Internet Engineering Task Force (IETF) I. Liusvaara Request for Comments: 8037 Independent Category: Standards Track January 2017 ISSN: 2070-1721
CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)
Abstract
This document defines how to use the Diffie-Hellman algorithms "X25519" and "X448" as well as the signature algorithms "Ed25519" and "Ed448" from the IRTF CFRG elliptic curves work in JSON Object Signing and Encryption (JOSE).
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8037.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Liusvaara Standards Track [Page 1]
RFC 8037 CFRG ECDH and Signatures in JOSE January 2017
The Internet Research Task Force (IRTF) Crypto Forum Research Group (CFRG) selected new Diffie-Hellman algorithms ("X25519" and "X448"; [RFC7748]) and signature algorithms ("Ed25519" and "Ed448"; [RFC8032]) for asymmetric key cryptography. This document defines how to use those algorithms in JOSE in an interoperable manner.
This document defines the conventions to use in the context of [RFC7515], [RFC7516], and [RFC7517].
While the CFRG also defined two pairs of isogenous elliptic curves that underlie these algorithms, these curves are not directly exposed, as the algorithms laid on top are sufficient for the purposes of JOSE and are much easier to use.
All inputs to and outputs from the Elliptic Curve Diffie-Hellman (ECDH) and signature functions are defined to be octet strings, with the exception of outputs of verification functions, which are booleans.
Liusvaara Standards Track [Page 2]
RFC 8037 CFRG ECDH and Signatures in JOSE January 2017
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
"JWS Signing Input" and "JWS Signature" are defined by [RFC7515].
"Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static" is defined by Section 4.6 of [RFC7518].
The JOSE key format ("JSON Web Key (JWK)") is defined by [RFC7517] and thumbprints for it ("JSON Web Key (JWK) Thumbprint") in [RFC7638].
A new key type (kty) value "OKP" (Octet Key Pair) is defined for public key algorithms that use octet strings as private and public keys. It has the following parameters:
o The parameter "kty" MUST be "OKP".
o The parameter "crv" MUST be present and contain the subtype of the key (from the "JSON Web Elliptic Curve" registry).
o The parameter "x" MUST be present and contain the public key encoded using the base64url [RFC4648] encoding.
o The parameter "d" MUST be present for private keys and contain the private key encoded using the base64url encoding. This parameter MUST NOT be present for public keys.
Note: Do not assume that there is an underlying elliptic curve, despite the existence of the "crv" and "x" parameters. (For instance, this key type could be extended to represent Diffie-Hellman (DH) algorithms based on hyperelliptic surfaces.)
When calculating JWK Thumbprints [RFC7638], the three public key fields are included in the hash input in lexicographic order: "crv", "kty", and "x".
Liusvaara Standards Track [Page 3]
RFC 8037 CFRG ECDH and Signatures in JOSE January 2017
For the purpose of using the Edwards-curve Digital Signature Algorithm (EdDSA) for signing data using "JSON Web Signature (JWS)" [RFC7515], algorithm "EdDSA" is defined here, to be applied as the value of the "alg" parameter.
The following key subtypes are defined here for use with EdDSA:
"crv" EdDSA Variant Ed25519 Ed25519 Ed448 Ed448
The key type used with these keys is "OKP" and the algorithm used for signing is "EdDSA". These subtypes MUST NOT be used for Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES).
The EdDSA variant used is determined by the subtype of the key (Ed25519 for "Ed25519" and Ed448 for "Ed448").
Signing for these is performed by applying the signing algorithm defined in [RFC8032] to the private key (as private key), public key (as public key), and the JWS Signing Input (as message). The resulting signature is the JWS Signature. All inputs and outputs are octet strings.
Verification is performed by applying the verification algorithm defined in [RFC8032] to the public key (as public key), the JWS Signing Input (as message), and the JWS Signature (as signature). All inputs are octet strings. If the algorithm accepts, the signature is valid; otherwise, the signature is invalid.
The "x" parameter of the "epk" field is set as follows:
Apply the appropriate ECDH function to the ephemeral private key (as scalar input) and the standard base point (as u-coordinate input). The base64url encoding of the output is the value for the "x" parameter of the "epk" field. All inputs and outputs are octet strings.
The Z value (raw key agreement output) for key agreement (to be used in subsequent Key Derivation Function (KDF) as per Section 4.6.2 of [RFC7518]) is determined as follows:
Apply the appropriate ECDH function to the ephemeral private key (as scalar input) and receiver public key (as u-coordinate input). The output is the Z value. All inputs and outputs are octet strings.
Security considerations from [RFC7748] and [RFC8032] apply here.
Do not separate key material from information about what key subtype it is for. When using keys, check that the algorithm is compatible with the key subtype for the key. To do otherwise opens the system up to attacks via mixing up algorithms. It is particularly dangerous to mix up signature and Message Authentication Code (MAC) algorithms.
Although for Ed25519 and Ed448, the signature binds the key used for signing, do not assume this, as there are many signature algorithms that fail to make such a binding. If key-binding is desired, include the key used for signing either inside the JWS protected header or the data to sign.
If key generation or batch signature verification is performed, a well-seeded cryptographic random number generator is REQUIRED. Signing and non-batch signature verification are deterministic operations and do not need random numbers of any kind.
Liusvaara Standards Track [Page 5]
RFC 8037 CFRG ECDH and Signatures in JOSE January 2017
The JSON Web Algorithm (JWA) ECDH-ES KDF construction does not mix keys into the final shared secret. In key exchange, such mixing could be a bad mistake; whereas here either the receiver public key has to be chosen maliciously or the sender has to be malicious in order to cause problems. In either case, all security evaporates.
The nominal security strengths of X25519 and X448 are ~126 and ~223 bits. Therefore, using 256-bit symmetric encryption (especially key wrapping and encryption) with X448 is RECOMMENDED.
The following has been added to the "JSON Web Key Types" registry:
o "kty" Parameter Value: "OKP" o Key Type Description: Octet string key pairs o JOSE Implementation Requirements: Optional o Change Controller: IESG o Specification Document(s): Section 2 of RFC 8037
The following has been added to the "JSON Web Key Parameters" registry:
o Parameter Name: "crv" o Parameter Description: The subtype of key pair o Parameter Information Class: Public o Used with "kty" Value(s): "OKP" o Change Controller: IESG o Specification Document(s): Section 2 of RFC 8037
o Parameter Name: "d" o Parameter Description: The private key o Parameter Information Class: Private o Used with "kty" Value(s): "OKP" o Change Controller: IESG o Specification Document(s): Section 2 of RFC 8037
o Parameter Name: "x" o Parameter Description: The public key o Parameter Information Class: Public o Used with "kty" Value(s): "OKP" o Change Controller: IESG o Specification Document(s): Section 2 of RFC 8037
Liusvaara Standards Track [Page 6]
RFC 8037 CFRG ECDH and Signatures in JOSE January 2017
The following has been added to the "JSON Web Signature and Encryption Algorithms" registry:
o Algorithm Name: "EdDSA" o Algorithm Description: EdDSA signature algorithms o Algorithm Usage Location(s): "alg" o JOSE Implementation Requirements: Optional o Change Controller: IESG
The following has been added to the "JSON Web Key Elliptic Curve" registry:
o Curve Name: "Ed25519" o Curve Description: Ed25519 signature algorithm key pairs o JOSE Implementation Requirements: Optional o Change Controller: IESG o Specification Document(s): Section 3.1 of RFC 8037
o Curve Name: "Ed448" o Curve Description: Ed448 signature algorithm key pairs o JOSE Implementation Requirements: Optional o Change Controller: IESG o Specification Document(s): Section 3.1 of RFC 8037
o Curve name: "X25519" o Curve Description: X25519 function key pairs o JOSE Implementation Requirements: Optional o Change Controller: IESG o Specification Document(s): Section 3.2 of RFC 8037 o Analysis Documents(s): [RFC7748]
o Curve Name: "X448" o Curve Description: X448 function key pairs o JOSE Implementation Requirements: Optional o Change Controller: IESG o Specification Document(s): Section 3.2 of RFC 8037 o Analysis Documents(s): [RFC7748]
Liusvaara Standards Track [Page 7]
RFC 8037 CFRG ECDH and Signatures in JOSE January 2017
Which has the SHA-256 hash (in hexadecimal) of 90facafea9b1556698540f70c0117a22ea37bd5cf3ed3c47093c1707282b4b89, which results in the base64url encoded JWK Thumbprint representation of "kPrK_qmxVWaYVA9wwBF6Iuo3vVzz7TxHCTwXBygrS4k".
Liusvaara Standards Track [Page 9]
RFC 8037 CFRG ECDH and Signatures in JOSE January 2017
Applying the Ed25519 verification algorithm to the public key, JWS signing input, and the signature yields true. So the signature is valid. The message is the base64url decoding of the part between the dots: