Internet Draft                                              M. Lepinski
Intended status: Informational                                  S. Kent
Expires: February 2008                                 BBN Technologies
                                                        August 31, 2007


       Additional Diffie-Hellman Groups for use with IETF Standards
                      draft-lepinski-dh-groups-00.txt


Status of this Memo

   By submitting this Internet-Draft, each author represents that
   any applicable patent or other IPR claims of which he or she is
   aware have been or will be disclosed, and any of which he or she
   becomes aware will be disclosed, in accordance with Section 6 of
   BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on January 2008.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document describes eight Diffie-Hellman groups that can be used
   in conjunction with IETF protocols to provide security for Internet
   communications.  The groups allow implementers to use the same groups
   with a variety of security protocols, e.g., SMIME, SSH, TLS, and IKE.

   All of these groups comply in form and structure with relevant
   standards from ISO, ANSI, NIST and the IEEE. These groups are



Lepinski and Kent       Expires February 2008                  [Page 1]


Internet-Draft       draft-lepinski-DH-groups-00            August 2007


   compatible with all IETF standards that make use of Diffie-Hellman or
   Elliptic Curve Diffie-Hellman crypto.

   These groups and the associated test data are defined by NIST on
   their web site [EX80056A], but have not yet (as of this writing) been
   published in a formal NIST document. Publication of these groups and
   associated test data as an RFC will facilitate development of
   interoperable implementations and support FIPS validation of
   implementations that make use of these groups.

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Table of Contents


   1. Introduction...................................................3
   2. Additional Diffie-Hellman Groups...............................4
      2.1. 1024-bit MODP Group with 160-bit Prime Order Subgroup.....4
      2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup.....5
      2.3. 2048-bit MODP Group with 256-bit Prime Order Subgroup.....5
      2.4. 192-bit Random ECP Group..................................6
      2.5. 224-bit Random ECP Group..................................7
      2.6. 256-bit Random ECP Group..................................8
      2.7. 384-bit Random ECP Group..................................8
      2.8. 521-bit Random ECP Group..................................9
   3. Using these Groups with IETF Standards........................10
      3.1. X.509 Certificates.......................................10
      3.2. IKE......................................................10
      3.3. TLS......................................................11
      3.4. SSH......................................................12
      3.5. SMIME....................................................12
   4. Security Considerations.......................................12
   5. IANA Considerations...........................................13
   6. Acknowledgments...............................................14
   APPENDIX A: Test Data............................................15
      A.1. 1024-bit MODP Group with 160-bit Prime Order Subgroup....15
      A.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup....16
      A.3. 2048-bit MODP Group with 256-bit Prime Order Subgroup....18
      A.4. 192-bit Random ECP Group.................................19
      A.5. 224-bit Random ECP Group.................................20
      A.6. 256-bit Random ECP Group.................................20
      A.7. 384-bit Random ECP Group.................................21
      A.8. 521-bit Random ECP Group.................................22
   7. References....................................................24
      7.1. Normative References.....................................24
      7.2. Informative References...................................25
   Author's Addresses...............................................26
   Intellectual Property Statement..................................26
   Disclaimer of Validity...........................................27

1. Introduction

   This document provides parameters and test data for several Diffie-
   Hellman (D-H) groups that can be used with IETF protocols that employ
   D-H keys (e.g., IKE, TLS, SSH, and SMIME) and with IETF standards
   such as PKIX (for certificates that carry D-H keys). These groups
   complement others already documented for the IETF, including the
   "Oakley" groups defined in RFC 2409 [RFC2409] for use with IKEv1, and
   several additional D-H groups defined later, e.g., [RFC3526] and
   [RFC4492].

   The initial impetus for the definition of D-H groups (in the IETF)
   arose in the IPsec (IKE) context, because of the use of an ephemeral,
   unauthenticated D-H exchange as the starting point for that protocol.
   RFC 2409 defined five standard Oakley Groups: three modular
   exponentiation groups and two elliptic curve groups over GF[2^N]. One
   modular exponentiation group (768 bits - Oakley Group 1) was declared
   to be mandatory for all IKEv1 implementations to support, while the
   other four were optional.  Sixteen additional groups subsequently
   have been defined and assigned values by IANA for use with IKE (v1
   and v2).  All of these additional groups are optional in the IKE
   context.  Of the twenty-one groups defined so far, eight are MODP
   groups (exponentiation groups modulo a prime), ten are EC2N groups
   (elliptic curve groups over GF[2^N]) and three are ECP groups
   (elliptic curve groups over GF[P]).

   The purpose of this document is to provide the parameters and test
   data for eight additional groups, along with instructions on how
   these groups can be used with IETF protocols such as SMIME, SSH, TLS,
   and IKE. Three of these groups were previously specified for use with
   IKE [RFC4753], and five of these groups were previously specified for
   use with TLS [RFC4492]. (The latter document does not provide or
   reference test data for the specified groups). By combining the
   specification of all eight groups with test data and instructions for
   use in a variety of protocols, this document serves as a resource for
   implementers who may wish to offer the same Diffie-Hellman groups for
   use with multiple IETF protocols.

   All of these groups are compatible with applicable ISO [ISO-14888-3],
   ANSI [X9.62], and NIST [NIST80056A] standards for Diffie-Hellman key
   exchange. These groups and the associated test data are defined by
   NIST on their web site [EX80056A], but have not yet (as of this
   writing) been published in a formal NIST document. Publication of
   these groups with associated test data as an RFC will facilitate
   development of interoperable implementations and support FIPS
   validation of implementations that make use of these groups.

2. Additional Diffie-Hellman Groups

   This section contains the specification for 8 groups for use in IKE,
   TLS, SSH, etc. There are three standard prime modulus groups and five
   elliptic curve groups.  All groups were taken from publications of
   the National Institute of Standards and Technology, specifically
   [DSS] and [EX80056A]. Test data for each group is provided in
   Appendix A.

2.1. 1024-bit MODP Group with 160-bit Prime Order Subgroup

   p = 1 mod q

   q = F518AA87 81A8DF27 8ABA4E7D 64B7CB9D 49462353

   p = B10B8F96 A080E01D DE92DE5E AE5D54EC 52C99FBC FB06A3C6
       9A6A9DCA 52D23B61 6073E286 75A23D18 9838EF1E 2EE652C0
       13ECB4AE A9061123 24975C3C D49B83BF ACCBDD7D 90C4BD70
       98488E9C 219A7372 4EFFD6FA E5644738 FAA31A4F F55BCCC0
       A151AF5F 0DC8B4BD 45BF37DF 365C1A65 E68CFDA7 6D4DA708
       DF1FB2BC 2E4A4371

   G = A4D1CBD5 C3FD3412 6765A442 EFB99905 F8104DD2 58AC507F
       D6406CFF 14266D31 266FEA1E 5C41564B 777E690F 5504F213
       160217B4 B01B886A 5E91547F 9E2749F4 D7FBD7D3 B9A92EE1
       909D0D22 63F80A76 A6A24C08 7A091F53 1DBF0A01 69B6A28A
       D662A4D1 8E73AFA3 2D779D59 18D08BC8 858F4DCE F97C2A24
        855E6EEB 22B3B2E5


2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup

   p = 1 mod q

   q = 801C0D34 C58D93FE 99717710 1F80535A 4738CEBC BF389A99
       B36371EB

   p = AD107E1E 9123A9D0 D660FAA7 9559C51F A20D64E5 683B9FD1
       B54B1597 B61D0A75 E6FA141D F95A56DB AF9A3C40 7BA1DF15
       EB3D688A 309C180E 1DE6B85A 1274A0A6 6D3F8152 AD6AC212
       9037C9ED EFDA4DF8 D91E8FEF 55B7394B 7AD5B7D0 B6C12207
       C9F98D11 ED34DBF6 C6BA0B2C 8BBC27BE 6A00E0A0 B9C49708
       B3BF8A31 70918836 81286130 BC8985DB 1602E714 415D9330
       278273C7 DE31EFDC 7310F712 1FD5A074 15987D9A DC0A486D
       CDF93ACC 44328387 315D75E1 98C641A4 80CD86A1 B9E587E8
       BE60E69C C928B2B9 C52172E4 13042E9B 23F10B0E 16E79763
       C9B53DCF 4BA80A29 E3FB73C1 6B8E75B9 7EF363E2 FFA31F71
       CF9DE538 4E71B81C 0AC4DFFE 0C10E64F


   G = AC4032EF 4F2D9AE3 9DF30B5C 8FFDAC50 6CDEBE7B 89998CAF
       74866A08 CFE4FFE3 A6824A4E 10B9A6F0 DD921F01 A70C4AFA
       AB739D77 00C29F52 C57DB17C 620A8652 BE5E9001 A8D66AD7
       C1766910 1999024A F4D02727 5AC1348B B8A762D0 521BC98A
       E2471504 22EA1ED4 09939D54 DA7460CD B5F6C6B2 50717CBE
       F180EB34 118E98D1 19529A45 D6F83456 6E3025E3 16A330EF
       BB77A86F 0C1AB15B 051AE3D4 28C8F8AC B70A8137 150B8EEB
       10E183ED D19963DD D9E263E4 770589EF 6AA21E7F 5F2FF381
       B539CCE3 409D13CD 566AFBB4 8D6C0191 81E1BCFE 94B30269
       EDFE72FE 9B6AA4BD 7B5A0F1C 71CFFF4C 19C418E1 F6EC0179
       81BC087F 2A7065B3 84B890D3 191F2BFA


2.3. 2048-bit MODP Group with 256-bit Prime Order Subgroup

   p = 1 mod q

   q = 8CF83642 A709A097 B4479976 40129DA2 99B1A47D 1EB3750B
        A308B0FE 64F5FBD3

   p = 87A8E61D B4B6663C FFBBD19C 65195999 8CEEF608 660DD0F2
       5D2CEED4 435E3B00 E00DF8F1 D61957D4 FAF7DF45 61B2AA30
       16C3D911 34096FAA 3BF4296D 830E9A7C 209E0C64 97517ABD
       5A8A9D30 6BCF67ED 91F9E672 5B4758C0 22E0B1EF 4275BF7B
       6C5BFC11 D45F9088 B941F54E B1E59BB8 BC39A0BF 12307F5C
       4FDB70C5 81B23F76 B63ACAE1 CAA6B790 2D525267 35488A0E
       F13C6D9A 51BFA4AB 3AD83477 96524D8E F6A167B5 A41825D9
       67E144E5 14056425 1CCACB83 E6B486F6 B3CA3F79 71506026
       C0B857F6 89962856 DED4010A BD0BE621 C3A3960A 54E710C3
       75F26375 D7014103 A4B54330 C198AF12 6116D227 6E11715F
       693877FA D7EF09CA DB094AE9 1E1A1597

   G = 3FB32C9B 73134D0B 2E775066 60EDBD48 4CA7B18F 21EF2054
       07F4793A 1A0BA125 10DBC150 77BE463F FF4FED4A AC0BB555
       BE3A6C1B 0C6B47B1 BC3773BF 7E8C6F62 901228F8 C28CBB18
       A55AE313 41000A65 0196F931 C77A57F2 DDF463E5 E9EC144B
       777DE62A AAB8A862 8AC376D2 82D6ED38 64E67982 428EBC83
       1D14348F 6F2F9193 B5045AF2 767164E1 DFC967C1 FB3F2E55
       A4BD1BFF E83B9C80 D052B985 D182EA0A DB2A3B73 13D3FE14
       C8484B1E 052588B9 B7D2BBD2 DF016199 ECD06E15 57CD0915
       B3353BBB 64E0EC37 7FD02837 0DF92B52 C7891428 CDC67EB6
       184B523D 1DB246C3 2F630784 90F00EF8 D647D148 D4795451
       5E2327CF EF98C582 664B4C0F 6CC41659


2.4. 192-bit Random ECP Group

   Curve P-192: p = 2^(192) - 2^(64) - 1

   Elliptic curve equation: y^2 = x^3 + ax + b (mod p)

   Field size:
     q = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFF

   Curve parameter:
     a = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFC

   Curve parameter:
     b = 64210519 E59C80E7 0FA7E9AB 72243049 FEB8DEEC C146B9B1

   x-coordinate of base point G:
    xG = 188DA80E B03090F6 7CBF20EB 43A18800 F4FF0AFD 82FF1012

   y-coordinate of base point G:
    yG = 07192B95 FFC8DA78 631011ED 6B24CDD5 73F977A1 1E794811

   Order of the point G:
     n = FFFFFFFF FFFFFFFF FFFFFFFF 99DEF836 146BC9B1 B4D22831


2.5. 224-bit Random ECP Group

   Curve P-224: p = 2^(224) - 2^(96) + 1

   Elliptic curve equation: y^2 = x^3 + ax + b (mod p)

   Field size:
     q = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 00000000
         00000001

   Curve parameter:
     a = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFF
         FFFFFFFE

   Curve parameter:
     b = B4050A85 0C04B3AB F5413256 5044B0B7 D7BFD8BA 270B3943
         2355FFB4

   x-coordinate of base point G:
    xG = B70E0CBD 6BB4BF7F 321390B9 4A03C1D3 56C21122 343280D6
         115C1D21

   y-coordinate of base point G:
    yG = BD376388 B5F723FB 4C22DFE6 CD4375A0 5A074764 44D58199
         85007E34

   Order of the point G:
     n = FFFFFFFF FFFFFFFF FFFFFFFF FFFF16A2 E0B8F03E 13DD2945
         5C5C2A3D


2.6. 256-bit Random ECP Group

   Curve P-256: p = 2^(256)-2^(224)+2^(192)+2^(96)-1

   Elliptic curve equation: y^2 = x^3 + ax + b (mod p)

   Field size:
     q = FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF
         FFFFFFFF FFFFFFFF

   Curve parameter:
     a = FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF
         FFFFFFFF FFFFFFFC

   Curve parameter:
     b = 5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6
         3BCE3C3E 27D2604B

   x-coordinate of base point G:
    xG = 6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0
         F4A13945 D898C296

   y-coordinate of base point G:
    yG = 4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE
         CBB64068 37BF51F5

   Order of the point G:
     n = FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84
         F3B9CAC2 FC632551


2.7. 384-bit Random ECP Group

   Curve P-384: p = 2^(384)-2^(128)-2^(96)+2^(32)-1

   Elliptic curve equation: y^2 = x^3 + ax + b (mod p)

   Field size:
     q = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
         FFFFFFFF FFFFFFFE FFFFFFFF 00000000 00000000 FFFFFFFF

   Curve parameter:
     a = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
         FFFFFFFF FFFFFFFE FFFFFFFF 00000000 00000000 FFFFFFFC

   Curve parameter:
     b = B3312FA7 E23EE7E4 988E056B E3F82D19 181D9C6E FE814112
         0314088F 5013875A C656398D 8A2ED19D 2A85C8ED D3EC2AEF

   x-coordinate of base point G:
    xG = AA87CA22 BE8B0537 8EB1C71E F320AD74 6E1D3B62 8BA79B98
         59F741E0 82542A38 5502F25D BF55296C 3A545E38 72760AB7

   y-coordinate of base point G:
    yG = 3617DE4A 96262C6F 5D9E98BF 9292DC29 F8F41DBD 289A147C
         E9DA3113 B5F0B8C0 0A60B1CE 1D7E819D 7A431D7C 90EA0E5F

   Order of the point G:
     n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
         C7634D81 F4372DDF 581A0DB2 48B0A77A ECEC196A CCC52973


2.8. 521-bit Random ECP Group

   Note: This is the curve with ID 21 in the IANA registry of IKE
   Diffie-Hellman groups.


   Curve P-521: p = 2^(521)-1

   Elliptic curve equation: y^2 = x^3 + ax + b (mod p)

   Field size:
     q = 000001FF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
         FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
         FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF

   Curve parameter:
     a = 000001FF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
         FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
         FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFC

   Curve parameter:
     b = 00000051 953EB961 8E1C9A1F 929A21A0 B68540EE A2DA725B
         99B315F3 B8B48991 8EF109E1 56193951 EC7E937B 1652C0BD
         3BB1BF07 3573DF88 3D2C34F1 EF451FD4 6B503F00

   x-coordinate of base point G:
    xG = 000000C6 858E06B7 0404E9CD 9E3ECB66 2395B442 9C648139
         053FB521 F828AF60 6B4D3DBA A14B5E77 EFE75928 FE1DC127
         A2FFA8DE 3348B3C1 856A429B F97E7E31 C2E5BD66

   y-coordinate of base point G:
    yG = 00000118 39296A78 9A3BC004 5C8A5FB4 2C7D1BD9 98F54449
         579B4468 17AFBD17 273E662C 97EE7299 5EF42640 C550B901
         3FAD0761 353C7086 A272C240 88BE9476 9FD16650

   Order of the point G:
     n = 000001FF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
         FFFFFFFF FFFFFFFF FFFFFFFA 51868783 BF2F966B 7FCC0148
         F709A5D0 3BB5C9B8 899C47AE BB6FB71E 91386409
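   The following is an added example, not part of this draft, showing
   the domain-parameter checks an implementation should apply to the
   five ECP groups above before using any of them for ECDH: the printed
   field size q equals the formula stated for p, the curve is not
   singular, G satisfies the curve equation, n lies in the Hasse
   interval (cofactor 1), and n*G is the point at infinity. The affine
   point arithmetic, the h() parser and the function names are this
   example's own; p and n are taken as prime, as stated above, and are
   not re-tested here.

```python
# Added example (not from the draft): domain-parameter checks for the five ECP groups
# of Sections 2.4 - 2.8, using the values printed there. h() parses the draft's hex notation.
def h(s: str) -> int:
    return int(s.replace(" ", ""), 16)

# name -> (p as the formula stated in the draft, then q, a, b, xG, yG, n as printed)
CURVES = {
    "P-192": (2**192 - 2**64 - 1,
              "FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFF",
              "FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFC",
              "64210519 E59C80E7 0FA7E9AB 72243049 FEB8DEEC C146B9B1",
              "188DA80E B03090F6 7CBF20EB 43A18800 F4FF0AFD 82FF1012",
              "07192B95 FFC8DA78 631011ED 6B24CDD5 73F977A1 1E794811",
              "FFFFFFFF FFFFFFFF FFFFFFFF 99DEF836 146BC9B1 B4D22831"),
    "P-224": (2**224 - 2**96 + 1,
              "FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 00000000 00000001",
              "FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFE",
              "B4050A85 0C04B3AB F5413256 5044B0B7 D7BFD8BA 270B3943 2355FFB4",
              "B70E0CBD 6BB4BF7F 321390B9 4A03C1D3 56C21122 343280D6 115C1D21",
              "BD376388 B5F723FB 4C22DFE6 CD4375A0 5A074764 44D58199 85007E34",
              "FFFFFFFF FFFFFFFF FFFFFFFF FFFF16A2 E0B8F03E 13DD2945 5C5C2A3D"),
    "P-256": (2**256 - 2**224 + 2**192 + 2**96 - 1,
              "FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFF",
              "FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFC",
              "5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B",
              "6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296",
              "4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51F5",
              "FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551"),
    "P-384": (2**384 - 2**128 - 2**96 + 2**32 - 1,
              "FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF "
              "FFFFFFFF FFFFFFFE FFFFFFFF 00000000 00000000 FFFFFFFF",
              "FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF "
              "FFFFFFFF FFFFFFFE FFFFFFFF 00000000 00000000 FFFFFFFC",
              "B3312FA7 E23EE7E4 988E056B E3F82D19 181D9C6E FE814112 "
              "0314088F 5013875A C656398D 8A2ED19D 2A85C8ED D3EC2AEF",
              "AA87CA22 BE8B0537 8EB1C71E F320AD74 6E1D3B62 8BA79B98 "
              "59F741E0 82542A38 5502F25D BF55296C 3A545E38 72760AB7",
              "3617DE4A 96262C6F 5D9E98BF 9292DC29 F8F41DBD 289A147C "
              "E9DA3113 B5F0B8C0 0A60B1CE 1D7E819D 7A431D7C 90EA0E5F",
              "FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF "
              "C7634D81 F4372DDF 581A0DB2 48B0A77A ECEC196A CCC52973"),
    "P-521": (2**521 - 1,
              "000001FF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF "
              "FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF",
              "000001FF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF "
              "FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFC",
              "00000051 953EB961 8E1C9A1F 929A21A0 B68540EE A2DA725B 99B315F3 B8B48991 8EF109E1 "
              "56193951 EC7E937B 1652C0BD 3BB1BF07 3573DF88 3D2C34F1 EF451FD4 6B503F00",
              "000000C6 858E06B7 0404E9CD 9E3ECB66 2395B442 9C648139 053FB521 F828AF60 6B4D3DBA "
              "A14B5E77 EFE75928 FE1DC127 A2FFA8DE 3348B3C1 856A429B F97E7E31 C2E5BD66",
              "00000118 39296A78 9A3BC004 5C8A5FB4 2C7D1BD9 98F54449 579B4468 17AFBD17 273E662C "
              "97EE7299 5EF42640 C550B901 3FAD0761 353C7086 A272C240 88BE9476 9FD16650",
              "000001FF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFA "
              "51868783 BF2F966B 7FCC0148 F709A5D0 3BB5C9B8 899C47AE BB6FB71E 91386409"),
}

def ec_add(P, Q, p, a):
    """Affine addition on y^2 = x^3 + a*x + b over GF(p); None is the point at infinity."""
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P + (-P) = O (covers doubling with y = 0)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(k, P, p, a):
    """Double-and-add scalar multiplication (not constant-time; parameter validation only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, p, a)
        P, k = ec_add(P, P, p, a), k >> 1
    return R

def check_domain_params(p, a, b, G, n) -> bool:
    """Checks to run on any curve before ECDH (cofactor 1; p and n assumed prime)."""
    xg, yg = G
    if (4 * a**3 + 27 * b**2) % p == 0:           # singular curve
        return False
    if not (0 <= xg < p and 0 <= yg < p):         # G must be a pair of field elements
        return False
    if (yg * yg - xg**3 - a * xg - b) % p != 0:   # G must lie on the curve
        return False
    if (n - p - 1) ** 2 > 4 * p:                  # n outside the Hasse interval
        return False
    return ec_mul(n, G, p, a) is None             # n*G = O, so the order of G divides n

def validate_all() -> dict:
    """Per-curve result: the printed q equals the stated p formula and all checks pass."""
    results = {}
    for name, (p_formula, q, a, b, xg, yg, n) in CURVES.items():
        p = h(q)
        results[name] = p == p_formula and check_domain_params(p, h(a), h(b), (h(xg), h(yg)), h(n))
    return results
```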


3. Using these Groups with IETF Standards

3.1. X.509 Certificates

   Representation of both MODP and Elliptic Curve Diffie-Hellman public
   keys (and associated parameters) in X.509 certificates is defined in
   [RFC3279]. The MODP groups defined above MUST be represented via the
   syntax defined in Section 2.3.3, and the elliptic curve groups via
   the syntax defined in Section 2.3.5 of that RFC. When a Diffie-
   Hellman public key is encoded in a certificate, if the KeyUsage
   extension is present, the keyAgreement bits MUST be asserted, and
   encipherOnly or decipherOnly (but not both) MAY be asserted.

3.2. IKE

   Use of Diffie-Hellman with IKEv1 is defined in [RFC2409] and its
   use in IKEv2 is defined in [RFC4306]. To enable use of these
   additional groups in IKE, it is required that IANA update the IKE
   registry of Diffie-Hellman groups to include five of the groups
   defined above (for which no group numbers were previously assigned).
   Section 6 details the required IANA actions. RFC 2409 describes how
   to use the output of both MODP and Elliptic Curve Diffie-Hellman
   groups in the key generation process.

   The following table provides the Transform IDs of each of the Diffie-
   Hellman groups as registered in both [IANA-IKE] and [IANA-IKE2].

   NAME                                                    | NUMBER
   --------------------------------------------------------+---------
   1024-bit MODP Group with 160-bit Prime Order Subgroup   | <TBD-1>
   2048-bit MODP Group with 224-bit Prime Order Subgroup   | <TBD-2>
   2048-bit MODP Group with 256-bit Prime Order Subgroup   | <TBD-3>
   192-bit Random ECP Group                                | <TBD-4>
   224-bit Random ECP Group                                | <TBD-5>
   256-bit Random ECP Group                                |   19
   384-bit Random ECP Group                                |   20
   521-bit Random ECP Group                                |   21


3.3. TLS

   Use of Diffie-Hellman in TLS 1.0 is defined in [RFC2246]. The
   specification for TLS 1.1 [RFC4346] does not change how (MODP)
   Diffie-Hellman is used to compute a pre-Master secret. (Currently,
   the TLS working group is in the process of producing a specification
   for TLS 1.2. It is unlikely that TLS 1.2 will make significant
   changes to the use of Diffie-Hellman, and thus the following will
   likely also be applicable to TLS 1.2.)

   A server may employ a certificate containing (fixed) Diffie-Hellman
   parameters, and likewise for a client using a certificate. Thus the
   relevant PKIX RFCs (see 3.1 above) are applicable. Alternatively, a
   server may send ephemeral Diffie-Hellman parameters in the server key
   exchange message, where the message signature is verified using an
   RSA or DSS-signed server certificate. The details for accomplishing
   this for MODP Diffie-Hellman groups are provided in [RFC2246].

   Use of Elliptic Curve Diffie-Hellman in TLS 1.0 and 1.1 is defined in
   [RFC4492]. The Elliptic Curves in this document appear in the IANA EC
   Named Curve Registry [IANA-TLS], although the names in the registry
   are taken from the SECG specification [SECG] and differ from the
   names appearing in NIST publications. The following table provides
   the EC Named Curve ID for each of the elliptic curves along with both
   the NIST name and the SECG name for the curve.

   NAME (NIST)                      |    NUMBER    |    NAME (SECG)
   ---------------------------------+--------------+---------------
   192-bit Random ECP Group         |      19      |    secp192r1
   224-bit Random ECP Group         |      21      |    secp224r1
   256-bit Random ECP Group         |      23      |    secp256r1
   384-bit Random ECP Group         |      24      |    secp384r1
   521-bit Random ECP Group         |      25      |    secp521r1


3.4. SSH

   Use of Diffie-Hellman with SSH was defined initially in [RFC4253].
   That RFC defined two MODP Diffie-Hellman groups, and called for
   registration of additional groups via an IANA registry. However,
   [RFC4419] extended the original model to allow MODP Diffie-Hellman
   parameters to be transmitted as part of the key exchange messages.
   Thus, using RFC 4419, no additional specifications (or IANA registry
   actions) are required to enable use of the MODP groups defined in
   this document. At this time no RFC describes use of Elliptic Curve
   Diffie-Hellman with SSH. However, the Internet Draft [SSH-ECC]
   provided a candidate description of how to make use of Elliptic Curve
   Diffie-Hellman with SSH.

3.5. SMIME

   Use of Diffie-Hellman in SMIME is defined via a discussion of CMS
   encrypted data [RFC3852]. For MODP Diffie-Hellman, the appropriate
   reference is [RFC2631]. This specification calls for a sender to
   extract the Diffie-Hellman (MODP) parameters from a recipient's
   certificate, and thus the PKIX specifications for representation of
   Diffie-Hellman parameters suffice. The sender transmits his public
   key via the OriginatorIdentifierorKey field, or via a reference to
   the sender's certificate.

   Use of Elliptic Curve Diffie-Hellman in CMS is defined in [RFC3278].
   As with use of MODP Diffie-Hellman in the CMS context, the sender is
   assumed to acquire the recipient's public key and parameters from a
   certificate. The sender includes his Elliptic Curve Diffie-Hellman
   public key in the KeyAgreeRecipientInfo originator field. (See
   Section 8.2 of RFC 3278 for details of the ECC-CMS-SharedInfo.)

4. Security Considerations

   The strength of a key derived from a Diffie-Hellman exchange using
   any of the groups defined here depends on the inherent strength of
   the group, the size of the exponent used, and the entropy provided by
   the random number generator used. The groups defined in this document
   were chosen to make the work factor for solving the discrete
   logarithm problem roughly comparable to an attack on the subgroup.

   Using secret keys of an appropriate size is crucial to the security
   of a Diffie-Hellman exchange. For modular exponentiation groups the
   size of the secret key should be equal to the size of q (the size of
   the prime order subgroup). For elliptic curve groups the size of the
   secret key must be equal to the size of n (the order of the point G).
   Using larger secret keys provides absolutely no additional security
   and using smaller secret keys is likely to result in dramatically
   less security. (See [NIST80056A] for more information on selecting
   secret keys.)

   When secret keys of an appropriate size are used, an approximation of
   the strength of each of the Diffie-Hellman groups is provided in the
   table below. For each group, the table contains an RSA key size and
   symmetric key size that provide roughly equivalent levels of
   security. This data is based on the recommendations in [NIST80057].

   GROUP                                      |  SYMMETRIC |   RSA
   -------------------------------------------+------------+-------
   1024-bit MODP with 160-bit Prime Subgroup  |        80  |   1024
   2048-bit MODP with 224-bit Prime Subgroup  |       112  |   2048
   2048-bit MODP with 256-bit Prime Subgroup  |       112  |   2048
   192-bit Random ECP Group                   |        80  |   1024
   224-bit Random ECP Group                   |       112  |   2048
   256-bit Random ECP Group                   |       128  |   3072
   384-bit Random ECP Group                   |       192  |   7680
   521-bit Random ECP Group                   |       256  |  15360

5. IANA Considerations

   When this document becomes an RFC, the following actions are required
   of IANA:

   Update the IKE and IKEv2 registries to include the following five
   groups defined in this document: (Note that the other three ECP
   groups defined in this document have already been added to the IKE
   registry.)

   o  1024-bit MODP Group with 160-bit Prime Order Subgroup

   o  2048-bit MODP Group with 224-bit Prime Order Subgroup

   o  2048-bit MODP Group with 256-bit Prime Order Subgroup

   o  192-bit Random ECP Group

   o  224-bit Random ECP Group

   In [IANA-IKE] and [IANA-IKE2], the groups are to appear as new
   entries in the list of Diffie-Hellman groups given by Group
   Description. The descriptions are to be as stated above. These values
   are then to be filled into the table in Section 4.2 of this document.

6. Acknowledgments

   We wish to thank NIST for publishing the group definitions and
   providing test data to assist implementers in verifying that software
   or hardware correctly implements these groups. This document was
   prepared using 2-Word-v2.0.template.dot.


APPENDIX A: Test Data

   The test data in this appendix is a protocol-independent subset of
   the test data in [EX80056A]. In the test data for the three modular
   exponentiation groups, we use the following notation:

      xU: The secret key of party U

      yU: The public key of party U

      xV: The secret key of party V

      yV: The public key of party V

       Z: The shared secret that results from the Diffie-Hellman
          computation

   In the test data for the four elliptic curve groups, we use the
   following notation:

      dU:   The secret value of party U

      x_qU: The x-coordinate of the public key of party U

      y_qU: The y-coordinate of the public key of party U

      dV:   The secret value of party V

      x_qV: The x-coordinate of the public key of party V

      y_qV: The y-coordinate of the public key of party V

      Z:    The shared secret that results from the Diffie-Hellman
            computation


A.1. 1024-bit MODP Group with 160-bit Prime Order Subgroup

      xU = 6A6764D8 837A8F5C B2D87E5B 078766D8 E1E9BED3

      yU = 477EE744 F322AA81 44C02790 CD5EA571 6106420F 5D630E06
           B88A150E CFBF39CD 6566E8BC 6DC28288 32158B5F 52407D57
           441AE5C8 77B059D1 22ECFF4F 1D3CDE25 0F88F39B 6B80BA75
           134DD0B3 159CAB17 A3A11C14 467518F9 2E1657C6 9A28978E
           35292BFF 3DBA7D0A 7F6DAAA9 9D5C8711 2B58C82C 7EE6C034
           D114CA0F 4A16DEB8

      xV = 4739D45C D8093C45 8EA3AD85 BBAB7700 62871BF6

      yV = 09046D14 18585FA5 D32FAD23 18805CCD 19F857E5 E35CC1A3
           D7F93F7B 15D52BC7 D3B642E7 B56A07F8 1BDFF0C2 A2FE71CA
           F8F5E89C 9989A67D B6BF2332 750AD188 BE9C8372 DE48C1D0
           21473512 52FFF746 F05CBCE6 8A016614 54AE3EDB 612CC4CE
           3ABA089D 1A817F5A 210A1985 650255C0 F0E460A0 16E35BFD
           94FEC560 F9843436

   Hexadecimal value for the shared secret:

      Z  = 02AE79D9 8FF676CD D76FFE60 DAE97ADE 3A3B6DC7 B850F830
           B73FF712 565E029E DF98FFA6 219696D7 422E13E9 A2AE3D67
           0F40CB4B BA852729 478249F2 0BC3EF17 EC98F5E2 EE3A8306
           2264F694 6AA34B60 0BF2D235 1399BDA9 C4B8E1AF 3E353F39
           4AC1D7AE 70B5FA69 0E8E676A B5840377 1E6A37D6 3F966A7A
           3E90295A 08D6DF41

   Decimal value of the shared secret:

      Z  = 18830461872584087022250653356034156473984886465022
           54227558343171847986540459875476823120234109902725
           27700657101923024841406344167856501483918803459263
           14769510754827240926864169342166357694566333478451
           31311934284195303067675700217753376137584696810037
           50822146938040975678472150865125473949119135342718
           9227329
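   The following is an added example, not part of this draft. It checks
   the structure of the Section 2.1 group (p and q prime, p = 1 mod q,
   G of order q), reproduces the A.1 vectors above (yU = G^xU,
   yV = G^xV, and Z computed by both parties), and applies the Section 4
   rule that private keys have the size of q together with the full
   public key validation of [NIST80056A] (2 <= y <= p-2 and y^q = 1
   mod p) to every peer public key before it is used. The h() parser and
   all function names are this example's own.

```python
# Added example (not from the draft): validate the Section 2.1 MODP group,
# reproduce the Appendix A.1 test vectors, and run a validated exchange.
# All constants are copied from the draft; h() parses its hex notation.
import secrets

def h(s: str) -> int:
    return int(s.replace(" ", ""), 16)

Q = h("F518AA87 81A8DF27 8ABA4E7D 64B7CB9D 49462353")
P = h("B10B8F96 A080E01D DE92DE5E AE5D54EC 52C99FBC FB06A3C6 "
      "9A6A9DCA 52D23B61 6073E286 75A23D18 9838EF1E 2EE652C0 "
      "13ECB4AE A9061123 24975C3C D49B83BF ACCBDD7D 90C4BD70 "
      "98488E9C 219A7372 4EFFD6FA E5644738 FAA31A4F F55BCCC0 "
      "A151AF5F 0DC8B4BD 45BF37DF 365C1A65 E68CFDA7 6D4DA708 "
      "DF1FB2BC 2E4A4371")
G = h("A4D1CBD5 C3FD3412 6765A442 EFB99905 F8104DD2 58AC507F "
      "D6406CFF 14266D31 266FEA1E 5C41564B 777E690F 5504F213 "
      "160217B4 B01B886A 5E91547F 9E2749F4 D7FBD7D3 B9A92EE1 "
      "909D0D22 63F80A76 A6A24C08 7A091F53 1DBF0A01 69B6A28A "
      "D662A4D1 8E73AFA3 2D779D59 18D08BC8 858F4DCE F97C2A24 "
      "855E6EEB 22B3B2E5")
# Appendix A.1 test vectors: party U's key pair, party V's key pair, and Z.
X_U = h("6A6764D8 837A8F5C B2D87E5B 078766D8 E1E9BED3")
Y_U = h("477EE744 F322AA81 44C02790 CD5EA571 6106420F 5D630E06 "
        "B88A150E CFBF39CD 6566E8BC 6DC28288 32158B5F 52407D57 "
        "441AE5C8 77B059D1 22ECFF4F 1D3CDE25 0F88F39B 6B80BA75 "
        "134DD0B3 159CAB17 A3A11C14 467518F9 2E1657C6 9A28978E "
        "35292BFF 3DBA7D0A 7F6DAAA9 9D5C8711 2B58C82C 7EE6C034 "
        "D114CA0F 4A16DEB8")
X_V = h("4739D45C D8093C45 8EA3AD85 BBAB7700 62871BF6")
Y_V = h("09046D14 18585FA5 D32FAD23 18805CCD 19F857E5 E35CC1A3 "
        "D7F93F7B 15D52BC7 D3B642E7 B56A07F8 1BDFF0C2 A2FE71CA "
        "F8F5E89C 9989A67D B6BF2332 750AD188 BE9C8372 DE48C1D0 "
        "21473512 52FFF746 F05CBCE6 8A016614 54AE3EDB 612CC4CE "
        "3ABA089D 1A817F5A 210A1985 650255C0 F0E460A0 16E35BFD "
        "94FEC560 F9843436")
Z = h("02AE79D9 8FF676CD D76FFE60 DAE97ADE 3A3B6DC7 B850F830 "
      "B73FF712 565E029E DF98FFA6 219696D7 422E13E9 A2AE3D67 "
      "0F40CB4B BA852729 478249F2 0BC3EF17 EC98F5E2 EE3A8306 "
      "2264F694 6AA34B60 0BF2D235 1399BDA9 C4B8E1AF 3E353F39 "
      "4AC1D7AE 70B5FA69 0E8E676A B5840377 1E6A37D6 3F966A7A "
      "3E90295A 08D6DF41")

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; sufficient for parameter validation."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)   # base a in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                              # a is a witness: n is composite
    return True

def check_group(p: int, q: int, g: int) -> bool:
    """Section 2 structure: p and q prime, p = 1 mod q, g generates the order-q subgroup."""
    return (is_probable_prime(q) and is_probable_prime(p) and (p - 1) % q == 0
            and 1 < g < p - 1 and pow(g, q, p) == 1)

def check_public_key(y: int, p: int, q: int) -> bool:
    """Full public key validation ([NIST80056A]): 2 <= y <= p-2 and y^q = 1 mod p."""
    return 1 < y < p - 1 and pow(y, q, p) == 1

def keypair(p: int, q: int, g: int):
    """Private key of the size of q (Section 4): x in [1, q-1]; public key g^x mod p."""
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)

def shared_secret(x_own: int, y_peer: int, p: int, q: int) -> int:
    """Z = y_peer^x_own mod p, refusing peer keys outside the prime-order subgroup."""
    if not check_public_key(y_peer, p, q):
        raise ValueError("peer public key failed validation")
    return pow(y_peer, x_own, p)

def check_test_vectors() -> bool:
    """Appendix A.1: yU = G^xU, yV = G^xV, and both parties derive the same Z."""
    return (pow(G, X_U, P) == Y_U and pow(G, X_V, P) == Y_V
            and shared_secret(X_U, Y_V, P, Q) == Z
            and shared_secret(X_V, Y_U, P, Q) == Z)

def exchange_agrees() -> bool:
    """Fresh ephemeral exchange between U and V with validation on both sides."""
    x_u, y_u = keypair(P, Q, G)
    x_v, y_v = keypair(P, Q, G)
    return shared_secret(x_u, y_v, P, Q) == shared_secret(x_v, y_u, P, Q)

if __name__ == "__main__":
    print(check_group(P, Q, G), check_test_vectors(), exchange_agrees())
```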


A.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup

      xU = BCC732B2 0597BF04 893C5392 0EC2E9D0 B7BB774C F1B40640
           A2345A27

      yU = 2A19E891 D3BACF8B 7C6CE3A8 538F0F89 B846A3AA 214D0D8B
           801A242F 416F6DFA 51B8D236 6F96DE6F DB985A6C 13DE3930
           23D6736E 21F0F231 B748B250 47766E47 A7A5753F 2DC3AFC1
           AE44719C 17839118 4FDC01CE 631893A8 FEC7EC16 AACEF1D2
           327DD02E 1D84B023 B20B119F 83A7BE07 417FDE59 6591BC38
           FE3655BA 040D46E4 40001C1A 68A06A44 AC252AF8 30DF5C08
           ECDC2132 D2A80E43 5EF21344 8247346E 9062E303 04907879
           7522CAD3 BC949424 2347ECB0 29A3F323 9DFCADF8 62A2539A
           35584D21 038FD2B6 21AF071C C5C827C5 90CEAD0E 98C511FA
           EA445DC1 CED852B5 40DDF6A2 E7C1CD15 C75B9279 E25092F4
           67308A60 D90AB435 5C58214E 044EF1D6

      xV = 0A497196 2C7A18A1 B2A2C70D C5C50682 2863E11E 59A26128
           8D319B79


      yV = 2D337F87 ADDEEDFE 123B6CB6 2AEDFCBC 9E89167F 75B75E40
           0201EBEE 9591089A 30C3C13F BC4F1B0E C051A1E6 208FBA7F
           DEC7CA1F D8BEFBF0 1A739F7A 6A0A92BE ECC776B9 F91AECDF
           3B767F11 7FCE440B D40F1B60 37E0CB03 B5E61778 C6A81EBB
           0ACFF7F7 574D7D51 ED4C1518 AB3C8114 D5D1DB68 D1D3F8B3
           FE42CFA1 32FD9CCD 931FC198 A4C3C603 6557D9E1 560F598B
           E758A537 9982DC0C 653D48AE 4AB05A68 09C8925A BB0AB5A8
           A4D46752 3F58E922 A7D7711E 0691C5EE 70948977 BAD7850A
           DA01FF2C DEE05BA5 A0ACCB30 3B619692 32FBA7F3 59A4C667
           8679A3A5 11CEBADB 361F53BE 687CA9D3 E8F9E559 1E528D2D
           57E808B4 4C639DD1 EB90CE9D 5D88659D

   Hexadecimal value of the shared secret:

      Z  = 76A15BB3 E674EC0F 00C07B8D CD6198DF EFA0379C DAF2DF26
           1BB8AC44 B89FAB46 FB09D7E5 B597C8E0 DA489710 CABA2FBF
           717601BF 1B6766BC 929B335E D7FEFAED F45D2C77 8879549D
           80C9980C 23004753 5EF1F918 5F0BBB83 D7FD2992 C2439211
           67311A32 374A4730 DC386183 5B23DA95 7D7177EB 3488CDEA
           CE2DBF55 3B7F5858 9849D9EC 44DCE6CE 27FF9E34 76ED0CEE
           ABAEC2F2 04207DA8 F3E696B4 FA01DEF5 65E05D96 F904A6C8
           5CA3D95E 77E78BBE CDDD4633 18119EA4 FDEE2DED 39C819A4
           51391B15 5E48BD70 4CDA4A88 81B37514 8BC50DE2 6C870BC1
           BEE267F5 36F253A8 1A1C7E68 0C3B6ED6 B6DFF575 932FB403
           34027291 1C09B9C1 AFF15F06 E3BD718E

   Decimal value of the shared secret:

      Z  = 14975688686790489248602208623009559017450506866866
           06682086719427725030308720632598417395976270607785
           04684398235439327291399561811828019671492993345726
           69735601257689833727225520207083746030517721818565
           78598988338145930373090611305984732188173675327221
           32916094592510680005853669941825602458183958193186
           36102355299995772261041988628967709538721840292220
           40398377297756461439700489066994948105228134875900
           34132575318689985898034410948907547761052464029533
           96446572749846684267954923375127482918325854993708
           28840262218516545488940781814549722943642039374394
           83982131509758160248254749539758211410527916011570
           86559253666034062

A.3. 2048-bit MODP Group with 256-bit Prime Order Subgroup

      xU = 95796E6F 829106A4 2208D7D7 894B735C 626496C5 76D03AEE
           BE3DF641 FCF2E0E1

      yU = 2E9380C8 323AF975 45BC4941 DEB0EC37 42C62FE0 ECE824A6
           ABDBE66C 59BEE024 2911BFB9 67235CEB A35AE13E 4EC752BE
           630B92DC 4BDE2847 A9C62CB8 15274542 1FB7EB60 A63C0FE9
           159FCCE7 26CE7CD8 523D7450 667EF840 E4919121 EB5F01C8
           C9B0D3D6 48A93BFB 75689E82 44AC134A F544711C E79A02DC
           C3422668 4780DDDC B4985941 06C37F5B C7985648 7AF5AB02
           2A2E5E42 F09897C1 A85A11EA 0212AF04 D9B4CEBC 937C3C1A
           3E15A8A0 342E3376 15C84E7F E3B8B9B8 7FB1E73A 15AF12A3
           0D746E06 DFC34F29 0D797CE5 1AA13AA7 85BF6658 AFF5E4B0
           93003CBE AF665B3C 2E113A3A 4E905269 341DC071 1426685F
           4EF37E86 8A8126FF 3F2279B5 7CA67E29

      xV = 7D62A7E3 EF36DE61 7B13D1AF B82C780D 83A23BD4 EE670564
           5121F371 F546A53D

      yV = 575F0351 BD2B1B81 7448BDF8 7A6C362C 1E289D39 03A30B98
           32C5741F A250363E 7ACBC7F7 7F3DACBC 1F131ADD 8E03367E
           FF8FBBB3 E1C57844 24809B25 AFE4D226 2A1A6FD2 FAB64105
           CA30A674 E07F7809 85208863 2FC04923 3791AD4E DD083A97
           8B883EE6 18BC5E0D D047415F 2D95E683 CF14826B 5FBE10D3
           CE41C6C1 20C78AB2 0008C698 BF7F0BCA B9D7F407 BED0F43A
           FB2970F5 7F8D1204 3963E66D DD320D59 9AD9936C 8F44137C
           08B180EC 5E985CEB E186F3D5 49677E80 607331EE 17AF3380
           A725B078 2317D7DD 43F59D7A F9568A9B B63A84D3 65F92244
           ED120988 219302F4 2924C7CA 90B89D24 F71B0AB6 97823D7D
           EB1AFF5B 0E8E4A45 D49F7F53 757E1913

   Hexadecimal value of the shared secret:

      Z  = 86C70BF8 D0BB81BB 01078A17 219CB7D2 7203DB2A 19C877F1
           D1F19FD7 D77EF225 46A68F00 5AD52DC8 4553B78F C60330BE
           51EA7C06 72CAC151 5E4B35C0 47B9A551 B88F39DC 26DA14A0
           9EF74774 D47C762D D177F9ED 5BC2F11E 52C879BD 95098504
           CD9EECD8 A8F9B3EF BD1F008A C5853097 D9D1837F 2B18F77C
           D7BE01AF 80A7C7B5 EA3CA54C C02D0C11 6FEE3F95 BB873993
           85875D7E 86747E67 6E728938 ACBFF709 8E05BE4D CFB24052
           B83AEFFB 14783F02 9ADBDE7F 53FAE920 84224090 E007CEE9
           4D4BF2BA CE9FFD4B 57D2AF7C 724D0CAA 19BF0501 F6F17B4A
           A10F425E 3EA76080 B4B9D6B3 CEFEA115 B2CEB878 9BB8A3B0
           EA87FEBE 63B6C8F8 46EC6DB0 C26C5D7C

   Decimal value of the shared secret:

      Z  = 17014086483691799988179156384159336252014329275393
           54206744899725452335140588665348467087589506642580
           56749459279726135406146753953813645792406438006074
           78115624552232273920609963621474643404371687604213
           61186490258949121810305586450024155046326100657873
           01639682944896871170712618094623782435200684871624
           51349161678002179549584100958328488783183164728487
           11068458748569427217544624298072911100126995766342
           76864677367000401743824008824179942431953835338777
           53639707402834149856651558563193835398981103773564
           50833552080021513813408975159461416341852559558246
           75850808142720983330136576557157066364574374740800
           37115205807529340

A.4. 192-bit Random ECP Group

   dU   = 0C5FABD9 A3A79D09 3D57A6C8 D18FFC57 7CE69FBD 00C8BA71

   x_qU = E496011D F3832BFE 8A13A2BF 49697822 7E186D1D 23EE49E8

   y_qU = 36B18BF3 D714D777 6279BE8E 7F571D54 F1E547ED 4CE452F1

   dV   = A8DC54A1 3B6BFECD 905A34E6 89A796FF 1CEB7761 0E698B81

   x_qV = 243D7694 E3301CF4 4C03DC19 F6BB6E28 C5E29B6C 075582EA

   y_qV = 3D05DF80 B641863D 44BF3A09 1655C692 B313525F 85A5D291

   Hexadecimal value of the shared secret:

   Z    = 2B45D435 CF6EDF4C 1891152B A11EBA09 D46AD2C0 88458F32

   Decimal value of the shared secret:

   Z    = 10610452163963973050194951443312932994709151535451
          36541490
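
   As an added worked example (not part of the draft), the Python below
   re-derives the A.4 vector above.  It assumes the 192-bit Random ECP
   Group is NIST P-192 (secp192r1) and takes the curve parameters from
   SEC 2, which this appendix does not list; it recomputes qU and qV
   from dU and dV, validates each peer's point, and checks that both
   parties derive the Z shown.

```python
# Added example, not from the draft: check the Appendix A.4 ECDH vector.
# Curve parameters are secp192r1 / NIST P-192 from SEC 2 (assumption:
# that is the draft's "192-bit Random ECP Group"); key and Z values
# are copied from A.4.
P = 2**192 - 2**64 - 1
A = P - 3
B = 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1
G = (0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012,
     0x07192B95FFC8DA78631011ED6B24CDD573F977A11E794811)

def on_curve(pt):
    """Public-key validation: coordinates in range and on the curve.
    P-192 has cofactor 1, so this also rules out small-subgroup points."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x**3 + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + Ax + B; None is infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # Q + (-Q) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Left-to-right double-and-add (not constant time; vector checks only)."""
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def ecdh(d, peer_pub):
    """Z = x-coordinate of d * peer_pub, after validating the peer's point."""
    if not on_curve(peer_pub):
        raise ValueError("peer public key is not a valid P-192 point")
    return mul(d, peer_pub)[0]

# Values from Appendix A.4 of the draft.
D_U = 0x0C5FABD9A3A79D093D57A6C8D18FFC577CE69FBD00C8BA71
Q_U = (0xE496011DF3832BFE8A13A2BF496978227E186D1D23EE49E8,
       0x36B18BF3D714D7776279BE8E7F571D54F1E547ED4CE452F1)
D_V = 0xA8DC54A13B6BFECD905A34E689A796FF1CEB77610E698B81
Q_V = (0x243D7694E3301CF44C03DC19F6BB6E28C5E29B6C075582EA,
       0x3D05DF80B641863D44BF3A091655C692B313525F85A5D291)
Z = 0x2B45D435CF6EDF4C1891152BA11EBA09D46AD2C088458F32

def check_vector():
    """True when dU*G == qU, dV*G == qV and both sides derive the draft's Z."""
    return (mul(D_U, G) == Q_U and mul(D_V, G) == Q_V
            and ecdh(D_U, Q_V) == Z and ecdh(D_V, Q_U) == Z)
```
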

A.5. 224-bit Random ECP Group

   dU   = E29A8727 74B90BB1 B2B3481D 0AF97A17 63B5F3E9 9E351D74
          E088EC57

   x_qU = A1381358 7945B280 4F0E6CE2 9EE82F9D BFEFEEED D825DB43
          DF4BA829

   y_qU = 2E4A7E31 2ECEC157 368ADFFC 8BB1F94F 416AD252 00D0BB03
          3D99F78A

   dV   = F19F9E23 05AAB14E C43B4E78 0A71001F 35D0D2C0 AA0AE4E4
          DF3CCCB0

   x_qV = 60DBF3D7 5953812D 5A4460E8 FA2C7F5E 9F0AD36E 26B71434
          5F696372

   y_qV = F5E6427F 46CF17D9 2C5C014E 56771FF3 CF9369D9 49476058
          2BF67824

   Hexadecimal value of the shared secret:

   Z    = 2FFCBA54 E17A0BBC 0558A6A9 38333F74 12190661 D94ECAF4
          30547D10

   Decimal value of the shared secret:

   Z    = 50536439188148753161280880991099858203711795317198
          12947464819080464


A.6. 256-bit Random ECP Group
   dU   = 1FBBB87A 02D939E4 251240F7 0B0AF36C 3AA04D03 85073D84
          6523DF77 86FFE2D0

   x_qU = FF3844D5 13C5C874 95A92B9F 951BA3DF 34731221 6E8050DA
          07AC6A3A 6D803888

   y_qU = ABA4F2B4 C3F4A7A0 4FF05D7F E3F07B16 6714D40D 9A045310
          CEC279D0 0BD1B691

   dV   = E204CAC1 DAB2FC4C AC396277 042D6312 8D5A5E33 5317C50F
          15CDB32C 613521E1

   x_qV = 47E05358 CF21FE52 1D36AA13 014A3043 5D6A8C75 B04B563C
          B3C90B22 9D5D88B5

   y_qV = C15DA098 A84DC449 38BD2BD1 8F6827E3 56A4B178 D872EDB4
          E6805DDA 812FEADA

   Hexadecimal value of the shared secret:

   Z    = 3808D42D FAC73E09 0645CCD6 4E455F93 B93E6C0B B1F561DF
          14A3311A B5C3CE5B

   Decimal value of the shared secret:

   Z    = 25345118707014300900517037727481648141699552488381
          367737963782350957625724507

A.7. 384-bit Random ECP Group
   dU   = 168BBFCE 72A19F7F B7FC01DE B946757B D088CEDF 82B902BE
          1C7566CF EAAFF862 ED424DAF 1D0380CF F0049DA4 3A301548

   x_qU = 3270FDF2 E5C31C37 C6FD007D 67A81641 F55F33B0 F6AA57DE
          382A747D 09A565D6 9EDFAFDC CD29B5DD F535FE45 0DE6DB0A

   y_qU = DB79FFCF 5944A62E 9349FC7A D04069BB F8EC8310 979E8E81
          29D44B69 E4099ED0 9058D7DC 4F6A4A84 97FD33D6 F64B59D0

   dV   = DF7525AB E9D1204F FC30B554 7BE8D889 DF7A5E5F 834E4554
          6114B382 B952D0D7 8EC0E0FC 8071F101 9EB406EF 892307B0

   x_qV = CF8BF93A C83FC537 E980D04F FFB4B6B1 734B9DCB DF98B77D
          7594CC99 34F5F871 A2DD96EC 4D3FBAEF 56076424 8B237BD1

   y_qV = 5B5F180C 4F9A5007 1FE3ADC7 0ED64D36 5E74DB39 4F54316B
          0BF06879 9A4967C2 302C74D2 9EAC6A41 4B8DF7DF 5D1D499A

   Hexadecimal value of the shared secret:

   Z    = 35C0C540 33C33F0A 5597C45D 449A187D 4FDA0E10 E2DA4932
          9595D4B5 67DF7A8E 8C188055 22C743B4 53B71F87 8AB2B668

   Decimal value of the shared secret:

   Z    = 82733454122552091837738968118663958805876224377340
          73017846306519016530235997409287666074578949558939
          390425169049192


A.8. 521-bit Random ECP Group
   dU   = 0000005D 814A4477 8554AC22 F99CCEEA 849A84E6 D9D2294C
          5CB5C65E 0883194D 1978C21E 236A2C7A AE425E1A C0F3DB00
          BC356519 74853729 99AEDA53 2BE5BD7A FD319370

   x_qU = 000001EE 0381337A F5B437AD 414E60D4 9681B81C 035AD5E4
          E44B6B69 7A02F894 0A8BA8EA 3C9B7E25 FD0A85BB 108F0F44
          994CF58C 4B3005AE 205A110A 36ED971E D51D7180

   y_qU = 0000010F C5252109 1E83E94C DB494482 3427B734 470DA66A
          06C8567F BC511BFC DC2B24D8 ECC6DA76 BA125C01 B5985439
          126E785D 1B30AF77 7987C08A 466FDC10 2723DF55

   dV   = 000001F6 6BAC6B8F 8A18B144 9EEB60A8 27E68C02 8C099F5A
          45982459 916BB14A 1CF990DC 42A27D33 D74207D5 4C4C64FF
          747F97D4 52BD775F 5F515E79 B8E8C8ED B691FFFA

   x_qV = 0000014E 1C22331C 606E016E 2F8B5A99 D9820C7C E30CDBCD
          B0A06D03 3BDC2A71 213654AE D4F6311B 3AAFA713 A68743A7
          761ECDBE 15AF1BCC 6B1DA4EC 75B62193 9D2AD938

   y_qV = 000000B9 1534952C E7BDB189 253C2B66 22E97A77 D2B13C45
          6ABB952B FDB604CB C5CAD319 D53E9EE9 D785464C B18159DD
          31BEB019 C79A7148 534EF2BF 2F48357D 63A790E8

   Hexadecimal value of the shared secret:

   Z    = 000001E8 F9228B38 FFD25CA8 7FAE88D6 C16BC786 AE397771
          1CCBA6D5 4EE9C162 3D948F49 ACDD92E6 BC97C2B3 1D70F88A
          55A8DF3E 808DDFE4 3DA0DFCC 930FE8C9 E6C0BAA4

   Decimal value of the shared secret:

   Z    = 65560585252111253009882654696256902830407009540069
          19556406780084270249631704347018296764597543578465
          76421769024791220238648525507689835024346409801803
          7381796

Authors' Addresses

   Matt Lepinski
   BBN Technologies
   10 Moulton St.
   Cambridge, MA 02138

   Email: mlepinski@bbn.com


   Stephen Kent
   BBN Technologies
   10 Moulton St.
   Cambridge, MA 02138

   Email: kent@bbn.com


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.