draft-ietf-tls-psk-03.txt vs. draft-ietf-tls-psk-04.txt

TLS Working Group                                           P. Eronen, Ed.
Internet-Draft                                                       Nokia
Expires: May 25, 2005 (-03: May 17, 2005)              H. Tschofenig, Ed.
                                                                   Siemens
                                    November 24, 2004 (-03: November 16, 2004)

     Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)
                          draft-ietf-tls-psk-04.txt

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she becomes aware will be disclosed, in accordance with
   RFC 3668.

skipping to change at page 1, line 36

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on May 25, 2005 (-03: May 17, 2005).

Copyright Notice

   Copyright (C) The Internet Society (2004).

Abstract

   This document specifies three sets of new ciphersuites for the
   Transport Layer Security (TLS) protocol to support authentication
   based on pre-shared keys.  These pre-shared keys are symmetric keys,
skipping to change at page 4, line 19

   It is assumed that the reader is familiar with the ordinary TLS
   handshake, shown below.  The elements in parentheses are not included
   when the PSK key exchange algorithm is used.

      Client                                               Server
      ------                                               ------

      ClientHello                 -------->
                                                      ServerHello
                                                    (Certificate)
                                                ServerKeyExchange
                                             (CertificateRequest)
                                  <--------      ServerHelloDone
      (Certificate)
      ClientKeyExchange
      (CertificateVerify)
      ChangeCipherSpec
      Finished                    -------->
                                                 ChangeCipherSpec
                                  <--------             Finished
skipping to change at page 5, line 33

   the character string with an appropriate stringprep [10] profile is
   RECOMMENDED.

   The format of the ServerKeyExchange and ClientKeyExchange messages is
   shown below.

      struct {
          select (KeyExchangeAlgorithm) {
              /* other cases for rsa, diffie_hellman, etc. */
              case psk:  /* NEW */
                  opaque psk_identity_hint<0..2^16-1>;
          };
      } ServerKeyExchange;

      struct {
          select (KeyExchangeAlgorithm) {
              /* other cases for rsa, diffie_hellman, etc. */
              case psk:   /* NEW */
                  opaque psk_identity<0..2^16-1>;
          } exchange_keys;
      } ClientKeyExchange;

   The premaster secret is formed as follows: if the PSK is N octets
   long, concatenate a uint16 with the value N, N zero octets, a second
   uint16 with the value N, and the PSK itself.

      Note 1: All the ciphersuites in this document share the same
      general structure for the premaster secret, namely

          struct {
              opaque other_secret<0..2^16-1>;
              opaque psk<0..2^16-1>;
          };

      Here "other_secret" is either zeroes (plain PSK case), or comes
      from the Diffie-Hellman or RSA exchange (DHE_PSK and RSA_PSK,
      respectively).  See Sections 3 and 4 for a more detailed
      description.

      Note 2: Using zeroes for "other_secret" effectively means that
      only the HMAC-SHA1 part (but not the HMAC-MD5 part) of the TLS PRF
      is used when constructing the master secret.  See [8] for a more
skipping to change at page 7, line 25

   PSK identity and identity hint fields have the same meaning as in the
   previous section.

   The format of the ServerKeyExchange and ClientKeyExchange messages is
   shown below.

      struct {
          select (KeyExchangeAlgorithm) {
              /* other cases for rsa, diffie_hellman, etc. */
              case diffie_hellman_psk:  /* NEW */
                  opaque psk_identity_hint<0..2^16-1>;
                  ServerDHParams params;
          };
      } ServerKeyExchange;

      struct {
          select (KeyExchangeAlgorithm) {
              /* other cases for rsa, diffie_hellman, etc. */
              case diffie_hellman_psk:   /* NEW */
                  opaque psk_identity<0..2^16-1>;
                  ClientDiffieHellmanPublic public;
          } exchange_keys;
      } ClientKeyExchange;

   The premaster secret is formed as follows.  Let Z be the value
   produced by the Diffie-Hellman exchange (with leading zero bytes
   stripped as in other Diffie-Hellman based ciphersuites).  Concatenate
   a uint16 containing the length of Z (in octets), Z itself, a uint16
   containing the length of the PSK (in octets), and the PSK itself.
   This corresponds to the general structure for the premaster secrets
   (see Note 1 in Section 2) in this document, with "other_secret"
   containing Z.
4.  RSA_PSK key exchange algorithm

   The ciphersuites in this section use RSA and certificates to
   authenticate the server, in addition to using a PSK.

   As in normal RSA ciphersuites, the server must send a Certificate
   message.  The format of the ServerKeyExchange and ClientKeyExchange
   messages is shown below.

      struct {
          select (KeyExchangeAlgorithm) {
              /* other cases for rsa, diffie_hellman, etc. */
              case rsa_psk:  /* NEW */
                  opaque psk_identity_hint<0..2^16-1>;
          };
      } ServerKeyExchange;

      struct {
          select (KeyExchangeAlgorithm) {
              /* other cases for rsa, diffie_hellman, etc. */
              case rsa_psk:   /* NEW */
                  opaque psk_identity<0..2^16-1>;
                  EncryptedPreMasterSecret;
          } exchange_keys;
      } ClientKeyExchange;

   The EncryptedPreMasterSecret field sent from the client to the server
   contains a 2-byte version number and a 46-byte random value,
   encrypted using the server's RSA public key as described in Section
   7.4.7.1 of [3].  The actual premaster secret is formed by both
   parties as follows: concatenate a uint16 with the value 48, the
   2-byte version number and the 46-byte random value, a uint16
   containing the length of the PSK (in octets), and the PSK itself.
   This corresponds to the general structure for the premaster secrets
   (see Note 1 in Section 2) in this document, with "other_secret"
   containing both the 2-byte version number and the 46-byte random
   value.
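   The three premaster-secret constructions (plain PSK in Section 2,
   DHE_PSK in Section 3, RSA_PSK in this section) are all instances of
   the other_secret/psk structure from Note 1.  The following Python is
   added here as an illustration and is not part of the draft: it builds
   each variant and parses the result back, rejecting buffers whose two
   length fields do not account for every octet.  The PSK, Z and random
   values it is fed are constructed samples.

```python
"""Premaster secret construction for the PSK, DHE_PSK and RSA_PSK key
exchanges (Sections 2-4), all instances of the Note 1 structure
    opaque other_secret<0..2^16-1>; opaque psk<0..2^16-1>;
Illustrative code; every key and value fed to it is a constructed sample."""
import struct

MAX_OPAQUE = 2**16 - 1  # upper bound of an <0..2^16-1> vector

def opaque16(data: bytes) -> bytes:
    """Encode a TLS opaque<0..2^16-1> vector: uint16 length, then the bytes."""
    if len(data) > MAX_OPAQUE:
        raise ValueError("vector exceeds 2^16-1 octets")
    return struct.pack("!H", len(data)) + data

def premaster_secret(other_secret: bytes, psk: bytes) -> bytes:
    """General structure shared by all three key exchanges (Note 1)."""
    return opaque16(other_secret) + opaque16(psk)

def psk_premaster(psk: bytes) -> bytes:
    """Plain PSK (Section 2): other_secret is N zero octets, N = len(psk)."""
    return premaster_secret(b"\x00" * len(psk), psk)

def dhe_psk_premaster(z: bytes, psk: bytes) -> bytes:
    """DHE_PSK (Section 3): other_secret is the DH value Z with leading
    zero octets stripped, as in the other Diffie-Hellman ciphersuites."""
    return premaster_secret(z.lstrip(b"\x00"), psk)

def rsa_psk_premaster(version: bytes, random46: bytes, psk: bytes) -> bytes:
    """RSA_PSK (Section 4): other_secret is the 2-byte version number plus
    the 46-byte random value, i.e. the 48 octets the client RSA-encrypted."""
    if len(version) != 2 or len(random46) != 46:
        raise ValueError("RSA_PSK other_secret must be 2 + 46 octets")
    return premaster_secret(version + random46, psk)

def parse_premaster(pms: bytes) -> tuple:
    """Split a premaster secret back into (other_secret, psk), rejecting
    buffers whose two length fields do not account for every octet."""
    if len(pms) < 2:
        raise ValueError("truncated premaster secret")
    n1 = struct.unpack("!H", pms[:2])[0]
    if len(pms) < 4 + n1:
        raise ValueError("other_secret length exceeds buffer")
    n2 = struct.unpack("!H", pms[2 + n1:4 + n1])[0]
    if len(pms) != 4 + n1 + n2:
        raise ValueError("psk length does not match buffer")
    return pms[2:2 + n1], pms[4 + n1:4 + n1 + n2]
```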
   Neither the normal RSA ciphersuites nor these RSA_PSK ciphersuites
   themselves specify what the certificates contain (in addition to the
   RSA public key), or how the certificates are to be validated.  In
   particular, it is possible to use the RSA_PSK ciphersuites with
   unvalidated self-signed certificates to provide somewhat similar
   protection against dictionary attacks as the DHE_PSK ciphersuites
   defined in Section 3.

5.  IANA considerations
skipping to change at page 12, line 12

   [10]  Hoffman, P. and M. Blanchet, "Preparation of Internationalized
         Strings ("stringprep")", RFC 3454, December 2002.

   [11]  Dierks, T. and E. Rescorla, "The TLS Protocol Version 1.1",
         draft-ietf-tls-rfc2246-bis-08 (work in progress), August 2004.

   [12]  Medvinsky, A. and M. Hur, "Addition of Kerberos Cipher Suites
         to Transport Layer Security (TLS)", RFC 2712, October 1999.

   [13]  Simon, D., "Addition of Shared Key Authentication to Transport
         Layer Security (TLS)", draft-ietf-tls-passauth-00 (expired),
         November 1996.

   [14]  Taylor, D., Wu, T., Mavroyanopoulos, N. and T. Perrin, "Using
         SRP for TLS Authentication", draft-ietf-tls-srp-08 (work in
         progress), August 2004.

Authors' and Contributors' Addresses

   Pasi Eronen
   Nokia Research Center
skipping to change at page 14, line 9

   ENST Telecom
   46 rue Barrault
   75634 Paris
   France

   Email: Ahmed.Serhrouchni@enst.fr

Appendix A.  Changelog

   (This section should be removed by the RFC Editor before
   publication.)

   Changes from -03 to -04:

   o  Added a note about premaster secret "general structure" in
      Sections 3 and 4.

   o  Something in the I-D submission procedure had removed all
      circumflexes from the -03 version, turning e.g. "2^16"
      (two to the sixteenth power) into "216" (two hundred and sixteen).
      Let's try again.

   Changes from -02 to -03:

   o  Aligned the way the premaster secret is derived.

   o  Specified that identities must be sent as human-readable UTF-8
      strings, not in binary formats.  Changed reference to RFC 3629
      from informative to normative.

   o  Selected ciphersuite and alert numbers, and updated IANA

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/