I've submitted a draft of an X9.42-derived Key Agreement
specification to Internet-Drafts. It should be out in a couple
of days. Here's a prerelease.
There are a couple of problems known with this draft:
It's missing both examples and the default group.
I'm not sure if the RC2 keylength is correctly dealt with.
RC2 is a variable effective keylength cipher with a variable
length key. I.e. you can imagine calling RC2 like this:
RC2Init(char *key, int key_length, int effective_key_length)
So, we need to decide how long the keys are for RC2-40.
(We probably should use 16-byte long, 128 bit effective
for RC2-128).
Comments and questions welcomed,
-Ekr
E. Rescorla
INTERNET-DRAFT Terisa Systems, Inc.
<draft-ietf-smime-x942-00.txt> June 1998 (Expires December 1998)
Diffie-Hellman Key Agreement Method
Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''
To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
ftp.isi.edu (US West Coast).
Abstract
This document standardizes one particular Diffie-Hellman variant,
based on the ANSI X9.42 standard, developed by the ANSI X9F1 working
group. An algorithm for converting the shared secret into an arbi-
trary amount of keying material is provided. In addition, a standard
group that meets the X9.42 requirements is provided.
TODO
Redo the examples to match the new algorithm for computing K. Actu-
ally generate the group.
1. Introduction
In [DH76] Diffie and Hellman describe a means for two parties to
agree upon a shared secret in such a way that the secret will be una-
vailable to eavesdroppers. This secret may then be converted into
cryptographic keying material for other (symmetric) algorithms. A
large number of minor variants of this process exist. This document
describes one such variant, based on the ANSI X9.42 specification.
Rescorla [Page 1]
Internet-Draft Diffie-Hellman Key Agreement Method
1.1. Discussion of this Draft
This draft is being discussed on the "ietf-smime" mailing list. To
join the list, send a message to <ietf-smime-request(_at_)imc(_dot_)org> with
the single word "subscribe" in the body of the message. Also, there
is a Web site for the mailing list at <http://www.imc.org/ietf-
smime/>.
1.2. Requirements Terminology
Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT" and
"MAY" that appear in this document are to be interpreted as described
in [RFC2119].
2. Overview Of Method
Diffie-Hellman key agreement requires that both the sender and reci-
pient of a message have key pairs. By combining one's private key and
the other party's public key, both parties can compute the same
shared secret number. This number can then be converted into crypto-
graphic keying material. That keying material is typically used as a
key encryption key (KEK) to encrypt (wrap) a key (a message encryp-
tion key -- MEK) which is in turn used to encrypt the message data.
2.1. Key Agreement
The first stage of the key agreement process is to compute a shared
secret number ZZ (which will be constant for any pair of Diffie-
Hellman keys). ZZ is then converted into a shared symmetric key. Note
that the symmetric key will be different for each key agreement, due
to the introduction of public random components.
2.1.1. Generation of ZZ
X9.42 defines that the shared secret ZZ is generated as follows:
ZZ = g ^ (xb * xa) (mod p)
Note that the individual parties actually perform the computations:
ZZ = yb ^ xa (mod p) = ya ^ xb (mod p)
where ^ denotes exponentiation
ya is party a's public key; ya = g ^ xa (mod p)
yb is party b's public key; yb = g ^ xb (mod p)
xa is party a's private key
xb is party b's private key
p is a large prime
Rescorla [Page 2]
Internet-Draft Diffie-Hellman Key Agreement Method
g is a generator for the integer group specified by p.
(See Section 2.2 for criteria for keys and parameters)
In CMS, the recipient's key is identified by the CMS RecipientIden-
tifier, which points to the recipient's certificate. The sender's
key is identified using the OriginatorIdentifier field, either by
reference to the sender's certificate or by inline inclusion of a
key.
Senders SHOULD verify the receiver's public key using the procedure
of Section 2.1.5 before generating shared secrets. This check MAY be
omitted if the CA which certified the key performs this check. Simi-
larly, recipient's SHOULD verify the sender's public key before
decrypting messages.
2.1.2. Generation of Keying Material
X9.42 provides an algorithm for generating an essentially arbitrary
amount of keying material from ZZ. Our algorithm is derived from that
algorithm by mandating some optional fields and omitting others.
KM = H ( ZZ || OtherInfo)
H is the message digest function SHA-1 [FIPS-180] ZZ is the shared
key computed in Section 2.1.1 OtherInfo is the DER encoding of the
following structure:
OtherInfo ::= SEQUENCE {
keyInfo KeySpecificInfo,
pubInfo [2] OCTET STRING OPTIONAL,
}
KeySpecificInfo ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
counter OCTET STRING SIZE (4..4) }
algorithm is the ASN.1 algorithm OID of the symmetric algorithm with which
this KEK will be used.
counter is a 32 bit number, represented in network byte order.
Its initial value is 1, i.e. the byte sequence 00 00 00 01 (hex)
pubInfo is a random string provided by the sender. In CMS, it is provided
as a parameter in the UserKeyingMaterial field (a 512 bit byte string).
Note that the only source of secret entropy in this computation is
ZZ, so the security of this data is limited to the size of ZZ, even
if more data than ZZ is generated. However, since pubInfo is dif-
ferent for each message, a different KEK will be generated for each
Rescorla [Page 3]
Internet-Draft Diffie-Hellman Key Agreement Method
message.
2.1.3. KEK Computation
Each key encryption algorithm requires a specific size key (n). The
KEK is generated by mapping the left n-most bytes of KM onto the key.
Consequently, for a DES [FIPS-46-1] key, which requires 64 bits of
keying material, the algorithm is only run once, with a counter value
of 1. The first 64 bits of the output are parity adjusted and con-
verted into a DES key. For 3DES, which requires 192 bits of keying
material, the algorithm must be run twice, once with a counter value
of 1 (to generate K1', K2', and the first 32 bits of K3') and once
with a counter value of 2 (to generate the last 32 bits of K3).
K1',K2' and K3' are then parity adjusted to generate the 3 DES keys
K1,K2 and K3.
2.1.4. Keylengths for common algorithms
Some common key encryption algorithms have KEKs of the following
lengths.
DES-ECB 64 bits
3DES-EDE-ECB 192 bits
RC2 (all) 256 bits
2.1.5. Public Key Validation
The following algorithm may be used to validate received public keys.
1. Verify that y lies within the interval [2,p-1]. If it does not,
the key is invalid.
2. Compute y^q (mod p). If the result == 1, the key is valid.
Otherwise the key is invalid.
2.1.6. Example
TBD
2.2. Key and Parameter Requirements
X9.42 requires that the group parameters be of the form p=jq + 1
where q is a large prime of length m and j>=2. An algorithm for gen-
erating primes of this form can be found in FIPS PUB 186-1[DSS] and
ANSI, X9.30-1 1996 [X930], as well as in [X942].
X9.42 requires that the private key x be in the interval [2^(m-1) +
Rescorla [Page 4]
Internet-Draft Diffie-Hellman Key Agreement Method
1, (q - 2)]. x should be randomly generated in this interval. y is
then computed by calculating g^x (mod p). To comply with this draft,
m MUST be >=128, (consequently, q and x MUST each be at least 128
bits long). When symmetric ciphers stronger than DES are to be used,
a larger m may be advisable.
2.2.1. Common Group
This standard specifies a common IETF DH group that satisfies the
above parameters. Standards incorporating this key exchange method
may choose to require support of this group. TBD
Acknowledgements
The Key Agreement method described in this document is based on work
done by the ANSI X9F1 working group. The author wishes to extend his
thanks for their assistance.
The author also wishes to thank Russ Housley, Brian Korver, Mark
Schertler, and Peter Yee for their expert advice and review.
References
[CMS] Housley, R., "Cryptographic Message Syntax",
draft-ietf-smime-cms-05.txt.
[FIPS-46-1] Federal Information Processing Standards Publication (FIPS PUB)
46-1, Data Encryption Standard, Reaffirmed 1988 January 22
(supersedes FIPS PUB 46, 1977 January 15).
[FIPS-81] Federal Information Processing Standards Publication (FIPS PUB)
81, DES Modes of Operation, 1980 December 2.
[FIPS-180] Federal Information Processing Standards Publication (FIPS PUB)
180-1, "Secure Hash Standard", 1995 April 17.
[X942] "Agreement Of Symmetric Keys Using Diffie-Hellman and MQV Algorithms",
ANSI draft, 1998.
Security Considerations
All the security in this system is provided by the secrecy of the
private keying material. If either sender or recipient private keys
are disclosed, all messages sent or received using that key are
compromised. Similarly, loss of the private key results in an inabil-
ity to read messages sent using that key.
Author's Address
Rescorla [Page 5]
Internet-Draft Diffie-Hellman Key Agreement Method
Eric Rescorla <ekr(_at_)terisa(_dot_)com>
Terisa Systems, Inc.
4984 El Camino Real
Los Altos, CA 94022
Phone: (650) 919-1753
Rescorla [Page 6]
Internet-Draft Diffie-Hellman Key Agreement Method
Table of Contents
1. Introduction ................................................... 1
1.1. Discussion of this Draft ..................................... 2
1.2. Requirements Terminology ..................................... 2
2. Overview Of Method ............................................. 2
2.1. Key Agreement ................................................ 2
2.1.1. Generation of ZZ ........................................... 2
2.1.2. Generation of Keying Material .............................. 3
2.1.3. KEK Computation ............................................ 4
2.1.4. Keylengths for common algorithms ........................... 4
2.1.5. Public Key Validation ...................................... 4
2.1.6. Example .................................................... 4
2.2. Key and Parameter Requirements ............................... 4
2.2.1. Common Group ............................................... 5
2.2.1. Acknowledgements ........................................... 5
2.2.1. References ................................................. 5
Security Considerations ........................................... 5
Author's Address .................................................. 5