idnits 2.16.02
/tmp/draft-ietf-smime-x942-07.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
** Looks like you're using RFC 2026 boilerplate. This must be updated to
follow RFC 3978/3979, as updated by RFC 4748.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
** Missing expiration date. The document expiration date should appear on
the first and last page.
** The document seems to lack a 1id_guidelines paragraph about
Internet-Drafts being working documents.
** The document seems to lack a 1id_guidelines paragraph about 6 months
document validity -- however, there's a paragraph with a matching
beginning. Boilerplate error?
** The document seems to lack a 1id_guidelines paragraph about the list of
current Internet-Drafts.
** The document seems to lack a 1id_guidelines paragraph about the list of
Shadow Directories.
== No 'Intended status' indicated for this document; assuming Proposed
Standard
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack an IANA Considerations section. (See Section
2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
when there are no actions for IANA.)
** The document seems to lack separate sections for Informative/Normative
References. All references will be assumed normative when checking for
downward references.
** There are 26 instances of too long lines in the document, the longest
one being 10 characters in excess of 72.
Miscellaneous warnings:
----------------------------------------------------------------------------
== Line 517 has weird spacing: '...rows as a sub...'
== The document seems to lack the recommended RFC 2119 boilerplate, even if
it appears to use RFC 2119 keywords.
(The document does seem to have the reference to RFC 2119 which the
ID-Checklist requires).
-- The document seems to lack a disclaimer for pre-RFC5378 work, but may
have content which was first submitted before 10 November 2008. If you
have contacted all the original authors and they are all willing to grant
the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
this comment. If not, you may need to add the pre-RFC5378 disclaimer.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- Couldn't find a document date in the document -- date freshness check
skipped.
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Missing Reference: 'DH76' is mentioned on line 42, but not defined
-- Looks like a reference, but probably isn't: '0' on line 128
-- Looks like a reference, but probably isn't: '2' on line 129
== Missing Reference: 'SEED' is mentioned on line 340, but not defined
== Unused Reference: 'FIPS-46-1' is defined on line 464, but no explicit
reference was found in the text
== Unused Reference: 'FIPS-81' is defined on line 468, but no explicit
reference was found in the text
== Outdated reference: draft-ietf-smime-cms has been published as RFC 2630
-- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS-46-1'
-- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS-81'
-- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS-180'
-- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS-186'
-- Possible downref: Non-RFC (?) normative reference: ref. 'P1363'
** Obsolete normative reference: RFC 2459 (ref. 'PKIX') (Obsoleted by RFC
3280)
-- Possible downref: Non-RFC (?) normative reference: ref. 'LAW98'
-- Possible downref: Non-RFC (?) normative reference: ref. 'LL97'
-- Possible downref: Non-RFC (?) normative reference: ref. 'X942'
Summary: 10 errors (**), 0 flaws (~~), 8 warnings (==), 12 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 E. Rescorla
3 INTERNET-DRAFT RTFM Inc.
4 March 1999 (Expires September 1999)
6 Diffie-Hellman Key Agreement Method
8 Status of this Memo
10 This document is an Internet-Draft and is in full conformance with
11 all provisions of Section 10 of RFC2026. Internet-Drafts are working
12 documents of the Internet Engineering Task Force (IETF), its areas,
13 and its working groups. Note that other groups may also distribute
14 working documents as Internet-Drafts.
16 Internet-Drafts are draft documents valid for a maximum of six months
17 and may be updated, replaced, or obsoleted by other documents at any
18 time. It is inappropriate to use Internet-Drafts as reference mate-
19 rial or to cite them other than as ``work in progress.''
21 To learn the current status of any Internet-Draft, please check the
22 ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
23 Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
24 munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
25 ftp.isi.edu (US West Coast).
27 Abstract
29 This document standardizes one particular Diffie-Hellman variant,
30 based on the ANSI X9.42 draft, developed by the ANSI X9F1 working
31 group. Diffie-Hellman is a key agreement algorithm used by two par-
32 ties to agree on a shared secret. An algorithm for converting the
33 shared secret into an arbitrary amount of keying material is pro-
34 vided. The resulting keying material is used as a symmetric encryp-
35 tion key. The Diffie-Hellman variant described requires the recipi-
36 ent to have a certificate, but the originator may have a static key
37 pair (with the public key placed in a certificate) or an ephemeral
38 key pair.
40 1. Introduction
42 In [DH76] Diffie and Hellman describe a means for two parties to
43 agree upon a shared secret in such a way that the secret will be
44 unavailable to eavesdroppers. This secret may then be converted into
45 cryptographic keying material for other (symmetric) algorithms. A
46 large number of minor variants of this process exist. This document
47 describes one such variant, based on the ANSI X9.42 specification.
49 1.1. Discussion of this Draft
51 This draft is being discussed on the "ietf-smime" mailing list. To
52 join the list, send a message to with
53 the single word "subscribe" in the body of the message. Also, there
54 is a Web site for the mailing list at .
57 1.2. Requirements Terminology
59 Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT" and
60 "MAY" that appear in this document are to be interpreted as described
61 in [RFC2119].
63 2. Overview Of Method
65 Diffie-Hellman key agreement requires that both the sender and recip-
66 ient of a message have key pairs. By combining one's private key and
67 the other party's public key, both parties can compute the same
68 shared secret number. This number can then be converted into crypto-
69 graphic keying material. That keying material is typically used as a
70 key-encryption key (KEK) to encrypt (wrap) a content-encryption key
71 (CEK) which is in turn used to encrypt the message data.
73 2.1. Key Agreement
75 The first stage of the key agreement process is to compute a shared
76 secret number, called ZZ. When the same originator and recipient
77 public/private key pairs are used, the same ZZ value will result.
78 The ZZ value is then converted into a shared symmetric cryptographic
79 key. When the originator employs a static private/public key pair,
80 the introduction of a public random value ensures that the resulting
81 symmetric key will be different for each key agreement.
83 2.1.1. Generation of ZZ
85 X9.42 defines that the shared secret ZZ is generated as follows:
87 ZZ = g ^ (xb * xa) mod p
89 Note that the individual parties actually perform the computations:
91 ZZ = (yb ^ xa) mod p = (ya ^ xb) mod p
93 where ^ denotes exponentiation
94 ya is party a's public key; ya = g ^ xa mod p
95 yb is party b's public key; yb = g ^ xb mod p
96 xa is party a's private key
97 xb is party b's private key
98 p is a large prime
99 q is a large prime
100 g = h^{(p-1)/q} mod p, where
101 h is any integer with 1 < h < p-1 such that h{(p-1)/q} mod p > 1
102 (g has order q mod p; i.e. g^q mod p = 1 if g!=1)
103 j a large integer such that p=qj + 1
104 (See Section 2.2 for criteria for keys and parameters)
106 In [CMS], the recipient's key is identified by the CMS RecipientIden-
107 tifier, which points to the recipient's certificate. The sender's
108 public key is identified using the OriginatorIdentifierOrKey field,
109 either by reference to the sender's certificate or by inline inclu-
110 sion of a public key.
112 2.1.2. Generation of Keying Material
114 X9.42 provides an algorithm for generating an essentially arbitrary
115 amount of keying material from ZZ. Our algorithm is derived from that
116 algorithm by mandating some optional fields and omitting others.
118 KM = H ( ZZ || OtherInfo)
120 H is the message digest function SHA-1 [FIPS-180]
121 ZZ is the shared secret value computed in Section 2.1.1. Leading zeros MUST
122 be preserved, so that ZZ occupies as many octets as p. For
123 instance, if p is 1024 bits, ZZ should be 128 bytes long.
124 OtherInfo is the DER encoding of the following structure:
126 OtherInfo ::= SEQUENCE {
127 keyInfo KeySpecificInfo,
128 partyAInfo [0] OCTET STRING OPTIONAL,
129 suppPubInfo [2] OCTET STRING
130 }
132 KeySpecificInfo ::= SEQUENCE {
133 algorithm OBJECT IDENTIFIER,
134 counter OCTET STRING SIZE (4..4) }
136 Note that these ASN.1 definitions use EXPLICIT tagging. (In ASN.1,
137 EXPLICIT tagging is implicit unless IMPLICIT is explicitly specified.)
139 algorithm is the ASN.1 algorithm OID of the CEK wrapping algorithm with
140 which this KEK will be used. Note that this is NOT an
141 AlgorithmIdentifier, but simply the OBJECT IDENTIFIER. No parameters
142 are used.
143 counter is a 32 bit number, represented in network byte order. Its
144 initial value is 1 for any ZZ, i.e. the byte sequence 00 00 00 01
145 (hex), and it is incremented by one every time the above key
146 generation function is run for a given KEK.
147 partyAInfo is a random string provided by the sender. In CMS, it is
148 provided as a parameter in the UserKeyingMaterial field (encoded as
149 an OCTET STRING). If provided, partyAInfo MUST contain 512 bits.
150 suppPubInfo is the length of the generated KEK, in bits, represented
151 as a 32 bit number in network byte order. E.g. for 3DES it
152 would be the byte sequence 00 00 00 C0.
154 To generate a KEK, one generates one or more KM blocks (incrementing
155 counter appropriately) until enough material has been generated. The
156 KM blocks are concatenated left to right I.e. KM(counter=1) ||
157 KM(counter=2)...
159 Note that the only source of secret entropy in this computation is
160 ZZ. Even if a string longer than ZZ is generated, the effective key
161 space of the KEK is limited by the size of ZZ, in addition to any
162 security level considerations imposed by the parameters p and q.How-
163 ever, if partyAInfo is different for each message, a different KEK
164 will be generated for each message. Note that partyAInfo MUST be used
165 in Static-Static mode, but MAY appear in Ephemeral-Static mode.
167 2.1.3. KEK Computation
169 Each key encryption algorithm requires a specific size key (n). The
170 KEK is generated by mapping the left n-most bytes of KM onto the key.
171 For 3DES, which requires 192 bits of keying material, the algorithm
172 must be run twice, once with a counter value of 1 (to generate K1',
173 K2', and the first 32 bits of K3') and once with a counter value of 2
174 (to generate the last 32 bits of K3). K1',K2' and K3' are then parity
175 adjusted to generate the 3 DES keys K1,K2 and K3. For RC2-128, which
176 requires 128 bits of keying material, the algorithm is run once, with
177 a counter value of 1, and the left-most 128 bits are directly con-
178 verted to an RC2 key. Similarly, for RC2-40, which requires 40 bits
179 of keying material, the algorithm is run once, with a counter value
180 of 1, and the leftmost 40 bits are used as the key.
182 2.1.4. Keylengths for common algorithms
184 Some common key encryption algorithms have KEKs of the following
185 lengths.
187 3-key 3DES 192 bits
188 RC2-128 128 bits
189 RC2-40 40 bits
191 RC2 effective key lengths are equal to RC2 real key lengths.
193 2.1.5. Public Key Validation
195 The following algorithm MAY be used to validate a received public key
196 y.
198 1. Verify that y lies within the interval [2,p-1]. If it does not,
199 the key is invalid.
200 2. Compute y^q mod p. If the result == 1, the key is valid.
201 Otherwise the key is invalid.
203 The primary purpose of public key validation is to prevent a small
204 subgroup attack [LAW98] on the sender's key pair. If Ephemeral-Static
205 mode is used, this check may not be necessary. See also [P1363] for
206 more information on Public Key validation.
208 Note that this procedure may be subject to pending patents.
210 2.1.6. Example 1
212 ZZ is the 20 bytes 00 01 02 03 04 05 06 07 08 09
213 0a 0b 0c 0d 0e 0f 10 11 12 13
215 The key wrap algorithm is 3DES-EDE wrap.
217 No partyAInfo is used.
219 Consequently, the input to the first invocation of SHA-1 is:
221 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ; ZZ
222 30 1d
223 30 13
224 06 0b 2a 86 48 86 f7 0d 01 09 10 03 06 ; 3DES wrap OID
225 04 04
226 00 00 00 01 ; Counter
227 a2 06
228 04 04
229 00 00 00 c0 ; key length
230 And the output is the 20 bytes:
232 a0 96 61 39 23 76 f7 04 4d 90 52 a3 97 88 32 46 b6 7f 5f 1e
234 The input to the second invocation of SHA-1 is:
236 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ; ZZ
237 30 1d
238 30 13
239 06 0b 2a 86 48 86 f7 0d 01 09 10 03 06 ; 3DES wrap OID
240 04 04
241 00 00 00 02 ; Counter
242 a2 06
243 04 04
244 00 00 00 c0 ; key length
246 And the output is the 20 bytes:
248 f6 3e b5 fb 5f 56 d9 b6 a8 34 03 91 c2 d3 45 34 93 2e 11 30
250 Consequently,
251 K1'=a0 96 61 39 23 76 f7 04
252 K2'=4d 90 52 a3 97 88 32 46
253 K3'=b6 7f 5f 1e f6 3e b5 fb
255 Note: These keys are not parity adjusted
257 2.1.7. Example 2
259 ZZ is the 20 bytes 00 01 02 03 04 05 06 07 08 09
260 0a 0b 0c 0d 0e 0f 10 11 12 13
262 The key wrap algorithm is RC2-128 key wrap, so we need 128 bits (16
263 bytes) of keying material.
265 The partyAInfo used is the 64 bytes
267 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
268 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
269 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
270 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
272 Consequently, the input to SHA-1 is:
274 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ; ZZ
275 30 61
276 30 13
277 06 0b 2a 86 48 86 f7 0d 01 09 10 03 07 ; RC2 wrap OID
278 04 04
279 00 00 00 01 ; Counter
280 a0 42
281 04 40
282 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01 ; partyAInfo
283 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
284 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
285 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
286 a2 06
287 04 04
288 00 00 00 80 ; key length
290 And the output is the 20 bytes:
292 48 95 0c 46 e0 53 00 75 40 3c ce 72 88 96 04 e0 3e 7b 5d e9
294 Consequently,
295 K=48 95 0c 46 e0 53 00 75 40 3c ce 72 88 96 04 e0
297 2.2. Key and Parameter Requirements
299 X9.42 requires that the group parameters be of the form p=jq + 1
300 where q is a large prime of length m and j>=2. An algorithm for gen-
301 erating primes of this form (derived from the algorithms in FIPS PUB
302 186-1[FIPS-186] and [X942]can be found in appendix A.
304 X9.42 requires that the private key x be in the interval [2, (q -
305 2)]. x should be randomly generated in this interval. y is then com-
306 puted by calculating g^x mod p. To comply with this draft, m MUST be
307 >=160 bits in length, (consequently, q MUST be at least 160 bits
308 long). When symmetric ciphers stronger than DES are to be used, a
309 larger m may be advisable. p must be a minimum of 512 bits long.
311 2.2.1. Group Parameter Generation
313 Agents SHOULD generate domain parameters (g,p,q) using the following
314 algorithm, derived from [FIPS-186] and [X942]. When this algorithm is
315 used, the correctness of the generation procedure can be verified by
316 a third party by the algorithm of 2.2.2.
318 2.2.1.1. Generation of p, q
320 This algorithm generates a p, q pair where q is of length m and
321 p is of length L.
323 Let L - 1 = n*m + b where both b and n are integers and
324 0 <= b < 160.
326 1. Choose an arbitrary sequence of at least m bits and call it SEED.
327 Let g be the length of SEED in bits.
329 2. Set U = 0
331 3. Set m' = m / 160, where / represents integer division,
332 consequently, if m = 200, m' = 1.
334 4. for i = 0 to m' - 1
336 U = U + SHA[SEED + i] XOR SHA[(SEED + m' + i) mod 2^160] * 2^(160 * i)
338 Note that for m=160, this reduces to the algorithm of [FIPS-186]
340 U = SHA[SEED] XOR SHA[(SEED+1) mod 2^160 ].
342 5. Form q from U by setting the most significant bit (the 2^(m-1) bit)
343 and the least significant bit to 1. In terms of boolean operations,
344 q = U OR 2^(m-1) OR 1. Note that 2^(m-1) < q < 2^m
346 6. Use a robust primality algorithm to test whether q is prime.
348 7. If q is not prime then go to 1.
350 8. Let counter = 0 and offset = 2
352 9. For k = 0 to n let
354 Vk = SHA[(SEED + offset + k) mod 2^160 ].
356 10. Let W be the integer
358 W = V0 + V1*2^160 + ... + Vn-1*2(n-1)*160 + (Vn mod 2^b)
359 * 2n*160
360 and let
361 X = W + 2^(L-1)
363 Note that 0 <= W < 2^(L-1) and hence 2^(L-1)
365 11. Let c = X mod (2 * q) and set p = X - (c-1). Note that p is congruent
366 to 1 mod (2 * q).
368 12. If p < 2^(L -1) then go to step 15.
370 13. Perform a robust primality test on p.
372 14. If p passes the test performed in step 13 go to step 17.
374 15. Let counter = counter + 1 and offset = offset + n + 1.
376 16. If counter >= 4096 go to step 1. Otherwise go to step 9.
378 17. Save the value of SEED and the value of counter for use
379 in certifying the proper generation of p and q.
381 Note: A robust primality test is one where the probability of
382 a non-prime number passing the test is at most 2^-80. [FIPS-186]
383 provides a suitable algorithm, as does [X9.42].
385 2.2.1.2. Generation of g
387 This section gives an algorithm (derived from [FIPS-186]) for gener-
388 ating g.
389 1. Let j = (p - 1)/q.
391 2. Set h = any integer, where 1 < h < p - 1 and h differs
392 from any value previously tried.
394 3. Set g = h^j mod p
396 4. If g = 1 go to step 2
398 2.2.2. Group Parameter Validation
400 The ASN.1 for DH keys in [PKIX] includes elements j and validation-
401 Parms which MAY be used by recipients of a key to verify that the
402 group parameters were correctly generated. Two checks are possible:
404 1. Verify that p=qj + 1. This demonstrates that the parameters meet
405 the X9.42 parameter criteria.
406 2. Verify that when the p,q generation procedure of [FIPS-186]
407 Appendix 2 is followed with seed 'seed', that p is found when
408 'counter' = pgenCounter.
409 This demonstrates that the parameters were randomly chosen and
410 do not have a special form.
412 Whether agents provide validation information in their certificates
413 is a local matter between the agents and their CA.
415 2.3. Ephemeral-Static Mode
417 In Ephemeral-Static mode, the recipient has a static (and certified)
418 key pair, but the sender generates a new key pair for each message
419 and sends it using the originatorKey production. If the sender's key
420 is freshly generated for each message, the shared secret ZZ will be
421 similarly different for each message and partyAInfo MAY be omitted,
422 since it serves merely to decouple multiple KEKs generated by the
423 same set of pairwise keys. If, however, the same ephemeral sender key
424 is used for multiple messages (e.g. it is cached as a performance
425 optimization) then a separate partyAInfo MUST be used for each mes-
426 sage. All implementations of this standard MUST implement Ephemeral-
427 Static mode.
429 In order to resist small subgroup attacks, the recipient SHOULD per-
430 form the check described in 2.1.5. If an opponent cannot determine
431 success or failure of a decryption operation by the recipient, the
432 recipient MAY choose to omit this check. See also [LL97] for a method
433 of generating keys which are not subject to small subgroup attack.
435 2.4. Static-Static Mode
437 In Static-Static mode, both the sender and the recipient have a
438 static (and certified) key pair. Since the sender's and recipient's
439 keys are therefore the same for each message, ZZ will be the same for
440 each message. Thus, partyAInfo MUST be used (and different for each
441 message) in order to ensure that different messages use different
442 KEKs. Implementations MAY implement Static-Static mode.
444 In order to prevent small subgroup attacks, both originator and
445 recipient SHOULD either perform the validation step described in Sec-
446 tion 2.1.5 or verify that the CA has properly verified the validity
447 of the key. See also [LL97] for a method of generating keys which
448 are not subject to small subgroup attack.
450 Acknowledgements
452 The Key Agreement method described in this document is based on work
453 done by the ANSI X9F1 working group. The author wishes to extend his
454 thanks for their assistance.
456 The author also wishes to thank Stephen Henson, Paul Hoffman, Russ
457 Housley, Burt Kaliski, Brian Korver, John Linn, Jim Schaad, Mark
458 Schertler, Peter Yee, and Robert Zuccherato for their expert advice
459 and review.
461 References
462 [CMS] Housley, R., "Cryptographic Message Syntax", draft-ietf-smime-cms-07.txt.
464 [FIPS-46-1] Federal Information Processing Standards Publication (FIPS PUB)
465 46-1, Data Encryption Standard, Reaffirmed 1988 January 22
466 (supersedes FIPS PUB 46, 1977 January 15).
468 [FIPS-81] Federal Information Processing Standards Publication (FIPS PUB)
469 81, DES Modes of Operation, 1980 December 2.
471 [FIPS-180] Federal Information Processing Standards Publication (FIPS PUB)
472 180-1, "Secure Hash Standard", 1995 April 17.
474 [FIPS-186] Federal Information Processing Standards Publication (FIPS PUB)
475 186, "Digital Signature Standard", 1994 May 19.
477 [P1363] "Standard Specifications for Public Key Cryptography", IEEE P1363
478 working group draft, 1998, Annex D.
480 [PKIX] Housley, R., Ford, W., Polk, W., Solo, D., "Internet X.509 Public
481 Key Infrastructure Certificate and CRL Profile", RFC-2459. January 1999.
483 [LAW98] L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstone,
484 "An efficient protocol for authenticated key agreement",
485 Technical report CORR 98-05, University of Waterloo, 1998.
487 [LL97] C.H. Lim and P.J. Lee, "A key recovery attack on discrete log-based
488 schemes using a prime order subgroup", B.S. Kaliski, Jr., editor,
489 Advances in Cryptology - Crypto '97, Lecture Notes in Computer Science,
490 vol. 1295, 1997, Springer-Verlag, pp. 249-263.
492 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement
493 Levels." RFC 2119. March 1997.
495 [X942] "Agreement Of Symmetric Keys Using Diffie-Hellman and MQV Algorithms",
496 ANSI draft, 1998.
498 Security Considerations
500 All the security in this system is provided by the secrecy of the
501 private keying material. If either sender or recipient private keys
502 are disclosed, all messages sent or received using that key are com-
503 promised. Similarly, loss of the private key results in an inability
504 to read messages sent using that key.
506 Static Diffie-Hellman keys are vulnerable to a small subgroup attack
507 [LAW98]. In practice, this issue arises for both sides in Static-
508 Static mode and for the receiver during Ephemeral-Static mode. Sec-
509 tions 2.3 and 2.4 describe appropriate practices to protect against
510 this attack. Alternatively, it is possible to generate keys in such a
511 fashion that they are resistant to this attack. See [LL97]
513 The security level provided by these methods depends on several fac-
514 tors. It depends on the length of the symmetric key (typically, a 2^l
515 security level if the length is l bits); the size of the prime q (a
516 2^{m/2} security level); and the size of the prime p (where the secu-
517 rity level grows as a subexponential function of the size in bits).
518 A good design principle is to have a balanced system, where all three
519 security levels are approximately the same. If many keys are derived
520 from a given pair of primes p and q, it may be prudent to have higher
521 levels for the primes. In any case, the overall security is limited
522 by the lowest of the three levels.
524 Author's Address
526 Eric Rescorla
527 RTFM Inc.
528 30 Newell Road, #16
529 East Palo Alto, CA 94303
530 Table of Contents
532 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 1
533 1.1. Discussion of this Draft . . . . . . . . . . . . . . . . . . . 2
534 1.2. Requirements Terminology . . . . . . . . . . . . . . . . . . . 2
535 2. Overview Of Method . . . . . . . . . . . . . . . . . . . . . . . 2
536 2.1. Key Agreement . . . . . . . . . . . . . . . . . . . . . . . . . 2
537 2.1.1. Generation of ZZ . . . . . . . . . . . . . . . . . . . . . . 2
538 2.1.2. Generation of Keying Material . . . . . . . . . . . . . . . . 3
539 2.1.3. KEK Computation . . . . . . . . . . . . . . . . . . . . . . . 4
540 2.1.4. Keylengths for common algorithms . . . . . . . . . . . . . . 4
541 2.1.5. Public Key Validation . . . . . . . . . . . . . . . . . . . . 5
542 2.1.6. Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . 5
543 2.1.7. Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . 6
544 2.2. Key and Parameter Requirements . . . . . . . . . . . . . . . . 7
545 2.2.1. Group Parameter Generation . . . . . . . . . . . . . . . . . 7
546 2.2.1.1. Generation of p, q . . . . . . . . . . . . . . . . . . . . 7
547 2.2.1.2. Generation of g . . . . . . . . . . . . . . . . . . . . . . 9
548 2.2.2. Group Parameter Validation . . . . . . . . . . . . . . . . . 9
549 2.3. Ephemeral-Static Mode . . . . . . . . . . . . . . . . . . . . . 9
550 2.4. Static-Static Mode . . . . . . . . . . . . . . . . . . . . . . 10
551 2.4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
552 2.4. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
553 Security Considerations . . . . . . . . . . . . . . . . . . . . . . 11
554 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . . 12