One document matched: draft-josefsson-tls-eddsa2-00.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc4492 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4492.xml">
<!ENTITY rfc5246 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml">
<!ENTITY rfc6347 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6347.xml">
<!ENTITY tlscurve25519 SYSTEM
"http://xml.resource.org/public/rfc/bibxml3/reference.I-D.josefsson-tls-curve25519.xml">
<!ENTITY eddsaed25519 SYSTEM
"http://xml.resource.org/public/rfc/bibxml3/reference.I-D.josefsson-eddsa-ed25519.xml">
]>
<?rfc symrefs="yes"?>
<rfc category="std"
ipr="trust200902"
docName="draft-josefsson-tls-eddsa2-00" >
<front>
<title abbrev="EdDSA and Ed25519 for TLS">
EdDSA and Ed25519 for Transport Layer Security (TLS)
</title>
<author fullname="Simon Josefsson" initials="S." surname="Josefsson">
<organization>SJD AB</organization>
<address>
<email>simon@josefsson.org</email>
</address>
</author>
<date month="June" year="2015" />
<keyword>TLS, Elliptic Curve Cryptography, EdDSA, Ed25519,
Curve25519, X25519</keyword>
<abstract>
<t>This document introduce the public-key signature algorithm
EdDSA for use in Transport Layer Security (TLS). By using a new
SignatureAlgorithm value, defined in this document, together
with the NamedCurve and ECPointFormat assignments from the
Curve25519 ECDHE key exchange mechanism, we describe how EdDSA
is used for digital signatures in the existing ECDSA cipher
suites. This is intended to work with any version of TLS and
Datagram TLS.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t><xref target="RFC5246">TLS</xref> and <xref
target="RFC6347">DTLS</xref> support different key exchange
algorithms and authentication mechanisms. In <xref
target="RFC4492">ECC in TLS</xref>, key exchange and
authentication using ECC is specified, where the NamedCurve and
ECPointFormat registries and associated TLS extensions are
introduced.</t>
<t>In <xref target="I-D.josefsson-tls-curve25519" /> support for
ECDHE key exchange with the Curve25519 curve is added. That
document introduces a new NamedCurve value for Curve25519, and a
new ECPointFormat value to correspond to the public-key
encoding.</t>
<t>This document describes how to use <xref
target="I-D.josefsson-eddsa-ed25519">EdDSA and Ed25519</xref> as
a new authentication mechanism in TLS. It reuses the newly
registered NamedCurve and ECPointFormat values, and define a new
SignatureAlgorithm value to indicate EdDSA.</t>
<t>The goal is that all existing ECDSA cipher suites will, when
the EdDSA SignatureAlgorithm is negotiated, use EdDSA instead of
the traditional ECDSA signature algorithm.</t>
<t>This document is a self-contained alternative to
draft-josefsson-tls-eddsa. This document reuse the ECDSA cipher
suites for EdDSA, whereas draft-josefsson-tls-eddsa specify new
cipher suites for EdDSA. It is an open issue which approach is
to be prefered.</t>
<section title="Requirements Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described
in <xref target="RFC2119" />.</t>
</section>
</section>
<section title="EdDSA SignatureAlgorithm" >
<t>Negotiation of the authentication mechanism is signalled by
sending a SignatureAlgorithm value. Here we extend this
enumeration for EdDSA.</t>
<figure>
<artwork><![CDATA[
enum {
eddsa(4)
} SignatureAlgorithm;
]]></artwork>
</figure>
<t>EdDSA is suitable for use with TLS <xref target='RFC5246'/>
and DTLS <xref target='RFC6347'/>.</t>
</section>
<section title="Using EdDSA in a handshake">
<t>The following describe how EdDSA is used in a handshake. For
ease of explanation, we assume a full handshake. <xref
target="RFC4492" /> describes the semantics of ECC in TLS,
including how resumed handshakes work, and this document refer
to it for a complete discussion.</t>
<t>A client that wish to negotiate use of EdDSA in a handshake
MUST offer a ECDSA key exchange algorithm and send, in the same
way as is done for other Signature Algorithms in ECDSA, a
Signature Algorithm extension that include the "eddsa"
SignatureAlgorithm value</t>
<t>The HashAlgorithm value to specify for EdDSA MUST be "none"
as the EdDSA signature algorithm does not hash the input before
signing.</t>
<t>The client MUST also include a Supported Elliptic Curves
Extension ("NamedCurve") containing the "Curve25519" value
defined in <xref target="I-D.josefsson-tls-curve25519" />. This
is used to indicate request for Ed25519. Use of other curves
with EdDSA is not defined here.</t>
<t>The client MUST also include a Supported Point Formats
Extension ("ECPointFormat") that contains the "montgomery_x_le"
value defined in <xref target="I-D.josefsson-tls-curve25519"
/>.</t>
<t>This document RECOMMENDS use of ECDHE_ECDSA key exchange
algorithm, in particular with Curve25519, rather than the
ECDH_ECDSA key exchange algorithm.</t>
</section>
<section title="IANA Considerations">
<t>EdDSA should be registered in the Transport Layer Security
(TLS) Parameters <xref target='IANA-TLS' /> registry under
"SignatureAlgorithm" as follows.</t>
<texttable>
<preamble></preamble>
<ttcol align='center'>Value</ttcol>
<ttcol align='center'>Description</ttcol>
<ttcol align='center'>DTLS-OK</ttcol>
<ttcol align='center'>Reference</ttcol>
<c>4</c>
<c>eddsa</c>
<c>Y</c>
<c>This doc</c>
<postamble></postamble>
</texttable>
</section>
<section title="Security Considerations">
<t>The security considerations of <xref
target="RFC5246">TLS</xref>, <xref target="RFC6347">DTLS</xref>,
<xref target="RFC4492">ECC in TLS</xref> <xref
target="I-D.josefsson-tls-curve25519">Curve25519 in TLS</xref>,
and <xref target="I-D.josefsson-eddsa-ed25519">EdDSA and
Ed25519</xref> are inherited.</t>
<t>As with all cryptographic algorithms, the reader should stay
informed about new research insights into the security of the
algorithms involved.</t>
<t>While discussed in the EdDSA/Ed25519 specification and papers,
we would like to stress the significance of secure implementation
of EdDSA/Ed25519. For example, implementations ought to be
constant-time to avoid side-channel attacks.</t>
</section>
<section title="Acknowledgements">
<t>Thanks to Yoav Nir for suggesting re-use of ECDSA cipher
suites with EdDSA, to reduce the cartesian product cipher suite
explosion. Thanks to Klaus Hartke and Nicolas Williams for
fixes to the document.</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&rfc4492;
&rfc5246;
&rfc6347;
&tlscurve25519;
&eddsaed25519;
</references>
<references title="Informative References">
<reference anchor="IANA-TLS" target="http://www.iana.org/assignments/tls-parameters/tls-parameters.xml">
<front>
<title>Transport Layer Security (TLS) Parameters</title>
<author>
<organization>Internet Assigned Numbers Authority</organization>
</author>
<date month="" year=""/>
</front>
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-21 17:51:18 |