Browse Prior Art Database

Diffie-Hellman Proof-of-Possession Algorithms (RFC2875) Disclosure Number: IPCOM000003476D
Original Publication Date: 2000-Jul-01
Included in the Prior Art Database: 2019-Feb-13
Document File: 23 page(s) / 30K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

H. Prafullchandra: AUTHOR [+1]

Related Documents

10.17487/RFC2875: DOI


This document describes two methods for producing an integrity check value from a Diffie-Hellman key pair. [STANDARDS-TRACK]

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 8% of the total text.

Network Working Group H. Prafullchandra Request for Comments: 2875 Critical Path Inc Category: Standards Track J. Schaad July 2000

Diffie-Hellman Proof-of-Possession Algorithms

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.


This document describes two methods for producing an integrity check value from a Diffie-Hellman key pair. This behavior is needed for such operations as creating the signature of a PKCS #10 certification request. These algorithms are designed to provide a proof-of- possession rather than general purpose signing.

1. Introduction

PKCS #10 [RFC2314] defines a syntax for certification requests. It assumes that the public key being requested for certification corresponds to an algorithm that is capable of signing/encrypting. Diffie-Hellman (DH) is a key agreement algorithm and as such cannot be directly used for signing or encryption.

This document describes two new proof-of-possession algorithms using the Diffie-Hellman key agreement process to provide a shared secret as the basis of an integrity check value. In the first algorithm, the value is constructed for a specific recipient/verifier by using a public key of that verifier. In the second algorithm, the value is constructed for arbitrary verifiers.

Prafullchandra & Schaad Standards Track [Page 1]

RFC 2875 Diffie-Hellman Proof-of-Possession Algorithms July 2000

2. Terminology

The following definitions will be used in this document

DH certificate = a certificate whose SubjectPublicKey is a DH public value and is signed with any signature algorithm (e.g. RSA or DSA).

3. Static DH Proof-of-Possession Process

The steps for creating a DH POP are:

1. An entity (E) chooses the group parameters for a DH key agreement.

This is done simply by selecting the group parameters from a certificate for the recipient of the POP process.

A certificate with the correct group parameters has to be available. Let these common DH parameters be g and p; and let this DH key-pair be known as the Recipient key pair (Rpub and Rpriv).

Rpub = g^x mod p (where x=Rpriv, the private DH value and ^ denotes exponentiation)

2. The entity generates a DH public/private key-pair using the parameters from step 1.

For an entity E:

Epriv = DH private value = y Epub = DH public value = g^y mod p

3. The POP computation process will then consist of:

a) The value to be signed is obtained. (For a RFC2314 object, the value is the DER encoded certificationRequestInfo field represented as an octet string.) This will be the ‘text’ referred to in [RFC2104], the data to which HMAC-SHA1 is applied.

b) A shared DH secret is computed, a...