Modern cryptography TKEY

Internet Systems Consortium, fdupont@isc.org
DNS Extensions Working Group
Keywords: ECDH, TKEY

Abstract

This document updates the TKEY resource record specification for the use of Elliptic Curve Diffie-Hellman (ECDH), and updates the related IANA registries.

Introduction

The TKEY resource record was designed to enable the establishment of a shared secret between a DNS client and a server, using either GSS-API or a Diffie-Hellman exchange.

The purpose of this document is to modernize the cryptography used by the Diffie-Hellman variant of TKEY, i.e., to move to ECDH (Elliptic Curve Diffie-Hellman). As a side effect, the registries for the DH KEY and SIG(0) resource records are updated.

Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

New Well-Known Groups

This document specifies a new "well-known group" with a 1536 bit prime for the DH KEY resource record, taken from the expired revision , in the . (This group is already supported by some implementations; the idea is to make it official.)

The NIST P-256 and P-384 curve groups are added as groups 13 and 14. These groups are already used in several IETF RFCs, including , or for DNSSEC . A public key is the uncompressed form of a curve point, so twice 256 or 384 bits. The shared secret is the first (x) coordinate of the Diffie-Hellman common value, so 256 or 384 bits.

ECDH TKEY

The ECDH TKEY reuses the DH TKEY specification (RFC 2930, section 4.1) with the following changes.

The Diffie-Hellman exchange uses the Elliptic Curve P-256 group, and the hash function is SHA-256.

The "key data" lengths MUST be at least 128 bits / 16 octets, and SHOULD be at most 256 bits / 32 octets.

The "keying material" is derived using the formula (taken from IKEv2):
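The P-256 exchange described in this section, as an added example that is not part of the draft: pure-Python affine point arithmetic for the curve, the uncompressed public-key encoding, the 32-octet x-coordinate shared secret, and a check of the "key data" length rule. The private scalars are constructed test values, the arithmetic is not constant-time, and the example stops at the shared secret, before the IKEv2 keying-material derivation.

```python
# Added example (not the draft's code): P-256 ECDH, affine coordinates, demo only.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(x, y):
    """True if (x, y) satisfies y^2 = x^3 + A*x + B (mod P)."""
    return (y * y - (x * x * x + A * x + B)) % P == 0

def _add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # Q + (-Q) = infinity
    if p1 == p2:                         # doubling uses the tangent slope
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication k * pt (not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def public_key(d):
    """Uncompressed point 0x04 || X || Y: 1 + 2 * 32 octets for P-256."""
    x, y = _mul(d, G)
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

def shared_secret(d, peer_pub):
    """Shared secret = x-coordinate of d * Q_peer, 32 octets (256 bits)."""
    if len(peer_pub) != 65 or peer_pub[0] != 0x04:
        raise ValueError("expected an uncompressed P-256 point")
    qx, qy = int.from_bytes(peer_pub[1:33], "big"), int.from_bytes(peer_pub[33:], "big")
    if not on_curve(qx, qy):             # reject invalid-curve inputs
        raise ValueError("peer point is not on P-256")
    return _mul(d, (qx, qy))[0].to_bytes(32, "big")
def key_data_ok(key_data):
    """Draft rule for "key data": MUST be >= 16 octets, SHOULD be <= 32."""
    return 16 <= len(key_data) <= 32
```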
IANA Considerations

The "DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs" registry is modified by the addition of entries for 3, 13 and 14, with "A 1536 bit prime", "EC P-256" and "EC P-384" as descriptions, and this document as the reference.

The "DNS Security Algorithm Numbers" registry is modified by adding TKEY in the "transaction security mechanisms" and by making ECDSAP256SHA256 and ECDSAP384SHA384 eligible for transaction security.

The "SIG (0) Algorithm Numbers" registry is either updated and aligned with the preceding one, or simply suppressed, as its content was merged into the preceding one.

Security Considerations

Elliptic Curve cryptography is considered as safe as modular prime field cryptography, but with faster operations and far smaller payloads, so it should be a vector for better security.

In the same way, more support and use of TKEY should be encouraged. This is why it had to be re-based on modern cryptography tools.

Sharing a private key between two different usages is recognized as a bad practice, so when an ECDH TKEY is authenticated by ECDSAP256SHA256, the private key SHOULD NOT be shared.

Acknowledgments

Donald E. Eastlake 3rd is the author of the expired DH KEY revision from which the well-known group 3 was taken.

Appendix: Well-Known Group 3

The prime is 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }.

Its decimal value is:

Prime modulus: Length (32 bit words): 48, Data (hex):

Generator: Length (32 bit words): 1, Data (hex): 2