Diffie-Hellman Proof-of-Possession Algorithms
RFC 2875

Document Type RFC - Proposed Standard (July 2000; No errata)
Obsoleted by RFC 6955
Authors Jim Schaad  , Hemma Prafullchandra 
Last updated 2013-03-02
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 2875 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                  H. Prafullchandra
Request for Comments: 2875                             Critical Path Inc
Category: Standards Track                                      J. Schaad
                                                               July 2000

             Diffie-Hellman Proof-of-Possession Algorithms

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.


   This document describes two methods for producing an integrity check
   value from a Diffie-Hellman key pair.  This behavior is needed for
   such operations as creating the signature of a PKCS #10 certification
   request.  These algorithms are designed to provide a proof-of-
   possession rather than general purpose signing.

1. Introduction

   PKCS #10 [RFC2314] defines a syntax for certification requests. It
   assumes that the public key being requested for certification
   corresponds to an algorithm that is capable of signing/encrypting.
   Diffie-Hellman (DH) is a key agreement algorithm and as such cannot
   be directly used for signing or encryption.

   This document describes two new proof-of-possession algorithms using
   the Diffie-Hellman key agreement process to provide a shared secret
   as the basis of an integrity check value.  In the first algorithm,
   the value is constructed for a specific recipient/verifier by using a
   public key of that verifier.  In the second algorithm, the value is
   constructed for arbitrary verifiers.

Prafullchandra & Schaad     Standards Track                     [Page 1]
RFC 2875     Diffie-Hellman Proof-of-Possession Algorithms     July 2000

2. Terminology

   The following definitions will be used in this document

   DH certificate = a certificate whose SubjectPublicKey is a DH public
   value and is signed with any signature algorithm (e.g. RSA or DSA).

3. Static DH Proof-of-Possession Process

   The steps for creating a DH POP are:

   1. An entity (E) chooses the group parameters for a DH key

      This is done simply by selecting the group parameters from a
      certificate for the recipient of the POP process.

      A certificate with the correct group parameters has to be
      available. Let these common DH parameters be g and p; and let
      this DH key-pair be known as the Recipient key pair (Rpub and

      Rpub = g^x mod p         (where x=Rpriv, the private DH value and
                                ^ denotes exponentiation)

   2. The entity generates a DH public/private key-pair using the
      parameters from step 1.

      For an entity E:

         Epriv = DH private value = y
         Epub  = DH public value  = g^y mod p

   3. The POP computation process will then consist of:

      a) The value to be signed is obtained. (For a RFC2314 object, the
         value is the DER encoded certificationRequestInfo field
         represented as an octet string.) This will be the `text'
         referred to in [RFC2104], the data to which HMAC-SHA1 is

      b) A shared DH secret is computed, as follows,

                shared secret = ZZ = g^xy mod p

Prafullchandra & Schaad     Standards Track                     [Page 2]
RFC 2875     Diffie-Hellman Proof-of-Possession Algorithms     July 2000

         [This is done by the entity E as Rpub^y and by the Recipient
         as Epub^x, where Rpub is retrieved from the Recipient's DH
         certificate (or is the one that was locally generated by the
         Entity) and Epub is retrieved from the actual certification

      c) A temporary key K is derived from the shared secret ZZ as

            K = SHA1(LeadingInfo | ZZ | TrailingInfo),
               where "|" means concatenation.

            LeadingInfo ::= Subject Distinguished Name from certificate
            TrailingInfo ::= Issuer Distinguished Name from certificate

      d) Compute HMAC-SHA1 over the data `text' as per [RFC2104] as:

            SHA1(K XOR opad, SHA1(K XOR ipad, text))

            opad (outer pad) = the byte 0x36 repeated 64 times and
            ipad (inner pad) = the byte 0x5C repeated 64 times.


          (1)  Append zeros to the end of K to create a 64 byte string
               (e.g., if K is of length 16 bytes it will be appended
               with 48 zero bytes 0x00).
          (2)  XOR (bitwise exclusive-OR) the 64 byte string computed
               in step (1) with ipad.
          (3)  Append the data stream `text' to the 64 byte string
Show full document text