1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
|
<pre>Internet Engineering Task Force (IETF) A. Jivsov
Request for Comments: 6637 Symantec Corporation
Category: Standards Track June 2012
ISSN: 2070-1721
<span class="h1">Elliptic Curve Cryptography (ECC) in OpenPGP</span>
Abstract
This document defines an Elliptic Curve Cryptography extension to the
OpenPGP public key format and specifies three Elliptic Curves that
enjoy broad support by other standards, including standards published
by the US National Institute of Standards and Technology. The
document specifies the conventions for interoperability between
compliant OpenPGP implementations that make use of this extension and
these Elliptic Curves.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc6637">http://www.rfc-editor.org/info/rfc6637</a>.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
<span class="grey">Jivsov Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc6637">RFC 6637</a> ECC in OpenPGP June 2012</span>
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-2">2</a>. Conventions used in This Document ...............................<a href="#page-3">3</a>
<a href="#section-3">3</a>. Elliptic Curve Cryptography .....................................<a href="#page-3">3</a>
<a href="#section-4">4</a>. Supported ECC Curves ............................................<a href="#page-3">3</a>
<a href="#section-5">5</a>. Supported Public Key Algorithms .................................<a href="#page-4">4</a>
<a href="#section-6">6</a>. Conversion Primitives ...........................................<a href="#page-4">4</a>
<a href="#section-7">7</a>. Key Derivation Function .........................................<a href="#page-5">5</a>
<a href="#section-8">8</a>. EC DH Algorithm (ECDH) ..........................................<a href="#page-5">5</a>
<a href="#section-9">9</a>. Encoding of Public and Private Keys .............................<a href="#page-8">8</a>
<a href="#section-10">10</a>. Message Encoding with Public Keys ..............................<a href="#page-9">9</a>
<a href="#section-11">11</a>. ECC Curve OID .................................................<a href="#page-10">10</a>
<a href="#section-12">12</a>. Compatibility Profiles ........................................<a href="#page-10">10</a>
<a href="#section-12.1">12.1</a>. OpenPGP ECC Profile ......................................<a href="#page-10">10</a>
<a href="#section-12.2">12.2</a>. Suite-B Profile ..........................................<a href="#page-11">11</a>
<a href="#section-12.2.1">12.2.1</a>. Security Strength at 192 Bits .....................<a href="#page-11">11</a>
<a href="#section-12.2.2">12.2.2</a>. Security Strength at 128 Bits .....................<a href="#page-11">11</a>
<a href="#section-13">13</a>. Security Considerations .......................................<a href="#page-12">12</a>
<a href="#section-14">14</a>. IANA Considerations ...........................................<a href="#page-14">14</a>
<a href="#section-15">15</a>. References ....................................................<a href="#page-14">14</a>
<a href="#section-15.1">15.1</a>. Normative References .....................................<a href="#page-14">14</a>
<a href="#section-15.2">15.2</a>. Informative References ...................................<a href="#page-15">15</a>
<a href="#section-16">16</a>. Contributors ..................................................<a href="#page-15">15</a>
<a href="#section-17">17</a>. Acknowledgment ................................................<a href="#page-15">15</a>
<span class="grey">Jivsov Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc6637">RFC 6637</a> ECC in OpenPGP June 2012</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
The OpenPGP protocol [<a href="./rfc4880" title=""OpenPGP Message Format"">RFC4880</a>] supports RSA and DSA (Digital
Signature Algorithm) public key formats. This document defines the
extension to incorporate support for public keys that are based on
Elliptic Curve Cryptography (ECC).
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Conventions Used in This Document</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>]. Any
implementation that adheres to the format and methods specified in
this document is called a compliant application. Compliant
applications are a subset of the broader set of OpenPGP applications
described in [<a href="./rfc4880" title=""OpenPGP Message Format"">RFC4880</a>]. Any [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>] keyword within this document
applies to compliant applications only.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Elliptic Curve Cryptography</span>
This document establishes the minimum set of Elliptic Curve
Cryptography (ECC) public key parameters and cryptographic methods
that will likely satisfy the widest range of platforms and
applications and facilitate interoperability. It adds a more
efficient method for applications to balance the overall level of
security with any AES algorithm specified in [<a href="./rfc4880" title=""OpenPGP Message Format"">RFC4880</a>] than by simply
increasing the size of RSA keys. This document defines a path to
expand ECC support in the future.
The National Security Agency (NSA) of the United States specifies ECC
for use in its [<a href="#ref-SuiteB" title=""NSA Suite B Cryptography"">SuiteB</a>] set of algorithms. This document includes
algorithms required by Suite B that are not present in [<a href="./rfc4880" title=""OpenPGP Message Format"">RFC4880</a>].
[<a id="ref-KOBLITZ">KOBLITZ</a>] provides a thorough introduction to ECC.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Supported ECC Curves</span>
This document references three named prime field curves, defined in
[<a href="#ref-FIPS-186-3" title=""Digital Signature Standard"">FIPS-186-3</a>] as "Curve P-256", "Curve P-384", and "Curve P-521".
The named curves are referenced as a sequence of bytes in this
document, called throughout, curve OID. <a href="#section-11">Section 11</a> describes in
detail how this sequence of bytes is formed.
<span class="grey">Jivsov Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc6637">RFC 6637</a> ECC in OpenPGP June 2012</span>
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Supported Public Key Algorithms</span>
The supported public key algorithms are the Elliptic Curve Digital
Signature Algorithm (ECDSA) [<a href="#ref-FIPS-186-3" title=""Digital Signature Standard"">FIPS-186-3</a>] and the Elliptic Curve
Diffie-Hellman (ECDH). A compatible specification of ECDSA is given
in [<a href="./rfc6090" title=""Fundamental Elliptic Curve Cryptography Algorithms"">RFC6090</a>] as "KT-I Signatures" and in [<a href="#ref-SEC1" title=""SEC 1: Elliptic Curve Cryptography"">SEC1</a>]; ECDH is defined in
<a href="#section-8">Section 8</a> of this document.
The following public key algorithm IDs are added to expand <a href="./rfc4880#section-9.1">Section</a>
<a href="./rfc4880#section-9.1">9.1 of [RFC4880]</a>, "Public-Key Algorithms":
ID Description of Algorithm
-- --------------------------
18 ECDH public key algorithm
19 ECDSA public key algorithm
Compliant applications MUST support ECDSA and ECDH.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Conversion Primitives</span>
This document only defines the uncompressed point format. The point
is encoded in the Multiprecision Integer (MPI) format [<a href="./rfc4880" title=""OpenPGP Message Format"">RFC4880</a>]. The
content of the MPI is the following:
B = 04 || x || y
where x and y are coordinates of the point P = (x, y), each encoded
in the big-endian format and zero-padded to the adjusted underlying
field size. The adjusted underlying field size is the underlying
field size that is rounded up to the nearest 8-bit boundary.
Therefore, the exact size of the MPI payload is 515 bits for "Curve
P-256", 771 for "Curve P-384", and 1059 for "Curve P-521".
Even though the zero point, also called the point at infinity, may
occur as a result of arithmetic operations on points of an elliptic
curve, it SHALL NOT appear in data structures defined in this
document.
This encoding is compatible with the definition given in [<a href="#ref-SEC1" title=""SEC 1: Elliptic Curve Cryptography"">SEC1</a>].
If other conversion methods are defined in the future, a compliant
application MUST NOT use a new format when in doubt that any
recipient can support it. Consider, for example, that while both the
public key and the per-recipient ECDH data structure, respectively
defined in Sections <a href="#section-9">9</a> and <a href="#section-10">10</a>, contain an encoded point field, the
format changes to the field in <a href="#section-10">Section 10</a> only affect a given
recipient of a given message.
<span class="grey">Jivsov Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc6637">RFC 6637</a> ECC in OpenPGP June 2012</span>
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Key Derivation Function</span>
A key derivation function (KDF) is necessary to implement the EC
encryption. The Concatenation Key Derivation Function (Approved
Alternative 1) [<a href="#ref-NIST-SP800-56A" title=""Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography"">NIST-SP800-56A</a>] with the KDF hash function that is
SHA2-256 [<a href="#ref-FIPS-180-3" title=""Secure Hash Standard (SHS)"">FIPS-180-3</a>] or stronger is REQUIRED. See <a href="#section-12">Section 12</a> for
the details regarding the choice of the hash function.
For convenience, the synopsis of the encoding method is given below
with significant simplifications attributable to the restricted
choice of hash functions in this document. However, [<a href="#ref-NIST-SP800-56A" title=""Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography"">NIST-SP800-56A</a>]
is the normative source of the definition.
// Implements KDF( X, oBits, Param );
// Input: point X = (x,y)
// oBits - the desired size of output
// hBits - the size of output of hash function Hash
// Param - octets representing the parameters
// Assumes that oBits <= hBits
// Convert the point X to the octet string, see <a href="#section-6">section 6</a>:
// ZB' = 04 || x || y
// and extract the x portion from ZB'
ZB = x;
MB = Hash ( 00 || 00 || 00 || 01 || ZB || Param );
return oBits leftmost bits of MB.
Note that ZB in the KDF description above is the compact
representation of X, defined in <a href="./rfc6090#section-4.2">Section 4.2 of [RFC6090]</a>.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. EC DH Algorithm (ECDH)</span>
The method is a combination of an ECC Diffie-Hellman method to
establish a shared secret, a key derivation method to process the
shared secret into a derived key, and a key wrapping method that uses
the derived key to protect a session key used to encrypt a message.
The One-Pass Diffie-Hellman method C(1, 1, ECC CDH) [<a href="#ref-NIST-SP800-56A" title=""Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography"">NIST-SP800-56A</a>]
MUST be implemented with the following restrictions: the ECC CDH
primitive employed by this method is modified to always assume the
cofactor as 1, the KDF specified in <a href="#section-7">Section 7</a> is used, and the KDF
parameters specified below are used.
<span class="grey">Jivsov Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc6637">RFC 6637</a> ECC in OpenPGP June 2012</span>
The KDF parameters are encoded as a concatenation of the following 5
variable-length and fixed-length fields, compatible with the
definition of the OtherInfo bitstring [<a href="#ref-NIST-SP800-56A" title=""Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography"">NIST-SP800-56A</a>]:
o a variable-length field containing a curve OID, formatted as
follows:
- a one-octet size of the following field
- the octets representing a curve OID, defined in <a href="#section-11">Section 11</a>
o a one-octet public key algorithm ID defined in <a href="#section-5">Section 5</a>
o a variable-length field containing KDF parameters, identical to
the corresponding field in the ECDH public key, formatted as
follows:
- a one-octet size of the following fields; values 0 and 0xff
are reserved for future extensions
- a one-octet value 01, reserved for future extensions
- a one-octet hash function ID used with the KDF
- a one-octet algorithm ID for the symmetric algorithm used to
wrap the symmetric key for message encryption; see <a href="#section-8">Section 8</a>
for details
o 20 octets representing the UTF-8 encoding of the string
"Anonymous Sender ", which is the octet sequence
41 6E 6F 6E 79 6D 6F 75 73 20 53 65 6E 64 65 72 20 20 20 20
o 20 octets representing a recipient encryption subkey or a master
key fingerprint, identifying the key material that is needed for
the decryption
The size of the KDF parameters sequence, defined above, is either 54
or 51 for the three curves defined in this document.
The key wrapping method is described in [<a href="./rfc3394" title=""Advanced Encryption Standard (AES) Key Wrap Algorithm"">RFC3394</a>]. KDF produces a
symmetric key that is used as a key-encryption key (KEK) as specified
in [<a href="./rfc3394" title=""Advanced Encryption Standard (AES) Key Wrap Algorithm"">RFC3394</a>]. Refer to <a href="#section-13">Section 13</a> for the details regarding the
choice of the KEK algorithm, which SHOULD be one of three AES
algorithms. Key wrapping and unwrapping is performed with the
default initial value of [<a href="./rfc3394" title=""Advanced Encryption Standard (AES) Key Wrap Algorithm"">RFC3394</a>].
<span class="grey">Jivsov Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc6637">RFC 6637</a> ECC in OpenPGP June 2012</span>
The input to the key wrapping method is the value "m" derived from
the session key, as described in <a href="./rfc4880#section-5.1">Section 5.1 of [RFC4880]</a>, "Public-
Key Encrypted Session Key Packets (Tag 1)", except that the PKCS #1.5
(Public-Key Cryptography Standards version 1.5) padding step is
omitted. The result is padded using the method described in [<a href="#ref-PKCS5" title=""PKCS #5 v2.0: Password-Based Cryptography Standard"">PKCS5</a>]
to the 8-byte granularity. For example, the following AES-256
session key, in which 32 octets are denoted from k0 to k31, is
composed to form the following 40 octet sequence:
<a href="#section-09">09</a> k0 k1 ... k31 c0 c1 05 05 05 05 05
The octets c0 and c1 above denote the checksum. This encoding allows
the sender to obfuscate the size of the symmetric encryption key used
to encrypt the data. For example, assuming that an AES algorithm is
used for the session key, the sender MAY use 21, 13, and 5 bytes of
padding for AES-128, AES-192, and AES-256, respectively, to provide
the same number of octets, 40 total, as an input to the key wrapping
method.
The output of the method consists of two fields. The first field is
the MPI containing the ephemeral key used to establish the shared
secret. The second field is composed of the following two fields:
o a one-octet encoding the size in octets of the result of the key
wrapping method; the value 255 is reserved for future extensions
o up to 254 octets representing the result of the key wrapping
method, applied to the 8-byte padded session key, as described
above
Note that for session key sizes 128, 192, and 256 bits, the size of
the result of the key wrapping method is, respectively, 32, 40, and
48 octets, unless the size obfuscation is used.
For convenience, the synopsis of the encoding method is given below;
however, this section, [<a href="#ref-NIST-SP800-56A" title=""Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography"">NIST-SP800-56A</a>], and [<a href="./rfc3394" title=""Advanced Encryption Standard (AES) Key Wrap Algorithm"">RFC3394</a>] are the
normative sources of the definition.
<span class="grey">Jivsov Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc6637">RFC 6637</a> ECC in OpenPGP June 2012</span>
Obtain the authenticated recipient public key R
Generate an ephemeral key pair {v, V=vG}
Compute the shared point S = vR;
m = symm_alg_ID || session key || checksum || pkcs5_padding;
curve_OID_len = (byte)len(curve_OID);
Param = curve_OID_len || curve_OID || public_key_alg_ID || 03
|| 01 || KDF_hash_ID || KEK_alg_ID for AESKeyWrap || "Anonymous
Sender " || recipient_fingerprint;
Z_len = the key size for the KEK_alg_ID used with AESKeyWrap
Compute Z = KDF( S, Z_len, Param );
Compute C = AESKeyWrap( Z, m ) as per [<a href="./rfc3394" title=""Advanced Encryption Standard (AES) Key Wrap Algorithm"">RFC3394</a>]
VB = convert point V to the octet string
Output (MPI(VB) || len(C) || C).
The decryption is the inverse of the method given. Note that the
recipient obtains the shared secret by calculating
S = rV = rvG, where (r,R) is the recipient's key pair.
Consistent with <a href="./rfc4880#section-5.13">Section 5.13 of [RFC4880]</a>, "Sym. Encrypted Integrity
Protected Data Packet (Tag 18)", a Modification Detection Code (MDC)
MUST be used anytime the symmetric key is protected by ECDH.
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Encoding of Public and Private Keys</span>
The following algorithm-specific packets are added to <a href="./rfc4880#section-5.5.2">Section 5.5.2
of [RFC4880]</a>, "Public-Key Packet Formats", to support ECDH and ECDSA.
This algorithm-specific portion is:
Algorithm-Specific Fields for ECDSA keys:
o a variable-length field containing a curve OID, formatted
as follows:
- a one-octet size of the following field; values 0 and
0xFF are reserved for future extensions
- octets representing a curve OID, defined in <a href="#section-11">Section 11</a>
o MPI of an EC point representing a public key
<span class="grey">Jivsov Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc6637">RFC 6637</a> ECC in OpenPGP June 2012</span>
Algorithm-Specific Fields for ECDH keys:
o a variable-length field containing a curve OID, formatted
as follows:
- a one-octet size of the following field; values 0 and
0xFF are reserved for future extensions
- the octets representing a curve OID, defined in
<a href="#section-11">Section 11</a>
- MPI of an EC point representing a public key
o a variable-length field containing KDF parameters,
formatted as follows:
- a one-octet size of the following fields; values 0 and
0xff are reserved for future extensions
- a one-octet value 01, reserved for future extensions
- a one-octet hash function ID used with a KDF
- a one-octet algorithm ID for the symmetric algorithm
used to wrap the symmetric key used for the message
encryption; see <a href="#section-8">Section 8</a> for details
Observe that an ECDH public key is composed of the same sequence of
fields that define an ECDSA key, plus the KDF parameters field.
The following algorithm-specific packets are added to <a href="./rfc4880#section-5.5.3">Section 5.5.3.
of [RFC4880]</a>, "Secret-Key Packet Formats", to support ECDH and ECDSA.
Algorithm-Specific Fields for ECDH or ECDSA secret keys:
o an MPI of an integer representing the secret key, which is a
scalar of the public EC point
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. Message Encoding with Public Keys</span>
<a href="./rfc4880#section-5.2.2">Section 5.2.2 of [RFC4880]</a>, "Version 3 Signature Packet Format"
defines signature formats. No changes in the format are needed for
ECDSA.
<a href="./rfc4880#section-5.1">Section 5.1 of [RFC4880]</a>, "Public-Key Encrypted Session Key Packets
(Tag 1)" is extended to support ECDH. The following two fields are
the result of applying the KDF, as described in <a href="#section-8">Section 8</a>.
<span class="grey">Jivsov Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc6637">RFC 6637</a> ECC in OpenPGP June 2012</span>
Algorithm-Specific Fields for ECDH:
o an MPI of an EC point representing an ephemeral public key
o a one-octet size, followed by a symmetric key encoded using the
method described in <a href="#section-8">Section 8</a>
<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>. ECC Curve OID</span>
The parameter curve OID is an array of octets that define a named
curve. The table below specifies the exact sequence of bytes for
each named curve referenced in this document:
ASN.1 Object OID Curve OID bytes in Curve name in
Identifier len hexadecimal [<a href="#ref-FIPS-186-3" title=""Digital Signature Standard"">FIPS-186-3</a>]
representation
1.2.840.10045.3.1.7 8 2A 86 48 CE 3D 03 01 07 NIST curve P-256
1.3.132.0.34 5 2B 81 04 00 22 NIST curve P-384
1.3.132.0.35 5 2B 81 04 00 23 NIST curve P-521
The sequence of octets in the third column is the result of applying
the Distinguished Encoding Rules (DER) to the ASN.1 Object Identifier
with subsequent truncation. The truncation removes the two fields of
encoded Object Identifier. The first omitted field is one octet
representing the Object Identifier tag, and the second omitted field
is the length of the Object Identifier body. For example, the
complete ASN.1 DER encoding for the NIST P-256 curve OID is "06 08 2A
86 48 CE 3D 03 01 07", from which the first entry in the table above
is constructed by omitting the first two octets. Only the truncated
sequence of octets is the valid representation of a curve OID.
<span class="h2"><a class="selflink" id="section-12" href="#section-12">12</a>. Compatibility Profiles</span>
<span class="h3"><a class="selflink" id="section-12.1" href="#section-12.1">12.1</a>. OpenPGP ECC Profile</span>
A compliant application MUST implement NIST curve P-256, MAY
implement NIST curve P-384, and SHOULD implement NIST curve P-521, as
defined in <a href="#section-11">Section 11</a>. A compliant application MUST implement
SHA2-256 and SHOULD implement SHA2-384 and SHA2-512. A compliant
application MUST implement AES-128 and SHOULD implement AES-256.
<span class="grey">Jivsov Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc6637">RFC 6637</a> ECC in OpenPGP June 2012</span>
A compliant application SHOULD follow <a href="#section-13">Section 13</a> regarding the choice
of the following algorithms for each curve:
o the KDF hash algorithm
o the KEK algorithm
o the message digest algorithm and the hash algorithm used in the
key certifications
o the symmetric algorithm used for message encryption.
It is recommended that the chosen symmetric algorithm for message
encryption be no less secure than the KEK algorithm.
<span class="h3"><a class="selflink" id="section-12.2" href="#section-12.2">12.2</a>. Suite-B Profile</span>
A subset of algorithms allowed by this document can be used to
achieve [<a href="#ref-SuiteB" title=""NSA Suite B Cryptography"">SuiteB</a>] compatibility. The references to [<a href="#ref-SuiteB" title=""NSA Suite B Cryptography"">SuiteB</a>] in this
document are informative. This document is primarily concerned with
format specification, leaving additional security restrictions
unspecified, such as matching the assigned security level of
information to authorized recipients or interoperability concerns
arising from fewer allowed algorithms in [<a href="#ref-SuiteB" title=""NSA Suite B Cryptography"">SuiteB</a>] than allowed by
[<a href="./rfc4880" title=""OpenPGP Message Format"">RFC4880</a>].
<span class="h4"><a class="selflink" id="section-12.2.1" href="#section-12.2.1">12.2.1</a>. Security Strength at 192 Bits</span>
To achieve the security strength of 192 bits, [<a href="#ref-SuiteB" title=""NSA Suite B Cryptography"">SuiteB</a>] requires NIST
curve P-384, AES-256, and SHA2-384. The symmetric algorithm
restriction means that the algorithm of KEK used for key wrapping in
<a href="#section-8">Section 8</a> and an [<a href="./rfc4880" title=""OpenPGP Message Format"">RFC4880</a>] session key used for message encryption
must be AES-256. The hash algorithm restriction means that the hash
algorithms of KDF and the [<a href="./rfc4880" title=""OpenPGP Message Format"">RFC4880</a>] message digest calculation must
be SHA-384.
<span class="h4"><a class="selflink" id="section-12.2.2" href="#section-12.2.2">12.2.2</a>. Security Strength at 128 Bits</span>
The set of algorithms in <a href="#section-12.2.1">Section 12.2.1</a> is extended to allow NIST
curve P-256, AES-128, and SHA2-256.
<span class="grey">Jivsov Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc6637">RFC 6637</a> ECC in OpenPGP June 2012</span>
<span class="h2"><a class="selflink" id="section-13" href="#section-13">13</a>. Security Considerations</span>
Refer to [<a href="#ref-FIPS-186-3" title=""Digital Signature Standard"">FIPS-186-3</a>], B.4.1, for the method to generate a uniformly
distributed ECC private key.
The curves proposed in this document correspond to the symmetric key
sizes 128 bits, 192 bits, and 256 bits, as described in the table
below. This allows a compliant application to offer balanced public
key security, which is compatible with the symmetric key strength for
each AES algorithm allowed by [<a href="./rfc4880" title=""OpenPGP Message Format"">RFC4880</a>].
The following table defines the hash and the symmetric encryption
algorithm that SHOULD be used with a given curve for ECDSA or ECDH.
A stronger hash algorithm or a symmetric key algorithm MAY be used
for a given ECC curve. However, note that the increase in the
strength of the hash algorithm or the symmetric key algorithm may not
increase the overall security offered by the given ECC key.
Curve name ECC RSA Hash size Symmetric
strength strength, key size
informative
NIST curve P-256 256 3072 256 128
NIST curve P-384 384 7680 384 192
NIST curve P-521 521 15360 512 256
Requirement levels indicated elsewhere in this document lead to the
following combinations of algorithms in the OpenPGP profile: MUST
implement NIST curve P-256 / SHA2-256 / AES-128, SHOULD implement
NIST curve P-521 / SHA2-512 / AES-256, MAY implement NIST curve P-384
/ SHA2-384 / AES-256, among other allowed combinations.
Consistent with the table above, the following table defines the KDF
hash algorithm and the AES KEK encryption algorithm that SHOULD be
used with a given curve for ECDH. A stronger KDF hash algorithm or
AES KEK algorithm MAY be used for a given ECC curve.
Curve name Recommended KDF Recommended KEK
hash algorithm encryption algorithm
NIST curve P-256 SHA2-256 AES-128
NIST curve P-384 SHA2-384 AES-192
NIST curve P-521 SHA2-512 AES-256
<span class="grey">Jivsov Standards Track [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc6637">RFC 6637</a> ECC in OpenPGP June 2012</span>
This document explicitly discourages the use of algorithms other than
AES as a KEK algorithm because backward compatibility of the ECDH
format is not a concern. The KEK algorithm is only used within the
scope of a Public-Key Encrypted Session Key Packet, which represents
an ECDH key recipient of a message. Compare this with the algorithm
used for the session key of the message, which MAY be different from
a KEK algorithm.
Compliant applications SHOULD implement, advertise through key
preferences, and use in compliance with [<a href="./rfc4880" title=""OpenPGP Message Format"">RFC4880</a>], the strongest
algorithms specified in this document.
Note that the [<a href="./rfc4880" title=""OpenPGP Message Format"">RFC4880</a>] symmetric algorithm preference list may make
it impossible to use the balanced strength of symmetric key
algorithms for a corresponding public key. For example, the presence
of the symmetric key algorithm IDs and their order in the key
preference list affects the algorithm choices available to the
encoding side, which in turn may make the adherence to the table
above infeasible. Therefore, compliance with this specification is a
concern throughout the life of the key, starting immediately after
the key generation when the key preferences are first added to a key.
It is generally advisable to position a symmetric algorithm ID of
strength matching the public key at the head of the key preference
list.
Encryption to multiple recipients often results in an unordered
intersection subset. For example, if the first recipient's set is
{A, B} and the second's is {B, A}, the intersection is an unordered
set of two algorithms, A and B. In this case, a compliant
application SHOULD choose the stronger encryption algorithm.
Resource constraints, such as limited computational power, is a
likely reason why an application might prefer to use the weakest
algorithm. On the other side of the spectrum are applications that
can implement every algorithm defined in this document. Most
applications are expected to fall into either of two categories. A
compliant application in the second, or strongest, category SHOULD
prefer AES-256 to AES-192.
SHA-1 MUST NOT be used with the ECDSA or the KDF in the ECDH method.
MDC MUST be used when a symmetric encryption key is protected by
ECDH. None of the ECC methods described in this document are allowed
with deprecated V3 keys. A compliant application MUST only use
iterated and salted S2K to protect private keys, as defined in
<a href="./rfc4880#section-3.7.1.3">Section 3.7.1.3 of [RFC4880]</a>, "Iterated and Salted S2K".
<span class="grey">Jivsov Standards Track [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc6637">RFC 6637</a> ECC in OpenPGP June 2012</span>
Side channel attacks are a concern when a compliant application's use
of the OpenPGP format can be modeled by a decryption or signing
oracle model, for example, when an application is a network service
performing decryption to unauthenticated remote users. ECC scalar
multiplication operations used in ECDSA and ECDH are vulnerable to
side channel attacks. Countermeasures can often be taken at the
higher protocol level, such as limiting the number of allowed
failures or time-blinding of the operations associated with each
network interface. Mitigations at the scalar multiplication level
seek to eliminate any measurable distinction between the ECC point
addition and doubling operations.
<span class="h2"><a class="selflink" id="section-14" href="#section-14">14</a>. IANA Considerations</span>
Per this document, IANA has assigned an algorithm number from the
"Public Key Algorithms" range (or the "name space" in the terminology
of [<a href="./rfc5226" title="">RFC5226</a>]) of the "Pretty Good Privacy (PGP)" registry, created by
[<a href="./rfc4880" title=""OpenPGP Message Format"">RFC4880</a>]. Two ID numbers have been assigned, as defined in <a href="#section-5">Section</a>
<a href="#section-5">5</a>. The first one, value 19, is already designated for ECDSA and is
currently unused, while the other one, value 18, is new.
<span class="h2"><a class="selflink" id="section-15" href="#section-15">15</a>. References</span>
<span class="h3"><a class="selflink" id="section-15.1" href="#section-15.1">15.1</a>. Normative References</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC4880">RFC4880</a>] Callas, J., Donnerhacke, L., Finney, H., Shaw, D.,
and R. Thayer, "OpenPGP Message Format", <a href="./rfc4880">RFC 4880</a>,
November 2007.
[<a id="ref-SuiteB">SuiteB</a>] National Security Agency, "NSA Suite B
Cryptography", March 11, 2010,
<a href="http://www.nsa.gov/ia/programs/suiteb_cryptography/">http://www.nsa.gov/ia/programs/suiteb_cryptography/</a>.
[<a id="ref-FIPS-186-3">FIPS-186-3</a>] National Institute of Standards and Technology, U.S.
Department of Commerce, "Digital Signature
Standard", FIPS 186-3, June 2009.
[<a id="ref-NIST-SP800-56A">NIST-SP800-56A</a>] Barker, E., Johnson, D., and M. Smid,
"Recommendation for Pair-Wise Key Establishment
Schemes Using Discrete Logarithm Cryptography", NIST
Special Publication 800-56A Revision 1, March 2007.
[<a id="ref-FIPS-180-3">FIPS-180-3</a>] National Institute of Standards and Technology, U.S.
Department of Commerce, "Secure Hash Standard
(SHS)", FIPS 180-3, October 2008.
<span class="grey">Jivsov Standards Track [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc6637">RFC 6637</a> ECC in OpenPGP June 2012</span>
[<a id="ref-RFC3394">RFC3394</a>] Schaad, J. and R. Housley, "Advanced Encryption
Standard (AES) Key Wrap Algorithm", <a href="./rfc3394">RFC 3394</a>,
September 2002.
[<a id="ref-PKCS5">PKCS5</a>] RSA Laboratories, "PKCS #5 v2.0: Password-Based
Cryptography Standard", March 25, 1999.
[<a id="ref-RFC5226">RFC5226</a>] Narten, T. and H. Alvestrand, "Guidelines for
Writing an IANA Considerations Section in RFCs", <a href="https://www.rfc-editor.org/bcp/bcp26">BCP</a>
<a href="https://www.rfc-editor.org/bcp/bcp26">26</a>, <a href="./rfc5226">RFC 5226</a>, May 2008.
<span class="h3"><a class="selflink" id="section-15.2" href="#section-15.2">15.2</a>. Informative References</span>
[<a id="ref-KOBLITZ">KOBLITZ</a>] N. Koblitz, "A course in number theory and
cryptography", Chapter VI. Elliptic Curves, ISBN:
0-387-96576-9, Springer-Verlag, 1987
[<a id="ref-RFC6090">RFC6090</a>] McGrew, D., Igoe, K., and M. Salter, "Fundamental
Elliptic Curve Cryptography Algorithms", <a href="./rfc6090">RFC 6090</a>,
February 2011.
[<a id="ref-SEC1">SEC1</a>] Standards for Efficient Cryptography Group, "SEC 1:
Elliptic Curve Cryptography", September 2000.
<span class="h2"><a class="selflink" id="section-16" href="#section-16">16</a>. Contributors</span>
Hal Finney provided important criticism on compliance with
[<a href="#ref-NIST-SP800-56A" title=""Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography"">NIST-SP800-56A</a>] and [<a href="#ref-SuiteB" title=""NSA Suite B Cryptography"">SuiteB</a>], and pointed out a few other mistakes.
<span class="h2"><a class="selflink" id="section-17" href="#section-17">17</a>. Acknowledgment</span>
The author would like to acknowledge the help of many individuals who
kindly voiced their opinions on the IETF OpenPGP Working Group
mailing list, in particular, the help of Jon Callas, David Crick, Ian
G, Werner Koch, and Marko Kreen.
Author's Address
Andrey Jivsov
Symantec Corporation
EMail: Andrey_Jivsov@symantec.com
Jivsov Standards Track [Page 15]
</pre>
|
