Internet Draft Josh Benaloh Butler Lampson Daniel Simon Terence Spies Bennet Yee Microsoft Corp. October 1995 The Private Communication Technology Protocol 1. Status of this Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress". To learn the current status of any Internet-Draft, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). This Internet-Draft expires 27 March 1996. 2. Abstract This document specifies Version 1 of the Private Communication Technology (PCT) protocol, a security protocol that provides privacy over the Internet. Like SSL (see [1]), the protocol is intended to prevent eavesdropping on communications in client/server applications, with servers always being authenticated and clients being authenticated at the server's option. However, this protocol corrects or improves on several weaknesses of SSL. 3. Introduction The Private Communication Technology (PCT) Protocol is designed to provide privacy between two communicating applications (a client and a server), and to authenticate the server and (optionally) the client. PCT assumes a reliable transport protocol (e.g. TCP) for data transmission and reception. The PCT Protocol is application protocol-independent. A "higher level" application protocol (e.g. HTTP, FTP, TELNET, etc.) can layer on top of the PCT Protocol transparently. The PCT Protocol begins with a handshake phase that negotiates an encryption algorithm and (symmetric) session key as well as authenticating a server to the Benaloh/Lampson/Simon/Spies/Yee [Page 1] Internet Draft The PCT Protocol November 1995 client (and, optionally, vice versa), based on certified asymmetric public keys. Once transmission of application protocol data begins, all data is encrypted using the session key negotiated during the handshake. It should be noted that the PCT protocol does not specify any details about verification of certificates with respect to certification authorities, revocation lists, and so on. Rather, it is assumed that protocol implementations have access to a "black box" which is capable of ruling on the validity of received certificates in a manner satisfactory to the implementation's user. Such a ruling may, for instance, involve remote consultation with a trusted service, or even with the actual user through a text or graphic interface. In addition to encryption and authentication, the PCT protocol verifies the integrity of messages using a hash function-based message authentication code (MAC). The PCT protocol's record format is compatible with that of SSL (see [1]). Servers implementing both protocols can distinguish between PCT and SSL clients because the version number field occurs in the same position in the first handshake message in both protocols. In PCT, the most significant bit of the protocol version number is set to one. The PCT protocol differs from SSL chiefly in the design of its handshake phase, which differs from SSL's in a number of respects: - The round and message structures are considerably shorter and simpler: a reconnected session without client authentication requires only one message in each direction, and no other type of connection requires more than two messages in each direction. - Negotiation for the choice of cryptographic algorithms and formats to use in a session has been extended to cover more protocol characteristics and to allow different characteristics to be negotiated independently. The PCT client and server negotiate, in addition to a cipher type and server certificate type, a hash function type and a key exchange type. If client authentication is requested, a client certificate type and signature type are also negotiated. - Message authentication has been revamped so that it now uses different keys from the encryption keys. Thus, message authentication keys may be much longer (and message authentication therefore much more secure) than the encryption keys, which may be weak or even non-existent. - A security hole in SSL's client authentication has been repaired; the PCT client's authentication challenge response now depends on the type of cipher negotiated for the session. SSL's client authentication is independent of the cipher strength used in the session and also of whether the authentication is being performed Benaloh/Lampson/Simon/Spies/Yee [Page 2] Internet Draft The PCT Protocol November 1995 for a reconnection of an old session or for a new one. As a result, a "man-in-the-middle" attacker who has obtained the session key for a session using weak cryptography can use this broken session to authenticate as the client in a session using strong cryptography. If, for example, the server normally restricts certain sensitive functions to high-security sessions, then this security hole allows intruders to circumvent the restriction. - A "verify-prelude" field has been added to the handshake phase, with which the client and server can check that the cipher type (and other) negotiations carried out in the clear have not been tampered with. (SSL version 3 uses a similar mechanism, but its complete version 2 compatibility negates its security function, by allowing adversaries simply to alter version numbers as well as cipher types.) 4. PCT Record Protocol Specification 4.1 PCT Record Header Format For compatibility with SSL, the PCT protocol uses the same basic record format as SSL. In PCT, all data sent is encapsulated in a record, an object which is composed of a header and some non-zero amount of data. Each record header contains a two- or three-byte length code. If the most significant bit is set in the first byte of the record length code then the record has no padding and the total header length is two bytes; otherwise the record has padding and the total header length is three bytes. The record header is transmitted before the data portion of the record. Note that in the long header case (three bytes total), the second most significant bit in the first byte has special meaning. When zero, the record being sent is a data record. When one, the record being sent is a security escape, and the first byte of the record is an ESCAPE_TYPE_CODE that indicates the type of escape. (Currently, the two examples of security escapes are the "out-of-band data" escape and the "redo handshake" escape.) In either case, the length code describes how much data is in the record as transmitted; this may be greater than the amount of data after decryption, particularly if padding was used. The record length code does not include the number of bytes consumed by the record header (two or three). For the two-byte header, the record length is computed by (using a "C"-like notation): RECORD_LENGTH = ((byte[0] & 0x7f) << 8)) | byte[1], where byte[0] represents the first byte received and byte[1] the second byte received. When the three-byte header is used, the record length is computed as follows (using a "C"-like notation): Benaloh/Lampson/Simon/Spies/Yee [Page 3] Internet Draft The PCT Protocol November 1995 RECORD_LENGTH = ((byte[0] & 0x3f) << 8)) | byte[1]; IS_ESCAPE = (byte[0] & 0x40) != 0; PADDING_LENGTH = byte[2]; The record header defines a value called PADDING_LENGTH. The PADDING_LENGTH value specifies how many bytes of data were appended to the original record by the sender. The padding data is used to make the record length a multiple of the block cipher's block size when a block cipher is used for encryption. The sender of a "padded" record appends the padding data to the end of its normal data and then encrypts the total amount (which is now a multiple of the block cipher's block size). The actual value of the padding data is unimportant, but the encrypted form of it must be transmitted for the receiver to decrypt the record properly. Once the total amount being transmitted is known the header can be properly constructed with the PADDING value set appropriately. The receiver of a padded record uses the PADDING_LENGTH value from the header when determining the length of the ACTUAL_DATA in the data record (see section 4.2). 4.2 PCT Record Data Format The format of the data portion of an encrypted PCT record is slightly different from that of SSL. However, not only is the record header format identical in both protocols, but the first handshake message sent in each direction is also sent in the clear, and contains a version number field in the same location in both protocols. (In PCT protocol handshake messages, the most significant bit of this field is 1.) Hence, PCT is still compatible with SSL, in the sense that PCT handshake messages can be recognized and distinguished from SSL handshake messages by examination of the version number. The PCT record is composed of two fields (transmitted and received in the order shown): ENCRYPTED_DATA[N+PADDING_LENGTH] MAC_DATA[MAC_LENGTH] The ENCRYPTED_DATA field contains an encryption of the concatenation of ACTUAL_DATA (the N bytes of actual data being transmitted) and PADDING_DATA (the use of which is explained below). The MAC_DATA field contains the "Message Authentication Code" (MAC). PCT handshake records are sent in the clear, and no MAC is used. Consequently PADDING_LENGTH will be zero and MAC_LENGTH will be zero. For non-handshake data records, the sender appends a PADDING_DATA field containing arbitrary data, so that N + PADDING_LENGTH is the appropriate length for the cipher being used to encrypt the data. (In the case where a block cipher is used, PADDING_LENGTH must be the Benaloh/Lampson/Simon/Spies/Yee [Page 4] Internet Draft The PCT Protocol November 1995 minimum value such that the length of the concatenation of ACTUAL_DATA and PADDING_DATA is an exact multiple of the cipher's block size. Otherwise, PADDING_LENGTH is zero.) MAC_DATA is computed as follows: MAC_DATA := Hash( MAC_KEY, Hash( ACTUAL_DATA, PADDING_DATA, SEQUENCE_NUMBER ) ) If the client is sending the record, then the MAC_KEY is the CLIENT_MAC_KEY; if the server is sending the record, then the MAC_KEY is the SERVER_MAC_KEY. (The details of the derivation of these keys are given in section 5.3.1.) The selection of the hash function used to compute MAC_DATA is discussed in sections 5.2.1 and 5.2.2. The parameters of the inner invocation of the hash function are input into the hash function in the order shown above, with SEQUENCE_NUMBER represented in network byte order or "big endian" order. If the length of MAC_KEY is not an exact multiple of eight bits, then MAC_KEY is considered, for the purposes of MAC computation, to have (fewer than eight) zero bits appended to it, to create a string of an integral number of bytes for input into the MAC hash function. The SEQUENCE_NUMBER is a counter which is incremented by both the sender and the receiver. For each transmission direction, a pair of counters is kept (one by the sender, one by the receiver). Before the first (handshake) record is sent or received in a PCT connection all sequence numbers are initialized to zero (except in the case of a restarting connection with a token-based exchange type, in which case the entire cipher state is preserved; see section 5.2.2). The sender's sender-to-receiver sequence number is incremented after every record sent, and the receiver's sender-to-receiver sequence number is incremented after every record received. Sequence numbers are 32-bit unsigned quantities, and may not increment past 0xFFFFFFFF. (See section 4.3.2.) The receiver of a record (whether PCT client or server) first uses the sender's WRITE_KEY to decrypt the concatenated ACTUAL_DATA and PADDING_DATA fields, then uses the sender's MAC_KEY, the ACTUAL_DATA, the PADDING_DATA, and the expected value of the sequence number as input into the MAC_DATA function described above (the hash function algorithm used is determined the same way for the receiver as for the sender). The computed MAC_DATA must agree bit for bit with the transmitted MAC_DATA. If the two are not identical, then an INTEGRITY_CHECK_FAILED error occurs, and it is recommended that the record be treated as though it contained no data. (See section 5.4.) The same error occurs if N + PADDING_LENGTH is not correct for the block cipher used. The PCT Record Layer is used for all PCT communications, including handshake messages, security escapes and application data transfers. The PCT Record Layer is used by both the client and the server at all times. Benaloh/Lampson/Simon/Spies/Yee [Page 5] Internet Draft The PCT Protocol November 1995 For a two-byte header, the maximum record length is 32767 bytes. For a three-byte header, the maximum record length is 16383 bytes. The PCT Handshake Protocol messages are constrained to fit in a single PCT Record Protocol record. Application protocol messages are allowed to consume multiple PCT Record Protocol records. 4.3 Security Escapes 4.3.1 Out-Of-Band Data PCT, like SSL, supports the transmission and reception of "out-of-band data". Out of band data is normally defined at the TCP/IP protocol level, but because of PCT's privacy enhancements and support for block ciphers, this becomes difficult to support. To send out-of-band data, the sender sends an escape record whose body contains a single byte of data which is the ESCAPE_TYPE_CODE value PCT_ET_OOB_DATA. The record following the escape record will be interpreted as "out-of-band" data and will only be made available to the receiver through an unspecified mechanism that is different from the receiver's normal data reception method. The escape record and the transmitted data record are transmitted normally (i.e. encryption, MAC computations, and block cipher padding remain in effect). Note that the escape record and the associated data record are sent using normal TCP sending mechanisms, not using the "out of band" mechanisms. Note also that a "Redo Handshake" escape record (see below) and its associated handshake messages may be interposed between an "Out-of-Band Data" escape record and its associated data record. In such a case, the first non-escape, non-handshake record following the "Out-of-Band Data" escape record is treated as out-of-band data. 4.3.2 Redo Handshake PCT allows either the client or the server to request, at any time after the handshake phase has been completed for a connection, that another handshake phase be performed for that connection. For example, either party is required to request another handshake phase rather than allow its sequence number to "wrap" beyond 0xFFFFFFFF. In addition, it is recommended that implementations enforce limits on the duration of both connections and sessions, with respect to the total number of bytes sent, the number of records sent, the actual time elapsed since the beginning of the connection or session, and, in the case of sessions, the number of reconnections made. These limits serve to ensure that keys are not used more or longer than it is safe to do so; hence the limits may depend on the type and strength of cipher, key exchange and authentication used, and may, at the implementer's discretion, include indications from the application as to the sensitivity of the data being transmitted or received. To request a new handshake phase for this connection, the sender Benaloh/Lampson/Simon/Spies/Yee [Page 6] Internet Draft The PCT Protocol November 1995 (client or server) sends an escape record whose body contains a single byte of data which is the ESCAPE_TYPE_CODE value PCT_ET_REDO_CONN. The escape record is transmitted normally (i.e. encryption, MAC computations, and block cipher padding remain in effect). There are several cases to consider to ensure that the message pipeline gets flushed and to enable handshake messages to be distinguished from data records. The following rules ensure that the first messages in the redone handshake are always immediately preceded by a "Redo Handshake" escape message. If the client initiates the "Redo Handshake", it sends the "Redo Handshake" escape message immediately followed by a normal CLIENT_HELLO message; the server, on receiving the "Redo Handshake" escape message, may be in one of two states. If the last message it sent was a "Redo Handshake" escape message, then it simply waits for the CLIENT_HELLO message; otherwise, it sends a "Redo Handshake" escape message in response, and then waits for the CLIENT_HELLO message. If the server initiates the "Redo Handshake", then the server sends the "Redo Handshake" escape message and simply waits for a "Redo Handshake" escape message in response; this "Redo Handshake" should be immediately followed by a normal CLIENT_HELLO message. The client, on receiving the server's "Redo Handshake" escape message, may be in one of two states. If the last two messages it sent were a "Redo Handshake" escape message followed by a CLIENT_HELLO message, then it simply waits for a SERVER_HELLO message; otherwise, it sends a "Redo Handshake" escape message in response, followed by a CLIENT_HELLO message, and then waits for a SERVER_HELLO message. In all cases, the sender of the "Redo Handshake" escape message continues to process incoming messages, but may not send any non-handshake messages until the new handshake completes. The handshake phase that follows the "Redo Handshake" escape message is a normal one in most respects; the client may request the reconnection of an old session or request that a new session be initiated, and the server, on receiving a reconnection request, can accept the reconnection or demand that a new session be initiated instead. If a new session is being established, then the server must request client authentication if and only if client authentication was requested during the previous session. Otherwise, client authentication is optional. Both parties must verify that the specifications negotiated previously in the session (cipher type, key exchange type, certificate type, hash function type, client certificate type, and signature type), as well as any certificates exchanged, are identical to those found in the new handshake phase. A mismatch results in a SPECS_MISMATCH or BAD_CERTIFICATE error (see section 5.4.) This ensures that the security properties of the communication channel do not change. Benaloh/Lampson/Simon/Spies/Yee [Page 7] Internet Draft The PCT Protocol November 1995 5. PCT Handshake Protocol Specification 5.1 PCT Handshake Protocol Flow The PCT Handshake Protocol is used to negotiate security enhancements to data sent using the PCT Record Protocol. The security enhancements consist of authentication, symmetric encryption, and message integrity. Symmetric encryption is facilitated using a "Key Exchange Algorithm". PCT version 1 supports RSA {TM} -based key exchange (see [13]), Diffie-Hellman key exchange, and FORTEZZA token key exchange. The PCT Handshake Protocol consists of four messages, sent respectively by the client, then server, then client, then server, in that order. (Moreover, under certain circumstances, the last two messages are omitted.) The messages are named, in order, CLIENT_HELLO, SERVER_HELLO, CLIENT_MASTER_KEY, and SERVER_VERIFY. The general contents of the messages depend upon two criteria: whether the connection being made is a reconnection (a continuation of a previous session) or a new session and whether the client is to be authenticated. (The server is always authenticated.) The first criterion is determined by the client and server together; the CLIENT_HELLO will have different contents depending on whether a new session is being initiated or an old one continued, and the SERVER_HELLO message will either confirm a requested continuation of an old session, or require that a new session be initiated. The second criterion is determined by the server, whose SERVER_HELLO may contain a demand for authentication of the client. If the server does not require client authentication, and the reconnection of an old session is requested by the client and accepted by the server, then the CLIENT_MASTER_KEY and SERVER_VERIFY messages are unnecessary, and are omitted. The CLIENT_HELLO message contains a random authentication challenge to the server and a request for the type and level of cryptography and certification to be used for the session. If the client is attempting to continue an old session, then it also supplies that session's ID. In the case of a new session, the SERVER_HELLO message contains a certificate and a random connection identifier; this identifier doubles as an authentication challenge to the client if the server desires client authentication. The CLIENT_MASTER_KEY message sent by the client in response includes the master key for the session (from which session keys are derived), encrypted using the public key from the server's certificate, as well as a certificate and response to the server's authentication challenge, if requested. To ensure that previous unencrypted handshake messages were not tampered with, their keyed hash is included with the CLIENT_MASTER_KEY message. Finally, the server sends a SERVER_VERIFY message which includes a response to the client's challenge and a random session id for the session. Benaloh/Lampson/Simon/Spies/Yee [Page 8] Internet Draft The PCT Protocol November 1995 If the server accepts the old session id, then the SERVER_HELLO message contains a response to the client's challenge, and a random connection identifier which again doubles as a random challenge to the client, if the server requires client authentication. If no client authentication is requested, the handshake is finished (although an authentication of the client is implicit in the MAC included with the client's first data message). Otherwise, the subsequent CLIENT_MASTER_KEY message contains the client's response, and the SERVER_VERIFY message simply signals to the client to continue. For a new session, the handshake phase has the following form (items in square brackets are included only if client authentication is required): Client Server ------ ------ CLIENT_HELLO: client challenge; client's cipher, hash, server-certificate, and key-exchange specification lists SERVER_HELLO: connection id/server challenge; server's cipher, hash, server-certificate, and key-exchange specification choices; server certificate [; server's signature-type and client-certificate specification lists] CLIENT_MASTER_KEY: master key, encrypted with server's public key; authentication of previous two messages [; client's signature-type and client-certificate specification choices; client's certificate; client's challenge response] SERVER_VERIFY: session id; server's challenge response For a reconnection of an old session, the handshake phase has the Benaloh/Lampson/Simon/Spies/Yee [Page 9] Internet Draft The PCT Protocol November 1995 following form (items in square brackets are included if client authentication is required): Client Server ------ ------ CLIENT_HELLO: client challenge; session id; client's cipher, hash, server-certificate, and key-exchange specification lists SERVER_HELLO: connection id/server challenge; old session's cipher, hash, server-certificate, and key-exchange specification choices; server's challenge response [; server's signature-type and client-certificate specification lists] [CLIENT_MASTER_KEY: client's certificate; client's challenge response] [SERVER_VERIFY] Note that the protocol is asymmetric between client and server. The client authenticates the server because only the server can decrypt the master key which is encrypted with the server's public key, and the server's challenge response depends on knowing that master key. The server authenticates the client because the client signs its challenge response with its public key. The reason for the asymmetry is that when there is no client authentication there is no client public key, so the client must choose the master key and encrypt it with the server public key to hide it from everyone except the server. Usually the client can safely send data on the underlying transport immediately following the CLIENT_MASTER_KEY message, without waiting for the SERVER_VERIFY; we call this "initial data". Sending initial data is good because it means that PCT adds only one round trip; it is not possible to do better without exposing the server to a replay attack. However, it is unwise to send initial data if for some reason it is important for the client to be sure of being in contact with the correct server before sending any data. Benaloh/Lampson/Simon/Spies/Yee [Page 10] Internet Draft The PCT Protocol November 1995 5.2 PCT Handshake Protocol Messages The PCT Handshake Protocol messages are sent using the PCT Record Protocol and consist of a single byte message type code, followed by some data. The client and server exchange messages as described above, sending either one or two messages each. Once the handshake has been completed successfully, the client sends its first actual data. Handshake protocol messages are sent in the clear, with the exception of the key-exchange-related fields in the CLIENT_MASTER_KEY message, some of which involve (public-key) encryption. The following notation is used for PCT messages: char MSG_EXAMPLE char FIELD1 char FIELD2 char THING_LENGTH_MSB char THING_LENGTH_LSB char THING_DATA[(MSB << 8)|LSB]; ... This notation defines the data in the protocol message, including the message type code. The order is presented top to bottom, with the topmost element being transmitted first. For the "THING_DATA" entry, the MSB and LSB values are actually THING_LENGTH_MSB and THING_LENGTH_LSB (respectively) and define the number of bytes of data actually present in the message. For example, if THING_LENGTH_MSB were one and THING_LENGTH_LSB were four then the THING_DATA array would be exactly 260 bytes long. This shorthand is used below. Occasionally, a "THING_DATA" field is referred to as "THING", with the word "DATA" omitted. The names of message elements have prefixes that identify the messages in which they appear; these prefixes are sometimes omitted in the text when the containing messages are obvious. Length codes are unsigned values, and when the MSB and LSB are combined the result is an unsigned value. Length values are in bytes. 5.2.1 CLIENT_HELLO (Sent in the clear) char CH_MSG_CLIENT_HELLO char CH_CLIENT_VERSION_MSB char CH_CLIENT_VERSION_LSB char CH_PAD char CH_SESSION_ID_DATA[32] char CH_CHALLENGE_DATA[32] char CH_OFFSET_MSB Benaloh/Lampson/Simon/Spies/Yee [Page 11] Internet Draft The PCT Protocol November 1995 char CH_OFFSET_LSB char CH_CIPHER_SPECS_LENGTH_MSB char CH_CIPHER_SPECS_LENGTH_LSB char CH_HASH_SPECS_LENGTH_MSB char CH_HASH_SPECS_LENGTH_LSB char CH_CERT_SPECS_LENGTH_MSB char CH_CERT_SPECS_LENGTH_LSB char CH_EXCH_SPECS_LENGTH_MSB char CH_EXCH_SPECS_LENGTH_LSB char CH_KEY_ARG_LENGTH_MSB char CH_KEY_ARG_LENGTH_LSB char CH_CIPHER_SPECS_DATA[(MSB << 8)|LSB] char CH_HASH_SPECS_DATA[(MSB << 8)|LSB] char CH_CERT_SPECS_DATA[(MSB << 8)|LSB] char CH_EXCH_SPECS_DATA[(MSB << 8)|LSB] char CH_KEY_ARG_DATA[(MSB << 8)|LSB] When a client first connects to a server it is required to send the CLIENT_HELLO message. The server is expecting this message from the client as its first message. It is an ILLEGAL_MESSAGE error for a client to send anything else as its first message. The CLIENT_HELLO message begins with the PCT version number, and two fixed-length fields followed by an offset to the variable length data. The CH_OFFSET field contains the number of bytes used by the various fields (currently only length fields) that follow the offset field and precede the variable-length fields. For PCT version 1, this offset value is always PCT_CH_OFFSET_V1, i.e., ten. However, inclusion of this field will allow future versions to be compatible with version 1, even if the number of these fields changes: a version 1 server should be able to find all the PCT version 1 fields in a higher-version CLIENT_HELLO message. The CH_PAD field may contain any value. The CLIENT_HELLO message includes a string of random bytes used as challenge data from the client. Also, if the client finds a session identifier in its cache for the server, then that session-identifier data is sent. Otherwise, the special PCT_SESSION_ID_NONE value is used. In either case, the client specifies in CIPHER_SPECS_DATA, HASH_SPECS_DATA, CERT_SPECS_DATA, and EXCH_SPECS_DATA its preferred choices of symmetric cipher, key lengths, hash function, certificate, and asymmetric key exchange algorithm. However, if a session identifier is sent, then these choices are only relevant in the case where the server cannot recognize the session identifier, and a new session must therefore be initiated. If the server recognizes the session, then these fields are ignored by the server. The CHALLENGE_DATA field contains 32 bytes of random bits, to be used to authenticate the server. The CHALLENGE_DATA should be cryptographically random, in the same sense as the MASTER_KEY (see section 5.3.1). The CIPHER_SPECS_DATA field contains a list of possible symmetric ciphers supported by the client, in order of (the client's) Benaloh/Lampson/Simon/Spies/Yee [Page 12] Internet Draft The PCT Protocol November 1995 preference. Each element in the list is a four-byte field, of which the first two bytes contain a code representing a cipher type, the third byte contains the encryption key length in bits (0-255), and the fourth byte contains the MAC key length in bits, minus 64 (values 0-255, representing lengths 64-319; this encoding enforces the requirement that the MAC key length be at least 64 bits). The entire list's length in bytes (four times the number of elements) is placed in CIPHER_SPECS_LENGTH. The HASH_SPECS_DATA field contains a list of possible hash functions supported by the client, in order of (the client's) preference. The server will choose one of these to be used for computing MACs and deriving keys. Each element in the list is a two-byte field containing a code representing a hash function choice. The entire length of the list (twice the number of elements) is placed in HASH_SPECS_LENGTH. The CERT_SPECS_DATA field contains a list of possible certificate formats supported by the client, in order of (the client's) preference. Each element in the list is a two-byte field containing a code representing a certificate format. The entire length of the list (twice the number of elements) is placed in CERT_SPECS_LENGTH. The EXCH_SPECS_DATA field contains a list of possible asymmetric key exchange algorithms supported by the client, in order of (the client's) preference. Each element in the list is a two-byte field containing a code representing a key exchange algorithm type. The entire length of the list (twice the number of elements) is placed in EXCH_SPECS_LENGTH. The KEY_ARG_DATA field contains an initialization vector to be used in a reconnected session when the cipher type is a block cipher (any cipher type except PCT_CIPHER_RC4, and any key exchange type except PCT_EXCH_RSA_PKCS1_TOKEN_RC4). If a new session is being requested (i.e., the value of CH_SESSION_ID_DATA is PCT_SESSION_ID_NONE), then KEY_ARG_LENGTH must be zero. The CLIENT_HELLO message must be the first message sent by the client to the server. After the message is sent the client waits for a SERVER_HELLO message. Any other message returned by the server (other than ERROR) generates the PCT_ERR_ILLEGAL_MESSAGE error. The server, on receiving a CLIENT_HELLO message, checks the version number and the offset field to determine where the variable-length data fields start. (The OFFSET value should be at least PCT_CH_OFFSET_V1.) The server then checks whether there is a non-null SESSION_ID field, and if so, whether it recognizes the SESSION_ID. In that case, the server responds with a SERVER_HELLO message containing a non-zero RESTART_SESSION_OK field, and the appropriate value (see below) in the RESPONSE and CONNECTION_ID fields. Otherwise, it checks whether the CIPHER_SPECS, HASH_SPECS, CERT_SPECS and EXCH_SPECS lists in the CLIENT_HELLO message each contain at least one type supported Benaloh/Lampson/Simon/Spies/Yee [Page 13] Internet Draft The PCT Protocol November 1995 by the server. If so, then the server sends a SERVER_HELLO message to the client as described below; otherwise, the server detects a SPECS_MISMATCH error. 5.2.2 SERVER_HELLO (Sent in the clear) char SH_MSG_SERVER_HELLO char SH_PAD char SH_SERVER_VERSION_MSB char SH_SERVER_VERSION_LSB char SH_RESTART_SESSION_OK char SH_CLIENT_AUTH_REQ char SH_CIPHER_SPECS_DATA[4] char SH_HASH_SPECS_DATA[2] char SH_CERT_SPECS_DATA[2] char SH_EXCH_SPECS_DATA[2] char SH_CONNECTION_ID_DATA[32] char SH_CERTIFICATE_LENGTH_MSB char SH_CERTIFICATE_LENGTH_LSB char SH_CLIENT_CERT_SPECS_LENGTH_MSB char SH_CLIENT_CERT_SPECS_LENGTH_LSB char SH_CLIENT_SIG_SPECS_LENGTH_MSB char SH_CLIENT_SIG_SPECS_LENGTH_LSB char SH_RESPONSE_LENGTH_MSB char SH_RESPONSE_LENGTH_LSB char SH_CERTIFICATE_DATA[(MSB << 8)|LSB] char SH_CLIENT_CERT_SPECS_DATA[(MSB << 8)|LSB] char SH_CLIENT_SIG_SPECS_DATA[(MSB << 8)|LSB] char SH_RESPONSE_DATA[(MSB << 8)|LSB] The server sends this message after receiving the client's CLIENT_HELLO message. The PCT version number in SH_SERVER_VERSION is always the maximum protocol version that the server supports; the remainder of the message and all subsequent messages will conform to the format specified by the protocol version corresponding to the minimum of the client and server protocol version numbers. Unless there is an error, the server always returns a random value 32 bytes in length in the CONNECTION_ID field. This value doubles as challenge data if the server requests client authentication, and should therefore be random in the same sense as the challenge data in the CLIENT_HELLO message. The SH_PAD field may contain any value. There are two cases for RESTART_SESSION_OK. In the first case, the server returns a zero RESTART_SESSION_OK flag because the CLIENT_HELLO message did not contain a session id or because the one it contained is unrecognized by the server. In this case, the server must behave as follows: The server selects any choice with which it is compatible, from each of the CH_CIPHER_SPECS, CH_HASH_SPECS, CH_CERT_SPECS and CH_EXCH_SPECS lists supplied in the CLIENT_HELLO message. (These values are returned to the client in the SH_CIPHER_SPECS_DATA, Benaloh/Lampson/Simon/Spies/Yee [Page 14] Internet Draft The PCT Protocol November 1995 SH_HASH_SPECS_DATA, SH_CERT_SPECS_DATA, and SH_EXCH_SPECS_DATA fields, respectively.) The certificate of the type specified in SH_CERT_SPECS_DATA and SH_EXCH_SPECS_DATA is placed in the CERTIFICATE_DATA field. The SH_RESPONSE_DATA field is empty, and its length is zero. In the second case, the server returns a non-zero RESTART_SESSION_OK flag because the CLIENT_HELLO message contained a session-identifier known by the server (i.e. in the server's session-identifier cache). In this case, the server must behave as follows: The server omits the CERTIFICATE_DATA field (with CERTIFICATE_LENGTH set to zero), and sets the CIPHER_SPECS_DATA, HASH_SPECS_DATA, CERT_SPECS_DATA and EXCH_SPECS_DATA values to the values stored along with the session identifier. There are two subcases: (1) If the SH_EXCH_SPECS_DATA does not refer to a TOKEN type, then the CLIENT_MAC, SERVER_MAC, CLIENT_WRITE, and SERVER_WRITE keys are rederived using the MASTER_KEY from the old session, as well as the CONNECTION_ID and CH_CHALLENGE values from the SERVER_HELLO and CLIENT_HELLO messages, respectively, for this connection. (2) If the SH_EXCH_SPECS_DATA refers to a TOKEN type, then the keys from the on-going session are reused. In order to obtain fresh key material or change the sequence number, TOKEN implementations must use the redo handshake mechanism (PCT_ET_REDO_CONN security escape). When this mechanism is used with a TOKEN exchange type, the client must send PCT_SESSION_ID_NONE in the CH_SESSION_ID_DATA field of the subsequent CLIENT_HELLO message. The RESPONSE_DATA is constructed by computing the function Hash( SERVER_MAC_KEY, Hash( "sr", CH_CHALLENGE_DATA, SH_CONNECTION_ID_DATA, CH_SESSION_ID_DATA ) ). The CH_CHALLENGE_DATA and CH_SESSION_ID_DATA values are found in the CLIENT_HELLO message for this connection. The SH_CONNECTION_ID_DATA value is from this SERVER_HELLO message. The SERVER_MAC_KEY is the one rederived for this connection as described in section 5.3.1. If the length of SERVER_MAC_KEY is not an exact multiple of eight bits, then SERVER_MAC_KEY is considered, for the purposes of MAC computation, to have (fewer than eight) zero bits appended to it, to create a string of an integral number of bytes for input into the MAC hash function. The hash function choice used is determined by the SH_HASH_SPECS_DATA field in this SERVER_HELLO message. The values are input into the interior invocation of the hash function in the exact order specified above, with the string in quotation marks representing actual ASCII text. In both reconnection cases, if the server requires client authentication, then the CLIENT_AUTH_REQ field is set to a non-zero value. Also, a list of (client) certificate types acceptable to the server, in order of (the server's) preference, is placed in the CLIENT_CERT_SPECS_DATA field, and a list of (client's) signature Benaloh/Lampson/Simon/Spies/Yee [Page 15] Internet Draft The PCT Protocol November 1995 algorithms supported by the server, in order of (the server's) preference, is placed in the CLIENT_SIG_SPECS_DATA field. The certificate type values in the list are from the same set of two byte codes used for the CERT_SPECS list appearing in the CLIENT_HELLO message, and the signature algorithm type codes are also two bytes long. (See section 5.3.4 and 5.3.5 below.) The lengths of the lists in bytes (twice the number of elements) are placed in the CLIENT_CERT_SPECS_LENGTH and CLIENT_SIG_SPECS_LENGTH fields. If no client authentication is required, then these length fields, as well as the CLIENT_AUTH_REQ field, are set to zero, and the corresponding data fields are empty. When the client receives a SERVER_HELLO message, it checks whether the server has accepted a reconnection of an old session or is establishing a new session. If a new session is being initiated, and client authentication is requested, then the client checks whether it is compatible with any of the certificate and signature types listed in the CLIENT_CERT_SPECS and CLIENT_SIG_SPECS lists. (Note that the server can make client authentication optional for the client simply by including PCT_CERT_NONE and PCT_SIG_NONE as a "last resort".) If the client can provide a compatible certificate, then it sends a CLIENT_MASTER_KEY message as described below; otherwise, it generates a SPECS_MISMATCH error. If the session is an old one, then the client establishes the new CLIENT_WRITE_KEY, SERVER_WRITE_KEY, CLIENT_MAC_KEY and SERVER_MAC_KEY according to the cipher-specific rules described below in section 5.3.1. The client then checks the contents of the RESPONSE_DATA field in the SERVER_HELLO message for correctness. If the response matches the value calculated by the client (exactly as described above for the server), then the handshake is finished, and the client begins sending data; otherwise, a SERVER_AUTH_FAILED error occurs. 5.2.3 CLIENT_MASTER_KEY (sent in the clear, except for encrypted keys) char CMK_MSG_CLIENT_MASTER_KEY char CMK_PAD char CMK_CLIENT_CERT_SPECS_DATA[2] char CMK_CLIENT_SIG_SPECS_DATA[2] char CMK_CLEAR_KEY_LENGTH_MSB char CMK_CLEAR_KEY_LENGTH_LSB char CMK_ENCRYPTED_KEY_LENGTH_MSB char CMK_ENCRYPTED_KEY_LENGTH_LSB char CMK_KEY_ARG_LENGTH_MSB char CMK_KEY_ARG_LENGTH_LSB char CMK_VERIFY_PRELUDE_LENGTH_MSB char CMK_VERIFY_PRELUDE_LENGTH_LSB char CMK_CLIENT_CERT_LENGTH_MSB char CMK_CLIENT_CERT_LENGTH_LSB char CMK_RESPONSE_LENGTH_MSB char CMK_RESPONSE_LENGTH_LSB Benaloh/Lampson/Simon/Spies/Yee [Page 16] Internet Draft The PCT Protocol November 1995 char CMK_CLEAR_KEY_DATA[(MSB << 8)|LSB] char CMK_ENCRYPTED_KEY_DATA[(MSB << 8)|LSB] char CMK_KEY_ARG_DATA[(MSB << 8)|LSB] char CMK_VERIFY_PRELUDE_DATA[(MSB << 8)|LSB] char CMK_CLIENT_CERT_DATA[(MSB << 8)|LSB] char CMK_RESPONSE_DATA[(MSB << 8)|LSB] The client sends this message after receiving the SERVER_HELLO message from the server if a new session is being started or if client authentication has been requested. If no client authentication has been requested in the SERVER_HELLO message and an old session is being reconnected (i.e., if the CLIENT_AUTH_REQ field is zero and the RESTART_SESSION_OK field is nonzero), then the CLIENT_MASTER_KEY message is not sent. For TOKEN exchange types, both client and server (re)set the sequence numbers to zero when this message is sent/received. The contents of the CLEAR_KEY_DATA, ENCRYPTED_KEY_DATA, and KEY_ARG_DATA fields depend on the contents of the SH_CIPHER_SPECS_DATA and SH_EXCH_SPECS_DATA fields in the preceding SERVER_HELLO message. These will be described for each possible choice of these values in section 5.3.1 and 5.3.2, along with how the various keys (CLIENT_WRITE_KEY, SERVER_WRITE_KEY, CLIENT_MAC_KEY, and SERVER_MAC_KEY) are derived in each case. The CMK_PAD field may contain any value. The CMK_VERIFY_PRELUDE_DATA field contains the value Hash( CLIENT_MAC_KEY, Hash( "cvp", CLIENT_HELLO, SERVER_HELLO ) ). If the length of CLIENT_MAC_KEY is not an exact multiple of eight bits, then CLIENT_MAC_KEY is considered, for the purposes of MAC computation, to have (fewer than eight) zero bits appended to it, to create a string of an integral number of bytes for input into the MAC hash function. The hash function used is the one specified in SH_HASH_SPECS_DATA. The parameters are input into the hash function in the order presented above, with the strings in quotation marks representing ASCII text. Note that the client need only keep a "running hash" of all the values passed in these first two messages as they appear, then hash the result using the CLIENT_MAC_KEY when generated, to compute the value of VERIFY_PRELUDE. If SH_CLIENT_AUTH_REQ is zero, then CMK_CLIENT_CERT_SPECS_DATA and CMK_CLIENT_SIG_SPECS_DATA are both zero, and the CMK_CLIENT_CERT and CMK_RESPONSE_DATA fields are empty. Otherwise, the CMK_RESPONSE_DATA field contains the client's authentication response, and the CMK_CLIENT_CERT_SPECS_DATA and CMK_CLIENT_SIG_SPECS_DATA fields contain the client's choices from the SH_CLIENT_CERT_SPECS_DATA and SH_CLIENT_SIG_SPECS_DATA lists, respectively. The CMK_CLIENT_CERT_DATA field contains the client's certificate, which must match the certificate type specified in the Benaloh/Lampson/Simon/Spies/Yee [Page 17] Internet Draft The PCT Protocol November 1995 CMK_CLIENT_CERT_SPECS_DATA field. Also, the public key in the certificate must be a signature key of the type specified in CMK_CLIENT_SIG_SPECS_DATA, which in turn must match one of the types in the SH_CLIENT_SIG_SPECS_DATA list. CMK_RESPONSE_DATA is simply a digital signature, using the private signature key associated with the public key in the client's certificate, of the value in the CMK_VERIFY_PRELUDE_DATA field. The signature algorithm is determined by the CMK_CLIENT_SIG_SPECS_DATA field. (Note that the signature algorithm may itself require that a hash function be applied to the data being signed, apart from the one used to compute the value in CMK_VERIFY_PRELUDE_DATA.) Upon receiving a CLIENT_MASTER_KEY message, the server performs the cipher-specific functions described in section 5.3 to establish the new CLIENT_WRITE_KEY, SERVER_WRITE_KEY, CLIENT_MAC_KEY and SERVER_MAC_KEY. The server then checks the VERIFY_PRELUDE_DATA value, the client certificate, and the client response for correctness and validity (the latter two only if client authentication had been requested). The checks of the VERIFY_PRELUDE_DATA and RESPONSE_DATA are performed by recomputing their correct value, and comparing with the values received. The certificate is verified using whatever mechanism has been implemented to validate certificates, and the signature in the RESPONSE_DATA field is verified using the verification algorithm associated with the signature scheme being used. If all of these values pass their checks, then the server sends the SERVER_VERIFY message; otherwise, an error occurs (INTEGRITY_CHECK_FAILED, BAD_CERTIFICATE, or CLIENT_AUTH_FAILED, respectively). 5.2.4 SERVER_VERIFY (Sent in the clear) char SV_MSG_SERVER_VERIFY char SV_PAD char SV_SESSION_ID_DATA[32] char SV_RESPONSE_LENGTH_MSB char SV_RESPONSE_LENGTH_LSB char SV_RESPONSE_DATA[(MSB << 8)|LSB] The server sends this message upon receiving a valid CLIENT_MASTER_KEY message from the client. The SV_PAD field may contain any value. If an old session is being reconnected, then the RESPONSE_DATA field is empty, its length is zero, and the SESSION_ID_DATA field may contain any value. Otherwise, the SV_SESSION_ID_DATA field contains a value 32 bytes in length, which should be generated randomly (in the same sense as the CHALLENGE_DATA field in the CLIENT_HELLO message). The value PCT_SESSION_ID_NONE should not be used as a SV_SESSION_ID_DATA value. The contents of the SV_RESPONSE_DATA field are constructed by computing the function Hash( SERVER_MAC_KEY, Hash( "sr", CH_CHALLENGE_DATA, SH_CONNECTION_ID_DATA, SV_SESSION_ID_DATA ) ). Benaloh/Lampson/Simon/Spies/Yee [Page 18] Internet Draft The PCT Protocol November 1995 The CH_CHALLENGE_DATA and SH_CONNECTION_ID_DATA values, the choice of hash function used, and the value of SERVER_MAC_KEY are determined by the CLIENT_HELLO, SERVER_HELLO, SERVER_HELLO and CLIENT_MASTER_KEY messages, respectively, immediately preceding the SERVER_VERIFY message. The values are input into the interior invocation of the hash function in the exact order specified above, with the string in quotation marks representing actual ASCII text. If the length of SERVER_MAC_KEY is not an exact multiple of eight bits, then SERVER_MAC_KEY is considered, for the purposes of MAC computation, to have (fewer than eight) zero bits appended to it, to create a string of an integral number of bytes for intput into the MAC hash function. When the client receives this message, it verifies the correctness of the response data, by computing the hash value as described above and comparing it with the one received. If it is correct, then the client proceeds with the first data record transmission; otherwise, a SERVER_AUTH_FAILED error occurs. An implementation may choose to send initial data immediately after the CLIENT_MASTER_KEY message, without waiting for the SERVER_VERIFY message to arrive, if verifying the server's identity before sending it any data is unimportant. 5.3 Algorithm and Certificate Types 5.3.1 Key Exchange Algorithms PCT version 1 permits the following key exchange types: PCT_EXCH_RSA_PKCS1 PCT_EXCH_RSA_PKCS1_TOKEN_DES PCT_EXCH_RSA_PKCS1_TOKEN_DES3 PCT_EXCH_RSA_PKCS1_TOKEN_RC2 PCT_EXCH_RSA_PKCS1_TOKEN_RC4 PCT_EXCH_DH_PKCS3 PCT_EXCH_DH_PKCS3_TOKEN_DES PCT_EXCH_DH_PKCS3_TOKEN_DES3 PCT_EXCH_FORTEZZA_TOKEN Note that the token-based key exchange types specify cipher as well (including, implicitly, the FORTEZZA key exchange type); if one of these is chosen, then its choice of cipher overrides whatever choice of cipher appears in the SH_CIPHER_SPECS_DATA field of the SERVER_HELLO message. For the PCT_EXCH_RSA_PKCS1 key exchange type, a MASTER_KEY value is generated by the client, which should be random in the following strong sense: attackers must not be able to predict any of the bits in the MASTER_KEY. It is recommended that the bits used be either truly random and uniformly generated (using some random physical process) or else generated using a cryptographically secure pseudorandom number generator, which was in turn seeded with a truly random and uniformly generated seed. This MASTER_KEY value is encrypted using the server's Benaloh/Lampson/Simon/Spies/Yee [Page 19] Internet Draft The PCT Protocol November 1995 public encryption key, as obtained from the server's certificate in the SH_CERTIFICATE_DATA field of the SERVER_HELLO message. The encryption must follow the RSA PKCS#1 standard format (see [2]), block type 2. This encryption is sent to the server in the CMK_ENCRYPTED_KEY_DATA field of the CLIENT_MASTER_KEY message, and is decrypted by the server to obtain the MASTER_KEY. For the PCT_EXCH_DH_PKCS3 key exchange type, a random private value x (generated in the same way as the MASTER_KEY above) and corresponding public value y are generated by the client following RSA PKCS#3 standard format (see [3]). The value y is then sent to the server in the CMK_ENCRYPTED_KEY_DATA field of the CLIENT_MASTER_KEY message. The client's private value x, along with the public value y' included in the server's certificate in the SH_CERTIFICATE_DATA field of the SERVER_HELLO message, is used to generate the MASTER_KEY. The server uses its private value, x', along with the y value sent by the client, to obtain the same MASTER_KEY value. For the various TOKEN key exchange types, all the key material is contained in the CMK_ENCRYPTED_KEY_DATA field, but the format of the data is defined by the token implementation, or by other future documents. The length of the MASTER_KEY depends on the key exchange type. For the PCT_EXCH_RSA_PKCS1 and PCT_EXCH_DH_PKCS3 exchange types, the MASTER_KEY is a 128-bit value. The CLIENT_WRITE_KEY and SERVER_WRITE_KEY are computed as follows: CLIENT_WRITE_KEY_i = Hash( i, "cw", MASTER_KEY, "cw"^i, SH_CONNECTION_ID_DATA, "cw"^i, SH_CERTIFICATE_DATA,"cw"^i, CH_CHALLENGE_DATA, "cw"^i ) SERVER_WRITE_KEY_i = Hash( i, "svw", MASTER_KEY, "svw"^i, SH_CONNECTION_ID_DATA, "svw"^i, CH_CHALLENGE_DATA, "svw"^i ) The values in quotation marks are treated as (sequences of) ASCII characters; "x"^i denotes i copies of the string "x" concatenated together. The function "Hash" is the one determined by the value of SH_HASH_SPECS_DATA. The parameters are input into the hash function in the order presented above; the variable i is input as a single-byte unsigned integer. The WRITE_KEYs (i.e., CLIENT_WRITE_KEY and SERVER_WRITE_KEY) are obtained by concatenating WRITE_KEY_1 through WRITE_KEY_m, where m is the negotiated encryption key length (the value in the third byte of the SH_CIPHER_SPECS_DATA field) divided by the hash output length, in bits, rounded up to the nearest integer. This resulting string is then truncated if necessary (by removing bits from the end) to produce a string of the correct length. The CLIENT_MAC_KEY and SERVER_MAC_KEY are computed as follows: CLIENT_MAC_KEY_i = Hash( i, MASTER_KEY, "cmac"^i, SH_CONNECTION_ID_DATA, "cmac"^i, SH_CERTIFICATE_DATA, "cmac"^i, Benaloh/Lampson/Simon/Spies/Yee [Page 20] Internet Draft The PCT Protocol November 1995 CH_CHALLENGE_DATA, "cmac"^i ) SERVER_MAC_KEY_i = Hash( i, MASTER_KEY, "svmac"^i, SH_CONNECTION_ID_DATA, "svmac"^i, CH_CHALLENGE_DATA, "svmac"^i ) The values in quotation marks are treated as (sequences of) ASCII characters; "x"^i denotes i copies of the string "x" concatenated together. The function "Hash" is the one determined by the value of SH_HASH_SPECS_DATA. The parameters are input into the hash function in the order presented above; the variable i is input as a single-byte unsigned integer. The MAC_KEYs (ie., CLIENT_MAC_KEY and SERVER_MAC_KEY) are obtained by concatenating MAC_KEY_1 through MAC_KEY_m, where m is the negotiated MAC key length (64 plus the value in the fourth byte of the SH_CIPHER_SPECS_DATA field) divided by the hash output length, in bits, rounded up to the nearest integer. This resulting string is then truncated if necessary (by removing bits from the end) to produce a string of the correct length. Note that tokens which are capable of deriving keys using "keyed hashes", as described above, are free to use the PCT_EXCH_RSA_PKCS1 or PCT_EXCH_DH_PKCS3 key exchange type to exchange the MASTER_KEY, and then to derive the rest of the keys normally. The TOKEN key exchange types are for tokens that cannot do such keyed-hash key derivation, and can only use an exchanged key for bulk encryption (of, for example, other keys). Such tokens can exchange multiple keys by using an initially exchanged MASTER_KEY to encrypt other keys, as described above. 5.3.2 Cipher Types PCT version 1 permits the following cipher types to be specified: PCT_CIPHER_DES PCT_CIPHER_IDEA PCT_CIPHER_RC2 PCT_CIPHER_RC4 PCT_CIPHER_DES_112 PCT_CIPHER_DES_168 Each of these types is denoted by a two-byte code, and is followed in CIPHER_SPECS_DATA fields by two one-byte length specifications, as described in section 5.2.1. An encryption length specification of zero associated with any cipher denotes the choice of no encryption; a key exchange is performed in such cases solely to share keys for MAC computation. The MAC key length must always be at least 64 bits (see section 5.2.1). The CLEAR_KEY_DATA field is used only when encryption keys of length less than the standard length for the specified cipher are used; otherwise, the field is empty. When a key length is specified which is less than the standard key length for the specified cipher, then keys of the specified length are derived normally as described in Benaloh/Lampson/Simon/Spies/Yee [Page 21] Internet Draft The PCT Protocol November 1995 section 5.3.1, and then "expanded" to derive standard-length keys. The expansion proceeds as follows: 1. Assign to d the result of dividing the standard key length for the cipher, in bits, by the output length of the hash function, in bits, rounded up to the nearest integer. 2. Divide CLEAR_KEY_DATA sequentially into d equal subsegments. (Note that the length of the CLEAR_KEY_DATA field must therefore be a multiple of d bytes, and that no two of its d equal parts, when so divided, may be identical.) Denote these subsegments CLEAR_KEY_DATA_1 through CLEAR_KEY_DATA_d. 3. Compute the d hash values STANDARD_LENGTH_KEY_i := Hash( i, "sl"^i, WRITE_KEY, "sl"^i, CLEAR_KEY_DATA_i ). The values in quotation marks are treated as (sequences of) ASCII characters; "x"^i denotes i copies of the string "x" concatenated together. The function "Hash" is the one determined by the value of SH_HASH_SPECS_DATA. The parameters are input into the hash function in the order presented above; the variable i is input as a single-byte unsigned integer. The WRITE_KEY is the encryption key (CLIENT_WRITE_KEY or SERVER_WRITE_KEY) being expanded to standard length. If the length of the WRITE_KEY is not an exact number of bytes, then its final byte is padded with zeroes to increase its length to an exact number of bytes. 4. Concatenate STANDARD_LENGTH_KEY_1 through STANDARD_LENGTH_KEY_d, and then truncate as necessary (by removing bits from the end) to produce the STANDARD_LENGTH_KEY which is actually used for encryption. The KEY_ARG_DATA field contains a random eight-byte value to be used as an initialization vector (IV) for the first encrypted message when a block cipher (any cipher except RC4) is used. The IV for the first block encrypted in any subsequent encrypted message is simply the last encrypted block of the previous message. The KEY_ARG_DATA field is empty when cipher type PCT_CIPHER_RC4 (or key exchange type PCT_EXCH_RSA_PKCS1_TOKEN_RC4) is used. PCT_CIPHER_DES denotes DES (see [4]). Its standard key length is 56 bits. PCT_CIPHER_DES_112 and PCT_CIPHER_DES_168 denote ciphers in which the input is first encrypted under DES with a first key, then "decrypted" under DES with a second key, then encrypted under DES with a third key. For PCT_CIPHER_DES_112, the first and third keys are identical, and correspond to the initial 56 bits of the 112-bit WRITE_KEY. The second key corresponds to the final 56 bits of the WRITE_KEY. For PCT_CIPHER_DES_168, the three keys are distinct, and correspond to the first, second, and third 56-bit subsegments of the WRITE_KEY. All three of these DES-based cipher types have 64-bit data blocks and are used with cipher block chaining (CBC). Benaloh/Lampson/Simon/Spies/Yee [Page 22] Internet Draft The PCT Protocol November 1995 The standard key lengths for PCT_CIPHER_DES_112 and PCT_CIPHER_DES_168 are 112 bits and 168 bits, respectively. If a key length less than the standard length is specified for one of these ciphers (or for PCT_CIPHER_DES), then the WRITE_KEY is expanded to the standard length as described above. Note that before use, each 56-bit DES key must be "adjusted" to add eight parity bits to form an eight-byte DES key (see [4]). Similarly, if the specified WRITE_KEY length is less than its corresponding standard length, then each WRITE_KEY is expanded to the standard length using CLEAR_KEY_DATA as described above, to produce one, two, or three keys of 56 bits each, which are then each "adjusted" by adding parity bits to form an eight-byte key. PCT_CIPHER_IDEA denotes the IDEA block cipher (see [5]), with 64-bit data blocks and cipher block chaining. This cipher has a standard key length of 128 bits. PCT_CIPHER_RC2 denotes the RC2 block cipher, with 64-bit blocks and cipher block chaining. Like IDEA, this cipher has a standard key length of 128 bits. PCT_CIPHER_RC4 denotes the RC4 stream cipher. Like the IDEA and RC2 block ciphers, this cipher has a standard key length of 128 bits. 5.3.3 Hash Types PCT version 1 permits the following hash function types to be specified: PCT_HASH_MD5 PCT_HASH_MD5_TRUNC_64 PCT_HASH_SHA PCT_HASH_SHA_TRUNC_80 PCT_HASH_DES_DM PCT_CIPHER_MD5 denotes the MD5 hash function (see [6]), with 128-bit output. PCT_CIPHER_MD5_TRUNC_64 denotes the MD5 hash function, with its 128-bit output truncated to 64 bits. PCT_HASH_SHA denotes the Secure Hash Algorithm (see [7]), with 160-bit output. PCT_HASH_SHA_TRUNC_80 denotes the Secure Hash Algorithm, with its 160-bit output truncated to 80 bits. PCT_HASH_DES_DM denotes the DES-based Davies-Meyer hash algorithm (see [8]), with 64-bit output. 5.3.4 Certificate Types PCT version 1 permits the following certificate types to be specified: PCT_CERT_NONE PCT_CERT_X509 PCT_CERT_PKCS7 Benaloh/Lampson/Simon/Spies/Yee [Page 23] Internet Draft The PCT Protocol November 1995 These types apply equally to the client's and server's certificates. PCT_CERT_NONE denotes that no certificate is necessary; this type can be included by, say, the server as a choice, thereby making authentication optional for the client. PCT_CERT_X509 denotes a CCITT X.509 standard-conformant certificate (see [9]). PCT_CERT_PKCS7 denotes an RSA PKCS#7 standard-conformant certificate (see [10]). 5.3.5 Signature Types PCT version 1 permits the following signature key types to be specified: PCT_SIG_NONE PCT_SIG_RSA_MD5 PCT_SIG_RSA_SHA PCT_SIG_DSA_SHA PCT_SIG_NONE denotes that no signature is necessary; this type can be included by the server as a choice, thereby making authentication optional for the client. PCT_SIG_RSA_MD5 denotes the signature scheme consisting of hashing the data to be signed using the MD5 hash algorithm, and then performing an RSA private-key signature function (the inverse of RSA encryption) on the result. The signature must conform to RSA PKCS#1, block type 1 (see [2]). PCT_SIG_RSA_SHA denotes the same signature scheme with SHA substituted for MD5. PCT_SIG_DSA_SHA denotes the signature scheme consisting of hashing the data to be signed using the SHA hash algorithm, then computing a signature of the resulting value using the Digital Signature Algorithm (DSA; see [11]). 5.4 Errors Error handling in the PCT protocol is very simple. When an error is detected during the handshake phase, the detecting party sends a message to the other party indicating the error so that both parties will know about it, and then closes the connection. If a party detects an error after it has sent its last handshake message, the detecting party simply closes the connection without sending an error message. In the second case there are only two possible errors, and the party that does not detect the error can distinguish them as follows: if the server sees an aborted connection and the most recent message it sent the client was a handshake message, then the error was SERVER_AUTH_FAILED; otherwise, the error was INTEGRITY_CHECK_FAILED. Receiving an error message also causes the receiving party to close the connection. Servers and clients should not make any further use of any keys, challenges, connection identifiers, or session identifiers associated with such an aborted connection. Benaloh/Lampson/Simon/Spies/Yee [Page 24] Internet Draft The PCT Protocol November 1995 It is recommended that implementations perform some kind of alert or logging function when errors are generated to facilitate monitoring of various types of attack on the system. The message sent in the event of a handshake-phase error has the following form: char MSG_ERROR char ERROR_CODE_MSB char ERROR_CODE_LSB char ERROR_INFO_LENGTH_MSB char ERROR_INFO_LENGTH_LSB char ERROR_INFO_DATA[(MSB << 8)|LSB] The ERROR_INFO_LENGTH field is zero except in the case of the SPECS_MISMATCH error message, which has a six-byte ERROR_INFO_DATA field. The PCT Handshake Protocol defines the following errors: PCT_ERR_BAD_CERTIFICATE This error occurs when the client receives a SERVER_HELLO message in which the certificate is invalid, either because one or more of the signatures in the certificate is invalid, or because the identity or attributes on the certificate are in some way incorrect. PCT_ERR_CLIENT_AUTH_FAILED This error occurs when the server receives a CLIENT_MASTER_KEY message from the client in which the client's authentication response is incorrect. The certificate may be invalid, the signature may be invalid, or the contents of the signed response may be incorrect. PCT_ERR_ILLEGAL_MESSAGE This error occurs under a number of circumstances. For example, it occurs when an unrecognized security escape code is received, when an unrecognized handshake message is encountered, or when the value of CH_OFFSET is to large for its CLIENT_HELLO message. PCT_ERR_INTEGRITY_CHECK_FAILED This error occurs when either the client or the server receives a message in which the MAC_DATA is incorrect. It is also recommended that the record be treated as if it contained no data, in order to ensure that applications do not receive and process invalid data before learning that it has failed its integrity check. This error also occurs when the VERIFY_PRELUDE_DATA value sent by the client in the CLIENT_MASTER_KEY message (during the handshake phase) Benaloh/Lampson/Simon/Spies/Yee [Page 25] Internet Draft The PCT Protocol November 1995 is incorrect. In this case, an error message is sent. PCT_ERR_SERVER_AUTH_FAILED This error occurs when the client receives a SERVER_HELLO or SERVER_VERIFY message in which the authentication response is incorrect. PCT_ERR_SPECS_MISMATCH This error occurs when a server cannot find a cipher, hash function, certificate type, or key exchange algorithm it supports in the lists supplied by the client in the CLIENT_HELLO message. It also occurs when the client cannot find a certificate or signature type it supports in the list supplied by the server in a SERVER_HELLO message that requests client authentication. (Note that the client or server can select the "NONE" option as the last resort for any security feature it wishes to make optional. For example, the server can make client authentication optional for the client by passing a list of certificate and signature types, each list containing the "NONE" type as the last entry.) This error may also occur as a result of a mismatch in cipher specifications or client authentication requests between the initial specifications and those that resulted from a redo handshake sequence. The error message for this error includes a six-byte informational field, defined as follows: char SPECS_MISMATCH_CIPHER char SPECS_MISMATCH_HASH char SPECS_MISMATCH_CERT char SPECS_MISMATCH_EXCH char SPECS_MISMATCH_CLIENT_CERT char SPECS_MISMATCH_CLIENT_SIG Each field is set to a non-zero value if and only if the corresponding list resulted in a mismatch. For example, if and only if the SPECS_MISMATCH error message is being sent because server failed to find a certificate type it supports in the list supplied by the client in the CH_CERT_SPECS_DATA field, then the SPECS_MISMATCH_CERT field in the error message would be non-zero. 5.5 Constants Following is a list of constant values used in the PCT protocol version 1. 5.5.1 Message type codes These codes are each placed in the first byte of the corresponding PCT handshake phase message. Benaloh/Lampson/Simon/Spies/Yee [Page 26] Internet Draft The PCT Protocol November 1995 PCT_MSG_CLIENT_HELLO := 0x01 PCT_MSG_SERVER_HELLO := 0x02 PCT_MSG_CLIENT_MASTER_KEY := 0x03 PCT_MSG_SERVER_VERIFY := 0x04 PCT_MSG_ERROR := 0x05 5.5.2 Specification Type Codes These are codes used to specify types of cipher, key exchange, hash function, certificate, and digital signature in the protocol. PCT_EXCH_RSA_PKCS1 := 0x0001 PCT_EXCH_RSA_PKCS1_TOKEN_DES := 0x0002 PCT_EXCH_RSA_PKCS1_TOKEN_DES3 := 0x0003 PCT_EXCH_RSA_PKCS1_TOKEN_RC2 := 0x0004 PCT_EXCH_RSA_PKCS1_TOKEN_RC4 := 0x0005 PCT_EXCH_DH_PKCS3 := 0x0006 PCT_EXCH_DH_PKCS3_TOKEN_DES := 0x0007 PCT_EXCH_DH_PKCS3_TOKEN_DES3 := 0x0008 PCT_EXCH_FORTEZZA_TOKEN := 0x0009 PCT_CIPHER_DES := 0x0001 PCT_CIPHER_IDEA := 0x0002 PCT_CIPHER_RC2 := 0x0003 PCT_CIPHER_RC4 := 0x0004 PCT_CIPHER_DES_112 := 0x0005 PCT_CIPHER_DES_168 := 0x0006 PCT_HASH_MD5 := 0x0001 PCT_HASH_MD5_TRUNC_64 := 0x0002 PCT_HASH_SHA := 0x0003 PCT_HASH_SHA_TRUNC_80 := 0x0004 PCT_HASH_DES_DM := 0x0005 PCT_CERT_NONE := 0x0000 PCT_CERT_X509 := 0x0001 PCT_CERT_PKCS7 := 0x0002 PCT_SIG_NONE := 0x0000 PCT_SIG_RSA_MD5 := 0x0001 PCT_SIG_RSA_SHA := 0x0002 PCT_SIG_DSA_SHA := 0x0003 5.5.3 Error Codes These codes are used to identify errors, when they occur, in error messages. PCT_ERR_BAD_CERTIFICATE := 0x0001 PCT_ERR_CLIENT_AUTH_FAILED := 0x0002 PCT_ERR_ILLEGAL_MESSAGE := 0x0003 PCT_ERR_INTEGRITY_CHECK_FAILED := 0x0004 Benaloh/Lampson/Simon/Spies/Yee [Page 27] Internet Draft The PCT Protocol November 1995 PCT_ERR_SERVER_AUTH_FAILED := 0x0005 PCT_ERR_SPECS_MISMATCH := 0x0006 5.5.4 Miscellaneous Codes These include escape type codes, version numbers, and assorted constants associated with the PCT protocol. PCT_SESSION_ID_NONE := 0x00 (32 bytes of zeros) PCT_ET_OOB_DATA := 0x01 PCT_ET_REDO_CONN := 0x02 PCT_VERSION_1 := 0x8001 PCT_CH_OFFSET_V1 := 0x000A PCT_MAX_RECORD_LENGTH_2_BYTE_HEADER := 32767 PCT_MAX_RECORD_LENGTH_3_BYTE_HEADER := 16383 6. Security Considerations This entire document is about security. References [1] K. Hickman and T. Elgamal. The SSL Protocol. Internet-draft, June 1995. [2] RSA Laboratories, "PKCS #1: RSA Encryption Standard", Version 1.5, November 1993. [3] RSA Laboratories, "PKCS #3: "Diffie-Hellman Key-Agreement Standard", Version 1.4, November 1993. [4] NBS FIPS PUB 46, "Data Encryption Standard", National Bureau of Standards, US Department of Commerce, Jan. 1977. [5] X. Lai, "On the Design and Security of Block Ciphers", ETH Series in Information Processing, v. 1, Konstanz: Hartung-Gorre Verlag, 1992. [6] R. Rivest, RFC 1321: "The MD5 Message Digest Algorithm", April 1992. [7] NIST FIPS PUB 180-1, "Secure Hash Standard", National Institute of Standards and Technology, US Department of Commerce, Apr. 1995. [8] ISO/IEC 9797, "Data Cryptographic Techniques--Data Integrity Mechanism Using a Cryptographic Check Function Employing a Block Cipher Algorithm", 1989. Benaloh/Lampson/Simon/Spies/Yee [Page 28] Internet Draft The PCT Protocol November 1995 [9] CCITT. Recommendation X.509: "The Directory - Authentication Framework". 1988. [10] RSA Laboratories, "PKCS #7: Cryptographc Message Syntax Standard", Version 1.5, November 1993. [11] NIST FIPS PUB 186, "Digital Signature Standard", National Institute of Standards and Technology, US Department of Commerce, May 1994. [12] B. Schneier, "Applied Cryptography: Protocols, Algorithms, and Source Code in C", John Wiley & Sons, Inc., 1994. [13] R.L. Rivest, A. Shamir, L. Adelman, "A Method for Obtaining Digital Signatures and Public Key Cryptosystems" MIT Laboratory for Computer Science and Department of Mathematics, S.L. Graham, R.L. Rivest ed. Communications of the ACM, February 1978 (Vol 21, No. 2) pages 120-126. Patent Statement This version of the PCT protocol relies on the use of patented public key encryption technology for authentication and encryption. The Internet Standards Process as defined in RFC 1310 requires a written statement from the Patent holder that a license will be made available to applicants under reasonable terms and conditions prior to approving a specification as a Proposed, Draft or Internet Standard. See existing RFCs, including RFC 1170, that discuss known public key cryptography patents and licensing terms and conditions. The Internet Society, Internet Architecture Board, Internet Engineering Steering Group and the Corporation for National Research Initiatives take no position on the validity or scope of the patents and patent applications, nor on the appropriateness of the terms of the assurance. The Internet Society and other groups mentioned above have not made any determination as to any other intellectual property rights which may apply to the practice of this standard. Any further consideration of these matters is the user's own responsibility. Author's Address Josh Benaloh/Butler Lampson/Daniel R. Simon/Terence Spies/Bennet Yee Microsoft Corp. One Microsoft Way Redmond WA 98052 USA pct@microsoft.com This Internet-Draft expires 27 March 1996. Benaloh/Lampson/Simon/Spies/Yee [Page 29]