1. Status of this Memo
This document is an Internet-Draft. Internet-Drafts
are working documents of the Internet Engineering Task Force (IETF),
its areas and its working groups. Note that other groups may also
distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum
of six months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work
in progress".
To learn the current status of any Internet-Draft,
please check the "1id-abstracts.txt" listing contained
in the Internet-Drafts Shadow Directories on ds.internic.net (US
East Coast), nic.nordu.net (Europe), ftp.isi.edu (US West Coast),
or munnari.oz.au (Pacific Rim).
This Internet-Draft expires 10 October 1996.
2. Abstract
This document specifies Version 2 of the Private
Communication Technology (PCT) protocol, a security protocol that
provides privacy over the Internet. The protocol is intended to
prevent eavesdropping on connection-based communications in client/server
applications, with at least one of the two always being authenticated,
and each having the option of requiring authentication of the
other. PCT is somewhat similar to SSL ([1]); however, PCT version
1 corrects or improves on several weaknesses of SSL, and version
2 also adds a number of new features. PCT version 2 is fully compatible
with PCT version 1.
3. Introduction
The Private Communication Technology (PCT) Protocol
is designed to provide privacy between two communicating applications
(a client and a server), and to authenticate at least one of the
two (typically the server) to the other. The PCT Protocol is application
protocol-independent. A "higher level" application protocol
(e.g. HTTP, FTP, TELNET, etc.) can layer on top of the PCT Protocol
transparently.
In the PCT protocol, all data is transmitted in the
form of variable-length records, each of which has a record header.
These records are used to transmit both PCT protocol messages
(including handshake, error, and key management messages) and
application data messages. Exchanges of records between a client
and server are grouped into "connections", which are
in turn grouped into "sessions". Every PCT connection
belongs to some particular session.
Every PCT protocol connection begins with a handshake
phase, during which a sequence of handshake messages (comprising
the PCT Handshake Protocol) are exchanged, which negotiate a (symmetric)
session key for the connection, as well as performing the requested
authentications based on certified asymmetric public (signature
or key exchange) keys (or on previously shared private "password"
keys). Once transmission of application protocol data messages
begins in a connection, all data (including error and key management
messages) is encrypted using encryption keys derived from a "master
key" exchanged during some handshake phase of the connection's
session, as well as from the handshake messages that began the
connection. In addition to encryption and authentication, the
PCT protocol verifies the integrity of messages using a hash function-based
message authentication code (MAC).
PCT assumes a reliable transport protocol (e.g. TCP)
for PCT record transmission and reception during the handshake
phase (and afterwards as well in version 1); however, use of datagram
records in version 2 makes it possible for individual records
to be sent independently (as "datagrams"), with neither
order nor eventual delivery guaranteed.
It should be noted that the PCT protocol does not
specify any details about verification of identities or certificates
with respect to account administrators, certification authorities,
revocation lists, and so on. Rather, it is assumed that protocol
implementations have access to a "black box" which is
capable of ruling on the validity of received identities and certificates
in a manner satisfactory to the implementation's user. Such a
ruling may, for instance, involve remote consultation with a trusted
service, or even with the actual user through a text or graphic
interface.
The PCT protocol's compatibility with, and differences
from, SSL ([1]) are outlined in the specification of PCT version
1 ([2]). PCT version 2 is fully compatible with PCT version 1,
in that an implementation of version 1 is a valid (though less
feature-rich) implementation of version 2. If either the client
or server (or both) identifies itself during the handshake phase
as using PCT version 1, then the session conforms to the PCT version
1 specification, and features introduced in version 2 are not
available. PCT version 1 compatibility details are given in section
8.
PCT version 2 is different from PCT version 1 in
the following respects:
- PCT version 2 has a revised record format which
allows handshake records, error records and data records, as well
as "key management" and "datagram" records
(two new record types) to be explicitly recognized and distinguished
from each other based on header information. Record headers can
also indicate continuations of previous records, allowing protocol
messages of any type to span multiple records, just as user data
already does in PCT version 1. Finally, encapsulating user data
in a new "data message" format allows the invocation
(using assigned data message types) of intermediate processing,
such as compression/decompression,
- PCT version 2 "datagram" records are
independently decryptable, allowing encrypted data to be sent
securely across unreliable transports, where neither delivery
nor correct order are guaranteed.
- PCT version 2 "key management" records
allow encryption and/or message authentication keys to be temporarily
changed within a session, to support the transport of pre-encrypted
data.
- PCT version 2 adds a "closing connection"
key management message to ensure that connections aren't prematurely
closed by someone unauthorized to do so.
- PCT version 2 message authentication is altered
to include record headers.
- The handshake phase of PCT version 2 allows a wider,
more symmetrical variety of authentication options: either client
or server or both may be authenticated, each by means of either
a key exchange or signature public key and certificate.
- PCT version 2 allows a new "private"
authentication type, in which authentication is based on a previously
shared identity-associated private key, rather than a certified
public key.
4. PCT Record Protocol Specification
4.1 Notation
The following notation is used in this specification
to represent data field formats in various protocol messages:
char MSG_EXAMPLE
char FIELD1
char FIELD2
char THING_LENGTH[2]
char ANOTHER_THING_LENGTH[4]
char THING_DATA[([0] << 8)|[1]]
char ANOTHER_THING_DATA[([0]<<24)|([1]<<16)|([2]<<8)|[3]]
...
The order is presented top to bottom, with the topmost
field being transmitted first. The "FIELD1" and "FIELD2"
fields are each one byte long; the "THING_LENGTH" and
"ANOTHER_THING_LENGTH" fields have lengths of two and
four bytes, respectively, as indicated by the numbers in square
brackets following the field labels. Their bytes are indexed by
their offset from the beginning of the field, starting with THING_LENGTH[0]
and ANOTHER_THING_LENGTH[0], which are the first bytes transmitted
in their respective fields.
In the "THING_DATA" and "ANOTHER_THING_DATA"
entries, the values in square brackets indicate byte offset indices
in THING_LENGTH and ANOTHER_THING_LENGTH, respectively. As presented
above, the notation refers to combining the bytes of the LENGTH
field in order to form an unsigned integer, with the bytes arranged
in decreasing order of significance. This integer defines the
number of bytes of data in the corresponding DATA field. For example,
if THING_LENGTH[0] were one and THING_LENGTH[1] were four then
the THING_DATA array would be exactly 260 bytes long. And if the
values of the four bytes of ANOTHER_THING_LENGTH were zero, one,
two and four, respectively, then ANOTHER_THING_DATA would be exactly
66,052 bytes long. This shorthand form is used throughout the
specification; occasionally, a "THING_DATA" field is
referred to as "THING", with the word "DATA"
omitted.
Individual bits within a data field are denoted as
follows:
LEAST_SIGNIFICANT_BIT := 0x0001
NEXT_LEAST_SIG_BIT := 0x0002
THIRD_LEAST_SIG_BIT := 0x0004
...
These bit identifiers correspond to the least, second-least
and third-least significant bits (in that order) in a two-byte
data field. The associated hexadecimal values consist of all zero
bits except for the identified bit.
Computations involving a hash function (sometimes
iterated) are denoted as follows:
COMPUTATION_RESULT_i = Hash( "ASCII string hash input 1"^i,
HASH_INPUT_2, HASH_INPUT_3^i, Hash( "ASCII string hash input 4",
HASH_INPUT_5, i ) )
The values in quotation marks are treated as (sequences
of) ASCII characters; "x"^i (or VARIABLE^i) denotes
i copies of the string "x" (or variable VARIABLE, respectively)
concatenated together. The parameters are input into the hash
function in the order presented; the variable i, wherever it appears
as an input value, is input as a single-byte unsigned integer.
If any input has a length which is not an integral number of bytes,
then (fewer than eight) zero bits are appended to its last byte
to produce an input which is an integral number of bytes. The
value of COMPUTATION_RESULT is obtained by concatenating the COMPUTATION_RESULT_i
values in order, for values of i in a specified range. (If no
subscript i is present in the specified formula, then the implied
range includes only the value 1.) If the resulting value requires
truncation, then the truncation is performed by removing bits
from the end to obtain a string of the required length.
In the case of elements of specifically named records
or messages, the names of record or message elements have prefixes
that identify the messages in which they appear. These prefixes
are sometimes omitted in the text when the containing messages
are obvious, or when the same elements have more than one possible
prefix.
4.2 PCT Record Format
4.2.1 Record header format
A PCT record consists of a four-byte header followed
by a variable-length body. The maximum length of the body is 32763
bytes.
The PCT record header formats differ in versions
1 and 2. The version 2 record header will be described in this
section; its compatibility with the version 1 header (which is
described fully in [2]) is explained in section 8.
The PCT version 2 record header has the following
structure:
char RH_RECORD_LENGTH[2]
char RH_RECORD_TYPE[2]
RECORD_LENGTH is an unsigned integer representing
the length of the (cleartext) data following the length field
in the record header (including the RH_RECORD_TYPE field and the
subsequent record body). The first (most significant) bit of the
first (most significant) byte of this field is set to one, for
backward compatibility reasons (see section 9); this bit must
be reset to zero to obtain the correct unsigned integer value.
Note that if encryption expands the length of the data, the length
of the (fully or partially encrypted) record body plus RH_RECORD_TYPE
field will not match the value in RECORD_LENGTH; the effect of
each cipher on data length is described in section 6.1.5.
RECORD_TYPE is a two-byte field indicating the type
of contents in the record, and in particular, how the record should
be processed. PCT version 2 defines a number of record type values
for specific record types; other record types are used to identify
PCT version 1 (or SSL version 2 or 3) connections, for appropriate
processing. These are RT_VERSION_1_CH, RT_VERSION_1_SH, RT_SSL_VERSION_2_CH,
RT_SSL_VERSION_2_SH and RT_SSL_VERSION_3, respectively. (Note
that type RT_SSL_VERSION_3 is defined only on the first, or most
significant, byte; the second, or least significant byte can have
any value.) The normal PCT version 2 record types are RT_HANDSHAKE,
RT_DATAGRAM, RT_KEY_MGMT, RT_ERROR, and RT_USER_DATA; their associated
record data formats are described in section 4.3. All other defined
record types are reserved, and must never be used. One of them,
RT_CD_RESERVED, is also explicitly defined to preclude use in
future versions.
4.3 PCT Record Body Formats
4.3.1 Handshake Record Body Format
PCT version 2 Handshake records (those with RECORD_TYPE
RT_HANDSHAKE) have a very simple body format:
char HS_MSG_TYPE[2]
char HS_RECORD_FLAGS[2]
char HS_HANDSHAKE_DATA[RH_RECORD_LENGTH - 6]
The possible HS_MSG_TYPE values are HS_CLIENT_HELLO,
HS_SERVER_HELLO, HS_CLIENT_MASTER_KEY, HS_SERVER_VERIFY, and HS_CLIENT_VERIFY.
HS_RECORD_FLAGS is a two-byte field containing informational flags
about the handshake record. The only two flags defined in PCT
version 2 are the last (least significant) two bits of HS_RECORD_FLAGS:
HS_FLAG_TO_BE_CONTD := 0x0001
HS_FLAG_CONTINUATION := 0x0002
The last (least significant) bit, HS_FLAG_TO_BE_CONTD,
indicates when set that the next record received of the same type
is to be considered a continuation of the current one. The second-least-significant
bit, HS_FLAG_CONTINUATION, indicates when set that the record
is to be considered a continuation of the previous record received
of the same type. (For PCT version 1 compatibility reasons, a
CLIENT_HELLO message must not be continued over more than one
handshake record.) The remaining flag bits are reserved, and must
be set to zero.
The HS_HANDSHAKE_DATA field contains data from a
PCT handshake message; the structure of these messages is described
in section 5.2. Note that a single handshake message may stretch
across more than one handshake record; in that case the appropriate
flags are set in the record header. (A restriction on how a handshake
message is fragmented among records is given in section 5.2.)
4.3.2 Datagram Records
A datagram record is an independently decryptable
data record; its enclosed data message can be decrypted, and its
MAC checked, regardless of whether previous records were delivered
in order (or at all). Datagrams can hence be used if the underlying
transport does not guarantee in-order delivery of records; for
example, it makes possible the transmission of "out-of-band"
data for rapid delivery in a TCP connection.
The format of PCT version 2 datagram records is as
follows:
char DG_ENCRYPTED_KEY_LENGTH[2]
char DG_ENCRYPTED_KEY_DATA[([0] << 8)|[1]]
char DG_ENCRYPTED_DATA[ENCRYPTED_LENGTH]
char DG_MAC_DATA[MAC_LENGTH]
The DG_ENCRYPTED_KEY_DATA field contains the key
information necessary to perform decryption and MAC verification
of the datagram record; its contents are described in section
6.1.3. The DG_ENCRYPTED_DATA field contains an encryption of ACTUAL_DATA
(consisting of the ACTUAL_LENGTH bytes of the datagram's enclosed
data message). The DG_MAC_DATA field contains the "Message
Authentication Code" (MAC); its contents are described in
section 7.3. Note that ACTUAL_LENGTH can be calculated directly
as RECORD_LENGTH - ENCRYPTED_KEY_LENGTH - MAC_LENGTH - 4. The
length of the encrypted datagram record body plus RH_RECORD_TYPE
field may be greater than RECORD_LENGTH, as a result of expansion
during encryption; see section 6.1.5.
4.3.3 Other Record Types
The bodies of PCT version 2 key management, error
and user data records (those with RECORD_TYPE RT_KEY_MGMT, RT_ERROR
and RT_USER_DATA, respectively) contain encrypted data, in the
following data format:
char DT_ENCRYPTED_DATA[ENCRYPTED_LENGTH]
char DT_MAC_DATA[MAC_LENGTH]
The ENCRYPTED_DATA field contains an encryption of
ACTUAL_DATA (consisting of the ACTUAL_LENGTH bytes of the enclosed
data message). The MAC_DATA field contains the "Message Authentication
Code" (MAC); its contents are described in section 7.3. ACTUAL_LENGTH
can be calculated directly as RECORD_LENGTH - MAC_LENGTH - 2.
4.4 Key Management Messages
Key management messages have the following format:
char KM_KEY_MGMT_TYPE[2]
char KM_NEW_HASH_TYPE[2]
char KM_NEW_CIPHER_TYPE[4]
char KM_WRITE_KEY_LENGTH[2]
char KM_WRITE_KEY_DATA[([0] << 8)|[1]]
There are four possible values of KM_KEY_MGMT_TYPE:
KM_TYPE_FIXED_KEY (setting up the transmission of pre-encrypted
data), KM_TYPE_RESUME_KEY (used to end transmission of pre-encrypted
data), KM_TYPE_REDO_HANDSHAKE (triggering a new run of the handshake
protocol), and KM_TYPE_CLOSE_CONN (preceding the closure of a
connection).
4.4.1 Preencrypted data
A KM_KEY_MGMT_TYPE value of KM_TYPE_FIXED_KEY indicates
that the key management message contains a fixed encryption key
with which subsequent data records will be encrypted until further
notice. Using this type of key management message, a client or
server can send data that has been pre-encrypted and stored in
encrypted form. Note that pre-encrypted data can be pre-MAC'd
as well. (See section 7.3.) Note also that a key management message
of this type must not be sent unless both client and server have
indicated support for the pre-encrypted data feature during the
handshake phase associated with this connection; see sections
5.2.1 and 5.2.2.
In a message of type KM_TYPE_FIXED_KEY, KM_NEW_CIPHER_TYPE
contains a cipher type code, and KM_NEW_HASH_TYPE contains a hash
function type code (see sections 6.2 and 6.3, respectively). These
types must be supported by the receiver of this message, as indicated
in during the handshake phase for this connection. (See sections
5.2.1 and 5.2.2.) The fixed encryption key (WRITE_KEY) is sent
in the field KM_WRITE_KEY_DATA.
Note that the encryption and MAC calculation used
for the key management message itself, and for subsequent non-data
records, are not altered. However, subsequent data records in
the same direction are encrypted using the WRITE_KEY sent in the
KM_WRITE_KEY_DATA field, until a key management message of type
KM_TYPE_FIXED_KEY or KM_TYPE_RESUME_KEY is sent and received,
or until the connection closes. (Note that pre-encrypted data
is not "nested"; a KM_TYPE_FIXED_KEY message is treated
as a KM_TYPE_RESUME_KEY message immediately followed by a KM_TYPE_FIXED_KEY
message.)
4.4.2 Restoring original key
A key management message of type KM_TYPE_RESUME_KEY
restores the value of the encryption key used for data records
transmitted in the same direction to the value originally negotiated
during the handshake phase of the current connection. This key
is used until the connection closes, or until a key management
message of type KM_TYPE_FIXED_KEY or KM_TYPE_REDO_HANDSHAKE is
received.
In this message, the KM_CIPHER_TYPE and KM_HASH_TYPE
messages are set to their original values negotiated during the
handshake phase for the current connection. (See section 5.2.2.)
The remaining data fields are empty, and their length is zero.
4.4.3 Closing connection
If both client and server indicated support for the
"closing connection" feature during the handshake phase
of the current connection (see sections 5.2.1 and 5.2.2), then
the connection is "closure-monitored", and closure of
a connection is handled in a special way. Whenever a client or
server is about to close a closure-monitored connection without
an error, at any point following the completion of the handshake
phase of the protocol, an exchange of key management messages
of type KM_TYPE_CLOSE_CONN is initiated first. In both messages,
the KM_NEW_CIPHER_TYPE and KM_NEW_HASH_TYPE fields contain the
current cipher and hash types, respectively, and the remaining
data fields are empty, with length zero. The sender of one of
these messages simply waits for a message of the same type to
be received in reply, then closes the connection; a receiver of
such a message who has not yet sent one replies with a message
of the same type, then closes the connection. A closure-monitored
connection closed without an error before receipt of a message
of this type results in a CONN_BROKEN error (see section 4.6).
4.4.4 Redo handshake
If both client and server indicated support for the
"redo handshake" feature during the handshake phase
of the current connection (see sections 5.2.1 and 5.2.2), then
the connection is "redo-enabled", and either the client
or the server may request, at any time after the handshake phase
has been completed for a connection, that another handshake phase
be performed for that connection. For example, either party may
request another handshake phase instead of closing the connection
in order to avoid allowing a sequence number to "wrap"
beyond 0xFFFFFFFF (see section 7.3). In addition, it is recommended
that implementations enforce limits on the duration of both connections
and sessions, with respect to the total number of bytes sent,
the number of records sent, the actual time elapsed since the
beginning of the connection or session, and, in the case of sessions,
the number of reconnections made. These limits serve to ensure
that keys are not used more or longer than it is safe to do so;
hence the limits may depend on the type and strength of cipher,
key exchange and authentication used, and may, at the implementer's
discretion, include indications from the application as to the
sensitivity of the data being transmitted or received. They may
be enforced using closure of the connection or (in a redo-enabled
connection) "redo handshake" key management messages.
To request a new handshake phase for the current
connection, the sender (client or server) sends a key management
message of type KM_TYPE_REDO_HANDSHAKE. The KM_NEW_CIPHER_TYPE
and KM_NEW_HASH_TYPE fields contain the current cipher and hash
types, respectively, and the remaining data fields are empty,
with length zero.
There are several cases to consider to ensure that
messages are dealt with in the correct order. The following rules
ensure that the first messages in the redone handshake are always
immediately preceded by a "redo handshake" key management
message.
If the client initiates the "redo handshake",
it sends the "redo handshake" message immediately followed
by a normal CLIENT_HELLO handshake message; the server, on receiving
the "redo handshake" message, may be in one of two states.
If the last message it sent was a "redo handshake" message,
then it simply waits for the CLIENT_HELLO message; otherwise,
it sends a "redo handshake" message in response, and
then waits for the CLIENT_HELLO message.
If the server initiates the "redo handshake",
then the server sends the "redo handshake" message and
simply waits for a "Redo Handshake" message in response;
this "redo handshake" message should be immediately
followed by a normal CLIENT_HELLO handshake message. The client,
on receiving the server's "redo handshake" message,
may be in one of two states. If the last two messages it sent
were a "redo handshake" message followed by a CLIENT_HELLO
message, then it simply waits for a SERVER_HELLO handshake message;
otherwise, it sends a "redo handshake" message in response,
followed by a CLIENT_HELLO message, and then waits for a SERVER_HELLO
message.
In all cases, the sender of the "redo handshake"
message continues to process incoming messages, but may not send
any non-handshake messages until the new handshake completes.
If the connection is closure-monitored (see section 4.4.3), then
the sending of an unprovoked "closing connection" key
management message between the sending of a "redo handshake"
message and the completion of the subsequent handshake is not
permitted. However, in such connections the sender of a "redo
handshake" message must be prepared to receive a "closing
connection" message instead of a "redo handshake"
message; in this case the sender responds with a "closing
connection" message and closes the connection.
The handshake phase that follows a "redo handshake"
message exchange is a normal one in most respects; the client
may request the reconnection of an old session or request that
a new session be initiated, and the server, on receiving a reconnection
request, can accept the reconnection or demand that a new session
be initiated instead. If a new session is being established, then
both client and server must request the same type of authentication
requested in the previous session; if one or the other was not
authenticated in the previous session, then requesting authentication
from the non-authenticated party in the new handshake phase is
permitted. Both parties must verify that the specifications negotiated
previously in the session (cipher type, key exchange type, certificate
type and certifier, hash function type, signature types, and so
on), as well as any certificates exchanged, are identical to those
found in the new handshake phase (with the exception of new types
and certificates for an authentication performed in this handshake,
but not in the previous one). A mismatch results in a SPECS_MISMATCH
or BAD_CERTIFICATE error (see section 4.6.) This ensures that
the security properties of the communication channel do not change
for the worse.
4.5 Data messages
Data messages contain user data to be delivered back
to the application using PCT. Each data record or datagram record
contains exactly one data message (corresponding to the ACTUAL_DATA
field in the description of these records), and data messages
are never continued across multiple messages.
PCT version 2 Data messages have the following format:
char DM_MESSAGE_TYPE[2]
char DM_MESSAGE_DATA[MESSAGE_LENGTH]
The only defined MESSAGE_TYPE in PCT version 2 is
DM_TYPE_USER_DATA; the data in messages of this type is presented
directly to the application. However, implementations of PCT can
assign types to other values to indicate types of preprocessing,
such as particular compression/decompression algorithms, to be
performed before passing the data in MESSAGE_DATA to the application.
Such implementations should allow messages to be nested in the
obvious way, with each preprocessing step yielding another data
message of the correct format, and the last step yielding a data
message of type DM_TYPE_USER_DATA. The permissible message types
for a particular connection are negotiated during the handshake
phase; see sections 5.2.1 and 5.2.2. An unrecognized message type
results in an ILLEGAL_MESSAGE error (see section 4.6).
For message type DM_TYPE_USER_DATA, the DM_MESSAGE_DATA
field contains user data to be passed to the application. For
other message types, DM_MESSAGE_DATA contains data which, after
the preprocessing determined by the message type, yields another
data message. MESSAGE_LENGTH (for the data message directly contained
in the data or datagram record) is calculated as ACTUAL_LENGTH
- 2, or RECORD_LENGTH - ENCRYPTED_KEY_LENGTH - MAC_LENGTH - 6
if the message is contained in a datagram record and RECORD_LENGTH
- MAC_LENGTH - 4 if it is contained in a data record.
4.6 Error messages
Error handling in the PCT protocol is very simple.
When an error is detected before a connection is closed, the detecting
party sends a message to the other party indicating the error
so that both parties will know about it, and then closes the connection.
In the case of closure-monitored connections (see section 4.4.3),
the error message replaces the "closing connection"
key management message. Receiving an error message also causes
the receiving party to close the connection. (No "closing
connection" message is ever sent in reply to an error message
before closure.)
Servers and clients should not make any further use
of any keys, challenges, connection identifiers, or session identifiers
associated with a connection aborted due to an error. It is recommended
that implementations perform some kind of alert or logging function
when errors are generated to facilitate monitoring of various
types of attack on the system.
Error messages have the following format:
char ER_ERROR_TYPE[2]
char ER_ERROR_INFO_LENGTH[2]
char ER_ERROR_INFO_DATA[([0] << 8)|[1]]
The ERROR_INFO_LENGTH field is zero except in the
case of the SPECS_MISMATCH error message, which has a two-byte
ERROR_INFO_DATA field. Note that when an error message is sent
before the end of the handshake phase of the protocol, the record
containing it is left unencrypted, and its MAC is omitted.
The following errors are defined in PCT version 2:
PCT_ERR_BAD_CERTIFICATE
This error occurs when the client or server receives
a handshake message in which a key-exchange public key certificate
is invalid, either because one or more of the signatures in the
certificate is invalid, or because the identity or attributes
on the certificate are in some way incorrect.
PCT_ERR_CLIENT_AUTH_FAILED
This error occurs when the server receives a CLIENT_MASTER_KEY
or CLENT_VERIFY message from the client in which the client's
authentication response is incorrect. The certificate may be invalid,
the signature may be invalid, or the contents of the signed response
may be incorrect.
PCT_ERR_CONN_BROKEN
This error occurs when a closure-monitored connection
(see section 4.4.3) is closed without an error message or a "closing
connection" key management message having been received.
Since this error only occurs after a connection has been closed,
no error message is sent.
PCT_ERR_ILLEGAL_MESSAGE
This error occurs under a number of circumstances.
For example, it occurs when an unrecognized handshake message
is encountered, or when the value of CH_OFFSET is to large for
its CLIENT_HELLO message.
PCT_ERR_INTEGRITY_CHECK_FAILED
This error occurs when either the client or the server
receives a record in which the MAC_DATA is incorrect. It is also
recommended that such a record be treated as if had not been received,
in order to ensure that applications do not receive and process
invalid data before learning that it has failed its integrity
check.
PCT_ERR_SERVER_AUTH_FAILED
This error occurs when the client receives a SERVER_HELLO
or SERVER_VERIFY message in which the authentication response
is incorrect.
PCT_ERR_SPECS_MISMATCH
This error occurs when a server cannot find a cipher,
hash function, certificate type, or key exchange algorithm it
supports in the lists supplied by the client in the CLIENT_HELLO
message. This error may also occur as a result of a mismatch in
cipher specifications or client authentication requests between
the initial specifications and those that resulted from a redo
handshake sequence.
The error message for this error includes a two-byte
informational field, with eight flags defined as follows:
SPECS_MISMATCH_CIPHER = 0x0001
SPECS_MISMATCH_HASH = 0x0002
SPECS_MISMATCH_EXCH = 0x0004
SPECS_MISMATCH_SIG = 0x0008
SPECS_MISMATCH_CERT = 0x0010
SPECS_MISMATCH_CERTIFIER = 0x0020
SPECS_MISMATCH_COMBINATION = 0x0040
Each flag is set if and only if the corresponding
list resulted in a mismatch. For example, if and only if the SPECS_MISMATCH
error message is being sent because server failed to find a certificate
type it supports in the list supplied by the client in the CH_CERT_LIST_DATA
field, then the SPECS_MISMATCH_CERT flag in the error message
would be non-zero. The SPECS_MISMATCH_COMBINATION flag indicates
that while there were matches found in each individual category,
all available certificates were incompatible with all the type
entries in at least one of the relevant lists (CH_CERT_LIST_DATA,
CH_CERTIFIER_LIST_DATA, CH_EXCH_LIST_DATA and CH_SIG_LIST_DATA).
5. PCT Handshake Phase
5.1 PCT handshake protocol overview
5.1.1 PCT handshake protocol introduction
The PCT Handshake Protocol (version 2) is performed
during the handshake phase at the start of every connection, and
is used to negotiate security enhancements (authentication, symmetric
encryption, and message integrity) to data sent during the rest
of the connection.
The version 2 PCT Handshake Protocol consists of
five messages, sentrespectively by the client, then server, then
client, then server, then client, in that order. (Moreover, under
certain circumstances, some or all of the last three messages
are omitted.) The messages are named, in order, CLIENT_HELLO,
SERVER_HELLO, CLIENT_MASTER_KEY, SERVER_VERIFY, and CLIENT_VERIFY.
The general contents of these messages depend upon
two criteria: how/if a "master key" for the session
is to be exchanged, and how/if each of the client and server are
to be authenticated. At least one of the two must be authenticated
by some means; authentication of either--or both--may be based
on either a key exchange, a digital signature, or (for one of
the two) a previously shared "password" key, or, in
the case of a connection in the same session as a previous one,
on a "master key" shared previously in the session.
The first criterion is determined by the client and
server together:first, the CLIENT_HELLO message may contain a
request to "reconnect" using a previously shared master
key from a particular session (in which case no new key exchange
is necessary). The SERVER_HELLO message will either confirm a
requested continuation of the session through the new connection,
or require that a new session be initiated, with a new key exchange.
PCT version 2 supports RSA {TM} -based key exchange (see [14],
[3]), Diffie-Hellman key exchange (see [4], [15]) and FORTEZZA
KEA token key exchange. The chosen key exchange is used by client
and server in the case of a new session to obtain a new shared
master key. This master key is used to derive keys for encryption
and message integrity (or "message authentication")
for the connection and for other connections associated with the
same session. Note that key exchanges have an implicit associated
direction, with a master key being, in effect, sent from one party
to the other (literally in the case of RSA key exchange, and more
metaphorically in the case of Diffie-Hellman/FORTEZZA KEA key
exchange). Hence a direction must also be chosen for the exchange.
In fact, the parties may agree to perform two key exchanges, one
in each direction; in that case, the master key for the session
is computed using both of the sent keys. In this document, the
term "encrypted master key" refers either to an RSA-encrypted
master key, or to the second (typically uncertified) Diffie-Hellman/FORTEZZA
KEA public value sent in a Diffie-Hellman or FORTEZZA KEA key
exchange. The key exchange is said to be directed towards the
receiver of this encrypted master key.
The second criterion is determined in a similar fashion:
if the connection is the first of a new session, then the client
may request authentication of the server by key exchange, or by
digital signature, or by private password, or by any one of a
specified subset of these options. The client also offers the
server a choice among the client authentication options (from
among these choices) available. The server, in turn, selects a
preferred authentication method if a choice is offered, and may
make a similar request from among the client authentication options
offered. All these authentications are "linked" to the
key exchange performed during the handshake, so that not only
the identity of the authenticated party, but also that party's
association to the handshake's key exchange as performed, is verified.
If no key exchange is performed, then both client
and server are authenticated using the shared master key for the
reconnected session, rather than any of the methods described
above.
In addition to key exchange and authentication, the
handshake protocol performs two other tasks: negotiation of cryptographic
parameters, and handshake verification. The first is accomplished
by the CLIENT_HELLO and SERVER_HELLO messages. The CLIENT_HELLO
includes a list of codes for acceptable types of symmetric cipher
and cryptographic hash function for use during the session, as
well as key exchange and signature algorithms, certificate types
and certifiers, and authentication methods acceptable for use
during the handshake protocol. The server responds in the SERVER_HELLO
message with its choices from among these lists of acceptable
types. The second task is performed during the first authentication;
it is based on a cryptographic hash of all the handshake message
data passed up to that point. Verification of this authenticated
hash value by its receiver assures that the handshake was not
tampered with in transit.
5.1.2 PCT handshake authentication
The four types of authentication permissible in PCT
version 2 are key-exchange, digital signature, private password,
and reconnection. Each follows a particular protocol flow, which
is essentially independent of which party is being authenticated
(except regarding the assignment of roles to the client and server).
In each case, client and server both issue random challenges (in
the CLIENT_HELLO and SERVER_HELLO messages, respectively); these
challenges, and all information exchanged up to and including
the completion of the key exchange(s), are incorporated into an
authentication response by the party being authenticated (the
"responder", as opposed to the "challenger",
to whom the response is sent). Hence the authentication response
cannot be sent until the sending of both challenges, as well as
the key exchange(s), have been completed (although it may appear
in the last message which contributes to one of these).
In key-exchange-based authentication, the responder
sends a certified public key, which the authenticating party (the
"challenger") uses to send a master key. In the case
of Diffie-Hellman/FORTEZZA KEA key exchange, the challenger's
value is normally randomly chosen, whereas the responder's is
fixed and certified; the master key computed by the challenger
can also be derived using the responder's private key and the
challenger's sent value. In the case of RSA key exchange, the
master key is randomly chosen at the time of the key exchange
by the challenger and encrypted using the responder's certified
public key. The responder then combines the received master key
(which may first be combined with another sent master key, in
the case of two-way key exchange) with all handshake message data
sent so far, including both challenges and all of the key exchange
data, to compute a response. This response is in the form of a
keyed hash, which is verified by the challenger to confirm that
the responder could derive the master key correctly, and therefore
holds the correct private key. (A keyed hash is simply the application
of a cryptographic hash function to a key and some other input
data; the assumed properties of the hash function make the function
result for any other data input infeasible to compute for anyone
not possessing the key.)
A key-exchange-based authentication therefore has
the following message flow:
Challenger Responder
---------- ---------
Challenger's Responder's
Challenge Challenge
[Certified public
key-exchange key]
Random encrypted
master key/public
Diffie-Hellman value
Keyed hash response
The challenges always appear in the CLIENT_HELLO and SERVER_HELLO messages. The certified key may not need to be sent, if the responder already possesses it (perhaps from a previous session).
In signature-based authentication, the responder
simply sends a certified digital signature public key, accompanied
by a digital signature, using the associated private key, of a
cryptographic hash of all handshake messages up to the one being
sent. (Note that this value is therefore derived from the completed
key exchange, as well as both challenges). The challenger verifies
the signature using the responder's certified public key. A signature-based
authentication has the following message flow:
Challenger Responder
---------- ---------
Challenger's Responder's
Challenge Challenge
Key Exchange(s)
Certified public
signature key,
signature response
Again, the challenge messages always appear in the
CLIENT_HELLO and SERVER_HELLO messages. The public key certificate
may not be necessary, but is sent regardless, since it can accompany
the digital signature in the same message, and therefore has no
cost in extra messages. A certificate-identifying code may be
used in its place if understood by both parties; see section 6.4.
Password-based authentication is similar to signature-based
authentication; the exchanged master key is combined with the
shared password and all the handshake message data sent so far,
including the identity of the responder, the exchanged master
key and both challenges, to produce a keyed hash response which
is sent by the responder and verified by the challenger.
A special case of this authentication is a doubly-certified
Diffie-Hellman key exchange, in which one party is authenticated
by certified Diffie-Hellman key-exchange public key, and the challenger's
sent value is not random but rather another certified Diffie-Hellman
public key. In this case, the challenger's identity is represented
by the certificate for the public value sent, and the exchanged
master key received by the responder is also treated simultaneously
as the challenger's password. (If both parties are to be authenticated
by certified Diffie-Hellman key exchange, then each sends a randomly
chosen public value to the other, and the final master key is
obtained by combining the two keys exchanged.)
It is recommended that shared private keys used for
password-based authentication be machine-generated and cryptographically
random in the same sense as the master key (see section 6.1.3).
However, because the distribution of password-style shared private
keys is outside the scope of this protocol, and is therefore vulnerable
to possible insecure implementations, the following constraints
on password-based authentication are imposed:
1. Only one of the client and server, not both, may
be authenticated using password-based authentication.
2. Password-based authentication may only be used
if the other party is also authenticated, using either key exchange-
or signature-based authentication.
3. If the other party is authenticated using signature-based
authentication, then the password-based authentication response
must be sent only after the other party's authentication response
has been sent and verified.
These constraints protect poorly chosen password-style
shared private keys from off-line brute force attacks. However,
even a well-chosen shared private key is vulnerable if not kept
strictly confidential by both parties sharing it. Implementations
must therefore ensure this confidentiality. Poorly-chosen or poorly-guarded
passwords are of course still vulnerable to other attacks.
A password-based authentication has the following
message flow:
Challenger Responder
---------- ---------
Challenger's Responder's
Challenge Challenge
Key Exchange(s)
responder's identity/
certified D-H public
value, keyed hash response
Finally, in the case of authentication based on a
master key exchanged earlier in the session, the response is computed
from both challenges, the shared master key, and the session identifier.
(The client's response is in fact implicit; by computing a correct
MAC for its first data message, the client demonstrates its possession
of the session's master key.) This authentication has the following
flow:
Challenger Responder
---------- ---------
Challenger's Responder's
Challenge Challenge
keyed hash response
5.1.3 Handshake key exchange
In the full handshake protocol, authentications are
interleaved with at least one key exchange (and with each other,
if both client and server are being authenticated). The interleaving
is designed to compress the authentications and key exchange(s)
into as few messages as possible. For example, a client has the
option of sending an encrypted public key and/or (possibly certified)
key-exchange public key in the CLIENT_HELLO message, along with
its challenge. The latter allows the client to "receive"
a client-directed key exchange, while the former initiates a server-directed
key exchange. However, the client may not have the server's key-exchange
public key, and may not anticipate a request for a client-directed
key exchange; hence, sending of the encrypted master key and/or
client key-exchange certificate may be postponed to the CLIENT_MASTER_KEY
message.
In general, each possible key exchange has a "regular"
and "quick" flow. A client-directed key exchange may
occur beginning in the CLIENT_MASTER_KEY message, when the client
sends a (possibly certified) key-exchange public key, then continues
in the SERVER_VERIFY message with the server sending an encrypted
master key. In the quick version, the client may (or may not)
send the (certified) public key in the CLIENT_HELLO message, and
the server, upon receiving it (or having received it at some time
in the past) sends an encrypted master key in the SERVER_HELLO
message. Similarly, normal server-directed key exchange begins
in the SERVER_HELLO message with a (possibly certified) key-exchange
public key, and continues with an encrypted master key in the
following CLIENT_MASTER_KEY message. In the quick version, the
client, having received the server's public key previously, sends
an encrypted master key immediately, in the CLIENT_HELLO message.
5.1.4 PCT Handshake Protocol flow
The contents of PCT version 2 handshake protocol
can be summarized as follows:
The CLIENT_HELLO message contains a random authentication
challenge to the server and a request for the type and level of
cryptography, certification, authentication and (if necessary)
digital signature to be used for the session, if it is to be a
new one. If the client is attempting to continue an old session,
then it also supplies that session's identifier. The client can
also send a "quick certificate", in anticipation of
a client authentication request from the server, and even a "quick
master key", if the client already has a satisfactory server's
key-exchange public key.
If the server accepts the old session identifier,
then the SERVER_HELLO message contains a response to the client's
challenge, and a random connection identifier which doubles as
a random challenge to the client. The handshake is then finished
(although an authentication of the client is implicit in the MAC
included with the client's first data message).
In the case of a new session, the SERVER_HELLO message
contains a random connection identifier; this identifier doubles
as an authentication challenge to the client if the server desires
client authentication. The server also responds with its choices
for type and level of cryptography, certification, authentication
and (if necessary) digital signature (from among those offered
by the client). In addition, the server sends a certificate for
the type of authentication requested by the client (if any), and
sends a "quick master key" and/or "quick response"
in response to the client's "quick certificate" and/or
"quick master key", respectively, if appropriate. In
the latter case, the response may require an accompanying digital
signature public-key certificate or "identity indicator"
(directing the client to the correct shared password), and the
handshake protocol completes at this point if no client authentication
is required.
The CLIENT_MASTER_KEY message sent by the client
(assuming that it is necessary) includes a (possibly certified)
key-exchange public key, if requested by the server. It also contains
an encrypted master key, if the server sent a key-exchange public
key, and an authentication response (accompanied by an identity
indicator or digital signature public key certificate, if appropriate)
if client authentication by signature or password was requested,
and the key exchange has been completed. If the server's authentication
response has also been received (or was not required), then the
handshake protocol completes at this point.
The SERVER_VERIFY message sent next by the server,
if necessary, contains an encrypted master key sent to the client,
if requested, and/or an authentication response (possibly accompanied
by a digital signature public key certificate or identity indicator)
to the encrypted master key sent in the previous message. Unless
the former requires an authentication response, the protocol completes
at this point.
Finally, the CLIENT_VERIFY message, if needed, contains
the client's authentication response to the key exchange completed
by the encrypted master key sent in the SERVER_VERIFY message.
Usually the client or server can safely begin sending
data records on the underlying transport immediately following
its own last handshake message, without waiting for a response
even if one is expected. In most instances, therefore, PCT adds
only a single round-trip to the connection's setup cost. Sometimes
the cost is even less; for instance, a server can begin sending
data immediately after sending the SERVER_HELLO message if the
client initiated a quick server-directed key exchange and only
server authentication is required, or if a successful reconnection
of an established session has occurred (note that in this case
the client cannot send data until receiving the SERVER_HELLO message
containing the server's challenge).
5.2 PCT Handshake messages
PCT version 2 Handshake messages are sent in handshake
records, whose format is described in section 4.3.1. These records
are sent in the clear (unencrypted), although some of the key-exchange-related
fields involve (public-key) encryption. A single handshake message
may span across more than one handshake record; however, only
data fields associated with four-byte length fields may do so.
These fields are always the last ones in a message; the remaining
ones (including all length fields) must be contained within the
first handshake record used for the handshake message. (Note that
for PCT version 1 compatibility reasions, the CLIENT_HELLO message
has no such fields.)
5.2.1 CLIENT_HELLO
char CH_SESSION_ID_DATA[30]
char CH_CHALLENGE_DATA[30]
char CH_CLIENT_VERSION[2]
char CH_OFFSET[2]
char CH_CIPHER_LIST_LENGTH[2]
char CH_HASH_LIST_LENGTH[2]
char CH_CERT_LIST_LENGTH[2]
char CH_EXCH_LIST_LENGTH[2]
char CH_KEY_ARG_LENGTH[2]
char CH_MSG_LIST_LENGTH[2]
char CH_SIG_LIST_LENGTH[2]
char CH_CERTIFIER_LIST_LENGTH[2]
char CH_QUICK_PUBLIC_VALUE_LENGTH[2]
char CH_QUICK_SERVER_PUBLIC_VALUE_LENGTH[2]
char CH_QUICK_ENCRYPTED_KEY_LENGTH[2]
char CH_AUTH_OPTIONS[2]
char CH_CIPHER_LIST_DATA[([0] << 8)|[1]]
char CH_HASH_LIST_DATA[([0] << 8)|[1]]
char CH_CERT_LIST_DATA[([0] << 8)|[1]]
char CH_EXCH_LIST_DATA[([0] << 8)|[1]]
char CH_KEY_ARG_DATA[([0] << 8)|[1]]
char CH_MSG_LIST_DATA[([0] << 8)|[1]]
char CH_SIG_LIST_DATA[([0] << 8)|[1]]
char CH_CERTIFIER_LIST_DATA[([0] << 8)|[1]]
char CH_QUICK_PUBLIC_VALUE_DATA[([1] << 8)|[1]]
char CH_QUICK_SERVER_PUBLIC_VALUE_DATA[([0] << 8)|[1]]
char CH_QUICK_ENCRYPTED_KEY_DATA[([0] << 8)|[1]]
When a client first connects to a server it is required
to send the CLIENT_HELLO message. The server is expecting this
message from the client as its first message. It is an ILLEGAL_MESSAGE
error for a client to send anything else as its first message.
The CLIENT_HELLO message begins with two fixed-length fields followed
by a two-byte version number and an offset to the variable length
data. The version number field CH_CLIENT_VERSION is always set
to PCT_VERSION_V2 in PCT version 2. The CH_OFFSET field contains
the number of bytes used by the various fields (length fields
plus the AUTH_OPTIONS field) that follow the offset field and
precede the variable-length fields. For PCT version 2, this offset
value is always PCT_CH_OFFSET_V2, i.e., 24. However, inclusion
of this field will allow future versions to be compatible with
version 2, even if the number of these fields changes, just as
inclusion of this field helps make PCT version 2 CLIENT_HELLO
messages understandable to PCT version 1 servers.
The CH_CHALLENGE_DATA field is a string of 30 bytes
of random bits, to be used as authentication challenge data from
the client. The CHALLENGE_DATA should be cryptographically random,
in the same sense as the MASTER_KEY (see section 6.1.3). If the
client finds a session identifier in its cache for the server,
then that session-identifier data is sent in the field CH_SESSION_ID_DATA.
Otherwise, the special PCT_SESSION_ID_NONE value is used. In either
case, the client specifies in CIPHER_LIST_DATA, HASH_LIST_DATA,
EXCH_LIST_DATA and SIG_LIST_DATA its preferred choices of symmetric
cipher, key lengths, hash function, asymmetric key exchange algorithm
and digital signature algorithm. However, if a session identifier
is sent, then these choices are only relevant in the case where
the server cannot recognize the session identifier, and a new
session must therefore be initiated. If the server recognizes
the session, then these fields are ignored by the server. Similarly,
if the client requires server authentication in the event of a
new session initiation, then the CERT_LIST_DATA and CERTIFIER_LIST_DATA
lists contain the client's preferred choices of certificate type
and certifier; otherwise, these lists are empty, and their length
is zero. Finally, the MSG_LIST_DATA list contains a list of data
message types (other than the DM_TYPE_USER_DATA) supported by
the client; if the client supplies a session identifier and the
server recognizes it, then this list is ignored, and the list
negotiated previously in the session is used instead.
The AUTH_OPTIONS field contains the values of twelve
flags that determine the flow of the remainder of the protocol
if a new session is being initiated. The flags are associated
with the twelve low-order bits of the AUTH_OPTIONS field, and
are named, in order (from least to most significant bit), as follows:
CH_DEMAND_KEY_EXCH_SEND := 0x0001
CH_DEMAND_AUTH_KEY_EXCH := 0x0002
CH_DEMAND_AUTH_SIG := 0x0004
CH_DEMAND_AUTH_PASSWORD := 0x0008
CH_OFFER_KEY_EXCH_RECEIVE := 0x0010
CH_OFFER_AUTH_KEY_EXCH := 0x0020
CH_OFFER_AUTH_SIG := 0x0040
CH_OFFER_AUTH_PASSWORD := 0x0080
CH_REQUEST_RECONNECT := 0x0100
CH_REQUEST_CLOSURE_MON := 0x0200
CH_REQUEST_REDO_ENABLE := 0x0400
CH_OFFER_CERTIFIER_TRYOUT := 0x0800
If the CH_DEMAND_KEY_EXCH_SEND flag is set to one,
then the client requires that the server accept an encrypted master
key from the client as part of the key exchange. If the CH_OFFER_KEY_EXCH_RECEIVE
flag is set to one, then the client is willing to receive an encrypted
master key from the server as part of the key exchange. If both
flags are set, then both conditions hold; the client requires
that the server receive a key exchange, and will also accept one,
at the server's option. In the case of uncertified Diffie-Hellman/FORTEZZA
KEA key exchange, the flags simply refer to the "receiver"
sending the public value first, followed by the "sender";
in other cases, the holder of the private key associated with
the RSA public key or certified Diffie-Hellman/FORTEZZA KEA public
value is always the "receiver". (Doubly certified Diffie-Hellman/FORTEZZA
KEA key exchange is discussed in section 5.1.2.) Note that both
client and server are assumed willing to be the (possibly sole)
sender of an encrypted master key; hence, even if the CH_DEMAND_KEY_EXCH_SEND
flag is set to zero, and the CH_OFFER_KEY_EXCH_RECEIVE flag is
set to one, the client has neither ruled out being the sender,
nor demanded to be the receiver, of an encrypted master key.
The six AUTH flags refer to types of authentication:
the client requires the server to authenticate by one of the means
for which the associated CH_DEMAND_AUTH flag is set to one, and
offers to authenticate itself, at the server's option, by any
of the means for which the associated CH_OFFER_AUTH flag is set
to one. (The abbreviations "KEY_EXCH", "SIG"
and "PASSWORD" stand for key-exchange-based, digital
signature-based and shared password-based authentication, respectively.)
The settings of the flags must be consistent with at least one
key exchange and one authentication occurring; i.e., at least
one of the six authentication flags and at least one of the two
key exchange flags must be set to one. Moreover, the constraints
on password-based authentication must be obeyed. (See sections
5.1.2 and 7.2.)
The CH_REQUEST_RECONNECT flag indicates, when set to one, that the client is requesting that the current connection be part of an existing session; in this case, the CH_SESSION_ID field must contain that session's identifier. The CH_REQUEST_CLOSURE_MON flag indicates, when set to one, that the client wishes the current session to be closure-monitored (see section 4.4.3). The CH_REQUEST_REDO_ENABLE flag indicates, when set to one, that the client wishes the current session to be redo-enabled (see section 4.4.4). Finally, the CH_OFFER_CERTIFIER_TRYOUT flag indicates, when set to one, that the list of acceptable certifiers in CH_CERTIFIER_LIST is not exhaustive (see below).
The CIPHER_LIST_DATA field contains a list of possible
symmetric ciphers supported by the client, in order of (the client's)
preference. Each element in the list is a four-byte field, of
which the first two bytes contain a code representing a cipher
type, the third byte contains the encryption key length in bits
(0-255), and the fourth byte contains the MAC key length in bits,
minus 64 (values 0-255, representing lengths 64-319; this encoding
enforces the requirement that the MAC key length be at least 64
bits). The entire list's length in bytes (four times the number
of elements) is placed in CIPHER_LIST_LENGTH.
The HASH_LIST_DATA field contains a list of possible
hash functions supported by the client, in order of (the client's)
preference. The server will choose one of these to be used for
computing MACs and deriving keys. Each element in the list is
a two-byte field containing a code representing a hash function
choice. The entire length of the list (twice the number of elements)
is placed in HASH_LIST_LENGTH.
The CERT_LIST_DATA field contains a list of possible
certificate formats supported by the client, in order of (the
client's) preference. Each element in the list is a two-byte field
containing a code representing a certificate format. The entire
length of the list (twice the number of elements) is placed in
CERT_LIST_LENGTH.
The EXCH_LIST_DATA field contains a list of possible
asymmetric key exchange algorithms supported by the client, in
order of (the client's) preference. Each element in the list is
a two-byte field containing a code representing a key exchange
algorithm type. The entire length of the list (twice the number
of elements) is placed in EXCH_LIST_LENGTH.
The KEY_ARG_DATA field contains an initialization
vector to be used in a reconnected session when the cipher type
is a block cipher (see section 6.1.5). If a new session is being
requested (i.e., if the CH_REQUEST_RECONNECT flag is set to zero),
then KEY_ARG_LENGTH must be zero.
The MSG_LIST_DATA field contains a list of data message
types (other than DM_TYPE_USER_DATA) supported by the client.
Each element in the list is a two-byte field containing a code
representing a data message type. The entire length of the list
(twice the number of elements) is placed in MSG_LIST_LENGTH.
The SIG_LIST_DATA field contains a list of possible
signature algorithms supported by the client, in order of (the
client's) preference. Each element in the list is a two-byte field
containing a code representing a signature algorithm type. The
entire length of the list (twice the number of elements) is placed
in SIG_LIST_LENGTH.
The CERTIFIER_LIST_DATA field contains a list of
identifiers of possible certificate sources recognized by the
client, in order of (the client's) preference. Each element in
the list is a zero-delimited string. The entire length of the
list is placed in CERTIFIER_LIST_LENGTH. A client may indicate,
by setting the CH_OFFER_CERTIFIER_TRYOUT flag to one, that the
certifier list does not imply rejection of all other certifiers;
for example, the client may provide an abbreviated (or even empty)
certifier list to avoid constructing an exhaustive list of accepted
certifiers, or may lack a naming convention for certifiers known
to be compatible with that of the server. The client may still
in that case reject a certificate offered by the server.
The CH_QUICK_PUBLIC_VALUE_DATA field may, at the
client's option, contain a (possibly certified) key-exchange public
key. If the field is non-empty, then the CH_OFFER_KEY_EXCH_RECEIVE
flag must be set to one. If the CH_OFFER_AUTH_KEY_EXCH flag is
also set to one, then the CH_QUICK_PUBLIC_VALUE_DATA field, if
non-empty, contains a certificate (including key-exchange public
key); otherwise the field, if non-empty, contains an uncertified
key exchange public value. The exact format of this field is described
in section 6.1.2. If the client expects the server to demand client
authentication by key exchange, then this public key/certificate
may expedite the expected key exchange/authentication; however,
the server may still indicate in the subsequent SERVER_HELLO message
that a public key or certificate of another type (or from a different
certifier) is required.
The CH_QUICK_SERVER_PUBLIC_VALUE_DATA and CH_QUICK_ENCRYPTED_KEY_DATA
fields may, at the client's option, contain, respectively, the
public value from a key-exchange public key certificate attributed
to the server, and an encrypted master key (or Diffie-Hellman/FORTEZZA
KEA public value) decryptable by the holder of the private key
associated with the certified key-exchange public key. The format
of these fields is described in section 6.1.2. If the client already
possesses a certified key-exchange public key belonging to the
server, then use of these fields will expedite the resulting key
exchange. However, in unusual circumstances, the server may still
"disavow" the key exchange--that is, refuse to receive
it, and offer only some other key exchange type, direction or
certificate. (For example, the public key used by the client may
be incorrect or out-of-date.) Note that if these fields are used
by the client, then the CH_REQUEST_KEY_EXCH_SEND flag must be
set to one.
The server, on receiving a CLIENT_HELLO message,
checks the version number and the offset field to determine where
the variable-length data fields start. (The OFFSET value should
be at least PCT_CH_OFFSET_V2 for versions 2 and higher.) The server
then checks whether the CH_REQUEST_RECONNECT flag is set to one,
and if so, whether it recognizes the SESSION_ID. In that case,
the server responds with a SERVER_HELLO message with the SH_ACCEPT_RECONNECT
flag set, and the appropriate values (see below) in the RESPONSE
and CONNECTION_ID fields.
Otherwise, it examines the CIPHER_LIST and HASH_LIST
lists in the CLIENT_HELLO message to select a cipher and hash
function. The server also examines the AUTH_OPTIONS flags and
CERT_LIST, CERTIFIER_LIST, SIG_LIST and EXCH_LIST lists to select
a key exchange type and direction(s) and an authentication combination
for itself (including authentication type, certificate type and
certifier) which is acceptable to both the client and the server,
if one or more of the CH_DEMAND_AUTH flags were set. Finally,
the server examines the same lists to choose a sublist from each
with which it is compatible, if it requires client authentication
as well. If such selections are possible, then the server sends
a SERVER_HELLO message to the client as described below; otherwise,
the server detects a SPECS_MISMATCH error. The server also examines
the quick key-exchange public value (if sent) for compatibility,
and/or decrypts the quick encrypted master key, if possible.
5.2.2 SERVER_HELLO
char SH_SERVER_VERSION[2]
char SH_AUTH_OPTIONS[2]
char SH_CIPHER_SPECS_DATA[4]
char SH_HASH_SPECS_DATA[2]
char SH_EXCH_SPECS_DATA[2]
char SH_CONNECTION_ID_DATA[30]
char SH_SESSION_ID_DATA[30]
char SH_ALT_CIPHER_LIST_LENGTH[2]
char SH_ALT_HASH_LIST_LENGTH[2]
char SH_MSG_LIST_LENGTH[2]
char SH_EXCH_LIST_LENGTH[2]
char SH_CERT_LIST_LENGTH[2]
char SH_SIG_LIST_LENGTH[2]
char SH_QUICK_ENCRYPTED_KEY_LENGTH[2]
char SH_RESPONSE_LENGTH[2]
char SH_CERTIFIER_LIST_LENGTH[4]
char SH_PUBLIC_VALUE_LENGTH[4]
char SH_SIG_CERT_LENGTH[4]
char SH_ALT_CIPHER_LIST_DATA[([0] << 8)|[1]]
char SH_ALT_HASH_LIST_DATA[([0] << 8)|[1]]
char SH_MSG_LIST_DATA[([0] << 8)|[1]]
char SH_EXCH_LIST_DATA[([0] << 8)|[1]]
char SH_CERT_LIST_DATA[([0] << 8)|[1]]
char SH_SIG_LIST_DATA[([0] << 8)|[1]]
char SH_QUICK_ENCRYPTED_KEY_DATA[([0] << 8)|[1]]
char SH_RESPONSE_DATA[([0] << 8)|[1]]
char SH_CERTIFIER_LIST_DATA[([0] << 24)|([1] << 16)|([2] << 8)|[3]]
char SH_PUBLIC_VALUE_DATA[([0] << 24)|([1] << 16)|([2] << 8)|[3]]
char SH_SIG_CERT_DATA[([0] << 24)|([1] <<
16)|([2] << 8)|[3]]
The server sends this message after receiving the
client's CLIENT_HELLO message. The PCT version number in SH_SERVER_VERSION
is always the maximum protocol version that the server supports;
the remainder of the SERVER_HELLO message and all subsequent messages
will conform to the format specified by the protocol version corresponding
to the minimum of the client and server protocol version numbers,
as indicated by the CH_CLIENT_VERSION and SH_SERVER_VERSION fields.
Unless there is an error, the server always returns a random value
30 bytes in length in the CONNECTION_ID field. This value doubles
as challenge data if the server requests client authentication,
and should therefore be random in the same sense as the challenge
data in the CLIENT_HELLO message.
The SH_AUTH_OPTIONS field contains twelve flags,
associated with the twelve low-order bits of the SH_AUTH_OPTIONS
field; they are named, in order (from least to most significant
bit), as follows:
SH_ACCEDE_KEY_EXCH_RECEIVE := 0x0001
SH_ACCEDE_AUTH_KEY_EXCH := 0x0002
SH_ACCEDE_AUTH_SIG := 0x0004
SH_ACCEDE_AUTH_PASSWORD := 0x0008
SH_ACCEPT_KEY_EXCH_SEND := 0x0010
SH_ACCEPT_AUTH_KEY_EXCH := 0x0020
SH_ACCEPT_AUTH_SIG := 0x0040
SH_ACCEPT_AUTH_PASSWORD := 0x0080
SH_ACCEPT_RECONNECT := 0x0100
SH_ACCEPT_CLOSURE_MON := 0x0200
SH_ACCEPT_REDO_ENABLE := 0x0400
SH_OFFER_CERTIFIER_TRYOUT := 0x0800
The SH_ACCEPT_CLOSURE_MON flag is set to one if and
only if the CH_REQUEST_CLOSURE_MON flag is set to one, and the
server also prefers the current connection to be closure-monitored
(see section 4.4.3). The SH_ACCEPT_REDO_ENABLE flag is set to
one if and only if the CH_REQUEST_REDO_ENABLE flag is set to one,
and the server also prefers the current connection to be redo-enabled
(see section 4.4.4).
If the server recognizes the contents of the CH_SESSION_ID_DATA
ield of the CLIENT_HELLO message as session identifier for a session
for which the master key is still available to the server, then
the SH_ACCEPT_RECONNECT flag in the SH_AUTH_OPTIONS field is set
to one. Also, the SH_SESSION_ID_DATA field echoes the CH_SESSION_ID_DATA
field. Moreover, the server sets the CIPHER_SPECS_DATA and HASH_SPECS_DATA
fields to the values stored along with the session identifier.
There are two subcases: (1) If the SH_EXCH_SPECS_DATA value does
not refer to a TOKEN type (see section 6.1), then the CLIENT_MAC,
SERVER_MAC, CLIENT_WRITE, and SERVER_WRITE keys are rederived
using the MASTER_KEY from the old session, as well as the CONNECTION_ID
and CH_CHALLENGE values from the SERVER_HELLO and CLIENT_HELLO
messages, respectively, for this connection. (2) If the SH_EXCH_SPECS_DATA
refers to a TOKEN type, then the keys from the ongoing session
continue to be used. In order to obtain fresh key material or
reset the sequence number, TOKEN implementations must use the
redo handshake mechanism (KM_REDO_HANDSHAKE key management message),
or else not request (or not accept) reconnections of an established
session. When this mechanism is used with a TOKEN exchange type,
the client must set the CH_REQUEST_RECONNECT flag to one and send
PCT_SESSION_ID_NONE in the CH_SESSION_ID_DATA field of the subsequent
CLIENT_HELLO message. (See section 4.4.4.)
In the case of a reconnection, all the remaining data fields are empty except for SH_RESPONSE_DATA, whose contents are described in section 7.2. Also, all of the flags in SH_AUTH_OPTIONS are set to zero except SH_ACCEPT_RECONNECT and possibly SH_ACCEPT_CLOSURE_MON and/or SH_ACCEPT_REDO_ENABLE.
If the server does not recognize the session identifier
provided by he client (or if the CH_REQUEST_RECONNECT flag was
set to zero), then the server sets the SH_ACCEPT_RECONNECT flag
to zero in the SH_AUTH_OPTIONS field. A unique session identifier
(which must not equal PCT_SESSION_ID_NONE) is also placed in the
SH_SESSION_ID_DATA field; this value need not be cryptographically
random, but values should not be used repeatedly (a continually
increasing counter, for instance, would be sufficient). The server
then selects any choice with which it is compatible, from each
of the CH_CIPHER_LIST, CH_HASH_LIST and CH_EXCH_LIST lists supplied
in the CLIENT_HELLO message. (These values are returned to the
client in the SH_CIPHER_SPECS_DATA, SH_HASH_SPECS_DATA and SH_EXCH_SPECS_DATA
fields, respectively.) If no cipher type (respectively, hash type,
key exchange type) from the CH_CIPHER_LIST (respectively, CH_HASH_LIST,
CH_EXCH_LIST) is acceptable to the server, then a SPECS_MISMATCH
error occurs.
Alternate cipher and hash types from CH_CIPHER_LIST and CH_HASH_LIST, respectively, with which the server is compatible may be placed in the SH_ALT_CIPHER_LIST and SH_ALT_HASH_LIST lists (whose formats are identical to those of CH_CIPHER_LIST and CH_HASH_LIST, respectively); these lists can then be used by the client in determining whether pre-encrypted, pre-MAC'd data will be understandable to the server. (Filling these lists is optional for the server; an empty list simply means that the client has no assurance that the server supports any cipher or hash type other than the one selected for the session.) Finally, the SH_MSG_LIST list contains a list of those data message types from CH_MSG_LIST which the server also supports; the format of the two message type lists is identical.
The server also examines the CH_AUTH_OPTIONS flags
to select server authentication and key exchange options acceptable
to both (as indicated by the CH_AUTH_OPTIONS flags and the server's
own requirements/compatibilities), and to offer a set of acceptable
client authentication options. In particular, these must include
a server authentication type if any of the CH_DEMAND_AUTH flags
is set to one, at least one client authentication type if client
authentication is required by the server, and a key exchange direction
(or two) acceptable to both client and server, as indicated by
the CH_DEMAND_KEY_EXCH_SEND and CH_OFFER_KEY_EXCH_RECEIVE flags
and the server's own requirements. (The restrictions on password-based
authentication must also be obeyed; see section 5.1.2.). If no
such set of types is available that is acceptable to both client
and server, then a SPECS_MISMATCH error occurs. If at least one
such set of types is found, then the server sets the associated
flags in SH_AUTH_OPTIONS (at most one SH_ACCEDE_AUTH flag and
at least one SH_ACCEDE/ACCEPT_KEY_EXCH flag); these determine
the type of server authentication to be performed, if any, and
the direction of the key exchange(s), as well as the set of client
authentication options acceptable to the server. The type of the
key exchange(s) (they must both be of the same type, if there
are two) is selected by the server, nd indicated by the code in
the SH_EXCH_SPECS field.
If the server requires client authentication, then
the server also selects those choices from the CH_SIG_LIST, CH_CERT_LIST
and CH_CERTIFIER_LIST lists that are also acceptable CH_OFFER_CERTIFIER_TRYOUT
is set to one). These server-selected lists are placed in the
SH_SIG_LIST_DATA, SH_CERT_LIST_DATA and SH_CERTIFIER_LIST_DATA
fields, respectively; their format is identical to those of the
corresponding fields in the CLIENT_HELLO message. If the server
does not require client authentication, then the SH_SIG_LIST,
SH_CERT_LIST and SH_CERTIFIER_LIST fields are empty, and their
length is zero. The server may also, like the client, demand certificate-based
authentication but set the SH_OFFER_CERTIFIER_TRYOUT flag to one.
In this case, the server simply reserves the right to reject certificates
from unacceptable certifiers, and its list of acceptable ones
is not assumed exhaustive.
If the SH_ACCEDE_KEY_EXCH_RECEIVE flag is set to
one and the CH_QUICK_SERVER_CERT field is either empty or contains
an incorrect public value, then the SH_PUBLIC_VALUE_DATA field
contains a (possibly certified) key-exchange public key of a type
compatible with the chosen key exchange type specified in the
SH_EXCH_SPECS_DATA field. If, moreover, the SH_ACCEDE_AUTH_KEY_EXCH
flag is set to one, then the key-exchange public key is contained
in a certificate whose type and certifier are found in the CH_CERT_LIST
and CH_CERTIFIER_LIST lists, respectively (if CH_CERTIFIER_LIST
is non-empty). Otherwise, the public key is uncertified. The format
of the SH_PUBLIC_VALUE_DATA field is described in section 6.1.2.
If the SH_ACCEDE_KEY_EXCH_RECEIVE flag is set to zero, then the
SH_PUBLIC_VALUE_DATA field is empty, and its length is zero.
If the client sent an acceptable key-exchange public
key certificate in the CH_QUICK_PUBLIC_VALUE field of the CLIENT_HELLO
message, then the server responds with an RSA-encrypted master
key (or randomly chosen Diffie-Hellman/FORTEZZA KEA public value)
in the SH_QUICK_ENCRYPTED_KEY field of the SERVER_HELLO message.
(The format of this field is described in section 6.1.2.)
If the client sent an acceptable certified server
key-exchange public key and encrypted master key in the CH_QUICK_SERVER_CERT
and CH_QUICK_ENCRYPTED_KEY fields of the CLIENT_HELLO message,
and if the SH_ACCEPT_KEY_EXCH_SEND flag in the SH_AUTH_OPTIONS
field is set to zero, then the key exchange is completed, and
the server must place an authentication response, constructed
as described in section 7.2, in SH_RESPONSE_DATA if one of the
CH_DEMAND_AUTH flags is set to one. If the SH_ACCEDE_AUTH_SIG
flag is set to one, then the SH_SIG_CERT_DATA field contains a
certified digital signature public key acceptable to the client
(as indicated by the CH_SIG_LIST, CH_CERT_LIST and CH_CERTIFIER_LIST
lists), in the format of a PUBLIC_VALUE field of type PV_CERTIFICATE
(see section 6.1.2). If the SH_ACCEDE_AUTH_PASSWORD flag is set
to one, then an identity indicator (such as an account identifier
or, in the case of doubly certified Diffie-Hellman key exchange,
a certificate for the Diffie-Hellman public value supplied by
the server in the key exchange) is placed in the SH_SIG_CERT_DATA
field. Otherwise the SH_SIG_CERT_DATA field is empty, and its
length is zero.
When the client receives a SERVER_HELLO message,
it checks whether the server has accepted a reconnection of an
old session or is establishing a new session. If the session is
an old one, then the client establishes the new CLIENT_WRITE_KEY,
SERVER_WRITE_KEY, CLIENT_MAC_KEY and SERVER_MAC_KEY according
to the cipher-specific rules described in section 6.1.4. The client
then checks the contents of the RESPONSE_DATA field in the SERVER_HELLO
message for correctness. If the response exactly matches the value
calculated by the client (following the procedures in sections
7.1 and 7.2), then the handshake is finished, and the client proceeds
to the CLIENT_MASTER_KEY message, if necessary, or else begins
sending data; otherwise, a SERVER_AUTH_FAILED error occurs.
If a new session is being initiated, the client records
the chosen cipher, hash, key exchange and signature types, and
the lists of alternate cipher and hash types and supported data
message types. If certificate-based client authentication is required
the client checks the list of certificate types and certifiers
to see if it has a satisfactory certificate; lack of one results
in a SPECS_MISMATCH error. If an acceptable quick encrypted master
key was sent, the client decrypts the master key for use in obtaining
a MAC_KEY and WRITE_KEY for each transmission direction as described
in section 6.1.4. Finally, if a non-empty RESPONSE_DATA field
was included, thenthe client checks it for correctness. If it
exactly matches the value calculated by the client (following
the procedures in sections 7.1 and 7.2), then the client proceeds
to the CLIENT_MASTER_KEY handshake message (or, if the handshake
is completed, begins sending data); otherwise, a SERVER_AUTH_FAILED
error occurs.
5.2.3 CLIENT_MASTER_KEY
char CMK_ENCRYPTED_KEY_LENGTH[2]
char CMK_RESPONSE_LENGTH[2]
char CMK_SIG_CERT_LENGTH[4]
char CMK_PUBLIC_VALUE_LENGTH[4]
char CMK_ENCRYPTED_KEY_DATA[([0] << 8)|[1]]
char CMK_RESPONSE_DATA[([0] << 8)|[1]]
char CMK_SIG_CERT_DATA[([0] << 24)|([1] << 16)|([2] << 8)|[3]]
char CMK_PUBLIC_VALUE_DATA[([0] << 24)|([1]
<< 16)|([2] << 8)|[3]]
The client sends this message after receiving the
SERVER_HELLO message from the server if not all the key exchanges
and authentications (as indicated by the SH_AUTH_OPTIONS field)
have yet been completed.
If SH_ACCEPT_AUTH_SIG is set to one, and no other
client authentication option is both acceptable to the server
and preferred by the client, then CMK_SIG_CERT_DATA contains a
certified digital signature public key acceptable to the server
(as indicated by the (SH_CERT_LIST, SH_CERTIFIER_LIST and SH_SIG_LIST
lists), in the form of a PUBLIC_VALUE field of type PV_CERTIFICATE
(see section 6.1.2). If SH_ACCEPT_AUTH_PASSWORD is set to one,
then CMK_SIG_CERT_DATA contains an identity indicator (such as
an account identifier, or, in the case of doubly certified Diffie-Hellman
key exchange, a certificate for the Diffie-Hellman public value
supplied by the server in the key exchange). Otherwise the CMK_SIG_CERT_DATA
field is empty, and its length is zero.
If SH_ACCEPT_KEY_EXCH_SEND is set to one, and an
acceptable encrypted master key has not already been sent in the
SH_QUICK_ENCRYPTED_KEY field of the SERVER_HELLO message, then
CMK_PUBLIC_VALUE_DATA contains an RSA key exchange public key
or Diffie-Hellman/FORTEZZA KEA public value. If SH_ACCEPT_AUTH_KEY_EXCH
is set to one, and no other client authentication option is both
acceptable to the server and preferred by the client, then this
public value is contained in a certificate acceptable to the server
(as indicated by the SH_EXCH_SPECS_DATA field and the SH_CERT_LIST
and SH_CERTIFIER_LIST lists); otherwise, the value is uncertified.
If the SH_ACCEPT_KEY_EXCH_SEND flag is set to zero, or if an acceptable
encrypted master key was sent in the SERVER_HELLO message, then
CMK_PUBLIC_VALUE_DATA is empty.
If SH_ACCEDE_KEY_EXCH_RECEIVE is set to one, and
if SH_PUBLIC_VALUE_DATA was not empty (indicating that the contents
of the CH_QUICK_ENCRYPTED_KEY field in the CLIENT_HELLO message
were either absent or not acceptable), then CMK_ENCRYPTED_KEY
contains an RSA-encrypted master key (or randomly chosen Diffie-Hellman/FORTEZZA
KEA public value); see section 6.1.2. If SH_ACCEDE_KEY_EXCH_RECEIVE
is set to one, or if SH_PUBLIC_VALUE_DATA is empty, then CMK_ENCRYPTED_KEY
is empty, with length zero.
If all key exchanges are completed by the sending
of the CLIENT_MASTER_KEY message, and if one of the SH_ACCEPT_AUTH
flags is set to one, then the contents of the CMK_RESPONSE field
are as described in section 7.2; otherwise, this field is empty,
and its length is zero.
Upon receiving a CLIENT_MASTER_KEY message, the server
verifies the certificates and/or authentication response, if they
are required; errors in any of these result in a BAD_CERTIFICATE
or CLIENT_AUTH_FAILED error, respectively. If an encrypted master
key was sent, the server decrypts the master key for use in obtaining
a MAC_KEY and WRITE_KEY for each transmission direction as described
in section 6.1.4. The server then proceeds to the SERVER_VERIFY
message, if necessary, or else begins transmitting data.
5.2.4 SERVER_VERIFY
char SV_ENCRYPTED_KEY_LENGTH[2]
char SV_RESPONSE_LENGTH[2]
char SV_SIG_CERT_LENGTH[4]
char SV_ENCRYPTED_KEY_DATA[([0] << 8)|[1]]
char SV_RESPONSE_DATA[([0] << 8)|[1]]
char SV_SIG_CERT_DATA[([0] << 24)|([1] <<
16)|([2] << 8)|[3]]
The server sends this message upon receiving a valid
CLIENT_MASTER_KEY message from the client, if not all key exchanges
and authentications have been completed.
If SH_SIG_CERT_DATA was empty, and either SH_ACCEDE_AUTH_SIG
or SH_ACCEDE_AUTH_PASSWORD is set to one, then the SV_SIG_CERT_DATA
field must not be empty. If SH_ACCEDE_AUTH_SIG is set to one,
then SV_SIG_CERT_DATA must contains a certified digital signature
public key acceptable to the client (as indicated by the (CH_SIG_LIST,
CH_CERT_LIST and CH_CERTIFIER_LIST lists), in the form of a PUBLIC_VALUE
field of type PV_CERTIFICATE (see section 6.1.2). If SH_ACCEPT_AUTH_PASSWORD
is set to one, then SV_SIG_CERT_DATA contains an identity indicator
(such as an account identifier, or, in the case of doubly certified
Diffie-Hellman key exchange, a certificate for the Diffie-Hellman
public value supplied by the server in the key exchange). Otherwise
the SV_SIG_CERT_DATA field is empty, and its length is zero.
If SH_ACCEPT_KEY_EXCH_SEND is set to one, and if
CMK_PUBLIC_VALUE_DATA was not empty (indicating that the contents
of the SH_QUICK_ENCRYPTED_KEY field in the SERVER_HELLO message
were either absent or not acceptable), then SV_ENCRYPTED_KEY contains
an RSA-encrypted master key (or randomly chosen Diffie-Hellman/FORTEZZA
KEA public value). The format of this field is described in section
6.1.2. If SH_ACCEPT_KEY_EXCH_SEND is set to one, or if CMK_PUBLIC_VALUE
is empty, then SV_ENCRYPTED_KEY is empty, with length zero.
If one of the SH_ACCEPT_AUTH flags is set to one,
then the contents of the SV_RESPONSE field are as described in
section 7.2; otherwise, this field is empty, and its length is
zero.
Upon receiving the SERVER_VERIFY message, the client
verifies the certificates and/or authentication response, if they
are required; errors in any of these result in a BAD_CERTIFICATE
or SERVER_AUTH_FAILED error, respectively. If an encrypted master
key was sent, the client decrypts the master key for use in obtaining
a MAC_KEY and WRITE_KEY for each transmission direction as described
in section 6.1.4. The client then proceeds to the CLIENT_VERIFY
message, if necessary, or else begins transmitting data.
5.2.5 CLIENT_VERIFY
char CV_RESPONSE_LENGTH[2]
char CV_SIG_CERT_LENGTH[4]
char CV_RESPONSE_DATA[([0] << 8)|[1]]
char CV_SIG_CERT_DATA[([0] << 24)|([1] <<
16)|([2] << 8)|[3]]
The client sends this message upon receiving a valid
SERVER_VERIFY message from the client, if client authentication
has not been completed. This message is never necessary unless
SH_ACCEPT_KEY_EXCH_SEND was set to one.
If either SH_ACCEDE_AUTH_SIG or SH_ACCEDE_AUTH_PASSWORD
is set to one, then the CV_SIG_CERT_DATA field must not be empty.
If SH_ACCEDE_AUTH_SIG is set to one, then CV_SIG_CERT_DATA must
contain a certified digital signature public key acceptable to
the server (as indicated by the (SH_SIG_LIST, SH_CERT_LIST and
SH_CERTIFIER_LIST lists), in the form of a PUBLIC_VALUE field
of type PV_CERTIFICATE (see section 6.1.2). If SH_ACCEPT_AUTH_PASSWORD
is set to one, then CV_SIG_CERT_DATA contains an identity indicator
(such as an account identifier, or, in the case of doubly certified
Diffie-Hellman key exchange, a certificate for the Diffie-Hellman
public value supplied by the server in the key exchange). Otherwise
the CV_SIG_CERT_DATA field is empty, and its length is zero. The
contents of the CV_RESPONSE field are as described in section
7.2.
Upon receiving the CLIENT_VERIFY message, the server
verifies the certificate, if required, and the authentication
response; errors in either of these result in a BAD_CERTIFICATE
or CLIENT_AUTH_FAILED rror, respectively. The server may then
begin transmitting data.
6. Algorithm and Certificate Types
6.1 Key exchange algorithms
6.1.1 Key exchange algorithm types
PCT version 2 permits the following key exchange
types:
PCT_EXCH_RSA_PKCS1
PCT_EXCH_RSA_PKCS1_TOKEN_DES
PCT_EXCH_RSA_PKCS1_TOKEN_DES3
PCT_EXCH_RSA_PKCS1_TOKEN_RC2
PCT_EXCH_RSA_PKCS1_TOKEN_RC4
PCT_EXCH_DH_PKCS3
PCT_EXCH_DH_PKCS3_TOKEN_DES
PCT_EXCH_DH_PKCS3_TOKEN_DES3
PCT_EXCH_FORTEZZA_TOKEN
Note that the token-based key exchange types (those
types whose labels contain the word TOKEN) specify cipher as well
(including, implicitly, the FORTEZZA KEA key exchange type); if
one of these is chosen, then its choice of cipher overrides whatever
choice of cipher appears in the SH_CIPHER_SPECS_DATA field of
the SERVER_HELLO message.
These key exchanges may use the (QUICK_)PUBLIC_VALUE
field in any handshake message, as well as the (QUICK_)ENCRYPTED_KEY
field in the subsequent handshake message. The (first) public
value sent is said to be sent by (or previously obtained from)
the "receiver", and the second value by the "sender".
If the sender is the client, then the key exchange is said to
be "server-directed"; if the sender is the server, then
it is said to be "client-directed".
6.1.2 Key exchange field formats
The format of the (QUICK_)PUBLIC_VALUE field in any
handshake message in which it appears is as follows:
char PV_PUBLIC_VALUE_TYPE[2]
char PV_USER_INFO_LENGTH[4]
char PV_PARAMETER_1_LENGTH[2]
char PV_PARAMETER_2_LENGTH[2]
char PV_USER_INFO_DATA[([0] << 24)|([1] << 16)|([2] << 8)|[3]]
char PV_PARAMETER_1_DATA[([0] << 8)|[1]]
char PV_PARAMETER_2_DATA[([0] << 8)|[1]]
There are five permissible values for PUBLIC_VALUE_TYPE.
If PV_TYPE_CERTIFICATE is specified, then a certificate of a type
acceptable to the key exchange sender (as indicated by the CH_CERT_LIST
in the CLIENT_HELLO message, or the SH_CERT_LIST list, in the
SERVER_HELLO message, as appropriate) appears in the PV_USER_INFO
field, and both PV_PARAMETER fields are empty, with length zero.
(The PV_PARAMETER_1_LENGTH field contains the two-byte certificate
type code identifying the type of the certificate sent; this field
is not, however, interpreted as the length of the PV_PARAMETER_1_LENGTH
field, which is still empty; see section 6.4.) If PV_TYPE_PKCS_TOKEN
is specified, then the PV_USER_INFO field contains a PKCS-format
public key of the type (RSA or Diffie-Hellman) indicated by the
SH_EXCH_SPECS field in the SERVER_HELLO message. If PV_TYPE_KEA
is specified, then the PV_USER_INFO field contains a KEA public
value exactly as generated by the FORTEZZA token, and both PV_PARAMETER
fields are empty, with length zero. If PV_TYPE_EPHEMERAL_RSA is
specified, then PV_USER_INFO contains the RSA modulus from the
RSA public value being sent; PV_PARAMETER_1 contains the associated
RSA exponent; and PV_PARAMETER_2 is empty, with length zero. If
PV_TYPE_EPHEMERAL_DH is specified, then PV_USER_INFO contains
the actual Diffie-Hellman public value; PV_PARAMETER_1 contains
the generator used to construct it; and PV_PARAMETER_2 contains
the prime modulus used to construct it. For both EPHEMERAL public
value types, the values in all fields are represented with the
most significant byte first, and in descending order, with the
least significant byte last.
The (QUICK_)ENCRYPTED_KEY_DATA field in any handshake
message in which it appears has the following format:
char EK_ENCRYPTED_KEY_1_LENGTH[2]
char EK_ENCRYPTED_KEY_2_LENGTH[2]
char EK_ENCRYPTED_KEY_3_LENGTH[2]
char EK_KEY_ARG_LENGTH[2]
char EK_ENCRYPTED_KEY_1_DATA[([0] << 8)|[1]]
char EK_ENCRYPTED_KEY_2_DATA[([0] << 8)|[1]]
char EK_ENCRYPTED_KEY_3_DATA[([0] << 8)|[1]]
char EK_KEY_ARG_DATA[([0] << 8)|[1]]
Details of the use of these subfields is described
below.
6.1.3 Master key exchange
For the PCT_EXCH_RSA_PKCS1 key exchange type, a MASTER_KEY
value is generated by the sender, which should be random in the
following strong sense: attackers must not be able to predict
any of the bits in the MASTER_KEY. It is recommended that the
bits used be either truly random and uniformly generated (using
some random physical process) or else generated using a cryptographically
secure pseudorandom number generator, which was in turn seeded
with a truly random and uniformly generated seed. This MASTER_KEY
value is encrypted using the receiver's (possibly certified) public
encryption key, as obtained from the (QUICK_)PUBLIC_VALUE_DATA
field of some handshake message (or possibly some time earlier,
if the key is certified). The encryption must follow the RSA PKCS#1
standard format (see [3]), block type 2. This encryption is sent
to the server in the EK_ENCRYPTED_KEY_1_DATA subfield in the (QUICK_)ENCRYPTED_KEY_DATA
field of the handshake message following the one containing the
public value used (or the sender's first handshake message, if
the public key was obtained at an earlier time). The encrypted
key is decrypted by the receiver to obtain the MASTER_KEY. If
two key exchanges of this type are performed (one in each direction),
then the MASTER_KEY value is simply the concatenation of the two
values, in the order in which they were sent. Use of the ENCRYPTED_KEY_2_DATA
subfield is described in section 6.1.5; the ENCRYPTED_KEY_3_DATA
subfield is left empty, with length zero.
For the PCT_EXCH_DH_PKCS3 key exchange type, a random
private value x (generated in the same way as the MASTER_KEY above)
and corresponding public value y are generated by the sender following
RSA PKCS#3 standard format (see [4]). The value y is then sent
to the receiver in the EK_ENCRYPTED_KEY_1_DATA subfield of the
(QUICK_)ENCRYPTED_KEY_DATA field of some handshake message. The
sender's private value x, along with the (possibly certified)
public value y' included in the (QUICK_)PUBLIC_VALUE_DATA field
of the previous handshake message (or possibly obtained earlier),
is used to generate the MASTER_KEY. The receiver uses its private
value, x', along with the y value sent by the sender, to obtain
the same MASTER_KEY value. If two key exchanges of this type are
performed (one in each direction), then the MASTER_KEY is simply
the concatenation of the two values, in the order in which they
were sent. Use of the ENCRYPTED_KEY_2_DATA subfield is described
in section 6.1.5; the ENCRYPTED_KEY_3_DATA subfield is left empty,
with length zero.
For the various TOKEN key exchange types, an encrypted
CLIENT_WRITE_KEY is contained in the ENCRYPTED_KEY_1_DATA subfield,
and an encrypted SERVER_WRITE_KEY is contained in the ENCRYPTED_KEY_2_DATA
subfield of the (QUICK_)ENCRYPTED_KEY field. The format of the
data is defined by the token implementation. For example, in the
case of FORTEZZA tokens, the ENCRYPTED_KEY_1_DATA subfield (like
the (QUICK_)PUBLIC_VALUE field sent before it, or obtained earlier),
contains a KEA public value generated by the token for key exchange.
The result is a CLIENT_WRITE_KEY shared by sender and receiver,
which is used, along with the initialization vector in the accompanying
EK_KEY_ARG_DATA field, if needed (see section 6.1.5), to encrypt
the SERVER_WRITE_KEY sent in the ENCRYPTED_KEY_2_DATA subfield.
In all token types, this shared encryption key is used to encrypt
a 128-bit MASTER_KEY value for MAC_KEY derivation (as described
below). This MASTER_KEY is sent in the EK_ENCYRYPTED_KEY_3_DATA
field of the ENCRYPTED_KEY_DATA subfield accompanying the encryption
key material, and uses the initialization vector in the accompanying
EK_KEY_ARG_DATA field, if needed (see section 6.1.5).
The length of the MASTER_KEY depends on the key exchange
type, and on how many key exchanges were performed. It is 128
bits if one RSA key exchange was performed, and 256 bits if two
exchanges were performed and the results concatenated. For Diffie-Hellman
key exchange, it is the length of the receiver's public value
if one key exchange was performed, and the sum of the lengths
of each receiver's public value if two key exchanges were performed.
For token-based key exchange types, the MASTER_KEY (which is only
relevant for MAC derivation) is 128 bits long.
6.1.4 Key derivation
The CLIENT_WRITE_KEY_SEED and SERVER_WRITE_KEY_SEED
are used (for non-token key exchange types) to compute the CLIENT_WRITE_KEY
and SERVER_WRITE_KEY, respectively. They are computed as follows:
CLIENT_WRITE_KEY_SEED_i = Hash( i, "cw", MASTER_KEY, "cw"^i,
SH_CONNECTION_ID_DATA, "cw"^i, SH_SESSION_ID_DATA,"cw"^i,
CH_CHALLENGE_DATA, "cw"^i )
SERVER_WRITE_KEY_SEED_i = Hash( i, "svw", MASTER_KEY, "svw"^i,
SH_CONNECTION_ID_DATA, "svw"^i, CH_CHALLENGE_DATA,
"svw"^i )
The function "Hash" is the one determined
by the value of SH_HASH_SPECS_DATA (see section 5.2.2). The value
of i ranges from 1 to m, where m is the negotiated encryption
key length (the value in the third byte of the SH_CIPHER_SPECS_DATA
field) divided by the hash output length, in bits, rounded up
to the nearest integer. This resulting string is then truncated
if necessary to produce a string of the correct length.
When a token key exchange type is used, no WRITE_KEY_SEED
values are computed, and the client and server WRITE_KEY values
are defined by the specific key exchange method for the token.
For example, the encryption keys exchanged in the KEA key exchange
process described in section 6.1.3 become the CLIENT_WRITE_KEY
and SERVER_WRITE_KEY for the session.
The CLIENT_MAC_KEY_SEED and SERVER_MAC_KEY_SEED are
always computed as follows:
CLIENT_MAC_KEY_SEED_i = Hash( i, MASTER_KEY, "cmac"^i,
SH_CONNECTION_ID_DATA, "cmac"^i, SH_SESSION_ID_DATA, "cmac"^i,
CH_CHALLENGE_DATA, "cmac"^i )
SERVER_MAC_KEY_SEED_i = Hash( i, MASTER_KEY, "svmac"^i,
SH_CONNECTION_ID_DATA, "svmac"^i, CH_CHALLENGE_DATA,
"svmac"^i )
The function "Hash" is the one determined by the value of SH_HASH_SPECS_DATA (see section 5.2.2). The value of i ranges from 1 through m, where m is the negotiated MAC key length (64 plus the value in the fourth byte of the SH_CIPHER_SPECS_DATA field) divided by the hash output length, in bits, rounded up to the nearest integer. The resulting string is then truncated if necessary to produce a string (CLIENT_MAC_KEY_SEED or SERVER_MAC_KEY_SEED) of the correct MAC_KEY length. This string is then padded, by repeatedly appending the byte PCT_MAC_KEY_PAD_BYTE , until it is the standard key length for the hash function used in MAC computation (each hash function has an associated standard MAC key length; see section 6.3). This final result is the MAC_KEY (CLIENT_MAC_KEY or SERVER_MAC_KEY).
Note that tokens which are capable of deriving keys
using "keyed hashes", as described above, are free to
use the PCT_EXCH_RSA_PKCS1 or PCT_EXCH_DH_PKCS3 key exchange type
to exchange the MASTER_KEY, and then to derive the rest of the
keys normally. The TOKEN key exchange types are for tokens that
cannot do such keyed-hash key derivation, and can only use an
exchanged key for bulk encryption (of, for example, the MASTER_KEY
value used for MAC_KEY derivation). Such tokens can exchange multiple
keys by using an initially exchanged encryption key to encrypt
other keys, as described above.
Key derivation for datagram records is somewhat different
from normal key derivation. In a datagram record, the necessary
key information is contained in the DG_ENCRYPTED_KEY field at
the beginning of a datagram record. Its ENCRYPTED_KEY_1_DATA subfield
contains a 16-byte random value, which should be cryptographically
random in the same sense as the MASTER_KEY (see section 6.1.3).
This value is used to generate the new WRITE_KEY (in the case
of non-token key exchange types) and the MAC_KEY for the datagram.
These are generated by computing a temporary MASTER_KEY as follows:
TEMP_MASTER_KEY_i = Hash( i, MASTER_KEY, "tmk"^i,
ENCRYPTED_KEY_1_DATA )
The function "Hash" is the one determined
by the value of SH_HASH_SPECS_DATA in the most recent SERVER_HELLO
handshake message for this connection (see section 5.2.2). The
value of i ranges from 1 through m, where m is 128 divided by
the hash output length, in bits, rounded up to the nearest integer.
The resulting concatenated string is then truncated if necessary
to produce a 128-bit string. The new WRITE_KEYs (in the case of
non-token key exchange types) and new MAC_KEYs are then computed
normally, except that MASTER_KEY is replaced with TEMP_MASTER_KEY.
If the current keys were generated using a token-type
key exchange, then the DG_ENCRYPTED_KEY_2_DATA subfield contains
the key information necessary to decrypt the datagram, encrypted
in a manner that the token can decrypt. (Note that the token type
must support this type of context-independent encryption of keys;
otherwise, this type of key management message is not permitted.)
For example, when FORTEZZA tokens are used, the DG_ENCRYPTED_KEY_2_DATA
subfield contains the WRITE_KEY encrypted, as a key, using the
current WRITE_KEY.
The DG_KEY_ARG_DATA subfield contains an arbitrary
initialization vector, whose use is also explained in section
6.1.5, if a block cipher is being used; otherwise, the field is
empty, and its length is zero.
6.1.5 Key expansion and cipher use
Every cipher has an associated standard key length
(see section 6.2). When a non-token key exchange type has been
used, and encryption keys of standard length for the specified
cipher have been specified in the SH_CIPHER_SPECS field, then
the values of CLIENT_WRITE_KEY and SERVER_WRITE_KEY are simply
CLIENT_WRITE_KEY_SEED and SERVER_WRITE_KEY_SEED, respectively,
and the ENCRYPTED_KEY_2_DATA subfield accompanying the encrypted
master key(s) is empty. Otherwise, the EK_ENCRYPTED_KEY_2_DATA
subfield(s) accompanying the encrypted master key(s) in the key
exchange(s) contain(s) random "salt" for encryption
key derivation. (The salt should be cryptographically random in
the same sense as the MASTER_KEY; see section 6.1.3.) If only
one key exchange occurred, then the salt data used (which we will
call CLEAR_KEY_DATA) is just the value in the ENCRYPTED_KEY_2_DATA
subfield accompanying the encrypted master key; if two key exchanges
are used, then both EK_ENCRYPTED_KEY_2_DATA fields accompanying
the encrypted master keys contain this random data, and CLEAR_KEY_DATA
is their concatenation, in the order in which they were sent.
When a key length is specified which is less than the standard
key length for the specified cipher, then keys of the specified
length are derived normally as described in section 6.1.4, and
then "expanded" to derive standard-length keys. The
expansion proceeds as follows:
1. Assign to d the result of dividing the standard
key length for the cipher, in bits, by the output length of the
hash function, in bits, rounded up to the nearest integer.
2. Divide CLEAR_KEY_DATA sequentially into d equal
subsegments. (Note that the length of the CLEAR_KEY_DATA field
must therefore be a multiple of d bytes, and that no two of its
d equal parts, when so divided, may be identical.) Denote these
subsegments CLEAR_KEY_DATA_1 through CLEAR_KEY_DATA_d.
3. Compute the d hash values
WRITE_KEY_i := Hash( i, "sl"^i, WRITE_KEY_SEED,
"sl"^i, CLEAR_KEY_DATA_i ).
The function "Hash" is the one determined
by the value of SH_HASH_SPECS_DATA. The WRITE_KEY_SEED is the
encryption key seed value (CLIENT_WRITE_KEY_SEED or SERVER_WRITE_KEY_SEED)
being expanded to standard length.
4. Concatenate WRITE_KEY_1 through WRITE_LENGTH_KEY_d,
and then truncate as necessary to produce the WRITE_KEY which
is actually used for encryption.
The EK_KEY_ARG_DATA subfield accompanying the (last)
encrypted master key contains a random eight-byte value to be
used as an initialization vector (IV) for the first encrypted
message when a block cipher (any cipher except RC4) is used. The
IV for the first block encrypted in any subsequent encrypted message
is simply the last encrypted block of the previous message. The
EK_KEY_ARG_DATA subfield is empty when cipher type PCT_CIPHER_RC4
(or key exchange type PCT_EXCH_RSA_PKCS1_TOKEN_RC4) is used.
The use of a block cipher also may cause the data
length to increase during encryption, because the ciphertext produced
by block ciphers must always be an integer multiple of the cipher's
block size. Hence when a block cipher is used, the length of the
(fully or partially) encrypted record must be computed from the
RH_RECORD_LENGTH value in the record header. ENCRYPTED_LENGTH,
the length of the encrypted portion of a record, is computed as
the smallest multiple of the cipher's block size that is at least
ACTUAL_LENGTH, where ACTUAL_LENGTH, the length of the encrypted
data before encryption, is computed as RH_RECORD_LENGTH minus
the lengths of the unencrypted portions of the record body (RH_RECORD_LENGTH
- MAC_LENGTH - DG_ENCRYPTED_KEY_LENGTH - 4 in the case of a datagram
record, and RH_RECORD_LENGTH - MAC_LENGTH - 2 in the case of other
encrypted record types). If a block cipher is not used for encryption,
then the length of the encrypted data is unchanged by encryption,
and the length of the record body is therefore simply RH_RECORD_LENGTH.
Otherwise, the length of the entire encrypted record body is ENCRYPTED_LENGTH
+ DG_MAC_LENGTH + DG_ENCRYPTED_KEY_LENGTH + 2 in the case of datagram
records, and ENCRYPTED_LENGTH + MAC_LENGTH for other encrypted
record types.
6.2 Cipher Types
PCT version 2 permits the following cipher types
to be specified:
PCT_CIPHER_DES
PCT_CIPHER_IDEA
PCT_CIPHER_RC2
PCT_CIPHER_RC4
PCT_CIPHER_DES_112
PCT_CIPHER_DES_168
Each of these types is denoted by a two-byte code,
and is followed in CIPHER_SPECS_DATA fields by two one-byte length
specifications, as described in section 5.2.1. An encryption length
specification of zero associated with any cipher denotes the choice
of no encryption; a key exchange is performed in such cases solely
to share keys for MAC computation.
PCT_CIPHER_DES denotes DES (see [5]). Its standard
key length is 56 bits. PCT_CIPHER_DES_112 and PCT_CIPHER_DES_168
denote ciphers in which the input is first encrypted under DES
with a first key, then "decrypted" under DES with a
second key, then encrypted under DES with a third key. For PCT_CIPHER_DES_112,
the first and third keys are identical, and correspond to the
initial 56 bits of the 112-bit WRITE_KEY. The second key corresponds
to the final 56 bits of the WRITE_KEY. For PCT_CIPHER_DES_168,
the three keys are distinct, and correspond to the first, second,
and third 56-bit subsegments of the WRITE_KEY. All three of these
DES-based cipher types have 64-bit data blocks and are used with
cipher block chaining (CBC).
The standard key lengths for PCT_CIPHER_DES_112 and
PCT_CIPHER_DES_168 are 112 bits and 168 bits,
respectively. If a key length less than the
standard length is specified for one of these ciphers (or for
PCT_CIPHER_DES), then the WRITE_KEY_SEED is calculated,
then expanded to the standard length as described above.
Note that before use, each 56-bit DES key must be
"adjusted" to add eight parity bits
to form an eight-byte DES key (see [5]). Similarly, if
the specified WRITE_KEY length is less than its corresponding
standard length, then each WRITE_KEY_SEED is expanded
to the standard length using CLEAR_KEY_DATA
as described above, to produce one, two, or
three keys of 56 bits each, which are then each "adjusted"
by adding parity bits to form an eight-byte
key.
PCT_CIPHER_IDEA denotes the IDEA block cipher (see
[6]), with 64-bit data blocks and cipher block
chaining. This cipher has a standard key length
of 128 bits.
PCT_CIPHER_RC2 denotes the RC2 block cipher, with
64-bit blocks and cipher block chaining. Like
IDEA, this cipher has a standard key length
of 128 bits.
PCT_CIPHER_RC4 denotes the RC4 stream cipher. Like
the IDEA and RC2 block ciphers, this cipher
has a standard key length of 128 bits.
6.3 Hash Types
PCT version 2 permits the following hash function
types to be specified:
PCT_HASH_MD5
PCT_HASH_MD5_TRUNC_64
PCT_HASH_SHA
PCT_HASH_SHA_TRUNC_80
The "truncated" hash types (PCT_HASH_MD5_TRUNC_64
and PCT_HASH_SHA_TRUNC_80) are identical to their non-truncated
versions (PCT_HASH_MD5 and PCT_HASH_SHA, respectively),
with the following exception: when used in
the second ("outer") iteration of a MAC or
authentication response, their output is truncated to half its
normal length. (Hence the resulting MAC or authentication response
is also only half the normal length of the hash function's output.)
PCT_HASH_MD5 denotes the MD5 hash function (see [7]),
with 128-bit output. (Hence PCT_HASH_MD5_TRUNC_64 has 64-bit output
in the cases described above.) PCT_HASH_SHA
denotes the Secure Hash Algorithm (see [8]), with 160-bit output.
(Hence PCT_HASH_SHA_TRUNC_80 has 80-bit output
in the cases described above.) The standard MAC key length
for all of the above hash functions is 512 bits.
6.4 Certificate Types
PCT version 2 permits the following certificate types
to be specified:
PCT_CERT_X509
PCT_CERT_PKCS7
PCT_CERT_PRIVATE
THese types apply equally to the client's and server's
certificates. PCT_CERT_X509 denotes a CCITT X.509 standard-conformant
certificate (see [10]). PCT_CERT_PKCS7 denotes an RSA PKCS#7 standard-conformant
certificate (see [11]). PCT_CERT_PRIVATE denotes a private format
understood by both the client and server; for instance, it may
refer to an account identifier using which a certificate lookup
can be performed on some agreed-upon certificate database.
6.5 Signature Types
PCT version 2 permits the following signature key
types to be specified:
PCT_SIG_RSA_MD5
PCT_SIG_RSA_SHA
PCT_SIG_DSA_SHA
PCT_SIG_RSA_MD5 denotes the signature scheme consisting
of hashing the data to be signed using the MD5 hash algorithm,
and then performing an RSA private-key signature function (the
inverse of RSA encryption) on the result. The signature must conform
to RSA PKCS#1, block type 1 (see [3]). PCT_SIG_RSA_SHA denotes
the same signature scheme with SHA substituted for MD5. PCT_SIG_DSA_SHA
denotes the signature scheme consisting of hashing the data to
be signed using the SHA hash algorithm, then computing a signature
of the resulting value using the Digital Signature Algorithm (DSA;
see [12]).
7. Response and verification formats
7.1 Prelude verification
In order to guard against alteration of handshake
messages before the master key has been exchanged (and MACs therefore
made possible), a "prelude verification" is incorporated
into every authentication response. Basically, the prelude verification
is a cryptographic hash of all handshake messages up to and including
the one in which the first authentication response is included
(with the response field itself omitted).
Whichever message contains it, the prelude verification
value is computed as:
VERIFY_PRELUDE_DATA = Hash( "vpd", CLIENT_HELLO,
SERVER_HELLO , CLIENT_MASTER_KEY, SERVER_VERIFY, CLIENT_VERIFY
) ).
For the purposes of this computation, the handshake
messages are assumed to contain their associated message headers
(i.e., their HS_MSG_TYPE and HS_RECORD_FLAGS fields) and record
headers. Also, the message in which the first non-empty RESPONSE_DATA
field is sent is assumed for this computation not to include its
RESPONSE_DATA field (although its correct length is included),
and subsequent messages in the handshake are assumed to be empty,
zero-length values.
The hash function used is the one specified in SH_HASH_SPECS_DATA.
Note that the client and server need only keep a "running
hash" of all the values passed in each handshake message
as they appear, terminating at the appropriate point to compute
the value of VERIFY_PRELUDE_DATA.
7.2 Authentication responses
The format of an authentication response depends
on the type of authentication required. Because each type of authentication
response may be sent in one of several possible handshake messages
(and by either party), the formats are described separately here,
and apply wherever the authentication response (RESPONSE_DATA)
field is non-empty.
In the case of key exchange-based authentication,
the contents of the RESPONSE_DATA field are computed as follows:
RESPONSE_DATA = Hash( MAC_KEY, Hash( "ke",
VERIFY_PRELUDE_DATA ) ).
In the case of digital signature-based authentication,
the contents of the RESPONSE_DATA field are computed as follows:
RESPONSE_DATA = Signature( VERIFY_PRELUDE_DATA ).
In the case of private "password"-based
authentication, the contents of the RESPONSE_DATA field are computed
as follows:
RESPONSE_DATA = Hash( MAC_KEY, Hash( "ppw",
IDENTITY, PASSWORD, VERIFY_PRELUDE_DATA ) ).
Finally, in the case of authentication of a reconnection
of a previously established session, the contents of the RESPONSE_DATA
field are computed as follows:
RESPONSE_DATA = Hash( MAC_KEY, Hash( "recon",
VERIFY_PRELUDE_DATA ) ).
The computation of the VERIFY_PRELUDE_DATA value
is described in section 7.1. The MAC_KEY is the CLIENT_MAC_KEY
if the field is in the CLIENT_MASTER_KEY or CLIENT_VERIFY message,
and SERVER_MAC_KEY if the field is in the SERVER_HELLO or SERVER_VERIFY
message. (The origin of these MAC keys is described in section
6.1.4.) The hash function choice used is determined by the SH_HASH_SPECS_DATA
field in this SERVER_HELLO message.
When a digital signature is used, the signature algorithm
is determined by the type of signature public key found in the
certificate passed in the SIG_CERT_DATA field accompanying the
RESPONSE_DATA field. (Note that the signature algorithm may itself
require that a hash function be applied to the data being signed,
apart from the one used to compute the value in VERIFY_PRELUDE_DATA.)
When a private password is used, IDENTITY is the
identity of the client or server being authenticated (the contents
of the SIG_CERT_DATA field accompanying the response), and PASSWORD
is the shared private key used in the authentication. (Note that
the same shared password can in principle be used to authenticate
either the client to the server or vice versa, although not both
simultaneously.) In the case of a doubly certified Diffie-Hellman
key exchange, the password is simply the response sender's MAC
key generated as a result of the key exchange; it is considered
equivalent to a password because it does not change from connection
to connection or from session to session.
7.3 Message Authentication Codes
All PCT version 2 records which are encrypted also
include a message authentication code (MAC). This value allows
the receiver to verify that the record containing it has originated
with the correct party, and has not been inserted or tampered
with by someone else in transit.
The basic PCT MAC is in the form of a keyed hash
of the encrypted data; that is, a MAC function based on a cryptographic
hash function is computed on the encrypted data and the sender's
MAC key. (The derivation of MAC keys is described in section 6.1.)
The cryptographic hash function used is determined by the code
contained in the SH_HASH_SPECS_DATA field in the most recent SERVER_HELLO
message sent during a successful handshake phase this session.
A list of cryptographic hash functions permitted in PCT version
2, and their associated codes and output lengths, is given in
section 6.3. The MAC is placed in the MAC_DATA field of the record
in which it is found; its length (MAC_LENGTH) is the output length
of the hash function used.
The MAC value is computed differently for datagram
records and for other records. In datagram records, the MAC is
computed as follows:
DG_MAC_DATA = Hash( MAC_KEY, Hash( RECORD_HEADER_DATA,
DG_ENCRYPTED_KEY_LENGTH, DG_ENCRYPTED_KEY_DATA, DG_ENCRYPTED_DATA
) )
If the client is sending the record, then the MAC_KEY
is the CLIENT_MAC_KEY; if the server is sending the record, then
the MAC_KEY is the SERVER_MAC_KEY. (The derivation of these keys
is described in section 6.1.) RECORD_HEADER_DATA contains the
four-byte contents of the datagram record's record header, as
described in section 4.2.1.
For other records containing MACs, the MAC is computed
as follows:
DT_MAC_DATA = Hash( MAC_KEY, Hash( DATA_TYPE, RECORD_HEADER_DATA,
DT_ENCRYPTED_DATA, SEQUENCE_NUMBER ) )
If the client is sending the record, then the MAC_KEY
is the CLIENT_MAC_KEY; if the server is sending the record, then
the MAC_KEY is the SERVER_MAC_KEY. (The details of the derivation
of these keys are given in section 6.1.4.) The value of DATA_TYPE
is either the empty string, or the four-byte ASCII string "pecd"
if the record contains pre-encrypted data (see section 4.4.1).
RECORD_HEADER_DATA contains the four-byte contents of the record
header described in section 4.2.1.
SEQUENCE_NUMBER is the value (represented in network
byte order, or "big endian" order) of a counter which
is incremented by both the sender and the receiver. For each transmission
direction, a pair of counters is kept (one by the sender, one
by the receiver). Before the first (handshake) record is sent
or received in a PCT connection all sequence number counters are
initialized to zero (except in the case of a restarting connection
with a token-based exchange type, in which case the entire cipher
state is preserved; see section 5.2.2). The sender's sender-to-receiver
sequence number is incremented after every record sent, and the
receiver's sender-to-receiver sequence number is incremented after
every record received. (Note that this increment occurs regardless
of whether or not a record is, or has, a continuation record.)
Sequence number counters are 32-bit unsigned quantities, and may
not increment past 0xFFFFFFFF. (See section 4.4.4.)
MACs for pre-encrypted data can be (mostly) precomputed
as well. The inner invocation of the hash function in the computation
of DT_MAC_DATA contains information that will be known at encryption
time, assuming non-datagram transmission and receiver support
for the hash function chosen by the sender for MAC calculation.
Hence, the output of this inner invocation of the hash function
can be stored along with the pre-encrypted data, and the MAC calculated
efficiently at transmission time using the normal MAC_KEY, the
pre-calculated hash value, and the hash function used in the pre-calculation.
A separate sequence number is used for MACs in pre-encrypted data
records until a KM_TYPE_RESUME_KEY message or another KM_TYPE_FIXED_KEY
message is sent and received. This sequence number begins at zero
for the first data record sent and received after the KM_TYPE_FIXED_KEY
message, and is incremented for each data record sent. Replays
of non-pre-encrypted data as pre-encrypted data are prevented
by the DATA_TYPE value "pecd", which cannot correspond
to a record header prefix, in the MAC computation.
In addition to the special sequence number for pre-encrypted
data, the normal sequence number for the same transmission direction
continues to increment normally as pre-encrypted data messages
are sent and received. This original sequence number is returned
to use, thus incremented, when the next key management message
of type KM_TYPE_RESUME_KEY or KM_TYPE_FIXED_KEY is sent and received.
The receiver of an encrypted record containing a
MAC uses the appropriate MAC_KEY and the received value of ENCRYPTED_DATA
to compute the correct value of MAC_DATA. The computed MAC_DATA
must agree bit for bit with the transmitted MAC_DATA. If the two
are not identical, then an INTEGRITY_CHECK_FAILED error occurs,
and it is recommended that the record be treated as though it
had not been received. (See section 4.6.)
8. Constants
Following is a list of constant values used in the
PCT protocol version 1.
8.1 Record and message type codes
These codes are each placed in the record or message
type fields of PCT records and messages.
RT_HANDSHAKE := 0x0301
RT_KEY_MGMT := 0x0302
RT_DATAGRAM := 0x0303
RT_ERROR := 0x0304
RT_USER_DATA := 0x0305
RT_PCT_VERSION_1_CH := 0x0180
RT_PCT_VERSION_1_SH := 0x0280
RT_SSL_VERSION_2_CH := 0x0100
RT_SSL_VERSION_3_CH := 0x00**
RT_CD_RESERVED := 0x6364
RT_KR_RESERVED := 0x6B72
RT_ESCROW := 0x0310
HS_CLIENT_HELLO := 0x0000
HS_SERVER_HELLO := 0x0001
HS_CLIENT_MASTER_KEY := 0x0002
HS_SERVER_VERIFY := 0x0003
HS_CLIENT_VERIFY := 0x0004
KM_TYPE_FIXED_KEY := 0x0001
KM_TYPE_RESUME_KEY := 0x0002
KM_TYPE_REDO_HANDSHAKE := 0x0003
KM_TYPE_CLOSE_CONN := 0x0004
DM_TYPE_USER_DATA := 0x0000
PV_TYPE_CERTIFICATE := 0x0001
PV_TYPE_PKCS_TOKEN := 0x0002
PV_TYPE_KEA := 0x0003
PV_TYPE_EPHEMERAL_RSA := 0x0004
PV_TYPE_EPHEMERAL_DH := 0x0005
EW_TYPE_MASTER_KEY := 0x0001
EW_TYPE_WRITE_KEYS := 0x0002
8.2 Specification Type Codes
These are codes used to specify types of cipher,
key exchange, hash function, certificate, and digital signature
in the protocol.
PCT_EXCH_RSA_PKCS1 := 0x0001
PCT_EXCH_RSA_PKCS1_TOKEN_DES := 0x0002
PCT_EXCH_RSA_PKCS1_TOKEN_DES3 := 0x0003
PCT_EXCH_RSA_PKCS1_TOKEN_RC2 := 0x0004
PCT_EXCH_RSA_PKCS1_TOKEN_RC4 := 0x0005
PCT_EXCH_DH_PKCS3 := 0x0006
PCT_EXCH_DH_PKCS3_TOKEN_DES := 0x0007
PCT_EXCH_DH_PKCS3_TOKEN_DES3 := 0x0008
PCT_EXCH_FORTEZZA_TOKEN := 0x0009
PCT_CIPHER_DES := 0x0001
PCT_CIPHER_IDEA := 0x0002
PCT_CIPHER_RC2 := 0x0003
PCT_CIPHER_RC4 := 0x0004
PCT_CIPHER_DES_112 := 0x0005
PCT_CIPHER_DES_168 := 0x0006
PCT_HASH_MD5 := 0x0001
PCT_HASH_MD5_TRUNC_64 := 0x0002
PCT_HASH_SHA := 0x0003
PCT_HASH_SHA_TRUNC_80 := 0x0004
PCT_HASH_DES_DM := 0x0005
PCT_CERT_NONE := 0x0000
PCT_CERT_X509 := 0x0001
PCT_CERT_PKCS7 := 0x0002
PCT_CERT_PRIVATE := 0x0003
PCT_SIG_NONE := 0x0000
PCT_SIG_RSA_MD5 := 0x0001
PCT_SIG_RSA_SHA := 0x0002
PCT_SIG_DSA_SHA := 0x0003
8.3 Error Codes
These codes are used to identify errors, when they
occur, in error messages.
PCT_ERR_BAD_CERTIFICATE := 0x0001
PCT_ERR_CLIENT_AUTH_FAILED := 0x0002
PCT_ERR_ILLEGAL_MESSAGE := 0x0003
PCT_ERR_INTEGRITY_CHECK_FAILED := 0x0004
PCT_ERR_SERVER_AUTH_FAILED := 0x0005
PCT_ERR_SPECS_MISMATCH := 0x0006
PCT_ERR_CONN_BROKEN := 0x0007
8.4 Miscellaneous Codes
These include PCT version 1 escape type codes, version
numbers, and assorted constants associated with the PCT protocol.
PCT_VERSION_V2 := 0x0002
PCT_SESSION_ID_NONE := 0x00 (32 bytes of zeros)
PCT_MAC_KEY_PAD_BYTE := 0x36
PCT_ET_OOB_DATA := 0x01
PCT_ET_REDO_CONN := 0x02
PCT_CH_OFFSET_V1 := 0x000A
PCT_CH_OFFSET_V2 := 0x0018
PCT_MAX_RECORD_LENGTH_2_BYTE_HEADER := 32767
PCT_MAX_RECORD_LENGTH_3_BYTE_HEADER := 16383
PCT_MAX_RECORD_LENGTH_V2 := 32763
9. PCT version 1 compatibility
PCT version 1 is a subset of PCT version 2; however,
because of differing formats, connections are identified as either
using version 1 or version 2. The identification occurs during
the handshake phase; a value of RT_PCT_VERSION_1_CH in the RH_RECORD_TYPE
field of a record header indicates a PCT version 1 CLIENT_HELLO
message, and a value of RT_PCT_VERSION_1_SH in the RH_RECORD_TYPE
field of a record header indicates a PCT version 1 SERVER_HELLO
message. If the former is the first record received in a connection,
it signals to the receiver that it is expected to be a server
in a PCT version 1 connection. The client and server then follow
the PCT version 1 protocol for the remainder of the connection.
If the latter is the response received to a PCT version 2 CLIENT_HELLO
message, it signals to the receiver that it is expected to be
a client in a PCT version 1 type connection. The client and server
then follow the PCT version 1 protocol for the remainder of the
connection. The PCT version 1 protocol is specified in [2].
Note that a PCT version 1 server implementation that
correctly uses the CH_OFFSET field to determine the location of
the data fields in the CLIENT_HELLO message can successfully interpret
a PCT version 2 CLIENT_HELLO message, and reply with a PCT version
1 SERVER_HELLO message. However, reconnections in a continued
session must maintain the same version as the first connection
for the session.
Note also that a PCT version 1 record header may
have a three-byte record length field; this format can always
be recognized by a first (most significant) bit of zero in the
RH_RECORD_LENGTH field.
10. Security Considerations
This entire document is about security.
References
[1] K. Hickman and T. Elgamal. The SSL Protocol.
Internet-draft, June 1995.
[2] J. Benaloh, B. Lampson, D. Simon, T. Spies and
B. Yee. The PCT Protocol. Internet Draft, October 1995.
[3] RSA Laboratories, "PKCS #1: RSA Encryption
Standard", Version 1.5, November 1993.
[4] RSA Laboratories, "PKCS #3: "Diffie-Hellman
Key-Agreement Standard", Version 1.4, November 1993.
[5] NBS FIPS PUB 46, "Data Encryption Standard",
National Bureau of Standards, US Department of Commerce, Jan.
1977.
[6] X. Lai, "On the Design and Security of Block
Ciphers", ETH Series in Information Processing, v. 1, Konstanz:
Hartung-Gorre Verlag, 1992.
[7] R. Rivest, RFC 1321: "The MD5 Message Digest
Algorithm", April 1992.
[8] NIST FIPS PUB 180-1, "Secure Hash Standard",
National Institute of Standards and Technology, US Department
of Commerce, Apr. 1995.
[9] ISO/IEC 9797, "Data Cryptographic Techniques--Data
Integrity Mechanism Using a Cryptographic Check Function Employing
a Block Cipher Algorithm", 1989.
[10] CCITT. Recommendation X.509: "The Directory
- Authentication Framework". 1988.
[11] RSA Laboratories, "PKCS #7: Cryptographic
Message Syntax Standard", Version 1.5, November 1993.
[12] NIST FIPS PUB 186, "Digital Signature Standard",
National Institute of Standards and Technology, US Department
of Commerce, May 1994.
[13] B. Schneier, "Applied Cryptography: Protocols,
Algorithms, and Source Code in C", John Wiley & Sons,
Inc., 1994.
[14] R.L. Rivest, A. Shamir, L. Adelman, "A
Method for Obtaining Digital Signatures and Public Key Cryptosystems",
MIT Laboratory for Computer Science and Department of Mathematics,
S.L. Graham, R.L. Rivest ed. Communications of the ACM, February
1978 (Vol 21, No. 2) pp. 120-126.
[15] W. Diffie and M.E. Hellman, "New directions
in Cryptography", IEEE Transactions on Information Theory,
November 1976 (Vol. IT-22, No. 6) pp. 644-654.
Appendix A: Escrow Support
To facilitate the escrow of keys used in PCT connections
(across firewalls, for instance), we describe here a protocol
which can be used to encapsulate PCT records, passing the encryption
keys for the connection to a third party. The protocol involves
a distinct escrow record type (RT_ESCROW). An escrow record header
has the normal format, although all flags must always be set to
zero. The record itself has the following format:
char EW_ESCROW_TYPE[2]
char EW_KEY_ID[16]
char EW_KEY_1_LENGTH[2]
char EW_KEY_2_LENGTH[2]
char EW_KEY_1_DATA[([0] << 8)|[1]]
char EW_KEY_2_DATA[([0] << 8)|[1]]
char EW_ENCLOSED_RECORD_DATA[DATA_LENGTH]
The two defined escrow record types are EW_TYPE_MASTER_KEY
and EW_TYPE_WRITE_KEYS. In the first type, EW_KEY_1_DATA contains
the MASTER_KEY for this session, and EW_KEY_2_DATA is empty, with
length zero. In the second type, EW_KEY_1_DATA contains the sender's
WRITE_KEY, and EW_KEY_2_DATA contains the non-sender's WRITE_KEY.
These keys are encrypted using a key and format determined by
the EW_KEY_ID field, which contains a 16-byte identifier for the
key used in the encryption. The format of the encryption, and
the key distribution method used, are left to the implementation's
discretion. (For example, a PCT connection between sender and
escrower can be used to exchange a symmetric key and associated
identifier; alternatively, a fixed key-exchange RSA public key
can be designated as the escrow key to be used.) ENCLOSED_RECORD_DATA
holds a normal PCT record, whose length can be calculated from
the escrow record's header and the lengths of the other fields
in the escrow record. (Note that the normal length limit for an
escrow record thus imposes a shorter-than-normal limit on the
size of the encapsulated record.)
In a normal connection, the first record sent after
all key exchanges in the handshake have completed might be encapsulated
in an escrow record; the key(s) so escrowed would be in effect
until the next escrow encapsulation. For example, in a connection
between a client and server each operating "behind"
a firewall, the client and server would each encapsulate their
last handshake message (or first data message) in an escrow record,
and pass it to the firewall. Each firewall would receive the encapsulated
record, decrypt the escrowed key(s), then pass the enclosed record
through itself unaltered. Thereafter, each firewall would be able
to read all messages passing in each direction, until a change
of key occurred (prompted by, say, a key management message, which
would presumably have to be enclosed in another escrow record).
The type of escrow used depends on the level of trust
between client or server and escrower. If a master key is escrowed,
then the escrower is capable of not only decrypting but also altering
messages, recalculating MACs accordingly. On the other hand, if
only the encryption keys are escrowed, then the escrower is incapable
not only of altering messages, but also of verifying MACs (to
determine, for instance, if the correct encryption key was supplied).
Furthermore, since the shared master key is used to derive independent
keys for datagram messages, escrow of only encryption keys makes
incoming datagram traffic unreadable to the escrower.
Patent Statement
This version of the PCT protocol relies on the use
of patented public key encryption technology for authentication
and encryption. The Internet Standards Process as defined in RFC
1310 requires a written statement from the Patent holder that
a license will be made available to applicants under reasonable
terms and conditions prior to approving a specification as a Proposed,
Draft or Internet Standard.
See existing RFCs, including RFC 1170, that discuss
known public key cryptography patents and licensing terms and
conditions.
The Internet Society, Internet Architecture Board,
Internet Engineering Steering Group and the Corporation for National
Research Initiatives take no position on the validity or scope
of the patents and patent applications, nor on the appropriateness
of the terms of the assurance. The Internet Society and other
groups mentioned above have not made any determination as to any
other intellectual property rights which may apply to the practice
of this standard. Any further consideration of these matters is
the user's own responsibility.
Author's Address
Daniel R. Simon
Microsoft Corp.
One Microsoft Way
Redmond WA 98052
USA
This Internet-Draft expires 10 October 1996.