IPSec Working Group                               S. Blake-Wilson, BCI
INTERNET-DRAFT                       D. Brown and Y. Poeluev, Certicom
Intended Status: Informational
Expires: June 15, 2006                               December 15, 2005


                    Additional ECC Groups For IKE
              <draft-ietf-ipsec-ike-ecc-groups-07.txt>


                          Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on June 15, 2006.


                               Abstract

   This document describes new ECC groups for use in IKE [IKE] and
   IKEv2 [IKEv2] in addition to the Oakley groups included therein.
   These groups are defined to align IKE with other ECC
   implementations and standards, and in addition, many of them
   provide higher strength than the Oakley groups. It should be noted
   that this document is not self-contained.  It uses the notations
   and definitions of [IKE] and IKEv2 [IKEv2].











Blake-Wilson, Brown and Poeluev                              [Page  1]

INTERNET-DRAFT             NIST Curves for IKE           December 2005


                           Table of Contents

   1. Introduction ............................................... 2
   2. The NIST Groups ............................................ 3
   3. Security Considerations .................................... 5
   4. Intellectual Property Rights ............................... 5
   5. Acknowledgments ............................................ 5
   6. References ................................................. 5
   7. Authors' Addresses ......................................... 7

1.  Introduction

This document describes groups for use in elliptic curve
Diffie-Hellman in IKE in addition to the Oakley groups included in
[IKE], [IKEv2], and [MODP-IKE].  The document assumes that
the reader is familiar with the IKE protocol and the concept of Oakley
Groups, as defined in RFC 2409 [IKE] and IKEv2 [IKEv2].  The ECC
groups given here are the fifteen groups that NIST recommends in FIPS
186-2 [FIPS-186-2].

RFC 2409 [IKE] defines five standard Oakley Groups - three modular
exponentiation groups and two elliptic curve groups over GF[2^N].  One
modular exponentiation group (768 bits - Oakley Group 1) is mandatory
for all implementations to support, while the other four are optional.
Both elliptic curve groups (Oakley Groups 3 and 4) are defined over
GF[2^N] with N composite.

The Internet-Draft "More MODP Groups For IKE" [MODP-IKE] describes
several additional groups that can be used with IKE and IKEv2.

Detailed descriptions of the ECC groups recommended here for IKE are
not given in this document but can be found elsewhere: all fifteen
groups are described in both FIPS 186-2 [FIPS-186-2] and SEC 2 [SEC-2].
The elliptic curve domain parameters are uniquely identified in this
document using the ASN.1 object identifiers provided in ANS X9.62
[X9.62], ANS X9.63 [X9.63], and SEC 2 [SEC-2].
















2.  The NIST Groups

The groups given in this document are capable of providing security
consistent with AES keys of 128, 192, and 256 bits, and also with TDES
keys of lengths 168 and 112 bits, whose corresponding strengths are 112
and 80 bits, respectively.  The following table, based on tables from
[HOF] and [LEN], gives approximate comparable key sizes for symmetric
systems, ECC systems, and DH/DSA/RSA systems.  The estimates are based
on the running times of the best algorithms known today.

                  Strength   |  ECC2N/PR |  DH/DSA/RSA
                   80        |  163/192  |  1024
                  112        |  233/224  |  2048
                  128        |  283/256  |  3072
                  192        |  409/384  |  7680
                  256        |  571/521  |  15360

                  Table 1: Comparable key sizes

Thus, for example, when securing a 192-bit symmetric key, it is
prudent to use either 409-bit ECC or 7680-bit DH/DSA/RSA.  Of course
it is possible to use shorter asymmetric keys, but it should be
recognized in this case that the security of the system is likely
dependent on the strength of the public-key algorithm and claims such
as "this system is highly secure because it uses 192-bit encryption"
are misleading.

The fifteen groups proposed in this document use elliptic curves over
GF[2^N] with N prime or over GF[P] with P prime.  This addresses
concerns expressed by many experts regarding curves defined over
GF[2^N] with N composite -- concerns highlighted by the recent attacks
on such curves due to Gaudry, Hess, and Smart [WEIL] and due to
Jacobson, Menezes and Stein [JMS].

Seven of the groups proposed here have been assigned identifiers by
IANA [IANA] and the remaining eight might later be assigned
identifiers by IANA.  A brief summary of the IANA identified groups
for IKE is as follows.  Groups with IANA numbers 1 through 4 are
identified in [IKE].  The group with IANA number 5 is identified in
[MODP-IKE].  The group with IANA number 6 is identified in [X9.62] and
[SEC-2], with object identifier sect163r1, but it is not one of the
fifteen curves that NIST recommends [FIPS-186-2].  The seven groups
with IANA numbers between 7 and 13 have also been identified in
[ECP-IKE] and are included here, as have the NIST groups with numbers
19, 20 and 21.  The remaining five NIST groups are suggested and
anticipated to be assigned IANA numbers 22 to 26.








The groups recommended for IKE and IKEv2 in this document are the ECC
groups that NIST recommends [FIPS-186-2].  These fifteen ECC groups
are given in the following table.

IANA  Group Description                SEC 2 OID
----  -----------------                ---------

  22  ECPRGF192Random  group P-192     secp192r1
  23  EC2NGF163Random  group B-163     sect163r2
   7  EC2NGF163Koblitz group K-163     sect163k1

  24  ECPRGF224Random  group P-224     secp224r1
  25  EC2NGF233Random  group B-233     sect233r1
  26  EC2NGF233Koblitz group K-233     sect233k1

  19  ECPRGF256Random  group P-256     secp256r1
  27  EC2NGF283Random  group B-283     sect283r1
   9  EC2NGF283Koblitz group K-283     sect283k1

  20  ECPRGF384Random  group P-384     secp384r1
  10  EC2NGF409Random  group B-409     sect409r1
  11  EC2NGF409Koblitz group K-409     sect409k1

  21  ECPRGF521Random  group P-521     secp521r1
  12  EC2NGF571Random  group B-571     sect571r1
  13  EC2NGF571Koblitz group K-571     sect571k1

Three curves are defined at each strength: two curves chosen
verifiably at random (as defined in ANSI [X9.62]), one over a binary
field and another over a prime field, and a Koblitz curve over a
binary field, which enables especially efficient implementations
due to the special structure of the curve [KOB], [SOL].
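
The following is an added example, not part of the original draft: it
applies Table 1 and the group table above to check whether the group
chosen for a proposal is at least as strong as the symmetric cipher it
protects.  The function names and the sample proposals are constructed
for illustration; the group numbers are copied from the table as printed.

```python
# Added example: audit constructed IKE proposals against the draft's tables.

# Table 1: strength -> (EC2N field bits, ECP field bits, DH/DSA/RSA bits)
TABLE1 = {80: (163, 192, 1024), 112: (233, 224, 2048), 128: (283, 256, 3072),
          192: (409, 384, 7680), 256: (571, 521, 15360)}

# Group table, numbers copied as printed in the draft:
# number -> (SEC 2 OID name, Table 1 column, field size in bits)
EC2N, ECP = 0, 1
GROUPS = {
    22: ("secp192r1", ECP, 192), 23: ("sect163r2", EC2N, 163),
    7: ("sect163k1", EC2N, 163), 24: ("secp224r1", ECP, 224),
    25: ("sect233r1", EC2N, 233), 26: ("sect233k1", EC2N, 233),
    19: ("secp256r1", ECP, 256), 27: ("sect283r1", EC2N, 283),
    9: ("sect283k1", EC2N, 283), 20: ("secp384r1", ECP, 384),
    10: ("sect409r1", EC2N, 409), 11: ("sect409k1", EC2N, 409),
    21: ("secp521r1", ECP, 521), 12: ("sect571r1", EC2N, 571),
    13: ("sect571k1", EC2N, 571),
}

def symmetric_strength(cipher, key_bits):
    """Strength in bits as the draft states it: AES is its key length,
    TDES keys of 168 and 112 bits give 112 and 80 bits."""
    known = {("AES", 128): 128, ("AES", 192): 192, ("AES", 256): 256,
             ("TDES", 168): 112, ("TDES", 112): 80}
    if (cipher, key_bits) not in known:
        raise ValueError(f"no strength given for {cipher}-{key_bits}")
    return known[(cipher, key_bits)]

def group_strength(number):
    """Highest Table 1 strength whose field size this group reaches."""
    if number not in GROUPS:
        raise ValueError(f"group {number} is not in the draft's table")
    _, column, bits = GROUPS[number]
    return max(s for s, row in TABLE1.items() if bits >= row[column])

def audit(cipher, key_bits, number):
    """Report the weaker link of a (cipher, group) pairing."""
    sym, grp = symmetric_strength(cipher, key_bits), group_strength(number)
    return {"curve": GROUPS[number][0], "symmetric": sym, "group": grp,
            "effective": min(sym, grp), "matched": grp >= sym}

def groups_matching(cipher, key_bits):
    """Group numbers whose strength equals the cipher's strength."""
    sym = symmetric_strength(cipher, key_bits)
    return sorted(n for n in GROUPS if group_strength(n) == sym)

if __name__ == "__main__":
    # Constructed proposals: (cipher, key bits, group number)
    for proposal in [("AES", 192, 19), ("AES", 192, 20), ("TDES", 168, 24)]:
        print(proposal, audit(*proposal))
```

A pairing with "matched" False is the case the text warns about: the
effective strength is set by the group, not by the cipher's key length.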




















3. Security Considerations

Since this document proposes new groups for use within IKE, many of the
security considerations contained within RFC 2409 apply here as well.

Nine of the groups proposed in this document offer higher strength
than the groups in RFC 2409.  This allows IKE and IKEv2 to offer
security comparable with the proposed AES algorithms.

In addition, since all the new groups are defined over GF[P] with P
prime or GF[2^N] with N prime, they address the concerns expressed
regarding the elliptic curve groups included in RFC 2409, which are
curves defined over GF[2^N] with N composite.  The work of Gaudry,
Hess, and Smart [WEIL] reveals some of the weaknesses in such groups.


4. Intellectual Property Rights

The IETF has been notified of intellectual property rights claimed in
regard to the specification contained in this document.
For more information, consult the online list of claimed rights
(http://www.ietf.org/ipr.html).

The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights.  Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11.  Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.


5. Acknowledgments

To be added.













6. References

  [ECP-IKE] J. Solinas, ECP Groups for IKE,
  draft-ietf-ipsec-ike-ecp-groups-01.txt, work in progress.

  [IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC
     2409, November 1998.

  [IKEv2] C. Kaufman, Editor, Internet Key Exchange (IKEv2) Protocol,
  draft-ietf-ipsec-ikev2-17.txt, work in progress.

  [IANA] Internet Assigned Numbers Authority. Attribute Assigned
     Numbers.
     (http://www.isi.edu/in-notes/iana/assignments/ipsec-registry)

  [IEEE-1363] Institute of Electrical and Electronics Engineers. IEEE
     1363-2000, Standard for Public Key Cryptography. IEEE
     Microprocessor Standards Committee. August 2001.
     (http://grouper.ieee.org/groups/1363/index.html)

  [KOB] N. Koblitz, CM curves with good cryptographic properties.
     Proceedings of Crypto '91. Pages 279-287. Springer-Verlag, 1992.

  [FIPS-186-2] U.S. Department of Commerce/National Institute of
     Standards and Technology. Digital Signature Standard (DSS), FIPS
     PUB 186-2, January 2000.
     (http://csrc.nist.gov/fips/fips186-2.pdf)

  [HOF] P. Hoffman and H. Orman, Determining strengths for public keys
     used for exchanging symmetric keys, Internet-draft. August 2000.

  [LEN] A. Lenstra and E. Verheul, Selecting cryptographic key sizes.
     Available at: www.cryptosavvy.com.

  [JMS] M. Jacobson, A. Menezes and A. Stein, Solving Elliptic
     Curve Discrete Logarithm Problems Using Weil Descent,
     Combinatorics and Optimization Research Report 2001-31, May 2001.
     Available at http://www.cacr.math.uwaterloo.ca/.

  [MODP-IKE] T. Kivinen and M. Kojo, More Modular Exponential (MODP)
     Diffie-Hellman groups for Internet Key Exchange (IKE),
     rfc3526.txt, May 2003.

  [SEC-2] Standards for Efficient Cryptography Group. SEC 2 -
     Recommended Elliptic Curve Domain Parameters. Working Draft
     Ver. 1.0., 2000.  (http://www.secg.org)

  [SOL] J. Solinas, An improved algorithm for arithmetic on a family
     of elliptic curves, Proceedings of Crypto '97, Pages 357-371,
     Springer-Verlag, 1997.



  [WEIL] Gaudry, P., Hess, F., Smart, Nigel P. Constructive and
     Destructive Facets of Weil Descent on Elliptic Curves, HP Labs
     Technical Report No. HPL-2000-10, 2000.
     (http://www.hpl.hp.com/techreports/2000/HPL-2000-10.html)

  [X9.62] American National Standards Institute, ANS X9.62-2005:
     Public Key Cryptography for the Financial Services Industry: The
     Elliptic Curve Digital Signature Algorithm.  November 2005.

  [X9.63] American National Standards Institute. ANSI X9.63-2001,
     Public Key Cryptography for the Financial Services Industry: Key
     Agreement and Key Transport using Elliptic Curve Cryptography.
     November 2001.


7. Authors' Addresses

  Simon Blake-Wilson
  Basic Commerce & Industries, Inc.
  sblakewilson@bcisse.com

  Daniel R. L. Brown
  Certicom Corp.
  dbrown@certicom.com

  Yuri Poeluev
  Certicom Corp.
  ypoeluev@certicom.com



8. Full Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is
   subject to the rights, licenses and restrictions contained in BCP
   78, and except as set forth therein, the authors retain all their
   rights.

   This document and the information contained herein are provided on
   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
   THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
   ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
   PARTICULAR PURPOSE.




