Network Working Group A. Jivsov
Internet Draft PGP Corporation
Intended status: Internet Draft April 28, 2008
Expires: October 25, 2008
ECC in OpenPGP
draft-jivsov-openpgp-ecc-00.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-
Drafts as reference material or to cite them other than as "work
in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on October 25, 2008.
Copyright Notice
Copyright (C) The IETF Trust (2008).
A. Jivsov Expires October 25, 2008 [Page 1]
Internet-Draft ECC in OpenPGP April 2008
Abstract
This document proposes an Elliptic Curve Cryptography extension to
the OpenPGP public key format and specifies three Elliptic Curves
that enjoy broad support by other standards, including NIST
standards. The document aims to standardize an optimal but narrow
set of parameters for best interoperability and it does so within
the framework it defines that can be expanded in the future to
allow more choices.
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in [RFC2119].
An application MAY implement this draft; note that any [RFC2119]
keyword within this draft applies to an OpenPGP application only if
it chooses to implement this draft.
Table of Contents
1. Introduction.................................................2
2. Elliptic Curve Cryptography..................................3
3. Supported ECC curves.........................................3
4. Supported public key algorithms..............................3
5. Conversion primitives........................................4
6. Key Derivation Function......................................4
7. EC DH Algorithm (ECDH).......................................5
8. Encoding of public and private keys..........................7
9. Data encoding with public keys...............................8
10. ECC curve ID................................................8
11. Compatibility profiles......................................9
11.1. OpenPGP ECC profile....................................9
11.2. Suite-B profile........................................9
11.2.1. Secret information................................9
11.2.2. Top Secret information............................9
11.3. Interoperability with Suite-B profile..................9
12. Security Considerations....................................10
13. IANA Considerations........................................12
14. Normative references.......................................13
1. Introduction
The OpenPGP protocol [RFC4880] supports RSA and DSA public key
formats. This document defines the extension to incorporate
A. Jivsov Expires October 25, 2008 [Page 2]
Internet-Draft ECC in OpenPGP April 2008
support for public keys that are based on Elliptic Curve
Cryptography (ECC).
2. Elliptic Curve Cryptography
This specification establishes the minimum set of Elliptic Curve
Cryptography public key parameters and cryptographic methods that
will likely satisfy the widest range of platforms and applications
and facilitate interoperability.
The set meets the requirements of Suite-B and includes an
additional Elliptic Curve (EC) beyond Suite-B requirements,
allowing users to match the level of security of every type of AES
algorithm specified in [RFC4880].
This document defines a path to expand ECC support in the future.
3. Supported ECC curves
This standard defines three named prime field curves, that are
defined in [FIPS 186-2] as "Curve P-256", "Curve P-384", "Curve
P-521".
To identify the named curves new ECC public key algorithm-specific
parameter is introduced: the ECC curve ID, defined in section 10.
4. Supported public key algorithms
Supported public key algorithms are Elliptic Curve Digital
Signature Algorithm (ECDSA), defined in [FIPS 186-2], and Elliptic
Curve Diffie-Hellman (ECDH), defined in section 7.
Other compatible definition of ECDSA can be found in [SEC1].
The section 9.1. Public-Key Algorithms of [RFC4880] is expanded to
define the following public key algorithm IDs:
ID Description of algorithm
19 ECDSA public key algorithm
[to be ECDH public key algorithm
ASSIGNED]
presumably 22
A. Jivsov Expires October 25, 2008 [Page 3]
Internet-Draft ECC in OpenPGP April 2008
Applications MUST support ECDSA and ECDH.
5. Conversion primitives
The method to convert an EC point to the octet string is defined in
[SEC1]. This specification only defines uncompressed point
format. For convenience, the synopsis of the encoding method is
given below, however, the [SEC1] is the normative source of the
definition.
The point is encoded in MPI format. The content of the MPI is the
following:
B = B0 || x || y
where x and y are coordinates of the point P = (x, y), each encoded
in big endian format and zero-padded to the underlying field size.
B0 is a byte with following values:
value description
0 Point O. In this case there is no x or y octets present.
4 Uncompressed point. x and y of EC point values follow.
Note that point O shall not appear in a public or a private
key. Therefore, the size of the MPI payload is always curve_size*2
+ 3 bits. For example, for "Curve P-256" the point is represented
as a bit string of length 515 bits.
If other conversion methods are defined in the future, the
application MAY use them only when it is certain that every
recipient of the data supports the other format.
6. Key Derivation Function
A key derivation function (KDF) is necessary to implement EC
encryption. The Concatenation Key Derivation Function (Approved
Alternative 1) defined in [NIST SP800-56A] is REQUIRED with the
following restriction: the KDF hash function MAY be any of the
following hash functions specified by [FIPS 180-2]: SHA2-256,
SHA2-384, SHA2-512. See section 12 for the details regarding the
choice of the hash function.
A. Jivsov Expires October 25, 2008 [Page 4]
Internet-Draft ECC in OpenPGP April 2008
For convenience, the synopsis of the encoding method is given
below, however, [NIST SP800-56A] is the normative source of the
definition.
// Implements KDF( X, oBits, P );
// Input: point X = (x,y)
// oBits - the desired size of output
// hBits - the size of output of hash function Hash
// P - octets representing the parameters
counter=1;
threshold = (oBits + hBits - 1) / hBits;
// Convert the point P to octet string as defined in section 6:
// ZB' = 04 || x || y
// and extract the x portion from ZB':
ZB = x;
do {
C32 = (uint32)big_endian(counter);
HB = Hash ( ZB || C32 || P );
MB = MB || HB;
} while( counter <= threshold );
return oBits leftmost bits of MB
7. EC DH Algorithm (ECDH)
The method is a combination of ECC Diffie-Hellman method to
establish a shared secret and a key wrapping method that uses the
shared secret to protect symmetric encryption key.
One-Pass Diffie-Hellman method C(1, 1, ECC CDH), defined in [NIST
SP800-56A], SHOULD be implemented with the following restrictions:
ECC CDH primitive employed by this method is modified to always
assume the cofactor as 1, KDF specified in section 6 is used, and
KDF parameters specified below are used.
Key derivation parameters MUST be encoded as 40 octets. These 40
octets are the result of concatenation of the following 7 fields,
each of them is considered a fixed-length field of corresponding
size:
o a one-octet curve ID defined in section 10
o a one-octet public key algorithm ID defined in section 4
o a one-octet value 01, reserved for future extensions
A. Jivsov Expires October 25, 2008 [Page 5]
Internet-Draft ECC in OpenPGP April 2008
o a one-octet hash function ID used in KDF; according to section
6, this octet is 08 for SHA2-256, 09 for SHA2-384, or 10 for
SHA2-512
o a one-octet algorithm ID for the symmetric algorithm used to
wrap the symmetric key for message encryption; the method is
defined later in this section
o 15 octets representing the UTF-8 encoding of the string
"AnonymousSender"
o 20 octets representing recipient encryption subkey or master key
fingerprint, identifying the key material that is needed for
decryption
The key wrapping method is based on [RFC3394]. KDF produces the
AES key that is used as KEK according to [RFC3394]. Refer to
section 12 for the details regarding the choice of the KEK
algorithm, which MUST be one of three AES algorithms.
The input to key wrapping method is the value "m" derived from the
session key as described in section 5.1. Public-Key Encrypted
Session Key Packets (Tag 1) of [RFC4880], except, the PKCS#1.5
padding step is omitted.
The output of the method consists of two fields. The first field
is the MPI with the ephemeral key used to establish shared
secret. The second field is composed of the following two fields:
o a one octet, encoding the size in octets of the result of the
key wrapping method; the value 255 is reserved for future
extensions
o up to 254 octets representing the result of the key wrapping
method applied to session key encoded as described above
Note that for session key sizes 128, 192, and 256 bits the size of
the result of the key wrapping method is, respectfully, 32, 40, and
48 octets.
For convenience, the synopsis of the encoding method is given
below, however, this section, [NIST SP800-56A], and [RFC3394] are
the normative sources of the definition.
Obtain authenticated recipient public key R
Generate ephemeral key pair {v, V=vG}
Compute shared point S = vR;
m = symm_alg_ID || session key.
A. Jivsov Expires October 25, 2008 [Page 6]
Internet-Draft ECC in OpenPGP April 2008
Param = curve_ID || public_key_alg_ID || 01 || KDF_hash_ID ||
AES_alg_ID for AESKeyWrap ||
"AnonymousSender" || recipient_fingerprint;
Z_len = key size for AES_alg_ID to be used with AESKeyWrap
Compute Z = KDF( S, Z_len, Param );
Compute C = AESKeyWrap( Z, m ) as per [RFC3394]
VB = convert point V to octet string
Output (MPI(VB) || len(C) || C).
The decryption is the inverse of the method given. Note that the
recipient obtains the shared secret by calculating
S = rV = rvG, where (r,R) is the recipient's key pair.
Consistent with section 5.13 Sym. Encrypted Integrity Protected
Data Packet (Tag 18) of [RFC4880], the MDC SHOULD be used anytime
symmetric key is protected by ECDH.
8. Encoding of public and private keys
The following algorithm-specific packets are added to Section 5.5.2
Public-Key Packet Formats of [RFC4880] to support ECDH and ECDSA.
This algorithm-specific portion is:
Algorithm-Specific Fields for ECDH keys:
o a one-octet curve ID number, defined in section 10
o a one-octet value 01, reserved for future extension
o a one-octet hash function ID used with KDF
o a one-octet algorithm ID for the symmetric algorithm used
to wrap the symmetric key for message encryption, see
section 7 for details
o MPI of EC point representing public key
Algorithm-Specific Fields for ECDSA keys:
o a one-octet curve ID number, defined in section 10
o MPI of EC point representing public key
The following algorithm-specific packets are added to section
5.5.3. Secret-Key Packet Formats of [RFC4880] to support ECDH and
ECDSA.
A. Jivsov Expires October 25, 2008 [Page 7]
Internet-Draft ECC in OpenPGP April 2008
Algorithm-Specific Fields for ECDH or ECDSA secret keys:
o MPI of an integer representing the secret key, which is a
scalar of the EC point
9. Data encoding with public keys
Section 5.2.2. Version 3 Signature Packet Format defines signature
formats. No changes in format are needed for ECDSA.
Section 5.1. Public-Key Encrypted Session Key Packets (Tag 1) is
extended to support ECDH. The following two fields are result of
applying KDF, as described in section 7.
Algorithm Specific Fields for ECDH:
o an MPI of EC point representing ephemeral public key
o a one octet size, followed by symmetric key encoded using
the method described in section [RFC3394].
10. ECC curve ID
The parameter ECC curve ID is an integer that defines the named
curve.
ID Curve description Curve name
0 Reserved
1 NIST Curve P-256 [FIPS 186-2] "NIST P256"
2 NIST Curve P-384 [FIPS 186-2] "NIST P384"
3 NIST Curve P-521 [FIPS 186-2] "NIST P521"
100-110 Private/Experimental curves
255 Reserved for future expansion
A. Jivsov Expires October 25, 2008 [Page 8]
Internet-Draft ECC in OpenPGP April 2008
11. Compatibility profiles
11.1. OpenPGP ECC profile
Application MUST implement curve with ID 1, MAY implement curve
with ID 2, and SHOULD implement curve with ID 3, defined in section
10. Application MUST implement SHA2-256 and SHOULD implement
SHA2-512. Application MUST implement AES-128 and SHOULD implement
AES-256.
Application SHOULD follow section 12 regarding the choice of the
following algorithms for each curve
o the KDF hash algorithm
o KEK algorithm
o message digest algorithm and hash algorithm used in key
certifications
o message encryption symmetric algorithm.
It is recommended that the chosen symmetric algorithm for message
encryption be no less secure than the KEK algorithm.
11.2. Suite-B profile
A subset of algorithms allowed by this specification can be used to
achieve NSA Suite-B compatibility.
11.2.1. Secret information
Applications MUST use curve ID 1. KEK SHOULD be used with AES-128,
but MAY be used with AES-256. SHA2-256 SHOULD be used for KDF, but
SHA2-384 MAY be used for KDF.
11.2.2. Top Secret information
Application MUST use curve ID 2. KEK MUST be used with
AES-256. SHA2-384 MUST be used for KDF.
11.3. Interoperability with Suite-B profile
For brevity, in this section applications complying with [RFC4880]
and OpenPGP profile defined in section 11.1 are called compliant
with OpenPGP and ECC specifications.
A. Jivsov Expires October 25, 2008 [Page 9]
Internet-Draft ECC in OpenPGP April 2008
The set of symmetric key encryption, hash, and public key
algorithms allowed by Suite-B is a subset of algorithms allowed by
OpenPGP and ECC specifications. Care must be taken to ensure
interoperability between applications implementing OpenPGP and ECC
and applications following Suite-B. Encryption to multiple
recipients is one example in which incompatibilities are possible.
According to [RFC4880], even though there is no shared symmetric
encryption algorithm in the OpenPGP recipients' preferences, the
specification requires TripleDES to be effectively in the
intersection of the encryption preferences. TripleDES as implicit
default is inherited from [RFC4880] by this specification to
improve interoperability.
While TripleDES ensures interoperability between applications
complaint with OpenPGP and ECC specifications, it doesn't help
interoperability with Suite-B profile. Suppose TripleDES is the
only shared algorithm within a set of recipients. If Suite-B
compliant recipient is added to the mentioned recipient set, the
sender SHALL NOT send out a message. This is because TripleDES is
excluded from Suite-B and sending out two copies of the same
message, one encrypted with TripleDES and another with AES-128 or
AES-256, would mean that the same information that must have been
protected with Suite-B compliant algorithm was protected instead
with non-compliant TripleDES. This restriction covers other cases
in which none of recipients' shared algorithms are allowed by
Suite-B. One of available methods to a recipient to help ensure
interoperability with Suite-B is to include one of two Suite-B
symmetric algorithms, AES-128 or AES-256, or both, in the set of
preferred algorithms.
Only hash algorithms defined in section 11.2 must be used in key
certifications, including key self-signatures, and in message
digests for Suite-B interoperability.
12. Security Considerations
The curves proposed in this document correspond to the symmetric
key sizes 128 bits, 192 bits, and 256 bits as described in the
table below. This allows OpenPGP application to offer security
comparable with the strength of each AES algorithms allowed by
[RFC4880].
The following table defines the hash and symmetric encryption
algorithm that SHOULD be used with specific curve for ECDSA or
ECDH. Stronger hash algorithm or symmetric key algorithm MAY be
used for a given ECC curve. However, note that the increase in the
A. Jivsov Expires October 25, 2008 [Page 10]
Internet-Draft ECC in OpenPGP April 2008
strength of the hash algorithm or symmetric key algorithm may not
increase the overall security offered by the given ECC key.
Curve Curve name ECC RSA Hash size Symmetric
ID strength strength, key size
informative
1 "NIST P256" 256 3072 256 128
2 "NIST P384" 384 7680 384 192
3 "NIST P521" 521 15360 512 256
Requirement levels indicated elsewhere in this document result in
the effective support for the following combinations of algorithms
in OpenPGP profile: MUST implement curve ID 1 / SHA2-256 / AES-128,
SHOULD implement curve ID 3 / SHA2-512 / AES-256, MAY implement
curve ID 2 / SHA2-384 / AES-256, among other allowed combinations.
Consistent with the table above, the following table defines the
KDF hash algorithm and AES KEK encryption algorithm that SHOULD be
used with specific curve for ECDH. Stronger KDF hash algorithm or
KEK algorithm MAY be used for a given ECC curve.
Curve Curve name Recommended KDF hash Recommended KEK
ID algorithm encryption algorithm
1 "NIST P256" SHA2-256 AES-128
2 "NIST P384" SHA2-384 AES-192
3 "NIST P521" SHA2-512 AES-256
Applications SHOULD implement, advertise through key preferences,
and use in compliance with [RFC4880] strongest algorithms specified
in this document.
Note that [RFC4880] symmetric algorithm preference list may
restrict the use of balanced strength of symmetric key algorithms
for corresponding public key. For example, the presence of
A. Jivsov Expires October 25, 2008 [Page 11]
Internet-Draft ECC in OpenPGP April 2008
symmetric key algorithms and their order in key preference list
affects the choices available to encoding side for compliance with
the table above. Therefore, applications need to be concerned with
this compliance throughout the life of the key, starting
immediately after key generation when the key preferences are first
added to a key. It is generally advisable to have at the head of
the key preference list a symmetric algorithm of strength
corresponding to the public key.
Often encryption to multiple recipients results in an unordered
intersection subset. For example, given two recipients, if first
recipient's set is {A, B} and second's is {B, A}, the intersection
is unordered set of two algorithms A and B. In this case
application SHOULD choose stronger encryption algorithm.
Resource constraint, such as limited computational power, is the
likely reason why an application might prefer to use weakest
algorithms. On the other side of the spectrum are applications
that can implement every algorithm defined in this document. Most
of applications are expected to fall into either of two
categories. An application in the second or strongest category
SHOULD prefer AES-256 to AES-192.
While some statements in this specification refer to TripleDES
algorithm, this is only done to help interoperability with existing
application and already generated keys; AES-256 is the recommended
alternative to TripleDES in all circumstances when AES-256 is
available.
SHA-1 MUST NOT be used for ECDSA or as part of ECDH method.
MDC MUST be used when symmetric encryption key is protected by
ECDH. None of the ECC methods described in this document are
allowed with deprecated V3 keys. The application MUST only use
Iterated and Salted S2K to protect private keys, as defined in
section 3.7.1.3 Iterated and Salted S2K of [RFC4880].
13. IANA Considerations
This document asks IANA to assign an algorithm number from OpenPGP
Public-Key Algorithms range, or "name space" in the terminology of
[RFC2434], that was created by [RFC4880]. Two ID numbers are
requested, as defined in section 4. The first one with value 19 is
already designated for ECDSA and currently unused, while another
one is new (and expected to be 22).
Finally, this document creates the name space for curve IDs defined
in section 10. Its initial content is defined in the section 10
A. Jivsov Expires October 25, 2008 [Page 12]
Internet-Draft ECC in OpenPGP April 2008
and includes IDs for newly introduced curves, private space for
experimental work, and the ID reserved for future name space
expansion. Future allocations in the registry will be done by IETF
Expert Review process after general consensus between implementors
of the standard is reached. Most important motivation to add new
curve to the registry is expected to be the need for stronger
curves.
14. Normative references
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", March 1997
[RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
Thayer, "OpenPGP Message Format", November 2007
[FIPS 186-2] US Dept. of Commerce / NIST, "DIGITAL SIGNATURE
STANDARD (DSS)", 2001 October 5
[SEC1] Certicom Research, "SEC 1: Elliptic Curve Cryptography",
September 20, 2000
[NIST SP800-56A] Elaine Barker, Don Johnson, and Miles Smid,
"Recommendation for Pair-WiseKey Establishment Schemes Using
Discrete Logarithm Cryptography (Revised)", March, 2007
[FIPS 180-2] NIST, SECURE HASH STANDARD, 2002 August 1
[RFC3394] J. Schaad, R. Housley, "Advanced Encryption Standard
(AES) Key Wrap Algorithm", September 2002
[RFC2434] Narten, T., Alvestrand, H., "Guidelines for Writing an
IANA Considerations Section in RFCs",
Contributors
Hal Finney provided important criticism on compliance with [NIST
SP800-56A] and NSA Suite-B, and pointed out a few other mistakes.
Acknowledgment
The author would like to acknowledge the help of many individuals
who kindly voiced their opinions on IETF OpenPGP Working Group
mailing list and, in particular the help of Jon Callas, David
Crick, Ian G. [to be continued]
Author's Address
A. Jivsov Expires October 25, 2008 [Page 13]
Internet-Draft ECC in OpenPGP April 2008
Andrey Jivsov
PGP Corporation
Email: ajivsov@pgp.com
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed
to pertain to the implementation or use of the technology described
in this document or the extent to which any license under such
rights might or might not be available; nor does it represent that
it has made any independent effort to identify any such rights.
Information on the procedures with respect to rights in RFC
documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use
of such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository
at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on
an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE
IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE
ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
A. Jivsov Expires October 25, 2008 [Page 14]