idnits 2.17.1 draft-ietf-smime-x942-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in this document. Expected boilerplate is as follows today (2024-04-24) according to https://trustee.ietf.org/license-info : IETF Trust Legal Provisions of 28-dec-2009, Section 6.a: This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2: Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3: This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? ** The document seems to lack a 1id_guidelines paragraph about the list of current Internet-Drafts. ** The document seems to lack a 1id_guidelines paragraph about the list of Shadow Directories. == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** There are 29 instances of too long lines in the document, the longest one being 10 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == Line 89 has weird spacing: '...ya ^ xb mod p...' == Line 274 has weird spacing: '...b cd ef fe dc...' == Line 275 has weird spacing: '...b cd ef fe dc...' == Line 276 has weird spacing: '...b cd ef fe dc...' == Line 277 has weird spacing: '...b cd ef fe dc...' == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'DH76' is mentioned on line 40, but not defined -- Looks like a reference, but probably isn't: '0' on line 126 -- Looks like a reference, but probably isn't: '2' on line 127 == Missing Reference: 'DSS' is mentioned on line 294, but not defined == Missing Reference: 'FIPS186' is mentioned on line 378, but not defined == Missing Reference: 'SEED' is mentioned on line 331, but not defined == Unused Reference: 'FIPS-46-1' is defined on line 450, but no explicit reference was found in the text == Unused Reference: 'FIPS-81' is defined on line 454, but no explicit reference was found in the text == Outdated reference: A later version (-13) exists of draft-ietf-smime-cms-07 -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS-46-1' -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS-81' -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS-180' -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS-186' -- Possible downref: Non-RFC (?) normative reference: ref. 'P1363' -- Possible downref: Non-RFC (?) normative reference: ref. 'PKIX' -- Possible downref: Non-RFC (?) normative reference: ref. 'LAW98' -- Possible downref: Non-RFC (?) normative reference: ref. 'LL97' -- Possible downref: Non-RFC (?) normative reference: ref. 'X942' Summary: 9 errors (**), 0 flaws (~~), 14 warnings (==), 13 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 E. Rescorla 3 INTERNET-DRAFT RTFM Inc. 4 January 1999 (Expires July 1999) 6 Diffie-Hellman Key Agreement Method 8 Status of this Memo 10 This document is an Internet-Draft. Internet-Drafts are working 11 documents of the Internet Engineering Task Force (IETF), its areas, 12 and its working groups. Note that other groups may also distribute 13 working documents as Internet-Drafts. 15 Internet-Drafts are draft documents valid for a maximum of six months 16 and may be updated, replaced, or obsoleted by other documents at any 17 time. It is inappropriate to use Internet-Drafts as reference 18 material or to cite them other than as ``work in progress.'' 20 To learn the current status of any Internet-Draft, please check the 21 ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow 22 Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), 23 munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or 24 ftp.isi.edu (US West Coast). 26 Abstract 28 This document standardizes one particular Diffie-Hellman variant, 29 based on the ANSI X9.42 draft, developed by the ANSI X9F1 working 30 group. Diffie-Hellman is a key agreement algorithm used by two par- 31 ties to agree on a shared secret. An algorithm for converting the 32 shared secret into an arbitrary amount of keying material is pro- 33 vided. The resulting keying material is used as a symmetric encryp- 34 tion key. The D-H variant described requires the recipient to have a 35 certificate, but the originator may have a static key pair (with the 36 public key placed in a certificate) or an ephemeral key pair. 38 1. Introduction 40 In [DH76] Diffie and Hellman describe a means for two parties to 41 agree upon a shared secret in such a way that the secret will be una- 42 vailable to eavesdroppers. This secret may then be converted into 43 cryptographic keying material for other (symmetric) algorithms. A 44 large number of minor variants of this process exist. This document 45 describes one such variant, based on the ANSI X9.42 specification. 47 1.1. Discussion of this Draft 49 This draft is being discussed on the "ietf-smime" mailing list. To 50 join the list, send a message to with 51 the single word "subscribe" in the body of the message. Also, there 52 is a Web site for the mailing list at . 55 1.2. Requirements Terminology 57 Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT" and 58 "MAY" that appear in this document are to be interpreted as described 59 in [RFC2119]. 61 2. Overview Of Method 63 Diffie-Hellman key agreement requires that both the sender and reci- 64 pient of a message have key pairs. By combining one's private key and 65 the other party's public key, both parties can compute the same 66 shared secret number. This number can then be converted into crypto- 67 graphic keying material. That keying material is typically used as a 68 key-encryption key (KEK) to encrypt (wrap) a content-encryption key 69 (CEK) which is in turn used to encrypt the message data. 71 2.1. Key Agreement 73 The first stage of the key agreement process is to compute a shared 74 secret number, called ZZ. When the same originator and recipient 75 public/private key pairs are used, the same ZZ value will result. 76 The ZZ value is then converted into a shared symmetric cryptographic 77 key. When the originator employs a static private/public key pair, 78 the introduction of public random values are used to ensure that the 79 resulting symmetric key will be different for each key agreement. 81 2.1.1. Generation of ZZ 83 X9.42 defines that the shared secret ZZ is generated as follows: 85 ZZ = g ^ (xb * xa) mod p 87 Note that the individual parties actually perform the computations: 89 ZZ = yb ^ xa (mod p) = ya ^ xb mod p 91 where ^ denotes exponentiation 92 ya is party a's public key; ya = g ^ xa mod p 93 yb is party b's public key; yb = g ^ xb mod p 94 xa is party a's private key 95 xb is party b's private key 96 p is a large prime 97 q is a large prime 98 g = h^{(p-1)/q} mod p, where 99 h is any integer with 1 < h < p-1 such that h(p-1)/q mod p > 1 100 (g has order q mod p; i.e. g^q mod p = 1 if g!=1) 101 j a large integer such that p=qj + 1 102 (See Section 2.2 for criteria for keys and parameters) 104 In [CMS], the recipient's key is identified by the CMS RecipientIden- 105 tifier, which points to the recipient's certificate. The sender's 106 key is identified using the OriginatorIdentifierOrKey field, either 107 by reference to the sender's certificate or by inline inclusion of a 108 key. 110 2.1.2. Generation of Keying Material 112 X9.42 provides an algorithm for generating an essentially arbitrary 113 amount of keying material from ZZ. Our algorithm is derived from that 114 algorithm by mandating some optional fields and omitting others. 116 KM = H ( ZZ || OtherInfo) 118 H is the message digest function SHA-1 [FIPS-180] 119 ZZ is the shared secret value computed in Section 2.1.1. Leading zeros MUST 120 be preserved, so that ZZ occupies as many octets as p. For 121 instance, if p is 1024 bits, ZZ should be 128 bytes long. 122 OtherInfo is the DER encoding of the following structure: 124 OtherInfo ::= SEQUENCE { 125 keyInfo KeySpecificInfo, 126 partyAInfo [0] OCTET STRING OPTIONAL, 127 suppPubInfo [2] OCTET STRING 128 } 130 KeySpecificInfo ::= SEQUENCE { 131 algorithm OBJECT IDENTIFIER, 132 counter OCTET STRING SIZE (4..4) } 134 algorithm is the ASN.1 algorithm OID of the symmetric algorithm with which 135 this KEK will be used. Note that this is NOT an AlgorithmIdentifier, 136 but simply the OBJECT IDENTIFIER. No parameters are used. 137 counter is a 32 bit number, represented in network byte order. Its 138 initial value is 1 for any ZZ, i.e. the byte sequence 00 00 00 01 139 (hex), and it is incremented by one every time the above key generation 140 function is run for a given KEK. 141 partyAInfo is a random string provided by the sender. In CMS, it is provided as 142 a parameter in the UserKeyingMaterial field (encoded as an OCTET STRING). If 143 provided, partyAInfo MUST contain 512 bits. 144 suppPubInfo is the length of the generated KEK, in bits, represented 145 as a 32 bit number in network byte order. E.g. for 3DES it 146 would be the byte sequence 00 00 00 C0. 148 Note that these ASN.1 definitions use EXPLICIT tagging. (In ASN.1, 149 EXPLICIT tagging is implicit unless IMPLICIT is explicitly speci- 150 fied.) 152 To generate a KEK, one generates one or more KM blocks (incrementing 153 counter appropriately) until enough material has been generated. The 154 KM blocks are concatenated left to right in the obvious order. I.e. 155 KM(counter=1) || KM(counter=2)... 157 Note that the only source of secret entropy in this computation is 158 ZZ, so the security of this data is limited to the size of p and q, 159 even if a string longer than ZZ is generated. However, if partyAInfo 160 is different for each message, a different KEK will be generated for 161 each message. Note that partyAInfo MUST be used in Static-Static 162 mode, but MAY appear in Ephemeral-Static mode. 164 2.1.3. KEK Computation 166 Each key encryption algorithm requires a specific size key (n). The 167 KEK is generated by mapping the left n-most bytes of KM onto the key. 168 For 3DES, which requires 192 bits of keying material, the algorithm 169 must be run twice, once with a counter value of 1 (to generate K1', 170 K2', and the first 32 bits of K3') and once with a counter value of 2 171 (to generate the last 32 bits of K3). K1',K2' and K3' are then parity 172 adjusted to generate the 3 DES keys K1,K2 and K3. For RC2, which 173 requires 128 bits of keying material, the algorithm is run once, with 174 a counter value of 1, and the left-most 128 bits are directly con- 175 verted to an RC2 key. 177 2.1.4. Keylengths for common algorithms 179 Some common key encryption algorithms have KEKs of the following 180 lengths. 182 3DES-EDE-ECB 192 bits 183 RC2 (all) 128 bits 185 2.1.5. Public Key Validation 187 The following algorithm MAY be used to validate a received public key 188 y. 190 1. Verify that y lies within the interval [2,p-1]. If it does not, 191 the key is invalid. 192 2. Compute y^q mod p. If the result == 1, the key is valid. 193 Otherwise the key is invalid. 195 The primary purpose of public key validation is to prevent a small 196 subgroup attack [LAW98] on the sender's key pair. If Ephemeral-Static 197 mode is used, this check may not be necessary. See also [P1363] for 198 more information on Public Key validation. 200 Note that this procedure may be subject to pending patents. 202 2.1.6. Example 1 204 ZZ is the 20 bytes 00 01 02 03 04 05 06 07 08 09 205 0a 0b 0c 0d 0e 0f 10 11 12 13 207 The key encryption algorithm is 3DES-EDE. 209 No partyAInfo is used 211 Consequently, the input to the first invocation of SHA-1 is: 213 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ; ZZ 214 30 1a 215 30 10 216 06 08 2a 86 48 86 f7 0d 03 07 ; 3DES OID 217 04 04 218 00 00 00 01 ; Counter 219 a2 06 220 04 04 221 00 00 00 c0 ; key length 223 And the output is the 20 bytes: 225 b4 85 32 07 a9 da b2 9a 23 5a a8 a5 3f ed cd 65 92 26 0a 4a 227 The input to the second invocation of SHA-1 is: 229 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ; ZZ 230 30 1a 231 30 10 232 06 08 2a 86 48 86 f7 0d 03 07 ; 3DES OID 233 04 04 234 00 00 00 02 ; Counter 235 a2 06 236 04 04 237 00 00 00 c0 ; key length 239 And the output is the 20 bytes: 241 9d 95 43 57 15 e9 c8 31 ce 8a 64 fe e4 c8 d6 0c bf 50 a6 e1 243 Consequently, 244 K1'=b4 85 32 07 a9 da b2 9a 245 K2'=23 5a a8 a5 3f ed cd 65 246 K3'=92 26 0a 4a 9d 95 43 57 248 Note: These keys are not parity adjusted 250 2.1.7. Example 2 252 ZZ is the 20 bytes 00 01 02 03 04 05 06 07 08 09 253 0a 0b 0c 0d 0e 0f 10 11 12 13 255 The key encryption algorithm is RC2 257 The partyAInfo used is the 64 bytes 259 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01 260 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01 261 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01 262 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01 264 Consequently, the input to SHA-1 is: 266 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ; ZZ 267 30 5e 268 30 10 269 06 08 2a 86 48 86 f7 0d 03 02 ; RC2 OID 270 04 04 271 00 00 00 01 ; Counter 272 a0 42 273 04 40 274 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01 ; partyAInfo 275 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01 276 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01 277 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01 278 a2 06 279 04 04 280 00 00 00 80 ; key length 282 And the output is the 20 bytes: 284 52 45 e1 6d 27 57 be d6 8e 20 53 6b 38 b7 63 47 63 13 1d fd 286 Consequently, 287 K=52 45 e1 6d 27 57 be d6 8e 20 53 6b 38 b7 63 47 289 2.2. Key and Parameter Requirements 291 X9.42 requires that the group parameters be of the form p=jq + 1 292 where q is a large prime of length m and j>=2. An algorithm for gen- 293 erating primes of this form (derived from the algorithms in FIPS PUB 294 186-1[DSS], and [X942]can be found in appendix A. 296 X9.42 requires that the private key x be in the interval [2, (q - 297 2)]. x should be randomly generated in this interval. y is then com- 298 puted by calculating g^x mod p. To comply with this draft, m MUST be 299 >=160, (consequently, q MUST each be at least 160 bits long). When 300 symmetric ciphers stronger than DES are to be used, a larger m may be 301 advisable. p must be a minimum of 160 bits long. 303 2.2.1. Group Parameter Generation 305 Agents SHOULD generate domain parameters (g,p,q) using the following 306 algorithm, derived from [FIPS-186] and [X942]. When this algorithm is 307 used, the correctness of the generation procedure can be verified by 308 a third party by the algorithm of 2.2.2. 310 2.2.1.1. Generation of p, q 312 This algorithm generates a p, q pair where q is of length m and 313 p is of length L. 315 Let L - 1 = n*m + b where both b and n are integers and 316 0 <= b < 160. 318 1. Choose an arbitrary sequence of at least m bits and call it SEED. 319 Let g be the length of SEED in bits. 321 2. Set U = 0 323 3. Set m' = m / 160, where / represents integer division, 324 consequently, if m = 200, m' = 1. 326 4. for i = 0 to m' - 1 328 U = U + SHA[SEED + i] XOR SHA[(SEED + m' + i) mod 2^160] * 2^(160 * i) 330 Note that for m=160, this reduces to the algorithm of [FIPS186] 331 U = SHA[SEED] XOR SHA[(SEED+1) mod 2^160 ]. 333 5. Form q from U by setting the most significant bit (the 2^(m-1) bit) 334 and the least significant bit to 1. In terms of boolean operations, 335 q = U OR 2^(m-1) OR 1. Note that 2^(m-1) < q < 2^m 337 6. Use a robust primality algorithm to test whether q is prime. 339 7. If q is not prime then go to 1. 341 8. Let counter = 0 and offset = 2 343 9. For k = 0 to n let 345 Vk = SHA[(SEED + offset + k) mod 2^160 ]. 347 10. Let W be the integer 349 W = V0 + V1*2^160 + ... + Vn-1*2(n-1)*160 + (Vn mod 2^b) 350 * 2n*160 351 and let 352 X = W + 2^(L-1) 354 Note that 0 <= W < 2^(L-1) and hence 2^(L-1) 356 11. Let c = X mod (2 * q) and set p = X - (c-1). Note that p is congruent 357 to 1 mod (2 * q). 359 12. If p < 2^(L -1) then go to step 15. 361 13. Perform a robust primality test on p. 363 14. If p passes the test performed in step 13 go to step 17. 365 15. Let counter = counter + 1 and offset = offset + n + 1. 367 16. If counter >= 4096 go to step 1. Otherwise go to step 9. 369 17. Save the value of SEED and the value of counter for use 370 in certifying the proper generation of p and q. 372 Note: A robust primality test is one where the probability of 373 a non-prime number passing the test is at most 2^-80. [FIPS-186] 374 provides a suitable algorithm, as does [X9.42]. 376 2.2.1.2. Generation of g 378 This section gives an algorithm (derived from [FIPS186]) for 379 generating g. 380 1. Let j = (p - 1)/q. 382 2. Set h = any integer, where 1 < h < p - 1 and h differs 383 from any value previously tried. 385 3. Set g = h^j mod p 387 4. If g = 1 go to step 2 389 2.2.2. Group Parameter Validation 391 The ASN.1 for DH keys in [PKIX] includes elements j and validation- 392 Parms which MAY be used by recipients of a key to verify that the 393 group parameters were correctly generated. Two checks are possible: 395 1. Verify that p=qj + 1. This demonstrates that the parameters meet 396 the X9.42 parameter criteria. 397 2. Verify that when the p,q generation procedure of [FIPS-186] 398 Appendix 2 is followed with seed 'seed', that p is found when 399 This demonstrates that the parameters were randomly chosen and 400 do not have a special form. 402 Whether agents provide validation information in their certificates 403 is a local matter between the agents and their CA. 405 2.3. Ephemeral-Static Mode 407 In Ephemeral-Static mode, the recipient has a static (and certified) 408 key pair, but the sender generates a new key pair for each message 409 and sends it using the originatorKey production. If the sender's key 410 is freshly generated for each message, the shared secret ZZ will be 411 similarly different for each message and partyAInfo MAY be omitted, 412 since it serves merely to decouple multiple KEKs generated by the 413 same set of pairwise keys. If, however, the same ephemeral sender key 414 is used for multiple messages (e.g. it is cached as a performance 415 optimization) then a separate partyAInfo MUST be used for each mes- 416 sage. All implementations of this standard MUST implement Ephemeral- 417 Static mode. 419 In order to resist small subgroup attacks, the recipient SHOULD per- 420 form the check described in 2.1.5. If an opponent cannot determine 421 success or failure of a decryption operation by the recipient, the 422 recipient MAY choose to omit this check. 424 2.4. Static-Static Mode 426 In Static-Static mode, both the sender and the recipient have a 427 static (and certified) key pair. Since the sender's and recipient's 428 keys are therefore the same for each message, ZZ will be the same for 429 each message. Thus, partyAInfo MUST be used (and different for each 430 message) in order to ensure that different messages use different 431 KEKs. Implementations MAY implement Static-Static mode. 433 In order to prevent small subgroup attacks, both originator and reci- 434 pient SHOULD either perform the validation step described in S 2.1.5 435 or verify that the CA has properly verified the validity of the key. 437 Acknowledgements 439 The Key Agreement method described in this document is based on work 440 done by the ANSI X9F1 working group. The author wishes to extend his 441 thanks for their assistance. 443 The author also wishes to thank Paul Hoffman, Stephen Henson, Russ 444 Housley, Brian Korver, Jim Schaad, Mark Schertler, Peter Yee, and 445 Robert Zuccherato for their expert advice and review. 447 References 448 [CMS] Housley, R., "Cryptographic Message Syntax", draft-ietf-smime-cms-07.txt. 450 [FIPS-46-1] Federal Information Processing Standards Publication (FIPS PUB) 451 46-1, Data Encryption Standard, Reaffirmed 1988 January 22 452 (supersedes FIPS PUB 46, 1977 January 15). 454 [FIPS-81] Federal Information Processing Standards Publication (FIPS PUB) 455 81, DES Modes of Operation, 1980 December 2. 457 [FIPS-180] Federal Information Processing Standards Publication (FIPS PUB) 458 180-1, "Secure Hash Standard", 1995 April 17. 460 [FIPS-186] Federal Information Processing Standards Publication (FIPS PUB) 461 186, "Digital Signature Standard", 1994 May 19. 463 [P1363] "Standard Specifications for Public Key Cryptography", IEEE P1363 464 working group draft, 1998, Annex D. 466 [PKIX] Housley, R., Ford, W., Polk, W., Solo, D., "Internet X.509 Public 467 Key Infrastructure Certificate and CRL Profile", RFC-XXXX. 469 [LAW98] L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstone, 470 "An efficient protocol for authenticated key agreement", 471 Technical report CORR 98-05, University of Waterloo, 1998. 473 [LL97] C.H. Lim and P.J. Lee, "A key recovery attack on discrete log-based 474 schemes using a prime order subgroup", B.S. Kaliski, Jr., editor, 475 Advances in Cryptology - Crypto '97, Lecture Notes in Computer Science, 476 vol. 1295, 1997, Springer-Verlag, pp. 249-263. 478 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement 479 Levels." RFC 2119. March 1997. 481 [X942] "Agreement Of Symmetric Keys Using Diffie-Hellman and MQV Algorithms", 482 ANSI draft, 1998. 484 Security Considerations 486 All the security in this system is provided by the secrecy of the 487 private keying material. If either sender or recipient private keys 488 are disclosed, all messages sent or received using that key are 489 compromised. Similarly, loss of the private key results in an inabil- 490 ity to read messages sent using that key. 492 Static Diffie-Hellman keys are vulnerable to a small subgroup attack 493 [LAW98]. In practice, this issue arises for both sides in Static- 494 Static mode and for the receiver during Ephemeral-Static mode. S 2.3 495 and 2.4 describe appropriate practices to protect against this 496 attack. Alternatively, it is possible to generate keys in such a 497 fashion that they are resistant to this attack. See [LL97] 499 In order to securely generate a symmetric key of length l, m (the 500 length in bits of q, and hence x) should be at least 2l. m MUST 501 always be >= 160. Consequently, for RC2, m should be >=256 and for 502 3DES, >=224 (the effective length of 3DES keys is 112 bits). 504 Author's Address 506 Eric Rescorla 507 RTFM Inc. 508 30 Newell Road, #16 509 East Palo Alto, CA 94303 510 Table of Contents 512 1. Introduction ................................................... 1 514 1.1. Discussion of this Draft ..................................... 2 516 1.2. Requirements Terminology ..................................... 2 518 2. Overview Of Method ............................................. 2 520 2.1. Key Agreement ................................................ 2 522 2.1.1. Generation of ZZ ........................................... 2 524 2.1.2. Generation of Keying Material .............................. 3 526 2.1.3. KEK Computation ............................................ 4 528 2.1.4. Keylengths for common algorithms ........................... 4 530 2.1.5. Public Key Validation ...................................... 4 532 2.1.6. Example 1 .................................................. 5 534 2.1.7. Example 2 .................................................. 6 536 2.2. Key and Parameter Requirements ............................... 7 538 2.2.1. Group Parameter Generation ................................. 7 540 2.2.1.1. Generation of p, q ....................................... 7 542 2.2.1.2. Generation of g .......................................... 8 544 2.2.2. Group Parameter Validation ................................. 9 546 2.3. Ephemeral-Static Mode ........................................ 9 548 2.4. Static-Static Mode ........................................... 10 550 2.4. Acknowledgements ............................................. 10 551 2.4. References ................................................... 10 553 Security Considerations ........................................... 11 555 Author's Address .................................................. 11