(ACP) 16th MEETING OF WORKING GROUP M

ACP-WGM16/WP-15
International Civil Aviation Organization
17 May 2010
WORKING PAPER
AERONAUTICAL COMMUNICATIONS PANEL (ACP)
16th MEETING OF WORKING GROUP M (Maintenance)
Paris, France 17-19 May 2010
Agenda Item 3a: ATN/OSI Document 9880 Update Status – Security Updates
Amendment Proposal
for
One Key Pair for Key Agreement and Signing
Prepared by: FAA
Presented by: Vic Patel
SUMMARY
This working paper includes draft updates to ICAO Doc 9880 to allow the use
of one key pair for key agreement and signing.
ACTION
The working group is invited to review the Amendment Proposal and consider
approving the change to Doc 9880.
1. INTRODUCTION
1.1 One of the recommendations of the Honeywell Validation Report is to use one key pair for key
agreement and signing in Doc 9880.
2. DISCUSSION
2.1 This AP proposes allowing the use of a single key pair for both key agreement and signing.
2.2 In developing the ARINC 823, ACARS Message Security (AMS), airline participants,
including the USAF, recommended that AMS provisions specify a single key pair, to be used for both key
agreement and signing.
2.3 Section 13.5.1 of the Handbook of Applied Cryptography states, “The principle of key
separation is that keys for different purposes should be cryptographically separated.”
2.4 Section 5.6.4.2 of NIST SP 800-56A states, “A static key pair may be used in more than
one key establishment scheme. However, one static public/private key pair shall not be used for different
purposes (for example, a digital signature key pair is not to be used for key establishment or vice versa).”
2.5 Section 5.2 of NIST SP 800-57 Part 1 states, “In general, a single key should be used for
only one purpose (e.g., encryption, authentication, key wrapping, random number generation, or
digital signatures).”
2.6 Section 5.4.1.2 of Doc 9880 specifies that each ATN application or ATN router shall be
bound to a static key pair associated to the ATN elliptic curve domain parameters. This requirement is in
the context of the ATN Key Agreement Scheme.
2.7 Section 5.5.1.2 of Doc 9880 specifies that each signing ATN application, ATN router, or
CA shall be bound to a signing key pair associated to the ATN elliptic curve domain parameters.
2.8 Note 3 in section 6.3.7 of Doc 9880 states that the Key Usage parameter refers to the type
of compressed certificate path that is desired and is an ASN.1 type KeyUsage. Key Usage will have an
abstract value of either digitalSignature or keyAgreement.
AMENDMENT PROPOSAL #XXX
Title: One Key Pair for Key Agreement and Signing
AP working paper number and date: M16/WPxx 17 May 2010
Document(s) Affected: ICAO Doc 9880 Part IV-B
Document Version: Draft June 2009
Sections of Documents Affected: 5.4.1.2, 5.5.1.2, 6.3.7
Coordinator: Vic Patel
Coordinator's Address: ATO-P, AJP-1740, William J. Hughes Technical Center, Atlantic City Airport, NJ, 08405, USA
Coordinator's Phone: +1 609 485 5046
Coordinator's Fax: +1 609 485 5630
Coordinator's E-mail Address: vidyut.patel@faa.gov
Category:
Problem description: Doc 9880 specifies the use of distinct key pairs for key agreement and signing. In developing the ARINC 823, ACARS Message Security (AMS), airline participants, including the USAF, recommended that AMS provisions specify a single key pair, to be used for both key agreement and signing.
Background: One of the recommendations of the Honeywell Validation Report is to use a single key pair for key agreement and signing.
Backwards compatibility:
Amendment Proposal: See below.
WG-M Status: SUBMITTED 5/17/2010
Replace section 5.4.1.2 with the following:
5.4.1.2 Each ATN application or ATN router performing key agreement shall be bound to a static
key pair associated to the ATN elliptic curve domain parameters.
Replace section 5.5.1.2 with the following:
5.5.1.2 Each signing ATN application, ATN router, or CA shall be bound to a key pair
associated to the ATN elliptic curve domain parameters.
Replace Note 3 in section 6.3.7 with the following:
Note 3. The Key Usage parameter refers to the type of compressed certificate path that is desired
and is an ASN.1 type KeyUsage. Key Usage will have an abstract value of either digitalSignature,
keyAgreement, or both digitalSignature and keyAgreement.
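The three Key Usage values in the revised Note 3, checked against a Certificate Policy that either requires key separation or permits a common key, as an added example that is not part of this working paper or of Doc 9880. It assumes KeyUsage is carried as the X.509 DER BIT STRING (digitalSignature is bit 0, keyAgreement is bit 4); the function names, the `allow_shared_key` switch and the sample encodings are constructed for illustration.

```python
# Added example, not from Doc 9880: classify a DER-encoded KeyUsage BIT STRING.
# Bit numbering is the X.509 KeyUsage one (bit 0 = most significant bit).
DIGITAL_SIGNATURE, KEY_AGREEMENT = 0, 4

# Constructed sample encodings: tag 0x03, length, unused-bit count, payload.
SAMPLES = {
    "signing only": bytes.fromhex("03020780"),
    "key agreement only": bytes.fromhex("03020308"),
    "one key pair for both": bytes.fromhex("03020388"),
}


def key_usage_bits(der):
    """Return the set of asserted bit positions, rejecting non-DER input."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a non-empty DER BIT STRING")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, payload = der[2], der[3:]
    if unused > 7 or payload[-1] & ((1 << unused) - 1):
        raise ValueError("bad unused-bit count or non-zero padding")
    return {8 * i + b for i, byte in enumerate(payload)
            for b in range(8) if byte & (0x80 >> b)}


def classify(der, allow_shared_key):
    """Map a KeyUsage value to one of Note 3's three cases, or reject it.

    allow_shared_key is a hypothetical policy switch standing in for a
    Certificate Policy that permits one key pair for both purposes.
    """
    bits = key_usage_bits(der)
    sign, agree = DIGITAL_SIGNATURE in bits, KEY_AGREEMENT in bits
    if sign and agree:
        if not allow_shared_key:
            return "rejected: policy requires key separation"
        return "digitalSignature+keyAgreement"
    if sign:
        return "digitalSignature"
    if agree:
        return "keyAgreement"
    return "rejected: neither digitalSignature nor keyAgreement"


if __name__ == "__main__":
    for label, der in SAMPLES.items():
        for allow in (False, True):
            print(f"{label:22} shared_ok={allow!s:5} -> {classify(der, allow)}")
```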
3. ACTION BY THE MEETING
3.1 The ACP WG-M is invited to:
1. Review the revisions to Doc 9880 identified by the AP in this Working Paper and
provide comments and feedback regarding the proposed changes as described.
3.2 Due to guidance in the Handbook of Applied Cryptography and the requirement in NIST
SP 800-56A, the FAA recommends that the requirements for key agreement and signing not be combined
but that use of a common key be permitted as a matter of Certificate Policy.
3.3 The FAA recommends acceptance of these changes and requests endorsement by the
Working Group to update Doc 9880 as described in the AP.