Publicly Verifiable Nominations Committee (NomCom) Random Selection
RFC 3797
| Document | Type |
RFC
- Informational
(June 2004)
Errata
Obsoletes RFC 2777
Was
draft-eastlake-rfc2777bis-selection
(individual in gen area)
|
|
|---|---|---|---|
| Author | Donald E. Eastlake 3rd | ||
| Last updated | 2022-07-21 | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| IESG | Responsible AD | Harald T. Alvestrand | |
| Send notices to | (None) |
RFC 3797
Internet Engineering Task Force (IETF) D. Harkins, Ed.
Request for Comments: 8110 HP Enterprise
Category: Informational W. Kumari, Ed.
ISSN: 2070-1721 Google
March 2017
Opportunistic Wireless Encryption
Abstract
This memo specifies an extension to IEEE Std 802.11 to provide for
opportunistic (unauthenticated) encryption to the wireless media.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8110.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Harkins & Kumari Informational [Page 1]
RFC 8110 Opportunistic Wireless Encryption March 2017
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
1.2. Notation . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. 802.11 Network Access . . . . . . . . . . . . . . . . . . . . 4
4. Opportunistic Wireless Encryption . . . . . . . . . . . . . . 5
4.1. Cryptography . . . . . . . . . . . . . . . . . . . . . . 5
4.2. OWE Discovery . . . . . . . . . . . . . . . . . . . . . . 6
4.3. OWE Association . . . . . . . . . . . . . . . . . . . . . 7
4.4. OWE Post-Association . . . . . . . . . . . . . . . . . . 8
4.5. OWE PMK Caching . . . . . . . . . . . . . . . . . . . . . 10
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
6. Implementation Considerations . . . . . . . . . . . . . . . . 10
7. Security Considerations . . . . . . . . . . . . . . . . . . . 11
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
8.1. Normative References . . . . . . . . . . . . . . . . . . 11
8.2. Informative References . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
Harkins & Kumari Informational [Page 2]
RFC 8110 Opportunistic Wireless Encryption March 2017
1. Introduction
This memo describes Opportunistic Wireless Encryption (OWE) -- a mode
of opportunistic security [RFC7435] for IEEE Std 802.11 that provides
encryption of the wireless medium but no authentication.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
1.2. Notation
This memo uses the following notation:
y = F(X)
An element-to-scalar mapping function. For an elliptic curve
group, it takes a point on the curve and returns the
x-coordinate; for a finite field element, it is the identity
function, just returning the element itself.
Z = DH(x,Y)
For an elliptic curve, DH(x,Y) is the multiplication of point Y
by the scalar value x, creating a point on the curve Z; for
finite field cryptography, DH(x,Y) is an exponentiation of
element Y to the power of x (implied modulo a field defining
prime, p) resulting in an element Z.
a = len(b)
Indicates the length in bits of the string b.
2. Background
Internet access has become an expected service at many locations --
for example, coffee shops, airports, and hotels. In many cases, this
is offered over "Open" (unencrypted) wireless networks, because
distributing a passphrase (or using other authentication solutions)
is not convenient or realistic. Ideally, users would always use a
VPN when using an untrusted network, but often they don't. This
leaves their traffic vulnerable to sniffing attacks, for example,
from someone in the adjacent hotel room running Wireshark, pervasive
monitors, etc.
In addition, many businesses (for example, coffee shops and bars)
offer free Wi-Fi as an inducement to customers to enter and remain in
the premises. Many customers will use the availability of free Wi-Fi
as a deciding factor in which business to patronize. Since these
Harkins & Kumari Informational [Page 3]
RFC 8110 Opportunistic Wireless Encryption March 2017
businesses are not Internet service providers, they are often
unwilling and/or unqualified to perform complex configuration on
their network. In addition, customers are generally unwilling to do
complicated provisioning on their devices just to obtain free Wi-Fi.
This leads to a popular deployment technique -- a network protected
using a shared and public Pre-Shared Key (PSK) that is printed on a
sandwich board at the entrance, on a chalkboard on the wall, or on a
menu. The PSK is used in a cryptographic handshake, defined in
[IEEE802.11], called the "4-way handshake" to prove knowledge of the
PSK and derive traffic encryption keys for bulk wireless data.
The belief is that this protects the wireless medium from passive
sniffing and simple attacks. That belief is erroneous. Since the
PSK is known by everyone, it is possible for a passive attacker to
observe the 4-way handshake and compute the traffic encryption keys
used by a client and access point (AP). If the attacker is too late
to observe this exchange, he can issue a forged "deauthenticate"
frame that will cause the client and/or AP to reset the 802.11 state
machine and cause them to go through the 4-way handshake again,
thereby allowing the passive attacker to determine the traffic keys.
With OWE, the client and AP perform a Diffie-Hellman key exchange
during the access procedure and use the resulting pairwise secret
with the 4-way handshake instead of using a shared and public PSK in
the 4-way handshake.
OWE requires no special configuration or user interaction but
provides a higher level of security than a common, shared, and public
PSK. OWE not only provides more security to the end user, it is also
easier to use both for the provider and the end user because there
are no public keys to maintain, share, or manage.
3. 802.11 Network Access
Wi-Fi access points (APs) advertise their presence through frames
called "beacons". These frames inform clients within earshot of the
SSID (Service Set Identifier) the AP is advertising, the AP's Media
Access Control (MAC) address (known as its "BSSID" (Basic Service Set
Identifier)), security policy governing access, the symmetric ciphers
it uses for unicast and broadcast frames, QoS information, as well as
support for other optional features of [IEEE802.11]. Wi-Fi clients
can actively discover APs by issuing "probe requests", which are
queries for APs that respond with "probe responses". A probe
response carries essentially the same information as a beacon.
Harkins & Kumari Informational [Page 4]
RFC 8110 Opportunistic Wireless Encryption March 2017
After an AP is discovered by a client, actively through probing or
passively through beacons, the client initiates a two-step method to
gain network access. The first step is "802.11 authentication". For
most methods of access, this is an empty exchange known as "Open
Authentication" -- basically, the client says, "authenticate me", and
the AP responds, "ok, you're authenticated&"Pool too big.\n" );
exit ( 1 );
}
selected = (unsigned short *) malloc ( (size_t)pool );
if ( !selected )
{
printf ( "Out of memory.\n" );
exit ( 1 );
}
selection = getinteger ( "Type number of items to be selected:\n" );
if ( selection > pool )
{
printf ( "Pool too small.\n" );
exit ( 1 );
}
if ( selection == pool )
printf ( "All of the pool is selected.\n" );
else
{
err = printf ( "Approximately %.1f bits of entropy needed.\n",
NPentropy ( selection, pool ) + 0.1 );
if ( err <= 0 ) exit ( 1 );
}
for ( i = 0, keysize = 0; i < 16; ++i )
{
if ( keysize > 500 )
{
printf ( "Too much input.\n" );
exit ( 1 );
}
/* get the "random" inputs. echo back to user so the user may
be able to tell if truncation or other glitches occur. */
err = printf (
"\nType #%d randomness or 'end' followed by new line.\n"
"Up to 16 integers or the word 'float' followed by up\n"
"to 16 x.y format reals.\n", i+1 );
if ( err <= 0 ) exit ( 1 );
gets ( buffer );
Eastlake 3rd Informational [Page 11]
RFC 3797 Verifiable Random Selection June 2004
j = sscanf ( buffer,
"%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld",
&array[0], &array[1], &array[2], &array[3],
&array[4], &array[5], &array[6], &array[7],
&array[8], &array[9], &array[10], &array[11],
&array[12], &array[13], &array[14], &array[15] );
if ( j == EOF )
exit ( j );
if ( !j )
if ( buffer[0] == 'e' )
break;
else
{ /* floating point code by Matt Crawford */
j = sscanf ( buffer,
"float %ld.%[0-9]%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]"
"%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]"
"%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]"
"%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]",
&array[0], sarray[0], &array[1], sarray[1],
&array[2], sarray[2], &array[3], sarray[3],
&array[4], sarray[4], &array[5], sarray[5],
&array[6], sarray[6], &array[7], sarray[7],
&array[8], sarray[8], &array[9], sarray[9],
&array[10], sarray[10], &array[11], sarray[11],
&array[12], sarray[12], &array[13], sarray[13],
&array[14], sarray[14], &array[15], sarray[15] );
if ( j == 0 || j & 1 )
printf ( "Bad format." );
else {
for ( k = 0, j /= 2; k < j; k++ )
{
/* strip trailing zeros */
for ( k2=strlen(sarray[k]); sarray[k][--k2]=='0';)
sarray[k][k2] = '\0';
err = printf ( "%ld.%s\n", array[k], sarray[k] );
if ( err <= 0 ) exit ( 1 );
keysize += sprintf ( &key[keysize], "%ld.%s",
array[k], sarray[k] );
}
keysize += sprintf ( &key[keysize], "/" );
}
}
else
{ /* sort values, not a very efficient algorithm */
for ( k2 = 0; k2 < j - 1; ++k2 )
for ( k = 0; k < j - 1; ++k )
if ( array[k] > array[k+1] )
Eastlake 3rd Informational [Page 12]
RFC 3797 Verifiable Random Selection June 2004
{
temp = array[k];
array[k] = array[k+1];
array[k+1] = temp;
}
for ( k = 0; k < j; ++k )
{ /* print for user check */
err = printf ( "%ld ", array[k] );
if ( err <= 0 ) exit ( 1 );
keysize += sprintf ( &key[keysize], "%ld.", array[k] );
}
keysize += sprintf ( &key[keysize], "/" );
}
} /* end for i */
/* have obtained all the input, now produce the output */
err = printf ( "Key is:\n %s\n", key );
if ( err <= 0 ) exit ( 1 );
for ( i = 0; i < pool; ++i )
selected [i] = (unsigned short)(i + 1);
printf ( "index hex value of MD5 div selected\n" );
for ( usel = 0, remaining = (unsigned short)pool;
usel < selection;
++usel, --remaining )
{
unch1 = (unsigned char)usel;
unch2 = (unsigned char)(usel>>8);
/* prefix/suffix extended to 2 bytes by Donald Eastlake */
MD5Init ( &ctx );
MD5Update ( &ctx, &unch2, 1 );
MD5Update ( &ctx, &unch1, 1 );
MD5Update ( &ctx, (unsigned char *)key, keysize );
MD5Update ( &ctx, &unch2, 1 );
MD5Update ( &ctx, &unch1, 1 );
MD5Final ( uc16, &ctx );
k = longremainder ( remaining, uc16 );
/* printf ( "Remaining = %d, remainder = %d.\n", remaining, k ); */
for ( j = 0; j < pool; ++j )
if ( selected[j] )
if ( --k < 0 )
{
printf ( "%2d "
"%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X "
"%2d -> %2d <-\n",
usel+1, uc16[0],uc16[1],uc16[2],uc16[3],uc16[4],uc16[5],uc16[6],
uc16[7],uc16[8],uc16[9],uc16[10],uc16[11],uc16[12],uc16[13],
uc16[14],uc16[15], remaining, selected[j] );
selected[j] = 0;
Eastlake 3rd Informational [Page 13]
RFC 3797 Verifiable Random Selection June 2004
break;
}
}
printf ( "\nDone, type any character to exit.\n" );
getchar ();
return 0;
}
/* prompt for a positive non-zero integer input */
/****************************************************************/
long int getinteger ( char *string )
{
long int i;
int j;
char tin[257];
while ( 1 )
{
printf ( string );
printf ( "(or 'exit' to exit) " );
gets ( tin );
j = sscanf ( tin, "%ld", &i );
if ( ( j == EOF )
|| ( !j && ( ( tin[0] == 'e' ) || ( tin[0] == 'E' ) ) )
)
exit ( j );
if ( ( j == 1 ) &&
( i > 0 ) )
return i;
} /* end while */
}
/* get remainder of dividing a 16 byte unsigned int
by a small positive number */
/****************************************************************/
int longremainder ( unsigned short divisor,
unsigned char dividend[16] )
{
int i;
long int kruft;
if ( !divisor )
return -1;
for ( i = 0, kruft = 0; i < 16; ++i )
{
kruft = ( kruft << 8 ) + dividend[i];
kruft %= divisor;
Eastlake 3rd Informational [Page 14]
RFC 3797 Verifiable Random Selection June 2004
}
return kruft;
} /* end longremainder */
/* calculate how many bits of entropy it takes to select N from P */
/****************************************************************/
/* P!
log ( ----------------- )
2 N! * ( P - N )!
*/
double NPentropy ( int N, int P )
{
int i;
double result = 0.0;
if ( ( N < 1 ) /* not selecting anything? */
|| ( N >= P ) /* selecting all of pool or more? */
)
return 0.0; /* degenerate case */
for ( i = P; i > ( P - N ); --i )
result += log ( i );
for ( i = N; i > 1; --i )
result -= log ( i );
/* divide by [ log (base e) of 2 ] to convert to bits */
result /= 0.69315;
return result;
} /* end NPentropy */
Eastlake 3rd Informational [Page 15]
RFC 3797 Verifiable Random Selection June 2004
Appendix A: History of NomCom Member Selection
For reference purposes, here is a list of the IETF Nominations
Committee member selection techniques and chairs so far:
YEAR CHAIR SELECTION METHOD
1993/1994 Jeff Case Clergy
1994/1995 Fred Baker Clergy
1995/1996 Guy Almes Clergy
1996/1997 Geoff Huston Spouse
1997/1998 Mike St.Johns Algorithm
1998/1999 Donald Eastlake 3rd RFC 2777
1999/2000 Avri Doria RFC 2777
2000/2001 Bernard Aboba RFC 2777
2001/2002 Theodore Ts'o RFC 2777
2002/2003 Phil Roberts RFC 2777
2003/2004 Rich Draves RFC 2777
Clergy = Names were written on pieces of paper, placed in a
receptacle, and a member of the clergy picked the NomCom members.
Spouse = Same as Clergy except chair's spouse made the selection.
Algorithm = Algorithmic selection based on similar concepts to those
documented in RFC 2777 and herein.
RFC 2777 = Algorithmic selection using the algorithm and reference
code provided in RFC 2777 (but not the fake example sources of
randomness).
Appendix B: Changes from RFC 2777
This document differs from [RFC 2777], the previous version, in three
primary ways as follows:
(1) Section 5, on problems actually encountered with using these
recommendations for selecting an IETF NomCom and on how to handle
them, has been added.
(2) The selection algorithm code has been modified to handle pools of
up to 2**16-1 elements and the counter based prefix and suffix
concatenated with the key string before hashing has been extended
to two bytes.
(3) Mention has been added that the algorithm documented herein was
used by IANA to select the Internationalized Domain Name ACE
prefix and some minor wording changes made.
Eastlake 3rd Informational [Page 16]
RFC 3797 Verifiable Random Selection June 2004
(4) References have been divided into Informative and Normative.
(5) The list in Appendix A has been brought up to date.
Acknowledgements
Matt Crawford and Erik Nordmark made major contributions to this
document. Comments by Bernard Aboba, Theodore Ts'o, Jim Galvin,
Steve Bellovin, and others have been incorporated.
References
Normative References
[ASCII] "USA Standard Code for Information Interchange", X3.4,
American National Standards Institute: New York, 1968.
[RFC 1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
April 1992.
[RFC 1750] Eastlake, 3rd, D., Crocker, S. and J. Schiller,
"Randomness Recommendations for Security", RFC 1750,
December 1994.
[RFC 3174] Eastlake, 3rd, D. and P. Jones, "US Secure Hash Algorithm
1 (SHA1)", RFC 3174, September 2001.
Informative References
[RFC 3777] Galvin, J., "IAB and IESG Selection, Confirmation, and
Recall Process: Operation of the Nominating and Recall
Committees", BCP 10, RFC 3777, April 2004.
[RFC 2777] Eastlake, 3rd, D., "Publicly Verifiable Nomcom Random
Selection", RFC 2777, February 2000.
[RFC 3490] Falstrom, P., Hoffman, P. and A. Costello,
"Internationalizing Domain Names in Applications (IDNA)",
RFC 3490, March 2003.
Eastlake 3rd Informational [Page 17]
RFC 3797 Verifiable Random Selection June 2004
Author's Address
Donald E. Eastlake, 3rd
Motorola Laboratories
155 Beaver Street
Milford, MA 01757 USA
Phone: +1-508-786-7554(w)
+1-508-634-2066(h)
EMail: Donald.Eastlake@motorola.com
Eastlake 3rd Informational [Page 18]
RFC 3797 Verifiable Random Selection June 2004
Full Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Eastlake 3rd Informational [Page 19]