IPSec Working Group                               S. Blake-Wilson, BCI
INTERNET-DRAFT                       D. Brown and Y. Poeluev, Certicom
Intended Status: Informational                          M. Salter, NSA
Expires October                                         April 11, 2005

                    Additional ECC Groups For IKE
               <draft-ietf-ipsec-ike-ecc-groups-05.txt>
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of Section 3 of RFC 3978.
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she become
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire in October 2005.
Abstract
This document describes new ECC groups for use in IKE [IKE] in
addition to the Oakley groups included therein. These groups are
defined to align IKE with other ECC implementations and standards,
and in addition, many of them provide higher strength than the
Oakley groups. It should be noted that this document is not
self-contained. It uses the notations and definitions of [IKE].
Blake-Wilson, Brown, Poeluev and Salter [Page 1]
INTERNET-DRAFT NIST Curves for IKE April 2005
Table of Contents
1. Introduction
2. The NIST Groups
3. Security Considerations
4. Intellectual Property Rights
5. Acknowledgments
6. References
7. Authors' Addresses
1. Introduction
This document describes groups for use in elliptic curve
Diffie-Hellman in IKE in addition to the Oakley groups included in
[IKE], [ECC-IKE] and [MODP-IKE]. The document assumes that the reader
is familiar with the IKE protocol and the concept of Oakley Groups, as
defined in RFC 2409 [IKE]. The ECC groups given here are the fifteen
groups that NIST recommends in FIPS 186-2 [FIPS-186-2].
RFC 2409 [IKE] defines five standard Oakley Groups - three modular
exponentiation groups and two elliptic curve groups over GF[2^N]. One
modular exponentiation group (768 bits - Oakley Group 1) is mandatory
for all implementations to support, while the other four are optional.
Both elliptic curve groups (Oakley Groups 3 and 4) are defined over
GF[2^N] with N composite.
The Internet-Draft "More MODP Groups For IKE" [MODP-IKE] describes
several additional groups that can be used with IKE.
Detailed descriptions of the ECC groups recommended here for IKE are
not given in this document but can be found elsewhere: all fifteen
groups are described in each of FIPS 186-2 [FIPS-186-2] and SEC 2 [SEC2].
The elliptic curve domain parameters are uniquely identified in this
document using the ASN.1 object identifiers provided in ANS X9.63
[X9.63], which are also given in SEC 2 [SEC2].
2. The NIST Groups
The groups given in this document are capable of providing security
consistent with AES keys of 128, 192, and 256 bits, and also with TDES
keys of lengths 168 and 112 bits, whose corresponding strengths are 112
and 80 bits, respectively. The following table, based on tables from
[HOF] and [LEN], gives approximate comparable key sizes for symmetric
systems, ECC systems, and DH/DSA/RSA systems. The estimates are based
on the running times of the best algorithms known today.
Strength | ECC2N/PR | DH/DSA/RSA
80 | 163/192 | 1024
112 | 233/224 | 2048
128 | 283/256 | 3072
192 | 409/384 | 7680
256 | 571/521 | 15360
Table 1: Comparable key sizes
Thus, for example, when securing a 192-bit symmetric key, it is
prudent to use either 409-bit ECC or 7680-bit DH/DSA/RSA. Of course
it is possible to use shorter asymmetric keys, but it should be
recognized in this case that the security of the system is likely
dependent on the strength of the public-key algorithm and claims such
as "this system is highly secure because it uses 192-bit encryption"
are misleading.
The fifteen groups proposed in this document use elliptic curves over
GF[2^N] with N prime or over GF[P] with P prime. This addresses
concerns expressed by many experts regarding curves defined over
GF[2^N] with N composite -- concerns highlighted by the recent attacks
on such curves due to Gaudry, Hess, and Smart [WEIL] and due to
Jacobson, Menezes and Stein [JMS].
Seven of the groups proposed here have been assigned identifiers by
IANA [IANA] and the remaining eight might later be assigned
identifiers by IANA. A brief summary of the IANA identified groups
for IKE is as follows. Groups with IANA numbers 1 through 4 are
identified in [IKE]. The group with IANA number 5 is identified in
[MODP-IKE]. The group with IANA number 6 is identified in [ECC-IKE],
[X9.62] and [SEC2], with object identifier sect163r1, but it is not
one of the fifteen curves that NIST recommends [FIPS-186-2]. The
seven groups with IANA numbers between 7 and 13 have already
been identified in [ECC-IKE] and are included here. The remaining
eight curves recommended by NIST might be assigned numbers between X-2
and X+5 for some X.
The groups recommended for IKE in this document are the ECC groups
that NIST recommends [FIPS-186-2]. These fifteen ECC groups are
given in the following table.
IANA   Group Description                SEC 2 OID
----   -----------------                ---------
X+1    ECPRGF192Random group P-192      secp192r1
X-2    EC2NGF163Random group B-163      sect163r2
7      EC2NGF163Koblitz group K-163     sect163k1
X+2    ECPRGF224Random group P-224      secp224r1
X      EC2NGF233Random group B-233      sect233r1
X-1    EC2NGF233Koblitz group K-233     sect233k1
X+3    ECPRGF256Random group P-256      secp256r1
X+3    EC2NGF283Random group B-283      sect283r1
9      EC2NGF283Koblitz group K-283     sect283k1
X+4    ECPRGF384Random group P-384      secp384r1
10     EC2NGF409Random group B-409      sect409r1
11     EC2NGF409Koblitz group K-409     sect409k1
X+5    ECPRGF521Random group P-521      secp521r1
12     EC2NGF571Random group B-571      sect571r1
13     EC2NGF571Koblitz group K-571     sect571k1
Three curves are defined at each strength - two curves chosen
verifiably at random (as defined in ANSI [X9.62]), one over a binary
field and another over a prime field, and a Koblitz curve over a
binary field, which enables especially efficient implementations
due to the special structure of the curve [KOB] and [SOL].
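The following is an added example, not part of the draft: a check that applies Table 1 and the N-prime criterion above to a cipher/group pairing, reporting the effective strength as the weaker of the two. The function names are illustrative, a field size that falls between Table 1 rows is rated at the lower row (an assumption), and the 155-bit field size for Oakley Group 3 comes from RFC 2409 rather than from this document.

```python
import re

# Table 1 of this document: strength in bits -> minimum field size in bits.
TABLE1 = {"EC2N": {80: 163, 112: 233, 128: 283, 192: 409, 256: 571},
          "ECPR": {80: 192, 112: 224, 128: 256, 192: 384, 256: 521}}
# Symmetric strengths as given in Section 2 (TDES 168/112 -> 112/80 bits).
SYMMETRIC = {("AES", 128): 128, ("AES", 192): 192, ("AES", 256): 256,
             ("TDES", 168): 112, ("TDES", 112): 80}


def parse_sec2(oid):
    """Split a SEC 2 name such as 'sect163k1' into (field kind, field bits)."""
    m = re.fullmatch(r"sec([pt])(\d+)[kr]\d", oid)
    if not m:
        raise ValueError(f"not a SEC 2 curve name: {oid!r}")
    return ("ECPR" if m.group(1) == "p" else "EC2N"), int(m.group(2))


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def group_strength(kind, bits):
    """Highest Table 1 row met by the field size (assumption: round down)."""
    met = [s for s, size in TABLE1[kind].items() if bits >= size]
    return max(met, default=0)  # 0 means below the 80-bit row


def audit(cipher, key_bits, kind, bits):
    """Return (effective strength, findings) for one cipher/group pairing."""
    sym = SYMMETRIC[(cipher, key_bits)]
    grp = group_strength(kind, bits)
    findings = []
    if kind == "EC2N" and not is_prime(bits):
        findings.append(f"GF[2^{bits}]: N is composite")
    if grp < sym:
        findings.append(f"group strength {grp or '<80'} bits is below "
                        f"cipher strength {sym} bits")
    return min(sym, grp), findings


if __name__ == "__main__":
    # Constructed pairings; 155 is the field size of Oakley Group 3 (RFC 2409).
    for cipher, key, kind, bits in [("AES", 192, *parse_sec2("sect409r1")),
                                    ("AES", 256, *parse_sec2("secp256r1")),
                                    ("TDES", 168, "EC2N", 155)]:
        print(cipher, key, kind, bits, audit(cipher, key, kind, bits))
```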
3. Security Considerations
Since this document proposes new groups for use within IKE, many of the
security considerations contained within RFC 2409 apply here as well.
Nine of the groups proposed in this document offer higher strength
than the groups in RFC 2409. This allows IKE and IKEv2 to offer
security comparable with the proposed AES algorithms.
In addition, since all the new groups are defined over GF[P] with P
prime or GF[2^N] with N prime, they address the concerns expressed
regarding the elliptic curve groups included in RFC 2409, which are
curves defined over GF[2^N] with N composite. The work of
Gaudry, Hess, and Smart [WEIL] reveals some of the weaknesses in such
groups.
4. Intellectual Property Rights
The IETF has been notified of intellectual property rights claimed in
regard to the specification contained in this document.
For more information, consult the online list of claimed rights
(http://www.ietf.org/ipr.html).
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
5. Acknowledgments
To be added.
6. References
[IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC
2409, November 1998.
[IANA] Internet Assigned Numbers Authority. Attribute Assigned
Numbers.
(http://www.isi.edu/in-notes/iana/assignments/ipsec-registry)
[IEEE-1363] Institute of Electrical and Electronics Engineers. IEEE
1363-2000, Standard for Public Key Cryptography. IEEE
Microprocessor Standards Committee. August 2001.
(http://grouper.ieee.org/groups/1363/index.html)
[KOB] N. Koblitz, CM curves with good cryptographic properties.
Proceedings of Crypto '91. Pages 279-287. Springer-Verlag, 1992.
[FIPS-186-2] U.S. Department of Commerce/National Institute of
Standards and Technology. Digital Signature Standard (DSS), FIPS
PUB 186-2, January 2000.
(http://csrc.nist.gov/fips/fips186-2.pdf)
[HOF] P. Hoffman and H. Orman, Determining strengths for public keys
used for exchanging symmetric keys, Internet-draft. August 2000.
[LEN] A. Lenstra and E. Verheul, Selecting cryptographic key sizes.
Available at: www.cryptosavvy.com.
[JMS] M. Jacobson, A. Menezes and A. Stein, Solving Elliptic
Curve Discrete Logarithm Problems Using Weil Descent,
Combinatorics and Optimization Research Report 2001-31, May 2001.
Available at http://www.cacr.math.uwaterloo.ca/.
[MODP-IKE] T. Kivinen and M. Kojo, More Modular Exponential (MODP)
Diffie-Hellman groups for Internet Key Exchange (IKE),
rfc3526.txt, May 2003.
[SEC2] Standards for Efficient Cryptography Group. SEC 2 -
Recommended Elliptic Curve Domain Parameters. Working Draft
Ver. 1.0., 2000. (http://www.secg.org)
[SOL] J. Solinas, An improved algorithm for arithmetic on a family
of elliptic curves, Proceedings of Crypto '97, Pages 357-371,
Springer-Verlag, 1997.
[WEIL] Gaudry, P., Hess, F., Smart, Nigel P. Constructive and
Destructive Facets of Weil Descent on Elliptic Curves, HP Labs
Technical Report No. HPL-2000-10, 2000.
(http://www.hpl.hp.com/techreports/2000/HPL-2000-10.html)
[X9.62] American National Standards Institute, ANS X9.62-1998:
Public Key Cryptography for the Financial Services Industry: The
Elliptic Curve Digital Signature Algorithm. January 1999.
[X9.63] American National Standards Institute. ANSI X9.63-2001,
Public Key Cryptography for the Financial Services Industry: Key
Agreement and Key Transport using Elliptic Curve Cryptography.
November 2001.
7. Authors' Addresses
Simon Blake-Wilson
Basic Commerce & Industries, Inc.
sblakewilson@bcisse.com
Daniel R. L. Brown
Certicom Corp.
dbrown@certicom.com
Yuri Poeluev
Certicom Corp.
ypoeluev@certicom.com
Margaret Salter
National Security Agency
msalter@radium.ncsc.mil
8. Full Copyright Statement
Copyright (C) The Internet Society (2005). This document is
subject to the rights, licenses and restrictions contained in BCP
78, and except as set forth therein, the authors retain all their
rights.
This document and the information contained herein are provided on
an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE.