ietf-smime

Diffie-Hellman Choices

1998-10-02 05:27:23
The S/MIME WG needs to select one mandatory to implement variant of Diffie-Hellman.  This note presents the two alternatives that have been proposed.  I would like the WG to discuss these alternatives and then select the one that will be included in CMS.  Both alternatives were presented at the face-to-face session in Chicago.

The criteria for selecting the most appropriate choice include security, performance, and patents.

The two alternatives are both variants of X9.42, the ANSI Draft Diffie-Hellman (D-H) standard.

Static-Static D-H is the first alternative.
Certicom has a pending patent that covers a check to avoid the small subgroup attack.  Certicom has offered a royalty-free license for CMS and PKIX implementations if this is chosen as the mandatory to implement algorithm.

Static-Static D-H requires one exponentiation per recipient when sending encrypted messages.

Static-Static D-H provides data origin authentication.  This is due to the originator public key being contained in a certificate.

Static-Static D-H would have a shorter certificate than the Ephemeral-Static D-H alternative.

The originator certificate is carried in the message.  The public key in the certificate is used by all recipients.

Static-Static D-H requires a common set of D-H parameters (p,q,g) for the entire community.

Sample processing:
 - Certificate contains Ya = ( g ** Xa ) mod p
 - Originator certificate transferred in the header
 - Originator generates random, R, that is transferred in plaintext in the header
 - Key = SHA1 [ ( g ** XaXb ) mod p || algorithm ID || counter || R ]

Ephemeral-Static D-H is the second alternative.
No known patents.  If there are any (including pending patents), please make us aware of them now.

Ephemeral-Static D-H requires two exponentiations per recipient when sending encrypted messages.

Ephemeral-Static D-H provides no authentication.  The originator uses an ephemeral public/private key pair for each recipient, so there is no originator certificate.

The recipient certificate must contain the D-H parameters (p,q,g), so the certificate is longer than the Static-Static D-H alternative.

Neither the originator nor the recipient certificate is carried in the message.

When generating the ephemeral public/private key pair, the originator uses the recipient's D-H parameters (p,q,g) obtained from the recipient certificate.  Thus, the community does not need to agree on a common set of D-H parameters (p,q,g).

Sample processing:
 - No originator certificate; Recipient certificate contains Yb = ( g ** Xb ) mod p
 - Originator generates D-H key pair for each recipient, using the recipient p,q,g values
 - Originator Yr = ( g ** Xr ) mod p transferred in header for each recipient
 - Key = SHA1 [ ( g ** XrXb ) mod p || algorithm ID || counter ]

Which alternative do you prefer?  Why?

Russ
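
The two "Sample processing" lists in the message above, worked through as an added example (not part of the original post and not text from CMS or X9.42). Assumptions: the toy group (p, q, g), the byte encodings of the shared secret and counter, the placeholder algorithm ID, and the subgroup membership test, which is one common form of such a check; the post does not spell its check out.

```python
import hashlib
import secrets

# Toy group, constructed for this example (far too small for real use):
# p = 2q + 1 with q prime, and g of order q.
P, Q, G = 2879, 1439, 4

def keypair(p=P, q=Q, g=G):
    """Return (x, y) with y = (g ** x) mod p and 2 <= x <= q - 1."""
    x = secrets.randbelow(q - 2) + 2
    return x, pow(g, x, p)

def valid_public(y, p=P, q=Q):
    """Subgroup membership test on a received public value."""
    return 2 <= y <= p - 1 and pow(y, q, p) == 1

def kek(own_x, peer_y, alg_id, counter, r=b"", p=P, q=Q):
    """SHA1[ ZZ || algorithm ID || counter || R ], ZZ = (peer_y ** own_x) mod p."""
    if not valid_public(peer_y, p, q):
        raise ValueError("public value outside the order-q subgroup")
    zz = pow(peer_y, own_x, p)
    # Assumed encodings: fixed-length big-endian ZZ, 4-byte big-endian counter.
    zz_bytes = zz.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha1(zz_bytes + alg_id + counter.to_bytes(4, "big") + r).digest()

ALG = b"example-wrap-alg"  # placeholder algorithm ID, not a real identifier

def static_static(xa, yb, r):
    """Originator side: static Xa, recipient's certified Yb, per-message R."""
    return kek(xa, yb, ALG, 1, r)

def ephemeral_static(yb):
    """Originator side: fresh (Xr, Yr) per recipient; returns (Yr, key)."""
    xr, yr = keypair()
    return yr, kek(xr, yb, ALG, 1)

if __name__ == "__main__":
    xa, ya = keypair()          # originator static pair (Ya in a certificate)
    xb, yb = keypair()          # recipient static pair (Yb in a certificate)
    r = secrets.token_bytes(16)
    k = static_static(xa, yb, r)
    print("static-static   :", k.hex(), "matches:", k == kek(xb, ya, ALG, 1, r))
    yr, k = ephemeral_static(yb)
    print("ephemeral-static:", k.hex(), "matches:", k == kek(xb, yr, ALG, 1))
```

In the Static-Static case the shared secret is fixed for a given originator/recipient pair, so R is the only input that makes the derived key differ from one message to the next.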