INTERNET-DRAFT                                         Richard Takahashi
draft-takahashi-modpgroups-universal-00.txt          Corrent Corporation
Expires: April 2004                                     October 18, 2003

           Universal MODP Groups for Public Key Cryptography

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This document is an individual submission to the Internet
   Engineering Task Force (IETF). Distribution of this memo is
   unlimited.

   This Internet Draft expires in April 2004.

Copyright Notice

   Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

   This Internet Draft offers seven MODP "Diffie-Hellman" groups which
   can be used in conjunction with other IETF standards to provide
   security for Internet communications. The groups are designed to
   allow implementers to use the same groups with different security
   protocols such as SMIME, SSH, TLS and IKE.

   The prime numbers which form part of the definition of these groups
   are designed to allow for fast, small signatures and be of the
   correct form for compliance with standards bodies such as ANSI, NIST
   and the IEEE.

   This draft includes groups with bit sizes of 1024, 2048, 3072, 4096,
   6144, and 8192. These may be used in addition to the groups already
   specified or in place of them.
   Since these groups are acceptable for all cryptographic applications
   involving the difficulty of discrete logarithms over GF(p) they are
   referred to as "universal" groups.

Requirements Terminology

   Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT" and
   "MAY" that appear in this document are to be interpreted as
   described in [Bra97].

1 Introduction

   Numerous IETF and other security protocols call for the use of MODP
   groups to provide security for key exchanges, digital signatures and
   proofs of possession. However some standards specifying these
   protocols call for the use of primes structured so they cannot be
   effectively used in other protocols. This situation forces vendors
   which implement several different security protocols in their device
   to implement several different MODP groups when there is no
   compelling security reason to do so. For instance the primes
   suggested for use with the Internet Key Exchange (IKE) [RFC2409] are
   not suitable for use in applications using the Digital Signature
   Standard [DSS] and related cryptographic mechanisms.

   While primes of some forms may or may not be appropriate for use
   with one or another protocols, primes of the form required by the
   Digital Signature Standard [DSS] are appropriate for all IETF
   protocols, both existing and in development. In particular, the
   Transport Layer Security Protocol Version 1 [RFC2246] and its
   successor Version 1.1 envision using the same prime for both digital
   signatures and Diffie-Hellman key exchanges in TLS.

   Outside the IETF, the US Government's National Institute for
   Standards and Technology (NIST), which developed the Digital
   Signature Standard, is developing a "Recommendation on Key
   Establishment Schemes" [NIST-800-56] which will require primes of
   DSS form for Diffie-Hellman key exchanges.
   Once adopted, conformance with this standard will be required in
   order to receive certification under NIST's FIPS-140-2, "Security
   Requirements for Cryptographic Modules" [FIPS-140]. Such
   certification is required for sales to the US and Canadian
   governments and may be required by other governments and
   organizations as the FIPS-140 standard is migrated into the
   International Standards Organization (ISO).

   By utilizing a set of standardized primes suitable for all
   protocols, vendors can avoid having to implement many different MODP
   groups and can expend greater effort in optimizing the performance
   of a common set of suitable primes.

2 DSS Prime Structure

   The structure of primes specified in the Digital Signature Standard
   was selected to allow for fast signature creation and verification.
   Likewise the MODP groups defined by these groups put explicit
   requirements on the size of the group and on the size of the
   exponents used. This helps ensure the security of protocols using
   these groups as well as their efficiency.

   The Digital Signature Standard defines the following parameters:

      p = a prime modulus
      q = a divisor of p-1
      g = an element of order q in GF(p)

   The DSS specifies that p be 1024 bits in length and q be 160 bits in
   length. However, this limitation is removed in the ANSI and IEEE
   specifications for the DSS. Likewise, the draft NIST publication on
   Key Establishment schemes provides a wider range of compliant p and
   q values. Specifically, NIST provides for p and q values of (1024,
   2048, 3072, 8192) and (160, 224, 256, 384) bit sizes respectively.
   The q values listed are the minimum values required.

   This document includes more possibilities for p and provides q
   values which are more conservative than those presented by NIST.
   Specifically, the following Universal MODP groups are presented:

   Length of p (in bits):  1024  1536  2048  3072  4096  6144  8192
   Length of q (in bits):   160   192   256   288   320   352   384

   By making the value q much smaller than p, computations in the DSS
   are faster and the signature size smaller than if q were close to p
   in size.

3 Universal 1024-bit MODP Group

   (To Be Specified)

4 Universal 1536-bit MODP Group

   (To Be Specified)

5 Universal 2048-bit MODP Group

   (To Be Specified)

6 Universal 3072-bit MODP Group

   (To Be Specified)

7 Universal 4096-bit MODP Group

   (To Be Specified)

8 Universal 6144-bit MODP Group

   (To Be Specified)

9 Universal 8192-bit MODP Group

   (To Be Specified)

10 Security Considerations

   The strength of a key derived from a Diffie-Hellman exchange using
   any of the groups defined here depends on the inherent strength of
   the group, the size of the exponent used, and the entropy provided
   by the random number generator used. The groups defined in this
   document were chosen to make the work factor for solving the
   discrete logarithm problem roughly comparable to an attack on the
   subgroup.

11 IANA Considerations

   This document contains group numbers to be maintained by the
   Internet Assigned Numbers Authority (IANA). These numbers (19-25)
   were chosen to avoid collisions with other specifications.

   IKE [RFC-2409] defines 4 Diffie-Hellman Groups, numbered 1 through
   4.

   RFC-3526 defines 6 more groups numbered 5, 14, 15, 16, 17, and 18.

   This document defines 7 more groups which can be numbers 19 to 25.

12 Intellectual Property Rights

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.
   Information on the IETF's procedures with respect to rights in
   standards-track and standards-related documentation can be found in
   BCP-11. Copies of claims of rights made available for publication
   and any assurances of licenses to be made available, or the result
   of an attempt made to obtain a general license or permission for the
   use of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF Secretariat.

   The IETF encourages any interested party to bring to its attention
   any copyrights, patents, or patent applications, or other
   proprietary rights which may cover technology that may be required
   to practice this standard. Please address the information to the
   IETF Executive Director.

13 References

13.1 Normative References

   [DSS]          National Institute for Standards and Technology,
                  Federal Information Processing Standards Publication,
                  (FIPS PUB 186-2), Digital Signature Standard,
                  27 January 2000.

   [RFC2246]      Dierks, T. and C. Allen, "The TLS Protocol Version
                  1.0", RFC 2246, January 1999.

   [NIST-800-56]  National Institute for Standards and Technology, NIST
                  Special Publication 800-56: Recommendation on Key
                  Establishment Schemes - Draft 2.0, January 2003

13.2 Informative References

   [ADDGROUP]     Kivinen, T., and Kojo, M., "More Modular Exponential
                  (MODP) Diffie-Hellman groups for Internet Key
                  Exchange (IKE)", RFC 3526, May 2003.

   [NIST80056]    National Institute of Standards and Technology, "NIST
                  Special Publication 800-56 (Draft 2): Recommendation
                  on Key Establishment Schemes", January 2003.

   [RFC2409]      Harkins, D. and D. Carrel, "The Internet Key Exchange
                  (IKE)", RFC 2409, November 1998.

   [NIST140]      National Institute of Standards and Technology, "FIPS
                  PUB 140-2, Security Requirements for Cryptographic
                  Modules", May 2001.

Author's Address

   Richard Takahashi
   Corrent Corporation
   1711 West Greentree Dr.
   Suite 201
   Tempe, Arizona, USA 85284
   e-mail: richard.takahashi@corrent.com

Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Expiration

   This Internet-Draft (draft-takahashi-modpgroups-universal-00.txt)
   expires in April 2004.