Proposed List of 1609.2 Mechanisms Requiring SAPs
Deliverable Del-2.1.4.1 of the 1609.2 Update Project
William Whyte, NTRU Cryptosystems
June 2009

Introduction

This document presents the list of mechanisms based on 1609.2-2006 that require SAPs to be called from the application layer or the WME. These mechanisms are:

- Sign WSA
- Verify WSA
- Sign 1609.2 Message
- Encrypt 1609.2 Message
- Process Incoming 1609.2 Secured Message

SAPs that are only used for security management are considered to be internal to a Security Management Entity and are omitted. These include:

- CRL processing (request and response)
- Certificate Request messages and the appropriate responses

Each mechanism description is organized under the following headings:

- Input: the message to be processed, a byte array.
- Parameters: configuration choices and other information that is obtained from a source other than the message itself and may have a different lifetime from the message.
- Output: the result of the processing. On success this consists at least of a byte array containing the processed message; it may additionally contain information relevant to the parameters.
- Errors: issues that may prevent correct processing of the input (or the processing that would be expected if the input were correct).
- Newly Stored Parameters: changes to stored parameters made as a result of processing.

The distinction between Input and Parameters is not intended at this point as a recommendation for how the SAPs should be defined; it is simply an aid to clarity. Since some of the mechanisms described in this document have a large number of Parameters, we intend to seek guidance from the Working Group as to how best to specify parameters and parameter management within the SAPs.

For outgoing messages, this document assumes that there are no errors due to badly formed inputs to the SAP. For incoming messages, it is possible that the input has been corrupted in transmission.
This document attempts to distinguish between errors due to corruption and errors due to an attack, but it should be noted that many errors may be due to either cause.

Sign WSA

Input
- An unsigned WSA

Parameters
- The set of private keys, and the corresponding certificates, that might be used to sign a WSA
- The list of revoked certificates
- ***

Output
- A signed WSA

Errors
- No cert available
  o No cert exists
  o Cert exists, but…
    - Application scope error
    - Geographic scope error
    - Expired
    - Revoked
    - Some cert in chain expired
    - Some cert in chain revoked

Newly Stored Parameters
- None

Verify WSA

Input
- A signed WSA

Parameters
- The set of certificates that might be used to construct and verify a cert chain back to the root cert
- The list of revoked certificates
- Current time
- Current position
- Last accepted WSA

Output
On success:
- The contents of the secured WSA
- Transmission location
- Generation time
- Expiry time

Errors

Parsing
- Protocol version mismatch
- Parse error
  o Nonsensical length
- Other "errors" may actually be parse errors

Processing
- Problem with WSA
  o Possible parse error, possible genuine error
    - Cryptographic verification failed
    - WSA too old
    - WSA from future
    - WSA from too far away
    - Expected but did not find field:
      o Generation time
      o Transmission location
      o Expiry time
  o Cert / WSA mismatch error
    - WSA outside geographic bounds in cert
    - WSA PSID-and-Priorities not matched by cert PSID-and-Priorities
- Problem with some certificate in chain (note: can distinguish between signer cert and CA cert if necessary)
  o Could not construct cert chain to known root
  o Maybe parse error
    - Cryptographic verification failed
    - Invalid subject type
    - Invalid key
    - Invalid key algorithm
    - Scope fields have unexpected form
      o PSIDAndPriority
      o Location
  o Genuine error
    - Expired
    - Revoked

Newly Stored Parameters
- WSA certificate if not previously encountered

Sign Message

Input
- An application data payload to sign

Parameters
- The set of private keys and certificates belonging to the application that might be used to sign a message
- The list of revoked certificates
- Current time
- Current position
- Do we use generation time?
- Do we use transmission location?
- Do we use expiry time?
- PSID associated with the message

Output
- On success, the signed message

Errors
- No cert available
  o No cert exists
  o Cert exists, but…
    - Application scope error
    - Geographic scope error
    - Expired
    - Revoked
    - Some cert in chain expired
    - Some cert in chain revoked

Newly Stored Parameters
- None

Encrypt Message

Input
- An application data payload to encrypt
- An appropriate identifier for each recipient (for example, the certificate to use to encrypt the message)

Parameters
- The list of revoked certificates
- Current time
- ***

Output
- On success, the encrypted message
- On failure, a list of the recipients for which encryption failed, each with one of the error indicators below

Errors
***
A message can be intended to be encrypted for multiple recipients. It is possible that encryption for one of these recipients will fail for one of the reasons noted below. This document assumes that a single failure will cause the entire operation to fail; in other words, the options are "succeed" or "fail". It would also be possible to have "partial success": if encryption for one recipient fails but the others succeed, output the result as if the caller had requested encryption only for the recipients that succeeded. I think success/failure is cleaner but I'm open to discussion on this.

Errors:
- Unknown recipient
- Problem with recipient's cert
  o Revoked
  o Expired

Newly Stored Parameters
- None

Process Received Secured Message

Input
- A received secured message

Parameters
- The set of keys that might be used to decrypt an encrypted message
- The set of certificates that might be used to construct and verify a cert chain back to the root cert
- The list of revoked certificates
- Current time
- Current position
- Replay cache
- Do we expect to see generation time?
- Do we expect to see transmission location?
- Do we expect to see expiry time?
- Acceptable PSID
- ***

Output
On success:
- The contents of the secured message
- Content type of message
- Inner content type of message if message was encrypted
- Message transmission location if available
- Message generation time if available
- Message expiry time if available
- Sender identity if available

Errors

Parsing
- Protocol version mismatch
- Parse error
  o Nonsensical length
- Other "errors" may actually be parse errors

Processing – signed (including WSAs)
- Problem with message
  o Processing error
    - Duplicate message, possible replay attack
  o Possible parse error, possible genuine error
    - Cryptographic verification failed
    - Message too old
    - Message from future
    - Message from too far away
    - PSID was not acceptable
    - Expected but did not find field:
      o Generation time
      o Transmission location
      o Expiry time
  o Cert / message mismatch error
    - Message outside geographic bounds in cert
    - Message PSIDs not matched by cert PSIDs
- Problem with some certificate in chain (note: can distinguish between signer cert and CA cert if necessary)
  o Could not construct cert chain to known root
  o Maybe parse error
    - Cryptographic verification failed
    - Invalid subject type
    - Invalid key
    - Invalid key algorithm
    - Scope fields have unexpected form
      o AppID
      o Location
  o Genuine error
    - Expired
    - Revoked

Processing – encrypted
- Problem with decryption key
  o Couldn't find decryption key
  o Key corresponds to expired local cert
  o Key corresponds to revoked local cert
- Crypto processing error
  o Error decrypting symmetric key with private key
  o Error decrypting message with the recovered symmetric key

Newly Stored Parameters
- Sender public encryption key if available
- Sender cert chain

Other Message Types

Do these need SAPs? They seem like they may be internal SAPs within the Security Management Entity.
- Certificate Request?
- Certificate Response processing?
- CRL processing?
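As an added worked example (not part of this deliverable or of the 1609.2 draft), the following Python models the Sign SAP and the signed-message path shared by Verify WSA and Process Received Secured Message, so that each error class in the lists above falls out of one explicit check. It assumes simplified structures: JSON messages and dict-based certificates in place of 1609.2 encodings, HMAC-SHA256 in place of ECDSA so it runs with the standard library only, positions as (latitude, longitude) in degrees with a degree-distance threshold, a signer cert already present in the store, and the names SapError, Cert, SecurityStore, check_chain, sign_message, process_received and error_code, plus every error string, are chosen here rather than taken from the standard.

```python
# Added example, not from this deliverable or the 1609.2 draft. Assumptions: JSON messages and
# dict-based certs instead of 1609.2 encodings, HMAC-SHA256 instead of ECDSA, positions in
# (lat, lon) degrees, and all field/error names below are mine.
import hashlib, hmac, json, math
from dataclasses import dataclass, field

PROTOCOL_VERSION = 1   # assumed version number for the toy message format

class SapError(Exception):
    """code names an error class from the document; kind is 'parse' or 'processing'."""
    def __init__(self, code, kind="processing"): super().__init__(code); self.code, self.kind = code, kind

@dataclass
class Cert:
    cert_id: str
    issuer: str        # "" for a root cert
    psids: frozenset   # application scope: PSIDs this cert may sign for
    region: tuple      # geographic scope: (lat_lo, lat_hi, lon_lo, lon_hi)
    not_after: int     # expiry time, seconds
    key: bytes         # HMAC key standing in for the ECDSA key pair (assumption)

@dataclass
class SecurityStore:
    certs: dict        # cert_id -> Cert: own certs, peer certs and CA certs
    roots: set         # trusted root cert_ids
    crl: set           # revoked cert_ids
    replay_cache: set = field(default_factory=set)

def in_region(region, pos):
    lat_lo, lat_hi, lon_lo, lon_hi = region
    return lat_lo <= pos[0] <= lat_hi and lon_lo <= pos[1] <= lon_hi

def check_chain(store, cert, now):
    """Walk issuer links to a trusted root; signer-cert and CA-cert failures get distinct codes."""
    c, depth = cert, 0
    while True:
        if c.cert_id in store.crl: raise SapError("chain_revoked" if depth else "revoked")
        if now > c.not_after: raise SapError("chain_expired" if depth else "expired")
        if c.cert_id in store.roots: return
        if c.issuer not in store.certs or depth >= 8: raise SapError("no_chain_to_root")
        c, depth = store.certs[c.issuer], depth + 1

def sign_message(store, own_cert_ids, payload, psid, pos, now):
    """Sign SAP: use the first own cert whose scope covers the request, else report why none did."""
    candidates = [store.certs[i] for i in own_cert_ids if i in store.certs]
    if not candidates: raise SapError("no_cert_exists")
    err = None
    for c in candidates:
        try:
            if psid not in c.psids: raise SapError("application_scope")
            if not in_region(c.region, pos): raise SapError("geographic_scope")
            check_chain(store, c, now)
        except SapError as e:
            err = e; continue
        body = {"v": PROTOCOL_VERSION, "psid": psid, "gen_time": now,
                "tx_location": list(pos), "payload": payload, "signer": c.cert_id}
        tbs = json.dumps(body, sort_keys=True).encode()   # to-be-signed bytes
        sig = hmac.new(c.key, tbs, hashlib.sha256).hexdigest()
        return json.dumps({"body": body, "sig": sig}).encode()
    raise err

def process_received(store, raw, acceptable_psids, pos, now,
                     expect=("gen_time", "tx_location"), max_age=30, max_future=5, max_deg=0.05):
    """Process Received SAP, signed path: parse errors first, then cheap processing checks, then chain
    and signature. The replay cache is updated only after the signature verifies (no poisoning)."""
    try:
        msg = json.loads(raw)
        body, sig = msg["body"], msg["sig"]
        if not isinstance(sig, str): raise SapError("parse_error", "parse")
        if body["v"] != PROTOCOL_VERSION: raise SapError("protocol_version_mismatch", "parse")
        psid, signer, payload = body["psid"], body["signer"], body["payload"]
        gen, loc = body.get("gen_time"), body.get("tx_location")
        if loc is not None: loc = (float(loc[0]), float(loc[1]))
        if gen is not None: gen = float(gen)
    except (ValueError, KeyError, TypeError, IndexError):
        raise SapError("parse_error", "parse")
    for f in expect:
        if f not in body: raise SapError("missing_field:" + f)
    if gen is not None and now - gen > max_age: raise SapError("message_too_old")
    if gen is not None and gen - now > max_future: raise SapError("message_from_future")
    if loc is not None and math.dist(loc, pos) > max_deg: raise SapError("message_from_too_far_away")
    if psid not in acceptable_psids: raise SapError("psid_not_acceptable")
    cert = store.certs.get(signer)
    if cert is None: raise SapError("no_chain_to_root")   # unknown signer: no chain can be built
    if psid not in cert.psids: raise SapError("psid_not_matched_by_cert")
    if loc is not None and not in_region(cert.region, loc): raise SapError("outside_cert_geographic_bounds")
    check_chain(store, cert, now)
    tbs = json.dumps(body, sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(cert.key, tbs, hashlib.sha256).hexdigest().encode(), sig.encode()):
        raise SapError("cryptographic_verification_failed")
    if sig in store.replay_cache: raise SapError("duplicate_message")
    store.replay_cache.add(sig)
    return {"payload": payload, "psid": psid, "gen_time": gen, "tx_location": loc, "sender": signer}

def error_code(fn, *args, **kw):
    """Return the SapError code raised by a SAP call, or None on success."""
    try: fn(*args, **kw); return None
    except SapError as e: return e.code
```

Two design points are worth noting against the lists above. The `kind` attribute separates the document's "Parsing" and "Processing" classes, but the "possible parse error, possible genuine error" ambiguity survives: a corrupted generation time and a replayed old message both surface as message_too_old. The freshness, distance and PSID checks run before any chain or signature work so that junk traffic is rejected cheaply, and the replay cache is keyed on the signature and updated only after verification, so an attacker cannot fill it with forged entries.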
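A second added example (again not from this deliverable or the 1609.2 draft) models Encrypt Message for several recipients and the encrypted branch of Process Received Secured Message, including the success/fail versus partial-success choice discussed under Encrypt Message. It assumes one random content key per message, wrapped once per recipient; a SHA-256 counter-mode keystream with an HMAC tag stands in for the real public-key and symmetric algorithms, a shared secret in each recipient "cert" stands in for that recipient's key pair, and the names Cert, SapError, encrypt_message, decrypt_message, error_code and all error strings are chosen here.

```python
# Added example, not from this deliverable or the 1609.2 draft. Assumptions: a fresh content key
# per message wrapped once per recipient; SHA-256 counter-mode keystream + HMAC in place of the
# real public-key/symmetric algorithms; a shared secret in each "cert" in place of a key pair.
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass
class Cert:
    cert_id: str
    not_after: int   # expiry time, seconds
    key: bytes       # stand-in for the recipient's encryption key pair (assumption)

class SapError(Exception):
    def __init__(self, code): super().__init__(code); self.code = code

def _xor_stream(key, label, nonce, data):
    """Toy stream cipher: XOR data with SHA-256(key || label || nonce || counter) blocks."""
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + label + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

def _seal(key, label, data):
    """Encrypt-then-MAC with a fresh nonce; returns (nonce, ciphertext, tag)."""
    nonce = os.urandom(16)
    ct = _xor_stream(key, label, nonce, data)
    return nonce, ct, hmac.new(key, label + nonce + ct, hashlib.sha256).digest()

def _open(key, label, nonce, ct, tag):
    """Returns the plaintext, or None if the tag does not verify."""
    if not hmac.compare_digest(hmac.new(key, label + nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return _xor_stream(key, label, nonce, ct)

def encrypt_message(certs, crl, payload, recipient_ids, now, partial=False):
    """Encrypt SAP. Returns (message or None, [(recipient, error), ...]). With the document's
    default of partial=False, one failed recipient fails the whole call."""
    content_key = os.urandom(32)
    wrapped, failures = {}, []
    for rid in recipient_ids:
        cert = certs.get(rid)
        if cert is None:
            failures.append((rid, "unknown_recipient"))
        elif rid in crl:
            failures.append((rid, "recipient_cert_revoked"))
        elif now > cert.not_after:
            failures.append((rid, "recipient_cert_expired"))
        else:
            wrapped[rid] = _seal(cert.key, b"wrap", content_key)
    if not wrapped or (failures and not partial):
        return None, failures
    nonce, ct, tag = _seal(content_key, b"data", payload)
    return {"recipients": wrapped, "nonce": nonce, "ct": ct, "tag": tag}, failures

def decrypt_message(msg, own_certs, crl, now):
    """Encrypted branch of Process Received: decryption-key problems are reported before any
    crypto runs; unwrapping the symmetric key and decrypting the body get distinct codes."""
    err = "no_decryption_key"
    for cert in own_certs:
        if cert.cert_id not in msg["recipients"]:
            continue
        if cert.cert_id in crl:
            err = "decryption_key_local_cert_revoked"
        elif now > cert.not_after:
            err = "decryption_key_local_cert_expired"
        else:
            break
    else:
        raise SapError(err)
    content_key = _open(cert.key, b"wrap", *msg["recipients"][cert.cert_id])
    if content_key is None:
        raise SapError("symmetric_key_decrypt_error")
    payload = _open(content_key, b"data", msg["nonce"], msg["ct"], msg["tag"])
    if payload is None:
        raise SapError("message_decrypt_error")
    return payload

def error_code(fn, *args, **kw):
    """Return the SapError code raised by a SAP call, or None on success."""
    try: fn(*args, **kw); return None
    except SapError as e: return e.code
```

With partial=False the caller gets no ciphertext and the full failure list, which matches the Output heading for Encrypt Message; with partial=True the message is built for the recipients that passed and the failure list is returned alongside it, so the caller can see who was left out. On the receiving side the distinction between "error decrypting symmetric key" and "error decrypting message" is only observable because each step carries its own authentication tag; with unauthenticated wrapping a wrong private key would simply yield a wrong content key and surface as a body decryption failure.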