Internet DRAFT - draft-dupont-dnsext-ec-tkey
draft-dupont-dnsext-ec-tkey
DNS Extensions Working Group F. Dupont
Internet-Draft Internet Systems Consortium
Updates: 2930,2539,2931 February 18, 2013
(if approved)
Intended status: Standards Track
Expires: August 22, 2013
Modern cryptography TKEY
draft-dupont-dnsext-ec-tkey-00
Abstract
This document updates the TKEY resource record specifications for the
use of Elliptic Curve Diffie-Hellman, and related IANA registries.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 22, 2013.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Dupont Expires August 22, 2013 [Page 1]
Internet-Draft ECDH TKEY February 2013
1. Introduction
The TKEY resource record [RFC2930] was designed to enable the
establishment of a shared secret between DNS client and server, using
GSS-API or a Diffie-Hellman exchange.
The purpose of this document is to modernize the cryptography used by
the Diffie-Hellman variant of TKEY, i.e., to move to ECDH (Elliptic
Curve Diffie-Hellman). As a side effect, registries for the DH KEY
[RFC2539] and SIG(0) [RFC2931] resource records are updated.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC2119 [RFC2119].
2. ECDH groups
This document specifies a new "well-known group" with a 1536 bit
prime for the DH KEY resource record [RFC2539], taken from the
expired revision [I-D.ietf-dnsext-rfc2539bis-dhk], in the Appendix A.
(this group is supported by some implementations, the idea is to make
it official)
The NIST P-256 and P-384 curve groups are added as groups 13 and 14.
These groups are already used in several IETF RFCs, including
[RFC5114], or for DNSSEC [RFC6605]. A public key is the uncompressed
form of a curve point, so on twice 256 or 384 bits. The shared
secret is the first coordinate of the Diffie-Hellman common value, so
on 256 or 384 bits.
3. ECDH TKEY
The ECDH TKEY reuses the DH TKEY (RFC2930 [RFC2930] section 4.1)
specification with some changes.
The Diffie-Hellman exchange uses the Elliptic Curve P-256 group, the
hash function is SHA-256.
The "key data" lengths MUST be at least 128 bits / 16 octets, and
SHOULD be at most 256 bits / 32 octets.
The "keying material" is derived using the formula (taken from IKEv2
[RFC4306]):
keymat = HMAC-SHA-256(query data | server data, ECDH value)
Dupont Expires August 22, 2013 [Page 2]
Internet-Draft ECDH TKEY February 2013
4. IANA Considerations
The "DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs"
registry is modified by the addition of entries for 3, 13 and 14,
with "A 1536 bit prime", "EC P-256" and "EC P-384" for descriptions,
and this document for the reference.
The "DNS Security Algorithm Numbers" registry is modified by adding
TKEY in the "transaction security mechanisms" and by making
ECDSAP256SHA256 and ECDSAP384SHA384 eligible for transaction
security.
The "SIG (0) Algorithm Numbers" registry is either updated / aligned
with the preceding one, or simply suppressed as its content was
merged into the preceding one.
5. Security Considerations
The Elliptic Curve cryptography is considered as being as safe as the
modular prime field one but with faster operations and far smaller
payloads, so should be a vector for better security.
In the same way, more support and use of TKEY should be encouraged.
This is why it had to be re-based on modern cryptography tools.
To share a private key for two different usages is recognized as a
bad practice, so when an ECDH TKEY is authenticated by
ECDSAP256SHA256, the private key SHOULD NOT be shared.
6. Acknowledgments
Donald E. Eastlake 3rd is the author of the expired DH KEY revision
[I-D.ietf-dnsext-rfc2539bis-dhk] where the well-known group 3 was
taken.
7. References
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2539] Eastlake, D., "Storage of Diffie-Hellman Keys in the
Domain Name System (DNS)", RFC 2539, March 1999.
Dupont Expires August 22, 2013 [Page 3]
Internet-Draft ECDH TKEY February 2013
[RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY
RR)", RFC 2930, September 2000.
[RFC2931] Eastlake, D., "DNS Request and Transaction Signatures (
SIG(0)s)", RFC 2931, September 2000.
[RFC5114] Lepinski, M. and S. Kent, "Additional Diffie-Hellman
Groups for Use with IETF Standards", RFC 5114,
January 2008.
7.2. Informative References
[I-D.ietf-dnsext-rfc2539bis-dhk]
Eastlake, D., "Storage of Diffie-Hellman Keying
Information in the DNS",
draft-ietf-dnsext-rfc2539bis-dhk-08 (work in progress),
October 2006.
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
RFC 4306, December 2005.
[RFC6605] Hoffman, P. and W. Wijngaards, "Elliptic Curve Digital
Signature Algorithm (DSA) for DNSSEC", RFC 6605,
April 2012.
Appendix A. Well-Known Group 3: A 1536 bit prime
The prime is 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }.
Its decimal value is:
241031242692103258855207602219756607485695054850245994265411
694195810883168261222889009385826134161467322714147790401219
650364895705058263194273070680500922306273474534107340669624
601458936165977404102716924945320037872943417032584377865919
814376319377685986952408894019557734611984354530154704374720
774996976375008430892633929555996888245787241299381012913029
459299994792636526405928464720973038494721168143446471443848
8520940127459844288859336526896320919633919
Prime modulus Length (32 bit words): 48, Data (hex):
Dupont Expires August 22, 2013 [Page 4]
Internet-Draft ECDH TKEY February 2013
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
Generator: Length (32 bit words): 1, Data (hex): 2
Author's Address
Francis Dupont
Internet Systems Consortium
Email: fdupont@isc.org
Dupont Expires August 22, 2013 [Page 5]