Network Working Group E. Rescorla
Request for Comments: 2631 RTFM Inc.
Category: Standards Track June 1999
Diffie-Hellman Key Agreement Method
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
This document standardizes one particular Diffie-Hellman variant,
based on the ANSI X9.42 draft, developed by the ANSI X9F1 working
group. Diffie-Hellman is a key agreement algorithm used by two
parties to agree on a shared secret. An algorithm for converting the
shared secret into an arbitrary amount of keying material is
provided. The resulting keying material is used as a symmetric
encryption key. The Diffie-Hellman variant described requires the
recipient to have a certificate, but the originator may have a static
key pair (with the public key placed in a certificate) or an
ephemeral key pair.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Terminology . . . . . . . . . . . . . . . . 2
2. Overview Of Method . . . . . . . . . . . . . . . . . . . . 2
2.1. Key Agreement . . . . . . . . . . . . . . . . . . . . . . 2
2.1.1. Generation of ZZ . . . . . . . . . . . . . . . . . . . 3
2.1.2. Generation of Keying Material . . . . . . . . . . . . . 3
2.1.3. KEK Computation . . . . . . . . . . . . . . . . . . . . 4
2.1.4. Keylengths for common algorithms . . . . . . . . . . . 5
2.1.5. Public Key Validation . . . . . . . . . . . . . . . . . 5
2.1.6. Example 1 . . . . . . . . . . . . . . . . . . . . . . . 5
2.1.7. Example 2 . . . . . . . . . . . . . . . . . . . . . . . 6
2.2. Key and Parameter Requirements . . . . . . . . . . . . . 7
2.2.1. Group Parameter Generation . . . . . . . . . . . . . . 7
2.2.1.1. Generation of p, q . . . . . . . . . . . . . . . . . 8
Rescorla Standards Track [Page 1]
RFC 2631 Diffie-Hellman Key Agreement Method June 1999
2.2.1.2. Generation of g . . . . . . . . . . . . . . . . . . . 9
2.2.2. Group Parameter Validation . . . . . . . . . . . . . . 9
2.3. Ephemeral-Static Mode . . . . . . . . . . . . . . . . . . 10
2.4. Static-Static Mode . . . . . . . . . . . . . . . . . . . 10
2.4. Acknowledgements . . . . . . . . . . . . . . . . . . . . 10
2.4. References . . . . . . . . . . . . . . . . . . . . . . . 11
Security Considerations . . . . . . . . . . . . . . . . . . . 12
Author's Address . . . . . . . . . . . . . . . . . . . . . . . 12
Full Copyright Statement . . . . . . . . . . . . . . . . . . . 13
1. Introduction
In [DH76] Diffie and Hellman describe a means for two parties to
agree upon a shared secret in such a way that the secret will be
unavailable to eavesdroppers. This secret may then be converted into
cryptographic keying material for other (symmetric) algorithms. A
large number of minor variants of this process exist. This document
describes one such variant, based on the ANSI X9.42 specification.
1.1. Requirements Terminology
Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT" and
"MAY" that appear in this document are to be interpreted as described
in [RFC2119].
2. Overview Of Method
Diffie-Hellman key agreement requires that both the sender and
recipient of a message have key pairs. By combining one's private key
and the other party's public key, both parties can compute the same
shared secret number. This number can then be converted into
cryptographic keying material. That keying material is typically
used as a key-encryption key (KEK) to encrypt (wrap) a content-
encryption key (CEK) which is in turn used to encrypt the message
data.
2.1. Key Agreement
The first stage of the key agreement process is to compute a shared
secret number, called ZZ. When the same originator and recipient
public/private key pairs are used, the same ZZ value will result.
The ZZ value is then converted into a shared symmetric cryptographic
key. When the originator employs a static private/public key pair,
the introduction of a public random value ensures that the resulting
symmetric key will be different for each key agreement.
2.1.1. Generation of ZZ
X9.42 defines that the shared secret ZZ is generated as follows:
ZZ = g ^ (xb * xa) mod p
Note that the individual parties actually perform the computations:
ZZ = (yb ^ xa) mod p = (ya ^ xb) mod p
where ^ denotes exponentiation
ya is party a's public key; ya = g ^ xa mod p
yb is party b's public key; yb = g ^ xb mod p
xa is party a's private key
xb is party b's private key
p is a large prime
q is a large prime
g = h^{(p-1)/q} mod p, where
h is any integer with 1 < h < p-1 such that h^{(p-1)/q} mod p > 1
(g has order q mod p; i.e. g^q mod p = 1 if g!=1)
j a large integer such that p=qj + 1
(See Section 2.2 for criteria for keys and parameters)
In [CMS], the recipient's key is identified by the CMS
RecipientIdentifier, which points to the recipient's certificate.
The sender's public key is identified using the
OriginatorIdentifierOrKey field, either by reference to the sender's
certificate or by inline inclusion of a public key.
2.1.2. Generation of Keying Material
X9.42 provides an algorithm for generating an essentially arbitrary
amount of keying material from ZZ. Our algorithm is derived from that
algorithm by mandating some optional fields and omitting others.
KM = H ( ZZ || OtherInfo)
H is the message digest function SHA-1 [FIPS-180]
ZZ is the shared secret value computed in Section 2.1.1. Leading zeros
MUST be preserved, so that ZZ occupies as many octets as p. For
instance, if p is 1024 bits, ZZ should be 128 bytes long.
OtherInfo is the DER encoding of the following structure:
      OtherInfo ::= SEQUENCE {
        keyInfo KeySpecificInfo,
        partyAInfo [0] OCTET STRING OPTIONAL,
        suppPubInfo [2] OCTET STRING
      }

      KeySpecificInfo ::= SEQUENCE {
        algorithm OBJECT IDENTIFIER,
        counter OCTET STRING SIZE (4..4) }
Note that these ASN.1 definitions use EXPLICIT tagging. (In ASN.1,
EXPLICIT tagging is implicit unless IMPLICIT is explicitly
specified.)
algorithm is the ASN.1 algorithm OID of the CEK wrapping algorithm
with which this KEK will be used. Note that this is NOT an
AlgorithmIdentifier, but simply the OBJECT IDENTIFIER. No
parameters are used.
counter is a 32 bit number, represented in network byte order. Its
initial value is 1 for any ZZ, i.e. the byte sequence 00 00 00 01
(hex), and it is incremented by one every time the above key
generation function is run for a given KEK.
partyAInfo is a random string provided by the sender. In CMS, it is
provided as a parameter in the UserKeyingMaterial field (encoded as
an OCTET STRING). If provided, partyAInfo MUST contain 512 bits.
suppPubInfo is the length of the generated KEK, in bits, represented
as a 32 bit number in network byte order. E.g. for 3DES it would be
the byte sequence 00 00 00 C0.
To generate a KEK, one generates one or more KM blocks (incrementing
counter appropriately) until enough material has been generated. The
KM blocks are concatenated left to right, i.e. KM(counter=1) ||
KM(counter=2) || ...
Note that the only source of secret entropy in this computation is
ZZ. Even if a string longer than ZZ is generated, the effective key
space of the KEK is limited by the size of ZZ, in addition to any
security level considerations imposed by the parameters p and q.
However, if partyAInfo is different for each message, a different KEK
will be generated for each message. Note that partyAInfo MUST be used
in Static-Static mode, but MAY appear in Ephemeral-Static mode.
2.1.3. KEK Computation
Each key encryption algorithm requires a specific size key (n). The
KEK is generated by mapping the left n-most bytes of KM onto the key.
For 3DES, which requires 192 bits of keying material, the algorithm
must be run twice, once with a counter value of 1 (to generate K1',
K2', and the first 32 bits of K3') and once with a counter value of 2
(to generate the last 32 bits of K3'). K1', K2' and K3' are then parity
adjusted to generate the 3 DES keys K1, K2 and K3. For RC2-128, which
requires 128 bits of keying material, the algorithm is run once, with
a counter value of 1, and the left-most 128 bits are directly
converted to an RC2 key. Similarly, for RC2-40, which requires 40
bits of keying material, the algorithm is run once, with a counter
value of 1, and the leftmost 40 bits are used as the key.
2.1.4. Keylengths for common algorithms
Some common key encryption algorithms have KEKs of the following
lengths.
3-key 3DES 192 bits
RC2-128 128 bits
RC2-40 40 bits
RC2 effective key lengths are equal to RC2 real key lengths.
2.1.5. Public Key Validation
The following algorithm MAY be used to validate a received public key
y.
1. Verify that y lies within the interval [2,p-1]. If it does not,
the key is invalid.
2. Compute y^q mod p. If the result == 1, the key is valid.
Otherwise the key is invalid.
The primary purpose of public key validation is to prevent a small
subgroup attack [LAW98] on the sender's key pair. If Ephemeral-Static
mode is used, this check may not be necessary. See also [P1363] for
more information on Public Key validation.
Note that this procedure may be subject to pending patents.
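The ZZ computation of Section 2.1.1 together with the public key validation of Section 2.1.5, as an added example that is not part of the RFC. The group parameters P, Q, G are constructed toy values chosen only so that p = qj + 1 and g has order q; the function names are this example's own.

```python
import secrets

# Toy group, constructed for illustration and far too small for real use:
# p = q*j + 1 with q prime (j = 2), and g = h^((p-1)/q) mod p for h = 2,
# so g has order q (g^q mod p == 1).
P, Q, G = 23, 11, 4


def validate_group(p: int, q: int, g: int) -> bool:
    """Checks from Section 2.1.1: q divides p-1 and g != 1 has order q mod p."""
    return (p - 1) % q == 0 and g != 1 and pow(g, q, p) == 1


def validate_public_key(y: int, p: int, q: int) -> bool:
    """Section 2.1.5: y in [2, p-1] and y^q mod p == 1, otherwise the key is invalid."""
    if not 2 <= y <= p - 1:
        return False
    return pow(y, q, p) == 1


def generate_keypair(p: int, q: int, g: int):
    """Private key x in [1, q-1]; public key y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def shared_secret(x_own: int, y_peer: int, p: int, q: int) -> bytes:
    """ZZ = y_peer^x_own mod p, returned as an octet string as long as p (Section 2.1.2)."""
    if not validate_public_key(y_peer, p, q):
        raise ValueError("peer public key rejected: not in the order-q subgroup")
    zz = pow(y_peer, x_own, p)
    # Leading zeros preserved: ZZ occupies as many octets as p.
    return zz.to_bytes((p.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    assert validate_group(P, Q, G)
    xa, ya = generate_keypair(P, Q, G)
    xb, yb = generate_keypair(P, Q, G)
    # Both parties compute the same ZZ from their own private and the peer's public key.
    assert shared_secret(xa, yb, P, Q) == shared_secret(xb, ya, P, Q)
    # 22 == -1 mod 23 has order 2, not q: this is the kind of key the check rejects.
    print(validate_public_key(22, P, Q))  # False
```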
2.1.6. Example 1
ZZ is the 20 bytes 00 01 02 03 04 05 06 07 08 09
0a 0b 0c 0d 0e 0f 10 11 12 13
The key wrap algorithm is 3DES-EDE wrap.
No partyAInfo is used.
Consequently, the input to the first invocation of SHA-1 is:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ; ZZ
30 1d
30 13
06 0b 2a 86 48 86 f7 0d 01 09 10 03 06 ; 3DES wrap OID
04 04
00 00 00 01 ; Counter
a2 06
04 04
00 00 00 c0 ; key length
And the output is the 20 bytes:
a0 96 61 39 23 76 f7 04 4d 90 52 a3 97 88 32 46 b6 7f 5f 1e
The input to the second invocation of SHA-1 is:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ; ZZ
30 1d
30 13
06 0b 2a 86 48 86 f7 0d 01 09 10 03 06 ; 3DES wrap OID
04 04
00 00 00 02 ; Counter
a2 06
04 04
00 00 00 c0 ; key length
And the output is the 20 bytes:
f6 3e b5 fb 5f 56 d9 b6 a8 34 03 91 c2 d3 45 34 93 2e 11 30
Consequently,
K1'=a0 96 61 39 23 76 f7 04
K2'=4d 90 52 a3 97 88 32 46
K3'=b6 7f 5f 1e f6 3e b5 fb
Note: These keys are not parity adjusted
2.1.7. Example 2
ZZ is the 20 bytes 00 01 02 03 04 05 06 07 08 09
0a 0b 0c 0d 0e 0f 10 11 12 13
The key wrap algorithm is RC2-128 key wrap, so we need 128 bits (16
bytes) of keying material.
The partyAInfo used is the 64 bytes
01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
Consequently, the input to SHA-1 is:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ; ZZ
30 61
30 13
06 0b 2a 86 48 86 f7 0d 01 09 10 03 07 ; RC2 wrap OID
04 04
00 00 00 01 ; Counter
a0 42
04 40
01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01 ; partyAInfo
01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
a2 06
04 04
00 00 00 80 ; key length
And the output is the 20 bytes:
48 95 0c 46 e0 53 00 75 40 3c ce 72 88 96 04 e0 3e 7b 5d e9