%ents; ]>
Security Extensions Security extensions for Jabber/XMPP. &LEGALNOTICE; 0102 Deferred Standards Track Standards JIG None None None Not yet assigned Jean-Louis Seguineau jean-louis.seguineau@antepo.com jlseguineau@im.antepo.com 0.1 2003-06-25 jls Initial version.

While the benefits of IM are clear and compelling, the risks associated with sharing sensitive information in an IM environment are often overlooked. We need a mechanism that permits communities of users to protect their IM conversations. This document presents an extension protocol that can be incorporated into the existing XMPP protocol to provide such a mechanism.

In addition to its ability to protect instant message data, the proposed protocol may also serve as a foundation for securing other data transported via XMPP extensions.

TermDefinition
UserA user is simply any XMPP user. Users are uniquely identified by a JID; they connect to XMPP hosts using a XMPP node. Users produce and consume information, and we wish to provide them with mechanisms that can be used to protect this information.
CommunityA community is a collection of users who wish to communicate via XMPP. No restrictions or assumptions are made about the size of communities or the geographical, organizational, or national attributes of the members. Communities are assumed to be dynamic and ad-hoc. Users typically join communities by the simple act of invitation. All members of a community are assumed to be peers. The members of communities share information among themselves, and we wish to provide them with mechanisms that can permit information to only be shared by community members.
ConversationA conversation is the set of messages that flows among the members of a community via some network. Conversations consist of both the actual conversation data produced and consumed by the various users as well as the XMPP protocol elements that transport it. Members participate in a conversation when they are the source or destination of this traffic.
InitiatorThe initiator is the user who requested a security session negotiation. Initiator's are identified by their JID.
ResponderThe responder is the user who responded to a security session negotiation request. Responder's are identified by their JID.
Concatentation operatorThe '|' character is used in character or octet string expressions to indicate concatenation.
PFSPerfect Forward Secrecy. In cryptography, is said of a key-establishment protocol in which the compromise of a session key or long-term private key after a given session does not cause the compromise of any earlier session.
GRPThe definition of a Diffie-Hellman group length
DHxThe Diffie-Hellman ephemeral public keys for the initiator (x=i) and the responder (x=r)
KEYThe Diffie-Hellman ephemeral session secret that is agreed to during a key exchange negotiation.
CKYxA 64 bits pseudo-random number or cookie generated by the initiator (x=i) and responder (x=r) in the authenticated key exchange.
KEYIDThe concatenation of CKI-I and CKI-r and the domain of interpretation. It is the name of the keying material.
sKEYIDThis is the keying material named by KEYID. It is never transmitted but is used in the various calculations made by the exchanging parties.
EHAoA list of encryption/hash/authentication algorithms choices.
EHAsThe selected reference encryption/hash/authentication choice.
NxThe nonces selected by the initiator (x=i) and the responder (x=r)
JIDxThe identities of the initiator (x=i) and the responder (x=r)
E{value}KxThe encryption of value with the public key of the initiator (x=i) and the responder (x=r). Encryption is done using the algorithm associated with the authentication method. Usually this will be RSA
D{value}KxThe decryption of value with the public key of the initiator (x=i) and the responder (x=r). Decryption is done using the algorithm associated with the authentication method. Usually this will be RSA
S{value}KxThe signature of value with the private key of the initiator (x=i) and the responder (x=r). Signing is done using the algorithm associated with the authentication method. Usually this will be RSA or DSS
prf(a, b)The result of applying pseudo-random function "a" to data "b". One may think of "a" as a key or as a value that characterizes the function prf; in the latter case it is the index into a family of functions. Each function in the family provides a "hash" or one-way mixing of the input.
prf(0, b)The application of a one-way function to data "b". The similarity with the previous notation is deliberate and indicates that a single algorithm, e.g. MD5, might will used for both purposes. In the first case a "keyed" MD5 transform would be used with key "a"; in the second case the transform would have the fixed key value zero, resulting in a one-way function.
hmac(a, b)This indicates the HMAC algorithm. pseudo-random function "a" to data "b".

The proposed protocol is designed to address the specific requirements and considerations presented in this section.

A secure IM system must permit conversation participants to preserve the following properties of their conversation data:

PropertyDescription
confidentialityConversation data must only be disclosed to authorized recipients
integrityConversation data must not be altered
data origin authenticationRecipients must be able to determine the identity of the sender and trust that the message did, in fact, come from the sender. It is important to note that this requirement does not include the requirement of a durable digital signature on conversation data.
replay protectionRecipients must be able to detect and ignore duplicate conversation data.

These are established, traditional goals of information security applied to the conversation data. In the IM environment, these goals protect against the following attacks:

  • eavesdropping, snooping, etc.
  • masquerading as a conversation participant
  • forging messages

Preserving the availability of conversation data is not addressed by this protocol.

Finally, note that this protocol does not concern any authentication between an XMPP node and an XMPP host.

A secure IM system must support a data classification feature through the use of security labeling. Conversation participants must be able to associate a security label with each piece of conversation data. This label may be used to specify a data classification level for the conversation data.

It is easy to imagine XMPP systems in which the servers play active, fundamental roles in the protection of conversation data. Such systems could offer many advantages, like:

  • allowing the servers to function as credential issuing authorities,
  • allowing the servers to function as policy enforcement points.

Unfortunately, such systems have significant disadvantages when one considers the nature of instant messaging:

  • Many servers may be un-trusted, public servers.
  • In many conversation communities, decisions of trust and membership can only be adequately defined by the members themselves.
  • In many conversation communities, membership in the community changes in real time based upon the dynamics of the conversation.
  • In many conversation communities, the data classification of the conversation changes in real time based upon the dynamics of the conversation.

Furthermore, the use of gateways to external IM systems is a further complication.

Based on this analysis, we propose that security be entirely controlled in an end to end fashion by the conversation participants themselves via their user agent software.

Similarly, we believe that trust decisions are in the hands of the conversation participants. A security protocol and appropriate user agents must provide a mechanism for them to make informed decisions.

One of the accepted axioms of security is that people must avoid the temptation to start from scratch and produce new, untested algorithms and protocols. History has demonstrated that such approaches are likely to contain flaws and that considerable time and effort are required to identify and address all of these flaws. Any new security protocol should be based on existing, established algorithms and protocols.

Any new IM security protocol must integrate smoothly into the existing IM environment, and it must also recognize the nature of the transactions performed by conversation participants. These considerations are especially important:

  • dynamic communities. The members of a community are defined in near real time by the existing members.
  • dynamic conversations. Conversations may involve any possible subset of the entire set of community members.

Addressing these considerations becomes especially crucial when selecting a conference keying mechanism.

Given the requirement to place the responsibility for the protection of conversation data in the hands of the participants, it is imperative to address some fundamental usability issues:

  • Overall ease of use is a requirement. For protocol purposes, one implication is that some form of authentication via passphrases is necessary. While we recognize that this can have appalling consequences, especially when we realize that a passphrase may be shared by all of the community members, we also recognize its utility.
  • PKIs are well established in many large organizations, and some communities will prefer to rely on credentials issued from these authorities. We must allow the use of existing PKI credentials and trust models rather than impose closed, XMPP-specific credentials.
  • Performance must not be negatively impacted. This is particularly true if we consider that most communities are composed of human users conversing in real time. For protocol purposes, one obvious implication is the desire to minimize computationally expensive public key operations.

To successfully integrate into the existing XMPP environment, an extension protocol for security must satisfy the following:

  • It must be an optional extension of the existing XMPP protocol.
  • It must be transparent to existing XMPP servers.
  • It must function gracefully in cases where some community members are not running a user agent that supports the protocol.
  • It must make good use of XML.
  • It must avoid encumbered algorithms.
  • It must be straightforward to implement using widely available cryptographic toolkits.
  • It must not require a PKI.

Since cryptographic operations are applied to data that is transported within an XML stream, the protocol defines a set of rules to ensure a consistent interpretation by all conversation participants.

Binary data, such as the result of an HMAC, is always transported in an encoded form; the only supported encoding scheme is base64.

Senders MAY include arbitrary white space within the character stream. Senders SHOULD NOT include any other characters outside of the encoding set.

Receivers MUST ignore all characters not in the encoding set.

Encrypted data is always transported in an encoded form; the only supported encoding scheme is base64.

Senders MAY include arbitrary white space within the character stream. Senders SHOULD NOT include any other characters outside of the encoding set.

Receivers MUST ignore all characters not in the encoding set.

HMACs are computed over a specific collection of attribute values and character data; when computing an HMAC the following rules apply:

  • All characters MUST be HMACed in their pure Unicode form encoded in UTF-16.
  • The octets in each character MUST be processed in network byte order.
  • For a given element, the attribute values that are HMACed MUST be processed in the specified order regardless of the order in which they appear in the element tag.
  • For each attribute value, the computation MUST only include characters from the anticipated set defined in this specification; in particular, white space MUST always be ignored.
  • For character data that is represented in a base64 encoded form, the computation MUST only include valid characters from the encoding set.

The following algorithm is used to encrypt a character string:

  • The character string MUST be represented in Unicode encoded in UTF-16.
  • The octets in each character MUST be processed in network byte order.
  • Appropriate cryptographic algorithm parameters, such as an IV for a block cipher, are generated.
  • The octet string derived from the character string is padded with up to 256 octets of arbitrary padding data. There MUST be at least one padding octet. The last octet of the padding MUST indicate the number of preceeding octets in the stream. All padding octets except the last octet SHOULD be randomly generated. When block ciphers are used, the padding MUST result in a stream of octets that is a multiple of the cipher's block size.

When used to extend existing XMPP construct, the container element is an <x/> element. Each <x/> element could have one <SecurityAssociation/> to refer to a particular security session, one <KeyAgreement/> element which would contain the information for an an exchange of keys. The <x/> element could have its content authenticated by one <Signature/> element which contains the information about signature of information exchanged between two nodes. The <x/> element may contains one <KeyTransport/> element which contains the information about keys to be securely exchanged between two nodes.

When used in an IQ XMPP construct, the container element is a <query/> element. Each <query/> element could have one <SecurityAssociation/> to refer to a particular security session, one <KeyAgreement/> element which would contain the information for an an exchange of keys. The <query/> element could have its content authenticated by one <Signature/> element which contains the information about signature of information exchanged between two nodes. The <query/> element may contains one <KeyTransport/> element which contains the information about keys to be securely exchanged between two nodes.

Each <SecurityAssociation/> element may have <DigestMethod/>, <EncryptionMethod/> and <SignatureMethod/> elements to specify the actual algorithms set that will be used in a key exchange.

Each <KeyAgreement/> element may have a <DHKeyValue/> and a < DHParamters/> elements to specify the actual data and parameters used in the key exchange. It may also contain a <KA-Nonce/> element to specify a nonce to be used in a key exchange.

AttributeMeaning
idThe id attribute hold the agreement or security association ID, when present.
lengthThe length attribute hold the require number of bits in the prime number used to generate the DH key pair.
ElementMeaning
SecurityAssociationThe <SecurityAssociation/> tag is used to encapsulate EncryptionMethod, DigestMethod, SignatureMethod data. It is used as a container for the different algorithm definition that are negotiated for the session.
AgreementMethodThe <AgreementMethod/> tag is an optional element that identifies the key agreement algorithm to be applied to an object.
DigestMethodThe <DigestMethod/> tag is an optional element that identifies the digest algorithm to be applied to an object.
DigestValueThe <DigestValue/> tag is an optional element that contains the encoded value of a digest.
EncryptionMethodThe <EncryptionMethod/> tag is an optional element that describes the encryption algorithm applied to the cipher data. If the element is absent, the encryption algorithm must be known by the recipient or the decryption will fail.
SignatureThe <Signature/> tag is used to encapsulate signature data. It is used as a container of other XML structures that could come from any namespace.
SignatureMethodThe <SignatureMethod/> tag is an optional element that specifies the algorithm used for signature generation and validation.
SignatureValueThe <SignatureValue/> tag is an optional element that contains the encoded value of a signature.
SignedInfoThe <SignedInfo/> tag includes the canonicalization algorithm, a signature algorithm, and one or more references. The SignedInfo element may contain an optional ID attribute that will allow it to be referenced by other signatures and objects. It is in the http://www.w3.org/2000/09/xmldsig# namespace.
KA-NonceThe <KA-Nonce/> tag is an optional element under <KeyAgreement/> to assure that different keying material is generated even for repeated agreements using the same sender and recipient public keys.
KeyAgreementThe <KeyAgreement/> tag is used to encapsulate key agreement data. It is used as a container of other XML structures that could come from external namespace.
KeyInfoThe <KeyInfo/> tag is used to encapsulate key information data. It enables the recipient to obtain the key needed to validate a signature. <KeyInfo/> may contain keys, names, certificates and other public key management information, such as in-band key distribution or key agreement data. It is used as a container of other XML structures that could come from external namespace.
OriginatorKeyInfoThe <OriginatorKeyInfo/> tag is used to encapsulate originator key information data in a key agreement. It is of type <KeyInfo/> and used as a container of other XML structures that could come from external namespace.
RecipientKeyInfoThe <RecipientKeyInfo/> tag is used to encapsulate recipient key information data in a key agreement. It is It is of type <KeyInfo/> and used as a container of other XML structures that could come from external namespace.
KeyNameThe <KeyName/> tag is an optional element of <KeyInfo/> and contains a string value (in which white space is significant) which may be used to communicate a key identifiert to the recipient.
KeyValueThe <KeyValue/> tag contains a single public key that may be useful in validating a signature. The KeyValue element may include externally defined public keys values represented as PCDATA or element types from an external namespace
KeyTransportThe <KeyTransport/> tag is used to encapsulate transported key data. It is used as a container of other XML structures that could come from any namespace.
CarriedKeyNameThe <CarriedKeyName/> tag is optional and used to specified the name of the transported key.
DHKeyValueThe <DHKeyValue/> tag is used to encapsulate a Diffie-Hellman key agreement content. It is designed to follow the XML digital signature standard.
DHParametersThe <DHParameters/> tag is used to to encapsulate a Diffie-Hellman key exchange parameters.
PublicThe <Public/> tag is holding the actual content of a Diffie-Hellman public key.
X509DataThe <X509Data/> tag is an optional element holding one or more identifiers of keys or X509 certificates, or certificates' identifiers or a revocation list. It is in the http://www.w3.org/2000/09/xmldsig# namespace.
PGPDataThe <PGPData/> tag is an optional element used to convey information related to PGP public key pairs and signatures on such keys. It is in the http://www.w3.org/2000/09/xmldsig# namespace.
DSAKeyValueThe <DSAKeyValue/> tag is optional and defines a DSA public key inside a <KeyInfo/> element. It is in the http://www.w3.org/2000/09/xmldsig# namespace.
RSAKeyValueThe <RSAKeyValue/> tag is optional and defines a RSA public key inside a <KeyInfo/> element. It is in the http://www.w3.org/2000/09/xmldsig# namespace.
ElementAttributeValueMeaning
KeyAgreementidCDATAThe agreement ID
lengthnullCDATAThe length of the prime number to be used by default is 768 bits. The length of the prime number to be usedas defined in the IKE Diffie-Hellman groups.
SecurityAssocitationidCDATAThe security association ID or cookie for a party in the negotiation.
AgreementMethodAlgorithmCDATAThe algorythm URI for the key agreement.
DigestMethodAlgorithmCDATAThe algorythm URI for the digest.
EncryptionMethodAlgorithmCDATAThe algorythm URI for the encryption.
SignatureMethodAlgorithmCDATAThe algorythm URI for the signature.

The base key agreement (BKE) is an implementation of the "Diffie-Hellman Method For Key Agreement" (DH). It allows two nodes to create and share a secret key.

DH is not an encryption mechanism as we normally think of them, in that we do not typically use it to encrypt data. Instead, it is a method to securely exchange the keys that encrypt data. DH accomplishes this secure exchange by creating a "shared secret", sometimes called a "key encryption key", between two nodes. The shared secret then encrypts the symmetric key, or "data encryption key" - DES, Triple DES, CAST, IDEA, Blowfish, etc, for secure transmission.

Two nodes intending to agree on a secret key shall employ the first phase of the agreement independently to produce the public values outputs PV and PV'. The nodes shall exchange the outputs.

The nodes shall then employ the second phase independently with the other nodes's public value as input. The mathematics of Diffie-Hellman key agreement ensure that the resulting outputs SK of the second phase are the same for both entities.

1) First the nodes must get the "Diffie-Hellman parameters". A prime number, 'p' (larger than 2) and "base", 'g', an integer that is smaller than 'p'. They can either be hard coded or fetched from a server.

Diffie-Hellman groups are used to determine the length of the base prime numbers used during the key exchange. The strength of any key derived depends in part on the strength of the Diffie-Hellman group the prime numbers are based on:

  • Group 2 (medium) is stronger than Group 1 (low). Group 1 will provide 768 bits of keying material, while Group 2 will provide 1,024 bits. If mismatched groups specified on each peer, negotiation will fail. The group cannot be switched during the negotiation.
  • A larger group results in more entropy and therefore a key which is harder to break.

2) The nodes each secretly generate a private number called 'x', which is less than "p - 1".

3) The nodes next generate the ephemeral public keys, 'y'. They are created with the function:

y = g^x mod p

4) The two nodes now exchange the public keys ('y') and the exchanged numbers are converted into a secret key, 'z'.

z = y^x mod p

'z' can now be used as the key for whatever encryption method is used to transfer information between the two nodes. Mathematically, the two nodes should have generated the same value for 'z'.

z = (g^x mod p)^x' mod p = (g^x' mod p)^x mod p

All of these numbers are positve integers

x^y means: x is raised to the y power

xmody means: x is divided by y and the remainder is returned

Suppose two nodes want to agree on a shared secret key to exchange information securely, they will exchange their public keys in order to encrypt that information. To this goal, the transport XMPP packet SHOULD include an extension of the form:

]]>

In this extension, the only negotiable parameter is the key length that is passed in the length attribute of the <KeyAgreement/> tag. The length attribute is used to retrieve the DH parameter group and the associated prime and generator values. We are using DH groups derived from the Internet Key Exchange protocol (IKE) which is used by IPSec. A summary of these groups and the associated parameters are described later in this document.

An example of using this agreement is to send encrypted password on the wire when registering a new user. Registration is the only time a password needs to be exchanged between an XMPP server and a client. Once that has been carried out, then every authentication can be done through digest.

The client uses an empty <x/> element in the request to signal that it supports the XMPP security extension.

The flow between client and server will look like:

]]>

The server will reply to the request by sending out its own ephemeral public key inside the <x/> extension.

encoded server public key ]]>

The client then generate its own public key, calcultate the shared secret according to the DH method and uses it to encrypt the password accordingly. It includes its own ephemeral public key into the reply to the server inside the <x/> extension.

username encrypted password encoded client public key ]]>

The server now calculates the shared secret according to the DH method and uses its private key to decrypt the password.

]]>

The Diffie-Hellman key agreement algorithm [10] provides a mechanism to allow key establishment in a scalable and secure way. It allows two parties to agree on a shared value without requiring encryption. An Authenticated Key Agreement (AKE) is a secure protocol ensuring that in addition to securely sharing a secret, the two parties can be certain of each other’s identities, even when an active attacker exists.

This AKE uses a hybrid protocol derived from the Internet Key Exchange (IKE) [1] and the OAKLEY key determination protocol [2]. The purpose is to negotiate and provide authenticated key material for security association (SA) in a protected manner. The basic mechanism is the Diffie-Hellman Key Exchange. It provides the following addition to base key agreement:

  • it uses weak address validation mechanism (cookies) to avoid denial of service attacks.
  • it provides negotiation of mutually agreeable supporting algorithm for the protocol, such as the encryption method, the key derivation method and the authentication method.
  • the authentication does not depend on encryption using the DH exponentials, but instead validates the binding of the exponential to the identities of the parties.
  • it does not require the computation of the shared exponential before the authentication.
  • it provides additional security to the derivation of encryption keys, as it is made to depend not only of the DH algorithm but also on the cryptographic method used to securely authenticate the parties to each other.

This key agreement protocol is used to establish a shared key with an assigned identifier and associated identities for two parties. The resulting common keying information state comprise a key name, secret keying material, the identification of the two parties, and three algorithms for use during authentication:

  • encryption for privacy,
  • hashing for protecting the integrity of message and for authentication of message fields
  • authentication to mutually authenticate the parties

The anti clogging tokens, or cookies, provide a weak form of source address identification for both parties. The cookies exchange can be completed before they perform the expensive computations later in the protocol. The cookies are used also for key naming.

  • The construction of the cookies is implementation dependent. It is recommended to make them the result of a one-way function applied to a secret value (changed periodically), and the local and remote addresses. In this way, the cookies remain stateless and expire periodically. Note that this would cause the KEYID's derived from the secret value to also expire, necessitating the removal of any state information associated with it.
  • The encryption functions must be cryptographic transforms which guarantee privacy and integrity for the message data. They include any that satisfy this criteria and are defined for use with RFC2406 [3].
  • The one-way hash functions must be cryptographic transform which can be used as either keyed hash (pseudo-random) or non keyed transforms. They include any that are defined for use with RFC2406 [3].
  • Where nonces are indicated they will be variable precision integers with an entropy value that match the strength attribute of the DH group used in the exchange.

The main exchange has three optional features:

  • stateless cookie exchange,
  • perfect forward secrecy for the keying material,
  • use of signatures (for non-repudiation).

The two parties can use any combination of these features. The general outline of processing is that the Initiator of the exchange begins by specifying as much information as he wishes in his first message. The Responder replies, supplying as much information as he wishes. The two sides exchange messages, supplying more information each time, until their requirements are satisfied.

The choice of how much information to include in each message depends on which options are desirable. For example, if stateless cookies are not a requirement, and perfect forward secrecy for the keying material are not requirements, and if non- repudiatable signatures are acceptable, then the exchange can be completed in three messages. Additional features may increase the number of roundtrips needed for the keying material determination.

The three components of the key determination are:

  • Cookies exchange
  • DH half key exchange
  • Authentication

The initiator can supply as little information as a bare exchange request, carrying no additional information. On the other hand the initiator can begin by supplying all the necessary information for the responder to authenticate the request and complete the key determination quickly, if the responder choose to accept this method. If not the responder can reply with a minimum amount of information.

The following example indicates how two parties can complete a key exchange in three messages. The identities are not secret, the derived keying material is protected by PFS.

By using digital signatures, the two parties will have a proof of communication that can be recorded and presented later to a third party.

The keying material implied by the group exponentials is not needed for completing the exchange. If it is desirable to defer the computation, the implementation can save the "x" and "g^y" values and mark the keying material as "uncomputed". It can be computed from this information later.

InitiatorMessage contentResponder
GRP, CKYi, DHi, EHAo, JIDi, JIDr, Ni, S{JIDi | JIDr | CKYi | 0 | Ni | 0 | GRP | DHi | 0 | EHAo}Ki
GRP, CKYr, DHr, EHAs, JIDi, JIDr, Nr, S{JIDr | JIDi| | CKYr | CKYi | Nr | Ni | GRP | DHr | DHi | EHAs}Kr
GRP, CKYi, CKYr, DHi, EHAs, JIDi, JIDr, Ni, Nr, S{JIDi | JIDr | CKYr | CKYi | Ni | Nr | GRP | DHi | DHr | EHAs}KEY

The result of this exchange is a key with :

  • KEYID = CKYi | CKYr
  • sKEYID = prf(Ni | Nr, KEY | CKYi | CKYr).

The Aggressive Mode example is written to suggest that public key technology is used for the signatures. However, a pseudorandom function can be used, if the parties have previously agreed to such a scheme and have a shared key.

If the first proposal in the EHAo list is an "existing key" method, then the KEYID named in that proposal will supply the keying material for the "signature" which is computed using the "H" algorithm associated with the KEYID.

In this exchage the two parties are minimally aggressive; they use the cookie exchange to delay creation of state, and they use perfect forward secrecy to protect the identities.

They use public key encryption for authentication; digital signatures or pre-shared keys can also be used. The Main mode does not change the use of nonces, prf's, etc., but it does change how much information is transmitted in each message.

The responder considers the ability of the initiator to repeat CKYr as weak evidence that the message originates from a "live" correspondent on the network and the correspondent is associated with the initiator's network address.

The initiator makes similar assumptions when CKYi is repeated to the initiator. All messages must have valid cookies or at least one zero cookie. If both cookies are zero, this indicates a request for a cookie; if only the initiator cookie is zero, it is a response to a cookie request.

Information in messages violating the cookie rules cannot be used for any operations. Note that the Initiator and Responder must agree on one set of EHA algorithms; there is not one set for the Responder and one for the Initiator. The Initiator must include at least MD5 and DES in the initial offer.

InitiatorMessage contentResponder
CKYi, DHi, EHAo, JIDi, JIDr
CKYr, DHr, EHAs, JIDi, JIDr
GRP, CKYi, CKYr, DHi, EHAs, JIDi, JIDr, E{Ni}KEY
GRP, CKYi, CKYr, DHr, JIDi, JIDr, E{Ni | Nr}KEY, prf(Kir, JIDr | JIDi | GRP | DHr | DHi | EHAs )
GRP, CKYi, CKYr, DHi, JIDi, JIDr, prf(Kir, JIDi | JIDr | GRP | DHi | DHr | EHAs )

Where Kir = prf(0, Ni | Nr)

The result of this exchange is a key with :

  • KEYID = CKYi | CKYr
  • sKEYID = prf(Kir, KEY | CKYi | CKYr).

The keying material computed by the key exchange should have at least 90 bits of entropy, which means that it must be at least 90 bits in length. This may be more or less than is required for keying the encryption and/or pseudorandom function transforms.

The transforms used should have auxiliary algorithms which take a variable precision integer and turn it into keying material of the appropriate length. The result of either Main Mode or Aggressive Mode is three groups of authenticated keying material:

ContextKeying Material
DigestsKEYID_d = prf(sKEYID, KEY | CKYi | CKYi | 0)
AuthenticationsKEYID_a = prf(sKEYID, SKEYID_d | KEY | CKYi | CKYr | 1)
EncryptionsKEYID_e = prf(sKEYID, SKEYID_a | KEY | CKYi | CKYr | 2)

and agreed upon policy to protect further communications. The values of 0, 1, and 2 above are represented by a single octet. The key used for encryption is derived from sKEYID_e in an algorithm-specific manner.

Encryption keys used to protect the SA are derived from sKEYID_e in an algorithm-specific manner. When SKEYID_e is not long enough to supply all the necessary keying material an algorithm requires, the key is derived from feeding the results of a pseudo-random function into itself, concatenating the results, and taking the highest necessary bits.

For example, if the (ficticious) algorithm MYALGO requires 320-bits of key, and the prf used to generate sKEYID_e only generates 120 bits of material, the key for MYALGO, would be the first 320-bits of Ka, where:

Ka = K1 | K2 | K3 | ...

And

  • K1 = prf(sKEYID_e, 0)
  • K2 = prf(sKEYID_e, K1)
  • K3 = prf(sKEYID_e, K2)
  • ...

prf is the HMAC version of the negotiated hash function and 0 is represented by a single octet. Each result of the prf provides 120 bits of material for a total of 360 bits. MYALGO would use the first 320 bits of that 360 bit string.

The intitiator uses a <SecurityAssociation/> element in the request to list all the EHA algorithms that it supports. In addition it provides its own DH ephemeral public key.

  • The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  • The initiator cookie is prepared by generating a string of 32 random octets (64 random bits). The cookie resulting octets are then encoded into a string of hex characters. The generated value is used as the originator key name for the security association.
  • The available set of confidentiality and HMAC cryptographic algorithms is selected. The manner in which these algorithms are selected and all related policy issues are outside the scope of this specification.
  • The available set of authentication algorithms is selected. The manner in which these algorithms are selected and all related policy issues are outside the scope of this specification. When the digital signature form of authentication is selected, the relevant end-entity certificate and, optionally, a chain of CA certificates representing a validation path, is assembled and encoded. A set of trusted CA certificates MAY optionally be included via caCertificate elements; if so, the set MUST include the issuer of the initiator's end-entity certificate.

These values are then used to prepare the XML element; this element is transmitted via the existing XMPP iq mechanism:

A32F...245A ]]>

The responder will reply to the request by sending out its own selcted EHA algorithms that will be used in the remainign transaction.

  • The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  • The responder cookie is prepared by generating a string of 32 random octets (64 random bits). The cookie resulting octets are then encoded into a string of hex characters. The generated value is used as the recipient key name for the security association..
  • The algorithms attributes are checked against the values supported by the user agent. If the receiver is not able to select one set out of the proposed algorithms, an error code 406-Unacceptable is returned.
  • The desired confidentiality and HMAC cryptographic algorithms are selected from the proposed set. The manner in which these algorithms are selected and all related policy issues are outside the scope of this specification.
  • The desired authentication algorithm is selected from the proposed set. The manner in which this algorithm is selected and all related policy issues are outside the scope of this specification. In the digital signature case, the responder's end-entity certificate MUST be issued by one of the trusted CAs listed in the session1 PDU or by the same issuer as the initiator's end-entity certificate. If the responder does not have acceptable credentials, an error code of 401-Unuthorized occurs.
A32F...245A 324A...BF24 ]]>

The intitiator provides its own DH ephemeral public key.

  • The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  • The initator and responder cookies are used as the originator key name and the recipient key name for the security association..
  • A Diffie-Hellman group is selected. The appropriate values for g and p will be used to generate the initiator's public key.
  • An ephemeral private key, x, is generated using g and p for the selected group. This key MUST be generated using an appropriate random number source. The corresponding public key, g^x, is generated and encoded.
A32F...245A 324A...BF24 ... encoded initiator public key ]]>

The responder check the validity of the parameters and eventualy replies with its own DH ephemeral public key.

  • The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  • The initator and responder cookies are checked; a mismatch results in an error code of 406 - Unacceptable .
  • The Diffie-Hellman group is checked against the values supported by the user agent. An unsupported group results in an error code of 406 - Unacceptable
  • An ephemeral private key, y, is generated using g and p for the group indicated by the PDU. This key MUST be generated using an appropriate random number source. The corresponding public key, g^y, is generated and encoded.
A32F...245A 324A...BF24 ... encoded initiator public key ]]>

The intitiator provides its nonce encrypted with the agreed algorithm and the public key of the responder.

  • The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  • The initator and responder cookies are checked; a mismatch results in the procedure being aborted.
  • The initiator nonce is prepared by first generating a string of 20 random octets (160 random bits). The nonce is then encrypted using the selected encryption algorithm and the shared secret key. The resulting octets are then encoded into a string of base64 characters.
A32F...245A 324A...BF24 ... encoded encrypted initiator nonce ]]>

The responder replies with the concatenation of its own nonce and the initiator nonce encrypted with the agreed algorithm and the public key of the initiator. The packet is authenticated using the agreed signature algorithm.

  • The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  • The initator and responder cookies are checked; a mismatch results in an error code of 401 - Unauthorized.
  • The initiator nonce is decrypted using the responder private key.
  • The responder nonce is prepared by first generating a string of 20 random octets (160 random bits). It is then apended to the initiator nonce and the result encrypted using the selected encryption algorithm and the shared secret key. The resulting octets are then encoded into a string of base64 characters.
  • Based on the selected authentication algorithm, the responder's authenticator is constructed. A digital signature requires calculating:
  1. Kir = hmac (0, initiator's nonce | responder's nonce)
  2. EHAs = (Encryption algorithm URI | Digest algorithm URI | Signature algorithm URI)
  3. HASH_R = hmac (Kir, JID responder | JID initiator | length of DH group | responder DH public key | initiator DH public key | EHAs)
  • HASH_R is encoded in base64.
A32F...245A 324A...BF24 ... encoded encrypted responder nonce ... encoded signature value ]]>

The initiator authenticate the keying material using the agreed signature algorithm.

  • The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  • The initator and responder cookies are checked; a mismatch results in the procedure being aborted.
  • The concatenation of the responder and initiator nonce is decrypted using the initiator private key. The original initiator nonce is compared to the result. An invalid nonce results in aborting the procedure. Otherwise the result is used to generate Kir
  • Based on the selected authentication algorithm, the responder's authenticator is constructed. A digital signature requires calculating:
  1. Kir = hmac (0, initiator's nonce | responder's nonce)
  2. EHAs = (Encryption algorithm URI | Digest algorithm URI | Signature algorithm URI)
  3. HASH_R = hmac (Kir, JID responder | JID initiator | length of DH group | responder DH public key | initiator DH public key | EHAs)
  • The authenticator is verified. A failure results in aborting the procedure.
  • Based on the selected authentication algorithm, the initiator’s authenticator is constructed. A digital signature requires calculating:
  1. HASH_I = hmac (Kir, JID initiator | JID responder | length of DH group | initiator DH public key | responder DH public key | EHAs)
A32F...245A 324A...BF24

... encoded signature value

]]>

The responder acknowledge the keying material.

  • The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  • The initator and responder cookies are checked; a mismatch results in an error code of 401 - Unauthorized.
  • Based on the selected authentication algorithm, the initiator's authenticator is constructed. A digital signature requires calculating:
  1. HASH_I = hmac (Kir, JID initiator | JID responder | length of DH group | initiator DH public key | responder DH public key | EHAs)
  • The authenticator is verified. A failure results in an error code of 406 - Unacceptable.
]]>

The intitiator uses <SecurityAssociation/> element in the request to list all the EHA algorithms that it supports. In addition it provides its own DH ephemeral public key. The message is signed with its own private key.

  • The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  • The initiator cookie is prepared by generating a string of 32 random octets (64 random bits). The cookie resulting octets are then encoded into a string of hex characters. The generated value will be used as identifier for the initiator leg of the security association.
  • The available set of confidentiality and HMAC cryptographic algorithms is selected. The manner in which these algorithms are selected and all related policy issues are outside the scope of this specification.
  • The available set of authentication algorithms is selected. The manner in which these algorithms are selected and all related policy issues are outside the scope of this specification. When the digital signature form of authentication is selected, the relevant end-entity certificate and, optionally, a chain of CA certificates representing a validation path, is assembled and encoded. A set of trusted CA certificates MAY optionally be included via caCertificate elements; if so, the set MUST include the issuer of the initiator's end-entity certificate.
  • A Diffie-Hellman group is selected. The appropriate values for g and p will be used to generate the initiator's public key.
  • An ephemeral private key, x, is generated using g and p for the selected group. This key MUST be generated using an appropriate random number source. The corresponding public key, g^x, is generated and encoded.
  • The initiator nonce is prepared by first generating a string of 20 random octets (160 random bits). The resulting octets are then encoded into a string of base64 characters.
  • Based on the selected authentication algorithm, the initiator's authenticator is constructed. A digital signature requires calculating:
  1. EHAs = (Encryption algorithm URI | Digest algorithm URI | Signature algorithm URI)
  2. SIGN_I = S (JID initiator | JID responder | initiator cookie | 0 | initiator nonce | 0 | length of DH group | initiator DH public key | 0 | EHAs) initiator private key
  • SIGN_I is encoded in base64.
A32F...245A

... encoded initiator public key value

... encoded initiator public key

... encoded initiator nonce value>

... encoded initiator signature value

]]>

The responder will reply to the request by acknowledging the selected EHA algorithms. In addition, it provides its own DH ephemeral public key. The message is signed with its own private key.

  • The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  • The Diffie-Hellman group is checked against the values supported by the user agent. An unsupported group results in an error code of 406 - Unacceptable
  • Based on the selected authentication algorithm, the initiator's authenticator is constructed. A digital signature requires calculating:
  1. EHAs = (Encryption algorithm URI | Digest algorithm URI | Signature algorithm URI)
  2. SIGN_I = S (JID initiator | JID responder | initiator cookie | 0 | initiator nonce | 0 | length of DH group | initiator DH public key | 0 | EHAs) initiator public key
  • The authenticator is verified. A failure results in an error code of 401 - Unauthorized.
  • The responder cookie is prepared by generating a string of 32 random octets (64 random bits). The cookie resulting octets are then encoded into a string of hex characters. The generated value will be used as identifier for the responder leg of the security association.
  • An ephemeral private key, y, is generated using g and p for the group indicated by the PDU. This key MUST be generated using an appropriate random number source. The corresponding public key, g^y, is generated and encoded.
  • The responder nonce is prepared by first generating a string of 20 random octets (160 random bits). The resulting octets are then encoded into a string of base64 characters.
  • Based on the selected authentication algorithm, the responder's authenticator is constructed. A digital signature requires calculating:
  1. SIGN_R = S (JID responder | JID initiator | responder cookie | initiator cookie | responder nonce | initiator nonce | length of DH group | responder DH public key | initiator DH public key | EHAs) responder private key
  • SIGN_R is encoded in base64.
A32F...245A 324A...BF24

... encoded responder public key value

... encoded responder public key

... encoded responder nonce value>

... encoded responder signature value

]]>

The initiator authenticate the keying material using the agreed signature algorithm.

  • The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  • Based on the selected authentication algorithm, the initiator's authenticator is constructed. A digital signature requires calculating:
  1. EHAs = (Encryption algorithm URI | Digest algorithm URI | Signature algorithm URI)
  2. SIGN_R = S (JID responder | JID initiator | responder cookie | initiator cookie | responder nonce | initiator nonce | length of DH group | responder DH public key | initiator DH public key | EHAs) responder public key
  • The authenticator is verified. A failure results in the procedure being aborted.
  • Based on the selected authentication algorithm, the authenticator is constructed. A digital signature requires calculating:
  1. SIGN_I = S (JID initiator | JID responder | initiator cookie | responder cookie | initiator nonce | responder nonce | length of DH group | initiator DH public key | responder DH public key | EHAs) shared secret key
  • SIGN_I is encoded in base64.
A32F...245A 324A...BF24

... encoded signature value

]]>

The responder acknowledge the keying material.

  • The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  • Based on the selected authentication algorithm, the initiator's authenticator is constructed. A digital signature requires calculating:
  1. EHAs = (Encryption algorithm URI | Digest algorithm URI | Signature algorithm URI)
  2. SIGN_I = S (JID initiator | JID responder | initiator cookie | responder cookie | initiator nonce | responder nonce | length of DH group | initiator DH public key | responder DH public key | EHAs) shared secret key
  • The authenticator is verified. A failure results in an error code of 406 - Unacceptable.
]]>

Conversation keys are transported using the symmetric key wrap feature of XML Encryption embedded in the KeyTransport PDU.

Key transport follow a previous Security Association establishment and the generation of a shared secret key through a key agreement.

InitiatorMessage contentResponder
JIDi, JIDr, CKYe, sKEYID_e, CKYa, sKEYID_a, CKYd, sKEYID_d, S{JIDi | JIDr | Ni | Nr | CKYe | sKEYID_e | CKYa | sKEYID_a | CKYd | sKEYID_d }KEY

The Key Transport assumes that a security association be negotiated for the purpose of securely transporting conversation keys. The sender's user agent employs the following algorithm to generate the keyTransport PDU:

  • The values of initiator and responder MUST be the JIDs of the two participants who negotiated the security association, respectively.
  • The security association identifier is assembled.
  • The payload, which consists of the confidentiality key sKEYID_e, digest key sKEYID_d and the integrity key sKEYID_a , is wrapped in instances of xenc:EncryptedKey as follows:
  1. The Type attribute of the xenc:EncryptedKey element MUST indicate 'content'.
  2. The Id, MimeType and Encoding attributes of the xenc:EncryptedKey element MUST NOT be present.
  3. The xenc:EncryptionMethod element MUST be present, and the Algorithm attribute MUST indicate a valid symmetric key wrap algorithm. Furthermore, the algorithm MUST be the same as was negotiated for the security association.
  4. The ds:KeyInfo element MUST NOT be present. The key to use is the shared secret KEY of the negotiated security association.
  5. The xenc:ContainedKeyName element MUST be present.
  6. The xenc:CipherData element MUST be present, and it MUST use the CipherValue choice.
  • The HMAC is computed using KEY of the negotiated security association. A digital signature requires calculating:
  1. HMAC = prf(KEY, JIDi | JIDr | Ni | Nr | sKEYID_e | key name | sKEYID_e | sKEYID_a key name | sKEYID_a | sKEYID_d key name | sKEYID_d)

These values are then used to prepare the XML KeyTransport element; this element is transmitted via the existing XMPP iq mechanism. The order in which the keys are in the payload is significant. The first mandatory key is sKEYID_e. The second optional key is sKEYID_a. And the last optional key is sKEYID_d.

A32F...245A324A...BF24-enc</ContainedKeyName>

... encoded encrypted confidentiality key

A32F...245A324A...BF24-auth</ContainedKeyName>

... encoded encrypted confidentiality key

A32F...245A324A...BF24-dig</ContainedKeyName>

... encoded encrypted confidentiality key

... encoded signature value

]]>

The receiver's user agent employs the following algorithm to process each KeyTransport PDU:

  • The values of initiator, responder, and security association id MUST indicate an existing security association. An invalid security association results in an error of 401 - Unauthorized.
  • The payload, which consists of the confidentiality key sKEYID_e, digest key sKEYID_d and the intergrity key sKEYID_a, is unwrapped. Any failures result in an error code of 406-Unacceptable.
  • The body of the HMAC element is decoded into the actual HMAC octet string.
  • The HMAC is computed using KEY of the security association. A digital signature requires calculating:
  1. HMAC = prf(KEY, JIDi | JIDr | Ni | Nr | sKEYID_e key name | sKEYID_e | sKEYID_a key name | sKEYID_a | sKEYID_d key name | sKEYID_d)
  • The HMAC is validated. An invalid HMAC results in an error code of 406-Unacceptable.
  • The keys are added to the user agent's key store.

If any errors occur during processing, the error is communicated via the existing XMPP mechanism:

]]>

Public keys are transported embedded in the KeyTransport PDU.

X509 certificates can also be transported in existing XMPP message. The following example uses a presence subscription packet as the vehicle PDU. The subscribee public key and certificate are sent to the initiator of a presence subscription.

CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP ]]>
  • The values of initiator and responder MUST be the JIDs of the two participants in the exchange, respectively.
  • The payload, which consists of the public key of the responder is assembled.
  • The SIGN is computed using the private key of the responder. A digital signature requires calculating:
  1. SIGN = S (JIRi | JIDR | Kr name | Kr) responder private key

These values are then used to prepare the XML KeyTransport element; this element is transmitted via an existing XMPP mechanism. In the following example, the responder public key is sent to the initiator of a presence subscription.

responder@domain key name

... encoded responder public key value

... encoded signature value

]]>

The ultimate goal is the protection of conversation data. The protocol exchanges described above allow the conversation participants to cryptographically protect their conversation data using the conversation keys that they share.

A protected message is defined as a traditional XMPP message whose body content is extended to include the transport of a cryptographically protected message body. The two key features are:

  • the usual body element contains some arbitrary text.
  • the message contains a XMPP x element defining the xmpp:sec namespace; this element transports the protected message.

This mechanism has the advantages of allowing transparent integration with existing XMPP servers and existing XMPP clients.

The sender's user agent employs the following algorithm to generate the protected Message PDU:

  • The security association identifier is assembled.
  • The actual message body is encoded into a character string corresponding to a XMPP message body element. This character string is then wrapped in an instance of xenc:EncryptedData as follows:
  1. The Type attribute of the xenc:EncryptedData element MUST indicate 'element'.
  2. The Id, MimeType and Encoding attributes of the xenc:EncryptedData element MUST NOT be present.
  3. The xenc:EncryptionMethod element MUST be present, and the Algorithm attribute MUST indicate a valid block encryption algorithm.
  4. The ds:KeyInfo element MUST NOT be present. The key to be used is the confidentiality key indicated by the convId attribute.
  5. The xenc:CipherData element MUST be present, and it MUST use the CipherValue choice.
  • Using the HMAC key indicated by the security association, the HMAC is computed. A digital signature requires calculating:
  1. HMAC = prf(sKEYID_d, key name | JID from | JID to | message id | message type | message thread | message subject | message body)

These values are then used to prepare the XML protected element; this element is transmitted via the existing XMPP message mechanism:

The real body is protected. A32F2...45A324A...BF24-enc ... encoded encrypted message content A32F2...45A324A...BF24-auth ... encoded signature value ]]>

The receiver's user agent employs the following algorithm to process each protectedMessage PDU:

  • The values of initiator, responder, and key name MUST indicate an existing security association. An invalid security association results in an error of 406-Unacceptable.
  • The payload, which consists of the actual message body, is unwrapped. Any failures result in an error code of 406-Unacceptable.
  • The body of the HMAC element is decoded into the actual HMAC octet string.
  • Using the HMAC key indicated by the security association, the HMAC is computed. A digital signature requires calculating:
  1. HMAC = prf(sKEYID_d, key name | JID from | JID to | message id | message type | message thread | message subject | message body)
  • The HMAC is validated. An invalid HMAC results in an error code of 406-Unacceptable.

If any errors occur during processing, the error is communicated via the existing XMPP mechanism:

This section discusses algorithms used with the XMPP security specification. Entries contain the identifier to be used as the value of the Algorithm attribute of the EncryptionMethod element or other element representing the role of the algorithm, a reference to the formal specification, definitions for the representation of keys and the results of cryptographic operations where applicable, and general applicability comments.

The table below lists the categories of algorithms. Within each category, a brief name, the level of implementation requirement, and an identifying URI are given for each algorithm.

CategoryAlgorithmURI
Block EncryptionTRIPLEDEStripledes-cbc
AES-128aes128-cbc
AES-192aes192-cbc
AES-256aes256-cbc
Key TransportRSA-v1.5rsa-1_5
RSA-OAEPrsa-oaep-mgf1p
Symmetric Key WrapTRIPLEDES KeyWrapkw-tripledes
AES-128 KeyWrapkw-aes128
AES-256 KeyWrapkw-aes256
AES-192 KeyWrapkw-aes192
Message DigestMD5md5
SHA1sha1
SHA256sha256
SHA512sha512
RIPEMD-160ripemd160
HMAC-MD5hmac-md5
HMAC-SHA1hmac-sha1
HMAC-SHA128hmac-sha128
HMAC-SHA256hmac-sha256
SignatureDSAwithSHA1 (DSS)dsa-sha1
RSAwithSHA1rsa-sha1

An RSA Laboratories Technical Note Version 1.4 Revised November 1, 1993

Supersedes June 3, 1991 version, which was also published as NIST/OSI Implementors' Workshop document SEC-SIG-91-19. PKCS documents are available by electronic mail to <pkcs@rsa.com>.

This standard describes a method for implementing Diffie-Hellman key agreement, whereby two parties, without any prior arrangements, can agree upon a secret key that is known only to them (and, in particular, is not known to an eavesdropper listening to the dialogue by which the parties agree on the key). This secret key can then be used, for example, to encrypt further communications between the parties.

The intended application of this standard is in protocols for establishing secure connections, such as those proposed for OSI's transport and network layers [ISO90a][ISO90b].

Details on the interpretation of the agreed-upon secret key are outside the scope of this standard, as are details on sources of the pseudorandom bits required by this standard.

X.208 CCITT. Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1). 1988.

X.509 CCITT. Recommendation X.509: The Directory—Authentication Framework. 1988.

[DH76] W. Diffie and M.E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22:644-654, 1976.

[Sch90] C.P. Schnorr. Efficient identification and signatures for smart cards. In G. Brassard, editor, Advances in Cryptology—CRYPTO '89 Proceedings, volume 435 of Lecture Notes in Computer Science, pages 239-251. Springer-Verlag, New York, 1990.

[ISO90a] ISO. JTC1/SC6/N6285: Draft Transport Layer Security Protocol. Draft, November 1990.

[ISO90b] ISO. JTC1/SC6/N2559: Draft Network Layer Security Protocol. Draft, September 1990.

For the purposes of this standard, the following definitions apply.

AlgorithmIdentifier: A type that identifies an algorithm (by object identifier) and any associated parameters. This type is defined in X.509.

ASN.1: Abstract Syntax Notation One, as defined in X.208.

Diffie-Hellman parameters: Prime and base.

Diffie-Hellman: The Diffie-Hellman key-agreement protocol, elsewhere called "exponential key agreement," as defined in [DH76].

Upper-case italic symbols (e.g., PV) denote octet strings; lower-case italic symbols (e.g., g) denote integers.

PV public valuep prime
PV' other's public valuex private value
SK secret keyx' other's private value
G basey integer public value
K length of prime in octetsy' other's integer public value
L length of private value in bitsz integer secret key
mod n modulo n

The next four sections specify parameter generation, two phases of Diffie-Hellman key agreement, and an object identifier.

A central authority shall generate Diffie-Hellman parameters, and the two phases of key agreement shall be performed with these parameters. It is possible that more than one instance of parameters may be generated by a given central authority, and that there may be more than one central authority. Indeed, each entity may be its own central authority, with different entities having different parameters. The algorithm identifier for Diffie-Hellman key agreement specifies which Diffie-Hellman parameters are employed.

Two entities intending to agree on a secret key shall employ the first phase independently to produce outputs PV and PV', the public values. The entities shall exchange the outputs.

The entities shall then employ the second phase independently with the other entity's public value as input. The mathematics of Diffie-Hellman key agreement ensure that the outputs SK of the second phase are the same for both entities.

This section describes Diffie-Hellman parameter generation.

A central authority shall select an odd prime p. The central authority shall also select an integer g, the base, that satisfies 0 < g < p. The central authority may optionally select an integer l, the private-value length in bits, that satisfies 2l-1 ≤ p.

The length of the prime p in octets is the integer k satisfying

28(k−1) ≤ p < 28k .

1. The cost of some methods for computing discrete logarithms depends on the the length of the prime, while the cost of others depends on the length of the private value. The intention of selecting a private-value length is to reduce the computation time for key agreement, while maintaining a given level of security. A similar optimization is suggested by Schnorr [Sch90].

2. Some additional conditions on the choice of prime, base, and private-value length may well be taken into account in order to deter discrete logarithm computation. These security conditions fall outside the scope of this standard.

This section describes the first phase of Diffie-Hellman key agreement.

The first phase consists of three steps: private-value generation, exponentiation, and integer-to-octet-string conversion. The input to the first phase shall be the Diffie-Hellman parameters. The output from the first phase shall be an octet string PV, the public value; and an integer x, the private value.

This phase is performed independently by the two parties intending to agree on a secret key.

An integer x, the private value, shall be generated privately and randomly. This integer shall satisfy 0 < x < p−1, unless the central authority specifies a private-value length l, in which case the integer shall satisfy 2l-1 ≤ x < 2l.

The base g shall be raised to the private value x modulo p to give an integer y, the integer public value.

y = gx mod p, 0 < y < p .

This is the classic discrete-exponentiation computation.

The integer public value y shall be converted to an octet string PV of length k, the public value. The public value PV shall satisfy

y = , (1)

where PV1, ..., PVk are the octets of PV from first to last.

In other words, the first octet of PV has the most significance in the integer and the last octet of PV has the least significance.

This section describes the second phase of Diffie-Hellman key agreement.

The second phase consists of three steps: octet-string-to-integer conversion, exponentiation, and integer-to-octet-string conversion. The input to the second phase shall be the Diffie-Hellman parameters; an octet string PV', the other entity's public value; and the private value x. The output from the second phase shall be an octet string SK, the agreed-upon secret key.

This phase is performed independently by the two parties intending to agree on a secret key, after the parties have exchanged public values resulting from the first phase.

The other entity's public value PV' shall be converted to an integer y', the other entity's integer public value. Let PV'1, ..., PV'k be the octets of PV' from first to last. Then the other entity's integer public value y' shall satisfy

y' = .

In other words, the first octet of PV' has the most significance in the integer and the last octet of PV' has the least significance.

The other entity's integer public value y' shall be raised to the private integer x modulo p to give an integer z, the integer secret key.

z = (y')x mod p, 0 < z < p .

This is the classic discrete-exponentiation computation.

Note. The integer secret key z satisfies

z = (y')x = (gx')x = (gx)x' = yx' mod p ,

where x' is the other entity's private value. This mathematical relationship is the reason the two entities arrive at the same key.

The integer secret key z shall be converted to an octet string SK, the secret key, of length k. The secret key SK shall satisfy

z = ,

where SK1, ..., SKk are the octets of SK from first to last.

In other words, the first octet of SK has the most significance in the integer and the last octet of SK has the least significance.

This standard defines two object identifiers: pkcs-3 and DHKeyValue.

The object identifier pkcs-3 identifies this standard.

pkcs-3 OBJECT IDENTIFIER ::= { iso(1) member-body(2) US(840) rsadsi(113549) pkcs(1) 3 }

The object identifier DHKeyValue identifies the Diffie-Hellman key agreement method defined in Sections 7 and 8.

DHKeyValue OBJECT IDENTIFIER ::= { pkcs-3 1 }

The DHKeyValue object identifier is intended to be used in the algorithm field of a value of type AlgorithmIdentifier. The parameters field of that type, which has the algorithm-specific syntax ANY DEFINED BY algorithm, would have ASN.1 type DHParameter for this algorithm.

DHParameter ::= SEQUENCE { prime INTEGER, - p base INTEGER, - g privateValueLength INTEGER OPTIONAL }

The fields of type DHParameter have the following meanings:

  • prime is the prime p.
  • base is the base g.
  • privateValueLength is the optional private-value length l.

Versions 1.0-1.2 were distributed to participants in RSA Data Security, Inc.'s Public-Key Cryptography Standards meetings in February and March 1991.

Version 1.3 is part of the June 3, 1991 initial public release of PKCS. Version 1.3 was published as NIST/OSI Implementors' Workshop document SEC-SIG-91-19.

Version 1.4 incorporates several editorial changes, including updates to the references and the addition of a revision history. The following substantive changes were made:

  • Section 6: Parameter generation is modified to allow central authority to select private-value length in bits.
  • Section 7.1: Private-value generation is modified to handle private-value length.
  • Section 9: Optional privateValueLength field is added to DHParameter type.

RSA Laboratories (415) 595-7703 100 Marine Parkway (415) 595-4126 (fax) Redwood City, CA 94065 USA pkcs-editor@rsa.com

Different Diffie-Hellman groups are defined for use in IKE. These groups were generated by Richard Schroeppel at the University of Arizona. Properties of these primes are described in [Orm96].

IKE implementations MAY support a MODP group with the following prime and generator. This group is assigned id 1 (one).

The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 } Its hexadecimal value is:

The generator is: 2.

IKE implementations SHOULD support a MODP group with the following prime and generator. This group is assigned id 2 (two).

The prime is 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }. Its hexadecimal value is:

The generator is 2 (decimal)

IKE implementations MUST support a MODP group with the following prime and generator. This group is assigned id 5 (five). The 1536 bit MODP group has been used for the implementations for quite a long time, but it has not been documented in the current RFCs or drafts.

The prime is 2^1536 - 2^1472 - 1 + 2^64 * {[2^1406 pi] + 741804}. Its hexadecimal value is

The generator is 2.

This prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 } Its hexadecimal value is

The generator is: 2.

This prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 }

Its hexadecimal value is:

The generator is: 2.

This prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 }

Its hexadecimal value is :

The generator is: 2.

This prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 }

Its hexadecimal value is :

The generator is: 2.

This prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 }

Its hexadecimal value is :

The generator is: 2.