Re: HIT Suites and algorithms used in RFC5201-bis
Tobias Heer <heer <at> cs.rwth-aachen.de>
2010-12-09 19:00:16 GMT
On 09.12.2010 at 17:31, Henderson, Thomas R wrote:
>> -----Original Message-----
>> From: hipsec-bounces <at> ietf.org
>> [mailto:hipsec-bounces <at> ietf.org] On Behalf Of Tobias Heer
>> Sent: Thursday, December 09, 2010 2:27 AM
>> To: hipsec <at> ietf.org
>> Subject: [Hipsec] HIT Suites and algorithms used in RFC5201-bis
>> ECDSA/SHA-384 bundles two ECC curves (NIST P-256 and P-384) with SHA-384. Both
>> curves must be implemented by hosts that implement this HIT suite.
>> ECDSA_LOW/SHA-1 is meant for devices with limited computation capabilities. It
>> uses the SECP160R curve from SECG.
>> If we want to make a bold move towards ECC cryptography (and make packet
>> fragmentation, etc. less likely) we could change the REQUIRED and RECOMMENDED
>> tags so that we REQUIRE the ECDSA/SHA-384 HIT SUITE and make the other two
>> recommended. Any comments on this?
> Has anyone checked into the availability of these suites in cryptographic libraries and hardware?
I have checked that these are available in the widely used openssl library. They all are.
> Can you clarify what you believe are the implications that you hint at ("packet fragmentation, etc.")?
Large RSA/DSA Keys, large RSA signatures and certificates may add up to a considerable amount of data in HIP
control packets. Reducing the size of the keys (compared to RSA/DSA) and the size of the signatures
(compared to RSA) may reduce the probability of packet fragmentation for HIP control packets - that was my
train of thought. Sorry for not making it more obvious.
>> The ECDH groups look similar:
>>
>>    Group                  Value
>>    Reserved                   0
>>    DEPRECATED                 1
>>    DEPRECATED                 2
>>    1536-bit MODP group        3   [RFC3526]
>>    3072-bit MODP group        4   [RFC3526]
>>    DEPRECATED                 5
>>    DEPRECATED                 6
>>    NIST P-256                 7   [RFC4753]
>>    NIST P-384                 8   [RFC4753]
>>    NIST P-521                 9   [RFC4753]
>>    SECP160R1                 10   [SECG]
>>
>> Groups 7 to 10 are new in RFC5201-bis. Again, group 10 is meant for devices
>> with low computation capabilities and should be used only if long-term
>> confidentiality is not required.
>> The DEPRECATED values are groups that were present in RFC5201 but have been
>> removed in RFC5201-bis. They have to be removed before we finish the document.
>> Are there any comments regarding the selection of algorithms? With the selected
>> ECC curves, we tried to stay as close as possible to other Internet standards
>> (IKE, TLS) that already use ECC.
> I don't have other comments and agree with trying to stay close to the predecessors.
> - Tom
Dipl.-Inform. Tobias Heer, Ph.D. Student
Chair of Communication and Distributed Systems - comsys
RWTH Aachen University, Germany
tel: +49 241 80 207 76
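To make the "packet fragmentation" argument from the message above concrete, here is an added size model (example code, not part of the thread) that estimates the on-wire size of an R1 packet carrying the DIFFIE_HELLMAN, HOST_ID and HIP_SIGNATURE parameters for the RSA/MODP pairings versus the ECDSA/ECDH groups 7, 8 and 10 listed in the mail. The per-field layouts (RFC 3110 style RSA HI, uncompressed EC points, raw r||s ECDSA signatures, 8-byte parameter padding) are simplifying assumptions of this model, and the 200-byte "extra" used for a certificate is a constructed sample value.

```python
from math import ceil

IPV6_HEADER = 40   # bytes
HIP_HEADER = 40    # 8-byte fixed part + sender HIT + receiver HIT (16 bytes each)
TLV = 4            # Type + Length fields of every HIP parameter

def pad8(n: int) -> int:
    """HIP parameters are padded out to a multiple of 8 bytes."""
    return (n + 7) // 8 * 8

# Host Identity (HI), signature and DH public value sizes; layouts are assumptions.
def rsa_hi(bits): return 4 + ceil(bits / 8)          # exp-length byte, 3-byte exponent, modulus
def ecdsa_hi(bits): return 3 + 2 * ceil(bits / 8)    # 2-byte curve id + uncompressed point
def rsa_sig(bits): return ceil(bits / 8)             # PKCS#1: as long as the modulus
def ecdsa_sig(bits): return 2 * ceil(bits / 8)       # raw r || s
def modp_dh(bits): return ceil(bits / 8)             # MODP public value
def ec_dh(bits): return 1 + 2 * ceil(bits / 8)       # uncompressed EC point

def host_id_param(hi): return pad8(TLV + 4 + hi)     # HI Length + DI fields, no domain id
def signature_param(sig): return pad8(TLV + 2 + sig) # 2-byte signature algorithm field
def dh_param(pub): return pad8(TLV + 3 + pub)        # Group ID + Public Value Length

# (HI bytes, signature bytes, DH public value bytes) per pairing discussed in the thread
SUITES = {
    "RSA-3072 / 3072-bit MODP (group 4)": (rsa_hi(3072), rsa_sig(3072), modp_dh(3072)),
    "RSA-2048 / 1536-bit MODP (group 3)": (rsa_hi(2048), rsa_sig(2048), modp_dh(1536)),
    "ECDSA P-384 / NIST P-384 (group 8)": (ecdsa_hi(384), ecdsa_sig(384), ec_dh(384)),
    "ECDSA P-256 / NIST P-256 (group 7)": (ecdsa_hi(256), ecdsa_sig(256), ec_dh(256)),
    "ECDSA_LOW secp160r1 (group 10)":     (ecdsa_hi(160), ecdsa_sig(160), ec_dh(160)),
}

def r1_bytes(suite: str, extra: int = 0) -> int:
    """IPv6 packet size of an R1 carrying DIFFIE_HELLMAN, HOST_ID and HIP_SIGNATURE.
    `extra` stands in for the other parameters (puzzle, transforms, a CERT ...)."""
    hi, sig, dh = SUITES[suite]
    return (IPV6_HEADER + HIP_HEADER + dh_param(dh)
            + host_id_param(hi) + signature_param(sig) + extra)

def fits(suite: str, mtu: int = 1280, extra: int = 0) -> bool:
    """True if the packet needs no fragmentation at the given path MTU (1280 = IPv6 minimum)."""
    return r1_bytes(suite, extra) <= mtu

if __name__ == "__main__":
    for name in SUITES:
        print(f"{name:36s} {r1_bytes(name):5d} bytes; with 200-byte CERT fits 1280 MTU: {fits(name, extra=200)}")
```

With these assumptions the RSA-3072/MODP-3072 R1 already sits at 1264 bytes before any certificate or other parameter, while the P-256 variant stays around 300 bytes.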