W3C home > Mailing lists > Public > public-xmlsec@w3.org > November 2008

Summary of problems with the definition of ECDSA public key in RFC 4050

From: Kelvin Yiu <kelviny@exchange.microsoft.com>
Date: Fri, 7 Nov 2008 15:42:49 -0800
To: "public-xmlsec@w3.org" <public-xmlsec@w3.org>
Message-ID: <B50E442C206C3045BD85290E7AA3FD4988F5E5218A@df-whippet-msg.exchange.corp.microsoft.com>
Background: RFC 4050 is an informational RFC that defines a method of
representing ECDSA public keys and ECC curve parameters for use with XMLDSIG.
As part of the new alg work for XMLDSIG 1.1 I've been investigating whether
RFC 4050 is an appropriate starting point for our ECDSA support. In particular,
I've been looking at whether we can import the ECDSAKeyValue and ECPointType
elements into XMLDSIG easily.  Here is a summary of the problems.

The RFC 4050 definition of an ECDSAKeyValue is larger than necessary

       An ECDSAKeyValue is defined by the type ECPointType, which has subelements
       X and Y. X and Y are defined as FieldParamsType which is an abstract type.
       Separate derived types are defined for prime fields, trinomial base fields,
       pentanomial base fields, and odd characteristic extension fields.  In order
       to validate against the 4050 schema, one must include the type attribute
       from the Xml schema instance namespace.

       The example below was (mostly) generated using .NET 3.5 on Vista SP1,
       except that I had to manually add the xsi:type attribute in order to make
       it conform to the RFC 4050 schema.

         <ECDSAKeyValue xmlns="http://www.w3.org/2001/04/xmldsig-more#">
             <DomainParameters>
                <NamedCurve URN="urn:oid:1.2.840.10045.3.1.7"/>
             </DomainParameters>
             <PublicKey xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <X Value="58511060653801744393249179046482833320204931884267326155134056258624064349885"
                 xsi:type="PrimeFieldElemType"/>
                <Y Value="102403352136827775240910267217779508359028642524881540878079119895764161434936"
                 xsi:type="PrimeFieldElemType"/>
             </PublicKey>
         </ECDSAKeyValue>

       This is not a significant problem but it does make the public key larger
       than necessary.

ECPointType definition is inconsistent with ANSI X9.62 and RFC 3279

       ECPointType is reused in the definition of the ExplicitParamsType to
       describe the base point of a curve. ExplicitParamsType is defined as

         <xs:complexType name="ExplicitParamsType">
             <xs:sequence>
                <xs:element name="FieldParams" type="ecdsa:FieldParamsType"/>
                <xs:element name="CurveParams" type="ecdsa:CurveParamsType"/>
                <xs:element name="BasePointParams"
                 type="ecdsa:BasePointParamsType"/>
             </xs:sequence>
         </xs:complexType>
         <xs:complexType name="CurveParamsType">
             <xs:sequence>
                <xs:element name="A" type="ecdsa:FieldElemType"/>
                <xs:element name="B" type="ecdsa:FieldElemType"/>
                <xs:element name="Seed" type="xs:hexBinary" minOccurs="0"/>
             </xs:sequence>
         </xs:complexType>
         <xs:complexType name="BasePointParamsType">
             <xs:sequence>
                <xs:element name="BasePoint" type="ecdsa:ECPointType"/>
                <xs:element name="Order" type="xs:positiveInteger"/>
                <xs:element name="Cofactor" type="xs:positiveInteger"
                 minOccurs="0"/>
             </xs:sequence>
         </xs:complexType>

       Notice that the field parameters are already included in the FieldParams
       element. The use of the FieldParamsType in the ECPointType definition
       appears to be a mistake in 4050. If you look at the ASN.1 definition for
       ECC public keys in RFC 3279, ECPoint simply references the Point to Octet
       String conversion function in ANSI X9.62 (section A.5.6 in the 2005
       version, section 4.3.6 in the 1998 version). The conversion functions in
       X9.62 are not ASN.1 specific and I believe they would be implemented as
       part of any ECC crypto library. It appears that RFC 4050 tried to avoid
       using any of the conversion functions in X9.62 but somehow mixed up the
       definitions between a field type and a field element.

Limitation of the decimal type in XSD

       RFC 4050 defines X and Y (at least for prime and odd characteristic
       extension fields) as xs:nonNegativeInteger which derives from the
       xs:decimal primitive type. However, XSD requires implementations to support
       only a minimum of 18 digits.

           http://www.w3.org/TR/xmlschema-2/#decimal

       My example above required 77 and 78 digits for X and Y respectively.
       This means that there is no guarantee that an RFC 4050 compliant
       ECDSAKeyValue element will actually validate against the RFC 4050 schema.
       (It did not when I tried the example above with the XML editor in Visual
       Studio 2008, for example).

Collision between the RFC 4050 DTD and the XMLDSIG DTD

       I could not merge the RFC 4050 DTD into the XMLDSIG DTD. In ECDSAKeyValue,
       Y is defined as:

       <!ELEMENT Y EMPTY>
       <!ATTLIST Y Value CDATA #REQUIRED>

       However, DSAKeyValue defines Y as follows:

       <!ELEMENT Y (#PCDATA) >

       ECDSAKeyValue also contains identical definition for elements SEED and P
       as DSAKeyValue.

       I don't know if there is a way to scope the definition of Y under a
       specific element in DTD.


Proposed Solution

       Because of these issues, I believe XMLDSIG 1.1 should not attempt to reuse
       the RFC 4050 ECDSAPublicKey elements.  Instead, I proposed that XMLDSIG 1.1
       define a new ECPublicKey element in the ds namespace to address problems
       in the RFC 4050 schema and will be based on the ASN.1 definition in ANSI
       X9.62 and RFC 3279. Changing the name of the element to ECPublicKey means
       we can reuse it when we update Xml Encryption to support ECDH.

       To maximize interoperability with existing RFC 4050 implementations, I
       would like to put a note in 1.1 to recommend implementations to support a
       profile of RFC 4050. The profile will support only named prime curves
       which is basically the example above.

Kelvin
Received on Friday, 7 November 2008 23:43:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:55 GMT