summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc6539.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc6539.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc6539.txt')
-rw-r--r--doc/rfc/rfc6539.txt731
1 files changed, 731 insertions, 0 deletions
diff --git a/doc/rfc/rfc6539.txt b/doc/rfc/rfc6539.txt
new file mode 100644
index 0000000..520818b
--- /dev/null
+++ b/doc/rfc/rfc6539.txt
@@ -0,0 +1,731 @@
+
+
+
+
+
+
+Independent Submission V. Cakulev
+Request for Comments: 6539 G. Sundaram
+Category: Informational I. Broustis
+ISSN: 2070-1721 Alcatel Lucent
+ March 2012
+
+
+ IBAKE: Identity-Based Authenticated Key Exchange
+
+Abstract
+
+ Cryptographic protocols based on public-key methods have been
+ traditionally based on certificates and Public Key Infrastructure
+ (PKI) to support certificate management. The emerging field of
+ Identity-Based Encryption (IBE) protocols allows simplification of
+ infrastructure requirements via a Private-Key Generator (PKG) while
+ providing the same flexibility. However, one significant limitation
+ of IBE methods is that the PKG can end up being a de facto key escrow
+ server, with undesirable consequences. Another observed deficiency
+ is a lack of mutual authentication of communicating parties. This
+ document specifies the Identity-Based Authenticated Key Exchange
+ (IBAKE) protocol. IBAKE does not suffer from the key escrow problem
+ and in addition provides mutual authentication as well as perfect
+ forward and backward secrecy.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This is a contribution to the RFC Series, independently of any other
+ RFC stream. The RFC Editor has chosen to publish this document at
+ its discretion and makes no statement about its value for
+ implementation or deployment. Documents approved for publication by
+ the RFC Editor are not a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc6539.
+
+Independent Submissions Editor Note
+
+ This document specifies the Identity-Based Authenticated Key Exchange
+ (IBAKE) protocol. Due to its specialized nature, this document
+ experienced limited review within the Internet Community. Readers of
+ this RFC should carefully evaluate its value for implementation and
+ deployment.
+
+
+
+Cakulev, et al. Informational [Page 1]
+
+RFC 6539 IBAKE March 2012
+
+
+Copyright Notice
+
+ Copyright (c) 2012 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document.
+
+Table of Contents
+
+ 1. Introduction ....................................................2
+ 2. Requirements Notation ...........................................3
+ 2.1. IBE: Definition ............................................3
+ 2.2. Abbreviations ..............................................3
+ 2.3. Conventions ................................................4
+ 3. Identity-Based Authenticated Key Exchange .......................5
+ 3.1. Overview ...................................................5
+ 3.2. IBAKE Message Exchange .....................................6
+ 3.3. Discussion .................................................7
+ 4. Security Considerations .........................................9
+ 4.1. General ....................................................9
+ 4.2. IBAKE Protocol ............................................10
+ 5. References .....................................................12
+ 5.1. Normative References ......................................12
+ 5.2. Informative References ....................................12
+
+1. Introduction
+
+ Authenticated key agreements are cryptographic protocols where two or
+ more participants authenticate each other and agree on key material
+ used for securing future communication. These protocols could be
+ symmetric key or asymmetric public-key protocols. Symmetric-key
+ protocols require an out-of-band security mechanism to bootstrap a
+ secret key. On the other hand, public-key protocols traditionally
+ require certificates and a large-scale Public Key Infrastructure
+ (PKI). Clearly, public-key methods are more flexible; however, the
+ requirement for certificates and a large-scale PKI have proved to be
+ challenging. In particular, efficient methods to support large-scale
+ certificate revocation and management have proved to be elusive.
+
+ Recently, Identity-Based Encryption (IBE) protocols have been
+ proposed as a viable alternative to public-key methods by replacing
+ the PKI with a Private-Key Generator (PKG). However, one significant
+ limitation of IBE methods is that the PKG can end up being a de facto
+
+
+
+Cakulev, et al. Informational [Page 2]
+
+RFC 6539 IBAKE March 2012
+
+
+ key escrow entity (i.e., an entity that has sufficient information to
+ decrypt communicated data), with undesirable consequences. Another
+ limitation is a lack of mutual authentication between communicating
+ parties. This document specifies an Identity-Based Authenticated Key
+ Encryption (IBAKE) protocol that does not suffer from the key escrow
+ problem and that provides mutual authentication. In addition, the
+ scheme described in this document allows the use of time-bound public
+ identities and corresponding public and private keys, resulting in
+ automatic expiration of private keys at the end of a time span
+ indicated in the identity itself. With the self-expiration of the
+ public identities, the traditional real-time validity verification
+ and revocation procedures used with certificates are not required.
+ For example, if the public identity is bound to one day, then, at the
+ end of the day, the public/private key pair issued to this peer will
+ simply not be valid anymore. Nevertheless, just as with public-key-
+ based certificate systems, if there is a need to revoke keys before
+ the designated expiry time, communication with a third party will be
+ needed. Finally, the protocol also provides forward and backward
+ secrecy of session keys; i.e., a session key produced using IBAKE is
+ always fresh and unrelated to any past or future sessions between the
+ protocol participants.
+
+2. Requirements Notation
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+2.1. IBE: Definition
+
+ Identity-Based Encryption (IBE) is a public-key encryption technology
+ that allows a public key to be calculated from an identity and a set
+ of public parameters, and the corresponding private key to be
+ calculated from the public key. The public key can then be used by
+ an Initiator to encrypt messages that the recipient can decrypt using
+ the corresponding private key. The IBE framework is defined in
+ [RFC5091], [RFC5408], and [RFC5409].
+
+2.2. Abbreviations
+
+ EC Elliptic Curve
+
+ IBE Identity-Based Encryption
+
+ IBAKE Identity-Based Authenticated Key Exchange
+
+ IDi Initiator's Identity
+
+
+
+
+Cakulev, et al. Informational [Page 3]
+
+RFC 6539 IBAKE March 2012
+
+
+ IDr Responder's Identity
+
+ K_PUB Public Key
+
+ PKG Private-Key Generator
+
+ PKI Public Key Infrastructure
+
+2.3. Conventions
+
+ o E is an elliptic curve over a finite field F.
+
+ o P is a point on E of large prime order.
+
+ o s is a non-zero positive integer. s is a secret stored in a PKG.
+ This is a system-wide secret and not revealed outside the PKG.
+
+ o sP is the public key of the system that is known to all
+ participants. sP denotes a point on E, and denotes the point P
+ added to itself s times where addition refers to the group
+ operation on E.
+
+ o H1 is a known hash function that takes a string and assigns it to
+ a point on the elliptic curve, i.e., H1(A) = QA on E, where A is
+ usually based on the identity.
+
+ o E(k, A) denotes that A is IBE-encrypted with the key k.
+
+ o s||t denotes concatenation of the strings s and t.
+
+ o K_PUBx denotes a public key of x.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Cakulev, et al. Informational [Page 4]
+
+RFC 6539 IBAKE March 2012
+
+
+3. Identity-Based Authenticated Key Exchange
+
+3.1. Overview
+
+ IBAKE consists of a three-way exchange between an Initiator and a
+ Responder. In the figure below, a conceptual signaling diagram of
+ IBAKE is depicted.
+
+ +---+ +---+
+ | I | | R |
+ +---+ +---+
+
+ MESSAGE_1
+ ---------------------------------->
+ MESSAGE_2
+ <----------------------------------
+ MESSAGE_3
+ ---------------------------------->
+
+ Figure 1: Example IBAKE Message Exchange
+
+ The Initiator (I) and Responder (R) are attempting to mutually
+ authenticate each other and agree on a key using IBAKE. This
+ specification assumes that the Initiator and the Responder trust a
+ third party -- the PKG. Rather than a single PKG, different PKGs may
+ be involved, e.g., one for the Initiator and one for the Responder.
+ The Initiator and the Responder do not share any credentials;
+ however, they know or can obtain each other's public identity (key)
+ as well as the public parameters of each other's PKG. This
+ specification does not make any assumption on when and how the
+ private keys are obtained. However, to complete the protocol
+ described (i.e., to decrypt encrypted messages in the IBAKE protocol
+ exchange), the Initiator and the Responder need to have their
+ respective private keys. The procedures needed to obtain the private
+ keys and public parameters are outside the scope of this
+ specification. The details of these procedures can be found in
+ [RFC5091] and [RFC5408]. Finally, the protocol described in this
+ document relies on the use of elliptic curves. Section 3.3 discusses
+ the choice of elliptic curves. However, how the Initiator and the
+ Responder agree on a specific elliptic curve is left to the
+ application that is leveraging the IBAKE protocol (see [EAP-IBAKE],
+ for example).
+
+ The Initiator chooses a random x. In the first step, the Initiator
+ computes xP (i.e., P, as a point on E, added to itself x times using
+ the addition law on E); encrypts xP, the IDi, and the IDr using the
+ Responder's public key (e.g., K_PUBr=H1(IDr||date)); and includes
+
+
+
+
+Cakulev, et al. Informational [Page 5]
+
+RFC 6539 IBAKE March 2012
+
+
+ this encrypted information in MESSAGE_1 sent to the Responder. In
+ this step, encryption refers to IBE as described in [RFC5091] and
+ [RFC5408].
+
+ The Responder, upon receiving the message, IBE-decrypts it using its
+ private key (e.g., a private key for that date), and obtains xP. The
+ Responder further chooses a random y and computes yP. The Responder
+ then IBE-encrypts the Initiator's identity (IDi), its own identity
+ (IDr), xP, and yP using the Initiator's public key (e.g.,
+ K_PUBi=H1(IDi||date)). The Responder includes this encrypted
+ information in MESSAGE_2 sent to the Initiator.
+
+ The Initiator, upon receiving and IBE-decrypting MESSAGE_2, obtains
+ yP. Subsequently, the Initiator sends MESSAGE_3, which includes the
+ IBE-encrypted IDi, IDr, and yP, to the Responder. At this point,
+ both the Initiator and the Responder are able to compute the same
+ session key as xyP.
+
+3.2. IBAKE Message Exchange
+
+ Initially, the Initiator selects a random x and computes xP; the
+ Initiator MUST use a fresh, random value for x on each run of the
+ protocol. The Initiator then encrypts xP, the IDi, and the IDr using
+ the Responder's public key (e.g., K_PUBr=H1(IDr||date)). The
+ Initiator includes this encrypted information in MESSAGE_1 and sends
+ it to the Responder, as shown below.
+
+ Initiator ----> Responder
+
+ MESSAGE_1 = E(K_PUBr, IDi || IDr || xP)
+
+ Upon receiving MESSAGE_1, the Responder SHALL perform the following:
+
+ o Decrypt the message as specified in [RFC5091] and [RFC5408].
+
+ o Obtain xP.
+
+ o Select a random y and compute yP. The Responder MUST use a fresh,
+ random value for x on each run of the protocol.
+
+ o Encrypt the Initiator's identity (IDi), its own identity (IDr),
+ xP, and yP using the Initiator's public key (K_PUBi).
+
+ Responder ----> Initiator
+
+ MESSAGE_2 = E(K_PUBi, IDi || IDr || xP || yP)
+
+
+
+
+
+Cakulev, et al. Informational [Page 6]
+
+RFC 6539 IBAKE March 2012
+
+
+ Upon receiving MESSAGE_2, the Initiator SHALL perform the following:
+
+ o Decrypt the message as specified in [RFC5091] and [RFC5408].
+
+ o Verify that the received xP is the same as that sent in MESSAGE_1.
+
+ o Obtain yP.
+
+ o Encrypt its own identity (IDi), the Responder's identity (IDr),
+ and yP using the Responder's public key (K_PUBi).
+
+ Initiator ----> Responder
+
+ MESSAGE_3 = E(K_PUBr, IDi || IDr || yP)
+
+ Upon receiving MESSAGE_3, the Responder SHALL perform the following:
+
+ o Decrypt the message as specified in [RFC5091] and [RFC5408].
+
+ o Verify that the received yP is the same as that sent in MESSAGE_2.
+
+ If any of the above verifications fail, the protocol halts;
+ otherwise, following this exchange, both the Initiator and the
+ Responder have authenticated each other and are able to compute xyP
+ as the session key. At this point, both protocol participants MUST
+ discard all intermediate cryptographic values, including x and y.
+ Similarly, both parties MUST immediately discard these values
+ whenever the protocol terminates as a result of a verification
+ failure or timeout.
+
+3.3. Discussion
+
+ Properties of the protocol are as follows:
+
+ o Immunity from key escrow: Observe that all of the steps in the
+ protocol exchange are encrypted using IBE. So, clearly, the PKG
+ can decrypt all of the exchanges. However, given the assumption
+ that PKGs are trusted and well behaved (e.g., PKGs will not mount
+ an active man-in-the-middle (MitM) attack), they cannot compute
+ the session key. This is because of the hardness of the Elliptic
+ Curve Diffie-Hellman problem. In other words, given xP and yP, it
+ is computationally hard to compute xyP.
+
+ o Mutually authenticated key agreement: Observe that all of the
+ steps in the protocol exchange are encrypted using IBE. In
+ particular, only the Responder and its corresponding PKG can
+ decrypt the contents of MESSAGE_1 and MESSAGE_3 sent by the
+ Initiator, and similarly only the Initiator and its corresponding
+
+
+
+Cakulev, et al. Informational [Page 7]
+
+RFC 6539 IBAKE March 2012
+
+
+ PKG can decrypt the contents of MESSAGE_2 sent by the Responder.
+ Again, given the assumption made above -- that PKGs are trusted
+ and well behaved (e.g., a PKG will not impersonate a user to which
+ it issued a private key) -- upon receiving MESSAGE_2, the
+ Initiator can verify the Responder's authenticity, since xP could
+ have been sent in MESSAGE_2 only after decryption of the contents
+ of MESSAGE_1 by the Responder. Similarly, upon receiving
+ MESSAGE_3, the Responder can verify the Initiator's authenticity,
+ since yP could have been sent back in MESSAGE_3 only after correct
+ decryption of the contents of MESSAGE_2 by the Initiator.
+ Finally, both the Initiator and the Responder can agree on the
+ same session key. In other words, IBAKE is a mutually
+ authenticated key agreement protocol based on IBE. The hardness
+ of the key agreement protocol relies on the hardness of the
+ Elliptic Curve Diffie-Hellman problem. Thus, in any practical
+ implementation, care should be devoted to the choice of elliptic
+ curve.
+
+ o Perfect forward and backward secrecy: Since x and y are random,
+ xyP is always fresh and unrelated to any past or future sessions
+ between the Initiator and the Responder.
+
+ o No passwords: Clearly, the IBAKE protocol does not require any
+ offline exchange of passwords or secret keys between the Initiator
+ and the Responder. In fact, the method is applicable to any two
+ parties communicating for the first time through any communication
+ network. The only requirement is to ensure that both the
+ Initiator and the Responder are aware of each other's public keys
+ and the public parameters of the PKG that generated the
+ corresponding private keys.
+
+ o PKG availability: Observe that PKGs need not be contacted during
+ an IBAKE protocol exchange, which dramatically reduces the
+ availability requirements on PKGs.
+
+ o Choice of elliptic curves: This specification relies on the use of
+ elliptic curves for both IBE and Elliptic Curve Diffie-Hellman
+ exchange. When making a decision on the choice of elliptic
+ curves, it is beneficial to choose two different elliptic curves
+ -- a non-supersingular curve for the internal calculations of
+ Elliptic Curve Diffie-Hellman values xP and yP, and a
+ supersingular curve for the IBE encryption/decryption. For the
+ calculations of Elliptic Curve Diffie-Hellman values, it is
+ beneficial to use the curves recommended by NIST [FIPS-186].
+ These curves make the calculations simpler while keeping the
+ security high. On the other hand, IBE systems are based on
+ bilinear pairings. Therefore, the choice of an elliptic curve for
+
+
+
+
+Cakulev, et al. Informational [Page 8]
+
+RFC 6539 IBAKE March 2012
+
+
+ IBE is restricted to a family of supersingular elliptic curves
+ over finite fields of large prime characteristic. The appropriate
+ elliptic curves for IBE are described in [RFC5091].
+
+ o Implementation considerations: An implementation of IBAKE would
+ consist of two primary modules, i.e., point addition operations
+ over a NIST curve, and IBE operations over a supersingular curve.
+ The implementation of both modules only needs to be aware of the
+ following parameters: (a) the full description of the curves that
+ are in use (fixed or negotiated), (b) the public parameters of the
+ PKG used for the derivation of IBE private keys, and (c) the exact
+ public identity of each IBAKE participant. The knowledge of these
+ parameters is sufficient to perform Elliptic Curve Cryptography
+ (ECC) operations in different terminals and produce the same
+ results, independently of the implementation.
+
+4. Security Considerations
+
+ This document is based on the basic IBE protocol, as specified in
+ [BF], [RFC5091]), [RFC5408], and [RFC5409], and as such inherits some
+ properties of that protocol. For instance, by concatenating the
+ "date" with the identity (to derive the public key), the need for any
+ key revocation mechanisms is virtually eliminated. Moreover, by
+ allowing the participants to acquire multiple private keys (e.g., for
+ duration of contract) the availability requirements on the PKG are
+ also reduced without any reduction in security. The granularity
+ associated with the date is a matter of security policy and as such
+ is a decision made by the PKG administrator. However, the
+ granularity applicable to any given participant should be publicly
+ available and known to other participants. For example, this
+ information can be made available in the same venue that provides
+ "public information" on a PKG server (i.e., P, sP) needed to
+ execute IBE.
+
+4.1. General
+
+ Attacks on the cryptographic algorithms used in IBE are outside the
+ scope of this document. It is assumed that any administrator will
+ pay attention to the desired strengths of the relevant cryptographic
+ algorithms based on an up-to-date understanding of the strength of
+ these algorithms from published literature, as well as to known
+ attacks.
+
+ It is assumed that the PKGs are secure, not compromised, trusted, and
+ will not engage in launching active attacks independently or in a
+ collaborative environment. Nevertheless, if an active adversary can
+ fool the parties into believing that it is a legitimate PKG, then it
+ can mount a successful MitM attack. Therefore, care should be taken
+
+
+
+Cakulev, et al. Informational [Page 9]
+
+RFC 6539 IBAKE March 2012
+
+
+ when choosing a PKG. In addition, any malicious insider could
+ potentially launch passive attacks (by decryption of one or more
+ message exchanges offline). While it is in the best interest of
+ administrators to prevent such an issue, it is hard to eliminate this
+ problem. Hence, it is assumed that such problems will persist, and
+ hence the session key agreement protocols are designed to protect
+ participants from passive adversaries.
+
+ It is also assumed that the communication between participants and
+ their respective PKGs is secure. Therefore, in any implementation of
+ the protocols described in this document, administrators of any PKG
+ have to ensure that communication with participants is secure and not
+ compromised.
+
+ Finally, concatenating the date to the identity ensures that the
+ corresponding private key is applicable only to that date. This
+ serves to limit the damage related to a leakage or compromise of
+ private keys to just that date. This, in particular, eliminates the
+ revocation mechanisms that are typical to various certificate-based
+ public key protocols.
+
+4.2. IBAKE Protocol
+
+ For the basic IBAKE protocol, from a cryptographic perspective, the
+ following security considerations apply.
+
+ In every step, IBE is used, with the recipient's public key. This
+ guarantees that only the intended recipient of the message and its
+ corresponding PKG can decrypt the message [BF].
+
+ Next, the use of identities within the encrypted payload is intended
+ to eliminate some basic reflection attacks. For instance, suppose we
+ did not use identities as part of the encrypted payload, in the first
+ step of the IBAKE protocol exchange (i.e., MESSAGE_1 of Figure 1 in
+ Section 3.1). Furthermore, assume that an adversary has access to
+ the conversation between the Initiator and the Responder and can
+ actively snoop packets and drop/modify them before routing them to
+ the destination. For instance, assume that the IP source address and
+ destination address can be modified by the adversary. After the
+ first message is sent by the Initiator (to the Responder), the
+ adversary can take over and trap the packet. Next, the adversary can
+ modify the IP source address to include the adversary's IP address,
+ before routing it on to the Responder. The Responder will assume
+ that the request for an IBAKE session came from the adversary, and
+ will execute step 2 of the IBAKE protocol exchange (i.e., MESSAGE_2
+ of Figure 1 in Section 3.1) but encrypt it using the adversary's
+ public key. The above message can be decrypted by the adversary (and
+ only by the adversary). In particular, since the second message
+
+
+
+Cakulev, et al. Informational [Page 10]
+
+RFC 6539 IBAKE March 2012
+
+
+ includes the challenge sent by the Initiator to the Responder, the
+ adversary will now learn the challenge sent by the Initiator.
+ Following this, the adversary can carry on a conversation with the
+ Initiator, "pretending" to be the Responder. This attack will be
+ eliminated if identities are used as part of the encrypted payload.
+ In summary, at the end of the exchange, both the Initiator and the
+ Responder can mutually authenticate each other and agree on a
+ session key.
+
+ Recall that IBE guarantees that only the recipient of the message can
+ decrypt the message using the private key, with the caveat that the
+ PKG that generated the private key of the recipient of the message
+ can decrypt the message as well. However, the PKG cannot learn the
+ public key xyP given xP and yP, based on the hardness of the Elliptic
+ Curve Diffie-Hellman problem. This property of resistance to passive
+ key escrow from the PKG is not applicable to the basic IBE protocols
+ proposed in [RFC5091]), [RFC5408], and [RFC5409].
+
+ Observe that the protocol works even if the Initiator and Responder
+ belong to two different PKGs. In particular, the parameters used for
+ encryption to the Responder and parameters used for encryption to the
+ Initiator can be completely different and independent of each other.
+ Moreover, the elliptic curve used to generate the session key xyP can
+ be completely different and can be chosen during the key exchange.
+ If such flexibility is desired, then it would be required to add
+ optional extra data to the protocol to exchange the algebraic
+ primitives used in deriving the session key.
+
+ In addition to mutual authentication and resistance to passive
+ escrow, the Diffie-Hellman property of the session key exchange
+ guarantees perfect secrecy of keys. In other words, accidental
+ leakage of one session key does not compromise past or future session
+ keys between the same Initiator and Responder.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Cakulev, et al. Informational [Page 11]
+
+RFC 6539 IBAKE March 2012
+
+
+5. References
+
+5.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+5.2. Informative References
+
+ [BF] Boneh, D. and M. Franklin, "Identity-Based Encryption
+ from the Weil Pairing", in SIAM Journal on Computing,
+ Vol. 32, No. 3, pp. 586-615, 2003.
+
+ [EAP-IBAKE] Cakulev, V. and I. Broustis, "An EAP Authentication
+ Method Based on Identity-Based Authenticated Key
+ Exchange", Work in Progress, February 2012.
+
+ [FIPS-186] National Institute of Standards and Technology, "Digital
+ Signature Standard (DSS)", FIPS Pub 186-3, June 2009.
+
+ [RFC5091] Boyen, X. and L. Martin, "Identity-Based Cryptography
+ Standard (IBCS) #1: Supersingular Curve Implementations
+ of the BF and BB1 Cryptosystems", RFC 5091,
+ December 2007.
+
+ [RFC5408] Appenzeller, G., Martin, L., and M. Schertler, "Identity-
+ Based Encryption Architecture and Supporting Data
+ Structures", RFC 5408, January 2009.
+
+ [RFC5409] Martin, L. and M. Schertler, "Using the Boneh-Franklin
+ and Boneh-Boyen Identity-Based Encryption Algorithms with
+ the Cryptographic Message Syntax (CMS)", RFC 5409,
+ January 2009.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Cakulev, et al. Informational [Page 12]
+
+RFC 6539 IBAKE March 2012
+
+
+Authors' Addresses
+
+ Violeta Cakulev
+ Alcatel Lucent
+ 600 Mountain Ave.
+ 3D-517
+ Murray Hill, NJ 07974
+ US
+
+ Phone: +1 908 582 3207
+ EMail: violeta.cakulev@alcatel-lucent.com
+
+
+ Ganapathy S. Sundaram
+ Alcatel Lucent
+ 600 Mountain Ave.
+ 3D-517
+ Murray Hill, NJ 07974
+ US
+
+ Phone: +1 908 582 3209
+ EMail: ganesh.sundaram@alcatel-lucent.com
+
+
+ Ioannis Broustis
+ Alcatel Lucent
+ 600 Mountain Ave.
+ 3D-526
+ Murray Hill, NJ 07974
+ US
+
+ Phone: +1 908 582 3744
+ EMail: ioannis.broustis@alcatel-lucent.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Cakulev, et al. Informational [Page 13]
+