IPSec Working Group J. Solinas, NSA
INTERNET-DRAFT
Expires October 2, 2005 March 31, 2005
ECC Groups For IKEv2
<draft-ietf-ipsec-ikev2-ecc-groups-00.txt>
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Abstract
This document describes ECC groups for use as Diffie-Hellman groups
in the Internet Key Exchange version 2 (IKEv2) protocol. These new
groups are defined to align IKEv2 with other standards, particularly
NIST standards, and with and to provide more efficient implementation
than in previously defined groups.
Solinas [Page 1]
INTERNET-DRAFT ECC Groups For IKEv2 March 2005
1. Introduction
This document describes default groups for use in elliptic curve
Diffie-Hellman in IKEv2 in addition to the groups already so defined.
The IKEv2 document [IKEv2] defines Diffie-Hellman groups 1 and 2
from [IKE] for use in IKEv2. The IKEv2 algorithms document [ALGS]
defines group 2 as well as group 14 from [RFC-3526] for IKEv2.
(The numbering of the groups is as in [IANA].) All three of these
groups are MODP modular exponentiation groups.
This document defines ECP type elliptic curve groups for use in
IKEv2. This is done for four reasons:
1. To enable IKEv2 to be implemented in a way that enjoys the
computational and bandwidth advantages of elliptic curves over
modular exponentiation groups.
2. To align IKEv2 with existing ECC standards, particularly
those of NIST.
3. To provide a common elliptic curve environment for users of
IKE and IKEv2.
4. The groups proposed are capable of providing security consistent
with the new Advanced Encryption Standard.
In addition, it is anticipated that the availability of standardized
groups will result in optimizations for a particular curve and field
size as well as allowing precomputation that could result in faster
implementations.
In summary, due to the performance advantages of elliptic curve
groups in IKEv2 implementations and the need for further alignment
with other standards, this document defines three elliptic curves for
IKEv2.
2. ECC Groups
IKEv2 implementations SHOULD support the following three
Diffie-Hellman groups.
Group Number Group Type Bit Length Defined
19 ECP 256 [IKE-ECP]
20 ECP 384 [IKE-ECP]
21 ECP 521 [IKE-ECP]
Solinas [Page 2]
INTERNET-DRAFT ECC Groups For IKEv2 March 2005
The details of the three groups are given in [IKE-ECP], in which
they are defined for use in the original version of IKE. The group
numbers correspond to the anticipated IANA identifiers. For a full
list of Diffie-Hellman groups, see [IANA] or {ECG5].
3. Alignment with Other Standards
The following table summarizes the appearance of these three elliptic
curve groups in other standards.
Standard Group 19 Group 20 Group 21
NIST [DSS] P-256 P-384 P-521
ISO/IEC [ISO-15946-1] P-256
ISO/IEC [ISO-18031] P-256 P-384 P-521
ANSI [X9.62-1998] Sect. J.5.3,
Example 1
ANSI [X9.62-2003] Sect. J.6.5.3 Sect. J.6.6 Sect. J.6.7
ANSI [X9.63] Sect. J.5.4, Sect. J.5.5 Sect. J.5.6
Example 2
SECG [SEC2] secp256r1 secp384r1 secp521r1
See also [NIST], [ISO-14888-3], [ISO-15946-2], [ISO-15946-3], and
[ISO-15946-4].
4. Security Considerations
Since this document proposes new groups for use within IKEv2, many
of the security considerations contained within [IKEv2] apply here
as well.
The groups proposed in this document correspond to the symmetric key
sizes 128 bits, 192 bits, and 256 bits. This allows the IKE key
exchange to offer security comparable with the AES algorithms [AES].
5. IANA Considerations
This document has no actions for IANA.
Solinas [Page 3]
INTERNET-DRAFT ECC Groups For IKEv2 March 2005
6. References
6.1 Normative
[IKEv2] C. Kaufman, Internet Key Exchange (IKEv2) Protocol, 2004,
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-17.txt
[IKE-ECP] J. Solinas, ECP Groups For IKE, March 2005,
draft-ietf-ipsec-ike-ecc-groups-05.txt.
6.2 Informative
[AES] U.S. Department of Commerce/National Institute of Standards
and Technology, Advanced Encryption Standard (AES), FIPS PUB 197,
November 2001. (http://csrc.nist.gov/publications/fips/index.html)
[ALGS] J. Schiller, Cryptographic Algorithms for use in the Internet
Key Exchange Version 2, draft-ietf-ipsec-ikev2-algorithms-05.txt,
April 2004.
[DSS] U.S. Department of Commerce/National Institute of Standards
and Technology, Digital Signature Standard (DSS), FIPS PUB 186-2,
January 2000. (http://csrc.nist.gov/publications/fips/index.html)
[IANA] Internet Assigned Numbers Authority, Internet Key Exchange
(IKE) Attributes. (http://www.iana.org/assignments/ipsec-registry)
[IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC 2409,
November 1998.
[ISO-14888-3] International Organization for Standardization and
International Electrotechnical Commission, ISO/IEC First
Committee Draft 14888-3 (2nd ed.), Information Technology:
Security Techniques: Digital Signatures with Appendix: Part 3 -
Discrete Logarithm Based Mechanisms.
[ISO-15946-1] International Organization for Standardization and
International Electrotechnical Commission, ISO/IEC 15946-1:
2002-12-01, Information Technology: Security Techniques:
Cryptographic Techniques based on Elliptic Curves: Part 1 -
General.
[ISO-15946-2] International Organization for Standardization and
International Electrotechnical Commission, ISO/IEC 15946-2:
2002-12-01, Information Technology: Security Techniques:
Cryptographic Techniques based on Elliptic Curves: Part 2 -
Digital Signatures.
Solinas [Page 4]
INTERNET-DRAFT ECC Groups For IKEv2 March 2005
[ISO-15946-3] International Organization for Standardization and
International Electrotechnical Commission, ISO/IEC 15946-3:
2002-12-01, Information Technology: Security Techniques:
Cryptographic Techniques based on Elliptic Curves: Part 3 -
Key Establishment.
[ISO-15946-4] International Organization for Standardization and
International Electrotechnical Commission, ISO/IEC 15946-4:
2004-10-01, Information Technology: Security Techniques:
Cryptographic Techniques based on Elliptic Curves: Part 4 -
Digital Signatures giving Message Recovery.
[ISO-18031] International Organization for Standardization and
International Electrotechnical Commission, ISO/IEC Final
Committee Draft 18031, Information Technology: Security
Techniques: Random Bit Generation, October 2004.
[NIST] U.S. Department of Commerce/National Institute of Standards
and Technology. Recommendation for Key Establishment Schemes
Using Discrete Logarithm Cryptography, NIST Special Publication
800-56. (http://csrc.nist.gov/CryptoToolkit/KeyMgmt.html)
[RFC-3526] T. Kivinen and M. Kojo, More Modular Exponential (MODP)
Diffie-Hellman groups for Internet Key Exchange (IKE), RFC
3526, May 2003.
[SEC2] Standards for Efficient Cryptography Group. SEC 2 -
Recommended Elliptic Curve Domain Parameters, v. 1.0, 2000.
(http://www.secg.org)
[X9.62-1998] American National Standards Institute, ANS X9.62-1998:
Public Key Cryptography for the Financial Services Industry: The
Elliptic Curve Digital Signature Algorithm. January 1999.
[X9.62-2003] American National Standards Institute, ANS X9.62-1998:
Public Key Cryptography for the Financial Services Industry: The
Elliptic Curve Digital Signature Algorithm,
Revised-Draft-2003-02-26, February 2003.
[X9.63] American National Standards Institute. ANSI X9.63-2001,
Public Key Cryptography for the Financial Services Industry: Key
Agreement and Key Transport using Elliptic Curve Cryptography.
November 2001.
Solinas [Page 5]
INTERNET-DRAFT ECC Groups For IKEv2 March 2005
7. Author's Address
Jerome A. Solinas
National Security Agency
jsolinas@orion.ncsc.mil
Comments are solicited and should be addressed to the author.
Copyright (C) The Internet Society (2005).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Expires October 2, 2005
Solinas [Page 6]