Network Working Group M. Lepinski
Request for Comments: 5114 S. Kent
Category: Informational BBN Technologies
January 2008
Additional Diffie-Hellman Groups for Use with IETF Standards
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Abstract
This document describes eight Diffie-Hellman groups that can be used
in conjunction with IETF protocols to provide security for Internet
communications. The groups allow implementers to use the same groups
with a variety of security protocols, e.g., SMIME, Secure SHell
(SSH), Transport Layer Security (TLS), and Internet Key Exchange
(IKE).
All of these groups comply in form and structure with relevant
standards from ISO, ANSI, NIST, and the IEEE. These groups are
compatible with all IETF standards that make use of Diffie-Hellman or
Elliptic Curve Diffie-Hellman cryptography.
These groups and the associated test data are defined by NIST on
their web site [EX80056A], but have not yet (as of this writing) been
published in a formal NIST document. Publication of these groups and
associated test data, as well as describing how to use Diffie-Hellman
and Elliptic Curve Diffie-Hellman for key agreement in all of the
protocols cited below, in one RFC, will facilitate development of
interoperable implementations and support the Federal Information
Processing Standard (FIPS) validation of implementations that make
use of these groups.
Lepinski & Kent Informational [Page 1]
RFC 5114 Additional Diffie-Hellman Groups January 2008
Table of Contents
1. Introduction
2. Additional Diffie-Hellman Groups
   2.1. 1024-bit MODP Group with 160-bit Prime Order Subgroup
   2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup
   2.3. 2048-bit MODP Group with 256-bit Prime Order Subgroup
   2.4. 192-bit Random ECP Group
   2.5. 224-bit Random ECP Group
   2.6. 256-bit Random ECP Group
   2.7. 384-bit Random ECP Group
   2.8. 521-bit Random ECP Group
3. Using These Groups with IETF Standards
   3.1. X.509 Certificates
   3.2. IKE
   3.3. TLS
   3.4. SSH
   3.5. SMIME
4. Security Considerations
5. IANA Considerations
6. Acknowledgments
Appendix A: Test Data
   A.1. 1024-bit MODP Group with 160-bit Prime Order Subgroup
   A.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup
   A.3. 2048-bit MODP Group with 256-bit Prime Order Subgroup
   A.4. 192-bit Random ECP Group
   A.5. 224-bit Random ECP Group
   A.6. 256-bit Random ECP Group
   A.7. 384-bit Random ECP Group
   A.8. 521-bit Random ECP Group
Normative References
Informative References
1. Introduction
This document provides parameters and test data for several
Diffie-Hellman (D-H) groups that can be used with IETF protocols that
employ D-H keys (e.g., IKE, TLS, SSH, and SMIME) and with IETF
standards, such as Public Key Infrastructure for X.509 Certificates
(PKIX) (for certificates that carry D-H keys). These groups
complement others already documented for the IETF, including the
"Oakley" groups defined in RFC 2409 [RFC2409] for use with IKEv1, and
several additional D-H groups defined later, e.g., [RFC3526] and
[RFC4492].
The initial impetus for the definition of D-H groups (in the IETF)
arose in the IPsec (IKE) context, because of the use of an ephemeral,
unauthenticated D-H exchange as the starting point for that protocol.
RFC 2409 defined five standard Oakley Groups: three modular
exponentiation groups and two elliptic curve groups over GF[2^N].
One modular exponentiation group (768 bits - Oakley Group 1) was
declared to be mandatory for all IKEv1 implementations to support,
while the other four were optional. Sixteen additional groups
subsequently have been defined and registered with IANA for use with
IKEv1, including eight that have also been registered for use with
IKEv2. All of these additional groups are optional in the IKE
context. Of the twenty-one groups defined so far for use with IKE,
eight are MODP groups (exponentiation groups modulo a prime), ten are
EC2N groups (elliptic curve groups over GF[2^N]), and three are ECP
groups (elliptic curve groups over GF[P]).
The purpose of this document is to provide the parameters and test
data for eight additional groups, in a format consistent with
existing RFCs along with instructions on how these groups can be used
with IETF protocols such as SMIME, SSH, TLS, and IKE. Three of these
groups were previously specified for use with IKE [RFC4753], and five
of these groups were previously specified for use with TLS [RFC4492].
(The latter document does not provide or reference test data for the
specified groups). By combining the specification of all eight
groups with test data and instructions for use in a variety of
protocols, this document serves as a resource for implementers who
may wish to offer the same Diffie-Hellman groups for use with
multiple IETF protocols.
All of these groups are compatible with applicable ISO [ISO-14888-3],
ANSI [X9.62], and NIST [NIST80056A] standards for Diffie-Hellman key
exchange. These groups and the associated test data are defined by
NIST on their web site [EX80056A], but have not yet (as of this
writing) been published in a formal NIST document. Publication of
these groups with associated test data as an RFC will facilitate
development of interoperable implementations and support FIPS
validation of implementations that make use of these groups.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Additional Diffie-Hellman Groups
This section contains the specification for eight groups for use in
IKE, TLS, SSH, etc. There are three standard prime modulus groups
and five elliptic curve groups. All groups were taken from
publications of the National Institute of Standards and Technology,
specifically [DSS] and [NIST80056A]. Test data for each group is
provided in Appendix A.
2.1. 1024-bit MODP Group with 160-bit Prime Order Subgroup
The hexadecimal value of the prime is:
p = B10B8F96 A080E01D DE92DE5E AE5D54EC 52C99FBC FB06A3C6
9A6A9DCA 52D23B61 6073E286 75A23D18 9838EF1E 2EE652C0
13ECB4AE A9061123 24975C3C D49B83BF ACCBDD7D 90C4BD70
98488E9C 219A7372 4EFFD6FA E5644738 FAA31A4F F55BCCC0
A151AF5F 0DC8B4BD 45BF37DF 365C1A65 E68CFDA7 6D4DA708
DF1FB2BC 2E4A4371
The hexadecimal value of the generator is:
g = A4D1CBD5 C3FD3412 6765A442 EFB99905 F8104DD2 58AC507F
D6406CFF 14266D31 266FEA1E 5C41564B 777E690F 5504F213
160217B4 B01B886A 5E91547F 9E2749F4 D7FBD7D3 B9A92EE1
909D0D22 63F80A76 A6A24C08 7A091F53 1DBF0A01 69B6A28A
D662A4D1 8E73AFA3 2D779D59 18D08BC8 858F4DCE F97C2A24
855E6EEB 22B3B2E5
The generator generates a prime-order subgroup of size:
q = F518AA87 81A8DF27 8ABA4E7D 64B7CB9D 49462353
2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup
The hexadecimal value of the prime is:
p = AD107E1E 9123A9D0 D660FAA7 9559C51F A20D64E5 683B9FD1
B54B1597 B61D0A75 E6FA141D F95A56DB AF9A3C40 7BA1DF15
EB3D688A 309C180E 1DE6B85A 1274A0A6 6D3F8152 AD6AC212
9037C9ED EFDA4DF8 D91E8FEF 55B7394B 7AD5B7D0 B6C12207
C9F98D11 ED34DBF6 C6BA0B2C 8BBC27BE 6A00E0A0 B9C49708
B3BF8A31 70918836 81286130 BC8985DB 1602E714 415D9330
278273C7 DE31EFDC 7310F712 1FD5A074 15987D9A DC0A486D
CDF93ACC 44328387 315D75E1 98C641A4 80CD86A1 B9E587E8
BE60E69C C928B2B9 C52172E4 13042E9B 23F10B0E 16E79763
C9B53DCF 4BA80A29 E3FB73C1 6B8E75B9 7EF363E2 FFA31F71
CF9DE538 4E71B81C 0AC4DFFE 0C10E64F
The hexadecimal value of the generator is:
g = AC4032EF 4F2D9AE3 9DF30B5C 8FFDAC50 6CDEBE7B 89998CAF
74866A08 CFE4FFE3 A6824A4E 10B9A6F0 DD921F01 A70C4AFA
AB739D77 00C29F52 C57DB17C 620A8652 BE5E9001 A8D66AD7
C1766910 1999024A F4D02727 5AC1348B B8A762D0 521BC98A
E2471504 22EA1ED4 09939D54 DA7460CD B5F6C6B2 50717CBE
F180EB34 118E98D1 19529A45 D6F83456 6E3025E3 16A330EF
BB77A86F 0C1AB15B 051AE3D4 28C8F8AC B70A8137 150B8EEB
10E183ED D19963DD D9E263E4 770589EF 6AA21E7F 5F2FF381
B539CCE3 409D13CD 566AFBB4 8D6C0191 81E1BCFE 94B30269
EDFE72FE 9B6AA4BD 7B5A0F1C 71CFFF4C 19C418E1 F6EC0179
81BC087F 2A7065B3 84B890D3 191F2BFA
The generator generates a prime-order subgroup of size:
q = 801C0D34 C58D93FE 99717710 1F80535A 4738CEBC BF389A99
B36371EB
2.3. 2048-bit MODP Group with 256-bit Prime Order Subgroup
The hexadecimal value of the prime is:
p = 87A8E61D B4B6663C FFBBD19C 65195999 8CEEF608 660DD0F2
5D2CEED4 435E3B00 E00DF8F1 D61957D4 FAF7DF45 61B2AA30
16C3D911 34096FAA 3BF4296D 830E9A7C 209E0C64 97517ABD
5A8A9D30 6BCF67ED 91F9E672 5B4758C0 22E0B1EF 4275BF7B
6C5BFC11 D45F9088 B941F54E B1E59BB8 BC39A0BF 12307F5C
4FDB70C5 81B23F76 B63ACAE1 CAA6B790 2D525267 35488A0E
F13C6D9A 51BFA4AB 3AD83477 96524D8E F6A167B5 A41825D9
67E144E5 14056425 1CCACB83 E6B486F6 B3CA3F79 71506026
C0B857F6 89962856 DED4010A BD0BE621 C3A3960A 54E710C3
75F26375 D7014103 A4B54330 C198AF12 6116D227 6E11715F
693877FA D7EF09CA DB094AE9 1E1A1597
The hexadecimal value of the generator is:
g = 3FB32C9B 73134D0B 2E775066 60EDBD48 4CA7B18F 21EF2054
07F4793A 1A0BA125 10DBC150 77BE463F FF4FED4A AC0BB555
BE3A6C1B 0C6B47B1 BC3773BF 7E8C6F62 901228F8 C28CBB18
A55AE313 41000A65 0196F931 C77A57F2 DDF463E5 E9EC144B
777DE62A AAB8A862 8AC376D2 82D6ED38 64E67982 428EBC83
1D14348F 6F2F9193 B5045AF2 767164E1 DFC967C1 FB3F2E55
A4BD1BFF E83B9C80 D052B985 D182EA0A DB2A3B73 13D3FE14
C8484B1E 052588B9 B7D2BBD2 DF016199 ECD06E15 57CD0915
B3353BBB 64E0EC37 7FD02837 0DF92B52 C7891428 CDC67EB6
184B523D 1DB246C3 2F630784 90F00EF8 D647D148 D4795451
5E2327CF EF98C582 664B4C0F 6CC41659
The generator generates a prime-order subgroup of size:
q = 8CF83642 A709A097 B4479976 40129DA2 99B1A47D 1EB3750B
A308B0FE 64F5FBD3
2.4. 192-bit Random ECP Group
The curve is based on the integers modulo the prime p given by:
p = 2^(192) - 2^(64) - 1
Group prime (in hexadecimal):
p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFF
The equation for the elliptic curve is:
y^2 = x^3 + ax + b (mod p)
Group curve parameter A (in hexadecimal):
a = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFC
Group curve parameter B (in hexadecimal):
b = 64210519 E59C80E7 0FA7E9AB 72243049 FEB8DEEC C146B9B1
The generator for this group is given by: g=(gx,gy) where
gx = 188DA80E B03090F6 7CBF20EB 43A18800 F4FF0AFD 82FF1012
gy = 07192B95 FFC8DA78 631011ED 6B24CDD5 73F977A1 1E794811
Group order (in hexadecimal):
n = FFFFFFFF FFFFFFFF FFFFFFFF 99DEF836 146BC9B1 B4D22831
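The following Python sketch is an added example, not part of the RFC text. It loads the 192-bit Random ECP Group parameters exactly as printed above, checks them against the stated formulas, and validates a received point (range, curve equation, order n). The function names are hypothetical, and the validation steps are assumed to follow the full public key validation of [NIST80056A]; the same code applies to the other four ECP groups when their parameters are substituted.

```python
# Added example: parameters copied from Section 2.4; function names are hypothetical.

def h(s: str) -> int:
    """Parse the RFC's space-separated hexadecimal notation."""
    return int("".join(s.split()), 16)

P = 2**192 - 2**64 - 1
A = h("FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFC")
B = h("64210519 E59C80E7 0FA7E9AB 72243049 FEB8DEEC C146B9B1")
G = (h("188DA80E B03090F6 7CBF20EB 43A18800 F4FF0AFD 82FF1012"),
     h("07192B95 FFC8DA78 631011ED 6B24CDD5 73F977A1 1E794811"))
N = h("FFFFFFFF FFFFFFFF FFFFFFFF 99DEF836 146BC9B1 B4D22831")

def parameters_consistent() -> bool:
    """The printed hex prime matches the formula, and a = p - 3."""
    printed_p = h("FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFF")
    return printed_p == P and A == P - 3

def on_curve(pt) -> bool:
    """Check y^2 = x^3 + ax + b (mod p) for an affine point."""
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # P + (-P) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def mul(k: int, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def validate_point(pt) -> bool:
    """Accept only a finite point, in range, on the curve, of order n."""
    if pt is None:
        return False
    x, y = pt
    if not (0 <= x < P and 0 <= y < P):
        return False
    return on_curve(pt) and mul(N, pt) is None

if __name__ == "__main__":
    print("parameters consistent:", parameters_consistent())
    print("generator valid:", validate_point(G))
    # Constructed invalid input: same x, y shifted by one.
    print("tampered point valid:", validate_point((G[0], G[1] + 1)))
```

The scalar multiplication here is for checking parameters and received points only; it is not constant time and is not suitable for operations on secret values.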
2.5. 224-bit Random ECP Group
The curve is based on the integers modulo the prime p given by:
p = 2^(224) - 2^(96) + 1
Group prime (in hexadecimal):
p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 00000000
00000001
The equation for the elliptic curve is:
y^2 = x^3 + ax + b (mod p)
Group curve parameter A (in hexadecimal):
a = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFF
FFFFFFFE
Group curve parameter B (in hexadecimal):
b = B4050A85 0C04B3AB F5413256 5044B0B7 D7BFD8BA 270B3943
2355FFB4
The generator for this group is given by: g=(gx,gy) where
gx = B70E0CBD 6BB4BF7F 321390B9 4A03C1D3 56C21122 343280D6
115C1D21
gy = BD376388 B5F723FB 4C22DFE6 CD4375A0 5A074764 44D58199
85007E34
Group Order (in hexadecimal):
n = FFFFFFFF FFFFFFFF FFFFFFFF FFFF16A2 E0B8F03E 13DD2945
5C5C2A3D
2.6. 256-bit Random ECP Group
The curve is based on the integers modulo the prime p given by:
p = 2^(256)-2^(224)+2^(192)+2^(96)-1
Group prime (in hexadecimal):
p = FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF
FFFFFFFF FFFFFFFF
The equation for the elliptic curve is:
y^2 = x^3 + ax + b (mod p)
Group curve parameter A (in hexadecimal):
a = FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF
FFFFFFFF FFFFFFFC
Group curve parameter B (in hexadecimal):
b = 5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6
3BCE3C3E 27D2604B
The generator for this group is given by: g=(gx,gy) where
gx = 6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0
F4A13945 D898C296
gy = 4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE
CBB64068 37BF51F5
Group Order (in hexadecimal):
n = FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84
F3B9CAC2 FC632551
2.7. 384-bit Random ECP Group
The curve is based on the integers modulo the prime p given by:
p = 2^(384)-2^(128)-2^(96)+2^(32)-1
Group prime (in hexadecimal):
p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFE FFFFFFFF 00000000 00000000 FFFFFFFF
The equation for the elliptic curve is:
y^2 = x^3 + ax + b (mod p)
Group curve parameter A (in hexadecimal):
a = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFE FFFFFFFF 00000000 00000000 FFFFFFFC
Group curve parameter B (in hexadecimal):
b = B3312FA7 E23EE7E4 988E056B E3F82D19 181D9C6E FE814112
0314088F 5013875A C656398D 8A2ED19D 2A85C8ED D3EC2AEF
The generator for this group is given by: g=(gx,gy) where
gx = AA87CA22 BE8B0537 8EB1C71E F320AD74 6E1D3B62 8BA79B98
59F741E0 82542A38 5502F25D BF55296C 3A545E38 72760AB7
gy = 3617DE4A 96262C6F 5D9E98BF 9292DC29 F8F41DBD 289A147C
E9DA3113 B5F0B8C0 0A60B1CE 1D7E819D 7A431D7C 90EA0E5F
Group Order (in hexadecimal):
n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
C7634D81 F4372DDF 581A0DB2 48B0A77A ECEC196A CCC52973
2.8. 521-bit Random ECP Group
The curve is based on the integers modulo the prime p given by:
p = 2^(521)-1
Group Prime (in hexadecimal):
p = 000001FF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
The equation for the elliptic curve is:
y^2 = x^3 + ax + b (mod p)
Group curve parameter A (in hexadecimal):
a = 000001FF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFC
Group curve parameter B (in hexadecimal):
b = 00000051 953EB961 8E1C9A1F 929A21A0 B68540EE A2DA725B
99B315F3 B8B48991 8EF109E1 56193951 EC7E937B 1652C0BD
3BB1BF07 3573DF88 3D2C34F1 EF451FD4 6B503F00
The generator for this group is given by: g=(gx,gy) where
gx = 000000C6 858E06B7 0404E9CD 9E3ECB66 2395B442 9C648139
053FB521 F828AF60 6B4D3DBA A14B5E77 EFE75928 FE1DC127
A2FFA8DE 3348B3C1 856A429B F97E7E31 C2E5BD66
gy = 00000118 39296A78 9A3BC004 5C8A5FB4 2C7D1BD9 98F54449
579B4468 17AFBD17 273E662C 97EE7299 5EF42640 C550B901
3FAD0761 353C7086 A272C240 88BE9476 9FD16650
Group Order (in hexadecimal):
n = 000001FF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFA 51868783 BF2F966B 7FCC0148
F709A5D0 3BB5C9B8 899C47AE BB6FB71E 91386409
3. Using These Groups with IETF Standards
3.1. X.509 Certificates
Representation of both MODP and Elliptic Curve Diffie-Hellman public
keys (and associated parameters) in X.509 certificates is defined in
[RFC3279]. The MODP groups defined above MUST be represented via the
syntax defined in Section 2.3.3, and the elliptic curve groups via
the syntax defined in Section 2.3.5 of that RFC. When a
Diffie-Hellman public key is encoded in a certificate, if the
KeyUsage extension is present, the keyAgreement bit MUST be
asserted, and encipherOnly or decipherOnly (but not both) MAY be
asserted.
3.2. IKE
Use of MODP Diffie-Hellman groups with IKEv2 is defined in [RFC4306],
and the use of MODP groups with IKEv1 is defined in [RFC2409].
However, in the case of ECP Diffie-Hellman groups, the format of key
exchange payloads and the derivation of a shared secret have thus far
been specified on a group-by-group basis. For the ECP Diffie-Hellman
groups defined in this document, the key exchange payload format and
shared key derivation procedure specified in [RFC4753] MUST be used
(with both IKEv2 and IKEv1).
In order to use a Diffie-Hellman group with IKE, it is required that
a transform ID for the group be registered with IANA. The following
table provides the Transform IDs of each Diffie-Hellman group
described in this document, as registered in both [IANA-IKE] and
[IANA-IKE2].
NAME | NUMBER
--------------------------------------------------------+---------
1024-bit MODP Group with 160-bit Prime Order Subgroup | 22
2048-bit MODP Group with 224-bit Prime Order Subgroup | 23
2048-bit MODP Group with 256-bit Prime Order Subgroup | 24
192-bit Random ECP Group | 25
224-bit Random ECP Group | 26
256-bit Random ECP Group | 19
384-bit Random ECP Group | 20
521-bit Random ECP Group | 21
3.3. TLS
Use of MODP Diffie-Hellman groups in TLS 1.1 is defined in [RFC4346].
TLS 1.0, the widely deployed predecessor of TLS 1.1, is specified in
[RFC2246] and is the same as TLS 1.1 with respect to the use of
(MODP) Diffie-Hellman to compute a pre-Master secret. (Currently,
the TLS working group is in the process of producing a specification
for TLS 1.2. It is unlikely that TLS 1.2 will make significant
changes to the use of Diffie-Hellman, and thus the following will
likely also be applicable to TLS 1.2).
A server may employ a certificate containing (fixed) Diffie-Hellman
parameters, and likewise for a client using a certificate. Thus, the
relevant PKIX RFCs (see 3.1 above) are applicable. Alternatively, a
server may send ephemeral Diffie-Hellman parameters in the server key
exchange message, where the message signature is verified using an
RSA- or DSS-signed server certificate. The details for accomplishing
this for MODP Diffie-Hellman groups are provided in [RFC2246].
Use of Elliptic Curve Diffie-Hellman in TLS 1.1 (and 1.0) is defined
in [RFC4492]. The elliptic curves in this document appear in the
IANA EC Named Curve Registry [IANA-TLS], although the names in the
registry are taken from the Standards for Efficient Cryptography
Group (SECG) specification [SECG] and differ from the names appearing
in NIST publications. The following table provides the EC Named
Curve ID for each of the elliptic curves along with both the NIST
name and the SECG name for the curve.
NAME (NIST) | NUMBER | NAME (SECG)
---------------------------------+--------------+---------------
192-bit Random ECP Group | 19 | secp192r1
224-bit Random ECP Group | 21 | secp224r1
256-bit Random ECP Group | 23 | secp256r1
384-bit Random ECP Group | 24 | secp384r1
521-bit Random ECP Group | 25 | secp521r1
3.4. SSH
Use of Diffie-Hellman with SSH was defined initially in [RFC4253].
That RFC defined two MODP Diffie-Hellman groups, and called for the
registration of additional groups via an IANA registry. However,
[RFC4419] extended the original model to allow MODP Diffie-Hellman
parameters to be transmitted as part of the key exchange messages.
Thus, using RFC 4419, no additional specifications (or IANA registry
actions) are required to enable use of the MODP groups defined in
this document. At this time, no RFC describes the use of Elliptic
Curve Diffie-Hellman with SSH. However, [SSH-ECC] provides a
description of how to make use of Elliptic Curve Diffie-Hellman with
SSH.
3.5. SMIME
Use of Diffie-Hellman in SMIME is defined via a discussion of
Cryptographic Message Syntax (CMS) enveloped data [RFC3852]. For
MODP Diffie-Hellman, the appropriate reference is [RFC2631]. This
specification calls for a sender to extract the Diffie-Hellman (MODP)
parameters from a recipient's certificate, and thus the PKIX
specifications for representation of Diffie-Hellman parameters
suffice. The sender transmits his public key via the
OriginatorIdentifierOrKey field, or via a reference to the sender's
certificate.
Use of Elliptic Curve Diffie-Hellman in CMS is defined in [RFC3278].
As with use of MODP Diffie-Hellman in the CMS context, the sender is
assumed to acquire the recipient's public key and parameters from a
certificate. The sender includes his Elliptic Curve Diffie-Hellman
public key in the KeyAgreeRecipientInfo originator field. (See
Section 8.2 of RFC 3278 for details of the ECC-CMS-SharedInfo).
4. Security Considerations
The strength of a key derived from a Diffie-Hellman exchange using
any of the groups defined here depends on the inherent strength of
the group, the size of the exponent used, and the entropy provided by
the random number generator used. The groups defined in this
document were chosen to make the work factor for solving the discrete
logarithm problem roughly comparable to an attack on the subgroup.
Using secret keys of an appropriate size is crucial to the security
of a Diffie-Hellman exchange. For modular exponentiation groups, the
size of the secret key should be equal to the size of q (the size of
the prime order subgroup). For elliptic curve groups, the size of
the secret key must be equal to the size of n (the order of the group
generated by the point g). Using larger secret keys provides
absolutely no additional security, and using smaller secret keys is
likely to result in dramatically less security. (See [NIST80056A]
for more information on selecting secret keys.)
When secret keys of an appropriate size are used, an approximation of
the strength of each of the Diffie-Hellman groups is provided in the
table below. For each group, the table contains an RSA key size and
symmetric key size that provide roughly equivalent levels of
security. This data is based on the recommendations in [NIST80057].
GROUP | SYMMETRIC | RSA
-------------------------------------------+------------+-------
1024-bit MODP with 160-bit Prime Subgroup | 80 | 1024
2048-bit MODP with 224-bit Prime Subgroup | 112 | 2048
2048-bit MODP with 256-bit Prime Subgroup | 112 | 2048
192-bit Random ECP Group | 80 | 1024
224-bit Random ECP Group | 112 | 2048
256-bit Random ECP Group | 128 | 3072
384-bit Random ECP Group | 192 | 7680
521-bit Random ECP Group | 256 | 15360
5. IANA Considerations
IANA has taken the following actions:
Updated the IKE and IKEv2 registries to include the following five
groups defined in this document: (Note that the other three ECP
groups defined in this document have already been added to the IKE
registry).
o 1024-bit MODP Group with 160-bit Prime Order Subgroup
o 2048-bit MODP Group with 224-bit Prime Order Subgroup
o 2048-bit MODP Group with 256-bit Prime Order Subgroup
o 192-bit Random ECP Group
o 224-bit Random ECP Group
Updated [IANA-IKE] and [IANA-IKE2] to reflect the above, which now
appear as entries in the list of Diffie-Hellman groups given by Group
Description. The descriptions are as stated above.
6. Acknowledgments
We wish to thank NIST for publishing the group definitions and
providing test data to assist implementers in verifying that software
or hardware correctly implements these groups. We also wish to thank
Tero Kivinen and Sean Turner for providing helpful comments after
reviewing an earlier version of this document.
Appendix A. Test Data
The test data in this appendix is a protocol-independent subset of
the test data in [EX80056A]. In the test data for the three modular
exponentiation groups, we use the following notation:
xA: The secret key of party A
yA: The public key of party A
xB: The secret key of party B
yB: The public key of party B
Z: The shared secret that results from the Diffie-Hellman
computation
In the test data for the five elliptic curve groups, we use the
following notation:
dA: The secret value of party A
x_qA: The x-coordinate of the public key of party A
y_qA: The y-coordinate of the public key of party A
dB: The secret value of party B
x_qB: The x-coordinate of the public key of party B
y_qB: The y-coordinate of the public key of party B
x_Z: The x-coordinate of the shared secret that results from the
Diffie-Hellman computation
y_Z: The y-coordinate of the shared secret that results from the
Diffie-Hellman computation
A.1. 1024-bit MODP Group with 160-bit Prime Order Subgroup
xA = B9A3B3AE 8FEFC1A2 93049650 7086F845 5D48943E
yA = 2A853B3D 92197501
B9015B2D EB3ED84F 5E021DCC 3E52F109 D3273D2B 7521281C
BABE0E76 FF5727FA 8ACCE269 56BA9A1F CA26F202 28D8693F
EB10841D 84A73600 54ECE5A7 F5B7A61A D3DFB3C6 0D2E4310
6D8727DA 37DF9CCE 95B47875 5D06BCEA 8F9D4596 5F75A5F3
D1DF3701 165FC9E5 0C4279CE B07F9895 40AE96D5 D88ED776
xB = 9392C9F9 EB6A7A6A 9022F7D8 3E7223C6 835BBDDA
yB = 717A6CB0 53371FF4
A3B93294 1C1E5663 F861A1D6 AD34AE66 576DFB98 F6C6CBF9
DDD5A56C 7833F6BC FDFF0955 82AD868E 440E8D09 FD769E3C
ECCDC3D3 B1E4CFA0 57776CAA F9739B6A 9FEE8E74 11F8D6DA
C09D6A4E DB46CC2B 5D520309 0EAE6126 311E53FD 2C14B574
E6A3109A 3DA1BE41 BDCEAA18 6F5CE067 16A2B6A0 7B3C33FE
Z = 5C804F45 4D30D9C4
DF85271F 93528C91 DF6B48AB 5F80B3B5 9CAAC1B2 8F8ACBA9
CD3E39F3 CB614525 D9521D2E 644C53B8 07B810F3 40062F25
7D7D6FBF E8D5E8F0 72E9B6E9 AFDA9413 EAFB2E8B 0699B1FB
5A0CACED DEAEAD7E 9CFBB36A E2B42083 5BD83A19 FB0B5E96
BF8FA4D0 9E345525 167ECD91 55416F46 F408ED31 B63C6E6D
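The following Python sketch is an added example, not part of the RFC text. It reproduces the A.1 test data from the Section 2.1 parameters, draws a secret key sized to q as Section 4 requires, and rejects a peer public value that is out of range or outside the prime-order subgroup. The function names are hypothetical, and the validation check is assumed to follow the full public key validation of [NIST80056A].

```python
# Added example: values copied from Sections 2.1 and A.1; function names are hypothetical.
import secrets

def h(s: str) -> int:
    """Parse the RFC's space-separated hexadecimal notation."""
    return int("".join(s.split()), 16)

P = h("""B10B8F96 A080E01D DE92DE5E AE5D54EC 52C99FBC FB06A3C6
         9A6A9DCA 52D23B61 6073E286 75A23D18 9838EF1E 2EE652C0
         13ECB4AE A9061123 24975C3C D49B83BF ACCBDD7D 90C4BD70
         98488E9C 219A7372 4EFFD6FA E5644738 FAA31A4F F55BCCC0
         A151AF5F 0DC8B4BD 45BF37DF 365C1A65 E68CFDA7 6D4DA708
         DF1FB2BC 2E4A4371""")
G = h("""A4D1CBD5 C3FD3412 6765A442 EFB99905 F8104DD2 58AC507F
         D6406CFF 14266D31 266FEA1E 5C41564B 777E690F 5504F213
         160217B4 B01B886A 5E91547F 9E2749F4 D7FBD7D3 B9A92EE1
         909D0D22 63F80A76 A6A24C08 7A091F53 1DBF0A01 69B6A28A
         D662A4D1 8E73AFA3 2D779D59 18D08BC8 858F4DCE F97C2A24
         855E6EEB 22B3B2E5""")
Q = h("F518AA87 81A8DF27 8ABA4E7D 64B7CB9D 49462353")

XA = h("B9A3B3AE 8FEFC1A2 93049650 7086F845 5D48943E")
YA = h("""2A853B3D 92197501
          B9015B2D EB3ED84F 5E021DCC 3E52F109 D3273D2B 7521281C
          BABE0E76 FF5727FA 8ACCE269 56BA9A1F CA26F202 28D8693F
          EB10841D 84A73600 54ECE5A7 F5B7A61A D3DFB3C6 0D2E4310
          6D8727DA 37DF9CCE 95B47875 5D06BCEA 8F9D4596 5F75A5F3
          D1DF3701 165FC9E5 0C4279CE B07F9895 40AE96D5 D88ED776""")
XB = h("9392C9F9 EB6A7A6A 9022F7D8 3E7223C6 835BBDDA")
YB = h("""717A6CB0 53371FF4
          A3B93294 1C1E5663 F861A1D6 AD34AE66 576DFB98 F6C6CBF9
          DDD5A56C 7833F6BC FDFF0955 82AD868E 440E8D09 FD769E3C
          ECCDC3D3 B1E4CFA0 57776CAA F9739B6A 9FEE8E74 11F8D6DA
          C09D6A4E DB46CC2B 5D520309 0EAE6126 311E53FD 2C14B574
          E6A3109A 3DA1BE41 BDCEAA18 6F5CE067 16A2B6A0 7B3C33FE""")
Z = h("""5C804F45 4D30D9C4
         DF85271F 93528C91 DF6B48AB 5F80B3B5 9CAAC1B2 8F8ACBA9
         CD3E39F3 CB614525 D9521D2E 644C53B8 07B810F3 40062F25
         7D7D6FBF E8D5E8F0 72E9B6E9 AFDA9413 EAFB2E8B 0699B1FB
         5A0CACED DEAEAD7E 9CFBB36A E2B42083 5BD83A19 FB0B5E96
         BF8FA4D0 9E345525 167ECD91 55416F46 F408ED31 B63C6E6D""")

def generate_private() -> int:
    """Secret key sized to q (Section 4): uniform in [1, q-1]."""
    return secrets.randbelow(Q - 1) + 1

def public_key(x: int) -> int:
    return pow(G, x, P)

def validate_public(y: int) -> bool:
    """Range check plus membership in the order-q subgroup generated by g."""
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1

def shared_secret(x: int, peer_y: int) -> int:
    """Compute Z only after the peer's public value has been validated."""
    if not validate_public(peer_y):
        raise ValueError("peer public value failed validation")
    return pow(peer_y, x, P)

def check_test_data() -> bool:
    """Reproduce the A.1 vectors: both public keys and Z from either side."""
    return (pow(G, Q, P) == 1
            and public_key(XA) == YA
            and public_key(XB) == YB
            and shared_secret(XA, YB) == Z
            and shared_secret(XB, YA) == Z)

if __name__ == "__main__":
    print("A.1 test data reproduced:", check_test_data())
    x = generate_private()
    print("fresh key bits:", x.bit_length(), "valid public:", validate_public(public_key(x)))
    # Constructed invalid inputs: 1 and p-1 lie outside the order-q subgroup.
    print("reject 1:", not validate_public(1), "reject p-1:", not validate_public(P - 1))
```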
A.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup
xA = 22E62601
DBFFD067 08A680F7 47F361F7 6D8F4F72 1A0548E4 83294B0C
yA = 1B3A6345 1BD886E6 99E67B49 4E288BD7
F8E0D370 BADDA7A0 EFD2FDE7 D8F66145 CC9F2804 19975EB8
08877C8A 4C0C8E0B D48D4A54 01EB1E87 76BFEEE1 34C03831
AC273CD9 D635AB0C E006A42A 887E3F52 FB8766B6 50F38078
BC8EE858 0CEFE243 968CFC4F 8DC3DB08 4554171D 41BF2E86
1B7BB4D6 9DD0E01E A387CBAA 5CA672AF CBE8BDB9 D62D4CE1
5F17DD36 F91ED1EE DD65CA4A 06455CB9 4CD40A52 EC360E84
B3C926E2 2C4380A3 BF309D56 849768B7 F52CFDF6 55FD053A
7EF70697 9E7E5806 B17DFAE5 3AD2A5BC 568EBB52 9A7A61D6
8D256F8F C97C074A 861D827E 2EBC8C61 34553115 B70E7103
920AA16D 85E52BCB AB8D786A 68178FA8 FF7C2F5C 71648D6F
xB = 4FF3BC96
C7FC6A6D 71D3B363 800A7CDF EF6FC41B 4417EA15 353B7590
yB = 4DCEE992 A9762A13 F2F83844 AD3D77EE
0E31C971 8B3DB6C2 035D3961 182C3E0B A247EC41 82D760CD
48D99599 970622A1 881BBA2D C822939C 78C3912C 6661FA54
38B20766 222B75E2 4C2E3AD0 C7287236 129525EE 15B5DD79
98AA04C4 A9696CAC D7172083 A97A8166 4EAD2C47 9E444E4C
0654CC19 E28D7703 CEE8DACD 6126F5D6 65EC52C6 7255DB92
014B037E B621A2AC 8E365DE0 71FFC140 0ACF077A 12913DD8
DE894734 37AB7BA3 46743C1B 215DD9C1 2164A7E4 053118D1
99BEC8EF 6FC56117 0C84C87D 10EE9A67 4A1FA8FF E13BDFBA
1D44DE48 946D68DC 0CDD7776 35A7AB5B FB1E4BB7 B856F968
27734C18 4138E915 D9C3002E BCE53120 546A7E20 02142B6C
Z = 34D9BDDC 1B42176C 313FEA03 4C21034D
074A6313 BB4ECDB3 703FFF42 4567A46B DF75530E DE0A9DA5
229DE7D7 6732286C BC0F91DA 4C3C852F C099C679 531D94C7
8AB03D9D ECB0A4E4 CA8B2BB4 591C4021 CF8CE3A2 0A541D33
994017D0 200AE2C9 516E2FF5 14577926 9E862B0F B474A2D5
6DC31ED5 69A7700B 4C4AB16B 22A45513 531EF523 D7121207
7B5A169B DEFFAD7A D9608284 C7795B6D 5A5183B8 7066DE17
D8D671C9 EBD8EC89 544D45EC 06159