ECP Groups For IKE and IKEv2
RFC 4753
| Document | Type |
RFC - Informational
(January 2007; Errata)
Obsoleted by RFC 5903
Was draft-ietf-ipsec-ike-ecp-groups (individual in sec area)
|
|
|---|---|---|---|
| Authors | David Fu , Jerome Solinas | ||
| Last updated | 2020-01-21 | ||
| Stream | Internet Engineering Task Force (IETF) | ||
| Formats | plain text html pdf htmlized (tools) htmlized with errata bibtex | ||
| Reviews | |||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 4753 (Informational) | |
| Action Holders |
(None)
|
||
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Russ Housley | ||
| Send notices to | (None) | ||
Network Working Group D. Fu
Request for Comments: 4753 J. Solinas
Category: Informational NSA
January 2007
ECP Groups for IKE and IKEv2
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document describes new Elliptic Curve Cryptography (ECC) groups
for use in the Internet Key Exchange (IKE) and Internet Key Exchange
version 2 (IKEv2) protocols in addition to previously defined groups.
Specifically, the new curve groups are based on modular arithmetic
rather than binary arithmetic. These new groups are defined to align
IKE and IKEv2 with other ECC implementations and standards,
particularly NIST standards. In addition, the curves defined here
can provide more efficient implementation than previously defined ECC
groups.
Table of Contents
1. Introduction ....................................................2
2. Requirements Terminology ........................................3
3. Additional ECC Groups ...........................................3
3.1. 256-bit Random ECP Group ...................................3
3.2. 384-bit Random ECP Group ...................................4
3.3. 521-bit Random ECP Group ...................................5
4. Security Considerations .........................................6
5. Alignment with Other Standards ..................................6
6. IANA Considerations .............................................6
7. ECP Key Exchange Data Formats ...................................7
8. Test Vectors ....................................................7
8.1. 256-bit Random ECP Group ...................................8
8.2. 384-bit Random ECP Group ...................................9
8.3. 521-bit Random ECP Group ..................................10
9. References .....................................................12
Fu & Solinas Informational [Page 1]
RFC 4753 ECP Groups for IKE and IKEv2 January 2007
1. Introduction
This document describes default Diffie-Hellman groups for use in IKE
and IKEv2 in addition to the Oakley groups included in [IKE] and the
additional groups defined since [IANA-IKE]. This document assumes
that the reader is familiar with the IKE protocol and the concept of
Oakley Groups, as defined in RFC 2409 [IKE].
RFC 2409 [IKE] defines five standard Oakley Groups: three modular
exponentiation groups and two elliptic curve groups over GF[2^N].
One modular exponentiation group (768 bits - Oakley Group 1) is
mandatory for all implementations to support, while the other four
are optional. Thirteen additional groups subsequently have been
defined and assigned values by IANA. All of these additional groups
are optional. Of the eighteen groups defined so far, eight are MODP
groups (exponentiation groups modulo a prime), and ten are EC2N
groups (elliptic curve groups over GF[2^N]). See [RFC3526] for more
information on MODP groups.
The purpose of this document is to expand the options available to
implementers of elliptic curve groups by adding three ECP groups
(elliptic curve groups modulo a prime). The reasons for adding such
groups include the following.
- The groups proposed afford efficiency advantages in software
applications since the underlying arithmetic is integer arithmetic
modulo a prime rather than binary field arithmetic. (Additional
computational advantages for these groups are presented in [GMN].)
- The groups proposed encourage alignment with other elliptic curve
standards. The proposed groups are among those standardized by
NIST, the Standards for Efficient Cryptography Group (SECG), ISO,
and ANSI. (See Section 5 for details.)
- The groups proposed are capable of providing security consistent
with the new Advanced Encryption Standard.
These groups could also be defined using the New Group Mode, but
including them in this RFC will encourage interoperability of IKE
implementations based upon elliptic curve groups. In addition, the
availability of standardized groups will result in optimizations for
a particular curve and field size and allow precomputation that could
result in faster implementations.
In summary, due to the performance advantages of elliptic curve
groups in IKE implementations and the need for further alignment with
other standards, this document defines three elliptic curve groups
based on modular arithmetic.
Show full document text