-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathdraft-ietf-tls-rfc4492bis.xml
1186 lines (1176 loc) · 75.5 KB
/
draft-ietf-tls-rfc4492bis.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0"?>
<?xml-stylesheet type='text/xsl' href='./rfc2629.xslt' ?>
<?rfc compact="yes" ?>
<?rfc sortrefs="yes" ?>
<?rfc strict="yes" ?>
<?rfc linkmailto="yes" ?>
<?rfc toc="yes"?>
<?rfc tocdepth="4"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" >
<?xml-stylesheet type='text/xsl' href='./rfc2629.xslt' ?>
<?rfc symrefs="yes"?>
<?rfc compact="yes" ?>
<?rfc subcompact="yes" ?>
<?rfc sortrefs="yes" ?>
<rfc ipr="trust200902" docName="draft-ietf-tls-rfc4492bis-17" category="std" obsoletes="4492">
<front>
<title abbrev="ECC Cipher Suites for TLS">Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier</title>
<author initials="Y." surname="Nir" fullname="Yoav Nir">
<organization abbrev="Check Point">Check Point Software Technologies Ltd.</organization>
<address>
<postal>
<street>5 Hasolelim st.</street>
<city>Tel Aviv</city>
<code>6789735</code>
<country>Israel</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author fullname="Simon Josefsson" initials="S." surname="Josefsson">
<organization>SJD AB</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<author fullname="Manuel Pegourie-Gonnard"
initials="M." surname="Pegourie-Gonnard">
<organization>Independent / PolarSSL</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<date year="2017"/>
<area>Security Area</area>
<workgroup>TLS Working Group</workgroup>
<keyword>Internet-Draft</keyword>
<abstract>
<t> This document describes key exchange algorithms based on Elliptic Curve Cryptography (ECC) for the Transport
Layer Security (TLS) protocol. In particular, it specifies the use of Ephemeral Elliptic Curve Diffie-Hellman
(ECDHE) key agreement in a TLS handshake and the use of Elliptic Curve Digital Signature Algorithm (ECDSA) and
Edwards Digital Signature Algorithm (EdDSA) as authentication mechanisms.</t>
<t> This document obsoletes and replaces RFC 4492.</t>
</abstract>
</front>
<!--
Changes from RFC 4492:
* Added mention of TLS 1.2
* Removed "required reading" for ECC from the Introduction. ECC is not longer "exotic"
* Moved the original authors to the Acknowledgement section.
* Added EdDSA.
* Added CFRG curves.
-->
<middle>
<!-- ====================================================================== -->
<section anchor="introduction" title="Introduction">
<t> This document describes additions to TLS to support ECC, applicable to TLS versions 1.0
<xref target="RFC2246"/>, 1.1 <xref target="RFC4346"/>, and 1.2 <xref target="RFC5246"/>. The use of ECC in
TLS 1.3 is defined in <xref target="I-D.ietf-tls-tls13" />, and is explicitly out of scope for this document.
In particular, this document defines:<list style="symbols">
<t> the use of the ECDHE key agreement scheme with ephemeral keys to establish the
TLS premaster secret, and</t>
<t>the use of ECDSA and EdDSA signatures for authentication of TLS peers.</t></list></t>
<t> The remainder of this document is organized as follows. <xref target="ecdh"/> provides an overview of
ECC-based key exchange algorithms for TLS. <xref target="clientauth"/> describes the use of ECC certificates
for client authentication. TLS extensions that allow a client to negotiate the use of specific curves and
point formats are presented in <xref target="tlsext"/>. <xref target="structs"/> specifies various data
structures needed for an ECC-based handshake, their encoding in TLS messages, and the processing of those
messages. <xref target="suites"/> defines ECC-based cipher suites and identifies a small subset of these
as recommended for all implementations of this specification. <xref target="sec"/> discusses security
considerations. <xref target="iana"/> describes IANA considerations for the name spaces created by this
document's predecessor. <xref target="ack" /> gives acknowledgements. <xref target="rfc4492diff" />
provides differences from <xref target="RFC4492" />, the document that this one replaces.</t>
<t> Implementation of this specification requires familiarity with TLS, TLS extensions
<xref target="RFC4366" />, and ECC.</t>
<section anchor="mustshouldmay" title="Conventions Used in This Document">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described
in <xref target="RFC2119"/>.</t>
</section>
</section>
<section anchor="ecdh" title="Key Exchange Algorithm">
<t> This document defines three new ECC-based key exchange algorithms for TLS. All of them use Ephemeral
ECDH (ECDHE) to compute the TLS premaster secret, and they differ only in the mechanism (if any) used to
authenticate them. The derivation of the TLS master secret from the premaster secret and the subsequent
generation of bulk encryption/MAC keys and initialization vectors is independent of the key exchange
algorithm and not impacted by the introduction of ECC.</t>
<t> <xref target="tbl2"/> summarizes the new key exchange algorithms. All of these key exchange algorithms
provide forward secrecy if and only if fresh ephemeral keys are generated and used, and also destroyed
after use.</t>
<texttable anchor="tbl2" title="ECC Key Exchange Algorithms">
<ttcol align="left">Algorithm</ttcol>
<ttcol align="left">Description</ttcol>
<c>ECDHE_ECDSA</c><c>Ephemeral ECDH with ECDSA or EdDSA signatures.</c>
<c>ECDHE_RSA</c><c>Ephemeral ECDH with RSA signatures.</c>
<c>ECDH_anon</c><c>Anonymous ephemeral ECDH, no signatures.</c>
</texttable>
<t> These key exchanges are analogous to DHE_DSS, DHE_RSA, and DH_anon, respectively.</t>
<t> With ECDHE_RSA, a server
can reuse its existing RSA certificate and easily comply with a constrained client's elliptic curve
preferences (see <xref target="tlsext"/>). However, the computational cost incurred by a server is higher
for ECDHE_RSA than for the traditional RSA key exchange, which does not provide forward secrecy.</t>
<t> The anonymous key exchange algorithm does not provide authentication of the server or the client. Like
other anonymous TLS key exchanges, it is subject to man-in-the-middle attacks. Applications using TLS with
this algorithm SHOULD provide authentication by other means.</t>
<t><figure>
<artwork><![CDATA[
Client Server
------ ------
ClientHello -------->
ServerHello
Certificate*
ServerKeyExchange*
CertificateRequest*+
<-------- ServerHelloDone
Certificate*+
ClientKeyExchange
CertificateVerify*+
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <-------> Application Data
* message is not sent under some conditions
+ message is not sent unless client authentication
is desired
]]></artwork><postamble>Figure 1: Message flow in a full TLS 1.2 handshake</postamble>
</figure></t>
<t> Figure 1 shows all messages involved in the TLS key establishment protocol (aka full handshake). The
addition of ECC has direct impact only on the ClientHello, the ServerHello, the server's Certificate
message, the ServerKeyExchange, the ClientKeyExchange, the CertificateRequest, the client's Certificate
message, and the CertificateVerify. Next, we describe the ECC key exchange algorithm in greater detail
in terms of the content and processing of these messages. For ease of exposition, we defer discussion of
client authentication and associated messages (identified with a + in Figure 1) until
<xref target="clientauth" /> and of the optional ECC-specific extensions (which impact the Hello messages)
until <xref target="tlsext" />.</t>
<section anchor="ecdhe_ecdsa" title="ECDHE_ECDSA">
<t> In ECDHE_ECDSA, the server's certificate MUST contain an ECDSA- or EdDSA-capable public key.</t>
<t> The server sends its ephemeral ECDH public key and a specification of the corresponding curve in the
ServerKeyExchange message. These parameters MUST be signed with ECDSA or EdDSA using the private key
corresponding to the public key in the server's Certificate.</t>
<t> The client generates an ECDH key pair on the same curve as the server's ephemeral ECDH key and sends its
public key in the ClientKeyExchange message.</t>
<t> Both client and server perform an ECDH operation <xref target="alg_computes"/> and use the resultant
shared secret as the premaster secret.</t>
</section>
<section anchor="ecdhe_rsa" title="ECDHE_RSA">
<t> This key exchange algorithm is the same as ECDHE_ECDSA except that the server's certificate MUST contain
an RSA public key authorized for signing, and that the signature in the ServerKeyExchange message must be
computed with the corresponding RSA private key.</t>
</section>
<section anchor="ecdh_anon" title="ECDH_anon">
<t> NOTE: Despite the name beginning with "ECDH_" (no E), the key used in ECDH_anon is ephemeral just like
the key in ECDHE_RSA and ECDHE_ECDSA. The naming follows the example of DH_anon, where the key is also
ephemeral but the name does not reflect it.</t>
<t> In ECDH_anon, the server's Certificate, the CertificateRequest, the client's Certificate, and the
CertificateVerify messages MUST NOT be sent.</t>
<t> The server MUST send an ephemeral ECDH public key and a specification of the corresponding curve in
the ServerKeyExchange message. These parameters MUST NOT be signed.</t>
<t> The client generates an ECDH key pair on the same curve as the server's ephemeral ECDH key and sends
its public key in the ClientKeyExchange message.</t>
<t> Both client and server perform an ECDH operation and use the resultant shared secret as the premaster
secret. All ECDH calculations are performed as specified in <xref target="alg_computes"/>.</t>
</section>
<section anchor="certchainalgs" title="Algorithms in Certificate Chains">
<t> This specification does not impose restrictions on signature schemes used anywhere in the certificate chain.
The previous version of this document required the signatures to match, but this restriction, originating
in previous TLS versions is lifted here as it had been in RFC 5246.</t>
</section>
</section>
<section anchor="clientauth" title="Client Authentication">
<t> This document defines a client authentication mechanism, named after the type of client certificate
involved: ECDSA_sign. The ECDSA_sign mechanism is usable with any of the non-anonymous ECC key exchange
algorithms described in <xref target="ecdh"/> as well as other non-anonymous (non-ECC) key exchange
algorithms defined in TLS.</t>
<t> Note that client certificates with EdDSA public keys also use this mechanism. </t>
<t> The server can request ECC-based client authentication by including this certificate type in its
CertificateRequest message. The client must check if it possesses a certificate appropriate for the method
suggested by the server and is willing to use it for authentication.</t>
<t> If these conditions are not met, the client SHOULD send a client Certificate message containing no
certificates. In this case, the ClientKeyExchange MUST be sent as described in <xref target="ecdh"/>, and
the CertificateVerify MUST NOT be sent. If the server requires client authentication, it may respond with
a fatal handshake failure alert.</t>
<t> If the client has an appropriate certificate and is willing to use it for authentication, it must send
that certificate in the client's Certificate message (as per <xref target="client_cert"/>) and prove
possession of the private key corresponding to the certified key. The process of determining an
appropriate certificate and proving possession is different for each authentication mechanism and
described below.</t>
<t> NOTE: It is permissible for a server to request (and the client to send) a client certificate of a
different type than the server certificate.</t>
<section anchor="ecdsa_sign" title="ECDSA_sign">
<t> To use this authentication mechanism, the client MUST possess a certificate containing an ECDSA-
or EdDSA-capable public key.</t>
<t> The client proves possession of the private key corresponding to the certified key by including a
signature in the CertificateVerify message as described in <xref target="cert_verify"/>.</t>
</section>
</section>
<section anchor="tlsext" title="TLS Extensions for ECC">
<t> Two TLS extensions are defined in this specification: (i) the Supported Elliptic Curves Extension,
and (ii) the Supported Point Formats Extension. These allow negotiating the use of specific curves and
point formats (e.g., compressed vs. uncompressed, respectively) during a handshake starting a new session.
These extensions are especially relevant for constrained clients that may only support a limited number of
curves or point formats. They follow the general approach outlined in <xref target="RFC4366"/>; message
details are specified in <xref target="structs"/>. The client enumerates the curves it supports and the
point formats it can parse by including the appropriate extensions in its ClientHello message. The server
similarly enumerates the point formats it can parse by including an extension in its ServerHello message.</t>
<t> A TLS client that proposes ECC cipher suites in its ClientHello message SHOULD include these extensions.
Servers implementing ECC cipher suites MUST support these extensions, and when a client uses these
extensions, servers MUST NOT negotiate the use of an ECC cipher suite unless they can complete the
handshake while respecting the choice of curves specified by the client.
This eliminates the possibility that a negotiated ECC handshake will be subsequently aborted due to a
client's inability to deal with the server's EC key.</t>
<t> The client MUST NOT include these extensions in the ClientHello message if it does not propose any ECC
cipher suites. A client that proposes ECC cipher suites may choose not to include these extensions. In
this case, the server is free to choose any one of the elliptic curves or point formats listed in
<xref target="structs"/>. That section also describes the structure and processing of these extensions
in greater detail.</t>
<t> In the case of session resumption, the server simply ignores the Supported Elliptic Curves Extension and
the Supported Point Formats Extension appearing in the current ClientHello message. These extensions only
play a role during handshakes negotiating a new session.</t>
</section>
<section anchor="structs" title="Data Structures and Computations">
<t> This section specifies the data structures and computations used by ECC-based key mechanisms specified
in the previous three sections. The presentation language used here is the same as that used in TLS.
Since this specification extends TLS, these descriptions should be merged with those in the TLS specification
and any others that extend TLS. This means that enum types may not specify all possible values, and
structures with multiple formats chosen with a select() clause may not indicate all possible cases.</t>
<section anchor="ch_extensions" title="Client Hello Extensions">
<t> This section specifies two TLS extensions that can be included with the ClientHello message as described
in <xref target="RFC4366"/>, the Supported Elliptic Curves Extension and the Supported Point Formats
Extension.</t>
<t> When these extensions are sent:</t>
<t> The extensions SHOULD be sent along with any ClientHello message that proposes ECC cipher suites.</t>
<t> Meaning of these extensions:</t>
<t> These extensions allow a client to enumerate the elliptic curves it supports and/or the point formats
it can parse.</t>
<t> Structure of these extensions:</t>
<t> The general structure of TLS extensions is described in <xref target="RFC4366"/>, and this specification
adds two types to ExtensionType.<figure><artwork><![CDATA[
enum {
elliptic_curves(10),
ec_point_formats(11)
} ExtensionType;
]]></artwork></figure><list style="symbols">
<t> elliptic_curves (Supported Elliptic Curves Extension): Indicates the set of elliptic
curves supported by the client. For this extension, the opaque extension_data field contains
NamedCurveList. See <xref target="supp_ec_ext"/> for details.</t>
<t> ec_point_formats (Supported Point Formats Extension): Indicates the set of point formats
that the client can parse. For this extension, the opaque extension_data field contains ECPointFormatList.
See <xref target="supp_pf_ext"/> for details.</t></list></t>
<t> Actions of the sender:</t>
<t> A client that proposes ECC cipher suites in its ClientHello message appends these extensions (along
with any others), enumerating the curves it supports and the point formats it can parse. Clients SHOULD
send both the Supported Elliptic Curves Extension and the Supported Point Formats Extension. If the
Supported Point Formats Extension is indeed sent, it MUST contain the value 0 (uncompressed) as one of the
items in the list of point formats.</t>
<t> Actions of the receiver:</t>
<t> A server that receives a ClientHello containing one or both of these extensions MUST use the client's
enumerated capabilities to guide its selection of an appropriate cipher suite. One of the proposed ECC
cipher suites must be negotiated only if the server can successfully complete the handshake while using
the curves and point formats supported by the client (cf. <xref target="server_cert"/> and
<xref target="ske"/>).</t>
<t> NOTE: A server participating in an ECDHE_ECDSA key exchange may use different curves for the ECDSA or
EdDSA key in its certificate, and for the ephemeral ECDH key in the ServerKeyExchange message. The server
MUST consider the extensions in both cases.</t>
<t> If a server does not understand the Supported Elliptic Curves Extension, does not understand the
Supported Point Formats Extension, or is unable to complete the ECC handshake while restricting itself
to the enumerated curves and point formats, it MUST NOT negotiate the use of an ECC cipher suite.
Depending on what other cipher suites are proposed by the client and supported by the server, this may
result in a fatal handshake failure alert due to the lack of common cipher suites.</t>
<section anchor="supp_ec_ext" title="Supported Elliptic Curves Extension">
<t> RFC 4492 defined 25 different curves in the NamedCurve registry (now renamed the "Supported Groups" registry,
although the enumeration below is still named NamedCurve) for use in TLS. Only three have seen
much use. This specification is deprecating the rest (with numbers 1-22). This specification also
deprecates the explicit curves with identifiers 0xFF01 and 0xFF02. It also adds the new curves
defined in <xref target="RFC7748"/>. The end result is as follows:</t>
<figure><artwork><![CDATA[
enum {
deprecated(1..22),
secp256r1 (23), secp384r1 (24), secp521r1 (25),
x25519(29), x448(30),
reserved (0xFE00..0xFEFF),
deprecated(0xFF01..0xFF02),
(0xFFFF)
} NamedCurve;
]]></artwork></figure>
<t> Note that other specifications have since added other values to this enumeration. Some of those values
are not curves at all, but finite field groups. See <xref target="RFC7919"/>.</t>
<t> secp256r1, etc: Indicates support of the corresponding named curve or groups.
The named curves secp256r1, secp384r1, and secp521r1 are specified in SEC 2
<xref target="SECG-SEC2"/>. These curves are also recommended in ANSI X9.62
<xref target="ANSI.X9-62.2005"/> and FIPS 186-4 <xref target="FIPS.186-4"/>. The rest of this document
refers to these three curves as the "NIST curves" because they were originally standardized by the National
Institute of Standards and Technology. The curves x25519 and x448
are defined in <xref target="RFC7748"/>. Values 0xFE00 through 0xFEFF are reserved for private use.</t>
<t> The predecessor of this document also supported explicitly defined prime and char2 curves, but these are
deprecated by this specification.</t>
<t> The NamedCurve name space is maintained by IANA. See <xref target="iana"/> for information on how new
value assignments are added.</t>
<figure><artwork><![CDATA[
struct {
NamedCurve named_curve_list<2..2^16-1>
} NamedCurveList;
]]></artwork></figure>
<t> Items in named_curve_list are ordered according to the client's preferences (favorite choice
first).</t>
<t> As an example, a client that only supports secp256r1 (aka NIST P-256; value 23 = 0x0017) and secp384r1
(aka NIST P-384; value 24 = 0x0018) and prefers to use secp256r1 would include a TLS extension consisting
of the following octets. Note that the first two octets indicate the extension type (Supported Elliptic
Curves Extension):</t>
<figure><artwork><![CDATA[
00 0A 00 06 00 04 00 17 00 18
]]></artwork></figure>
</section>
<section anchor="supp_pf_ext" title="Supported Point Formats Extension">
<figure><artwork><![CDATA[
enum {
uncompressed (0),
deprecated (1..2),
reserved (248..255)
} ECPointFormat;
struct {
ECPointFormat ec_point_format_list<1..2^8-1>
} ECPointFormatList;
]]></artwork></figure>
<t> Three point formats were included in the definition of ECPointFormat above. This specification
deprecates all but the uncompressed point format. Implementations of this document MUST support the
uncompressed format for all of their supported curves, and MUST NOT support other formats for curves
defined in this specification. For backwards compatibility purposes, the point format list extension
MAY still be included, and contain exactly one value: the uncompressed point format (0). RFC 4492
specified that if this extension is missing, it means that only the uncompressed point format is
supported, so interoperability with implementations that support the uncompressed format should work
with or without the extension.</t>
<t> If the client sends the extension and the extension does not contain the uncompressed point format,
and the client has used the Supported Groups extension to indicate support for any of the curves defined
in this specification then the server MUST abort the handshake and return an illegal_parameter alert.</t>
<t> The ECPointFormat name space is maintained by IANA. See <xref target="iana"/> for information on how
new value assignments are added.</t>
<t> A client compliant with this specification that supports no other curves MUST send the following octets;
note that the first two octets indicate the extension type (Supported Point Formats Extension):<figure><artwork><![CDATA[
00 0B 00 02 01 00
]]></artwork></figure></t>
</section>
<section anchor="sighash_ext" title="The signature_algorithms Extension and EdDSA">
<t> The signature_algorithms extension, defined in section 7.4.1.4.1 of <xref target="RFC5246"/>, advertises
the combinations of signature algorithm and hash function that the client supports. The pure (non pre-hashed)
forms of EdDSA do not hash the data before signing it. For this reason it does not make sense to combine them
with a signature algorithm in the extension.</t>
<t> For bits-on-the-wire compatibility with TLS 1.3, we define a new dummy value in the HashAlgorithm registry
which we will call "Intrinsic" (value TBD5) meaning that hashing is intrinsic to the signature algorithm.</t>
<t> To represent ed25519 and ed448 in the signature_algorithms extension, the value shall be (TBD5,TBD3) and
(TBD5,TBD4) respectively.</t>
</section>
</section>
<section anchor="serverhello_ext" title="Server Hello Extension">
<t> This section specifies a TLS extension that can be included with the ServerHello message as described
in <xref target="RFC4366"/>, the Supported Point Formats Extension.</t>
<t> When this extension is sent:</t>
<t> The Supported Point Formats Extension is included in a ServerHello message in response to a ClientHello
message containing the Supported Point Formats Extension when negotiating an ECC cipher suite.</t>
<t> Meaning of this extension:</t>
<t> This extension allows a server to enumerate the point formats it can parse (for the curve that will appear
in its ServerKeyExchange message when using the ECDHE_ECDSA, ECDHE_RSA, or ECDH_anon key exchange algorithm.</t>
<t> Structure of this extension:</t>
<t> The server's Supported Point Formats Extension has the same structure as the client's Supported Point
Formats Extension (see <xref target="supp_pf_ext"/>). Items in ec_point_format_list here are ordered
according to the server's preference (favorite choice first). Note that the server MAY include items that
were not found in the client's list. However, without extensions this specification allows exactly one point
format, so there is not really any opportunity for mismatches.</t>
<t> Actions of the sender:</t>
<t> A server that selects an ECC cipher suite in response to a ClientHello message including a Supported
Point Formats Extension appends this extension (along with others) to its ServerHello message, enumerating
the point formats it can parse. The Supported Point Formats Extension, when used, MUST contain the value 0
(uncompressed) as one of the items in the list of point formats.</t>
<t> Actions of the receiver:</t>
<t> A client that receives a ServerHello message containing a Supported Point Formats Extension MUST respect
the server's choice of point formats during the handshake (cf. <xref target="client_cert"/> and
<xref target="cke"/>). If no Supported Point Formats Extension is received with the ServerHello, this is
equivalent to an extension allowing only the uncompressed point format.</t>
</section>
<section anchor="server_cert" title="Server Certificate">
<t> When this message is sent:</t>
<t> This message is sent in all non-anonymous ECC-based key exchange algorithms.</t>
<t> Meaning of this message:</t>
<t> This message is used to authentically convey the server's static public key to the client. The following
table shows the server certificate type appropriate for each key exchange algorithm. ECC public keys MUST
be encoded in certificates as described in <xref target="eccerts"/>.</t>
<t> NOTE: The server's Certificate message is capable of carrying a chain of certificates. The restrictions
mentioned in Table 3 apply only to the server's certificate (first in the chain).</t>
<texttable anchor="tbl3" title="Server Certificate Types">
<ttcol align="left">Algorithm</ttcol>
<ttcol align="left">Server Certificate Type</ttcol>
<c>ECDHE_ECDSA</c><c>Certificate MUST contain an ECDSA- or EdDSA-capable public key.</c>
<c>ECDHE_RSA</c><c>Certificate MUST contain an RSA public key.</c>
</texttable>
<t> Structure of this message:</t>
<t> Identical to the TLS Certificate format.</t>
<t> Actions of the sender:</t>
<t> The server constructs an appropriate certificate chain and conveys it to the client in the Certificate
message. If the client has used a Supported Elliptic Curves Extension, the public key in the server's
certificate MUST respect the client's choice of elliptic curves. A server that cannot satisfy this requirement
MUST NOT choose an ECC cipher suite in its ServerHello message.)</t>
<t> Actions of the receiver:</t>
<t> The client validates the certificate chain, extracts the server's public key, and checks that the key
type is appropriate for the negotiated key exchange algorithm. (A possible reason for a fatal handshake
failure is that the client's capabilities for handling elliptic curves and point formats are exceeded;
cf. <xref target="ch_extensions"/>.)</t>
</section>
<section anchor="ske" title="Server Key Exchange">
<t> When this message is sent:</t>
<t> This message is sent when using the ECDHE_ECDSA, ECDHE_RSA, and ECDH_anon key exchange algorithms.</t>
<t> Meaning of this message:</t>
<t> This message is used to convey the server's ephemeral ECDH public key (and the corresponding elliptic
curve domain parameters) to the client.</t>
<t> The ECCCurveType enum used to have values for explicit prime and for explicit char2 curves. Those
values are now deprecated, so only one value remains:</t>
<t> Structure of this message:<figure><artwork><![CDATA[
enum {
deprecated (1..2),
named_curve (3),
reserved(248..255)
} ECCurveType;
]]></artwork></figure></t>
<t> The value named_curve indicates that a named curve is used. This option is now the only remaining format.</t>
<t> Values 248 through 255 are reserved for private use.</t>
<t> The ECCurveType name space is maintained by IANA. See <xref target="iana"/> for information on how new
value assignments are added.</t>
<t> RFC 4492 had a specification for an ECCurve structure and an ECBasisType structure. Both of these are
omitted now because they were only used with the now deprecated explicit curves.</t>
<t><figure><artwork><![CDATA[
struct {
opaque point <1..2^8-1>;
} ECPoint;
]]></artwork></figure></t>
<t> point: This is the byte string representation of an elliptic curve point following the
conversion routine in Section 4.3.6 of <xref target="ANSI.X9-62.2005"/>. This byte string may
represent an elliptic curve point in uncompressed, compressed, or hybrid format, but this specification
deprecates all but the uncompressed format. For the NIST curves, the format is repeated in <xref
target="UncompressedFormat"/> for convenience. For the X25519 and X448 curves, the only valid
representation is the one specified in <xref target="RFC7748"/> - a 32- or 56-octet representation of
the u value of the point. This structure MUST NOT be used with Ed25519 and Ed448 public keys.</t>
<t> <figure><artwork><![CDATA[
struct {
ECCurveType curve_type;
select (curve_type) {
case named_curve:
NamedCurve namedcurve;
};
} ECParameters;
]]></artwork></figure></t>
<t> curve_type: This identifies the type of the elliptic curve domain parameters.</t>
<t> namedCurve: Specifies a recommended set of elliptic curve domain parameters. All those
values of NamedCurve are allowed that refer to a curve capable of Diffie-Hellman. With the deprecation
of the explicit curves, this now includes all of the NamedCurve values.</t>
<t><figure><artwork><![CDATA[
struct {
ECParameters curve_params;
ECPoint public;
} ServerECDHParams;
]]></artwork></figure></t>
<t> curve_params: Specifies the elliptic curve domain parameters associated with the ECDH
public key.</t>
<t> public: The ephemeral ECDH public key.</t>
<t> The ServerKeyExchange message is extended as follows.<figure><artwork><![CDATA[
enum {
ec_diffie_hellman
} KeyExchangeAlgorithm;
]]></artwork></figure><list style="symbols">
<t> ec_diffie_hellman: Indicates the ServerKeyExchange message contains an ECDH public key.</t></list><figure><artwork><![CDATA[
select (KeyExchangeAlgorithm) {
case ec_diffie_hellman:
ServerECDHParams params;
Signature signed_params;
} ServerKeyExchange;
]]></artwork></figure><list style="symbols">
<t> params: Specifies the ECDH public key and associated domain parameters.</t>
<t> signed_params: A hash of the params, with the signature appropriate to that hash applied.
The private key corresponding to the certified public key in the server's Certificate message is used
for signing.<figure><artwork><![CDATA[
enum {
ecdsa(3),
ed25519(TBD3)
ed448(TBD4)
} SignatureAlgorithm;
select (SignatureAlgorithm) {
case ecdsa:
digitally-signed struct {
opaque sha_hash[sha_size];
};
case ed25519,ed448:
digitally-signed struct {
opaque rawdata[rawdata_size];
};
} Signature;
ServerKeyExchange.signed_params.sha_hash
SHA(ClientHello.random + ServerHello.random +
ServerKeyExchange.params);
ServerKeyExchange.signed_params.rawdata
ClientHello.random + ServerHello.random +
ServerKeyExchange.params;
]]></artwork></figure></t></list></t>
<t> NOTE: SignatureAlgorithm is "rsa" for the ECDHE_RSA key exchange algorithm and "anonymous" for ECDH_anon.
These cases are defined in TLS. SignatureAlgorithm is "ecdsa" or "eddsa" for ECDHE_ECDSA. ECDSA signatures
are generated and verified as described in <xref target="alg_computes"/>, and SHA in the above template for
sha_hash accordingly may denote a hash algorithm other than SHA-1. As per ANSI X9.62, an ECDSA signature
consists of a pair of integers, r and s. The digitally-signed element is encoded as an opaque vector
<0..2^16-1>, the contents of which are the DER encoding corresponding to the following ASN.1
notation.<figure><artwork><![CDATA[
Ecdsa-Sig-Value ::= SEQUENCE {
r INTEGER,
s INTEGER
}
]]></artwork></figure></t>
<t>EdDSA signatures in both the protocol and in certificates that conform to <xref target="PKIX-EdDSA"/> are
generated and verified according to <xref target="RFC8032"/>. The digitally-signed
element is encoded as an opaque vector<0..2^16-1>, the contents of which is the octet string output of
the EdDSA signing algorithm.</t>
<t> Actions of the sender:</t>
<t> The server selects elliptic curve domain parameters and an ephemeral ECDH public key corresponding to
these parameters according to the ECKAS-DH1 scheme from IEEE 1363 <xref target="IEEE.P1363.1998"/>.
It conveys this information to the client in the ServerKeyExchange message using the format defined above.</t>
<t> Actions of the receiver:</t>
<t> The client verifies the signature (when present) and retrieves the server's elliptic curve domain
parameters and ephemeral ECDH public key from the ServerKeyExchange message. (A possible reason for a
fatal handshake failure is that the client's capabilities for handling elliptic curves and point formats
are exceeded; cf. <xref target="ch_extensions"/>.)</t>
<section anchor="UncompressedFormat" title="Uncompressed Point Format for NIST curves">
<t> The following represents the wire format for representing ECPoint in ServerKeyExchange records.
The first octet of the representation indicates the form, which may be compressed, uncompressed, or
hybrid. This specification supports only the uncompressed format for these curves. This is followed by
the binary representation of the X value in "big-endian" or "network" format, followed by the binary
representation of the Y value in "big-endian" or "network" format. There are no internal length markers,
so each number representation occupies as many octets as implied by the curve parameters. For P-256 this
means that each of X and Y use 32 octets, padded on the left by zeros if necessary. For P-384 they take 48
octets each, and for P-521 they take 66 octets each.</t>
<t> Here's a more formal representation:<figure><artwork><![CDATA[
enum {
uncompressed(4),
(255)
} PointConversionForm;
struct {
PointConversionForm form;
opaque X[coordinate_length];
opaque Y[coordinate_length];
} UncompressedPointRepresentation;
]]></artwork></figure></t>
</section>
</section>
<section anchor="certreq" title="Certificate Request">
<t> When this message is sent:</t>
<t> This message is sent when requesting client authentication.</t>
<t> Meaning of this message:</t>
<t> The server uses this message to suggest acceptable client authentication methods.</t>
<t> Structure of this message:</t>
<t> The TLS CertificateRequest message is extended as follows.<figure><artwork><![CDATA[
enum {
ecdsa_sign(64),
deprecated1(65), /* was rsa_fixed_ecdh */
deprecated2(66), /* was ecdsa_fixed_ecdh */
(255)
} ClientCertificateType;
]]></artwork></figure><list style="symbols">
<t> ecdsa_sign: Indicates that the server would like to use the corresponding client
authentication method specified in <xref target="clientauth"/>.</t></list></t>
<t> Note that RFC 4492 also defined RSA and ECDSA certificates that included a fixed ECDH
public key. These mechanisms saw very little implementation so this specification is deprecating them.</t>
<t> Actions of the sender:</t>
<t> The server decides which client authentication methods it would like to use, and conveys this information
to the client using the format defined above.</t>
<t> Actions of the receiver:</t>
<t> The client determines whether it has a suitable certificate for use with any of the requested methods
and whether to proceed with client authentication.</t>
</section>
<section anchor="client_cert" title="Client Certificate">
<t> When this message is sent:</t>
<t> This message is sent in response to a CertificateRequest when a client has a suitable certificate and
has decided to proceed with client authentication. (Note that if the server has used a Supported Point
Formats Extension, a certificate can only be considered suitable for use with the ECDSA_sign
authentication method if the public key point specified in it is uncompressed, as that is the only point
format still supported.</t>
<t> Meaning of this message:</t>
<t> This message is used to authentically convey the client's static public key to the server. The
following table summarizes what client certificate types are appropriate for the ECC-based client
authentication mechanisms described in <xref target="clientauth"/>. ECC public keys must be encoded in
certificates as described in <xref target="eccerts"/>.</t>
<t> NOTE: The client's Certificate message is capable of carrying a chain of certificates. The
restrictions mentioned in Table 4 apply only to the client's certificate (first in the chain).</t>
<t> The certificate MUST contain an ECDSA- or EdDSA-capable public key.</t>
<t> Structure of this message:</t>
<t> Identical to the TLS client Certificate format.</t>
<t> Actions of the sender:</t>
<t> The client constructs an appropriate certificate chain, and conveys it to the server in the Certificate message.</t>
<t> Actions of the receiver:</t>
<t> The TLS server validates the certificate chain, extracts the client's public key, and checks that the key
type is appropriate for the client authentication method.</t>
</section>
<section anchor="cke" title="Client Key Exchange">
<t> When this message is sent:</t>
<t> This message is sent in all key exchange algorithms. It contains the client's ephemeral ECDH
public key.</t>
<t> Meaning of the message:</t>
<t> This message is used to convey ephemeral data relating to the key exchange belonging to the client (such
as its ephemeral ECDH public key).</t>
<t> Structure of this message:</t>
<t> The TLS ClientKeyExchange message is extended as follows.</t>
<t><figure><artwork><![CDATA[
enum {
implicit,
explicit
} PublicValueEncoding;
]]></artwork></figure></t>
<t><list style="symbols">
<t> implicit, explicit: For ECC cipher suites, this indicates whether the client's ECDH public
key is in the client's certificate ("implicit") or is provided, as an ephemeral ECDH public key, in the
ClientKeyExchange message ("explicit"). The implicit encoding is deprecated and is retained here for
backward compatibility only.</t></list></t>
<t><figure><artwork><![CDATA[
struct {
ECPoint ecdh_Yc;
} ClientECDiffieHellmanPublic;
]]></artwork></figure></t>
<t> ecdh_Yc: Contains the client's ephemeral ECDH public key as a byte string ECPoint.point,
which may represent an elliptic curve point in uncompressed format.</t>
<t><figure><artwork><![CDATA[
struct {
select (KeyExchangeAlgorithm) {
case ec_diffie_hellman: ClientECDiffieHellmanPublic;
} exchange_keys;
} ClientKeyExchange;
]]></artwork></figure></t>
<t> Actions of the sender:</t>
<t> The client selects an ephemeral ECDH public key corresponding to the parameters it received from the
server. The format is the same as in <xref target="ske"/>.</t>
<t> Actions of the receiver:</t>
<t> The server retrieves the client's ephemeral ECDH public key from the ClientKeyExchange message and checks
that it is on the same elliptic curve as the server's ECDH key.</t>
</section>
<section anchor="cert_verify" title="Certificate Verify">
<t> When this message is sent:</t>
<t> This message is sent when the client sends a client certificate containing a public key usable for
digital signatures.</t>
<t> Meaning of the message:</t>
<t> This message contains a signature that proves possession of the private key corresponding to the public
key in the client's Certificate message.</t>
<t> Structure of this message:</t>
<t> The TLS CertificateVerify message and the underlying Signature type are defined in the TLS base
specifications, and the latter is extended here in <xref target="ske"/>. For the ecdsa and eddsa cases, the
signature field in the CertificateVerify message contains an ECDSA or EdDSA (respectively) signature computed
over handshake messages exchanged so far, exactly similar to CertificateVerify with other signing
algorithms:<figure><artwork><![CDATA[
CertificateVerify.signature.sha_hash
SHA(handshake_messages);
CertificateVerify.signature.rawdata
handshake_messages;
]]></artwork></figure></t>
<t> ECDSA signatures are computed as described in <xref target="alg_computes"/>, and SHA in the above
template for sha_hash accordingly may denote a hash algorithm other than SHA-1. As per ANSI X9.62, an
ECDSA signature consists of a pair of integers, r and s. The digitally-signed element is encoded as an
opaque vector <0..2^16-1>, the contents of which are the DER encoding <xref target="CCITT.X690"/>
corresponding to the following ASN.1 notation <xref target="CCITT.X680"/>.<figure><artwork><![CDATA[
Ecdsa-Sig-Value ::= SEQUENCE {
r INTEGER,
s INTEGER
}
]]></artwork></figure></t>
<t>EdDSA signatures are generated and verified according to <xref target="RFC8032"/>. The digitally-signed
element is encoded as an opaque vector<0..2^16-1>, the contents of which is the octet string output of
the EdDSA signing algorithm.</t>
<t> Actions of the sender:</t>
<t> The client computes its signature over all handshake messages sent or received starting at client hello
and up to but not including this message. It uses the private key corresponding to its certified public
key to compute the signature, which is conveyed in the format defined above.</t>
<t> Actions of the receiver:</t>
<t> The server extracts the client's signature from the CertificateVerify message, and verifies the
signature using the public key it received in the client's Certificate message.</t>
</section>
<section anchor="eccerts" title="Elliptic Curve Certificates">
<t> X.509 certificates containing ECC public keys or signed using ECDSA MUST comply with
<xref target="RFC3279"/> or another RFC that replaces or extends it. X.509 certificates containing ECC
public keys or signed using EdDSA MUST comply with <xref target="PKIX-EdDSA"/>. Clients SHOULD use the
elliptic curve domain parameters recommended in ANSI X9.62, FIPS 186-4, and SEC 2
<xref target="SECG-SEC2"/> or in <xref target="RFC8032"/>.</t>
<t>EdDSA keys using the Ed25519 algorithm MUST use the ed25519 signature algorithm, and Ed448
keys MUST use the ed448 signature algorithm. This document does not define use of Ed25519ph and Ed448ph keys
with TLS. Ed25519, Ed25519ph, Ed448, and Ed448ph keys MUST NOT be used with ECDSA.</t>
</section>
<section anchor="alg_computes" title="ECDH, ECDSA, and RSA Computations">
<t> All ECDH calculations for the NIST curves (including parameter and key generation as well as the shared
secret calculation) are performed according to <xref target="IEEE.P1363.1998"/> using the ECKAS-DH1 scheme
with the identity map as key derivation function (KDF), so that the premaster secret is the x-coordinate
of the ECDH shared secret elliptic curve point represented as an octet string. Note that this octet string
(Z in IEEE 1363 terminology) as output by FE2OSP, the Field Element to Octet String Conversion Primitive,
has constant length for any given field; leading zeros found in this octet string MUST NOT be truncated.</t>
<t> (Note that this use of the identity KDF is a technicality. The complete picture is that ECDH is
employed with a non-trivial KDF because TLS does not directly use the premaster secret for anything other
than for computing the master secret. In TLS 1.0 and 1.1, this means that the MD5- and SHA-1-based TLS
PRF serves as a KDF; in TLS 1.2 the KDF is determined by ciphersuite; it is conceivable that future TLS
versions or new TLS extensions introduced in the future may vary this computation.)</t>
<t> An ECDHE key exchange using X25519 (curve x25519) goes as follows: Each party picks a secret key d
uniformly at random and computes the corresponding public key x = X25519(d, G). Parties exchange their
public keys, and compute a shared secret as x_S = X25519(d, x_peer). If either party obtains all-zeroes x_S,
it MUST abort the handshake (as required by definition of X25519 and X448). ECDHE for X448 works similarily,
replacing X25519 with X448, and x25519 with x448. The derived shared secret is used directly as
the premaster secret, which is always exactly 32 bytes when ECDHE with X25519 is used and 56 bytes when
ECDHE with X448 is used.</t>
<t> All ECDSA computations MUST be performed according to ANSI X9.62 or its successors. Data to be
signed/verified is hashed, and the result run directly through the ECDSA algorithm with no additional
hashing. A secure hash function such as SHA-256, SHA-384, or SHA-512 from <xref target="FIPS.180-4"/>
MUST be used.</t>
<t> All EdDSA computations MUST be performed according to <xref target="RFC8032"/> or its succesors. Data
to be signed/verified is run through the EdDSA algorithm wih no hashing (EdDSA will internally run the data
through the PH function). The context parameter for Ed448 MUST be set to the empty string.</t>
<t> RFC 4492 anticipated the standardization of a mechanism for specifying the required hash function in the certificate,
perhaps in the parameters field of the subjectPublicKeyInfo. Such standardization never took place, and as a result,
SHA-1 is used in TLS 1.1 and earlier (except for EdDSA, which uses identity function). TLS 1.2 added a
SignatureAndHashAlgorithm parameter to the DigitallySigned struct, thus allowing agility in choosing the
signature hash. EdDSA signatures MUST have HashAlgorithm of TBD5 (Intrinsic).</t>
<t> All RSA signatures must be generated and verified according to <xref target="PKCS1"/> block type 1.</t>
</section>
<section anchor="valid25519" title="Public Key Validation">
<t> With the NIST curves, each party MUST validate the public key sent by its peer in the ClientKeyExchange
and ServerKeyExchange messages. A receiving party MUST
check that the x and y parameters from the peer's public value satisfy the curve equation, y^2 = x^3 + ax + b
mod p. See section 2.3 of <xref target="Menezes"/> for details. Failing to do so allows attackers to gain
information about the private key, to the point that they may recover the entire private key in a few requests,
if that key is not really ephemeral.</t>
<t>With X25519 and X448, a receiving party MUST check whether the computed premaster secret is the all-zero
value and abort the handshake if so, as described in section 6 of <xref target="RFC7748"/>.</t>
<t>Ed25519 and Ed448 internally do public key validation as part of signature verification.</t>
</section>
</section>
<section anchor="suites" title="Cipher Suites">
<t> The table below defines ECC cipher suites that use the key exchange algorithms specified in <xref target="ecdh"/>.</t>
<texttable anchor="tbl5" title="TLS ECC cipher suites">
<ttcol align="left">CipherSuite</ttcol>
<ttcol align="left">Identifier</ttcol>
<c>TLS_ECDHE_ECDSA_WITH_NULL_SHA</c><c>{ 0xC0, 0x06 }</c>
<c>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</c><c>{ 0xC0, 0x08 }</c>
<c>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</c><c>{ 0xC0, 0x09 }</c>
<c>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</c><c>{ 0xC0, 0x0A }</c>
<c>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</c><c>{ 0xC0, 0x2B }</c>
<c>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</c><c>{ 0xC0, 0x2C }</c>
<c> </c><c> </c>
<c>TLS_ECDHE_RSA_WITH_NULL_SHA</c><c>{ 0xC0, 0x10 }</c>
<c>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</c><c>{ 0xC0, 0x12 }</c>
<c>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</c><c>{ 0xC0, 0x13 }</c>
<c>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</c><c>{ 0xC0, 0x14 }</c>
<c>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</c><c>{ 0xC0, 0x2F }</c>
<c>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</c><c>{ 0xC0, 0x30 }</c>
<c> </c><c> </c>
<c>TLS_ECDH_anon_WITH_NULL_SHA</c><c>{ 0xC0, 0x15 }</c>
<c>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</c><c>{ 0xC0, 0x17 }</c>
<c>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</c><c>{ 0xC0, 0x18 }</c>
<c>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</c><c>{ 0xC0, 0x19 }</c>
</texttable>
<t> The key exchange method, cipher, and hash algorithm for each of these cipher suites are easily determined
by examining the name. Ciphers (other than AES ciphers) and hash algorithms are defined in
<xref target="RFC2246"/> and <xref target="RFC4346"/>. AES ciphers are defined in <xref target="RFC5246"/>,
and AES-GCM ciphersuites are in <xref target="RFC5289"/>.</t>
<t> Server implementations SHOULD support all of the following cipher suites, and client implementations
SHOULD support at least one of them:<list style="symbols">
<t> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</t>
<t> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</t>
<t> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</t>
<t> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</t></list></t>
</section>
<section anchor="impstat" title="Implementation Status">
<t> Both ECDHE and ECDSA with the NIST curves are widely implemented, supported in all major browsers and all
widely used TLS libraries. ECDHE with Curve25519 is by now implemented in several browsers and several TLS
libraries including OpenSSL. Curve448 and EdDSA have working, interoperable implementations, but are not yet
as widely deployed.</t>
</section>
<section anchor="sec" title="Security Considerations">
<t> Security issues are discussed throughout this memo.</t>
<t> For TLS handshakes using ECC cipher suites, the security considerations in appendices D of all three TLS
base documemts apply accordingly.</t>
<t> Security discussions specific to ECC can be found in <xref target="IEEE.P1363.1998"/> and
<xref target="ANSI.X9-62.2005"/>. One important issue that implementers and users must consider is elliptic
curve selection. Guidance on selecting an appropriate elliptic curve size is given in Table 1. Security
considerations specific to X25519 and X448 are discussed in section 7 of <xref target="RFC7748"/>.</t>
<t> Beyond elliptic curve size, the main issue is elliptic curve structure. As a general principle, it is
more conservative to use elliptic curves with as little algebraic structure as possible. Thus, random curves
are more conservative than special curves such as Koblitz curves, and curves over F_p with p random are more
conservative than curves over F_p with p of a special form, and curves over F_p with p random are
considered more conservative than curves over F_2^m as there is no choice between multiple fields of similar
size for characteristic 2.</t>
<t> Another issue is the potential for catastrophic failures when a single elliptic curve is widely used.
In this case, an attack on the elliptic curve might result in the compromise of a large number of keys.
Again, this concern may need to be balanced against efficiency and interoperability improvements associated
with widely-used curves. Substantial additional information on elliptic curve choice can be found in
<xref target="IEEE.P1363.1998"/>, <xref target="ANSI.X9-62.2005"/>, and <xref target="FIPS.186-4"/>.</t>
<t> The Introduction of <xref target="RFC8032"/> lists the security, performance, and operational advantages of
EdDSA signatures over ECDSA signatures using the NIST curves. </t>
<t> All of the key exchange algorithms defined in this document provide forward secrecy. Some of the
deprecated key exchange algorithms do not.</t>
</section>
<section anchor="iana" title="IANA Considerations">
<t> <xref target="RFC4492" />, the predecessor of this document has already defined the IANA registries for
the following:<list style="symbols">
<t> Supported Groups <xref target="ch_extensions"/></t>
<t> ECPointFormat <xref target="ch_extensions"/></t>
<t> ECCurveType <xref target="ske"/></t></list></t>
<t> IANA is requested to prepend "TLS" to the names of the previous three registries.</t>
<t> For each name space, this document defines the initial value assignments and defines a range of 256 values
(NamedCurve) or eight values (ECPointFormat and ECCurveType) reserved for Private Use. The policy for any additional
assignments is "Specification Required". The previous version of this document required IETF review.</t>
<t> NOTE: IANA, please update the registries to reflect the new policy.</t>
<t> NOTE: RFC editor please delete these two notes prior to publication.</t>
<t> IANA, please update these two registries to refer to this document.</t>
<t> IANA is requested to assigned the value 29 to x25519, and the value
30 to x448 in the TLS Supported Groups Registry. This replaces the
temporary registrations ecdh_x25519(29) and ecdh_x448(30).</t>
<t> IANA is requested to assign two values from the TLS SignatureAlgorithm Registry with names ed25519(TBD3)
and ed448(TBD4) with this document as reference. To keep compatibility with TLS 1.3, TBD3 should be 7,
and TBD4 should be 8.</t>
<t> IANA is requested to assign one value from the "TLS HashAlgorithm Registry" with name Intrinsic(TBD5)
and this document as reference. To keep compatibility with TLS 1.3, TBD5 should be 8 and DTLS-OK should
be set to true (Y).</t>
</section>
<section anchor="ack" title="Acknowledgements">
<t> Most of the text is this document is taken from <xref target="RFC4492"/>, the predecessor of this
document. The authors of that document were:<list style="symbols">
<t> Simon Blake-Wilson</t>
<t> Nelson Bolyard</t>
<t> Vipul Gupta</t>
<t> Chris Hawk</t>
<t> Bodo Moeller</t></list></t>
<t> In the predecessor document, the authors acknowledged the contributions of Bill Anderson and Tim Dierks.</t>
<t> The author would like to thank Nikos Mavrogiannopoulos, Martin Thomson, and Tanja Lange for contributions
to this document.</t>
</section>
<section anchor="history" title="Version History for This Draft">
<t> NOTE TO RFC EDITOR: PLEASE REMOVE THIS SECTION</t>
<t> Changes from draft-ietf-tls-rfc4492bis-03 to draft-nir-tls-rfc4492bis-05:<list style="symbols">
<t> Add support for CFRG curves and signatures work.</t>
</list></t>
<t> Changes from draft-ietf-tls-rfc4492bis-01 to draft-nir-tls-rfc4492bis-03:<list style="symbols">
<t> Removed unused curves.</t>
<t> Removed unused point formats (all but uncompressed)</t>
</list></t>
<t> Changes from draft-nir-tls-rfc4492bis-00 and draft-ietf-tls-rfc4492bis-00 to
draft-nir-tls-rfc4492bis-01:<list style="symbols">
<t> Merged errata</t>
<t> Removed ECDH_RSA and ECDH_ECDSA</t>
</list></t>
<t> Changes from RFC 4492 to draft-nir-tls-rfc4492bis-00:<list style="symbols">
<t> Added TLS 1.2 to references.</t>
<t> Moved RFC 4492 authors to acknowledgements.</t>
<t> Removed list of required reading for ECC.</t>
<t> Prepended "TLS" to the names of the three registries defined in the IANA Considerations section.</t></list></t>
</section>
<!-- ====================================================================== -->
</middle>
<!-- ====================================================================== -->
<back>
<references title="Normative References">
<reference anchor="RFC7748">
<front>
<title>Elliptic Curves for Security</title>
<author initials="A" surname="Langley" fullname="Adam Langley"></author>
<author initials="M" surname="Hamburg" fullname="Mike Hamburg"></author>
<author initials="S" surname="Turner" fullname="Sean Turner"></author>
<date month="January" year="2016"/>
</front>
<seriesInfo name='RFC' value='7748' />
<format type='HTML' target='https://tools.ietf.org/html/rfc7748' />
</reference>
<reference anchor="RFC8032">
<front>
<title>Edwards-Curve Digital Signature Algorithm (EdDSA)</title>
<author initials="S" surname="Josefsson" fullname="Simon Josefsson"></author>
<author initials="I" surname="Liusvaara" fullname="Ilari Liusvaara"></author>
<date month="January" year="2017"/>
</front>
<seriesInfo name="RFC" value="8032"/>
<format type="HTML" target="https://tools.ietf.org/html/rfc8032"/>
</reference>
<reference anchor="PKIX-EdDSA" target="https://tools.ietf.org/html/draft-ietf-curdle-pkix-01">
<front>
<title>Algorithm Identifiers for Ed25519, Ed25519ph, Ed448, Ed448ph, X25519 and X448 for use in the Internet X.509 Public Key Infrastructure</title>
<author initials="S." surname="Josefsson" fullname="Simon Josefsson">
<organization />
</author>
<author initials="J." surname="Schaad" fullname="Jim Schaad">
<organization />
</author>
<date month="August" year="2016" />
</front>
</reference>
<reference anchor='RFC2246'>
<front>
<title>The TLS Protocol Version 1.0</title>
<author initials='T.' surname='Dierks' fullname='Tim Dierks'/>
<author initials='C.' surname='Allen' fullname='Christopher Allen' />
<date year='1999' month='January' />
</front>
<seriesInfo name='RFC' value='2246' />
<format type='HTML' target='http://tools.ietf.org/html/rfc2246' />
</reference>
<reference anchor='RFC4346'>
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.1</title>
<author initials='T.' surname='Dierks' fullname='T. Dierks' />
<author initials='E.' surname='Rescorla' fullname='E. Rescorla' />
<date year='2006' month='April' />
</front>
<seriesInfo name='RFC' value='4346' />
<format type='HTML' target='http://tools.ietf.org/html/rfc4346' />
</reference>
<reference anchor='RFC5289'>
<front>
<title>TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)</title>
<author initials='E.' surname='Rescorla' fullname='E. Rescorla' />
<date year='2008' month='August' />
</front>
<seriesInfo name='RFC' value='5289' />
<format type='HTML' target='http://tools.ietf.org/html/rfc5289' />
</reference>
<reference anchor='RFC5246'>
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.2</title>
<author initials='T.' surname='Dierks' fullname='T. Dierks' />
<author initials='E.' surname='Rescorla' fullname='E. Rescorla' />
<date year='2008' month='August' />
</front>
<seriesInfo name='RFC' value='5246' />
<format type='HTML' target='http://tools.ietf.org/html/rfc5246' />
</reference>
<reference anchor='SECG-SEC2'>
<front>
<title>Recommended Elliptic Curve Domain Parameters</title>
<author>
<organization>CECG</organization>
</author>
<date year='2000'/>
</front>
<seriesInfo name='SEC' value='2' />
<format type='PDF' target='http://www.secg.org/download/aid-784/sec2-v2.pdf' />
</reference>
<reference anchor='RFC4366'>
<front>
<title>Transport Layer Security (TLS) Extensions</title>
<author initials='S.' surname='Blake-Wilson' fullname='S. Blake-Wilson'>
<organization /></author>
<author initials='M.' surname='Nystrom' fullname='M. Nystrom'>
<organization /></author>
<author initials='D.' surname='Hopwood' fullname='D. Hopwood'>
<organization /></author>
<author initials='J.' surname='Mikkelsen' fullname='J. Mikkelsen'>
<organization /></author>
<author initials='T.' surname='Wright' fullname='T. Wright'>
<organization /></author>
<date year='2006' month='April' />
</front>
<seriesInfo name='RFC' value='4366' />
<format type='TXT' octets='66344' target='http://www.ietf.org/rfc/rfc4366.txt' />
</reference>
<reference anchor='RFC3279'>
<front>
<title>Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
<author initials='L.' surname='Bassham' fullname='L. Bassham'><organization /></author>
<author initials='W.' surname='Polk' fullname='W. Polk'><organization /></author>
<author initials='R.' surname='Housley' fullname='R. Housley'><organization /></author>
<date year='2002' month='April' />
</front>
<seriesInfo name='RFC' value='3279' />
<format type='TXT' target='http://www.ietf.org/rfc/rfc3279.txt' />
</reference>
<reference anchor="CCITT.X680">
<front>
<title>Abstract Syntax Notation One (ASN.1): Specification of basic notation</title>
<author>
<organization>International Telephone and Telegraph Consultative Committee</organization>
</author>
<date month="July" year="2002" />
</front>
<seriesInfo name="CCITT" value="Recommendation X.680" />
</reference>
<reference anchor="CCITT.X690">
<front>
<title>ASN.1 encoding rules: Specification of basic encoding Rules (BER), Canonical encoding rules (CER) and Distinguished encoding rules (DER)</title>
<author>