 1/draftietfhttpauthmutualalgo03.txt 20160106 21:15:21.001680111 0800
+++ 2/draftietfhttpauthmutualalgo04.txt 20160106 21:15:21.037680979 0800
@@ 1,25 +1,25 @@
HTTPAUTH Working Group Y. Oiwa
InternetDraft H. Watanabe
Intended status: Experimental H. Takagi
Expires: January 7, 2016 ITRI, AIST
+Expires: July 10, 2016 ITRI, AIST
K. Maeda
T. Hayashi
Lepidum
Y. Ioku
Individual
 July 6, 2015
+ January 7, 2016
Mutual Authentication Protocol for HTTP: KAM3based Cryptographic
Algorithms
 draftietfhttpauthmutualalgo03
+ draftietfhttpauthmutualalgo04
Abstract
This document specifies some cryptographic algorithms which will be
used for the Mutual user authentication method for the Hypertext
Transport Protocol (HTTP).
Status of this Memo
This InternetDraft is submitted in full conformance with the
@@ 28,67 +28,68 @@
InternetDrafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as InternetDrafts. The list of current Internet
Drafts is at http://datatracker.ietf.org/drafts/current/.
InternetDrafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use InternetDrafts as reference
material or to cite them other than as "work in progress."
 This InternetDraft will expire on January 7, 2016.
+ This InternetDraft will expire on July 10, 2016.
Copyright Notice
 Copyright (c) 2015 IETF Trust and the persons identified as the
+ Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/licenseinfo) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Cryptographic Overview (Nonnormative) . . . . . . . . . . . . 3
3. Authentication Algorithms . . . . . . . . . . . . . . . . . . 4
3.1. Support Functions and Notations . . . . . . . . . . . . . 5
 3.2. Functions for DiscreteLogarithm Settings . . . . . . . . 6
+ 3.2. Functions for DiscreteLogarithm Settings . . . . . . . . 5
3.3. Functions for EllipticCurve Settings . . . . . . . . . . 7
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . 9
5.1. General Implementation Considerations . . . . . . . . . . 9
5.2. Cryptographic Assumptions and Considerations . . . . . . . 9
6. Notice on intellectual properties . . . . . . . . . . . . . . 10
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . . 10
7.2. Informative References . . . . . . . . . . . . . . . . . . 11
Appendix A. (Informative) Group Parameters for
DiscreteLogarithm Based Algorithms . . . . . . . . . 11
Appendix B. (Informative) Derived Numerical Values . . . . . . . 13
Appendix C. (Informative) Draft Change Log . . . . . . . . . . . 14
 C.1. Changes in HTTPAUTHWG revision 03 . . . . . . . . . . . . 14
 C.2. Changes in HTTPAUTHWG revision 02 . . . . . . . . . . . . 14
 C.3. Changes in HTTPAUTHWG revision 01 . . . . . . . . . . . . 14
 C.4. Changes in HTTPAUTHWG revision 00 . . . . . . . . . . . . 14
 C.5. Changes in HTTPAUTH revision 02 . . . . . . . . . . . . . 14
 C.6. Changes in HTTPAUTH revision 01 . . . . . . . . . . . . . 14
 C.7. Changes in revision 02 . . . . . . . . . . . . . . . . . . 14
 C.8. Changes in revision 01 . . . . . . . . . . . . . . . . . . 15
 C.9. Changes in revision 00 . . . . . . . . . . . . . . . . . . 15
+ C.1. Changes in HTTPAUTHWG revision 04 . . . . . . . . . . . . 14
+ C.2. Changes in HTTPAUTHWG revision 03 . . . . . . . . . . . . 14
+ C.3. Changes in HTTPAUTHWG revision 02 . . . . . . . . . . . . 14
+ C.4. Changes in HTTPAUTHWG revision 01 . . . . . . . . . . . . 14
+ C.5. Changes in HTTPAUTHWG revision 00 . . . . . . . . . . . . 14
+ C.6. Changes in HTTPAUTH revision 02 . . . . . . . . . . . . . 14
+ C.7. Changes in HTTPAUTH revision 01 . . . . . . . . . . . . . 14
+ C.8. Changes in revision 02 . . . . . . . . . . . . . . . . . . 15
+ C.9. Changes in revision 01 . . . . . . . . . . . . . . . . . . 15
+ C.10. Changes in revision 00 . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction
This document specifies some algorithms for Mutual authentication
protocol for HyperText Transport Protocol (HTTP)
[ID.ietfhttpauthmutual]. The algorithms are based on socalled
"Augmented Passwordbased Authenticated Key Exchange" (Augmented
PAKE) techniques. In particular, it uses one of three key exchange
algorithm defined in the ISO 117704: "Key management  Mechanisms
@@ 187,24 +188,20 @@
For the ellipticcurve settings, the underlying groups are the
elliptic curves over the prime fields P256 and P521, respectively,
specified in the appendix D.1.2 of FIPS PUB 1864 [FIPS.1864.2013]
specification. The hash functions H, which are referenced by the
core document, are SHA256 for the P256 curve and SHA512 for the
P521 curve, respectively. Cofactors of these curves are 1. The
hash iteration count nIterPi is 16384. The representation of the
parameters kc1, ks1, vkc, and vks is hexfixednumber.
 [[Editorial Note: remove before submission] We should take a care on
 recent hot discussion topic on the choice of elliptic curves for
 cryptography.]]

Note: This algorithm is based on the Key Agreement Mechanism 3 (KAM3)
defined in Section 6.3 of ISO/IEC 117704 [ISO.117704.2006] with a
few modifications/improvements. However, implementers should use
this document as the normative reference, because the algorithm has
been changed in several minor details as well as major improvements.
3.1. Support Functions and Notations
The algorithm definitions use several support functions and notations
defined below:
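Review bot: The editorial note removed from the elliptic-curve paragraph flagged the choice of curves as an open discussion item, and none of the visible hunks adds text recording how that question was settled. If the decision is to keep P-256 and P-521, state it with a short rationale in Section 5.2 (Cryptographic Assumptions and Considerations) rather than only dropping the reminder, so implementers reading the final text can see the point was considered.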
@@ 294,28 +291,30 @@
o h: for the cofactor of the group.
o r: for the order of the subgroup generated by G.
The function P(p) converts a curve point p into an integer
representing point p, by computing x * 2 + (y mod 2), where (x, y)
are the coordinates of point p. P'(z) is the inverse of function P,
that is, it converts an integer z to a point p that satisfies P(p) =
z. If such p exists, it is uniquely defined. Otherwise, z does not
 represent a valid curve point. The operator + indicates the
 ellipticcurve group operation, and the operation [x] * p denotes an
 integermultiplication of point p: it calculates p + p + ... (x
 times) ... + p. See the literature on ellipticcurve cryptography
 for the exact algorithms used for those functions (e.g. Section 3 of
 [RFC6090], which uses different notations, though.) 0_E represents
 the infinity point. The equation (x / y mod z) denotes a natural
 number w less than z that satisfies (w * y) mod z = x mod z.
+ represent a valid curve point.
+
+ The operator + indicates the ellipticcurve group operation, and the
+ operation [x] * p denotes an integermultiplication of point p: it
+ calculates p + p + ... (x times) ... + p. See the literature on
+ ellipticcurve cryptography for the exact algorithms used for those
+ functions (e.g. Section 3 of [RFC6090], which uses different
+ notations, though.) 0_E represents the infinity point. The equation
+ (x / y mod z) denotes a natural number w less than z that satisfies
+ (w * y) mod z = x mod z.
The function J is defined as
J(pi) = [pi] * G.
The value of K_c1 is derived as
K_c1 = P(K_c1'), where K_c1' = [S_c1] * G,
where S_c1 is a random number within range [1, r1]. The value of
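Review bot: The definition of (x / y mod z) in the reflowed paragraph says "a natural number w less than z that satisfies (w * y) mod z = x mod z" without requiring y to be invertible modulo z, so as written w is not guaranteed to exist or to be unique. Since the paragraph is being touched anyway, add the condition that y and z are coprime. As a style point, the period in "notations, though.)" belongs outside the closing parenthesis.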
@@ 446,40 +444,45 @@
csrc.nist.gov/publications/fips/fips1802/fips1802.pdf>.
[FIPS.1864.2013]
National Institute of Standards and Technology, "Digital
Signature Standard (DSS)", FIPS PUB 1864, July 2013, .
[ID.ietfhttpauthmutual]
Oiwa, Y., Watanabe, H., Takagi, H., Maeda, K., Hayashi,
T., and Y. Ioku, "Mutual Authentication Protocol for
 HTTP", draftietfhttpauthmutual05 (work in progress),
 July 2015.
+ HTTP", draftietfhttpauthmutual06 (work in progress),
+ January 2016.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
 Requirement Levels", BCP 14, RFC 2119, March 1997.
+ Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
+ RFC2119, March 1997,
+ .
[RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
DiffieHellman groups for Internet Key Exchange (IKE)",
 RFC 3526, May 2003.
+ RFC 3526, DOI 10.17487/RFC3526, May 2003,
+ .
7.2. Informative References
[ISO.117704.2006]
International Organization for Standardization,
"Information technology  Security techniques  Key
management  Part 4: Mechanisms based on weak secrets",
ISO Standard 117704, May 2006.
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
 Curve Cryptography Algorithms", RFC 6090, February 2011.
+ Curve Cryptography Algorithms", RFC 6090, DOI 10.17487/
+ RFC6090, February 2011,
+ .
Appendix A. (Informative) Group Parameters for DiscreteLogarithm Based
Algorithms
The MODP group used for the isokam3dl2048sha256 algorithm is
defined by the following parameters.
The prime is:
q = 0xFFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
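Review bot: Each updated entry for RFC2119, RFC3526 and RFC6090 now ends with an added line holding only ".", with nothing after the date on this page, the same shape as the unchanged FIPS.1864.2013 entry ("July 2013, ."). Check that the link target for each of these references is actually present in the submitted text and was not lost in generation. The bump of the core-draft reference to revision 06 dated January 2016 is consistent with this revision's own date.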
@@ 595,90 +598,94 @@
 values.      
 minimum  2048  4096  1  1  
 allowed S_c1      
+++++++
(The numbers marked with an * do not include any enclosing quotation
marks.)
Appendix C. (Informative) Draft Change Log
C.1. Changes in HTTPAUTHWG revision 03
+C.1. Changes in HTTPAUTHWG revision 04
+
+ o Authors address updated.
+
+C.2. Changes in HTTPAUTHWG revision 03
o IANA registration information added.
C.2. Changes in HTTPAUTHWG revision 02
+C.3. Changes in HTTPAUTHWG revision 02
o No technical changes: references updated.
C.3. Changes in HTTPAUTHWG revision 01
+C.4. Changes in HTTPAUTHWG revision 01
o Changed behavior on failed generation of K_s1.
o Security considerations updated.
C.4. Changes in HTTPAUTHWG revision 00
+C.5. Changes in HTTPAUTHWG revision 00
o Added a note on the choice of elliptic curves.
C.5. Changes in HTTPAUTH revision 02
+C.6. Changes in HTTPAUTH revision 02
o Added nIterPi parameter to adjust to the changes to the core
draft.
o Added a note on the verification of exchange transaction.
C.6. Changes in HTTPAUTH revision 01
+C.7. Changes in HTTPAUTH revision 01
o Notation change: integer output of hash function will be notated
as INT(H(*)), changed from H(*).
C.7. Changes in revision 02
+C.8. Changes in revision 02
o Implementation hints in appendix changed (number of characters for
base64fixednumber does not contain doublequotes).
C.8. Changes in revision 01
+C.9. Changes in revision 01
o Parameter names renamed.
o Some expressions clarified without changing the value.
C.9. Changes in revision 00
+C.10. Changes in revision 00
The document is separated from the revision 08 of the core
documentation.
Authors' Addresses
Yutaka Oiwa
National Institute of Advanced Industrial Science and Technology
Information Technology Research Institute
 Tsukuba Central 2
+ Tsukuba Central 1
111 Umezono
Tsukubashi, Ibaraki
JP
Email: mutualauthcontactml@aist.go.jp
Hajime Watanabe
National Institute of Advanced Industrial Science and Technology
Information Technology Research Institute
 Tsukuba Central 2
+ Tsukuba Central 1
111 Umezono
Tsukubashi, Ibaraki
JP
Hiromitsu Takagi
National Institute of Advanced Industrial Science and Technology
Information Technology Research Institute
 Tsukuba Central 2
+ Tsukuba Central 1
111 Umezono
Tsukubashi, Ibaraki
JP
Kaoru Maeda
Lepidum Co. Ltd.
#602, Village Sasazuka 3
1303 Sasazuka
Shibuyaku, Tokyo
JP
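Review bot: The new C.1 entry lists only "Authors address updated", but this revision also removes the editorial note on elliptic-curve choice from Section 3 and updates the reference entries in Section 7. List those changes too, in the style of the revision 02 entry ("No technical changes: references updated"), so the change log matches the diff. The entry should also read "Authors' addresses updated", since three addresses change from Tsukuba Central 2 to Tsukuba Central 1.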