draft-ietf-dnsext-ecc-key-07.txt | draft-ietf-dnsext-ecc-key-08.txt | |||
---|---|---|---|---|

INTERNET-DRAFT ECC Keys in the DNS | INTERNET-DRAFT Richard C. Schroeppel | |||

Expires: January 2006 July 2005 | Donald Eastlake 3rd | |||

Expires: April 2006 October 2005 | ||||

Elliptic Curve KEYs in the DNS | Elliptic Curve Keys and Signatures in the DNS | |||

-------- ----- ---- -- --- --- | -------- ----- ---- --- ---------- -- --- ---- | |||

<draft-ietf-dnsext-ecc-key-07.txt> | <draft-ietf-dnsext-ecc-key-08.txt> | |||

Richard C. Schroeppel | Richard C. Schroeppel | |||

Donald Eastlake 3rd | Donald Eastlake 3rd | |||

Status of This Document | Status of This Document | |||

By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||

applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||

have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||

aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||

skipping to change at page 1, line 32 | skipping to change at page 1, line 33 | |||

to the DNS mailing list <namedroppers@ops.ietf.org>. | to the DNS mailing list <namedroppers@ops.ietf.org>. | |||

Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||

Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||

other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||

Drafts. | Drafts. | |||

Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||

and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||

time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||

material or to cite them other than a "work in progress." | material or to cite them other than as "work in progress." | |||

The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||

http://www.ietf.org/1id-abstracts.html | http://www.ietf.org/1id-abstracts.html | |||

The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||

http://www.ietf.org/shadow.html | http://www.ietf.org/shadow.html | |||

Abstract | Abstract | |||

The standard method for storing elliptic curve cryptographic keys and | The standard method for storing elliptic curve cryptographic keys and | |||

signatures in the Domain Name System is specified. | elliptic curve SHA-1 based signatures in the Domain Name System is | |||

specified. | ||||

Copyright Notice | Copyright Notice | |||

Copyright (C) The Internet Society (2005). All Rights Reserved. | Copyright (C) The Internet Society (2005). | |||

INTERNET-DRAFT ECC Keys in the DNS | INTERNET-DRAFT ECC in the DNS | |||

Acknowledgement | Acknowledgement | |||

The assistance of Hilarie K. Orman in the production of this document | The assistance of Hilarie K. Orman in the production of this document | |||

is greatfully acknowledged. | is greatfully acknowledged. | |||

Table of Contents | Table of Contents | |||

Status of This Document....................................1 | Status of This Document....................................1 | |||

Abstract...................................................1 | Abstract...................................................1 | |||

Copyright Notice...........................................1 | Copyright Notice...........................................1 | |||

Acknowledgement............................................2 | Acknowledgement............................................2 | |||

Table of Contents..........................................2 | Table of Contents..........................................2 | |||

1. Introduction............................................3 | 1. Introduction............................................3 | |||

2. Elliptic Curve Data in Resource Records.................3 | 2. Elliptic Curve Keys in Resource Records.................3 | |||

3. The Elliptic Curve Equation.............................9 | 3. The Elliptic Curve Equation.............................9 | |||

4. How do I Compute Q, G, and Y?..........................10 | 4. How do I Compute Q, G, and Y?..........................10 | |||

5. Elliptic Curve SIG Resource Records....................11 | 5. Elliptic Curve Signature Resource Records..............11 | |||

6. Performance Considerations.............................13 | 6. Performance Considerations.............................13 | |||

7. Security Considerations................................13 | 7. Security Considerations................................13 | |||

8. IANA Considerations....................................13 | 8. IANA Considerations....................................13 | |||

Copyright and Disclaimer..................................14 | Copyright and Disclaimer..................................14 | |||

Informational References..................................15 | Informational References..................................15 | |||

Normative Refrences.......................................15 | Normative Refrences.......................................15 | |||

Author's Addresses........................................16 | Author's Addresses........................................16 | |||

Expiration and File Name..................................16 | Expiration and File Name..................................16 | |||

INTERNET-DRAFT ECC Keys in the DNS | INTERNET-DRAFT ECC in the DNS | |||

1. Introduction | 1. Introduction | |||

The Domain Name System (DNS) is the global hierarchical replicated | The Domain Name System (DNS) is the global hierarchical replicated | |||

distributed database system for Internet addressing, mail proxy, and | distributed database system for Internet addressing, mail proxy, and | |||

other information. The DNS has been extended to include digital | other information. The DNS has been extended to include digital | |||

signatures and cryptographic keys as described in [RFC 4033, 4034, | signatures and cryptographic keys as described in [RFC 4033, 4034, | |||

4035]. | 4035]. | |||

This document describes how to store elliptic curve cryptographic | This document describes how to store elliptic curve cryptographic | |||

(ECC) keys and signatures in the DNS so they can be used for a | (ECC) keys and signatures in the DNS so they can be used for a | |||

variety of security purposes. Familiarity with ECC cryptography is | variety of security purposes. The signatures use the SHA-1 eigest | |||

assumed [Menezes]. | algorithm [RFC 3174]. Familiarity with ECC cryptography is assumed | |||

[Menezes]. | ||||

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||

"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||

document are to be interpreted as described in [RFC 2119]. | document are to be interpreted as described in [RFC 2119]. | |||

2. Elliptic Curve Data in Resource Records | 2. Elliptic Curve Keys in Resource Records | |||

Elliptic curve public keys are stored in the DNS within the RDATA | Elliptic curve public keys are stored in the DNS within the RDATA | |||

portions of key RRs, such as RRKEY and KEY [RFC 4034] RRs, with the | portions of key RRs, such as RRKEY and KEY [RFC 4034] RRs, with the | |||

structure shown below. | structure shown below. | |||

The research world continues to work on the issue of which is the | The research world continues to work on the issue of which is the | |||

best elliptic curve system, which finite field to use, and how to | best elliptic curve system, which finite field to use, and how to | |||

best represent elements in the field. So, representations are | best represent elements in the field. So, representations are | |||

defined for every type of finite field, and every type of elliptic | defined for every type of finite field, and every type of elliptic | |||

curve. The reader should be aware that there is a unique finite | curve. The reader should be aware that there is a unique finite | |||

field with a particular number of elements, but many possible | field with a particular number of elements, but many possible | |||

representations of that field and its elements. If two different | representations of that field and its elements. If two different | |||

representations of a field are given, they are interconvertible with | representations of a field are given, they are interconvertible with | |||

a tedious but practical precomputation, followed by a fast | a tedious but practical precomputation, followed by a fast | |||

computation for each field element to be converted. It is perfectly | computation for each field element to be converted. It is perfectly | |||

reasonable for an algorithm to work internally with one field | reasonable for an algorithm to work internally with one field | |||

representation, and convert to and from a different external | representation, and convert to and from a different external | |||

representation. | representation. | |||

INTERNET-DRAFT ECC Keys in the DNS | INTERNET-DRAFT ECC in the DNS | |||

1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | |||

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||

|S M -FMT- A B Z| | |S M -FMT- A B Z| | |||

+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+ | |||

| LP | | | LP | | |||

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||

| P (length determined from LP) .../ | | P (length determined from LP) .../ | |||

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
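
Review bot: The sentence added to the Introduction in -08, "The signatures use the SHA-1 eigest algorithm [RFC 3174]", has a typo: "eigest" should be "digest". The same hunk leaves "greatfully acknowledged" and "Normative Refrences" misspelled on both sides, so they are worth fixing in the same pass. Since the Abstract and Introduction now name SHA-1 and cite [RFC 3174], confirm that the reference list gains an RFC 3174 entry; this comparison does not show the reference sections.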

skipping to change at page 5, line 5 | skipping to change at page 5, line 5 | |||

| LB | | | LB | | |||

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||

| B (length determined from LB) .../ | | B (length determined from LB) .../ | |||

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||

| LC | | | LC | | |||

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||

| C (length determined from LC) .../ | | C (length determined from LC) .../ | |||

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||

| LG | | | LG | | |||

INTERNET-DRAFT ECC Keys in the DNS | INTERNET-DRAFT ECC in the DNS | |||

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||

| G (length determined from LG) .../ | | G (length determined from LG) .../ | |||

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||

| LY | | | LY | | |||

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||

| Y (length determined from LY) .../ | | Y (length determined from LY) .../ | |||

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||

SMFMTABZ is a flags octet as follows: | SMFMTABZ is a flags octet as follows: | |||

skipping to change at page 6, line 5 | skipping to change at page 6, line 5 | |||

= 2 The field polynomial is implicit. | = 2 The field polynomial is implicit. | |||

= 3 The field polynomial is a binomial. P>2. | = 3 The field polynomial is a binomial. P>2. | |||

= 4 The field polynomial is a trinomial. | = 4 The field polynomial is a trinomial. | |||

= 5 The field polynomial is the quotient of a trinomial by a | = 5 The field polynomial is the quotient of a trinomial by a | |||

short polynomial. P=2. | short polynomial. P=2. | |||

= 6 The field polynomial is a pentanomial. P=2. | = 6 The field polynomial is a pentanomial. P=2. | |||

Flags A and B apply to the elliptic curve parameters. | Flags A and B apply to the elliptic curve parameters. | |||

INTERNET-DRAFT ECC Keys in the DNS | INTERNET-DRAFT ECC in the DNS | |||

A = 1 When P>=5, the curve parameter A is negated. If P=2, then | A = 1 When P>=5, the curve parameter A is negated. If P=2, then | |||

A=1 indicates that the A parameter is special. See the | A=1 indicates that the A parameter is special. See the | |||

ALTA parameter below, following A. The combination A=1, | ALTA parameter below, following A. The combination A=1, | |||

P=3 is forbidden. | P=3 is forbidden. | |||

B = 1 When P>=5, the curve parameter B is negated. If P=2 or 3, | B = 1 When P>=5, the curve parameter B is negated. If P=2 or 3, | |||

then B=1 indicates an alternate elliptic curve equation is | then B=1 indicates an alternate elliptic curve equation is | |||

used. When P=2 and B=1, an additional curve parameter C | used. When P=2 and B=1, an additional curve parameter C | |||

is present. | is present. | |||

skipping to change at page 7, line 5 | skipping to change at page 7, line 5 | |||

ceiling(log2 P) bits. Coefficients are in the numerical range | ceiling(log2 P) bits. Coefficients are in the numerical range | |||

[0,P-1]. The coefficients are packed into fixed-width fields, from | [0,P-1]. The coefficients are packed into fixed-width fields, from | |||

higher order to lower order. All coefficients must be present, | higher order to lower order. All coefficients must be present, | |||

including any 0s and also the leading coefficient (which is required | including any 0s and also the leading coefficient (which is required | |||

to be 1). The coefficients are right justified into the octet string | to be 1). The coefficients are right justified into the octet string | |||

of length specified by LF, with the low-order "constant" coefficient | of length specified by LF, with the low-order "constant" coefficient | |||

at the right end. As a concession to storage efficiency, the higher | at the right end. As a concession to storage efficiency, the higher | |||

order bits of the leading coefficient may be elided, discarding high- | order bits of the leading coefficient may be elided, discarding high- | |||

order 0 octets and reducing LF. The degree is calculated by | order 0 octets and reducing LF. The degree is calculated by | |||

INTERNET-DRAFT ECC Keys in the DNS | INTERNET-DRAFT ECC in the DNS | |||

determining the bit position of the left most 1-bit in the F data | determining the bit position of the left most 1-bit in the F data | |||

(counting the right most bit as position 0), and dividing by | (counting the right most bit as position 0), and dividing by | |||

ceiling(log2 P). The division must be exact, with no remainder. In | ceiling(log2 P). The division must be exact, with no remainder. In | |||

this format, all of the other degree and field parameters are | this format, all of the other degree and field parameters are | |||

omitted. The next parameters will be LQ,Q. | omitted. The next parameters will be LQ,Q. | |||

If FMT>=2, the degree of the field extension is specified explicitly, | If FMT>=2, the degree of the field extension is specified explicitly, | |||

usually along with other parameters to define the field polynomial. | usually along with other parameters to define the field polynomial. | |||

skipping to change at page 8, line 5 | skipping to change at page 8, line 5 | |||

divisor. The small polynomial is right-adjusted in the two octet | divisor. The small polynomial is right-adjusted in the two octet | |||

field TRDV. DEG specifies the degree of the field. The degree of | field TRDV. DEG specifies the degree of the field. The degree of | |||

TRDV is calculated from the position of the high-order 1 bit. The | TRDV is calculated from the position of the high-order 1 bit. The | |||

trinomial to be divided is X^(DEG+degree(TRDV)) + X^DEGH + 1. If | trinomial to be divided is X^(DEG+degree(TRDV)) + X^DEGH + 1. If | |||

DEGH is 0, the middle term is omitted from the trinomial. The | DEGH is 0, the middle term is omitted from the trinomial. The | |||

quotient must be exact, with no remainder. | quotient must be exact, with no remainder. | |||

When FMT=6, then P=2 (only). The field polynomial is a pentanomial, | When FMT=6, then P=2 (only). The field polynomial is a pentanomial, | |||

with the degrees of the middle terms given by the three 2-octet | with the degrees of the middle terms given by the three 2-octet | |||

INTERNET-DRAFT ECC Keys in the DNS | INTERNET-DRAFT ECC in the DNS | |||

values DEGH, DEGI, DEGJ. The polynomial is X^DEG + X^DEGH + X^DEGI + | values DEGH, DEGI, DEGJ. The polynomial is X^DEG + X^DEGH + X^DEGI + | |||

X^DEGJ + 1. The values must satisfy the inequality DEG > DEGH > DEGI | X^DEGJ + 1. The values must satisfy the inequality DEG > DEGH > DEGI | |||

> DEGJ > 0. | > DEGJ > 0. | |||

DEGH, DEGI, DEGJ are two-octet fields that define the degree of | DEGH, DEGI, DEGJ are two-octet fields that define the degree of | |||

a term in a field polynomial. DEGH is present when FMT = 4, | a term in a field polynomial. DEGH is present when FMT = 4, | |||

5, or 6. DEGI and DEGJ are present only when FMT = 6. | 5, or 6. DEGI and DEGJ are present only when FMT = 6. | |||

TRDV is a two-octet right-adjusted binary polynomial of degree < | TRDV is a two-octet right-adjusted binary polynomial of degree < | |||

skipping to change at page 9, line 5 | skipping to change at page 9, line 5 | |||

P-K. To save space, 0 bits may be removed from the left end of the | P-K. To save space, 0 bits may be removed from the left end of the | |||

element representation, and the length field reduced appropriately. | element representation, and the length field reduced appropriately. | |||

This would normally only happen with A,B,C, because the designer | This would normally only happen with A,B,C, because the designer | |||

chose curve parameters with some high-order 0 coefficients or bits. | chose curve parameters with some high-order 0 coefficients or bits. | |||

If the finite field is simply (mod P), then the field elements are | If the finite field is simply (mod P), then the field elements are | |||

simply numbers (mod P), in the usual right-justified notation. If | simply numbers (mod P), in the usual right-justified notation. If | |||

the finite field is GF[2^D], the field elements are the usual right- | the finite field is GF[2^D], the field elements are the usual right- | |||

justified polynomial basis representation. | justified polynomial basis representation. | |||

INTERNET-DRAFT ECC Keys in the DNS | INTERNET-DRAFT ECC in the DNS | |||

LA,A is the first parameter of the elliptic curve equation. | LA,A is the first parameter of the elliptic curve equation. | |||

When P>=5, the flag A = 1 indicates A should be negated (mod | When P>=5, the flag A = 1 indicates A should be negated (mod | |||

P). When P=2 (indicated by the flag M=0), the flag A = 1 | P). When P=2 (indicated by the flag M=0), the flag A = 1 | |||

indicates that the parameter pair LA,A is replaced by the two | indicates that the parameter pair LA,A is replaced by the two | |||

octet parameter ALTA. In this case, the parameter A in the | octet parameter ALTA. In this case, the parameter A in the | |||

curve equation is x^ALTA, where x is the field generator. | curve equation is x^ALTA, where x is the field generator. | |||

Parameter A often has the value 0, which may be indicated by | Parameter A often has the value 0, which may be indicated by | |||

LA=0 (with no A data field), and sometimes A is 1, which may | LA=0 (with no A data field), and sometimes A is 1, which may | |||

be represented with LA=1 and a data field of 1, or by setting | be represented with LA=1 and a data field of 1, or by setting | |||

skipping to change at page 10, line 5 | skipping to change at page 10, line 5 | |||

+ A*W + B. Z,W,A,B are all numbers (mod P) or elements of GF[P^D]. | + A*W + B. Z,W,A,B are all numbers (mod P) or elements of GF[P^D]. | |||

If A and/or B is negative (i.e., in the range from P/2 to P), and | If A and/or B is negative (i.e., in the range from P/2 to P), and | |||

P>=5, space may be saved by putting the sign bit(s) in the A and B | P>=5, space may be saved by putting the sign bit(s) in the A and B | |||

bits of the flags octet, and the magnitude(s) in the parameter | bits of the flags octet, and the magnitude(s) in the parameter | |||

fields. | fields. | |||

If M=1 and P=3, the B flag has a different meaning: it specifies an | If M=1 and P=3, the B flag has a different meaning: it specifies an | |||

alternate curve equation, Z^2 = W^3 + A*W^2 + B. The middle term of | alternate curve equation, Z^2 = W^3 + A*W^2 + B. The middle term of | |||

the right-hand-side is different. When P=3, this equation is more | the right-hand-side is different. When P=3, this equation is more | |||

INTERNET-DRAFT ECC Keys in the DNS | INTERNET-DRAFT ECC in the DNS | |||

commonly used. | commonly used. | |||

If M=0, the GF[2^N] case, the curve equation is Z^2 + W*Z = W^3 + | If M=0, the GF[2^N] case, the curve equation is Z^2 + W*Z = W^3 + | |||

A*W^2 + B. Z,W,A,B are all elements of the field GF[2^N]. The A | A*W^2 + B. Z,W,A,B are all elements of the field GF[2^N]. The A | |||

parameter can often be 0 or 1, or be chosen as a single-1-bit value. | parameter can often be 0 or 1, or be chosen as a single-1-bit value. | |||

The flag B is used to select an alternate curve equation, Z^2 + C*Z = | The flag B is used to select an alternate curve equation, Z^2 + C*Z = | |||

W^3 + A*W + B. This is the only time that the C parameter is used. | W^3 + A*W + B. This is the only time that the C parameter is used. | |||

4. How do I Compute Q, G, and Y? | 4. How do I Compute Q, G, and Y? | |||

skipping to change at page 11, line 5 | skipping to change at page 11, line 5 | |||

In the GF[2^N] case, the two possible Z values xor to W (or to the | In the GF[2^N] case, the two possible Z values xor to W (or to the | |||

parameter C with the alternate curve equation). The numerically | parameter C with the alternate curve equation). The numerically | |||

smaller Z value (the one which does not contain the highest-order 1 | smaller Z value (the one which does not contain the highest-order 1 | |||

bit of W (or C)) is used in subsequent calculations. | bit of W (or C)) is used in subsequent calculations. | |||

Y is specified by giving the W-coordinate of the user's public | Y is specified by giving the W-coordinate of the user's public | |||

signature key. The Z-coordinate value is determined from the curve | signature key. The Z-coordinate value is determined from the curve | |||

equation. As with G, there are two possible Z values; the same rule | equation. As with G, there are two possible Z values; the same rule | |||

is followed for choosing which Z to use. | is followed for choosing which Z to use. | |||

INTERNET-DRAFT ECC Keys in the DNS | INTERNET-DRAFT ECC in the DNS | |||

During the key generation process, a random [RFC 1750] number X must | During the key generation process, a random [RFC 1750] number X must | |||

be generated such that 1 <= X <= Q-1. X is the private key and is | be generated such that 1 <= X <= Q-1. X is the private key and is | |||

used in the final step of public key generation where Y is computed | used in the final step of public key generation where Y is computed | |||

as | as | |||

Y = X * G (as points on the elliptic curve) | Y = X * G (as points on the elliptic curve) | |||

If the Z-coordinate of the computed point Y is wrong (i.e., Z > P/2 | If the Z-coordinate of the computed point Y is wrong (i.e., Z > P/2 | |||

in the (mod P) case, or the high-order non-zero coefficient of Z > | in the (mod P) case, or the high-order non-zero coefficient of Z > | |||

P/2 in the GF[P^D] case, or Z sharing a high bit with W(C) in the | P/2 in the GF[P^D] case, or Z sharing a high bit with W(C) in the | |||

GF[2^N] case), then X must be replaced with Q-X. This will | GF[2^N] case), then X must be replaced with Q-X. This will | |||

correspond to the correct Z-coordinate. | correspond to the correct Z-coordinate. | |||

5. Elliptic Curve SIG Resource Records | 5. Elliptic Curve Signature Resource Records | |||

The signature portion of an RR RDATA area when using the EC | The signature portion of an RR RDATA area when using the EC | |||

algorithm, for example in the RRSIG and SIG [RFC records] RRs is | algorithm, for example in the RRSIG and SIG [RFC records] RRs is | |||

shown below. | shown below. | |||

1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | |||

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||

| R, (length determined from LQ) .../ | | R, (length determined from LQ) .../ | |||

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
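
Review bot: The Section 5 heading is renamed to "Elliptic Curve Signature Resource Records", but the sentence under it still carries the placeholder citation "RRSIG and SIG [RFC records] RRs" in both versions; replace it with the actual reference, as Section 2 does with "[RFC 4034]". In the same hunk, key generation cites "random [RFC 1750]" for X while the signing procedure cites "random [RFC 4086]" for K. RFC 4086 obsoletes RFC 1750, so both should point to RFC 4086.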

skipping to change at page 11, line 42 | skipping to change at page 11, line 42 | |||

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||

R and S are integers (mod Q). Their length is specified by the LQ | R and S are integers (mod Q). Their length is specified by the LQ | |||

field of the corresponding KEY RR and can also be calculated from the | field of the corresponding KEY RR and can also be calculated from the | |||

SIG RR's RDLENGTH. They are right justified, high-order-octet first. | SIG RR's RDLENGTH. They are right justified, high-order-octet first. | |||

The same conditional formula for calculating the length from LQ is | The same conditional formula for calculating the length from LQ is | |||

used as for all the other length fields above. | used as for all the other length fields above. | |||

The data signed is determined as specified in [RFC 2535]. Then the | The data signed is determined as specified in [RFC 2535]. Then the | |||

following steps are taken where Q, P, G, and Y are as specified in | following steps are taken where Q, P, G, and Y are as specified in | |||

the public key [Schneier]: | the public key [Schneier]. For further information on SHA-1, see [RFC | |||

3174]. | ||||

hash = SHA-1 ( data ) | hash = SHA-1 ( data ) | |||

Generate random [RFC 4086] K such that 0 < K < Q. (Never sign two | Generate random [RFC 4086] K such that 0 < K < Q. (Never sign two | |||

different messages with the same K. K should be chosen from a | different messages with the same K. K should be chosen from a | |||

very large space: If an opponent learns a K value for a single | very large space: If an opponent learns a K value for a single | |||

signature, the user's signing key is compromised, and a forger | signature, the user's signing key is compromised, and a forger | |||

can sign arbitrary messages. There is no harm in signing the | can sign arbitrary messages. There is no harm in signing the | |||

same message multiple times with the same key or different | same message multiple times with the same key or different | |||

keys.) | keys.) | |||

R = (the W-coordinate of ( K*G on the elliptic curve )) interpreted | INTERNET-DRAFT ECC in the DNS | |||

INTERNET-DRAFT ECC Keys in the DNS | ||||

R = (the W-coordinate of ( K*G on the elliptic curve )) interpreted | ||||

as an integer, and reduced (mod Q). (R must not be 0. In | as an integer, and reduced (mod Q). (R must not be 0. In | |||

this astronomically unlikely event, generate a new random K | this astronomically unlikely event, generate a new random K | |||

and recalculate R.) | and recalculate R.) | |||

S = ( K^(-1) * (hash + X*R) ) mod Q. | S = ( K^(-1) * (hash + X*R) ) mod Q. | |||

S must not be 0. In this astronomically unlikely event, generate a | S must not be 0. In this astronomically unlikely event, generate a | |||

new random K and recalculate R and S. | new random K and recalculate R and S. | |||

If S > Q/2, set S = Q - S. | If S > Q/2, set S = Q - S. | |||

The pair (R,S) is the signature. | The pair (R,S) is the signature. | |||

Another party verifies the signature as follows: | Another party verifies the signature as follows. For further | |||

information on SHA-1, see [RFC 3174]. | ||||

Check that 0 < R < Q and 0 < S < Q/2. If not, it can not be a | Check that 0 < R < Q and 0 < S < Q/2. If not, it can not be a | |||

valid EC sigature. | valid EC sigature. | |||

hash = SHA-1 ( data ) | hash = SHA-1 ( data ) | |||

Sinv = S^(-1) mod Q. | Sinv = S^(-1) mod Q. | |||

U1 = (hash * Sinv) mod Q. | U1 = (hash * Sinv) mod Q. | |||
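
Review bot: -08 adds "For further information on SHA-1, see [RFC 3174]" to both the signing and the verification lead-in; a single pointer at the first "hash = SHA-1 ( data )" would be enough. The unchanged line "The data signed is determined as specified in [RFC 2535]" still cites the specification that RFC 4033, 4034 and 4035 (the ones the Introduction cites) replaced, so it should be updated to match. "valid EC sigature" should read "signature" and is untouched by this revision.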

skipping to change at page 12, line 55 | skipping to change at page 13, line 4 | |||

find data that hashes to an assigned value, so this is only a | find data that hashes to an assigned value, so this is only a | |||

cosmetic blemish. The blemish can be eliminated by using Q > | cosmetic blemish. The blemish can be eliminated by using Q > | |||

2^160, at the cost of having slightly longer signatures, 42 octets | 2^160, at the cost of having slightly longer signatures, 42 octets | |||

instead of 40. | instead of 40. | |||

We must specify how a field-element E ("the W-coordinate") is to be | We must specify how a field-element E ("the W-coordinate") is to be | |||

interpreted as an integer. The field-element E is regarded as a | interpreted as an integer. The field-element E is regarded as a | |||

radix-P integer, with the digits being the coefficients in the | radix-P integer, with the digits being the coefficients in the | |||

polynomial basis representation of E. The digits are in the ragne | polynomial basis representation of E. The digits are in the ragne | |||

[0,P-1]. In the two most common cases, this reduces to "the | [0,P-1]. In the two most common cases, this reduces to "the | |||

obvious thing". In the (mod P) case, E is simply a residue mod P, | ||||

and is taken as an integer in the range [0,P-1]. In the GF[2^D] | ||||

INTERNET-DRAFT ECC Keys in the DNS | INTERNET-DRAFT ECC in the DNS | |||

obvious thing". In the (mod P) case, E is simply a residue mod P, | ||||

and is taken as an integer in the range [0,P-1]. In the GF[2^D] | ||||

case, E is in the D-bit polynomial basis representation, and is | case, E is in the D-bit polynomial basis representation, and is | |||

simply taken as an integer in the range [0,(2^D)-1]. For other | simply taken as an integer in the range [0,(2^D)-1]. For other | |||

fields GF[P^D], it's necessary to do some radix conversion | fields GF[P^D], it's necessary to do some radix conversion | |||

arithmetic. | arithmetic. | |||

6. Performance Considerations | 6. Performance Considerations | |||

Elliptic curve signatures use smaller moduli or field sizes than | Elliptic curve signatures use smaller moduli or field sizes than | |||

RSA and DSA. Creation of a curve is slow, but not done very often. | RSA and DSA. Creation of a curve is slow, but not done very often. | |||

Key generation is faster than RSA or DSA. | Key generation is faster than RSA or DSA. | |||
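
Review bot: "The digits are in the ragne [0,P-1]" carries the misspelling "ragne" unchanged on both sides of this hunk; it should read "range". The same paragraph also leaves the digit order of the radix-P integer unstated in the lines shown here. For the general GF[P^D] case, stating which polynomial coefficient is the most significant digit would make the "radix conversion arithmetic" unambiguous for implementers.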

skipping to change at page 14, line 5 | skipping to change at page 14, line 5 | |||

8. IANA Considerations | 8. IANA Considerations | |||

The key and signature data structures defined herein correspond to | The key and signature data structures defined herein correspond to | |||

the value 4 in the Algorithm number field of the IANA registry | the value 4 in the Algorithm number field of the IANA registry | |||

Assignment of meaning to the remaining ECC data flag bits or to | Assignment of meaning to the remaining ECC data flag bits or to | |||

values of ECC fields outside the ranges for which meaning in | values of ECC fields outside the ranges for which meaning in | |||

defined in this document requires an IETF consensus as defined in | defined in this document requires an IETF consensus as defined in | |||

[RFC 2434]. | [RFC 2434]. | |||

INTERNET-DRAFT ECC Keys in the DNS | INTERNET-DRAFT ECC in the DNS | |||

Copyright and Disclaimer | Copyright and Disclaimer | |||

Copyright (C) The Internet Society 2005. This document is subject | Copyright (C) The Internet Society 2005. | |||

to the rights, licenses and restrictions contained in BCP 78, and | ||||

except as set forth therein, the authors retain all their rights. | This document is subject to the rights, licenses and restrictions | |||

contained in BCP 78, and except as set forth therein, the authors | ||||

retain all their rights. | ||||

This document and the information contained herein are provided on | This document and the information contained herein are provided on | |||

an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE | an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE | |||

REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND | REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND | |||

THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, | THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, | |||

EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT | |||

THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR | THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR | |||

ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A | ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A | |||

PARTICULAR PURPOSE. | PARTICULAR PURPOSE. | |||

INTERNET-DRAFT ECC Keys in the DNS | INTERNET-DRAFT ECC in the DNS | |||

Informational References | Informational References | |||

[RFC 1034] - P. Mockapetris, "Domain names - concepts and | [RFC 1034] - P. Mockapetris, "Domain names - concepts and | |||

facilities", 11/01/1987. | facilities", 11/01/1987. | |||

[RFC 1035] - P. Mockapetris, "Domain names - implementation and | [RFC 1035] - P. Mockapetris, "Domain names - implementation and | |||

specification", 11/01/1987. | specification", 11/01/1987. | |||

[RFC 2671] - P. Vixie, "Extension Mechanisms for DNS (EDNS0)", | [RFC 2671] - P. Vixie, "Extension Mechanisms for DNS (EDNS0)", | |||
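
Review bot: in the IANA Considerations paragraph, "for which meaning in defined in this document" has "in" where "is" is meant, and the wording is identical in both versions; suggest "for which meaning is defined in this document".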

skipping to change at page 15, line 47 | skipping to change at page 15, line 47 | |||

Curves", 1986, Springer Graduate Texts in mathematics #106. | Curves", 1986, Springer Graduate Texts in mathematics #106. | |||

Normative Refrences | Normative Refrences | |||

[RFC 2119] - S. Bradner, "Key words for use in RFCs to Indicate | [RFC 2119] - S. Bradner, "Key words for use in RFCs to Indicate | |||

Requirement Levels", March 1997. | Requirement Levels", March 1997. | |||

[RFC 2434] - T. Narten, H. Alvestrand, "Guidelines for Writing an | [RFC 2434] - T. Narten, H. Alvestrand, "Guidelines for Writing an | |||

IANA Considerations Section in RFCs", October 1998. | IANA Considerations Section in RFCs", October 1998. | |||

[RFC 3174] - Eastlake 3rd, D. and P. Jones, "US Secure Hash | ||||

Algorithm 1 (SHA1)", RFC 3174, September 2001. | ||||

[RFC 4034] - Arends, R., Austein, R., Larson, M., Massey, D., and | [RFC 4034] - Arends, R., Austein, R., Larson, M., Massey, D., and | |||

S. Rose, "Resource Records for the DNS Security Extensions", RFC | S. Rose, "Resource Records for the DNS Security Extensions", RFC | |||

4034, March 2005. | 4034, March 2005. | |||

INTERNET-DRAFT ECC Keys in the DNS | INTERNET-DRAFT ECC in the DNS | |||

Author's Addresses | Author's Addresses | |||

Rich Schroeppel | Rich Schroeppel | |||

500 S. Maple Drive | 500 S. Maple Drive | |||

Woodland Hills, UT 84653 USA | Woodland Hills, UT 84653 USA | |||

Telephone: +1-505-844-9079(w) | Telephone: +1-505-844-9079(w) | |||

Email: rschroe@sandia.gov | Email: rschroe@sandia.gov | |||

Donald E. Eastlake 3rd | Donald E. Eastlake 3rd | |||

Motorola Laboratories | Motorola Laboratories | |||

155 Beaver Street | 155 Beaver Street | |||

Milford, MA 01757 USA | Milford, MA 01757 USA | |||

Telephone: +1 508-786-7554 (w) | Telephone: +1 508-786-7554 (w) | |||

EMail: Donald.Eastlake@motorola.com | EMail: Donald.Eastlake@motorola.com | |||

Expiration and File Name | Expiration and File Name | |||

This draft expires in January 2006. | This draft expires in April 2006. | |||

Its file name is draft-ietf-dnsext-ecc-key-07.txt. | Its file name is draft-ietf-dnsext-ecc-key-08.txt. | |||
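
Review bot: the heading "Normative Refrences" is misspelled on both sides and should be "Normative References". In the same list, the [RFC 3174] entry appears on only one side of the diff; because the signature computation uses "hash = SHA-1 ( data )", that reference needs to be present in the normative list of the newer version.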

End of changes. 34 change blocks. | ||||

39 lines changed or deleted | | 48 lines changed or added | ||

This html diff was produced by rfcdiff 1.27, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |