Network Working Group S. Josefsson
Internet-Draft SJD AB
Updates: 4492 (if approved) January 8, 2014
Intended status: Informational
Expires: July 12, 2014
Elliptic Curve Diffie-Hellman Key Agreement using Curve25519 for
Transport Layer Security (TLS)
draft-josefsson-tls-curve25519-02
Abstract
This document specifies the use of Curve25519 for key exchange in the
Transport Layer Security (TLS) protocol.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 12, 2014.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Josefsson Expires July 12, 2014 [Page 1]
Internet-Draft Curve25519 for TLS January 2014
1. Introduction
In [Curve25519], a new elliptic curve function for use in
cryptographic applications was specified. Curve25519 is a Diffie-
Hellman function designed with performance and security in mind.
[RFC4492] defines the usage of elliptic curves for authentication and
key agreement in TLS 1.0 and TLS 1.1, and these mechanisms are also
applicable to TLS 1.2 [RFC5246]. The use of ECC curves for key
exchange requires the definition and assignment of additional
NamedCurve IDs. This document specify that value for Curve25519, as
well as the minor changes in key selection and representation that
are required to accomodate for Curve25519's slightly different
nature.
This document only describes usage of Curve25519 for ephemeral key
exchange (ECDHE), not for use with long-term keys embedded in PKIX
certificates (ECDH_ECDSA and ECDH_ECDSA).
Curve25519 is not directly suitable for authentication, and thus not
applicable for signing of e.g. PKIX certificates. See draft-
josefsson-eddsa-ed25519 for a parallel effort.
2. Data Structures and Computations
[RFC4492] and related standards [SEC1] define an elliptic curve over
GF(p) as the set of solutions of the equation y^2 = x^3 + a x + b
(commonly referred to as a short Weierstrass equation) with both x
and y in GF(p), plus the point at infinity. For each curve, a point
G is fixed, generating a subgroup of large (prime) order N.
The Diffie-Hellman key exchange is then defined as follows: each
party generates a random number 1 <= d < N (the private key),
computes Q = d G (the public key). The parties exchange their public
keys and compute the shared secret as Z = d Q_peer.
[RFC4492] defines formats for representing public keys during the
exchange, and extensions for negotiating the format used by each
party and the underlying curve used by both parties.
While retaining the same overall structure for the Diffie-Hellman key
exchange, Curve25519 makes some changes to the way the curve equation
is presented, private keys are selected and public keys exchanged, in
order to ease secure and efficient implementations.
The following subsections describe the differences between using
Curve25519 and the curves defined by RFC 4492 for key exchange in
TLS.
Josefsson Expires July 12, 2014 [Page 2]
Internet-Draft Curve25519 for TLS January 2014
2.1. Group negotiation and new NamedCurve type
Curve negotiation is the same for Curve25519 as for other curves, but
is restricted to using the named_curve type in the ServerKeyEchange
message: the explicit_prime type is only suited to curves in short
Weierstrass form. This document adds a new NamedCurve value for
Curve25519 as follows.
enum {
curve25519(TBD1),
} NamedCurve;
The curve is suitable for use with DTLS [RFC6347].
Since Curve25519 is not designed to be used in signatures, clients
who offer ECDHE_ECDSA ciphersuites and advertise support Curve25519
in the elliptic_curves ClientHello extension SHOULD also advertise
support for at least one other curve, suitable for ECDSA. Servers
MUST NOT select an ECDHE_ECDSA ciphersuite if the only common curve
is Curve25519.
2.2. Private key generation
Private keys MUST be selected as specified in [Curve25519]. That is,
private keys are 255-bits numbers with the following properties: the
most significant bit (bit 254) is set, and the three least
significants bits are cleared; the remaining bits (3 to 253 included)
are chosen uniformly at random.
2.3. Public key representation
For ECDHE, public keys need to be transmitted in the
ServerKeyExchange and ClientKeyExchange messages, both of which
encode it as follows.
struct {
opaque point <1..2^8-1>;
} ECPoint;
For short Weierstrass curves, the contents of ECPoint.point are
defined by X9.62. For Curve25519, the ECpoint structure is the same,
but the contents of ECPoint.point are encoded and interpreted as
follows: each peer's public key is a number between 0 and 2^255 - 20
included, and ECPoint.point contains the 32 bytes string representing
this number in big endian convention. (The receiving party can
accept any 32 bytes string, interpreted as a 256 bits number, as
public key: by design, no validation is needed.)
Josefsson Expires July 12, 2014 [Page 3]
Internet-Draft Curve25519 for TLS January 2014
Note that ECPoint.point differs from the definition of public keys in
[Curve25519] in two ways: (1) the byte-ordering is big-endian, wich
is more uniform with how big integers are represented in TLS, and (2)
there is an additional length byte (so ECpoint.point is actually 33
bytes), again for uniformity (and extensibility).
Since only one point format can be used with Curve25519, which is
distinct from the formats used by short Weierstrass curves, the
contents of the "Supported Point Formats" extension is irrelevant for
this curve. Peers do not need to advertise support for the above
point format in any way (nor check that the orther party supports it)
when planning to use Curve25519 for key agreement: support for
Curve25519 implies support for the above point format, which is tied
to it.
2.4. Shared secret computation
As in the standard Elliptic Curve Diffie-Hellman protocol [SEC1],
each party computes the shared secret by multiplying the peer's
public value (seen as a point on the curve) by its own private value,
except that in the case of Curve25519, only the x coordinate is
computed. This is merely an internal detail since [RFC4492]
specifies that only the x coordinate is used as the premaster secret
anyway.
Again, in line with [RFC4492] and as a departure from the convention
chosen in [Curve25519], the x coordinate is converted to a bytes
string using big endian order. As in [RFC4492], leading zeros are
preserved, so the premaster secret is always a 32 bytes string with
Curve25519.
3. IANA Considerations
IANA is requested to assign numbers for Curve25519 listed in
Section 2.1 to the Transport Layer Security (TLS) Parameters registry
EC Named Curve [IANA-TLS] as follows.
+-------+-------------+---------+-----------+
| Value | Description | DTLS-OK | Reference |
+-------+-------------+---------+-----------+
| TBD1 | curve25519 | Y | This doc |
+-------+-------------+---------+-----------+
Table 1
4. Security Considerations
Josefsson Expires July 12, 2014 [Page 4]
Internet-Draft Curve25519 for TLS January 2014
The security considerations of [RFC5246] and most of the security
considerations of [RFC4492] apply accordingly.
Curve25519 was specifically designed so that secure, fast
implementations are easier to produce. In particular, no validation
of public keys is required, and point multiplication (using only the
x coordinate) can be efficiently [EFD] computed with a Montgomery
ladder using a constant number of operations (since the actual bit
length of the private key is fixed), which avoids a number of side-
channel attacks. However, in the fight against side-channel leaks,
implementors should also pay attention to the following points:
1. In the Montgomery ladder, avoid branches depending on secret data
(the individual bits of the secret key);
2. In the same place, avoid memory access patterns dependant on
secret data;
3. Either avoid data-dependant branches and memory access patterns
in the underlying field arithmetic (that is, the bignum
arithmetic, including the mod 2^255-19 operation) or randomize
projective (that is, x/z) coordinates by multiplying both x and z
with the same 256-bit value, chosen at random.
Some of the curves defined in [RFC4492], namely all whose name ends
with r1 or r2, have been advertised as pseudo-randomly chosen, but
the lack of verifiability of the seeds has raised concerns that the
those curves might be weaker than expected aginst some attackers.
The Koblitz curves (those whose name end with k1) of [RFC4492] do not
suffer from this problem, but are char2 curves and there seems to be
a consensus that curves over prime fields are a safer bet against
future progress in discrete log computation. The Brainpool curves
[RFC7027] are prime curves generated in a fully verifiable pseudo-
random way to avoid manipulation concerns, but do not perform as well
due to the use of pseudo-random primes. Curve22519 is also chosen in
a fully verifiable way, but offers better performances (better than
the curves form [RFC4492]) while facilitating secure implementations
as mentioned above. See also [SafeCurves].
5. References
5.1. Normative References
[Curve25519]
Bernstein, J., "Curve25519: new Diffie-Hellman speed
records", WWW
http://cr.yp.to/ecdh/curve25519-20060209.pdf, February
2006.
Josefsson Expires July 12, 2014 [Page 5]
Internet-Draft Curve25519 for TLS January 2014
[RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)", RFC 4492, May 2006.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, January 2012.
5.2. Informative References
[IANA-TLS]
Internet Assigned Numbers Authority, "Transport Layer
Security (TLS) Parameters", .
[SafeCurves]
Bernstein, D. and T. Lange, "SafeCurves: choosing safe
curves for elliptic-curve cryptography.", January 2014,
.
[EFD] Bernstein, D. and T. Lange, "Explicit-Formulas Database:
XZ coordinates for Montgomery curves", January 2014,
.
[RFC7027] Merkle, J. and M. Lochter, "Elliptic Curve Cryptography
(ECC) Brainpool Curves for Transport Layer Security
(TLS)", RFC 7027, October 2013.
[SEC1] Certicom Research, , "Standards for Efficient Cryptography
(SEC) 1", September 2000.
Appendix A. Test vectors
This section provides some test vectors for example Diffie-Hellman
key exchanges using Curve25519. The following notations are used:
d_A the secret key of party A
x_A the public key of party A
d_B the secret key of party B
x_B the public key of party B
Josefsson Expires July 12, 2014 [Page 6]
Internet-Draft Curve25519 for TLS January 2014
x_S the shared secret that results from completion of the Diffie-
Hellman computation, i.e., the hex representation of the pre-
master secret.
The field elements x_A, x_B, and x_S are represented as hexadecimal
values using the FieldElement-to-OctetString conversion method
specified in [SEC1].
d_A = 5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF51
7369C660
d_B = 47DC3D214174820E1154B49BC6CDB2ABD45EE95817055D255AA35831
B70D3260
x_A = 057E23EA9F1CBE8A27168F6E696A791DE61DD3AF7ACD4EEACC6E7BA5
14FDA863
x_B = 6EB89DA91989AE37C7EAC7618D9E5C4951DBA1D73C285AE1CD26A855
020EEF04
x_S = 61450CD98E36016B58776A897A9F0AEF738B99F09468B8D6B8511184
D53494AB
Author's Address
Simon Josefsson
SJD AB
Email: simon@josefsson.org
Josefsson Expires July 12, 2014 [Page 7]