Network Working Group S. Turner Request for Comments: 5480 IECA Updates: 3279 D. Brown Category: Standards Track Certicom K. Yiu Microsoft R. Housley Vigil Security T. Polk NIST March 2009
Elliptic Curve Cryptography Subject Public Key Information
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
Abstract
This document specifies the syntax and semantics for the Subject Public Key Information field in certificates that support Elliptic Curve Cryptography. This document updates Sections 2.3.5 and 5, and the ASN.1 module of "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279.
Turner, et al. Standards Track [Page 1]
RFC 5480 ECC SubjectPublicKeyInfo Format March 2009
This document specifies the format of the subjectPublicKeyInfo field in X.509 certificates [PKI] that use Elliptic Curve Cryptography (ECC). It updates RFC 3279 [PKI-ALG]. This document specifies the encoding formats for public keys used with the following ECC algorithms:
o Elliptic Curve Digital Signature Algorithm (ECDSA);
o Elliptic Curve Diffie-Hellman (ECDH) family schemes; and
o Elliptic Curve Menezes-Qu-Vanstone (ECMQV) family schemes.
Two methods for specifying the algorithms that can be used with the subjectPublicKey are defined. One method allows the key to be used with any ECC algorithm, while the other method restricts the usage of the key to specific algorithms. To promote interoperability, this document indicates which is required to implement for Certification Authorities (CAs) that implement ECC algorithms and relying parties that claim to process ECC algorithms.
The ASN.1 [X.680] module in this document includes ASN.1 for ECC algorithms. It also includes ASN.1 for non-ECC algorithms defined in [PKI-ALG] and [PKI-ADALG], even though the associated text is unaffected. By updating all of the ASN.1 from [PKI-ALG] in this document, implementers only need to use the module found in this document.
Turner, et al. Standards Track [Page 2]
RFC 5480 ECC SubjectPublicKeyInfo Format March 2009
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [MUSTSHOULD].
In the X.509 certificate, the subjectPublicKeyInfo field has the SubjectPublicKeyInfo type, which has the following ASN.1 syntax:
SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }
The fields in SubjectPublicKeyInfo have the following meanings:
o algorithm is the algorithm identifier and parameters for the ECC public key.
o subjectPublicKey is the ECC public key. See Section 2.2.
The AlgorithmIdentifier type, which is included for convenience [PKI], is defined as follows:
AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL }
The fields in AlgorithmIdentifier have the following meanings:
o algorithm identifies the cryptographic algorithm with an object identifier. See Section 2.1.
o parameters, which are optional, are the associated parameters for the algorithm identifier in the algorithm field. See Section 2.1.1.
2.1. Elliptic Curve Cryptography Public Key Algorithm Identifiers
The algorithm field in the SubjectPublicKeyInfo structure [PKI] indicates the algorithm and any associated parameters for the ECC public key (see Section 2.2). Three algorithm identifiers are defined in this document:
Turner, et al. Standards Track [Page 3]
RFC 5480 ECC SubjectPublicKeyInfo Format March 2009
o id-ecPublicKey indicates that the algorithms that can be used with the subject public key are unrestricted. The key is only restricted by the values indicated in the key usage certificate extension (see Section 3). id-ecPublicKey MUST be supported. See Section 2.1.1. This value is also included in certificates when a public key is used with ECDSA.
o id-ecDH indicates that the algorithm that can be used with the subject public key is restricted to the Elliptic Curve Diffie- Hellman algorithm. See Section 2.1.2. id-ecDH MAY be supported.
o id-ecMQV indicates that the algorithm that can be used with the subject public key is restricted to the Elliptic Curve Menezes- Qu-Vanstone key agreement algorithm. See Section 2.1.2. id-ecMQV MAY be supported.
2.1.1. Unrestricted Algorithm Identifier and Parameters
The public key (ECPoint) syntax is described in Section 2.2.
The parameter for id-ecPublicKey is as follows and MUST always be present:
ECParameters ::= CHOICE { namedCurve OBJECT IDENTIFIER -- implicitCurve NULL -- specifiedCurve SpecifiedECDomain } -- implicitCurve and specifiedCurve MUST NOT be used in PKIX. -- Details for SpecifiedECDomain can be found in [X9.62]. -- Any future additions to this CHOICE should be coordinated -- with ANSI X9.
The fields in ECParameters have the following meanings:
o namedCurve identifies all the required values for a particular set of elliptic curve domain parameters to be represented by an object identifier. This choice MUST be supported. See Section 2.1.1.1.
o implicitCurve allows the elliptic curve domain parameters to be inherited. This choice MUST NOT be used.
Turner, et al. Standards Track [Page 4]
RFC 5480 ECC SubjectPublicKeyInfo Format March 2009
o specifiedCurve, which is of type SpecifiedECDomain type (defined in [X9.62]), allows all of the elliptic curve domain parameters to be explicitly specified. This choice MUST NOT be used. See Section 5, "ASN.1 Considerations".
The addition of any new choices in ECParameters needs to be coordinated with ANSI X9.
The AlgorithmIdentifier within SubjectPublicKeyInfo is the only place within a certificate where the elliptic curve domain parameters may be located. If the elliptic curve domain parameters are not present, then clients MUST reject the certificate.
The namedCurve field in ECParameters uses object identifiers to name well-known curves. This document publishes curve identifiers for the fifteen NIST-recommended curves [FIPS186-3]. Other documents can publish other name curve identifiers. The NIST-named curves are:
-- Note that in [X9.62] the curves are referred to as 'ansiX9' as -- opposed to 'sec'. For example, secp192r1 is the same curve as -- ansix9p192r1.
-- Note that in [PKI-ALG] the secp192r1 curve was referred to as -- prime192v1 and the secp256r1 curve was referred to as -- prime256v1.
-- Note that [FIPS186-3] refers to secp192r1 as P-192, secp224r1 as -- P-224, secp256r1 as P-256, secp384r1 as P-384, and secp521r1 as -- P-521.
2.1.2. Restricted Algorithm Identifiers and Parameters
Two "restricted" algorithms are defined for key agreement algorithms: the Elliptic Curve Diffie-Hellman (ECDH) key agreement family schemes and the Elliptic Curve Menezes-Qu-Vanstone (ECMQV) key agreement family schemes. Both algorithms are identified by an object identifier and have parameters. The object identifier varies based on the algorithm, but the parameters are always ECParameters and they MUST always be present (see Section 2.1.1).
The ECDH algorithm uses the following object identifier:
The subjectPublicKey from SubjectPublicKeyInfo is the ECC public key. ECC public keys have the following syntax:
ECPoint ::= OCTET STRING
Implementations of Elliptic Curve Cryptography according to this document MUST support the uncompressed form and MAY support the compressed form of the ECC public key. The hybrid form of the ECC public key from [X9.62] MUST NOT be used. As specified in [SEC1]:
o The elliptic curve public key (a value of type ECPoint that is an OCTET STRING) is mapped to a subjectPublicKey (a value of type BIT STRING) as follows: the most significant bit of the OCTET STRING value becomes the most significant bit of the BIT STRING value, and so on; the least significant bit of the OCTET STRING becomes the least significant bit of the BIT STRING. Conversion routines are found in Sections 2.3.1 and 2.3.2 of [SEC1].
o The first octet of the OCTET STRING indicates whether the key is compressed or uncompressed. The uncompressed form is indicated by 0x04 and the compressed form is indicated by either 0x02 or 0x03 (see 2.3.3 in [SEC1]). The public key MUST be rejected if any other value is included in the first octet.
If the keyUsage extension is present in a Certification Authority (CA) certificate that indicates id-ecPublicKey in SubjectPublicKeyInfo, then any combination of the following values MAY be present:
digitalSignature; nonRepudiation; keyAgreement; keyCertSign; and cRLSign.
Turner, et al. Standards Track [Page 7]
RFC 5480 ECC SubjectPublicKeyInfo Format March 2009
If the CA certificate keyUsage extension asserts keyAgreement, then it MAY assert either encipherOnly or decipherOnly. However, this specification RECOMMENDS that if keyCertSign or cRLSign is present, then keyAgreement, encipherOnly, and decipherOnly SHOULD NOT be present.
If the keyUsage extension is present in an End Entity (EE) certificate that indicates id-ecPublicKey in SubjectPublicKeyInfo, then any combination of the following values MAY be present:
digitalSignature; nonRepudiation; and keyAgreement.
If the EE certificate keyUsage extension asserts keyAgreement, then it MAY assert either encipherOnly or decipherOnly.
If the keyUsage extension is present in a certificate that indicates id-ecDH or id-ecMQV in SubjectPublicKeyInfo, then the following MUST be present:
keyAgreement;
one of the following MAY be present:
encipherOnly; or decipherOnly.
If the keyUsage extension is present in a certificate that indicates id-ecDH or id-ecMQV in SubjectPublicKeyInfo, then the following values MUST NOT be present:
digitalSignature; nonRepudiation; keyTransport; keyCertSign; and cRLSign.
When implementing ECC in X.509 Certificates and Certificate Revocation Lists (CRLs), there are three algorithm-related choices that need to be made for the signatureAlgorithm field in a Certificate or CertificateList:
Turner, et al. Standards Track [Page 8]
RFC 5480 ECC SubjectPublicKeyInfo Format March 2009
1) What is the public key size?
2) What is the hash algorithm [FIPS180-3]?
3) What is the curve?
Consideration must be given by the CA to the strength of the security provided by each of these choices. Security is measured in bits, where a strong symmetric cipher with a key of X bits is said to provide X bits of security. It is recommended that the bits of security provided by each choice are roughly equivalent. The following table provides comparable minimum bits of security [SP800-57] for the ECDSA key sizes and message digest algorithms. It also lists curves (see Section 2.1.1.1) for the key sizes.
Using a larger hash value and then truncating it consumes more processing power than is necessary. This is more important on constrained devices. Since the signer does not know the environment that the recipient will use to validate the signature, it is better to use a hash function that provides the desired hash value output size, and no more.
There are security risks with using keys not associated with well- known and widely reviewed curves. For example, the curve may not satisfy the Menezes-Okamoto-Vanstone (MOV) condition [X9.62] or the curve may be vulnerable to the Anomalous attack [X9.62]. Additionally, either a) all of the arithmetic properties of a candidate ECC public key must be validated to ensure that it has the unique correct representation in the correct (additive) subgroup (and therefore is also in the correct EC group) specified by the associated ECC domain parameters, or b) some of the arithmetic properties of a candidate ECC public key must be validated to ensure that it is in the correct group (but not necessarily the correct subgroup) specified by the associated ECC domain parameters [SP800-56A].
As noted in [PKI-ALG], the use of MD2 and MD5 for new applications is discouraged. It is still reasonable to use MD2 and MD5 to verify existing signatures.
[X9.62] defines additional options for ECParameters and ECDSA-Sig- Value [PKI-ALG]. If an implementation needs to use these options, then use the [X9.62] ASN.1 module. This RFC contains a conformant subset of the ASN.1 module defined in [X9.62].
Turner, et al. Standards Track [Page 10]
RFC 5480 ECC SubjectPublicKeyInfo Format March 2009
If an implementation generates a PER [X.691] encoding using the ASN.1 module found in this specification, it might not achieve the same encoded output as one that uses the [X9.62] module. PER is not required by either the PKIX or S/MIME environments. If an implementation environment requires PER, then implementation concerns are less likely with the use of the [X9.62] module.
This document makes extensive use of object identifiers to register public key types, elliptic curves, and algorithms. Most are registered in the ANSI X9.62 arc, with the exception of the hash algorithms (which are in the NIST arc) and many of the curves (which are in the Certicom Inc. arc; these curves have been adopted by ANSI and NIST). Additionally, an object identifier is used to identify the ASN.1 module found in Appendix A. It is defined in an arc delegated by IANA to the PKIX Working Group. No further action by IANA is necessary for this document or any anticipated updates.
[FIPS180-3] National Institute of Standards and Technology (NIST), FIPS Publication 180-3: Secure Hash Standard, October 2008.
[FIPS186-3] National Institute of Standards and Technology (NIST), FIPS Publication 186-3: Digital Signature Standard, (draft) November 2008.
[MUSTSHOULD] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[PKI] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.
[PKI-ALG] Bassham, L., Polk, W., and R. Housley, "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279, April 2002.
Turner, et al. Standards Track [Page 11]
RFC 5480 ECC SubjectPublicKeyInfo Format March 2009
[RSAOAEP] Schaad, J., Kaliski, B., and R. Housley, "Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 4055, June 2005.
[SEC1] Standards for Efficient Cryptography Group (SECG), "SEC 1: Elliptic Curve Cryptography", Version 1.0, September 2000.
[X9.62] American National Standards Institute (ANSI), ANS X9.62-2005: The Elliptic Curve Digital Signature Algorithm (ECDSA), 2005.
[PKI-ADALG] Dang, Q., Santesson, S., Moriarty, K., Brown, D., and T. Polk, "Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA", Work in Progress, October 2008.
[SP800-56A] National Institute of Standards and Technology (NIST), Special Publication 800-56A: Recommendation for Pair- Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), March 2007.
[SP800-57] National Institute of Standards and Technology (NIST), Special Publication 800-57: Recommendation for Key Management - Part 1 (Revised), March 2007.
[X.691] ITU-T Recommendation X.691 (2002) | ISO/IEC 8825-2:2002. Information Technology - ASN.1 Encoding Rules: Specification of Packed Encoding Rules.
Turner, et al. Standards Track [Page 12]
RFC 5480 ECC SubjectPublicKeyInfo Format March 2009
RFC 5480 ECC SubjectPublicKeyInfo Format March 2009
-- specifiedCurve SpecifiedECDomain } -- implicitCurve and specifiedCurve MUST NOT be used in PKIX. -- Details for SpecifiedECDomain can be found in [X9.62]. -- Any future additions to this CHOICE should be coordinated -- with ANSI X9.
-- Sec 2.1.2 Restricted Algorithm IDs, Key, and Parameters: ECDH