I'm sponsoring this case for Mark Powers. I'm marking it as Self Review
since it really only adds new mechanisms to the crypto framework and
doesn't provide any new or changed APIs or change anything for a user,
developer or administrator.
Template Version: @(#)sac_nextcase 1.64 07/13/07 SMI
This information is Copyright 2007 Sun Microsystems
1. Introduction
1.1. Project/Component Working Name:
Elliptic-Curve Cryptography for Solaris
1.2. Name of Document Author/Supplier:
Author: Mark Powers
1.3 Date of This Document:
02 August, 2007
2. Project Summary
2.1. Project Description:
This project will add Elliptic-Curve Cryptography (ECC) to the
Solaris Encryption Framework. ECC will be available to kernel
and user-level consumers.
2.2. Risks and Assumptions:
3. Business Summary
3.1. Problem Area:
Larger RSA keys require considerable computational effort.
This makes it difficult to use large RSA keys on devices
with limited resources. ECC keys provide the same level of
security and require less computational effort than larger
RSA keys.
3.2. Market/Requester:
Government is the primary customer. NSA announced Suite B,
which includes ECC, on February 16, 2005. Sun has announced
support for ECC:
http://www.sun.com/smi/Press/sunflash/2006-02/sunflash.20060214.2.xml
3.3. Business Justification:
3.4. Competitive Analysis:
Microsoft Vista supports ECC
Java supports ECC
3.5. Opportunity Window/Exposure:
We are late.
3.6. How will you know when you are done?:
When we can use pkcs11 on Apache for ECC.
4. Technical Description:
4.1. Details:
The Solaris Crypto Framework has loadable software modules that
provide cryptographic algorithms for kernel consumers. These offer
algorithms such as AES and RSA. The framework also has a softtoken
library that implements algorithms for user-level consumers. This
project introduces a new module offering ECC. It also adds ECC to
the softtoken library.
The low-level implementation of ECC that we will use was originally
developed by Sun Labs and subsequently given to NSS. Legal approval
to use this code under Mozilla Public License v. 1.1 has been
obtained.
Supported PKCS#11 mechanisms are: CKM_EC_KEY_PAIR_GEN, CKM_ECDSA,
CKM_ECDSA_SHA1, and CKM_ECDH1_DERIVE. NSS implements 51 ECC curves,
all of which will be supported. They are:
secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1,
secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, secp384r1,
secp521r1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1,
sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1,
sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1,
sect571r1, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,
c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,
c2pnb272w1, c2pnb304w1, c2tnb359v1, c2pnb368w1, c2tnb431r1, prime192v1,
prime192v2, prime192v3, prime256v1
4.2. Bug/RFE Number(s):
5066901 Offer the PKCS#11 Elliptic Curve based mechanisms in Solaris
6562402 kernel software provider for Elliptic Curve mechanisms
4.3. In Scope:
4.4. Out of Scope:
4.5. Interfaces:
Changes to softtoken will not affect the interface to softtoken.
The only visible change will be four new PKCS#11 mechanisms that
are visible when the capabilities of the softtoken are queried.
The loadable module will introduce the following:
/kernel/crypto/ecc
/kernel/crypto/amd64/ecc
/kernel/crypto/sparcv9/ecc
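One way to turn the softtoken capability query from 4.5 into an acceptance check, as an added example that is not part of this case or of the project's code. The types and constants mirror the PKCS#11 headers so the file builds alone; the expected flags and the 112 to 571 bit key range (the smallest and largest curves listed in 4.1) are assumptions, and on a live system the rows would come from C_GetMechanismList() and C_GetMechanismInfo() for the softtoken slot.

```c
#include <stdio.h>

typedef unsigned long CK_ULONG;          /* as in the PKCS#11 headers */
#define CKM_EC_KEY_PAIR_GEN   0x00001040UL
#define CKM_ECDSA             0x00001041UL
#define CKM_ECDSA_SHA1        0x00001042UL
#define CKM_ECDH1_DERIVE      0x00001050UL
#define CKF_SIGN              0x00000800UL
#define CKF_VERIFY            0x00002000UL
#define CKF_GENERATE_KEY_PAIR 0x00010000UL
#define CKF_DERIVE            0x00080000UL

/* One row per mechanism: the fields C_GetMechanismInfo() reports for it. */
struct mech_report { CK_ULONG type, min_bits, max_bits, flags; };

/* Assumed expectations (not from the case): the capability each mechanism
 * needs, and a key range spanning secp112r1 up to sect571r1. */
static const struct mech_report want[4] = {
    { CKM_EC_KEY_PAIR_GEN, 112, 571, CKF_GENERATE_KEY_PAIR },
    { CKM_ECDSA,           112, 571, CKF_SIGN | CKF_VERIFY },
    { CKM_ECDSA_SHA1,      112, 571, CKF_SIGN | CKF_VERIFY },
    { CKM_ECDH1_DERIVE,    112, 571, CKF_DERIVE },
};

/* Returns a bitmask: bit i set means want[i] is absent or under-capable. */
unsigned ec_gaps(const struct mech_report *got, CK_ULONG n)
{
    unsigned gaps = 0;
    for (unsigned i = 0; i < 4; i++) {
        int ok = 0;
        for (CK_ULONG j = 0; j < n && !ok; j++)
            ok = got[j].type == want[i].type
              && got[j].min_bits <= want[i].min_bits
              && got[j].max_bits >= want[i].max_bits
              && (got[j].flags & want[i].flags) == want[i].flags;
        if (!ok) gaps |= 1u << i;
    }
    return gaps;
}

/* Constructed sample token: CKM_RSA_PKCS (0x1) plus three EC mechanisms;
 * CKM_ECDSA_SHA1 is missing and ECDH stops at 384 bits. */
static const struct mech_report sample[] = {
    { 0x00000001UL,        256, 4096, CKF_SIGN | CKF_VERIFY },
    { CKM_EC_KEY_PAIR_GEN, 112, 571,  CKF_GENERATE_KEY_PAIR },
    { CKM_ECDSA,           112, 571,  CKF_SIGN | CKF_VERIFY },
    { CKM_ECDH1_DERIVE,    112, 384,  CKF_DERIVE },
};

int main(void) { printf("gap mask: 0x%x\n", ec_gaps(sample, 4)); return 0; }
```

A zero mask means all four mechanisms are offered with the expected capabilities; a set bit identifies the row of `want` that failed.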
4.6. Doc Impact:
pkcs11_softtoken(5)
4.7. Admin/Config Impact:
An entry for the loadable module will be added to
/etc/crypto/kcf.conf. This, however, is a private interface.
4.8. HA Impact:
No impact.
4.9. I18N/L10N Impact:
No impact.
4.10. Packaging & Delivery:
The new loadable module will be delivered via SUNWckr.
The modified softtoken will be delivered via SUNWcsl.
4.11. Security Impact:
None.
4.12. Dependencies:
None.
5. Reference Documents:
http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
http://en.wikipedia.org/wiki/NSA_Suite_B
http://www.nsa.gov/ia/industry/crypto_suite_b.cfm?MenuID=10.2.7
http://www.mozilla.org/projects/security/pki/nss/nss-3.11/nss-3.11-algorithms.html
6. Resources and Schedule:
6.1. Projected Availability:
FY07 Q2
6.2. Cost of Effort:
4 months engineering
3 months testing
6.3. Cost of Capital Resources:
Existing capital resources will be used.
6.4. Product Approval Committee requested information:
6.4.1. Consolidation or Component Name: ON
6.4.3. Type of CPT Review and Approval expected:
FastTrack
6.4.4. Project Boundary Conditions:
TBD
6.4.5. Is this a necessary project for OEM agreements:
No.
6.4.6. Notes:
6.4.7. Target RTI Date/Release:
onnv_78
6.4.8. Target Code Design Review Date:
October 1
6.4.9. Update approval addition:
N/A
6.5. ARC review type:
FastTrack
7. Prototype Availability:
7.1. Prototype Availability:
Yes
7.2. Prototype Cost:
2 months
6. Resources and Schedule
6.4. Steering Committee requested information
6.4.1. Consolidation C-team Name:
ON
6.5. ARC review type: Automatic
6.6. ARC Exposure: open