# Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)

RFC 5349

Document | |||
---|---|---|---|

Type | RFC - Informational (September 2008; No errata) | ||

Last updated | 2013-03-02 | ||

Stream | IETF | ||

Formats | plain text pdf html | ||

Stream | |||

WG state | (None) | ||

Consensus | Unknown | ||

Document shepherd | No shepherd assigned | ||

IESG | |||

IESG state | RFC 5349 (Informational) | ||

Telechat date | |||

Responsible AD | Tim Polk | ||

Send notices to | krb-wg-chairs@ietf.org, draft-zhu-pkinit-ecc@ietf.org |

Network Working Group L. Zhu Request for Comments: 5349 K. Jaganathan Category: Informational K. Lauter Microsoft Corporation September 2008 Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) Status of This Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Abstract This document describes the use of Elliptic Curve certificates, Elliptic Curve signature schemes and Elliptic Curve Diffie-Hellman (ECDH) key agreement within the framework of PKINIT -- the Kerberos Version 5 extension that provides for the use of public key cryptography. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions Used in This Document . . . . . . . . . . . . . . . 2 3. Using Elliptic Curve Certificates and Elliptic Curve Signature Schemes . . . . . . . . . . . . . . . . . . . . . . . 2 4. Using the ECDH Key Exchange . . . . . . . . . . . . . . . . . . 3 5. Choosing the Domain Parameters and the Key Size . . . . . . . . 4 6. Interoperability Requirements . . . . . . . . . . . . . . . . . 6 7. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 9.1. Normative References . . . . . . . . . . . . . . . . . . . 7 9.2. Informative References . . . . . . . . . . . . . . . . . . 8 Zhu, et al. Informational [Page 1] RFC 5349 ECC Support for PKINIT September 2008 1. Introduction Elliptic Curve Cryptography (ECC) is emerging as an attractive public-key cryptosystem that provides security equivalent to currently popular public-key mechanisms such as RSA and DSA with smaller key sizes [LENSTRA] [NISTSP80057]. Currently, [RFC4556] permits the use of ECC algorithms but it does not specify how ECC parameters are chosen or how to derive the shared key for key delivery using Elliptic Curve Diffie-Hellman (ECDH) [IEEE1363] [X9.63]. This document describes how to use Elliptic Curve certificates, Elliptic Curve signature schemes, and ECDH with [RFC4556]. However, it should be noted that there is no syntactic or semantic change to the existing [RFC4556] messages. Both the client and the Key Distribution Center (KDC) contribute one ECDH key pair using the key agreement protocol described in this document. 2. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Using Elliptic Curve Certificates and Elliptic Curve Signature Schemes ECC certificates and signature schemes can be used in the Cryptographic Message Syntax (CMS) [RFC3852] [RFC3278] content type 'SignedData'. X.509 certificates [RFC5280] that contain ECC public keys or are signed using ECC signature schemes MUST comply with [RFC3279]. The signatureAlgorithm field of the CMS data type 'SignerInfo' can contain one of the following ECC signature algorithm identifiers: ecdsa-with-Sha1 [RFC3279] ecdsa-with-Sha256 [X9.62] ecdsa-with-Sha384 [X9.62] ecdsa-with-Sha512 [X9.62] The corresponding digestAlgorithm field contains one of the following hash algorithm identifiers respectively: Zhu, et al. Informational [Page 2] RFC 5349 ECC Support for PKINIT September 2008 id-sha1 [RFC3279] id-sha256 [X9.62] id-sha384 [X9.62] id-sha512 [X9.62] Namely, id-sha1 MUST be used in conjunction with ecdsa-with-Sha1, id-sha256 MUST be used in conjunction with ecdsa-with-Sha256, id-sha384 MUST be used in conjunction with ecdsa-with-Sha384, and id-sha512 MUST be used in conjunction with ecdsa-with-Sha512. Implementations of this specification MUST support ecdsa-with-Sha256 and SHOULD support ecdsa-with-Sha1. 4. Using the ECDH Key Exchange This section describes how ECDH can be used as the AuthenticationShow full document text