summaryrefslogtreecommitdiff
path: root/doc/protocol/draft-benaloh-pct-00.txt
diff options
context:
space:
mode:
authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-11-27 21:52:50 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-11-27 21:52:50 +0000
commit2c39ed5e0101593043a4656e22c95c219b29ca8c (patch)
tree1ebc322d732f378866b8c3cf57481458a1c6c3b3 /doc/protocol/draft-benaloh-pct-00.txt
parent84d04f0b3dcc9905c9d8942b6c872a0c44850ade (diff)
downloadgnutls-2c39ed5e0101593043a4656e22c95c219b29ca8c.tar.gz
Added historical documents. Got from http://www21.ocn.ne.jp/~k-west/SSLandTLS/index-e.html
Diffstat (limited to 'doc/protocol/draft-benaloh-pct-00.txt')
-rw-r--r--doc/protocol/draft-benaloh-pct-00.txt1684
1 files changed, 1684 insertions, 0 deletions
diff --git a/doc/protocol/draft-benaloh-pct-00.txt b/doc/protocol/draft-benaloh-pct-00.txt
new file mode 100644
index 0000000000..9d6dd35110
--- /dev/null
+++ b/doc/protocol/draft-benaloh-pct-00.txt
@@ -0,0 +1,1684 @@
+Internet Draft Josh Benaloh
+ Butler Lampson
+ Daniel Simon
+ Terence Spies
+ Bennet Yee
+ Microsoft Corp.
+ October 1995
+
+ The Private Communication Technology Protocol
+ <draft-benaloh-pct-00.txt>
+
+1. Status of this Memo
+
+This document is an Internet-Draft. Internet-Drafts are working
+documents of the Internet Engineering Task Force (IETF), its areas,
+and its working groups. Note that other groups may also distribute
+working documents as Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months
+and may be updated, replaced, or obsoleted by other documents at any
+time. It is inappropriate to use Internet-Drafts as reference
+material or to cite them other than as "work in progress".
+
+To learn the current status of any Internet-Draft, please check the
+"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
+Directories on ds.internic.net (US East Coast), nic.nordu.net
+(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
+
+This Internet-Draft expires 27 March 1996.
+
+
+2. Abstract
+
+This document specifies Version 1 of the Private Communication
+Technology (PCT) protocol, a security protocol that provides privacy
+over the Internet. Like SSL (see [1]), the protocol is intended to
+prevent eavesdropping on communications in client/server applications,
+with servers always being authenticated and clients being
+authenticated at the server's option. However, this protocol corrects
+or improves on several weaknesses of SSL.
+
+
+3. Introduction
+
+The Private Communication Technology (PCT) Protocol is designed to
+provide privacy between two communicating applications (a client and a
+server), and to authenticate the server and (optionally) the client.
+PCT assumes a reliable transport protocol (e.g. TCP) for data
+transmission and reception.
+
+The PCT Protocol is application protocol-independent. A "higher
+level" application protocol (e.g. HTTP, FTP, TELNET, etc.) can layer
+on top of the PCT Protocol transparently. The PCT Protocol begins
+with a handshake phase that negotiates an encryption algorithm and
+(symmetric) session key as well as authenticating a server to the
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 1]
+ Internet Draft The PCT Protocol November 1995
+
+
+client (and, optionally, vice versa), based on certified asymmetric
+public keys. Once transmission of application protocol data begins,
+all data is encrypted using the session key negotiated during the
+handshake.
+
+It should be noted that the PCT protocol does not specify any details
+about verification of certificates with respect to certification
+authorities, revocation lists, and so on. Rather, it is assumed that
+protocol implementations have access to a "black box" which is capable
+of ruling on the validity of received certificates in a manner
+satisfactory to the implementation's user. Such a ruling may, for
+instance, involve remote consultation with a trusted service, or even
+with the actual user through a text or graphic interface.
+
+In addition to encryption and authentication, the PCT protocol
+verifies the integrity of messages using a hash function-based message
+authentication code (MAC).
+
+The PCT protocol's record format is compatible with that of SSL (see
+[1]). Servers implementing both protocols can distinguish between PCT
+and SSL clients because the version number field occurs in the same
+position in the first handshake message in both protocols. In PCT,
+the most significant bit of the protocol version number is set to one.
+
+The PCT protocol differs from SSL chiefly in the design of its
+handshake phase, which differs from SSL's in a number of respects:
+
+- The round and message structures are considerably shorter and
+ simpler: a reconnected session without client authentication
+ requires only one message in each direction, and no other type of
+ connection requires more than two messages in each direction.
+
+- Negotiation for the choice of cryptographic algorithms and formats
+ to use in a session has been extended to cover more protocol
+ characteristics and to allow different characteristics to be
+ negotiated independently. The PCT client and server negotiate, in
+ addition to a cipher type and server certificate type, a hash
+ function type and a key exchange type. If client authentication is
+ requested, a client certificate type and signature type are also
+ negotiated.
+
+- Message authentication has been revamped so that it now uses
+ different keys from the encryption keys. Thus, message
+ authentication keys may be much longer (and message authentication
+ therefore much more secure) than the encryption keys, which may be
+ weak or even non-existent.
+
+- A security hole in SSL's client authentication has been repaired;
+ the PCT client's authentication challenge response now depends on
+ the type of cipher negotiated for the session. SSL's client
+ authentication is independent of the cipher strength used in the
+ session and also of whether the authentication is being performed
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 2]
+ Internet Draft The PCT Protocol November 1995
+
+
+ for a reconnection of an old session or for a new one. As a result,
+ a "man-in-the-middle" attacker who has obtained the session key for
+ a session using weak cryptography can use this broken session to
+ authenticate as the client in a session using strong cryptography.
+ If, for example, the server normally restricts certain sensitive
+ functions to high-security sessions, then this security hole allows
+ intruders to circumvent the restriction.
+
+- A "verify-prelude" field has been added to the handshake phase,
+ with which the client and server can check that the cipher type
+ (and other) negotiations carried out in the clear have not been
+ tampered with. (SSL version 3 uses a similar mechanism, but its
+ complete version 2 compatibility negates its security function,
+ by allowing adversaries simply to alter version numbers as well
+ as cipher types.)
+
+
+
+4. PCT Record Protocol Specification
+
+4.1 PCT Record Header Format
+
+For compatibility with SSL, the PCT protocol uses the same basic
+record format as SSL. In PCT, all data sent is encapsulated in a
+record, an object which is composed of a header and some non-zero
+amount of data. Each record header contains a two- or three-byte
+length code. If the most significant bit is set in the first byte of
+the record length code then the record has no padding and the total
+header length is two bytes; otherwise the record has padding and the
+total header length is three bytes. The record header is transmitted
+before the data portion of the record.
+
+Note that in the long header case (three bytes total), the second most
+significant bit in the first byte has special meaning. When zero, the
+record being sent is a data record. When one, the record being sent
+is a security escape, and the first byte of the record is an
+ESCAPE_TYPE_CODE that indicates the type of escape. (Currently, the
+two examples of security escapes are the "out-of-band data" escape and
+the "redo handshake" escape.) In either case, the length code
+describes how much data is in the record as transmitted; this may be
+greater than the amount of data after decryption, particularly if
+padding was used.
+
+The record length code does not include the number of bytes consumed
+by the record header (two or three). For the two-byte header, the
+record length is computed by (using a "C"-like notation):
+
+RECORD_LENGTH = ((byte[0] & 0x7f) << 8)) | byte[1],
+
+where byte[0] represents the first byte received and byte[1] the
+second byte received. When the three-byte header is used, the record
+length is computed as follows (using a "C"-like notation):
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 3]
+ Internet Draft The PCT Protocol November 1995
+
+
+RECORD_LENGTH = ((byte[0] & 0x3f) << 8)) | byte[1];
+IS_ESCAPE = (byte[0] & 0x40) != 0;
+PADDING_LENGTH = byte[2];
+
+The record header defines a value called PADDING_LENGTH. The
+PADDING_LENGTH value specifies how many bytes of data were appended
+to the original record by the sender. The padding data is used to
+make the record length a multiple of the block cipher's block size
+when a block cipher is used for encryption.
+
+The sender of a "padded" record appends the padding data to the end of
+its normal data and then encrypts the total amount (which is now a
+multiple of the block cipher's block size). The actual value of the
+padding data is unimportant, but the encrypted form of it must be
+transmitted for the receiver to decrypt the record properly. Once the
+total amount being transmitted is known the header can be properly
+constructed with the PADDING value set appropriately.
+
+The receiver of a padded record uses the PADDING_LENGTH value from the
+header when determining the length of the ACTUAL_DATA in the data
+record (see section 4.2).
+
+
+4.2 PCT Record Data Format
+
+The format of the data portion of an encrypted PCT record is slightly
+different from that of SSL. However, not only is the record header
+format identical in both protocols, but the first handshake message
+sent in each direction is also sent in the clear, and contains a
+version number field in the same location in both protocols. (In PCT
+protocol handshake messages, the most significant bit of this field is
+1.) Hence, PCT is still compatible with SSL, in the sense that PCT
+handshake messages can be recognized and distinguished from SSL
+handshake messages by examination of the version number.
+
+The PCT record is composed of two fields (transmitted and received in
+the order shown):
+
+ENCRYPTED_DATA[N+PADDING_LENGTH]
+MAC_DATA[MAC_LENGTH]
+
+The ENCRYPTED_DATA field contains an encryption of the concatenation
+of ACTUAL_DATA (the N bytes of actual data being transmitted) and
+PADDING_DATA (the use of which is explained below). The MAC_DATA
+field contains the "Message Authentication Code" (MAC).
+
+PCT handshake records are sent in the clear, and no MAC is used.
+Consequently PADDING_LENGTH will be zero and MAC_LENGTH will be zero.
+For non-handshake data records, the sender appends a PADDING_DATA
+field containing arbitrary data, so that N + PADDING_LENGTH is the
+appropriate length for the cipher being used to encrypt the data. (In
+the case where a block cipher is used, PADDING_LENGTH must be the
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 4]
+ Internet Draft The PCT Protocol November 1995
+
+
+minimum value such that the length of the concatenation of ACTUAL_DATA
+and PADDING_DATA is an exact multiple of the cipher's block size.
+Otherwise, PADDING_LENGTH is zero.)
+
+MAC_DATA is computed as follows:
+
+MAC_DATA := Hash( MAC_KEY, Hash( ACTUAL_DATA, PADDING_DATA,
+SEQUENCE_NUMBER ) )
+
+If the client is sending the record, then the MAC_KEY is the
+CLIENT_MAC_KEY; if the server is sending the record, then the MAC_KEY
+is the SERVER_MAC_KEY. (The details of the derivation of these keys
+are given in section 5.3.1.) The selection of the hash function used
+to compute MAC_DATA is discussed in sections 5.2.1 and 5.2.2. The
+parameters of the inner invocation of the hash function are input into
+the hash function in the order shown above, with SEQUENCE_NUMBER
+represented in network byte order or "big endian" order. If the
+length of MAC_KEY is not an exact multiple of eight bits, then MAC_KEY
+is considered, for the purposes of MAC computation, to have (fewer
+than eight) zero bits appended to it, to create a string of an
+integral number of bytes for input into the MAC hash function.
+
+The SEQUENCE_NUMBER is a counter which is incremented by both the
+sender and the receiver. For each transmission direction, a pair of
+counters is kept (one by the sender, one by the receiver). Before the
+first (handshake) record is sent or received in a PCT connection all
+sequence numbers are initialized to zero (except in the case of a
+restarting connection with a token-based exchange type, in which case
+the entire cipher state is preserved; see section 5.2.2). The
+sender's sender-to-receiver sequence number is incremented after every
+record sent, and the receiver's sender-to-receiver sequence number is
+incremented after every record received. Sequence numbers are 32-bit
+unsigned quantities, and may not increment past 0xFFFFFFFF. (See
+section 4.3.2.)
+
+The receiver of a record (whether PCT client or server) first uses the
+sender's WRITE_KEY to decrypt the concatenated ACTUAL_DATA and
+PADDING_DATA fields, then uses the sender's MAC_KEY, the ACTUAL_DATA,
+the PADDING_DATA, and the expected value of the sequence number as
+input into the MAC_DATA function described above (the hash function
+algorithm used is determined the same way for the receiver as for the
+sender). The computed MAC_DATA must agree bit for bit with the
+transmitted MAC_DATA. If the two are not identical, then an
+INTEGRITY_CHECK_FAILED error occurs, and it is recommended that the
+record be treated as though it contained no data. (See section 5.4.)
+The same error occurs if N + PADDING_LENGTH is not correct for the
+block cipher used.
+
+The PCT Record Layer is used for all PCT communications, including
+handshake messages, security escapes and application data transfers.
+The PCT Record Layer is used by both the client and the server at all
+times.
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 5]
+ Internet Draft The PCT Protocol November 1995
+
+
+For a two-byte header, the maximum record length is 32767 bytes. For
+a three-byte header, the maximum record length is 16383 bytes. The
+PCT Handshake Protocol messages are constrained to fit in a single PCT
+Record Protocol record. Application protocol messages are allowed to
+consume multiple PCT Record Protocol records.
+
+
+4.3 Security Escapes
+
+4.3.1 Out-Of-Band Data
+
+PCT, like SSL, supports the transmission and reception of "out-of-band
+data". Out of band data is normally defined at the TCP/IP protocol
+level, but because of PCT's privacy enhancements and support for block
+ciphers, this becomes difficult to support.
+
+To send out-of-band data, the sender sends an escape record whose body
+contains a single byte of data which is the ESCAPE_TYPE_CODE value
+PCT_ET_OOB_DATA. The record following the escape record will be
+interpreted as "out-of-band" data and will only be made available to
+the receiver through an unspecified mechanism that is different from
+the receiver's normal data reception method. The escape record and
+the transmitted data record are transmitted normally (i.e. encryption,
+MAC computations, and block cipher padding remain in effect).
+
+Note that the escape record and the associated data record are sent
+using normal TCP sending mechanisms, not using the "out of band"
+mechanisms. Note also that a "Redo Handshake" escape record (see
+below) and its associated handshake messages may be interposed between
+an "Out-of-Band Data" escape record and its associated data record.
+In such a case, the first non-escape, non-handshake record following
+the "Out-of-Band Data" escape record is treated as out-of-band data.
+
+4.3.2 Redo Handshake
+
+PCT allows either the client or the server to request, at any time
+after the handshake phase has been completed for a connection, that
+another handshake phase be performed for that connection. For
+example, either party is required to request another handshake phase
+rather than allow its sequence number to "wrap" beyond 0xFFFFFFFF. In
+addition, it is recommended that implementations enforce limits on the
+duration of both connections and sessions, with respect to the total
+number of bytes sent, the number of records sent, the actual time
+elapsed since the beginning of the connection or session, and, in the
+case of sessions, the number of reconnections made. These limits
+serve to ensure that keys are not used more or longer than it is safe
+to do so; hence the limits may depend on the type and strength of
+cipher, key exchange and authentication used, and may, at the
+implementer's discretion, include indications from the application as
+to the sensitivity of the data being transmitted or received.
+
+To request a new handshake phase for this connection, the sender
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 6]
+ Internet Draft The PCT Protocol November 1995
+
+
+(client or server) sends an escape record whose body contains a single
+byte of data which is the ESCAPE_TYPE_CODE value PCT_ET_REDO_CONN.
+The escape record is transmitted normally (i.e. encryption, MAC
+computations, and block cipher padding remain in effect).
+
+There are several cases to consider to ensure that the message
+pipeline gets flushed and to enable handshake messages to be
+distinguished from data records. The following rules ensure that the
+first messages in the redone handshake are always immediately preceded
+by a "Redo Handshake" escape message.
+
+If the client initiates the "Redo Handshake", it sends the "Redo
+Handshake" escape message immediately followed by a normal
+CLIENT_HELLO message; the server, on receiving the "Redo Handshake"
+escape message, may be in one of two states. If the last message it
+sent was a "Redo Handshake" escape message, then it simply waits for
+the CLIENT_HELLO message; otherwise, it sends a "Redo Handshake"
+escape message in response, and then waits for the CLIENT_HELLO
+message.
+
+If the server initiates the "Redo Handshake", then the server sends
+the "Redo Handshake" escape message and simply waits for a "Redo
+Handshake" escape message in response; this "Redo Handshake" should be
+immediately followed by a normal CLIENT_HELLO message. The client, on
+receiving the server's "Redo Handshake" escape message, may be in one
+of two states. If the last two messages it sent were a "Redo
+Handshake" escape message followed by a CLIENT_HELLO message, then it
+simply waits for a SERVER_HELLO message; otherwise, it sends a "Redo
+Handshake" escape message in response, followed by a CLIENT_HELLO
+message, and then waits for a SERVER_HELLO message.
+
+In all cases, the sender of the "Redo Handshake" escape message
+continues to process incoming messages, but may not send any
+non-handshake messages until the new handshake completes.
+
+The handshake phase that follows the "Redo Handshake" escape message
+is a normal one in most respects; the client may request the
+reconnection of an old session or request that a new session be
+initiated, and the server, on receiving a reconnection request, can
+accept the reconnection or demand that a new session be initiated
+instead. If a new session is being established, then the server must
+request client authentication if and only if client authentication
+was requested during the previous session. Otherwise, client
+authentication is optional. Both parties must verify that the
+specifications negotiated previously in the session (cipher type, key
+exchange type, certificate type, hash function type, client
+certificate type, and signature type), as well as any certificates
+exchanged, are identical to those found in the new handshake phase.
+A mismatch results in a SPECS_MISMATCH or BAD_CERTIFICATE error (see
+section 5.4.) This ensures that the security properties of the
+communication channel do not change.
+
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 7]
+ Internet Draft The PCT Protocol November 1995
+
+
+5. PCT Handshake Protocol Specification
+
+5.1 PCT Handshake Protocol Flow
+
+The PCT Handshake Protocol is used to negotiate security enhancements
+to data sent using the PCT Record Protocol. The security enhancements
+consist of authentication, symmetric encryption, and message
+integrity. Symmetric encryption is facilitated using a "Key Exchange
+Algorithm". PCT version 1 supports RSA {TM} -based key exchange (see
+[13]), Diffie-Hellman key exchange, and FORTEZZA token key exchange.
+
+The PCT Handshake Protocol consists of four messages, sent
+respectively by the client, then server, then client, then server, in
+that order. (Moreover, under certain circumstances, the last two
+messages are omitted.) The messages are named, in order,
+CLIENT_HELLO, SERVER_HELLO, CLIENT_MASTER_KEY, and SERVER_VERIFY.
+
+The general contents of the messages depend upon two criteria: whether
+the connection being made is a reconnection (a continuation of a
+previous session) or a new session and whether the client is to be
+authenticated. (The server is always authenticated.) The first
+criterion is determined by the client and server together; the
+CLIENT_HELLO will have different contents depending on whether a new
+session is being initiated or an old one continued, and the
+SERVER_HELLO message will either confirm a requested continuation of
+an old session, or require that a new session be initiated. The
+second criterion is determined by the server, whose SERVER_HELLO may
+contain a demand for authentication of the client. If the server does
+not require client authentication, and the reconnection of an old
+session is requested by the client and accepted by the server, then
+the CLIENT_MASTER_KEY and SERVER_VERIFY messages are unnecessary, and
+are omitted.
+
+The CLIENT_HELLO message contains a random authentication challenge
+to the server and a request for the type and level of cryptography
+and certification to be used for the session. If the client is
+attempting to continue an old session, then it also supplies that
+session's ID.
+
+In the case of a new session, the SERVER_HELLO message contains a
+certificate and a random connection identifier; this identifier
+doubles as an authentication challenge to the client if the server
+desires client authentication. The CLIENT_MASTER_KEY message sent by
+the client in response includes the master key for the session (from
+which session keys are derived), encrypted using the public key from
+the server's certificate, as well as a certificate and response to the
+server's authentication challenge, if requested. To ensure that
+previous unencrypted handshake messages were not tampered with, their
+keyed hash is included with the CLIENT_MASTER_KEY message. Finally,
+the server sends a SERVER_VERIFY message which includes a response to
+the client's challenge and a random session id for the session.
+
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 8]
+ Internet Draft The PCT Protocol November 1995
+
+
+If the server accepts the old session id, then the SERVER_HELLO
+message contains a response to the client's challenge, and a random
+connection identifier which again doubles as a random challenge to the
+client, if the server requires client authentication. If no client
+authentication is requested, the handshake is finished (although an
+authentication of the client is implicit in the MAC included with the
+client's first data message). Otherwise, the subsequent
+CLIENT_MASTER_KEY message contains the client's response, and the
+SERVER_VERIFY message simply signals to the client to continue.
+
+For a new session, the handshake phase has the following form (items
+in square brackets are included only if client authentication is
+required):
+
+Client Server
+------ ------
+
+CLIENT_HELLO:
+client challenge;
+client's cipher, hash,
+ server-certificate,
+ and key-exchange
+ specification lists
+
+ SERVER_HELLO:
+ connection id/server challenge;
+ server's cipher, hash,
+ server-certificate,
+ and key-exchange
+ specification choices;
+ server certificate
+ [; server's signature-type
+ and client-certificate
+ specification lists]
+
+CLIENT_MASTER_KEY:
+master key, encrypted with
+ server's public key;
+authentication of previous two
+ messages
+[; client's signature-type and
+ client-certificate
+ specification choices;
+client's certificate;
+client's challenge response]
+
+ SERVER_VERIFY:
+ session id;
+ server's challenge response
+
+
+For a reconnection of an old session, the handshake phase has the
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 9]
+ Internet Draft The PCT Protocol November 1995
+
+
+following form (items in square brackets are included if client
+authentication is required):
+
+Client Server
+------ ------
+
+CLIENT_HELLO:
+client challenge;
+session id;
+client's cipher, hash,
+ server-certificate,
+ and key-exchange
+ specification lists
+
+ SERVER_HELLO:
+ connection id/server challenge;
+ old session's cipher, hash,
+ server-certificate,
+ and key-exchange
+ specification choices;
+ server's challenge response
+ [; server's signature-type
+ and client-certificate
+ specification lists]
+
+[CLIENT_MASTER_KEY:
+client's certificate;
+client's challenge response]
+
+
+ [SERVER_VERIFY]
+
+
+Note that the protocol is asymmetric between client and server. The
+client authenticates the server because only the server can decrypt
+the master key which is encrypted with the server's public key, and
+the server's challenge response depends on knowing that master key.
+The server authenticates the client because the client signs its
+challenge response with its public key. The reason for the asymmetry
+is that when there is no client authentication there is no client
+public key, so the client must choose the master key and encrypt it
+with the server public key to hide it from everyone except the server.
+
+Usually the client can safely send data on the underlying transport
+immediately following the CLIENT_MASTER_KEY message, without waiting
+for the SERVER_VERIFY; we call this "initial data". Sending initial
+data is good because it means that PCT adds only one round trip; it is
+not possible to do better without exposing the server to a replay
+attack. However, it is unwise to send initial data if for some reason
+it is important for the client to be sure of being in contact with the
+correct server before sending any data.
+
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 10]
+ Internet Draft The PCT Protocol November 1995
+
+
+5.2 PCT Handshake Protocol Messages
+
+The PCT Handshake Protocol messages are sent using the PCT Record
+Protocol and consist of a single byte message type code, followed by
+some data. The client and server exchange messages as described
+above, sending either one or two messages each. Once the handshake
+has been completed successfully, the client sends its first actual
+data.
+
+Handshake protocol messages are sent in the clear, with the exception
+of the key-exchange-related fields in the CLIENT_MASTER_KEY message,
+some of which involve (public-key) encryption.
+
+The following notation is used for PCT messages:
+
+char MSG_EXAMPLE
+char FIELD1
+char FIELD2
+char THING_LENGTH_MSB
+char THING_LENGTH_LSB
+char THING_DATA[(MSB << 8)|LSB];
+...
+
+This notation defines the data in the protocol message, including the
+message type code. The order is presented top to bottom, with the
+topmost element being transmitted first.
+
+For the "THING_DATA" entry, the MSB and LSB values are actually
+THING_LENGTH_MSB and THING_LENGTH_LSB (respectively) and define the
+number of bytes of data actually present in the message. For example,
+if THING_LENGTH_MSB were one and THING_LENGTH_LSB were four then the
+THING_DATA array would be exactly 260 bytes long. This shorthand is
+used below. Occasionally, a "THING_DATA" field is referred to as
+"THING", with the word "DATA" omitted.
+
+The names of message elements have prefixes that identify the messages
+in which they appear; these prefixes are sometimes omitted in the text
+when the containing messages are obvious.
+
+Length codes are unsigned values, and when the MSB and LSB are
+combined the result is an unsigned value. Length values are in bytes.
+
+
+5.2.1 CLIENT_HELLO (Sent in the clear)
+
+char CH_MSG_CLIENT_HELLO
+char CH_CLIENT_VERSION_MSB
+char CH_CLIENT_VERSION_LSB
+char CH_PAD
+char CH_SESSION_ID_DATA[32]
+char CH_CHALLENGE_DATA[32]
+char CH_OFFSET_MSB
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 11]
+ Internet Draft The PCT Protocol November 1995
+
+
+char CH_OFFSET_LSB
+char CH_CIPHER_SPECS_LENGTH_MSB
+char CH_CIPHER_SPECS_LENGTH_LSB
+char CH_HASH_SPECS_LENGTH_MSB
+char CH_HASH_SPECS_LENGTH_LSB
+char CH_CERT_SPECS_LENGTH_MSB
+char CH_CERT_SPECS_LENGTH_LSB
+char CH_EXCH_SPECS_LENGTH_MSB
+char CH_EXCH_SPECS_LENGTH_LSB
+char CH_KEY_ARG_LENGTH_MSB
+char CH_KEY_ARG_LENGTH_LSB
+char CH_CIPHER_SPECS_DATA[(MSB << 8)|LSB]
+char CH_HASH_SPECS_DATA[(MSB << 8)|LSB]
+char CH_CERT_SPECS_DATA[(MSB << 8)|LSB]
+char CH_EXCH_SPECS_DATA[(MSB << 8)|LSB]
+char CH_KEY_ARG_DATA[(MSB << 8)|LSB]
+
+When a client first connects to a server it is required to send the
+CLIENT_HELLO message. The server is expecting this message from the
+client as its first message. It is an ILLEGAL_MESSAGE error for a
+client to send anything else as its first message. The CLIENT_HELLO
+message begins with the PCT version number, and two fixed-length
+fields followed by an offset to the variable length data. The
+CH_OFFSET field contains the number of bytes used by the various
+fields (currently only length fields) that follow the offset field and
+precede the variable-length fields. For PCT version 1, this offset
+value is always PCT_CH_OFFSET_V1, i.e., ten. However, inclusion of
+this field will allow future versions to be compatible with version 1,
+even if the number of these fields changes: a version 1 server should
+be able to find all the PCT version 1 fields in a higher-version
+CLIENT_HELLO message. The CH_PAD field may contain any value.
+
+The CLIENT_HELLO message includes a string of random bytes used as
+challenge data from the client. Also, if the client finds a session
+identifier in its cache for the server, then that session-identifier
+data is sent. Otherwise, the special PCT_SESSION_ID_NONE value is
+used. In either case, the client specifies in CIPHER_SPECS_DATA,
+HASH_SPECS_DATA, CERT_SPECS_DATA, and EXCH_SPECS_DATA its preferred
+choices of symmetric cipher, key lengths, hash function, certificate,
+and asymmetric key exchange algorithm. However, if a session
+identifier is sent, then these choices are only relevant in the case
+where the server cannot recognize the session identifier, and a new
+session must therefore be initiated. If the server recognizes the
+session, then these fields are ignored by the server.
+
+The CHALLENGE_DATA field contains 32 bytes of random bits, to be used
+to authenticate the server. The CHALLENGE_DATA should be
+cryptographically random, in the same sense as the MASTER_KEY (see
+section 5.3.1).
+
+The CIPHER_SPECS_DATA field contains a list of possible symmetric
+ciphers supported by the client, in order of (the client's)
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 12]
+ Internet Draft The PCT Protocol November 1995
+
+
+preference. Each element in the list is a four-byte field, of which
+the first two bytes contain a code representing a cipher type, the
+third byte contains the encryption key length in bits (0-255), and the
+fourth byte contains the MAC key length in bits, minus 64 (values
+0-255, representing lengths 64-319; this encoding enforces the
+requirement that the MAC key length be at least 64 bits). The entire
+list's length in bytes (four times the number of elements) is placed
+in CIPHER_SPECS_LENGTH.
+
+The HASH_SPECS_DATA field contains a list of possible hash functions
+supported by the client, in order of (the client's) preference. The
+server will choose one of these to be used for computing MACs and
+deriving keys. Each element in the list is a two-byte field
+containing a code representing a hash function choice. The entire
+length of the list (twice the number of elements) is placed in
+HASH_SPECS_LENGTH.
+
+The CERT_SPECS_DATA field contains a list of possible certificate
+formats supported by the client, in order of (the client's)
+preference. Each element in the list is a two-byte field containing a
+code representing a certificate format. The entire length of the list
+(twice the number of elements) is placed in CERT_SPECS_LENGTH.
+
+The EXCH_SPECS_DATA field contains a list of possible asymmetric key
+exchange algorithms supported by the client, in order of (the
+client's) preference. Each element in the list is a two-byte field
+containing a code representing a key exchange algorithm type. The
+entire length of the list (twice the number of elements) is placed in
+EXCH_SPECS_LENGTH.
+
+The KEY_ARG_DATA field contains an initialization vector to be used in
+a reconnected session when the cipher type is a block cipher (any
+cipher type except PCT_CIPHER_RC4, and any key exchange type except
+PCT_EXCH_RSA_PKCS1_TOKEN_RC4). If a new session is being requested
+(i.e., the value of CH_SESSION_ID_DATA is PCT_SESSION_ID_NONE), then
+KEY_ARG_LENGTH must be zero.
+
+The CLIENT_HELLO message must be the first message sent by the client
+to the server. After the message is sent the client waits for a
+SERVER_HELLO message. Any other message returned by the server (other
+than ERROR) generates the PCT_ERR_ILLEGAL_MESSAGE error.
+
+The server, on receiving a CLIENT_HELLO message, checks the version
+number and the offset field to determine where the variable-length
+data fields start. (The OFFSET value should be at least
+PCT_CH_OFFSET_V1.) The server then checks whether there is a non-null
+SESSION_ID field, and if so, whether it recognizes the SESSION_ID. In
+that case, the server responds with a SERVER_HELLO message containing
+a non-zero RESTART_SESSION_OK field, and the appropriate value (see
+below) in the RESPONSE and CONNECTION_ID fields. Otherwise, it checks
+whether the CIPHER_SPECS, HASH_SPECS, CERT_SPECS and EXCH_SPECS lists
+in the CLIENT_HELLO message each contain at least one type supported
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 13]
+ Internet Draft The PCT Protocol November 1995
+
+
+by the server. If so, then the server sends a SERVER_HELLO message to
+the client as described below; otherwise, the server detects a
+SPECS_MISMATCH error.
+
+5.2.2 SERVER_HELLO (Sent in the clear)
+
+char SH_MSG_SERVER_HELLO
+char SH_PAD
+char SH_SERVER_VERSION_MSB
+char SH_SERVER_VERSION_LSB
+char SH_RESTART_SESSION_OK
+char SH_CLIENT_AUTH_REQ
+char SH_CIPHER_SPECS_DATA[4]
+char SH_HASH_SPECS_DATA[2]
+char SH_CERT_SPECS_DATA[2]
+char SH_EXCH_SPECS_DATA[2]
+char SH_CONNECTION_ID_DATA[32]
+char SH_CERTIFICATE_LENGTH_MSB
+char SH_CERTIFICATE_LENGTH_LSB
+char SH_CLIENT_CERT_SPECS_LENGTH_MSB
+char SH_CLIENT_CERT_SPECS_LENGTH_LSB
+char SH_CLIENT_SIG_SPECS_LENGTH_MSB
+char SH_CLIENT_SIG_SPECS_LENGTH_LSB
+char SH_RESPONSE_LENGTH_MSB
+char SH_RESPONSE_LENGTH_LSB
+char SH_CERTIFICATE_DATA[(MSB << 8)|LSB]
+char SH_CLIENT_CERT_SPECS_DATA[(MSB << 8)|LSB]
+char SH_CLIENT_SIG_SPECS_DATA[(MSB << 8)|LSB]
+char SH_RESPONSE_DATA[(MSB << 8)|LSB]
+
+The server sends this message after receiving the client's
+CLIENT_HELLO message. The PCT version number in SH_SERVER_VERSION is
+always the maximum protocol version that the server supports; the
+remainder of the message and all subsequent messages will conform to
+the format specified by the protocol version corresponding to the
+minimum of the client and server protocol version numbers. Unless
+there is an error, the server always returns a random value 32 bytes
+in length in the CONNECTION_ID field. This value doubles as challenge
+data if the server requests client authentication, and should
+therefore be random in the same sense as the challenge data in the
+CLIENT_HELLO message. The SH_PAD field may contain any value.
+
+There are two cases for RESTART_SESSION_OK. In the first case, the
+server returns a zero RESTART_SESSION_OK flag because the CLIENT_HELLO
+message did not contain a session id or because the one it contained
+is unrecognized by the server. In this case, the server must behave
+as follows:
+
+The server selects any choice with which it is compatible, from each
+of the CH_CIPHER_SPECS, CH_HASH_SPECS, CH_CERT_SPECS and CH_EXCH_SPECS
+lists supplied in the CLIENT_HELLO message. (These values are
+returned to the client in the SH_CIPHER_SPECS_DATA,
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 14]
+ Internet Draft The PCT Protocol November 1995
+
+
+SH_HASH_SPECS_DATA, SH_CERT_SPECS_DATA, and SH_EXCH_SPECS_DATA fields,
+respectively.) The certificate of the type specified in
+SH_CERT_SPECS_DATA and SH_EXCH_SPECS_DATA is placed in the
+CERTIFICATE_DATA field. The SH_RESPONSE_DATA field is empty, and its
+length is zero.
+
+In the second case, the server returns a non-zero RESTART_SESSION_OK
+flag because the CLIENT_HELLO message contained a session-identifier
+known by the server (i.e. in the server's session-identifier cache).
+In this case, the server must behave as follows:
+
+The server omits the CERTIFICATE_DATA field (with CERTIFICATE_LENGTH
+set to zero), and sets the CIPHER_SPECS_DATA, HASH_SPECS_DATA,
+CERT_SPECS_DATA and EXCH_SPECS_DATA values to the values stored along
+with the session identifier. There are two subcases: (1) If the
+SH_EXCH_SPECS_DATA does not refer to a TOKEN type, then the
+CLIENT_MAC, SERVER_MAC, CLIENT_WRITE, and SERVER_WRITE keys are
+rederived using the MASTER_KEY from the old session, as well as the
+CONNECTION_ID and CH_CHALLENGE values from the SERVER_HELLO and
+CLIENT_HELLO messages, respectively, for this connection. (2) If the
+SH_EXCH_SPECS_DATA refers to a TOKEN type, then the keys from the
+on-going session are reused. In order to obtain fresh key material or
+change the sequence number, TOKEN implementations must use the redo
+handshake mechanism (PCT_ET_REDO_CONN security escape). When this
+mechanism is used with a TOKEN exchange type, the client must send
+PCT_SESSION_ID_NONE in the CH_SESSION_ID_DATA field of the subsequent
+CLIENT_HELLO message.
+
+The RESPONSE_DATA is constructed by computing the function
+
+Hash( SERVER_MAC_KEY, Hash( "sr", CH_CHALLENGE_DATA,
+SH_CONNECTION_ID_DATA, CH_SESSION_ID_DATA ) ).
+
+The CH_CHALLENGE_DATA and CH_SESSION_ID_DATA values are found in the
+CLIENT_HELLO message for this connection. The SH_CONNECTION_ID_DATA
+value is from this SERVER_HELLO message. The SERVER_MAC_KEY is the
+one rederived for this connection as described in section 5.3.1. If
+the length of SERVER_MAC_KEY is not an exact multiple of eight bits,
+then SERVER_MAC_KEY is considered, for the purposes of MAC
+computation, to have (fewer than eight) zero bits appended to it, to
+create a string of an integral number of bytes for input into the MAC
+hash function. The hash function choice used is determined by the
+SH_HASH_SPECS_DATA field in this SERVER_HELLO message. The values are
+input into the interior invocation of the hash function in the exact
+order specified above, with the string in quotation marks representing
+actual ASCII text.
+
+In both reconnection cases, if the server requires client
+authentication, then the CLIENT_AUTH_REQ field is set to a non-zero
+value. Also, a list of (client) certificate types acceptable to the
+server, in order of (the server's) preference, is placed in the
+CLIENT_CERT_SPECS_DATA field, and a list of (client's) signature
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 15]
+ Internet Draft The PCT Protocol November 1995
+
+
+algorithms supported by the server, in order of (the server's)
+preference, is placed in the CLIENT_SIG_SPECS_DATA field. The
+certificate type values in the list are from the same set of two byte
+codes used for the CERT_SPECS list appearing in the CLIENT_HELLO
+message, and the signature algorithm type codes are also two bytes
+long. (See section 5.3.4 and 5.3.5 below.) The lengths of the lists
+in bytes (twice the number of elements) are placed in the
+CLIENT_CERT_SPECS_LENGTH and CLIENT_SIG_SPECS_LENGTH fields. If no
+client authentication is required, then these length fields, as well
+as the CLIENT_AUTH_REQ field, are set to zero, and the corresponding
+data fields are empty.
+
+When the client receives a SERVER_HELLO message, it checks whether the
+server has accepted a reconnection of an old session or is
+establishing a new session. If a new session is being initiated, and
+client authentication is requested, then the client checks whether it
+is compatible with any of the certificate and signature types listed
+in the CLIENT_CERT_SPECS and CLIENT_SIG_SPECS lists. (Note that the
+server can make client authentication optional for the client simply
+by including PCT_CERT_NONE and PCT_SIG_NONE as a "last resort".) If
+the client can provide a compatible certificate, then it sends a
+CLIENT_MASTER_KEY message as described below; otherwise, it generates
+a SPECS_MISMATCH error.
+
+If the session is an old one, then the client establishes the new
+CLIENT_WRITE_KEY, SERVER_WRITE_KEY, CLIENT_MAC_KEY and SERVER_MAC_KEY
+according to the cipher-specific rules described below in section
+5.3.1. The client then checks the contents of the RESPONSE_DATA field
+in the SERVER_HELLO message for correctness. If the response matches
+the value calculated by the client (exactly as described above for the
+server), then the handshake is finished, and the client begins sending
+data; otherwise, a SERVER_AUTH_FAILED error occurs.
+
+
+5.2.3 CLIENT_MASTER_KEY (sent in the clear, except for encrypted keys)
+
+char CMK_MSG_CLIENT_MASTER_KEY
+char CMK_PAD
+char CMK_CLIENT_CERT_SPECS_DATA[2]
+char CMK_CLIENT_SIG_SPECS_DATA[2]
+char CMK_CLEAR_KEY_LENGTH_MSB
+char CMK_CLEAR_KEY_LENGTH_LSB
+char CMK_ENCRYPTED_KEY_LENGTH_MSB
+char CMK_ENCRYPTED_KEY_LENGTH_LSB
+char CMK_KEY_ARG_LENGTH_MSB
+char CMK_KEY_ARG_LENGTH_LSB
+char CMK_VERIFY_PRELUDE_LENGTH_MSB
+char CMK_VERIFY_PRELUDE_LENGTH_LSB
+char CMK_CLIENT_CERT_LENGTH_MSB
+char CMK_CLIENT_CERT_LENGTH_LSB
+char CMK_RESPONSE_LENGTH_MSB
+char CMK_RESPONSE_LENGTH_LSB
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 16]
+ Internet Draft The PCT Protocol November 1995
+
+
+char CMK_CLEAR_KEY_DATA[(MSB << 8)|LSB]
+char CMK_ENCRYPTED_KEY_DATA[(MSB << 8)|LSB]
+char CMK_KEY_ARG_DATA[(MSB << 8)|LSB]
+char CMK_VERIFY_PRELUDE_DATA[(MSB << 8)|LSB]
+char CMK_CLIENT_CERT_DATA[(MSB << 8)|LSB]
+char CMK_RESPONSE_DATA[(MSB << 8)|LSB]
+
+The client sends this message after receiving the SERVER_HELLO message
+from the server if a new session is being started or if client
+authentication has been requested. If no client authentication has
+been requested in the SERVER_HELLO message and an old session is being
+reconnected (i.e., if the CLIENT_AUTH_REQ field is zero and the
+RESTART_SESSION_OK field is nonzero), then the CLIENT_MASTER_KEY
+message is not sent.
+
+For TOKEN exchange types, both client and server (re)set the sequence
+numbers to zero when this message is sent/received.
+
+The contents of the CLEAR_KEY_DATA, ENCRYPTED_KEY_DATA, and
+KEY_ARG_DATA fields depend on the contents of the SH_CIPHER_SPECS_DATA
+and SH_EXCH_SPECS_DATA fields in the preceding SERVER_HELLO message.
+These will be described for each possible choice of these values in
+section 5.3.1 and 5.3.2, along with how the various keys
+(CLIENT_WRITE_KEY, SERVER_WRITE_KEY, CLIENT_MAC_KEY, and
+SERVER_MAC_KEY) are derived in each case. The CMK_PAD field may
+contain any value.
+
+The CMK_VERIFY_PRELUDE_DATA field contains the value
+
+Hash( CLIENT_MAC_KEY, Hash( "cvp", CLIENT_HELLO, SERVER_HELLO ) ).
+
+If the length of CLIENT_MAC_KEY is not an exact multiple of eight
+bits, then CLIENT_MAC_KEY is considered, for the purposes of MAC
+computation, to have (fewer than eight) zero bits appended to it, to
+create a string of an integral number of bytes for input into the MAC
+hash function. The hash function used is the one specified in
+SH_HASH_SPECS_DATA. The parameters are input into the hash function
+in the order presented above, with the strings in quotation marks
+representing ASCII text. Note that the client need only keep a
+"running hash" of all the values passed in these first two messages as
+they appear, then hash the result using the CLIENT_MAC_KEY when
+generated, to compute the value of VERIFY_PRELUDE.
+
+If SH_CLIENT_AUTH_REQ is zero, then CMK_CLIENT_CERT_SPECS_DATA and
+CMK_CLIENT_SIG_SPECS_DATA are both zero, and the CMK_CLIENT_CERT and
+CMK_RESPONSE_DATA fields are empty. Otherwise, the CMK_RESPONSE_DATA
+field contains the client's authentication response, and the
+CMK_CLIENT_CERT_SPECS_DATA and CMK_CLIENT_SIG_SPECS_DATA fields
+contain the client's choices from the SH_CLIENT_CERT_SPECS_DATA and
+SH_CLIENT_SIG_SPECS_DATA lists, respectively. The
+CMK_CLIENT_CERT_DATA field contains the client's certificate, which
+must match the certificate type specified in the
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 17]
+ Internet Draft The PCT Protocol November 1995
+
+
+CMK_CLIENT_CERT_SPECS_DATA field. Also, the public key in the
+certificate must be a signature key of the type specified in
+CMK_CLIENT_SIG_SPECS_DATA, which in turn must match one of the types
+in the SH_CLIENT_SIG_SPECS_DATA list.
+
+CMK_RESPONSE_DATA is simply a digital signature, using the private
+signature key associated with the public key in the client's
+certificate, of the value in the CMK_VERIFY_PRELUDE_DATA field. The
+signature algorithm is determined by the CMK_CLIENT_SIG_SPECS_DATA
+field. (Note that the signature algorithm may itself require that a
+hash function be applied to the data being signed, apart from the one
+used to compute the value in CMK_VERIFY_PRELUDE_DATA.)
+
+Upon receiving a CLIENT_MASTER_KEY message, the server performs the
+cipher-specific functions described in section 5.3 to establish the
+new CLIENT_WRITE_KEY, SERVER_WRITE_KEY, CLIENT_MAC_KEY and
+SERVER_MAC_KEY. The server then checks the VERIFY_PRELUDE_DATA value,
+the client certificate, and the client response for correctness and
+validity (the latter two only if client authentication had been
+requested). The checks of the VERIFY_PRELUDE_DATA and RESPONSE_DATA
+are performed by recomputing their correct value, and comparing with
+the values received. The certificate is verified using whatever
+mechanism has been implemented to validate certificates, and the
+signature in the RESPONSE_DATA field is verified using the
+verification algorithm associated with the signature scheme being
+used. If all of these values pass their checks, then the server sends
+the SERVER_VERIFY message; otherwise, an error occurs
+(INTEGRITY_CHECK_FAILED, BAD_CERTIFICATE, or CLIENT_AUTH_FAILED,
+respectively).
+
+5.2.4 SERVER_VERIFY (Sent in the clear)
+
+char SV_MSG_SERVER_VERIFY
+char SV_PAD
+char SV_SESSION_ID_DATA[32]
+char SV_RESPONSE_LENGTH_MSB
+char SV_RESPONSE_LENGTH_LSB
+char SV_RESPONSE_DATA[(MSB << 8)|LSB]
+
+The server sends this message upon receiving a valid CLIENT_MASTER_KEY
+message from the client. The SV_PAD field may contain any value. If
+an old session is being reconnected, then the RESPONSE_DATA field is
+empty, its length is zero, and the SESSION_ID_DATA field may contain
+any value. Otherwise, the SV_SESSION_ID_DATA field contains a value
+32 bytes in length, which should be generated randomly (in the same
+sense as the CHALLENGE_DATA field in the CLIENT_HELLO message). The
+value PCT_SESSION_ID_NONE should not be used as a SV_SESSION_ID_DATA
+value. The contents of the SV_RESPONSE_DATA field are constructed by
+computing the function
+
+Hash( SERVER_MAC_KEY, Hash( "sr", CH_CHALLENGE_DATA,
+SH_CONNECTION_ID_DATA, SV_SESSION_ID_DATA ) ).
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 18]
+ Internet Draft The PCT Protocol November 1995
+
+
+The CH_CHALLENGE_DATA and SH_CONNECTION_ID_DATA values, the choice of
+hash function used, and the value of SERVER_MAC_KEY are determined by
+the CLIENT_HELLO, SERVER_HELLO, SERVER_HELLO and CLIENT_MASTER_KEY
+messages, respectively, immediately preceding the SERVER_VERIFY
+message. The values are input into the interior invocation of the
+hash function in the exact order specified above, with the string in
+quotation marks representing actual ASCII text. If the length of
+SERVER_MAC_KEY is not an exact multiple of eight bits, then
+SERVER_MAC_KEY is considered, for the purposes of MAC computation, to
+have (fewer than eight) zero bits appended to it, to create a string
+of an integral number of bytes for intput into the MAC hash function.
+
+When the client receives this message, it verifies the correctness of
+the response data, by computing the hash value as described above and
+comparing it with the one received. If it is correct, then the client
+proceeds with the first data record transmission; otherwise, a
+SERVER_AUTH_FAILED error occurs. An implementation may choose to send
+initial data immediately after the CLIENT_MASTER_KEY message, without
+waiting for the SERVER_VERIFY message to arrive, if verifying the
+server's identity before sending it any data is unimportant.
+
+
+5.3 Algorithm and Certificate Types
+
+5.3.1 Key Exchange Algorithms
+
+PCT version 1 permits the following key exchange types:
+
+PCT_EXCH_RSA_PKCS1
+PCT_EXCH_RSA_PKCS1_TOKEN_DES
+PCT_EXCH_RSA_PKCS1_TOKEN_DES3
+PCT_EXCH_RSA_PKCS1_TOKEN_RC2
+PCT_EXCH_RSA_PKCS1_TOKEN_RC4
+PCT_EXCH_DH_PKCS3
+PCT_EXCH_DH_PKCS3_TOKEN_DES
+PCT_EXCH_DH_PKCS3_TOKEN_DES3
+PCT_EXCH_FORTEZZA_TOKEN
+
+Note that the token-based key exchange types specify cipher as well
+(including, implicitly, the FORTEZZA key exchange type); if one of
+these is chosen, then its choice of cipher overrides whatever choice
+of cipher appears in the SH_CIPHER_SPECS_DATA field of the
+SERVER_HELLO message.
+
+For the PCT_EXCH_RSA_PKCS1 key exchange type, a MASTER_KEY value is
+generated by the client, which should be random in the following
+strong sense: attackers must not be able to predict any of the bits in
+the MASTER_KEY. It is recommended that the bits used be either truly
+random and uniformly generated (using some random physical process) or
+else generated using a cryptographically secure pseudorandom number
+generator, which was in turn seeded with a truly random and uniformly
+generated seed. This MASTER_KEY value is encrypted using the server's
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 19]
+ Internet Draft The PCT Protocol November 1995
+
+
+public encryption key, as obtained from the server's certificate in
+the SH_CERTIFICATE_DATA field of the SERVER_HELLO message. The
+encryption must follow the RSA PKCS#1 standard format (see [2]), block
+type 2. This encryption is sent to the server in the
+CMK_ENCRYPTED_KEY_DATA field of the CLIENT_MASTER_KEY message, and is
+decrypted by the server to obtain the MASTER_KEY.
+
+For the PCT_EXCH_DH_PKCS3 key exchange type, a random private value x
+(generated in the same way as the MASTER_KEY above) and corresponding
+public value y are generated by the client following RSA PKCS#3
+standard format (see [3]). The value y is then sent to the server in
+the CMK_ENCRYPTED_KEY_DATA field of the CLIENT_MASTER_KEY message.
+The client's private value x, along with the public value y' included
+in the server's certificate in the SH_CERTIFICATE_DATA field of the
+SERVER_HELLO message, is used to generate the MASTER_KEY. The server
+uses its private value, x', along with the y value sent by the client,
+to obtain the same MASTER_KEY value.
+
+For the various TOKEN key exchange types, all the key material is
+contained in the CMK_ENCRYPTED_KEY_DATA field, but the format of the
+data is defined by the token implementation, or by other future
+documents.
+
+The length of the MASTER_KEY depends on the key exchange type. For
+the PCT_EXCH_RSA_PKCS1 and PCT_EXCH_DH_PKCS3 exchange types, the
+MASTER_KEY is a 128-bit value. The CLIENT_WRITE_KEY and
+SERVER_WRITE_KEY are computed as follows:
+
+CLIENT_WRITE_KEY_i = Hash( i, "cw", MASTER_KEY, "cw"^i,
+SH_CONNECTION_ID_DATA, "cw"^i, SH_CERTIFICATE_DATA,"cw"^i,
+CH_CHALLENGE_DATA, "cw"^i )
+
+SERVER_WRITE_KEY_i = Hash( i, "svw", MASTER_KEY, "svw"^i,
+SH_CONNECTION_ID_DATA, "svw"^i, CH_CHALLENGE_DATA, "svw"^i )
+
+The values in quotation marks are treated as (sequences of) ASCII
+characters; "x"^i denotes i copies of the string "x" concatenated
+together. The function "Hash" is the one determined by the value of
+SH_HASH_SPECS_DATA. The parameters are input into the hash function
+in the order presented above; the variable i is input as a single-byte
+unsigned integer. The WRITE_KEYs (i.e., CLIENT_WRITE_KEY and
+SERVER_WRITE_KEY) are obtained by concatenating WRITE_KEY_1 through
+WRITE_KEY_m, where m is the negotiated encryption key length (the
+value in the third byte of the SH_CIPHER_SPECS_DATA field) divided by
+the hash output length, in bits, rounded up to the nearest integer.
+This resulting string is then truncated if necessary (by removing bits
+from the end) to produce a string of the correct length.
+
+The CLIENT_MAC_KEY and SERVER_MAC_KEY are computed as follows:
+
+CLIENT_MAC_KEY_i = Hash( i, MASTER_KEY, "cmac"^i,
+SH_CONNECTION_ID_DATA, "cmac"^i, SH_CERTIFICATE_DATA, "cmac"^i,
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 20]
+ Internet Draft The PCT Protocol November 1995
+
+
+CH_CHALLENGE_DATA, "cmac"^i )
+
+SERVER_MAC_KEY_i = Hash( i, MASTER_KEY, "svmac"^i,
+SH_CONNECTION_ID_DATA, "svmac"^i, CH_CHALLENGE_DATA, "svmac"^i )
+
+The values in quotation marks are treated as (sequences of) ASCII
+characters; "x"^i denotes i copies of the string "x" concatenated
+together. The function "Hash" is the one determined by the value of
+SH_HASH_SPECS_DATA. The parameters are input into the hash function
+in the order presented above; the variable i is input as a single-byte
+unsigned integer. The MAC_KEYs (ie., CLIENT_MAC_KEY and
+SERVER_MAC_KEY) are obtained by concatenating MAC_KEY_1 through
+MAC_KEY_m, where m is the negotiated MAC key length (64 plus the value
+in the fourth byte of the SH_CIPHER_SPECS_DATA field) divided by the
+hash output length, in bits, rounded up to the nearest integer. This
+resulting string is then truncated if necessary (by removing bits from
+the end) to produce a string of the correct length.
+
+Note that tokens which are capable of deriving keys using "keyed
+hashes", as described above, are free to use the PCT_EXCH_RSA_PKCS1
+or PCT_EXCH_DH_PKCS3 key exchange type to exchange the MASTER_KEY,
+and then to derive the rest of the keys normally. The TOKEN key
+exchange types are for tokens that cannot do such keyed-hash key
+derivation, and can only use an exchanged key for bulk encryption
+(of, for example, other keys). Such tokens can exchange multiple
+keys by using an initially exchanged MASTER_KEY to encrypt other
+keys, as described above.
+
+5.3.2 Cipher Types
+
+PCT version 1 permits the following cipher types to be specified:
+
+PCT_CIPHER_DES
+PCT_CIPHER_IDEA
+PCT_CIPHER_RC2
+PCT_CIPHER_RC4
+PCT_CIPHER_DES_112
+PCT_CIPHER_DES_168
+
+Each of these types is denoted by a two-byte code, and is followed in
+CIPHER_SPECS_DATA fields by two one-byte length specifications, as
+described in section 5.2.1. An encryption length specification of
+zero associated with any cipher denotes the choice of no encryption; a
+key exchange is performed in such cases solely to share keys for MAC
+computation. The MAC key length must always be at least 64 bits (see
+section 5.2.1).
+
+The CLEAR_KEY_DATA field is used only when encryption keys of length
+less than the standard length for the specified cipher are used;
+otherwise, the field is empty. When a key length is specified which
+is less than the standard key length for the specified cipher, then
+keys of the specified length are derived normally as described in
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 21]
+ Internet Draft The PCT Protocol November 1995
+
+
+section 5.3.1, and then "expanded" to derive standard-length keys.
+The expansion proceeds as follows:
+
+1. Assign to d the result of dividing the standard key length for
+the cipher, in bits, by the output length of the hash function, in
+bits, rounded up to the nearest integer.
+
+2. Divide CLEAR_KEY_DATA sequentially into d equal subsegments.
+(Note that the length of the CLEAR_KEY_DATA field must therefore be a
+multiple of d bytes, and that no two of its d equal parts, when so
+divided, may be identical.) Denote these subsegments CLEAR_KEY_DATA_1
+through CLEAR_KEY_DATA_d.
+
+3. Compute the d hash values
+
+STANDARD_LENGTH_KEY_i := Hash( i, "sl"^i, WRITE_KEY, "sl"^i,
+CLEAR_KEY_DATA_i ).
+
+The values in quotation marks are treated as (sequences of) ASCII
+characters; "x"^i denotes i copies of the string "x" concatenated
+together. The function "Hash" is the one determined by the value of
+SH_HASH_SPECS_DATA. The parameters are input into the hash function
+in the order presented above; the variable i is input as a
+single-byte unsigned integer. The WRITE_KEY is the encryption key
+(CLIENT_WRITE_KEY or SERVER_WRITE_KEY) being expanded to standard
+length. If the length of the WRITE_KEY is not an exact number of
+bytes, then its final byte is padded with zeroes to increase its
+length to an exact number of bytes.
+
+4. Concatenate STANDARD_LENGTH_KEY_1 through STANDARD_LENGTH_KEY_d,
+and then truncate as necessary (by removing bits from the end) to
+produce the STANDARD_LENGTH_KEY which is actually used for encryption.
+
+The KEY_ARG_DATA field contains a random eight-byte value to be used
+as an initialization vector (IV) for the first encrypted message when
+a block cipher (any cipher except RC4) is used. The IV for the first
+block encrypted in any subsequent encrypted message is simply the last
+encrypted block of the previous message. The KEY_ARG_DATA field is
+empty when cipher type PCT_CIPHER_RC4 (or key exchange type
+PCT_EXCH_RSA_PKCS1_TOKEN_RC4) is used.
+
+PCT_CIPHER_DES denotes DES (see [4]). Its standard key length is 56
+bits. PCT_CIPHER_DES_112 and PCT_CIPHER_DES_168 denote ciphers in
+which the input is first encrypted under DES with a first key, then
+"decrypted" under DES with a second key, then encrypted under DES with
+a third key. For PCT_CIPHER_DES_112, the first and third keys are
+identical, and correspond to the initial 56 bits of the 112-bit
+WRITE_KEY. The second key corresponds to the final 56 bits of the
+WRITE_KEY. For PCT_CIPHER_DES_168, the three keys are distinct, and
+correspond to the first, second, and third 56-bit subsegments of the
+WRITE_KEY. All three of these DES-based cipher types have 64-bit data
+blocks and are used with cipher block chaining (CBC).
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 22]
+ Internet Draft The PCT Protocol November 1995
+
+
+The standard key lengths for PCT_CIPHER_DES_112 and PCT_CIPHER_DES_168
+are 112 bits and 168 bits, respectively. If a key length less than
+the standard length is specified for one of these ciphers (or for
+PCT_CIPHER_DES), then the WRITE_KEY is expanded to the standard length
+as described above.
+
+Note that before use, each 56-bit DES key must be "adjusted" to add
+eight parity bits to form an eight-byte DES key (see [4]). Similarly,
+if the specified WRITE_KEY length is less than its corresponding
+standard length, then each WRITE_KEY is expanded to the standard
+length using CLEAR_KEY_DATA as described above, to produce one, two,
+or three keys of 56 bits each, which are then each "adjusted" by
+adding parity bits to form an eight-byte key.
+
+PCT_CIPHER_IDEA denotes the IDEA block cipher (see [5]), with 64-bit
+data blocks and cipher block chaining. This cipher has a standard key
+length of 128 bits.
+
+PCT_CIPHER_RC2 denotes the RC2 block cipher, with 64-bit blocks and
+cipher block chaining. Like IDEA, this cipher has a standard key
+length of 128 bits.
+
+PCT_CIPHER_RC4 denotes the RC4 stream cipher. Like the IDEA and RC2
+block ciphers, this cipher has a standard key length of 128 bits.
+
+5.3.3 Hash Types
+
+PCT version 1 permits the following hash function types to be
+specified:
+
+PCT_HASH_MD5
+PCT_HASH_MD5_TRUNC_64
+PCT_HASH_SHA
+PCT_HASH_SHA_TRUNC_80
+PCT_HASH_DES_DM
+
+PCT_CIPHER_MD5 denotes the MD5 hash function (see [6]), with 128-bit
+output. PCT_CIPHER_MD5_TRUNC_64 denotes the MD5 hash function, with
+its 128-bit output truncated to 64 bits. PCT_HASH_SHA denotes the
+Secure Hash Algorithm (see [7]), with 160-bit output.
+PCT_HASH_SHA_TRUNC_80 denotes the Secure Hash Algorithm, with its
+160-bit output truncated to 80 bits. PCT_HASH_DES_DM denotes the
+DES-based Davies-Meyer hash algorithm (see [8]), with 64-bit output.
+
+
+5.3.4 Certificate Types
+
+PCT version 1 permits the following certificate types to be specified:
+
+PCT_CERT_NONE
+PCT_CERT_X509
+PCT_CERT_PKCS7
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 23]
+ Internet Draft The PCT Protocol November 1995
+
+
+These types apply equally to the client's and server's certificates.
+PCT_CERT_NONE denotes that no certificate is necessary; this type can
+be included by, say, the server as a choice, thereby making
+authentication optional for the client. PCT_CERT_X509 denotes a
+CCITT X.509 standard-conformant certificate (see [9]).
+PCT_CERT_PKCS7 denotes an RSA PKCS#7 standard-conformant certificate
+(see [10]).
+
+
+5.3.5 Signature Types
+
+PCT version 1 permits the following signature key types to be
+specified:
+
+PCT_SIG_NONE
+PCT_SIG_RSA_MD5
+PCT_SIG_RSA_SHA
+PCT_SIG_DSA_SHA
+
+PCT_SIG_NONE denotes that no signature is necessary; this type can be
+included by the server as a choice, thereby making authentication
+optional for the client. PCT_SIG_RSA_MD5 denotes the signature scheme
+consisting of hashing the data to be signed using the MD5 hash
+algorithm, and then performing an RSA private-key signature function
+(the inverse of RSA encryption) on the result. The signature must
+conform to RSA PKCS#1, block type 1 (see [2]). PCT_SIG_RSA_SHA
+denotes the same signature scheme with SHA substituted for MD5.
+PCT_SIG_DSA_SHA denotes the signature scheme consisting of hashing the
+data to be signed using the SHA hash algorithm, then computing a
+signature of the resulting value using the Digital Signature Algorithm
+(DSA; see [11]).
+
+
+5.4 Errors
+
+Error handling in the PCT protocol is very simple. When an error is
+detected during the handshake phase, the detecting party sends a
+message to the other party indicating the error so that both parties
+will know about it, and then closes the connection. If a party
+detects an error after it has sent its last handshake message, the
+detecting party simply closes the connection without sending an error
+message. In the second case there are only two possible errors, and
+the party that does not detect the error can distinguish them as
+follows: if the server sees an aborted connection and the most recent
+message it sent the client was a handshake message, then the error was
+SERVER_AUTH_FAILED; otherwise, the error was INTEGRITY_CHECK_FAILED.
+
+Receiving an error message also causes the receiving party to close
+the connection. Servers and clients should not make any further use
+of any keys, challenges, connection identifiers, or session
+identifiers associated with such an aborted connection.
+
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 24]
+ Internet Draft The PCT Protocol November 1995
+
+
+It is recommended that implementations perform some kind of alert or
+logging function when errors are generated to facilitate monitoring of
+various types of attack on the system.
+
+
+The message sent in the event of a handshake-phase error has the
+following form:
+
+char MSG_ERROR
+char ERROR_CODE_MSB
+char ERROR_CODE_LSB
+char ERROR_INFO_LENGTH_MSB
+char ERROR_INFO_LENGTH_LSB
+char ERROR_INFO_DATA[(MSB << 8)|LSB]
+
+The ERROR_INFO_LENGTH field is zero except in the case of the
+SPECS_MISMATCH error message, which has a six-byte ERROR_INFO_DATA
+field.
+
+The PCT Handshake Protocol defines the following errors:
+
+PCT_ERR_BAD_CERTIFICATE
+
+This error occurs when the client receives a SERVER_HELLO message in
+which the certificate is invalid, either because one or more of the
+signatures in the certificate is invalid, or because the identity or
+attributes on the certificate are in some way incorrect.
+
+PCT_ERR_CLIENT_AUTH_FAILED
+
+This error occurs when the server receives a CLIENT_MASTER_KEY message
+from the client in which the client's authentication response is
+incorrect. The certificate may be invalid, the signature may be
+invalid, or the contents of the signed response may be incorrect.
+
+PCT_ERR_ILLEGAL_MESSAGE
+
+This error occurs under a number of circumstances. For example, it
+occurs when an unrecognized security escape code is received, when an
+unrecognized handshake message is encountered, or when the value of
+CH_OFFSET is to large for its CLIENT_HELLO message.
+
+PCT_ERR_INTEGRITY_CHECK_FAILED
+
+This error occurs when either the client or the server receives a
+message in which the MAC_DATA is incorrect. It is also recommended
+that the record be treated as if it contained no data, in order to
+ensure that applications do not receive and process invalid data
+before learning that it has failed its integrity check.
+
+This error also occurs when the VERIFY_PRELUDE_DATA value sent by the
+client in the CLIENT_MASTER_KEY message (during the handshake phase)
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 25]
+ Internet Draft The PCT Protocol November 1995
+
+
+is incorrect. In this case, an error message is sent.
+
+PCT_ERR_SERVER_AUTH_FAILED
+
+This error occurs when the client receives a SERVER_HELLO or
+SERVER_VERIFY message in which the authentication response is
+incorrect.
+
+PCT_ERR_SPECS_MISMATCH
+
+This error occurs when a server cannot find a cipher, hash function,
+certificate type, or key exchange algorithm it supports in the lists
+supplied by the client in the CLIENT_HELLO message. It also occurs
+when the client cannot find a certificate or signature type it
+supports in the list supplied by the server in a SERVER_HELLO message
+that requests client authentication. (Note that the client or server
+can select the "NONE" option as the last resort for any security
+feature it wishes to make optional. For example, the server can make
+client authentication optional for the client by passing a list of
+certificate and signature types, each list containing the "NONE" type
+as the last entry.) This error may also occur as a result of a
+mismatch in cipher specifications or client authentication requests
+between the initial specifications and those that resulted from a redo
+handshake sequence.
+
+The error message for this error includes a six-byte informational
+field, defined as follows:
+
+char SPECS_MISMATCH_CIPHER
+char SPECS_MISMATCH_HASH
+char SPECS_MISMATCH_CERT
+char SPECS_MISMATCH_EXCH
+char SPECS_MISMATCH_CLIENT_CERT
+char SPECS_MISMATCH_CLIENT_SIG
+
+Each field is set to a non-zero value if and only if the corresponding
+list resulted in a mismatch. For example, if and only if the
+SPECS_MISMATCH error message is being sent because server failed to
+find a certificate type it supports in the list supplied by the client
+in the CH_CERT_SPECS_DATA field, then the SPECS_MISMATCH_CERT field in
+the error message would be non-zero.
+
+5.5 Constants
+
+Following is a list of constant values used in the PCT protocol
+version 1.
+
+5.5.1 Message type codes
+
+These codes are each placed in the first byte of the corresponding
+PCT handshake phase message.
+
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 26]
+ Internet Draft The PCT Protocol November 1995
+
+
+PCT_MSG_CLIENT_HELLO := 0x01
+PCT_MSG_SERVER_HELLO := 0x02
+PCT_MSG_CLIENT_MASTER_KEY := 0x03
+PCT_MSG_SERVER_VERIFY := 0x04
+PCT_MSG_ERROR := 0x05
+
+5.5.2 Specification Type Codes
+
+These are codes used to specify types of cipher, key exchange, hash
+function, certificate, and digital signature in the protocol.
+
+PCT_EXCH_RSA_PKCS1 := 0x0001
+PCT_EXCH_RSA_PKCS1_TOKEN_DES := 0x0002
+PCT_EXCH_RSA_PKCS1_TOKEN_DES3 := 0x0003
+PCT_EXCH_RSA_PKCS1_TOKEN_RC2 := 0x0004
+PCT_EXCH_RSA_PKCS1_TOKEN_RC4 := 0x0005
+PCT_EXCH_DH_PKCS3 := 0x0006
+PCT_EXCH_DH_PKCS3_TOKEN_DES := 0x0007
+PCT_EXCH_DH_PKCS3_TOKEN_DES3 := 0x0008
+PCT_EXCH_FORTEZZA_TOKEN := 0x0009
+
+PCT_CIPHER_DES := 0x0001
+PCT_CIPHER_IDEA := 0x0002
+PCT_CIPHER_RC2 := 0x0003
+PCT_CIPHER_RC4 := 0x0004
+PCT_CIPHER_DES_112 := 0x0005
+PCT_CIPHER_DES_168 := 0x0006
+
+PCT_HASH_MD5 := 0x0001
+PCT_HASH_MD5_TRUNC_64 := 0x0002
+PCT_HASH_SHA := 0x0003
+PCT_HASH_SHA_TRUNC_80 := 0x0004
+PCT_HASH_DES_DM := 0x0005
+
+PCT_CERT_NONE := 0x0000
+PCT_CERT_X509 := 0x0001
+PCT_CERT_PKCS7 := 0x0002
+
+PCT_SIG_NONE := 0x0000
+PCT_SIG_RSA_MD5 := 0x0001
+PCT_SIG_RSA_SHA := 0x0002
+PCT_SIG_DSA_SHA := 0x0003
+
+5.5.3 Error Codes
+
+These codes are used to identify errors, when they occur, in error
+messages.
+
+PCT_ERR_BAD_CERTIFICATE := 0x0001
+PCT_ERR_CLIENT_AUTH_FAILED := 0x0002
+PCT_ERR_ILLEGAL_MESSAGE := 0x0003
+PCT_ERR_INTEGRITY_CHECK_FAILED := 0x0004
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 27]
+ Internet Draft The PCT Protocol November 1995
+
+
+PCT_ERR_SERVER_AUTH_FAILED := 0x0005
+PCT_ERR_SPECS_MISMATCH := 0x0006
+
+5.5.4 Miscellaneous Codes
+
+These include escape type codes, version numbers, and assorted
+constants associated with the PCT protocol.
+
+PCT_SESSION_ID_NONE := 0x00 (32 bytes of zeros)
+
+PCT_ET_OOB_DATA := 0x01
+PCT_ET_REDO_CONN := 0x02
+
+PCT_VERSION_1 := 0x8001
+
+PCT_CH_OFFSET_V1 := 0x000A
+
+PCT_MAX_RECORD_LENGTH_2_BYTE_HEADER := 32767
+PCT_MAX_RECORD_LENGTH_3_BYTE_HEADER := 16383
+
+
+6. Security Considerations
+
+This entire document is about security.
+
+
+References
+
+[1] K. Hickman and T. Elgamal. The SSL Protocol. Internet-draft,
+June 1995.
+
+[2] RSA Laboratories, "PKCS #1: RSA Encryption Standard", Version
+1.5, November 1993.
+
+[3] RSA Laboratories, "PKCS #3: "Diffie-Hellman Key-Agreement
+Standard", Version 1.4, November 1993.
+
+[4] NBS FIPS PUB 46, "Data Encryption Standard", National Bureau of
+Standards, US Department of Commerce, Jan. 1977.
+
+[5] X. Lai, "On the Design and Security of Block Ciphers", ETH Series
+in Information Processing, v. 1, Konstanz: Hartung-Gorre Verlag, 1992.
+
+[6] R. Rivest, RFC 1321: "The MD5 Message Digest Algorithm", April
+1992.
+
+[7] NIST FIPS PUB 180-1, "Secure Hash Standard", National Institute
+of Standards and Technology, US Department of Commerce, Apr. 1995.
+
+[8] ISO/IEC 9797, "Data Cryptographic Techniques--Data Integrity
+Mechanism Using a Cryptographic Check Function Employing a Block
+Cipher Algorithm", 1989.
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 28]
+ Internet Draft The PCT Protocol November 1995
+
+
+[9] CCITT. Recommendation X.509: "The Directory - Authentication
+Framework". 1988.
+
+[10] RSA Laboratories, "PKCS #7: Cryptographc Message Syntax
+Standard", Version 1.5, November 1993.
+
+[11] NIST FIPS PUB 186, "Digital Signature Standard", National
+Institute of Standards and Technology, US Department of Commerce, May
+1994.
+
+[12] B. Schneier, "Applied Cryptography: Protocols, Algorithms, and
+Source Code in C", John Wiley & Sons, Inc., 1994.
+
+[13] R.L. Rivest, A. Shamir, L. Adelman, "A Method for Obtaining
+Digital Signatures and Public Key Cryptosystems" MIT Laboratory for
+Computer Science and Department of Mathematics, S.L. Graham,
+R.L. Rivest ed. Communications of the ACM, February 1978 (Vol 21,
+No. 2) pages 120-126.
+
+Patent Statement
+
+This version of the PCT protocol relies on the use of patented public
+key encryption technology for authentication and encryption. The
+Internet Standards Process as defined in RFC 1310 requires a written
+statement from the Patent holder that a license will be made
+available to applicants under reasonable terms and conditions prior
+to approving a specification as a Proposed, Draft or Internet
+Standard.
+
+See existing RFCs, including RFC 1170, that discuss known public key
+cryptography patents and licensing terms and conditions.
+
+The Internet Society, Internet Architecture Board, Internet
+Engineering Steering Group and the Corporation for National Research
+Initiatives take no position on the validity or scope of the patents
+and patent applications, nor on the appropriateness of the terms of
+the assurance. The Internet Society and other groups mentioned above
+have not made any determination as to any other intellectual property
+rights which may apply to the practice of this standard. Any further
+consideration of these matters is the user's own responsibility.
+
+Author's Address
+
+Josh Benaloh/Butler Lampson/Daniel R. Simon/Terence Spies/Bennet Yee
+Microsoft Corp.
+One Microsoft Way
+Redmond WA 98052
+USA
+
+pct@microsoft.com
+
+This Internet-Draft expires 27 March 1996.
+
+
+Benaloh/Lampson/Simon/Spies/Yee [Page 29]
+
+
View Lorry Controller Status