One document matched: draft-josefsson-tls-eddsa2-01.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc4492 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4492.xml">
<!ENTITY rfc5246 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml">
<!ENTITY rfc6347 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6347.xml">
<!ENTITY eddsaed25519 SYSTEM
"http://xml.resource.org/public/rfc/bibxml3/reference.I-D.josefsson-eddsa-ed25519.xml">
]>
<?rfc symrefs="yes"?>
<rfc category="std"
ipr="trust200902"
docName="draft-josefsson-tls-eddsa2-01" >
<front>
<title abbrev="EdDSA and Ed25519 for TLS">
EdDSA and Ed25519 for Transport Layer Security (TLS)
</title>
<author fullname="Simon Josefsson" initials="S." surname="Josefsson">
<organization>SJD AB</organization>
<address>
<email>simon@josefsson.org</email>
</address>
</author>
<date month="June" year="2015" />
<keyword>TLS, Elliptic Curve Cryptography, EdDSA, Ed25519,
Curve25519, X25519</keyword>
<abstract>
<t>This document introduce the public-key signature algorithm
EdDSA for use in Transport Layer Security (TLS). By defining
new SignatureAlgorithm, NamedCurve and ECPointFormat
enumerations, we describe how EdDSA and Ed25519 is used for
digital signatures in the existing ECDSA cipher suites. This is
intended to work with any version of TLS and Datagram TLS.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t><xref target="RFC5246">TLS</xref> and <xref
target="RFC6347">DTLS</xref> support different key exchange
algorithms and authentication mechanisms, and define the
SignatureAlgorithm enumeration for different signature
algorithms. In <xref target="RFC4492">TLS-ECC</xref>, key
exchange and authentication using ECC is specified, where the
NamedCurve and ECPointFormat registries and associated TLS
extensions are introduced.</t>
<t>This document describes how to use <xref
target="I-D.josefsson-eddsa-ed25519">EdDSA and Ed25519</xref> as
a new authentication mechanism in TLS. It define new
SignatureAlgorithm, NamedCurve and ECPointFormat enumeration
values and describe how these are used to negotiate EdDSA-based
signatures.</t>
<t>The goal is that all existing ECDSA cipher suites will, when
the EdDSA SignatureAlgorithm is negotiated, use EdDSA instead of
the traditional ECDSA signature algorithm.</t>
<t>This document is a self-contained alternative to
draft-josefsson-tls-eddsa. This document reuse the ECDSA cipher
suites for EdDSA, whereas draft-josefsson-tls-eddsa specify new
cipher suites for EdDSA. It is an open issue which approach is
to be prefered.</t>
<section title="Requirements Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described
in <xref target="RFC2119" />.</t>
</section>
</section>
<section title="EdDSA SignatureAlgorithm"
anchor="SignatureAlgorithm">
<t>Negotiation of the authentication mechanism is signalled by
sending a SignatureAlgorithm value. Here we extend this
enumeration for EdDSA.</t>
<figure>
<artwork><![CDATA[
enum {
eddsa(4)
} SignatureAlgorithm;
]]></artwork>
</figure>
<t>EdDSA is suitable for use with TLS <xref target='RFC5246'/>
and DTLS <xref target='RFC6347'/>.</t>
<t>Note that EdDSA merely signals which signature algorithm to
use, it does not imply any curve or hash parameter choice.</t>
</section>
<section title="EdDSA Public-key format"
anchor="ECPointFormat">
<t>This section defines a new point format suitable to encode
EdDSA public keys, as well as an identifier to negotiate this
new format in TLS, and includes guidance on their use.</t>
<t>The curves defined in <xref target="RFC4492" /> define a
public key as a point on the curve. In order to exchange public
keys, the points are serialized as a string of bytes. Since
EdDSA public keys already are string of bytes, no serialization
is needed.</t>
<t>We define the following ECPointFormat value for raw binary
EdDSA public keys.</t>
<figure>
<artwork><![CDATA[
enum {
eddsa_public_key(4),
} ECPointFormat;
]]></artwork>
</figure>
<t>When included in a ServerKeyExchange or ClientKeyExchange
message, the public key is wrapped in an ECPoint structure as
defined in <xref target="RFC4492" />, whose payload is as
described above.</t>
<t>For example, a Ed25519 public key with value
D75A980182B10AB7D54BFED3C964073A0EE172F3DAA62325AF021A68F707511A
appears on the wire as follows (including the length byte of
ECPoint.point).</t>
<figure>
<artwork><![CDATA[
20 D7 5A 98 01 82 B1 0A B7 D5 4B FE D3 C9 64 07
3A 0E E1 72 F3 DA A6 23 25 AF 02 1A 68 F7 07 51
1A
]]></artwork>
</figure>
</section>
<section title="Ed25519 NamedCurve"
anchor="NamedCurve">
<t>Negotiation the elliptic curve is signalled with the
Supported Elliptic Curves Extension extension. Here we extend
the NamedCurve enumeration for EdDSA with the Ed25519 parameter
choice.</t>
<figure>
<artwork><![CDATA[
enum {
ed25519(5)
} NamedCurve;
]]></artwork>
</figure>
</section>
<section title="Using EdDSA in a handshake">
<t>The following describe how EdDSA is used in a handshake. For
ease of explanation, we assume a full handshake. <xref
target="RFC4492" /> describes the semantics of ECC in TLS,
including how resumed handshakes work, and this document refer
to it for a complete discussion.</t>
<t>A client that wish to negotiate use of EdDSA in a handshake
MUST offer a ECDSA key exchange algorithm and send, in the same
way as is done for other Signature Algorithms in ECDSA, a
Signature Algorithm extension that include the "eddsa"
SignatureAlgorithm value. The HashAlgorithm, NamedCurve and
ECPointFormat types are also required, but depend on the actual
EdDSA parameter choices.</t>
<t>The HashAlgorithm value to specify for Ed25519 MUST be
"sha512", to indicate use of Ed25519-SHA-512 as defined in <xref
target="I-D.josefsson-eddsa-ed25519"/>. The meaning of using a
"eddsa" SignatureAlgorithm with other HashAlgorithms will
require additional specification to specify the meaning.</t>
<t>The Supported Elliptic Curves Extension ("NamedCurve") must
also contain the relevant curve. Currently the only curve
applicable to EdDSA is the "ed25519" NamedCurve value defined in
this document. This is used to indicate request for
Ed25519.</t>
<t>The client MUST also include a Supported Point Formats
Extension ("ECPointFormat") that contains the "eddsa_public_key"
value.</t>
</section>
<section title="IANA Considerations">
<t>IANA is requested to assign a number for EdDSA described in
<xref target='SignatureAlgorithm' /> to the Transport Layer
Security (TLS) Parameters <xref target='IANA-TLS' /> registry
under "SignatureAlgorithm" as follows.</t>
<texttable>
<preamble></preamble>
<ttcol align='center'>Value</ttcol>
<ttcol align='center'>Description</ttcol>
<ttcol align='center'>DTLS-OK</ttcol>
<ttcol align='center'>Reference</ttcol>
<c>4</c>
<c>eddsa</c>
<c>Y</c>
<c>This doc</c>
<postamble></postamble>
</texttable>
<t>IANA is requested to assign a number for Ed25519 described in
<xref target='NamedCurve' /> to the Transport Layer Security
(TLS) Parameters registry EC Named Curve <xref target='IANA-TLS'
/> as follows.</t>
<texttable>
<preamble></preamble>
<ttcol align='center'>Value</ttcol>
<ttcol align='center'>Description</ttcol>
<ttcol align='center'>DTLS-OK</ttcol>
<ttcol align='center'>Reference</ttcol>
<c>5</c>
<c>ed25519</c>
<c>Y</c>
<c>This doc</c>
<postamble></postamble>
</texttable>
<t>IANA is requested to assign a number for eddsa_public_key
described in <xref target='ECPointFormat' /> to the Transport
Layer Security (TLS) Parameters registry EC Point Format <xref
target='IANA-TLS' /> as follows. </t>
<texttable>
<preamble></preamble>
<ttcol align='center'>Value</ttcol>
<ttcol align='center'>Description</ttcol>
<ttcol align='center'>DTLS-OK</ttcol>
<ttcol align='center'>Reference</ttcol>
<c>4</c>
<c>eddsa_public_key</c>
<c>Y</c>
<c>This doc</c>
<postamble></postamble>
</texttable>
</section>
<section title="Security Considerations">
<t>The security considerations of <xref
target="RFC5246">TLS</xref>, <xref target="RFC6347">DTLS</xref>,
<xref target="RFC4492">TLS-ECC</xref>, and <xref
target="I-D.josefsson-eddsa-ed25519">EdDSA and Ed25519</xref>
are inherited.</t>
<t>As with all cryptographic algorithms and security protocols,
the reader should stay informed about new research insights into
the security of the algorithms and protocols involved.</t>
<t>While discussed in the EdDSA/Ed25519 specification and
papers, we would like to stress the significance of
EdDSA/Ed25519 implementation security. In particular,
implementations must avoid side-channel attacks by, for example,
being constant-time.</t>
</section>
<section title="Acknowledgements">
<t>Thanks to Yoav Nir for suggesting re-use of ECDSA cipher
suites with EdDSA, to reduce the cartesian product cipher suite
explosion. Thanks to Klaus Hartke and Nicolas Williams for
numerous fixes to the document. Other people who contributed
include Ilari Liusvaara and Martin Thomson.</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&rfc4492;
&rfc5246;
&rfc6347;
&eddsaed25519;
</references>
<references title="Informative References">
<reference anchor="IANA-TLS" target="http://www.iana.org/assignments/tls-parameters/tls-parameters.xml">
<front>
<title>Transport Layer Security (TLS) Parameters</title>
<author>
<organization>Internet Assigned Numbers Authority</organization>
</author>
<date month="" year=""/>
</front>
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-21 17:42:01 |