Network Working Group J. Schmidt Internet-Draft J. Merkle Intended status: Informational secunet Security Networks Expires: August 22, 2015 M. Lochter BSI February 18, 2015 ECC Brainpool Curves for DNSSEC draft-schmidt-brainpool-dnssec-02 Abstract This document specifies the use of ECDSA with ECC Brainpool curves in DNS Security (DNSSEC). It comprises curves of two different sizes. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on August 22, 2015. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Schmidt, et al. Expires August 22, 2015 [Page 1] Internet-Draft ECC Brainpool Curves for TLS February 2015 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Terminology . . . . . . . . . . . . . . . . . . 2 3. SHA-384 DS Records . . . . . . . . . . . . . . . . . . . . . 2 4. ECDSA Parameters . . . . . . . . . . . . . . . . . . . . . . 2 5. DNSKEY and RRSIG Resource Records for ECDSA . . . . . . . . . 3 6. Support for NSEC3 Denial of Existence . . . . . . . . . . . . 3 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 8. Security Considerations . . . . . . . . . . . . . . . . . . . 4 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 9.1. Normative References . . . . . . . . . . . . . . . . . . 4 9.2. Informative References . . . . . . . . . . . . . . . . . 4 1. Introduction In [RFC5639] a new set of elliptic curve groups over finite prime fields for use in cryptographic applications is specified. These groups, denoted as ECC Brainpool curves, were generated in a verifiable pseudo-random way and comply with the security requirements of relevant standards from ISO [ISO1] [ISO2], ANSI [ANSI1], NIST [FIPS-186-4], and SecG [SEC2]. [RFC6605] defines the usage of the Elliptic Curve Digital Signature Algorithm (ECDSA) in DNSSEC with two specific NIST curves. This document specifies the use of two additional curves from [RFC5639]. Details on Elliptic Curves and the implementation of ECDSA can be found e.g. in [SEC1], [HMV], [BSI1], and [RFC6090]. 2. Requirements Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. SHA-384 DS Records The SHA-384 record is defined according to [RFC6605]. The algorithm SHA-384 is specified in [FIPS-180-4] and [RFC6234]. It is implemented in DNSSEC the same way as SHA-256 in [RFC4509]. For SHA-384 the digest size is 48 byte with digest type code 4. 4. ECDSA Parameters Signer and verifier of an ECDSA signature need to agree on a set of parameters. This document makes use of the Brainpool curves with the bit-sizes 256, and 384, specified in Section 3.4 and 3.6 of [RFC5639], denoted as Brainpool P256r1, and Brainpool P384r1. Schmidt, et al. Expires August 22, 2015 [Page 2] Internet-Draft ECC Brainpool Curves for TLS February 2015 5. DNSKEY and RRSIG Resource Records for ECDSA The records are defined as in [RFC6605]: The "Q" value of the ECDSA keys according to [FIPS-186-4] is encoded as the bit string "x|y", representing the concatenation of the x and y coordinates of the uncompressed curve point. An ECDSA signature is composed of the integer values "r" and "s" (see [FIPS-186-4]). Each integer value is encoded as bit string of 32 octets for Brainpool P256r1 and of 48 octets for Brainpool P384r1. The conversion of integers in bit strings is specified in Section C.2 of [FIPS-186-4]. The signature for DNSSEC is encoded as concatenation of the bit strings of "r" and "s", i.e., as "r|s". The IANA Considerations section defines the algorithm numbers used for DNSKEY and RRSIG resource records. Algorithm number TBD1 for using ECDSA with Brainpool P256r1 and SHA-256 for DNSKEY and RRSIG Resource Records. Algorithm number TBD2 for using ECDSA with Brainpool P384r1 and SHA-384 for DNSKEY and RRSIG Resource Records. The use of these algorithms is OPTIONAL, an implementer can choose to support any subset. 6. Support for NSEC3 Denial of Existence The statement of [RFC6605] applies. 7. IANA Considerations IANA is requested to assign numbers for ECDSA with ECC Brainpool curves listed in Section 4 to "Domain Name System Security (DNSSEC) Algorithm Numbers". In the following the two new entries are listed. Number TBD1 Description ECDSA Curve Brainpool P256r1 with SHA-256 Mnemonic ECDSAbrainpoolP256r1SHA256 Zone Signing Y Trans. Sec * Reference This document Number TBD2 Description ECDSA Curve Brainpool P384r1 with SHA-384 Mnemonic ECDSAbrainpoolP384r1SHA384 Zone Signing Y Trans. Sec * Reference This document Schmidt, et al. Expires August 22, 2015 [Page 3] Internet-Draft ECC Brainpool Curves for TLS February 2015 * There has been no determination of standardization of the use of this algorithm with Transaction Security. 8. Security Considerations The security considerations of [RFC5639], [RFC6605], and [RFC4509] apply accordingly. 9. References 9.1. Normative References [FIPS-180-4] National Institute of Standards and Technology, "Secure Hash Standard (SHS)", FIPS PUB 180-4, March 2012. [FIPS-186-4] National Institute of Standards and Technology, "Digital Signature Standard (DSS)", FIPS PUB 186-4, July 2013. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)", RFC 4509, May 2006. [RFC5639] Lochter, M. and J. Merkle, "Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation", RFC 5639, March 2010. [RFC6605] Hoffman, P. and W. Wijngaards, "Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC", RFC 6605, April 2012. 9.2. Informative References [ANSI1] American National Standards Institute, "Public Key Cryptography For The Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)", ANSI X9.62, 2005. [BSI1] Bundesamt fuer Sicherheit in der Informationstechnik, "Minimum Requirements for Evaluating Side-Channel Attack Resistance of Elliptic Curve Implementations", July 2011. [HMV] Hankerson, D., Menezes, A., and S. Vanstone, "Guide to Elliptic Curve Cryptography", Springer Verlag, 2004. Schmidt, et al. Expires August 22, 2015 [Page 4] Internet-Draft ECC Brainpool Curves for TLS February 2015 [ISO1] International Organization for Standardization, "Information Technology - Security Techniques - Digital Signatures with Appendix - Part 3: Discrete Logarithm Based Mechanisms", ISO/IEC 14888-3, 2006. [ISO2] International Organization for Standardization, "Information Technology - Security Techniques - Cryptographic Techniques Based on Elliptic Curves - Part 2: Digital signatures", ISO/IEC 15946-2, 2002. [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic Curve Cryptography Algorithms", RFC 6090, February 2011. [RFC6234] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011. [SEC1] Certicom Research, "Elliptic Curve Cryptography", Standards for Efficient Cryptography (SEC) 1, September 2000. [SEC2] Certicom Research, "Recommended Elliptic Curve Domain Parameters", Standards for Efficient Cryptography (SEC) 2, September 2000. Authors' Addresses Joern-Marc Schmidt secunet Security Networks Mergenthaler Allee 77 65760 Eschborn Germany Phone: +49 201 5454 3694 EMail: joern-marc.schmidt@secunet.com Johannes Merkle secunet Security Networks Mergenthaler Allee 77 65760 Eschborn Germany Phone: +49 201 5454 3091 EMail: johannes.merkle@secunet.com Schmidt, et al. Expires August 22, 2015 [Page 5] Internet-Draft ECC Brainpool Curves for TLS February 2015 Manfred Lochter BSI Postfach 200363 53133 Bonn Germany Phone: +49 228 9582 5643 EMail: manfred.lochter@bsi.bund.de Schmidt, et al. Expires August 22, 2015 [Page 6]