IEEE DRAFT 802.10C : D15 JAN 97

1 INTRODUCTION
1.1 SCOPE AND PURPOSE
1.2 OVERVIEW
2 DEFINITIONS
2.1 ACRONYMS
2.2 SECURITY DEFINITIONS
3 REFERENCES
4 KEY DISTRIBUTION TECHNIQUES
4.1 MANUAL KEY DISTRIBUTION TECHNIQUES
4.2 CENTER-BASED KEY DISTRIBUTION TECHNIQUES
4.3 CERTIFICATE-BASED DISTRIBUTION TECHNIQUES
4.4 MULTICAST KEY DISTRIBUTION TECHNIQUES
5 KEY MANAGEMENT MODEL
5.1 SECURITY ASSOCIATION LIFECYCLE
5.2 KEY MANAGEMENT APPLICATION ENTITY STRUCTURE
5.3 SEQUENCING OF APPLICATION LAYER SERVICES
5.3.1 Manually Distributed Key
5.3.2 Key Center Distribution
5.3.3 Certificate-Based Key Distribution
5.3.4 Multicast Key Distribution
5.3.4.1 Create Multicast Security Association
5.3.4.2 Spawn Multicast Security Association
5.3.5 Spawn Security Association
5.3.6 Delete Security Association
6 SERVICE DEFINITION
6.1 KEY MANAGEMENT APPLICATION ENTITY (KMAE) SERVICES
6.1.1 Create Security Association (Create-SA)
6.1.1.1 Calling AE-Title
6.1.1.2 Called AE-Title
6.1.1.3 Key Management Technique Identifier List
6.1.1.4 Security Policy Identifier
6.1.1.5 Security Association Attributes List
6.1.1.6 Security Association Attributes
6.1.1.7 Calling SAID
6.1.1.8 Called SAID
6.1.1.9 Result
6.1.2 Spawn Security Association (Spawn-SA)
6.1.2.1 Spawn Option
6.1.2.2 Key Transformation Algorithm Identifier
6.1.2.3 Previously Established Calling SAID
6.1.2.4 Previously Established Called SAID
6.1.3 Delete Security Association (Delete-SA)
6.1.4 Create Multicast Security Association
           (Create-MSA)
6.1.4.1 MKCTitle
6.1.4.2 Mcast Address List
6.1.4.3 Mcast Token List
6.1.5 Spawn Multicast Security Association
           (Spawn-MSA)
6.1.5.1 MCastSAID
6.2 KEY PEER APPLICATION SERVICE OBJECT (KPASO) SERVICES
6.2.1 Negotiate Key Management Algorithm (Pick-KM-Alg)
6.2.2 Select Key (Select-Key)
6.2.2.1 Keying Material Identifier
6.2.2.2 TransformAlgorithmIdentifier
6.2.3 Make Key (Make-Key)
6.2.3.1 Key Generation Algorithm Identifier
6.2.3.2 Calling Certificate Path
6.2.3.3 Called Certificate Path
6.2.3.4 Calling Key Generation Algorithm Parameters
6.2.3.5 Called Key Generation Algorithm Parameters
6.2.3.6 Calling Attribute Certification Path
6.2.3.7 Called Attribute Certification Path
6.2.4 Send Key (Send-Key)
6.2.4.1 KEK Identifier
6.2.4.2 Request Parameters
6.2.4.3 Response Parameters
6.2.5 Negotiate Security Association Attributes
           (Pick-SA-Attrs)
6.2.5.1 Escrow Agent Info
6.2.6 Spawn Key (Spawn-Key)
6.2.6.1 Key Transformation Algorithm Identifier
6.2.7 Get Multicast Key (Get-MKey)
6.2.8 Delete Key (Delete-Key)
6.2.9 Release Peer Association (Release-P)
6.2.9.1 Release-request-reason
6.2.9.2 Release-response-reason
6.2.9.3 User Information
6.2.10 Abort Peer Association (Abort-P)
6.2.10.1 Abort Source
6.2.10.2 User Information
6.2.11 Protected Make Key (Protected-Make-Key)
6.2.12 Get Next Multicast Key (Get-Next-MKey)
6.2.13 Please Send Key (Please-Send-Key)
6.3 KEY CENTER APPLICATION SERVICE OBJECT (KCASO)
           SERVICES
6.3.1 Request Key (Request-Key)
6.3.1.1 KDC AE-Title
6.3.1.2 Request Parameters
6.3.1.3 Response Parameters
6.3.2 Translate Key (Translate-Key)
6.3.2.1 KTC AE-Title
6.3.2.2 Request Parameters
6.3.2.3 Response Parameters
6.3.3 Release Center Association (Release-C)
6.3.4 Abort Center Association (Abort-C)
7 SECURITY EXCHANGES
7.1 KEY MANAGEMENT APPLICATION ENTITY (KMAE)
           SECURITY EXCHANGES
7.2 KEY PEER APPLICATION SERVICE OBJECT (KPASO)
           SECURITY EXCHANGES
7.2.1 Negotiate Key Management Algorithm
           (Pick-KM-Alg) Security Exchange
7.2.2 Select Key (Select-Key) Security Exchange
7.2.3 Make Key (Make-Key) Security Exchange
7.2.4 Send Key (Send-Key) Security Exchange
7.2.5 Negotiate Security Association Attributes
           (Pick-SA-Attrs) Security Exchange
7.2.6 Spawn Key (Spawn-Key) Security Exchange
7.2.7 Get Multicast Key (Get-MKey) Security Exchange
7.2.8 Delete Key (Delete-Key) Security Exchange
7.2.9 Protected Make Key (Protected-Make-Key)
7.2.10 Get Next Multicast Key (Get-Next-MKey)
7.2.11 Please Send Key (Please-Send-Key) Security Exchange
7.3 KEY CENTER APPLICATION SERVICE OBJECT (KCASO)
           SECURITY EXCHANGES
7.3.1
7.3.2 Request Key (Request-Key) Security Exchange
7.3.3 Translate Key (Translate-Key) Security Exchange
7.4 OBJECT IDENTIFIERS
7.5 OBJECT CLASS DEFINITIONS
7.5.1 Key Generation Algorithm Object Class
7.5.2 Security Protocol Attributes Object Class
7.5.3 Center Protocol Object Class
7.6 SECURITY TRANSFORMATIONS AND PROTECTION MAPPINGS
7.6.1 Integrity and Privacy Security Transformation
7.6.1.1 Other Details
7.6.2 Integrity Security Transformation
7.6.3 Seal and Encrypt Protection Mapping
7.6.4 Sealed Protection Mapping
8 KMAE CONTROL FUNCTION
8.1 KMAE CONTROL FUNCTION STATE TABLES
8.2 SAMPLE TIMING DIAGRAMS
9 APPENDIX A LOCATING SDE KEY MANAGEMENT ENTITIES
9.1 PROBE FRAMES
9.1.1 Probe Request
9.1.2 Probe Processing
9.1.3 Probe Response
9.2 ADDRESS DISCOVERY SCENARIO
10 APPENDIX B CERTIFICATE REPLACEMENT
10.1 SERVICE DEFINITION (CERT-REPLACE)
10.1.1 Certificate-To-Be-Replaced
10.1.2 Replacement-Indicator
10.2 REPLACE-CERTIFICATE
10.2.1 Replacement-Material
10.3 SECURITY EXCHANGES
11 APPENDIX C COMPROMISED MATERIAL LISTS
11.1 SECURITY DEFINITION (CML-REQUEST)
11.1.1 Name
11.1.2 Attribute-Id
11.1.3 Attribute-Value
11.2 REQUEST-CML
11.3 SECURITY EXCHANGES
12 APPENDIX D KEY DISTRIBUTION SCENARIOS
12.1 MANUAL KEY DISTRIBUTION SCENARIO
12.2 CENTER-BASED KEY DISTRIBUTION SCENARIO
12.3 CERTIFICATE-BASED KEY DISTRIBUTION SCENARIO
12.3.1 X9.44 RSA Key Transfer Scenario
12.3.2 X9.42 Diffie-Hellman Key Agreement Scenario
13 APPENDIX E SDE ATTRIBUTE NEGOTIATIONS
13.1 SECURITY ATTRIBUTES FOR SECURE DATA EXCHANGE (SDE)

Specifies a cryptographic key management architecture and protocol.