Diffie-Hellman Proof-of-Possession Algorithms (RFC2875)
Original Publication Date: 2000-Jul-01
Included in the Prior Art Database: 2000-Sep-13
Internet Society Requests For Comment (RFCs)
H. Prafullchandra: AUTHOR [+2]
This document describes two methods for producing an integrity check value from a Diffie-Hellman key pair. This behavior is needed for such operations as creating the signature of a PKCS #10 certification request. These algorithms are designed to provide a proof-of- possession rather than general purpose signing.
Network Working Group H. Prafullchandra
Request for Comments: 2875 Critical Path Inc
Category: Standards Track J. Schaad
Diffie-Hellman Proof-of-Possession Algorithms
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document describes two methods for producing an integrity check
value from a Diffie-Hellman key pair. This behavior is needed for
such operations as creating the signature of a PKCS #10 certification
request. These algorithms are designed to provide a proof-of-
possession rather than general purpose signing.
PKCS #10 [RFC2314] defines a syntax for certification requests. It
assumes that the public key being requested for certification
corresponds to an algorithm that is capable of signing/encrypting.
Diffie-Hellman (DH) is a key agreement algorithm and as such cannot
be directly used for signing or encryption.
This document describes two new proof-of-possession algorithms using
the Diffie-Hellman key agreement process to provide a shared secret
as the basis of an integrity check value. In the first algorithm,
the value is constructed for a specific recipient/verifier by using a
public key of that verifier. In the second algorithm, the value is
constructed for arbitrary verifiers.
The following definitions will be used in this document
DH certificate = a certificate whose SubjectPublicKey is a DH public
value and is signed with any signature algorithm (e.g. RSA or DSA).
3. Static DH Proof-of-Possession Process
The steps for creating a DH POP are:
1. An entity (E) chooses the group parameters for a DH key
This is done simply by selecting the group parameters from a
certificate for the recipient of the POP process.
A certificate with the correct group parameters has to be
available. Let these common DH parameters be g and p; and let
this DH key-pair be known as the Recipient key pair (Rpub and
Rpub = g^x mod p (where x=Rpriv, the private DH value and
^ denotes exponentiation)
2. The entity generates a DH public/private key-pair using the
parameters from step 1.
For an entity E:
Epriv = DH private value = y
Epub = DH public value = g^y mod p
3. The POP computation process will then consist of:
a) The value to be signed is obtained. (For a RFC2314 obje...