Internet DRAFT - draft-jj-tls-private-key-hiding
draft-jj-tls-private-key-hiding
Network Working Group Seung Wook Jung
Internet Draft Soongsil University
Intended status: Standards Track Souhwan Jung
Expires: April 5, 2014 Soongsil University
October 15, 2013
Private Key Hiding for Transport Layer Security (TLS)
draft-jj-tls-private-key-hiding-01
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on April 15, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents carefully,
as they describe your rights and restrictions with respect to this
document. Code Components extracted from this document must include
Simplified BSD License text as described in Section 4.e of the Trust
Legal Provisions and are provided without warranty as described in
the Simplified BSD License.
Jung & Jung Expires April 15, 2014 [Page 1]
Internet-Draft Private Key Hiding for TLS October 15, 2013
Abstract
This document describes a private key hiding protocol and a joint
private key operation protocol for Transport Layer Security (TLS)
without needing to modify existing TLS.
Table of Contents
1. Introduction ................................................ 3
2. Conventions used in this document............................ 4
3. Private Key Hiding Setup Protocol for TLS .................... 4
3.1. Private Key Hiding Setup Protocol Overview .............. 4
3.2. Private Key Hiding Setup Message ........................ 5
4. Joint Private Key Operation Protocol for TLS ................. 6
4.1. Joint Private Key Operation Protocol Overview ........... 6
4.2. Joint Private Key Operation Message ..................... 7
5. Private Key Hiding Setup Protocol and Joint Private Key Operation
Protocol for the RSA [RSA] Key Exchange Algorithm ............... 8
5.1. Private Key Hiding Setup Protocol for the RSA Key Exchange
Algorithm ................................................... 9
5.2. Joint Private Key Operation for the RSA Key Exchange
Algorithm .................................................. 10
6. Private Key Hiding Setup Protocol and Joint Private Key Operation
Protocol for the DHE_RSA [TLS] Key Exchange Algorithm .......... 11
6.1. Private Key Hiding Setup Protocol for the DHE_RSA Key
Exchange Algorithm ......................................... 11
6.2. Joint Private Key Operation Protocol for the DHE_RSA Key
Exchange Algorithm ......................................... 12
7. Private Key Hiding Setup Protocol and Joint Private Key Operation
Protocol for the DHE_DSS [TLS] Key Exchange Algorithm .......... 13
7.1. Private Key Hiding Setup Protocol for the DHE_DSS Key
Exchange Algorithm ......................................... 13
7.2. Joint Private Key Operation Protocol for DHE_DSS Key Exchange
Algorithm .................................................. 14
8. Private Key Hiding Setup Protocol and Joint Private Key Operation
Protocol for the DH_RSA [TLS] and the DH_DSS [TLS] Key Exchange
Algorithm ..................................................... 16
8.1. Private Key Hiding Setup Protocol for the DH_RSA and the
DH_DSS Key Exchange Algorithm............................... 16
8.2. Joint Private Key Operation Protocol for the DH_RSA and the
DH_DSS Key Exchange Algorithm............................... 17
9. Private Key Hiding Setup Protocol and Joint Private Key Operation
Protocol for the ECDHE_ECDSA [TLSECC] Key Exchange Algorithm.... 18
9.1. Private Key Hiding Setup Protocol for the ECDHE_ECDSA Key
Exchange Algorithm ......................................... 18
Jung & Jung Expires April 15, 2014 [Page 2]
Internet-Draft Private Key Hiding for TLS October 15, 2013
9.2. Joint Private Key Operation Protocol for the ECDHE_ECDSA Key
Exchange Algorithm ......................................... 19
10. Private Key Hiding Setup Protocol and Joint Private Key Operation
Protocol for the ECDH_ECDSA [TLSECC] and the ECDH_RSA [TLSECC] Key
Exchange Algorithm ............................................ 21
10.1. Private Key Hiding Setup Protocol for the ECDH_ECDSA and the
ECDH_RSA Key Exchange Algorithm............................. 21
10.2. Joint Private Key Operation Protocol for the ECDH_ECDSA and
the ECDH_RSA Key Exchange Algorithm ......................... 21
11. Security Considerations.................................... 22
12. IANA Considerations........................................ 22
13. References ................................................ 23
13.1. Normative References.................................. 23
13.2. Informative References................................ 23
14. Acknowledgments ........................................... 23
1. Introduction
The most web services, including cloud computing, take advantage of
[TLS] for secure communication. In the case of cloud computing, a
Service Provider (later called SP) hosted in a Cloud Service Provider
(later called CSP) has to store SP's private key for [TLS] in the
computer machines of CSP. However, in the case of the public cloud
computing model, CSP is a third-party and not trustworthy. Therefore,
mechanisms that SP can hide SP's private key from untrustworthy
entity (later called UTE), CSP, are required, but the private key
operations for [TLS] can be properly conducted without changing TLS
protocols.
This document describes a private key hiding setup protocol for TLS.
The purpose of the private key hiding setup protocol is that SP sends
a Piece of Private Key for UTE (PPKU) derived from the private key of
SP to UTE. At the end of the private key hiding setup protocol, SP
has a Piece of Private Key for SP (PPKS), and UTE has PPKU. It is
infeasible that UTE makes the private key from PPKU. This document
only considers the non-anonymous key exchanges defined in [TLS]. In
addition to the private key hiding setup protocol, a joint private
key operation protocol is described in this document. UTE cannot
properly conduct private key operations only with his/her secret,
PPKU. Therefore, the purpose of the joint private key operation
protocol between SP and UTE is that SP and UTE conduct private key
operations in a cooperative way for TLS using PPKS and PPKU,
respectively. The advantages of using the private key hiding setup
protocol and the joint private key operation protocol are:
Jung & Jung Expires April 15, 2014 [Page 3]
Internet-Draft Private Key Hiding for TLS October 15, 2013
o Security level is higher than traditional TLS from the point of
view of key management, because the attack has to subvert both SP
and UTE in order to get the private key information.
o SP can know when the private key information is used by UTE.
The goals of this document are:
1. Security: the secure private key hiding setup protocol and the
secure joint private key operation protocol for TLS should be
defined, and the private key hiding setup protocol and the joint
private key operation protocol should not reduce the security of
TLS.
2. Compatibility: the private key hiding setup protocol and the joint
private key operation protocol should not require changing TLS
handshake protocols.
3. Interoperability: Independent programmers should be able to
develop applications utilizing the private key hiding setup
protocol and the joint private key operation protocol that can
successfully conduct without the knowledge of one another's code.
2. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [RFC2119].
3. Private Key Hiding Setup Protocol for TLS
3.1. Private Key Hiding Setup Protocol Overview
The overview of the private key hiding setup protocol is depicted in
following diagram.
UTE SP
<-- PrivateKeyHidingSetupRequest
PrivateKeyHidingSetupResponse -->
Figure 1 <Private Key Hiding Setup Protocol Overview>
At the setup phase, SP generates the keying material, and generates
the Piece of Private Key for UTE (later called PPKU) using some
secret sharing mechanisms. SP sends a PrivateKeyHidingSetupRequest
Jung & Jung Expires April 15, 2014 [Page 4]
Internet-Draft Private Key Hiding for TLS October 15, 2013
which includes PPKU to UTE. UTE sends a PrivateKeyHidingSetupResponse
to SP after receiving the PrivateKeyHidingSetupRequest.
3.2. Private Key Hiding Setup Message
This section shows the structure of messages for the private key
hiding setup protocol. The used representation language is the same
as that used in [TLS]. These messages will be sent for keying
material setup between SP and UTE.
enum{
private_key_hiding_setup_request(0),
private_key_hiding_setup_response(1)
} PrivateKeyHidingSetupType;
enum {rsa(0), dss(1), dh(2), ecdsa(3), ecdh(4)} KeyType;
struct {
PrivateKeyHidingSetupType msg_type;
unit8 version;
unit24 length; /* bytes in message */
KeyType keyType;
select (PrivateKeyHidingSetupType){
case private_key_hiding_setup_request :
PrivateKeyHidingSetupRequest;
case private_key_hiding_setup_response :
SetupResult result;
};
} PrivateKeyHidingSetup;
A PrivateKeyHidingSetup message with the
private_key_hiding_setup_request type means a
PrivateKeyHidingSetupRequest and A PrivateKeyHidingSetup message with
the private_key_hiding_setup_response type means a
PrivateKeyHidingSetupResponse.
struct {
select (KeyType){
case rsa : RSA_setup;
case dss : DSS_setup;
case dh : DH_setup;
case ecdsa :
case ecdh : EC_setup;
};
} PrivateKeyHidingSetupRequest;
Jung & Jung Expires April 15, 2014 [Page 5]
Internet-Draft Private Key Hiding for TLS October 15, 2013
KeyType means a long-term key type such as RSA, DSA [DSS], DH, ECDSA,
and ECDH. Each message structure for each key type will be described
throughout this document.
enum {success(0), fail(1)} SetupResult;
SetupResult indicates the success or the failure of the private key
hiding setup request message.
4. Joint Private Key Operation Protocol for TLS
4.1. Joint Private Key Operation Protocol Overview
The overview of the joint private key operation protocol is depicted
in following diagram.
Client UTE SP
| | |
| | |
| TLS Client Hello ---->| |
| | |
| |-->JointPrivateKeyOperationRequest |
| | |
| |<--JointPrivateKeyOperationResponse |
| | |
| TLS Finished Message <--| |
| | |
Figure 2 <Joint Private Key Operation Protocol Overview>
After a TLS handshake protocol is started by a TLS client hello
message, UTE sends a joint private key operation request to SP at
some point of the TLS handshaking which depends on the cipher suites
of [TLS].
UTE conducts private key operations with PPKU and the result of
private key operations with PPKU is inserted into the joint private
key operation request message. UTE sends the joint private key
operation request message to SP.
Upon the private key operation request, SP conducts private key
operations, and then inserts the result of private key operation
using PPKS into a joint private key operation response. SP sends the
joint private key operation response to UTE.
Jung & Jung Expires April 15, 2014 [Page 6]
Internet-Draft Private Key Hiding for TLS October 15, 2013
After that, UTE and the client send to each other the Finished
Message for finishing TLS handshaking.
The protocol between the client and UTE is the same as the TLS
handshake protocol exactly defined in [TLS] and the client does not
know that there exists SP.
4.2. Joint Private Key Operation Message
This section shows the structure of messages for the joint private
key operation protocol.
enum{
private_key_operation_request(0),
private_key_operation_response(1)
} JointPrivateKeyOperationProtocolType;
enum {
RSA(0), DHE_RSA(1), DHE_DSS(2), DH_RSA(3), DH_DSS(4),
ECDHE_RSA(5), ECDHE_ECDSA(6), ECDH_ECDSA(7), ECDH_RSA(8)
} JointPrivateKeyOperationType;
struct {
JointPrivateKeyOperationProtocolType msg_type;
unit8 version;
unit24 length; /* bytes in message */
JointPrivateKeyOperationType pko_type;
select (JointPrivateKeyOperationProtocolType) {
case private_key_operation_request :
PreComputedMessage pre_computed_message;
case private_key_operation_response :
ComputedMessage computed_message;
};
} JointPrivateKeyOperation;
The JointPrivateKeyOperation message with the
private_key_operation_request type means a
JointPrivateKeyOperationRequest and the JointPrivateKeyOperation
message with the private_key_operation_response type means a
JointPrivateKeyOperationResponse.
struct {
select (JointPrivateKeyOperationType) {
case RSA : RSA_pre_computed;
case DHE_RSA : DHE_RSA_pre_computed;
case DHE_DSS : DHE_DSA_pre_computed;
case DH_RSA :
Jung & Jung Expires April 15, 2014 [Page 7]
Internet-Draft Private Key Hiding for TLS October 15, 2013
case DH_DSS :
DH_pre_computed;
case ECDHE_RSA : ECDHE_RSA_pre_computed;
case ECDHE_ECDSA : ECDHE_ECDSA_pre_computed;
case ECDH_ECDSA :
case ECDH_RSA:
ECDH_pre_computed;
};
} PreComputedMessage;
The JointPrivateKeyOperationType means key exchange algorithms
defined in Section 7.4.2 of [TLS]. UTE sends these messages as
request for conducting private key operations to SP. Each message
structure for each JointPrivateKeyOperationType will be described
throughout this document.
struct {
select (JointPrivateKeyOperationType) {
case RSA : PreMasterSecret;
case DHE_RSA : DHE_RSA_computed;
case DHE_DSS : DHE_DSA_computed;
case DH_RSA :
case DH_DSS :
DH_computed;
case ECDHE_RSA : ECDHE_RSA_computed;
case ECDHE_ECDSA : ECDHE_ECDSA_computed;
case ECDH_ECDSA :
case ECDH_RSA :
ECDH_computed;
};
} ComputedMessage;
After receiving the JointPrivateKeyOperationRequest, SP conducts
private key operations and generates a ComputedMessage. SP sends then
the ComputedMessage to UTE.
5. Private Key Hiding Setup Protocol and Joint Private Key Operation
Protocol for the RSA [RSA] Key Exchange Algorithm
This section describes a private key hiding setup protocol and a
joint private key operation protocol for the RSA key exchange
algorithm of which key to be used for encryption. The connection
between SP and UTE must be secure such as [TLS].
Jung & Jung Expires April 15, 2014 [Page 8]
Internet-Draft Private Key Hiding for TLS October 15, 2013
5.1. Private Key Hiding Setup Protocol for the RSA Key Exchange
Algorithm
For setup, SP generates RSA private keying material and public keying
material as following.
p, q : a random or pseudorandom prime number of which bit length is
longer than 1024 bits
N = p * q
e = encryption key
d = private key which satisfies e*d = 1 mod (p-1)(q-1)
SP then requests a certificate to a trusted Certificate Authority as
the part of the X.509 protocol [PKIX]. Upon the certificate, SP
selects a random or pseudorandom number (d_1) as a Piece of Private
Key for UTE (PPKU). SP computes a Piece of Private Key for SP (PPKS)
as following.
d_1: a random or pseudorandom number in the interval [1, (p-1)*(q-1)-
1]
d = d_1 * d_2 mod (p-1)*(q-1)
PPKU: d_1
PPKS: d_2
SP generates a RSA_setup message as following.
struct {
opaque e<1..2^16-1>;
opaque N<1..2^16-1>;
opaque d_1<1..2^16-1>;
Certificate certificate;
} RSA_setup;
opaque ASN.1Cert<1..2^24-1>;
struct {
ASN.1Cert certificate_list<0..2^24-1>;
} Certificate;
Then, SP sends a PrivateKeyHidingSetup request with the
private_key_hiding_setup_request type as the
Jung & Jung Expires April 15, 2014 [Page 9]
Internet-Draft Private Key Hiding for TLS October 15, 2013
PrivateKeyHidingSetupType and the rsa as the KeyType. UTE sends a
PrivateKeyHidingSetup response with the
private_key_hiding_setup_response type for the
PrivateKeyHidingSetupType and the rsa type as the KeyType. The
Certificate message is defined in Section 7.4.2 of [TLS].
UTE securely stores d_1. Also, UTE stores e, N, and certificate. SP
stores d_2, e, N, and the certificate. SP should securely store d_2.
5.2. Joint Private Key Operation for the RSA Key Exchange Algorithm
When UTE received a ClientKeyExchange message in Section 7.4.7.1 of
[TLS] which includes a EncryptedPreMasterSecret in Section 7.4.7.1 of
[TLS], UTE computes m_1 =
(EncryptedPreMasterSecret.pre_master_secret)^d_1 mod N, where d_1 is
PPKU. Then, UTE generates a RSA_pre_computed message as following.
struct {
opaque m_1<1..2^16-1>
} RSA_pre_computed;
The EncryptedPreMasterSecret message is defined in Section 7.4.7.1 of
[TSL] as following.
struct {
ProtocolVersion client_version;
opaque random[46];
} PreMasterSecret;
struct {
public-key-encrypted PreMasterSecret pre_master_secret;
} EncryptedPreMasterSecret;
UTE inserts the RSA_pre_computed message into a
JointPrivateKeyOperation request message. UTE sends the
JointPrivateKeyOperation request with the
private_key_operation_request type as the
JointPrivateKeyOperationProtocolType and the RSA type as the
JointPrivateKeyOperationType.
When SP receives the JointPrivateKeyOperation request which includes
the RSA_pre_computed message, SP computes a PreMasterSecret = m_1^d_2
mod N, where d_2 is PPKS. SP inserts the PreMasterSecret into a
JointPrivateKeyOperation response message. SP sends the
JointPrivateKeyOperation response with the
private_key_operation_response type as the
Jung & Jung Expires April 15, 2014 [Page 10]
Internet-Draft Private Key Hiding for TLS October 15, 2013
JointPrivateKeyOperationProtocolType and the RSA type as the
JointPrivateKeyOperationType.
The procedure of the joint private key operation protocol for the RSA
key exchange algorithm is as following.
1. A TLS client and UTE start a TLS handshake Protocol.
2. The client securely generates a random or pseudorandom premaster
secret, PreMasterSecret.random.
3. The client generates a ClientKeyExchange message in Section 7.4.3
of [TLS] which includes the EncryptedPreMasterSecret.
4. The client sends the ClientKeyExchange message to UTE.
5. UTE generates a RSA_pre_computed message using d_1.
6. UTE generates a JointPrivateKeyOperation request and send it to SP.
7. SP generates a PreMasterSecret message and generates a
JointPrivateKeyOperation response using the PreMasterSecret
message.
8. SP sends the JointPrivateKeyOperation response to UTE.
9. UTE sends a ChangeCipherSpec message to the client.
This mechanism and protocol may be extended for RSA_PSK defined in
[TLSPSK]
6. Private Key Hiding Setup Protocol and Joint Private Key Operation
Protocol for the DHE_RSA [TLS] Key Exchange Algorithm
This section describes a private key hiding setup protocol and a
joint private key operation protocol for the DHE_RSA key exchange
algorithm where DHE represents Ephemeral Diffie-Hellman. RSA is used
for signing DHE parameters. The connection between SP and UTE must be
secure such as [TLS].
6.1. Private Key Hiding Setup Protocol for the DHE_RSA Key Exchange
Algorithm
SP generates RSA private keying material and public keying material
as described in Section 4.1. Also, PPKU and PPKS are the same in
Section 4.1. The RSA_setup message and the PrivateKeyHidingSetup
message also are the same in Section 4.1.
Jung & Jung Expires April 15, 2014 [Page 11]
Internet-Draft Private Key Hiding for TLS October 15, 2013
6.2. Joint Private Key Operation Protocol for the DHE_RSA Key Exchange
Algorithm
Before UTE sends a ServerKeyExchange in Section 7.4.3 of [TLS], UTE
generates a ServerDHParams in Section 7.4.3 of [TLS]. UTE computes
s_1 = H(signed_params)^d_1 mod N, where d_1 is PPKU. Finally UTE
generates a DHE_RSA_pre_computed message and inserts the
DHE_RSA_pre_computed message into a JointPrivateKeyOperation message.
UTE sends the JointPrivateKeyOperation with the
private_key_operation_request type as the
JointPrivateKeyOperationProtocolType, and the DHE_RSA as the
JointPrivateKeyOperationType.
struct {
opaque s_1<1..2^16-1>
} DHE_RSA_pre_computed;
struct {
opaque ClientHello.random;
opaque ServerHello.random;
ServerDHParams params;
} signed_params;
struct {
opaque dh_p<1..2^16-1>;
opaque dh_g<1..2^16-1>;
opaque dh_Ys<1..2^16-1>;
} ServerDHParams
When SP receives the JointPrivateKeyOperation request message, SP
computes s = s_1^d_1 mod N and generates a DHE_RSA_computed message.
SP inserts the DHE_RSA_computed message into a
JointPrivateKeyOperation response message. SP sends the
JointPrivateKeyOperation message with the
private_key_operation_response type as the
JointPrivateKeyOperationProtocolType and the DHE_RSA type as the
JointPrivateKeyOperationType.
struct {
opaque s<1..2^16-1>
} DHE_RSA_computed;
The procedure of the joint private key operation protocol for the
DHE_RSA key exchange algorithm is as following.
1. A TLS client and UTE start a TLS handshake Protocol.
Jung & Jung Expires April 15, 2014 [Page 12]
Internet-Draft Private Key Hiding for TLS October 15, 2013
2. UTE generates the ServerDHParams message defined in Section 7.4.3
of [TLS].
3. UTE generates a DHE_RSA_pre_computed message and insert it into a
JointPrivateKeyOperation request message. UTE sends the
JointPrivateKeyOperation request message with the
private_key_operation_request type and the DHE_RSA type to SP.
4. SP generates a DHE_RSA_computed and inserts it into a
JointPrivateKeyOperation response message. SP sends the
JointPrivateKeyOperation response message with the
private_key_operation_response type and the DHE_RSA type to UTE.
5. UTE generates a ServerKeyExchange message using the
DHE_RSA_computed message.
6. UTE sends the ServerKeyExchange message to the client.
7. Private Key Hiding Setup Protocol and Joint Private Key Operation
Protocol for the DHE_DSS [TLS] Key Exchange Algorithm
This section describes a private key hiding setup protocol and a
joint private key operation protocol for the DHE_DSS key exchange
algorithm where DSS stands for digital signature Standard [DSS]. DSA
[DSS] is used for signing DHE parameters with the hash algorithm. The
connection between SP and UTE is secure such as [TLS].
7.1. Private Key Hiding Setup Protocol for the DHE_DSS Key Exchange
Algorithm
For setup, SP generates DSA private keying material and public keying
material as following.
p: a random or pseudorandom prime number where 2^(L-1) < p < 2^L for
512 <=L<=1024 and L a multiple of 64.
q: a prime divisor of (p-1), where 2^159 < q < 2^160.
g = h^((p-1)/q) mod p, where h is any integer with 1 < h < (p-1) such
that h^((p-1)/q) mod p > 1.
x : a random or pseudorandom private key with 0 < x < q.
y = g^x mod p.
Jung & Jung Expires April 15, 2014 [Page 13]
Internet-Draft Private Key Hiding for TLS October 15, 2013
SP then requests a certificate to a trusted Certificate Authority as
the part of the X.509 protocol [PKIX]. Upon the certificate, SP
generates a Piece of Private Key for UTE (PPKU) and a Piece of
Private Key for SP (PPKS) as following.
x = x_1 + x_2 mod q, where x_1 is a random or pseudorandom number
with x_1 < q
PPKU: x_1
PPKS: x_2
SP generates a DSS_setup message as following.
struct {
opaque x_1<1..2^16-1>;
opaque p<1..2^16-1>;
opaque q<1..2^16-1>;
opaque g<1..2^16-1>;
Certificate certificate;
} DSS_setup;
Then, SP inserts the DSS_setup message into a PrivateKeyHidingSetup
request message. SP sends the PrivateKeyHidingSetup request message
with the private_key_hiding_setup_request type as the
PrivateKeyHidingSetupType and the dss type as KeyType. UTE responses
a PrivateKeyHidingSetup response message with the
private_key_hiding_setup_response type as the
PrivateKeyHidingSetupType and the dss type for the KeyType.
SP stores x_2, p, q, g, and the certificate. SP should securely store
x_2. UTE securely stores x_2. Also, UTE stores p, q, g, and
certificate.
7.2. Joint Private Key Operation Protocol for DHE_DSS Key Exchange
Algorithm
Before UTE sends the ServerKeyExchange in Section 7.4.3 of [TLS], UTE
generates the ServerDHParams in Section 7.4.3 of [TLS]. UTE selects a
random or pseudorandom value k in the interval [1, q-1]. Then UTE
generates a DHE_DSS_pre_computed as following.
struct {
opaque s_1<1..2^16-1>;
opaque r<1..2^16-1>;
opaque k<1..2^16-1>;
Jung & Jung Expires April 15, 2014 [Page 14]
Internet-Draft Private Key Hiding for TLS October 15, 2013
} DHE_DSS_pre_computed;
s_1 = (k^(-1)*(H(signed_params) + x_1*r)) mod q
r = (g^k mod p) mod q
x_1 is PPKU, H() is a secure one-way hash function, and the
signed_params is defined in Section 6.1.
Finally, UTE inserts the DHE_DSS_pre_computed into a
JointPrivateKeyOperation request message. UTE sends the
JointPrivateKeyOperation request message with the
private_key_operation_request type as the
JointPrivateKeyOperationProtocolType and the DHE_DSS type as the
JointPrivateKeyOperationType.
When SP receives the JointPrivateKeyOperation request, SP computes s
= s_1 + k^(-1) * x_2 * r mod q and generates a DHE_DSS_computed
message as following.
struct {
opaque s<1..2^16-1>
} DHE_DSS_computed;
SP inserts the DHE_DSS_computed message into a
JointPrivateKeyOperation response message. SP sends the
JointPrivateKeyOperation response message with the
private_key_operation_response type as the
JointPrivateKeyOperationProtocolType and the DHE_DSS type as the
JointPrivateKeyOperationType.
The procedure of the joint private key operation protocol for the
DHE_DSS key exchange algorithm is as following.
1. A TLS client and UTE start a TLS handshake Protocol.
2. UTE generates a ServerDHParams message.
3. UTE generates a DHE_DSS_pre_computed using x_1.
4. UTE inserts the DHE_DSS_pre_computed into a
JointPrivateKeyOperation request message. UTE sends the
JointPrivateKeyOperation request to SP.
5. SP computes s using x_2 and generates a DHE_DSS_computed message.
Jung & Jung Expires April 15, 2014 [Page 15]
Internet-Draft Private Key Hiding for TLS October 15, 2013
6. SP inserts the DHE_DSS_computed message into a
JointPrivateKeyOperation response message and sends the
JointPrivateKeyOperation resopnse message to UTE.
7. UTE generates a ServerKeyExchange message using the
DHE_DSS_computed message.
8. UTE sends the ServerKeyExchange message to the client.
8. Private Key Hiding Setup Protocol and Joint Private Key Operation
Protocol for the DH_RSA [TLS] and the DH_DSS [TLS] Key Exchange
Algorithm
This section describes a private key hiding setup protocol and a
joint private key operation protocol for the DH_DSS and the DH_RSA
key exchange algorithm. The connection between SP and UTE must be
secure such as [TLS].
8.1. Private Key Hiding Setup Protocol for the DH_RSA and the DH_DSS Key
Exchange Algorithm
For setup, SP generates Diffie-Hellman private keying material and
public keying material as following.
dh_p : The prime modulus used for the Diffie-Hellman operation
dh_g : The generator used for the Diffie-Hellman operation
dh_X : The server's Diffie-Hellman private value
dh_Ys : The server's Diffie-Hellman public value (dh_g^dh_X mod dh_p)
SP then requests a certificate to a trusted Certificate Authority as
the part of the X.509 protocol [PKIX]. Upon the certificate, SP
generates a Piece of Private Key for UTE (PPKU) and a Piece of
Private Key for SP (PPKS) as following.
dh_X = x_1 * x_2 mod p-1, where x_1 is a random or pseudorandom
number with x_1 < p-1 and GCD(x_1, p-1) = 1
PPKU: x_1
PPKS: x_2
SP generates a DH_setup message as following.
struct {
Jung & Jung Expires April 15, 2014 [Page 16]
Internet-Draft Private Key Hiding for TLS October 15, 2013
opaque x_1<1..2^16-1>;
opaque dh_p<1..2^16-1>;
opaque dh_g<1..2^16-1>;
Certificate certificate;
} DH_setup;
SP inserts the DH_setup into a PrivateKeyHidingSetup request message.
SP then sends the PrivateKeyHidingSetup request message with the
private_key_hiding_setup_request type as the
PrivateKeyHidingSetupType and the dh type for KeyType. UTE generates
a PrivateKeyHidingSetup response message with the
private_key_hiding_setup_response type as the
PrivateKeyHidingSetupType and the dh type as the KeyType, and sends
it to SP.
SP stores x_2, dh_p, dh_g, and the certificate. SP should securely
store x_2. UTE securely stores x_1. Also, UTE stores dh_p, dh_g, and
certificate.
8.2. Joint Private Key Operation Protocol for the DH_RSA and the DH_DSS
Key Exchange Algorithm
After UTE receives a CertificateVerify message in Section 7.4.8 of
[TLS], UTE computes k_1 = dh_Yc^x_1 mod p, where x_1 is PPKU. UTE
generates a DH_pre_computed message as following.
struct {
opaque k_1<1..2^16-1>;
} DH_pre_computed;
UTE inserts the DH_pre_computed message into a
JointPrivateKeyOperation request message. UTE sends the
JointPrivateKeyOperation request message with the
private_key_operation_request type as the
JointPrivateKeyOperationProtocolType, and the DH_RSA or the DH_DSS
type as the JointPrivateKeyOperationType.
When SP receives the JointPrivateKeyOperation request, SP computes k
= k_1^x_2 mod p, where x_2 is PPKS. SP generates a DH_computed
message as following.
struct {
opaque k<1..2^16-1>
} DH_computed;
SP inserts the DH_computed into a JointPrivateKeyOperation response
message. SP sends the JointPrivateKeyOperation response message with
Jung & Jung Expires April 15, 2014 [Page 17]
Internet-Draft Private Key Hiding for TLS October 15, 2013
the private_key_operation_response type as the
JointPrivateKeyOperationProtocolType. Also, the
JointPrivateKeyOperation response message is set with the DH_RSA type
or the DH_DSS type as the JointPrivateKeyOperationType.
The procedure of the joint private key operation protocol for the
DH_RSA and the DH_DSS key exchange algorithm is as following.
1. A TLS client and UTE start a TLS handshake Protocol.
2. Upon the CertificateVerify message defined in Section 7.4.8 of
[TLS], UTE computes a DH_pre_computed message and inserts it into
a JointPrivateKeyOperation request message. SP sends the
JointPrivateKeyOperation request message to SP.
3. SP generates a DH_computed message and inserts it into a
JointPrivateKeyOperation response message. SP sends in the
JointPrivateKeyOperation response message to UTE.
4. UTE sends the ChangeCipherSpec message in Section 7.1 of [TLS] to
the client.
9. Private Key Hiding Setup Protocol and Joint Private Key Operation
Protocol for the ECDHE_ECDSA [TLSECC] Key Exchange Algorithm
This section describes a private key hiding setup protocol and a
joint private key operation protocol for the DHE_ECDSA key exchange
algorithm. The connection between SP and UTE must be secure such as
[TLS].
9.1. Private Key Hiding Setup Protocol for the ECDHE_ECDSA Key Exchange
Algorithm
For setup, SP generates ECDSA private keying material and public
keying material as following.
d: a random or pseudorandom integer in the interval [1, n-1], where n
is the order of the base point G; d is a private key
Q = d X G: Q is the public key, where X is the elliptic curve point
multiplication by a scalar
SP then requests a certificate to a trusted Certificate Authority as
the part of the X.509 protocol [PKIX]. Upon the certificate, SP
generates a Piece of Private Key for UTE (PPKU) and a Piece of
Private Key for SP (PPKS) as following.
Jung & Jung Expires April 15, 2014 [Page 18]
Internet-Draft Private Key Hiding for TLS October 15, 2013
d = d_1 + d_2 mod n, where d_1 is a random or pseudorandom number in
the interval [1, n-1].
PPKU: d_1
PPKS: d_2
SP generates a EC_setup as following.
struct{
opaque d_1<1..2^16-1>;
ECParameters ecParam;
Certificate certificate;
} EC_setup;
The ECParameters is defiend in Section 5.3 of [TLSECC].
SP inserts the EC_setup into a PrivateKeyHidingSetup request message.
SP then sends the PrivateKeyHidingSetup request message with the
private_key_hiding_setup_request type as the
PrivateKeyHidingSetupType and the ecdsa type as the KeyType. UTE
sends a PrivateKeyHidingSetup response message with the
private_key_hiding_setup_response type as the
PrivateKeyHidingSetupType and the ecdsa type as the KeyType.
SP stores d_2, the ECParameters, and the certificate. SP should
securely store d_2. UTE securely stores d_1. Also, UTE stores ecParam
and certificate.
9.2. Joint Private Key Operation Protocol for the ECDHE_ECDSA Key
Exchange Algorithm
Before UTE sends the ServerKeyExchange defined in Section 7.4.3 of
[TLS], UTE generates a ServerECDHParams in Section 5.4 of [TLSECC].
UTE selects a random or pseudorandom integer k in the interval [1, n-
1]. Then UTE generates a ECDHE_ECDSA_pre_computed as following.
struct {
opaque k<1..2^16-1>;
opaque r<1..2^16-1>;
opaque s_1<1..2^16-1>;
} ECDHE_ECDSA_pre_computed;
r = x_1 mod n, where (x_1, y_1) = k X G
Jung & Jung Expires April 15, 2014 [Page 19]
Internet-Draft Private Key Hiding for TLS October 15, 2013
s_1 = k^(-1)*(e + r*d_1) mod n, where e= H(ClientHello.random +
serverHello.random + ServerECDHParams), d_1 is PPKU, and H() is a
cryptographically secure one-way hash function.
UTE inserts the ECDHE_ECDSA_pre_computed into a
JointPrivateKeyOperation request message. UTE sends the
JointPrivateKeyOperation request message with the
private_key_operation_request type as the
JointPrivateKeyOperationProtocolType and the ECDHE_ECDSA type as the
JointPrivateKeyOperationType.
When SP receives the JointPrivateKeyOperation request, SP computes s
= s_1 + k^(-1) * d_2 * r mod n and generates a ECDHE_ECDSA_computed
message as following.
struct {
opaque s<1..2^16-1>
} ECDHE_ECDSA_computed;
SP sends a JointPrivateKeyOperation which includes the
ECDHE_ECDSA_computed message with the private_key_operation_response
type as the JointPrivateKeyOperationProtocolType, and the ECDHE_ECDSA
as the JointPrivateKeyOperationType.
The procedure of the joint private key operation protocol for the
ECDHE_ECDSA key exchange algorithm is as following.
1. A TLS client and UTE start a TLS handshake Protocol.
2. Immediately after UTE sends a Server Certificate message in
Section 7.4.2 of [TLS], UTE generates a ECDHE_ECDSA_pre_computed
message.
3. UTE inserts the ECDHE_ECDSA_pre_computed message into a
JointPrivateKeyOperation request message. UTE sends the
JointPrivateKeyOperation request message to SP.
4. When SP receives the JointPrivateKeyOperation request message, SP
generates a ECDHE_ECDSA_computed.
5. SP inserts the ECDHE_ECDSA_computed into a
JointPrivateKeyOperation response message. SP sends the
JointPrivateKeyOperation response to UTE.
6. UTE generates a ServerKeyExchange message in Section 4.3 of
[TLSECC] using the ECDHE_ECDSA_computed and sends it to the client.
Jung & Jung Expires April 15, 2014 [Page 20]
Internet-Draft Private Key Hiding for TLS October 15, 2013
10. Private Key Hiding Setup Protocol and Joint Private Key Operation
Protocol for the ECDH_ECDSA [TLSECC] and the ECDH_RSA [TLSECC] Key
Exchange Algorithm
This section describes a private key hiding setup protocol and a
joint private key operation protocol for the ECDH_ECDSA and the
ECDH_RSA key exchange algorithm. The connection between SP and UTE
must be secure such as [TLS].
10.1. Private Key Hiding Setup Protocol for the ECDH_ECDSA and the
ECDH_RSA Key Exchange Algorithm
SP generates ECDH private keying material and public keying material
as described in Section 9.1. The EC_setup message is the same in
Section 9.1 except PPKU and PPKS.
d = d_1 * d_2 mod n, where d_1 is a random or pseudorandom number in
the interval [1, n-1].
PPKU: d_1
PPKS: d_2
The PrivateKeyHidingSetup request message and the response message
are the same as Section 9.1 except the KeyType. The KeyType SHOULD be
the ecdh.
10.2. Joint Private Key Operation Protocol for the ECDH_ECDSA and the
ECDH_RSA Key Exchange Algorithm
After UTE receives a CertificateVerify message in Section 7.4.8 of
[TLS], UTE computes (x_1, y_1) = ecdh_Yc X d_1, where ecdh_Yc is the
client's public ECDH value. UTE generates a ECDH_pre_computed message
as following.
struct {
opaque x_1<1..2^8-1>;
opaque y_1<1..2^8-1>;
} ECDH_pre_computed;
UTE inserts the ECDH_pre_computed into a JointPrivateKeyOperation
request message. UTE sends the JointPrivateKeyOperation with the
private_key_operation_request type as the
JointPrivateKeyOperationProtocolType. Also, the
JointPrivateKeyOperationType should be the ECDH_RSA or the ECDH_ECDSA.
Jung & Jung Expires April 15, 2014 [Page 21]
Internet-Draft Private Key Hiding for TLS October 15, 2013
When SP receives the JointPrivateKeyOperation request, SP computes (x,
y) = (x_1, y_1) X d_2, where d_2 is PPKS. SP generates a
ECDH_computed message as following.
struct {
opaque x<1..2^8-1>;
opaque y<1..2^8-1>;
} ECDH_computed;
SP inserts the ECDH_computed into a JointPrivateKeyOperation response
message. SP sends the JointPrivateKeyOperation response with the
private_key_operation_response type as the
JointPrivateKeyOperationProtocolType and the ECDH_RSA or the
ECDH_ECDSA as the JointPrivateKeyOperationType.
The procedure of the joint private key operation protocol for the
ECDH_ECDSA and the ECDH_RSA key exchange algorithm is as following.
1. A TLS client and UTE start a TLS handshake Protocol.
2. When UTE receives a CertificateVerify message, UTE generates a
ECDH_pre_computed message.
3. UTE inserts the ECDH_pre_computed message into a
JointPrivateKeyOperation request message.
4. UTE sends the JointPrivateKeyOperation request to SP
5. SP generates a ECDH_computed message and inserts the ECDH_computed
message into a JointPrivateKeyOperation response message.
6. SP sends the JointPrivateKeyOperation response to UTE.
7. UTE sends a ChangeCipherSpec message in Section 7.1 of [TLS] to
the client
11. Security Considerations
Security issues are discussed throughout this memo.
The security considerations are related to the security consideration
of [TLS] and [TLSECC]. The security considerations in [TLS] and
[TLSECC] should be applied properly.
12. IANA Considerations
This document includes request to IANA.
Jung & Jung Expires April 15, 2014 [Page 22]
Internet-Draft Private Key Hiding for TLS October 15, 2013
13. References
13.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[DSS] NIST FIPS PUB 186-2, "Digital Signature Standard", National
Institute of Standards and Technology, U.S. Department of
Commerce, 2000.
[RSA] R. Rivest, A. Shamir, and L. M. Adleman, "A Method for
Obtaining Digital Signatures and Public-Key Cryptosystems",
Communications of the ACM, v. 21, n. 2, Feb 1978, pp. 120-
126.
[TLS] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[TLSECC] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)", RFC 4492, May 2006.
13.2. Informative References
[DSS-3] NIST FIPS PUB 186-3, "Digital Signature Standard (DSS)",
National Institute of Standards and Technology, U.S.
Department of Commerce, June 2009.
[PKIX] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile", RFC 3280, April 2002.
14. Acknowledgments
Jung & Jung Expires April 15, 2014 [Page 23]
Internet-Draft Private Key Hiding for TLS October 15, 2013
Authors' Addresses
Seung Wook Jung
Soongsil University
511, Sangdo-Dong, Dongjak-Gu
Seoul, 156-743, Korea
Email: seungwookj@ssu.ac.kr
Souhwan Jung
Soongsil University
511, Sangdo-Dong, Dongjak-Gu
Seoul, 156-743, Korea
Email: souhwanj@ssu.ac.kr
Jung & Jung Expires April 15, 2014 [Page 24]
