idnits 2.17.1 draft-ietf-ipsec-skip-udh-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in this document. Expected boilerplate is as follows today (2024-04-25) according to https://trustee.ietf.org/license-info : IETF Trust Legal Provisions of 28-dec-2009, Section 6.a: This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2: Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3: This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity. ** The document seems to lack a 1id_guidelines paragraph about the list of current Internet-Drafts. ** The document seems to lack a 1id_guidelines paragraph about the list of Shadow Directories. == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Introduction section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack an Authors' Addresses Section. ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 145: '...ate verification MUST be done by perfo...' RFC 2119 keyword, line 152: '...gned DH public values MUST NOT be used...' Miscellaneous warnings: ---------------------------------------------------------------------------- -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (December 21, 1995) is 10353 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: '2' is defined on line 175, but no explicit reference was found in the text -- Possible downref: Normative reference to a draft: ref. '1' ** Downref: Normative reference to an Informational RFC: RFC 1321 (ref. '2') ** Obsolete normative reference: RFC 1305 (ref. '3') (Obsoleted by RFC 5905) Summary: 13 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 IPSEC Working Group Ashar Aziz 2 INTERNET-DRAFT Tom Markson 3 Hemma Prafullchandra 4 Sun Microsystems, Inc. 6 Expires in six months December 21, 1995 8 Encoding of an Unsigned Diffie-Hellman Public Value 9 11 Status of this Memo 13 This document is a submission to the IETF Internet Protocol Security 14 (IPSEC) Working Group. Comments are solicited and should be addressed to 15 to the working group mailing list (ipsec@ans.net) or to the authors. 17 This document is an Internet-Draft. Internet Drafts are working 18 documents of the Internet Engineering Task Force (IETF), its areas, and 19 its working Groups. Note that other groups may also distribute working 20 documents as Internet Drafts. 22 Internet-Drafts draft documents are valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference material 25 or to cite them other than as "work in progress." 27 To learn the current status of any Internet-Draft, please check the 28 "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow 29 Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), 30 munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or 31 ftp.isi.edu (US West Coast). 33 Distribution of this memo is unlimited. 35 Abstract 37 It is useful to be able to communicate public keys in the absence of a 38 certificate hierarchy and a signature infrastructure. This document 39 describes a method by which certificates which communicate Diffie- 40 Hellman public values and parameters may be encoded and securely named. 42 CONTENTS 44 Status of this Memo.................................. 1 46 Abstract............................................. 2 48 1. Unsigned Public Keys................................. 3 50 2. Encoding of an Unsigned DH public value.............. 3 52 3. Verification of the Unsigned Public Value............ 5 54 4. Security Considerations.............................. 5 56 Acknowledgements..................................... 5 58 References........................................... 5 60 Author's Address(es)................................. 6 62 - i - 63 1. Unsigned Public Keys 65 In public key cryptography, certificates provide a binding between an 66 entity's name and their public key. The signature on the certificate 67 provides this binding. However, certificates tend to be difficult to 68 implement and usually require infrastructure to verify signatures. This 69 infrastructure and certificates, in general, are not in wide use on the 70 Internet. Instead of explicitly binding a name to a public value using 71 a signature, the name may be derived directly from the public key. This 72 can be done by defining the name of the certificate to be the message 73 digest of the public key. 75 Although the public value is distributed in an unsigned manner, there is 76 still a strong binding between a name and the public value, given the 77 collision resistance properties of a message digest. The entity's names 78 need to be securely distributed out of band. 80 This distribution of keys has a number of advantages over conventional 81 signed certificates: no infrastructure is required to use Unsigned 82 Public Keys. No signature algorithm needs to be supported. No complex 83 encoding of certificates is required. 85 A disadvantage of this method is that the name must be securely (but not 86 secretly) communicated to anyone using the key. Since the name is the 87 hash value of the public key, it is a cryptic string of hexadecimal 88 digits which is not user-friendly. 90 The encoding does not specify the hash algorithm used to generate the 91 name. The hash algorithm must be transferred out of band. This may be 92 done by creating a "certificate type" that includes this information. 93 One valid certificate type is "MD5 of Hashed DH Public Key". 95 2. Encoding of an Unsigned DH public value 97 This encoding scheme is used to authenticate/distribute a DH public 98 value, for cases where the entity's name is the message digest of the 99 public value. 101 The following is how the public value is encoded for purposes 102 of message digest computation and distribution in the network. 103 All values are in network order. All variable-length fields 104 must begin with a non-zero byte. 106 0 1 2 3 107 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 108 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 109 | Not Valid Before | 110 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 111 | Not Valid After | 112 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 113 | PrimeLen | Prime (p) (variable length) ~ 114 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 115 ~ Prime (p) (variable length) | GenLen | 116 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 117 | Generator (g) (variable length) | 118 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 119 | PublicValueLen | Public Value (variable length)~ 120 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 121 ~ Public Value (g^i mod p) (variable length) | 122 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 124 "Not Valid Before" is the time at which the public value becomes valid. 125 It is in NTP time format [3] (the Integer portion). "Not Valid After" is 126 the time at which the public value expires. It is in NTP [3] time format 127 (the Integer portion). 129 PrimeLen is Length of the DH Prime (p) in bytes. Prime contains the 130 binary representation of the DH prime with most significant byte first. 131 GenLen is the length of the Generator (g) in bytes. Generator is the 132 binary representation of generator with most significant byte first. 133 PublicValueLen is the Length of the Public Value (g^i mod p) in bytes. 134 PublicValue is the binary representation of the DH public value with 135 most significant byte first. 137 The Name associated with the public key and parameters is the 138 cryptographic hash of the above encoding. 140 3. Verification of the Unsigned Public Value 142 Verification of the Encoding in this instance means verifying that the 143 message digest of the entire encoding (as specified above) is the same 144 as the (securely known) name of the entity. When using this instead of 145 signed certificates, certificate verification MUST be done by performing 146 the message digest computation. 148 4. Security Considerations 150 The unsigned DH public value can ONLY be used when entities are named 151 using the message digest of their DH public value, AND these names are 152 securely communicated. Unsigned DH public values MUST NOT be used 153 instead of signed DH certificates when entities are named using 154 something other than the message digest of their public value, since 155 this opens up the possibility of an intruder-in-the-middle attack 156 described in [1]. In order to use other naming schemes, signed 157 certificates such as X.509, Secure DNS, PGP, etc. should be used. 159 Acknowledgements 161 We would like to thank all of the people who helped make this draft 162 possible. 164 Jeff Schiller originally suggested using the hash of the public key as 165 the Entity's name. 167 Bill Danielson, Marc Dye, Colin Plumb, Rich Skrenta and Ben Stoltz for 168 reviewing this draft and providing constructive suggestions. 170 References 172 [1] Aziz, A., "Simple Key Management for Internet Protocols", (I-D 173 draft-ietf-ipsec-skip-06.txt), Work in Progress 175 [2] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321, April 1992 177 [3] Mills, D.,"Network Time Protocol", RFC 1305, March 1992 178 Author's Address(es) 180 Ashar Aziz 181 Sun Microsystems, Inc. 182 M/S PAL1-550 183 2550 Garcia Avenue 184 Mountain View, CA 94043 186 Email: ashar.aziz@eng.sun.com 187 Alternate email address: ashar@incog.com 189 Tom Markson 190 Sun Microsystems, Inc. 191 M/S PAL1-550 192 2550 Garcia Avenue 193 Mountain View, CA 94043 195 Email: markson@incog.com 196 Alternate email address: markson@eng.sun.com 198 Hemma Prafullchandra 199 Sun Microsystems, Inc. 200 M/S PAL1-550 201 2550 Garcia Avenue 202 Mountain View, CA 94043 204 Email: hemma@eng.sun.com 205 Alternate email address: hemma@incog.com