DNS Extensions Working Group F. Dupont
Internet-Draft Internet Systems Consortium
Updates: 2930,2539,2931 (if approved) February 18, 2013
Intended status: Standards Track
Expires: August 22, 2013

Modern cryptography TKEY
draft-dupont-dnsext-ec-tkey-00

Abstract

This document updates the TKEY resource record specifications for the use of Elliptic Curve Diffie-Hellman, and related IANA registries.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on August 22, 2013.

Copyright Notice

Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

1. Introduction

The TKEY resource record [RFC2930] was designed to enable the establishment of a shared secret between DNS client and server, using GSS-API or a Diffie-Hellman exchange.

The purpose of this document is to modernize the cryptography used by the Diffie-Hellman variant of TKEY, i.e., to move to ECDH (Elliptic Curve Diffie-Hellman). As a side effect, registries for the DH KEY [RFC2539] and SIG(0) [RFC2931] resource records are updated.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119 [RFC2119].

2. ECDH groups

This document specifies a new "well-known group" with a 1536 bit prime for the DH KEY resource record [RFC2539], taken from the expired revision [I-D.ietf-dnsext-rfc2539bis-dhk], in the Appendix A. (this group is supported by some implementations, the idea is to make it official)

The NIST P-256 and P-384 curve groups are added as groups 13 and 14. These groups are already used in several IETF RFCs, including [RFC5114], or for DNSSEC [RFC6605]. A public key is the uncompressed form of a curve point, so on twice 256 or 384 bits. The shared secret is the first coordinate of the Diffie-Hellman common value, so on 256 or 384 bits.

3. ECDH TKEY

The ECDH TKEY reuses the DH TKEY (RFC2930 [RFC2930] section 4.1) specification with some changes.

The Diffie-Hellman exchange uses the Elliptic Curve P-256 group, the hash function is SHA-256.

The "key data" lengths MUST be at least 128 bits / 16 octets, and SHOULD be at most 256 bits / 32 octets.

      keymat = HMAC-SHA-256(query data | server data, ECDH value)

The "keying material" is derived using the formula (taken from IKEv2 [RFC4306]):

4. IANA Considerations

The "DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs" registry is modified by the addition of entries for 3, 13 and 14, with "A 1536 bit prime", "EC P-256" and "EC P-384" for descriptions, and this document for the reference.

The "DNS Security Algorithm Numbers" registry is modified by adding TKEY in the "transaction security mechanisms" and by making ECDSAP256SHA256 and ECDSAP384SHA384 eligible for transaction security.

The "SIG (0) Algorithm Numbers" registry is either updated / aligned with the preceding one, or simply suppressed as its content was merged into the preceding one.

5. Security Considerations

The Elliptic Curve cryptography is considered as being as safe as the modular prime field one but with faster operations and far smaller payloads, so should be a vector for better security.

In the same way, more support and use of TKEY should be encouraged. This is why it had to be re-based on modern cryptography tools.

To share a private key for two different usages is recognized as a bad practice, so when an ECDH TKEY is authenticated by ECDSAP256SHA256, the private key SHOULD NOT be shared.

6. Acknowledgments

Donald E. Eastlake 3rd is the author of the expired DH KEY revision [I-D.ietf-dnsext-rfc2539bis-dhk] where the well-known group 3 was taken.

7. References

7.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2539] Eastlake, D.E., "Storage of Diffie-Hellman Keys in the Domain Name System (DNS)", RFC 2539, March 1999.
[RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY RR)", RFC 2930, September 2000.
[RFC2931] Eastlake, D., "DNS Request and Transaction Signatures ( SIG(0)s)", RFC 2931, September 2000.
[RFC5114] Lepinski, M. and S. Kent, "Additional Diffie-Hellman Groups for Use with IETF Standards", RFC 5114, January 2008.

7.2. Informative References

[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005.
[RFC6605] Hoffman, P. and W.C.A. Wijngaards, "Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC", RFC 6605, April 2012.
[I-D.ietf-dnsext-rfc2539bis-dhk] Eastlake, D., "Storage of Diffie-Hellman Keying Information in the DNS", Internet-Draft draft-ietf-dnsext-rfc2539bis-dhk-08, October 2006.

Appendix A. Well-Known Group 3: A 1536 bit prime

The prime is 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }. 

        241031242692103258855207602219756607485695054850245994265411
        694195810883168261222889009385826134161467322714147790401219
        650364895705058263194273070680500922306273474534107340669624
        601458936165977404102716924945320037872943417032584377865919
        814376319377685986952408894019557734611984354530154704374720
        774996976375008430892633929555996888245787241299381012913029
        459299994792636526405928464720973038494721168143446471443848
        8520940127459844288859336526896320919633919

Its decimal value is: 

          FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
          29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
          EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
          E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
          EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
          C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
          83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
          670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF

Prime modulus Length (32 bit words): 48, Data (hex):

Generator: Length (32 bit words): 1, Data (hex): 2

Author's Address

Francis Dupont Internet Systems Consortium EMail: fdupont@isc.org

Table of Contents