IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)
RFC 4754
| Document | Type |
RFC - Proposed Standard
(January 2007; Errata)
Was draft-ietf-ipsec-ike-auth-ecdsa (individual in sec area)
|
|
|---|---|---|---|
| Authors | David Fu , Jerome Solinas | ||
| Last updated | 2016-07-27 | ||
| Stream | Internent Engineering Task Force (IETF) | ||
| Formats | plain text html pdf htmlized (tools) htmlized bibtex | ||
| Reviews | |||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 4754 (Proposed Standard) | |
| Action Holders |
(None)
|
||
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Russ Housley | ||
| Send notices to | (None) | ||
Network Working Group D. Fu
Request for Comment: 4754 J. Solinas
Category: Standards Track NSA
January 2007
IKE and IKEv2 Authentication Using
the Elliptic Curve Digital Signature Algorithm (ECDSA)
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document describes how the Elliptic Curve Digital Signature
Algorithm (ECDSA) may be used as the authentication method within the
Internet Key Exchange (IKE) and Internet Key Exchange version 2
(IKEv2) protocols. ECDSA may provide benefits including
computational efficiency, small signature sizes, and minimal
bandwidth compared to other available digital signature methods.
This document adds ECDSA capability to IKE and IKEv2 without
introducing any changes to existing IKE operation.
Table of Contents
1. Introduction ....................................................2
2. Requirements Terminology ........................................2
3. ECDSA ...........................................................2
4. Specifying ECDSA within IKE and IKEv2 ...........................3
5. Security Considerations .........................................3
6. IANA Considerations .............................................4
7. ECDSA Data Formats ..............................................4
8. Test Vectors ....................................................4
8.1. ECDSA-256 ..................................................5
8.2. ECDSA-384 ..................................................7
8.3. ECDSA-521 .................................................10
9. References .....................................................13
9.1. Normative References ......................................13
9.2. Informative References ....................................14
Fu & Solinas Standards Track [Page 1]
RFC 4754 IKE and IKEv2 Authentication Using ECDSA January 2007
1. Introduction
The Internet Key Exchange, or IKE [IKE], is a key agreement and
security negotiation protocol; it is used for key establishment in
IPsec. In the initial set of exchanges, both parties must
authenticate each other using a negotiated authentication method. In
the original version of IKE, this occurs in Phase 1; in IKEv2, it
occurs in the exchange called IKE-AUTH. One option for the
authentication method is digital signatures using public key
cryptography. Currently, there are two digital signature methods
defined for use within Phase 1 and IKE-AUTH: RSA signatures and
Digital Signature Algorithm (DSA) Digital Signature Standard (DSS)
signatures. This document introduces ECDSA signatures as a third
method.
For any given level of security against the best attacks known, ECDSA
signatures are smaller than RSA signatures, and ECDSA keys require
less bandwidth than DSA keys [LV]; there are also advantages of
computational speed and efficiency in many settings. Additional
efficiency may be gained by simultaneously using ECDSA for IKE/IKEv2
authentication and using elliptic curve groups for the IKE/IKEv2 key
exchange. Implementers of IPsec and IKE/IKEv2 may therefore find it
desirable to use ECDSA as the Phase 1/IKE-AUTH authentication method.
2. Requirements Terminology
The key word "SHALL" in this document is to be interpreted as
described in [RFC2119].
3. ECDSA
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the
elliptic curve analogue of the DSA (DSS) signature method [DSS]. It
is defined in the ANSI X9.62 standard [X9.62-2003]. Other compatible
specifications include FIPS 186-2 [DSS], IEEE 1363 [IEEE-1363], IEEE
1363A [IEEE-1363A], and SEC1 [SEC].
ECDSA signatures are smaller than RSA signatures of similar
cryptographic strength. ECDSA public keys (and certificates) are
smaller than similar strength DSA keys, resulting in improved
communications efficiency. Furthermore, on many platforms, ECDSA
operations can be computed more quickly than similar strength RSA or
DSA operations (see [LV] for a security analysis of key sizes across
public key algorithms). These advantages of signature size,
bandwidth, and computational efficiency may make ECDSA an attractive
choice for many IKE and IKEv2 implementations.
Fu & Solinas Standards Track [Page 2]
Show full document text