Network Working Group                                             D. Fu
Request for Comments: 4754                                   J. Solinas
Category: Standards Track                                           NSA
                                                           January 2007
IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document describes how the Elliptic Curve Digital Signature Algorithm (ECDSA) may be used as the authentication method within the Internet Key Exchange (IKE) and Internet Key Exchange version 2 (IKEv2) protocols. ECDSA may provide benefits including computational efficiency, small signature sizes, and minimal bandwidth compared to other available digital signature methods. This document adds ECDSA capability to IKE and IKEv2 without introducing any changes to existing IKE operation.
The Internet Key Exchange, or IKE [IKE], is a key agreement and security negotiation protocol; it is used for key establishment in IPsec. In the initial set of exchanges, both parties must authenticate each other using a negotiated authentication method. In the original version of IKE, this occurs in Phase 1; in IKEv2, it occurs in the exchange called IKE-AUTH. One option for the authentication method is digital signatures using public key cryptography. Currently, two digital signature methods are defined for use within Phase 1 and IKE-AUTH: RSA signatures and Digital Signature Standard (DSS) signatures, i.e., signatures using the Digital Signature Algorithm (DSA). This document introduces ECDSA signatures as a third method.
For any given level of security against the best attacks known, ECDSA signatures are smaller than RSA signatures, and ECDSA keys require less bandwidth than DSA keys [LV]; there are also advantages of computational speed and efficiency in many settings. Additional efficiency may be gained by simultaneously using ECDSA for IKE/IKEv2 authentication and using elliptic curve groups for the IKE/IKEv2 key exchange. Implementers of IPsec and IKE/IKEv2 may therefore find it desirable to use ECDSA as the Phase 1/IKE-AUTH authentication method.
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the DSA (DSS) signature method [DSS]. It is defined in the ANSI X9.62 standard [X9.62-2005]. Other compatible specifications include FIPS 186-2 [DSS], IEEE 1363 [IEEE-1363], IEEE 1363A [IEEE-1363A], and SEC1 [SEC].
ECDSA signatures are smaller than RSA signatures of similar cryptographic strength. ECDSA public keys (and certificates) are smaller than similar strength DSA keys, resulting in improved communications efficiency. Furthermore, on many platforms, ECDSA operations can be computed more quickly than similar strength RSA or DSA operations (see [LV] for a security analysis of key sizes across public key algorithms). These advantages of signature size, bandwidth, and computational efficiency may make ECDSA an attractive choice for many IKE and IKEv2 implementations.
The original IKE key negotiation protocol consists of two phases, Phase 1 and Phase 2. Within Phase 1, the two negotiating parties authenticate each other using either pre-shared keys, digital signatures, or public key encryption.
The IKEv2 key negotiation protocol begins with two exchanges, IKE-SA-INIT and IKE-AUTH. When not using extensible authentication, the IKE-AUTH exchange includes a digital signature or Message Authentication Code (MAC) on a block of data.
The IANA-assigned attribute number for authentication using generic ECDSA in IKE is 8 (see [IANA-IKE]), but the corresponding list of IKEv2 authentication methods does not include ECDSA (see [IANA-IKEv2]). Moreover, ECDSA cannot be specified for IKEv2 independently of an associated hash function since IKEv2 does not have a transform type for hash functions. For this reason, it is necessary to specify the hash function as part of the signature algorithm. Furthermore, the elliptic curve group must be specified since the choice of hash function depends on it as well. As a result, it is necessary to specify three signature algorithms, named ECDSA-256, ECDSA-384, and ECDSA-521. Each of these algorithms represents an instantiation of the ECDSA algorithm using a particular elliptic curve group and hash function. The three hash functions are specified in [SHS]. For reasons of consistency, this document defines the signatures for IKE in the same way.
   Digital Signature Algorithm   Elliptic Curve Group        Hash Function
   ---------------------------   --------------------------  -------------
   ECDSA-256                     256-bit random ECP group    SHA-256
   ECDSA-384                     384-bit random ECP group    SHA-384
   ECDSA-521                     521-bit random ECP group    SHA-512
The elliptic curve groups, including their base points, are specified in [IKE-ECP].
Since this document proposes new digital signatures for use within IKE and IKEv2, many of the security considerations contained within [IKE] and [IKEv2] apply here as well. Implementers should ensure that appropriate security measures are in place when they deploy ECDSA within IKE or IKEv2.
ECDSA-256, ECDSA-384, and ECDSA-521 are designed to offer security comparable with that of AES-128, AES-192, and AES-256, respectively.
IANA updated its registry of IPsec authentication methods in [IANA-IKE] and its registry of IKEv2 authentication methods in [IANA-IKEv2] to include ECDSA-256, ECDSA-384, and ECDSA-521.
When ECDSA-256, ECDSA-384, or ECDSA-521 is used as the digital signature in IKE or IKEv2, the signature payload SHALL contain an encoding of the computed signature consisting of the concatenation of a pair of integers r and s. The definitions of r and s are given in Section 8 of this document.
   Digital Signature   Bit Lengths   Bit Length
   Algorithm           of r and s    of Signature
   -----------------   -----------   ------------
   ECDSA-256           256           512
   ECDSA-384           384           768
   ECDSA-521           528           1056
The bit lengths of r and s are enforced, if necessary, by prepending zeros to the value. For ECDSA-521 this means each of r and s, which is at most 521 bits, is padded to 528 bits (66 octets), so the encoded signature is always exactly 132 octets.
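The fixed-width r||s encoding specified above, as an added example in Python (not code from the RFC). Encoding and decoding enforce the table's widths and reject components outside [1, q-1]; the group orders q are those of the three ECP groups of [IKE-ECP] (NIST P-256, P-384, P-521). A converter to and from the DER ECDSA-Sig-Value form (SEQUENCE of two INTEGERs) is included because that is what most cryptographic libraries produce and consume, whereas IKE requires the raw concatenation; the `rejects` helper only exists to exercise the checks.

```python
"""Fixed-width r||s encoding of the ECDSA signature payload for IKE/IKEv2
(RFC 4754), plus conversion to and from the DER ECDSA-Sig-Value form
(SEQUENCE { INTEGER r, INTEGER s }) that most crypto libraries emit.

Added example; not code from the RFC.
"""

# Group orders q of the 256/384/521-bit random ECP groups of RFC 4753
# (NIST P-256, P-384, P-521).
Q256 = int("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16)
Q384 = int("f" * 48 + "c7634d81f4372ddf581a0db248b0a77aecec196accc52973", 16)
Q521 = int("01" + "f" * 64
           + "fa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", 16)

# Octet width of each of r and s in the payload: 32, 48, 66 octets
# (256, 384, 528 bits), matching the table in RFC 4754.
ALGS = {"ECDSA-256": (32, Q256), "ECDSA-384": (48, Q384), "ECDSA-521": (66, Q521)}

def encode_ike_sig(alg, r, s):
    """Return r || s, each left-padded with zero octets to the fixed width."""
    width, q = ALGS[alg]
    for name, v in (("r", r), ("s", s)):
        if not 1 <= v < q:
            raise ValueError(f"{name} outside [1, q-1] for {alg}")
    return r.to_bytes(width, "big") + s.to_bytes(width, "big")

def decode_ike_sig(alg, payload):
    """Split a payload into (r, s); reject wrong length and out-of-range values."""
    width, q = ALGS[alg]
    if len(payload) != 2 * width:
        raise ValueError(f"{alg} signature must be {2 * width} octets, got {len(payload)}")
    r = int.from_bytes(payload[:width], "big")
    s = int.from_bytes(payload[width:], "big")
    if not (1 <= r < q and 1 <= s < q):
        raise ValueError("r or s outside [1, q-1]")
    return r, s

def _read_tlv(buf, pos, tag):
    """Read one DER TLV at pos; return (contents, position after it)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag")
    pos += 1
    if pos >= len(buf):
        raise ValueError("truncated DER length")
    n = buf[pos]
    pos += 1
    if n & 0x80:                      # long-form length; 1 or 2 octets suffice here
        k = n & 0x7F
        if not 1 <= k <= 2 or pos + k > len(buf):
            raise ValueError("bad DER length")
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    body = buf[pos:pos + n]
    if len(body) != n:
        raise ValueError("truncated DER contents")
    return body, pos + n

def _der_int_value(body):
    """Decode a DER INTEGER body, rejecting negatives and non-minimal encodings."""
    if not body or body[0] & 0x80:
        raise ValueError("DER INTEGER is empty or negative")
    if len(body) > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal DER INTEGER")
    return int.from_bytes(body, "big")

def der_to_ike(alg, der):
    """Convert a DER ECDSA-Sig-Value to the fixed-width IKE payload."""
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    rb, pos = _read_tlv(seq, 0, 0x02)
    sb, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("trailing bytes inside SEQUENCE")
    return encode_ike_sig(alg, _der_int_value(rb), _der_int_value(sb))

def _der_len(n):
    return bytes([n]) if n < 0x80 else b"\x81" + bytes([n])   # n < 256 for these sizes

def _der_int(v):
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body         # keep the INTEGER positive
    return b"\x02" + _der_len(len(body)) + body

def ike_to_der(alg, payload):
    """Convert the fixed-width IKE payload to a DER ECDSA-Sig-Value."""
    r, s = decode_ike_sig(alg, payload)
    body = _der_int(r) + _der_int(s)
    return b"\x30" + _der_len(len(body)) + body

def rejects(fn, *args):
    """True if fn(*args) raises ValueError; used to exercise the checks above."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

A receiver must treat a payload whose length is anything other than 2 x width as malformed rather than trying to guess where r ends, and must keep the range check on r and s even though the fixed width already bounds them: a zero component or one at or above q is never a valid signature.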
The following are examples of the IKEv2 authentication payload for each of the three signatures specified in this document.
The following notation is used. The Diffie-Hellman group is given by the elliptic curve y^2 = (x^3 - 3 x + b) modulo p. If (x,y) is a point on the curve (i.e., x and y satisfy the above equation), then (x,y)^n denotes the scalar multiple of the point (x,y) by the integer n; it is another point on the curve. In the literature, the scalar multiple is typically denoted n(x,y); the notation (x,y)^n is used to conform to the notation used in [IKE], [IKEv2], and [IKE-ECP].
The group order for the curve group is denoted q. The generator is denoted g=(gx,gy). The hash of the message is denoted h. The signer's static private key is denoted w; it is an integer in the range 1 to q-1. The signer's static public key is g^w=(gwx,gwy). The ephemeral private key is denoted k; it is an integer in the range 1 to q-1, chosen fresh for every signature. The ephemeral public key is g^k=(gkx,gky). The quantity kinv is the integer in the range 1 to q-1 such that k*kinv = 1 modulo q. The first signature component is denoted r; it is equal to gkx reduced modulo q. The second signature component is denoted s; it is equal to (h+r*w)*kinv reduced modulo q.
The test vectors below also include the data for verifying the ECDSA signature. The verifier computes h and the quantity sinv, which is the integer in the range 1 to q-1 such that s*sinv = 1 modulo q. The verifier computes
u = h*sinv modulo q and v = r*sinv modulo q.
The verifier computes (gx,gy)^u = (gux,guy) and (gwx,gwy)^v = (gwvx,gwvy). The verifier computes the sum
(sumx,sumy) = (gux,guy) + (gwvx,gwvy)
where + denotes addition of points on the elliptic curve. The signature is verified if
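The signing and verification steps just described, carried through in working Python with the document's own symbols (w, k, kinv, r, s, u, v, sumx). This is an added example, not the RFC's code or its test vectors: it uses the 256-bit random ECP group of [IKE-ECP] (NIST P-256) with SHA-256, i.e., ECDSA-256; the curve constants are NIST's; EXAMPLE_W and EXAMPLE_K are constructed for illustration only. The acceptance test at the end of verification is the standard ECDSA condition, sumx reduced modulo q equals r. The last function shows, using nothing but the formula for s, why k must be secret and fresh for every signature: two signatures made with the same k share r, and the two equations for s can be solved for the static private key w.

```python
"""ECDSA signing and verification in the notation of RFC 4754
(w, k, kinv, r, s, u, v, sumx) over the 256-bit random ECP group.

Added example, not code from the RFC.  The affine double-and-add below is
written for readability: it is variable-time and leaks through timing, so it
must never be used with real keys.  EXAMPLE_W and EXAMPLE_K are constructed
for illustration and are not the RFC's test vectors.
"""
import hashlib

# 256-bit random ECP group (NIST P-256, IKE group 19): y^2 = x^3 - 3x + B mod P
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
Q = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # group order q
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity

def on_curve(pt):
    """True if pt satisfies y^2 = x^3 - 3x + b (mod p); INF counts as on the curve."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x - 3 * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition (doubling when p1 == p2); the '+' of the RFC."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                                        # p1 == -p2
        lam = (3 * x1 * x1 - 3) * pow(2 * y1 % P, -1, P) % P  # tangent, a = -3
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def mul(pt, n):
    """(x,y)^n in RFC notation: scalar multiple by double-and-add."""
    result, addend = INF, pt
    while n:
        if n & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        n >>= 1
    return result

def hash_int(msg):
    """h: SHA-256 of the message as an integer (ECDSA-256 pairs P-256 with SHA-256)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(w, k, msg):
    """r = gkx mod q, s = (h + r*w) * kinv mod q.  k must be fresh and secret."""
    if not (1 <= w < Q and 1 <= k < Q):
        raise ValueError("w and k must lie in [1, q-1]")
    gkx, _gky = mul(G, k)                   # ephemeral public key g^k
    r = gkx % Q
    s = (hash_int(msg) + r * w) * pow(k, -1, Q) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; pick a new k")
    return r, s

def verify(gw, msg, r, s):
    """u = h*sinv, v = r*sinv; accept iff x-coordinate of g^u + (g^w)^v equals r mod q."""
    if not (1 <= r < Q and 1 <= s < Q):
        return False
    if gw is INF or not on_curve(gw):
        return False                        # reject malformed public keys
    sinv = pow(s, -1, Q)
    u = hash_int(msg) * sinv % Q
    v = r * sinv % Q
    total = add(mul(G, u), mul(gw, v))      # (sumx, sumy)
    return total is not INF and total[0] % Q == r

def recover_w_from_nonce_reuse(msg1, sig1, msg2, sig2):
    """If one k signed two messages (same r), solve the two s equations for w."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        raise ValueError("signatures do not share a nonce")
    h1, h2 = hash_int(msg1), hash_int(msg2)
    return (s2 * h1 - s1 * h2) * pow(r1 * (s1 - s2) % Q, -1, Q) % Q

# Constructed, deterministic example keys (NOT the RFC test vectors).
EXAMPLE_W = hash_int(b"constructed static private key") % (Q - 1) + 1
EXAMPLE_K = hash_int(b"constructed ephemeral key") % (Q - 1) + 1
EXAMPLE_GW = mul(G, EXAMPLE_W)              # static public key (gwx, gwy)

if __name__ == "__main__":
    r, s = sign(EXAMPLE_W, EXAMPLE_K, b"abc")
    print("verified:", verify(EXAMPLE_GW, b"abc", r, s))
```

The public-key check in `verify` matters in IKE because the peer's key arrives in its certificate or is configured out of band: a point that is not on the curve turns the verification equation into arithmetic on a different group and is never a legitimate key.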
[IKE-ECP] Fu, D. and J. Solinas, "ECP Groups for IKE and IKEv2", RFC 4753, January 2007.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[SHS] FIPS 180-2, "Secure Hash Standard", National Institute of Standards and Technology, 2002.
[X9.62-2005] American National Standards Institute, X9.62-2005: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA).
[DSS] U.S. Department of Commerce/National Institute of Standards and Technology, Digital Signature Standard (DSS), FIPS PUB 186-2, January 2000. (http://csrc.nist.gov/publications/fips/index.html)
[IEEE-1363A] Institute of Electrical and Electronics Engineers. IEEE 1363A-2004, Standard for Public Key Cryptography - Amendment 1: Additional Techniques. (http://grouper.ieee.org/groups/1363/index.html)
[LV] A. Lenstra and E. Verheul, "Selecting Cryptographic Key Sizes", Journal of Cryptology 14 (2001), pp. 255-293.
[SEC] Standards for Efficient Cryptography Group. SEC 1 - Elliptic Curve Cryptography, v. 1.0, 2000. (http://www.secg.org)
Authors' Addresses
David E. Fu National Information Assurance Research Laboratory National Security Agency
EMail: defu@orion.ncsc.mil
Jerome A. Solinas National Information Assurance Research Laboratory National Security Agency
EMail: jasolin@orion.ncsc.mil
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.