DNS Extensions Working Group F. Dupont Internet-Draft Internet Systems Consortium Updates: 2930,2539,2931 February 18, 2013 (if approved) Intended status: Standards Track Expires: August 22, 2013 Modern cryptography TKEY draft-dupont-dnsext-ec-tkey-00 Abstract This document updates the TKEY resource record specifications for the use of Elliptic Curve Diffie-Hellman, and related IANA registries. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on August 22, 2013. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Dupont Expires August 22, 2013 [Page 1] Internet-Draft ECDH TKEY February 2013 1. Introduction The TKEY resource record [RFC2930] was designed to enable the establishment of a shared secret between DNS client and server, using GSS-API or a Diffie-Hellman exchange. The purpose of this document is to modernize the cryptography used by the Diffie-Hellman variant of TKEY, i.e., to move to ECDH (Elliptic Curve Diffie-Hellman). As a side effect, registries for the DH KEY [RFC2539] and SIG(0) [RFC2931] resource records are updated. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119 [RFC2119]. 2. ECDH groups This document specifies a new "well-known group" with a 1536 bit prime for the DH KEY resource record [RFC2539], taken from the expired revision [I-D.ietf-dnsext-rfc2539bis-dhk], in the Appendix A. (this group is supported by some implementations, the idea is to make it official) The NIST P-256 and P-384 curve groups are added as groups 13 and 14. These groups are already used in several IETF RFCs, including [RFC5114], or for DNSSEC [RFC6605]. A public key is the uncompressed form of a curve point, so on twice 256 or 384 bits. The shared secret is the first coordinate of the Diffie-Hellman common value, so on 256 or 384 bits. 3. ECDH TKEY The ECDH TKEY reuses the DH TKEY (RFC2930 [RFC2930] section 4.1) specification with some changes. The Diffie-Hellman exchange uses the Elliptic Curve P-256 group, the hash function is SHA-256. The "key data" lengths MUST be at least 128 bits / 16 octets, and SHOULD be at most 256 bits / 32 octets. The "keying material" is derived using the formula (taken from IKEv2 [RFC4306]): keymat = HMAC-SHA-256(query data | server data, ECDH value) Dupont Expires August 22, 2013 [Page 2] Internet-Draft ECDH TKEY February 2013 4. IANA Considerations The "DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs" registry is modified by the addition of entries for 3, 13 and 14, with "A 1536 bit prime", "EC P-256" and "EC P-384" for descriptions, and this document for the reference. The "DNS Security Algorithm Numbers" registry is modified by adding TKEY in the "transaction security mechanisms" and by making ECDSAP256SHA256 and ECDSAP384SHA384 eligible for transaction security. The "SIG (0) Algorithm Numbers" registry is either updated / aligned with the preceding one, or simply suppressed as its content was merged into the preceding one. 5. Security Considerations The Elliptic Curve cryptography is considered as being as safe as the modular prime field one but with faster operations and far smaller payloads, so should be a vector for better security. In the same way, more support and use of TKEY should be encouraged. This is why it had to be re-based on modern cryptography tools. To share a private key for two different usages is recognized as a bad practice, so when an ECDH TKEY is authenticated by ECDSAP256SHA256, the private key SHOULD NOT be shared. 6. Acknowledgments Donald E. Eastlake 3rd is the author of the expired DH KEY revision [I-D.ietf-dnsext-rfc2539bis-dhk] where the well-known group 3 was taken. 7. References 7.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2539] Eastlake, D., "Storage of Diffie-Hellman Keys in the Domain Name System (DNS)", RFC 2539, March 1999. Dupont Expires August 22, 2013 [Page 3] Internet-Draft ECDH TKEY February 2013 [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY RR)", RFC 2930, September 2000. [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures ( SIG(0)s)", RFC 2931, September 2000. [RFC5114] Lepinski, M. and S. Kent, "Additional Diffie-Hellman Groups for Use with IETF Standards", RFC 5114, January 2008. 7.2. Informative References [I-D.ietf-dnsext-rfc2539bis-dhk] Eastlake, D., "Storage of Diffie-Hellman Keying Information in the DNS", draft-ietf-dnsext-rfc2539bis-dhk-08 (work in progress), October 2006. [RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005. [RFC6605] Hoffman, P. and W. Wijngaards, "Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC", RFC 6605, April 2012. Appendix A. Well-Known Group 3: A 1536 bit prime The prime is 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }. Its decimal value is: 241031242692103258855207602219756607485695054850245994265411 694195810883168261222889009385826134161467322714147790401219 650364895705058263194273070680500922306273474534107340669624 601458936165977404102716924945320037872943417032584377865919 814376319377685986952408894019557734611984354530154704374720 774996976375008430892633929555996888245787241299381012913029 459299994792636526405928464720973038494721168143446471443848 8520940127459844288859336526896320919633919 Prime modulus Length (32 bit words): 48, Data (hex): Dupont Expires August 22, 2013 [Page 4] Internet-Draft ECDH TKEY February 2013 FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF Generator: Length (32 bit words): 1, Data (hex): 2 Author's Address Francis Dupont Internet Systems Consortium Email: fdupont@isc.org Dupont Expires August 22, 2013 [Page 5]