[Docs] [txt|pdf] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 RFC 6509

Network Working Group                                             Groves
Internet Draft                                                      CESG
Intended Status: Informational                          October 27, 2011
Expires: April 29, 2012

 MIKEY-SAKKE: Sakai-Kasahara Key Exchange in Multimedia Internet KEYing

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on April 29, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Groves                      Informational                       [Page 1]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011


   This document describes MIKEY-SAKKE, a method of key exchange
   designed for use in IP Multimedia Subsystem (IMS) [3GPP.33.328] Media
   Plane Security, but with potential for wider applicability.  The
   MIKEY-SAKKE mode uses Identifier-based Public Key Cryptography
   (IDPKC) to establish a shared secret value and certificate-less
   signatures to provide source authentication.  MIKEY-SAKKE has a
   number of desirable features, including simplex transmission,
   scalability, low-latency call setup and support for secure deferred

Table of Contents

   1. Introduction.....................................................2
      1.1. Requirements Terminology....................................3
   2. A New MIKEY Mode: MIKEY-SAKKE....................................3
      2.1. Outline.....................................................3
         2.1.1. Parameters.............................................4
         2.1.2. Key types..............................................5
      2.2. Preparing and processing MIKEY-SAKKE messages...............5
         2.2.1. Components of the I_MESSAGE............................5
         2.2.2. Processing the I_MESSAGE...............................7
      2.3. Forking and Retargeting.....................................7
      2.4. Group Communications........................................8
      2.5. Deferred Delivery...........................................8
   3. Key Management...................................................9
      3.1. Generating Keys from the Shared Secret Value................9
      3.2. Identifiers.................................................9
      3.3. Key Longevity and Update...................................10
      3.4. Key Delivery...............................................11
   4. Payload Encoding................................................11
      4.1. Common Header Payload (HDR)................................11
      4.2. SAKKE payload..............................................12
      4.3. SIGN payload...............................................13
      4.4. IDR payload................................................13
   5. Applicability of MIKEY-SAKKE mode...............................13
   6. Security Considerations.........................................13
      6.1. Forking....................................................14
      6.2. Retargeting................................................14
      6.3. Group Calls................................................15
      6.4. Deferred Delivery..........................................15
   7. IANA Considerations.............................................15
   8. References......................................................16
      8.1. Normative References.......................................16
      8.2. Informative References.....................................17
   Appendix A. Parameters for use in MIKEY-SAKKE......................18

1. Introduction

Groves                      Informational                       [Page 2]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011

   Multimedia Internet Keying (MIKEY) [RFC3830] defines a protocol
   framework for key distribution and specifies key distribution methods
   using pre-shared keys, RSA and optionally, a Diffie-Hellman Key
   Exchange.  Since the original specification, several alternative key
   distribution methods for MIKEY have been proposed such as [RFC4650],
   [RFC4738], [RFC6043] and [RFC6267].

   This document defines an Identifier-based cryptography key
   distribution method called MIKEY-SAKKE.  This scheme makes use of a
   Key Management Server (KMS) as a root of trust and distributor of key
   material.  The KMS provides users with assurance of the authenticity
   of the peers with which they communicate.  Unlike traditional key
   distribution systems, MIKEY-SAKKE does not require the KMS to offer
   high availability.  Rather it need only distribute new keys to its
   users periodically.

   MIKEY-SAKKE consists of an IDPKC scheme based on that of Sakai and
   Kasahara [S-K], and a source authentication algorithm which is
   tailored to use Identifiers instead of certificates.  The algorithms
   behind this protocol are described in [SAKKE] and [ECCSI].

   The primary motivation for the MIKEY protocol design is the
   low-latency requirement of real-time communication; hence many of the
   defined exchanges finish in one-half to 1 roundtrip.  However, some
   exchanges, such as [RFC6043] and [RFC6267], have been proposed which
   extend the latency of the protocol with the intent of providing
   additional security.  MIKEY-SAKKE affords similarly enhanced
   security, but requires only a single simplex transmission (one half

   MIKEY-SAKKE additionally offers support for scenarios such as
   forking, retargeting, deferred delivery and pre-encoded content.

1.1. Requirements Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "OPTIONAL" in this document are to be interpreted as described in


2.1. Outline

   The proposed MIKEY mode requires a single simplex transmission.  The
   Initiator sends a MIKEY I_MESSAGE containing SAKKE Encapsulated Data
   and a signature to the intended recipient.  The Responder MUST
   validate the signature.  Following signature validation, the
   Responder processes the Encapsulated Data according to the operations

Groves                      Informational                       [Page 3]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011

   defined in [SAKKE] to derive a Shared Secret Value (SSV).  This SSV
   is used as the TGK (the TEK Generation Key defined in [RFC3830]).

   A verification message from the Responder (as in Pre-shared key mode,
   for example) is not needed as the parties are mutually authenticated
   following processing of the single I_MESSAGE.  The notation used for
   MIKEY messages and their payloads in Figure 1, and in the rest of
   this document, is defined in [RFC3830].

           Initiator                                   Responder

           I_MESSAGE =
           HDR, T, RAND, [IDRi], [IDRr], [IDRkmsi], [IDRkmsr],
           [CERT], {SP}, SAKKE, SIGN        --->

           Figure 1: MIKEY-SAKKE Unicast Mode

   The Initiator wants to establish a secure media session with the
   Responder.  The Initiator and the Responder trust a third party, the
   KMS, which provisions them with key material by a secure mechanism.
   In addition to the public and secret keys corresponding to their
   Identifier, the KMS MUST provision devices with its KMS Public Key
   and, where [ECCSI] is used, its KMS Public Authentication Key.  A
   description of all key material used in MIKEY-SAKKE can be found in
   Section 2.1.2.  The Initiator and the Responder do not share any
   credentials, instead the Initiator is able to derive the Responder's
   public Identifier.

   Implementations MAY provide support for multiple KMSs.  In this case,
   rather than a single KMS, several different KMSs could be involved,
   e.g.  one for the Initiator and one for the Responder.  To allow
   this, each interoperating KMS MUST provide its users with the KMS
   public keys for every KMS subscriber domain with which its users
   communicate.  It is not anticipated that large mutually communicating
   groups of KMSs will be needed as each KMS only needs to provide its
   domain of devices with key material once per key period (see Section
   3.3) rather than to be active in each call.

   As MIKEY-SAKKE is based on [RFC3830], the same terminology,
   processing and considerations still apply unless otherwise stated.
   Following [RFC3830], messages are integrity protected and encryption
   is not applied to entire messages.

2.1.1. Parameters

   [SAKKE] requires each application to define the set of public
   parameters to be used by implementations.  The parameters in Appendix
   A SHOULD be used in MIKEY-SAKKE; alternative parameters MAY be
   subsequently defined, see Section 4.2.

   [ECCSI] requires each application to define the Hash function and

Groves                      Informational                       [Page 4]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011

   various other parameters to be used (see Section 4.1 of [ECCSI]).
   For MIKEY-SAKKE, the P256 elliptic curve and base-point [FIPS186-3]
   and SHA-256 [FIPS180-3] MUST be used.

2.1.2. Key types

   Users require keys for [SAKKE] and to sign messages.  These keys MUST
   be provided by the users' KMS.  It is RECOMMENDED that
   implementations support the [ECCSI] scheme for signatures.
   Alternatively, RSA signing as defined in [RFC3830] MAY be used.

      SAKKE keys SAKKE requires each user to have a Receiver Secret Key,
                 created by the KMS, and the KMS Public Key.  For
                 systems that support multiple KMSs, each user also
                 requires the KMS Public Key of every KMS subscriber
                 domain with which communication is authorised.

      ECCSI keys If ECCSI signatures are used, each user requires a
                 Secret Signing Key and Public Validation Token, created
                 by the KMS, and the KMS Public Authentication Key.  For
                 systems that support multiple KMSs, each user also
                 requires the KMS Public Authentication Key of every KMS
                 subscriber domain with which communication is

   If instead RSA signatures are to be used, certificates and
   corresponding private keys MUST be supplied.

2.2. Preparing and processing MIKEY-SAKKE messages

   Preparation and parsing of MIKEY messages are as described in
   Sections 5.2 and 5.3 of [RFC3830].  Error handling is described in
   Section 5.1.2 and replay protection guidelines are in Section 5.4 of
   [RFC3830].  In the following, we describe the components of
   MIKEY-SAKKE messages and specify message processing and parsing rules
   in addition to those in [RFC3830].

2.2.1. Components of the I_MESSAGE

   MIKEY-SAKKE requires a single simplex transmission (a half roundtrip)
   to establish a shared TGK.  The I_MESSAGE MUST contain the MIKEY HDR
   and timestamp payload in order to provide replay protection.  The HDR
   field contains a CSB_ID (Crypto Session Bundle ID) randomly selected
   by the Initiator.  The V bit in the HDR payload MUST be set to '0'
   and ignored by the Responder as a response is not expected in this
   mode.  The timestamp payload MUST use TS type NTP-UTC (TS type 0) or
   NTP (TS type 1) as defined in Section 6.6 of [RFC3830] so that the
   Responder can determine the Identifiers used by the Initiator (see
   Section 3.2).  It is RECOMMENDED that the time always be specified in

Groves                      Informational                       [Page 5]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011


   The I_MESSAGE MUST be signed by the Initiator following either the
   procedure to sign MIKEY messages specified in [RFC3830], or using
   [ECCSI] as specified in this document.  The SIGN payload contains
   this signature.  Thus the I_MESSAGE is integrity and replay
   protected.  The ECCSI signature scheme [ECCSI] SHOULD be used.  If
   this signature scheme is used, then the Initiator MUST NOT include a
   CERT payload.  To form this signature type, the Initiator requires a
   Secret Signing Key which is provided by the KMS.

   Other signature types defined for use with MIKEY MAY be used.  If
   signature types 0 or 1 (RSA) are used, then the Initiator SHOULD
   include a CERT payload; in this case the CERT payload MAY be left out
   if it is expected that the Responder is able to obtain the
   certificate in some other manner.  If a CERT payload is included, it
   MUST correspond to the private key used to sign the I_MESSAGE.

   The Initiator MUST include a RAND payload in the I_MESSAGE as this is
   used to derive session keys.

   The I_MESSAGE MAY contain IDRi, IDRr, IDRkmsi and IDRkmsr
   respectively the identities of the Initiator, Responder, the
   Initiator's KMS (root of trust for authentication of the Initiator)
   and the Responder's KMS (root of trust for authentication of the
   Responder).  The IDR payload is defined in [RFC6043] and modified in
   Section 4.4.  When used, this payload provides the Identifier for any
   of the Initiator, the Responder and their respective KMSs.

   The ID role MUST be Initiator (value 1) for the IDRi payload and
   Responder (value 2) for the IDRr payload.  The Initiator's ID is used
   to validate [ECCSI] signatures.  If included, the IDRi payload MUST
   contain the URI of the Initiator incorporated in the Identifier used
   to sign the I_MESSAGE (see Section 3.2).  If included, the IDRr
   payload MUST contain the URI of the Responder incorporated in the
   Identifier which the Initiator used in SAKKE (see Section 3.2).  If
   included, the ID role MUST be Initiator's KMS (value TBD4) for the
   IDRkmsi payload and Responder's KMS (value TBD5) for the IDRkmsr
   payload and MUST correspond to the KMS used as root of trust for the
   signature (for the IDRkmsi payload) and the KMS used as the root of
   trust for the SAKKE key exchange (for the IDRkmsr payload).

   It is OPTIONAL to include any IDR payloads, as in some user groups
   Identifiers could be inferred by other means, e.g.  through the
   signalling used to establish a call.  Furthermore, a closed user
   group could rely on only one KMS, whose identity will be understood
   and need not be included in the signalling.

   The I_MESSAGE MUST contain a SAKKE payload constructed as defined in
   Section 4.2.

   The Initiator MAY also send security policy (SP) payload(s)

Groves                      Informational                       [Page 6]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011

   containing all the security policies that it supports.  If the
   Responder does not support any of the policies included, it SHOULD
   reply with an Error message of type "Invalid SPpar" (Error no.  10).
   The Responder has the option not to send the Error message in MIKEY
   if a generic session establishment failure indication is deemed
   appropriate and communicated via other means (see Section 4.1.2 of
   [RFC4567] for additional guidance).

2.2.2. Processing the I_MESSAGE

   The Responder MUST process the I_MESSAGE according to the rules
   specified in Section 5.3 of [RFC3830].  The following additional
   processing MUST also be applied.

      * If the Responder does not support the MIKEY-SAKKE mode of
        operation, or otherwise cannot correctly parse the received
        MIKEY message then it SHOULD send an Error message "Message type
        not supported (Error no 13).  Error no 13 is not defined in
        [RFC3830], and so [RFC3830] compliant implementations MAY return
        "an unspecified error occurred" (Error no 12).

      * The Responder MAY compare the IDi payload against his local
        policy to determine whether he wishes to establish secure
        communications from the Initiator.  If the Responder's policy
        does not allow this communication, then the Responder MAY
        respond with an Authentication Error (Error no 0).

      * If the Responder supports MIKEY-SAKKE and has determined that it
        wishes to establish secure communications with the initiator,
        then it MUST verify the signature according to the method
        described in Section 5.2.2 of [ECCSI] if it is of type TBD3, or
        according to the certificate used if a signature of type 0 or 1
        is used.  If the verification of the signature fails then an
        Authentication Error (Error no 0) MAY be sent to the Initiator.

      * If the authentication is successful then the Responder SHALL
        process the SAKKE payload and derive the SSV according to the
        method described in [SAKKE].

2.3. Forking and Retargeting

   Where forking is to be supported, Receiver Secret Keys can be held by
   multiple devices.  To facilitate this, the Responder needs to load
   his Receiver Secret Key into each of his devices that he wishes to
   receive MIKEY-SAKKE communications.  If forking occurs, each of these
   devices can then process the SAKKE payload, and each can verify the
   Identifier of the Initiator as they hold the KMS Public
   Authentication Key.  The traffic keys could therefore be derived by
   any of these devices.  However, this is the case for any scheme
   employing simplex transmission, and it is considered that the

Groves                      Informational                       [Page 7]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011

   advantages of this type of scheme are significant for many users.
   Furthermore, it is for the owner of the Identifier to determine on
   which devices to allow his Receiver Secret Key to be loaded.  Thus it
   is anticipated that he would have control over all devices that hold
   his Receiver Secret Key.  This argument also applies to applications
   such as call centres, in which the security relationship is typically
   between the call centre and the individual calling the centre, rather
   than the particular operative who receives the call.

   Devices holding the same Receiver Secret Key ought to each hold a
   different Secret Signing Key corresponding to the same Identifier.
   This is possible because the ECCSI scheme allows multiple keys to be
   generated by KMS for the same Identifier.

   Secure retargeted calls can only be established in the situation
   where the Initiator is aware of the Identifier of the device to whom
   the call is being retargeted; in this case the Initiator ought to
   initiate a new MIKEY-SAKKE session with the device to whom it has
   been retargeted (if willing to do so).  Retargeting an Initiator's
   call to another device (with a different Identifier) is to be viewed
   as insecure when the Initiator is unaware that this has occurred as
   this prevents authentication of the Responder.

2.4. Group Communications

   SAKKE supports key establishment for group communications.  The
   Initiator needs to form an I_MESSAGE for each member in the group,
   each using the same SSV.  Alternatively, a bridge can be used.  In
   this case the bridge forms an I_MESSAGE for each member of the
   group.  Any member of the group can invite new members directly by
   forming an I_MESSAGE using the group SSV.

2.5. Deferred Delivery

   Deferred delivery/secure voicemail is fully supported by
   MIKEY-SAKKE.  A deferred delivery server that supports MIKEY-SAKKE
   needs to store the MIKEY-SAKKE I_MESSAGE along with the encrypted
   data.  When the recipient of the voicemail requests his data, the
   server needs to initiate MIKEY-SAKKE using the stored I_MESSAGE.
   Thus the data can be received and decrypted only by a legitimate
   recipient, who can also verify the Identifier of the sender.  This
   requires no additional support from the KMS, and the deferred
   delivery server need not be trusted as it is unable to read or tamper
   with the messages it receives.  Note that the deferred delivery
   server does not need to fully implement MIKEY-SAKKE, merely to store
   and forward the I_MESSAGE.

   The deferred delivery message needs to be collected by its recipient
   before the key period in which it was sent expires (see Section 3.3
   for a discussion of key periods).  Alternatively, if greater

Groves                      Informational                       [Page 8]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011

   longevity of deferred delivery payloads is to be supported, the
   Initiator needs to include an I_MESSAGE for each key period during
   the lifetime of the deferred delivery message, each using the same
   SSV.  In this case, the deferred delivery server needs to forward the
   I_MESSAGE corresponding to the current key period to the recipient.

3. Key Management

3.1. Generating Keys from the Shared Secret Value

   Once a MIKEY-SAKKE I_MESSAGE has been successfully processed by the
   Responder, he will share an authenticated Shared Secret Value (SSV)
   with the Initiator.  This SSV is used as the TGK.  The keys used to
   protect application traffic are derived as specified in [RFC3830].

3.2. Identifiers

   One of the primary features and advantages of Identifier-Based
   Encryption is that the public keys of users are their Identifiers,
   which can be constructed by their peers.  This removes the need for
   Public Key or Certificate servers, so that all data transmission per
   session can take place directly between the peers and high
   availability security infrastructure is not needed.  In order for the
   Identifiers to be constructable, they need to be unambiguously
   defined.  This section defines the format of Identifiers for use in

   If keys are updated regularly, a KMS is able to revoke devices.  To
   this end, every Identifier for use in MIKEY-SAKKE MUST contain a
   timestamp value indicating the key period for which the Identifier is
   valid (see Section 3.3).  This document uses a year and month format
   to enforce monthly changes of key material.  Further Identifier
   schemes MAY be defined for communities that require different key

   An Identifier for use in MIKEY-SAKKE MUST take the form of a
   timestamp formatted as a US-ASCII string [ASCII] and terminated by a
   NULL byte, followed by identifying data which relates to the identity
   of the device or user, also represented by a US-ASCII string and
   terminated by a NULL byte.

   For the purposes of this document, the timestamp MUST take the form
   of a year and month value, formatted according to [ISO8601], with the
   format "YYYY-MM", indicating a four digit year, followed by a hyphen
   "-", followed by a two digit month.

   For the Identifier scheme defined in this document, the identifying
   data MUST take the form of a constrained "tel" URI.  If an
   alternative URI scheme is to be used to form SAKKE Identifiers, a

Groves                      Informational                       [Page 9]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011

   subsequent RFC MUST define constraints to ensure that the URI can be
   formed unambiguously.  The normalization procedures described in
   Section 6 of [RFC3986] MUST be used as part of the constraining rules
   for the URI format.  It would also be possible to define Identifier
   types that used identifying data other than a URI.

   The restrictions for the "tel" URI scheme [RFC3966] for use in
   MIKEY-SAKKE Identifiers are as follows:

      * the "tel" URI for use in MIKEY-SAKKE MUST be formed in global

      * visual separators MUST NOT be included,

      * the "tel" URI MUST NOT include additional parameters,

      * the "tel" URI MUST NOT include phone-context parameters.

   These constraints on format are necessary so that all parties can
   unambiguously form the "tel" URI.

   For example, suppose a user's telephone number is +447700900123 and
   the month is 2011-02.  Then the user's Identifier is defined as the
   ASCII string


   where '\0' denotes the null 8-bit ASCII character 0x00.

   If included in I_MESSAGE, the IDRi and IDRr payloads MUST contain the
   URI used to form the Identifier.  The value of the month used to form
   the Identifiers MUST be equal to the month as specified by the data
   in the timestamp payload.

3.3. Key Longevity and Update

   Identifiers for use in MIKEY-SAKKE change regularly in order to force
   users to regularly update their key material; we term the interval
   for which a key is valid a "key period".  This means that if a device
   is compromised (and this is reported procedurally), it can continue
   to communicate with other users for at most one key period.  Key
   periods SHOULD be indicated by the granularity of the format of the
   timestamp used in the Identifier.  In particular, the Identifier
   scheme in this document uses monthly key periods.  Implementations
   MUST allow devices to hold two periods' keys simultaneously to allow
   for differences in system time between Initiator and Responder.

   Where a monthly key period applies, it is RECOMMENDED that
   implementations receive the new key material before the
   second-to-last day of the old month, commence allowing receipt of
   calls with the new key material on the second-to-last day of the old

Groves                      Informational                      [Page 10]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011

   month, and continue to allow receipt calls with the old key material
   on the first and second days of the new month.  Devices SHOULD cease
   to receive calls with key material corresponding to the previous
   month on the third day of the month; this is to allow compromised
   devices to be keyed out of the communicating user group.

   KMSs MAY update their KMS Master Secret Keys and KMS Master Secret
   Authentication Keys.  If such an update is not deemed necessary, then
   the corresponding KMS Public Keys and KMS Public Authentication Keys
   will be fixed.  If KMS keys are to be updated, then this update MUST
   occur at the change of a key period, and new KMS Public Key(s) and
   KMS Public Authentication Key(s) MUST be provided to all users with
   their user key material.

   It is NOT RECOMMENDED for KMSs to distribute multiple key periods'
   keys simultaneously, as this prevents the periodic change of keys
   from excluding compromised devices.

3.4. Key Delivery

   This document does not seek to restrict the mechanisms by which the
   necessary key material might be obtained from the KMS.  The
   mechanisms of [RFC5408] are not suitable for this application as the
   MIKEY-SAKKE protocol does not require public parameters to be
   obtained from a server: these are fixed for all users in order to
   facilitate interoperability and simplify implementation.

   The delivery mechanism used MUST provide confidentiality to all
   secret keys, integrity protection to all keys and mutual
   authentication of the device and the KMS.

4. Payload Encoding

   This section describes the new SAKKE payload and also the payloads
   for which changes have been made compared to [RFC3830].  A detailed
   description of MIKEY payloads is provided in [RFC3830].

4.1. Common Header Payload (HDR)

   An additional value is added to the data type and next payload

      * Data type (8 bits): describes the type of message

           Data type | Value | Comment
           SAKKE msg |  TBD1 | Initiator's SAKKE message

                   Table 1: Data type (additions)

Groves                      Informational                      [Page 11]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011

      * Next payload (8 bits): identifies the payload that is added
        after this payload.

           Next Payload | Value | Section
           SAKKE        |  TBD2 | 4.2

          Table 2: Next payload (additions)

      * V (1 bit): flag to indicate whether a response message is
        expected ('1') or not ('0').  It MUST be set to '0' and ignored
        by the Responder in a SAKKE message.

4.2. SAKKE payload

   The SAKKE payload contains the SAKKE Encapsulated Data as defined in

      1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      ! Next payload  ! SAKKE params  !   ID scheme   !  SAKKE data   ~
      ~ length (cont) !                  SAKKE data                   ~

                         Table 3: SAKKE payload

      * Next payload (8 bits): identifies the payload that is added
        after this payload.

      * SAKKE params (8 bits): indicates the SAKKE parameter set to be

        SAKKE params                       | Value
        Parameter Set 1 (See Appendix A)   |     1

                 Table 4: SAKKE params

      * ID scheme (8 bits): indicates the SAKKE identifier scheme to be

         ID scheme                                    | Value
         tel URI with monthly keys (See Section 3.2)  |     1

                          Table 5: ID scheme

      * SAKKE data length (16 bits): length of SAKKE data (in bytes).

Groves                      Informational                      [Page 12]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011

      * SAKKE data (variable): the SAKKE Encapsulated Data formatted as
        defined in Section 4 of [SAKKE].

4.3. SIGN payload

   To enable use of the ECCSI signature algorithm which has efficiency
   benefits for use with Identifier-Based Encryption, we define an
   additional signature type.

      * S type (4 bits): indicates the signature algorithm applied by
        the signer.

        S type  | Value | Comments
        ECCSI   |  TBD3 | ECCSI signature [ECCSI]

              Table 6: S type (additions)

4.4. IDR payload

   The IDR payload was defined in [RFC6043], but its definition only
   provided the facility to identify one KMS per exchange.  Since it is
   possible that different KMSs could be used by the Initiator and
   Responder, this payload is extended to define an ID role for the KMS
   of the Initiator and the KMS of the Responder.

      * ID Role (8 bits): specifies the sort of identity.

        ID Role                   | Value
        Initiator's KMS (IDRkmsi) |  TBD4
        Responder's KMS (IDRkmsr) |  TBD5

           Table 7: ID Role (additions)

5. Applicability of MIKEY-SAKKE mode

   MIKEY-SAKKE is suitable for use in a range of applications in which
   secure communications under a clear trust model are needed.  In
   particular, the KMS need not provide high availability as it is only
   necessary to provide periodic refresh of key material.  Devices are
   provided with a high level of authentication as the KMS acts as a
   root of trust for both key exchange and signatures.

6. Security Considerations

   Unless explicitly stated, the security properties of the MIKEY
   protocol as described in [RFC3830] apply to MIKEY-SAKKE as well.  In
   addition, MIKEY-SAKKE inherits some properties of Identifier-Based

Groves                      Informational                      [Page 13]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011

   Cryptography.  For instance, by concatenating the "date" with the URI
   to form the Identifier, the need for any key revocation mechanisms is
   virtually eliminated.  It is NOT RECOMMENDED for KMSs to distribute
   multiple months' keys simultaneously in an IBE system, as this
   prevents the monthly change of keys from excluding compromised

   The solution proposed provides protection suitable for high security
   user groups, but is scalable enough that it could be used for large
   numbers of users.  Traffic keys cannot be derived by any
   infrastructure component other than the KMS.

   The effective security of the public parameters defined in this
   document is 112 bits, as this is the security offered by p of size
   1024 bits used in SAKKE (see Section 7 of [SAKKE]).  For similar
   parameter sizes, MIKEY-SAKKE provides equivalent levels of effective
   security to other schemes of this type (such as [RFC6267]).  For
   reasons of efficiency and security, it is RECOMMENDED to use a mode
   of AES-128 [AES] in the traffic application to which MIKEY-SAKKE
   supplies key material, but users SHOULD be aware that 112 bits of
   security are offered by the defined public parameters.  Following
   [SP800-57], this choice of security strength is appropriate for use
   to protect data until 2030.

   User identities cannot be spoofed, since the Public Authentication
   Token is tied to the Identifier of the sender by the KMS.  In
   particular, the Initiator is provided with assurance that nobody
   other than a holder of the legitimate Receiver Secret Key can process
   the SAKKE Encapsulated Data, and the signature binds the holder of
   the Initiator's Secret Signing Key to the I_MESSAGE.  Since these
   keys are provided via a secure channel by the KMS, mutual
   authentication is provided.  This mechanism protects against both
   passive and active attacks.

   If there were a requirement that a caller remain anonymous from any
   called parties, then it would be possible to remove the signature
   from the protocol.  A called user could then decide, according to
   local policy, whether to accept such a secure session.

6.1. Forking

   Where forking is used, the view is taken that it is not necessary for
   each device to have a separate Receiver Secret Key.  Rather, where a
   user wishes his calls to be forked between his devices, he loads the
   same Receiver Secret Key onto each of them.  This does not compromise
   his security as he controls each of the devices, and is consistent
   with the Initiator's expectation that he is authenticated to the
   owner of the Identifier he selected when initiating the call.

6.2. Retargeting

Groves                      Informational                      [Page 14]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011

   Since the Initiator is made aware by the forwarding server of the
   change to the Identifier of the Responder, he creates an I_MESSAGE
   that can only be processed by this legitimate Responder.  The
   Initiator MAY also choose to discontinue the session after checking
   his local policy.

6.3. Group Calls

   Any device that possesses an SSV can potentially provide it securely
   to any other device using SAKKE.  Thus group calls can either be
   established by an Initiator, or can be extended to further Responders
   by any party to whom the original Initiator has sent an I_MESSAGE.
   The Initiator in this context MAY be a conference bridge.  If a mode
   of operation in which a bridge has no knowledge of the SSV is needed,
   the role of MIKEY-SAKKE Initiator MUST be carried out by one or more
   of the communicating parties, not by the bridge.

   Where multi-way communications (rather than broadcast) are needed,
   the application using the supplied key material MUST ensure that a
   suitable IV scheme is used in order to prevent cryptovariable

6.4. Deferred Delivery

   Secure deferred delivery is supported in a manner such that no trust
   is placed on the deferred delivery server.  This is a significant
   advantage, as it removes the need for secure infrastructure
   components beyond the KMS.

7. IANA Considerations

   This document defines new values for the namespaces Data Type, Next
   Payload, and S type defined in [RFC3830], and for the ID Role
   namespace defined in [RFC6043].  The following IANA assignments were
   added to the MIKEY Payload registry [to be removed upon publication:
   http://www.iana.org/assignments/mikey-payloads] (in bracket is a
   reference to the table containing the registered values):

      * Data Type (see Table 1)

      * Next Payload (see Table 2)

      * S type (see Table 6)

      * ID Role (see Table 7)

   The SAKKE payload defined in Section 4.2 defines two fields for which
   IANA is requested to create and maintain name spaces in the MIKEY

Groves                      Informational                      [Page 15]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011

   Payload registry.  These two fields are the 8-bit SAKKE params field,
   and the 8-bit ID scheme field.  IANA is requested to record the
   pre-defined values defined in Section 4.2 for each of the two name
   spaces.  Values in the range 1-239 SHOULD be approved by the process
   of Specification Required, values in the range 240-254 are for
   Private Use, and the values 0 and 255 are Reserved according to

   Initial values for the SAKKE params registry are given below.
   Assignments consist of a SAKKE parameters name and its associated

         Value    SAKKE params      Definition
         -----    ------------      ----------
         0        Reserved
         1        Parameter Set 1   See Appendix A
         2-239    Unassigned
         240-254  Private Use
         255      Reserved

   Initial values for the ID scheme registry are given below.
   Assignments consist of a name of an identifier scheme name and its
   associated value.

         Value    ID Scheme                    Definition
         -----    ------------                 ----------
         0        Reserved
         1        tel URI with monthly keys    See Section 3.2
         2-239    Unassigned
         240-254  Private Use
         255      Reserved

8. References

8.1. Normative References

      [AES]           NIST, "Advanced Encryption Standard (AES)", FIPS
                      PUB 197, http://www.nist.gov/aes/

      [ASCII]         American National Standards Institute, "Coded
                      Character Set -- 7-bit American Standard Code for
                      Information Interchange", ANSI X3.4, 1986.

      [ECCSI]         Groves, M., Elliptic Curve-based Certificate-less
                      Signatures for Identifier Based Encryption
                      (ECCSI), draft-groves-eccsi-01 [work in progress],
                      February 2011.

      [FIPS180-3]     Federal Information Processing Standards
                      Publication (FIPS PUB) 180-3, Secure Hash Standard

Groves                      Informational                      [Page 16]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011

                      (SHS), October 2008.

      [FIPS186-3]     Federal Information Processing Standards
                      Publication (FIPS PUB) 186-3, Digital Signature
                      Standard (DSS), June 2009.

      [ISO8601]       "Data elements and interchange formats --
                      Information interchange -- Representation of dates
                      and times", ISO 8601:1988(E), International
                      Organization for Standardization, June, 1988.

      [RFC2119]       Bradner, S., "Key words for use in RFCs to
                      Indicate Requirement Levels", BCP 14, RFC 2119,
                      March 1997.

      [RFC3830]       Arkko, J., Carrara, E., Lindholm, F., Naslund, M.,
                      and K.  Norrman, "MIKEY: Multimedia Internet
                      KEYing", RFC 3830, August 2004.

      [RFC3966]       Schulzrinne, H., "The tel URI for Telephone
                      Numbers", RFC 3966, December 2004.

      [RFC3986]       Berners-Lee, T., Fielding, R.  and L.  Masinter,
                      "Uniform Resource Identifier (URI): Generic
                      Syntax", RFC 3986, January 2005.

      [RFC6043]       Mattsson, J.  and T.  Tian, "MIKEY-TICKET: An
                      Additional Mode of Key Distribution in Multimedia
                      Internet KEYing (MIKEY)", RFC 6043, March 2011.

      [SAKKE]         Groves M., "Sakai-Kasahara Key Establishment
                      (SAKKE)", draft-groves-sakke-03 [work in
                      progress], October 2011.

      [SP800-57]      E.  Barker, W.  Barker, W.  Burr, W.  Polk and M.
                      Smid, "Recommendation for Key Management - Part 1:
                      General (Revised)," NIST Special Publication
                      800-57, March 2007.

8.2. Informative References

      [3GPP.33.328]   3GPP, "IP Multimedia Subsystem (IMS) media plane
                      security", 3GPP TS 33.328 9.3.0, December 2010.

      [RFC4567]       Arkko, J., Lindholm, F., Naslund, M., Norrman, K.,
                      and E.  Carrara, "Key Management Extensions for
                      Session Description Protocol (SDP) and Real Time
                      Streaming Protocol (RTSP)", RFC 4567, July 2006.

      [RFC4650]       Euchner, M., "HMAC-Authenticated Diffie-Hellman
                      for Multimedia Internet KEYing (MIKEY)", RFC 4650,

Groves                      Informational                      [Page 17]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011

                      September 2006.

      [RFC4738]       Ignjatic, D., Dondeti, L., Audet, F., and P.  Lin,
                      "MIKEY- RSA-R: An Additional Mode of Key
                      Distribution in Multimedia Internet KEYing
                      (MIKEY)", RFC 4738, November 2006.

      [RFC5226]       Narten, T.  and H.  Alvestrand, "Guidelines for
                      Writing an IANA Considerations Section in RFCs",
                      BCP 26, RFC 5226, May 2008.

      [RFC5408]       Appenzeller, G., Martin, L., and M.  Schertler,
                      "Identity- Based Encryption Architecture and
                      Supporting Data Structures", RFC 5408, January

      [RFC6267]       Cakulev, V.  and G.  Sundaram, "MIKEY-IBAKE:
                      Identity-Based Mode of Key Distribution in
                      Multimedia Internet KEYing (MIKEY)", RFC 6267,
                      June 2011.

      [S-K]           Sakai, R., Ohgishi, K.  and M.  Kasahara, "ID
                      based cryptosystem with pairing on elliptic
                      curve", Symposium on Cryptography and Information
                      Security - SCIS, 2003.

Appendix A. Parameters for use in MIKEY-SAKKE

   [SAKKE] requires each application to define the set of public
   parameters to be used by implementations.  Parameter Set 1 is defined
   in this appendix.  Descriptions of the parameters are provided in
   Section 2.1 of [SAKKE].

     n      = 128

     p      = 997ABB1F 0A563FDA 65C61198 DAD0657A
              416C0CE1 9CB48261 BE9AE358 B3E01A2E
              F40AAB27 E2FC0F1B 228730D5 31A59CB0
              E791B39F F7C88A19 356D27F4 A666A6D0
              E26C6487 326B4CD4 512AC5CD 65681CE1
              B6AFF4A8 31852A82 A7CF3C52 1C3C09AA
              9F94D6AF 56971F1F FCE3E823 89857DB0
              80C5DF10 AC7ACE87 666D807A FEA85FEB

     q      = 265EAEC7 C2958FF6 99718466 36B4195E
              905B0338 672D2098 6FA6B8D6 2CF8068B
              BD02AAC9 F8BF03C6 C8A1CC35 4C69672C
              39E46CE7 FDF22286 4D5B49FD 2999A9B4
              389B1921 CC9AD335 144AB173 595A0738
              6DABFD2A 0C614AA0 A9F3CF14 870F026A
              A7E535AB D5A5C7C7 FF38FA08 E2615F6C

Groves                      Informational                      [Page 18]

Internet Draft         draft-groves-mikey-sakke-03          Oct 27, 2011

              203177C4 2B1EB3A1 D99B601E BFAA17FB

     Px     = 53FC09EE 332C29AD 0A799005 3ED9B52A
              2B1A2FD6 0AEC69C6 98B2F204 B6FF7CBF
              B5EDB6C0 F6CE2308 AB10DB90 30B09E10
              43D5F22C DB9DFA55 718BD9E7 406CE890
              9760AF76 5DD5BCCB 337C8654 8B72F2E1
              A702C339 7A60DE74 A7C1514D BA66910D
              D5CFB4CC 80728D87 EE9163A5 B63F73EC
              80EC46C4 967E0979 880DC8AB EAE63895

     Py     = 0A824906 3F6009F1 F9F1F053 3634A135
              D3E82016 02990696 3D778D82 1E141178
              F5EA69F4 654EC2B9 E7F7F5E5 F0DE55F6
              6B598CCF 9A140B2E 416CFF0C A9E032B9
              70DAE117 AD547C6C CAD696B5 B7652FE0
              AC6F1E80 164AA989 492D979F C5A4D5F2
              13515AD7 E9CB99A9 80BDAD5A D5BB4636
              ADB9B570 6A67DCDE 75573FD7 1BEF16D7

     g      = 66FC2A43 2B6EA392 148F1586 7D623068
              C6A87BD1 FB94C41E 27FABE65 8E015A87
              371E9474 4C96FEDA 449AE956 3F8BC446
              CBFDA85D 5D00EF57 7072DA8F 541721BE
              EE0FAED1 828EAB90 B99DFB01 38C78433
              55DF0460 B4A9FD74 B4F1A32B CAFA1FFA
              D682C033 A7942BCC E3720F20 B9B7B040
              3C8CAE87 B7A0042A CDE0FAB3 6461EA46

     Hash   = SHA-256 (defined in [FIPS180-3]).

   Author's Address

      Michael Groves
      Hubble Road
      GL51 8HJ

      Email: Michael.Groves@cesg.gsi.gov.uk


   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).

Groves                      Informational                      [Page 19]

Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/