
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-07 19:20:33 +0000