Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
RFC 5349
Document Type RFC - Informational (September 2008; No errata)
Authors Karthik Jaganathan  , Kristin Lauter  , Larry Zhu 
Last updated 2015-10-14
Stream IETF
Formats plain text html pdf htmlized bibtex
Reviews
SECDIR Last Call Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 5349 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Tim Polk
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                             L. Zhu
Request for Comments: 5349                                 K. Jaganathan
Category: Informational                                        K. Lauter
                                                   Microsoft Corporation
                                                          September 2008

 Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography
            for Initial Authentication in Kerberos (PKINIT)

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Abstract

   This document describes the use of Elliptic Curve certificates,
   Elliptic Curve signature schemes and Elliptic Curve Diffie-Hellman
   (ECDH) key agreement within the framework of PKINIT -- the Kerberos
   Version 5 extension that provides for the use of public key
   cryptography.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 2
   2.  Conventions Used in This Document . . . . . . . . . . . . . . . 2
   3.  Using Elliptic Curve Certificates and Elliptic Curve
       Signature Schemes . . . . . . . . . . . . . . . . . . . . . . . 2
   4.  Using the ECDH Key Exchange . . . . . . . . . . . . . . . . . . 3
   5.  Choosing the Domain Parameters and the Key Size . . . . . . . . 4
   6.  Interoperability Requirements . . . . . . . . . . . . . . . . . 6
   7.  Security Considerations . . . . . . . . . . . . . . . . . . . . 6
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 7
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 7
     9.1.  Normative References  . . . . . . . . . . . . . . . . . . . 7
     9.2.  Informative References  . . . . . . . . . . . . . . . . . . 8

Zhu, et al.                  Informational                      [Page 1]
RFC 5349                 ECC Support for PKINIT           September 2008

1.  Introduction

   Elliptic Curve Cryptography (ECC) is emerging as an attractive
   public-key cryptosystem that provides security equivalent to
   currently popular public-key mechanisms such as RSA and DSA with
   smaller key sizes [LENSTRA] [NISTSP80057].

   Currently, [RFC4556] permits the use of ECC algorithms but it does
   not specify how ECC parameters are chosen or how to derive the shared
   key for key delivery using Elliptic Curve Diffie-Hellman (ECDH)
   [IEEE1363] [X9.63].

   This document describes how to use Elliptic Curve certificates,
   Elliptic Curve signature schemes, and ECDH with [RFC4556].  However,
   it should be noted that there is no syntactic or semantic change to
   the existing [RFC4556] messages.  Both the client and the Key
   Distribution Center (KDC) contribute one ECDH key pair using the key
   agreement protocol described in this document.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Using Elliptic Curve Certificates and Elliptic Curve Signature
    Schemes

   ECC certificates and signature schemes can be used in the
   Cryptographic Message Syntax (CMS) [RFC3852] [RFC3278] content type
   'SignedData'.

   X.509 certificates [RFC5280] that contain ECC public keys or are
   signed using ECC signature schemes MUST comply with [RFC3279].

   The signatureAlgorithm field of the CMS data type 'SignerInfo' can
   contain one of the following ECC signature algorithm identifiers:

      ecdsa-with-Sha1   [RFC3279]
      ecdsa-with-Sha256 [X9.62]
      ecdsa-with-Sha384 [X9.62]
      ecdsa-with-Sha512 [X9.62]

   The corresponding digestAlgorithm field contains one of the following
   hash algorithm identifiers respectively:

Zhu, et al.                  Informational                      [Page 2]
RFC 5349                 ECC Support for PKINIT           September 2008

      id-sha1           [RFC3279]
      id-sha256         [X9.62]
      id-sha384         [X9.62]
      id-sha512         [X9.62]

   Namely, id-sha1 MUST be used in conjunction with ecdsa-with-Sha1,
   id-sha256 MUST be used in conjunction with ecdsa-with-Sha256,
   id-sha384 MUST be used in conjunction with ecdsa-with-Sha384, and
   id-sha512 MUST be used in conjunction with ecdsa-with-Sha512.

   Implementations of this specification MUST support ecdsa-with-Sha256
   and SHOULD support ecdsa-with-Sha1.

4.  Using the ECDH Key Exchange

   This section describes how ECDH can be used as the Authentication
   Service (AS) reply key delivery method [RFC4556].  Note that the
   protocol description here is similar to that of Modular Exponential
   Diffie-Hellman (MODP DH), as described in [RFC4556].

   If the client wishes to use the ECDH key agreement method, it encodes
   its ECDH public key value and the key's domain parameters [IEEE1363]
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools