draft-ietf-smime-x942-04.txt   draft-ietf-smime-x942-05.txt 
E. Rescorla E. Rescorla
INTERNET-DRAFT RTFM Inc. INTERNET-DRAFT RTFM Inc.
<draft-ietf-smime-x942-04.txt> December 1998 (Expires June 1999) <draft-ietf-smime-x942-05.txt> January 1999 (Expires July 1999)
Diffie-Hellman Key Agreement Method Diffie-Hellman Key Agreement Method
Status of this Memo Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts. working documents as Internet-Drafts.
skipping to change at line 28 skipping to change at line 29
To learn the current status of any Internet-Draft, please check the To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
ftp.isi.edu (US West Coast). ftp.isi.edu (US West Coast).
Abstract Abstract
This document standardizes one particular Diffie-Hellman variant, This document standardizes one particular Diffie-Hellman variant,
based on the ANSI X9.42 standard, developed by the ANSI X9F1 working based on the ANSI X9.42 draft, developed by the ANSI X9F1 working
group. Diffie-Hellman is a key agreement algorithm used by two par- group. Diffie-Hellman is a key agreement algorithm used by two par-
ties to agree on a shared secret. An algorithm for converting the ties to agree on a shared secret. An algorithm for converting the
shared secret into an arbitrary amount of keying material is pro- shared secret into an arbitrary amount of keying material is pro-
vided. The resulting keying material is used as a symmetric encryp- vided. The resulting keying material is used as a symmetric encryp-
tion key. The D-H variant described requires the recipient to have a tion key. The D-H variant described requires the recipient to have a
certificate, but the originator may have a static key pair (with the certificate, but the originator may have a static key pair (with the
public key placed in a certificate) or an ephemeral key pair. public key placed in a certificate) or an ephemeral key pair.
1. Introduction 1. Introduction
skipping to change at line 101 skipping to change at line 102
where ^ denotes exponentiation where ^ denotes exponentiation
ya is party a's public key; ya = g ^ xa mod p ya is party a's public key; ya = g ^ xa mod p
yb is party b's public key; yb = g ^ xb mod p yb is party b's public key; yb = g ^ xb mod p
xa is party a's private key xa is party a's private key
Rescorla [Page 2] Internet-Draft Diffie-Hellman Key Agreement Method Rescorla [Page 2] Internet-Draft Diffie-Hellman Key Agreement Method
xb is party b's private key xb is party b's private key
p is a large prime p is a large prime
g = h(p-1)/q mod p, where
h is any integer with 1 < h < p-1 such that h(p-1)/q mod p > 1
(g has order q mod p)
q is a large prime q is a large prime
g = h^{(p-1)/q} mod p, where
h is any integer with 1 < h < p-1 such that h(p-1)/q mod p > 1
(g has order q mod p; i.e. g^q mod p = 1 if g!=1)
j a large integer such that p=qj + 1 j a large integer such that p=qj + 1
(See Section 2.2 for criteria for keys and parameters) (See Section 2.2 for criteria for keys and parameters)
In [CMS], the recipient's key is identified by the CMS RecipientIden- In [CMS], the recipient's key is identified by the CMS RecipientIden-
tifier, which points to the recipient's certificate. The sender's tifier, which points to the recipient's certificate. The sender's
key is identified using the OriginatorIdentifierOrKey field, either key is identified using the OriginatorIdentifierOrKey field, either
by reference to the sender's certificate or by inline inclusion of a by reference to the sender's certificate or by inline inclusion of a
key. key.
2.1.2. Generation of Keying Material 2.1.2. Generation of Keying Material
X9.42 provides an algorithm for generating an essentially arbitrary X9.42 provides an algorithm for generating an essentially arbitrary
amount of keying material from ZZ. Our algorithm is derived from that amount of keying material from ZZ. Our algorithm is derived from that
algorithm by mandating some optional fields and omitting others. algorithm by mandating some optional fields and omitting others.
KM = H ( ZZ || OtherInfo) KM = H ( ZZ || OtherInfo)
H is the message digest function SHA-1 [FIPS-180] H is the message digest function SHA-1 [FIPS-180]
ZZ is the shared key computed in Section 2.1.1 ZZ is the shared secret value computed in Section 2.1.1. Leading zeros MUST
be preserved, so that ZZ occupies as many octets as p. For
instance, if p is 1024 bits, ZZ should be 128 bytes long.
OtherInfo is the DER encoding of the following structure: OtherInfo is the DER encoding of the following structure:
OtherInfo ::= SEQUENCE { OtherInfo ::= SEQUENCE {
keyInfo KeySpecificInfo, keyInfo KeySpecificInfo,
pubInfo [2] OCTET STRING OPTIONAL, partyAInfo [0] OCTET STRING OPTIONAL,
suppPubInfo [2] OCTET STRING
} }
KeySpecificInfo ::= SEQUENCE { KeySpecificInfo ::= SEQUENCE {
algorithm OBJECT IDENTIFIER, algorithm OBJECT IDENTIFIER,
counter OCTET STRING SIZE (4..4) } counter OCTET STRING SIZE (4..4) }
algorithm is the ASN.1 algorithm OID of the symmetric algorithm with which algorithm is the ASN.1 algorithm OID of the symmetric algorithm with which
this KEK will be used. Note that this is NOT an AlgorithmIdentifier, this KEK will be used. Note that this is NOT an AlgorithmIdentifier,
but simply the OBJECT IDENTIFIER. No paramters are used. but simply the OBJECT IDENTIFIER. No parameters are used.
counter is a 32 bit number, represented in network byte order. Its counter is a 32 bit number, represented in network byte order. Its
initial value is 1 for any ZZ, i.e. the byte sequence 00 00 00 01 initial value is 1 for any ZZ, i.e. the byte sequence 00 00 00 01
(hex), and it is incremented by one every time the above key generation (hex), and it is incremented by one every time the above key generation
function is run for a given KEK. function is run for a given KEK.
pubInfo is a random string provided by the sender. In CMS, it is provided as partyAInfo is a random string provided by the sender. In CMS, it is provided as
a parameter in the UserKeyingMaterial field (encoded as an OCTET STRING). If a parameter in the UserKeyingMaterial field (encoded as an OCTET STRING). If
provided this pubInfo MUST contain 512 bits.
Note that the only source of secret entropy in this computation is
Rescorla [Page 3] Internet-Draft Diffie-Hellman Key Agreement Method Rescorla [Page 3] Internet-Draft Diffie-Hellman Key Agreement Method
ZZ, so the security of this data is limited to the size of ZZ, even provided, partyAInfo MUST contain 512 bits.
if more data than ZZ is generated. However, if pubInfo is different suppPubInfo is the length of the generated KEK, in bits, represented
for each message, a different KEK will be generated for each message. as a 32 bit number in network byte order. E.g. for 3DES it
Note that pubInfo MUST be used in Static-Static mode, but MAY appear would be the byte sequence 00 00 00 C0.
in Ephemeral-Static mode.
Note that these ASN.1 definitions use EXPLICIT tagging. (In ASN.1,
EXPLICIT tagging is implicit unless IMPLICIT is explicitly speci-
fied.)
To generate a KEK, one generates one or more KM blocks (incrementing
counter appropriately) until enough material has been generated. The
KM blocks are concatenated left to right in the obvious order. I.e.
KM(counter=1) || KM(counter=2)...
Note that the only source of secret entropy in this computation is
ZZ, so the security of this data is limited to the size of p and q,
even if a string longer than ZZ is generated. However, if partyAInfo
is different for each message, a different KEK will be generated for
each message. Note that partyAInfo MUST be used in Static-Static
mode, but MAY appear in Ephemeral-Static mode.
2.1.3. KEK Computation 2.1.3. KEK Computation
Each key encryption algorithm requires a specific size key (n). The Each key encryption algorithm requires a specific size key (n). The
KEK is generated by mapping the left n-most bytes of KM onto the key. KEK is generated by mapping the left n-most bytes of KM onto the key.
For 3DES, which requires 192 bits of keying material, the algorithm For 3DES, which requires 192 bits of keying material, the algorithm
must be run twice, once with a counter value of 1 (to generate K1', must be run twice, once with a counter value of 1 (to generate K1',
K2', and the first 32 bits of K3') and once with a counter value of 2 K2', and the first 32 bits of K3') and once with a counter value of 2
(to generate the last 32 bits of K3). K1',K2' and K3' are then parity (to generate the last 32 bits of K3). K1',K2' and K3' are then parity
adjusted to generate the 3 DES keys K1,K2 and K3. For RC2, which adjusted to generate the 3 DES keys K1,K2 and K3. For RC2, which
skipping to change at line 179 skipping to change at line 195
2.1.4. Keylengths for common algorithms 2.1.4. Keylengths for common algorithms
Some common key encryption algorithms have KEKs of the following Some common key encryption algorithms have KEKs of the following
lengths. lengths.
3DES-EDE-ECB 192 bits 3DES-EDE-ECB 192 bits
RC2 (all) 128 bits RC2 (all) 128 bits
2.1.5. Public Key Validation 2.1.5. Public Key Validation
The following algorithm MAY be used to validate received public keys. The following algorithm MAY be used to validate a received public key
y.
Rescorla [Page 4] Internet-Draft Diffie-Hellman Key Agreement Method
1. Verify that y lies within the interval [2,p-1]. If it does not, 1. Verify that y lies within the interval [2,p-1]. If it does not,
the key is invalid. the key is invalid.
2. Compute y^q mod p. If the result == 1, the key is valid. 2. Compute y^q mod p. If the result == 1, the key is valid.
Otherwise the key is invalid. Otherwise the key is invalid.
The primary purpose of public key validation is to prevent a small The primary purpose of public key validation is to prevent a small
subgroup attack [LAW98] on the sender's key pair. If Ephemeral-Static subgroup attack [LAW98] on the sender's key pair. If Ephemeral-Static
mode is used, this check may not be necessary. mode is used, this check may not be necessary. See also [P1363] for
more information on Public Key validation.
Note that this procedure may be subject to pending patents. Note that this procedure may be subject to pending patents.
2.1.6. Example 1 2.1.6. Example 1
ZZ is the 16 bytes 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ZZ is the 20 bytes 00 01 02 03 04 05 06 07 08 09
0a 0b 0c 0d 0e 0f 10 11 12 13
Rescorla [Page 4] Internet-Draft Diffie-Hellman Key Agreement Method
The key encryption algorithm is 3DES-EDE. The key encryption algorithm is 3DES-EDE.
No pubInfo is used No partyAInfo is used
Consequently, the input to the first invocation of SHA-1 is: Consequently, the input to the first invocation of SHA-1 is:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ; ZZ 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ; ZZ
30 12 30 1a
30 10 30 10
06 08 2a 86 48 86 f7 0d 03 07 ; 3DES-EDE OID 06 08 2a 86 48 86 f7 0d 03 07 ; 3DES OID
04 04 00 00 00 01 ; Counter 04 04
00 00 00 01 ; Counter
a2 06
04 04
00 00 00 c0 ; key length
And the output is the 20 bytes: And the output is the 20 bytes:
20 be 23 e3 3b 72 ef 16 8e e3 ae 18 5a 00 93 b0 d6 49 56 22 b4 85 32 07 a9 da b2 9a 23 5a a8 a5 3f ed cd 65 92 26 0a 4a
The input to the second invocation of SHA-1 is: The input to the second invocation of SHA-1 is:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ; ZZ 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ; ZZ
30 12 30 1a
30 10 30 10
06 08 2a 86 48 86 f7 0d 03 07 ; 3DES-EDE OID 06 08 2a 86 48 86 f7 0d 03 07 ; 3DES OID
04 04 00 00 00 02 ; Counter 04 04
00 00 00 02 ; Counter
Rescorla [Page 5] Internet-Draft Diffie-Hellman Key Agreement Method
a2 06
04 04
00 00 00 c0 ; key length
And the output is the 20 bytes: And the output is the 20 bytes:
3b 4e fd d4 6e ff 6b 6d 35 a9 cd e3 e3 e7 05 39 e0 31 53 de 9d 95 43 57 15 e9 c8 31 ce 8a 64 fe e4 c8 d6 0c bf 50 a6 e1
Consequently, Consequently,
K1'=20 be 23 e3 3b 72 ef 16 K1'=b4 85 32 07 a9 da b2 9a
K2'=8e e3 ae 18 5a 00 93 b0 K2'=23 5a a8 a5 3f ed cd 65
K3'=d6 49 56 22 3b 4e fd d4 K3'=92 26 0a 4a 9d 95 43 57
Note: These keys are not parity adjusted Note: These keys are not parity adjusted
2.1.7. Example 2 2.1.7. Example 2
ZZ is the 16 bytes 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ZZ is the 20 bytes 00 01 02 03 04 05 06 07 08 09
0a 0b 0c 0d 0e 0f 10 11 12 13
The key encryption algorithm is RC2 The key encryption algorithm is RC2
The pubInfo used is the 64 bytes 01 23 45 67 89 ab cd ef 01 23 45 67 The partyAInfo used is the 64 bytes
89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45
67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23
45 67 89 ab cd ef
Consequently, the input to SHA-1 is: 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
Rescorla [Page 5] Internet-Draft Diffie-Hellman Key Agreement Method Consequently, the input to SHA-1 is:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ; ZZ 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ; ZZ
30 56 30 5e
30 10 30 10
06 08 2a 86 48 86 f7 0d 03 02 ; RC2 OID 06 08 2a 86 48 86 f7 0d 03 02 ; RC2 OID
04 04 00 00 00 01 ; Counter 04 04
a2 42 00 00 00 01 ; Counter
a0 42
04 40 04 40
01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef ; PubInfo 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01 ; partyAInfo
01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
a2 06
04 04
00 00 00 80 ; key length
And the output is the 20 bytes: And the output is the 20 bytes:
c7 4e c5 80 68 7d 70 aa 06 38 d3 e3 c7 2a da 5a 67 4e cf 06 Rescorla [Page 6] Internet-Draft Diffie-Hellman Key Agreement Method
52 45 e1 6d 27 57 be d6 8e 20 53 6b 38 b7 63 47 63 13 1d fd
Consequently, Consequently,
K=c7 4e c5 80 68 7d 70 aa 06 38 d3 e3 c7 2a da 5a K=52 45 e1 6d 27 57 be d6 8e 20 53 6b 38 b7 63 47
2.2. Key and Parameter Requirements 2.2. Key and Parameter Requirements
X9.42 requires that the group parameters be of the form p=jq + 1 X9.42 requires that the group parameters be of the form p=jq + 1
where q is a large prime of length m and j>=2. An algorithm for gen- where q is a large prime of length m and j>=2. An algorithm for gen-
erating primes of this form (derived from the algorithms in FIPS PUB erating primes of this form (derived from the algorithms in FIPS PUB
186-1[DSS], and [X942]can be found in appendix A. 186-1[DSS], and [X942]can be found in appendix A.
X9.42 requires that the private key x be in the interval [2, (q - X9.42 requires that the private key x be in the interval [2, (q -
2)]. x should be randomly generated in this interval. y is then com- 2)]. x should be randomly generated in this interval. y is then com-
puted by calculating g^x mod p. To comply with this draft, m MUST be puted by calculating g^x mod p. To comply with this draft, m MUST be
>=160, (consequently, q and x MUST each be at least 128 bits long). >=160, (consequently, q MUST each be at least 160 bits long). When
When symmetric ciphers stronger than DES are to be used, a larger m symmetric ciphers stronger than DES are to be used, a larger m may be
may be advisable. advisable. p must be a minimum of 160 bits long.
2.2.1. Group Parameter Generation 2.2.1. Group Parameter Generation
Agents SHOULD generate domain parameters (g,p,q) using the following Agents SHOULD generate domain parameters (g,p,q) using the following
algorithm, derived from [FIPS-186] and [X942]. When this algorithm is algorithm, derived from [FIPS-186] and [X942]. When this algorithm is
used, the correctness of the generation procedure can be verified by used, the correctness of the generation procedure can be verified by
a third party by the algorithm of 2.2.2. a third party by the algorithm of 2.2.2.
2.2.1.1. Generation of p, q 2.2.1.1. Generation of p, q
This algorithm generates a p, q pair where q is of length m and This algorithm generates a p, q pair where q is of length m and
p is of length L. p is of length L.
Let L - 1 = n*m + b where both b and n are integers and Let L - 1 = n*m + b where both b and n are integers and
0 <= b < 160. 0 <= b < 160.
Rescorla [Page 6] Internet-Draft Diffie-Hellman Key Agreement Method
1. Choose an arbitrary sequence of at least m bits and call it SEED. 1. Choose an arbitrary sequence of at least m bits and call it SEED.
Let g be the length of SEED in bits. Let g be the length of SEED in bits.
2. Set U = 0 2. Set U = 0
3. Set m' = m / 160, where / represents integer division, 3. Set m' = m / 160, where / represents integer division,
consequently, if m = 200, m' = 1. consequently, if m = 200, m' = 1.
4. for i = 0 to m' - 1 4. for i = 0 to m' - 1
U = U + SHA[SEED + i] XOR SHA[(SEED + m' + i) mod 2^160] * 2^(160 * i) U = U + SHA[SEED + i] XOR SHA[(SEED + m' + i) mod 2^160] * 2^(160 * i)
Note that for m=160, this reduces to the algorithm of [FIPS186] Note that for m=160, this reduces to the algorithm of [FIPS186]
Rescorla [Page 7] Internet-Draft Diffie-Hellman Key Agreement Method
U = SHA[SEED] XOR SHA[(SEED+1) mod 2^160 ]. U = SHA[SEED] XOR SHA[(SEED+1) mod 2^160 ].
5. Form q from U by setting the most significant bit (the 2^(m-1) bit) 5. Form q from U by setting the most significant bit (the 2^(m-1) bit)
and the least significant bit to 1. In terms of boolean operations, and the least significant bit to 1. In terms of boolean operations,
q = U OR 2^(m-1) OR 1. Note that 2^(m-1) < q < 2^m q = U OR 2^(m-1) OR 1. Note that 2^(m-1) < q < 2^m
6. Use a robust primality algorithm to test whether q is prime. 6. Use a robust primality algorithm to test whether q is prime.
7. If q is not prime then go to 1. 7. If q is not prime then go to 1.
skipping to change at line 346 skipping to change at line 383
11. Let c = X mod (2 * q) and set p = X - (c-1). Note that p is congruent 11. Let c = X mod (2 * q) and set p = X - (c-1). Note that p is congruent
to 1 mod (2 * q). to 1 mod (2 * q).
12. If p < 2^(L -1) then go to step 15. 12. If p < 2^(L -1) then go to step 15.
13. Perform a robust primality test on p. 13. Perform a robust primality test on p.
14. If p passes the test performed in step 13 go to step 17. 14. If p passes the test performed in step 13 go to step 17.
Rescorla [Page 7] Internet-Draft Diffie-Hellman Key Agreement Method
15. Let counter = counter + 1 and offset = offset + n + 1. 15. Let counter = counter + 1 and offset = offset + n + 1.
16. If counter >= 4096 go to step 1. Otherwise go to step 9. 16. If counter >= 4096 go to step 1. Otherwise go to step 9.
17. Save the value of SEED and the value of counter for use 17. Save the value of SEED and the value of counter for use
in certifying the proper generation of p and q. in certifying the proper generation of p and q.
Note: A robust primality test is one where the probability of Note: A robust primality test is one where the probability of
a non-prime number passing the test is at most 2^-80. a non-prime number passing the test is at most 2^-80. [FIPS-186]
provides a suitable algorithm, as does [X9.42].
2.2.1.2. Generation of g 2.2.1.2. Generation of g
This section gives an algorithm (derived from [FIPS186]) for generat- This section gives an algorithm (derived from [FIPS186]) for
ing g.
Rescorla [Page 8] Internet-Draft Diffie-Hellman Key Agreement Method
generating g.
1. Let j = (p - 1)/q. 1. Let j = (p - 1)/q.
2. Set h = any integer, where 1 < h < p - 1 and h differs 2. Set h = any integer, where 1 < h < p - 1 and h differs
from any value previously tried. from any value previously tried.
3. Set g = h^j mod p 3. Set g = h^j mod p
4. If g = 1 go to step 2 4. If g = 1 go to step 2
2.2.2. Group Parameter Validation 2.2.2. Group Parameter Validation
skipping to change at line 393 skipping to change at line 432
Whether agents provide validation information in their certificates Whether agents provide validation information in their certificates
is a local matter between the agents and their CA. is a local matter between the agents and their CA.
2.3. Ephemeral-Static Mode 2.3. Ephemeral-Static Mode
In Ephemeral-Static mode, the recipient has a static (and certified) In Ephemeral-Static mode, the recipient has a static (and certified)
key pair, but the sender generates a new key pair for each message key pair, but the sender generates a new key pair for each message
and sends it using the originatorKey production. If the sender's key and sends it using the originatorKey production. If the sender's key
is freshly generated for each message, the shared secret ZZ will be is freshly generated for each message, the shared secret ZZ will be
similarly different for each message and pubInfo MAY be omitted, similarly different for each message and partyAInfo MAY be omitted,
since it serves merely to decouple multiple KEKs generated by the since it serves merely to decouple multiple KEKs generated by the
Rescorla [Page 8] Internet-Draft Diffie-Hellman Key Agreement Method
same set of pairwise keys. If, however, the same ephemeral sender key same set of pairwise keys. If, however, the same ephemeral sender key
is used for multiple messages (e.g. it is cached as a performance is used for multiple messages (e.g. it is cached as a performance
optimization) then a separate pubInfo MUST be used for each message. optimization) then a separate partyAInfo MUST be used for each mes-
All implementations of this standard MUST implement Ephemeral-Static sage. All implementations of this standard MUST implement Ephemeral-
mode. Static mode.
In order to resist small subgroup attacks, the recipient SHOULD per- In order to resist small subgroup attacks, the recipient SHOULD per-
form the check described in 2.1.5. If the sender cannot determine form the check described in 2.1.5. If an opponent cannot determine
success or failure of decryption, the recipient MAY choose to omit success or failure of a decryption operation by the recipient, the
this check. recipient MAY choose to omit this check.
Rescorla [Page 9] Internet-Draft Diffie-Hellman Key Agreement Method
2.4. Static-Static Mode 2.4. Static-Static Mode
In Static-Static mode, both the sender and the recipient have a In Static-Static mode, both the sender and the recipient have a
static (and certified) key pair. Since the sender's and recipient's static (and certified) key pair. Since the sender's and recipient's
keys are therefore the same for each message, ZZ will be the same for keys are therefore the same for each message, ZZ will be the same for
each message. Thus, pubInfo MUST be used (and different for each mes- each message. Thus, partyAInfo MUST be used (and different for each
sage) in order to ensure that different messages use different KEKs. message) in order to ensure that different messages use different
Implementations MAY implement Static-Static mode. KEKs. Implementations MAY implement Static-Static mode.
In order to prevent small subgroup attacks, both originator and reci- In order to prevent small subgroup attacks, both originator and reci-
pient SHOULD either perform the validation step described in S 2.1.5 pient SHOULD either perform the validation step described in S 2.1.5
or verify that the CA has properly verified the validity of the key. or verify that the CA has properly verified the validity of the key.
Acknowledgements Acknowledgements
The Key Agreement method described in this document is based on work The Key Agreement method described in this document is based on work
done by the ANSI X9F1 working group. The author wishes to extend his done by the ANSI X9F1 working group. The author wishes to extend his
thanks for their assistance. thanks for their assistance.
The author also wishes to thank Paul Hoffman, Stephen Henson, Russ The author also wishes to thank Paul Hoffman, Stephen Henson, Russ
Housley, Brian Korver, Jim Schaad, Mark Schertler, and Peter Yee for Housley, Brian Korver, Jim Schaad, Mark Schertler, Peter Yee, and
their expert advice and review. Robert Zuccherato for their expert advice and review.
References References
[CMS] Housley, R., "Cryptographic Message Syntax", draft-ietf-smime-cms-07.txt. [CMS] Housley, R., "Cryptographic Message Syntax", draft-ietf-smime-cms-07.txt.
[FIPS-46-1] Federal Information Processing Standards Publication (FIPS PUB) [FIPS-46-1] Federal Information Processing Standards Publication (FIPS PUB)
46-1, Data Encryption Standard, Reaffirmed 1988 January 22 46-1, Data Encryption Standard, Reaffirmed 1988 January 22
(supersedes FIPS PUB 46, 1977 January 15). (supersedes FIPS PUB 46, 1977 January 15).
[FIPS-81] Federal Information Processing Standards Publication (FIPS PUB) [FIPS-81] Federal Information Processing Standards Publication (FIPS PUB)
81, DES Modes of Operation, 1980 December 2. 81, DES Modes of Operation, 1980 December 2.
[FIPS-180] Federal Information Processing Standards Publication (FIPS PUB) [FIPS-180] Federal Information Processing Standards Publication (FIPS PUB)
180-1, "Secure Hash Standard", 1995 April 17. 180-1, "Secure Hash Standard", 1995 April 17.
[FIPS-186] Federal Information Processing Standards Publication (FIPS PUB) [FIPS-186] Federal Information Processing Standards Publication (FIPS PUB)
Rescorla [Page 9] Internet-Draft Diffie-Hellman Key Agreement Method
186, "Digital Signature Standard", 1994 May 19. 186, "Digital Signature Standard", 1994 May 19.
[P1363] "Standard Specifications for Public Key Cryptography", IEEE P1363
working group draft, 1998, Annex D.
[PKIX] Housley, R., Ford, W., Polk, W., Solo, D., "Internet X.509 Public [PKIX] Housley, R., Ford, W., Polk, W., Solo, D., "Internet X.509 Public
Key Infrastructure Certificate and CRL Profile", RFC-XXXX. Key Infrastructure Certificate and CRL Profile", RFC-XXXX.
[LAW98] L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstone, [LAW98] L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstone,
"An efficient protocol for authenticated key agreement", "An efficient protocol for authenticated key agreement",
Technical report CORR 98-05, University of Waterloo, 1998. Technical report CORR 98-05, University of Waterloo, 1998.
Rescorla [Page 10] Internet-Draft Diffie-Hellman Key Agreement Method
[LL97] C.H. Lim and P.J. Lee, "A key recovery attack on discrete log-based
schemes using a prime order subgroup", B.S. Kaliski, Jr., editor,
Advances in Cryptology - Crypto '97, Lecture Notes in Computer Science,
vol. 1295, 1997, Springer-Verlag, pp. 249-263.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels." RFC 2119. March 1997. Levels." RFC 2119. March 1997.
[X942] "Agreement Of Symmetric Keys Using Diffie-Hellman and MQV Algorithms", [X942] "Agreement Of Symmetric Keys Using Diffie-Hellman and MQV Algorithms",
ANSI draft, 1998. ANSI draft, 1998.
Security Considerations Security Considerations
All the security in this system is provided by the secrecy of the All the security in this system is provided by the secrecy of the
private keying material. If either sender or recipient private keys private keying material. If either sender or recipient private keys
are disclosed, all messages sent or received using that key are are disclosed, all messages sent or received using that key are
compromised. Similarly, loss of the private key results in an inabil- compromised. Similarly, loss of the private key results in an inabil-
ity to read messages sent using that key. ity to read messages sent using that key.
Static Diffie-Hellman keys are vulnerable to a small subgroup attack Static Diffie-Hellman keys are vulnerable to a small subgroup attack
[LAW98]. In practice, this issue arises for both sides in Static- [LAW98]. In practice, this issue arises for both sides in Static-
Static mode and for the receiver during Ephemeral-Static mode. S 2.3 Static mode and for the receiver during Ephemeral-Static mode. S 2.3
and 2.4 describe appropriate practices to protect against this and 2.4 describe appropriate practices to protect against this
attack. attack. Alternatively, it is possible to generate keys in such a
fashion that they are resistant to this attack. See [LL97]
In order to securely generate a symmetric key of length l, m (the In order to securely generate a symmetric key of length l, m (the
length in bits of q, and hence x) should be at least 2l. m MUST length in bits of q, and hence x) should be at least 2l. m MUST
always be >= 160. Consequently, for RC2, m should be >=256 and for always be >= 160. Consequently, for RC2, m should be >=256 and for
3DES, >=336 (the effective length of 3DES keys is 168 bits). 3DES, >=224 (the effective length of 3DES keys is 112 bits).
Author's Address Author's Address
Eric Rescorla <ekr@rtfm.com> Eric Rescorla <ekr@rtfm.com>
RTFM Inc. RTFM Inc.
30 Newell Road, #16 30 Newell Road, #16
East Palo Alto, CA 94303 East Palo Alto, CA 94303
Rescorla [Page 10] Internet-Draft Diffie-Hellman Key Agreement Method Rescorla [Page 11] Internet-Draft Diffie-Hellman Key Agreement Method
Table of Contents Table of Contents
1. Introduction ................................................... 1 1. Introduction ................................................... 1
1.1. Discussion of this Draft ..................................... 2 1.1. Discussion of this Draft ..................................... 2
1.2. Requirements Terminology ..................................... 2 1.2. Requirements Terminology ..................................... 2
2. Overview Of Method ............................................. 2 2. Overview Of Method ............................................. 2
skipping to change at line 514 skipping to change at line 560
2.1.1. Generation of ZZ ........................................... 2 2.1.1. Generation of ZZ ........................................... 2
2.1.2. Generation of Keying Material .............................. 3 2.1.2. Generation of Keying Material .............................. 3
2.1.3. KEK Computation ............................................ 4 2.1.3. KEK Computation ............................................ 4
2.1.4. Keylengths for common algorithms ........................... 4 2.1.4. Keylengths for common algorithms ........................... 4
2.1.5. Public Key Validation ...................................... 4 2.1.5. Public Key Validation ...................................... 4
2.1.6. Example 1 .................................................. 4 2.1.6. Example 1 .................................................. 5
2.1.7. Example 2 .................................................. 5 2.1.7. Example 2 .................................................. 6
2.2. Key and Parameter Requirements ............................... 6 2.2. Key and Parameter Requirements ............................... 7
2.2.1. Group Parameter Generation ................................. 6 2.2.1. Group Parameter Generation ................................. 7
2.2.1.1. Generation of p, q ....................................... 6 2.2.1.1. Generation of p, q ....................................... 7
2.2.1.2. Generation of g .......................................... 8 2.2.1.2. Generation of g .......................................... 8
2.2.2. Group Parameter Validation ................................. 8 2.2.2. Group Parameter Validation ................................. 9
2.3. Ephemeral-Static Mode ........................................ 8 2.3. Ephemeral-Static Mode ........................................ 9
2.4. Static-Static Mode ........................................... 9 2.4. Static-Static Mode ........................................... 10
2.4. Acknowledgements ............................................. 9 2.4. Acknowledgements ............................................. 10
Rescorla [Page 11] Internet-Draft Diffie-Hellman Key Agreement Method Rescorla [Page 12] Internet-Draft Diffie-Hellman Key Agreement Method
2.4. References ................................................... 9 2.4. References ................................................... 10
Security Considerations ........................................... 10 Security Considerations ........................................... 11
Author's Address .................................................. 10 Author's Address .................................................. 11
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/