Network Working Group                                       W A Simpson
Internet Draft                                             [DayDreamer]
expires in six months                                          May 1998


                       Photuris: Secret Exchange
                 draft-simpson-photuris-secret-00.txt


Status of this Memo

   This document is an Internet-Draft. Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its Areas,
   and its Working Groups. Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six
   months, and may be updated, replaced, or obsoleted by other
   documents at any time. It is not appropriate to use Internet Drafts
   as reference material, or to cite them other than as a ``working
   draft'' or ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the internet-drafts
   Shadow Directories on:

      ftp.is.co.za (Africa)
      nic.nordu.net (Northern Europe)
      ftp.nis.garr.it (Southern Europe)
      ftp.ietf.org (Eastern USA)
      ftp.isi.edu (Western USA)
      munnari.oz.au (Pacific Rim)

   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) William Allen Simpson (1995,1998). All Rights
   Reserved.

Abstract

   Photuris is a session-key management protocol. Extensible Messages
   are provided to enable future implementation changes without
   affecting the basic protocol.

   The Secret Exchange messages provide the capability to create
   ephemeral symmetric secrets between parties.


Simpson                  expires in six months                 [Page i]
DRAFT                        Secret Exchange                    May 1998


1.  Introduction

   In addition to establishing session-keys, Photuris is easily capable
   of generating high quality unpredictable secrets. This facility can
   be useful to augment or expand lower quality user passwords, and to
   substitute for computationally expensive public-key operations.

   The packet format and basic facilities are already defined for
   Photuris [RFC-zzzz].

1.1.  Terminology

   In this document, the key words "MAY", "MUST", "MUST NOT",
   "optional", "recommended", "SHOULD", and "SHOULD NOT", are to be
   interpreted as described in [RFC-2119].

   nonce            A value that is not used more than once for the
                    same purpose. The value is recommended to be
                    generated by a cryptographically random method,
                    which may be concatenated with a timestamp or
                    sequence number.

   Party Secret Index (PSI)
                    A number that indicates a particular symmetric
                    secret. The number is unique relative to the IP
                    Destination, which is the PSI Owner. The value is
                    recommended to be generated by a cryptographically
                    random method.

                    The use of this value is orthogonal to usage of
                    similar values by other related security protocols,
                    such as the Security-Parameters-Index (SPI). That
                    is, the same value MAY be used by multiple
                    protocols to concurrently indicate different
                    Security Association parameters.

2.  Secret Exchange

   The Secret Exchange will occur following the usual Value Exchange:

   Initiator                            Responder
   =========                            =========
   Cookie_Request                ->
                                 <-     Cookie_Response
   Value_Request                 ->
                                 <-     Value_Response

            [generate shared-secret from exchanged values]

   Frequently, the Secret Exchange will occur before the Identification
   Exchange:

   Initiator                            Responder
   =========                            =========
   Secret_Request                ->
                                 <-     Secret_Response

               [make PSI secret-keys in each direction]

   Identity_Request              ->
                                 <-     Identity_Response

               [make SPI session-keys in each direction]

   Alternatively, the Secret Exchange can occur in the middle of the
   Identification Exchange:

   Initiator                            Responder
   =========                            =========
   Identity_Request              ->
                                 <-     Secret_Request
   Secret_Response               ->

               [make PSI secret-keys in each direction]

                                 <-     Identity_Response

               [make SPI session-keys in each direction]

   Finally, the Secret Exchange can occur at both times.

   The exchange of messages is ordered, although the formats and
   meanings of the messages are identical in each direction.
   The messages are easily distinguished by the parties themselves, by
   examining the Message and Identification fields.

2.1.  Secret_Request

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                       Initiator-Cookie                        ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                       Responder-Cookie                        ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Message    |                    LifeTime                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Party-Secret-Index                       |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   |        Identity-Choice        |                               |
   + + + + + + + + + + + + + + + + +                               +
   |                                                               |
   ~                        Identification                         ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                                    ... Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Initiator-Cookie 16 bytes. Copied from the Value_Request.

   Responder-Cookie 16 bytes. Copied from the Value_Request.

   Message          6

   LifeTime         3 bytes. The number of seconds remaining before the
                    indicated PSI expires.

                    When zero, indicates that the PSI is used for only
                    this Identification Exchange.

   Party-Secret-Index (PSI)
                    4 bytes. The PSI to be used for this party in the
                    Identification Exchange.

                    The value MUST NOT be zero.

   Identity-Choice  2 or more bytes. An identity attribute is selected
                    from the list of Offered-Attributes sent by the
                    peer.

                    The field may be any integral number of bytes in
                    length, as indicated by its Length field. It does
                    not require any particular alignment. The 16-bit
                    alignment shown is for convenience in the
                    illustration.

   Identification   Variable Precision Integer, or alternative format
                    indicated by the Identity-Choice. See the
                    "Additional Attributes" for details.

                    The field may be any integral number of bytes in
                    length. It does not require any particular
                    alignment.
                    The 32-bit alignment shown is for convenience in
                    the illustration.

   Padding          8 to 255 bytes. This field is filled up to at least
                    a 128 byte boundary, measured from the beginning of
                    the message. The number of pad bytes is chosen
                    randomly.

                    In addition, when a Privacy-Method indicated by the
                    current Scheme-Choice requires the plaintext to be
                    a multiple of some number of bytes (the block size
                    of a block cipher), this field is adjusted as
                    necessary to the size required by the algorithm.

                    Self-Describing-Padding begins with the value 1.
                    Each byte contains the index of that byte. Thus,
                    the final pad byte indicates the number of pad
                    bytes to remove. For example, when the unpadded
                    message length is 120 bytes, the padding values
                    might be 1, 2, 3, 4, 5, 6, 7, and 8.

   The portion of the message after the PSI field is masked using the
   Privacy-Method indicated by the current Scheme-Choice.

   The fields following the PSI are opaque. That is, the values are set
   prior to masking (and optional encryption), and examined only after
   unmasking (and optional decryption).

2.2.  Secret_Response

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                       Initiator-Cookie                        ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                       Responder-Cookie                        ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Message    |                    LifeTime                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Party-Secret-Index                       |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   |        Identity-Choice        |                               |
   + + + + + + + + + + + + + + + + +                               +
   |                                                               |
   ~                         Secret-Value                          ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                         Verification                          ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       (Identity-Choice)       |                               |
   + + + + + + + + + + + + + + + + +                               +
   |                                                               |
   ~                       (Identification)                        ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                                    ... Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Initiator-Cookie 16 bytes. Copied from the Secret_Request.

   Responder-Cookie 16 bytes. Copied from the Secret_Request.

   Message          5

   LifeTime         3 bytes. The number of seconds remaining before the
                    indicated PSI expires.

                    When zero, indicates that the PSI is used for only
                    this Identification Exchange.

   Party-Secret-Index (PSI)
                    4 bytes. The PSI to be used for this party in the
                    Identification Exchange.

                    The value MUST NOT be zero. Also, the value MUST
                    NOT equal the PSI from the Secret_Request.

   Identity-Choice  2 or more bytes. A symmetric identity attribute is
                    selected from the list of Offered-Attributes sent
                    by the peer, and is used to calculate the
                    Verification.

                    The field may be any integral number of bytes in
                    length, as indicated by its Length field. It does
                    not require any particular alignment. The 16-bit
                    alignment shown is for convenience in the
                    illustration.

   Secret-Value     Variable Precision Integer, or alternative format
                    indicated by the Secret_Request Identity-Choice.
                    Used for calculating a pair of symmetric
                    secret-keys between the parties.

                    The field may be any integral number of bytes in
                    length, as indicated by its Size field. It does
                    not require any particular alignment. The 32-bit
                    alignment shown is for convenience in the
                    illustration.

   Verification     Variable Precision Integer, or alternative format
                    indicated by the Identity-Choice. The calculation
                    of the value is described in "Secret Verification".

                    The field may be any integral number of bytes in
                    length. It does not require any particular
                    alignment. The 32-bit alignment shown is for
                    convenience in the illustration.

   (Identity-Choice)
                    2 or more bytes. An identity attribute is selected
                    from the list of Offered-Attributes sent by the
                    peer.

                    This field is optional. Its presence is indicated
                    by the UDP Length after removing the Padding (UDP
                    Length - last Padding value).
                    The field may be any integral number of bytes in
                    length, as indicated by its Length field. It does
                    not require any particular alignment. The 16-bit
                    alignment shown is for convenience in the
                    illustration.

   (Identification) Variable Precision Integer, or alternative format
                    indicated by the Identity-Choice. See the
                    "Additional Attributes" for details.

                    This field is optional. Its presence is indicated
                    by the UDP Length after removing the Padding (UDP
                    Length - last Padding value).

                    The field may be any integral number of bytes in
                    length. It does not require any particular
                    alignment. The 32-bit alignment shown is for
                    convenience in the illustration.

   Padding          8 to 255 bytes. This field is filled up to at least
                    a 128 byte boundary, measured from the beginning of
                    the message. The number of pad bytes is chosen
                    randomly.

                    In addition, when a Privacy-Method indicated by the
                    current Scheme-Choice requires the plaintext to be
                    a multiple of some number of bytes (the block size
                    of a block cipher), this field is adjusted as
                    necessary to the size required by the algorithm.

                    Self-Describing-Padding begins with the value 1.
                    Each byte contains the index of that byte. Thus,
                    the final pad byte indicates the number of pad
                    bytes to remove. For example, when the unpadded
                    message length is 120 bytes, the padding values
                    might be 1, 2, 3, 4, 5, 6, 7, and 8.

   The portion of the message after the PSI field is masked using the
   Privacy-Method indicated by the current Scheme-Choice.

   The fields following the PSI are opaque. That is, the values are set
   prior to masking (and optional encryption), and examined only after
   unmasking (and optional decryption).

2.3.  Secret-Nonce

   A secret-nonce is derived as indicated by the Identity-Choice
   specified in the Secret_Request.

   Asymmetric Identity Attributes

      The Secret-Value contains the secret-nonce encoded by the
      public-key.

   Symmetric Identity Attributes

      The Value part of the Secret-Value is concatenated to (followed
      by) the existing symmetric secret-key.

   Regardless of the internal representation of the secret-nonce, when
   used in calculations it is in the same form as the Value part of a
   Variable Precision Integer:

    - most significant byte first.
    - bits used are right justified within byte boundaries.
    - any unused bits are in the most significant byte.
    - unused bits are zero filled.

   The secret-nonce does not include a Size field.

2.4.  Secret-Key Computation

   Each pair of PSI values is used to generate a corresponding pair of
   symmetric secret-keys (one for each party).

   The Scheme-Choice specified Key-Generation-Function is calculated
   over the following concatenated values:

    + the Initiator Cookie,
    + the Responder Cookie,
    + the Owner Message, LifeTime and PSI,
    + the secret-nonce,
    + the Peer Message, LifeTime and PSI,
    + the computed shared-secret.

   Since the order of the Owner and Peer fields is different in each
   direction, the resulting secret-key will usually be different in
   each direction.

   Following verification, the pair of PSI values also identifies the
   secret-keys. The primary (Requester) identity is the Secret_Request
   PSI value concatenated to (followed by) the Verification value. The
   secondary (Peer) identity is the Secret_Request PSI value,
   concatenated to (followed by) the Secret_Response PSI value,
   concatenated to (followed by) the Verification value.

   These identities can be used with a Symmetric Identity Attribute in
   any subsequent Identification message. The Secret_Request LifeTime
   is used as the LifeTime for both secret-keys.
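
   The concatenation order above, worked through for both directions
   as an added example (not part of the draft). SHA-256 stands in for
   the Scheme-Choice Key-Generation-Function, big-endian field encoding
   is assumed, and the Owner fields are taken from the message that
   carried the PSI; all names and sample values are constructed.

```python
import hashlib

SECRET_RESPONSE, SECRET_REQUEST = 5, 6   # Message values from 2.2 and 2.1


def nonce_value(n: int, bits: int) -> bytes:
    """Secret-nonce in calculation form: most significant byte first,
    right justified, unused high-order bits zero, no Size field."""
    if n < 0 or n >> bits:
        raise ValueError("nonce does not fit in the stated bit length")
    return n.to_bytes((bits + 7) // 8, "big")


def party_fields(message: int, lifetime: int, psi: int) -> bytes:
    """Message (1 byte), LifeTime (3 bytes), PSI (4 bytes) as laid out in
    the packet. Big-endian encoding is an assumption of this example."""
    if not 0 < psi < 1 << 32:
        raise ValueError("PSI MUST NOT be zero and must fit in 4 bytes")
    if not 0 <= lifetime < 1 << 24:
        raise ValueError("LifeTime must fit in 3 bytes")
    return bytes([message]) + lifetime.to_bytes(3, "big") + psi.to_bytes(4, "big")


def secret_key(i_cookie, r_cookie, owner, nonce, peer, shared_secret,
               kgf=hashlib.sha256) -> bytes:
    """Key-Generation-Function over the six values in section 2.4 order.
    SHA-256 stands in for the Scheme-Choice function (assumption)."""
    if len(i_cookie) != 16 or len(r_cookie) != 16:
        raise ValueError("cookies are 16 bytes each")
    data = i_cookie + r_cookie + owner + nonce + peer + shared_secret
    return kgf(data).digest()


def psi_key_pair(i_cookie, r_cookie, req, resp, nonce, shared_secret):
    """Return {PSI: secret-key} for both directions of one Secret Exchange.
    req and resp are (lifetime, psi) tuples from the two messages."""
    if req[1] == resp[1]:
        raise ValueError("Secret_Response PSI MUST NOT equal Secret_Request PSI")
    req_f = party_fields(SECRET_REQUEST, *req)
    resp_f = party_fields(SECRET_RESPONSE, *resp)
    # Same six inputs; only the Owner/Peer positions swap between the keys.
    return {
        req[1]: secret_key(i_cookie, r_cookie, req_f, nonce, resp_f, shared_secret),
        resp[1]: secret_key(i_cookie, r_cookie, resp_f, nonce, req_f, shared_secret),
    }


def demo():
    # Constructed sample values, not taken from any real exchange.
    i_cookie, r_cookie = bytes(range(16)), bytes(range(16, 32))
    nonce = nonce_value(0x1ABCDEF, 25)      # 25 bits -> 4 bytes, top 7 bits zero
    shared = bytes.fromhex("5a" * 32)
    return psi_key_pair(i_cookie, r_cookie, (3600, 0x11111111),
                        (3600, 0x22222222), nonce, shared)


if __name__ == "__main__":
    for psi, key in demo().items():
        print(f"PSI {psi:#010x}: {key.hex()}")
```
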

   Implementation Notes:

      The exact details of the secret-nonce and Secret-Value field that
      are included in the secret-key calculation are dependent on the
      Secret_Request Identity-Choice and Identification.

      The Secret Exchange ultimately depends upon the Identification
      Exchange for verification. When verification fails, the PSI
      secret-keys MUST be discarded.

2.5.  Secret Verification

   The Secret_Response is authenticated using the Identity-Choice. The
   Verification value is calculated prior to masking (and optional
   encryption), and verified after unmasking (and optional decryption).

   The Identity-Choice authentication function is supplied with two
   input values:

    - the secondary PSI secret-key,
    - the data to be verified (as a concatenated sequence of bytes).

   The resulting output value is stored in the Verification field.

   The Identity-Choice verification data consists of the following
   concatenated values:

    + the Initiator Cookie,
    + the Responder Cookie,
    + the Secret_Request Message, LifeTime and PSI fields,
    + the Secret_Request Identity-Choice and Identification,
    + the Secret_Response Message, LifeTime and PSI fields,
    + the Secret_Response Identity-Choice and Secret-Value,
    + the Secret_Response Identity-Choice and Identification
      (optional),
    + the Padding.

   Note that the order of the Message, LifeTime and PSI fields is
   different in each direction.

   If the verification fails, the users are notified, and a
   Verification_Failure message is sent, without adding any PSIs. On
   success, normal operation begins with the remainder of the
   Identification Exchange.

   Implementation Notes:

      The exact details of the Identifications and secret-nonce
      included in the Verification calculation are dependent on the
      corresponding Identity-Choices.

      Failure to find an Identification in either an internal or
      external database results in the same Verification_Failure
      message as failure of the verification computation.

      The Secret-Value data includes both the Size and Value fields.

2.6.  Optional Identification

   When the optional Identity-Choice and Identification fields are
   included in the Secret_Response, the next Identification message is
   modified. The Identity-Choice and Identification fields are replaced
   by Identity-Choice and Secret-Value fields in the same manner as the
   Secret_Response format.

   The SPI value is used as a PSI value to generate two additional PSI
   secret-keys, yielding a total of four PSI secret-keys. The secondary
   PSI secret-key is used to calculate the sender (SPI Owner)
   verification-key, and is used directly as the generation-key.

   Following verification, the pair of PSI and SPI values also
   identifies the secret-keys. The primary (Responder) identity is the
   Secret_Response PSI value concatenated to (followed by) the
   Verification value. The secondary (Peer) identity is the
   Secret_Response PSI value, concatenated to (followed by) the SPI
   value, concatenated to (followed by) the Verification value.

   These identities can be used with a Symmetric Identity Attribute in
   any subsequent Identification message. The Secret_Response LifeTime
   is used as the LifeTime for both additional secret-keys.

   Implementation Notes:

      The exact details of the secret-nonce and Secret-Value field that
      are included in the secret-key calculation are dependent on the
      Secret_Response optional Identity-Choice and Identification.

      The Secret-Value data includes both the Size and Value fields.

3.  Additional Attributes

   The attribute format and basic facilities are already defined for
   Photuris [RFC-zzzz].

   These optional attributes are specified separately, and no single
   implementation is expected to support all of them.

   This document defines the following values:

     Use    Type
      I      27  DNS-Key
      I      28  PGP

      I     Identity-Choice

3.1.  DNS-Key

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   Algorithm   |     Power     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type             27

   Length           2

   Algorithm        An algorithm supported. See [RFC-2065] for details.
                    Examples include:

                       1  RSA with MD5 (support optional).
                       3  DSA with SHA1 (support required).

   Power            The maximum public/private-key bits supported,
                    expressed as a power of two. As a minimum, it is
                    required that all implementations of this attribute
                    support value 10 (1024-bit keys).

   When more than one version is supported, multiple attributes are
   listed in the Offered-Attributes.

   Asymmetric Identification

      When selected as an Identity-Choice, the immediately following
      Identification field consists of the binary form of the DNS-Key
      Resource Record. The domain name is fully expanded (no name
      compression via pointers).

      No DNS-Signature Resource Records are included with the
      Identification. Valid Identifications and corresponding signature
      certificates are preconfigured by the parties, or maintained in
      external databases.

      The Identification is not contained within a Variable Precision
      Integer (VPI). The Key RR elements are parsed by the
      implementation to determine the end of the Identification field.

      This attribute is never used for [RFC-zzzz] "Identity
      Verification" or "Validity Verification". Instead, a Secret
      Exchange occurs to associate a pair of symmetric secrets with the
      Identification.

      The Secret-Value consists of a public-key encrypted secret-nonce
      of the form determined by the DNS-Key algorithm. The size of the
      secret-nonce is determined by the size of the public-key. The
      result is contained within a Variable Precision Integer (VPI).

3.2.  PGP Identification

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |    Version    |     Power     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type             28

   Length           2

   Algorithm        An algorithm supported. See [RFC-1991] for details.
                    Examples include:

                       3  PGP 2.6.x RSA with MD5 (support optional).
                       4  PGP 5.0.x DSA with SHA1 (support required).

   Power            The maximum public/private-key bits supported,
                    expressed as a power of two. As a minimum, it is
                    required that all implementations of this attribute
                    support value 10 (1024-bit keys).

   When more than one version is supported, multiple attributes are
   listed in the Offered-Attributes.

   Asymmetric Identification

      When selected as an Identity-Choice, the immediately following
      Identification field consists of a PGP public-key element,
      followed by one or more PGP user identity elements.

      No PGP Signature elements are included in the Identification.
      Valid Identifications and corresponding signature certificates
      are preconfigured by the parties, or maintained in external
      databases.

      The Identification is not contained within a Variable Precision
      Integer (VPI). The PGP elements are parsed by the implementation
      to determine the end of the Identification field.

      This attribute is never used for [RFC-zzzz] "Identity
      Verification" or "Validity Verification". Instead, a Secret
      Exchange occurs to associate a pair of symmetric secrets with the
      Identification.

      The Secret-Value consists of a public-key encrypted secret-nonce
      in the form of a PGP Public-Key-Encrypted element. The size of
      the secret-nonce is determined by the size of the public-key.

      The Secret-Value is not contained within a Variable Precision
      Integer (VPI). The PGP elements are parsed by the implementation
      to determine the end of the Secret-Value field.

      Nota Bene:
         The PGP Multi-Precision Integer (MPI) is very similar to the
         Variable Precision Integer (VPI).
         However, the Size field is not extensible, and PGP library
         functions truncate leading significant zeroes.

Security Considerations

Acknowledgements

   William Simpson was responsible for the packet formats, additional
   message types, editing and formatting. All such mistakes are his
   responsibility.

   Hilarie Orman suggested adding secret "nonces" to session-key
   generation for asymmetric public/private-key identity methods.

References

   [RFC-zzzz]  Karn, P., and Simpson, W., "Photuris: Session Key
               Management Protocol", draft-simpson-photuris-18.txt,
               work in progress.

Contacts

   Comments about this document should be discussed on the
   photuris@adk.gr mailing list.

   Questions about this document can also be directed to:

      William Allen Simpson
      DayDreamer
      Computer Systems Consulting Services
      1384 Fontaine
      Madison Heights, Michigan 48071

          wsimpson@UMich.edu
          wsimpson@GreenDragon.com (preferred)

Full Copyright Statement

   Copyright (C) William Allen Simpson (1995,1998). All Rights
   Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, except as required
   to translate it into languages other than English.

   This document and the information contained herein is provided on an
   "AS IS" basis and the author(s) DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING (BUT NOT LIMITED TO) ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
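
   The Self-Describing-Padding rules of sections 2.1 and 2.2, as an
   added example (not part of the draft): it builds the pad and, on
   receipt, checks every pad byte rather than trusting the final count.
   It reads "at least a 128 byte boundary" as a minimum total message
   length of 128 bytes, which is this example's assumption; function
   names are hypothetical.

```python
import hmac
import secrets

# Cookies, Message, LifeTime and PSI precede the masked part of the message.
HEADER_LEN = 16 + 16 + 1 + 3 + 4
MIN_PAD, MAX_PAD, BOUNDARY = 8, 255, 128


def allowed_pad_lengths(opaque_len: int, block: int = 1) -> list:
    """Pad counts that satisfy every rule for a message whose opaque part
    (the fields after the PSI, before Padding) is opaque_len bytes long.
    block is the Privacy-Method block size in bytes (1 means no constraint)."""
    return [n for n in range(MIN_PAD, MAX_PAD + 1)
            if HEADER_LEN + opaque_len + n >= BOUNDARY   # assumed reading
            and (opaque_len + n) % block == 0]


def add_padding(opaque: bytes, block: int = 1) -> bytes:
    """Append pad bytes 1, 2, ..., n with n picked at random from the
    allowed counts, so the padded length does not reveal the true length."""
    choices = allowed_pad_lengths(len(opaque), block)
    if not choices:
        raise ValueError("no pad length satisfies the rules")
    n = secrets.choice(choices)
    return opaque + bytes(range(1, n + 1))


def strip_padding(plaintext: bytes) -> bytes:
    """Validate and remove the padding from an unmasked message tail.
    The count must be 8..255 and each pad byte must hold its own index."""
    n = plaintext[-1] if plaintext else 0
    in_range = MIN_PAD <= n <= min(MAX_PAD, len(plaintext))
    expected = bytes(range(1, n + 1))
    # compare_digest avoids an early exit on the first wrong byte.
    if not (in_range and hmac.compare_digest(plaintext[-n:], expected)):
        raise ValueError("malformed Self-Describing-Padding")
    return plaintext[:-n]


def demo():
    # Constructed input: 80 opaque bytes + 40 header bytes = the draft's
    # 120-byte unpadded message, for which 8 pad bytes reach 128.
    opaque = b"A" * 80
    padded = add_padding(opaque, block=8)
    return len(padded) - len(opaque), strip_padding(padded) == opaque


if __name__ == "__main__":
    print(demo())
```
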