[Search] [pdf|bibtex] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01                                                         
IPSec Working Group                                      J. Solinas, NSA
INTERNET-DRAFT
Expires November 27, 2005                                   May 27, 2005



                          ECC Groups For IKEv2
               <draft-ietf-ipsec-ikev2-ecc-groups-01.txt>



                          Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html



                                Abstract

   This document describes ECC groups for use as Diffie-Hellman groups
   in the Internet Key Exchange version 2 (IKEv2) protocol.  These new
   groups are defined to align IKEv2 with other standards, particularly
   NIST standards, and with and to provide more efficient implementation
   than in previously defined groups.













Solinas                                                         [Page 1]


INTERNET-DRAFT            ECC Groups For IKEv2                  May 2005


1.  Introduction

   This document describes default groups for use in elliptic curve
   Diffie-Hellman in IKEv2 in addition to the groups already so defined.

   The IKEv2 document [IKEv2] defines Diffie-Hellman groups 1 and 2
   from [IKE] for use in IKEv2.  The IKEv2 algorithms document [ALGS]
   defines group 2 as well as group 14 from [RFC-3526] for IKEv2.
   (The numbering of the groups is as in [IANA].)  All three of these
   groups are MODP modular exponentiation groups.

   This document defines ECP type elliptic curve groups for use in
   IKEv2.  This is done for four reasons:

   1.  To enable IKEv2 to be implemented in a way that enjoys the
       computational and bandwidth advantages of elliptic curves over
       modular exponentiation groups.

   2.  To align IKEv2 with existing ECC standards, particularly
       those of NIST.

   3.  To provide a common elliptic curve environment for users of
       IKE and IKEv2.

   4.  The groups proposed are capable of providing security consistent
       with the new Advanced Encryption Standard.

   In addition, it is anticipated that the availability of standardized
   groups will result in optimizations for a particular curve and field
   size as well as allowing precomputation that could result in faster
   implementations.

   In summary, due to the performance advantages of elliptic curve
   groups in IKEv2 implementations and the need for further alignment
   with other standards, this document defines three elliptic curves for
   IKEv2.


2. ECC Groups

   IKEv2 implementations SHOULD support the following three
   Diffie-Hellman groups.

     Group Number        Group Type      Bit Length      Defined

     19                  ECP             256            [IKE-ECP]
     20                  ECP             384            [IKE-ECP]
     21                  ECP             521            [IKE-ECP]



Solinas                                                         [Page 2]


INTERNET-DRAFT            ECC Groups For IKEv2                  May 2005


   The details of the three groups are given in [IKE-ECP], in which
   they are defined for use in the original version of IKE.  The group
   numbers correspond to the anticipated IANA identifiers.  For a full
   list of Diffie-Hellman groups, see [IANA] or {ECG5].


3. Alignment with Other Standards

   The following table summarizes the appearance of these three elliptic
   curve groups in other standards.


   Standard                 Group 19        Group 20        Group 21

   NIST     [DSS]           P-256           P-384           P-521

   ISO/IEC  [ISO-15946-1]   P-256

   ISO/IEC  [ISO-18031]     P-256           P-384           P-521

   ANSI     [X9.62-1998]    Sect. J.5.3,
                            Example 1

   ANSI     [X9.62-2003]    Sect. J.6.5.3   Sect. J.6.6     Sect. J.6.7

   ANSI     [X9.63]         Sect. J.5.4,    Sect. J.5.5     Sect. J.5.6
                            Example 2

   SECG     [SEC2]          secp256r1       secp384r1       secp521r1


   See also [NIST], [ISO-14888-3], [ISO-15946-2], [ISO-15946-3], and
   [ISO-15946-4].


4. Security Considerations

   Since this document proposes new groups for use within IKEv2, many
   of the security considerations contained within [IKEv2] apply here
   as well.

   The groups proposed in this document correspond to the symmetric key
   sizes 128 bits, 192 bits, and 256 bits.  This allows the IKE key
   exchange to offer security comparable with the AES algorithms [AES].


5. IANA Considerations

   This document has no actions for IANA.


Solinas                                                         [Page 3]


INTERNET-DRAFT            ECC Groups For IKEv2                  May 2005


6. References

6.1 Normative

  [IKEv2] C. Kaufman, Internet Key Exchange (IKEv2) Protocol, 2004,
     http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-17.txt

  [IKE-ECP] J. Solinas, ECP Groups For IKE, May 2005,
     draft-ietf-ipsec-ike-ecp-groups-01.txt.


6.2 Informative

  [AES] U.S. Department of Commerce/National Institute of Standards
     and Technology, Advanced Encryption Standard (AES), FIPS PUB 197,
     November 2001.  (http://csrc.nist.gov/publications/fips/index.html)

  [ALGS] J. Schiller, Cryptographic Algorithms for use in the Internet
     Key Exchange Version 2, draft-ietf-ipsec-ikev2-algorithms-05.txt,
     April 2004.

  [DSS] U.S. Department of Commerce/National Institute of Standards
     and Technology, Digital Signature Standard (DSS), FIPS PUB 186-2,
     January 2000.  (http://csrc.nist.gov/publications/fips/index.html)

  [IANA] Internet Assigned Numbers Authority, Internet Key Exchange
     (IKE) Attributes.  (http://www.iana.org/assignments/ipsec-registry)

  [IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC 2409,
     November 1998.

  [ISO-14888-3]  International Organization for Standardization and
     International Electrotechnical Commission, ISO/IEC First
     Committee Draft 14888-3 (2nd ed.), Information Technology:
     Security Techniques: Digital Signatures with Appendix: Part 3 -
     Discrete Logarithm Based Mechanisms.

  [ISO-15946-1]   International Organization for Standardization and
     International Electrotechnical Commission, ISO/IEC 15946-1:
     2002-12-01, Information Technology: Security Techniques:
     Cryptographic Techniques based on Elliptic Curves: Part 1 -
     General.

  [ISO-15946-2]   International Organization for Standardization and
     International Electrotechnical Commission, ISO/IEC 15946-2:
     2002-12-01, Information Technology: Security Techniques:
     Cryptographic Techniques based on Elliptic Curves: Part 2 -
     Digital Signatures.



Solinas                                                         [Page 4]


INTERNET-DRAFT            ECC Groups For IKEv2                  May 2005


  [ISO-15946-3]   International Organization for Standardization and
     International Electrotechnical Commission, ISO/IEC 15946-3:
     2002-12-01, Information Technology: Security Techniques:
     Cryptographic Techniques based on Elliptic Curves: Part 3 -
     Key Establishment.

  [ISO-15946-4]   International Organization for Standardization and
     International Electrotechnical Commission, ISO/IEC 15946-4:
     2004-10-01, Information Technology: Security Techniques:
     Cryptographic Techniques based on Elliptic Curves: Part 4 -
     Digital Signatures giving Message Recovery.

  [ISO-18031] International Organization for Standardization and
     International Electrotechnical Commission, ISO/IEC Final
     Committee Draft 18031, Information Technology: Security
     Techniques: Random Bit Generation, October 2004.

  [NIST] U.S. Department of Commerce/National Institute of Standards
     and Technology. Recommendation for Key Establishment Schemes
     Using Discrete Logarithm Cryptography, NIST Special Publication
     800-56. (http://csrc.nist.gov/CryptoToolkit/KeyMgmt.html)

  [RFC-3526] T. Kivinen and M. Kojo, More Modular Exponential (MODP)
     Diffie-Hellman groups for Internet Key Exchange (IKE), RFC
     3526, May 2003.

  [SEC2] Standards for Efficient Cryptography Group. SEC 2 -
     Recommended Elliptic Curve Domain Parameters, v. 1.0, 2000.
     (http://www.secg.org)

  [X9.62-1998] American National Standards Institute, ANS X9.62-1998:
     Public Key Cryptography for the Financial Services Industry: The
     Elliptic Curve Digital Signature Algorithm.  January 1999.

  [X9.62-2003] American National Standards Institute, ANS X9.62-1998:
     Public Key Cryptography for the Financial Services Industry: The
     Elliptic Curve Digital Signature Algorithm,
     Revised-Draft-2003-02-26, February 2003.

  [X9.63] American National Standards Institute. ANSI X9.63-2001,
     Public Key Cryptography for the Financial Services Industry: Key
     Agreement and Key Transport using Elliptic Curve Cryptography.
     November 2001.








Solinas                                                         [Page 5]


INTERNET-DRAFT            ECC Groups For IKEv2                  May 2005


7. Author's Address

           Jerome A. Solinas
           National Security Agency
           jasolin@orion.ncsc.mil

   Comments are solicited and should be addressed to the author.



   Copyright (C) The Internet Society (2005).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.



   Expires November 27, 2005
























Solinas                                                         [Page 6]