1. IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-13-00xx-ECDSA Title: Discussion on introducing ECDSA to 802.21d for group management Date Submitted: July 16, 2013 Presented at IEEE 802.21 session #57 in Geneva, Switzerland Authors or Source(s): Lily Chen (NIST), Karen Randall (Randall-Consulting) Abstract: Discuss whether additional information is needed when using ECDSA for group management. 121-13-0090-00-MuGM

2. 2 IEEE 802.21 presentation release statements This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21. The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws and in Understanding Patent Issues During IEEE Standards Development http://standards.ieee.org/board/pat/faq.pdf> Section 6 of the IEEE-SA Standards Board bylawshttp://standards.ieee.org/guides/bylaws/sect6-7.html#6http://standards.ieee.org/board/pat/faq.pdf

3. ECDSA 224 and 256 21-13-0090-00-MuGM3 Elliptic Curve Digital Signature (ECDSA) is introduced in the current IEEE 802.21d in two options ECDSA 224 ECDSA 256 Need some clarifications - ECDSA 224 can imply ECDSA using a curve with 224 bit group size. That is, the group order is n and the binary length is 224 bits with any hash function (in SHA-2); ECDSA over an elliptic curve with any group order n such that n is at least 224 bits and using SHA-224 as a hash function; or ECDSA over a curve with group order n with length 224 bits and SHA-224.

4. Identifier on ECDSA An X.509 certificate includes the parameters for the finite field (e.g., p for GF(p)), elliptic curve (e.g. a and b in the elliptic curve equation y^2 = x^3 + ax + b), which hash function to use, etc. Will ECDSA-224 permit any curve with the binary size of n at least 224 bits? In fact, there can be many such curves. If we restrict the curves to NIST specified curves (P-224 and P-256) with the OID defined in IETF RFC 5480 (also IEEE 802.1AR), then ECDSA-224 and ECDSA-256 will represent signature with specific curves. We can further require to use SHA-224 for P-224 and SHA-256 for P-256. (We can also use SHA-256 for both). 21-13-0090-00-MuGM4

5. ECDSA Algorithm Identifier If we restrict the curves to NIST specified curves (P-224 and P- 256) with the OID defined in IETF RFC 5480 (also IEEE 802.1AR), we can include algorithm identifier and cryptographic primitives in Clause 9.4.6 (along with reference). From IEEE 802.1AR-2009, the EC signature algorithm is defined as ECDSA with SHA-256 as specified in RFC 5008. The signature algorithm identifier is : ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-sha2(3) 2 } IEEE 802.1AR also specifies identifiers for the EC public key, ECParameters, and namedCurve (P-256) as well as other guidance for implementation. 21-13-0090-00-MuGM5

6. ECDSA and AES CCM In the current cipher suites, some of them use both AES-CCM and ECDSA. AES-CCM is an authenticated encryption. If AES-CCM is applied to the data, why is a signature needed? Will the signature be applied to the ciphertext? Will the signature be applied to both group manipulation command and group command? Is the data that is protected by AES-CCM the same as protected by signature? 21-13-0090-00-MuGM6

7. Summary 21-13-0090-00-MuGM7 Some clarifications are needed to determine and specify ECDSA support. Rationales need to be discussed on using AES-CCM with signature in some cipher suites.