Upload
cynthia-neal
View
214
Download
0
Embed Size (px)
DESCRIPTION
ECDSA 224 and MuGM3 Elliptic Curve Digital Signature (ECDSA) is introduced in the current IEEE d in two options ECDSA 224 ECDSA 256 Need some clarifications - ECDSA 224 can imply ECDSA using a curve with 224 bit group size. That is, the group order is n and the binary length is 224 bits with any hash function (in SHA-2); ECDSA over an elliptic curve with any group order n such that n is at least 224 bits and using SHA-224 as a hash function; or ECDSA over a curve with group order n with length 224 bits and SHA-224.
Citation preview
IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-13-00xx-ECDSATitle: Discussion on introducing ECDSA to 802.21d for group
managementDate Submitted: July 16, 2013Presented at IEEE 802.21 session #57 in Geneva, SwitzerlandAuthors or Source(s): Lily Chen (NIST), Karen Randall (Randall-Consulting)Abstract: Discuss whether additional information is needed when
using ECDSA for group management.
121-13-0090-00-MuGM
21-13-0090-00-MuGM 2
IEEE 802.21 presentation release statementsThis document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis
for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21.
The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws <http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and in Understanding Patent Issues During IEEE Standards Development http://standards.ieee.org/board/pat/faq.pdf>
ECDSA 224 and 256
21-13-0090-00-MuGM 3
• Elliptic Curve Digital Signature (ECDSA) is introduced in the current IEEE 802.21d in two options• ECDSA 224• ECDSA 256
• Need some clarifications - ECDSA 224 can imply• ECDSA using a curve with 224 bit group size. That is, the
group order is n and the binary length is 224 bits with any hash function (in SHA-2); • ECDSA over an elliptic curve with any group order n such
that n is at least 224 bits and using SHA-224 as a hash function; or• ECDSA over a curve with group order n with length 224
bits and SHA-224.
Identifier on ECDSA
• An X.509 certificate includes the parameters for the finite field (e.g., p for GF(p)), elliptic curve (e.g. a and b in the elliptic curve equation y^2 = x^3 + ax + b), which hash function to use, etc.
• Will ECDSA-224 permit any curve with the binary size of n at least 224 bits?
• In fact, there can be many such curves.• If we restrict the curves to NIST specified curves (P-224 and
P-256) with the OID defined in IETF RFC 5480 (also IEEE 802.1AR), then ECDSA-224 and ECDSA-256 will represent signature with specific curves. We can further require to use SHA-224 for P-224 and SHA-256 for P-256. (We can also use SHA-256 for both).
21-13-0090-00-MuGM 4
ECDSA Algorithm Identifier• If we restrict the curves to NIST specified curves (P-224 and P-
256) with the OID defined in IETF RFC 5480 (also IEEE 802.1AR), we can include algorithm identifier and cryptographic primitives in Clause 9.4.6 (along with reference).
• From IEEE 802.1AR-2009, the EC signature algorithm is defined as ECDSA with SHA-256 as specified in RFC 5008. The signature algorithm identifier is :
ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-sha2(3) 2 }
• IEEE 802.1AR also specifies identifiers for the EC public key, ECParameters, and namedCurve (P-256) as well as other guidance for implementation.
21-13-0090-00-MuGM 5
ECDSA and AES CCM• In the current cipher suites, some of them use both AES-CCM
and ECDSA.• AES-CCM is an authenticated encryption. If AES-CCM is
applied to the data, why is a signature needed?• Will the signature be applied to the ciphertext? • Will the signature be applied to both group manipulation
command and group command? • Is the data that is protected by AES-CCM the same as
protected by signature?
21-13-0090-00-MuGM 6
Summary
21-13-0090-00-MuGM 7
• Some clarifications are needed to determine and specify ECDSA support.
• Rationales need to be discussed on using AES-CCM with signature in some cipher suites.