One document matched: draft-josefsson-tls-eddsa2-02.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc4492 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4492.xml">
<!ENTITY rfc5246 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml">
<!ENTITY rfc6347 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6347.xml">
<!ENTITY eddsaed25519 SYSTEM
"http://xml.resource.org/public/rfc/bibxml3/reference.I-D.josefsson-eddsa-ed25519.xml">
]>
<?rfc symrefs="yes"?>
<rfc category="std"
ipr="trust200902"
docName="draft-josefsson-tls-eddsa2-02" >
<front>
<title abbrev="EdDSA and Ed25519 for TLS">
EdDSA and Ed25519 for Transport Layer Security (TLS)
</title>
<author fullname="Simon Josefsson" initials="S." surname="Josefsson">
<organization>SJD AB</organization>
<address>
<email>simon@josefsson.org</email>
</address>
</author>
<date month="June" year="2015" />
<keyword>TLS, Elliptic Curve Cryptography, EdDSA, Ed25519,
Curve25519, X25519</keyword>
<abstract>
<t>This document introduce the public-key signature algorithm
EdDSA for use in Transport Layer Security (TLS). By defining
new SignatureAlgorithm and NamedCurve enumeration values, we
describe how EdDSA and Ed25519 is used for digital signatures in
the existing ECDSA cipher suites. This is intended to work with
any version of TLS and Datagram TLS.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t><xref target="RFC5246">TLS</xref> and <xref
target="RFC6347">DTLS</xref> support different key exchange
algorithms and authentication mechanisms, and define the
SignatureAlgorithm enumeration for different signature
algorithms. In <xref target="RFC4492">TLS-ECC</xref>, key
exchange and authentication using ECC is specified, where the
NamedCurve registry and associated TLS extensions are
introduced.</t>
<t>This document describes how to use <xref
target="I-D.josefsson-eddsa-ed25519">EdDSA and Ed25519</xref> as
a new authentication mechanism in TLS. It define new
SignatureAlgorithm and NamedCurve enumeration values and
describe how these are used to negotiate EdDSA-based
signatures.</t>
<t>The goal is that all existing ECDSA cipher suites will, when
the EdDSA SignatureAlgorithm is negotiated, use EdDSA instead of
the traditional ECDSA signature algorithm.</t>
<t>This document is a self-contained alternative to
draft-josefsson-tls-eddsa. This document reuse the ECDSA cipher
suites for EdDSA, whereas draft-josefsson-tls-eddsa specify new
cipher suites for EdDSA. It is an open issue which approach is
to be prefered.</t>
<section title="Requirements Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described
in <xref target="RFC2119" />.</t>
</section>
</section>
<section title="EdDSA SignatureAlgorithm"
anchor="SignatureAlgorithm">
<t>Negotiation of the authentication mechanism is signalled by
sending a SignatureAlgorithm value. Here we extend this
enumeration for EdDSA.</t>
<figure>
<artwork><![CDATA[
enum {
eddsa(TBD1)
} SignatureAlgorithm;
]]></artwork>
</figure>
<t>EdDSA is suitable for use with TLS <xref target='RFC5246'/>
and DTLS <xref target='RFC6347'/>.</t>
<t>Note that EdDSA merely signals which signature algorithm to
use, it does not imply any curve or hash parameter choice.</t>
<t>For TLS 1.0 and 1.1 the DigitallySigned structure did not
convey the signature algorithm to use, and hence implementations
need to inspect the certificate to find out the signature
algorithm to use.</t>
</section>
<section title="Ed25519 NamedCurve"
anchor="NamedCurve">
<t>Negotiation the elliptic curve is signalled with the
Supported Elliptic Curves Extension extension. Here we extend
the NamedCurve enumeration for EdDSA with the Ed25519 parameter
choice.</t>
<figure>
<artwork><![CDATA[
enum {
ed25519(TBD3)
} NamedCurve;
]]></artwork>
</figure>
</section>
<section title="Using EdDSA in a handshake">
<t>The following describe how EdDSA is used in a handshake. For
ease of explanation, we assume a full handshake. <xref
target="RFC4492" /> describes the semantics of ECC in TLS,
including how resumed handshakes work, and this document refer
to it for a complete discussion.</t>
<t>A client that wish to negotiate use of EdDSA in a handshake
MUST offer a ECDSA key exchange algorithm and send, in the same
way as is done for other Signature Algorithms in ECDSA, a
Signature Algorithm extension that include the "eddsa"
SignatureAlgorithm value. The HashAlgorithm and NamedCurve
types are also used, but depend on the actual EdDSA parameter
choices.</t>
<t>The HashAlgorithm value to specify for Ed25519 MUST be
"sha512", to indicate use of Ed25519-SHA-512 as defined in <xref
target="I-D.josefsson-eddsa-ed25519"/>. The meaning of using a
"eddsa" SignatureAlgorithm with other HashAlgorithms is not
defined here.</t>
<t>The Supported Elliptic Curves Extension ("NamedCurve") must
contain the relevant curve. Currently the only curve applicable
to EdDSA is the "ed25519" NamedCurve value defined in this
document. This is used to indicate request for Ed25519.</t>
<t>Where applicable, the Supported Point Formats Extension
("ECPointFormat") value to use for EdDSA is "uncompressed". The
format of EdDSA public-keys, e.g. Ed25519-SHA-512 public-keys,
follows from the NamedCurve and HashAlgorithm value.</t>
</section>
<section title="IANA Considerations">
<t>IANA is requested to assign a number for EdDSA described in
<xref target='SignatureAlgorithm' /> to the Transport Layer
Security (TLS) Parameters <xref target='IANA-TLS' /> registry
under "SignatureAlgorithm" as follows.</t>
<texttable>
<preamble></preamble>
<ttcol align='center'>Value</ttcol>
<ttcol align='center'>Description</ttcol>
<ttcol align='center'>DTLS-OK</ttcol>
<ttcol align='center'>Reference</ttcol>
<c>TBD1</c>
<c>eddsa</c>
<c>Y</c>
<c>This doc</c>
<postamble></postamble>
</texttable>
<t>IANA is requested to assign a number for Ed25519 described in
<xref target='NamedCurve' /> to the Transport Layer Security
(TLS) Parameters registry EC Named Curve <xref target='IANA-TLS'
/> as follows.</t>
<texttable>
<preamble></preamble>
<ttcol align='center'>Value</ttcol>
<ttcol align='center'>Description</ttcol>
<ttcol align='center'>DTLS-OK</ttcol>
<ttcol align='center'>Reference</ttcol>
<c>TBD2</c>
<c>ed25519</c>
<c>Y</c>
<c>This doc</c>
<postamble></postamble>
</texttable>
</section>
<section title="Security Considerations">
<t>The security considerations of <xref
target="RFC5246">TLS</xref>, <xref target="RFC6347">DTLS</xref>,
<xref target="RFC4492">TLS-ECC</xref>, and <xref
target="I-D.josefsson-eddsa-ed25519">EdDSA and Ed25519</xref>
are inherited.</t>
<t>As with all cryptographic algorithms and security protocols,
the reader should stay informed about new research insights into
the security of the algorithms and protocols involved.</t>
<t>While discussed in the EdDSA/Ed25519 specification and
papers, we would like to stress the significance of
EdDSA/Ed25519 implementation security. In particular,
implementations must avoid side-channel attacks by, for example,
being constant-time.</t>
</section>
<section title="Acknowledgements">
<t>Thanks to Yoav Nir for suggesting re-use of ECDSA cipher
suites with EdDSA, to reduce the cartesian product cipher suite
explosion. Thanks to Klaus Hartke and Nicolas Williams for
numerous fixes to the document. Other people who contributed
include Ilari Liusvaara and Martin Thomson.</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&rfc4492;
&rfc5246;
&rfc6347;
&eddsaed25519;
</references>
<references title="Informative References">
<reference anchor="IANA-TLS" target="http://www.iana.org/assignments/tls-parameters/tls-parameters.xml">
<front>
<title>Transport Layer Security (TLS) Parameters</title>
<author>
<organization>Internet Assigned Numbers Authority</organization>
</author>
<date month="" year=""/>
</front>
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-21 17:50:23 |