draft-ietf-curdle-cms-ecdh-new-curves-06.txt   draft-ietf-curdle-cms-ecdh-new-curves-07.txt 
Internet-Draft R. Housley Internet-Draft R. Housley
Intended status: Standards Track Vigil Security Intended status: Standards Track Vigil Security
Expires: 10 November 2017 10 May 2017 Expires: 11 November 2017 11 May 2017
Use of the Elliptic Curve Diffie-Hellman Key Agreement Algorithm Use of the Elliptic Curve Diffie-Hellman Key Agreement Algorithm
with X25519 and X448 in the Cryptographic Message Syntax (CMS) with X25519 and X448 in the Cryptographic Message Syntax (CMS)
<draft-ietf-curdle-cms-ecdh-new-curves-06.txt> <draft-ietf-curdle-cms-ecdh-new-curves-07.txt>
Abstract Abstract
This document describes the conventions for using Elliptic Curve This document describes the conventions for using Elliptic Curve
Diffie-Hellman (ECDH) key agreement algorithm using curve25519 and Diffie-Hellman (ECDH) key agreement algorithm using curve25519 and
curve448 in the Cryptographic Message Syntax (CMS). curve448 in the Cryptographic Message Syntax (CMS).
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 33 skipping to change at page 1, line 33
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 10 November 2017. This Internet-Draft will expire on 11 November 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 6 skipping to change at page 3, line 6
X448 [CURVES]. X448 [CURVES].
The originator MUST use an ephemeral public/private key pair that is The originator MUST use an ephemeral public/private key pair that is
generated on the same elliptic curve as the public key of the generated on the same elliptic curve as the public key of the
recipient. The ephemeral key pair MUST be used for a single CMS recipient. The ephemeral key pair MUST be used for a single CMS
protected content type, and then it MUST be discarded. The protected content type, and then it MUST be discarded. The
originator obtains the recipient's static public key from the originator obtains the recipient's static public key from the
recipient's certificate [PROFILE]. recipient's certificate [PROFILE].
X25519 is described in Section 6.1 of [CURVES], and X448 is described X25519 is described in Section 6.1 of [CURVES], and X448 is described
in Section 6.2 of [CURVES]. As described in Section 7 of [CURVES], in Section 6.2 of [CURVES]. Conforming implementations MUST check
curve25519 and curve448 have cofactors of 8 and 4, respectively, and whether the computed Diffie-Hellman shared secret is the all-zero
so an input point of small order will eliminate any contribution from value, and abort if so, as described in Section 6 of [CURVES]. If an
the other party's private key. Conforming implementations MUST check alternative implementation of these elliptic curves to that
for the all-zero output to prevent this situation. documented in Section 6 of [CURVES] is employed, then the additional
checks specified in Section 7 of [CURVES] SHOULD be performed.
In [CURVES], the shared secret value that is produced by ECDH is In [CURVES], the shared secret value that is produced by ECDH is
called K. (In some other specifications, the shared secret value is called K. (In some other specifications, the shared secret value is
called Z.) A key derivation function (KDF) is used to produce a called Z.) A key derivation function (KDF) is used to produce a
pairwise key-encryption key (KEK) from the shared secret value (K), pairwise key-encryption key (KEK) from the shared secret value (K),
the length of the key-encryption key, and the DER-encoded ECC-CMS- the length of the key-encryption key, and the DER-encoded ECC-CMS-
SharedInfo structure [CMSECC]. SharedInfo structure [CMSECC].
The ECC-CMS-SharedInfo definition from [CMSECC] is repeated here for The ECC-CMS-SharedInfo definition from [CMSECC] is repeated here for
convenience. convenience.
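Review bot: In the Section 6 / Section 7 paragraph of the -07 column, the rationale for the all-zero check was removed together with the cofactor sentence, so the MUST no longer states what it protects against. Consider keeping one clause from -06, for example "an input point of small order will eliminate any contribution from the other party's private key", next to the new "MUST check whether the computed Diffie-Hellman shared secret is the all-zero value, and abort if so". The new SHOULD is also hard to implement against as written: "an alternative implementation of these elliptic curves" and "the additional checks specified in Section 7" are not enumerated here, so name the checks or say what makes an implementation alternative. It would also help to state whether "abort" applies to both the originator's and the recipient's computation of the shared secret.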
 End of changes. 4 change blocks. 
8 lines changed or deleted 9 lines changed or added
