idnits 2.17.1 draft-ietf-smime-x942-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in this document. Expected boilerplate is as follows today (2024-04-26) according to https://trustee.ietf.org/license-info : IETF Trust Legal Provisions of 28-dec-2009, Section 6.a: This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2: Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3: This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? ** The document seems to lack a 1id_guidelines paragraph about the list of current Internet-Drafts. ** The document seems to lack a 1id_guidelines paragraph about the list of Shadow Directories. == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** There are 18 instances of too long lines in the document, the longest one being 10 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == Line 88 has weird spacing: '...ya ^ xb mod p...' == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'DH76' is mentioned on line 39, but not defined -- Looks like a reference, but probably isn't: '2' on line 123 == Missing Reference: 'DSS' is mentioned on line 259, but not defined == Missing Reference: 'FIPS186' is mentioned on line 343, but not defined == Missing Reference: 'SEED' is mentioned on line 297, but not defined == Unused Reference: 'FIPS-46-1' is defined on line 415, but no explicit reference was found in the text == Unused Reference: 'FIPS-81' is defined on line 419, but no explicit reference was found in the text == Outdated reference: A later version (-13) exists of draft-ietf-smime-cms-07 -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS-46-1' -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS-81' -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS-180' -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS-186' -- Possible downref: Non-RFC (?) normative reference: ref. 'PKIX' -- Possible downref: Non-RFC (?) normative reference: ref. 'LAW98' -- Possible downref: Non-RFC (?) normative reference: ref. 'X942' Summary: 9 errors (**), 0 flaws (~~), 10 warnings (==), 10 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 E. Rescorla 2 INTERNET-DRAFT RTFM Inc. 3 December 1998 (Expires June 1999) 5 Diffie-Hellman Key Agreement Method 7 Status of this Memo 9 This document is an Internet-Draft. Internet-Drafts are working 10 documents of the Internet Engineering Task Force (IETF), its areas, 11 and its working groups. Note that other groups may also distribute 12 working documents as Internet-Drafts. 14 Internet-Drafts are draft documents valid for a maximum of six months 15 and may be updated, replaced, or obsoleted by other documents at any 16 time. It is inappropriate to use Internet-Drafts as reference 17 material or to cite them other than as ``work in progress.'' 19 To learn the current status of any Internet-Draft, please check the 20 ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow 21 Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), 22 munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or 23 ftp.isi.edu (US West Coast). 25 Abstract 27 This document standardizes one particular Diffie-Hellman variant, 28 based on the ANSI X9.42 standard, developed by the ANSI X9F1 working 29 group. Diffie-Hellman is a key agreement algorithm used by two par- 30 ties to agree on a shared secret. An algorithm for converting the 31 shared secret into an arbitrary amount of keying material is pro- 32 vided. The resulting keying material is used as a symmetric encryp- 33 tion key. The D-H variant described requires the recipient to have a 34 certificate, but the originator may have a static key pair (with the 35 public key placed in a certificate) or an ephemeral key pair. 37 1. Introduction 39 In [DH76] Diffie and Hellman describe a means for two parties to 40 agree upon a shared secret in such a way that the secret will be una- 41 vailable to eavesdroppers. This secret may then be converted into 42 cryptographic keying material for other (symmetric) algorithms. A 43 large number of minor variants of this process exist. This document 44 describes one such variant, based on the ANSI X9.42 specification. 46 1.1. Discussion of this Draft 48 This draft is being discussed on the "ietf-smime" mailing list. To 49 join the list, send a message to with 50 the single word "subscribe" in the body of the message. Also, there 51 is a Web site for the mailing list at . 54 1.2. Requirements Terminology 56 Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT" and 57 "MAY" that appear in this document are to be interpreted as described 58 in [RFC2119]. 60 2. Overview Of Method 62 Diffie-Hellman key agreement requires that both the sender and reci- 63 pient of a message have key pairs. By combining one's private key and 64 the other party's public key, both parties can compute the same 65 shared secret number. This number can then be converted into crypto- 66 graphic keying material. That keying material is typically used as a 67 key-encryption key (KEK) to encrypt (wrap) a content-encryption key 68 (CEK) which is in turn used to encrypt the message data. 70 2.1. Key Agreement 72 The first stage of the key agreement process is to compute a shared 73 secret number, called ZZ. When the same originator and recipient 74 public/private key pairs are used, the same ZZ value will result. 75 The ZZ value is then converted into a shared symmetric cryptographic 76 key. When the originator employs a static private/public key pair, 77 the introduction of public random values are used to ensure that the 78 resulting symmetric key will be different for each key agreement. 80 2.1.1. Generation of ZZ 82 X9.42 defines that the shared secret ZZ is generated as follows: 84 ZZ = g ^ (xb * xa) mod p 86 Note that the individual parties actually perform the computations: 88 ZZ = yb ^ xa (mod p) = ya ^ xb mod p 90 where ^ denotes exponentiation 91 ya is party a's public key; ya = g ^ xa mod p 92 yb is party b's public key; yb = g ^ xb mod p 93 xa is party a's private key 94 xb is party b's private key 95 p is a large prime 96 g = h(p-1)/q mod p, where 97 h is any integer with 1 < h < p-1 such that h(p-1)/q mod p > 1 98 (g has order q mod p) 99 q is a large prime 100 j a large integer such that p=qj + 1 101 (See Section 2.2 for criteria for keys and parameters) 103 In [CMS], the recipient's key is identified by the CMS RecipientIden- 104 tifier, which points to the recipient's certificate. The sender's 105 key is identified using the OriginatorIdentifierOrKey field, either 106 by reference to the sender's certificate or by inline inclusion of a 107 key. 109 2.1.2. Generation of Keying Material 111 X9.42 provides an algorithm for generating an essentially arbitrary 112 amount of keying material from ZZ. Our algorithm is derived from that 113 algorithm by mandating some optional fields and omitting others. 115 KM = H ( ZZ || OtherInfo) 117 H is the message digest function SHA-1 [FIPS-180] 118 ZZ is the shared key computed in Section 2.1.1 119 OtherInfo is the DER encoding of the following structure: 121 OtherInfo ::= SEQUENCE { 122 keyInfo KeySpecificInfo, 123 pubInfo [2] OCTET STRING OPTIONAL, 124 } 126 KeySpecificInfo ::= SEQUENCE { 127 algorithm OBJECT IDENTIFIER, 128 counter OCTET STRING SIZE (4..4) } 130 algorithm is the ASN.1 algorithm OID of the symmetric algorithm with which 131 this KEK will be used. Note that this is NOT an AlgorithmIdentifier, 132 but simply the OBJECT IDENTIFIER. No paramters are used. 133 counter is a 32 bit number, represented in network byte order. Its 134 initial value is 1 for any ZZ, i.e. the byte sequence 00 00 00 01 135 (hex), and it is incremented by one every time the above key generation 136 function is run for a given KEK. 137 pubInfo is a random string provided by the sender. In CMS, it is provided as 138 a parameter in the UserKeyingMaterial field (encoded as an OCTET STRING). If 139 provided this pubInfo MUST contain 512 bits. 141 Note that the only source of secret entropy in this computation is 142 ZZ, so the security of this data is limited to the size of ZZ, even 143 if more data than ZZ is generated. However, if pubInfo is different 144 for each message, a different KEK will be generated for each message. 145 Note that pubInfo MUST be used in Static-Static mode, but MAY appear 146 in Ephemeral-Static mode. 148 2.1.3. KEK Computation 150 Each key encryption algorithm requires a specific size key (n). The 151 KEK is generated by mapping the left n-most bytes of KM onto the key. 152 For 3DES, which requires 192 bits of keying material, the algorithm 153 must be run twice, once with a counter value of 1 (to generate K1', 154 K2', and the first 32 bits of K3') and once with a counter value of 2 155 (to generate the last 32 bits of K3). K1',K2' and K3' are then parity 156 adjusted to generate the 3 DES keys K1,K2 and K3. For RC2, which 157 requires 128 bits of keying material, the algorithm is run once, with 158 a counter value of 1, and the left-most 128 bits are directly con- 159 verted to an RC2 key. 161 2.1.4. Keylengths for common algorithms 163 Some common key encryption algorithms have KEKs of the following 164 lengths. 166 3DES-EDE-ECB 192 bits 167 RC2 (all) 128 bits 169 2.1.5. Public Key Validation 171 The following algorithm MAY be used to validate received public keys. 173 1. Verify that y lies within the interval [2,p-1]. If it does not, 174 the key is invalid. 175 2. Compute y^q mod p. If the result == 1, the key is valid. 176 Otherwise the key is invalid. 178 The primary purpose of public key validation is to prevent a small 179 subgroup attack [LAW98] on the sender's key pair. If Ephemeral-Static 180 mode is used, this check may not be necessary. 182 Note that this procedure may be subject to pending patents. 184 2.1.6. Example 1 186 ZZ is the 16 bytes 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 187 The key encryption algorithm is 3DES-EDE. 189 No pubInfo is used 191 Consequently, the input to the first invocation of SHA-1 is: 193 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ; ZZ 194 30 12 195 30 10 196 06 08 2a 86 48 86 f7 0d 03 07 ; 3DES-EDE OID 197 04 04 00 00 00 01 ; Counter 199 And the output is the 20 bytes: 201 20 be 23 e3 3b 72 ef 16 8e e3 ae 18 5a 00 93 b0 d6 49 56 22 203 The input to the second invocation of SHA-1 is: 205 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ; ZZ 206 30 12 207 30 10 208 06 08 2a 86 48 86 f7 0d 03 07 ; 3DES-EDE OID 209 04 04 00 00 00 02 ; Counter 211 And the output is the 20 bytes: 213 3b 4e fd d4 6e ff 6b 6d 35 a9 cd e3 e3 e7 05 39 e0 31 53 de 215 Consequently, 216 K1'=20 be 23 e3 3b 72 ef 16 217 K2'=8e e3 ae 18 5a 00 93 b0 218 K3'=d6 49 56 22 3b 4e fd d4 220 Note: These keys are not parity adjusted 222 2.1.7. Example 2 224 ZZ is the 16 bytes 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 226 The key encryption algorithm is RC2 228 The pubInfo used is the 64 bytes 01 23 45 67 89 ab cd ef 01 23 45 67 229 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 230 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 231 45 67 89 ab cd ef 233 Consequently, the input to SHA-1 is: 235 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ; ZZ 236 30 56 237 30 10 238 06 08 2a 86 48 86 f7 0d 03 02 ; RC2 OID 239 04 04 00 00 00 01 ; Counter 240 a2 42 241 04 40 242 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef ; PubInfo 243 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 244 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 245 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 247 And the output is the 20 bytes: 249 c7 4e c5 80 68 7d 70 aa 06 38 d3 e3 c7 2a da 5a 67 4e cf 06 251 Consequently, 252 K=c7 4e c5 80 68 7d 70 aa 06 38 d3 e3 c7 2a da 5a 254 2.2. Key and Parameter Requirements 256 X9.42 requires that the group parameters be of the form p=jq + 1 257 where q is a large prime of length m and j>=2. An algorithm for gen- 258 erating primes of this form (derived from the algorithms in FIPS PUB 259 186-1[DSS], and [X942]can be found in appendix A. 261 X9.42 requires that the private key x be in the interval [2, (q - 262 2)]. x should be randomly generated in this interval. y is then com- 263 puted by calculating g^x mod p. To comply with this draft, m MUST be 264 >=160, (consequently, q and x MUST each be at least 128 bits long). 265 When symmetric ciphers stronger than DES are to be used, a larger m 266 may be advisable. 268 2.2.1. Group Parameter Generation 270 Agents SHOULD generate domain parameters (g,p,q) using the following 271 algorithm, derived from [FIPS-186] and [X942]. When this algorithm is 272 used, the correctness of the generation procedure can be verified by 273 a third party by the algorithm of 2.2.2. 275 2.2.1.1. Generation of p, q 277 This algorithm generates a p, q pair where q is of length m and 278 p is of length L. 280 Let L - 1 = n*m + b where both b and n are integers and 281 0 <= b < 160. 283 1. Choose an arbitrary sequence of at least m bits and call it SEED. 284 Let g be the length of SEED in bits. 286 2. Set U = 0 288 3. Set m' = m / 160, where / represents integer division, 289 consequently, if m = 200, m' = 1. 291 4. for i = 0 to m' - 1 293 U = U + SHA[SEED + i] XOR SHA[(SEED + m' + i) mod 2^160] * 2^(160 * i) 295 Note that for m=160, this reduces to the algorithm of [FIPS186] 297 U = SHA[SEED] XOR SHA[(SEED+1) mod 2^160 ]. 299 5. Form q from U by setting the most significant bit (the 2^(m-1) bit) 300 and the least significant bit to 1. In terms of boolean operations, 301 q = U OR 2^(m-1) OR 1. Note that 2^(m-1) < q < 2^m 303 6. Use a robust primality algorithm to test whether q is prime. 305 7. If q is not prime then go to 1. 307 8. Let counter = 0 and offset = 2 309 9. For k = 0 to n let 311 Vk = SHA[(SEED + offset + k) mod 2^160 ]. 313 10. Let W be the integer 315 W = V0 + V1*2^160 + ... + Vn-1*2(n-1)*160 + (Vn mod 2^b) 316 * 2n*160 317 and let 318 X = W + 2^(L-1) 320 Note that 0 <= W < 2^(L-1) and hence 2^(L-1) 322 11. Let c = X mod (2 * q) and set p = X - (c-1). Note that p is congruent 323 to 1 mod (2 * q). 325 12. If p < 2^(L -1) then go to step 15. 327 13. Perform a robust primality test on p. 329 14. If p passes the test performed in step 13 go to step 17. 331 15. Let counter = counter + 1 and offset = offset + n + 1. 333 16. If counter >= 4096 go to step 1. Otherwise go to step 9. 335 17. Save the value of SEED and the value of counter for use 336 in certifying the proper generation of p and q. 338 Note: A robust primality test is one where the probability of 339 a non-prime number passing the test is at most 2^-80. 341 2.2.1.2. Generation of g 343 This section gives an algorithm (derived from [FIPS186]) for generat- 344 ing g. 345 1. Let j = (p - 1)/q. 347 2. Set h = any integer, where 1 < h < p - 1 and h differs 348 from any value previously tried. 350 3. Set g = h^j mod p 352 4. If g = 1 go to step 2 354 2.2.2. Group Parameter Validation 356 The ASN.1 for DH keys in [PKIX] includes elements j and validation- 357 Parms which MAY be used by recipients of a key to verify that the 358 group parameters were correctly generated. Two checks are possible: 360 1. Verify that p=qj + 1. This demonstrates that the parameters meet 361 the X9.42 parameter criteria. 362 2. Verify that when the p,q generation procedure of [FIPS-186] 363 Appendix 2 is followed with seed 'seed', that p is found when 364 This demonstrates that the parameters were randomly chosen and 365 do not have a special form. 367 Whether agents provide validation information in their certificates 368 is a local matter between the agents and their CA. 370 2.3. Ephemeral-Static Mode 372 In Ephemeral-Static mode, the recipient has a static (and certified) 373 key pair, but the sender generates a new key pair for each message 374 and sends it using the originatorKey production. If the sender's key 375 is freshly generated for each message, the shared secret ZZ will be 376 similarly different for each message and pubInfo MAY be omitted, 377 since it serves merely to decouple multiple KEKs generated by the 378 same set of pairwise keys. If, however, the same ephemeral sender key 379 is used for multiple messages (e.g. it is cached as a performance 380 optimization) then a separate pubInfo MUST be used for each message. 381 All implementations of this standard MUST implement Ephemeral-Static 382 mode. 384 In order to resist small subgroup attacks, the recipient SHOULD per- 385 form the check described in 2.1.5. If the sender cannot determine 386 success or failure of decryption, the recipient MAY choose to omit 387 this check. 389 2.4. Static-Static Mode 391 In Static-Static mode, both the sender and the recipient have a 392 static (and certified) key pair. Since the sender's and recipient's 393 keys are therefore the same for each message, ZZ will be the same for 394 each message. Thus, pubInfo MUST be used (and different for each mes- 395 sage) in order to ensure that different messages use different KEKs. 396 Implementations MAY implement Static-Static mode. 398 In order to prevent small subgroup attacks, both originator and reci- 399 pient SHOULD either perform the validation step described in S 2.1.5 400 or verify that the CA has properly verified the validity of the key. 402 Acknowledgements 404 The Key Agreement method described in this document is based on work 405 done by the ANSI X9F1 working group. The author wishes to extend his 406 thanks for their assistance. 408 The author also wishes to thank Paul Hoffman, Stephen Henson, Russ 409 Housley, Brian Korver, Jim Schaad, Mark Schertler, and Peter Yee for 410 their expert advice and review. 412 References 413 [CMS] Housley, R., "Cryptographic Message Syntax", draft-ietf-smime-cms-07.txt. 415 [FIPS-46-1] Federal Information Processing Standards Publication (FIPS PUB) 416 46-1, Data Encryption Standard, Reaffirmed 1988 January 22 417 (supersedes FIPS PUB 46, 1977 January 15). 419 [FIPS-81] Federal Information Processing Standards Publication (FIPS PUB) 420 81, DES Modes of Operation, 1980 December 2. 422 [FIPS-180] Federal Information Processing Standards Publication (FIPS PUB) 423 180-1, "Secure Hash Standard", 1995 April 17. 425 [FIPS-186] Federal Information Processing Standards Publication (FIPS PUB) 426 186, "Digital Signature Standard", 1994 May 19. 428 [PKIX] Housley, R., Ford, W., Polk, W., Solo, D., "Internet X.509 Public 429 Key Infrastructure Certificate and CRL Profile", RFC-XXXX. 431 [LAW98] L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstone, 432 "An efficient protocol for authenticated key agreement", 433 Technical report CORR 98-05, University of Waterloo, 1998. 435 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement 436 Levels." RFC 2119. March 1997. 438 [X942] "Agreement Of Symmetric Keys Using Diffie-Hellman and MQV Algorithms", 439 ANSI draft, 1998. 441 Security Considerations 443 All the security in this system is provided by the secrecy of the 444 private keying material. If either sender or recipient private keys 445 are disclosed, all messages sent or received using that key are 446 compromised. Similarly, loss of the private key results in an inabil- 447 ity to read messages sent using that key. 449 Static Diffie-Hellman keys are vulnerable to a small subgroup attack 450 [LAW98]. In practice, this issue arises for both sides in Static- 451 Static mode and for the receiver during Ephemeral-Static mode. S 2.3 452 and 2.4 describe appropriate practices to protect against this 453 attack. 455 In order to securely generate a symmetric key of length l, m (the 456 length in bits of q, and hence x) should be at least 2l. m MUST 457 always be >= 160. Consequently, for RC2, m should be >=256 and for 458 3DES, >=336 (the effective length of 3DES keys is 168 bits). 460 Author's Address 462 Eric Rescorla 463 RTFM Inc. 464 30 Newell Road, #16 465 East Palo Alto, CA 94303 466 Table of Contents 468 1. Introduction ................................................... 1 470 1.1. Discussion of this Draft ..................................... 2 472 1.2. Requirements Terminology ..................................... 2 474 2. Overview Of Method ............................................. 2 476 2.1. Key Agreement ................................................ 2 478 2.1.1. Generation of ZZ ........................................... 2 480 2.1.2. Generation of Keying Material .............................. 3 482 2.1.3. KEK Computation ............................................ 4 484 2.1.4. Keylengths for common algorithms ........................... 4 486 2.1.5. Public Key Validation ...................................... 4 488 2.1.6. Example 1 .................................................. 4 490 2.1.7. Example 2 .................................................. 5 492 2.2. Key and Parameter Requirements ............................... 6 494 2.2.1. Group Parameter Generation ................................. 6 496 2.2.1.1. Generation of p, q ....................................... 6 498 2.2.1.2. Generation of g .......................................... 8 500 2.2.2. Group Parameter Validation ................................. 8 502 2.3. Ephemeral-Static Mode ........................................ 8 504 2.4. Static-Static Mode ........................................... 9 506 2.4. Acknowledgements ............................................. 9 507 2.4. References ................................................... 9 509 Security Considerations ........................................... 10 511 Author's Address .................................................. 10