Internet Engineering Task Force David A. McGrew IP Security Working Group Scott R. Fluhrer INTERNET-DRAFT Cisco Systems, Inc. Expires in January, 2001 Mohammad Peyravian IBM July, 2000 The Stream Cipher Encapsulating Security Payload Status of this Memo This document is an Internet Draft and is in full conformance with all provisions of Section 10 of RFC-2026. Internet Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and working groups. Note that other groups may also distribute working documents as Internet Drafts. Internet Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Table of Contents 1. Abstract...................................................2 2. Notational Conventions.....................................2 3. Stream Ciphers.............................................2 4. The Stream Cipher ESP (SC/ESP).............................3 4.1 The SC/ESP Packet Format................................4 4.2 Key Usage in SC/ESP.....................................4 5. Cipher Specifications and Requirements.....................5 6. Security Considerations....................................5 7. Summary and Rationale......................................7 8. Acknowledgements...........................................8 9. Contact Information........................................8 10. References.................................................8 McGrew, Fluhrer, Peyravian [Page 1] Internet Draft The Stream Cipher ESP July, 2000 1. Abstract This document specifies the use of an additive stream cipher as a confidentiality mechanism within the context of the IPSec Encapsulating Security Payload (ESP) defined by Kent and Atkinson [KA98b]. This transform fits into and extends the framework of ESP CBC-Mode Cipher Algorithms of Pereira and Adams [PA98], and can be used in conjunction with any ESP Authentication Algorithm. The advantages of the Stream Cipher ESP (SC/ESP) transform are twofold: it enables the use of faster ciphers, and the expansion of stream cipher ESP protected packets is less than that of CBC-Mode ESP protected packets. A detailed security analysis of additive encryption of Internet traffic and SC/ESP is being published separately [MF00]. The stream ciphers that can be used by the Stream Cipher ESP must be able to efficiently seek to arbitrary locations in their keystream. This requirement ensures that Stream Cipher ESP packets can be efficiently decrypted even when they are received out of order, and protects against denial of service attacks described against earlier IPSEC stream cipher proposals by Bellovin [B96]. This rest of this document describes additive stream ciphers, defines the Stream Cipher ESP, reviews security considerations, and provides a rationale and a summary. 2. Notational Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [B97]. 3. Stream Ciphers An additive stream cipher is a cipher that generates a pseudo-random string of bits called a keystream, and encrypts by bitwise adding this string into the plaintext, modulo two (recall that addition modulo two is the same as exclusive-or). To decrypt, the keystream is bitwise added into the ciphertext modulo two. Stream ciphers and their terminology are well described by Ruppel [R92] and Schneier [S96]. In the rest of this document, we will use the term "stream cipher" to refer to additive stream ciphers. Secure stream ciphers with high encryption rates may be more realizable than block ciphers with similar qualities. There is both practical and theoretical support for this statement. On the practical side, a C implementation of the SEAL cipher [RC98] encrypted 256 byte blocks of data at 16.9 times the rate as did an McGrew, Fluhrer, Peyravian [Page 2] Internet Draft The Stream Cipher ESP July, 2000 optimized C implementation of the Data Encryption Standard [FIPS46], in the authors' experiments on a 32 bit RISC processor. On the theoretical side, there are attacks that a block cipher must be designed to resist (e.g., chosen plaintext attacks) that are not effective against a stream cipher. Additionally, many stream ciphers can be implemented with parallelism. The Internet Protocol is an unreliable transport mechanism, and ESP packets may arrive out of order, and may not arrive at all. The unreliable nature of IP requires that stream ciphers used to encrypt IP packets be able to efficiently generate keystream out of order. We say that a cipher that can do this has the `seek' capability. Such stream ciphers exist; SEAL is one example [RC98]. Many stream ciphers are intended only to produce keystream in order, and cannot efficiently produce unordered segments of keystream. RC4 [S96] and the Output Feedback (OFB) mode [FIPS81] are ciphers with this restriction. It is possible to define a state-caching mechanism that enables the decryption of out-of-order packets with such a cipher. However, such methods are complicated, are expensive in terms of memory and/or processor time, and may be vulnerable to the denial of service attacks described by Bellovin [B96]. Therefore, this specification excludes ciphers with that limitation. 4. The Stream Cipher ESP (SC/ESP) The Stream Cipher Encapsulating Security Payload defines an encryption mechanism for ESP. The ESP packet format and associated semantics as defined in Section 2 of [KA98b] are unchanged, but are specialized for SC/ESP in order to meet the unique requirements of stream ciphers. In the SC/ESP, the ESP Sequence Number as defined in Section 2.2 of [KA98b] is used as an index into the keystream. The keystream is viewed as 2^32 segments of length 64 kilobytes (the maximum length of an IP packet), each segment of which corresponds to a single packet. The segments are indexed from zero to 2^32 - 1. The keystream segment with index zero is not used to encrypt any packet, because ESP packets never use the Sequence Number with value zero. Encryption of a particular packet consists of generating as many bytes of the keystream segment as are needed to encrypt that packet, then bitwise adding that keystream into the fields of the ESP packet that are confidentiality protected. The keystream segment is aligned with the Payload Data; that is, the initial bit of the keystream segment is used to encrypt the initial bit of the McGrew, Fluhrer, Peyravian [Page 3] Internet Draft The Stream Cipher ESP July, 2000 Payload Data, and so on. The number of bytes of the keystream segment that are used to encrypt a particular packet is equal to the length of the Payload Data plus the length of the Padding plus two (for the Pad Length and Next Header fields). An ESP Authentication Algorithm MUST be used with SC/ESP. This provides authentication of the Sequence Number, thus preventing attacks which could manipulate the Sequence Number. 4.1 The SC/ESP Packet Format Each field of an ESP packet is described below, with a specification of its use within SC/ESP. The Payload Data contains only the data described by the Next Header field, i.e., the ciphertext message. There is no Initialization Vector (IV) as described in that section, as a stream cipher does not need an IV. Plaintext Padding must be used to align the Authentication Data field to a four-byte boundary, if needed, and may be used to conceal the length of the message, as described in Section 2.4 of [KA98b]. However, there is no need to pad the plaintext out to a length that is a multiple of a block size, as is done for CBC mode block ciphers. The bitwise nature of additive encryption obviates the need for such padding. The Payload Data, Next Header, Padding, and Padding Length fields are encrypted by bitwise adding those fields, modulo two, with the corresponding length of the segment of keystream indexed by the Sequence Number. The Authentication Data field MUST be present, because an Authentication Algorithm MUST be used with SC/ESP. 4.2 Key Usage in SC/ESP The key used by the stream cipher is shared between the sender and the receiver, and MUST be generated by a uniformly random process [KA98a]. All encryption or decryption associated with a given Security Association (SA) uses the same key. Additive stream ciphers must be protected against key collision and time-memory tradeoff attacks, both of which are possible when the the plaintext source is redundant [MF00]. The SC/ESP can achieve this protection through the use of large keys, as described in Section 5. McGrew, Fluhrer, Peyravian [Page 4] Internet Draft The Stream Cipher ESP July, 2000 5. Cipher Specifications and Requirements A cipher used in SC/ESP must be able to seek to 2^32 distinct locations in its keystream, where each location is separated by 64 Kilobytes (or 2^19 bits). The security requirement on ciphers used in SC/ESP is that a secret key used to generate 2^48 bytes of keystream (the maximum length of the keystream used in SC/ESP) cannot be found by a computationally limited adversary who has been given that keystream. At present, `computationally limited' implies an adversary that cannot perform more than about 2^80 trial encryptions nor store more than about 2^54 ciphertexts, though a precise definition of this term is beyond the scope of this standard. This requirement ensures that SC/ESP will provide privacy even in the case that the vast majority of its plaintext is known to an adversary. In order to specify an instantiation of the SC/ESP transform with a particular cipher, a description of how to produce a 64 Kilobyte segment of keystream given a 32 bit index in network byte order MUST be provided. While this specification refers to stream ciphers, it is worth noting that a seekable keystream generator could be called a keyed pseudorandom function, or a pseudorandom function family in the cryptographic literature [GGM86, RC98]. 6. Security Considerations Additive ciphers do not provide any security service other than privacy. In particular, they do not provide message integrity (see [RK99] or [S96] for a discussion of this security service). A good summary of ciphertext manipulation attacks on stream ciphers can be found in Section 3.4 of [B96] (though the denial of service attacks described in that section do not work against this specification). In SC/ESP, message integrity is provided through the use of an ESP Authentication Algorithm. Such a transform MUST be used with SC/ESP. No bit of keystream in an additive stream cipher should ever be used to encrypt multiple distinct plaintext bits. Such keystream reuse (jokingly called a `two-time pad' system by cryptographers), can seriously compromise security. The NSA's VENONA project [C99] provides a historical example of such a compromise. In the Stream Cipher ESP, a `two-time pad' is avoided by requiring that both keys and Sequence Numbers (and thus the indices to the McGrew, Fluhrer, Peyravian [Page 5] Internet Draft The Stream Cipher ESP July, 2000 keystream segments) be unique. The uniqueness of the Sequence Numbers (for a given SA) is already part of the ESP specification, and is mandated by [KA98b]. Uniqueness of the keys follows from proper key management. To help enforce good key management, manual keying SHOULD NOT be used with a Stream Cipher ESP. If manual keying is used, two different SAs might accidentally use the same SC/ESP key with non-negligible probability, through manual error or procedural inadequacies. The Internet Key Exchange [HC98], or some other automated mechanism, SHOULD be used to establish keys for the Stream Cipher ESP. An additive stream cipher is vulnerable to attacks that use statistical knowledge about the plaintext source to enable key collision and time-memory tradeoff attacks [MF00,H80,Bi96]. These attacks take advantage of commonalities among plaintexts, and provide a way for a cryptanalyst to amortize the computational effort of decryption over many keys, thus reducing the effective key size of the cipher. A detailed analysis of these attacks and their applicability to the encryption of Internet traffic is provided in [MF00]. In summary, the effective key size of SC/ESP, when used in a security system in which m distinct keys are used, is equal to the key size of the cipher less the logarithm (base two) of m. Protection against such attacks can be provided simply by increasing the size of the keys used. In order to provide an effective key size of n bits in a deployment in which SC/ESP 2^m SAs will be created, the true key size will need to be n+m bits. The value of m SHOULD be 32 bits for networks with 50,000 connections (fully meshed networks with up to 200 devices), and SHOULD be 64 bits for networks with 49e+12 connections (fully meshed networks with up to 7,000,000 devices). These choices of m ensures that key collision attacks amortized over a ten year period offer no advantage over exhaustive search, when new SC/ESP keys are established for every connection every hour (note that such an attack requires the storage of all network traffic over the ten year period). These choices will suffice for many networks, though SC/ESP deployments with more stringent security requirements will need to make a detailed assessment of those requirements with respect to the attacks described in [MF00]. Implementations SHOULD use keys that are as large as possible. Please note that in many cases increasing the key size of a cipher does not affect the throughput of that cipher. It is an important point that the m bits of `extra' key provided to thwart these attacks need not be private. In jurisdictions with mandated limits on the length of a secret key, the additional key bits could be made public. This is because those bits are McGrew, Fluhrer, Peyravian [Page 6] Internet Draft The Stream Cipher ESP July, 2000 functionally equivalent to the `salt' that is used to protect passwords from dictionary attacks. The fact that the `extra' key bits are distinct for many different keys defeats the key collision and time-memory tradeoff attacks by reducing the number of keys over which cryptanalytic computation can be amortized. Note that other security protocols which use additive ciphers for the encryption of Internet traffic (e.g., SSL, TLS, SSH) are also vulnerable to the attacks described in [MF00]. Those attacks are generic to additive encryption of redundant plaintext, and are not particular to SC/ESP, ESP, nor IPSEC. 7. Summary and Rationale SC/ESP enables the use of fast stream ciphers, has smaller packet sizes than other currently defined encryption mechanisms, and fits completely into the frameworks defined by [KA98a] and [PA98]. SC/ESP achieves small packet sizes by merging cryptographic synchronization information with a replay protection counter. The use of the ESP Sequence Number as an index, rather than using a field dedicated to this purpose, achieves cryptographic synchronization while reducing the size of an SC/ESP packet. For example, an SC/ESP packet is between eight and fifteen bytes shorter than a comparable ESP DES-CBC packet [MD98], and between sixteen and thirty one bytes shorter than a comparable ESP AES CBC packet [FGK00]. There are no adverse security implications of this dual use of the ESP Sequence Number. This follows from the fact that the only security property that we expect from the stream cipher is privacy, and the security of the cipher is independent of how its keystream is indexed. The foremost motivation for SC/ESP is to enable the use of fast stream ciphers within ESP. However, no ciphers are specified in this document, in order that this document may provide a basis for the standardization of the use of any cipher that meets the criteria outlined in Section 4. SEAL [RC98] satisfies these criteria, as does any block cipher in counter mode [S96]. It has been widely recognized that implementations of counter mode encryption can take advantage of parallelization, while CBC mode encryption is necessarily serialized. CBC mode encryption has the advantage that it is not as vulnerable to typical plaintext attacks as is encryption with an additive stream cipher. This is because CBC is `randomized' through the use of an unpredictable IV. However, additive encryption can achieve the same level of security as CBC mode encryption through an increase in key size as described at the end of Section 5 and in McGrew, Fluhrer, Peyravian [Page 7] Internet Draft The Stream Cipher ESP July, 2000 [MF00]. This strategy of "putting all of the randomization in the key" provides an encryption method that can be as secure as CBC, while providing the advantages outlined above. 8. Acknowledgements We would like to thank Cheryl Madson, Brian Weis, and Scott Fanning for their critical review and useful comments. In addition, thanks are due to Phil Rogaway for discussion and encouragement. 9. Contact Information Questions and comments about this memo can be directed to: David A. McGrew, Ph.D. Scott R. Fluhrer Cisco Systems, Inc. San Jose, CA 95134-1706 USA mcgrew@cisco.com, sfluhrer@cisco.com Mohammad Peravian IBM peyravn@us.ibm.com 10. References [B97] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [KA98a] Kent, S., and R. Atkinson, "Security Architecture for IP", RFC 2401, November 1998. [KA98b] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998. [B96] S. Bellovin, "Problem Areas for the IP Security Protocols", Sixth USENIX Unix Security Conference, ftp://ftp.research.att.com/dist/smb/badesp.ps. [C99] Crowell, W. P., "Introduction to the VENONA Project", http://www.nsa.gov:8080/docs/venona/index.html. [FIPS46] "Data Encryption Standard", Federal Information Processing Standard (FIPS) Publication 46-2, US National Institute of Standards and Technology, http://www.itl.nist.gov/fipspubs/fip46-2.htm. [FGK00] Frankel, S., Glenn, R., Kelley, S., "The Candidate AES McGrew, Fluhrer, Peyravian [Page 8] Internet Draft The Stream Cipher ESP July, 2000 Cipher Algorithms and Their Use With IPsec", Internet Draft draft-ietf-ipsec-ciph-aes-cbc-00.txt, March, 2000. [GGM86] Goldreich, O., Goldwasser, S. and Micali, S., "How to construct random functions", Journal of the ACM, Volume 33, Number 4, 1986, pp. 210-217. [HC98] Harkins, D. and Carrel, D., The Internet Key Exchange (RFC 2409). November, 1998. [H80] Hellman, M. E., "A cryptanalytic time-memory trade-off", IEEE Transactions on Information Theory, July 1980, pp. 401-406. [MD98] Madson, C., and Doraswamy, N., "The ESP DES-CBC Cipher Algorithm With Explicit IV", RFC 2405, November 1998. [MF00] McGrew, D., and Fluhrer, S., "Attacks on Encryption of Redundant Plaintext and Implications on Internet Security", to be presented at the Seventh Annual Workshop on Selected Areas in Cryptography (SAC 2000). [PA98] Pereira, R. and Adams, R., "The ESP CBC-Mode Cipher Algorithms", RFC 2451. [R92] Rueppel, R., "Stream Ciphers", Chapter 2 of Simmons, G., "Contemporary Cryptology: the Science of Information Integrity," 1992, IEEE Press. [RC94] Rogaway, P. and Coppersmith, D., "A Software-Optimized Encryption Algorithm", Proceedings of the 1994 Fast Software Encryption Workshop, Lecture Notes In Computer Science, Volume 809, Springer-Verlag, 1994, pp. 56-63. [RC98] Rogaway, P. and Coppersmith, D., "A Software-Optimized Encryption Algorithm", Journal of Cryptology, Volume 11, Number 4, Springer-Verlag, 1998, Pages 273-287. Also available on the Internet at http://www.cs.ucdavis.edu/~rogaway/papers/seal-abstract.html. [RK99] Rescorla, E., and Korver, B., "Guidelines for Writing RFC Text on Security Considerations," draft-rescorla-sec-cons-00.txt [S96] Schneier, B. "Applied Cryptography: Protocols, Algorithms, and Source Code in C", Wiley, 1996. McGrew, Fluhrer, Peyravian [Page 9]