datatracker.ietf.org
Sign in
Version 5.3.0, 2014-04-12
Report a bug

IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)
RFC 4754

Document type: RFC - Proposed Standard (January 2007)
Was draft-ietf-ipsec-ike-auth-ecdsa (individual in sec area)
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html
IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned
IESG State: RFC 4754 (Proposed Standard)
Responsible AD: Russ Housley
Send notices to: defu@orion.ncsc.mil, jasolin@orion.ncsc.mil
Email Authors | IPR Disclosures (6) | References | Referenced By | Check nits | History feed | Search Mailing Lists 
Network Working Group                                              D. Fu
Request for Comment: 4754                                     J. Solinas
Category: Standards Track                                            NSA
                                                            January 2007

                   IKE and IKEv2 Authentication Using
         the Elliptic Curve Digital Signature Algorithm (ECDSA)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document describes how the Elliptic Curve Digital Signature
   Algorithm (ECDSA) may be used as the authentication method within the
   Internet Key Exchange (IKE) and Internet Key Exchange version 2
   (IKEv2) protocols.  ECDSA may provide benefits including
   computational efficiency, small signature sizes, and minimal
   bandwidth compared to other available digital signature methods.
   This document adds ECDSA capability to IKE and IKEv2 without
   introducing any changes to existing IKE operation.

Table of Contents

   1. Introduction ....................................................2
   2. Requirements Terminology ........................................2
   3. ECDSA ...........................................................2
   4. Specifying ECDSA within IKE and IKEv2 ...........................3
   5. Security Considerations .........................................3
   6. IANA Considerations .............................................4
   7. ECDSA Data Formats ..............................................4
   8. Test Vectors ....................................................4
      8.1. ECDSA-256 ..................................................5
      8.2. ECDSA-384 ..................................................7
      8.3. ECDSA-521 .................................................10
   9. References .....................................................13
      9.1. Normative References ......................................13
      9.2. Informative References ....................................14

Fu & Solinas                Standards Track                     [Page 1]
RFC 4754        IKE and IKEv2 Authentication Using ECDSA    January 2007

1.  Introduction

   The Internet Key Exchange, or IKE [IKE], is a key agreement and
   security negotiation protocol; it is used for key establishment in
   IPsec.  In the initial set of exchanges, both parties must
   authenticate each other using a negotiated authentication method.  In
   the original version of IKE, this occurs in Phase 1; in IKEv2, it
   occurs in the exchange called IKE-AUTH.  One option for the
   authentication method is digital signatures using public key
   cryptography.  Currently, there are two digital signature methods
   defined for use within Phase 1 and IKE-AUTH: RSA signatures and
   Digital Signature Algorithm (DSA) Digital Signature Standard (DSS)
   signatures.  This document introduces ECDSA signatures as a third
   method.

   For any given level of security against the best attacks known, ECDSA
   signatures are smaller than RSA signatures, and ECDSA keys require
   less bandwidth than DSA keys [LV]; there are also advantages of
   computational speed and efficiency in many settings.  Additional
   efficiency may be gained by simultaneously using ECDSA for IKE/IKEv2
   authentication and using elliptic curve groups for the IKE/IKEv2 key
   exchange.  Implementers of IPsec and IKE/IKEv2 may therefore find it
   desirable to use ECDSA as the Phase 1/IKE-AUTH authentication method.

2.  Requirements Terminology

   The key word "SHALL" in this document is to be interpreted as
   described in [RFC2119].

3.  ECDSA

   The Elliptic Curve Digital Signature Algorithm (ECDSA) is the
   elliptic curve analogue of the DSA (DSS) signature method [DSS].  It
   is defined in the ANSI X9.62 standard [X9.62-2003].  Other compatible
   specifications include FIPS 186-2 [DSS], IEEE 1363 [IEEE-1363], IEEE
   1363A [IEEE-1363A], and SEC1 [SEC].

   ECDSA signatures are smaller than RSA signatures of similar
   cryptographic strength.  ECDSA public keys (and certificates) are
   smaller than similar strength DSA keys, resulting in improved
   communications efficiency.  Furthermore, on many platforms, ECDSA
   operations can be computed more quickly than similar strength RSA or
   DSA operations (see [LV] for a security analysis of key sizes across

[include full document text]