draft-ietf-httpauth-mutual-algo-06.txt | draft-ietf-httpauth-mutual-algo-07.txt | |||
---|---|---|---|---|

HTTPAUTH Working Group Y. Oiwa | HTTPAUTH Working Group Y. Oiwa | |||

Internet-Draft H. Watanabe | Internet-Draft H. Watanabe | |||

Intended status: Experimental H. Takagi | Intended status: Experimental H. Takagi | |||

Expires: February 18, 2017 ITRI, AIST | Expires: May 18, 2017 ITRI, AIST | |||

K. Maeda | K. Maeda | |||

T. Hayashi | T. Hayashi | |||

Lepidum | Lepidum | |||

Y. Ioku | Y. Ioku | |||

Individual | Individual | |||

August 17, 2016 | November 14, 2016 | |||

Mutual Authentication Protocol for HTTP: KAM3-based Cryptographic | Mutual Authentication Protocol for HTTP: KAM3-based Cryptographic | |||

Algorithms | Algorithms | |||

draft-ietf-httpauth-mutual-algo-06 | draft-ietf-httpauth-mutual-algo-07 | |||

Abstract | Abstract | |||

This document specifies cryptographic algorithms for use with the | This document specifies cryptographic algorithms for use with the | |||

Mutual user authentication method for the Hyper-text Transport | Mutual user authentication method for the Hyper-text Transport | |||

Protocol (HTTP). | Protocol (HTTP). | |||

Status of this Memo | Status of this Memo | |||

This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||

skipping to change at page 1, line 39 | skipping to change at page 1, line 39 | |||

Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||

Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||

working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||

Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||

Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||

and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||

time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||

material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||

This Internet-Draft will expire on February 18, 2017. | This Internet-Draft will expire on May 18, 2017. | |||

Copyright Notice | Copyright Notice | |||

Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||

document authors. All rights reserved. | document authors. All rights reserved. | |||

This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||

Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||

(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||

publication of this document. Please review these documents | publication of this document. Please review these documents | |||

skipping to change at page 2, line 17 | skipping to change at page 2, line 17 | |||

the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||

described in the Simplified BSD License. | described in the Simplified BSD License. | |||

Table of Contents | Table of Contents | |||

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||

1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | |||

2. Cryptographic Overview (Non-normative) . . . . . . . . . . . . 3 | 2. Cryptographic Overview (Non-normative) . . . . . . . . . . . . 3 | |||

3. Authentication Algorithms . . . . . . . . . . . . . . . . . . 4 | 3. Authentication Algorithms . . . . . . . . . . . . . . . . . . 4 | |||

3.1. Support Functions and Notations . . . . . . . . . . . . . 5 | 3.1. Support Functions and Notations . . . . . . . . . . . . . 5 | |||

3.2. Functions for Discrete Logarithm Settings . . . . . . . . 5 | 3.2. Functions for Discrete Logarithm Settings . . . . . . . . 6 | |||

3.3. Functions for Elliptic-Curve Settings . . . . . . . . . . 7 | 3.3. Functions for Elliptic-Curve Settings . . . . . . . . . . 7 | |||

4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||

5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||

5.1. General Implementation Considerations . . . . . . . . . . 9 | 5.1. General Implementation Considerations . . . . . . . . . . 9 | |||

5.2. Cryptographic Assumptions and Considerations . . . . . . . 9 | 5.2. Cryptographic Assumptions and Considerations . . . . . . . 9 | |||

6. Intellectual Properties Notice . . . . . . . . . . . . . . . . 10 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||

7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 6.1. Normative References . . . . . . . . . . . . . . . . . . . 10 | |||

7.1. Normative References . . . . . . . . . . . . . . . . . . . 10 | 6.2. Informative References . . . . . . . . . . . . . . . . . . 10 | |||

7.2. Informative References . . . . . . . . . . . . . . . . . . 11 | ||||

Appendix A. (Informative) Group Parameters for Discrete | Appendix A. (Informative) Group Parameters for Discrete | |||

Logarithm Based Algorithms . . . . . . . . . . . . . 11 | Logarithm Based Algorithms . . . . . . . . . . . . . 11 | |||

Appendix B. (Informative) Derived Numerical Values . . . . . . . 13 | Appendix B. (Informative) Derived Numerical Values . . . . . . . 13 | |||

Appendix C. (Informative) Draft Change Log . . . . . . . . . . . 14 | Appendix C. (Informative) Draft Change Log . . . . . . . . . . . 14 | |||

C.1. Changes in Httpauth WG Revision 06 . . . . . . . . . . . . 14 | C.1. Changes in Httpauth WG Revision 06 . . . . . . . . . . . . 14 | |||

C.2. Changes in Httpauth WG Revision 05 . . . . . . . . . . . . 14 | C.2. Changes in Httpauth WG Revision 05 . . . . . . . . . . . . 14 | |||

C.3. Changes in Httpauth WG revision 04 . . . . . . . . . . . . 14 | C.3. Changes in Httpauth WG revision 04 . . . . . . . . . . . . 14 | |||

C.4. Changes in Httpauth WG revision 03 . . . . . . . . . . . . 14 | C.4. Changes in Httpauth WG revision 03 . . . . . . . . . . . . 14 | |||

C.5. Changes in Httpauth WG revision 02 . . . . . . . . . . . . 14 | C.5. Changes in Httpauth WG revision 02 . . . . . . . . . . . . 14 | |||

C.6. Changes in Httpauth WG revision 01 . . . . . . . . . . . . 14 | C.6. Changes in Httpauth WG revision 01 . . . . . . . . . . . . 14 | |||

C.7. Changes in Httpauth WG revision 00 . . . . . . . . . . . . 14 | C.7. Changes in Httpauth WG revision 00 . . . . . . . . . . . . 14 | |||

C.8. Changes in HTTPAUTH revision 02 . . . . . . . . . . . . . 14 | C.8. Changes in HTTPAUTH revision 02 . . . . . . . . . . . . . 14 | |||

C.9. Changes in HTTPAUTH revision 01 . . . . . . . . . . . . . 15 | C.9. Changes in HTTPAUTH revision 01 . . . . . . . . . . . . . 15 | |||

C.10. Changes in revision 02 . . . . . . . . . . . . . . . . . . 15 | C.10. Changes in revision 02 . . . . . . . . . . . . . . . . . . 15 | |||

C.11. Changes in revision 01 . . . . . . . . . . . . . . . . . . 15 | C.11. Changes in revision 01 . . . . . . . . . . . . . . . . . . 15 | |||

C.12. Changes in revision 00 . . . . . . . . . . . . . . . . . . 15 | C.12. Changes in revision 00 . . . . . . . . . . . . . . . . . . 15 | |||

Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||

1. Introduction | 1. Introduction | |||

This document specifies algorithms for use withMutual authentication | This document specifies algorithms for use with Mutual authentication | |||

protocol for Hyper-Text Transport Protocol (HTTP) | protocol for Hyper-Text Transport Protocol (HTTP) | |||

[I-D.ietf-httpauth-mutual]. The algorithms are based on "Augmented | [I-D.ietf-httpauth-mutual] (referred as the "core specification" | |||

Password-based Authenticated Key Exchange" (Augmented PAKE) | hereafter). The algorithms are based on "Augmented Password-based | |||

techniques. In particular, it uses one of three key exchange | Authenticated Key Exchange" (Augmented PAKE) techniques. In | |||

algorithms defined in ISO 11770-4: "Key management - Mechanisms based | particular, it uses one of three key exchange algorithms defined in | |||

on weak secrets" [ISO.11770-4.2006] as its basis. | ISO 11770-4: "Key management - Mechanisms based on weak secrets" | |||

[ISO.11770-4.2006] as its basis. | ||||

In very brief summary, Mutual authentication protocol exchanges four | In very brief summary, Mutual authentication protocol exchanges four | |||

values, K_c1, K_s1, VK_c and VK_s, to perform authenticated key | values, K_c1, K_s1, VK_c and VK_s, to perform authenticated key | |||

exchanges, using the password-derived secret pi and its "augmented | exchanges, using the password-derived secret pi and its "augmented | |||

version" J(pi). This document defines the set of functions K_c1, | version" J(pi). This document defines the set of functions K_c1, | |||

K_s1, and J for a specific algorithm family. | K_s1, and J for a specific algorithm family. | |||

Please note that from the view of cryptographic literature, the | Please note that from the view of cryptographic literature, the | |||

original functionality of Augmented PAKE is separated into the | original functionality of Augmented PAKE is separated into the | |||

functions K_c1 and K_s1 as defined in this draft, and the functions | functions K_c1 and K_s1 as defined in this draft, and the functions | |||

skipping to change at page 3, line 40 | skipping to change at page 3, line 41 | |||

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||

"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||

"OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||

[RFC2119]. | [RFC2119]. | |||

The term "natural numbers" refers to the non-negative integers | The term "natural numbers" refers to the non-negative integers | |||

(including zero) throughout this document. | (including zero) throughout this document. | |||

This document treats both the input (domain) and the output | This document treats both the input (domain) and the output | |||

(codomain) of hash functions to be octet strings. When a natural | (codomain) of hash functions to be octet strings. When a natural | |||

number output is required, the notation INT(H(s)) is used. | number output of hash function H is required, it will be notated like | |||

INT(H(s)). | ||||

2. Cryptographic Overview (Non-normative) | 2. Cryptographic Overview (Non-normative) | |||

The cryptographic primitive used in this algorithm specification is | The cryptographic primitive used in this algorithm specification is | |||

based on a variant of augmented PAKE proposed by T. Kwon, called | based on a variant of augmented PAKE proposed by T. Kwon, called | |||

APKAS-AMP, originally submitted to IEEE P1363.2. The general flow of | APKAS-AMP, originally submitted to IEEE P1363.2. The general flow of | |||

the successful exchange is shown below, for informative purposes | the successful exchange is shown below, for informative purposes | |||

only. The DL-based notations are used, and all group operations (mod | only. The multiplicative notations are used for group operators, and | |||

q and mod r) are omitted. | all modulus operations for finite groups (mod q and mod r) are | |||

omitted. | ||||

Note that the only messages corresponding to the first two messages | ||||

are defined in this specification. Those for latter two messages are | ||||

defined in the main specification [I-D.ietf-httpauth-mutual]. | ||||

C: S_c1 = random | C: S_c1 = random | |||

C: K_c1 = g^(S_c1) | C: K_c1 = g^(S_c1) | |||

----- ID, K_c1 -----> | ----- ID, K_c1 -----> | |||

C: t_1 = H1(K_c1) S: t_1 = H1(K_c1) | C: t_1 = H1(K_c1) S: t_1 = H1(K_c1) | |||

S: fetch J = g^pi by ID | S: fetch J = g^pi by ID | |||

S: S_s1 = random | S: S_s1 = random | |||

S: K_s1 = (J * K_c1^(t_1))^(S_s1) | S: K_s1 = (J * K_c1^(t_1))^(S_s1) | |||

<----- K_s1 ----- | <----- K_s1 ----- | |||

C: t_2 = H2(K_c1, K_s1) S: t_2 = H2(K_c1, K_s1) | C: t_2 = H2(K_c1, K_s1) S: t_2 = H2(K_c1, K_s1) | |||

skipping to change at page 4, line 28 | skipping to change at page 4, line 27 | |||

(assumption at this point: z = z' if authentication succeeded) | (assumption at this point: z = z' if authentication succeeded) | |||

C: VK_c = H4(K_c1, K_s1, z) S: VK_c' = H4(K_c1, K_s1, z') | C: VK_c = H4(K_c1, K_s1, z) S: VK_c' = H4(K_c1, K_s1, z') | |||

----- VK_c -------> | ----- VK_c -------> | |||

S: assert(VK_c = VK_c') | S: assert(VK_c = VK_c') | |||

C: VK_s' = H3(K_c1, K_s1, z) S: VK_s = H3(K_c1, K_s1, z') | C: VK_s' = H3(K_c1, K_s1, z) S: VK_s = H3(K_c1, K_s1, z') | |||

<----- VK_s ------ | <----- VK_s ------ | |||

C: assert(VK_s = VK_s') | C: assert(VK_s = VK_s') | |||

Note that the concrete (binary) message formats (mapping to HTTP | ||||

messages), as well as the formal definitions of equations for the | ||||

latter two messages, are defined in core specification | ||||

[I-D.ietf-httpauth-mutual]. The formal definitions for values | ||||

corresponding to the first two messages are defined in the following | ||||

sections. | ||||

3. Authentication Algorithms | 3. Authentication Algorithms | |||

This document specifies one family of APKAS-AMP based algorithm. | This document specifies one family of APKAS-AMP based algorithm. | |||

This family consists of four authentication algorithms, which differ | This family consists of four authentication algorithms, which differ | |||

only in their underlying mathematical groups and security parameters. | only in their underlying mathematical groups and security parameters. | |||

These algorithms do not add any additional parameters. The tokens | These algorithms do not add any additional parameters. The tokens | |||

for these algorithms are | for these algorithms are | |||

o iso-kam3-dl-2048-sha256: for the 2048-bit discrete logarithm | o iso-kam3-dl-2048-sha256: for the 2048-bit discrete logarithm | |||

setting with the SHA-256 hash function. | setting with the SHA-256 hash function. | |||

skipping to change at page 7, line 17 | skipping to change at page 7, line 21 | |||

protocol exchange. This functionality is contained in the functions | protocol exchange. This functionality is contained in the functions | |||

VK_c and VK_s.) | VK_c and VK_s.) | |||

3.3. Functions for Elliptic-Curve Settings | 3.3. Functions for Elliptic-Curve Settings | |||

For the elliptic-curve setting, we refer to some of the domain | For the elliptic-curve setting, we refer to some of the domain | |||

parameters by the following symbols: | parameters by the following symbols: | |||

o q: for the prime used to define the group. | o q: for the prime used to define the group. | |||

o G: for the defined point called the generator. | o G: for the point defined with the underlying group called "the | |||

generator". | ||||

o h: for the cofactor of the group. | o h: for the cofactor of the group. | |||

o r: for the order of the subgroup generated by G. | o r: for the order of the subgroup generated by G. | |||

The function P(p) converts a curve point p into an integer | The function P(p) converts a curve point p into an integer | |||

representing point p, by computing x * 2 + (y mod 2), where (x, y) | representing point p, by computing x * 2 + (y mod 2), where (x, y) | |||

are the coordinates of point p. P'(z) is the inverse of function P, | are the coordinates of point p. P'(z) is the inverse of function P, | |||

that is, it converts an integer z to a point p that satisfies P(p) = | that is, it converts an integer z to a point p that satisfies P(p) = | |||

z. If such p exists, it is uniquely defined. Otherwise, z does not | z. If such p exists, it is uniquely defined. Otherwise, z does not | |||

skipping to change at page 10, line 6 | skipping to change at page 10, line 6 | |||
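Added example, not code from the draft or from any implementation of it: the point-to-integer map P(p) = x * 2 + (y mod 2) of Section 3.3 and its inverse P'(z), worked on a constructed toy curve y^2 = x^3 + x + 1 over GF(23). The curve, its parameters and the sample points are assumptions chosen for a small, checkable example; the modulus was picked with q ≡ 3 (mod 4) so that a square root can be taken as n^((q+1)/4) (the P-256 and P-521 field primes also satisfy this). P'(z) handles the two edge cases the text raises: an x that is not the abscissa of any point (no square root exists), and uniqueness when y = 0 (the single root is even, so an odd z with that x names no point).

```python
from typing import Optional, Tuple

# Constructed toy curve for the demo: y^2 = x^3 + A*x + B over GF(Q), Q ≡ 3 (mod 4).
# Only the P / P' logic matters here; a deployment uses the draft's standard curves.
Q, A, B = 23, 1, 1
Point = Tuple[int, int]


def on_curve(p: Point) -> bool:
    """True if p = (x, y) satisfies the curve equation with reduced coordinates."""
    x, y = p
    return 0 <= x < Q and 0 <= y < Q and (y * y - (x ** 3 + A * x + B)) % Q == 0


def P(p: Point) -> int:
    """P(p) = x * 2 + (y mod 2): the x coordinate followed by one parity bit of y."""
    if not on_curve(p):
        raise ValueError("not a point on the curve")
    x, y = p
    return x * 2 + (y % 2)


def sqrt_mod_q(n: int) -> Optional[int]:
    """Square root modulo Q for Q ≡ 3 (mod 4); None when n is a non-residue."""
    n %= Q
    y = pow(n, (Q + 1) // 4, Q)
    return y if (y * y) % Q == n else None


def P_inverse(z: int) -> Optional[Point]:
    """P'(z): the unique point p with P(p) = z, or None if no such point exists."""
    x, parity = z // 2, z % 2
    if not 0 <= x < Q:
        return None
    y = sqrt_mod_q(x ** 3 + A * x + B)
    if y is None:
        return None                 # x is not the abscissa of any curve point
    if y % 2 != parity:
        y = (Q - y) % Q             # the other root has the opposite parity (unless y == 0)
    if y % 2 != parity:
        return None                 # y == 0: only one root exists, and it is even
    return (x, y)
```

On this curve (1, 7) and (1, 16) share x = 1 and map to z = 3 and z = 2; (4, 0) maps to z = 8, while z = 9 names no point; x = 2 is not the abscissa of any point, so z = 4 and z = 5 both fail decompression, which is the "otherwise" branch of the text.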

The latter usually involves some kinds of exchange transaction to | The latter usually involves some kinds of exchange transaction to | |||

be verified, to avoid security risks or vulnerabilities caused by | be verified, to avoid security risks or vulnerabilities caused by | |||

mixing values from two or more key exchanges. In the design | mixing values from two or more key exchanges. In the design | |||

of the algorithms in this document, such a functionality is | of the algorithms in this document, such a functionality is | |||

defined in a generalized manner in the core specification | defined in a generalized manner in the core specification | |||

[I-D.ietf-httpauth-mutual] (see definitions of VK_c and VK_s). If | [I-D.ietf-httpauth-mutual] (see definitions of VK_c and VK_s). If | |||

the algorithm defined above is used in other protocols, this | the algorithm defined above is used in other protocols, this | |||

aspect MUST be given careful consideration. | aspect MUST be given careful consideration. | |||

o The domain parameters chosen and specified in this draft are based | o The domain parameters chosen and specified in this draft are based | |||

on a few assumptions. In the DL setting, q has to be a safe prime | on a few assumptions. In the discrete-logarithm setting, q has to | |||

([(q - 1) / 2] must also be prime), and r should be the largest | be a safe prime ([(q - 1) / 2] must also be prime), and r should | |||

possible value [(q - 1) / 2]. In the EC setting, r has to be | be the largest possible value [(q - 1) / 2]. In the elliptic- | |||

prime. Defining a variation of this algorithm using a different | curve setting, r has to be prime. Defining a variation of this | |||

domain parameter SHOULD be attentive to these conditions. | algorithm using a different domain parameter SHOULD be attentive | |||

to these conditions. | ||||
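Added example, not code from the draft or from any implementation of it, serving two passages: the informative flow of Section 2 and the domain-parameter conditions in the bullet above (q a safe prime, r the largest possible value (q - 1) / 2). It runs the four-message exchange over a small discrete-logarithm group, after checking those conditions, and reports whether each side accepted. The z / z' step is elided on this page; the example uses the APKAS-AMP formulas z = K_s1^((S_c1 + t_2) / (S_c1 * t_1 + pi)) on the client and z' = (K_c1 * g^(t_2))^(S_s1) on the server, which yield z = z' under the K_s1 definition shown in Section 2. The 64-bit demo group, the SHA-256 framing used for H1..H4, the pi derivation and the sample user and passwords are all constructed assumptions; the draft's octet encodings and its Appendix A groups are not reproduced here.

```python
import hashlib
import hmac
import random

# --- Domain-parameter conditions from the Security Considerations bullet ---

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test with witnesses seeded from n, so the check is reproducible."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dl_parameters(q: int, g: int, r: int) -> bool:
    """q must be a safe prime, r must equal (q - 1) / 2, and g must generate the order-r subgroup."""
    return (is_probable_prime(q) and r == (q - 1) // 2 and is_probable_prime(r)
            and 1 < g < q - 1 and pow(g, r, q) == 1)


def make_demo_group(bits: int, seed: int):
    """Constructed demo group (assumption): a freshly generated small safe prime.
    A deployment uses the fixed 2048/4096-bit groups of Appendix A, never a generated one."""
    rng = random.Random(seed)
    while True:
        r = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        q = 2 * r + 1
        if is_probable_prime(r) and is_probable_prime(q):
            break
    g = 4  # a quadratic residue, hence a generator of the order-r subgroup
    assert check_dl_parameters(q, g, r)
    return q, g, r

# --- Support functions (octet framing and pi derivation are constructed, not the draft's) ---

def H(tag: bytes, *values: int) -> bytes:
    """H1..H4 modelled as SHA-256 with a per-function tag; integers are length-prefixed."""
    h = hashlib.sha256(tag)
    for v in values:
        b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()


def INT(octets: bytes) -> int:
    return int.from_bytes(octets, "big")


def in_subgroup(q: int, r: int, k: int) -> bool:
    """Reject 0, 1, q-1 and anything outside the order-r subgroup before exponentiating with it."""
    return 1 < k < q - 1 and pow(k, r, q) == 1


def derive_pi(r: int, user: str, password: str) -> int:
    """Placeholder password-derived secret pi (the draft's own derivation is not on this page)."""
    return INT(hashlib.sha256(f"{user}\0{password}".encode()).digest()) % r

# --- The Section 2 flow; returns (server_accepted, client_accepted) ---

def exchange(group, user: str, client_pw: str, server_pw: str, seed: int):
    q, g, r = group
    rng = random.Random(seed)                     # ephemeral randomness; seeded only for the demo
    pi = derive_pi(r, user, client_pw)            # C: knows pi
    J = pow(g, derive_pi(r, user, server_pw), q)  # S: stores only J = g^pi, fetched by ID
    S_c1 = rng.randrange(1, r)                    # C: S_c1 = random
    K_c1 = pow(g, S_c1, q)                        # C: K_c1 = g^(S_c1)      ----- ID, K_c1 ----->
    if not in_subgroup(q, r, K_c1):
        return False, False
    t_1 = INT(H(b"H1", K_c1)) % r                 # C, S: t_1 = H1(K_c1)
    S_s1 = rng.randrange(1, r)                    # S: S_s1 = random
    K_s1 = pow(J * pow(K_c1, t_1, q), S_s1, q)    # S: K_s1 = (J * K_c1^(t_1))^(S_s1)  <-- K_s1 --
    if not in_subgroup(q, r, K_s1):
        return False, False
    t_2 = INT(H(b"H2", K_c1, K_s1)) % r           # C, S: t_2 = H2(K_c1, K_s1)
    denom = (S_c1 * t_1 + pi) % r
    if denom == 0:                                # probability 1/r; a client would pick a new S_c1
        return False, False
    z = pow(K_s1, (S_c1 + t_2) * pow(denom, -1, r) % r, q)   # C: z  (APKAS-AMP; elided on page)
    z_prime = pow(K_c1 * pow(g, t_2, q), S_s1, q)            # S: z' (APKAS-AMP; elided on page)
    VK_c = H(b"H4", K_c1, K_s1, z)                           # C: VK_c      ----- VK_c ----->
    if not hmac.compare_digest(VK_c, H(b"H4", K_c1, K_s1, z_prime)):
        return False, False                       # S: assert(VK_c = VK_c') failed; no VK_s is sent
    VK_s = H(b"H3", K_c1, K_s1, z_prime)                     # S: VK_s      <----- VK_s -----
    client_ok = hmac.compare_digest(VK_s, H(b"H3", K_c1, K_s1, z))  # C: assert(VK_s = VK_s')
    return True, client_ok
```

Two defender-side details are deliberate: both parties reject a received K value that is 0, 1, q-1 or outside the order-r subgroup before raising it to a secret exponent, and the VK comparisons are constant-time. With a mismatched password z and z' differ, the server's check of VK_c fails, and it never emits VK_s, so the client learns nothing about J beyond the failure.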

6. Intellectual Properties Notice | ||||

The National Institute of Advanced Industrial Science and Technology | ||||

(AIST) and Yahoo! Japan, Inc. have jointly submitted a patent | ||||

application on the protocol proposed in this documentation to the | ||||

Patent Office of Japan. The patent is intended to be open to any | ||||

implementer of this protocol and its variants in a non-exclusive | ||||

royalty-free manner. For the details of the patent application and | ||||

its status, please contact the author of this document. | ||||

The elliptic-curve based authentication algorithms might involve | ||||

several existing third-party patents. The authors of the document | ||||

take no position regarding the validity or scope of such patents, and | ||||

other patents as well. | ||||

7. References | 6. References | |||

7.1. Normative References | 6.1. Normative References | |||

[FIPS.180-2.2002] | [FIPS.180-2.2002] | |||

National Institute of Standards and Technology, "Secure | National Institute of Standards and Technology, "Secure | |||

Hash Standard", FIPS PUB 180-2, August 2002, <http:// | Hash Standard", FIPS PUB 180-2, August 2002, <http:// | |||

csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf>. | csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf>. | |||

[FIPS.186-4.2013] | [FIPS.186-4.2013] | |||

National Institute of Standards and Technology, "Digital | National Institute of Standards and Technology, "Digital | |||

Signature Standard (DSS)", FIPS PUB 186-4, July 2013, <htt | Signature Standard (DSS)", FIPS PUB 186-4, July 2013, <htt | |||

p://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf>. | p://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf>. | |||

[I-D.ietf-httpauth-mutual] | [I-D.ietf-httpauth-mutual] | |||

Oiwa, Y., Watanabe, H., Takagi, H., Maeda, K., Hayashi, | Oiwa, Y., Watanabe, H., Takagi, H., Maeda, K., Hayashi, | |||

T., and Y. Ioku, "Mutual Authentication Protocol for | T., and Y. Ioku, "Mutual Authentication Protocol for | |||

HTTP", draft-ietf-httpauth-mutual-09 (work in progress), | HTTP", draft-ietf-httpauth-mutual-11 (work in progress), | |||

August 2016. | November 2016. | |||

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||

Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ | Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ | |||

RFC2119, March 1997, | RFC2119, March 1997, | |||

<http://www.rfc-editor.org/info/rfc2119>. | <http://www.rfc-editor.org/info/rfc2119>. | |||

[RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) | [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) | |||

Diffie-Hellman groups for Internet Key Exchange (IKE)", | Diffie-Hellman groups for Internet Key Exchange (IKE)", | |||

RFC 3526, DOI 10.17487/RFC3526, May 2003, | RFC 3526, DOI 10.17487/RFC3526, May 2003, | |||

<http://www.rfc-editor.org/info/rfc3526>. | <http://www.rfc-editor.org/info/rfc3526>. | |||

7.2. Informative References | 6.2. Informative References | |||

[ISO.11770-4.2006] | [ISO.11770-4.2006] | |||

International Organization for Standardization, | International Organization for Standardization, | |||

"Information technology - Security techniques - Key | "Information technology - Security techniques - Key | |||

management - Part 4: Mechanisms based on weak secrets", | management - Part 4: Mechanisms based on weak secrets", | |||

ISO Standard 11770-4, May 2006. | ISO Standard 11770-4, May 2006. | |||

[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic | [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic | |||

Curve Cryptography Algorithms", RFC 6090, DOI 10.17487/ | Curve Cryptography Algorithms", RFC 6090, DOI 10.17487/ | |||

RFC6090, February 2011, | RFC6090, February 2011, | |||

End of changes. 17 change blocks. | ||||

48 lines changed or deleted | 40 lines changed or added | |||

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |