	RSA BSAFE Crypto-C	Cryptographic Components for C
		Search

Distributing Diffie-Hellman Parameters

This section outlines how the central authority sends the Diffie-Hellman parameters to the parties seeking agreement on a secret key. This can be performed using the Crypto-C format or BER-encoded format.

: It is not necessary to generate parameters each time two parties wish to agree on a secret key. Any number of key agreements can use the same parameters. However, for increased security it is recommended to generate new parameters regularly.

Crypto-C Format

When sending a copy of the algorithm object to the participants in Crypto-C format the information supplied to B_SetAlgorithmInfo() is sent rather than the object itself.

The algorithm object dhParametersObj was set via B_GenerateParameters(). It is set to the AI_DHKeyAgree. B_GetAlgorithmInfo() returns a pointer to A_DH_KEY_AGREE_PARAMS. Declare a variable to be a pointer to such a structure and pass its address as the argument.

Use B_GetAlgorithmInfo() and write the following.

A_DH_KEY_AGREE_PARAMS *dhKeyAgreeParams =
     (A_DH_KEY_AGREE_PARAMS *)NULL_PTR;
if ((status = B_GetAlgorithmInfo ((POINTER *)&dhKeyAgreeParams,
     dhParametersObj, AI_DHKeyAgree)) != 0)
  break;

The elements of the structure are as follows.

dhKeyAgreeParams->prime.data
dhKeyAgreeParams->prime.len
dhKeyAgreeParams->base.data
dhKeyAgreeParams->base.len
dhKeyAgreeParams->exponentBits

These are the parameters generated by Crypto-C. This is the information the central authority sends to the participants in the key agreement. Copy this information to a file or diskette, for instance, and pass it on to the participants.

It is not possible to e-mail this information over most systems because the data is in binary format, not ASCII. Crypto-C offers encoding and decoding functions to convert between binary and ASCII.

BER Format

The struct detailed above is not standard - it is unique to Crypto-C. If one or both of the parties are not using Crypto-C they are provided the information via the ASN.1 standard, which defines BER and DER.

The central authority puts the parameters into DER format, encodes them, and e-mails the encoding. The parties decode the DER string and convert that information into the parameters in the format of choice.

The parameters were obtained via B_GetAlgorithmInfo() with AI_DHKeyAgree.

Crypto-C returns a pointer to where the information resides, not the information. As soon as the object that contains that information is destroyed, the information is no longer accessible. When the pointer to that information is available, copy it into the buffer.

ITEM *cryptocDHParametersBER;
ITEM myDHParametersBER;

myDHParametersBER.data = NULL_PTR;

if ((status = B_GetAlgorithmInfo ((POINTER *)&cryptocDHParametersBER, myDHParametersObj,
      AI_DHKeyAgreeBER)) != 0)
  break;

myDHParametersBER.len = cryptocDHParametersBER->len;
myDHParametersBER.data = T_malloc (myDHParametersBER.len);
if ((status = (myDHParametersBER.data == NULL_PTR)) != 0)
  break;
T_memcpy (myDHParametersBER.data, cryptocDHParametersBER->data,
          myDHParametersBER.len);

: The conversion into BER or DER is known as BER-encoding or DER-encoding, and the conversion between binary to ASCII is known as encoding and decoding. See Encoding and Converting Data for further information.