IPSec Working Group                                           D. Fu, NSA
INTERNET-DRAFT                                           J. Solinas, NSA
Expires March 30, 2006                                September 30, 2005

               IKE and IKEv2 Authentication Using ECDSA

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Abstract

   This document describes how the Elliptic Curve Digital Signature
   Algorithm (ECDSA) may be used as the authentication method within
   the Internet Key Exchange (IKE) and Internet Key Exchange version 2
   (IKEv2) protocols.  ECDSA may provide benefits including
   computational efficiency, small signature sizes, and minimal
   bandwidth compared to other available digital signature methods.
   This document adds ECDSA capability to IKE without introducing any
   changes to existing IKE operation.

Table of Contents

   1. Introduction
   2. ECDSA
   3. Specifying ECDSA within IKE and IKEv2
   4. Security Considerations
   5. IANA Considerations
   6. Test Vectors
      6.1 Authentication Method 9
      6.2 Authentication Method 10
      6.3 Authentication Method 11
   7. References
      7.1 Normative
      7.2 Informative

1. Introduction

   The Internet Key Exchange, or IKE [IKE], is a key agreement and
   security negotiation protocol; it is used for key establishment in
   IPSec.  In the initial set of exchanges, both parties must
   authenticate each other using a negotiated authentication method.  In
   the original version of IKE, this occurs in Phase 1; in IKEv2, it
   occurs in the exchange called IKE-AUTH.  One option for the
   authentication method is digital signatures using public key
   cryptography.  Currently, there are two digital signature methods
   defined for use within Phase 1 and IKE-AUTH: RSA signatures and DSA
   (DSS) signatures.  This document introduces ECDSA signatures as a
   third method.

   For any given level of security against the best attacks known, ECDSA
   signatures are smaller than RSA signatures and ECDSA keys require
   less bandwidth than DSA keys; there are also advantages of
   computational speed and efficiency in many settings.  Additional
   efficiency may be gained by simultaneously using ECDSA for IKE
   authentication and using elliptic curve groups for the IKE key
   exchange.  Implementers of IPSec and IKE may therefore find it
   desirable to use ECDSA as the Phase 1/IKE-AUTH authentication method.

2. ECDSA

   The Elliptic Curve Digital Signature Algorithm (ECDSA) is the
   elliptic curve analogue of the DSA (DSS) signature method [DSS].  It
   is defined in the ANSI X9.62 standard [X9.62-2003].  Other compatible
   specifications include FIPS 186-2 [DSS], IEEE 1363 [IEEE-1363], IEEE
   1363A [IEEE-1363A], and SEC1 [SEC1].

   ECDSA signatures are smaller than RSA signatures of similar
   cryptographic strength.  ECDSA public keys (and certificates) are
   smaller than similar strength DSA keys, resulting in improved
   communications efficiency.  Furthermore, on many platforms ECDSA
   operations can be computed more quickly than similar strength RSA or
   DSA operations (see [LV] for a security analysis of key sizes across
   public key algorithms).  These advantages of signature size,
   bandwidth, and computational efficiency may make ECDSA an attractive
   choice for many IKE implementations.

3. Specifying ECDSA within IKE and IKEv2

   The original IKE key negotiation protocol consists of two phases,
   Phase 1 and Phase 2.  Within Phase 1, the two negotiating parties
   authenticate each other using either pre-shared keys, digital
   signatures, or public-key encryption.

   The IKEv2 key negotiation protocol begins with two exchanges,
   IKE-SA-INIT and IKE-AUTH.  When not using extensible authentication,
   the IKE-AUTH exchange includes a digital signature or MAC on a block
   of data.

   The IANA-assigned attribute number for authentication using generic
   ECDSA is 8 (see [IANA]), but the parameters and associated hash
   functions are not specified.  This document defines the following
   authentication algorithms along with their anticipated IANA
   attribute numbers.

              Digital      Diffie-
     IANA     Signature    Hellman         Hash
     Value    Algorithm    Group           Function
     -----    ---------    ------------    -------------
       9      ECDSA        P-256 [19]      SHA-256 [4]
      10      ECDSA        P-384 [20]      SHA-384 [5]
      11      ECDSA        P-521 [21]      SHA-512 [6]

   The numbers in brackets are the IANA identifiers for the Diffie-
   Hellman groups and the hash functions.

   The Diffie-Hellman group is understood to use the base points
   supplied in [IKE-ECP].  Therefore the selection of an IANA identifier
   from the above table completely specifies the parameters necessary
   for verifying the signature.

   When ECDSA is used as the digital signature in IKE, the signature
   payload SHALL contain an encoding of the computed signature
   consisting of the concatenation of a pair of integers s and t.  The
   definitions of s and t are given in Section 6 of this document.

   Implementers may find it convenient, when using ECDSA as the
   authentication method, to specify the hash used by ECDSA as the
   value of the hash algorithm attribute.  Implementers may also find
   it convenient to use ECDSA authentication in conjunction with an
   elliptic curve group for the IKE Diffie-Hellman key agreement; see
   [IKE-ECP] for some specific curves for the key agreement.

4. Security Considerations

   Implementers should ensure that appropriate security measures are in
   place when they deploy ECDSA within IKE.  In particular, the security
   of ECDSA requires the careful selection of both key sizes and
   elliptic curve domain parameters.  Selection guidelines for these
   parameters and some specific recommended curves that are considered
   safe are provided in ANSI X9.62 [X9.62-2003], FIPS 186-2 [DSS], and
   SEC 2 [SEC2].

5. IANA Considerations

   Before this document can become an RFC, it is required that IANA
   update its registry of IKE authentication methods in [IANA] to
   include the three options defined in Section 3 of this document.

6. Test Vectors

   The following are examples of the IKEv2 authentication payload for
   each of the three groups specified in this document.

   The following notation is used.  The Diffie-Hellman group is given by
   the elliptic curve y^2 = x^3 - 3 x + b modulo p.  If (x,y) is a
   point on the curve (i.e., x and y satisfy the above equation), then
   (x,y)^n denotes the scalar multiple of the point (x,y) by the
   integer n; it is another point on the curve.  In the literature, the
   scalar multiple is typically denoted n(x,y); the notation (x,y)^n is
   used in order to conform to the notation used in [IKE], [IKEv2], and
   [IKE-ECP].

   The group order for the Diffie-Hellman group is denoted q.  The
   generator is denoted g=(gx,gy).  The hash of the message is denoted
   h.  The signer's static private key is denoted w; it is an integer
   between zero and q.  The signer's static public key is
   g^w=(gwx,gwy).  The ephemeral private key is denoted k; it is an
   integer between zero and q.  The ephemeral public key is
   g^k=(gkx,gky).  The quantity kinv is the integer between zero and
   q such that k*kinv = 1 modulo q.  The first signature component is
   denoted s; it is equal to gkx reduced modulo q.  The second signature
   component is denoted t; it is equal to (h+s*w)*kinv reduced modulo q.

   The test vectors below also include the data for verifying the ECDSA
   signature.  The verifier computes h and the quantity tinv, which is
   the integer between zero and q such that t*tinv = 1 modulo q.  The
   verifier computes

      u = h*tinv modulo q

   and

      v = s*tinv modulo q.

   The verifier computes (gx,gy)^u = (gux,guy) and
   (gwx,gwy)^v = (gwvx,gwvy).  The verifier computes the sum

      (sumx,sumy) = (gux,guy) + (gwvx,gwvy)

   where + denotes addition of points on the elliptic curve.  The
   signature is verified if

      sumx modulo q = s.
6.1 Authentication Method 9

   The parameters for Diffie-Hellman group 19 are

   p:
   FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFF

   b:
   5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B

   q:
   FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551

   gx:
   6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296

   gy:
   4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51F5

   The static and ephemeral keys are given by

   w:
   DC51D386 6A15BACD E33D96F9 92FCA99D A7E6EF09 34E70975 59C27F16 14C88A7F

   gwx:
   2442A5CC 0ECD015F A3CA31DC 8E2BBC70 BF42D60C BCA20085 E0822CB0 4235E970

   gwy:
   6FC98BD7 E50211A4 A27102FA 3549DF79 EBCB4BF2 46B80945 CDDFE7D5 09BBFD7D

   k:
   9E56F509 196784D9 63D1C0A4 01510EE7 ADA3DCC5 DEE04B15 4BF61AF1 D5A6DECE

   gkx:
   CB28E099 9B9C7715 FD0A80D8 E47A7707 9716CBBF 917DD72E 97566EA1 C066957C

   gky:
   2B57C023 5FB74897 68D058FF 4911C20F DBE71E36 99D91339 AFBB903E E17255DC

   The SHA-256 hash of the message "abc" (hex 616263) is

   h:
   BA7816BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C B410FF61 F20015AD

   The signature of the message is (s,t) where

   kinv:
   AFA27894 5AF74B1E 295008E0 3A8984E2 E1C69D9B BBC74AF1 4E3AC4E4 21ABFA61

   s:
   CB28E099 9B9C7715 FD0A80D8 E47A7707 9716CBBF 917DD72E 97566EA1 C066957C

   t:
   86FA3BB4 E26CAD5B F90B7F81 899256CE 7594BB1E A0C89212 748BFF3B 3D5B0315

   The quantities required for verification of the signature are

   tinv:
   33BDC294 E90CFAD6 2A9F2FD1 F8741DA7 7C02A573 E1B53BA1 7A60BA90 4F491952

   u:
   C3875E57 C85038A0 D60370A8 7505200D C8317C8C 534948BE A6559C7C 18E6D4CE

   v:
   3B4E49C4 FDBFC006 FF993C81 A50EAE22 1149076D 6EC09DDD 9FB3B787 F85B6483

   gux:
   4F749762 9362EFBB EE591206 D036568F 239789B2 34960635 C6607EC6 99062600

   guy:
   8490E12D E4DBB68C BF941721 5D8C648E 57A8E0E4 4E176856 3CD58697 001A8D08

   gwvx:
   726E5684 964DB8EA 341D8679 DFB70E04 EDA404E9 94BA730F A43F1E78 ED81211B

   gwvy:
   0C10CBA8 DD2620C1 12A4F9BE 578E4BE1 E64DC0F7 D1D526CA 167749F9 CEC0DF08

   sumx:
   CB28E099 9B9C7715 FD0A80D8 E47A7707 9716CBBF 917DD72E 97566EA1 C066957C

   sumy:
   2B57C023 5FB74897 68D058FF 4911C20F DBE71E36 99D91339 AFBB903E E17255DC

   The signature is valid since sumx modulo q equals s.

   If the signature (s,t) were the one appearing in the authentication
   payload, then the payload would be as follows.

   00000048 00090000 CB28E099 9B9C7715 FD0A80D8 E47A7707 9716CBBF 917DD72E
   97566EA1 C066957C 86FA3BB4 E26CAD5B F90B7F81 899256CE 7594BB1E A0C89212
   748BFF3B 3D5B0315

6.2 Authentication Method 10

   The parameters for Diffie-Hellman group 20 are

   p:
   FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE
   FFFFFFFF 00000000 00000000 FFFFFFFF

   b:
   B3312FA7 E23EE7E4 988E056B E3F82D19 181D9C6E FE814112 0314088F 5013875A
   C656398D 8A2ED19D 2A85C8ED D3EC2AEF

   q:
   FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF C7634D81 F4372DDF
   581A0DB2 48B0A77A ECEC196A CCC52973

   gx:
   AA87CA22 BE8B0537 8EB1C71E F320AD74 6E1D3B62 8BA79B98 59F741E0 82542A38
   5502F25D BF55296C 3A545E38 72760AB7

   gy:
   3617DE4A 96262C6F 5D9E98BF 9292DC29 F8F41DBD 289A147C E9DA3113 B5F0B8C0
   0A60B1CE 1D7E819D 7A431D7C 90EA0E5F

   The static and ephemeral keys are given by

   w:
   0BEB6466 34BA8773 5D77AE48 09A0EBEA 865535DE 4C1E1DCB 692E8470 8E81A5AF
   62E528C3 8B2A81B3 5309668D 73524D9F

   gwx:
   96281BF8 DD5E0525 CA049C04 8D345D30 82968D10 FEDF5C5A CA0C64E6 465A97EA
   5CE10C9D FEC21797 41571072 1F437922

   gwy:
   447688BA 94708EB6 E2E4D59F 6AB6D7ED FF9301D2 49FE49C3 3096655F 5D502FAD
   3D383B91 C5E7EDAA 2B714CC9 9D5743CA

   k:
   B4B74E44 D71A13D5 68003D74 89908D56 4C7761E2 29C58CBF A1895009 6EB7463B
   854D7FA9 92F934D9 27376285 E63414FA

   gkx:
   FB017B91 4E291494 32D8BAC2 9A514640 B46F53DD AB2C6994 8084E293 0F1C8F7E
   08E07C9C 63F2D21A 07DCB56A 6AF56EB3

   gky:
   2C735822 48686C41 8485E7B7 4E707625 A1832769 F7F56E81 7CF83B1E 4690E782
   65B7AD37 BC2F865F DC290DB6 15CDF17F

   The SHA-384 hash of the message "abc" (hex 616263) is

   h:
   CB00753F 45A35E8B B5A03D69 9AC65007 272C32AB 0EDED163 1A8B605A 43FF5BED
   8086072B A1E7CC23 58BAECA1 34C825A7

   The signature of the message is (s,t) where

   kinv:
   EB12876B F6191A29 1AA5780A 3887C3BF E7A5C7E3 21CCA674 886B1228 D9BB3D52
   918EF19F E5CE67E9 80BEDC1E 613D39C0

   s:
   FB017B91 4E291494 32D8BAC2 9A514640 B46F53DD AB2C6994 8084E293 0F1C8F7E
   08E07C9C 63F2D21A 07DCB56A 6AF56EB3

   t:
   B263A130 5E057F98 4D38726A 1B468741 09F417BC A112674C 528262A4 0A629AF1
   CBB9F516 CE0FA7D2 FF630863 A00E8B9F

   The quantities required for verification of the signature are

   tinv:
   06EFACEE 8A657F77 584C5A03 9F7E2720 D61DF84C 8FAC6FA4 9A06F6C4 6E8CDA28
   6ADD7D3B 90E1CDA4 79BD899B EE14B99D

   u:
   CA5E3714 B4B68BB8 5AF0BC69 E12B16C8 8FAFA26A A6598D7E 2D5C3C40 26F7A944
   7D731721 ABE62CC0 1165ABFD 847088E9

   v:
   1342C935 5F1A4563 5435899A C24AEF06 3947CA47 951E89F6 83D73172 F964C359
   69E75EF9 06DA2396 2C747C04 A01137B8

   gux:
   94B90657 77A3B5BE 399CEE66 A9DB4E64 8422E370 F19ED1A9 C699769E 01EC9A30
   E544EB10 7D35F7C9 3FA8FB11 8DCB91ED

   guy:
   45882DC2 CF367F74 3FC02961 2D5B96FC F9A09E28 1C3C162D 0D189267 83841606
   87E9953A CC634CEF 2D9897B8 BEE32BC2

   gwvx:
   6A142FF2 B0B8C552 9B7F78E2 1B014764 440ED8C0 339B2187 13DB9500 3D1A8BA5
   0811C3B8 41B34CA6 E1785BC8 DB9111F4

   gwvy:
   98C2A76C 7E6EDB56 6B1DB657 ED3019F8 2FB94FBB F36124DE C23BB7DE 4B181357
   173F1ABF F3980DF1 F7EC4335 B185CEBF

   sumx:
   FB017B91 4E291494 32D8BAC2 9A514640 B46F53DD AB2C6994 8084E293 0F1C8F7E
   08E07C9C 63F2D21A 07DCB56A 6AF56EB3

   sumy:
   2C735822 48686C41 8485E7B7 4E707625 A1832769 F7F56E81 7CF83B1E 4690E782
   65B7AD37 BC2F865F DC290DB6 15CDF17F

   The signature is valid since sumx modulo q equals s.

   If the signature (s,t) were the one appearing in the authentication
   payload, then the payload would be as follows.

   00000068 000A0000 FB017B91 4E291494 32D8BAC2 9A514640 B46F53DD AB2C6994
   8084E293 0F1C8F7E 08E07C9C 63F2D21A 07DCB56A 6AF56EB3 B263A130 5E057F98
   4D38726A 1B468741 09F417BC A112674C 528262A4 0A629AF1 CBB9F516 CE0FA7D2
   FF630863 A00E8B9F

6.3 Authentication Method 11

   The parameters for Diffie-Hellman group 21 are

   p:
   01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
   FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
   FFFF

   b:
   0051953E B9618E1C 9A1F929A 21A0B685 40EEA2DA 725B99B3 15F3B8B4 89918EF1
   09E15619 3951EC7E 937B1652 C0BD3BB1 BF073573 DF883D2C 34F1EF45 1FD46B50
   3F00

   q:
   01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
   FFFA5186 8783BF2F 966B7FCC 0148F709 A5D03BB5 C9B8899C 47AEBB6F B71E9138
   6409

   gx:
   00C6858E 06B70404 E9CD9E3E CB662395 B4429C64 8139053F B521F828 AF606B4D
   3DBAA14B 5E77EFE7 5928FE1D C127A2FF A8DE3348 B3C1856A 429BF97E 7E31C2E5
   BD66

   gy:
   01183929 6A789A3B C0045C8A 5FB42C7D 1BD998F5 4449579B 446817AF BD17273E
   662C97EE 72995EF4 2640C550 B9013FAD 0761353C 7086A272 C24088BE 94769FD1
   6650

   The static and ephemeral keys are given by

   w:
   0065FDA3 409451DC AB0A0EAD 45495112 A3D813C1 7BFD34BD F8C1209D 7DF58491
   20597779 060A7FF9 D704ADF7 8B570FFA D6F062E9 5C7E0C5D 5481C5B1 53B48B37
   5FA1

   gwx:
   0151518F 1AF0F563 517EDD54 85190DF9 5A4BF57B 5CBA4CF2 A9A3F647 4725A35F
   7AFE0A6D DEB8BEDB CD6A197E 592D4018 8901CECD 650699C9 B5E456AE A5ADD190
   52A8

   gwy:
   006F3B14 2EA1BFFF 7E2837AD 44C9E4FF 6D2D34C7 3184BBAD 90026DD5 E6E85317
   D9DF45CA D7803C6C 20035B2F 3FF63AFF 4E1BA64D 1C077577 DA3F4286 C58F0AEA
   E643

   k:
   00C1C2B3 05419F5A 41344D7E 4359933D 734096F5 56197A9B 244342B8 B62F46F9
   373778F9 DE6B6497 B1EF825F F24F42F9 B4A4BD73 82CFC337 8A540B1B 7F0C1B95
   6C2F

   gkx:
   0154FD38 36AF92D0 DCA57DD5 341D3053 988534FD E8318FC6 AAAAB68E 2E6F4339
   B19F2F28 1A7E0B22 C269D93C F8794A92 78880ED7 DBB8D936 2CAEACEE 54432055
   2251

   gky:
   006D073D 72B272EA 86388D86 8EF64D4C 300A67AC 2981C0F8 E6710AEF A2FCF845
   8117B05E B91BA11C 68BCFC1B C24587E3 A1D0CA2A FE398CDB CFD79CB3 0B36B218
   B437

   The hash of the message "abc" (hex 616263) is

   SHA-512(616263):
   DDAF35A1 93617ABA CC417349 AE204131 12E6FA4E 89A97EA2 0A9EEEE6 4B55D39A
   2192992A 274FC1A8 36BA3C23 A3FEEBBD 454D4423 643CE80E 2A9AC94F A54CA49F

   Therefore the quantity h is

   h:
   0000DDAF 35A19361 7ABACC41 7349AE20 413112E6 FA4E89A9 7EA20A9E EEE64B55
   D39A2192 992A274F C1A836BA 3C23A3FE EBBD454D 4423643C E80E2A9A C94FA54C
   A49F

   The signature of the message is (s,t) where

   kinv:
   00E90EF3 CE52F8D1 E5A4EEBD 0905F425 2400B0AE 73B49E33 23BCE258 A55F507D
   7C45F3A2 DE3A3EA2 E51D9343 46D71593 A80C8C62 FE229DDF 5D2B64B7 AF4A0837
   0D32

   s:
   0154FD38 36AF92D0 DCA57DD5 341D3053 988534FD E8318FC6 AAAAB68E 2E6F4339
   B19F2F28 1A7E0B22 C269D93C F8794A92 78880ED7 DBB8D936 2CAEACEE 54432055
   2251

   t:
   017705A7 030290D1 CEB605A9 A1BB03FF 9CDD521E 87A696EC 926C8C10 C8362DF4
   97536710 1F67D1CF 9BCCBF2F 3D239534 FA509E70 AAC851AE 01AAC68D 62F86647
   2660

   The quantities required for verification of the signature are

   tinv:
   00DDA6B8 83CB36BF CB21D5B0 B7D1F443 9D3C7797 B23A8D73 58032D5C C917142E
   3F6778BD 977D8460 867853AE 9C74EF5E 417CFA96 F7C937C1 418D9343 738A1BA8
   78E0

   u:
   019E5FDB ECC2A88B 72679233 11B27868 427AE2B8 83ED0346 9CBABE65 ACD3F2F8
   D74FA657 8A23C85D 598D1DC6 C1DA074E 0AB83852 BDAAE2F1 857713D3 5BB9BDB7
   32D8

   v:
   0069BB0C BA5A6FC8 8A08C0AD AA88F5A5 1EE60477 2D084D98 63DF86FD 958AD9B3
   006E62C4 30CE545E 9C918F04 D852DA13 47CC6A3E FA89BC2C 13B89124 25BA8D60
   BF03

   gux:
   00921F3E CEAF579C FDDA6AF9 C1728E5B CA33F77B 57F5984C 624BFF10 F244B577
   144CA24E 20310DEF 2F777892 DA1ED5DE A9A6EF09 85D965AE 98BCF129 855C6C4F
   3311

   guy:
   01812CBF E8D08BE9 0CD6AB5D 2ED107A0 123A41A9 C15ACB31 7D65E228 92D89AF8
   C29A4220 83E3495E D14726A0 9868AF1B 399CEF86 6DDDE6B1 0D709696 06525D15
   B4EB

   gwvx:
   00AF23A7 7F50CC54 8CEBC506 58FE4A0B A26FF9DE 4E864DE2 7FD059B6 3AE14B5F
   87286BC7 7AAEBA32 4FF675A1 FF7035B6 89AF3835 95F8B5A8 67432FFE 8BF29CF6
   0688

   gwvy:
   017A32C4 5A01DF60 3CA96FDF E83493BB 4CB5EE00 C32960A5 4FEB0B39 88841E2F
   9D52B745 C5A7FEC6 777BB899 B65730E9 32D1395D C0574D3C F1093C64 505804D0
   A5B3

   sumx:
   0154FD38 36AF92D0 DCA57DD5 341D3053 988534FD E8318FC6 AAAAB68E 2E6F4339
   B19F2F28 1A7E0B22 C269D93C F8794A92 78880ED7 DBB8D936 2CAEACEE 54432055
   2251

   sumy:
   006D073D 72B272EA 86388D86 8EF64D4C 300A67AC 2981C0F8 E6710AEF A2FCF845
   8117B05E B91BA11C 68BCFC1B C24587E3 A1D0CA2A FE398CDB CFD79CB3 0B36B218
   B437

   The signature is valid since sumx modulo q equals s.

   If the signature (s,t) were the one appearing in the authentication
   payload, then the payload would be as follows.

   0000008C 000B0000 0154FD38 36AF92D0 DCA57DD5 341D3053 988534FD E8318FC6
   AAAAB68E 2E6F4339 B19F2F28 1A7E0B22 C269D93C F8794A92 78880ED7 DBB8D936
   2CAEACEE 54432055 22510177 05A70302 90D1CEB6 05A9A1BB 03FF9CDD 521E87A6
   96EC926C 8C10C836 2DF49753 67101F67 D1CF9BCC BF2F3D23 9534FA50 9E70AAC8
   51AE01AA C68D62F8 66472660

7. References

7.1 Normative

   [IANA] Internet Assigned Numbers Authority, Internet Key Exchange
   (IKE) Attributes.  (http://www.iana.org/assignments/ipsec-registry)

   [IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC 2409,
   November 1998.

   [IKEv2] C. Kaufman, Internet Key Exchange (IKEv2) Protocol, 2004,
   http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-17.txt

   [IKE-ECP] D. Fu and J. Solinas, ECP Groups For IKE and IKEv2, 2005.
   (draft-ietf-ipsec-ike-ecp-groups-02.txt)

   [SHS] FIPS 180-2, "Secure Hash Standard", National Institute of
   Standards and Technology, 2002.

   [X9.62-2003] American National Standards Institute, X9.62-1998:
   Public Key Cryptography for the Financial Services Industry: The
   Elliptic Curve Digital Signature Algorithm,
   Revised-Draft-2003-02-26, February 2003.

7.2 Informative

   [DSS] U.S. Department of Commerce/National Institute of Standards
   and Technology, Digital Signature Standard (DSS), FIPS PUB 186-2,
   January 2000.  (http://csrc.nist.gov/publications/fips/index.html)

   [IEEE-1363] Institute of Electrical and Electronics Engineers.
   IEEE 1363-2000, Standard for Public Key Cryptography.
   (http://grouper.ieee.org/groups/1363/index.html)

   [IEEE-1363A] Institute of Electrical and Electronics Engineers.
   IEEE 1363A-2004, Standard for Public Key Cryptography -
   Amendment 1: Additional Techniques.
   (http://grouper.ieee.org/groups/1363/index.html)

   [LV] A. Lenstra and E. Verheul, "Selecting Cryptographic Key
   Sizes", Journal of Cryptology 14 (2001), pp. 255-293.

   [RFC-3279] Bassham, L., Housley, R., and Polk, W., RFC 3279,
   Algorithms and Identifiers for the Internet X.509 Public Key
   Infrastructure Certificate and Certificate Revocation List (CRL)
   Profile, 2002.  (http://www.ietf.org/rfc/rfc3279.txt)

   [RFC-3280] Housley, R., Polk, W., Ford, W. and D. Solo, RFC 3280,
   Internet X.509 Public Key Infrastructure Certificate and
   Certificate Revocation List (CRL) Profile, 2002.
   (http://www.ietf.org/rfc/rfc3280.txt)

   [SEC1] Standards for Efficient Cryptography Group.  SEC 1 - Elliptic
   Curve Cryptography, v. 1.0, 2000.  (http://www.secg.org)

   [SEC2] Standards for Efficient Cryptography Group.  SEC 2 -
   Recommended Elliptic Curve Domain Parameters, v. 1.0, 2000.
   (http://www.secg.org)

8. Authors' Addresses

   David E. Fu
   National Information Assurance Research Laboratory
   National Security Agency
   defu@orion.ncsc.mil

   Jerome A. Solinas
   National Information Assurance Research Laboratory
   National Security Agency
   jasolin@orion.ncsc.mil

   Comments are solicited and should be addressed to the authors.

   Copyright (C) The Internet Society (2005).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Expires March 30, 2006