From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc1805.txt | 339 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 339 insertions(+) create mode 100644 doc/rfc/rfc1805.txt (limited to 'doc/rfc/rfc1805.txt') diff --git a/doc/rfc/rfc1805.txt b/doc/rfc/rfc1805.txt new file mode 100644 index 0000000..d64c108 --- /dev/null +++ b/doc/rfc/rfc1805.txt @@ -0,0 +1,339 @@ + + + + + + +Network Working Group A. Rubin +Request for Comments: 1805 Bellcore +Category: Informational June 1995 + + + Location-Independent Data/Software Integrity Protocol + +Status of this Memo + + This memo provides information for the Internet community. This memo + does not specify an Internet standard of any kind. Distribution of + this memo is unlimited. + +Abstract + + This memo describes a protocol for adding integrity assurance to + files that are distributed across the Internet. This protocol is + intended for the distribution of software, data, documents, and any + other file that is subject to malicious modification. The protocol + described here is intended to provide assurances of integrity and + time. A trusted third party is required. + +Introduction + + One problem with any system for verifying the integrity of a file is + that the verifying program itself may be attacked. Thus, although + users may be reassured by their software that a file has not changed, + in reality, the file, and the verifier might have both changed. + Because of this danger, a protocol that does not rely on the + distribution of some special software, but rather, is based entirely + on widely used standards, is very useful. It allows users to build + their own software, or obtain trusted copies of software to do + integrity checking independently. Therefore, the protocol described + in this memo is composed of ASCII messages that may be sent using e- + mail or any other means. There is an existing implementation, Betsi + [1], that is designed this way. Betsi has been in existence since + August, 1994, and is operational on the Internet. It can be accessed + by sending e-mail to certify@bellcore.com with subject 'help', or via + the world wide web at http://info.bellcore.com/BETSI/betsi.html. + + + + + + + + + + + + +Rubin Informational [Page 1] + +RFC 1805 Location-Independent Data/Software Integrity Protocol June 1995 + + + The purpose of the proposed protocol is for authors to be able to + distribute their files to users on the internet with guarantees of + time and integrity, by use of a trusted third party. The protocol is + divided into several phases: + + I. Author registration + II. Author verification + III. File Certification + IV. File Distribution + V. File Integrity Verification + + Phases I, III, IV, and V are defined in the protocol. Phase II is + intentionally not defined. Author verification can be different for + different applications, and the particular method chosen for phase II + is identified in phases III and V. It is the hope that further + Internet Drafts will describe the various possibilities for phase II. + This memo describes the method for author verification in the Betsi + system, and makes several recommendations. + +Requirements + + It is important that the integrity and time information be + independent from the location of the file. Lowry [2] defines a syntax + and protocols for location-independent objects. His system requires + that end-users possess special software, and is still in the + prototype stage. The protocol described in this memo has been + implemented, and is already in wide-spread use across the Internet. + It is simple, compact and easy to understand. The disadvantage of a + very complex system is that users may not be inclined to trust the + designers' claims if they cannot understand how it works. + +Assumptions + + The three entities in the protocol are Authors (A), Users (U), and a + Trusted third party (T). The protocol described here is algorithm + independent, and all of the messages are in ASCII. It is assumed + that for each signature scheme used, there is a well-known + verification key associated with T. + + Any signature scheme may be used, as long as there is a standard + ASCII representation of a digital signature. PGP [3] meets all of the + above requirements, but it also requires encryption, and thus, export + restrictions may deter some users. The DSS [4] is recommended, but + some suspect that it contains a trapdoor [5] based on some results by + Simmons [6]. It is also not clear that there is a standard for + generating an ASCII signature using the DSS. + + + + + +Rubin Informational [Page 2] + +RFC 1805 Location-Independent Data/Software Integrity Protocol June 1995 + + +High level view + + The protocol works as follows. In the first phase, authors request to + register with the trusted third party, T. Any registered author can + distribute files with integrity and time assurance. Time assurance + means that there is a guarantee that a file existed at a given time. + In the second phase, T somehow verifies the identity of an author who + requests to register. Registration is not complete until this + verification takes place. + + To distribute a file, a registered author computes a cryptographic + hash of the file, and sends it over an integrity protected channel to + T. T then creates an object containing the hash, the current time, + the name of the author, the name of the file, and some other + information, seals the object, and returns it to the author. The + author can then use the sealed object as a location-independent proof + of the integrity and timeliness of the file. + + Any user who obtains the file and the sealed object, can compute the + cryptographic hash of the file, check the seal on the object, and + verify that the object has not changed. + + The trusted third party must maintain a widely available, dated, and + signed, certificate revocation list (CRL). Users who access a file + with a certificate must check that the CRL is current and complete, + and that the certificate is not listed. + +Author registration + + In the first phase, authors request to register with the trusted + third party, T. The author sends an ASCII message to T containing + keywords followed by values. Some of the fields are optional, and are + marked with a *. The values are represented with angle brackets < >. + + AUTHOR-NAME= + * AUTHOR-ORGANIZATION= + * AUTHOR-EMAIL= + AUTHOR-LOCATION= + * AUTHOR-PHONE-1= + * AUTHOR-PHONE-2= + SIGNATURE-SYSTEM= + * MISC-FIELD-n= + * AUTHOR-PUBLIC-KEY= + * + + Each of the fields contains the keyword and the value on the same + line, except for the public key. An ASCII version of the key is + pasted on the line after the AUTHOR-PUBLIC-KEY keyword. The format + + + +Rubin Informational [Page 3] + +RFC 1805 Location-Independent Data/Software Integrity Protocol June 1995 + + + of this ASCII key will depend on the signature system used. The + public key field is optional. The user may include his own, or one + can be supplied by T during phase II. T responds with a message that + the request was received, and that the user should wait for off-line + verification. If a user receives this confirmation message, and he + did not request to register, he knows that somebody may be attempting + to register on his behalf. + +Author verification + + The trusted third party, T, must verify the identity of the author + who sent the request message in phase I. The rest of the information + in the request is also confirmed. This process takes place off-line. + The method used is intentionally left open, but whatever technique is + used must be identified in phases III and V. + + In the Betsi implementation, T uses the phone company infrastructure. + T calls directory assistance (1-xxx-555-1212) in the city of the + author and asks for the author's number. Then, that number is called, + and T asks the author to verify the information sent in the request. + In particular, T insures that the author has registered his correct + public key. Or, in some cases, T assigns a public key to the author. + As Betsi is only operational in the United States, other mechanisms + need to be in place for verifying identities of people + internationally. Hopefully, standards for doing this will arise. The + rest of the protocol is independent of whatever mechanism is used for + off-line identity and public key verification. + +File certification + + Registered authors can obtain location-independent objects from the + trusted third party, T, that vouch for the integrity and time of any + file. + + An author generates the following ASCII message and signs it with the + signature key that corresponds to the public key that was registered. + + AUTHOR-NAME= + HASH-FUNCTION= + * FILE-LOCATION= + + + Each entry in the consists of two mandatory fields + and one optional one, as follows: + + + + + + + +Rubin Informational [Page 4] + +RFC 1805 Location-Independent Data/Software Integrity Protocol June 1995 + + + The is a fixed-length hexadecimal value + corresponding to the hash of the contents of the file. For MD5, the + output is 32 hexadecimal digits. There is one space between the + fields, and the name of the file contains no spaces. The is optional. The contains at least one + entry, and may contain as many as the author wants. The message is + signed and sent to the trusted third party, T. + + When T receives the request for file certification, he verifies the + signature on the request and creates a location-independent + certificate for the request. The certificate is signed by T, and + contains the following information: + + TRUSTED-PARTY= + AUTHOR-VERIFICATION-METHOD= + AUTHOR-NAME= + AUTHOR-ORGANIZATION= + HASH-FUNCTION= + DATE= + + + The is the same as the one in the author's request. + T signs the message and sends it to the author, who verifies the + signature and the contents of the certificate. Note that the method + for off-line author verification is included in the certificate. + +File distribution + + In the file distribution phase, the author distributes his file, + along with the certificate from T. The file and certificate are + location-independent. That is, the integrity and timeliness of the + file can be verified independently from the location of the file and + the certificate. This means that files can be distributed from + insecure sites, and over insecure networks. + +File integrity verification + + The final phase is file integrity verification. A user obtains the + public key of the trusted third party, T, from several independent + sources, until he is convinced of its authenticity. The user then + verifies the certificate for a file, and decides whether or not he + trusts the method of off-line verification that was used by T. If so, + then he extracts the name of the hash function in the certificate, + and performs the hash function on the actual file. Finally, the user + compares the hash of the file to the hash in the certificate. The + user also checks the date in the certificate if he is concerned with + this information. As a last step, the user checks the highly + available certificate revocation list of T, to see if the current + + + +Rubin Informational [Page 5] + +RFC 1805 Location-Independent Data/Software Integrity Protocol June 1995 + + + certificate is listed. When all of this has concluded, if none of + the assumptions of the system has been violated, then the user is + assured of the integrity and timeliness of the file. + +References + + [1] Rubin, A., "Trusted Distribution of Software over the Internet", + Internet Society Symposium on Network and Distributed System + Security," pp. 47-53, 1995. + + [2] Lowrey, J., "Location-Independent Information Object Security", + Internet Society Symposium on Network and Distributed System + Security," pp. 54-62, 1995. + + [3] Zimmerman, P., "PGP User's Guide", 1992. + + [4] National Institute for Standards and Technology, Digital + Signature Standard (DSS), Federal Register 56(169), 1991. + + [5] Schneier, B., "Applied Cryptography", ISBN 0-471-59756-2. + + [6] Simmons, G., "The Subliminal Channels of the U.S. Digital + Signature Algorithm (DSA)", Proceedings of the 3rd Symposium on: + State and Progress of research in Cryptography, pp. 35-54, 1993. + +Security Considerations + + Security issues are discussed throughout this memo. + +Author's Address + + Aviel D. Rubin + Bellcore + Morristown, NJ 07960 + USA + + Phone: +1 201 829 5922 + Fax: +1 201 829 2645 + EMail: rubin@bellcore.com + + + + + + + + + + + + +Rubin Informational [Page 6] + -- cgit v1.2.3