IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)
RFC 4754
Document | Type |
RFC - Proposed Standard
(January 2007; Errata)
Was draft-ietf-ipsec-ike-auth-ecdsa (individual in sec area)
|
|
---|---|---|---|
Authors | David Fu , Jerome Solinas | ||
Last updated | 2016-07-27 | ||
Stream | Internent Engineering Task Force (IETF) | ||
Formats | plain text html pdf htmlized (tools) htmlized bibtex | ||
Reviews | |||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 4754 (Proposed Standard) | |
Action Holders |
(None)
|
||
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | Russ Housley | ||
Send notices to | (None) |
Network Working Group D. Fu Request for Comment: 4754 J. Solinas Category: Standards Track NSA January 2007 IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA) Status of This Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The IETF Trust (2007). Abstract This document describes how the Elliptic Curve Digital Signature Algorithm (ECDSA) may be used as the authentication method within the Internet Key Exchange (IKE) and Internet Key Exchange version 2 (IKEv2) protocols. ECDSA may provide benefits including computational efficiency, small signature sizes, and minimal bandwidth compared to other available digital signature methods. This document adds ECDSA capability to IKE and IKEv2 without introducing any changes to existing IKE operation. Table of Contents 1. Introduction ....................................................2 2. Requirements Terminology ........................................2 3. ECDSA ...........................................................2 4. Specifying ECDSA within IKE and IKEv2 ...........................3 5. Security Considerations .........................................3 6. IANA Considerations .............................................4 7. ECDSA Data Formats ..............................................4 8. Test Vectors ....................................................4 8.1. ECDSA-256 ..................................................5 8.2. ECDSA-384 ..................................................7 8.3. ECDSA-521 .................................................10 9. References .....................................................13 9.1. Normative References ......................................13 9.2. Informative References ....................................14 Fu & Solinas Standards Track [Page 1] RFC 4754 IKE and IKEv2 Authentication Using ECDSA January 2007 1. Introduction The Internet Key Exchange, or IKE [IKE], is a key agreement and security negotiation protocol; it is used for key establishment in IPsec. In the initial set of exchanges, both parties must authenticate each other using a negotiated authentication method. In the original version of IKE, this occurs in Phase 1; in IKEv2, it occurs in the exchange called IKE-AUTH. One option for the authentication method is digital signatures using public key cryptography. Currently, there are two digital signature methods defined for use within Phase 1 and IKE-AUTH: RSA signatures and Digital Signature Algorithm (DSA) Digital Signature Standard (DSS) signatures. This document introduces ECDSA signatures as a third method. For any given level of security against the best attacks known, ECDSA signatures are smaller than RSA signatures, and ECDSA keys require less bandwidth than DSA keys [LV]; there are also advantages of computational speed and efficiency in many settings. Additional efficiency may be gained by simultaneously using ECDSA for IKE/IKEv2 authentication and using elliptic curve groups for the IKE/IKEv2 key exchange. Implementers of IPsec and IKE/IKEv2 may therefore find it desirable to use ECDSA as the Phase 1/IKE-AUTH authentication method. 2. Requirements Terminology The key word "SHALL" in this document is to be interpreted as described in [RFC2119]. 3. ECDSA The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the DSA (DSS) signature method [DSS]. It is defined in the ANSI X9.62 standard [X9.62-2003]. Other compatible specifications include FIPS 186-2 [DSS], IEEE 1363 [IEEE-1363], IEEE 1363A [IEEE-1363A], and SEC1 [SEC]. ECDSA signatures are smaller than RSA signatures of similar cryptographic strength. ECDSA public keys (and certificates) are smaller than similar strength DSA keys, resulting in improved communications efficiency. Furthermore, on many platforms, ECDSA operations can be computed more quickly than similar strength RSA or DSA operations (see [LV] for a security analysis of key sizes across public key algorithms). These advantages of signature size, bandwidth, and computational efficiency may make ECDSA an attractive choice for many IKE and IKEv2 implementations. Fu & Solinas Standards Track [Page 2]Show full document text