Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer Security (TLS) Version 1.3
RFC 8734

Document Type RFC - Informational (February 2020; No errata)
Last updated 2020-02-21
Stream ISE
Formats plain text html xml pdf htmlized bibtex
IETF conflict review conflict-review-bruckert-brainpool-for-tls13
Stream ISE state Published RFC
Consensus Boilerplate Unknown
Document shepherd Adrian Farrel
Shepherd write-up Show (last changed 2019-08-14)
IESG IESG state RFC 8734 (Informational)
Telechat date
Responsible AD (None)
Send notices to Adrian Farrel <rfc-ise@rfc-editor.org>
IANA IANA review state Version Changed - Review Needed
IANA action state RFC-Ed-Ack


Independent Submission                                       L. Bruckert
Request for Comments: 8734                                     J. Merkle
Category: Informational                        secunet Security Networks
ISSN: 2070-1721                                               M. Lochter
                                                                     BSI
                                                           February 2020

 Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer
                       Security (TLS) Version 1.3

Abstract

   Elliptic Curve Cryptography (ECC) Brainpool curves were an option for
   authentication and key exchange in the Transport Layer Security (TLS)
   protocol version 1.2 but were deprecated by the IETF for use with TLS
   version 1.3 because they had little usage.  However, these curves
   have not been shown to have significant cryptographical weaknesses,
   and there is some interest in using several of these curves in TLS
   1.3.

   This document provides the necessary protocol mechanisms for using
   ECC Brainpool curves in TLS 1.3.  This approach is not endorsed by
   the IETF.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not candidates for any level of Internet Standard;
   see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8734.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction
   2.  Requirements Terminology
   3.  Brainpool NamedGroup Types
   4.  Brainpool SignatureScheme Types
   5.  IANA Considerations
   6.  Security Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Test Vectors
     A.1.  256-Bit Curve
     A.2.  384-Bit Curve
     A.3.  512-Bit Curve
   Authors' Addresses

1.  Introduction

   [RFC5639] specifies a new set of elliptic curve groups over finite
   prime fields for use in cryptographic applications.  These groups,
   denoted as ECC Brainpool curves, were generated in a verifiably
   pseudorandom way and comply with the security requirements of
   relevant standards from ISO [ISO1][ISO2], ANSI [ANSI1], NIST [FIPS],
   and SECG [SEC2].

   [RFC8422] defines the usage of elliptic curves for authentication and
   key agreement in TLS 1.2 and earlier versions, and [RFC7027] defines
   the usage of the ECC Brainpool curves for authentication and key
   exchange in TLS.  The latter is applicable to TLS 1.2 and earlier
   versions but not to TLS 1.3, which deprecates the ECC Brainpool curve
   IDs defined in [RFC7027] due to the lack of widespread deployment.
   However, there is some interest in using these curves in TLS 1.3.

   The negotiation of ECC Brainpool curves for key exchange in TLS 1.3,
   according to [RFC8446], requires the definition and assignment of
   additional NamedGroup IDs.  This document provides the necessary
   definition and assignment of additional SignatureScheme IDs for using
   three ECC Brainpool curves from [RFC5639].

   This approach is not endorsed by the IETF.  Implementers and
   deployers need to be aware of the strengths and weaknesses of all
   security mechanisms that they use.

2.  Requirements Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Brainpool NamedGroup Types

   According to [RFC8446], the "supported_groups" extension is used for
   the negotiation of Diffie-Hellman groups and elliptic curve groups
   for key exchange during a handshake starting a new TLS session.  This
   document adds new named groups for three elliptic curves defined in
   [RFC5639] to the "supported_groups" extension, as follows.

           enum {
                brainpoolP256r1tls13(31),
                brainpoolP384r1tls13(32),
                brainpoolP512r1tls13(33)
           } NamedGroup;

Show full document text