

  1. <?xml version='1.0'?>
  2. <!DOCTYPE xep SYSTEM 'xep.dtd' [
  3. <!ENTITY % ents SYSTEM "xep.ent">
  4. %ents;
  5. ]>
  6. <?xml-stylesheet type='text/xsl' href='xep.xsl'?>
  7. <xep>
  8. <header>
  9. <title>Security Extensions</title>
  10. <abstract>Security extensions for Jabber/XMPP.</abstract>
  11. &LEGALNOTICE;
  12. <number>0102</number>
  13. <status>Deferred</status>
  14. <type>Standards Track</type>
  15. <sig>Standards</sig>
  16. <dependencies/>
  17. <supersedes/>
  18. <supersededby/>
  19. <shortname>Not yet assigned</shortname>
  20. <author>
  21. <firstname>Jean-Louis</firstname>
  22. <surname>Seguineau</surname>
  23. <email>jean-louis.seguineau@antepo.com</email>
  24. <jid>jlseguineau@im.antepo.com</jid>
  25. </author>
  26. <revision>
  27. <version>0.1</version>
  28. <date>2003-06-25</date>
  29. <initials>jls</initials>
  30. <remark>Initial version.</remark>
  31. </revision>
  32. </header>
  33. <section1 topic='Introduction'>
  34. <p>While the benefits of IM are clear and compelling, the risks associated with sharing sensitive information in an IM environment are often overlooked. We need a mechanism that permits communities of users to protect their IM conversations. This document presents an extension protocol that can be incorporated into the existing XMPP protocol to provide such a mechanism. </p>
  35. <p>In addition to its ability to protect instant message data, the proposed protocol may also serve as a foundation for securing other data transported via XMPP extensions. </p>
  36. </section1>
  37. <section1 topic='Terms and Definitions'>
  38. <table caption='Terms and Definitions'>
  39. <tr><td>Term</td><td>Definition</td></tr>
  40. <tr><td>User</td><td>A user is simply any XMPP user. Users are uniquely identified by a JID; they connect to XMPP hosts using an XMPP node. Users produce and consume information, and we wish to provide them with mechanisms that can be used to protect this information.</td></tr>
  41. <tr><td>Community</td><td>A community is a collection of users who wish to communicate via XMPP. No restrictions or assumptions are made about the size of communities or the geographical, organizational, or national attributes of the members. Communities are assumed to be dynamic and ad-hoc. Users typically join communities by the simple act of invitation. All members of a community are assumed to be peers. The members of communities share information among themselves, and we wish to provide them with mechanisms that can permit information to only be shared by community members.</td></tr>
  42. <tr><td>Conversation</td><td>A conversation is the set of messages that flows among the members of a community via some network. Conversations consist of both the actual conversation data produced and consumed by the various users as well as the XMPP protocol elements that transport it. Members participate in a conversation when they are the source or destination of this traffic.</td></tr>
  43. <tr><td>Initiator</td><td>The initiator is the user who requested a security session negotiation. Initiators are identified by their JID.</td></tr>
  44. <tr><td>Responder</td><td>The responder is the user who responded to a security session negotiation request. Responders are identified by their JID.</td></tr>
  45. <tr><td>Concatenation operator</td><td>The '|' character is used in character or octet string expressions to indicate concatenation.</td></tr>
  46. <tr><td>PFS</td><td>Perfect Forward Secrecy. In cryptography, this is said of a key-establishment protocol in which the compromise of a session key or long-term private key after a given session does not cause the compromise of any earlier session.</td></tr>
  47. <tr><td>GRP</td><td>The definition of a Diffie-Hellman group length</td></tr>
  48. <tr><td>DHx</td><td>The Diffie-Hellman ephemeral public keys for the initiator (x=i) and the responder (x=r)</td></tr>
  49. <tr><td>KEY</td><td>The Diffie-Hellman ephemeral session secret that is agreed to during a key exchange negotiation.</td></tr>
  50. <tr><td>CKYx</td><td>A 64-bit pseudo-random number or cookie generated by the initiator (x=i) and responder (x=r) in the authenticated key exchange.</td></tr>
  51. <tr><td>KEYID</td><td>The concatenation of CKYi and CKYr and the domain of interpretation. It is the name of the keying material.</td></tr>
  52. <tr><td>sKEYID</td><td>This is the keying material named by KEYID. It is never transmitted but is used in the various calculations made by the exchanging parties.</td></tr>
  53. <tr><td>EHAo</td><td>A list of encryption/hash/authentication algorithms choices.</td></tr>
  54. <tr><td>EHAs</td><td>The selected reference encryption/hash/authentication choice.</td></tr>
  55. <tr><td>Nx</td><td>The nonces selected by the initiator (x=i) and the responder (x=r)</td></tr>
  56. <tr><td>JIDx</td><td>The identities of the initiator (x=i) and the responder (x=r)</td></tr>
  57. <tr><td>E{value}Kx</td><td>The encryption of value with the public key of the initiator (x=i) and the responder (x=r). Encryption is done using the algorithm associated with the authentication method. Usually this will be RSA</td></tr>
  58. <tr><td>D{value}Kx</td><td>The decryption of value with the public key of the initiator (x=i) and the responder (x=r). Decryption is done using the algorithm associated with the authentication method. Usually this will be RSA</td></tr>
  59. <tr><td>S{value}Kx</td><td>The signature of value with the private key of the initiator (x=i) and the responder (x=r). Signing is done using the algorithm associated with the authentication method. Usually this will be RSA or DSS</td></tr>
  60. <tr><td>prf(a, b)</td><td>The result of applying pseudo-random function "a" to data "b". One may think of "a" as a key or as a value that characterizes the function prf; in the latter case it is the index into a family of functions. Each function in the family provides a "hash" or one-way mixing of the input.</td></tr>
  61. <tr><td>prf(0, b)</td><td>The application of a one-way function to data "b". The similarity with the previous notation is deliberate and indicates that a single algorithm, e.g. MD5, might be used for both purposes. In the first case a "keyed" MD5 transform would be used with key "a"; in the second case the transform would have the fixed key value zero, resulting in a one-way function.</td></tr>
  62. <tr><td>hmac(a, b)</td><td>This indicates the HMAC algorithm, applying pseudo-random function "a" to data "b".</td></tr>
  63. </table>
  64. </section1>
  65. <section1 topic="Requirements And Considerations">
  66. <p>The proposed protocol is designed to address the specific requirements and considerations presented in this section. </p>
  67. <section2 topic="Security Requirements">
  68. <section3 topic="Data Protection">
  69. <p>A secure IM system must permit conversation participants to preserve the following properties of their conversation data: </p>
  70. <table>
  71. <tr><td>Property</td><td>Description</td></tr>
  72. <tr><td>confidentiality</td><td>Conversation data must only be disclosed to authorized recipients</td></tr>
  73. <tr><td>integrity</td><td>Conversation data must not be altered</td></tr>
  74. <tr><td>data origin authentication</td><td>Recipients must be able to determine the identity of the sender and trust that the message did, in fact, come from the sender. It is important to note that this requirement does not include the requirement of a durable digital signature on conversation data.</td></tr>
  75. <tr><td>replay protection</td><td>Recipients must be able to detect and ignore duplicate conversation data.</td></tr>
  76. </table>
  77. <p>These are established, traditional goals of information security applied to the conversation data. In the IM environment, these goals protect against the following attacks: </p>
  78. <ul>
  79. <li>eavesdropping, snooping, etc. </li>
  80. <li>masquerading as a conversation participant </li>
  81. <li>forging messages </li>
  82. </ul>
  83. <p>Preserving the availability of conversation data is not addressed by this protocol. </p>
  84. <p>Finally, note that this protocol does not concern any authentication between an XMPP node and an XMPP host. </p>
  85. </section3>
  86. <section3 topic="Data Classification">
  87. <p>A secure IM system must support a data classification feature through the use of security labeling. Conversation participants must be able to associate a security label with each piece of conversation data. This label may be used to specify a data classification level for the conversation data. </p>
  88. </section3>
  89. <section3 topic="End To End Protection">
  90. <p>It is easy to imagine XMPP systems in which the servers play active, fundamental roles in the protection of conversation data. Such systems could offer many advantages, like: </p>
  91. <ul>
  92. <li>allowing the servers to function as credential issuing authorities,
  93. </li>
  94. <li>allowing the servers to function as policy enforcement points. </li>
  95. </ul>
  96. <p>Unfortunately, such systems have significant disadvantages when one considers the nature of instant messaging: </p>
  97. <ul>
  98. <li>Many servers may be untrusted, public servers.
  99. </li>
  100. <li>In many conversation communities, decisions of trust and membership can only be adequately defined by the members themselves.
  101. </li>
  102. <li>In many conversation communities, membership in the community changes in real time based upon the dynamics of the conversation.
  103. </li>
  104. <li>In many conversation communities, the data classification of the conversation changes in real time based upon the dynamics of the conversation. </li>
  105. </ul>
  106. <p>Furthermore, the use of gateways to external IM systems is a further complication. </p>
  107. <p>Based on this analysis, we propose that security be entirely controlled in an end to end fashion by the conversation participants themselves via their user agent software. </p>
  108. </section3>
  109. <section3 topic="Trust Issues">
  110. <p>Similarly, we believe that trust decisions are in the hands of the conversation participants. A security protocol and appropriate user agents must provide a mechanism for them to make informed decisions. </p>
  111. </section3>
  112. <section3 topic="Cryptosystem Design Considerations">
  113. <p>One of the accepted axioms of security is that people must avoid the temptation to start from scratch and produce new, untested algorithms and protocols. History has demonstrated that such approaches are likely to contain flaws and that considerable time and effort are required to identify and address all of these flaws. Any new security protocol should be based on existing, established algorithms and protocols. </p>
  114. </section3>
  115. </section2>
  116. <section2 topic="Environmental Considerations">
  117. <p>Any new IM security protocol must integrate smoothly into the existing IM environment, and it must also recognize the nature of the transactions performed by conversation participants. These considerations are especially important: </p>
  118. <ul>
  119. <li>dynamic communities. The members of a community are defined in near real time by the existing members.
  120. </li>
  121. <li>dynamic conversations. Conversations may involve any possible subset of the entire set of community members. </li>
  122. </ul>
  123. <p>Addressing these considerations becomes especially crucial when selecting a conference keying mechanism. </p>
  124. </section2>
  125. <section2 topic="Usability">
  126. <p>Given the requirement to place the responsibility for the protection of conversation data in the hands of the participants, it is imperative to address some fundamental usability issues: </p>
  127. <ul>
  128. <li>Overall ease of use is a requirement. For protocol purposes, one implication is that some form of authentication via passphrases is necessary. While we recognize that this can have appalling consequences, especially when we realize that a passphrase may be shared by all of the community members, we also recognize its utility.
  129. </li>
  130. <li>PKIs are well established in many large organizations, and some communities will prefer to rely on credentials issued from these authorities. We must allow the use of existing PKI credentials and trust models rather than impose closed, XMPP-specific credentials.
  131. </li>
  132. <li>Performance must not be negatively impacted. This is particularly true if we consider that most communities are composed of human users conversing in real time. For protocol purposes, one obvious implication is the desire to minimize computationally expensive public key operations. </li>
  133. </ul>
  134. </section2>
  135. <section2 topic="Development And Deployment">
  136. <p>To successfully integrate into the existing XMPP environment, an extension protocol for security must satisfy the following: </p>
  137. <ul>
  138. <li>It must be an optional extension of the existing XMPP protocol.
  139. </li>
  140. <li>It must be transparent to existing XMPP servers.
  141. </li>
  142. <li>It must function gracefully in cases where some community members are not running a user agent that supports the protocol.
  143. </li>
  144. <li>It must make good use of XML.
  145. </li>
  146. <li>It must avoid encumbered algorithms.
  147. </li>
  148. <li>It must be straightforward to implement using widely available cryptographic toolkits.
  149. </li>
  150. <li>It must not require a PKI. </li>
  151. </ul>
  152. </section2>
  153. <section2 topic="XML Processing">
  154. <p>Since cryptographic operations are applied to data that is transported within an XML stream, the protocol defines a set of rules to ensure a consistent interpretation by all conversation participants. </p>
  155. <section3 topic="Transporting Binary Content">
  156. <p>Binary data, such as the result of an HMAC, is always transported in an encoded form; the only supported encoding scheme is base64.</p>
  157. <p>Senders MAY include arbitrary white space within the character stream. Senders SHOULD NOT include any other characters outside of the encoding set. </p>
  158. <p>Receivers MUST ignore all characters not in the encoding set. </p>
  159. </section3>
  160. <section3 topic="Transporting Encrypted Content">
  161. <p>Encrypted data is always transported in an encoded form; the only supported encoding scheme is base64.</p>
  162. <p>Senders MAY include arbitrary white space within the character stream. Senders SHOULD NOT include any other characters outside of the encoding set. </p>
  163. <p>Receivers MUST ignore all characters not in the encoding set. </p>
  164. </section3>
  165. <section3 topic="Performing HMAC Computation">
  166. <p>HMACs are computed over a specific collection of attribute values and character data; when computing an HMAC the following rules apply: </p>
  167. <ul>
  168. <li>All characters MUST be HMACed in their pure Unicode form encoded in UTF-16. </li>
  169. </ul>
  170. <ul>
  171. <li>The octets in each character MUST be processed in network byte order. </li>
  172. </ul>
  173. <ul>
  174. <li>For a given element, the attribute values that are HMACed MUST be processed in the specified order regardless of the order in which they appear in the element tag. </li>
  175. </ul>
  176. <ul>
  177. <li>For each attribute value, the computation MUST only include characters from the anticipated set defined in this specification; in particular, white space MUST always be ignored. </li>
  178. </ul>
  179. <ul>
  180. <li>For character data that is represented in a base64 encoded form, the computation MUST only include valid characters from the encoding set. </li>
  181. </ul>
  182. </section3>
  183. <section3 topic="Performing Cryptographic Operations">
  184. <p>The following algorithm is used to encrypt a character string: </p>
  185. <ul>
  186. <li>The character string MUST be represented in Unicode encoded in UTF-16. </li>
  187. </ul>
  188. <ul>
  189. <li>The octets in each character MUST be processed in network byte order. </li>
  190. </ul>
  191. <ul>
  192. <li>Appropriate cryptographic algorithm parameters, such as an IV for a block cipher, are generated. </li>
  193. </ul>
  194. <ul>
  195. <li>The octet string derived from the character string is padded with up to 256 octets of arbitrary padding data. There MUST be at least one padding octet. The last octet of the padding MUST indicate the number of preceding octets in the stream. All padding octets except the last octet SHOULD be randomly generated. When block ciphers are used, the padding MUST result in a stream of octets that is a multiple of the cipher's block size. </li>
  196. </ul>
  197. </section3>
  198. </section2>
  199. </section1>
  200. <section1 topic="xmpp:sec namespace">
  201. <section2 topic="Elements within the extension">
  202. <p>When used to extend an existing XMPP construct, the container element is an &lt;x/&gt; element. Each &lt;x/&gt; element could have one &lt;SecurityAssociation/&gt; to refer to a particular security session, one &lt;KeyAgreement/&gt; element which would contain the information for an exchange of keys. The &lt;x/&gt; element could have its content authenticated by one &lt;Signature/&gt; element which contains the information about the signature of information exchanged between two nodes. The &lt;x/&gt; element may contain one &lt;KeyTransport/&gt; element which contains the information about keys to be securely exchanged between two nodes.</p>
  203. <p>When used in an IQ XMPP construct, the container element is a &lt;query/&gt; element. Each &lt;query/&gt; element could have one &lt;SecurityAssociation/&gt; to refer to a particular security session, one &lt;KeyAgreement/&gt; element which would contain the information for an exchange of keys. The &lt;query/&gt; element could have its content authenticated by one &lt;Signature/&gt; element which contains the information about the signature of information exchanged between two nodes. The &lt;query/&gt; element may contain one &lt;KeyTransport/&gt; element which contains the information about keys to be securely exchanged between two nodes.</p>
  204. <p>Each &lt;SecurityAssociation/&gt; element may have &lt;DigestMethod/&gt;, &lt;EncryptionMethod/&gt; and &lt;SignatureMethod/&gt; elements to specify the actual algorithms set that will be used in a key exchange.</p>
  205. <p>Each &lt;KeyAgreement/&gt; element may have a &lt;DHKeyValue/&gt; and a &lt;DHParameters/&gt; element to specify the actual data and parameters used in the key exchange. It may also contain a &lt;KA-Nonce/&gt; element to specify a nonce to be used in a key exchange.</p>
  206. </section2>
  207. <section2 topic="Attributes">
  208. <table>
  209. <tr><td>Attribute</td><td>Meaning</td></tr>
  210. <tr><td>id</td><td>The id attribute holds the agreement or security association ID, when present.</td></tr>
  211. <tr><td>length</td><td>The length attribute holds the required number of bits in the prime number used to generate the DH key pair.</td></tr>
  212. </table>
  213. </section2>
  214. <section2 topic="Elements">
  215. <table>
  216. <tr><td>Element</td><td>Meaning</td></tr>
  217. <tr><td>SecurityAssociation</td><td>The &lt;SecurityAssociation/&gt; tag is used to encapsulate EncryptionMethod, DigestMethod, SignatureMethod data. It is used as a container for the different algorithm definitions that are negotiated for the session.</td></tr>
  218. <tr><td>AgreementMethod</td><td>The &lt;AgreementMethod/&gt; tag is an optional element that identifies the key agreement algorithm to be applied to an object.</td></tr>
  219. <tr><td>DigestMethod</td><td>The &lt;DigestMethod/&gt; tag is an optional element that identifies the digest algorithm to be applied to an object.</td></tr>
  220. <tr><td>DigestValue</td><td>The &lt;DigestValue/&gt; tag is an optional element that contains the encoded value of a digest.</td></tr>
  221. <tr><td>EncryptionMethod</td><td>The &lt;EncryptionMethod/&gt; tag is an optional element that describes the encryption algorithm applied to the cipher data. If the element is absent, the encryption algorithm must be known by the recipient or the decryption will fail.</td></tr>
  222. <tr><td>Signature</td><td>The &lt;Signature/&gt; tag is used to encapsulate signature data. It is used as a container of other XML structures that could come from any namespace.</td></tr>
  223. <tr><td>SignatureMethod</td><td>The &lt;SignatureMethod/&gt; tag is an optional element that specifies the algorithm used for signature generation and validation.</td></tr>
  224. <tr><td>SignatureValue</td><td>The &lt;SignatureValue/&gt; tag is an optional element that contains the encoded value of a signature.</td></tr>
  225. <tr><td>SignedInfo</td><td>The &lt;SignedInfo/&gt; tag includes the canonicalization algorithm, a signature algorithm, and one or more references. The SignedInfo element may contain an optional ID attribute that will allow it to be referenced by other signatures and objects. It is in the http://www.w3.org/2000/09/xmldsig# namespace.</td></tr>
  226. <tr><td>KA-Nonce</td><td>The &lt;KA-Nonce/&gt; tag is an optional element under &lt;KeyAgreement/&gt; to assure that different keying material is generated even for repeated agreements using the same sender and recipient public keys.</td></tr>
  227. <tr><td>KeyAgreement</td><td>The &lt;KeyAgreement/&gt; tag is used to encapsulate key agreement data. It is used as a container of other XML structures that could come from external namespace.</td></tr>
  228. <tr><td>KeyInfo</td><td>The &lt;KeyInfo/&gt; tag is used to encapsulate key information data. It enables the recipient to obtain the key needed to validate a signature. &lt;KeyInfo/&gt; may contain keys, names, certificates and other public key management information, such as in-band key distribution or key agreement data. It is used as a container of other XML structures that could come from external namespace.</td></tr>
  229. <tr><td>OriginatorKeyInfo</td><td>The &lt;OriginatorKeyInfo/&gt; tag is used to encapsulate originator key information data in a key agreement. It is of type &lt;KeyInfo/&gt; and used as a container of other XML structures that could come from external namespace.</td></tr>
  230. <tr><td>RecipientKeyInfo</td><td>The &lt;RecipientKeyInfo/&gt; tag is used to encapsulate recipient key information data in a key agreement. It is of type &lt;KeyInfo/&gt; and used as a container of other XML structures that could come from external namespace.</td></tr>
  231. <tr><td>KeyName</td><td>The &lt;KeyName/&gt; tag is an optional element of &lt;KeyInfo/&gt; and contains a string value (in which white space is significant) which may be used to communicate a key identifier to the recipient.</td></tr>
  232. <tr><td>KeyValue</td><td>The &lt;KeyValue/&gt; tag contains a single public key that may be useful in validating a signature. The KeyValue element may include externally defined public key values represented as PCDATA or element types from an external namespace</td></tr>
  233. <tr><td>KeyTransport</td><td>The &lt;KeyTransport/&gt; tag is used to encapsulate transported key data. It is used as a container of other XML structures that could come from any namespace.</td></tr>
  234. <tr><td>CarriedKeyName</td><td>The &lt;CarriedKeyName/&gt; tag is optional and used to specify the name of the transported key.</td></tr>
  235. <tr><td>DHKeyValue</td><td>The &lt;DHKeyValue/&gt; tag is used to encapsulate a Diffie-Hellman key agreement content. It is designed to follow the XML digital signature standard.</td></tr>
  236. <tr><td>DHParameters</td><td>The &lt;DHParameters/&gt; tag is used to encapsulate Diffie-Hellman key exchange parameters.</td></tr>
  237. <tr><td>Public</td><td>The &lt;Public/&gt; tag holds the actual content of a Diffie-Hellman public key.</td></tr>
  238. <tr><td>X509Data</td><td>The &lt;X509Data/&gt; tag is an optional element holding one or more identifiers of keys or X509 certificates, or certificates' identifiers or a revocation list. It is in the http://www.w3.org/2000/09/xmldsig# namespace.</td></tr>
  239. <tr><td>PGPData</td><td>The &lt;PGPData/&gt; tag is an optional element used to convey information related to PGP public key pairs and signatures on such keys. It is in the http://www.w3.org/2000/09/xmldsig# namespace.</td></tr>
  240. <tr><td>DSAKeyValue</td><td>The &lt;DSAKeyValue/&gt; tag is optional and defines a DSA public key inside a &lt;KeyInfo/&gt; element. It is in the http://www.w3.org/2000/09/xmldsig# namespace.</td></tr>
  241. <tr><td>RSAKeyValue</td><td>The &lt;RSAKeyValue/&gt; tag is optional and defines an RSA public key inside a &lt;KeyInfo/&gt; element. It is in the http://www.w3.org/2000/09/xmldsig# namespace.</td></tr>
  242. </table>
  243. </section2>
  244. <section2 topic="Attributes values">
  245. <table>
  246. <tr><td>Element</td><td>Attribute</td><td>Value</td><td>Meaning</td></tr>
  247. <tr><td>KeyAgreement</td><td>id</td><td>CDATA</td><td>The agreement ID</td></tr>
  248. <tr><td>length</td><td>null</td><td>CDATA</td><td>By default, the length of the prime number to be used is 768 bits. The length of the prime number to be used is as defined in the IKE Diffie-Hellman groups.</td></tr>
  249. <tr><td>SecurityAssociation</td><td>id</td><td>CDATA</td><td>The security association ID or cookie for a party in the negotiation.</td></tr>
  250. <tr><td>AgreementMethod</td><td>Algorithm</td><td>CDATA</td><td>The algorithm URI for the key agreement.</td></tr>
  251. <tr><td>DigestMethod</td><td>Algorithm</td><td>CDATA</td><td>The algorithm URI for the digest.</td></tr>
  252. <tr><td>EncryptionMethod</td><td>Algorithm</td><td>CDATA</td><td>The algorithm URI for the encryption.</td></tr>
  253. <tr><td>SignatureMethod</td><td>Algorithm</td><td>CDATA</td><td>The algorithm URI for the signature.</td></tr>
  254. </table>
  255. </section2>
  256. </section1>
  257. <section1 topic="Base Key Agreement">
  258. <section2 topic="Overview">
  259. <p>The base key agreement (BKE) is an implementation of the "Diffie-Hellman Method For Key Agreement" (DH). It allows two nodes to create and share a secret key. </p>
  260. <p>DH is not an encryption mechanism as we normally think of them, in that we do not typically use it to encrypt data. Instead, it is a method to securely exchange the keys that encrypt data. DH accomplishes this secure exchange by creating a "shared secret", sometimes called a "key encryption key", between two nodes. The shared secret then encrypts the symmetric key, or "data encryption key" - DES, Triple DES, CAST, IDEA, Blowfish, etc, for secure transmission.</p>
  261. <p>Two nodes intending to agree on a secret key shall employ the first phase of the agreement independently to produce the public values outputs PV and PV'. The nodes shall exchange the outputs.</p>
  262. <p>The nodes shall then employ the second phase independently with the other node's public value as input. The mathematics of Diffie-Hellman key agreement ensure that the resulting outputs SK of the second phase are the same for both entities.</p>
  263. <p>1) First the nodes must get the "Diffie-Hellman parameters". A prime number, 'p' (larger than 2) and "base", 'g', an integer that is smaller than 'p'. They can either be hard coded or fetched from a server.</p>
  264. <p>Diffie-Hellman groups are used to determine the length of the base prime numbers used during the key exchange. The strength of any key derived depends in part on the strength of the Diffie-Hellman group the prime numbers are based on: </p>
  265. <ul>
  266. <li>Group 2 (medium) is stronger than Group 1 (low). Group 1 will provide 768 bits of keying material, while Group 2 will provide 1,024 bits. If mismatched groups are specified on each peer, the negotiation will fail. The group cannot be switched during the negotiation.
  267. </li>
  268. <li>A larger group results in more entropy and therefore a key which is harder to break.</li>
  269. </ul>
  270. <p>2) The nodes each secretly generate a private number called 'x', which is less than "p - 1". </p>
  271. <p>3) The nodes next generate the ephemeral public keys, 'y'. They are created with the function: </p>
  272. <p> y = g^x mod p</p>
  273. <p>4) The two nodes now exchange the public keys ('y') and the exchanged numbers are converted into a secret key, 'z'. </p>
  274. <p> z = y^x mod p</p>
  275. <p>'z' can now be used as the key for whatever encryption method is used to transfer information between the two nodes. Mathematically, the two nodes should have generated the same value for 'z'. </p>
  276. <p> z = (g^x mod p)^x' mod p = (g^x' mod p)^x mod p</p>
  277. <p> All of these numbers are positive integers</p>
  278. <p> x^y means: x is raised to the y power</p>
  279. <p> x mod y means: x is divided by y and the remainder is returned </p>
  280. <p>Suppose two nodes want to agree on a shared secret key to exchange information securely, they will exchange their public keys in order to encrypt that information. To this goal, the transport XMPP packet SHOULD include an extension of the form:</p>
  281. <example caption="Key agreement Application">
  282. <![CDATA[
  283. <x xmlns="xmpp:sec">
  284. <KeyAgreement length="1024">
  285. <DHKeyValue>
  286. <Public>...</Public>
  287. </DHKeyValue>
  288. </KeyAgreement>
  289. </x>
  290. ]]>
  291. </example>
  292. <p>In this extension, the only negotiable parameter is the key length that is passed in the length attribute of the &lt;KeyAgreement/&gt; tag. The length attribute is used to retrieve the DH parameter group and the associated prime and generator values. We are using DH groups derived from the Internet Key Exchange protocol (IKE) which is used by IPSec. A summary of these groups and the associated parameters are described later in this document.</p>
  293. <section3 topic="Secure password registration">
  294. <p>An example of using this agreement is to send an encrypted password on the wire when registering a new user. Registration is the only time a password needs to be exchanged between an XMPP server and a client. Once that has been carried out, every authentication can be done through digest.</p>
  295. <p>The client uses an empty &lt;x/&gt; element in the request to signal that it supports the XMPP security extension.</p>
  296. <p>The flow between client and server will look like:</p>
  297. <example caption="Client requests register parameters">
  298. <![CDATA[
  299. <iq to="domain" type="get" id="req-0">
  300. <query xmlns="jabber:iq:register">
  301. <x xmlns="xmpp:sec">
  302. <KeyAgreement length="1024"/>
  303. </x>
  304. </query>
  305. </iq>
  306. ]]>
  307. </example>
  308. <p>The server will reply to the request by sending out its own ephemeral public key inside the &lt;x/&gt; extension.</p>
  309. <example caption="Server respond with register parameters">
  310. <![CDATA[
  311. <iq from="domain" type="result" id="req-0">
  312. <query xmlns="jabber:iq:register">
  313. <username/>
  314. <password/>
  315. <x xmlns="xmpp:sec">
  316. <KeyAgreement>
  317. <DHKeyValue>
  318. <Public>encoded server public key</Public>
  319. </DHKeyValue>
  320. </KeyAgreement>
  321. </x>
  322. </query>
  323. </iq>
  324. ]]>
  325. </example>
  326. <p>The client then generates its own public key, calculates the shared secret according to the DH method and uses it to encrypt the password accordingly. It includes its own ephemeral public key in the reply to the server inside the &lt;x/&gt; extension.</p>
  327. <example caption="Client sends register parameters">
  328. <![CDATA[
  329. <iq to="domain" type="set" id="req-1">
  330. <query xmlns="jabber:iq:register">
  331. <username>username</username>
  332. <password>encrypted password</password>
  333. <x xmlns="xmpp:sec">
  334. <KeyAgreement>
  335. <DHKeyValue>
  336. <Public>encoded client public key</Public>
  337. </DHKeyValue>
  338. </KeyAgreement>
  339. </x>
  340. </query>
  341. </iq>
  342. ]]>
  343. </example>
  344. <p>The server now calculates the shared secret according to the DH method and uses its private key to decrypt the password.</p>
  345. <example caption="Server acknowledge register">
  346. <![CDATA[
  347. <iq to="domain" type="result" id="req-1"/>
  348. ]]>
  349. </example>
  350. </section3>
  351. </section2>
  352. </section1>
  353. <section1 topic="Authenticated Key Agreement">
  354. <section2 topic="Introduction">
  355. <p>The Diffie-Hellman key agreement algorithm provides a mechanism to allow key establishment in a scalable and secure way. It allows two parties to agree on a shared value without requiring encryption. An Authenticated Key Agreement (AKE) is a secure protocol ensuring that in addition to securely sharing a secret, the two parties can be certain of each other&#8217;s identities, even when an active attacker exists.</p>
  356. <p>This AKE uses a hybrid protocol derived from the Internet Key Exchange (IKE) and the OAKLEY key determination protocol. The purpose is to negotiate and provide authenticated key material for security association (SA) in a protected manner. The basic mechanism is the Diffie-Hellman Key Exchange. It provides the following addition to base key agreement:</p>
  357. <ul>
  358. <li>it uses a weak address validation mechanism (cookies) to avoid denial of service attacks.
  359. </li>
  360. <li>it provides negotiation of mutually agreeable supporting algorithms for the protocol, such as the encryption method, the key derivation method and the authentication method.
  361. </li>
  362. <li>the authentication does not depend on encryption using the DH exponentials, but instead validates the binding of the exponential to the identities of the parties.
  363. </li>
  364. <li>it does not require the computation of the shared exponential before the authentication.
  365. </li>
  366. <li>it provides additional security to the derivation of encryption keys, as it is made to depend not only on the DH algorithm but also on the cryptographic method used to securely authenticate the parties to each other.
  367. </li>
  368. </ul>
  369. <p>This key agreement protocol is used to establish a shared key with an assigned identifier and associated identities for two parties. The resulting common keying information state comprises a key name, secret keying material, the identification of the two parties, and three algorithms for use during authentication:</p>
  370. <ul>
  371. <li>encryption for privacy,
  372. </li>
  373. <li>hashing for protecting the integrity of message and for authentication of message fields
  374. </li>
  375. <li>authentication to mutually authenticate the parties </li>
  376. </ul>
  377. <p>The anti-clogging tokens, or cookies, provide a weak form of source address identification for both parties. The cookie exchange can be completed before they perform the expensive computations later in the protocol. The cookies are also used for key naming.</p>
  378. <ul>
  379. <li>The construction of the cookies is implementation dependent. It is recommended to make them the result of a one-way function applied to a secret value (changed periodically), and the local and remote addresses. In this way, the cookies remain stateless and expire periodically. Note that this would cause the KEYID's derived from the secret value to also expire, necessitating the removal of any state information associated with it. </li>
  380. <li>The encryption functions must be cryptographic transforms which guarantee privacy and integrity for the message data. They include any that satisfy these criteria and are defined for use with &rfc2406;.</li>
  381. <li>The one-way hash functions must be cryptographic transforms which can be used as either keyed hash (pseudo-random) or non-keyed transforms. They include any that are defined for use with <cite>RFC2406</cite>.</li>
  382. <li>Where nonces are indicated they will be variable precision integers with an entropy value that matches the strength attribute of the DH group used in the exchange.</li>
  383. </ul>
  384. </section2>
  385. <section2 topic="Key Exchange Protocol">
  386. <p>The main exchange has three optional features: </p>
  387. <ul>
  388. <li>stateless cookie exchange, </li>
  389. <li>perfect forward secrecy for the keying material, </li>
  390. <li>use of signatures (for non-repudiation). </li>
  391. </ul>
  392. <p>The two parties can use any combination of these features. The general outline of processing is that the Initiator of the exchange begins by specifying as much information as he wishes in his first message. The Responder replies, supplying as much information as he wishes. The two sides exchange messages, supplying more information each time, until their requirements are satisfied. </p>
  393. <p>The choice of how much information to include in each message depends on which options are desirable. For example, if stateless cookies and perfect forward secrecy for the keying material are not requirements, and if non-repudiable signatures are acceptable, then the exchange can be completed in three messages. Additional features may increase the number of roundtrips needed for the keying material determination. </p>
  394. <p>The three components of the key determination are:</p>
  395. <ul>
  396. <li>Cookies exchange</li>
  397. <li>DH half key exchange</li>
  398. <li>Authentication</li>
  399. </ul>
  400. <p>The initiator can supply as little information as a bare exchange request, carrying no additional information. On the other hand the initiator can begin by supplying all the necessary information for the responder to authenticate the request and complete the key determination quickly, if the responder chooses to accept this method. If not, the responder can reply with a minimum amount of information.</p>
  401. <section3 topic="Aggressive Mode Key Exchange">
  402. <p>The following example indicates how two parties can complete a key exchange in three messages. The identities are not secret, the derived keying material is protected by PFS.</p>
  403. <p>By using digital signatures, the two parties will have a proof of communication that can be recorded and presented later to a third party.</p>
  404. <p>The keying material implied by the group exponentials is not needed for completing the exchange. If it is desirable to defer the computation, the implementation can save the "x" and "g^y" values and mark the keying material as "uncomputed". It can be computed from this information later.</p>
  405. <table>
  406. <tr><td>Initiator</td><td>Message content</td><td>Responder</td></tr>
  407. <tr><td>&#61920;</td><td>GRP, CKYi, DHi, EHAo, JIDi, JIDr, Ni, S{JIDi | JIDr | CKYi | 0 | Ni | 0 | GRP | DHi | 0 | EHAo}Ki</td><td>&#61920;</td></tr>
  408. <tr><td>&#61919;</td><td>GRP, CKYr, DHr, EHAs, JIDi, JIDr, Nr, S{JIDr | JIDi| | CKYr | CKYi | Nr | Ni | GRP | DHr | DHi | EHAs}Kr</td><td>&#61919;</td></tr>
  409. <tr><td>&#61920;</td><td>GRP, CKYi, CKYr, DHi, EHAs, JIDi, JIDr, Ni, Nr, S{JIDi | JIDr | CKYr | CKYi | Ni | Nr | GRP | DHi | DHr | EHAs}KEY</td><td>&#61920;</td></tr>
  410. </table>
  411. <p>The result of this exchange is a key with :</p>
  412. <ul>
  413. <li>KEYID = CKYi | CKYr </li>
  414. <li>sKEYID = prf(Ni | Nr, KEY | CKYi | CKYr). </li>
  415. </ul>
  416. <p>The Aggressive Mode example is written to suggest that public key technology is used for the signatures. However, a pseudorandom function can be used, if the parties have previously agreed to such a scheme and have a shared key. </p>
  417. <p>If the first proposal in the EHAo list is an "existing key" method, then the KEYID named in that proposal will supply the keying material for the "signature" which is computed using the "H" algorithm associated with the KEYID. </p>
  418. </section3>
  419. <section3 topic="Main Mode Key Exchange">
  420. <p>In this exchange the two parties are minimally aggressive; they use the cookie exchange to delay creation of state, and they use perfect forward secrecy to protect the identities. </p>
  421. <p>They use public key encryption for authentication; digital signatures or pre-shared keys can also be used. The Main mode does not change the use of nonces, prf's, etc., but it does change how much information is transmitted in each message. </p>
  422. <p>The responder considers the ability of the initiator to repeat CKYr as weak evidence that the message originates from a "live" correspondent on the network and the correspondent is associated with the initiator's network address. </p>
  423. <p>The initiator makes similar assumptions when CKYi is repeated to the initiator. All messages must have valid cookies or at least one zero cookie. If both cookies are zero, this indicates a request for a cookie; if only the initiator cookie is zero, it is a response to a cookie request. </p>
  424. <p>Information in messages violating the cookie rules cannot be used for any operations. Note that the Initiator and Responder must agree on one set of EHA algorithms; there is not one set for the Responder and one for the Initiator. The Initiator must include at least MD5 and DES in the initial offer. </p>
  425. <table>
  426. <tr><td>Initiator</td><td>Message content</td><td>Responder</td></tr>
  427. <tr><td>&#61920;</td><td>CKYi, DHi, EHAo, JIDi, JIDr</td><td>&#61920;</td></tr>
  428. <tr><td>&#61919;</td><td>CKYr, DHr, EHAs, JIDi, JIDr</td><td>&#61919;</td></tr>
  429. <tr><td>&#61920;</td><td>GRP, CKYi, CKYr, DHi, EHAs, JIDi, JIDr, E{Ni}KEY</td><td>&#61920;</td></tr>
  430. <tr><td>&#61919;</td><td>GRP, CKYi, CKYr, DHr, JIDi, JIDr, E{Ni | Nr}KEY, prf(Kir, JIDr | JIDi | GRP | DHr | DHi | EHAs )</td><td>&#61919;</td></tr>
  431. <tr><td>&#61920;</td><td>GRP, CKYi, CKYr, DHi, JIDi, JIDr, prf(Kir, JIDi | JIDr | GRP | DHi | DHr | EHAs )</td><td>&#61920;</td></tr>
  432. </table>
  433. <p>Where Kir = prf(0, Ni | Nr)</p>
  434. <p>The result of this exchange is a key with :</p>
  435. <ul>
  436. <li>KEYID = CKYi | CKYr </li>
  437. <li>sKEYID = prf(Kir, KEY | CKYi | CKYr). </li>
  438. </ul>
  439. </section3>
  440. <section3 topic="Deriving key material for Cryptographic Transforms">
  441. <p>The keying material computed by the key exchange should have at least 90 bits of entropy, which means that it must be at least 90 bits in length. This may be more or less than is required for keying the encryption and/or pseudorandom function transforms.</p>
  442. <p>The transforms used should have auxiliary algorithms which take a variable precision integer and turn it into keying material of the appropriate length. The result of either Main Mode or Aggressive Mode is three groups of authenticated keying material:</p>
  443. <table>
  444. <tr><td>Context</td><td>Keying Material</td></tr>
  445. <tr><td>Digest</td><td>sKEYID_d = prf(sKEYID, KEY | CKYi | CKYr | 0)</td></tr>
  446. <tr><td>Authentication</td><td>sKEYID_a = prf(sKEYID, SKEYID_d | KEY | CKYi | CKYr | 1)</td></tr>
  447. <tr><td>Encryption</td><td>sKEYID_e = prf(sKEYID, SKEYID_a | KEY | CKYi | CKYr | 2)</td></tr>
  448. </table>
  449. <p>and agreed upon policy to protect further communications. The values of 0, 1, and 2 above are represented by a single octet. The key used for encryption is derived from sKEYID_e in an algorithm-specific manner.</p>
  450. <p>Encryption keys used to protect the SA are derived from sKEYID_e in an algorithm-specific manner. When SKEYID_e is not long enough to supply all the necessary keying material an algorithm requires, the key is derived from feeding the results of a pseudo-random function into itself, concatenating the results, and taking the highest necessary bits.</p>
  451. <p>For example, if the (fictitious) algorithm MYALGO requires 320 bits of key, and the prf used to generate sKEYID_e only generates 120 bits of material, the key for MYALGO would be the first 320 bits of Ka, where:</p>
  452. <p> Ka = K1 | K2 | K3 | ...</p>
  453. <p> </p>
  454. <p> And</p>
  455. <ul>
  456. <li>K1 = prf(sKEYID_e, 0)</li>
  457. <li>K2 = prf(sKEYID_e, K1)</li>
  458. <li>K3 = prf(sKEYID_e, K2)</li>
  459. <li>...</li>
  460. </ul>
  461. <p>prf is the HMAC version of the negotiated hash function and 0 is represented by a single octet. Each result of the prf provides 120 bits of material for a total of 360 bits. MYALGO would use the first 320 bits of that 360 bit string.</p>
  462. </section3>
  463. </section2>
  464. <section2 topic="Authenticated Key Exchange Application">
  465. <section3 topic="Main Mode Key Exchange">
  466. <section4 topic="Initiator request Security Association parameters">
  467. <p>The initiator uses a &lt;SecurityAssociation/&gt; element in the request to list all the EHA algorithms that it supports. In addition it provides its own DH ephemeral public key.</p>
  468. <ul>
  469. <li>The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  470. </li>
  471. <li>The initiator cookie is prepared by generating a string of 32 random octets (64 random bits). The cookie resulting octets are then encoded into a string of hex characters. The generated value is used as the originator key name for the security association.</li>
  472. </ul>
  473. <ul>
  474. <li>The available set of confidentiality and HMAC cryptographic algorithms is selected. The manner in which these algorithms are selected and all related policy issues are outside the scope of this specification.
  475. </li>
  476. <li>The available set of authentication algorithms is selected. The manner in which these algorithms are selected and all related policy issues are outside the scope of this specification. When the digital signature form of authentication is selected, the relevant end-entity certificate and, optionally, a chain of CA certificates representing a validation path, is assembled and encoded. A set of trusted CA certificates MAY optionally be included via caCertificate elements; if so, the set MUST include the issuer of the initiator's end-entity certificate.
  477. </li>
  478. </ul>
  479. <p>These values are then used to prepare the XML element; this element is transmitted via the existing XMPP iq mechanism: </p>
  480. <code><![CDATA[
  481. <iq from="initiator@domain" to="responder@domain" type="get" id="req-0">
  482. <query xmlns="xmpp:sec">
  483. <SecurityAssociation id="SA@domain">
  484. <OriginatorKeyInfo>
  485. <KeyName>A32F...245A</KeyName>
  486. </OriginatorKeyInfo>
  487. <EncryptionMethod Algorithm="des"/>
  488. <EncryptionMethod Algorithm="tripledes-cbc"/>
  489. <EncryptionMethod Algorithm="aes128"/>
  490. <EncryptionMethod Algorithm="aes129"/>
  491. <EncryptionMethod Algorithm="aes256"/>
  492. <DigestMethod Algorithm="hmac-md5"/>
  493. <DigestMethod Algorithm="hmac-sha1"/>
  494. <DigestMethod Algorithm="hmac-sha128"/>
  495. <DigestMethod Algorithm="hmac-sha256"/>
  496. <DigestMethod Algorithm="hmac-ripemd128"/>
  497. <DigestMethod Algorithm="hmac-ripemd160"/>
  498. <SignatureMethod Algorithm="dsa-sha1"/>
  499. <SignatureMethod Algorithm="rsa-sha1"/>
  500. </SecurityAssociation>
  501. </query>
  502. </iq>
  503. ]]></code>
  504. </section4>
  505. <section4 topic="Responder select Security Association parameters">
  506. <p>The responder will reply to the request by sending out its own selected EHA algorithms that will be used in the remaining transaction. </p>
  507. <ul>
  508. <li>The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  509. </li>
  510. <li>The responder cookie is prepared by generating a string of 32 random octets (64 random bits). The resulting cookie octets are then encoded into a string of hex characters. The generated value is used as the recipient key name for the security association.
  511. </li>
  512. <li>The algorithms attributes are checked against the values supported by the user agent. If the receiver is not able to select one set out of the proposed algorithms, an error code 406-Unacceptable is returned.
  513. </li>
  514. <li>The desired confidentiality and HMAC cryptographic algorithms are selected from the proposed set. The manner in which these algorithms are selected and all related policy issues are outside the scope of this specification.
  515. </li>
  516. <li>The desired authentication algorithm is selected from the proposed set. The manner in which this algorithm is selected and all related policy issues are outside the scope of this specification. In the digital signature case, the responder's end-entity certificate MUST be issued by one of the trusted CAs listed in the session1 PDU or by the same issuer as the initiator's end-entity certificate. If the responder does not have acceptable credentials, an error code of 401-Unauthorized occurs.
  517. </li>
  518. </ul>
  519. <code><![CDATA[
  520. <iq from="responder@domain" to="initiator@domain" type="result" id="req-0">
  521. <query xmlns="xmpp:sec">
  522. <SecurityAssociation id="SA@domain">
  523. <OriginatorKeyInfo>
  524. <KeyName>A32F...245A</KeyName>
  525. </OriginatorKeyInfo>
  526. <RecipientKeyInfo>
  527. <KeyName>324A...BF24</KeyName>
  528. </RecipientKeyInfo>
  529. <EncryptionMethod Algorithm="tripledes-cbc"/>
  530. <DigestMethod Algorithm="hmac-sha1"/>
  531. <SignatureMethod Algorithm="rsa-sha1"/>
  532. </SecurityAssociation>
  533. </query>
  534. </iq>
  535. ]]></code>
  536. </section4>
  537. <section4 topic="Initiator provides its ephemeral public key">
  538. <p>The initiator provides its own DH ephemeral public key.</p>
  539. <ul>
  540. <li>The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  541. </li>
  542. <li>The initiator and responder cookies are used as the originator key name and the recipient key name for the security association.
  543. </li>
  544. <li>A Diffie-Hellman group is selected. The appropriate values for g and p will be used to generate the initiator's public key.
  545. </li>
  546. <li>An ephemeral private key, x, is generated using g and p for the selected group. This key MUST be generated using an appropriate random number source. The corresponding public key, g^x, is generated and encoded. </li>
  547. </ul>
  548. <code><![CDATA[
  549. <iq from="initiator@domain" to="responder@domain" type="get" id="req-1">
  550. <query xmlns="xmpp:sec">
  551. <SecurityAssociation id="SA@domain">
  552. <OriginatorKeyInfo>
  553. <KeyName>A32F...245A</KeyName>
  554. </OriginatorKeyInfo>
  555. <RecipientKeyInfo>
  556. <KeyName>324A...BF24</KeyName>
  557. </RecipientKeyInfo>
  558. </SecurityAssociation>
  559. <KeyAgreement length="1024">
  560. <DHKeyValue>
  561. <Public>
  562. ... encoded initiator public key
  563. </Public>
  564. </DHKeyValue>
  565. </KeyAgreement>
  566. </query>
  567. </iq>
  568. ]]></code>
  569. </section4>
  570. <section4 topic="Responder provides its ephemeral public key">
  571. <p>The responder checks the validity of the parameters and eventually replies with its own DH ephemeral public key.</p>
  572. <ul>
  573. <li>The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  574. </li>
  575. <li>The initiator and responder cookies are checked; a mismatch results in an error code of 406 - Unacceptable.
  576. </li>
  577. <li>The Diffie-Hellman group is checked against the values supported by the user agent. An unsupported group results in an error code of 406 - Unacceptable
  578. </li>
  579. <li>An ephemeral private key, y, is generated using g and p for the group indicated by the PDU. This key MUST be generated using an appropriate random number source. The corresponding public key, g^y, is generated and encoded. </li>
  580. </ul>
  581. <code><![CDATA[
  582. <iq from="responder@domain" to="initiator@domain" type="result" id="req-1">
  583. <query xmlns="xmpp:sec">
  584. <SecurityAssociation id="SA@domain">
  585. <OriginatorKeyInfo>
  586. <KeyName>A32F...245A</KeyName>
  587. </OriginatorKeyInfo>
  588. <RecipientKeyInfo>
  589. <KeyName>324A...BF24</KeyName>
  590. </RecipientKeyInfo>
  591. </SecurityAssociation>
  592. <KeyAgreement length="1024">
  593. <DHKeyValue>
  594. <Public>
  595. ... encoded responder public key
  596. </Public>
  597. </DHKeyValue>
  598. </KeyAgreement>
  599. </query>
  600. </iq>
  601. ]]></code>
  602. </section4>
  603. <section4 topic="Initiator provides its encrypted nonce">
  604. <p>The initiator provides its nonce encrypted with the agreed algorithm and the public key of the responder.</p>
  605. <ul>
  606. <li>The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  607. </li>
  608. <li>The initiator and responder cookies are checked; a mismatch results in the procedure being aborted.
  609. </li>
  610. <li>The initiator nonce is prepared by first generating a string of 20 random octets (160 random bits). The nonce is then encrypted using the selected encryption algorithm and the shared secret key. The resulting octets are then encoded into a string of base64 characters. </li>
  611. </ul>
  612. <code><![CDATA[
  613. <iq from="initiator@domain" to="responder@domain" type="get" id="req-1">
  614. <query xmlns="xmpp:sec">
  615. <SecurityAssociation id="SA@domain">
  616. <OriginatorKeyInfo>
  617. <KeyName>A32F...245A</KeyName>
  618. </OriginatorKeyInfo>
  619. <RecipientKeyInfo>
  620. <KeyName>324A...BF24</KeyName>
  621. </RecipientKeyInfo>
  622. </SecurityAssociation>
  623. <KeyAgreement>
  624. <KA-Nonce>
  625. <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
  626. Type="http://www.w3.org/2001/04/xmlenc#Element">
  627. <CipherData>
  628. <CipherValue>
  629. ... encoded encrypted initiator nonce
  630. </CipherValue>
  631. </CipherData>
  632. </EncryptedData>
  633. </KA-Nonce>
  634. </KeyAgreement>
  635. </query>
  636. </iq>
  637. ]]></code>
  638. </section4>
  639. <section4 topic="Responder provides its encrypted nonce">
  640. <p>The responder replies with the concatenation of its own nonce and the initiator nonce encrypted with the agreed algorithm and the public key of the initiator. The packet is authenticated using the agreed signature algorithm.</p>
  641. <ul>
  642. <li>The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  643. </li>
  644. <li>The initiator and responder cookies are checked; a mismatch results in an error code of 401 - Unauthorized.
  645. </li>
  646. <li>The initiator nonce is decrypted using the responder private key.
  647. </li>
  648. <li>The responder nonce is prepared by first generating a string of 20 random octets (160 random bits). It is then appended to the initiator nonce and the result encrypted using the selected encryption algorithm and the shared secret key. The resulting octets are then encoded into a string of base64 characters.
  649. </li>
  650. <li>Based on the selected authentication algorithm, the responder's authenticator is constructed. A digital signature requires calculating:
  651. </li>
  652. </ul>
  653. <ol>
  654. <li>Kir = hmac (0, initiator's nonce | responder's nonce)
  655. </li>
  656. <li>EHAs = (Encryption algorithm URI | Digest algorithm URI | Signature algorithm URI)
  657. </li>
  658. <li>HASH_R = hmac (Kir, JID responder | JID initiator | length of DH group | responder DH public key | initiator DH public key | EHAs)
  659. </li>
  660. </ol>
  661. <ul>
  662. <li>HASH_R is encoded in base64. </li>
  663. </ul>
  664. <code><![CDATA[
  665. <iq from="responder@domain" to="initiator@domain" type="result" id="req-1">
  666. <query xmlns="xmpp:sec">
  667. <SecurityAssociation id="SA@domain">
  668. <OriginatorKeyInfo>
  669. <KeyName>A32F...245A</KeyName>
  670. </OriginatorKeyInfo>
  671. <RecipientKeyInfo>
  672. <KeyName>324A...BF24</KeyName>
  673. </RecipientKeyInfo>
  674. </SecurityAssociation>
  675. <KeyAgreement>
  676. <KA-Nonce>
  677. <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
  678. Type="http://www.w3.org/2001/04/xmlenc#Element">
  679. <CipherData>
  680. <CipherValue>
  681. ... encoded encrypted responder nonce
  682. </CipherValue>
  683. </CipherData>
  684. </EncryptedData>
  685. </KA-Nonce>
  686. </KeyAgreement>
  687. <Signature
  688. xmlns="http://www.w3.org/2000/09/xmldsig#"
  689. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  690. xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig#xmldsig-core-schema.xsd">
  691. <SignatureValue>
  692. ... encoded signature value
  693. </SignatureValue>
  694. </Signature>
  695. </query>
  696. </iq>
  697. ]]></code>
  698. </section4>
  699. <section4 topic="Initiator authenticate the final agreement">
  700. <p>The initiator authenticates the keying material using the agreed signature algorithm.</p>
  701. <ul>
  702. <li>The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  703. </li>
  704. <li>The initiator and responder cookies are checked; a mismatch results in the procedure being aborted.
  705. </li>
  706. <li>The concatenation of the responder and initiator nonce is decrypted using the initiator private key. The original initiator nonce is compared to the result. An invalid nonce results in aborting the procedure. Otherwise the result is used to generate Kir.
  707. </li>
  708. <li>Based on the selected authentication algorithm, the responder's authenticator is constructed. A digital signature requires calculating:
  709. </li>
  710. </ul>
  711. <ol>
  712. <li>Kir = hmac (0, initiator's nonce | responder's nonce)
  713. </li>
  714. <li>EHAs = (Encryption algorithm URI | Digest algorithm URI | Signature algorithm URI)
  715. </li>
  716. <li>HASH_R = hmac (Kir, JID responder | JID initiator | length of DH group | responder DH public key | initiator DH public key | EHAs)
  717. </li>
  718. </ol>
  719. <ul>
  720. <li>The authenticator is verified. A failure results in aborting the procedure.
  721. </li>
  722. <li>Based on the selected authentication algorithm, the initiator&#8217;s authenticator is constructed. A digital signature requires calculating:
  723. </li>
  724. </ul>
  725. <ol>
  726. <li>HASH_I = hmac (Kir, JID initiator | JID responder | length of DH group | initiator DH public key | responder DH public key | EHAs)
  727. </li>
  728. </ol>
  729. <code><![CDATA[
  730. <iq from="initiator@domain" to="responder@domain" type="set" id="req-2">
  731. <query xmlns="xmpp:sec">
  732. <SecurityAssociation id="SA@domain">
  733. <OriginatorKeyInfo>
  734. <KeyName>A32F...245A</KeyName>
  735. </OriginatorKeyInfo>
  736. <RecipientKeyInfo>
  737. <KeyName>324A...BF24</KeyName>
  738. </RecipientKeyInfo>
  739. </SecurityAssociation>
  740. <Signature
  741. xmlns="http://www.w3.org/2000/09/xmldsig#"
  742. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  743. xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig#
  744. xmldsig-core-schema.xsd">
  745. <SignatureValue>
  746. <p>... encoded signature value</p>
  747. </SignatureValue>
  748. </Signature>
  749. </query>
  750. </iq>
  751. ]]></code>
  752. </section4>
  753. <section4 topic="Responder checks the final agreement">
  754. <p>The responder acknowledges the keying material.</p>
  755. <ul>
  756. <li>The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  757. </li>
  758. <li>The initiator and responder cookies are checked; a mismatch results in an error code of 401 - Unauthorized.
  759. </li>
  760. <li>Based on the selected authentication algorithm, the initiator's authenticator is constructed. A digital signature requires calculating:
  761. </li>
  762. </ul>
  763. <ol>
  764. <li>HASH_I = hmac (Kir, JID initiator | JID responder | length of DH group | initiator DH public key | responder DH public key | EHAs)
  765. </li>
  766. </ol>
  767. <ul>
  768. <li>The authenticator is verified. A failure results in an error code of 406 - Unacceptable.
  769. </li>
  770. </ul>
  771. <code><![CDATA[
  772. <iq from="responder@domain" to="initiator@domain" type="result" id="req-2"/>
  773. ]]></code>
  774. </section4>
  775. </section3>
  776. <section3 topic="Aggressive Mode Key Exchange">
  777. <section4 topic="Initiator provides all Security Association parameters">
  778. <p>The initiator uses &lt;SecurityAssociation/&gt; element in the request to list all the EHA algorithms that it supports. In addition it provides its own DH ephemeral public key. The message is signed with its own private key.</p>
  779. <ul>
  780. <li>The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  781. </li>
  782. <li>The initiator cookie is prepared by generating a string of 32 random octets (64 random bits). The cookie resulting octets are then encoded into a string of hex characters. The generated value will be used as identifier for the initiator leg of the security association.
  783. </li>
  784. <li>The available set of confidentiality and HMAC cryptographic algorithms is selected. The manner in which these algorithms are selected and all related policy issues are outside the scope of this specification.
  785. </li>
  786. <li>The available set of authentication algorithms is selected. The manner in which these algorithms are selected and all related policy issues are outside the scope of this specification. When the digital signature form of authentication is selected, the relevant end-entity certificate and, optionally, a chain of CA certificates representing a validation path, is assembled and encoded. A set of trusted CA certificates MAY optionally be included via caCertificate elements; if so, the set MUST include the issuer of the initiator's end-entity certificate.
  787. </li>
  788. <li>A Diffie-Hellman group is selected. The appropriate values for g and p will be used to generate the initiator's public key.
  789. </li>
  790. <li>An ephemeral private key, x, is generated using g and p for the selected group. This key MUST be generated using an appropriate random number source. The corresponding public key, g^x, is generated and encoded.
  791. </li>
  792. <li>The initiator nonce is prepared by first generating a string of 20 random octets (160 random bits). The resulting octets are then encoded into a string of base64 characters.
  793. </li>
  794. <li>Based on the selected authentication algorithm, the initiator's authenticator is constructed. A digital signature requires calculating:
  795. </li>
  796. </ul>
  797. <ol>
  798. <li>EHAs = (Encryption algorithm URI | Digest algorithm URI | Signature algorithm URI)
  799. </li>
  800. <li>SIGN_I = S (JID initiator | JID responder | initiator cookie | 0 | initiator nonce | 0 | length of DH group | initiator DH public key | 0 | EHAs) initiator private key
  801. </li>
  802. </ol>
  803. <ul>
  804. <li>SIGN_I is encoded in base64. </li>
  805. </ul>
  806. <code><![CDATA[
  807. <iq from="initiator@domain" to="responder@domain" type="get" id="req-0">
  808. <query xmlns="xmpp:sec">
  809. <SecurityAssociation id="SA@domain">
  810. <OriginatorKeyInfo>
  811. <KeyName>A32F...245A</KeyName>
  812. <RSAKeyValue>
  813. <p>... encoded initiator public key value </p>
  814. </RSAKeyValue>
  815. </OriginatorKeyInfo>
  816. <EncryptionMethod Algorithm="tripledes-cbc"/>
  817. <DigestMethod Algorithm="hmac-sha1"/>
  818. <SignatureMethod Algorithm="rsa-sha1"/>
  819. </SecurityAssociation>
  820. <KeyAgreement length="1024">
  821. <DHKeyValue>
  822. <Public>
  823. <p>... encoded initiator public key</p>
  824. </Public>
  825. </DHKeyValue>
  826. <KA-Nonce>
  827. <p>... encoded initiator nonce value</p>
  828. </KA-Nonce>
  829. </KeyAgreement>
  830. <Signature
  831. xmlns="http://www.w3.org/2000/09/xmldsig#"
  832. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  833. xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig#xmldsig-core-schema.xsd">
  834. <SignatureValue>
  835. <p>... encoded initiator signature value</p>
  836. </SignatureValue>
  837. </Signature>
  838. </query>
  839. </iq>
  840. ]]></code>
  841. </section4>
  842. <section4 topic="Responder respond to Security Association parameters">
  843. <p>The responder will reply to the request by acknowledging the selected EHA algorithms. In addition, it provides its own DH ephemeral public key. The message is signed with its own private key.</p>
  844. <ul>
  845. <li>The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  846. </li>
  847. <li>The Diffie-Hellman group is checked against the values supported by the user agent. An unsupported group results in an error code of 406 - Unacceptable.
  848. </li>
  849. <li>Based on the selected authentication algorithm, the initiator's authenticator is constructed. A digital signature requires calculating:
  850. </li>
  851. </ul>
  852. <ol>
  853. <li>EHAs = (Encryption algorithm URI | Digest algorithm URI | Signature algorithm URI)
  854. </li>
  855. <li>SIGN_I = S (JID initiator | JID responder | initiator cookie | 0 | initiator nonce | 0 | length of DH group | initiator DH public key | 0 | EHAs) initiator public key
  856. </li>
  857. </ol>
  858. <ul>
  859. <li>The authenticator is verified. A failure results in an error code of 401 - Unauthorized.
  860. </li>
  861. <li>The responder cookie is prepared by generating a string of 32 random octets (64 random bits). The cookie resulting octets are then encoded into a string of hex characters. The generated value will be used as identifier for the responder leg of the security association.
  862. </li>
  863. <li>An ephemeral private key, y, is generated using g and p for the group indicated by the PDU. This key MUST be generated using an appropriate random number source. The corresponding public key, g^y, is generated and encoded.
  864. </li>
  865. <li>The responder nonce is prepared by first generating a string of 20 random octets (160 random bits). The resulting octets are then encoded into a string of base64 characters.
  866. </li>
  867. <li>Based on the selected authentication algorithm, the responder's authenticator is constructed. A digital signature requires calculating:
  868. </li>
  869. </ul>
  870. <ol>
  871. <li>SIGN_R = S (JID responder | JID initiator | responder cookie | initiator cookie | responder nonce | initiator nonce | length of DH group | responder DH public key | initiator DH public key | EHAs) responder private key
  872. </li>
  873. </ol>
  874. <ul>
  875. <li>SIGN_R is encoded in base64. </li>
  876. </ul>
  877. <code><![CDATA[
  878. <iq from="responder@domain" to="initiator@domain" type="result" id="req-0">
  879. <query xmlns="xmpp:sec">
  880. <SecurityAssociation id="SA@domain">
  881. <OriginatorKeyInfo>
  882. <KeyName>A32F...245A</KeyName>
  883. </OriginatorKeyInfo>
  884. <RecipientKeyInfo>
  885. <KeyName>324A...BF24</KeyName>
  886. <RSAKeyValue>
  887. <p>... encoded responder public key value </p>
  888. </RSAKeyValue>
  889. </RecipientKeyInfo>
  890. </SecurityAssociation>
  891. <KeyAgreement length="1024">
  892. <DHKeyValue>
  893. <Public>
  894. <p>... encoded responder public key</p>
  895. </Public>
  896. </DHKeyValue>
  897. <KA-Nonce>
  898. <p>... encoded responder nonce value</p>
  899. </KA-Nonce>
  900. </KeyAgreement>
  901. <Signature
  902. xmlns="http://www.w3.org/2000/09/xmldsig#"
  903. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  904. xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig#
  905. xmldsig-core-schema.xsd">
  906. <SignatureValue>
  907. <p>... encoded responder signature value</p>
  908. </SignatureValue>
  909. </Signature>
  910. </query>
  911. </iq>
  912. ]]></code>
  913. </section4>
  914. <section4 topic="Initiator authenticate the final agreement">
  915. <p>The initiator authenticates the keying material using the agreed signature algorithm.</p>
  916. <ul>
  917. <li>The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  918. </li>
  919. <li>Based on the selected authentication algorithm, the initiator's authenticator is constructed. A digital signature requires calculating:
  920. </li>
  921. </ul>
  922. <ol>
  923. <li>EHAs = (Encryption algorithm URI | Digest algorithm URI | Signature algorithm URI)
  924. </li>
  925. <li>SIGN_R = S (JID responder | JID initiator | responder cookie | initiator cookie | responder nonce | initiator nonce | length of DH group | responder DH public key | initiator DH public key | EHAs) responder public key
  926. </li>
  927. </ol>
  928. <ul>
  929. <li>The authenticator is verified. A failure results in the procedure being aborted.
  930. </li>
  931. <li>Based on the selected authentication algorithm, the authenticator is constructed. A digital signature requires calculating:
  932. </li>
  933. </ul>
  934. <ol>
  935. <li>SIGN_I = S (JID initiator | JID responder | initiator cookie | responder cookie | initiator nonce | responder nonce | length of DH group | initiator DH public key | responder DH public key | EHAs) shared secret key
  936. </li>
  937. </ol>
  938. <ul>
  939. <li>SIGN_I is encoded in base64. </li>
  940. </ul>
  941. <code><![CDATA[
  942. <iq from="initiator@domain" to="responder@domain" type="set" id="req-2">
  943. <query xmlns="xmpp:sec">
  944. <SecurityAssociation id="SA@domain">
  945. <OriginatorKeyInfo>
  946. <KeyName>A32F...245A</KeyName>
  947. </OriginatorKeyInfo>
  948. <RecipientKeyInfo>
  949. <KeyName>324A...BF24</KeyName>
  950. </RecipientKeyInfo>
  951. </SecurityAssociation>
  952. <Signature
  953. xmlns="http://www.w3.org/2000/09/xmldsig#"
  954. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  955. xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig#
  956. xmldsig-core-schema.xsd">
  957. <SignatureValue>
  958. <p>... encoded signature value</p>
  959. </SignatureValue>
  960. </Signature>
</query>
  961. </iq>
  962. ]]></code>
  963. </section4>
  964. <section4 topic="Responder check the final agreement">
  965. <p>The responder acknowledges the keying material.</p>
  966. <ul>
  967. <li>The values of initiator and responder MUST be the JIDs of the two participants, respectively.
  968. </li>
  969. <li>Based on the selected authentication algorithm, the initiator's authenticator is constructed. A digital signature requires calculating:
  970. </li>
  971. </ul>
  972. <ol>
  973. <li>EHAs = (Encryption algorithm URI | Digest algorithm URI | Signature algorithm URI)
  974. </li>
  975. <li>SIGN_I = S (JID initiator | JID responder | initiator cookie | responder cookie | initiator nonce | responder nonce | length of DH group | initiator DH public key | responder DH public key | EHAs) shared secret key
  976. </li>
  977. </ol>
  978. <ul>
  979. <li>The authenticator is verified. A failure results in an error code of 406 - Unacceptable.
  980. </li>
  981. </ul>
  982. <code><![CDATA[
  983. <iq from="responder@domain" to="initiator@domain" type="result" id="req-2"/>
  984. ]]></code>
  985. </section4>
  986. </section3>
  987. </section2>
  988. </section1>
  989. <section1 topic="Key Transport">
  990. <section2 topic="Conversation Key Transport">
  991. <p>Conversation keys are transported using the symmetric key wrap feature of XML Encryption embedded in the KeyTransport PDU. </p>
  992. <section3 topic="Key transport exchange">
  993. <p>Key transport follows a previous Security Association establishment and the generation of a shared secret key through a key agreement.</p>
  994. <table>
  995. <tr><td>Initiator</td><td>Message content</td><td>Responder</td></tr>
  996. <tr><td>&#61920;</td><td>JIDi, JIDr, CKYe, sKEYID_e, CKYa, sKEYID_a, CKYd, sKEYID_d, S{JIDi | JIDr | Ni | Nr | CKYe | sKEYID_e | CKYa | sKEYID_a | CKYd | sKEYID_d }KEY</td><td>&#61920;</td></tr>
  997. </table>
  998. </section3>
  999. <section3 topic="Generating And Sending a Conversation Key Transport PDU">
  1000. <p>The Key Transport assumes that a security association be negotiated for the purpose of securely transporting conversation keys. The sender's user agent employs the following algorithm to generate the keyTransport PDU: </p>
  1001. <ul>
  1002. <li>The values of initiator and responder MUST be the JIDs of the two participants who negotiated the security association, respectively.
  1003. </li>
  1004. <li>The security association identifier is assembled.
  1005. </li>
  1006. <li>The payload, which consists of the confidentiality key sKEYID_e, digest key sKEYID_d and the integrity key sKEYID_a, is wrapped in instances of xenc:EncryptedKey as follows:
  1007. </li>
  1008. </ul>
  1009. <ol>
  1010. <li>The Type attribute of the xenc:EncryptedKey element MUST indicate 'content'.
  1011. </li>
  1012. <li>The Id, MimeType and Encoding attributes of the xenc:EncryptedKey element MUST NOT be present.
  1013. </li>
  1014. <li>The xenc:EncryptionMethod element MUST be present, and the Algorithm attribute MUST indicate a valid symmetric key wrap algorithm. Furthermore, the algorithm MUST be the same as was negotiated for the security association.
  1015. </li>
  1016. <li>The ds:KeyInfo element MUST NOT be present. The key to use is the shared secret KEY of the negotiated security association.
  1017. </li>
  1018. <li>The xenc:ContainedKeyName element MUST be present.
  1019. </li>
  1020. <li>The xenc:CipherData element MUST be present, and it MUST use the CipherValue choice. </li>
  1021. </ol>
  1022. <ul>
  1023. <li>The HMAC is computed using KEY of the negotiated security association. A digital signature requires calculating:
  1024. </li>
  1025. </ul>
  1026. <ol>
  1027. <li>HMAC = prf(KEY, JIDi | JIDr | Ni | Nr | sKEYID_e key name | sKEYID_e | sKEYID_a key name | sKEYID_a | sKEYID_d key name | sKEYID_d)
  1028. </li>
  1029. </ol>
  1030. <p>These values are then used to prepare the XML KeyTransport element; this element is transmitted via the existing XMPP iq mechanism. The order in which the keys are in the payload is significant. The first mandatory key is sKEYID_e. The second optional key is sKEYID_a. And the last optional key is sKEYID_d. </p>
  1031. <code><![CDATA[
  1032. <iq from="initiator@domain" to="responder@domain" type="set" id="req-0">
  1033. <query xmlns="xmpp:sec">
  1034. <SecurityAssociation id="negotiated SA id"/>
  1035. <KeyTransport>
  1036. <EncryptedKey xmlns='http://www.w3.org/2001/04/xmlenc#'
  1037. Type='http://www.w3.org/2001/04/xmlenc#Content'>
  1038. <ContainedKeyName>A32F...245A324A...BF24-enc</ContainedKeyName>
  1039. <EncryptionMethod Algorithm="kw-tripledes"/>
  1040. <CipherData>
  1041. <CipherValue>
  1042. <p>... encoded encrypted confidentiality key</p>
  1043. </CipherValue>
  1044. </CipherData>
  1045. </EncryptedKey>
  1046. <EncryptedKey xmlns='http://www.w3.org/2001/04/xmlenc#'
  1047. Type='http://www.w3.org/2001/04/xmlenc#Content'>
  1048. <ContainedKeyName>A32F...245A324A...BF24-auth</ContainedKeyName>
  1049. <EncryptionMethod Algorithm="kw-tripledes"/>
  1050. <CipherData>
  1051. <CipherValue>
  1052. <p>... encoded encrypted integrity key</p>
  1053. </CipherValue>
  1054. </CipherData>
  1055. </EncryptedKey>
  1056. <EncryptedKey xmlns='http://www.w3.org/2001/04/xmlenc#'
  1057. Type='http://www.w3.org/2001/04/xmlenc#Content'>
  1058. <ContainedKeyName>A32F...245A324A...BF24-dig</ContainedKeyName>
  1059. <EncryptionMethod Algorithm="kw-tripledes"/>
  1060. <CipherData>
  1061. <CipherValue>
  1062. <p>... encoded encrypted digest key</p>
  1063. </CipherValue>
  1064. </CipherData>
  1065. </EncryptedKey>
  1066. </KeyTransport>
  1067. <Signature
  1068. xmlns="http://www.w3.org/2000/09/xmldsig#"
  1069. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  1070. xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig#
  1071. xmldsig-core-schema.xsd">
  1072. <SignedInfo>
  1073. <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa"/>
  1074. <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  1075. </SignedInfo>
  1076. <SignatureValue>
  1077. <p>... encoded signature value</p>
  1078. </SignatureValue>
  1079. </Signature>
  1080. </query>
  1081. </iq>
  1082. ]]></code>
  1083. </section3>
  1084. <section3 topic="Receiving and Processing the Conversation Key Transport PDU">
  1085. <p>The receiver's user agent employs the following algorithm to process each KeyTransport PDU: </p>
  1086. <ul>
  1087. <li>The values of initiator, responder, and security association id MUST indicate an existing security association. An invalid security association results in an error of 401 - Unauthorized.
  1088. </li>
  1089. <li>The payload, which consists of the confidentiality key sKEYID_e, digest key sKEYID_d and the integrity key sKEYID_a, is unwrapped. Any failures result in an error code of 406-Unacceptable.
  1090. </li>
  1091. <li>The body of the HMAC element is decoded into the actual HMAC octet string.
  1092. </li>
  1093. <li>The HMAC is computed using KEY of the security association. A digital signature requires calculating:
  1094. </li>
  1095. </ul>
  1096. <ol>
  1097. <li>HMAC = prf(KEY, JIDi | JIDr | Ni | Nr | sKEYID_e key name | sKEYID_e | sKEYID_a key name | sKEYID_a | sKEYID_d key name | sKEYID_d)
  1098. </li>
  1099. </ol>
  1100. <ul>
  1101. <li>The HMAC is validated. An invalid HMAC results in an error code of 406-Unacceptable.
  1102. </li>
  1103. <li>The keys are added to the user agent's key store. </li>
  1104. </ul>
  1105. <p>If any errors occur during processing, the error is communicated via the existing XMPP mechanism: </p>
  1106. <code><![CDATA[
  1107. <iq from="responder@domain" to="initiator@domain" type="result" id="req-0"/>
  1108. ]]></code>
  1109. </section3>
  1110. </section2>
  1111. <section2 topic="Public Key Transport">
  1112. <p>Public keys are transported embedded in the KeyTransport PDU. </p>
  1113. <section3 topic="Certificate transport">
  1114. <p>X509 certificates can also be transported in existing XMPP messages. The following example uses a presence subscription packet as the vehicle PDU. The subscribee's public key and certificate are sent to the initiator of a presence subscription.</p>
  1115. <code><![CDATA[
  1116. <presence from="responder@domain" to="initiator@domain" type="subscribed">
  1117. <x xmlns="xmpp:sec">
  1118. <KeyTransport>
  1119. <KeyInfo>
  1120. <X509Data>
  1121. <X509IssuerSerial>
  1122. <X509IssuerName>
  1123. CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP
  1124. </X509IssuerName>
  1125. <X509SerialNumber>12345678</X509SerialNumber>
  1126. </X509IssuerSerial>
  1127. <X509SKI>31d97bd7</X509SKI>
  1128. </X509Data>
  1129. <X509Data>
  1130. <X509SubjectName>Subject of Certificate B</X509SubjectName>
  1131. </X509Data>
  1132. <X509Data>
  1133. <X509Certificate>MIICXTCCA..</X509Certificate>
  1134. <X509Certificate>MIICPzCCA...</X509Certificate>
  1135. <X509Certificate>MIICSTCCA...</X509Certificate>
  1136. </X509Data>
  1137. </KeyInfo>
  1138. </KeyTransport>
  1139. </x>
  1140. </presence>
  1141. ]]></code>
  1142. </section3>
  1143. <section3 topic="Other Public Keys Transport">
  1144. <ul>
  1145. <li>The values of initiator and responder MUST be the JIDs of the two participants in the exchange, respectively.
  1146. </li>
  1147. <li>The payload, which consists of the public key of the responder is assembled. </li>
  1148. </ul>
  1149. <ul>
  1150. <li>The SIGN is computed using the private key of the responder. A digital signature requires calculating:
  1151. </li>
  1152. </ul>
  1153. <ol>
  1154. <li>SIGN = S (JIDi | JIDr | Kr name | Kr) responder private key
  1155. </li>
  1156. </ol>
  1157. <p>These values are then used to prepare the XML KeyTransport element; this element is transmitted via an existing XMPP mechanism. In the following example, the responder public key is sent to the initiator of a presence subscription.</p>
  1158. <code><![CDATA[
  1159. <presence from="responder@domain" to="initiator@domain" type="subscribed">
  1160. <x xmlns="xmpp:sec">
  1161. <KeyTransport>
  1162. <KeyInfo>
  1163. <KeyName>responder@domain key name</KeyName>
  1164. <RSAKeyValue>
  1165. <p>... encoded responder public key value </p>
  1166. </RSAKeyValue>
  1167. </KeyInfo>
  1168. </KeyTransport>
  1169. <Signature
  1170. xmlns="http://www.w3.org/2000/09/xmldsig#"
  1171. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  1172. xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig#xmldsig-core-schema.xsd">
  1173. <SignedInfo>
  1174. <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa"/>
  1175. </SignedInfo>
  1176. <SignatureValue>
  1177. <p>... encoded signature value</p>
  1178. </SignatureValue>
  1179. </Signature>
  1180. </x>
  1181. </presence>
  1182. ]]></code>
  1183. </section3>
  1184. </section2>
  1185. </section1>
  1186. <section1 topic="Message Protection">
  1187. <section2 topic="Overview">
  1188. <p>The ultimate goal is the protection of conversation data. The protocol exchanges described above allow the conversation participants to cryptographically protect their conversation data using the conversation keys that they share. </p>
  1189. </section2>
  1190. <section2 topic="Message Protection Mechanism">
  1191. <p>A protected message is defined as a traditional XMPP message whose body content is extended to include the transport of a cryptographically protected message body. The two key features are: </p>
  1192. <ul>
  1193. <li>the usual body element contains some arbitrary text.
  1194. </li>
  1195. <li>the message contains an XMPP x element defining the xmpp:sec namespace; this element transports the protected message. </li>
  1196. </ul>
  1197. <p>This mechanism has the advantages of allowing transparent integration with existing XMPP servers and existing XMPP clients. </p>
  1198. </section2>
  1199. <section2 topic="Generating And Sending the Protected Message PDU">
  1200. <p>The sender's user agent employs the following algorithm to generate the protected Message PDU: </p>
  1201. <ul>
  1202. <li>The security association identifier is assembled.
  1203. </li>
  1204. <li>The actual message body is encoded into a character string corresponding to an XMPP message body element. This character string is then wrapped in an instance of xenc:EncryptedData as follows: </li>
  1205. </ul>
  1206. <ol>
  1207. <li>The Type attribute of the xenc:EncryptedData element MUST indicate 'element'.
  1208. </li>
  1209. <li>The Id, MimeType and Encoding attributes of the xenc:EncryptedData element MUST NOT be present.
  1210. </li>
  1211. <li>The xenc:EncryptionMethod element MUST be present, and the Algorithm attribute MUST indicate a valid block encryption algorithm.
  1212. </li>
  1213. <li>The ds:KeyInfo element MUST NOT be present. The key to be used is the confidentiality key indicated by the convId attribute.
  1214. </li>
  1215. <li>The xenc:CipherData element MUST be present, and it MUST use the CipherValue choice. </li>
  1216. </ol>
  1217. <ul>
  1218. <li>Using the HMAC key indicated by the security association, the HMAC is computed. A digital signature requires calculating:
  1219. </li>
  1220. </ul>
  1221. <ol>
  1222. <li>HMAC = prf(sKEYID_d, key name | JID from | JID to | message id | message type | message thread | message subject | message body)
  1223. </li>
  1224. </ol>
  1225. <p>These values are then used to prepare the XML protected element; this element is transmitted via the existing XMPP message mechanism: </p>
  1226. <code><![CDATA[
  1227. <message from="initiator@domain" to="responder@domain" id="msg-0">
  1228. <body>
  1229. The real body is protected.
  1230. </body>
  1231. <x xmlns="xmpp:security">
  1232. <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
  1233. Type="http://www.w3.org/2001/04/xmlenc#Element">
  1234. <KeyInfo>
  1235. <KeyName>A32F2...45A324A...BF24-enc</KeyName>
  1236. </KeyInfo>
  1237. <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  1238. <CipherData>
  1239. <CipherValue>
  1240. ... encoded encrypted message content
  1241. </CipherValue>
  1242. </CipherData>
  1243. </EncryptedData>
  1244. <Signature
  1245. xmlns="http://www.w3.org/2000/09/xmldsig#"
  1246. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  1247. xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig#xmldsig-core-schema.xsd">
  1248. <SignedInfo>
  1249. <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa"/>
  1250. </SignedInfo>
  1251. <KeyInfo>
  1252. <KeyName>A32F2...45A324A...BF24-auth</KeyName>
  1253. </KeyInfo>
  1254. <SignatureValue>
  1255. ... encoded signature value
  1256. </SignatureValue>
  1257. </Signature>
  1258. </x>
  1259. </message>
  1260. ]]></code>
  1261. </section2>
  1262. <section2 topic="Receiving and Processing the Protected Message PDU">
  1263. <p>The receiver's user agent employs the following algorithm to process each protectedMessage PDU: </p>
  1264. <ul>
  1265. <li>The values of initiator, responder, and key name MUST indicate an existing security association. An invalid security association results in an error of 406-Unacceptable.
  1266. </li>
  1267. <li>The payload, which consists of the actual message body, is unwrapped. Any failures result in an error code of 406-Unacceptable.
  1268. </li>
  1269. <li>The body of the HMAC element is decoded into the actual HMAC octet string.
  1270. </li>
  1271. <li>Using the HMAC key indicated by the security association, the HMAC is computed. A digital signature requires calculating:
  1272. </li>
  1273. </ul>
  1274. <ol>
  1275. <li>HMAC = prf(sKEYID_d, key name | JID from | JID to | message id | message type | message thread | message subject | message body)
  1276. </li>
  1277. </ol>
  1278. <ul>
  1279. <li>The HMAC is validated. An invalid HMAC results in an error code of 406-Unacceptable. </li>
  1280. </ul>
  1281. <p>If any errors occur during processing, the error is communicated via the existing XMPP mechanism: </p>
  1282. </section2>
  1283. </section1>
  1284. <section1 topic="Algorithms">
  1285. <p>This section discusses algorithms used with the XMPP security specification. Entries contain the identifier to be used as the value of the Algorithm attribute of the EncryptionMethod element or other element representing the role of the algorithm, a reference to the formal specification, definitions for the representation of keys and the results of cryptographic operations where applicable, and general applicability comments.</p>
  1286. <p>The table below lists the categories of algorithms. Within each category, a brief name, the level of implementation requirement, and an identifying URI are given for each algorithm.</p>
  1287. <table>
  1288. <tr><td>Category</td><td>Algorithm</td><td>URI</td></tr>
  1289. <tr><td>Block Encryption</td><td>TRIPLEDES</td><td>tripledes-cbc</td></tr>
  1290. <tr><td colspan='2'>AES-128</td><td>aes128-cbc</td></tr>
  1291. <tr><td colspan='2'>AES-192</td><td>aes192-cbc</td></tr>
  1292. <tr><td colspan='2'>AES-256</td><td>aes256-cbc</td></tr>
  1293. <tr><td>Key Transport</td><td>RSA-v1.5</td><td>rsa-1_5</td></tr>
  1294. <tr><td colspan='2'>RSA-OAEP</td><td>rsa-oaep-mgf1p</td></tr>
  1295. <tr><td>Symmetric Key Wrap</td><td>TRIPLEDES KeyWrap</td><td>kw-tripledes</td></tr>
  1296. <tr><td colspan='2'>AES-128 KeyWrap</td><td>kw-aes128</td></tr>
  1297. <tr><td colspan='2'>AES-256 KeyWrap</td><td>kw-aes256</td></tr>
  1298. <tr><td colspan='2'>AES-192 KeyWrap</td><td>kw-aes192</td></tr>
  1299. <tr><td>Message Digest</td><td>MD5</td><td>md5</td></tr>
  1300. <tr><td colspan='2'>SHA1</td><td>sha1</td></tr>
  1301. <tr><td colspan='2'>SHA256</td><td>sha256</td></tr>
  1302. <tr><td colspan='2'>SHA512</td><td>sha512</td></tr>
  1303. <tr><td colspan='2'>RIPEMD-160</td><td>ripemd160</td></tr>
  1304. <tr><td colspan='2'>HMAC-MD5</td><td>hmac-md5</td></tr>
  1305. <tr><td colspan='2'>HMAC-SHA1</td><td>hmac-sha1</td></tr>
  1306. <tr><td colspan='2'>HMAC-SHA128</td><td>hmac-sha128</td></tr>
  1307. <tr><td colspan='2'>HMAC-SHA256</td><td>hmac-sha256</td></tr>
  1308. <tr><td>Signature</td><td>DSAwithSHA1 (DSS)</td><td>dsa-sha1</td></tr>
  1309. <tr><td colspan='2'>RSAwithSHA1</td><td>rsa-sha1</td></tr>
  1310. </table>
  1311. </section1>
  1312. <section1 topic="PKCS #3: Diffie-Hellman Key-Agreement Standard">
  1313. <p>An RSA Laboratories Technical Note
  1314. Version 1.4
  1315. Revised November 1, 1993<note>Supersedes June 3, 1991 version, which was also published as NIST/OSI Implementors' Workshop document SEC-SIG-91-19. PKCS documents are available by electronic mail to &lt;pkcs@rsa.com&gt;.</note></p>
  1316. <section2 topic="Scope">
  1317. <p>This standard describes a method for implementing Diffie-Hellman key agreement, whereby two parties, without any prior arrangements, can agree upon a secret key that is known only to them (and, in particular, is not known to an eavesdropper listening to the dialogue by which the parties agree on the key). This secret key can then be used, for example, to encrypt further communications between the parties.</p>
  1318. <p>The intended application of this standard is in protocols for establishing secure connections, such as those proposed for OSI's transport and network layers [ISO90a][ISO90b].</p>
  1319. <p>Details on the interpretation of the agreed-upon secret key are outside the scope of this standard, as are details on sources of the pseudorandom bits required by this standard.</p>
  1320. </section2>
  1321. <section2 topic="References">
  1322. <p>X.208 CCITT. Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1). 1988.</p>
  1323. <p>X.509 CCITT. Recommendation X.509: The Directory&#8212;Authentication Framework. 1988.</p>
  1324. <p>[DH76] W. Diffie and M.E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22:644-654, 1976.</p>
  1325. <p>[Sch90] C.P. Schnorr. Efficient identification and signatures for smart cards. In G. Brassard, editor, Advances in Cryptology&#8212;CRYPTO '89 Proceedings, volume 435 of Lecture Notes in Computer Science, pages 239-251. Springer-Verlag, New York, 1990.</p>
  1326. <p>[ISO90a] ISO. JTC1/SC6/N6285: Draft Transport Layer Security Protocol. Draft, November 1990.</p>
  1327. <p>[ISO90b] ISO. JTC1/SC6/N2559: Draft Network Layer Security Protocol. Draft, September 1990.</p>
  1328. </section2>
  1329. <section2 topic="Definitions">
  1330. <p>For the purposes of this standard, the following definitions apply.</p>
  1331. <p>AlgorithmIdentifier: A type that identifies an algorithm (by object identifier) and any associated parameters. This type is defined in X.509.</p>
  1332. <p>ASN.1: Abstract Syntax Notation One, as defined in X.208.</p>
  1333. <p>Diffie-Hellman parameters: Prime and base.</p>
  1334. <p>Diffie-Hellman: The Diffie-Hellman key-agreement protocol, elsewhere called "exponential key agreement," as defined in [DH76].</p>
  1335. </section2>
  1336. <section2 topic="Symbols and abbreviations">
  1337. <p>Upper-case italic symbols (e.g., PV) denote octet strings; lower-case italic symbols (e.g., g) denote integers.</p>
  1338. <table>
  1339. <tr><td>PV public value</td><td>p prime</td></tr>
  1340. <tr><td>PV' other's public value</td><td>x private value</td></tr>
  1341. <tr><td>SK secret key</td><td>x' other's private value</td></tr>
  1342. <tr><td>g base</td><td>y integer public value</td></tr>
  1343. <tr><td>k length of prime in octets</td><td>y' other's integer public value</td></tr>
  1344. <tr><td>l length of private value in bits</td><td>z integer secret key</td></tr>
  1345. <tr><td>mod n modulo n</td></tr>
  1346. </table>
  1347. </section2>
  1348. <section2 topic="General overview">
  1349. <p>The next four sections specify parameter generation, two phases of Diffie-Hellman key agreement, and an object identifier.</p>
  1350. <p>A central authority shall generate Diffie-Hellman parameters, and the two phases of key agreement shall be performed with these parameters. It is possible that more than one instance of parameters may be generated by a given central authority, and that there may be more than one central authority. Indeed, each entity may be its own central authority, with different entities having different parameters. The algorithm identifier for Diffie-Hellman key agreement specifies which Diffie-Hellman parameters are employed.</p>
  1351. <p>Two entities intending to agree on a secret key shall employ the first phase independently to produce outputs PV and PV', the public values. The entities shall exchange the outputs.</p>
  1352. <p>The entities shall then employ the second phase independently with the other entity's public value as input. The mathematics of Diffie-Hellman key agreement ensure that the outputs SK of the second phase are the same for both entities.</p>
  1353. </section2>
  1354. <section2 topic="Parameter generation">
  1355. <p>This section describes Diffie-Hellman parameter generation. </p>
  1356. <p>A central authority shall select an odd prime p. The central authority shall also select an integer g, the base, that satisfies 0 &lt; g &lt; p. The central authority may optionally select an integer l, the private-value length in bits, that satisfies 2^(l&#8722;1) &#8804; p.</p>
  1357. <p>The length of the prime p in octets is the integer k satisfying</p>
  1358. <p>2^(8(k&#8722;1)) &#8804; p &lt; 2^(8k) .</p>
  1359. <section3 topic="Notes">
  1360. <p>1. The cost of some methods for computing discrete logarithms depends on the length of the prime, while the cost of others depends on the length of the private value. The intention of selecting a private-value length is to reduce the computation time for key agreement, while maintaining a given level of security. A similar optimization is suggested by Schnorr [Sch90].</p>
  1361. <p>2. Some additional conditions on the choice of prime, base, and private-value length may well be taken into account in order to deter discrete logarithm computation. These security conditions fall outside the scope of this standard.</p>
  1362. </section3>
  1363. </section2>
  1364. <section2 topic="Phase I">
  1365. <p>This section describes the first phase of Diffie-Hellman key agreement.</p>
  1366. <p>The first phase consists of three steps: private-value generation, exponentiation, and integer-to-octet-string conversion. The input to the first phase shall be the Diffie-Hellman parameters. The output from the first phase shall be an octet string PV, the public value; and an integer x, the private value.</p>
  1367. <p>This phase is performed independently by the two parties intending to agree on a secret key.</p>
  1368. <section3 topic="Private-value generation">
  1369. <p>An integer x, the private value, shall be generated privately and randomly. This integer shall satisfy 0 &lt; x &lt; p&#8722;1, unless the central authority specifies a private-value length l, in which case the integer shall satisfy 2^(l&#8722;1) &#8804; x &lt; 2^l.</p>
  1370. </section3>
  1371. <section3 topic="Exponentiation">
  1372. <p>The base g shall be raised to the private value x modulo p to give an integer y, the integer public value.</p>
  1373. <p>y = g^x mod p, 0 &lt; y &lt; p .</p>
  1374. <p>This is the classic discrete-exponentiation computation. </p>
  1375. </section3>
  1376. <section3 topic="Integer-to-octet-string conversion">
  1377. <p>The integer public value y shall be converted to an octet string PV of length k, the public value. The public value PV shall satisfy</p>
  1378. <p>y = 2^(8(k&#8722;1)) PV1 + 2^(8(k&#8722;2)) PV2 + ... + PVk , (1)</p>
  1379. <p>where PV1, ..., PVk are the octets of PV from first to last.</p>
  1380. <p>In other words, the first octet of PV has the most significance in the integer and the last octet of PV has the least significance.</p>
  1381. </section3>
  1382. </section2>
  1383. <section2 topic="Phase II">
  1384. <p>This section describes the second phase of Diffie-Hellman key agreement.</p>
  1385. <p>The second phase consists of three steps: octet-string-to-integer conversion, exponentiation, and integer-to-octet-string conversion. The input to the second phase shall be the Diffie-Hellman parameters; an octet string PV', the other entity's public value; and the private value x. The output from the second phase shall be an octet string SK, the agreed-upon secret key.</p>
  1386. <p>This phase is performed independently by the two parties intending to agree on a secret key, after the parties have exchanged public values resulting from the first phase.</p>
  1387. <section3 topic="Octet-string-to-integer conversion">
  1388. <p>The other entity's public value PV' shall be converted to an integer y', the other entity's integer public value. Let PV'1, ..., PV'k be the octets of PV' from first to last. Then the other entity's integer public value y' shall satisfy</p>
  1389. <p>y' = 2^(8(k&#8722;1)) PV'1 + 2^(8(k&#8722;2)) PV'2 + ... + PV'k .</p>
  1390. <p>In other words, the first octet of PV' has the most significance in the integer and the last octet of PV' has the least significance.</p>
  1391. </section3>
  1392. <section3 topic="Exponentiation">
  1393. <p>The other entity's integer public value y' shall be raised to the private integer x modulo p to give an integer z, the integer secret key.</p>
  1394. <p>z = (y')^x mod p, 0 &lt; z &lt; p .</p>
  1395. <p>This is the classic discrete-exponentiation computation.</p>
  1396. <p>Note. The integer secret key z satisfies</p>
  1397. <p>z = (y')^x = (g^x')^x = (g^x)^x' = y^x' mod p ,</p>
  1398. <p>where x' is the other entity's private value. This mathematical relationship is the reason the two entities arrive at the same key.</p>
  1399. </section3>
  1400. <section3 topic="Integer-to-octet-string conversion">
  1401. <p>The integer secret key z shall be converted to an octet string SK, the secret key, of length k. The secret key SK shall satisfy</p>
  1402. <p>z = 2^(8(k&#8722;1)) SK1 + 2^(8(k&#8722;2)) SK2 + ... + SKk ,</p>
  1403. <p>where SK1, ..., SKk are the octets of SK from first to last.</p>
  1404. <p>In other words, the first octet of SK has the most significance in the integer and the last octet of SK has the least significance.</p>
  1405. </section3>
  1406. </section2>
  1407. <section2 topic="Object identifier">
  1408. <p>This standard defines two object identifiers: pkcs-3 and DHKeyValue.</p>
  1409. <p>The object identifier pkcs-3 identifies this standard.</p>
  1410. <p>pkcs-3 OBJECT IDENTIFIER ::=
  1411. { iso(1) member-body(2) US(840) rsadsi(113549)
  1412. pkcs(1) 3 }</p>
  1413. <p>The object identifier DHKeyValue identifies the Diffie-Hellman key agreement method defined in Sections 7 and 8.</p>
  1414. <p>DHKeyValue OBJECT IDENTIFIER ::= { pkcs-3 1 }</p>
  1415. <p>The DHKeyValue object identifier is intended to be used in the algorithm field of a value of type AlgorithmIdentifier. The parameters field of that type, which has the algorithm-specific syntax ANY DEFINED BY algorithm, would have ASN.1 type DHParameter for this algorithm.</p>
  1416. <p>DHParameter ::= SEQUENCE {
  1417. prime INTEGER, -- p
  1418. base INTEGER, -- g
  1419. privateValueLength INTEGER OPTIONAL }</p>
  1420. <p>The fields of type DHParameter have the following meanings:</p>
  1421. <ul>
  1422. <li>prime is the prime p.</li>
  1423. <li>base is the base g.</li>
  1424. <li>privateValueLength is the optional private-value length l.</li>
  1425. </ul>
  1426. </section2>
  1427. <section2 topic="Revision history">
  1428. <section3 topic="Versions 1.0-1.2">
  1429. <p>Versions 1.0-1.2 were distributed to participants in RSA Data Security, Inc.'s Public-Key Cryptography Standards meetings in February and March 1991.</p>
  1430. </section3>
  1431. <section3 topic="Version 1.3">
  1432. <p>Version 1.3 is part of the June 3, 1991 initial public release of PKCS. Version 1.3 was published as NIST/OSI Implementors' Workshop document SEC-SIG-91-19.</p>
  1433. </section3>
  1434. <section3 topic="Version 1.4">
  1435. <p>Version 1.4 incorporates several editorial changes, including updates to the references and the addition of a revision history. The following substantive changes were made:</p>
  1436. <ul>
  1437. <li>Section 6: Parameter generation is modified to allow central authority to select private-value length in bits.</li>
  1438. <li>Section 7.1: Private-value generation is modified to handle private-value length.</li>
  1439. <li>Section 9: Optional privateValueLength field is added to DHParameter type.</li>
  1440. </ul>
  1441. </section3>
  1442. </section2>
  1443. <section2 topic="Author's address">
  1444. <p>RSA Laboratories (415) 595-7703
  1445. 100 Marine Parkway (415) 595-4126 (fax)
  1446. Redwood City, CA 94065 USA pkcs-editor@rsa.com</p>
  1447. </section2>
  1448. </section1>
  1449. <section1 topic="IKE Diffie-Hellman Groups">
  1450. <p>Different Diffie-Hellman groups are defined for use in IKE. These groups were generated by Richard Schroeppel at the University of Arizona. Properties of these primes are described in [Orm96]. </p>
  1451. <section2 topic="768-bit MODP - modp1">
  1452. <p>IKE implementations MAY support a MODP group with the following prime and generator. This group is assigned id 1 (one). </p>
  1453. <p>The prime is: 2^768 - 2^704 - 1 + 2^64 * { [2^638 pi] + 149686 }. Its hexadecimal value is: </p>
  1454. <code><![CDATA[
  1455. FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08
  1456. 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B
  1457. 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9
  1458. A63A3620 FFFFFFFF FFFFFFFF
  1459. ]]></code>
  1460. <p>The generator is: 2. </p>
  1461. </section2>
  1462. <section2 topic="1024-bit MODP Group - modp2">
  1463. <p>IKE implementations SHOULD support a MODP group with the following prime and generator. This group is assigned id 2 (two). </p>
  1464. <p>The prime is 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }. Its hexadecimal value is: </p>
  1465. <code><![CDATA[
  1466. FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08
  1467. 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B
  1468. 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9
  1469. A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6
  1470. 49286651 ECE65381 FFFFFFFF FFFFFFFF
  1471. ]]></code>
  1472. <p>The generator is 2 (decimal).</p>
  1473. </section2>
  1474. <section2 topic="1536-bit MODP Group - modp5">
  1475. <p>IKE implementations MUST support a MODP group with the following prime and generator. This group is assigned id 5 (five). The 1536-bit MODP group has been in use by implementations for quite a long time, but it has not been documented in the current RFCs or drafts. </p>
  1476. <p>The prime is 2^1536 - 2^1472 - 1 + 2^64 * {[2^1406 pi] + 741804}. Its hexadecimal value is </p>
  1477. <code><![CDATA[
  1478. FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08
  1479. 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B
  1480. 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9
  1481. A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6
  1482. 49286651 ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8
  1483. FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
  1484. 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
  1485. ]]></code>
  1486. <p>The generator is 2. </p>
  1487. </section2>
  1488. <section2 topic="2048-bit MODP Group">
  1489. <p>This prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }. Its hexadecimal value is: </p>
  1490. <code><![CDATA[
  1491. FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
  1492. 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
  1493. EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
  1494. E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
  1495. EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
  1496. C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
  1497. 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
  1498. 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
  1499. E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
  1500. DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
  1501. 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
  1502. ]]></code>
  1503. <p>The generator is: 2. </p>
  1504. </section2>
  1505. <section2 topic="3072-bit MODP Group">
  1506. <p>This prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 }</p>
  1507. <p>Its hexadecimal value is:</p>
  1508. <code><![CDATA[
  1509. FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
  1510. 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
  1511. EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
  1512. E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
  1513. EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
  1514. C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
  1515. 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
  1516. 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
  1517. E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
  1518. DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
  1519. 15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64
  1520. ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7
  1521. ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B
  1522. F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C
  1523. BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31
  1524. 43DB5BFC E0FD108E 4B82D120 A93AD2CA FFFFFFFF FFFFFFFF
  1525. ]]></code>
  1526. <p>The generator is: 2. </p>
  1527. </section2>
  1528. <section2 topic="4096-bit MODP Group">
  1529. <p>This prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 } </p>
  1530. <p>Its hexadecimal value is :</p>
  1531. <code><![CDATA[
  1532. FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
  1533. 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
  1534. EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
  1535. E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
  1536. EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
  1537. C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
  1538. 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
  1539. 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
  1540. E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
  1541. DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
  1542. 15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64
  1543. ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7
  1544. ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B
  1545. F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C
  1546. BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31
  1547. 43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7
  1548. 88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA
  1549. 2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6
  1550. 287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED
  1551. 1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9
  1552. 93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34063199
  1553. FFFFFFFF FFFFFFFF
  1554. ]]></code>
  1555. <p>The generator is: 2. </p>
  1556. </section2>
  1557. <section2 topic="6144-bit MODP Group">
  1558. <p>This prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 } </p>
  1559. <p>Its hexadecimal value is :</p>
  1560. <code><![CDATA[
  1561. FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
  1562. 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
  1563. EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
  1564. E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
  1565. EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
  1566. C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
  1567. 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
  1568. 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
  1569. E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
  1570. DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
  1571. 15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64
  1572. ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7
  1573. ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B
  1574. F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C
  1575. BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31
  1576. 43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7
  1577. 88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA
  1578. 2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6
  1579. 287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED
  1580. 1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9
  1581. 93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492
  1582. 36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD
  1583. F8FF9406 AD9E530E E5DB382F 413001AE B06A53ED 9027D831
  1584. 179727B0 865A8918 DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B
  1585. DB7F1447 E6CC254B 33205151 2BD7AF42 6FB8F401 378CD2BF
  1586. 5983CA01 C64B92EC F032EA15 D1721D03 F482D7CE 6E74FEF6
  1587. D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F BEC7E8F3
  1588. 23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA
  1589. CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328
  1590. 06A1D58B B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C
  1591. DA56C9EC 2EF29632 387FE8D7 6E3C0468 043E8F66 3F4860EE
  1592. 12BF2D5B 0B7474D6 E694F91E 6DCC4024 FFFFFFFF FFFFFFFF
  1593. ]]></code>
  1594. <p>The generator is: 2. </p>
  1595. </section2>
  1596. <section2 topic="8192-bit MODP Group">
  1597. <p>This prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 } </p>
  1598. <p>Its hexadecimal value is :</p>
  1599. <code><![CDATA[
  1600. FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
  1601. 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
  1602. EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
  1603. E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
  1604. EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
  1605. C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
  1606. 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
  1607. 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
  1608. E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
  1609. DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
  1610. 15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64
  1611. ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7
  1612. ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B
  1613. F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C
  1614. BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31
  1615. 43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7
  1616. 88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA
  1617. 2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6
  1618. 287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED
  1619. 1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9
  1620. 93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492
  1621. 36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD
  1622. F8FF9406 AD9E530E E5DB382F 413001AE B06A53ED 9027D831
  1623. 179727B0 865A8918 DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B
  1624. DB7F1447 E6CC254B 33205151 2BD7AF42 6FB8F401 378CD2BF
  1625. 5983CA01 C64B92EC F032EA15 D1721D03 F482D7CE 6E74FEF6
  1626. D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F BEC7E8F3
  1627. 23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA
  1628. CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328
  1629. 06A1D58B B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C
  1630. DA56C9EC 2EF29632 387FE8D7 6E3C0468 043E8F66 3F4860EE
  1631. 12BF2D5B 0B7474D6 E694F91E 6DBE1159 74A3926F 12FEE5E4
  1632. 38777CB6 A932DF8C D8BEC4D0 73B931BA 3BC832B6 8D9DD300
  1633. 741FA7BF 8AFC47ED 2576F693 6BA42466 3AAB639C 5AE4F568
  1634. 3423B474 2BF1C978 238F16CB E39D652D E3FDB8BE FC848AD9
  1635. 22222E04 A4037C07 13EB57A8 1A23F0C7 3473FC64 6CEA306B
  1636. 4BCBC886 2F8385DD FA9D4B7F A2C087E8 79683303 ED5BDD3A
  1637. 062B3CF5 B3A278A6 6D2A13F8 3F44F82D DF310EE0 74AB6A36
  1638. 4597E899 A0255DC1 64F31CC5 0846851D F9AB4819 5DED7EA1
  1639. B1D510BD 7EE74D73 FAF36BC3 1ECFA268 359046F4 EB879F92
  1640. 4009438B 481C6CD7 889A002E D5EE382B C9190DA6 FC026E47
  1641. 9558E447 5677E9AA 9E3050E2 765694DF C81F56E8 80B96E71
  1642. 60C980DD 98EDD3DF FFFFFFFF FFFFFFFF
  1643. ]]></code>
  1644. <p>The generator is: 2. </p>
  1645. </section2>
  1646. </section1>
  1647. </xep>