SlideShare une entreprise Scribd logo

Key Commitment Using CMS in ECMQV Key Agreement

Phil Griffin
Phil Griffin

The document describes a key commitment protocol that provides key control in key agreement schemes. It discusses using Cryptographic Message Syntax (CMS) to convey key management information, specifically for committing to cryptographic keys in Elliptic Curve Menezes-Qu-Vanstone (ECMQV) key agreement. Example messages are provided to illustrate the protocol, committing public keys in a first message and distributing the actual keys in a second message.

Technologie
1  sur  13
Télécharger pour lire hors ligne
© GRIFFIN Consulting 2006. All rights reserved. GRIFFIN Consulting Date: 2006-03-31 Key Commitment Using CMS in ECMQV Key Agreement Key Commitment Using Cryptographic Message Syntax (CMS) in Elliptic Curve Menezes-Qu-Vanstone (ECMQV) Key Agreement
Key Commitment Using CMS in ECMQV Key Agreement Copyright notice This document is copyright-protected by Griffin Consulting and all rights are reserved. Unlimited rights of reproduction and distribution are granted, so long as this copyright notice is included in its entirety. Comments on this white paper should be directed to the author at the following address: GRIFFIN Consulting Phillip H. Griffin 1625 Glenwood Avenue Raleigh, North Carolina 27608-2319 USA Tel. + 1 919 291 0019 E-mail information@phillipgriffin.com Web http://phillipgriffin.com The contents of this white paper is provided for informational purposes only and represents the view of the author as of the date it is published. The author makes no warranties, express or implied in this document. ii © GRIFFIN Consulting 2006. All rights reserved.
Key Commitment Using CMS in ECMQV Key Agreement Contents Page Introduction.....................................................................................................................................................iv 1 Scope ...................................................................................................................................................1 2 Terms and definitions.........................................................................................................................1 3 Symbols and abbreviated terms ........................................................................................................2 4 ECMQV key agreement.......................................................................................................................2 4.1 Overview ..............................................................................................................................................2 4.2 Process................................................................................................................................................3 5 Key control ..........................................................................................................................................4 5.1 Key distribution fairness ....................................................................................................................4 5.2 Key commitment .................................................................................................................................4 6 CMS Schema elements.......................................................................................................................4 6.1 DigestedData .......................................................................................................................................4 6.2 ECKeyCommitment.............................................................................................................................5 Annex A (normative) Protocol message examples .......................................................................................6 A.1 Overview ..............................................................................................................................................6 A.2 Commitment ........................................................................................................................................6 A.3 Distribution..........................................................................................................................................7 Bibliography.....................................................................................................................................................9 © GRIFFIN Consulting 2006. All rights reserved iii
Key Commitment Using CMS in ECMQV Key Agreement Introduction The author of this white paper is Phillip H. Griffin, Principal of GRIFFIN Consulting, an Information Security consulting company located in Raleigh, North Carolina. GRIFFIN Consulting provides secure software design and development, national and international security standards committee representation, management and development, training, and related information security consulting services. This document provides important information for readers who want to develop a basic understanding of key management security techniques. Abstract Cryptographic Message Syntax (CMS) [7, 11] used to convey key management information is described in this document, and concrete representations of abstract values are provided in compact binary and XML markup formats. All message examples were created using the XCMS Toolkit designed, developed and licensed by GRIFFIN Consulting. iv © GRIFFIN Consulting 2006. All rights reserved.
Key Commitment Using CMS in ECMQV Key Agreement 1 Scope This white paper describes a key commitment protocol that provides key control in key agreement schemes used for key establishment. Motivation for the use of a key commitment protocol is provided. Particular attention is given to the full, 1-pass ECMQV key agreement scheme, but the key commitment protocol described in this document is applicable to most key agreement schemes. Abstract syntax used to define message components is described and example concrete syntax representations of these abstract values are provided using XML [12] markup and compact binary formats. A discussion on how to form and process key commitment protocol messages using Cryptographic Message Syntax (CMS) syntax is presented. 2 Terms and definitions For the purposes of this document, the following terms and definitions apply. 2.1 encryption (reversible) transformation of data by a cryptographic algorithm to produce ciphertext, i.e., to hide the information content of the data 2.2 ephemeral a key or data specific to one execution of a cryptographic scheme 2.3 key agreement scheme a key establishment scheme in which the keying data established is a function of contributions provided by both entities in such a way that neither party can predetermine the value of the keying data 2.4 key derivation function KDF a function that takes as input a shared secret value and outputs keying data suitable for later cryptographic use 2.5 keying data data suitable for use as cryptographic keys 2.6 message set of data elements used to exchange information 2.7 pass a set of data sent from one entity to another or received by one entity from another at a particular stage in the operation of a protocol 2.8 private key an asymmetric (public-key) system, that key of an entity’s key pair that is known only by that © GRIFFIN Consulting 2006. All rights reserved. 1
Key Commitment Using CMS in ECMQV Key Agreement entity 2.9 public key in an asymmetric (public-key) system, that key of an entity’s key pair that is publicly known 2.10 shared secret value an intermediate value in a key establishment scheme from which keying data is derived 3 Symbols and abbreviated terms ANS American National Standard ASN.1 Abstract Syntax Notation One CMS Cryptographic Message Syntax CEK Content Encryption Key DER Distinguished Encoding Rules EC Elliptic Curve IEC International Electrotechnical Commission IETF Internet Engineering Task Force ISO International Organization for Standardization ITU-T International Telecommunication Union - Telecommunication Standardization Sector KEK Key Encryption Key MQV Menezes-Qu-Vanstone OID Information object identifier RFC Request For Comments XCMS XML Cryptographic Message Syntax XER XML Encoding Rules of ASN.1 XML Extensible Markup Language 4 ECMQV key agreement 4.1 Overview The Elliptic Curve Menezes-Qu-Vanstone (ECMQV) key agreement scheme is a mechanism used for key establishment. Using ECMQV, two participants (party A and party B) can construct a shared secret symmetric encryption key. Since both participants contribute public information to construct the shared secret, neither party need trust the other to select the key. 2 © GRIFFIN Consulting 2006. All rights reserved.
Key Commitment Using CMS in ECMQV Key Agreement ECMQV key agreement can be described in terms of a setup procedure, a key deployment procedure, an encryption operation, and a decryption operation. The setup and key deployment procedures are performed before the actual operation of the key agreement scheme. When the key deployment procedure is performed properly, neither party should be able to predetermine any bits of the constructed shared secret key. The ECMQV setup procedure is used to decide which EC domain parameters will be used by the parties to perform the ECMQV key agreement scheme. The setup procedure also determines which (if any) key derivation function (KDF) will be used by the two parties. Cryptographic toolkits and service providers often provide a configuration capability with settings for a default elliptic curve and specified hash function to be used for key derivation. The setup values must be the same for both parties participating in the scheme. The key deployment procedure is used by both participants to distribute one Elliptic Curve (EC) static and one EC ephemeral public key to the other party. Either key may be associated with an identity certificate [4]. The domain parameters associated with these keys must be the same, and must agree with those determined during the setup procedure. Domain parameters may be specified as a "named" elliptic curve [13], whose name is an ASN.1 [1] information object identifier (OID) [5]. For example, the X9.63 [8] standard defines the domain parameters of a 192-bit elliptic curve with a prime characteristic finite field as the named curve ansip192r1, whose information object identifier is the value 1.2.840.10045.3.1.1. Once each participant has the two public keys of the other party, the encryption operation can begin. Either party can initiate operation of the key agreement scheme. Party A can use two remote public keys of party B, along with their own static and ephemeral public-private key pairs, to generate a symmetric Key Encryption Key (KEK). And party B can use two remote public keys of party A, along with their own static and ephemeral public-private key pairs, to generate the same KEK. Operation of the key agreement scheme may be performed using the CMS EnvelopedData message defined in ISO 22895. 4.2 Process Each participant in a full, 1-Pass Elliptic Curve Menezes-Qu-Vanstone (ECMQV) key agreement scheme uses three pairs of keys: 1) a local static public-private key pair, and 2) a local ephemeral public-private key pair, and 3) a remote pair of ephemeral and static public keys. Each participant contributes a static public key and an ephemeral public key to the key construction process. The remote pair of public keys must be provided by each party to the other party. If this distribution of public key information is done fairly, neither participant can predetermine any of the bits of the value of the shared secret key. These three key pairs allow both parties to derive a shared secret key by following the same six step process: 1) initialize the process with a local private key, 2) pass in the associated local public key, 3) pass in a second local private key, 4) pass in the associated local public key, 5) pass in a remote public key, 6) pass in a second remote public key. © GRIFFIN Consulting 2006. All rights reserved. 3
Key Commitment Using CMS in ECMQV Key Agreement 5 Key control 5.1 Key distribution fairness To perform the key distribution procedure for ECMQV key agreement without key control, party A sends its two public keys to party B and party B responds by sending its two public keys to party A. Where there is complete trust between the two parties, this process may be sufficient. But party B may have an unfair advantage over party A, since party A must disclose the keys it will use to operate the key agreement scheme before party B has revealed the keys that it will use. During the time between receiving keys from party A and sending party A its keys, party B has the opportunity to choose the keys it will use to operate the key agreement scheme, based on the keys revealed by party A, before sending its keys to party A. Though in some key agreement applications, this time interval may be very small, even one second allows party B to predetermine some of the bits in the shared secret key that will be derived during operation of the key agreement scheme. Mitchell, Ward and Wilson [14] describe how party B may choose its public keys and predetermine some or all of the bits of the shared secret key. They point out that most key agreement schemes defined in ISO/IEC 11770-3 [6] are vulnerable to such attacks. Longer intervals of time between receiving and sending keys allows a greater number of bits of the shared secret key to be predetermined. A key commitment protocol can be used to eliminate the threat. 5.2 Key commitment A key commitment protocol requires two messages. A first message commits the sender to use specific cryptographic keys in the subsequent operation of a key agreement scheme with the message recipient. A second message distributes the actual keys that the sender committed to in the first message. The first message must contain a hash of the public cryptographic keys the sender is committing to use for key agreement, but not the actual keys. This message is illustrated in the example provided in A.2. This hash must be retained by the message recipient for use when the actual keys are received. The second message must contain the keys, and may contain a hash of the keys that can be verified by the message recipient. This message is illustrated in the example provided in A.3. For 1-pass ECMQV, this message contains the hash of the two cryptographic keys, one ephemeral public key and one static public key. ISO 22895 defines an ASN.1 type named ECKeyCommitment for this purpose. CMS type DigestedData provides a means of exchanging message digest information and optionally, the cryptographic keys needed to implement a key commitment protocol. 6 CMS Schema elements 6.1 DigestedData A digested data CMS message is a value of ASN.1 type DigestedData and contains a message content identifier and a cryptographic hash of the identified content. The message content may be absent or present in the message. Type DigestedData is defined as DigestedData ::= SEQUENCE { version CMSVersion, digestAlgorithm DigestAlgorithmIdentifier, encapContentInfo EncapsulatedContentInfo, digest Digest } 4 © GRIFFIN Consulting 2006. All rights reserved.
Key Commitment Using CMS in ECMQV Key Agreement The values of the components of type DigestedData are as follows:  the version component is a positive integer that indicates the version number of the schema.  the digestAlgorithm component is a value of type DigestAlgorithmIdentifier, which contains two components named algorithm and parameters. The algorithm component identifies a message digest algorithm, and the optional parameters component contains any associated parameters.  the encapContentInfo component is a value of type EncapsulatedContentInfo, which contains two components named eContentType and eContent. The eContentType component identifies the type of content being digested and the optional eContent contains this content when present. In the examples presented in this document, the content is a value of type ECKeyCommitment.  the digest component is a value of type Digest and contains the result of applying the hash function indicated by the digestAlgorithm component to the message content. In the examples presented in this document, the hash function is applied to a value of type ECKeyCommitment. A complete detailed definition of these types can be found in the ISO 22895 standard. Values of the DigestedData type are provided in A.2 and A.3 which describe the two messages needed to implement a key commitment protocol using CMS. 6.2 ECKeyCommitment In the key commitment protocol described in this document, the message digest process is applied to a value of ASN.1 type ECKeyCommitment, which is defined as ECKeyCommitment ::= SEQUENCE { staticPublicKey ECPoint, ephemeralPublicKey ECPoint OPTIONAL } ECPoint ::= OCTET STRING a sequence of two components named staticPublicKey and ephemeralPublicKey. Both components are EC public keys defined as values of type ECPoint. A value of this type is provided in A.1. © GRIFFIN Consulting 2006. All rights reserved. 5
Key Commitment Using CMS in ECMQV Key Agreement Annex A Protocol message examples A.1 Overview The example key commitment messages shown below in subclause A.2 and subclause A.3 are values of CMS type DigestedData. These values are represented as XML markup encoded using the XML Encoding Rules of ASN.1 (XER) [3]. The same abstract values could also be represented in a compact binary format encoded using the Distinguished Encoding Rules (DER) [2] of ASN.1 to reduce the size of the encoded value by 105 octets. For the purpose of illustration, only the XML format is used here. The content to be digested is an XML encoding of a value of ISO 228951 type ECKeyCommitment as it would be used for key control in a key commitment protocol in the key deployment procedure of a key agreement scheme. In both examples, the input to the message digest process is a sequence of two Elliptic Curve Digital Signature Algorithm (ECDSA) public keys represented using XML markup as the value <ECKeyCommitment> <staticPublicKey> 4441443537383246434534324645344544364141 4141394443413643393639303333453134424431 </staticPublicKey> <ephemeralPublicKey> 4530443438323632313331433944423841434639 3745454141353733463531443141354137344630 </ephemeralPublicKey> </ECKeyCommitment> This value contains a static ECDSA public key and an ephemeral ECDSA public key. When input to the message digest process, the value is encoded using canonical XER, which contains no white space. A.2 Commitment The example key commitment message that follows shows the XML encoded DigestedData value displayed with the content to be digested, a value of type ECKeyCommitment, not present in the message. By omitting the content and only transferring the hash of the content, party A can send party B the hash of the public keys party A will use when it participates in the operation of a key agreement scheme, without revealing the keys. Line 1 indicates the version number of the syntax, the value 3. Lines 2-6 describe the message digest algorithm and any associated digest algorithm parameter used to compute the message digest in line 13. Line 4 is the information object identifier of the SHA-256 message digest algorithm. This algorithm has no associated parameters. 1 The ISO 22895 Cryptographic syntax schema combines two US National standards, X9.73 CMS [9] X9.96 XCMS [10] which share a common ASN.1 schema and are aligned with the S/MIME CMS RFC [11] from IETF. 6 © GRIFFIN Consulting 2006. All rights reserved.
Key Commitment Using CMS in ECMQV Key Agreement Line 9 indicates that the type of value digested is ordinary data, and not another CMS type. The associated content is "detached", and not present in this message. Line 13 contains the result of computing a message digest on ordinary data using the SHA-256 message digest algorithm specified in line 4. The message digest size is 256 bits (32 octets) in length and provides 128 bits of security. Disregarding white space, the value is encoded in 295 octets. 000 <DigestedData> 001 <version> 3 </version> 002 <digestAlgorithm> 003 <algorithm> 004 2.16.840.1.101.3.4.2.1 005 </algorithm> 006 </digestAlgorithm> 007 <encapContentInfo> 008 <eContentType> 009 1.2.840.113549.1.7.1 010 </eContentType> 011 </encapContentInfo> 012 <digest> 013 1B1FA4C0B3CFE4F4FE0A299A329C53EF285EC6A392BABC5BC026AC4CFC332812 014 </digest> 015 </DigestedData> The complete DER encoding of the same DigestedData message follows, displayed using hexadecimal notation. Using DER the message is encoded in 65 octets. 303F020103300B0609608648016503040201300B 06092A864886F70D01070104201B1FA4C0B3CFE4 F4FE0A299A329C53EF285EC6A392BABC5BC026AC 4CFC332812 A.3 Distribution The example key distribution message that follows shows the XML encoded DigestedData value displayed with the content to be digested, a value of type ECKeyCommitment, present in the message. The content to be digested is a value of ASN.1 type OCTET STRING, an opaque value. Since the encoded value of ECKeyCommitment is encapsulated in an "octet hole", the details of its structure are obscured. By including the content in the message along with the hash of the content, party A can distribute the public keys it previously committed to use in the operation of a key agreement scheme to party B. Party B can verify that the value in the digest component of type DigestedData is correct, then compare that value to the digest in a prior key commitment message received from party A. If these two digest values are identical, then party A and party B can both assume that the key agreement key distribution procedure was fair. Disregarding white space, the value is encoded in 874 octets. Line 1 indicates the version number of the syntax, the value 3. Lines 2-6 describe the message digest algorithm and any associated digest algorithm parameter used to compute the message digest in line 13. Line 4 is the information object identifier of the SHA-256 message digest algorithm. This algorithm has no associated parameters. 000 <DigestedData> 001 <version> 3 </version> 002 <digestAlgorithm> © GRIFFIN Consulting 2006. All rights reserved. 7
Key Commitment Using CMS in ECMQV Key Agreement 003 <algorithm> 004 2.16.840.1.101.3.4.2.1 005 </algorithm> 006 </digestAlgorithm> 007 <encapContentInfo> 008 <eContentType> 009 1.2.840.113549.1.7.1 010 </eContentType> 011 <eContent> 012 203C45434B6579436F6D6D69746D656E743E0D0A20203C737461746963507562 013 6C69634B65793E0D0A2020203434343134343335333733383332343634333435 014 3334333234363435333434353434333634313431343134313339343434333431 015 3336343333393336333933300A20202033333333343533313334343234343331 016 0D0A20203C2F7374617469635075626C69634B65793E0D0A20203C657068656D 017 6572616C5075626C69634B65793E0D0A20202034353330343433343338333233 018 3633323331333333313433333934343432333834313433343633393337343534 019 353431343133353337333334363335333134340A202020333134313335343133 020 373334343633300D0A20203C2F657068656D6572616C5075626C69634B65793E 021 0D0A203C2F45434B6579436F6D6D69746D656E743E0D0A 022 </eContent> 023 </encapContentInfo> 024 <digest> 025 1B1FA4C0B3CFE4F4FE0A299A329C53EF285EC6A392BABC5BC026AC4CFC332812 026 </digest> 027 </DigestedData> The complete DER encoding of the same DigestedData message follows, displayed using hexadecimal notation. Using DER the message is encoded in 384 octets. 3082017C020103300B06096086480165030402013082014606092A864886F70D01070180820137203 C45434B6579436F6D6D69746D656E743E0D0A20203C7374617469635075626C69634B65793E0D0A20 202034343431343433353337333833323436343334353334333234363435333434353434333634313 4313431343133393434343334313336343333393336333933300A2020203333333334353331333434 32343433310D0A20203C2F7374617469635075626C69634B65793E0D0A20203C657068656D6572616 C5075626C69634B65793E0D0A20202034353330343433343338333233363332333133333331343333 3934343432333834313433343633393337343534353431343133353337333334363335333134340A2 02020333134313335343133373334343633300D0A20203C2F657068656D6572616C5075626C69634B 65793E0D0A203C2F45434B6579436F6D6D69746D656E743E0D0A04201B1FA4C0B3CFE4F4FE0A299A3 29C53EF285EC6A392BABC5BC026AC4CFC332812 8 © GRIFFIN Consulting 2006. All rights reserved.
Key Commitment Using CMS in ECMQV Key Agreement Bibliography [1] ISO/IEC 8824:2001 (All parts) | ITU-T Recommendation X.680-series (2000), Information Technology - Abstract Syntax Notation One (ASN.1) [2] ISO/IEC 8825-1:2001 | ITU-T Recommendation X.690 (2000), Information Technology - ASN.1 Encoding Rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) [3] ISO/IEC 8825-2:2001 | ITU-T Recommendation X.693 (2000), Information Technology - ASN.1 Encoding Rules: Specification of XML Encoding Rules (XER) [4] ISO/IEC 9594-8 | ITU-T X.509 Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks [5] ISO/IEC 9834-8 | ITU-T Rec. X.667, Information technology – Open Systems Interconnection – Procedures for the operation of OSI Registration Authorities: Generation and Registration of Universally Unique Identifiers (UUIDs) and their Use as ASN.1 Object Identifier Components [6] ISO/IEC 11770-3 Information technology – Security techniques – Key Management: Part 3 - Mechanisms using asymmetric techniques [7] ISO 22895 Financial services – Security techniques – Cryptographic syntax schema [8] ANS X9.63, Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography [9] ANS X9.79, Cryptographic Message Syntax (CMS) [10] ANS X9.96, XML Cryptographic Message Syntax (XCMS) [11] RFC 3852, Cryptographic Message Syntax (CMS), http://ietfreport.isoc.org/rfc/rfc3852.txt [12] Extensible Markup Language (XML) 1.0 (Third Edition), Copyright © 1994-2003 World Wide Web ® Consortium (W3C ), (Massachusetts Institute of Technology, European Research Consortium for Informatics and Mathematics, Keio University), W3C Recommendation 04, http://www.w3.org/TR/2004/REC-xml-20040204/ [13] SECG, "Recommended Elliptic Curve Domain Parameters", Standards for Efficient Cryptography Group, 2000, http://www.secg.org/collateral/sec2.pdf [14] C.J. Mitchell, M. Ward and P. Wilson, "Key control in key agreement protocols", ELECTRONICS LETTERS 14th May 1998 Vol. 34 No. 10, pages 980-981, http://www.iee.org/ © GRIFFIN Consulting 2006. All rights reserved. 9

Recommandé

Welcome to the Multi-cloud world
Welcome to the Multi-cloud worldWelcome to the Multi-cloud world
Welcome to the Multi-cloud world
Lew Tucker
 
Hosted Security as a Service - Solution Architecture Design
Hosted Security as a Service - Solution Architecture DesignHosted Security as a Service - Solution Architecture Design
Hosted Security as a Service - Solution Architecture Design
Cisco Canada
 
Advanced Data Protection and Key Organization Framework for Mobile Ad-Hoc Net...
Advanced Data Protection and Key Organization Framework for Mobile Ad-Hoc Net...Advanced Data Protection and Key Organization Framework for Mobile Ad-Hoc Net...
Advanced Data Protection and Key Organization Framework for Mobile Ad-Hoc Net...
AM Publications,India
 
IMS AKAv1 AKv2 Verizon
IMS AKAv1 AKv2 VerizonIMS AKAv1 AKv2 Verizon
IMS AKAv1 AKv2 Verizon
Alok Prasad
 
Presentation a hitchhiker’s guide to the inter-cloud
Presentation a hitchhiker’s guide to the inter-cloudPresentation a hitchhiker’s guide to the inter-cloud
Presentation a hitchhiker’s guide to the inter-cloud
xKinAnx
 
Cisco connect winnipeg 2018 hybrid collaboration
Cisco connect winnipeg 2018 hybrid collaborationCisco connect winnipeg 2018 hybrid collaboration
Cisco connect winnipeg 2018 hybrid collaboration
Cisco Canada
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018 secure dcCisco connect montreal 2018 secure dc
Cisco connect montreal 2018 secure dc
Cisco Canada
 
IRJET- Secure Database Management and Privacy Preserving in Cloud Server
IRJET- Secure Database Management and Privacy Preserving in Cloud ServerIRJET- Secure Database Management and Privacy Preserving in Cloud Server
IRJET- Secure Database Management and Privacy Preserving in Cloud Server
IRJET Journal
 

Recommandé

Welcome to the Multi-cloud world
Welcome to the Multi-cloud worldWelcome to the Multi-cloud world
Welcome to the Multi-cloud world
Lew Tucker
 
Hosted Security as a Service - Solution Architecture Design
Hosted Security as a Service - Solution Architecture DesignHosted Security as a Service - Solution Architecture Design
Hosted Security as a Service - Solution Architecture Design
Cisco Canada
 
Advanced Data Protection and Key Organization Framework for Mobile Ad-Hoc Net...
Advanced Data Protection and Key Organization Framework for Mobile Ad-Hoc Net...Advanced Data Protection and Key Organization Framework for Mobile Ad-Hoc Net...
Advanced Data Protection and Key Organization Framework for Mobile Ad-Hoc Net...
AM Publications,India
 
IMS AKAv1 AKv2 Verizon
IMS AKAv1 AKv2 VerizonIMS AKAv1 AKv2 Verizon
IMS AKAv1 AKv2 Verizon
Alok Prasad
 
Presentation a hitchhiker’s guide to the inter-cloud
Presentation a hitchhiker’s guide to the inter-cloudPresentation a hitchhiker’s guide to the inter-cloud
Presentation a hitchhiker’s guide to the inter-cloud
xKinAnx
 
Cisco connect winnipeg 2018 hybrid collaboration
Cisco connect winnipeg 2018 hybrid collaborationCisco connect winnipeg 2018 hybrid collaboration
Cisco connect winnipeg 2018 hybrid collaboration
Cisco Canada
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018 secure dcCisco connect montreal 2018 secure dc
Cisco connect montreal 2018 secure dc
Cisco Canada
 
IRJET- Secure Database Management and Privacy Preserving in Cloud Server
IRJET- Secure Database Management and Privacy Preserving in Cloud ServerIRJET- Secure Database Management and Privacy Preserving in Cloud Server
IRJET- Secure Database Management and Privacy Preserving in Cloud Server
IRJET Journal
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco Canada
 
Cisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design Guide
Cisco Service Provider
 
Cisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design Guide
Cisco Service Provider
 
OIS-K8-Multicloud.pptx
OIS-K8-Multicloud.pptxOIS-K8-Multicloud.pptx
OIS-K8-Multicloud.pptx
VoYat
 
"It's Just A Meeting"
"It's Just A Meeting" "It's Just A Meeting"
"It's Just A Meeting"
Cisco Canada
 
Software Principles and Project Deadlines Don't have to be Polar Opposites.pdf
Software Principles and Project Deadlines Don't have to be Polar Opposites.pdfSoftware Principles and Project Deadlines Don't have to be Polar Opposites.pdf
Software Principles and Project Deadlines Don't have to be Polar Opposites.pdf
Craig Saunders
 
Securing Liaison-Less Publisher/Subscriber Systems using Identity Based Encr...
Securing Liaison-Less Publisher/Subscriber Systems using Identity Based Encr...Securing Liaison-Less Publisher/Subscriber Systems using Identity Based Encr...
Securing Liaison-Less Publisher/Subscriber Systems using Identity Based Encr...
IRJET Journal
 
PSOCLD 1007 Cisco Hybrid Cloud Platform for Google Cloud
PSOCLD 1007 Cisco Hybrid Cloud Platform for Google CloudPSOCLD 1007 Cisco Hybrid Cloud Platform for Google Cloud
PSOCLD 1007 Cisco Hybrid Cloud Platform for Google Cloud
Rohit Agarwalla
 
Peck shield audit-report-umee-v1.0
Peck shield audit-report-umee-v1.0Peck shield audit-report-umee-v1.0
Peck shield audit-report-umee-v1.0
KennyNajarro2
 
White paper on understanding sd wan-managed
White paper on understanding sd wan-managedWhite paper on understanding sd wan-managed
White paper on understanding sd wan-managed
Chris Baddeley
 
Free and open cloud security posture monitoring
Free and open cloud security posture monitoringFree and open cloud security posture monitoring
Free and open cloud security posture monitoring
Elasticsearch
 
Intercloud_Fabric
Intercloud_FabricIntercloud_Fabric
Intercloud_Fabric
Paulo Renato
 
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
kimw001
 
Cisco Secure Enclaves Architecture
Cisco Secure Enclaves ArchitectureCisco Secure Enclaves Architecture
Cisco Secure Enclaves Architecture
Cisco Russia
 
Deploying and Managing a Global Blockchain Network
Deploying and Managing a Global Blockchain NetworkDeploying and Managing a Global Blockchain Network
Deploying and Managing a Global Blockchain Network
Duncan Johnston-Watt
 
Sgtn Supply Chain Initiatives V44 S
Sgtn Supply Chain Initiatives V44 SSgtn Supply Chain Initiatives V44 S
Sgtn Supply Chain Initiatives V44 S
James Cofield
 
IRJET- Schemes for Securing Cloud Data when the Cryptographic Material is Exp...
IRJET- Schemes for Securing Cloud Data when the Cryptographic Material is Exp...IRJET- Schemes for Securing Cloud Data when the Cryptographic Material is Exp...
IRJET- Schemes for Securing Cloud Data when the Cryptographic Material is Exp...
IRJET Journal
 
Contino Webinar - Migrating your Trading Workloads to the Cloud
Contino Webinar - Migrating your Trading Workloads to the CloudContino Webinar - Migrating your Trading Workloads to the Cloud
Contino Webinar - Migrating your Trading Workloads to the Cloud
Ben Saunders
 
Design-Guide-to-Run-VMware-NSX-with-Cisco-ACI-white-paper.pdf
Design-Guide-to-Run-VMware-NSX-with-Cisco-ACI-white-paper.pdfDesign-Guide-to-Run-VMware-NSX-with-Cisco-ACI-white-paper.pdf
Design-Guide-to-Run-VMware-NSX-with-Cisco-ACI-white-paper.pdf
ssuserc6aaff
 
Microservices Design Principles.pdf
Microservices Design Principles.pdfMicroservices Design Principles.pdf
Microservices Design Principles.pdf
Simform
 
ISSA Web Conference - Biometric Information Security Management
ISSA Web Conference - Biometric Information Security ManagementISSA Web Conference - Biometric Information Security Management
ISSA Web Conference - Biometric Information Security Management
Phil Griffin
 
ITU Kaleidoscope 2013 Presentation
ITU Kaleidoscope 2013 PresentationITU Kaleidoscope 2013 Presentation
ITU Kaleidoscope 2013 Presentation
Phil Griffin
 

Contenu connexe

Similaire à Key Commitment Using CMS in ECMQV Key Agreement

Cisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design Guide
Cisco Service Provider
 
Cisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design Guide
Cisco Service Provider
 
Design-Guide-to-Run-VMware-NSX-with-Cisco-ACI-white-paper.pdf
Design-Guide-to-Run-VMware-NSX-with-Cisco-ACI-white-paper.pdfDesign-Guide-to-Run-VMware-NSX-with-Cisco-ACI-white-paper.pdf
Design-Guide-to-Run-VMware-NSX-with-Cisco-ACI-white-paper.pdf
ssuserc6aaff
 

Similaire à Key Commitment Using CMS in ECMQV Key Agreement (20)

Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse locale
 
Cisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design Guide
 
Cisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design Guide
 
OIS-K8-Multicloud.pptx
OIS-K8-Multicloud.pptxOIS-K8-Multicloud.pptx
OIS-K8-Multicloud.pptx
 
"It's Just A Meeting"
"It's Just A Meeting" "It's Just A Meeting"
"It's Just A Meeting"
 
Software Principles and Project Deadlines Don't have to be Polar Opposites.pdf
Software Principles and Project Deadlines Don't have to be Polar Opposites.pdfSoftware Principles and Project Deadlines Don't have to be Polar Opposites.pdf
Software Principles and Project Deadlines Don't have to be Polar Opposites.pdf
 
Securing Liaison-Less Publisher/Subscriber Systems using Identity Based Encr...
Securing Liaison-Less Publisher/Subscriber Systems using Identity Based Encr...Securing Liaison-Less Publisher/Subscriber Systems using Identity Based Encr...
Securing Liaison-Less Publisher/Subscriber Systems using Identity Based Encr...
 
PSOCLD 1007 Cisco Hybrid Cloud Platform for Google Cloud
PSOCLD 1007 Cisco Hybrid Cloud Platform for Google CloudPSOCLD 1007 Cisco Hybrid Cloud Platform for Google Cloud
PSOCLD 1007 Cisco Hybrid Cloud Platform for Google Cloud
 
Peck shield audit-report-umee-v1.0
Peck shield audit-report-umee-v1.0Peck shield audit-report-umee-v1.0
Peck shield audit-report-umee-v1.0
 
White paper on understanding sd wan-managed
White paper on understanding sd wan-managedWhite paper on understanding sd wan-managed
White paper on understanding sd wan-managed
 
Free and open cloud security posture monitoring
Free and open cloud security posture monitoringFree and open cloud security posture monitoring
Free and open cloud security posture monitoring
 
Intercloud_Fabric
Intercloud_FabricIntercloud_Fabric
Intercloud_Fabric
 
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
 
Cisco Secure Enclaves Architecture
Cisco Secure Enclaves ArchitectureCisco Secure Enclaves Architecture
Cisco Secure Enclaves Architecture
 
Deploying and Managing a Global Blockchain Network
Deploying and Managing a Global Blockchain NetworkDeploying and Managing a Global Blockchain Network
Deploying and Managing a Global Blockchain Network
 
Sgtn Supply Chain Initiatives V44 S
Sgtn Supply Chain Initiatives V44 SSgtn Supply Chain Initiatives V44 S
Sgtn Supply Chain Initiatives V44 S
 
IRJET- Schemes for Securing Cloud Data when the Cryptographic Material is Exp...
IRJET- Schemes for Securing Cloud Data when the Cryptographic Material is Exp...IRJET- Schemes for Securing Cloud Data when the Cryptographic Material is Exp...
IRJET- Schemes for Securing Cloud Data when the Cryptographic Material is Exp...
 
Contino Webinar - Migrating your Trading Workloads to the Cloud
Contino Webinar - Migrating your Trading Workloads to the CloudContino Webinar - Migrating your Trading Workloads to the Cloud
Contino Webinar - Migrating your Trading Workloads to the Cloud
 
Design-Guide-to-Run-VMware-NSX-with-Cisco-ACI-white-paper.pdf
Design-Guide-to-Run-VMware-NSX-with-Cisco-ACI-white-paper.pdfDesign-Guide-to-Run-VMware-NSX-with-Cisco-ACI-white-paper.pdf
Design-Guide-to-Run-VMware-NSX-with-Cisco-ACI-white-paper.pdf
 
Microservices Design Principles.pdf
Microservices Design Principles.pdfMicroservices Design Principles.pdf
Microservices Design Principles.pdf
 

Plus de Phil Griffin

Plus de Phil Griffin (6)

ISSA Web Conference - Biometric Information Security Management
ISSA Web Conference - Biometric Information Security ManagementISSA Web Conference - Biometric Information Security Management
ISSA Web Conference - Biometric Information Security Management
 
ITU Kaleidoscope 2013 Presentation
ITU Kaleidoscope 2013 PresentationITU Kaleidoscope 2013 Presentation
ITU Kaleidoscope 2013 Presentation
 
Proposed ISO/IEC 29150 ASN.1 Schema Corrections
Proposed ISO/IEC 29150 ASN.1 Schema CorrectionsProposed ISO/IEC 29150 ASN.1 Schema Corrections
Proposed ISO/IEC 29150 ASN.1 Schema Corrections
 
Signcrypting information assets
Signcrypting information assetsSigncrypting information assets
Signcrypting information assets
 
Using signcryption to protect biometric information
Using signcryption to protect biometric information Using signcryption to protect biometric information
Using signcryption to protect biometric information
 
Telebiometric information security and safety management
Telebiometric information security and safety managementTelebiometric information security and safety management
Telebiometric information security and safety management
 

Dernier

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Dernier (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Key Commitment Using CMS in ECMQV Key Agreement

  • 1. © GRIFFIN Consulting 2006. All rights reserved. GRIFFIN Consulting Date: 2006-03-31 Key Commitment Using CMS in ECMQV Key Agreement Key Commitment Using Cryptographic Message Syntax (CMS) in Elliptic Curve Menezes-Qu-Vanstone (ECMQV) Key Agreement
  • 2. Key Commitment Using CMS in ECMQV Key Agreement Copyright notice This document is copyright-protected by Griffin Consulting and all rights are reserved. Unlimited rights of reproduction and distribution are granted, so long as this copyright notice is included in its entirety. Comments on this white paper should be directed to the author at the following address: GRIFFIN Consulting Phillip H. Griffin 1625 Glenwood Avenue Raleigh, North Carolina 27608-2319 USA Tel. + 1 919 291 0019 E-mail information@phillipgriffin.com Web http://phillipgriffin.com The contents of this white paper is provided for informational purposes only and represents the view of the author as of the date it is published. The author makes no warranties, express or implied in this document. ii © GRIFFIN Consulting 2006. All rights reserved.
  • 3. Key Commitment Using CMS in ECMQV Key Agreement Contents Page Introduction.....................................................................................................................................................iv 1 Scope ...................................................................................................................................................1 2 Terms and definitions.........................................................................................................................1 3 Symbols and abbreviated terms ........................................................................................................2 4 ECMQV key agreement.......................................................................................................................2 4.1 Overview ..............................................................................................................................................2 4.2 Process................................................................................................................................................3 5 Key control ..........................................................................................................................................4 5.1 Key distribution fairness ....................................................................................................................4 5.2 Key commitment .................................................................................................................................4 6 CMS Schema elements.......................................................................................................................4 6.1 DigestedData .......................................................................................................................................4 6.2 ECKeyCommitment.............................................................................................................................5 Annex A (normative) Protocol message examples .......................................................................................6 A.1 Overview ..............................................................................................................................................6 A.2 Commitment ........................................................................................................................................6 A.3 Distribution..........................................................................................................................................7 Bibliography.....................................................................................................................................................9 © GRIFFIN Consulting 2006. All rights reserved iii
  • 4. Key Commitment Using CMS in ECMQV Key Agreement Introduction The author of this white paper is Phillip H. Griffin, Principal of GRIFFIN Consulting, an Information Security consulting company located in Raleigh, North Carolina. GRIFFIN Consulting provides secure software design and development, national and international security standards committee representation, management and development, training, and related information security consulting services. This document provides important information for readers who want to develop a basic understanding of key management security techniques. Abstract Cryptographic Message Syntax (CMS) [7, 11] used to convey key management information is described in this document, and concrete representations of abstract values are provided in compact binary and XML markup formats. All message examples were created using the XCMS Toolkit designed, developed and licensed by GRIFFIN Consulting. iv © GRIFFIN Consulting 2006. All rights reserved.
  • 5. Key Commitment Using CMS in ECMQV Key Agreement 1 Scope This white paper describes a key commitment protocol that provides key control in key agreement schemes used for key establishment. Motivation for the use of a key commitment protocol is provided. Particular attention is given to the full, 1-pass ECMQV key agreement scheme, but the key commitment protocol described in this document is applicable to most key agreement schemes. Abstract syntax used to define message components is described and example concrete syntax representations of these abstract values are provided using XML [12] markup and compact binary formats. A discussion on how to form and process key commitment protocol messages using Cryptographic Message Syntax (CMS) syntax is presented. 2 Terms and definitions For the purposes of this document, the following terms and definitions apply. 2.1 encryption (reversible) transformation of data by a cryptographic algorithm to produce ciphertext, i.e., to hide the information content of the data 2.2 ephemeral a key or data specific to one execution of a cryptographic scheme 2.3 key agreement scheme a key establishment scheme in which the keying data established is a function of contributions provided by both entities in such a way that neither party can predetermine the value of the keying data 2.4 key derivation function KDF a function that takes as input a shared secret value and outputs keying data suitable for later cryptographic use 2.5 keying data data suitable for use as cryptographic keys 2.6 message set of data elements used to exchange information 2.7 pass a set of data sent from one entity to another or received by one entity from another at a particular stage in the operation of a protocol 2.8 private key an asymmetric (public-key) system, that key of an entity’s key pair that is known only by that © GRIFFIN Consulting 2006. All rights reserved. 1
  • 6. Key Commitment Using CMS in ECMQV Key Agreement entity 2.9 public key in an asymmetric (public-key) system, that key of an entity’s key pair that is publicly known 2.10 shared secret value an intermediate value in a key establishment scheme from which keying data is derived 3 Symbols and abbreviated terms ANS American National Standard ASN.1 Abstract Syntax Notation One CMS Cryptographic Message Syntax CEK Content Encryption Key DER Distinguished Encoding Rules EC Elliptic Curve IEC International Electrotechnical Commission IETF Internet Engineering Task Force ISO International Organization for Standardization ITU-T International Telecommunication Union - Telecommunication Standardization Sector KEK Key Encryption Key MQV Menezes-Qu-Vanstone OID Information object identifier RFC Request For Comments XCMS XML Cryptographic Message Syntax XER XML Encoding Rules of ASN.1 XML Extensible Markup Language 4 ECMQV key agreement 4.1 Overview The Elliptic Curve Menezes-Qu-Vanstone (ECMQV) key agreement scheme is a mechanism used for key establishment. Using ECMQV, two participants (party A and party B) can construct a shared secret symmetric encryption key. Since both participants contribute public information to construct the shared secret, neither party need trust the other to select the key. 2 © GRIFFIN Consulting 2006. All rights reserved.
  • 7. Key Commitment Using CMS in ECMQV Key Agreement ECMQV key agreement can be described in terms of a setup procedure, a key deployment procedure, an encryption operation, and a decryption operation. The setup and key deployment procedures are performed before the actual operation of the key agreement scheme. When the key deployment procedure is performed properly, neither party should be able to predetermine any bits of the constructed shared secret key. The ECMQV setup procedure is used to decide which EC domain parameters will be used by the parties to perform the ECMQV key agreement scheme. The setup procedure also determines which (if any) key derivation function (KDF) will be used by the two parties. Cryptographic toolkits and service providers often provide a configuration capability with settings for a default elliptic curve and specified hash function to be used for key derivation. The setup values must be the same for both parties participating in the scheme. The key deployment procedure is used by both participants to distribute one Elliptic Curve (EC) static and one EC ephemeral public key to the other party. Either key may be associated with an identity certificate [4]. The domain parameters associated with these keys must be the same, and must agree with those determined during the setup procedure. Domain parameters may be specified as a "named" elliptic curve [13], whose name is an ASN.1 [1] information object identifier (OID) [5]. For example, the X9.63 [8] standard defines the domain parameters of a 192-bit elliptic curve with a prime characteristic finite field as the named curve ansip192r1, whose information object identifier is the value 1.2.840.10045.3.1.1. Once each participant has the two public keys of the other party, the encryption operation can begin. Either party can initiate operation of the key agreement scheme. Party A can use two remote public keys of party B, along with their own static and ephemeral public-private key pairs, to generate a symmetric Key Encryption Key (KEK). And party B can use two remote public keys of party A, along with their own static and ephemeral public-private key pairs, to generate the same KEK. Operation of the key agreement scheme may be performed using the CMS EnvelopedData message defined in ISO 22895. 4.2 Process Each participant in a full, 1-Pass Elliptic Curve Menezes-Qu-Vanstone (ECMQV) key agreement scheme uses three pairs of keys: 1) a local static public-private key pair, and 2) a local ephemeral public-private key pair, and 3) a remote pair of ephemeral and static public keys. Each participant contributes a static public key and an ephemeral public key to the key construction process. The remote pair of public keys must be provided by each party to the other party. If this distribution of public key information is done fairly, neither participant can predetermine any of the bits of the value of the shared secret key. These three key pairs allow both parties to derive a shared secret key by following the same six step process: 1) initialize the process with a local private key, 2) pass in the associated local public key, 3) pass in a second local private key, 4) pass in the associated local public key, 5) pass in a remote public key, 6) pass in a second remote public key. © GRIFFIN Consulting 2006. All rights reserved. 3
  • 8. Key Commitment Using CMS in ECMQV Key Agreement 5 Key control 5.1 Key distribution fairness To perform the key distribution procedure for ECMQV key agreement without key control, party A sends its two public keys to party B and party B responds by sending its two public keys to party A. Where there is complete trust between the two parties, this process may be sufficient. But party B may have an unfair advantage over party A, since party A must disclose the keys it will use to operate the key agreement scheme before party B has revealed the keys that it will use. During the time between receiving keys from party A and sending party A its keys, party B has the opportunity to choose the keys it will use to operate the key agreement scheme, based on the keys revealed by party A, before sending its keys to party A. Though in some key agreement applications, this time interval may be very small, even one second allows party B to predetermine some of the bits in the shared secret key that will be derived during operation of the key agreement scheme. Mitchell, Ward and Wilson [14] describe how party B may choose its public keys and predetermine some or all of the bits of the shared secret key. They point out that most key agreement schemes defined in ISO/IEC 11770-3 [6] are vulnerable to such attacks. Longer intervals of time between receiving and sending keys allows a greater number of bits of the shared secret key to be predetermined. A key commitment protocol can be used to eliminate the threat. 5.2 Key commitment A key commitment protocol requires two messages. A first message commits the sender to use specific cryptographic keys in the subsequent operation of a key agreement scheme with the message recipient. A second message distributes the actual keys that the sender committed to in the first message. The first message must contain a hash of the public cryptographic keys the sender is committing to use for key agreement, but not the actual keys. This message is illustrated in the example provided in A.2. This hash must be retained by the message recipient for use when the actual keys are received. The second message must contain the keys, and may contain a hash of the keys that can be verified by the message recipient. This message is illustrated in the example provided in A.3. For 1-pass ECMQV, this message contains the hash of the two cryptographic keys, one ephemeral public key and one static public key. ISO 22895 defines an ASN.1 type named ECKeyCommitment for this purpose. CMS type DigestedData provides a means of exchanging message digest information and optionally, the cryptographic keys needed to implement a key commitment protocol. 6 CMS Schema elements 6.1 DigestedData A digested data CMS message is a value of ASN.1 type DigestedData and contains a message content identifier and a cryptographic hash of the identified content. The message content may be absent or present in the message. Type DigestedData is defined as DigestedData ::= SEQUENCE { version CMSVersion, digestAlgorithm DigestAlgorithmIdentifier, encapContentInfo EncapsulatedContentInfo, digest Digest } 4 © GRIFFIN Consulting 2006. All rights reserved.
  • 9. Key Commitment Using CMS in ECMQV Key Agreement The values of the components of type DigestedData are as follows:  the version component is a positive integer that indicates the version number of the schema.  the digestAlgorithm component is a value of type DigestAlgorithmIdentifier, which contains two components named algorithm and parameters. The algorithm component identifies a message digest algorithm, and the optional parameters component contains any associated parameters.  the encapContentInfo component is a value of type EncapsulatedContentInfo, which contains two components named eContentType and eContent. The eContentType component identifies the type of content being digested and the optional eContent contains this content when present. In the examples presented in this document, the content is a value of type ECKeyCommitment.  the digest component is a value of type Digest and contains the result of applying the hash function indicated by the digestAlgorithm component to the message content. In the examples presented in this document, the hash function is applied to a value of type ECKeyCommitment. A complete detailed definition of these types can be found in the ISO 22895 standard. Values of the DigestedData type are provided in A.2 and A.3 which describe the two messages needed to implement a key commitment protocol using CMS. 6.2 ECKeyCommitment In the key commitment protocol described in this document, the message digest process is applied to a value of ASN.1 type ECKeyCommitment, which is defined as ECKeyCommitment ::= SEQUENCE { staticPublicKey ECPoint, ephemeralPublicKey ECPoint OPTIONAL } ECPoint ::= OCTET STRING a sequence of two components named staticPublicKey and ephemeralPublicKey. Both components are EC public keys defined as values of type ECPoint. A value of this type is provided in A.1. © GRIFFIN Consulting 2006. All rights reserved. 5
  • 10. Key Commitment Using CMS in ECMQV Key Agreement Annex A Protocol message examples A.1 Overview The example key commitment messages shown below in subclause A.2 and subclause A.3 are values of CMS type DigestedData. These values are represented as XML markup encoded using the XML Encoding Rules of ASN.1 (XER) [3]. The same abstract values could also be represented in a compact binary format encoded using the Distinguished Encoding Rules (DER) [2] of ASN.1 to reduce the size of the encoded value by 105 octets. For the purpose of illustration, only the XML format is used here. The content to be digested is an XML encoding of a value of ISO 228951 type ECKeyCommitment as it would be used for key control in a key commitment protocol in the key deployment procedure of a key agreement scheme. In both examples, the input to the message digest process is a sequence of two Elliptic Curve Digital Signature Algorithm (ECDSA) public keys represented using XML markup as the value <ECKeyCommitment> <staticPublicKey> 4441443537383246434534324645344544364141 4141394443413643393639303333453134424431 </staticPublicKey> <ephemeralPublicKey> 4530443438323632313331433944423841434639 3745454141353733463531443141354137344630 </ephemeralPublicKey> </ECKeyCommitment> This value contains a static ECDSA public key and an ephemeral ECDSA public key. When input to the message digest process, the value is encoded using canonical XER, which contains no white space. A.2 Commitment The example key commitment message that follows shows the XML encoded DigestedData value displayed with the content to be digested, a value of type ECKeyCommitment, not present in the message. By omitting the content and only transferring the hash of the content, party A can send party B the hash of the public keys party A will use when it participates in the operation of a key agreement scheme, without revealing the keys. Line 1 indicates the version number of the syntax, the value 3. Lines 2-6 describe the message digest algorithm and any associated digest algorithm parameter used to compute the message digest in line 13. Line 4 is the information object identifier of the SHA-256 message digest algorithm. This algorithm has no associated parameters. 1 The ISO 22895 Cryptographic syntax schema combines two US National standards, X9.73 CMS [9] X9.96 XCMS [10] which share a common ASN.1 schema and are aligned with the S/MIME CMS RFC [11] from IETF. 6 © GRIFFIN Consulting 2006. All rights reserved.
  • 11. Key Commitment Using CMS in ECMQV Key Agreement Line 9 indicates that the type of value digested is ordinary data, and not another CMS type. The associated content is "detached", and not present in this message. Line 13 contains the result of computing a message digest on ordinary data using the SHA-256 message digest algorithm specified in line 4. The message digest size is 256 bits (32 octets) in length and provides 128 bits of security. Disregarding white space, the value is encoded in 295 octets. 000 <DigestedData> 001 <version> 3 </version> 002 <digestAlgorithm> 003 <algorithm> 004 2.16.840.1.101.3.4.2.1 005 </algorithm> 006 </digestAlgorithm> 007 <encapContentInfo> 008 <eContentType> 009 1.2.840.113549.1.7.1 010 </eContentType> 011 </encapContentInfo> 012 <digest> 013 1B1FA4C0B3CFE4F4FE0A299A329C53EF285EC6A392BABC5BC026AC4CFC332812 014 </digest> 015 </DigestedData> The complete DER encoding of the same DigestedData message follows, displayed using hexadecimal notation. Using DER the message is encoded in 65 octets. 303F020103300B0609608648016503040201300B 06092A864886F70D01070104201B1FA4C0B3CFE4 F4FE0A299A329C53EF285EC6A392BABC5BC026AC 4CFC332812 A.3 Distribution The example key distribution message that follows shows the XML encoded DigestedData value displayed with the content to be digested, a value of type ECKeyCommitment, present in the message. The content to be digested is a value of ASN.1 type OCTET STRING, an opaque value. Since the encoded value of ECKeyCommitment is encapsulated in an "octet hole", the details of its structure are obscured. By including the content in the message along with the hash of the content, party A can distribute the public keys it previously committed to use in the operation of a key agreement scheme to party B. Party B can verify that the value in the digest component of type DigestedData is correct, then compare that value to the digest in a prior key commitment message received from party A. If these two digest values are identical, then party A and party B can both assume that the key agreement key distribution procedure was fair. Disregarding white space, the value is encoded in 874 octets. Line 1 indicates the version number of the syntax, the value 3. Lines 2-6 describe the message digest algorithm and any associated digest algorithm parameter used to compute the message digest in line 13. Line 4 is the information object identifier of the SHA-256 message digest algorithm. This algorithm has no associated parameters. 000 <DigestedData> 001 <version> 3 </version> 002 <digestAlgorithm> © GRIFFIN Consulting 2006. All rights reserved. 7
  • 12. Key Commitment Using CMS in ECMQV Key Agreement 003 <algorithm> 004 2.16.840.1.101.3.4.2.1 005 </algorithm> 006 </digestAlgorithm> 007 <encapContentInfo> 008 <eContentType> 009 1.2.840.113549.1.7.1 010 </eContentType> 011 <eContent> 012 203C45434B6579436F6D6D69746D656E743E0D0A20203C737461746963507562 013 6C69634B65793E0D0A2020203434343134343335333733383332343634333435 014 3334333234363435333434353434333634313431343134313339343434333431 015 3336343333393336333933300A20202033333333343533313334343234343331 016 0D0A20203C2F7374617469635075626C69634B65793E0D0A20203C657068656D 017 6572616C5075626C69634B65793E0D0A20202034353330343433343338333233 018 3633323331333333313433333934343432333834313433343633393337343534 019 353431343133353337333334363335333134340A202020333134313335343133 020 373334343633300D0A20203C2F657068656D6572616C5075626C69634B65793E 021 0D0A203C2F45434B6579436F6D6D69746D656E743E0D0A 022 </eContent> 023 </encapContentInfo> 024 <digest> 025 1B1FA4C0B3CFE4F4FE0A299A329C53EF285EC6A392BABC5BC026AC4CFC332812 026 </digest> 027 </DigestedData> The complete DER encoding of the same DigestedData message follows, displayed using hexadecimal notation. Using DER the message is encoded in 384 octets. 3082017C020103300B06096086480165030402013082014606092A864886F70D01070180820137203 C45434B6579436F6D6D69746D656E743E0D0A20203C7374617469635075626C69634B65793E0D0A20 202034343431343433353337333833323436343334353334333234363435333434353434333634313 4313431343133393434343334313336343333393336333933300A2020203333333334353331333434 32343433310D0A20203C2F7374617469635075626C69634B65793E0D0A20203C657068656D6572616 C5075626C69634B65793E0D0A20202034353330343433343338333233363332333133333331343333 3934343432333834313433343633393337343534353431343133353337333334363335333134340A2 02020333134313335343133373334343633300D0A20203C2F657068656D6572616C5075626C69634B 65793E0D0A203C2F45434B6579436F6D6D69746D656E743E0D0A04201B1FA4C0B3CFE4F4FE0A299A3 29C53EF285EC6A392BABC5BC026AC4CFC332812 8 © GRIFFIN Consulting 2006. All rights reserved.
  • 13. Key Commitment Using CMS in ECMQV Key Agreement Bibliography [1] ISO/IEC 8824:2001 (All parts) | ITU-T Recommendation X.680-series (2000), Information Technology - Abstract Syntax Notation One (ASN.1) [2] ISO/IEC 8825-1:2001 | ITU-T Recommendation X.690 (2000), Information Technology - ASN.1 Encoding Rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) [3] ISO/IEC 8825-2:2001 | ITU-T Recommendation X.693 (2000), Information Technology - ASN.1 Encoding Rules: Specification of XML Encoding Rules (XER) [4] ISO/IEC 9594-8 | ITU-T X.509 Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks [5] ISO/IEC 9834-8 | ITU-T Rec. X.667, Information technology – Open Systems Interconnection – Procedures for the operation of OSI Registration Authorities: Generation and Registration of Universally Unique Identifiers (UUIDs) and their Use as ASN.1 Object Identifier Components [6] ISO/IEC 11770-3 Information technology – Security techniques – Key Management: Part 3 - Mechanisms using asymmetric techniques [7] ISO 22895 Financial services – Security techniques – Cryptographic syntax schema [8] ANS X9.63, Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography [9] ANS X9.79, Cryptographic Message Syntax (CMS) [10] ANS X9.96, XML Cryptographic Message Syntax (XCMS) [11] RFC 3852, Cryptographic Message Syntax (CMS), http://ietfreport.isoc.org/rfc/rfc3852.txt [12] Extensible Markup Language (XML) 1.0 (Third Edition), Copyright © 1994-2003 World Wide Web ® Consortium (W3C ), (Massachusetts Institute of Technology, European Research Consortium for Informatics and Mathematics, Keio University), W3C Recommendation 04, http://www.w3.org/TR/2004/REC-xml-20040204/ [13] SECG, "Recommended Elliptic Curve Domain Parameters", Standards for Efficient Cryptography Group, 2000, http://www.secg.org/collateral/sec2.pdf [14] C.J. Mitchell, M. Ward and P. Wilson, "Key control in key agreement protocols", ELECTRONICS LETTERS 14th May 1998 Vol. 34 No. 10, pages 980-981, http://www.iee.org/ © GRIFFIN Consulting 2006. All rights reserved. 9