Network Working Group                                           B. Black
Internet-Draft                                                 Microsoft
Intended status: Informational                                   T. Acar
Expires: January 4, 2015                              Microsoft Research
                                                                  M. Ray
                                                               Microsoft
                                                            July 3, 2014


    Nothing Up My Sleeve (NUMS) Curves for Ephemeral Key Exchange in
                     Transport Layer Security (TLS)
                     draft-black-tls-numscurves-00

Abstract

   This document specifies the use of the Nothing Up My Sleeve (NUMS)
   twisted Edwards curves at the 128 and 256-bit security levels for
   ephemeral key exchange in Transport Layer Security (TLS).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 4, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of



Black, et al.            Expires January 4, 2015                [Page 1]

Internet-Draft             NUMS Curves for TLS                 July 2014


   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   2
   2.  NUMS NamedCurve Types . . . . . . . . . . . . . . . . . . . .   2
   3.  Contributors  . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   3
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   4
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   4
     6.2.  Informative References  . . . . . . . . . . . . . . . . .   4
   Appendix A.  Test Vectors . . . . . . . . . . . . . . . . . . . .   5
     A.1.  256-Bit Curve . . . . . . . . . . . . . . . . . . . . . .   6
     A.2.  512-Bit Curve . . . . . . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   In [NUMS] a family of deterministically generated Nothing Up My
   Sleeve (NUMS) elliptic curves over prime fields was specified based
   on [MSRECC].  These curves support constant-time, exception-free
   scalar multiplications that are resistant to a wide range of side-
   channel attacks including timing and cache attacks, thereby offering
   high practical security in cryptographic applications.

   Their negotiation for key exchange according to [RFC4492] requires
   the definition and assignment of additional NamedCurve identifiers.
   This document specifies values for two twisted Edwards curves from
   [NUMS].

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  NUMS NamedCurve Types

   As defined in [RFC4492], the name space NamedCurve is used for the
   negotiation of elliptic curve groups for key exchange during TLS
   session establishment.  This document adds new NamedCurve types for
   two of the elliptic curves defined in [NUMS] as follows:

         enum {
             numsp256t1(TBD1),
             numsp512t1(TBD2)
         } NamedCurve;

   These curves are suitable for use with Datagram TLS [RFC6347].

3.  Contributors

   Joppe W. Bos    NXP Semiconductors
   Craig Costello  Microsoft Research
   Brian LaMacchia Microsoft Research
   Patrick Longa   Microsoft Research
   Michael Naehrig Microsoft Research

4.  IANA Considerations

   IANA is requested to assign numbers for the curves listed in
   Section 2 in the "EC Named Curve" [IANA-TLS] registry of the
   "Transport Layer Security (TLS) Parameters" registry as follows:

               +-------+-------------+---------+-----------+
               | Value | Description | DTLS-OK | Reference |
               +-------+-------------+---------+-----------+
               |  TBD1 |  numsp256t1 |    Y    |  this doc |
               |  TBD2 |  numsp512t1 |    Y    |  this doc |
               +-------+-------------+---------+-----------+

                                  Table 2

5.  Security Considerations

   This memo is entirely concerned with security, but there are specific
   considerations for implementations of the NUMS curves in TLS.

   1.  The security considerations in [RFC4492] and [RFC5246] for TLS
       handshakes using the ECC cipher suites apply to the use of the
       curves in this memo.

   2.  All the security considerations of the underlying NUMS curves and
       their implementations apply.  A comprehensive treatment is in
       [NUMS] and [MSRECC].

   3.  The PFS (Perfect Forward Secrecy) provided by ECDHE in TLS is
       bounded by the duration of the session secrets stored on the
       peers (client and server), including caches, e.g., memory and
       disk caches.  Implementations must especially pay attention to
       the session ticket cache on the server, as the security of the
       connection is limited by the security of this cache.  A detailed
       treatment of PFS implementation issues is given in [BOTCH].

   4.  We also refer readers to [THS] for triple handshake
       authentication attacks that exploit RSA and DH key exchange
       combinations.  For instance, most ECDHE implementations accept
       named curves from a known set whereas DHE implementations accept
       explicit DH parameters from the server.  While named curves
       provide protection against triple handshake attacks, if the
       cipher suites in this draft are used with explicit ECC
       parameters, the same attacks might apply.

   5.  Implementations must protect against cross-protocol attacks in
       which an adversary deceives a client into interpreting ECDH[E]
       ServerKeyExchange messages as RSA or DH[E] ServerKeyExchange
       messages (and vice versa), and, in general, as any message other
       than the intended ECDH[E] messages.  We refer the reader to
       Wagner/Schneier and related cross-protocol attacks detailed in
       [XPA].
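   The NamedCurve values of Section 2 and the named-curve-only rule of
   items 4 and 5 above, as an added example that is not part of this
   draft: the RFC 4492 wire encoding of the elliptic_curves extension,
   and a ServerKeyExchange parser that refuses explicit parameters and
   any curve the client did not offer.  The two NamedCurve numbers are
   placeholders (the draft leaves them TBD1/TBD2) and the sample messages
   are constructed; the point bytes carry no real key material.

```python
import struct

# The draft leaves the NamedCurve numbers as TBD1/TBD2; the two values below
# are placeholders for this example only (assumption), not IANA assignments.
NAMED_CURVES = {"numsp256t1": 0xFE01, "numsp512t1": 0xFE02}
CURVE_NAMES = {v: k for k, v in NAMED_CURVES.items()}

EXPLICIT_PRIME, EXPLICIT_CHAR2, NAMED_CURVE = 1, 2, 3  # ECCurveType, RFC 4492

def elliptic_curves_extension(curves):
    """Body of the ClientHello elliptic_curves extension (RFC 4492, type 10):
    a uint16 byte length followed by the offered NamedCurve values."""
    body = b"".join(struct.pack("!H", NAMED_CURVES[c]) for c in curves)
    return struct.pack("!H", len(body)) + body

def parse_server_ecdh_params(data, offered):
    """Parse ServerECDHParams (ECParameters + ECPoint) from ServerKeyExchange.
    Only curve_type == named_curve with a curve this client offered passes;
    explicit parameters are refused before any point is decoded."""
    if len(data) < 4:
        raise ValueError("truncated ServerECDHParams")
    curve_type = data[0]
    if curve_type in (EXPLICIT_PRIME, EXPLICIT_CHAR2):
        raise ValueError("explicit curve parameters are not accepted")
    if curve_type != NAMED_CURVE:
        raise ValueError("unknown ECCurveType %d" % curve_type)
    (curve_id,) = struct.unpack("!H", data[1:3])
    name = CURVE_NAMES.get(curve_id)
    if name is None or name not in offered:
        raise ValueError("curve 0x%04x was not offered by this client" % curve_id)
    point_len = data[3]                  # ECPoint is opaque point<1..2^8-1>
    point = data[4:4 + point_len]
    if point_len == 0 or len(point) != point_len:
        raise ValueError("malformed ECPoint")
    return name, point

# Constructed sample messages (not from the draft); the point bytes are dummies.
OFFERED = ("numsp256t1", "numsp512t1")
GOOD_SKE = bytes([NAMED_CURVE, 0xFE, 0x01, 4]) + b"\x01\x02\x03\x04"
EXPLICIT_SKE = bytes([EXPLICIT_PRIME, 0x20]) + b"\x00" * 40

def accepts(data, offered=OFFERED):
    """True when the parser accepts the message, False when it refuses it."""
    try:
        parse_server_ecdh_params(data, offered)
        return True
    except ValueError:
        return False
```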

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

6.2.  Informative References

   [BOTCH]    Langley, A., "How to botch TLS forward secrecy", June 2013,
              <https://www.imperialviolet.org/2013/06/27/
              botchingpfs.html>.

   [MSRECC]   Bos, J., Costello, C., Longa, P., and M. Naehrig,
              "Selecting Elliptic Curves for Cryptography: An Efficiency
              and Security Analysis", February 2014,
              <http://eprint.iacr.org/2014/130.pdf>.

   [NUMS]     Black, B., Ed., Bos, J., Costello, C., Longa, P., and M.
              Naehrig, "Elliptic Curve Cryptography (ECC) Nothing Up My
              Sleeve (NUMS) Curves and Curve Generation", June 2014,
              <http://www.ietf.org/id/draft-black-numscurves-01.txt>.

   [RFC3552]  Rescorla, E. and B. Korver, "Guidelines for Writing RFC
              Text on Security Considerations", BCP 72, RFC 3552, July
              2003.

   [RFC4492]  Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
              Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
              for Transport Layer Security (TLS)", RFC 4492, May 2006.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

   [THS]      Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti,
              A., and P. Strub, "Triple Handshakes and Cookie Cutters:
              Breaking and Fixing Authentication over TLS", May 2014,
              <https://secure-resumption.com/tlsauth.pdf>.

   [XPA]      Mavrogiannopoulos, N., Vercauteren, F., Velichkov, V., and
              B. Preneel, "A Cross-Protocol Attack on the TLS Protocol",
              October 2012,
              <https://www.cosic.esat.kuleuven.be/publications/article-
              2216.pdf>.

Appendix A.  Test Vectors

   This section provides test vectors for example Diffie-Hellman key
   exchanges using the curves numsp256t1 and numsp512t1.  The following
   notation is used:

     s_A: the secret key of party A

     x_A: the x-coordinate of the public key of party A

     y_A: the y-coordinate of the public key of party A

     s_B: the secret key of party B

     x_B: the x-coordinate of the public key of party B

     y_B: the y-coordinate of the public key of party B

     x_SS: the x-coordinate of the Diffie-Hellman shared secret

     y_SS: the y-coordinate of the Diffie-Hellman shared secret

A.1.  256-Bit Curve

   Curve numsp256t1

     s_A =
     0x22A13B32B730C46BD0664044F2144FADDC497D9EF6324912FD367840EE509A20

     x_A =
     0x4E911BB0A5F4F850D8C61F1A87A4D7E689713597CA8740320D0F9B4AF4CE5D4D

     y_A =
     0x3F9ED46B9C702B3B7C267A79C1C75B02ADFF274919B708F094A1088762ED71CD

     s_B =
     0x1667BF53CCC9EAB280E9D599C57E802D0E5D82A890A5958228F6A0946A2904EF

     x_B =
     0x9FD536B5B8CFB1FDE0C4ACBDC57041CF4BE97501ADACAEBF284884ECF9D4CF40

     y_B =
     0x5A9046F9BB6F35D2F1A8C9835415793056596449D5CC93CFFB8C3C89EF127928

     x_SS =
     0x5967C998CF694C90BB1869886B6A07EC772760978E94B8EE873906A75DE323E6

     y_SS =
     0x53603A22E48B10054B53CB3F13E8412C36B60C66CBB673C60215DC79B72C1900

A.2.  512-Bit Curve

   Curve numsp512t1

     s_A =
     0x1667BF53CCC9EAB280E9D599C57E802C499D72B90299CAB0DA1F8BE19D9122F7
      2AF22314E7A0913EDDF8D75724547DDB458A5DCC93B21A7711CC02DFCC339585

     x_A =
     0xE105BDAC3E5EFF691B098F605960DD11BFF50B6C27FEAC359077E140098BFFA6
      8EA799DE43F521A09FC98A22D1A349CBB7E5F1BEC18A49494FD103C2BF44F55D

     y_A =
     0xD8AED3EA0734C996BDC469BBB7D71B2A554C5E88C0639FE7432F9CE7C57D6527
      9BD491A4C1B43B7044CD3ABBF393E16FB47D62A8114A8DF2D31A7DA60F26F2A1

     s_B =
     0x2D90D3CFCCF42232CF357E59A4D49FD4D5F40C9E74331E12C9CB532C39E8D702
      774A4F84F01DE67272169C9D1ED1CD618F69FF614957EF83668EDC2D7ED614BF

     x_B =
     0x606A43D636D365D56B3D5F0CE7A21F862492C89C3F22C167B695E322E3CC56EA
      E990AFEC979236FF14262A45AA8C856C52611B0DF98BF896AA69FFE9276F6399

     y_B =
     0xEE727A35113D4975F9FC87D477CF443CAFFC333418DA3BB1AD3D787C48C43CE5
      50E27CF616F5BEAF2C68103CB1D812086329C10F1DD988111A79F6FBAE77CD24

     x_SS =
     0x29E1C3540417274BE35F3231BC4F6FC41E7424F0CAA6BA79219E1C7D2695115D
      08C9AC7EC94ECB6EDB7DFDCB2FF3A0976C23442B64BDE725752D4C77AE83430F

     y_SS =
     0x9FAD25F2E31AF9348258E7C036DA873B6D7B41AC0BFB0D4522339DEB591BB98A
      2498C928EF4A379052E6547BC94AB26FEBDD0E76DCD409A45A31505654687AFF

Authors' Addresses

   Benjamin Black
   Microsoft
   One Microsoft Way
   Redmond, WA  98115
   US

   Email: benblack@microsoft.com


   Tolga Acar
   Microsoft Research
   One Microsoft Way
   Redmond, WA  98115
   US

   Email: tolga@microsoft.com


   Marsh Ray
   Microsoft
   One Microsoft Way
   Redmond, WA  98115
   US

   Email: maray@microsoft.com