Internet Engineering Task Force (IETF)                             D. Fu
Request for Comments: 5903                                    J. Solinas
Obsoletes: 4753                                                      NSA
Category: Informational                                        June 2010
ISSN: 2070-1721


  Elliptic Curve Groups modulo a Prime (ECP Groups) for IKE and IKEv2

Abstract

   This document describes three Elliptic Curve Cryptography (ECC)
   groups for use in the Internet Key Exchange (IKE) and Internet Key
   Exchange version 2 (IKEv2) protocols in addition to previously
   defined groups.  These groups are based on modular arithmetic rather
   than binary arithmetic.  These groups are defined to align IKE and
   IKEv2 with other ECC implementations and standards, particularly NIST
   standards.  In addition, the curves defined here can provide more
   efficient implementation than previously defined ECC groups.  This
   document obsoletes RFC 4753.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc5903.















Fu & Solinas                  Informational                     [Page 1]
^L
RFC 5903              ECP Groups for IKE and IKEv2             June 2010


Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction ....................................................3
   2. Requirements Terminology ........................................4
   3. Additional ECC Groups ...........................................4
      3.1. 256-Bit Random ECP Group ...................................4
      3.2. 384-Bit Random ECP Group ...................................5
      3.3. 521-Bit Random ECP Group ...................................6
   4. Security Considerations .........................................7
   5. Alignment with Other Standards ..................................7
   6. IANA Considerations .............................................7
   7. ECP Key Exchange Data Formats ...................................8
   8. Test Vectors ....................................................9
      8.1. 256-Bit Random ECP Group ...................................9
      8.2. 384-Bit Random ECP Group ..................................10
      8.3. 521-Bit Random ECP Group ..................................11
   9. Changes from RFC 4753 ..........................................13
   10. References ....................................................13
      10.1. Normative References .....................................13
      10.2. Informative References ...................................14


1.  Introduction

   This document describes default Diffie-Hellman groups for use in IKE
   and IKEv2 in addition to the Oakley Groups included in [IKE] and the
   additional groups defined since [IANA-IKE].  This document assumes
   that the reader is familiar with the IKE protocol and the concept of
   Oakley Groups, as defined in RFC 2409 [IKE].

   RFC 2409 [IKE] defines five standard Oakley Groups: three modular
   exponentiation groups and two elliptic curve groups over GF[2^N].
   One modular exponentiation group (768 bits - Oakley Group 1) is
   mandatory for all implementations to support, while the other four
   are optional.  Nineteen additional groups subsequently have been
   defined and assigned values by IANA.  All of these additional groups
   are optional.

   The purpose of this document is to expand the options available to
   implementers of elliptic curve groups by adding three ECP groups
   (elliptic curve groups modulo a prime).  The reasons for adding such
   groups include the following.

   - The groups proposed afford efficiency advantages in software
     applications since the underlying arithmetic is integer arithmetic
     modulo a prime rather than binary field arithmetic.  (Additional
     computational advantages for these groups are presented in [GMN].)

   - The groups proposed encourage alignment with other elliptic curve
     standards.  The proposed groups are among those standardized by
     NIST, the Standards for Efficient Cryptography Group (SECG), ISO,
     and ANSI.  (See Section 5 for details.)

   - The groups proposed are capable of providing security consistent
     with the Advanced Encryption Standard [AES].

   In summary, due to the performance advantages of elliptic curve
   groups in IKE implementations and the need for further alignment with
   other standards, this document defines three elliptic curve groups
   based on modular arithmetic.

   These groups were originally proposed in [RFC4753].  This document
   changes the format of the shared key produced by a Diffie-Hellman
   exchange using these groups.  The shared key format used in this
   specification appeared earlier as an erratum to RFC 4753 [Err9], but
   some implementors of RFC 4753 were unaware of the erratum and did not
   implement the correction.  Implementations of RFC 4753 that
   incorporate the correction are interoperable with implementations of
   this specification.  However, there is a potential for
   interoperability problems between implementations of this
   specification and implementations of RFC 4753 that did not implement
   the correction from the erratum.  These problems could be difficult
   to detect and analyze since both use the same code point but the
   secret value (which is probably not available to the trouble desk) is
   computed differently.  Where peers are not interoperable, the
   initiator will never receive a response and eventually times out.

   Section 9 provides more details of the changes from [RFC4753].  This
   document obsoletes RFC 4753 and addresses the erratum.

2.  Requirements Terminology

   The key words "MUST" and "SHOULD" that appear in this document are to
   be interpreted as described in [RFC2119].

3.  Additional ECC Groups

   The notation adopted in RFC 2409 [IKE] is used below to describe the
   groups proposed.

3.1.  256-Bit Random ECP Group

   IKE and IKEv2 implementations SHOULD support an ECP group with the
   following characteristics.  The curve is based on the integers modulo
   the generalized Mersenne prime p given by:

                  p = 2^(256)-2^(224)+2^(192)+2^(96)-1

   The equation for the elliptic curve is:

                  y^2 = x^3 - 3 x + b

Field Size:
 256

Group Prime/Irreducible Polynomial:
 FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFF

Group Curve b:
 5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B

Group Order:
 FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551

      The group was chosen verifiably at random using SHA-1 as specified
      in [IEEE-1363] from the seed:

         C49D3608 86E70493 6A6678E1 139D26B7 819F7E90

      The generator for this group is given by g=(gx,gy) where:

gx:
 6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296

gy:
 4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51F5

3.2.  384-Bit Random ECP Group

   IKE and IKEv2 implementations SHOULD support an ECP group with the
   following characteristics.  The curve is based on the integers modulo
   the generalized Mersenne prime p given by:

                  p = 2^(384)-2^(128)-2^(96)+2^(32)-1

   The equation for the elliptic curve is:

                  y^2 = x^3 - 3 x + b

Field Size:
 384

Group Prime/Irreducible Polynomial:
 FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE
 FFFFFFFF 00000000 00000000 FFFFFFFF

Group Curve b:
 B3312FA7 E23EE7E4 988E056B E3F82D19 181D9C6E FE814112 0314088F 5013875A
 C656398D 8A2ED19D 2A85C8ED D3EC2AEF

Group Order:
 FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF C7634D81 F4372DDF
 581A0DB2 48B0A77A ECEC196A CCC52973

      The group was chosen verifiably at random using SHA-1 as specified
      in [IEEE-1363] from the seed:

         A335926A A319A27A 1D00896A 6773A482 7ACDAC73

      The generator for this group is given by g=(gx,gy) where:

gx:
 AA87CA22 BE8B0537 8EB1C71E F320AD74 6E1D3B62 8BA79B98 59F741E0 82542A38
 5502F25D BF55296C 3A545E38 72760AB7

gy:
 3617DE4A 96262C6F 5D9E98BF 9292DC29 F8F41DBD 289A147C E9DA3113 B5F0B8C0
 0A60B1CE 1D7E819D 7A431D7C 90EA0E5F

3.3.  521-Bit Random ECP Group

   IKE and IKEv2 implementations SHOULD support an ECP group with the
   following characteristics.  The curve is based on the integers modulo
   the Mersenne prime p given by:

                  p = 2^(521)-1

   The equation for the elliptic curve is:

                  y^2 = x^3 - 3 x + b

Field Size:
 521

Group Prime/Irreducible Polynomial:
 01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
 FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
 FFFF

Group Curve b:
 0051953E B9618E1C 9A1F929A 21A0B685 40EEA2DA 725B99B3 15F3B8B4 89918EF1
 09E15619 3951EC7E 937B1652 C0BD3BB1 BF073573 DF883D2C 34F1EF45 1FD46B50
 3F00

Group Order:
 01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
 FFFA5186 8783BF2F 966B7FCC 0148F709 A5D03BB5 C9B8899C 47AEBB6F B71E9138
 6409

      The group was chosen verifiably at random using SHA-1 as specified
      in [IEEE-1363] from the seed:

         D09E8800 291CB853 96CC6717 393284AA A0DA64BA

      The generator for this group is given by g=(gx,gy) where:

gx:
 00C6858E 06B70404 E9CD9E3E CB662395 B4429C64 8139053F B521F828 AF606B4D
 3DBAA14B 5E77EFE7 5928FE1D C127A2FF A8DE3348 B3C1856A 429BF97E 7E31C2E5
 BD66

gy:
 01183929 6A789A3B C0045C8A 5FB42C7D 1BD998F5 4449579B 446817AF BD17273E
 662C97EE 72995EF4 2640C550 B9013FAD 0761353C 7086A272 C24088BE 94769FD1
 6650

4.  Security Considerations

   Since this document proposes groups for use within IKE and IKEv2,
   many of the security considerations contained within [IKE] and
   [IKEv2] apply here as well.

   The groups proposed in this document correspond to the symmetric key
   sizes 128 bits, 192 bits, and 256 bits.  This allows the IKE key
   exchange to offer security comparable with the AES algorithms [AES].

5.  Alignment with Other Standards

   The following table summarizes the appearance of these three elliptic
   curve groups in other standards.

                           256-Bit        384-Bit        521-Bit
                           Random         Random         Random
   Standard                ECP Group      ECP Group      ECP Group
   -----------             ------------   ------------   ------------

   NIST     [DSS]          P-256          P-384          P-521

   ISO/IEC  [ISO-15946-1]  P-256

   ISO/IEC  [ISO-18031]    P-256          P-384          P-521

   ANSI     [X9.62-1998]   Sect. J.5.3,
                           Example 1
   ANSI     [X9.62-2005]   Sect. L.6.4.3  Sect. L.6.5.2  Sect. L.6.6.2

   ANSI     [X9.63]        Sect. J.5.4,   Sect. J.5.5    Sect. J.5.6
                           Example 2

   SECG     [SEC2]         secp256r1      secp384r1      secp521r1

   See also [NIST], [ISO-14888-3], [ISO-15946-2], [ISO-15946-3], and
   [ISO-15946-4].

6.  IANA Considerations

   IANA has updated its registries of Diffie-Hellman groups for IKE in
   [IANA-IKE] and for IKEv2 in [IANA-IKEv2] to include the groups
   defined above.

   In [IANA-IKE], the groups appear as entries in the list of Diffie-
   Hellman groups given by Group Description (attribute class 4).
   The descriptions are "256-bit random ECP group", "384-bit random ECP
   group", and "521-bit random ECP group".  In each case, the group type
   (attribute class 5) has the value 2 (ECP, elliptic curve group over
   GF[P]).

   In [IANA-IKEv2], the groups appear as entries in the list of IKEv2
   transform type values for Transform Type 4 (Diffie-Hellman groups).

   These entries in both [IANA-IKE] and [IANA-IKEv2] have been updated.
   The update consisted of changing the reference from [RFC4753] to this
   document.

7.  ECP Key Exchange Data Formats

   In an ECP key exchange, the Diffie-Hellman public value passed in a
   KE payload consists of two components, x and y, corresponding to the
   coordinates of an elliptic curve point.  Each component MUST have bit
   length as given in the following table.

      Diffie-Hellman group                component bit length
      ------------------------            --------------------

      256-bit Random ECP Group                   256
      384-bit Random ECP Group                   384
      521-bit Random ECP Group                   528

   This length is enforced, if necessary, by prepending the value with
   zeros.

   The Diffie-Hellman public value is obtained by concatenating the x
   and y values.

   The Diffie-Hellman shared secret value consists of the x value of the
   Diffie-Hellman common value.

   These formats should be regarded as specific to ECP curves and may
   not be applicable to EC2N (elliptic curve group over GF[2^N]) curves.


8.  Test Vectors

   The following are examples of the IKEv2 key exchange payload for each
   of the three groups specified in this document.

   We denote by g^n the scalar multiple of the point g by the integer n;
   it is another point on the curve.  In the literature, the scalar
   multiple is typically denoted ng; the notation g^n is used in order
   to conform to the notation used in [IKE] and [IKEv2].

8.1.  256-Bit Random ECP Group

   IANA assigned the ID value 19 to this Diffie-Hellman group.

   We suppose that the initiator's Diffie-Hellman private key is:

i:
 C88F01F5 10D9AC3F 70A292DA A2316DE5 44E9AAB8 AFE84049 C62A9C57 862D1433

    Then the public key is given by g^i=(gix,giy) where:

gix:
 DAD0B653 94221CF9 B051E1FE CA5787D0 98DFE637 FC90B9EF 945D0C37 72581180

giy:
 5271A046 1CDB8252 D61F1C45 6FA3E59A B1F45B33 ACCF5F58 389E0577 B8990BB3

    The KEi payload is as follows.

 00000048 00130000 DAD0B653 94221CF9 B051E1FE CA5787D0 98DFE637 FC90B9EF
 945D0C37 72581180 5271A046 1CDB8252 D61F1C45 6FA3E59A B1F45B33 ACCF5F58
 389E0577 B8990BB3

    We suppose that the responder's Diffie-Hellman private key is:

r:
 C6EF9C5D 78AE012A 011164AC B397CE20 88685D8F 06BF9BE0 B283AB46 476BEE53

    Then the public key is given by g^r=(grx,gry) where:

grx:
 D12DFB52 89C8D4F8 1208B702 70398C34 2296970A 0BCCB74C 736FC755 4494BF63

gry:
 56FBF3CA 366CC23E 8157854C 13C58D6A AC23F046 ADA30F83 53E74F33 039872AB

    The KEr payload is as follows.

 00000048 00130000 D12DFB52 89C8D4F8 1208B702 70398C34 2296970A 0BCCB74C
 736FC755 4494BF63 56FBF3CA 366CC23E 8157854C 13C58D6A AC23F046 ADA30F83
 53E74F33 039872AB

    The Diffie-Hellman common value (girx,giry) is:

girx:
 D6840F6B 42F6EDAF D13116E0 E1256520 2FEF8E9E CE7DCE03 812464D0 4B9442DE

giry:
 522BDE0A F0D8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5D98EDB2 0EB153A2

    The Diffie-Hellman shared secret value is girx.
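
   The following Python program is an added example; it is not part of
   RFC 5903 and is not taken from any IKE implementation.  It makes the
   Section 3.1 parameters, the Section 7 data formats and the Section 8.1
   test vector checkable from plain integers: textbook affine point
   arithmetic on the 256-bit Random ECP Group (group 19), a check that p
   has the stated generalized Mersenne form, that g lies on the curve and
   that the group order annihilates g, the KEi encoding with the Section
   7 zero-padding (so the 384-bit and 521-bit/528-bit lengths are handled
   by the same function), and the shared secret derived on both sides.
   All curve constants and private keys are copied from this document.
   The table name COMPONENT_BYTES, the function names and the helper
   shared_secret_rfc4753_uncorrected (which produces the x||y format that
   RFC 4753 used before erratum [Err9], so that the two derivations can
   be compared when the interoperability failure described in Section 1
   is suspected) are this example's own assumptions.  The arithmetic is
   not constant-time; it is a verification aid, not a production
   implementation.

```python
"""Added example (not part of RFC 5903): IKE group 19 (256-bit Random ECP
Group) parameter checks, Section 7 KE payload encoding, and the Section 8.1
test vector, in plain Python integers.  Textbook affine arithmetic, not
constant-time: a verification aid, not a production implementation."""

# Section 3.1 domain parameters, copied from the RFC (hex groups concatenated).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
          0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

# Section 7: component byte length per IANA group ID (256, 384 and 528 bits).
# The table name is this example's own.
COMPONENT_BYTES = {19: 32, 20: 48, 21: 66}

# Section 8.1 test vector (private keys and expected points), copied from the RFC.
I_PRIV = 0xC88F01F510D9AC3F70A292DAA2316DE544E9AAB8AFE84049C62A9C57862D1433
R_PRIV = 0xC6EF9C5D78AE012A011164ACB397CE2088685D8F06BF9BE0B283AB46476BEE53
G_I = (0xDAD0B65394221CF9B051E1FECA5787D098DFE637FC90B9EF945D0C3772581180,
       0x5271A0461CDB8252D61F1C456FA3E59AB1F45B33ACCF5F58389E0577B8990BB3)
G_R = (0xD12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF63,
       0x56FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872AB)
G_IR = (0xD6840F6B42F6EDAFD13116E0E12565202FEF8E9ECE7DCE03812464D04B9442DE,
        0x522BDE0AF0D8585B8DEF9C183B5AE38F50235206A8674ECB5D98EDB20EB153A2)


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 - 3x + b (mod p); None (infinity) counts."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def point_add(p1, p2):
    """Affine addition on the curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P256_P == 0:          # p2 == -p1
            return None
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P256_P)   # doubling, a = -3
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P)
    lam %= P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    y3 = (lam * (x1 - x3) - y1) % P256_P
    return (x3, y3)


def scalar_mult(k, pt):
    """g^k in the RFC's notation (k*g in the literature): double-and-add, MSB first."""
    acc = None
    for bit in bin(k)[2:]:
        acc = point_add(acc, acc)
        if bit == "1":
            acc = point_add(acc, pt)
    return acc


def verify_p256_parameters():
    """Section 3.1 checks: p has the stated form, g is on the curve, n*g is infinity."""
    return (P256_P == 2**256 - 2**224 + 2**192 + 2**96 - 1
            and on_curve(P256_G)
            and scalar_mult(P256_N, P256_G) is None)


def encode_ke_payload(group_id, pub, next_payload=0):
    """IKEv2 KE payload: next payload, flags, 2-byte length, 2-byte DH group
    number, 2 reserved bytes, then x || y, each zero-padded per Section 7."""
    n = COMPONENT_BYTES[group_id]
    x, y = pub
    key_data = x.to_bytes(n, "big") + y.to_bytes(n, "big")
    length = 8 + len(key_data)
    return (bytes([next_payload, 0]) + length.to_bytes(2, "big")
            + group_id.to_bytes(2, "big") + b"\x00\x00" + key_data)


def shared_secret(priv, peer_pub, group_id=19):
    """RFC 5903 format (Section 7): the x value of the common value, zero-padded."""
    common = scalar_mult(priv, peer_pub)
    return common[0].to_bytes(COMPONENT_BYTES[group_id], "big")


def shared_secret_rfc4753_uncorrected(priv, peer_pub, group_id=19):
    """Format RFC 4753 specified before erratum [Err9] (see Section 9): x || y,
    the same layout as the public value.  Present only so the two derivations
    can be compared when diagnosing the silent mismatch described in Section 1."""
    n = COMPONENT_BYTES[group_id]
    x, y = scalar_mult(priv, peer_pub)
    return x.to_bytes(n, "big") + y.to_bytes(n, "big")


def reproduce_test_vector_8_1():
    """Recompute everything in Section 8.1 from the two private keys."""
    g_i = scalar_mult(I_PRIV, P256_G)
    g_r = scalar_mult(R_PRIV, P256_G)
    ss_i = shared_secret(I_PRIV, g_r)        # initiator computes (g^r)^i
    ss_r = shared_secret(R_PRIV, g_i)        # responder computes (g^i)^r
    return {
        "public_values_match": g_i == G_I and g_r == G_R,
        "common_value_matches": scalar_mult(I_PRIV, g_r) == G_IR,
        "shared_secret_agrees": ss_i == ss_r == G_IR[0].to_bytes(32, "big"),
        "legacy_format_differs": shared_secret_rfc4753_uncorrected(I_PRIV, g_r) != ss_i,
        "KEi_hex": encode_ke_payload(19, g_i).hex().upper(),
    }


if __name__ == "__main__":
    print("parameters ok:", verify_p256_parameters())
    for name, value in reproduce_test_vector_8_1().items():
        print(f"{name}: {value}")
```

   Run as a script, the program reports that the parameters check out and
   prints KEi_hex, which should read exactly as the KEi payload shown
   above (00000048 00130000 followed by gix and giy).  The same
   encode_ke_payload call with group ID 20 or 21 yields payload lengths
   0x68 and 0x8C, matching Sections 8.2 and 8.3, because the padding is
   driven by the Section 7 component length rather than by the size of
   the particular x and y values.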

8.2.  384-Bit Random ECP Group

   IANA assigned the ID value 20 to this Diffie-Hellman group.

   We suppose that the initiator's Diffie-Hellman private key is:

i:
 099F3C70 34D4A2C6 99884D73 A375A67F 7624EF7C 6B3C0F16 0647B674 14DCE655
 E35B5380 41E649EE 3FAEF896 783AB194

    Then the public key is given by g^i=(gix,giy) where:

gix:
 667842D7 D180AC2C DE6F74F3 7551F557 55C7645C 20EF73E3 1634FE72 B4C55EE6
 DE3AC808 ACB4BDB4 C88732AE E95F41AA

giy:
 9482ED1F C0EEB9CA FC498462 5CCFC23F 65032149 E0E144AD A0241815 35A0F38E
 EB9FCFF3 C2C947DA E69B4C63 4573A81C

    The KEi payload is as follows.

 00000068 00140000 667842D7 D180AC2C DE6F74F3 7551F557 55C7645C 20EF73E3
 1634FE72 B4C55EE6 DE3AC808 ACB4BDB4 C88732AE E95F41AA 9482ED1F C0EEB9CA
 FC498462 5CCFC23F 65032149 E0E144AD A0241815 35A0F38E EB9FCFF3 C2C947DA
 E69B4C63 4573A81C

    We suppose that the responder's Diffie-Hellman private key is:

r:
 41CB0779 B4BDB85D 47846725 FBEC3C94 30FAB46C C8DC5060 855CC9BD A0AA2942
 E0308312 916B8ED2 960E4BD5 5A7448FC

    Then the public key is given by g^r=(grx,gry) where:

grx:
 E558DBEF 53EECDE3 D3FCCFC1 AEA08A89 A987475D 12FD950D 83CFA417 32BC509D
 0D1AC43A 0336DEF9 6FDA41D0 774A3571

gry:
 DCFBEC7A ACF31964 72169E83 8430367F 66EEBE3C 6E70C416 DD5F0C68 759DD1FF
 F83FA401 42209DFF 5EAAD96D B9E6386C

    The KEr payload is as follows.

 00000068 00140000 E558DBEF 53EECDE3 D3FCCFC1 AEA08A89 A987475D 12FD950D
 83CFA417 32BC509D 0D1AC43A 0336DEF9 6FDA41D0 774A3571 DCFBEC7A ACF31964
 72169E83 8430367F 66EEBE3C 6E70C416 DD5F0C68 759DD1FF F83FA401 42209DFF
 5EAAD96D B9E6386C

    The Diffie-Hellman common value (girx,giry) is:

girx:
 11187331 C279962D 93D60424 3FD592CB 9D0A926F 422E4718 7521287E 7156C5C4
 D6031355 69B9E9D0 9CF5D4A2 70F59746

giry:
 A2A9F38E F5CAFBE2 347CF7EC 24BDD5E6 24BC93BF A82771F4 0D1B65D0 6256A852
 C983135D 4669F879 2F2C1D55 718AFBB4

    The Diffie-Hellman shared secret value is girx.

8.3.  521-Bit Random ECP Group

   IANA assigned the ID value 21 to this Diffie-Hellman group.

   We suppose that the initiator's Diffie-Hellman private key is:

i:
 0037ADE9 319A89F4 DABDB3EF 411AACCC A5123C61 ACAB57B5 393DCE47 608172A0
 95AA85A3 0FE1C295 2C6771D9 37BA9777 F5957B26 39BAB072 462F68C2 7A57382D
 4A52

    Then the public key is given by g^i=(gix,giy) where:

gix:
 0015417E 84DBF28C 0AD3C278 713349DC 7DF153C8 97A1891B D98BAB43 57C9ECBE
 E1E3BF42 E00B8E38 0AEAE57C 2D107564 94188594 2AF5A7F4 601723C4 195D176C
 ED3E

giy:
 017CAE20 B6641D2E EB695786 D8C94614 6239D099 E18E1D5A 514C739D 7CB4A10A
 D8A78801 5AC405D7 799DC75E 7B7D5B6C F2261A6A 7F150743 8BF01BEB 6CA3926F
 9582

    The KEi payload is as follows.

 0000008C 00150000 0015417E 84DBF28C 0AD3C278 713349DC 7DF153C8 97A1891B
 D98BAB43 57C9ECBE E1E3BF42 E00B8E38 0AEAE57C 2D107564 94188594 2AF5A7F4
 601723C4 195D176C ED3E017C AE20B664 1D2EEB69 5786D8C9 46146239 D099E18E
 1D5A514C 739D7CB4 A10AD8A7 88015AC4 05D7799D C75E7B7D 5B6CF226 1A6A7F15
 07438BF0 1BEB6CA3 926F9582

    We suppose that the responder's Diffie-Hellman private key is:

r:
 0145BA99 A847AF43 793FDD0E 872E7CDF A16BE30F DC780F97 BCCC3F07 8380201E
 9C677D60 0B343757 A3BDBF2A 3163E4C2 F869CCA7 458AA4A4 EFFC311F 5CB15168
 5EB9

    Then the public key is given by g^r=(grx,gry) where:

grx:
 00D0B397 5AC4B799 F5BEA16D 5E13E9AF 971D5E9B 984C9F39 728B5E57 39735A21
 9B97C356 436ADC6E 95BB0352 F6BE64A6 C2912D4E F2D0433C ED2B6171 640012D9
 460F

gry:
 015C6822 6383956E 3BD066E7 97B623C2 7CE0EAC2 F551A10C 2C724D98 52077B87
 220B6536 C5C408A1 D2AEBB8E 86D678AE 49CB5709 1F473229 6579AB44 FCD17F0F
 C56A

    The KEr payload is as follows.

 0000008C 00150000 00D0B397 5AC4B799 F5BEA16D 5E13E9AF 971D5E9B 984C9F39
 728B5E57 39735A21 9B97C356 436ADC6E 95BB0352 F6BE64A6 C2912D4E F2D0433C
 ED2B6171 640012D9 460F015C 68226383 956E3BD0 66E797B6 23C27CE0 EAC2F551
 A10C2C72 4D985207 7B87220B 6536C5C4 08A1D2AE BB8E86D6 78AE49CB 57091F47
 32296579 AB44FCD1 7F0FC56A

    The Diffie-Hellman common value (girx,giry) is:

girx:
 01144C7D 79AE6956 BC8EDB8E 7C787C45 21CB086F A64407F9 7894E5E6 B2D79B04
 D1427E73 CA4BAA24 0A347868 59810C06 B3C715A3 A8CC3151 F2BEE417 996D19F3
 DDEA

giry:
 01B901E6 B17DB294 7AC017D8 53EF1C16 74E5CFE5 9CDA18D0 78E05D1B 5242ADAA
 9FFC3C63 EA05EDB1 E13CE5B3 A8E50C3E B622E8DA 1B38E0BD D1F88569 D6C99BAF
 FA43

    The Diffie-Hellman shared secret value is girx.

9.  Changes from RFC 4753

   Section 7 (ECP Key Exchange Data Formats) of [RFC4753] states that

      The Diffie-Hellman public value is obtained by concatenating the x
      and y values.

      The format of the Diffie-Hellman shared secret value is the same
      as that of the Diffie-Hellman public value.

   This document replaces the second of these two paragraphs with the
   following:

      The Diffie-Hellman shared secret value consists of the x value of
      the Diffie-Hellman common value.

   This change aligns the ECP key exchange format with that used in
   other standards.

   This change appeared earlier as an erratum to RFC 4753 [Err9].  This
   document obsoletes RFC 4753 and addresses the erratum.

   Section 8 (Test Vectors) of [RFC4753] provides three examples of
   Diffie-Hellman key agreement using the ECP groups.  This document
   changes the last paragraph of each subsection of Section 8 to reflect
   the new format.

10.  References

10.1.  Normative References

   [IANA-IKE]     Internet Assigned Numbers Authority, "Internet Key
                  Exchange (IKE) Attributes", <http://www.iana.org>.

   [IANA-IKEv2]   Internet Assigned Numbers Authority, "Internet Key
                  Exchange Version 2 (IKEv2) Parameters",
                  <http://www.iana.org>.

   [IKE]          Harkins, D. and D. Carrel, "The Internet Key Exchange
                  (IKE)", RFC 2409, November 1998.

   [IKEv2]        Kaufman, C., Ed., "Internet Key Exchange (IKEv2)
                  Protocol", RFC 4306, December 2005.

   [RFC2119]      Bradner, S., "Key words for use in RFCs to Indicate
                  Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4753]      Fu, D. and J. Solinas, "ECP Groups For IKE and IKEv2",
                  RFC 4753, January 2007.

10.2.  Informative References

   [AES]          U.S. Department of Commerce/National Institute of
                  Standards and Technology, Advanced Encryption Standard
                  (AES), FIPS PUB 197, November 2001,
                  <http://csrc.nist.gov/publications/fips/index.html>.

   [DSS]          U.S. Department of Commerce/National Institute of
                  Standards and Technology, Digital Signature Standard
                  (DSS), FIPS PUB 186-2, January 2000.
                  <http://csrc.nist.gov/publications/fips/index.html>.

   [Err9]         RFC Errata, Errata ID 9, RFC 4753,
                  <http://www.rfc-editor.org>.

   [GMN]          J. Solinas, Generalized Mersenne Numbers,
                  Combinatorics and Optimization Research Report 99-39,
                  1999, <http://www.cacr.math.uwaterloo.ca/>.

   [IEEE-1363]    Institute of Electrical and Electronics Engineers.
                  IEEE 1363-2000, Standard for Public Key Cryptography,
                  <http://grouper.ieee.org/groups/1363/index.html>.

   [ISO-14888-3]  International Organization for Standardization and
                  International Electrotechnical Commission, ISO/IEC
                  14888-3:2006, Information Technology: Security
                  Techniques: Digital Signatures with Appendix:  Part 3
                  - Discrete Logarithm Based Mechanisms.

   [ISO-15946-1]  International Organization for Standardization and
                  International Electrotechnical Commission, ISO/IEC
                  15946-1:  2002-12-01, Information Technology: Security
                  Techniques: Cryptographic Techniques based on Elliptic
                  Curves: Part 1 - General.

   [ISO-15946-2]  International Organization for Standardization and
                  International Electrotechnical Commission, ISO/IEC
                  15946-2:  2002-12-01, Information Technology: Security
                  Techniques: Cryptographic Techniques based on Elliptic
                  Curves: Part 2 - Digital Signatures.

   [ISO-15946-3]  International Organization for Standardization and
                  International Electrotechnical Commission, ISO/IEC
                  15946-3:  2002-12-01, Information Technology: Security
                  Techniques: Cryptographic Techniques based on Elliptic
                  Curves: Part 3 - Key Establishment.

   [ISO-15946-4]  International Organization for Standardization and
                  International Electrotechnical Commission, ISO/IEC
                  15946-4:  2004-10-01, Information Technology: Security
                  Techniques: Cryptographic Techniques based on Elliptic
                  Curves: Part 4 - Digital Signatures giving Message
                  Recovery.

   [ISO-18031]    International Organization for Standardization and
                  International Electrotechnical Commission, ISO/IEC
                  18031:2005, Information Technology: Security
                  Techniques: Random Bit Generation.

   [NIST]         U.S. Department of Commerce/National Institute of
                  Standards and Technology.  Recommendation for Pair-
                  Wise Key Establishment Schemes Using Discrete
                  Logarithm Cryptography, NIST Special Publication
                  800-56A, March 2006,
                  <http://csrc.nist.gov/CryptoToolkit/KeyMgmt.html>.

   [SEC2]         Standards for Efficient Cryptography Group.  SEC 2 -
                  Recommended Elliptic Curve Domain Parameters, v. 1.0,
                  2000, <http://www.secg.org>.

   [X9.62-1998]   American National Standards Institute, X9.62-1998:
                  Public Key Cryptography for the Financial Services
                  Industry: The Elliptic Curve Digital Signature
                  Algorithm.  January 1999.

   [X9.62-2005]   American National Standards Institute, X9.62:2005:
                  Public Key Cryptography for the Financial Services
                  Industry: The Elliptic Curve Digital Signature
                  Algorithm (ECDSA).

   [X9.63]        American National Standards Institute.  X9.63-2001,
                  Public Key Cryptography for the Financial Services
                  Industry: Key Agreement and Key Transport using
                  Elliptic Curve Cryptography.  November 2001.

Authors' Addresses

   David E. Fu
   National Information Assurance Research Laboratory
   National Security Agency

   EMail: defu@orion.ncsc.mil


   Jerome A. Solinas
   National Information Assurance Research Laboratory
   National Security Agency

   EMail: jasolin@orion.ncsc.mil
