rfc2631.txt

RFC 的详细文档！

   Consequently,
   K=48 95 0c 46 e0 53 00 75 40 3c ce 72 88 96 04 e0

2.2.  Key and Parameter Requirements

   X9.42 requires that the group parameters be of the form p=jq + 1
   where q is a large prime of length m and j>=2. An algorithm for
   generating primes of this form (derived from the algorithms in FIPS
   PUB 186-1[FIPS-186] and [X942]can be found in appendix A.

   X9.42 requires that the private key x be in the interval [2, (q -
   2)].  x should be randomly generated in this interval. y is then
   computed by calculating g^x mod p.  To comply with this memo, m MUST
   be >=160 bits in length, (consequently, q MUST be at least 160 bits
   long). When symmetric ciphers stronger than DES are to be used, a
   larger m may be advisable. p must be a minimum of 512 bits long.

2.2.1.  Group Parameter Generation

   Agents SHOULD generate domain parameters (g,p,q) using the following
   algorithm, derived from [FIPS-186] and [X942]. When this algorithm is
   used, the correctness of the generation procedure can be verified by
   a third party by the algorithm of 2.2.2.



Rescorla                    Standards Track                     [Page 7]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


2.2.1.1.  Generation of p, q

   This algorithm generates a p, q pair where q is of length m and p is
   of length L.

   1. Set m' = m/160 where / represents integer division with rounding
      upwards. I.e. 200/160 = 2.

   2. Set L'=  L/160

   3. Set N'=  L/1024

   4. Select an arbitrary bit string SEED such that the length of SEED
      >= m

   5. Set U = 0

   6. For i = 0 to m' - 1

        U = U + (SHA1[SEED + i] XOR SHA1[(SEED + m' + i)) * 2^(160 * i)

   Note that for m=160, this reduces to the algorithm of [FIPS-186]

        U = SHA1[SEED] XOR SHA1[(SEED+1) mod 2^160 ].

   5. Form q from U by computing U mod (2^m) and setting the most
      significant bit (the 2^(m-1) bit) and the least significant bit to
      1. In terms of boolean operations, q = U OR 2^(m-1) OR 1. Note
      that 2^(m-1) < q < 2^m

   6. Use a robust primality algorithm to test whether q is prime.

   7. If q is not prime then go to 4.

   8. Let counter = 0

   9. Set R = seed + 2*m' + (L' * counter)

   10. Set V = 0

   12. For i = 0 to L'-1 do

       V = V + SHA1(R + i) * 2^(160 * i)

   13. Set W = V mod 2^L

   14. Set X = W OR 2^(L-1)




Rescorla                    Standards Track                     [Page 8]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


   Note that 0 <= W < 2^(L-1) and hence X >= 2^(L-1)

   15. Set p = X - (X mod (2*q)) + 1

   6. If p > 2^(L-1) use a robust primality test to test whether p is
      prime. Else go to 18.

   17. If p is prime output p, q, seed, counter and stop.

   18. Set counter = counter + 1

   19. If counter < (4096 * N) then go to 8.

   20. Output "failure"

   Note: A robust primality test is one where the probability of a non-
   prime number passing the test is at most 2^-80. [FIPS-186] provides a
   suitable algorithm, as does [X942].

2.2.1.2.  Generation of g

   This section gives an algorithm (derived from [FIPS-186]) for
   generating g.

   1. Let j = (p - 1)/q.

   2. Set h = any integer, where 1 < h < p - 1 and h differs
      from any value previously tried.

   3. Set g = h^j mod p

   4. If g = 1 go to step 2

2.2.2.  Group Parameter Validation

   The ASN.1 for DH keys in [PKIX] includes elements j and validation-
   Parms which MAY be used by recipients of a key to verify that the
   group parameters were correctly generated. Two checks are possible:

     1. Verify that p=qj + 1. This demonstrates that the parameters meet
        the X9.42 parameter criteria.
     2. Verify that when the p,q generation procedure of [FIPS-186]
        Appendix 2 is followed with seed 'seed', that p is found when
        'counter' = pgenCounter.

     This demonstrates that the parameters were randomly chosen and
     do not have a special form.




Rescorla                    Standards Track                     [Page 9]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


   Whether agents provide validation information in their certificates
   is a local matter between the agents and their CA.

2.3.  Ephemeral-Static Mode

   In Ephemeral-Static mode, the recipient has a static (and certified)
   key pair, but the sender generates a new key pair for each message
   and sends it using the originatorKey production. If the sender's key
   is freshly generated for each message, the shared secret ZZ will be
   similarly different for each message and partyAInfo MAY be omitted,
   since it serves merely to decouple multiple KEKs generated by the
   same set of pairwise keys. If, however, the same ephemeral sender key
   is used for multiple messages (e.g. it is cached as a performance
   optimization) then a separate partyAInfo MUST be used for each
   message. All implementations of this standard MUST implement
   Ephemeral-Static mode.

   In order to resist small subgroup attacks, the recipient SHOULD
   perform the check described in 2.1.5. If an opponent cannot determine
   success or failure of a decryption operation by the recipient, the
   recipient MAY choose to omit this check. See also [LL97] for a method
   of generating keys which are not subject to small subgroup attack.

2.4.  Static-Static Mode

   In Static-Static mode, both the sender and the recipient have a
   static (and certified) key pair. Since the sender's and recipient's
   keys are therefore the same for each message, ZZ will be the same for
   each message. Thus, partyAInfo MUST be used (and different for each
   message) in order to ensure that different messages use different
   KEKs. Implementations MAY implement Static-Static mode.

   In order to prevent small subgroup attacks, both originator and
   recipient SHOULD either perform the validation step described in
   Section 2.1.5 or verify that the CA has properly verified the
   validity of the key.  See also [LL97] for a method of generating keys
   which are not subject to small subgroup attack.

Acknowledgements

   The Key Agreement method described in this document is based on work
   done by the ANSI X9F1 working group. The author wishes to extend his
   thanks for their assistance.

   The author also wishes to thank Stephen Henson, Paul Hoffman, Russ
   Housley, Burt Kaliski, Brian Korver, John Linn, Jim Schaad, Mark
   Schertler, Peter Yee, and Robert Zuccherato for their expert advice
   and review.



Rescorla                    Standards Track                    [Page 10]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


References

   [CMS]       Housley, R., "Cryptographic Message Syntax", RFC 2630,
               June 1999.

   [FIPS-46-1] Federal Information Processing Standards Publication
               (FIPS PUB) 46-1, Data Encryption Standard, Reaffirmed
               1988 January 22 (supersedes FIPS PUB 46, 1977 January
               15).

   [FIPS-81]   Federal Information Processing Standards Publication
               (FIPS PUB) 81, DES Modes of Operation, 1980 December 2.

   [FIPS-180]  Federal Information Processing Standards Publication
               (FIPS PUB) 180-1, "Secure Hash Standard", 1995 April 17.

   [FIPS-186]  Federal Information Processing Standards Publication
               (FIPS PUB) 186, "Digital Signature Standard", 1994 May
               19.

   [P1363]     "Standard Specifications for Public Key Cryptography",
               IEEE P1363 working group draft, 1998, Annex D.

   [PKIX]      Housley, R., Ford, W., Polk, W. and D. Solo, "Internet
               X.509 Public Key Infrastructure Certificate and CRL
               Profile", RFC 2459, January 1999.

   [LAW98]     L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstone,
               "An efficient protocol for authenticated key agreement",
               Technical report CORR 98-05, University of Waterloo,
               1998.

   [LL97]      C.H. Lim and P.J. Lee, "A key recovery attack on discrete
               log-based schemes using a prime order subgroup", B.S.
               Kaliski, Jr., editor, Advances in Cryptology - Crypto
               '97, Lecture Notes in Computer Science, vol. 1295, 1997,
               Springer-Verlag, pp. 249-263.

   [RFC2119]   Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119, March 1997.

   [X942]      "Agreement Of Symmetric Keys Using Diffie-Hellman and MQV
               Algorithms", ANSI draft, 1998.








Rescorla                    Standards Track                    [Page 11]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


Security Considerations

   All the security in this system is provided by the secrecy of the
   private keying material. If either sender or recipient private keys
   are disclosed, all messages sent or received using that key are
   compromised. Similarly, loss of the private key results in an
   inability to read messages sent using that key.

   Static Diffie-Hellman keys are vulnerable to a small subgroup attack
   [LAW98]. In practice, this issue arises for both sides in Static-
   Static mode and for the receiver during Ephemeral-Static mode.
   Sections 2.3 and 2.4 describe appropriate practices to protect
   against this attack. Alternatively, it is possible to generate keys
   in such a fashion that they are resistant to this attack. See [LL97]

   The security level provided by these methods depends on several
   factors. It depends on the length of the symmetric key (typically, a
   2^l security level if the length is l bits); the size of the prime q
   (a 2^{m/2} security level); and the size of the prime p (where the
   security level grows as a subexponential function of the size in
   bits).  A good design principle is to have a balanced system, where
   all three security levels are approximately the same. If many keys
   are derived from a given pair of primes p and q, it may be prudent to
   have higher levels for the primes. In any case, the overall security
   is limited by the lowest of the three levels.

Author's Address

   Eric Rescorla
   RTFM Inc.
   30 Newell Road, #16
   East Palo Alto, CA 94303

   EMail: ekr@rtfm.com

















Rescorla                    Standards Track                    [Page 12]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


Full Copyright Statement

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement


   Funding for the RFC Editor function is currently provided by the
   Internet Society.


















Rescorla                    Standards Track                    [Page 13]