 1/draftietfsmimex94201.txt 20060205 01:54:20.000000000 +0100
+++ 2/draftietfsmimex94202.txt 20060205 01:54:20.000000000 +0100
@@ 1,14 +1,14 @@
E. Rescorla
INTERNETDRAFT RTFM Inc.
 October 1998 (Expires April 1999)
+ November 1998 (Expires May 1999)
DiffieHellman Key Agreement Method
Status of this Memo
This document is an InternetDraft. InternetDrafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as InternetDrafts.
@@ 23,59 +23,54 @@
munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
ftp.isi.edu (US West Coast).
Abstract
This document standardizes one particular DiffieHellman variant,
based on the ANSI X9.42 standard, developed by the ANSI X9F1 working
group. An algorithm for converting the shared secret into an arbi
trary amount of keying material is provided.
TODO

 Redo the examples to match the new algorithm for computing K.

1. Introduction
In [DH76] Diffie and Hellman describe a means for two parties to
agree upon a shared secret in such a way that the secret will be una
vailable to eavesdroppers. This secret may then be converted into
cryptographic keying material for other (symmetric) algorithms. A
large number of minor variants of this process exist. This document
describes one such variant, based on the ANSI X9.42 specification.
1.1. Discussion of this Draft
This draft is being discussed on the "ietfsmime" mailing list. To
join the list, send a message to with

Rescorla [Page 1]InternetDraft DiffieHellman Key Agreement Method

the single word "subscribe" in the body of the message. Also, there
is a Web site for the mailing list at .
+Rescorla [Page 1]InternetDraft DiffieHellman Key Agreement Method
+
1.2. Requirements Terminology
Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT" and
"MAY" that appear in this document are to be interpreted as described
in [RFC2119].
2. Overview Of Method
DiffieHellman key agreement requires that both the sender and reci
pient of a message have key pairs. By combining one's private key and
the other party's public key, both parties can compute the same
shared secret number. This number can then be converted into crypto
graphic keying material. That keying material is typically used as a
 key encryption key (KEK) to encrypt (wrap) a key (a message encryp
 tion key  MEK) which is in turn used to encrypt the message data.
+ key encryption key (KEK) to encrypt (wrap) a message encrytion key
+ (MEK) which is in turn used to encrypt the message data.
2.1. Key Agreement
The first stage of the key agreement process is to compute a shared
secret number ZZ (which will be constant for any pair of Diffie
Hellman keys). ZZ is then converted into a shared symmetric key. Note
that the symmetric key will be different for each key agreement, due
to the introduction of public random components.
2.1.1. Generation of ZZ
@@ 90,40 +85,39 @@
where ^ denotes exponentiation
ya is party a's public key; ya = g ^ xa (mod p)
yb is party b's public key; yb = g ^ xb (mod p)
xa is party a's private key
xb is party b's private key
p is a large prime
g is a generator for the integer group specified by p.
(See Section 2.2 for criteria for keys and parameters)
 In CMS, the recipient's key is identified by the CMS
+ In CMS, the recipient's key is identified by the CMS RecipientIden
+ tifier, which points to the recipient's certificate. The sender's
+ key is identified using the OriginatorIdentifierOrKey field, either
+ by reference to the sender's certificate or by inline inclusion of a
+ key.
Rescorla [Page 2]InternetDraft DiffieHellman Key Agreement Method
 RecipientIdentifier, which points to the recipient's certificate.
 The sender's key is identified using the OriginatorIdentifierOrKey
 field, either by reference to the sender's certificate or by inline
 inclusion of a key.

2.1.2. Generation of Keying Material
X9.42 provides an algorithm for generating an essentially arbitrary
amount of keying material from ZZ. Our algorithm is derived from that
algorithm by mandating some optional fields and omitting others.
KM = H ( ZZ  OtherInfo)
 H is the message digest function SHA1 [FIPS180] ZZ is the shared
 key computed in Section 2.1.1 OtherInfo is the DER encoding of the
 following structure:
+ H is the message digest function SHA1 [FIPS180]
+ ZZ is the shared key computed in Section 2.1.1
+ OtherInfo is the DER encoding of the following structure:
OtherInfo ::= SEQUENCE {
keyInfo KeySpecificInfo,
pubInfo [2] OCTET STRING OPTIONAL,
}
KeySpecificInfo ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
counter OCTET STRING SIZE (4..4) }
@@ 141,79 +135,84 @@
message.
2.1.3. KEK Computation
Each key encryption algorithm requires a specific size key (n). The
KEK is generated by mapping the left nmost bytes of KM onto the key.
Consequently, for a DES [FIPS461] key, which requires 64 bits of
keying material, the algorithm is only run once, with a counter value
of 1. The first 64 bits of the output are parity adjusted and con
verted into a DES key. For 3DES, which requires 192 bits of keying

Rescorla [Page 3]InternetDraft DiffieHellman Key Agreement Method

material, the algorithm must be run twice, once with a counter value
of 1 (to generate K1', K2', and the first 32 bits of K3') and once
with a counter value of 2 (to generate the last 32 bits of K3).
K1',K2' and K3' are then parity adjusted to generate the 3 DES keys
K1,K2 and K3.
+Rescorla [Page 3]InternetDraft DiffieHellman Key Agreement Method
+
2.1.4. Keylengths for common algorithms
Some common key encryption algorithms have KEKs of the following
lengths.
DESECB 64 bits
3DESEDEECB 192 bits
RC2 (all) 128 bits
2.1.5. Public Key Validation
The following algorithm MAY be used to validate received public keys.
1. Verify that y lies within the interval [2,p1]. If it does not,
the key is invalid.
2. Compute y^q (mod p). If the result == 1, the key is valid.
Otherwise the key is invalid.
The primary purpose of public key validation is to prevent a small
 subgroup attack [REFERENCE?] on the sender's key pair. If Ephemeral
+ subgroup attack [SUBGROUP] on the sender's key pair. If Ephemeral
Static mode is used, this check is unnecessary. Note that this pro
cedure may be subject to pending patents.
2.1.6. Example
ZZ is the 16 bytes 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
The key encryption algorithm is 3DESEDE.
No pubInfo is used
 Consequently, the input to the first invocation of SHA1 is: 00 01 02
 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ; ZZ 30 13
+ Consequently, the input to the first invocation of SHA1 is:
+
+ 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ; ZZ
+ 30 13
30 11
06 09 2a 86 48 86 f7 0d 03 06 00 ; 3DESEDE OID
04 04 00 00 00 01 ; Counter
 And the output is the 20 bytes: a8 c6 4e 46 1a aa c2 36 45 c9 2e c6
 0e 8a c1 96 8f fb 94 b3
+ And the output is the 20 bytes:
+
+ a8 c6 4e 46 1a aa c2 36 45 c9 2e c6 0e 8a c1 96 8f fb 94 b3
+
+ The input to the second invocation of SHA1 is:
Rescorla [Page 4]InternetDraft DiffieHellman Key Agreement Method
 The input to the second invocation of SHA1 is: 00 01 02 03 04 05 06
 07 08 09 0a 0b 0c 0d 0e 0f ; ZZ 30 13
+ 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ; ZZ
+ 30 13
30 11
06 09 2a 86 48 86 f7 0d 03 06 00 ; 3DESEDE OID
04 04 00 00 00 01 ; Counter
 And the output is the 20 bytes: 49 eb c8 09 27 77 19 c1 a3 0c cc 49
 bd 0c 12 5e e0 f9 1a cc
+ And the output is the 20 bytes:
+
+ 49 eb c8 09 27 77 19 c1 a3 0c cc 49 bd 0c 12 5e e0 f9 1a cc
Consequently,
K1=a8 c6 4e 46 1a aa c2 36
K2=45 c9 2e c6 0e 8a c1 96
K3=8f fb 94 b3 49 eb c8 09
Note: These keys are not parity adjusted
2.2. Key and Parameter Requirements
@@ 233,29 +232,29 @@
Agents SHOULD generate domain parameters (g,p,q) using the algorithms
specified in Appendixes 2 and 3 of [FIPS186].
2.2.2. Group Parameter Validation
The ASN.1 for DH keys in [PKIX] includes elements j and validation
Parms which MAY be used by recipients of a key to verify that the
group parameters were correctly generated. Two checks are possible:
+Rescorla [Page 5]InternetDraft DiffieHellman Key Agreement Method
+
1. Verify that p=qj + 1. This demonstrates that the parameters meet
the X9.42 parameter criteria.
2. Verify that when the p,q generation procedure of [FIPS186] Appendix 2
is followed with seed 'seed', that p is found when 'counter' = pgenCounter.
This demonstrates that the parameters were randomly chosen and do not
have a special form.
Rescorla [Page 5]InternetDraft DiffieHellman Key Agreement Method

Whether agents provide validation information in their certificates
is a local matter between the agents and their CA.
2.3. EphemeralStatic Mode
In EphemeralStatic mode, the recipient has a static (and certified)
key pair, but the sender generates a new key pair for each message
and sends it using the originatorKey production. If the sender's key
is freshly generated for each message, the shared secret ZZ will be
similarly different for each message and pubInfo MAY be omitted,
@@ 282,31 +281,33 @@
[FIPS461] Federal Information Processing Standards Publication (FIPS PUB)
461, Data Encryption Standard, Reaffirmed 1988 January 22
(supersedes FIPS PUB 46, 1977 January 15).
[FIPS81] Federal Information Processing Standards Publication (FIPS PUB)
81, DES Modes of Operation, 1980 December 2.
[FIPS180] Federal Information Processing Standards Publication (FIPS PUB)
1801, "Secure Hash Standard", 1995 April 17.
+Rescorla [Page 6]InternetDraft DiffieHellman Key Agreement Method
+
[FIPS186] Federal Information Processing Standards Publication (FIPS PUB)
186, "Digital Signature Standard", 1994 May 19.
[PKIX] Housley, R., Ford, W., Polk, W., Solo, D., "Internet X.509 Public
Key Infrastructure Certificate and CRL Profile", RFCXXXX.
+ [SUBGROUP] I still need a reference for the Small Subgroup attack.
+
[X942] "Agreement Of Symmetric Keys Using DiffieHellman and MQV Algorithms",
ANSI draft, 1998.
Rescorla [Page 6]InternetDraft DiffieHellman Key Agreement Method

Security Considerations
All the security in this system is provided by the secrecy of the
private keying material. If either sender or recipient private keys
are disclosed, all messages sent or received using that key are
compromised. Similarly, loss of the private key results in an inabil
ity to read messages sent using that key.
Author's Address