summaryrefslogtreecommitdiff
path: root/doc/protocol/draft-ietf-tls-psk-05.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/protocol/draft-ietf-tls-psk-05.txt')
-rw-r--r--doc/protocol/draft-ietf-tls-psk-05.txt900
1 files changed, 0 insertions, 900 deletions
diff --git a/doc/protocol/draft-ietf-tls-psk-05.txt b/doc/protocol/draft-ietf-tls-psk-05.txt
deleted file mode 100644
index a9e5403564..0000000000
--- a/doc/protocol/draft-ietf-tls-psk-05.txt
+++ /dev/null
@@ -1,900 +0,0 @@
-
-
-TLS Working Group P. Eronen, Ed.
-Internet-Draft Nokia
-Expires: June 17, 2005 H. Tschofenig, Ed.
- Siemens
- December 17, 2004
-
-
- Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)
- draft-ietf-tls-psk-05.txt
-
-Status of this Memo
-
- This document is an Internet-Draft and is subject to all provisions
- of section 3 of RFC 3667. By submitting this Internet-Draft, each
- author represents that any applicable patent or other IPR claims of
- which he or she is aware have been or will be disclosed, and any of
- which he or she become aware will be disclosed, in accordance with
- RFC 3668.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on June 17, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004).
-
-Abstract
-
- This document specifies three sets of new ciphersuites for the
- Transport Layer Security (TLS) protocol to support authentication
- based on pre-shared keys. These pre-shared keys are symmetric keys,
- shared in advance among the communicating parties. The first set of
- ciphersuites uses only symmetric key operations for authentication.
- The second set uses a Diffie-Hellman exchange authenticated with a
- pre-shared key; and the third set combines public key authentication
- of the server with pre-shared key authentication of the client.
-
-
-
-
-Eronen & Tschofenig Expires June 17, 2005 [Page 1]
-
-Internet-Draft PSK Ciphersuites for TLS November 24, 2004
-
-
-1. Introduction
-
- Usually TLS uses public key certificates [3] or Kerberos [12] for
- authentication. This document describes how to use symmetric keys
- (later called pre-shared keys or PSKs), shared in advance among the
- communicating parties, to establish a TLS connection.
-
- There are basically two reasons why one might want to do this:
-
- o First, TLS may be used in performance-constrained environments
- where the CPU power needed for public key operations is not
- available.
-
- o Second, pre-shared keys may be more convenient from a key
- management point of view. For instance, in closed environments
- where the connections are mostly configured manually in advance,
- it may be easier to configure a PSK than to use certificates.
- Another case is when the parties already have a mechanism for
- setting up a shared secret key, and that mechanism could be used
- to "bootstrap" a key for authenticating a TLS connection.
-
- This document specifies three sets of new ciphersuites for TLS.
- These ciphersuites use new key exchange algorithms, and re-use
- existing cipher and MAC algorithms from [3] and [2]. A summary of
- these ciphersuites is shown below.
-
- CipherSuite Key Exchange Cipher Hash
-
- TLS_PSK_WITH_RC4_128_SHA PSK RC4_128 SHA
- TLS_PSK_WITH_3DES_EDE_CBC_SHA PSK 3DES_EDE_CBC SHA
- TLS_PSK_WITH_AES_128_CBC_SHA PSK AES_128_CBC SHA
- TLS_PSK_WITH_AES_256_CBC_SHA PSK AES_256_CBC SHA
- TLS_DHE_PSK_WITH_RC4_128_SHA DHE_PSK RC4_128 SHA
- TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA DHE_PSK 3DES_EDE_CBC SHA
- TLS_DHE_PSK_WITH_AES_128_CBC_SHA DHE_PSK AES_128_CBC SHA
- TLS_DHE_PSK_WITH_AES_256_CBC_SHA DHE_PSK AES_256_CBC SHA
- TLS_RSA_PSK_WITH_RC4_128_SHA RSA_PSK RC4_128 SHA
- TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA RSA_PSK 3DES_EDE_CBC SHA
- TLS_RSA_PSK_WITH_AES_128_CBC_SHA RSA_PSK AES_128_CBC SHA
- TLS_RSA_PSK_WITH_AES_256_CBC_SHA RSA_PSK AES_256_CBC SHA
-
- The first set of ciphersuites (with PSK key exchange algorithm),
- defined in Section 2 use only symmetric key algorithms, and are thus
- especially suitable for performance-constrained environments.
-
- The ciphersuites in Section 3 (with DHE_PSK key exchange algorithm)
- use a PSK to authenticate a Diffie-Hellman exchange. These
- ciphersuites protect against dictionary attacks by passive
-
-
-
-Eronen & Tschofenig Expires June 17, 2005 [Page 2]
-
-Internet-Draft PSK Ciphersuites for TLS November 24, 2004
-
-
- eavesdroppers (but not active attackers), and also provide Perfect
- Forward Secrecy (PFS).
-
- The third set of ciphersuites (with RSA_PSK key exchange algorithm),
- defined in Section 4, combine public key based authentication of the
- server (using RSA and certificates) with mutual authentication using
- a PSK.
-
-1.1 Applicability statement
-
- The ciphersuites defined in this document are intended for a rather
- limited set of applications, usually involving only a very small
- number of clients and servers. Even in such environments, other
- alternatives may be more appropriate.
-
- If the main goal is to avoid PKIs, another possibility worth
- considering is to use self-signed certificates with public key
- fingerprints. Instead of manually configuring a shared secret in,
- for instance, some configuration file, a fingerprint (hash) of the
- other party's public key (or certificate) could be placed there
- instead.
-
- It is also possible to use the SRP (Secure Remote Password)
- ciphersuites for shared secret authentication [14]. SRP was designed
- to be used with passwords, and incorporates protection against
- dictionary attacks. However, it is computationally more expensive
- than the PSK ciphersuites in Section 2.
-
-1.2 Conventions used in this document
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [1].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eronen & Tschofenig Expires June 17, 2005 [Page 3]
-
-Internet-Draft PSK Ciphersuites for TLS November 24, 2004
-
-
-2. PSK key exchange algorithm
-
- This section defines the PSK key exchange algorithm and associated
- ciphersuites. These ciphersuites use only symmetric key algorithms.
-
- It is assumed that the reader is familiar with ordinary TLS
- handshake, shown below. The elements in parenthesis are not included
- when PSK key exchange algorithm is used, and "*" indicates a
- situation-dependent message that is not always sent.
-
- Client Server
- ------ ------
-
- ClientHello -------->
- ServerHello
- (Certificate)
- ServerKeyExchange*
- (CertificateRequest)
- <-------- ServerHelloDone
- (Certificate)
- ClientKeyExchange
- (CertificateVerify)
- ChangeCipherSpec
- Finished -------->
- ChangeCipherSpec
- <-------- Finished
- Application Data <-------> Application Data
-
-
- The client indicates its willingness to use pre-shared key
- authentication by including one or more PSK ciphersuites in the
- ClientHello message. If the TLS server also wants to use pre-shared
- keys, it selects one of the PSK ciphersuites, places the selected
- ciphersuite in the ServerHello message, and includes an appropriate
- ServerKeyExchange message (see below). The Certificate and
- CertificateRequest payloads are omitted from the response.
-
- Both clients and servers may have pre-shared keys with several
- different parties. The client indicates which key to use by
- including a "PSK identity" in the ClientKeyExchange message (note
- that unlike in [7], the session_id field in ClientHello message keeps
- its usual meaning). To help the client in selecting which identity
- to use, the server can provide a "PSK identity hint" in the
- ServerKeyExchange message. If no hint is provided, the
- ServerKeyExchange message is omitted.
-
- It is expected that different types of identities are useful for
- different applications running over TLS. This document does not
-
-
-
-Eronen & Tschofenig Expires June 17, 2005 [Page 4]
-
-Internet-Draft PSK Ciphersuites for TLS November 24, 2004
-
-
- therefore mandate the use of any particular type of identity (such as
- IPv4 address or FQDN) or identity hint; neither is specified how
- exactly the client uses the hint (if it uses it at all).
-
- To increase the chances for successful interoperation between
- applications that do agree on what type of identity is used, the
- identity MUST be first converted to a character string, and then
- encoded to octets using UTF-8 [5]. For instance,
-
- o IPv4 addresses are sent as dotted-decimal strings (e.g.,
- "192.0.1.2"), not as 32-bit integers in network byte order.
-
- o Domain names are sent in their usual text form (e.g.,
- "www.example.com" or "embedded\.dot.example.net"), not in DNS
- protocol wire format.
-
- o X.500 Distinguished Names are sent in their string representation
- [9], not as BER-encoded ASN.1.
-
- In situations where the identity is entered by a person, processing
- the character string with an appropriate stringprep [10] profile is
- RECOMMENDED.
-
- The format of the ServerKeyExchange and ClientKeyExchange messages is
- shown below.
-
- struct {
- select (KeyExchangeAlgorithm) {
- /* other cases for rsa, diffie_hellman, etc. */
- case psk: /* NEW */
- opaque psk_identity_hint<0..2^16-1>;
- };
- } ServerKeyExchange;
-
- struct {
- select (KeyExchangeAlgorithm) {
- /* other cases for rsa, diffie_hellman, etc. */
- case psk: /* NEW */
- opaque psk_identity<0..2^16-1>;
- } exchange_keys;
- } ClientKeyExchange;
-
-
-
-
-
-
-
-
-
-
-Eronen & Tschofenig Expires June 17, 2005 [Page 5]
-
-Internet-Draft PSK Ciphersuites for TLS November 24, 2004
-
-
- The premaster secret is formed as follows: if the PSK is N octets
- long, concatenate an uint16 with the value N, N zero octets, a second
- uint16 with the value N, and the PSK itself.
-
- Note 1: All the ciphersuites in this document share the same
- general structure for the premaster secret, namely
-
- struct {
- opaque other_secret<0..2^16-1>;
- opaque psk<0..2^16-1>;
- };
-
- Here "other_secret" is either zeroes (plain PSK case), or comes
- from the Diffie-Hellman or RSA exchange (DHE_PSK and RSA_PSK,
- respectively). See Sections 3 and 4 for a more detailed
- description.
-
- Note 2: Using zeroes for "other_secret" effectively means that
- only the HMAC-SHA1 part (but not the HMAC-MD5 part) of the TLS PRF
- is used when constructing the master secret. See [8] for a more
- detailed rationale.
-
- The TLS handshake is authenticated using the Finished messages as
- usual.
-
- If the server does not recognize the PSK identity, it MAY respond
- with an "unknown_psk_identity" alert message. Alternatively, if the
- server wishes to hide the fact that the PSK identity was not known,
- it MAY continue the protocol as if the PSK identity existed but the
- key was incorrect: that is, respond with a "decrypt_error" alert.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eronen & Tschofenig Expires June 17, 2005 [Page 6]
-
-Internet-Draft PSK Ciphersuites for TLS November 24, 2004
-
-
-3. DHE_PSK key exchange algorithm
-
- This section defines additional ciphersuites that use a PSK to
- authenticate a Diffie-Hellman exchange. These ciphersuites give some
- additional protection against dictionary attacks, and also provide
- Perfect Forward Secrecy (PFS). See Section 6 for discussion of
- related security considerations.
-
- When these ciphersuites are used, the ServerKeyExchange and
- ClientKeyExchange messages also include the Diffie-Hellman
- parameters. The PSK identity and identity hint fields have the same
- meaning as in the previous section (note that the ServerKeyExchange
- message is always sent even if no PSK identity hint is provided).
-
- The format of the ServerKeyExchange and ClientKeyExchange messages is
- shown below.
-
- struct {
- select (KeyExchangeAlgorithm) {
- /* other cases for rsa, diffie_hellman, etc. */
- case diffie_hellman_psk: /* NEW */
- opaque psk_identity_hint<0..2^16-1>;
- ServerDHParams params;
- };
- } ServerKeyExchange;
-
- struct {
- select (KeyExchangeAlgorithm) {
- /* other cases for rsa, diffie_hellman, etc. */
- case diffie_hellman_psk: /* NEW */
- opaque psk_identity<0..2^16-1>;
- ClientDiffieHellmanPublic public;
- } exchange_keys;
- } ClientKeyExchange;
-
- The premaster secret is formed as follows. Let Z be the value
- produced by the Diffie-Hellman exchange (with leading zero bytes
- stripped as in other Diffie-Hellman based ciphersuites). Concatenate
- an uint16 containing the length of Z (in octets), Z itself, an uint16
- containing the length of the PSK (in octets), and the PSK itself.
-
- This corresponds to the general structure for the premaster secrets
- (see Note 1 in Section 2) in this document, with "other_secret"
- containing Z.
-
-
-
-
-
-
-
-Eronen & Tschofenig Expires June 17, 2005 [Page 7]
-
-Internet-Draft PSK Ciphersuites for TLS November 24, 2004
-
-
-4. RSA_PSK key exchange algorithm
-
- The ciphersuites in this section use RSA and certificates to
- authenticate the server, in addition to using a PSK.
-
- As in normal RSA ciphersuites, the server must send a Certificate
- message. The format of the ServerKeyExchange and ClientKeyExchange
- messages is shown below. If no PSK identity hint is provided, the
- ServerKeyExchange message is omitted.
-
- struct {
- select (KeyExchangeAlgorithm) {
- /* other cases for rsa, diffie_hellman, etc. */
- case rsa_psk: /* NEW */
- opaque psk_identity_hint<0..2^16-1>;
- };
- } ServerKeyExchange;
-
- struct {
- select (KeyExchangeAlgorithm) {
- /* other cases for rsa, diffie_hellman, etc. */
- case rsa_psk: /* NEW */
- opaque psk_identity<0..2^16-1>;
- EncryptedPreMasterSecret;
- } exchange_keys;
- } ClientKeyExchange;
-
- The EncryptedPreMasterSecret field sent from the client to the server
- contains a 2-byte version number and a 46-byte random value,
- encrypted using the server's RSA public key as described in Section
- 7.4.7.1 of [3]. The actual premaster secret is formed by both
- parties as follows: concatenate an uint16 with the value 48, the
- 2-byte version number and the 46-byte random value, an uint16
- containing the length of the PSK (in octets), and the PSK itself.
-
- This corresponds to the general structure for the premaster secrets
- (see Note 1 in Section 2) in this document, with "other_secret"
- containing both the 2-byte version number and the 46-byte random
- value.
-
- Neither the normal RSA ciphersuites nor these RSA_PSK ciphersuites
- themselves specify what the certificates contain (in addition to the
- RSA public key), or how the certificates are to be validated. In
- particular, it is possible to use the RSA_PSK ciphersuites with
- unvalidated self-signed certificates to provide somewhat similar
- protection against dictionary attacks as the DHE_PSK ciphersuites
- defined in Section 3.
-
-
-
-
-Eronen & Tschofenig Expires June 17, 2005 [Page 8]
-
-Internet-Draft PSK Ciphersuites for TLS November 24, 2004
-
-
-5. IANA considerations
-
- IANA does not currently have a registry for TLS-related numbers, so
- there are no IANA actions associated with this document.
-
- For easier reference in the future, the ciphersuite numbers defined
- in this document are summarized below.
-
- CipherSuite TLS_PSK_WITH_RC4_128_SHA = { 0x00, 0x8A };
- CipherSuite TLS_PSK_WITH_3DES_EDE_CBC_SHA = { 0x00, 0x8B };
- CipherSuite TLS_PSK_WITH_AES_128_CBC_SHA = { 0x00, 0x8C };
- CipherSuite TLS_PSK_WITH_AES_256_CBC_SHA = { 0x00, 0x8D };
- CipherSuite TLS_DHE_PSK_WITH_RC4_128_SHA = { 0x00, 0x8E };
- CipherSuite TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = { 0x00, 0x8F };
- CipherSuite TLS_DHE_PSK_WITH_AES_128_CBC_SHA = { 0x00, 0x90 };
- CipherSuite TLS_DHE_PSK_WITH_AES_256_CBC_SHA = { 0x00, 0x91 };
- CipherSuite TLS_RSA_PSK_WITH_RC4_128_SHA = { 0x00, 0x92 };
- CipherSuite TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = { 0x00, 0x93 };
- CipherSuite TLS_RSA_PSK_WITH_AES_128_CBC_SHA = { 0x00, 0x94 };
- CipherSuite TLS_RSA_PSK_WITH_AES_256_CBC_SHA = { 0x00, 0x95 };
-
- This document also defines a new TLS alert message,
- unknown_psk_identity(115).
-
-6. Security Considerations
-
- As with all schemes involving shared keys, special care should be
- taken to protect the shared values and to limit their exposure over
- time.
-
-6.1 Perfect forward secrecy (PFS)
-
- The PSK and RSA_PSK ciphersuites defined in this document do not
- provide Perfect Forward Secrecy (PFS). That is, if the shared secret
- key (in PSK ciphersuites), or both the shared secret key and the RSA
- private key (in RSA_PSK ciphersuites), is somehow compromised, an
- attacker can decrypt old conversations.
-
- The DHE_PSK ciphersuites provide Perfect Forward Secrecy if a fresh
- DH private key is generated for each handshake.
-
-6.2 Brute-force and dictionary attacks
-
- Use of a fixed shared secret of limited entropy (for example, a PSK
- that is relatively short, or was chosen by a human and thus may
- contain less entropy than its length would imply) may allow an
- attacker to perform a brute-force or dictionary attack to recover the
- secret. This may be either an off-line attack (against a captured
-
-
-
-Eronen & Tschofenig Expires June 17, 2005 [Page 9]
-
-Internet-Draft PSK Ciphersuites for TLS November 24, 2004
-
-
- TLS handshake messages), or an on-line attack where the attacker
- attempts to connect to the server and tries different keys.
-
- For the PSK ciphersuites, an attacker can get the information
- required for an off-line attack by eavesdropping a TLS handshake, or
- by getting a valid client to attempt connection with the attacker (by
- tricking the client to connect to wrong address, or intercepting a
- connection attempt to the correct address, for instance).
-
- For the DHE_PSK ciphersuites, an attacker can obtain the information
- by getting a valid client to attempt connection with the attacker.
- Passive eavesdropping alone is not sufficient.
-
- For the RSA_PSK ciphersuites, only the server (authenticated using
- RSA and certificates) can obtain sufficient information for an
- off-line attack.
-
- It is RECOMMENDED that implementations that allow the administrator
- to manually configure the PSK also provide a functionality for
- generating a new random PSK, taking [4] into account.
-
-6.3 Identity privacy
-
- The PSK identity is sent in cleartext. While using a user name or
- other similar string as the PSK identity is the most straightforward
- option, it may lead to problems in some environments since an
- eavesdropper is able to identify the communicating parties. Even
- when the identity does not reveal any information itself, reusing the
- same identity over time may eventually allow an attacker to perform
- traffic analysis to identify the parties. It should be noted that
- this is no worse than client certificates, since they are also sent
- in cleartext.
-
-6.4 Implementation notes
-
- The implementation notes in [11] about correct implementation and use
- of RSA (including Section 7.4.7.1) and Diffie-Hellman (including
- Appendix F.1.1.3) apply to the DHE_PSK and RSA_PSK ciphersuites as
- well.
-
-7. Acknowledgments
-
- The protocol defined in this document is heavily based on work by Tim
- Dierks and Peter Gutmann, and borrows some text from [7] and [2].
- The DHE_PSK and RSA_PSK ciphersuites are based on earlier work in
- [6].
-
- Valuable feedback was also provided by Philip Ginzboorg, Peter
-
-
-
-Eronen & Tschofenig Expires June 17, 2005 [Page 10]
-
-Internet-Draft PSK Ciphersuites for TLS November 24, 2004
-
-
- Gutmann, David Jablon, Nikos Mavroyanopoulos, Bodo Moeller, Eric
- Rescorla, and Mika Tervonen.
-
- When the first version of this draft was almost ready, the authors
- learned that something similar had been proposed already in 1996
- [13]. However, this draft is not intended for web password
- authentication, but rather for other uses of TLS.
-
-8. References
-
-8.1 Normative References
-
- [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", RFC 2119, March 1997.
-
- [2] Chown, P., "Advanced Encryption Standard (AES) Ciphersuites
- for Transport Layer Security (TLS)", RFC 3268, June 2002.
-
- [3] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC
- 2246, January 1999.
-
- [4] Eastlake, D., Crocker, S. and J. Schiller, "Randomness
- Recommendations for Security", RFC 1750, December 1994.
-
- [5] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC
- 3629, November 2003.
-
-8.2 Informative References
-
- [6] Badra, M., Cherkaoui, O., Hajjeh, I. and A. Serhrouchni,
- "Pre-Shared-Key key Exchange methods for TLS",
- draft-badra-tls-key-exchange-00 (work in progress), August
- 2004.
-
- [7] Gutmann, P., "Use of Shared Keys in the TLS Protocol",
- draft-ietf-tls-sharedkeys-02 (expired), October 2003.
-
- [8] Krawczyk, H., "Re: TLS shared keys PRF", message on
- ietf-tls@lists.certicom.com mailing list 2004-01-13,
- http://www.imc.org/ietf-tls/mail-archive/msg04098.html.
-
- [9] Zeilenga, K., "LDAP: String Representation of Distinguished
- Names", draft-ietf-ldapbis-dn-15 (work in progress), October
- 2004.
-
- [10] Hoffman, P. and M. Blanchet, "Preparation of Internationalized
- Strings ("stringprep")", RFC 3454, December 2002.
-
-
-
-
-Eronen & Tschofenig Expires June 17, 2005 [Page 11]
-
-Internet-Draft PSK Ciphersuites for TLS November 24, 2004
-
-
- [11] Dierks, T. and E. Rescorla, "The TLS Protocol Version 1.1",
- draft-ietf-tls-rfc2246-bis-09 (work in progress), December
- 2004.
-
- [12] Medvinsky, A. and M. Hur, "Addition of Kerberos Cipher Suites
- to Transport Layer Security (TLS)", RFC 2712, October 1999.
-
- [13] Simon, D., "Addition of Shared Key Authentication to Transport
- Layer Security (TLS)", draft-ietf-tls-passauth-00 (expired),
- November 1996.
-
- [14] Taylor, D., Wu, T., Mavroyanopoulos, N. and T. Perrin, "Using
- SRP for TLS Authentication", draft-ietf-tls-srp-08 (work in
- progress), August 2004.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eronen & Tschofenig Expires June 17, 2005 [Page 12]
-
-Internet-Draft PSK Ciphersuites for TLS November 24, 2004
-
-
-Authors' and Contributors' Addresses
-
- Pasi Eronen
- Nokia Research Center
- P.O. Box 407
- FIN-00045 Nokia Group
- Finland
- Email: pasi.eronen@nokia.com
-
-
- Hannes Tschofenig
- Siemens
- Otto-Hahn-Ring 6
- Munich, Bayern 81739
- Germany
- Email: Hannes.Tschofenig@siemens.com
-
-
- Mohamad Badra
- ENST Telecom
- 46 rue Barrault
- 75634 Paris
- France
- Email: Mohamad.Badra@enst.fr
-
-
- Omar Cherkaoui
- UQAM University
- Montreal (Quebec)
- Canada
- Email: cherkaoui.omar@uqam.ca
-
-
- Ibrahim Hajjeh
- ENST Telecom
- 46 rue Barrault
- 75634 Paris
- France
- Email: Ibrahim.Hajjeh@enst.fr
-
-
- Ahmed Serhrouchni
- ENST Telecom
- 46 rue Barrault
- 75634 Paris
- France
- Email: Ahmed.Serhrouchni@enst.fr
-
-
-
-
-Eronen & Tschofenig Expires June 17, 2005 [Page 13]
-
-Internet-Draft PSK Ciphersuites for TLS November 24, 2004
-
-
-Appendix A. Changelog
-
- (This section should be removed by the RFC Editor before
- publication.)
-
- Changes from -04 to -05:
-
- o Omit ServerKeyExchange message (in PSK/RSA_PSK versions) if no
- identity hint is provided.
-
- Changes from -03 to -04:
-
- o Added a note about premaster secret "general structure" in
- Sections 3 and 4.
-
- o Something in the I-D submission procedure had removed all
- circumflexes from -03 version, turning e.g. "2^16" (two-to-
- the sixteenth power) to "216" (two hundred and sixteen).
- Let's try again.
-
- Changes from -02 to -03:
-
- o Aligned the way the premaster secret is derived.
-
- o Specified that identities must be sent as human-readable UTF-8
- strings, not in binary formats. Changed reference to RFC 3629
- from informative to normative.
-
- o Selected ciphersuite and alert numbers, and updated IANA
- considerations section to match this.
-
- o Reworded some text about dictionary attacks in Section 6.2.
-
- Changes from -01 to -02:
-
- o Clarified text about DHE_PSK ciphersuites in Section 1.
-
- o Clarified explanation of HMAC-SHA1/MD5 use of PRF in Section 2.
-
- o Added note about certificate validation and self-signed
- certificates in Section 4.
-
- o Added Mohamad Badra et al. as contributors.
-
- Changes from draft-ietf-tls-psk-00 to -01:
-
- o Added DHE_PSK and RSA_PSK key exchange algorithms, and updated
- other text accordingly
-
-
-
-Eronen & Tschofenig Expires June 17, 2005 [Page 14]
-
-Internet-Draft PSK Ciphersuites for TLS November 24, 2004
-
-
- o Removed SHA-1 hash from PSK key exchange premaster secret
- construction (since premaster secret doesn't need to be 48 bytes).
-
- o Added unknown_psk_identity alert message.
-
- o Updated IANA considerations section.
-
- Changes from draft-eronen-tls-psk-00 to draft-ietf-tls-psk-00:
-
- o Updated dictionary attack considerations based on comments from
- David Jablon.
-
- o Added a recommendation about using UTF-8 in the identity field.
-
- o Removed Appendix A comparing this document with
- draft-ietf-tls-sharedkeys-02.
-
- o Removed IPR comment about SPR.
-
- o Minor editorial changes.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eronen & Tschofenig Expires June 17, 2005 [Page 15]
-
-Internet-Draft PSK Ciphersuites for TLS November 24, 2004
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2004). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Eronen & Tschofenig Expires June 17, 2005 [Page 16]
-
-
View Lorry Controller Status