draft-ietf-dnsext-ecc-key-07.txt   draft-ietf-dnsext-ecc-key-08.txt 
INTERNET-DRAFT ECC Keys in the DNS INTERNET-DRAFT Richard C. Schroeppel
Expires: January 2006 July 2005 Donald Eastlake 3rd
Expires: April 2006 October 2005
Elliptic Curve KEYs in the DNS Elliptic Curve Keys and Signatures in the DNS
-------- ----- ---- -- --- --- -------- ----- ---- --- ---------- -- --- ----
<draft-ietf-dnsext-ecc-key-07.txt> <draft-ietf-dnsext-ecc-key-08.txt>
Richard C. Schroeppel Richard C. Schroeppel
Donald Eastlake 3rd Donald Eastlake 3rd
Status of This Document Status of This Document
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
skipping to change at page 1, line 32 skipping to change at page 1, line 33
to the DNS mailing list <namedroppers@ops.ietf.org>. to the DNS mailing list <namedroppers@ops.ietf.org>.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than a "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
Abstract Abstract
The standard method for storing elliptic curve cryptographic keys and The standard method for storing elliptic curve cryptographic keys and
signatures in the Domain Name System is specified. elliptic curve SHA-1 based signatures in the Domain Name System is
specified.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). All Rights Reserved. Copyright (C) The Internet Society (2005).
INTERNET-DRAFT ECC Keys in the DNS INTERNET-DRAFT ECC in the DNS
Acknowledgement Acknowledgement
The assistance of Hilarie K. Orman in the production of this document The assistance of Hilarie K. Orman in the production of this document
is greatfully acknowledged. is greatfully acknowledged.
Table of Contents Table of Contents
Status of This Document....................................1 Status of This Document....................................1
Abstract...................................................1 Abstract...................................................1
Copyright Notice...........................................1 Copyright Notice...........................................1
Acknowledgement............................................2 Acknowledgement............................................2
Table of Contents..........................................2 Table of Contents..........................................2
1. Introduction............................................3 1. Introduction............................................3
2. Elliptic Curve Data in Resource Records.................3 2. Elliptic Curve Keys in Resource Records.................3
3. The Elliptic Curve Equation.............................9 3. The Elliptic Curve Equation.............................9
4. How do I Compute Q, G, and Y?..........................10 4. How do I Compute Q, G, and Y?..........................10
5. Elliptic Curve SIG Resource Records....................11 5. Elliptic Curve Signature Resource Records..............11
6. Performance Considerations.............................13 6. Performance Considerations.............................13
7. Security Considerations................................13 7. Security Considerations................................13
8. IANA Considerations....................................13 8. IANA Considerations....................................13
Copyright and Disclaimer..................................14 Copyright and Disclaimer..................................14
Informational References..................................15 Informational References..................................15
Normative Refrences.......................................15 Normative Refrences.......................................15
Author's Addresses........................................16 Author's Addresses........................................16
Expiration and File Name..................................16 Expiration and File Name..................................16
INTERNET-DRAFT ECC Keys in the DNS INTERNET-DRAFT ECC in the DNS
1. Introduction 1. Introduction
The Domain Name System (DNS) is the global hierarchical replicated The Domain Name System (DNS) is the global hierarchical replicated
distributed database system for Internet addressing, mail proxy, and distributed database system for Internet addressing, mail proxy, and
other information. The DNS has been extended to include digital other information. The DNS has been extended to include digital
signatures and cryptographic keys as described in [RFC 4033, 4034, signatures and cryptographic keys as described in [RFC 4033, 4034,
4035]. 4035].
This document describes how to store elliptic curve cryptographic This document describes how to store elliptic curve cryptographic
(ECC) keys and signatures in the DNS so they can be used for a (ECC) keys and signatures in the DNS so they can be used for a
variety of security purposes. Familiarity with ECC cryptography is variety of security purposes. The signatures use the SHA-1 eigest
assumed [Menezes]. algorithm [RFC 3174]. Familiarity with ECC cryptography is assumed
[Menezes].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC 2119]. document are to be interpreted as described in [RFC 2119].
2. Elliptic Curve Data in Resource Records 2. Elliptic Curve Keys in Resource Records
Elliptic curve public keys are stored in the DNS within the RDATA Elliptic curve public keys are stored in the DNS within the RDATA
portions of key RRs, such as RRKEY and KEY [RFC 4034] RRs, with the portions of key RRs, such as RRKEY and KEY [RFC 4034] RRs, with the
structure shown below. structure shown below.
The research world continues to work on the issue of which is the The research world continues to work on the issue of which is the
best elliptic curve system, which finite field to use, and how to best elliptic curve system, which finite field to use, and how to
best represent elements in the field. So, representations are best represent elements in the field. So, representations are
defined for every type of finite field, and every type of elliptic defined for every type of finite field, and every type of elliptic
curve. The reader should be aware that there is a unique finite curve. The reader should be aware that there is a unique finite
field with a particular number of elements, but many possible field with a particular number of elements, but many possible
representations of that field and its elements. If two different representations of that field and its elements. If two different
representations of a field are given, they are interconvertible with representations of a field are given, they are interconvertible with
a tedious but practical precomputation, followed by a fast a tedious but practical precomputation, followed by a fast
computation for each field element to be converted. It is perfectly computation for each field element to be converted. It is perfectly
reasonable for an algorithm to work internally with one field reasonable for an algorithm to work internally with one field
representation, and convert to and from a different external representation, and convert to and from a different external
representation. representation.
INTERNET-DRAFT ECC Keys in the DNS INTERNET-DRAFT ECC in the DNS
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|S M -FMT- A B Z| |S M -FMT- A B Z|
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
| LP | | LP |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| P (length determined from LP) .../ | P (length determined from LP) .../
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
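Review bot: The sentence added to the Introduction in -08 reads "The signatures use the SHA-1 eigest algorithm [RFC 3174]"; "eigest" should be "digest". While this text is being touched, "greatfully" in the Acknowledgement and "Normative Refrences" in the Table of Contents are carried over unchanged from -07 and should become "gratefully" and "Normative References". The revised Abstract and Introduction now tie the signature format to SHA-1 alone, so the draft should state how a different digest would be signalled (a new algorithm number or a flag bit); nothing in the visible text covers that.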
skipping to change at page 5, line 5 skipping to change at page 5, line 5
| LB | | LB |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| B (length determined from LB) .../ | B (length determined from LB) .../
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| LC | | LC |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| C (length determined from LC) .../ | C (length determined from LC) .../
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| LG | | LG |
INTERNET-DRAFT ECC Keys in the DNS INTERNET-DRAFT ECC in the DNS
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| G (length determined from LG) .../ | G (length determined from LG) .../
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| LY | | LY |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Y (length determined from LY) .../ | Y (length determined from LY) .../
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
SMFMTABZ is a flags octet as follows: SMFMTABZ is a flags octet as follows:
skipping to change at page 6, line 5 skipping to change at page 6, line 5
= 2 The field polynomial is implicit. = 2 The field polynomial is implicit.
= 3 The field polynomial is a binomial. P>2. = 3 The field polynomial is a binomial. P>2.
= 4 The field polynomial is a trinomial. = 4 The field polynomial is a trinomial.
= 5 The field polynomial is the quotient of a trinomial by a = 5 The field polynomial is the quotient of a trinomial by a
short polynomial. P=2. short polynomial. P=2.
= 6 The field polynomial is a pentanomial. P=2. = 6 The field polynomial is a pentanomial. P=2.
Flags A and B apply to the elliptic curve parameters. Flags A and B apply to the elliptic curve parameters.
INTERNET-DRAFT ECC Keys in the DNS INTERNET-DRAFT ECC in the DNS
A = 1 When P>=5, the curve parameter A is negated. If P=2, then A = 1 When P>=5, the curve parameter A is negated. If P=2, then
A=1 indicates that the A parameter is special. See the A=1 indicates that the A parameter is special. See the
ALTA parameter below, following A. The combination A=1, ALTA parameter below, following A. The combination A=1,
P=3 is forbidden. P=3 is forbidden.
B = 1 When P>=5, the curve parameter B is negated. If P=2 or 3, B = 1 When P>=5, the curve parameter B is negated. If P=2 or 3,
then B=1 indicates an alternate elliptic curve equation is then B=1 indicates an alternate elliptic curve equation is
used. When P=2 and B=1, an additional curve parameter C used. When P=2 and B=1, an additional curve parameter C
is present. is present.
skipping to change at page 7, line 5 skipping to change at page 7, line 5
ceiling(log2 P) bits. Coefficients are in the numerical range ceiling(log2 P) bits. Coefficients are in the numerical range
[0,P-1]. The coefficients are packed into fixed-width fields, from [0,P-1]. The coefficients are packed into fixed-width fields, from
higher order to lower order. All coefficients must be present, higher order to lower order. All coefficients must be present,
including any 0s and also the leading coefficient (which is required including any 0s and also the leading coefficient (which is required
to be 1). The coefficients are right justified into the octet string to be 1). The coefficients are right justified into the octet string
of length specified by LF, with the low-order "constant" coefficient of length specified by LF, with the low-order "constant" coefficient
at the right end. As a concession to storage efficiency, the higher at the right end. As a concession to storage efficiency, the higher
order bits of the leading coefficient may be elided, discarding high- order bits of the leading coefficient may be elided, discarding high-
order 0 octets and reducing LF. The degree is calculated by order 0 octets and reducing LF. The degree is calculated by
INTERNET-DRAFT ECC Keys in the DNS INTERNET-DRAFT ECC in the DNS
determining the bit position of the left most 1-bit in the F data determining the bit position of the left most 1-bit in the F data
(counting the right most bit as position 0), and dividing by (counting the right most bit as position 0), and dividing by
ceiling(log2 P). The division must be exact, with no remainder. In ceiling(log2 P). The division must be exact, with no remainder. In
this format, all of the other degree and field parameters are this format, all of the other degree and field parameters are
omitted. The next parameters will be LQ,Q. omitted. The next parameters will be LQ,Q.
If FMT>=2, the degree of the field extension is specified explicitly, If FMT>=2, the degree of the field extension is specified explicitly,
usually along with other parameters to define the field polynomial. usually along with other parameters to define the field polynomial.
skipping to change at page 8, line 5 skipping to change at page 8, line 5
divisor. The small polynomial is right-adjusted in the two octet divisor. The small polynomial is right-adjusted in the two octet
field TRDV. DEG specifies the degree of the field. The degree of field TRDV. DEG specifies the degree of the field. The degree of
TRDV is calculated from the position of the high-order 1 bit. The TRDV is calculated from the position of the high-order 1 bit. The
trinomial to be divided is X^(DEG+degree(TRDV)) + X^DEGH + 1. If trinomial to be divided is X^(DEG+degree(TRDV)) + X^DEGH + 1. If
DEGH is 0, the middle term is omitted from the trinomial. The DEGH is 0, the middle term is omitted from the trinomial. The
quotient must be exact, with no remainder. quotient must be exact, with no remainder.
When FMT=6, then P=2 (only). The field polynomial is a pentanomial, When FMT=6, then P=2 (only). The field polynomial is a pentanomial,
with the degrees of the middle terms given by the three 2-octet with the degrees of the middle terms given by the three 2-octet
INTERNET-DRAFT ECC Keys in the DNS INTERNET-DRAFT ECC in the DNS
values DEGH, DEGI, DEGJ. The polynomial is X^DEG + X^DEGH + X^DEGI + values DEGH, DEGI, DEGJ. The polynomial is X^DEG + X^DEGH + X^DEGI +
X^DEGJ + 1. The values must satisfy the inequality DEG > DEGH > DEGI X^DEGJ + 1. The values must satisfy the inequality DEG > DEGH > DEGI
> DEGJ > 0. > DEGJ > 0.
DEGH, DEGI, DEGJ are two-octet fields that define the degree of DEGH, DEGI, DEGJ are two-octet fields that define the degree of
a term in a field polynomial. DEGH is present when FMT = 4, a term in a field polynomial. DEGH is present when FMT = 4,
5, or 6. DEGI and DEGJ are present only when FMT = 6. 5, or 6. DEGI and DEGJ are present only when FMT = 6.
TRDV is a two-octet right-adjusted binary polynomial of degree < TRDV is a two-octet right-adjusted binary polynomial of degree <
skipping to change at page 9, line 5 skipping to change at page 9, line 5
P-K. To save space, 0 bits may be removed from the left end of the P-K. To save space, 0 bits may be removed from the left end of the
element representation, and the length field reduced appropriately. element representation, and the length field reduced appropriately.
This would normally only happen with A,B,C, because the designer This would normally only happen with A,B,C, because the designer
chose curve parameters with some high-order 0 coefficients or bits. chose curve parameters with some high-order 0 coefficients or bits.
If the finite field is simply (mod P), then the field elements are If the finite field is simply (mod P), then the field elements are
simply numbers (mod P), in the usual right-justified notation. If simply numbers (mod P), in the usual right-justified notation. If
the finite field is GF[2^D], the field elements are the usual right- the finite field is GF[2^D], the field elements are the usual right-
justified polynomial basis representation. justified polynomial basis representation.
INTERNET-DRAFT ECC Keys in the DNS INTERNET-DRAFT ECC in the DNS
LA,A is the first parameter of the elliptic curve equation. LA,A is the first parameter of the elliptic curve equation.
When P>=5, the flag A = 1 indicates A should be negated (mod When P>=5, the flag A = 1 indicates A should be negated (mod
P). When P=2 (indicated by the flag M=0), the flag A = 1 P). When P=2 (indicated by the flag M=0), the flag A = 1
indicates that the parameter pair LA,A is replaced by the two indicates that the parameter pair LA,A is replaced by the two
octet parameter ALTA. In this case, the parameter A in the octet parameter ALTA. In this case, the parameter A in the
curve equation is x^ALTA, where x is the field generator. curve equation is x^ALTA, where x is the field generator.
Parameter A often has the value 0, which may be indicated by Parameter A often has the value 0, which may be indicated by
LA=0 (with no A data field), and sometimes A is 1, which may LA=0 (with no A data field), and sometimes A is 1, which may
be represented with LA=1 and a data field of 1, or by setting be represented with LA=1 and a data field of 1, or by setting
skipping to change at page 10, line 5 skipping to change at page 10, line 5
+ A*W + B. Z,W,A,B are all numbers (mod P) or elements of GF[P^D]. + A*W + B. Z,W,A,B are all numbers (mod P) or elements of GF[P^D].
If A and/or B is negative (i.e., in the range from P/2 to P), and If A and/or B is negative (i.e., in the range from P/2 to P), and
P>=5, space may be saved by putting the sign bit(s) in the A and B P>=5, space may be saved by putting the sign bit(s) in the A and B
bits of the flags octet, and the magnitude(s) in the parameter bits of the flags octet, and the magnitude(s) in the parameter
fields. fields.
If M=1 and P=3, the B flag has a different meaning: it specifies an If M=1 and P=3, the B flag has a different meaning: it specifies an
alternate curve equation, Z^2 = W^3 + A*W^2 + B. The middle term of alternate curve equation, Z^2 = W^3 + A*W^2 + B. The middle term of
the right-hand-side is different. When P=3, this equation is more the right-hand-side is different. When P=3, this equation is more
INTERNET-DRAFT ECC Keys in the DNS INTERNET-DRAFT ECC in the DNS
commonly used. commonly used.
If M=0, the GF[2^N] case, the curve equation is Z^2 + W*Z = W^3 + If M=0, the GF[2^N] case, the curve equation is Z^2 + W*Z = W^3 +
A*W^2 + B. Z,W,A,B are all elements of the field GF[2^N]. The A A*W^2 + B. Z,W,A,B are all elements of the field GF[2^N]. The A
parameter can often be 0 or 1, or be chosen as a single-1-bit value. parameter can often be 0 or 1, or be chosen as a single-1-bit value.
The flag B is used to select an alternate curve equation, Z^2 + C*Z = The flag B is used to select an alternate curve equation, Z^2 + C*Z =
W^3 + A*W + B. This is the only time that the C parameter is used. W^3 + A*W + B. This is the only time that the C parameter is used.
4. How do I Compute Q, G, and Y? 4. How do I Compute Q, G, and Y?
skipping to change at page 11, line 5 skipping to change at page 11, line 5
In the GF[2^N] case, the two possible Z values xor to W (or to the In the GF[2^N] case, the two possible Z values xor to W (or to the
parameter C with the alternate curve equation). The numerically parameter C with the alternate curve equation). The numerically
smaller Z value (the one which does not contain the highest-order 1 smaller Z value (the one which does not contain the highest-order 1
bit of W (or C)) is used in subsequent calculations. bit of W (or C)) is used in subsequent calculations.
Y is specified by giving the W-coordinate of the user's public Y is specified by giving the W-coordinate of the user's public
signature key. The Z-coordinate value is determined from the curve signature key. The Z-coordinate value is determined from the curve
equation. As with G, there are two possible Z values; the same rule equation. As with G, there are two possible Z values; the same rule
is followed for choosing which Z to use. is followed for choosing which Z to use.
INTERNET-DRAFT ECC Keys in the DNS INTERNET-DRAFT ECC in the DNS
During the key generation process, a random [RFC 1750] number X must During the key generation process, a random [RFC 1750] number X must
be generated such that 1 <= X <= Q-1. X is the private key and is be generated such that 1 <= X <= Q-1. X is the private key and is
used in the final step of public key generation where Y is computed used in the final step of public key generation where Y is computed
as as
Y = X * G (as points on the elliptic curve) Y = X * G (as points on the elliptic curve)
If the Z-coordinate of the computed point Y is wrong (i.e., Z > P/2 If the Z-coordinate of the computed point Y is wrong (i.e., Z > P/2
in the (mod P) case, or the high-order non-zero coefficient of Z > in the (mod P) case, or the high-order non-zero coefficient of Z >
P/2 in the GF[P^D] case, or Z sharing a high bit with W(C) in the P/2 in the GF[P^D] case, or Z sharing a high bit with W(C) in the
GF[2^N] case), then X must be replaced with Q-X. This will GF[2^N] case), then X must be replaced with Q-X. This will
correspond to the correct Z-coordinate. correspond to the correct Z-coordinate.
5. Elliptic Curve SIG Resource Records 5. Elliptic Curve Signature Resource Records
The signature portion of an RR RDATA area when using the EC The signature portion of an RR RDATA area when using the EC
algorithm, for example in the RRSIG and SIG [RFC records] RRs is algorithm, for example in the RRSIG and SIG [RFC records] RRs is
shown below. shown below.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| R, (length determined from LQ) .../ | R, (length determined from LQ) .../
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
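Review bot: In the first sentence of Section 5, the citation "[RFC records]" in "the RRSIG and SIG [RFC records] RRs" is an unfilled placeholder that survives from -07 even though the section title directly above it was edited; replace it with the actual reference (Section 2 cites [RFC 4034] for the corresponding key RRs). In the same hunk, key generation cites [RFC 1750] for the random number X, while the signing procedure cites [RFC 4086] for K; use one randomness reference throughout.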
skipping to change at page 11, line 42 skipping to change at page 11, line 42
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
R and S are integers (mod Q). Their length is specified by the LQ R and S are integers (mod Q). Their length is specified by the LQ
field of the corresponding KEY RR and can also be calculated from the field of the corresponding KEY RR and can also be calculated from the
SIG RR's RDLENGTH. They are right justified, high-order-octet first. SIG RR's RDLENGTH. They are right justified, high-order-octet first.
The same conditional formula for calculating the length from LQ is The same conditional formula for calculating the length from LQ is
used as for all the other length fields above. used as for all the other length fields above.
The data signed is determined as specified in [RFC 2535]. Then the The data signed is determined as specified in [RFC 2535]. Then the
following steps are taken where Q, P, G, and Y are as specified in following steps are taken where Q, P, G, and Y are as specified in
the public key [Schneier]: the public key [Schneier]. For further information on SHA-1, see [RFC
3174].
hash = SHA-1 ( data ) hash = SHA-1 ( data )
Generate random [RFC 4086] K such that 0 < K < Q. (Never sign two Generate random [RFC 4086] K such that 0 < K < Q. (Never sign two
different messages with the same K. K should be chosen from a different messages with the same K. K should be chosen from a
very large space: If an opponent learns a K value for a single very large space: If an opponent learns a K value for a single
signature, the user's signing key is compromised, and a forger signature, the user's signing key is compromised, and a forger
can sign arbitrary messages. There is no harm in signing the can sign arbitrary messages. There is no harm in signing the
same message multiple times with the same key or different same message multiple times with the same key or different
keys.) keys.)
R = (the W-coordinate of ( K*G on the elliptic curve )) interpreted INTERNET-DRAFT ECC in the DNS
INTERNET-DRAFT ECC Keys in the DNS
R = (the W-coordinate of ( K*G on the elliptic curve )) interpreted
as an integer, and reduced (mod Q). (R must not be 0. In as an integer, and reduced (mod Q). (R must not be 0. In
this astronomically unlikely event, generate a new random K this astronomically unlikely event, generate a new random K
and recalculate R.) and recalculate R.)
S = ( K^(-1) * (hash + X*R) ) mod Q. S = ( K^(-1) * (hash + X*R) ) mod Q.
S must not be 0. In this astronomically unlikely event, generate a S must not be 0. In this astronomically unlikely event, generate a
new random K and recalculate R and S. new random K and recalculate R and S.
If S > Q/2, set S = Q - S. If S > Q/2, set S = Q - S.
The pair (R,S) is the signature. The pair (R,S) is the signature.
Another party verifies the signature as follows: Another party verifies the signature as follows. For further
information on SHA-1, see [RFC 3174].
Check that 0 < R < Q and 0 < S < Q/2. If not, it can not be a Check that 0 < R < Q and 0 < S < Q/2. If not, it can not be a
valid EC sigature. valid EC sigature.
hash = SHA-1 ( data ) hash = SHA-1 ( data )
Sinv = S^(-1) mod Q. Sinv = S^(-1) mod Q.
U1 = (hash * Sinv) mod Q. U1 = (hash * Sinv) mod Q.
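Review bot: The sentence "For further information on SHA-1, see [RFC 3174]" is added twice in this hunk, once before the signing steps and once before the verification steps, and the Introduction already carries the same citation; keep it once and drop the repeat. The unchanged sentence "The data signed is determined as specified in [RFC 2535]" still cites RFC 2535 while the Introduction cites [RFC 4033, 4034, 4035] for DNS signatures, so that reference should be aligned. The requirement never to sign two different messages with the same K sits in a parenthetical remark; since the document adopts the [RFC 2119] key words, state it as a MUST NOT, together with the requirement that K remain secret. "sigature" in the verification check should read "signature".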
skipping to change at page 12, line 55 skipping to change at page 13, line 4
find data that hashes to an assigned value, so this is only a find data that hashes to an assigned value, so this is only a
cosmetic blemish. The blemish can be eliminated by using Q > cosmetic blemish. The blemish can be eliminated by using Q >
2^160, at the cost of having slightly longer signatures, 42 octets 2^160, at the cost of having slightly longer signatures, 42 octets
instead of 40. instead of 40.
We must specify how a field-element E ("the W-coordinate") is to be We must specify how a field-element E ("the W-coordinate") is to be
interpreted as an integer. The field-element E is regarded as a interpreted as an integer. The field-element E is regarded as a
radix-P integer, with the digits being the coefficients in the radix-P integer, with the digits being the coefficients in the
polynomial basis representation of E. The digits are in the ragne polynomial basis representation of E. The digits are in the ragne
[0,P-1]. In the two most common cases, this reduces to "the [0,P-1]. In the two most common cases, this reduces to "the
obvious thing". In the (mod P) case, E is simply a residue mod P,
and is taken as an integer in the range [0,P-1]. In the GF[2^D]
INTERNET-DRAFT ECC Keys in the DNS INTERNET-DRAFT ECC in the DNS
obvious thing". In the (mod P) case, E is simply a residue mod P,
and is taken as an integer in the range [0,P-1]. In the GF[2^D]
case, E is in the D-bit polynomial basis representation, and is case, E is in the D-bit polynomial basis representation, and is
simply taken as an integer in the range [0,(2^D)-1]. For other simply taken as an integer in the range [0,(2^D)-1]. For other
fields GF[P^D], it's necessary to do some radix conversion fields GF[P^D], it's necessary to do some radix conversion
arithmetic. arithmetic.
6. Performance Considerations 6. Performance Considerations
Elliptic curve signatures use smaller moduli or field sizes than Elliptic curve signatures use smaller moduli or field sizes than
RSA and DSA. Creation of a curve is slow, but not done very often. RSA and DSA. Creation of a curve is slow, but not done very often.
Key generation is faster than RSA or DSA. Key generation is faster than RSA or DSA.
skipping to change at page 14, line 5 skipping to change at page 14, line 5
8. IANA Considerations 8. IANA Considerations
The key and signature data structures defined herein correspond to The key and signature data structures defined herein correspond to
the value 4 in the Algorithm number field of the IANA registry the value 4 in the Algorithm number field of the IANA registry
Assignment of meaning to the remaining ECC data flag bits or to Assignment of meaning to the remaining ECC data flag bits or to
values of ECC fields outside the ranges for which meaning in values of ECC fields outside the ranges for which meaning in
defined in this document requires an IETF consensus as defined in defined in this document requires an IETF consensus as defined in
[RFC 2434]. [RFC 2434].
INTERNET-DRAFT ECC Keys in the DNS INTERNET-DRAFT ECC in the DNS
Copyright and Disclaimer Copyright and Disclaimer
Copyright (C) The Internet Society 2005. This document is subject Copyright (C) The Internet Society 2005.
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on This document and the information contained herein are provided on
an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE. PARTICULAR PURPOSE.
INTERNET-DRAFT ECC Keys in the DNS INTERNET-DRAFT ECC in the DNS
Informational References Informational References
[RFC 1034] - P. Mockapetris, "Domain names - concepts and [RFC 1034] - P. Mockapetris, "Domain names - concepts and
facilities", 11/01/1987. facilities", 11/01/1987.
[RFC 1035] - P. Mockapetris, "Domain names - implementation and [RFC 1035] - P. Mockapetris, "Domain names - implementation and
specification", 11/01/1987. specification", 11/01/1987.
[RFC 2671] - P. Vixie, "Extension Mechanisms for DNS (EDNS0)", [RFC 2671] - P. Vixie, "Extension Mechanisms for DNS (EDNS0)",
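Review bot: In Section 8 the sentence ending "the Algorithm number field of the IANA registry" has no closing period and does not name the registry it refers to; since this hunk already reflows the copyright paragraph, complete that sentence as well. In the next sentence, "for which meaning in defined" should read "for which meaning is defined".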
skipping to change at page 15, line 47 skipping to change at page 15, line 47
Curves", 1986, Springer Graduate Texts in mathematics #106. Curves", 1986, Springer Graduate Texts in mathematics #106.
Normative Refrences Normative Refrences
[RFC 2119] - S. Bradner, "Key words for use in RFCs to Indicate [RFC 2119] - S. Bradner, "Key words for use in RFCs to Indicate
Requirement Levels", March 1997. Requirement Levels", March 1997.
[RFC 2434] - T. Narten, H. Alvestrand, "Guidelines for Writing an [RFC 2434] - T. Narten, H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", October 1998. IANA Considerations Section in RFCs", October 1998.
[RFC 3174] - Eastlake 3rd, D. and P. Jones, "US Secure Hash
Algorithm 1 (SHA1)", RFC 3174, September 2001.
[RFC 4034] - Arends, R., Austein, R., Larson, M., Massey, D., and [RFC 4034] - Arends, R., Austein, R., Larson, M., Massey, D., and
S. Rose, "Resource Records for the DNS Security Extensions", RFC S. Rose, "Resource Records for the DNS Security Extensions", RFC
4034, March 2005. 4034, March 2005.
INTERNET-DRAFT ECC Keys in the DNS INTERNET-DRAFT ECC in the DNS
Author's Addresses Author's Addresses
Rich Schroeppel Rich Schroeppel
500 S. Maple Drive 500 S. Maple Drive
Woodland Hills, UT 84653 USA Woodland Hills, UT 84653 USA
Telephone: +1-505-844-9079(w) Telephone: +1-505-844-9079(w)
Email: rschroe@sandia.gov Email: rschroe@sandia.gov
Donald E. Eastlake 3rd Donald E. Eastlake 3rd
Motorola Laboratories Motorola Laboratories
155 Beaver Street 155 Beaver Street
Milford, MA 01757 USA Milford, MA 01757 USA
Telephone: +1 508-786-7554 (w) Telephone: +1 508-786-7554 (w)
EMail: Donald.Eastlake@motorola.com EMail: Donald.Eastlake@motorola.com
Expiration and File Name Expiration and File Name
This draft expires in January 2006. This draft expires in April 2006.
Its file name is draft-ietf-dnsext-ecc-key-07.txt. Its file name is draft-ietf-dnsext-ecc-key-08.txt.
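Review bot: [RFC 3174] is added to the normative list, but the heading above it is still spelled "Normative Refrences" and should be "Normative References". The signing text cites [RFC 4086] for generating K, yet no entry for it appears in the visible part of either reference list; confirm that every citation used in Section 5 ([RFC 4086], [RFC 2535], [Schneier]) has a matching entry.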
 End of changes. 34 change blocks. 
39 lines changed or deleted 48 lines changed or added

This html diff was produced by rfcdiff 1.27, available from http://www.levkowetz.com/ietf/tools/rfcdiff/