SEC 1 & GEC 1
Core ECC Specifications
Simon Blake-Wilson
Certicom Research
Overview
• Introduction to SEC 1 and GEC 1
• Review of ECC standards
• SEC 1
• GEC 1
• Summary
SEC 1 & GEC 1
• Core ECC specifications
• SEC 1: cryptographic schemes
• GEC 1: recommended curves
• Encourage deployment
• Facilitate interoperability
• Encourage analysis
Other ECC Standards
• Many efforts to standardize ECC
• Creating problems:
• Diverse standards
• Plethora of options
• Difficult to keep up!
ANSI X9.62
• ECDSA signatures
• 80 bits minimum security
• Fp and F2^m
• Polynomial and normal bases for F2^m
• Point representation options
• Approved by ANSI
ANSI X9.63
• ECDH, ECMQV, and EC Unified Model key agreement
• ECAES (Bellare-Rogaway) encryption
• Many flavors: static-ephemeral, cofactor, key confirmation, 1-2-3 pass.
• Core math built (mainly) on X9.62.
IEEE P1363
• ECDSA, ECNR signatures
• ECDH, ECMQV, and EC Unified Model key agreement
• Very general specification
• Extra options for: hashing, point representation, security levels, etc.
IEEE P1363A
• Legacy ECAES encryption
• Proposals to include encryption, signcryption, identification, implicit certificates, etc.
• Impetus?
NIST
• ECDSA FIPS
• Built on ANSI X9.62
• F2^m with composite m removed
• F2^m basis restricted?
• “Recommended” curves?
ISO
• ISO 15946 specifies ECC
• Part 1: General
• Part 2: Signatures
• Part 3: Key establishment
• Options, options, options!
• Timeline?
ATM Forum
• Generic ATM security standard
• ECDSA-like signatures
• ECDH key agreement
• Point compression
• Future uncertain?
IPSec
• ECC included in Oakley document
• ECDH key agreement
• x-coordinate point representation
• Default curves over F2^155 and F2^185
• Attempts to add ECDSA and align with ANSI and IEEE.
WAP
• WTLS for wireless devices
• ECDSA signatures for certificates
• ECDH for key agreement
• Following IEEE P1363
• Strong recommendations on point compression and curves.
• Version 1.1? last week
Other Standards
• Cellular: TIA CDPD and 3G
• Content protection: 5C and USB
• De facto: PKCS 13
• IETF: SSL/TLS, PKIX, etc.
• Payments: SET, etc.
SEC 1
• Core ECC “Standard”
• Profile other standards
• Find a path which restricts options but ensures conformance and efficiency
• Signatures, encryption, and key agreement
SEC 1 Signatures
• Only ECDSA
• Generic hash function support
• Octet oriented
• IEEE truncation at export strength
• Relationship to ANSI X9.62, IEEE P1363
SEC 1 Encryption
• Only ECAES (Bellare-Rogaway)
• Generic symmetric encryption, MACing, key derivation
• Standard and cofactor ECDH options
• Relationship to ANSI X9.63, IEEE P1363A
SEC 1 Key Agreement
• ECDH and ECMQV
• Generic key derivation
• Standard and cofactor ECDH
• Only cofactor ECMQV
• Relationship to ANSI X9.63, IEEE P1363
SEC 1 “Mathematics”
• Curves over Fp and F2^m
• Major restrictions on p and m
• Major restrictions on F2^m basis: one or two polynomial bases allowed, no normal bases.
• Any curve allowed over supported fields
• Compressed and uncompressed point representations allowed
SEC 1 “Components”
• Parameter generation and validation
• Key generation and validation
• Standard and cofactor ECDH primitives with point at infinity check
• ECMQV primitive with bit flip and point at infinity check
• Hash functions: SHA-1
SEC 1 “Components” (cont.)
• Key derivation functions: X9.63
• MACs: HMAC with SHA-1. 80 or 160 bit output
• Symmetric encryption: “XOR” or TDES in CBC mode. Fixed IV and keying convention
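Added example (not from the slides or from the SEC 1 text): how the symmetric components listed above fit together once ECDH has produced a shared secret Z, using the X9.63 KDF with SHA-1, the “XOR” encryption option, and HMAC-SHA-1 with an 80 or 160 bit tag. Assumptions of this example: the names `seal` and `unseal`, the key layout (XOR keystream first, then a 20-byte MAC key), the MAC computed over the ciphertext only, and the constructed sample value for Z.

```python
import hashlib
import hmac
import struct


def x963_kdf(z: bytes, key_len: int, shared_info: bytes = b"") -> bytes:
    """ANSI X9.63 KDF with SHA-1: SHA1(Z || 32-bit counter || SharedInfo)."""
    out, counter = b"", 1  # counter starts at 1, encoded big-endian
    while len(out) < key_len:
        out += hashlib.sha1(z + struct.pack(">I", counter) + shared_info).digest()
        counter += 1
    return out[:key_len]


def _split_keys(z, msg_len, mac_key_len):
    # Assumed layout for this example: XOR keystream first, then the HMAC key.
    k = x963_kdf(z, msg_len + mac_key_len)
    return k[:msg_len], k[msg_len:]


def _tag(mac_key, data, tag_len):
    if tag_len not in (10, 20):  # 80 or 160 bit HMAC-SHA-1 output only
        raise ValueError("tag must be 10 or 20 bytes")
    return hmac.new(mac_key, data, hashlib.sha1).digest()[:tag_len]


def seal(z: bytes, plaintext: bytes, tag_len: int = 20, mac_key_len: int = 20):
    """'XOR' encryption, then HMAC-SHA-1 over the ciphertext."""
    enc_key, mac_key = _split_keys(z, len(plaintext), mac_key_len)
    ct = bytes(p ^ k for p, k in zip(plaintext, enc_key))
    return ct, _tag(mac_key, ct, tag_len)


def unseal(z: bytes, ct: bytes, tag: bytes, mac_key_len: int = 20) -> bytes:
    """Check the MAC in constant time before releasing any plaintext."""
    enc_key, mac_key = _split_keys(z, len(ct), mac_key_len)
    if not hmac.compare_digest(_tag(mac_key, ct, len(tag)), tag):
        raise ValueError("MAC check failed")
    return bytes(c ^ k for c, k in zip(ct, enc_key))


if __name__ == "__main__":
    z = bytes(range(20))  # constructed stand-in for an ECDH shared secret
    ct, tag = seal(z, b"interop test message", tag_len=10)
    print(ct.hex(), tag.hex(), unseal(z, ct, tag))
```

With the “XOR” option the keystream is derived only from Z, so Z must be fresh for every message; ECAES gets this from a new ephemeral key pair per encryption.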
GEC 1
• SEC 1 allows any “secure” curve over supported fields
• GEC 1 supplies recommended curves at supported security levels
• Crucial for interoperability
• Recommended and supplementary curves
• Evolve as NIST’s plans and other standards evolve
Summary
• SEC 1 and GEC 1 are designed to provide a core foundation for the SEC series
• Provide an interoperability path through murky waters
• Going forward: comments, expert review, modification, ratification, ...