Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
RFC 5349
Network Working Group L. Zhu
Request for Comments: 5349 K. Jaganathan
Category: Informational K. Lauter
Microsoft Corporation
September 2008
Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography
for Initial Authentication in Kerberos (PKINIT)
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Abstract
This document describes the use of Elliptic Curve certificates,
Elliptic Curve signature schemes and Elliptic Curve Diffie-Hellman
(ECDH) key agreement within the framework of PKINIT -- the Kerberos
Version 5 extension that provides for the use of public key
cryptography.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used in This Document . . . . . . . . . . . . . . . 2
3. Using Elliptic Curve Certificates and Elliptic Curve
Signature Schemes . . . . . . . . . . . . . . . . . . . . . . . 2
4. Using the ECDH Key Exchange . . . . . . . . . . . . . . . . . . 3
5. Choosing the Domain Parameters and the Key Size . . . . . . . . 4
6. Interoperability Requirements . . . . . . . . . . . . . . . . . 6
7. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
9.1. Normative References . . . . . . . . . . . . . . . . . . . 7
9.2. Informative References . . . . . . . . . . . . . . . . . . 8
Zhu, et al. Informational [Page 1]
RFC 5349 ECC Support for PKINIT September 2008
1. Introduction
Elliptic Curve Cryptography (ECC) is emerging as an attractive
public-key cryptosystem that provides security equivalent to
currently popular public-key mechanisms such as RSA and DSA with
smaller key sizes [LENSTRA] [NISTSP80057].
Currently, [RFC4556] permits the use of ECC algorithms but it does
not specify how ECC parameters are chosen or how to derive the shared
key for key delivery using Elliptic Curve Diffie-Hellman (ECDH)
[IEEE1363] [X9.63].
This document describes how to use Elliptic Curve certificates,
Elliptic Curve signature schemes, and ECDH with [RFC4556]. However,
it should be noted that there is no syntactic or semantic change to
the existing [RFC4556] messages. Both the client and the Key
Distribution Center (KDC) contribute one ECDH key pair using the key
agreement protocol described in this document.
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Using Elliptic Curve Certificates and Elliptic Curve Signature
Schemes
ECC certificates and signature schemes can be used in the
Cryptographic Message Syntax (CMS) [RFC3852] [RFC3278] content type
'SignedData'.
X.509 certificates [RFC5280] that contain ECC public keys or are
signed using ECC signature schemes MUST comply with [RFC3279].
The signatureAlgorithm field of the CMS data type 'SignerInfo' can
contain one of the following ECC signature algorithm identifiers:
ecdsa-with-Sha1 [RFC3279]
ecdsa-with-Sha256 [X9.62]
ecdsa-with-Sha384 [X9.62]
ecdsa-with-Sha512 [X9.62]
The corresponding digestAlgorithm field contains one of the following
hash algorithm identifiers respectively:
Zhu, et al. Informational [Page 2]
RFC 5349 ECC Support for PKINIT September 2008
id-sha1 [RFC3279]
id-sha256 [X9.62]
id-sha384 [X9.62]
id-sha512 [X9.62]
Namely, id-sha1 MUST be used in conjunction with ecdsa-with-Sha1,
id-sha256 MUST be used in conjunction with ecdsa-with-Sha256,
id-sha384 MUST be used in conjunction with ecdsa-with-Sha384, and
id-sha512 MUST be used in conjunction with ecdsa-with-Sha512.
Implementations of this specification MUST support ecdsa-with-Sha256
and SHOULD support ecdsa-with-Sha1.
4. Using the ECDH Key Exchange
This section describes how ECDH can be used as the Authentication
Service (AS) reply key delivery method [RFC4556]. Note that the
protocol description here is similar to that of Modular Exponential
Diffie-Hellman (MODP DH), as described in [RFC4556].
If the client wishes to use the ECDH key agreement method, it encodes
its ECDH public key value and the key's domain parameters [IEEE1363]
Show full document text