 1/draftietfdnsextecckey08.txt 20060428 22:12:24.000000000 +0200
+++ 2/draftietfdnsextecckey09.txt 20060428 22:12:24.000000000 +0200
@@ 1,18 +1,18 @@
INTERNETDRAFT Richard C. Schroeppel
 Donald Eastlake 3rd
Expires: April 2006 October 2005
+ Donald E. Eastlake 3rd
+Expires: October 2006 April 2006
 Elliptic Curve Keys and Signatures in the DNS
        

+ Elliptic Curve Keys and Signatures in the Domain Name System (DNS)
+           
+
Richard C. Schroeppel
Donald Eastlake 3rd
Status of This Document
By submitting this InternetDraft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
@@ 32,27 +32,27 @@
material or to cite them other than as "work in progress."
The list of current InternetDrafts can be accessed at
http://www.ietf.org/1idabstracts.html
The list of InternetDraft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Abstract
 The standard method for storing elliptic curve cryptographic keys and
 elliptic curve SHA1 based signatures in the Domain Name System is
 specified.
+ The standard format for storing elliptic curve cryptographic keys and
+ elliptic curve SHA1 based signatures in the Domain Name System (DNS)
+ is specified.
Copyright Notice
 Copyright (C) The Internet Society (2005).
+ Copyright (C) The Internet Society (2006).
INTERNETDRAFT ECC in the DNS
Acknowledgement
The assistance of Hilarie K. Orman in the production of this document
is greatfully acknowledged.
Table of Contents
@@ 60,57 +60,56 @@
Abstract...................................................1
Copyright Notice...........................................1
Acknowledgement............................................2
Table of Contents..........................................2
1. Introduction............................................3
2. Elliptic Curve Keys in Resource Records.................3
3. The Elliptic Curve Equation.............................9
4. How do I Compute Q, G, and Y?..........................10
 5. Elliptic Curve Signature Resource Records..............11
+ 5. Elliptic Curve Signatures..............................11
6. Performance Considerations.............................13
7. Security Considerations................................13
8. IANA Considerations....................................13
 Copyright and Disclaimer..................................14
+ Copyright, Disclaimer, and Additional IPR Provisions......13
Informational References..................................15
Normative Refrences.......................................15
Author's Addresses........................................16
Expiration and File Name..................................16
INTERNETDRAFT ECC in the DNS
1. Introduction
The Domain Name System (DNS) is the global hierarchical replicated
distributed database system for Internet addressing, mail proxy, and
 other information. The DNS has been extended to include digital
 signatures and cryptographic keys as described in [RFC 4033, 4034,
 4035].
+ other information. [RFC 1034, 1035] The DNS stores data in resource
+ records and has been extended to include digital signatures and
+ cryptographic keys in some of these resource records.
 This document describes how to store elliptic curve cryptographic
 (ECC) keys and signatures in the DNS so they can be used for a
 variety of security purposes. The signatures use the SHA1 eigest
 algorithm [RFC 3174]. Familiarity with ECC cryptography is assumed
 [Menezes].
+ This document describes how to format elliptic curve cryptographic
+ (ECC) key and signature data in the DNS so they can be used for a
+ variety of purposes. The signatures use the SHA1 eigest algorithm
+ [RFC 3174]. Familiarity with ECC cryptography is assumed [Menezes].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC 2119].
2. Elliptic Curve Keys in Resource Records
 Elliptic curve public keys are stored in the DNS within the RDATA
 portions of key RRs, such as RRKEY and KEY [RFC 4034] RRs, with the
 structure shown below.
+ Elliptic curve public keys are stored, using the structure described
+ below, in the DNS within the RDATA portions of key RRs, such as RRKEY
+ [RFC 4034] and IPSECKEY [RFC 4025] RRs.
The research world continues to work on the issue of which is the
best elliptic curve system, which finite field to use, and how to
best represent elements in the field. So, representations are
defined for every type of finite field, and every type of elliptic
curve. The reader should be aware that there is a unique finite
field with a particular number of elements, but many possible
representations of that field and its elements. If two different
representations of a field are given, they are interconvertible with
a tedious but practical precomputation, followed by a fast
@@ 483,25 +482,25 @@
as
Y = X * G (as points on the elliptic curve)
If the Zcoordinate of the computed point Y is wrong (i.e., Z > P/2
in the (mod P) case, or the highorder nonzero coefficient of Z >
P/2 in the GF[P^D] case, or Z sharing a high bit with W(C) in the
GF[2^N] case), then X must be replaced with QX. This will
correspond to the correct Zcoordinate.
5. Elliptic Curve Signature Resource Records
+5. Elliptic Curve Signatures
 The signature portion of an RR RDATA area when using the EC
 algorithm, for example in the RRSIG and SIG [RFC records] RRs is
 shown below.
+ The signature portion of an RR RDATA area when using the ECC
+ algorithm, for example in the SIG and RRSIG [RFC 4304] RRs is shown
+ below.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+++++++++++++++++++++++++++++++++
 R, (length determined from LQ) .../
+++++++++++++++++++++++++++++++++
 S, (length determined from LQ) .../
+++++++++++++++++++++++++++++++++
R and S are integers (mod Q). Their length is specified by the LQ
@@ 510,39 +509,39 @@
The same conditional formula for calculating the length from LQ is
used as for all the other length fields above.
The data signed is determined as specified in [RFC 2535]. Then the
following steps are taken where Q, P, G, and Y are as specified in
the public key [Schneier]. For further information on SHA1, see [RFC
3174].
hash = SHA1 ( data )
 Generate random [RFC 4086] K such that 0 < K < Q. (Never sign two
 different messages with the same K. K should be chosen from a
 very large space: If an opponent learns a K value for a single
 signature, the user's signing key is compromised, and a forger
 can sign arbitrary messages. There is no harm in signing the
 same message multiple times with the same key or different
 keys.)
+ Generate random [RFC 4086] K such that 0 < K < Q. (Never sign
+ two different messages with the same K. K should be chosen
+ from a very large space: If an opponent learns a K value
+ for a single signature, the user's signing key is
+ compromised, and a forger can sign arbitrary messages.
+ There is no harm in signing the same message multiple times
+ with the same key or different keys.)
INTERNETDRAFT ECC in the DNS
 R = (the Wcoordinate of ( K*G on the elliptic curve )) interpreted
 as an integer, and reduced (mod Q). (R must not be 0. In
 this astronomically unlikely event, generate a new random K
 and recalculate R.)
+ R = (the Wcoordinate of ( K*G on the elliptic curve ))
+ interpreted as an integer, and reduced (mod Q). (R must
+ not be 0. In this astronomically unlikely event, generate
+ a new random K and recalculate R.)
S = ( K^(1) * (hash + X*R) ) mod Q.
 S must not be 0. In this astronomically unlikely event, generate a
 new random K and recalculate R and S.
+ S must not be 0. In this astronomically unlikely event,
+ generate a new random K and recalculate R and S.
If S > Q/2, set S = Q  S.
The pair (R,S) is the signature.
Another party verifies the signature as follows. For further
information on SHA1, see [RFC 3174].
Check that 0 < R < Q and 0 < S < Q/2. If not, it can not be a
valid EC sigature.
@@ 557,147 +556,164 @@
(U1 * G + U2 * Y) is computed on the elliptic curve.
V = (the Wcoordinate of this point) interpreted as an integer
and reduced (mod Q).
The signature is valid if V = R.
The reason for requiring S < Q/2 is that, otherwise, both (R,S) and
(R,QS) would be valid signatures for the same data. Note that a
 signature that is valid for hash(data) is also valid for
 hash(data)+Q or hash(data)Q, if these happen to fall in the range
 [0,2^1601]. It's believed to be computationally infeasible to
 find data that hashes to an assigned value, so this is only a
 cosmetic blemish. The blemish can be eliminated by using Q >
 2^160, at the cost of having slightly longer signatures, 42 octets
 instead of 40.
+ signature that is valid for hash(data) is also valid for hash(data)+Q
+ or hash(data)Q, if these happen to fall in the range [0,2^1601].
+ It's believed to be computationally infeasible to find data that
+ hashes to an assigned value, so this is only a cosmetic blemish. The
+ blemish can be eliminated by using Q > 2^160, at the cost of having
+ slightly longer signatures, 42 octets instead of 40.
We must specify how a fieldelement E ("the Wcoordinate") is to be
interpreted as an integer. The fieldelement E is regarded as a
radixP integer, with the digits being the coefficients in the
polynomial basis representation of E. The digits are in the ragne
 [0,P1]. In the two most common cases, this reduces to "the
+ [0,P1]. In the two most common cases, this reduces to "the obvious
+ thing". In the (mod P) case, E is simply a residue mod P, and is
INTERNETDRAFT ECC in the DNS
 obvious thing". In the (mod P) case, E is simply a residue mod P,
 and is taken as an integer in the range [0,P1]. In the GF[2^D]
 case, E is in the Dbit polynomial basis representation, and is
 simply taken as an integer in the range [0,(2^D)1]. For other
 fields GF[P^D], it's necessary to do some radix conversion
 arithmetic.
+ taken as an integer in the range [0,P1]. In the GF[2^D] case, E is
+ in the Dbit polynomial basis representation, and is simply taken as
+ an integer in the range [0,(2^D)1]. For other fields GF[P^D], it's
+ necessary to do some radix conversion arithmetic.
6. Performance Considerations
 Elliptic curve signatures use smaller moduli or field sizes than
 RSA and DSA. Creation of a curve is slow, but not done very often.
 Key generation is faster than RSA or DSA.
+ Elliptic curve signatures use smaller moduli or field sizes than RSA
+ and DSA. Creation of a curve is slow, but not done very often. Key
+ generation is faster than RSA or DSA.
DNS implementations have been optimized for small transfers,
typically less than 512 octets including DNS overhead. Larger
transfers will perform correctly and and extensions have been
standardized to make larger transfers more efficient [RFC 2671].
However, it is still advisable at this time to make reasonable
efforts to minimize the size of RR sets stored within the DNS
consistent with adequate security.
7. Security Considerations
Keys retrieved from the DNS should not be trusted unless (1) they
have been securely obtained from a secure resolver or independently
verified by the user and (2) this secure resolver and secure
obtainment or independent verification conform to security policies
acceptable to the user. As with all cryptographic algorithms,
evaluating the necessary strength of the key is essential and
dependent on local policy.
 Some specific key generation considerations are given in the body
 of this document.
+ Some specific key generation considerations are given in the body of
+ this document.
8. IANA Considerations
 The key and signature data structures defined herein correspond to
 the value 4 in the Algorithm number field of the IANA registry

Assignment of meaning to the remaining ECC data flag bits or to
 values of ECC fields outside the ranges for which meaning in
 defined in this document requires an IETF consensus as defined in
 [RFC 2434].
+ values of ECC fields outside the ranges for which meaning in defined
+ in this document requires an IETF consensus as defined in [RFC 2434].
INTERNETDRAFT ECC in the DNS
+Copyright, Disclaimer, and Additional IPR Provisions
 Copyright and Disclaimer
+ Copyright (C) The Internet Society 2006.
 Copyright (C) The Internet Society 2005.
+INTERNETDRAFT ECC in the DNS
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
 This document and the information contained herein are provided on
 an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
 REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
 EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
 THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
 ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
 PARTICULAR PURPOSE.
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF online IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at ietf
+ ipr@ietf.org.
INTERNETDRAFT ECC in the DNS
Informational References
[RFC 1034]  P. Mockapetris, "Domain names  concepts and
facilities", 11/01/1987.
[RFC 1035]  P. Mockapetris, "Domain names  implementation and
specification", 11/01/1987.
 [RFC 2671]  P. Vixie, "Extension Mechanisms for DNS (EDNS0)",
 August 1999.
+ [RFC 2671]  P. Vixie, "Extension Mechanisms for DNS (EDNS0)", August
+ 1999.
 [RFC 4033]  Arends, R., Austein, R., Larson, M., Massey, D., and
 S. Rose, "DNS Security Introduction and Requirements", RFC 4033,
 March 2005.
+ [RFC 4025]  M. Richardson, "A Method for Storing IPsec Keying
+ Material in DNS", February 2005.
 [RFC 4035]  Arends, R., Austein, R., Larson, M., Massey, D., and
 S. Rose, "Protocol Modifications for the DNS Security Extensions",
 RFC 4035, March 2005.
+ [RFC 4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "DNS Security Introduction and Requirements", RFC 4033, March
+ 2005.
+
+ [RFC 4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security Extensions", RFC
+ 4035, March 2005.
[RFC 4086]  Eastlake, D., 3rd, Schiller, J., and S. Crocker,
 "Randomness Requirements for Security", BCP 106, RFC 4086, June
 2005.
+ "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005.
[Schneier]  Bruce Schneier, "Applied Cryptography: Protocols,
Algorithms, and Source Code in C", 1996, John Wiley and Sons
[Menezes]  Alfred Menezes, "Elliptic Curve Public Key
Cryptosystems", 1993 Kluwer.
 [Silverman]  Joseph Silverman, "The Arithmetic of Elliptic
 Curves", 1986, Springer Graduate Texts in mathematics #106.
+ [Silverman]  Joseph Silverman, "The Arithmetic of Elliptic Curves",
+ 1986, Springer Graduate Texts in mathematics #106.
Normative Refrences
[RFC 2119]  S. Bradner, "Key words for use in RFCs to Indicate
Requirement Levels", March 1997.
[RFC 2434]  T. Narten, H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", October 1998.
 [RFC 3174]  Eastlake 3rd, D. and P. Jones, "US Secure Hash
 Algorithm 1 (SHA1)", RFC 3174, September 2001.
+ [RFC 3174]  Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm
+ 1 (SHA1)", RFC 3174, September 2001.
 [RFC 4034]  Arends, R., Austein, R., Larson, M., Massey, D., and
 S. Rose, "Resource Records for the DNS Security Extensions", RFC
 4034, March 2005.
+ [RFC 4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Resource Records for the DNS Security Extensions", RFC 4034,
+ March 2005.
INTERNETDRAFT ECC in the DNS
Author's Addresses
Rich Schroeppel
500 S. Maple Drive
Woodland Hills, UT 84653 USA
Telephone: +15058449079(w)
@@ 706,13 +722,13 @@
Donald E. Eastlake 3rd
Motorola Laboratories
155 Beaver Street
Milford, MA 01757 USA
Telephone: +1 5087867554 (w)
EMail: Donald.Eastlake@motorola.com
Expiration and File Name
 This draft expires in April 2006.
+ This draft expires in October 2006.
 Its file name is draftietfdnsextecckey08.txt.
+ Its file name is draftietfdnsextecckey09.txt.