INTERNET-DRAFT                                       ECC Keys in the DNS
Expires: June 2003                                         December 2002


                     Elliptic Curve KEYs in the DNS
                     -------- ----- ---- -- --- ---
                   <draft-ietf-dnsext-ecc-key-03.txt>

                         Richard C. Schroeppel
                          Donald Eastlake 3rd


Status of This Document

   This draft is intended to become a Proposed Standard RFC.
   Distribution of this document is unlimited. Comments should be sent
   to the DNS mailing list <namedroppers@internic.com> or to the
   authors.

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.  Internet-Drafts are
   working documents of the Internet Engineering Task Force (IETF), its
   areas, and its working groups.  Note that other groups may also
   distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.


Abstract

   A standard method for storing elliptic curve cryptographic keys in
   the Domain Name System is described which utilizes the DNS KEY
   resource record.


R. Schroeppel, et al                                            [Page 1]


Acknowledgement

   The assistance of Hilarie K. Orman in the production of this document
   is gratefully acknowledged.


Table of Contents

      Status of This Document....................................1
      Abstract...................................................1
      Acknowledgement............................................2
      Table of Contents..........................................2

      1. Introduction............................................3
      2. Elliptic Curve KEY Resource Records.....................3
      3. The Elliptic Curve Equation.............................9
      4. How do I Compute Q, G, and Y?..........................10
      5. Performance Considerations.............................11
      6. Security Considerations................................11
      7. IANA Considerations....................................11

      References................................................13
      Authors' Addresses........................................14
      Expiration and File Name..................................14


1. Introduction

   The Domain Name System (DNS) is the global hierarchical replicated
   distributed database system for Internet addressing, mail proxy, and
   other information. The DNS has been extended to include digital
   signatures and cryptographic keys as described in [RFC 2535].

   This document describes how to store elliptic curve cryptographic
   (ECC) keys in the DNS so they can be used for a variety of security
   purposes.  A DNS elliptic curve SIG resource record is not defined.

   Familiarity with ECC cryptography is assumed [Menezes].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC 2119].


2. Elliptic Curve KEY Resource Records

   Elliptic curve public keys are stored in the DNS as KEY RRs using
   algorithm number 4 (see [RFC 2535]).  The structure of the RDATA
   portion of this RR is as shown below.  The first 4 octets, including
   the flags, protocol, and algorithm fields, are common to all KEY RRs.
   The remainder is the "public key" part of the KEY RR.

   The period of key validity is not in the KEY RR but is indicated by
   the SIG RR(s) which sign and authenticate the KEY RR(s) at that
   domain name and class.

   The research world continues to work on the issue of which is the
   best elliptic curve system, which finite field to use, and how to
   best represent elements in the field.  So, we have defined
   representations for every type of finite field, and every type of
   elliptic curve.  The reader should be aware that there is a unique
   finite field with a particular number of elements, but many possible
   representations of that field and its elements.  If two different
   representations of a field are given, they are interconvertible with
   a tedious but practical precomputation, followed by a fast
   computation for each field element to be converted.  It is perfectly
   reasonable for an algorithm to work internally with one field
   representation, and convert to and from a different external
   representation.


                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           KEY flags           |    protocol   |  algorithm=4  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |S M -FMT- A B Z|
   +-+-+-+-+-+-+-+-+
   |       LP      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        P (length determined from LP)       .../
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       LF      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        F (length determined from LF)       .../
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             DEG               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             DEGH              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             DEGI              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             DEGJ              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             TRDV              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |S|     LH      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        H (length determined from LH)       .../
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |S|     LK      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        K (length determined from LK)       .../
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       LQ      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Q (length determined from LQ)       .../
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       LA      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        A (length determined from LA)       .../
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             ALTA              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       LB      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        B (length determined from LB)       .../
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       LC      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        C (length determined from LC)       .../
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       LG      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        G (length determined from LG)       .../
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       LY      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Y (length determined from LY)       .../
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


   SMFMTABZ is a flags octet as follows:

        S = 1 indicates that the remaining 7 bits of the octet selects
           one of 128 predefined choices of finite field, element
           representation, elliptic curve, and signature parameters.
           MFMTABZ are omitted, as are all parameters from LP through G.
           LY and Y are retained.

        If S = 0, the remaining parameters are as in the picture and
           described below.

        M determines the type of field underlying the elliptic curve.

        M = 0 if the field is a GF[2^N] field;

        M = 1 if the field is a (mod P) or GF[P^D] field with P>2.

        FMT is a three bit field describing the format of the field
           representation.

        FMT = 0  for a (mod P) field.
            > 0  for an extension field, either GF[2^D] or GF[P^D].
                 The degree D of the extension, and the field polynomial
                 must be specified.  The field polynomial is always monic
                 (leading coefficient 1.)

        FMT = 1  The field polynomial is given explicitly; D is implied.

        If FMT >=2, the degree D is given explicitly.

           = 2  The field polynomial is implicit.
           = 3  The field polynomial is a binomial.  P>2.
           = 4  The field polynomial is a trinomial.
           = 5  The field polynomial is the quotient of a trinomial by a
                short polynomial.  P=2.
           = 6  The field polynomial is a pentanomial.  P=2.

        Flags A and B apply to the elliptic curve parameters.

        A = 1 When P>=5, the curve parameter A is negated.  If P=2, then
              A=1 indicates that the A parameter is special.  See the
              ALTA parameter below, following A.  The combination A=1,
              P=3 is forbidden.

        B = 1 When P>=5, the curve parameter B is negated.  If P=2 or 3,
              then B=1 indicates an alternate elliptic curve equation is
              used.  When P=2 and B=1, an additional curve parameter C
              is present.

        The Z bit SHOULD be set to zero on creation of KEY RR and MUST
           be ignored when processing a KEY RR (when S=0).

   Most of the remaining parameters are present in some formats and
   absent in others.  The presence or absence of a parameter is
   determined entirely by the flags.  When a parameter occurs, it is in
   the order defined by the picture.

   Of the remaining parameters, PFHKQABCGY are variable length.  When
   present, each is preceded by a one-octet length field as shown in the
   diagram above.  The length field does not include itself.  The length
   field may have values from 0 through 110.  The parameter length in
   octets is determined by a conditional formula:  If LL<=64, the
   parameter length is LL.  If LL>64, the parameter length is 16 times
   (LL-60).  In some cases, a parameter value of 0 is sensible, and MAY
   be represented by an LL value of 0, with the data field omitted.  A
   length value of 0 represents a parameter value of 0, not an absent
   parameter.  (The data portion occupies 0 space.)  There is no
   requirement that a parameter be represented in the minimum number of
   octets; high-order 0 octets are allowed at the front end.  Parameters
   are always right adjusted, in a field of length defined by LL.  The
   octet-order is always most-significant first, least-significant last.
   The parameters H and K may have an optional sign bit stored in the
   unused high-order bit of their length fields.

   LP defines the length of the prime P.  P must be an odd prime.  The
   parameters LP,P are present if and only if the flag M=1.  If M=0, the
   prime is 2.

   LF,F define an explicit field polynomial.  This parameter pair is
   present only when FMT = 1.  The length of a polynomial coefficient is
   ceiling(log2 P) bits.  Coefficients are in the numerical range
   [0,P-1].  The coefficients are packed into fixed-width fields, from
   higher order to lower order.  All coefficients must be present,
   including any 0s and also the leading coefficient (which is required
   to be 1).  The coefficients are right justified into the octet string
   of length specified by LF, with the low-order "constant" coefficient
   at the right end.  As a concession to storage efficiency, the higher
   order bits of the leading coefficient may be elided, discarding high-
   order 0 octets and reducing LF.  The degree is calculated by
   determining the bit position of the leftmost 1-bit in the F data
   (counting the rightmost bit as position 0), and dividing by
   ceiling(log2 P).  The division must be exact, with no remainder.  In
   this format, all of the other degree and field parameters are
   omitted.  The next parameters will be LQ,Q.

   If FMT>=2, the degree of the field extension is specified explicitly,
   usually along with other parameters to define the field polynomial.

   DEG is a two octet field that defines the degree of the field
   extension.  The finite field will have P^DEG elements.  DEG is
   present when FMT>=2.

   When FMT=2, the field polynomial is specified implicitly.  No other
   parameters are required to define the field; the next parameters
   present will be the LQ,Q pair.  The implicit field polynomial is the
   lexicographically smallest irreducible (mod P) polynomial of the
   correct degree.  The ordering of polynomials is by highest-degree
   coefficients first -- the leading coefficient 1 is most important,
   and the constant term is least important.  Coefficients are ordered
   by sign-magnitude:  0 < 1 < -1 < 2 < -2 < ...  The first polynomial
   of degree D is X^D (which is not irreducible).  The next is X^D+1,
   which is sometimes irreducible, followed by X^D-1, which isn't.
   Assuming odd P, this series continues to X^D - (P-1)/2, and then goes
   to X^D + X, X^D + X + 1, X^D + X - 1, etc.

   When FMT=3, the field polynomial is a binomial, X^DEG + K.  P must be
   odd.  The polynomial is determined by the degree and the low order
   term K.  Of all the field parameters, only the LK,K parameters are
   present.  The high-order bit of the LK octet stores an optional sign
   for K; if the sign bit is present, the field polynomial is X^DEG - K.

   When FMT=4, the field polynomial is a trinomial, X^DEG + H*X^DEGH +
   K.  When P=2, the H and K parameters are implicitly 1, and are
   omitted from the representation.  Only DEG and DEGH are present; the
   next parameters are LQ,Q.  When P>2, then LH,H and LK,K are
   specified.  Either or both of LH, LK may contain a sign bit for its
   parameter.

   When FMT=5, then P=2 (only).  The field polynomial is the exact
   quotient of a trinomial divided by a small polynomial, the trinomial
   divisor.  The small polynomial is right-adjusted in the two octet
   field TRDV.  DEG specifies the degree of the field.  The degree of
   TRDV is calculated from the position of the high-order 1 bit.  The
   trinomial to be divided is X^(DEG+degree(TRDV)) + X^DEGH + 1.  If
   DEGH is 0, the middle term is omitted from the trinomial.  The
   quotient must be exact, with no remainder.

   When FMT=6, then P=2 (only).  The field polynomial is a pentanomial,
   with the degrees of the middle terms given by the three 2-octet
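The S=0 wire layout, the LL<=64 / 16*(LL-60) length rule, the optional sign bit on LH/LK and the FMT=1 explicit-polynomial rule from Section 2 above, worked through as an added decoder (example code, not part of the draft or of any BIND implementation). It handles the FMT=0 and FMT=1 layouts and rejects S=1, FMT>=2 and the P=2 ALTA/C variants; the sample RDATA bytes, including the protocol value and the Q, A, B, G, Y values, are constructed for illustration.

```python
def decode_flags(octet):
    """Split the SMFMTABZ octet; S is the high-order bit, FMT the three bits below M."""
    return {"S": octet >> 7, "M": (octet >> 6) & 1, "FMT": (octet >> 3) & 7,
            "A": (octet >> 2) & 1, "B": (octet >> 1) & 1, "Z": octet & 1}

def param_length(ll):
    """Octets of data announced by a length field: LL if LL<=64, else 16*(LL-60)."""
    if ll > 110:
        raise ValueError("length field above 110")
    return ll if ll <= 64 else 16 * (ll - 60)

def read_param(data, pos, signed=False):
    """Read one LL-prefixed, most-significant-first parameter; H and K may carry a sign in LL's top bit."""
    ll, neg = data[pos], False
    if signed:
        neg, ll = bool(ll & 0x80), ll & 0x7F
    n = param_length(ll)
    if pos + 1 + n > len(data):
        raise ValueError("parameter runs past the end of RDATA")
    value = int.from_bytes(data[pos + 1:pos + 1 + n], "big")  # n == 0 encodes the value 0
    return (-value if neg else value), pos + 1 + n

def explicit_field_poly(f, p):
    """FMT=1: (degree, coefficients high-order first); width ceiling(log2 P) bits, exact division."""
    w = (p - 1).bit_length()             # equals ceiling(log2 P) for P >= 2
    top = f.bit_length() - 1             # position of the leftmost 1-bit, rightmost bit is 0
    if f == 0 or top % w:
        raise ValueError("F is not a whole number of coefficients")
    deg = top // w
    coeffs = [(f >> (w * i)) & ((1 << w) - 1) for i in range(deg, -1, -1)]
    if coeffs[0] != 1 or max(coeffs) >= p:
        raise ValueError("leading coefficient must be 1 and all coefficients in [0, P-1]")
    return deg, coeffs

def parse_key_rdata(rdata):
    """Walk KEY flags, protocol, algorithm=4, SMFMTABZ, then the parameters the flags select."""
    fl = decode_flags(rdata[4])
    if rdata[3] != 4 or fl["S"] or fl["FMT"] > 1 or (fl["M"] == 0 and (fl["A"] or fl["B"])):
        raise ValueError("algorithm != 4, S=1, FMT>=2 or the P=2 ALTA/C variants: not handled")
    out, pos = {"flags": fl}, 5
    out["P"], pos = read_param(rdata, pos) if fl["M"] else (2, pos)  # LP,P only when M=1
    if fl["FMT"] == 1:                                                # LF,F only when FMT=1
        f, pos = read_param(rdata, pos)
        out["DEG"], out["F"] = explicit_field_poly(f, out["P"])
    for name in ("Q", "A", "B", "G", "Y"):                            # always present when S=0
        out[name], pos = read_param(rdata, pos)
    return out

# Constructed sample RDATA: GF[2^3] with F = x^3+x+1 (0b1011), protocol 3, LA=0 encodes A=0,
# G carries a high-order 0 octet; the Q, B, G, Y values are arbitrary.
SAMPLE = bytes.fromhex("0000 03 04 08 010b 0107 00 0101 020005 0106")
```

`parse_key_rdata(SAMPLE)` returns P=2, DEG=3, F=[1, 0, 1, 1] and Q=7, A=0, B=1, G=5, Y=6; a length field above 110, a non-exact degree division or a parameter running past the RDATA each raise ValueError instead of silently misparsing.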