draft-ietf-tls-psk-04.txt   draft-ietf-tls-psk-05.txt 
TLS Working Group P. Eronen, Ed. TLS Working Group P. Eronen, Ed.
Internet-Draft Nokia Internet-Draft Nokia
Expires: May 25, 2005 H. Tschofenig, Ed. Expires: June 17, 2005 H. Tschofenig, Ed.
Siemens Siemens
November 24, 2004 December 17, 2004
Pre-Shared Key Ciphersuites for Transport Layer Security (TLS) Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)
draft-ietf-tls-psk-04.txt draft-ietf-tls-psk-05.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is subject to all provisions This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with which he or she become aware will be disclosed, in accordance with
RFC 3668. RFC 3668.
skipping to change at page 1, line 36 skipping to change at page 1, line 37
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 25, 2005. This Internet-Draft will expire on June 17, 2005.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2004). Copyright (C) The Internet Society (2004).
Abstract Abstract
This document specifies three sets of new ciphersuites for the This document specifies three sets of new ciphersuites for the
Transport Layer Security (TLS) protocol to support authentication Transport Layer Security (TLS) protocol to support authentication
based on pre-shared keys. These pre-shared keys are symmetric keys, based on pre-shared keys. These pre-shared keys are symmetric keys,
skipping to change at page 4, line 12 skipping to change at page 4, line 12
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [1]. document are to be interpreted as described in [1].
2. PSK key exchange algorithm 2. PSK key exchange algorithm
This section defines the PSK key exchange algorithm and associated This section defines the PSK key exchange algorithm and associated
ciphersuites. These ciphersuites use only symmetric key algorithms. ciphersuites. These ciphersuites use only symmetric key algorithms.
It is assumed that the reader is familiar with ordinary TLS It is assumed that the reader is familiar with ordinary TLS
handshake, shown below. The elements in parenthesis are not included handshake, shown below. The elements in parenthesis are not included
when PSK key exchange algorithm is used. when PSK key exchange algorithm is used, and "*" indicates a
situation-dependent message that is not always sent.
Client Server Client Server
------ ------ ------ ------
ClientHello --------> ClientHello -------->
ServerHello ServerHello
(Certificate) (Certificate)
ServerKeyExchange ServerKeyExchange*
(CertificateRequest) (CertificateRequest)
<-------- ServerHelloDone <-------- ServerHelloDone
(Certificate) (Certificate)
ClientKeyExchange ClientKeyExchange
(CertificateVerify) (CertificateVerify)
ChangeCipherSpec ChangeCipherSpec
Finished --------> Finished -------->
ChangeCipherSpec ChangeCipherSpec
<-------- Finished <-------- Finished
Application Data <-------> Application Data Application Data <-------> Application Data
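Review bot: the new legend for this diagram says that "*" marks "a situation-dependent message that is not always sent" but never says what the situation is, so a reader of the diagram cannot tell when to expect ServerKeyExchange. Since Sections 2 and 4 now omit it when no PSK identity hint is provided while Section 3 always sends it, the legend should state the rule directly, e.g. "ServerKeyExchange is always sent for DHE_PSK, and for PSK and RSA_PSK only when the server provides an identity hint (see Sections 2-4)."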
skipping to change at page 4, line 46 skipping to change at page 4, line 47
ciphersuite in the ServerHello message, and includes an appropriate ciphersuite in the ServerHello message, and includes an appropriate
ServerKeyExchange message (see below). The Certificate and ServerKeyExchange message (see below). The Certificate and
CertificateRequest payloads are omitted from the response. CertificateRequest payloads are omitted from the response.
Both clients and servers may have pre-shared keys with several Both clients and servers may have pre-shared keys with several
different parties. The client indicates which key to use by different parties. The client indicates which key to use by
including a "PSK identity" in the ClientKeyExchange message (note including a "PSK identity" in the ClientKeyExchange message (note
that unlike in [7], the session_id field in ClientHello message keeps that unlike in [7], the session_id field in ClientHello message keeps
its usual meaning). To help the client in selecting which identity its usual meaning). To help the client in selecting which identity
to use, the server can provide a "PSK identity hint" in the to use, the server can provide a "PSK identity hint" in the
ServerKeyExchange message (note that if no hint is provided, a ServerKeyExchange message. If no hint is provided, the
ServerKeyExchange message is still sent). ServerKeyExchange message is omitted.
It is expected that different types of identities are useful for It is expected that different types of identities are useful for
different applications running over TLS. This document does not different applications running over TLS. This document does not
therefore mandate the use of any particular type of identity (such as therefore mandate the use of any particular type of identity (such as
IPv4 address or FQDN) or identity hint; neither is specified how IPv4 address or FQDN) or identity hint; neither is specified how
exactly the client uses the hint (if it uses it at all). exactly the client uses the hint (if it uses it at all).
To increase the chances for successful interoperation between To increase the chances for successful interoperation between
applications that do agree on what type of identity is used, the applications that do agree on what type of identity is used, the
identity MUST be first converted to a character string, and then identity MUST be first converted to a character string, and then
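Review bot: changing "a ServerKeyExchange message is still sent" to "the ServerKeyExchange message is omitted" makes the presence of ServerKeyExchange depend on server-side state the client cannot predict, but the text does not say what the client must accept; add a normative sentence such as "Clients MUST be prepared to receive either a ServerKeyExchange message or ServerHelloDone directly after ServerHello." This is also a wire-visible change from -04, whose clients may treat a missing ServerKeyExchange as a handshake failure, so it deserves a mention next to the rule rather than only in the changelog.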
skipping to change at page 7, line 14 skipping to change at page 7, line 14
3. DHE_PSK key exchange algorithm 3. DHE_PSK key exchange algorithm
This section defines additional ciphersuites that use a PSK to This section defines additional ciphersuites that use a PSK to
authenticate a Diffie-Hellman exchange. These ciphersuites give some authenticate a Diffie-Hellman exchange. These ciphersuites give some
additional protection against dictionary attacks, and also provide additional protection against dictionary attacks, and also provide
Perfect Forward Secrecy (PFS). See Section 6 for discussion of Perfect Forward Secrecy (PFS). See Section 6 for discussion of
related security considerations. related security considerations.
When these ciphersuites are used, the ServerKeyExchange and When these ciphersuites are used, the ServerKeyExchange and
ClientKeyExchange also include the Diffie-Hellman parameters. The ClientKeyExchange messages also include the Diffie-Hellman
PSK identity and identity hint fields have the same meaning as in the parameters. The PSK identity and identity hint fields have the same
previous section. meaning as in the previous section (note that the ServerKeyExchange
message is always sent even if no PSK identity hint is provided).
The format of the ServerKeyExchange and ClientKeyExchange messages is The format of the ServerKeyExchange and ClientKeyExchange messages is
shown below. shown below.
struct { struct {
select (KeyExchangeAlgorithm) { select (KeyExchangeAlgorithm) {
/* other cases for rsa, diffie_hellman, etc. */ /* other cases for rsa, diffie_hellman, etc. */
case diffie_hellman_psk: /* NEW */ case diffie_hellman_psk: /* NEW */
opaque psk_identity_hint<0..2^16-1>; opaque psk_identity_hint<0..2^16-1>;
ServerDHParams params; ServerDHParams params;
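Review bot: the new parenthetical "(note that the ServerKeyExchange message is always sent even if no PSK identity hint is provided)" should also say how "no hint" is encoded in that message. The struct declares opaque psk_identity_hint<0..2^16-1>, so a zero-length vector is the only way to carry the Diffie-Hellman parameters without a hint; stating that ("a zero-length psk_identity_hint indicates that no hint is provided") settles whether an empty hint is distinguishable from an absent one and keeps Section 3 consistent with the omission rule in Sections 2 and 4.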
skipping to change at page 8, line 12 skipping to change at page 8, line 12
(see Note 1 in Section 2) in this document, with "other_secret" (see Note 1 in Section 2) in this document, with "other_secret"
containing Z. containing Z.
4. RSA_PSK key exchange algorithm 4. RSA_PSK key exchange algorithm
The ciphersuites in this section use RSA and certificates to The ciphersuites in this section use RSA and certificates to
authenticate the server, in addition to using a PSK. authenticate the server, in addition to using a PSK.
As in normal RSA ciphersuites, the server must send a Certificate As in normal RSA ciphersuites, the server must send a Certificate
message. The format of the ServerKeyExchange and ClientKeyExchange message. The format of the ServerKeyExchange and ClientKeyExchange
messages is shown below. messages is shown below. If no PSK identity hint is provided, the
ServerKeyExchange message is omitted.
struct { struct {
select (KeyExchangeAlgorithm) { select (KeyExchangeAlgorithm) {
/* other cases for rsa, diffie_hellman, etc. */ /* other cases for rsa, diffie_hellman, etc. */
case rsa_psk: /* NEW */ case rsa_psk: /* NEW */
opaque psk_identity_hint<0..2^16-1>; opaque psk_identity_hint<0..2^16-1>;
}; };
} ServerKeyExchange; } ServerKeyExchange;
struct { struct {
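Review bot: with the added sentence "If no PSK identity hint is provided, the ServerKeyExchange message is omitted", the RSA_PSK ServerKeyExchange carries nothing but the hint, yet the struct still permits opaque psk_identity_hint<0..2^16-1>, i.e. a zero-length hint, so two encodings of "no hint" remain possible. The text should say whether a server MAY send a ServerKeyExchange with an empty hint or MUST omit the message, so that clients implement one rule for PSK and RSA_PSK; the identical sentence in Section 2 needs the same clarification.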
skipping to change at page 12, line 6 skipping to change at page 12, line 6
http://www.imc.org/ietf-tls/mail-archive/msg04098.html. http://www.imc.org/ietf-tls/mail-archive/msg04098.html.
[9] Zeilenga, K., "LDAP: String Representation of Distinguished [9] Zeilenga, K., "LDAP: String Representation of Distinguished
Names", draft-ietf-ldapbis-dn-15 (work in progress), October Names", draft-ietf-ldapbis-dn-15 (work in progress), October
2004. 2004.
[10] Hoffman, P. and M. Blanchet, "Preparation of Internationalized [10] Hoffman, P. and M. Blanchet, "Preparation of Internationalized
Strings ("stringprep")", RFC 3454, December 2002. Strings ("stringprep")", RFC 3454, December 2002.
[11] Dierks, T. and E. Rescorla, "The TLS Protocol Version 1.1", [11] Dierks, T. and E. Rescorla, "The TLS Protocol Version 1.1",
draft-ietf-tls-rfc2246-bis-08 (work in progress), August 2004. draft-ietf-tls-rfc2246-bis-09 (work in progress), December
2004.
[12] Medvinsky, A. and M. Hur, "Addition of Kerberos Cipher Suites [12] Medvinsky, A. and M. Hur, "Addition of Kerberos Cipher Suites
to Transport Layer Security (TLS)", RFC 2712, October 1999. to Transport Layer Security (TLS)", RFC 2712, October 1999.
[13] Simon, D., "Addition of Shared Key Authentication to Transport [13] Simon, D., "Addition of Shared Key Authentication to Transport
Layer Security (TLS)", draft-ietf-tls-passauth-00 (expired), Layer Security (TLS)", draft-ietf-tls-passauth-00 (expired),
November 1996. November 1996.
[14] Taylor, D., Wu, T., Mavroyanopoulos, N. and T. Perrin, "Using [14] Taylor, D., Wu, T., Mavroyanopoulos, N. and T. Perrin, "Using
SRP for TLS Authentication", draft-ietf-tls-srp-08 (work in SRP for TLS Authentication", draft-ietf-tls-srp-08 (work in
skipping to change at page 14, line 10 skipping to change at page 14, line 10
46 rue Barrault 46 rue Barrault
75634 Paris 75634 Paris
France France
Email: Ahmed.Serhrouchni@enst.fr Email: Ahmed.Serhrouchni@enst.fr
Appendix A. Changelog Appendix A. Changelog
(This section should be removed by the RFC Editor before (This section should be removed by the RFC Editor before
publication.) publication.)
Changes from -04 to -05:
o Omit ServerKeyExchange message (in PSK/RSA_PSK versions) if no
identity hint is provided.
Changes from -03 to -04: Changes from -03 to -04:
o Added a note about premaster secret "general structure" in o Added a note about premaster secret "general structure" in
Sections 3 and 4. Sections 3 and 4.
o Something in the I-D submission procedure had removed all o Something in the I-D submission procedure had removed all
circumflexes from -03 version, turning e.g. "2^16" (two-to- circumflexes from -03 version, turning e.g. "2^16" (two-to-
the sixteenth power) to "216" (two hundred and sixteen). the sixteenth power) to "216" (two hundred and sixteen).
Let's try again. Let's try again.
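Review bot: the new "Changes from -04 to -05" entry lists only the ServerKeyExchange omission, but this revision also adds the "*" notation to the handshake diagram in Section 2, the explicit statement in Section 3 that DHE_PSK always sends ServerKeyExchange, and the update of reference [11] to draft-ietf-tls-rfc2246-bis-09; list those as well, and flag the omission rule as a change in on-the-wire behaviour relative to -04 so that implementers know a -04 client and a -05 server may not interoperate when no hint is provided.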
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/