Skip to main content

IBAKE: Identity-Based Authenticated Key Exchange
draft-cakulev-ibake-06

The information below is for an old version of the document that is already published as an RFC.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 6539.
Authors Ioannis Broustis , Violeta Cakulev , Ganapathy Sundaram
Last updated 2015-10-14 (Latest revision 2011-11-13)
RFC stream Independent Submission
Intended RFC status Informational
Formats
Stream ISE state (None)
Consensus boilerplate Unknown
Document shepherd (None)
IESG IESG state Became RFC 6539 (Informational)
Action Holders
(None)
Telechat date (None)
Responsible AD Sean Turner
Send notices to rfc-ise@rfc-editor.org
draft-cakulev-ibake-06
Network Working Group                                         V. Cakulev
Internet-Draft                                               G. Sundaram
Intended status: Informational                               I. Broustis
Expires: May 17, 2012                                     Alcatel Lucent
                                                       November 14, 2011

            IBAKE: Identity-Based Authenticated Key Exchange
                       draft-cakulev-ibake-06.txt

Abstract

   Cryptographic protocols based on public key methods are based on
   certificates and public key infrastructure (PKI) to support
   certificate management.  The emerging field of Identity Based
   Encryption protocols allows to simplify the infrastructure
   requirements via a Private-key Generator (PKG) while providing the
   same flexibility.  However one significant limitation of Identity
   Based Encryption methods is that the PKG can end up being a de-facto
   key escrow server with undesirable consequences.  Another observed
   deficiency is a lack of mutual authentication of communicating
   parties.  Here, Identity Based Authenticated Key Exchange (IBAKE)
   Protocol is specified which does not suffer from the key escrow
   problem and in addition provides mutual authentication and a perfect
   forward and backwards secrecy.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 17, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Cakulev, et al.           Expires May 17, 2012                  [Page 1]
Internet-Draft                    IBAKE                    November 2011

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Requirements notation  . . . . . . . . . . . . . . . . . . . .  4
     2.1.  Definitions  . . . . . . . . . . . . . . . . . . . . . . .  4
     2.2.  Abbreviations  . . . . . . . . . . . . . . . . . . . . . .  4
     2.3.  Conventions  . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Identity Based Authenticated Key Exchange  . . . . . . . . . .  6
     3.1.  Overview . . . . . . . . . . . . . . . . . . . . . . . . .  6
     3.2.  IBAKE Message Exchange . . . . . . . . . . . . . . . . . .  7
     3.3.  Discussion . . . . . . . . . . . . . . . . . . . . . . . .  8
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . . 11
     4.1.  General  . . . . . . . . . . . . . . . . . . . . . . . . . 11
     4.2.  IBAKE Protocol . . . . . . . . . . . . . . . . . . . . . . 12
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 14
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
     6.1.  Normative References . . . . . . . . . . . . . . . . . . . 15
     6.2.  Informative References . . . . . . . . . . . . . . . . . . 15
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16

Cakulev, et al.           Expires May 17, 2012                  [Page 2]
Internet-Draft                    IBAKE                    November 2011

1.  Introduction

   Authenticated Key Agreements are cryptographic protocols where two or
   more participants, authenticate each other and agree on a key for
   future communication.  These protocols could be symmetric key or
   asymmetric public key protocols.  Symmetric key protocols require an
   out-of-band security mechanism to bootstrap a secret key.  On the
   other hand, public key protocols require certificates and large scale
   public key infrastructure.  Clearly public key methods are more
   flexible, however the requirement for certificates and a large scale
   public key infrastructure have proved to be challenging.  In
   particular, efficient methods to support large scale certificate
   revocation and management have proved to be elusive.

   Recently, Identity Based Encryption (IBE) protocols have been
   proposed as a viable alternative to public key methods by simplifying
   the PKI requirements and replacing them with a Private-key Generator
   (PKG) to generate private keys.  However, one significant limitation
   of Identity Based Encryption methods is that the PKG can end up being
   a de-facto key escrow server with undesirable consequences.  Another
   limitation is a lack of mutual authentication between communicating
   parties.  Here an Identity Based Authenticated Key Agreement Protocol
   is specified which does not suffer from the key escrow problem and
   Provides mutual authentication.  In addition, the scheme described in
   this document allows the use of time-bound public identities and
   corresponding public and private keys, resulting in automatic
   expiration of private keys at the end of a time span indicated in the
   identity itself.  With the self-expiration of the public identities,
   the traditional real-time validity verification and revocation is not
   required.  For example, if the public identity is bound to one day,
   then, at the end of the day, the Public/Private Key pair issued to
   this peer will simply not be valid anymore.  Nevertheless, just like
   with Public-Key-based certificate systems, if there is a need to
   revoke keys before the designated expiry time, communication with a
   third party will be needed.  Finally, the protocol also provides
   forward and backwards secrecy of session keys.

Cakulev, et al.           Expires May 17, 2012                  [Page 3]
Internet-Draft                    IBAKE                    November 2011

2.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.1.  Definitions

   Identity-Based Encryption (IBE): Identity-based encryption (IBE) is a
   public-key encryption technology that allows a public key to be
   calculated from an identity and set of public parameters, and the
   corresponding private key to be calculated from the public key.  The
   public key can then be used by an Initiator to encrypt messages which
   the recipient can decrypt using the corresponding private key.  IBE
   framework is defined in [RFC5091], [RFC5408] and [RFC5409].

2.2.  Abbreviations

   EC          Elliptic Curve

   IBE         Identity Based Encryption

   IBAKE       Identity Based Authenticated Key Exchange

   IDi         Initiator's Identity

   IDr         Responder's Identity

   K_PR        Private Key

   K_PUB       Public Key

   PKG         Private-key Generator

   PKI         Public Key Infrastructure

2.3.  Conventions

   o  E is an elliptic curve over a finite field F

   o  P is a point on E of large prime order

   o  e: E x E -> G is a bi-linear map on E. G is the group of n-th
      roots of unity where n is a function of the number of points on E
      over F. Typical example of a bi-linear map is the Weil pairing
      [BF].

Cakulev, et al.           Expires May 17, 2012                  [Page 4]
Internet-Draft                    IBAKE                    November 2011

   o  s is a non-zero positive integer. s is a secret stored in a
      Private-key Generator (PKG).  This is a system-wide secret and not
      revealed outside the PKG.

   o  Ppub = sP is the public key of the system that is known to all
      participants. sP denotes a point in E, and denotes the point P
      added to itself s times where addition refers to the group
      operation one E.

   o  H1 is a known hash function that takes a string and assigns it to
      a point on the elliptic curve, i.e., H1(A) = QA on E, where A is
      usually based on the identity.

   o  dA = sQA is the private key computed by the PKG, corresponding to
      the public identity A, and delivered only to A

   o  H2 is a known hash function that takes an element of G and assigns
      it to a string

   o  E(k, A) denotes that A is IBE-encrypted with the key k

   o  s||t denotes concatenation of the strings s and t

   o  K_PUBx denotes Public Key of x

Cakulev, et al.           Expires May 17, 2012                  [Page 5]
Internet-Draft                    IBAKE                    November 2011

3.  Identity Based Authenticated Key Exchange

3.1.  Overview

   IBAKE consists of a three-way exchange between an Initiator and a
   Responder.  In the figure below, a conceptual signaling diagram of
   IBAKE is depicted.

               +---+                             +---+
               | I |                             | R |
               +---+                             +---+

                              MESSAGE_1
                 ---------------------------------->
                              MESSAGE_2
                 <----------------------------------
                              MESSAGE_3
                 ---------------------------------->

                 Figure 1: Example IBAKE Message Exchange

   The Initiator (I) and Responder (R) are attempting to mutually
   authenticate each other and agree on a key using IBAKE.  This
   specification assumes that the Initiator and the Responder trust a
   third party, the Private-key Generator (PKG).  Rather than a single
   PKG, several different PKGs may be involved, e.g. one for the
   Initiator and one for the Responder.  The Initiator and the Responder
   do not share any credentials, however they know or can obtain each
   other's public parameters.  This specification does not make any
   assumption on when and how the Private Keys are obtained.  However,
   to complete the protocol described (i.e. to decrypt encrypted
   messages in the IBAKE protocol exchange) the Initiator and the
   Responder need to have their respective Private Keys.  The procedures
   needed to obtain the private keys and public parameters are outside
   of scope of this specification.  The details of these procedures can
   be found in [RFC5091] and [RFC5408].  Finally, the protocol described
   relies on the use of elliptic curves.  Section 3.3 discusses the
   choice of elliptic curves.  However, how the Initiator and the
   Responder agree on a specific elliptic curve is left to application
   that is leveraging IBAKE protocol (see [I-D.cakulev-emu-eap-ibake]
   for example).

   The Initiator chooses random x.  In the first step, the Initiator
   computes xP (i.e., P, as a point on E, added to itself x times using
   the addition law on E), encrypts xP, IDi and IDr using Responder's
   public key (e.g., K_PUBr=H1(IDr||date)) and includes this encrypted

Cakulev, et al.           Expires May 17, 2012                  [Page 6]
Internet-Draft                    IBAKE                    November 2011

   information in a MESSAGE_1 message sent to the Responder.  In this
   step encryption refers to identity based encryption described in
   [RFC5091] and [RFC5408].

   The Responder, upon receiving the message, IBE-decrypts it using its
   private key (e.g. private key for that date), and obtains xP.  The
   Responder next chooses random y and computes yP.  The Responder then
   IBE-encrypts Initiator's identity (IDi), its own identity (IDr), xP,
   and yP using Initiator's Public Key (e.g., K_PUBi=H1(IDi||date)).
   The Responder includes this encrypted information in MESSAGE_2
   message sent to the Initiator.

   The Initiator upon receiving and IBE-decrypting MESSAGE_2 obtains yP.
   Subsequently, the Initiator sends MESSAGE_3 message to the Responder,
   including IBE-encrypted IDi, IDr and yP.  At this point both the
   Initiator and the Responder are able to compute the same session key
   as xyP.

3.2.  IBAKE Message Exchange

   Initially, the Initiator selects a random x and computes xP; The
   Initiator MUST use a fresh, random value for x on each run of the
   protocol.  The Initiator then encrypts xP, IDi and IDr using
   Responder's public key (e.g., K_PUBr=H1(IDr||date)).  The Initiator
   includes this encrypted information in a MESSAGE_1 and sends it to
   the Responder as shown below.

   Initiator    ---->      Responder

      MESSAGE_1 = E(K_PUBr, IDi || IDr || xP)

   Upon receiving MESSAGE_1 message, the Responder SHALL perform the
   following:

   o  Decrypt the message as specified in [RFC5091] and [RFC5408]

   o  Obtain xP

   o  The Responder selects a random y and computes yP.  The Responder
      MUST use a fresh, random value for x on each run of the protocol.

   o  Encrypt the Initiator's identity (IDi), its own identity (IDr), xP
      and yP using Initiator's Public Key (K_PUBi).

Cakulev, et al.           Expires May 17, 2012                  [Page 7]
Internet-Draft                    IBAKE                    November 2011

   Responder   ---->  Initiator

      MESSAGE_2 = E(K_PUBi, IDi || IDr || xP || yP)

   Upon receiving MESSAGE_2 message, the Initiator SHALL perform the
   following:

   o  Decrypt the message as specified in [RFC5091] and [RFC5408]

   o  Verify that the received xP is the same as sent in MESSAGE_1

   o  Obtain yP

   o  Encrypt its own identity (IDi), the Responder's identity (IDr) and
      yP using Responder's Public Key (K_PUBi).

   Initiator    ---->      Responder

      MESSAGE_3 = E(K_PUBr, IDi || IDr || yP)

   Upon receiving MESSAGE_3 message, the Responder SHALL perform the
   following:

   o  Decrypt the message as specified in [RFC5091] and [RFC5408].

   o  Verify that the received yP is the same as sent in MESSAGE_2

   If any of the above verifications fails, the protocol halts;
   otherwise, following this exchange both the Initiator and the
   Responder have authenticated each other and are able to compute xyP
   as the session key.  At this point, both protocol participants MUST
   discard all intermediate cryptographic values, including x and y.
   Similarly, both parties MUST immediately discard these values
   whenever the protocol terminates as a result of a verification
   failure or timeout.

3.3.  Discussion

   Properties of the protocol are as follows:

   o  Immunity from key escrow: Observe that all the steps in the
      protocol exchange are encrypted using IBE.  So clearly the PKG can
      decrypt all the exchanges.  However, given the above made
      assumption that PKGs are trusted and well behaved (e.g., PKGs will
      not mount an active Man-in-the-Middle attack), the PKG cannot

Cakulev, et al.           Expires May 17, 2012                  [Page 8]
Internet-Draft                    IBAKE                    November 2011

      compute the session key.  This is because of the hardness of the
      elliptic curve Diffie-Hellman problem.  In other words, given xP
      and yP it is computationally hard to compute xyP.

   o  Mutually Authenticated Key Agreement: Observe that all the steps
      in the protocol exchange are encrypted using IBE.  In particular
      only the Responder and its corresponding PKG can decrypt the
      contents of the MESSAGE_1 and MESSAGE_3 sent by the Initiator, and
      similarly only the Initiator and its corresponding PKG can decrypt
      the contents of the MESSAGE_2 sent by the Responder.  Again, given
      the above made assumption that PKGs are trusted and well behaved
      (e.g., a PKG will not impersonate a user it issued a Private Key
      to) upon receiving MESSAGE_2, the Initiator can verify the
      Responder's authenticity since xP could have been sent in
      MESSAGE_2 only after decryption of the contents of MESSAGE_1 by
      the Responder.  Similarly, upon receiving MESSAGE_3, the Responder
      can verify the Initiator's authenticity since yP could have been
      sent back in MESSAGE_3 only after correctly decrypting the
      contents of MESSAGE_2 and this is possible only by the Initiator.
      Finally both the Initiator and the Responder can agree on the same
      session key.  In other words, the protocol is a mutually
      authenticated key agreement protocol based on IBE.  The hardness
      of the key agreement protocol relies on the hardness of the
      Elliptic curve Diffie-Hellman problem.  So clearly in any
      practical implementation care should be devoted to the choice of
      elliptic curve.

   o  Perfect forward and backwards secrecy: Since x and y are random,
      xyP is always fresh and unrelated to any past or future sessions
      between the Initiator and the Responder.

   o  No passwords: Clearly the IBAKE protocol does not require any
      offline exchange of passwords or secret keys between the Initiator
      and the Responder.  In fact the method is applicable to any two
      parties communicating for the first time through any communication
      network.  The only requirement is to ensure that both the
      Initiator and the Responder are aware of each other's public keys
      and public parameters of PKG which generated the corresponding
      private keys.

   o  PKG availability: Observe that PKGs need not be contacted during
      IBAKE protocol exchange, which dramatically reduces availability
      requirements on PKG.

   o  Choice of elliptic curves: This specification relies on the use of
      elliptic curves for both IBE encryption as well as for Elliptic
      Curve Diffie-Hellman exchange.  When making a decision on the
      choice of elliptic curves, it is beneficial to choose two

Cakulev, et al.           Expires May 17, 2012                  [Page 9]
Internet-Draft                    IBAKE                    November 2011

      different elliptic curves, one for the internal calculations of
      Elliptic Curve Diffie-Hellman values xP and yP, and another for
      the IBE encryption/decryption.  For the calculations of Elliptic
      Curve Diffie-Hellman values, it is beneficial to use the NIST
      recommended curves [FIPS-186].  These curves make the calculations
      simpler while keeping the security high.  On the other hand,
      identity-based encryption (IBE) systems are based on bilinear
      pairings.  Therefore, the choice of an elliptic curve for IBE is
      restricted to a family of supersingular elliptic curves over
      finite fields of large prime characteristic.  The appropriate
      elliptic curves for IBE encryption are described in [RFC5091].

   o  Implementation considerations: An implementation of IBAKE would
      consist of two primary modules, i.e., point addition operations
      over a NIST curve, and IBE operations over a super-singular curve.
      The implementation of both modules only needs to be aware of the
      following parameters: (a) the full description of the curves that
      are in use (fixed or negotiated), (b) the public parameters of the
      KGF used for the derivation of IBE private keys and (c) the exact
      public identity of each IBAKE participant.  The knowledge of these
      parameters is sufficient to perform ECC operations in different
      terminals and produce the same results, independently of the
      implementation.

Cakulev, et al.           Expires May 17, 2012                 [Page 10]
Internet-Draft                    IBAKE                    November 2011

4.  Security Considerations

   This draft is based on the basic Identity Based Encryption protocol,
   as specified in [BF], [RFC5091]), [RFC5408] and [RFC5409], and as
   such inherits some properties of that protocol.  For instance, by
   concatenating the "date" with the identity (to derive the public
   key), the need for any key revocation mechanisms is virtually
   eliminated.  Moreover, by allowing the participants to acquire
   multiple private keys (e.g., for duration of contract) the
   availability requirements on the PKG are also reduced without any
   reduction in security.  The granularity associated with the "date" is
   a matter of security policy, and as such a decision made by the PKG
   administrator.  However, the granularity applicable to any given
   participant should be publicly available and known to other
   participants.  For example, this information can be made available in
   the same venue which provides "public information" of PKG server
   (i.e., P, sP) needed to execute IB encryption.

4.1.  General

   Attacks on the cryptographic algorithms used in Identity Based
   Encryption are outside the scope of this document.  It is assumed
   that any administrator will pay attention to the desired strengths of
   the relevant cryptographic algorithms based on an up to date
   understanding of the strength of these algorithms from published
   literature as well as known attacks.

   It is assumed that the PKGs are secure, not compromised, trusted, and
   will not engage in launching active attacks independently or in a
   collaborative environment.  Nevertheless, if an active adversary can
   fool the parties that it is a legitimate PKG then it can mount a
   successful MitM attack.  Therefore, care should be taken when
   choosing a PKG.  In addition, any malicious insider could potentially
   launch passive attacks (by decryption of one or more message
   exchanges offline).  While it is in the best interest of
   administrators to prevent such issue, it is hard to eliminate this
   problem.  Hence, it is assumed that such problems will persist, and
   hence the session key agreement protocols are designed to protect
   participants from passive adversaries.

   It is also assumed that the communication between participants and
   their respective PKGs is secure.  Therefore, in any implementation of
   the protocols described in this document, administrators of any PKG
   have to ensure that communication with participants is secure and not
   compromised.

   Finally, concatenating the "date" to the identity ensures that the
   corresponding private key is applicable only to that date.  This

Cakulev, et al.           Expires May 17, 2012                 [Page 11]
Internet-Draft                    IBAKE                    November 2011

   serves to limit the damages related to a leakage or compromise of
   private keys to just that date.  This in particular, eliminates the
   revocation mechanisms that are typical to various certificate based
   public key protocols.

4.2.  IBAKE Protocol

   For the basic IBAKE protocol from a cryptographic perspective
   following security considerations apply.

   In every step Identity Based Encryption (IBE) is used, with the
   recipient's public key.  This guarantees that only the intended
   recipient of the message and its corresponding PKG can decrypt the
   message [BF].

   Next, the use of identities within the encrypted payload is intended
   to eliminate some basic reflection attacks.  For instance, suppose we
   did not use identities as part of the encrypted payload, in the first
   step of the IBAKE protocol (i.e., MESSAGE_1 of Figure 1 in
   Section 3.1).  Furthermore, assume an adversary who has access to the
   conversation between initiator and responder and can actively snoop
   into packets and drop/modify them before routing them to the
   destination.  For instance, assume that the IP source address and
   destination address can be modified by the adversary.  After the
   first message is sent by the initiator (to the responder), the
   adversary can take over and trap the packet.  Next the adversary can
   modify the IP source address to include adversary's IP address,
   before routing it onto the responder.  The responder will assume the
   request for an IBAKE session came from the adversary, and will
   execute step 2 of the IBAKE protocol (i.e., MESSAGE_2 of Figure 1 in
   Section 3.1) but encrypt it using the adversary's public key.  The
   above message can be decrypted by the adversary (and only by the
   adversary).  In particular, since the second message includes the
   challenge sent by the initiator to the responder, the adversary will
   now learn the challenge sent by the initiator.  Following this, the
   adversary can carry on a conversation with the initiator "pretending"
   to be the responder.  This attack will be eliminated if identities
   are used as part of the encrypted payload.  In summary, at the end of
   the exchange both initiator and responder can mutually authenticate
   each other and agree on a session key.

   Recall that Identity Based Encryption guarantees that only the
   recipient of the message can decrypt the message using the private
   key.  The caveat being, the PKG which generated the private key of
   recipient of message can decrypt the message as well.  However, the
   PKG cannot learn the public key "xyP" given "xP" and "yP" based on
   the hardness of the Elliptic Curve Diffie-Hellman problem.  This
   property of resistance to passive key escrow from the PKG, is not

Cakulev, et al.           Expires May 17, 2012                 [Page 12]
Internet-Draft                    IBAKE                    November 2011

   applicable to the basic IBE protocols proposed in [RFC5091]),
   [RFC5408] and [RFC5409].

   Observe that the protocol works even if the initiator and responder
   belong to two different PKGs.  In particular, the parameters used for
   encryption to the responder and parameters used for encryption to the
   initiator can be completely different and independent of each other.
   Moreover, the Elliptic Curve used to generate the session key "xyP"
   can be completely different and chosen during the key exchange.  If
   such flexibility is desired, then it would be required to add
   optional extra data to the protocol to exchange the algebraic
   primitives used in deriving the session key.

   In addition to mutual authentication, and resistance to passive
   escrow, the Diffie-Hellman property of the session key exchange
   guarantees perfect secrecy of keys.  In others, accidental leakage of
   one session key does not compromise past or future session keys
   between the same initiator and responder.

Cakulev, et al.           Expires May 17, 2012                 [Page 13]
Internet-Draft                    IBAKE                    November 2011

5.  IANA Considerations

   At this time there are no IANA considerations.

Cakulev, et al.           Expires May 17, 2012                 [Page 14]
Internet-Draft                    IBAKE                    November 2011

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

6.2.  Informative References

   [BF]       Boneh, D. and M. Franklin, "Identity-Based Encryption from
              the Weil Pairing", in SIAM J. of Computing, Vol. 32,
              No. 3, pp. 586-615, 2003.

   [FIPS-186]
              National Institute of Standards and Technology, "FIPS Pub
              186-3: Digital Signature Standard (DSS)", June 2009.

   [I-D.cakulev-emu-eap-ibake]
              Cakulev, V. and I. Broustis, "An EAP Authentication Method
              Based on Identity-Based Authenticated Key Exchange",
              draft-cakulev-emu-eap-ibake-00 (work in progress),
              March 2011.

   [RFC5091]  Boyen, X. and L. Martin, "Identity-Based Cryptography
              Standard (IBCS) #1: Supersingular Curve Implementations of
              the BF and BB1 Cryptosystems", RFC 5091, December 2007.

   [RFC5408]  Appenzeller, G., Martin, L., and M. Schertler, "Identity-
              Based Encryption Architecture and Supporting Data
              Structures", RFC 5408, January 2009.

   [RFC5409]  Martin, L. and M. Schertler, "Using the Boneh-Franklin and
              Boneh-Boyen Identity-Based Encryption Algorithms with the
              Cryptographic Message Syntax (CMS)", RFC 5409,
              January 2009.

Cakulev, et al.           Expires May 17, 2012                 [Page 15]
Internet-Draft                    IBAKE                    November 2011

Authors' Addresses

   Violeta Cakulev
   Alcatel Lucent
   600 Mountain Ave.
   3D-517
   Murray Hill, NJ  07974
   US

   Phone: +1 908 582 3207
   Email: violeta.cakulev@alcatel-lucent.com

   Ganapathy S. Sundaram
   Alcatel Lucent
   600 Mountain Ave.
   3D-517
   Murray Hill, NJ  07974
   US

   Phone: +1 908 582 3209
   Email: ganesh.sundaram@alcatel-lucent.com

   Ioannis Broustis
   Alcatel Lucent
   600 Mountain Ave.
   3D-526
   Murray Hill, NJ  07974
   US

   Phone: +1 908 582 3744
   Email: ioannis.broustis@alcatel-lucent.com

Cakulev, et al.           Expires May 17, 2012                 [Page 16]