summaryrefslogtreecommitdiff
path: root/doc/protocol/rfc2631.txt
blob: ef738215170170c32a18445c9c9cb19dbec0e8cb (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731






Network Working Group                                       E. Rescorla
Request for Comments: 2631                                    RTFM Inc.
Category: Standards Track                                     June 1999


                  Diffie-Hellman Key Agreement Method

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   This document standardizes one particular Diffie-Hellman variant,
   based on the ANSI X9.42 draft, developed by the ANSI X9F1 working
   group. Diffie-Hellman is a key agreement algorithm used by two
   parties to agree on a shared secret. An algorithm for converting the
   shared secret into an arbitrary amount of keying material is
   provided. The resulting keying material is used as a symmetric
   encryption key.  The Diffie-Hellman variant described requires the
   recipient to have a certificate, but the originator may have a static
   key pair (with the public key placed in a certificate) or an
   ephemeral key pair.

Table of Contents

   1. Introduction  . . . . . . . . . . . . . . . . . . . . . . .   2
   1.1. Requirements Terminology  . . . . . . . . . . . . . . . .   2
   2. Overview Of Method  . . . . . . . . . . . . . . . . . . . .   2
   2.1. Key Agreement . . . . . . . . . . . . . . . . . . . . . .   2
   2.1.1. Generation of ZZ  . . . . . . . . . . . . . . . . . . .   3
   2.1.2. Generation of Keying Material . . . . . . . . . . . . .   3
   2.1.3. KEK Computation . . . . . . . . . . . . . . . . . . . .   4
   2.1.4. Keylengths for common algorithms  . . . . . . . . . . .   5
   2.1.5. Public Key Validation . . . . . . . . . . . . . . . . .   5
   2.1.6. Example 1 . . . . . . . . . . . . . . . . . . . . . . .   5
   2.1.7. Example 2 . . . . . . . . . . . . . . . . . . . . . . .   6
   2.2. Key and Parameter Requirements  . . . . . . . . . . . . .   7
   2.2.1. Group Parameter Generation  . . . . . . . . . . . . . .   7
   2.2.1.1. Generation of p, q  . . . . . . . . . . . . . . . . .   8



Rescorla                    Standards Track                     [Page 1]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


   2.2.1.2. Generation of g . . . . . . . . . . . . . . . . . . .   9
   2.2.2. Group Parameter Validation  . . . . . . . . . . . . . .   9
   2.3. Ephemeral-Static Mode . . . . . . . . . . . . . . . . . .  10
   2.4. Static-Static Mode  . . . . . . . . . . . . . . . . . . .  10
   2.4. Acknowledgements  . . . . . . . . . . . . . . . . . . . .  10
   2.4. References  . . . . . . . . . . . . . . . . . . . . . . .  11
   Security Considerations  . . . . . . . . . . . . . . . . . . .  12
   Author's Address . . . . . . . . . . . . . . . . . . . . . . .  12
   Full Copyright Statement . . . . . . . . . . . . . . . . . . .  13

1.  Introduction

   In [DH76] Diffie and Hellman describe a means for two parties to
   agree upon a shared secret in such a way that the secret will be
   unavailable to eavesdroppers. This secret may then be converted into
   cryptographic keying material for other (symmetric) algorithms.  A
   large number of minor variants of this process exist. This document
   describes one such variant, based on the ANSI X9.42 specification.

1.1.  Requirements Terminology

   Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT" and
   "MAY" that appear in this document are to be interpreted as described
   in [RFC2119].

2.  Overview Of Method

   Diffie-Hellman key agreement requires that both the sender and
   recipient of a message have key pairs. By combining one's private key
   and the other party's public key, both parties can compute the same
   shared secret number. This number can then be converted into
   cryptographic keying material.  That keying material is typically
   used as a key-encryption key (KEK) to encrypt (wrap) a content-
   encryption key (CEK) which is in turn used to encrypt the message
   data.

2.1.  Key Agreement

   The first stage of the key agreement process is to compute a shared
   secret number, called ZZ.  When the same originator and recipient
   public/private key pairs are used, the same ZZ value will result.
   The ZZ value is then converted into a shared symmetric cryptographic
   key. When the originator employs a static private/public key pair,
   the introduction of a public random value ensures that the resulting
   symmetric key will be different for each key agreement.






Rescorla                    Standards Track                     [Page 2]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


2.1.1.  Generation of ZZ

   X9.42 defines that the shared secret ZZ is generated as follows:

     ZZ = g ^ (xb * xa) mod p

   Note that the individual parties actually perform the computations:

     ZZ = (yb ^ xa)  mod p  = (ya ^ xb)  mod p

   where ^ denotes exponentiation

         ya is party a's public key; ya = g ^ xa mod p
         yb is party b's public key; yb = g ^ xb mod p
         xa is party a's private key
         xb is party b's private key
         p is a large prime
         q is a large prime
         g = h^{(p-1)/q} mod p, where
         h is any integer with 1 < h < p-1 such that h{(p-1)/q} mod p > 1
           (g has order q mod p; i.e. g^q mod p = 1 if g!=1)
         j a large integer such that p=qj + 1
         (See Section 2.2 for criteria for keys and parameters)

   In [CMS], the recipient's key is identified by the CMS
   RecipientIdentifier, which points to the recipient's certificate.
   The sender's public key is identified using the
   OriginatorIdentifierOrKey field, either by reference to the sender's
   certificate or by inline inclusion of a public key.

2.1.2.  Generation of Keying Material

   X9.42 provides an algorithm for generating an essentially arbitrary
   amount of keying material from ZZ. Our algorithm is derived from that
   algorithm by mandating some optional fields and omitting others.

     KM = H ( ZZ || OtherInfo)

   H is the message digest function SHA-1 [FIPS-180] ZZ is the shared
   secret value computed in Section 2.1.1. Leading zeros MUST be
   preserved, so that ZZ occupies as many octets as p. For instance, if
   p is 1024 bits, ZZ should be 128 bytes long.  OtherInfo is the DER
   encoding of the following structure:

     OtherInfo ::= SEQUENCE {
       keyInfo KeySpecificInfo,
       partyAInfo [0] OCTET STRING OPTIONAL,
       suppPubInfo [2] OCTET STRING



Rescorla                    Standards Track                     [Page 3]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


     }

     KeySpecificInfo ::= SEQUENCE {
       algorithm OBJECT IDENTIFIER,
       counter OCTET STRING SIZE (4..4) }

   Note that these ASN.1 definitions use EXPLICIT tagging. (In ASN.1,
   EXPLICIT tagging is implicit unless IMPLICIT is explicitly
   specified.)

   algorithm is the ASN.1 algorithm OID of the CEK wrapping algorithm
     with which this KEK will be used. Note that this is NOT an
     AlgorithmIdentifier, but simply the OBJECT IDENTIFIER. No
     parameters are used.

   counter is a 32 bit number, represented in network byte order. Its
     initial value is 1 for any ZZ, i.e. the byte sequence 00 00 00 01
     (hex), and it is incremented by one every time the above key
     generation function is run for a given KEK.

   partyAInfo is a random string provided by the sender. In CMS, it is
     provided as a parameter in the UserKeyingMaterial field (encoded as
     an OCTET STRING). If provided, partyAInfo MUST contain 512 bits.

   suppPubInfo is the length of the generated KEK, in bits, represented
     as a 32 bit number in network byte order. E.g. for 3DES it would be
     the byte sequence 00 00 00 C0.

   To generate a KEK, one generates one or more KM blocks (incrementing
   counter appropriately) until enough material has been generated.  The
   KM blocks are concatenated left to right I.e. KM(counter=1) ||
   KM(counter=2)...

   Note that the only source of secret entropy in this computation is
   ZZ.  Even if a string longer than ZZ is generated, the effective key
   space of the KEK is limited by the size of ZZ, in addition to any
   security level considerations imposed by the parameters p and q.
   However, if partyAInfo is different for each message, a different KEK
   will be generated for each message. Note that partyAInfo MUST be used
   in Static-Static mode, but MAY appear in Ephemeral-Static mode.

2.1.3.  KEK Computation

   Each key encryption algorithm requires a specific size key (n). The
   KEK is generated by mapping the left n-most bytes of KM onto the key.
   For 3DES, which requires 192 bits of keying material, the algorithm
   must be run twice, once with a counter value of 1 (to generate K1',
   K2', and the first 32 bits of K3') and once with a counter value of 2



Rescorla                    Standards Track                     [Page 4]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


   (to generate the last 32 bits of K3). K1',K2' and K3' are then parity
   adjusted to generate the 3 DES keys K1,K2 and K3.  For RC2-128, which
   requires 128 bits of keying material, the algorithm is run once, with
   a counter value of 1, and the left-most 128 bits are directly
   converted to an RC2 key. Similarly, for RC2-40, which requires 40
   bits of keying material, the algorithm is run once, with a counter
   value of 1, and the leftmost 40 bits are used as the key.

2.1.4.  Keylengths for common algorithms

   Some common key encryption algorithms have KEKs of the following
   lengths.

     3-key 3DES      192 bits
     RC2-128        128 bits
     RC2-40         40 bits

   RC2 effective key lengths are equal to RC2 real key lengths.

2.1.5.  Public Key Validation

   The following algorithm MAY be used to validate a received public key
   y.

     1. Verify that y lies within the interval [2,p-1]. If it does not,
        the key is invalid.
     2. Compute y^q mod p. If the result == 1, the key is valid.
        Otherwise the key is invalid.

   The primary purpose of public key validation is to prevent a small
   subgroup attack [LAW98] on the sender's key pair. If Ephemeral-Static
   mode is used, this check may not be necessary. See also [P1363] for
   more information on Public Key validation.

   Note that this procedure may be subject to pending patents.

2.1.6.  Example 1

   ZZ is the 20 bytes 00 01 02 03 04 05 06 07 08 09
                      0a 0b 0c 0d 0e 0f 10 11 12 13

   The key wrap algorithm is 3DES-EDE wrap.

   No partyAInfo is used.

   Consequently, the input to the first invocation of SHA-1 is:

   00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ; ZZ



Rescorla                    Standards Track                     [Page 5]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


   30 1d
      30 13
         06 0b 2a 86 48 86 f7 0d 01 09 10 03 06          ; 3DES wrap OID
         04 04
            00 00 00 01                                        ; Counter
      a2 06
         04 04
         00 00 00 c0                                        ; key length

   And the output is the 20 bytes:

   a0 96 61 39 23 76 f7 04 4d 90 52 a3 97 88 32 46 b6 7f 5f 1e

   The input to the second invocation of SHA-1 is:

   00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ; ZZ
   30 1d
      30 13
         06 0b 2a 86 48 86 f7 0d 01 09 10 03 06          ; 3DES wrap OID
         04 04
            00 00 00 02                                        ; Counter
      a2 06
         04 04
         00 00 00 c0                                        ; key length

   And the output is the 20 bytes:

   f6 3e b5 fb 5f 56 d9 b6 a8 34 03 91 c2 d3 45 34 93 2e 11 30

   Consequently,
   K1'=a0 96 61 39 23 76 f7 04
   K2'=4d 90 52 a3 97 88 32 46
   K3'=b6 7f 5f 1e f6 3e b5 fb

   Note: These keys are not parity adjusted

2.1.7.  Example 2

   ZZ is the 20 bytes 00 01 02 03 04 05 06 07 08 09
                      0a 0b 0c 0d 0e 0f 10 11 12 13

   The key wrap algorithm is RC2-128 key wrap, so we need 128 bits (16
   bytes) of keying material.

   The partyAInfo used is the 64 bytes

   01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
   01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01



Rescorla                    Standards Track                     [Page 6]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


   01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
   01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01

   Consequently, the input to SHA-1 is:

   00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ; ZZ
   30 61
      30 13
         06 0b 2a 86 48 86 f7 0d 01 09 10 03 07           ; RC2 wrap OID
         04 04
            00 00 00 01                                        ; Counter
      a0 42
         04 40
            01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01 ; partyAInfo
            01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
            01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
            01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 01
      a2 06
         04 04
            00 00 00 80                                     ; key length

   And the output is the 20 bytes:

   48 95 0c 46 e0 53 00 75 40 3c ce 72 88 96 04 e0 3e 7b 5d e9

   Consequently,
   K=48 95 0c 46 e0 53 00 75 40 3c ce 72 88 96 04 e0

2.2.  Key and Parameter Requirements

   X9.42 requires that the group parameters be of the form p=jq + 1
   where q is a large prime of length m and j>=2. An algorithm for
   generating primes of this form (derived from the algorithms in FIPS
   PUB 186-1[FIPS-186] and [X942]can be found in appendix A.

   X9.42 requires that the private key x be in the interval [2, (q -
   2)].  x should be randomly generated in this interval. y is then
   computed by calculating g^x mod p.  To comply with this memo, m MUST
   be >=160 bits in length, (consequently, q MUST be at least 160 bits
   long). When symmetric ciphers stronger than DES are to be used, a
   larger m may be advisable. p must be a minimum of 512 bits long.

2.2.1.  Group Parameter Generation

   Agents SHOULD generate domain parameters (g,p,q) using the following
   algorithm, derived from [FIPS-186] and [X942]. When this algorithm is
   used, the correctness of the generation procedure can be verified by
   a third party by the algorithm of 2.2.2.



Rescorla                    Standards Track                     [Page 7]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


2.2.1.1.  Generation of p, q

   This algorithm generates a p, q pair where q is of length m and p is
   of length L.

   1. Set m' = m/160 where / represents integer division with rounding
      upwards. I.e. 200/160 = 2.

   2. Set L'=  L/160

   3. Set N'=  L/1024

   4. Select an arbitrary bit string SEED such that the length of SEED
      >= m

   5. Set U = 0

   6. For i = 0 to m' - 1

        U = U + (SHA1[SEED + i] XOR SHA1[(SEED + m' + i)) * 2^(160 * i)

   Note that for m=160, this reduces to the algorithm of [FIPS-186]

        U = SHA1[SEED] XOR SHA1[(SEED+1) mod 2^160 ].

   5. Form q from U by computing U mod (2^m) and setting the most
      significant bit (the 2^(m-1) bit) and the least significant bit to
      1. In terms of boolean operations, q = U OR 2^(m-1) OR 1. Note
      that 2^(m-1) < q < 2^m

   6. Use a robust primality algorithm to test whether q is prime.

   7. If q is not prime then go to 4.

   8. Let counter = 0

   9. Set R = seed + 2*m' + (L' * counter)

   10. Set V = 0

   12. For i = 0 to L'-1 do

       V = V + SHA1(R + i) * 2^(160 * i)

   13. Set W = V mod 2^L

   14. Set X = W OR 2^(L-1)




Rescorla                    Standards Track                     [Page 8]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


   Note that 0 <= W < 2^(L-1) and hence X >= 2^(L-1)

   15. Set p = X - (X mod (2*q)) + 1

   6. If p > 2^(L-1) use a robust primality test to test whether p is
      prime. Else go to 18.

   17. If p is prime output p, q, seed, counter and stop.

   18. Set counter = counter + 1

   19. If counter < (4096 * N) then go to 8.

   20. Output "failure"

   Note: A robust primality test is one where the probability of a non-
   prime number passing the test is at most 2^-80. [FIPS-186] provides a
   suitable algorithm, as does [X942].

2.2.1.2.  Generation of g

   This section gives an algorithm (derived from [FIPS-186]) for
   generating g.

   1. Let j = (p - 1)/q.

   2. Set h = any integer, where 1 < h < p - 1 and h differs
      from any value previously tried.

   3. Set g = h^j mod p

   4. If g = 1 go to step 2

2.2.2.  Group Parameter Validation

   The ASN.1 for DH keys in [PKIX] includes elements j and validation-
   Parms which MAY be used by recipients of a key to verify that the
   group parameters were correctly generated. Two checks are possible:

     1. Verify that p=qj + 1. This demonstrates that the parameters meet
        the X9.42 parameter criteria.
     2. Verify that when the p,q generation procedure of [FIPS-186]
        Appendix 2 is followed with seed 'seed', that p is found when
        'counter' = pgenCounter.

     This demonstrates that the parameters were randomly chosen and
     do not have a special form.




Rescorla                    Standards Track                     [Page 9]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


   Whether agents provide validation information in their certificates
   is a local matter between the agents and their CA.

2.3.  Ephemeral-Static Mode

   In Ephemeral-Static mode, the recipient has a static (and certified)
   key pair, but the sender generates a new key pair for each message
   and sends it using the originatorKey production. If the sender's key
   is freshly generated for each message, the shared secret ZZ will be
   similarly different for each message and partyAInfo MAY be omitted,
   since it serves merely to decouple multiple KEKs generated by the
   same set of pairwise keys. If, however, the same ephemeral sender key
   is used for multiple messages (e.g. it is cached as a performance
   optimization) then a separate partyAInfo MUST be used for each
   message. All implementations of this standard MUST implement
   Ephemeral-Static mode.

   In order to resist small subgroup attacks, the recipient SHOULD
   perform the check described in 2.1.5. If an opponent cannot determine
   success or failure of a decryption operation by the recipient, the
   recipient MAY choose to omit this check. See also [LL97] for a method
   of generating keys which are not subject to small subgroup attack.

2.4.  Static-Static Mode

   In Static-Static mode, both the sender and the recipient have a
   static (and certified) key pair. Since the sender's and recipient's
   keys are therefore the same for each message, ZZ will be the same for
   each message. Thus, partyAInfo MUST be used (and different for each
   message) in order to ensure that different messages use different
   KEKs. Implementations MAY implement Static-Static mode.

   In order to prevent small subgroup attacks, both originator and
   recipient SHOULD either perform the validation step described in
   Section 2.1.5 or verify that the CA has properly verified the
   validity of the key.  See also [LL97] for a method of generating keys
   which are not subject to small subgroup attack.

Acknowledgements

   The Key Agreement method described in this document is based on work
   done by the ANSI X9F1 working group. The author wishes to extend his
   thanks for their assistance.

   The author also wishes to thank Stephen Henson, Paul Hoffman, Russ
   Housley, Burt Kaliski, Brian Korver, John Linn, Jim Schaad, Mark
   Schertler, Peter Yee, and Robert Zuccherato for their expert advice
   and review.



Rescorla                    Standards Track                    [Page 10]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


References

   [CMS]       Housley, R., "Cryptographic Message Syntax", RFC 2630,
               June 1999.

   [FIPS-46-1] Federal Information Processing Standards Publication
               (FIPS PUB) 46-1, Data Encryption Standard, Reaffirmed
               1988 January 22 (supersedes FIPS PUB 46, 1977 January
               15).

   [FIPS-81]   Federal Information Processing Standards Publication
               (FIPS PUB) 81, DES Modes of Operation, 1980 December 2.

   [FIPS-180]  Federal Information Processing Standards Publication
               (FIPS PUB) 180-1, "Secure Hash Standard", 1995 April 17.

   [FIPS-186]  Federal Information Processing Standards Publication
               (FIPS PUB) 186, "Digital Signature Standard", 1994 May
               19.

   [P1363]     "Standard Specifications for Public Key Cryptography",
               IEEE P1363 working group draft, 1998, Annex D.

   [PKIX]      Housley, R., Ford, W., Polk, W. and D. Solo, "Internet
               X.509 Public Key Infrastructure Certificate and CRL
               Profile", RFC 2459, January 1999.

   [LAW98]     L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstone,
               "An efficient protocol for authenticated key agreement",
               Technical report CORR 98-05, University of Waterloo,
               1998.

   [LL97]      C.H. Lim and P.J. Lee, "A key recovery attack on discrete
               log-based schemes using a prime order subgroup", B.S.
               Kaliski, Jr., editor, Advances in Cryptology - Crypto
               '97, Lecture Notes in Computer Science, vol. 1295, 1997,
               Springer-Verlag, pp. 249-263.

   [RFC2119]   Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119, March 1997.

   [X942]      "Agreement Of Symmetric Keys Using Diffie-Hellman and MQV
               Algorithms", ANSI draft, 1998.








Rescorla                    Standards Track                    [Page 11]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


Security Considerations

   All the security in this system is provided by the secrecy of the
   private keying material. If either sender or recipient private keys
   are disclosed, all messages sent or received using that key are
   compromised. Similarly, loss of the private key results in an
   inability to read messages sent using that key.

   Static Diffie-Hellman keys are vulnerable to a small subgroup attack
   [LAW98]. In practice, this issue arises for both sides in Static-
   Static mode and for the receiver during Ephemeral-Static mode.
   Sections 2.3 and 2.4 describe appropriate practices to protect
   against this attack. Alternatively, it is possible to generate keys
   in such a fashion that they are resistant to this attack. See [LL97]

   The security level provided by these methods depends on several
   factors. It depends on the length of the symmetric key (typically, a
   2^l security level if the length is l bits); the size of the prime q
   (a 2^{m/2} security level); and the size of the prime p (where the
   security level grows as a subexponential function of the size in
   bits).  A good design principle is to have a balanced system, where
   all three security levels are approximately the same. If many keys
   are derived from a given pair of primes p and q, it may be prudent to
   have higher levels for the primes. In any case, the overall security
   is limited by the lowest of the three levels.

Author's Address

   Eric Rescorla
   RTFM Inc.
   30 Newell Road, #16
   East Palo Alto, CA 94303

   EMail: ekr@rtfm.com

















Rescorla                    Standards Track                    [Page 12]

RFC 2631          Diffie-Hellman Key Agreement Method          June 1999


Full Copyright Statement

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement


   Funding for the RFC Editor function is currently provided by the
   Internet Society.


















Rescorla                    Standards Track                    [Page 13]