Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below). Archived Publication Series/Number: NIST Special Publication 800-56A Title: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography Publication Date(s): March 2006 Withdrawal Date: March 2007 Withdrawal Note: SP 800-56A is superseded in its entirety by the publication of SP 800-56A Revised (March 2007). Superseding Publication(s) The attached publication has been superseded by the following publication(s): Series/Number: NIST Special Publication 800-56A Revised Title: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised) Author(s): Elaine Barker, Don Johnson, Miles Smid Publication Date(s): March 2007 URL/DOI: http://dx.doi.org/10.6028/NIST.SP.800-56ar Additional Information (if applicable) Contact: Computer Security Division (Information Technology Lab) Latest revision of the SP 800-56A Revision 2 (as of August 7, 2015) attached publication: Related information: http://csrc.nist.gov/groups/ST/toolkit/key_management.html Withdrawal N/A announcement (link): Date updated: ƵŐƵƐƚϳ, 2015 NIST Special Publication 800-56A Recommendation for Pair-Wise March, 2006 Key Establishment Schemes Using Discrete Logarithm Cryptography Elaine Barker, Don Johnson, and Miles Smid C O M P U T E R S E C U R I T Y NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography March, 2006 Abstract This Recommendation specifies key establishment schemes using discrete logarithm cryptography, based on standards developed by the Accredited Standards Committee (ASC) X9, Inc.: ANS X9.42 (Agreement of Symmetric Keys Using Discrete Logarithm Cryptography) and ANS X9.63 (Key Agreement and Key Transport Using Elliptic Curve Cryptography). KEY WORDS: assurances; Diffie-Hellman; elliptic curve cryptography; finite field cryptography; key agreement; key confirmation; key derivation; key establishment; key management; key recovery; key transport; MQV. 2 NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography March, 2006 Acknowledgements The National Institute of Standards and Technology (NIST) gratefully acknowledges and appreciates contributions by Rich Davis, Mike Hopper and Laurie Law from the National Security Agency concerning the many security issues associated with this Recommendation. NIST also thanks the many contributions by the public and private sectors whose thoughtful and constructive comments improved the quality and usefulness of this publication. 3 NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography March, 2006 Authority This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III. This Recommendation has been prepared for use by federal agencies. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright. (Attribution would be appreciated by NIST.) Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. Conformance testing for implementations of key establishment schemes, as specified in this Recommendation, will be conducted within the framework of the Cryptographic Module Validation Program (CMVP), a joint effort of NIST and the Communications Security Establishment of the Government of Canada. An implementation of a key establishment scheme must adhere to the requirements in this Recommendation in order to be validated under the CMVP. The requirements of this Recommendation are indicated by the word “shall.” 4 NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography March, 2006 Table of Contents 1. Introduction............................................................................................................ 10 2. Scope and Purpose ............................................................................................... 11 3. Definitions, Symbols and Abbreviations ............................................................. 12 3.1 Definitions...................................................................................................................... 12 3.2 Symbols and Abbreviations ........................................................................................... 16 4. Key Establishment Schemes Overview ............................................................... 20 4.1 Key Agreement Preparations by an Owner ................................................................... 21 4.2 Key Agreement Process................................................................................................. 24 4.3 DLC-based Key Transport Process................................................................................ 25 5. Cryptographic Elements ....................................................................................... 26 5.1 Cryptographic Hash Functions ...................................................................................... 26 5.2 Message Authentication Code (MAC) Algorithm......................................................... 26 5.2.1 MacTag Computation ........................................................................................ 26 5.2.2 MacTag Checking.............................................................................................. 27 5.2.3 Implementation Validation Message ................................................................. 27 5.3 Random Number Generation ......................................................................................... 27 5.4 Nonces........................................................................................................................... 27 5.5 Domain Parameters........................................................................................................ 28 5.5.1 Domain Parameter Generation........................................................................... 28 5.5.1.1 FFC Domain Parameter Generation.................................................... 28 5.5.1.2 ECC Domain Parameter Generation................................................... 29 5.5.2 Assurances of Domain Parameter Validity........................................................ 30 5.5.3 Domain Parameter Management........................................................................ 31 5.6 Private and Public Keys................................................................................................. 31 5.6.1 Private/Public Key Pair Generation................................................................... 31 5 NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography March, 2006 5.6.1.1 FFC Key Pair Generation.................................................................... 31 5.6.1.2 ECC Key Pair Generation................................................................... 32 5.6.2 Assurances of the Arithmetic Validity of a Public Key..................................... 32 5.6.2.1 Owner Assurances of Static Public Key Validity............................... 32 5.6.2.2 Recipient Assurances of Static Public Key Validity........................... 33 5.6.2.3 Recipient Assurances of Ephemeral Public Key Validity .................. 33 5.6.2.4 FFC Full Public Key Validation Routine............................................ 34 5.6.2.5 ECC Full Public Key Validation Routine........................................... 34 5.6.2.6 ECC Partial Public Key Validation Routine....................................... 35 5.6.3 Assurances of the Possession of a Static Private Key........................................ 36 5.6.3.1 Owner Assurances of Possession of a Static Private Key................... 37 5.6.3.2 Recipient Assurance of Owner’s Possession of a Static Private Key. 38 5.6.3.2.1 Recipient Obtains Assurance through a Trusted Third Party ............. 38 5.6.3.2.2 Recipient Obtains Assurance Directly from the Claimed Owner....... 38 5.6.4 Key Pair Management........................................................................................ 39 5.6.4.1 Common Requirements on Static and Ephemeral Key Pairs.............. 39 5.6.4.2 Specific Requirements on Static Key Pairs ........................................ 40 5.6.4.3 Specific Requirements on Ephemeral Key Pairs ...............................