Network Working Group                                 W. Simpson, Editor
Internet Draft                                                DayDreamer
expires in six months                                      November 1995

                          Photuris Extensions
                   draft-ietf-ipsec-photuris-ext-01.txt

Status of this Memo

   This document is a submission to the IP Security Working Group of the
   Internet Engineering Task Force (IETF).  Comments should be submitted
   to the ipsec@ans.net mailing list.

   Distribution of this memo is unlimited.

   This document is an Internet-Draft.  Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its Areas,
   and its Working Groups.  Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six
   months, and may be updated, replaced, or obsoleted by other documents
   at any time.  It is not appropriate to use Internet Drafts as
   reference material, or to cite them other than as a ``working draft''
   or ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the internet-drafts Shadow
   Directories on:

      ftp.is.co.za (Africa)
      nic.nordu.net (Europe)
      ds.internic.net (US East Coast)
      ftp.isi.edu (US West Coast)
      munnari.oz.au (Pacific Rim)

Abstract

   Photuris is an experimental session-key management protocol intended
   for use with the IP Security Protocols (AH and ESP).  Extensible
   Exchange Schemes and Attributes are provided to enable future
   implementation changes without affecting the basic protocol.

Simpson                expires in six months                    [Page i]
DRAFT                   Photuris Extensions                November 1995

1.  Additional Exchange Schemes

   The packet format and basic facilities are already defined for
   Photuris [Firefly].

   Up-to-date values for the Exchange Schemes are specified in the most
   recent "Assigned Numbers" [RFC-1700].  This document defines the
   following values:

   (3)  Implementation Optional.  Modular Exponentiation using a
        1024-bit strong prime (p), expressed in hex:

        The recommended generator (g) for this prime is 3.
        Provides 1024 bits of keying material.  The cryptographic
        strength is currently estimated to be equivalent to 86 bits
        (pessimistic) through 98 bits (optimistic).  Exponent lengths of
        196 to 256 bits are recommended.

        The Identification_Message and Change_Message Privacy-Method is
        DES-CBC-64.  The Change_Message Validity-Method is MD5.

   (4)  Implementation Optional.  Modular Exponentiation using a
        2048-bit strong prime (p), expressed in hex:

        The recommended generator (g) for this prime is 2.

        Provides 2048 bits of keying material.  The cryptographic
        strength is currently estimated to be equivalent to ??? bits
        (pessimistic).  Exponent lengths of ??? to 512 bits are
        recommended.

        The Identification_Message and Change_Message Privacy-Method is
        3DES-CBC-64.  The Change_Message Validity-Method is MD5.

   (5)  Implementation Optional.  Modular Exponentiation using a
        1024-bit strong prime (p), expressed in hex:

        a478 8e21 84b8 d68b fe02 690e 4dbe 485b
        17a8 0bc5 f21d 680f 1a84 1313 9734 f7f2
        b0db 4e25 3750 018a ad9e 86d4 9b60 04bb
        bcf0 51f5 2fcb 66d0 c5fc a63f bfe6 3417
        3485 bbbf 7642 e9df 9c74 b85b 6855 e942
        13b8 c2d8 9162 abef f434 2435 0e96 be41
        edd4 2de9 9a69 6163 8c1d ac59 8bc9 0da0
        69b5 0c41 4d8e b865 2adc ff4a 270d 567f

        The recommended generator (g) for this prime is 5.

        Provides 1024 bits of keying material.  The cryptographic
        strength is currently estimated to be equivalent to 86 bits
        (pessimistic) through 98 bits (optimistic).  Exponent lengths of
        196 to 256 bits are recommended.

        The Identification_Message and Change_Message Privacy-Method is
        DES-CBC-64.  The Change_Message Validity-Method is MD5.

        This prime modulus was randomly generated by a freely available
        program written by Phil Karn, verified using the
        mpz_probab_prime() function Miller-Rabin test in the Gnu Math
        Package (GMP) version 1.3.2; and also verified with GMP on
        another platform by Frank A Stevenson.

   (6)  Reserved.
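   As an added example (not code from the draft or from any Photuris
   implementation), the following Python shows what an implementation
   does with scheme (5): it repeats the strong-prime check the draft
   describes (a Miller-Rabin test on p and on (p-1)/2), reports whether
   the generator 5 spans the whole group or only the order-q subgroup,
   and runs one modular-exponentiation exchange with 256-bit exponents,
   the top of the draft's recommended 196 to 256 bit range.  P_HEX and
   G are copied from the text above; the function names, the exponent
   length, the Miller-Rabin round count and the rejection of the
   degenerate public values 0, 1 and p-1 are this example's own choices.

```python
# Added example; not code from the draft.  Diffie-Hellman over the Exchange
# Scheme (5) group: P_HEX and G are copied from the text above, everything
# else (function names, 256-bit exponents, Miller-Rabin round count) is this
# example's own choice.
import secrets

P_HEX = """
a478 8e21 84b8 d68b fe02 690e 4dbe 485b
17a8 0bc5 f21d 680f 1a84 1313 9734 f7f2
b0db 4e25 3750 018a ad9e 86d4 9b60 04bb
bcf0 51f5 2fcb 66d0 c5fc a63f bfe6 3417
3485 bbbf 7642 e9df 9c74 b85b 6855 e942
13b8 c2d8 9162 abef f434 2435 0e96 be41
edd4 2de9 9a69 6163 8c1d ac59 8bc9 0da0
69b5 0c41 4d8e b865 2adc ff4a 270d 567f
"""
P = int("".join(P_HEX.split()), 16)
G = 5                      # recommended generator for this prime
EXPONENT_BITS = 256        # top of the draft's recommended 196..256 range


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test, the same kind of test the draft says GMP's
    mpz_probab_prime() was run on this modulus."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)        # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                        # composite for certain
    return True


def is_strong_prime(p):
    """'Strong prime' in the draft's sense: p = 2q + 1 with q also prime, so
    the only subgroups have order 1, 2, q or 2q."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def subgroup_order(g, p):
    """For a strong prime p = 2q + 1: order q (g is a quadratic residue) or
    2q (g generates the whole group).  Order 2 only occurs for g == p - 1."""
    q = (p - 1) // 2
    return q if pow(g, q, p) == 1 else 2 * q


def private_exponent(bits=EXPONENT_BITS):
    """Random exponent of exactly `bits` bits (top bit forced)."""
    return secrets.randbits(bits) | (1 << (bits - 1))


def public_value(x):
    return pow(G, x, P)


def shared_secret(peer_public, my_private):
    """Reject the degenerate values 0, 1 and p-1 before exponentiating: with
    those a peer can force the shared secret to a value it already knows."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value outside (1, p-1)")
    return pow(peer_public, my_private, P)


def exchange():
    """Both halves of one exchange; returns each side's computed secret."""
    x_a, x_b = private_exponent(), private_exponent()
    y_a, y_b = public_value(x_a), public_value(x_b)
    return shared_secret(y_b, x_a), shared_secret(y_a, x_b)


if __name__ == "__main__":
    print("modulus bits:", P.bit_length())
    print("p = 2q+1 with both prime:", is_strong_prime(P))
    print("order of g=5:", "2q" if subgroup_order(G, P) == P - 1 else "q")
    s_a, s_b = exchange()
    print("secrets agree:", s_a == s_b, "keying material bits:", s_a.bit_length())
```

   The shared secret is the full 1024-bit residue, which is the "1024
   bits of keying material" the scheme description refers to; the
   session keys are then derived from it by the Attribute's key
   generation hash, not used directly.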
   (7)  Implementation Optional.  Elliptic curve:

        The Identification_Message and Change_Message Privacy-Method is
        3DES-CBC-64.  The Change_Message Validity-Method is SHA.

   (8)  Implementation Optional.  Modular Exponentiation using a
        4096-bit strong prime (p), expressed in hex:

        The recommended generator (g) for this prime is 2.

        Provides 4096 bits of keying material.  The cryptographic
        strength is currently estimated to be equivalent to ??? bits
        (pessimistic).  Exponent lengths of ??? to 1024 bits are
        recommended.

        The Identification_Message and Change_Message Privacy-Method is
        3DES-CBC-64.  The Change_Message Validity-Method is SHA.

2.  Additional Attributes

   The basic Attribute formats are already defined for Photuris
   [Firefly].

   Up-to-date values for the Attribute Type are specified in the most
   recent "Assigned Numbers" [RFC-1700].  This document concerns the
   following values:

      A  I  Type
      +  +   6  SHA
      +     15  RC5
      +     20  Triple DES-CBC, 0-bit IV
      +     21  Triple DES-CBC, 32-bit IV
      +     22  Triple DES-CBC, 64-bit IV
         +  26  PKCS
         +  27  DNS-SIG certificate
         +  28  PGP certificate
         +  29  X.509 certificate chain
      +     32  Sensitivity Label
      +     33  VJ Header Compression
      +     34  LZ77
      +     35  Stac LZS
      +     36  AH-Sequence

      A  Initiator/Responder Attribute-Choice
      I  Identity-Choice
      +  feature must be supported when algorithm optionally supported

2.1.  SHA

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type        6

   Length      0

   The selected Exchange Scheme SHOULD provide at least 80-bits of
   cryptographic strength.

   Attribute-Choice

      When selected as an Initiator or Responder Attribute-Choice,
      pursuant to [RFC-1852], SHA is also used as the key generation
      cryptographic hash for generating the SPI session-key.  All
      160-bits of the generated hash are used for the key.
   Identity-Choice

      When selected as an Identity-Choice, the resulting Verification
      field is 160-bits (22 octets including Size).

      The SHA hash is calculated as described in "Identity
      Verification".

      The authentication secret-key (as specified) is selected based on
      the contents of the Identification field.  The Identification
      field contains a variable precision number.  Valid Identifications
      and secret-keys are preconfigured by the parties.

      There is no required format or content for the Identification
      value.  The value may be a number or string of any kind.

   Validity-Method

      When selected as a Validity-Method, the resulting Verification
      field is 160-bits (22 octets including Size).

      The hash is calculated as described in "Change Verification".  The
      leading shared-secret is not padded to any particular alignment.

2.2.  RC5

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |    Version    |   Word-Size   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Rounds     |   Key-Size    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type        15

   Length      4

   Version     Indicates the most recent version supported.  All
               implementations must support version 16 (0x10).

   Word-Size   The number of bits used by internal calculations.  All
               implementations must support at least 32-bits.

   Rounds      The number of rounds used.  All implementations must
               support at least 12 rounds.

   Key-Size    The number of octets in the session-key.  All
               implementations must support at least 5 octets.

   When offered as an Attribute, the Version, Word-Size, Rounds, and
   Key-Size are set to the maximum supported.

   When chosen as an Attribute, the Version, Word-Size, Rounds, and
   Key-Size are set to the actual values to be used.

   Note that the Key-Size might be limited by available Exchange
   Schemes.  The selected Exchange Scheme SHOULD provide at least
   Key-Size (in bits) of cryptographic strength.
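   As an added example (not code from the draft or from any Photuris
   implementation), the following Python encodes and parses the RC5
   attribute above and checks a peer's chosen values against an offer.
   Type 15, Length 4, the four one-octet fields, and the mandatory
   minimums (version 0x10, 32-bit words, 12 rounds, 5-octet keys) come
   from the text, as does the rule that the Exchange Scheme should
   provide at least Key-Size bits of strength.  The reading that every
   chosen value must be at or below the offered maximum, the function
   names and the sample values are this example's own assumptions.

```python
# Added example; not code from the draft.  Encoding and negotiation checks
# for the RC5 attribute of section 2.2.  Type 15, Length 4, the four one-octet
# fields and the mandatory minimums (version 0x10, 32-bit words, 12 rounds,
# 5-octet keys) are from the text.  The "chosen <= offered" reading of the
# offer/choice rule, the function names and the sample values are this
# example's own assumptions.
import struct
from dataclasses import dataclass

RC5_TYPE = 15
RC5_LENGTH = 4
RC5_MINIMUMS = {"version": 0x10, "word_size": 32, "rounds": 12, "key_size": 5}
FIELDS = ("version", "word_size", "rounds", "key_size")


@dataclass(frozen=True)
class RC5Attribute:
    version: int
    word_size: int      # bits used by internal calculations
    rounds: int
    key_size: int       # octets in the session-key


def encode_rc5(attr):
    """Type | Length | Version | Word-Size | Rounds | Key-Size, one octet each."""
    values = [getattr(attr, f) for f in FIELDS]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("RC5 attribute fields are single octets")
    return struct.pack("!6B", RC5_TYPE, RC5_LENGTH, *values)


def decode_rc5(data):
    """Parse one RC5 attribute, checking Type and Length before trusting the
    field octets."""
    if len(data) < 2:
        raise ValueError("truncated attribute header")
    atype, alen = data[0], data[1]
    if atype != RC5_TYPE:
        raise ValueError("not an RC5 attribute (Type %d)" % atype)
    if alen != RC5_LENGTH or len(data) < 2 + alen:
        raise ValueError("bad RC5 attribute Length")
    return RC5Attribute(*data[2:2 + alen])


def meets_minimums(attr):
    """Every implementation must support these floors, so a value below one
    of them is a malformed (or downgraded) attribute, not a legal weak one."""
    return all(getattr(attr, f) >= RC5_MINIMUMS[f] for f in FIELDS)


def max_key_octets(scheme_strength_bits):
    """Largest Key-Size the Exchange Scheme's estimated strength covers; the
    draft says the scheme SHOULD provide at least Key-Size (in bits)."""
    return scheme_strength_bits // 8


def validate_choice(offered, chosen, scheme_strength_bits):
    """Check a peer's chosen RC5 attribute against our offer.  Returns the
    list of problems found (empty means acceptable)."""
    problems = []
    if not meets_minimums(chosen):
        problems.append("below mandatory minimums")
    for f in FIELDS:
        if getattr(chosen, f) > getattr(offered, f):
            problems.append("%s exceeds offered maximum" % f)
    if chosen.key_size > max_key_octets(scheme_strength_bits):
        problems.append("key_size exceeds exchange scheme strength")
    return problems


if __name__ == "__main__":
    # Constructed sample: we offer our maxima, the peer picks actual values,
    # and the exchange is scheme (3)/(5) at its pessimistic 86-bit estimate.
    offered = RC5Attribute(version=0x10, word_size=64, rounds=16, key_size=16)
    chosen = decode_rc5(encode_rc5(RC5Attribute(0x10, 32, 12, 10)))
    print(encode_rc5(offered).hex(), validate_choice(offered, chosen, 86))
    print(validate_choice(offered, RC5Attribute(0x10, 32, 8, 16), 86))
```

   With the 86-bit pessimistic estimate of schemes (3) and (5), the
   largest Key-Size the check accepts is 10 octets; a 16-octet key would
   need one of the larger schemes.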
   Attribute-Choice

      When selected as an Initiator or Responder Attribute-Choice,
      pursuant to [RFC-xxxx], MD5 is used as the key generation
      cryptographic hash for generating the SPI session-key.  The most
      significant Key-Size octets of the generated hash are used for the
      key.

   Privacy-Method

      When selected as a Privacy-Method, MD5 is used as the key
      generation cryptographic hash for generating the privacy
      session-key.  The most significant Key-Size octets of the
      generated hash are used for the key.

      The least-significant bits of the ???-bit Initialization Vector
      (IV) are set to the least-significant bits of the Type, LifeTime,
      and SPI fields.  Encryption begins with the next field, and
      continues to the end of the data indicated by the UDP Length.

2.3.  Triple DES-CBC

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type        20, 21 or 22

   Length      0

   This attribute indicates EDE encryption (and DED decryption) with
   three 56-bit keys.

   The selected Exchange Scheme SHOULD provide at least 112-bits of
   cryptographic strength.

   Attribute-Choice

      When selected as an Initiator or Responder Attribute-Choice,
      pursuant to [RFC-1851], MD5 is used as the key generation
      cryptographic hash for generating the three SPI session-keys.

      The first MD5 hash is generated as described in [Firefly].

      A second MD5 hash is calculated over the following concatenated
      values:

       + the computed shared-secret,
       + the first 128-bit hash,
       + the computed shared-secret again.

      A third MD5 hash is calculated over the following concatenated
      values:

       + the computed shared-secret,
       + the second 128-bit hash,
       + the computed shared-secret again.

      In all three keys, the most significant 64-bits of the generated
      hash are used for the key.  The least significant bit of each
      octet is ignored (or set to parity).
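   As an added example (not code from the draft or from any Photuris
   implementation), the following Python carries out the three-key
   derivation just described: the second and third MD5 hashes are
   chained over shared-secret, previous hash, shared-secret again; the
   most significant 64 bits of each hash become a key; and the low bit
   of every octet is set to DES parity.  The first hash is taken as an
   input because its construction lives in the base Photuris
   specification, not on this page; the sample shared-secret and first
   hash are constructed, and the degenerate-key check at the end is this
   example's own addition, not a requirement of the draft.

```python
# Added example; not code from the draft.  The three-key derivation of
# section 2.3 (Attribute-Choice): the chaining of the second and third MD5
# hashes, the use of the most significant 64 bits, and the parity rule are
# from the text.  The first hash is an input here because its construction
# belongs to the base Photuris specification, not to this page; the sample
# secret and first hash are constructed for the demonstration.
import hashlib

SAMPLE_SECRET = b"constructed-shared-secret-not-from-the-draft"
SAMPLE_FIRST_HASH = bytes(range(16))     # stands in for the base-spec MD5 hash


def des_parity_adjust(key):
    """Set the least significant bit of every octet so that the octet has odd
    parity (the draft: that bit is ignored or set to parity)."""
    out = bytearray()
    for octet in key:
        high7 = octet & 0xFE
        out.append(high7 | ((bin(high7).count("1") + 1) & 1))
    return bytes(out)


def has_odd_parity(key):
    return all(bin(octet).count("1") % 2 == 1 for octet in key)


def derive_3des_keys(shared_secret, first_hash):
    """Returns (K1, K2, K3), each 8 octets with DES parity set.

    second = MD5(secret || first  || secret)
    third  = MD5(secret || second || secret)
    """
    if len(first_hash) != 16:
        raise ValueError("first hash must be a 128-bit MD5 digest")
    second = hashlib.md5(shared_secret + first_hash + shared_secret).digest()
    third = hashlib.md5(shared_secret + second + shared_secret).digest()
    return tuple(des_parity_adjust(h[:8]) for h in (first_hash, second, third))


def degenerate(k1, k2, k3):
    """Not required by the draft: EDE with repeated keys collapses to single
    DES, so a receiver may refuse such a key set before installing the SPI."""
    return len({k1, k2, k3}) < 3


if __name__ == "__main__":
    keys = derive_3des_keys(SAMPLE_SECRET, SAMPLE_FIRST_HASH)
    for i, k in enumerate(keys, 1):
        print("K%d = %s parity ok: %s" % (i, k.hex(), has_odd_parity(k)))
    print("degenerate:", degenerate(*keys))
```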
   Privacy-Method

      When selected as a Privacy-Method, MD5 is used as the key
      generation cryptographic hash for generating the privacy
      session-keys.  The three keys are generated as described above.

      The 64-bit Initialization Vector (IV) is set to the Type,
      LifeTime, and SPI fields.  Encryption begins with the next field,
      and continues to the end of the data indicated by the UDP Length.

2.4.  PGP certificate

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type        28

   Length      0

   When selected as a Signature-Choice, the resulting Signature field
   size is variable.  PGP certificates include an identification of the
   signature algorithm.  As a minimum, it is required that all
   implementations support MD5 with RSA.

   A Certificate field always follows the Signature field, and contains
   a PGP certificate.  The PGP formats document is distributed with
   every copy of PGP.  If the implementation cannot handle the given
   certificate, an Error_Message indicates Signature Failure.

   PGP certificates include version numbers.  All implementations must
   support version 3 (PGP 2.6) certificates.  A certificate chain can
   include certificates with different version numbers.

   The length of the RSA key is encoded in each certificate.  All
   implementations must support a minimum of 2048-bit keys.

2.5.  X.509 certificate chain

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type        29

   Length      0

               Future extensions to this attribute may add parameter
               values.  This will be indicated by a non-zero value.

   When selected as a Signature-Choice, the resulting Signature field
   size is variable.  X.509 certificates include an identification of
   the signature algorithm.  As a minimum, it is required that all
   implementations support MD5 with RSA.
   A Certificate field always follows the Signature field, and contains
   a chain of X.509 certificates [??? reference].  If the implementation
   cannot handle the given certificate chain, an Error_Message indicates
   Signature Failure.

   X.509 certificates include version numbers.  All implementations must
   support X.509.v1 (1988) certificates.  A certificate chain can
   include certificates with different version numbers.

   The length of the RSA key is encoded in each certificate.  All
   implementations must support a minimum of 512-bit keys.  Different
   certificates in the chain may have different signature algorithms and
   key lengths.

   To improve performance, an implementation can cache the public keys
   for the issuers that frequently sign end-user certificates.  These
   cached public keys can be used to verify the final certificate, and
   avoid the cost of verifying each certificate in the chain.  However,
   the transmitter should always send the entire chain.

2.6.  DNS-SIG

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type        27

   Length      0

2.7.  Sensitivity Label

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type        32

   Length      0

2.8.  VJ Header Compression

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |     Slots     |     Flags     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type        33

   Length      2

   Slots       indicates the maximum slot identifier.  This is one less
               than the actual number of slots; the slot identifier has
               values from zero to Slots.

               There may be implementations that have problems with
               small numbers.  The example in [RFC-1144] will only work
               with 3 through 254 slots.

   Flags       (0)  All compressed TCP packets must set the C bit in
                    every change mask, and must include the slot
                    identifier.

               (1)  The slot identifier may be compressed.
                    This requires an ability for the implementation to
                    indicate all errors in reception to the
                    decompression module.  Synchronization after errors
                    depends on waiting for a packet with the slot
                    identifier.  See the discussion in [RFC-1144].

   When selected as an Initiator or Responder Attribute-Choice, all data
   encapsulated in ESP [RFC-1827] is first compressed according to
   [RFC-1144].

   Note that this attribute requires ordered delivery.  Therefore, this
   attribute is principally used for single network hops.

2.9.  LZ77

2.10.  Stac LZS

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |         History-Count         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Check-Mode   |
   +-+-+-+-+-+-+-+-+

   Type        35

   Length      3

   History-Count
               two octets, most significant octet first.  Specifies the
               maximum number of Compression Histories.

               (0)  the implementation expects the peer to reset the
                    Compression History at the beginning of every
                    packet.

               (1)  only one history is maintained.

               Other valid values range from 2 to 65535.

               The peer is not required to send as many histories as
               the implementation indicates that it can receive.

   Check-Mode  indicates support of LCB, CRC or Sequence checking.

               0    None (default)
               1    LCB
               2    CRC
               4    Sequence Number

   When offered as an Attribute, the History-Count is set to the maximum
   histories that can be sent, and the Check-Mode is the XOR of the
   modes supported.

   When selected as an Initiator or Responder Attribute-Choice, the
   History-Count is set to the maximum histories that can be received
   (less than or equal to the number offered), and the Check-Mode is set
   to only one of the modes supported.

2.11.  AH-Sequence

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type        36

   Length      0

   When selected as an Initiator or Responder Attribute-Choice, the
   previously Reserved field of the Authentication Header (AH)
   [RFC-1826] contains a 16-bit sequence number.

   The SPI Owner (receiver) validates this number within an
   implementation dependent range of expected values.  Any AH protected
   datagram that fails this test is silently discarded.

   When the range has been exhausted, the SPI Owner (receiver) expires
   the SPI, despite any remaining SPI LifeTime.  On arrival of an AH
   protected datagram with an expired SPI, an appropriate ICMP Security
   Failures message is generated (Type 40 Code 0), and the datagram is
   discarded.

Security Considerations

   Security issues are the primary topic of this memo.

Acknowledgements

   Robert W Baldwin of RSA provided text for RC5 and X.509 Certificates.

References

   [Firefly]      "Photuris" is the latin name for the firefly.
                  "Firefly" is in turn the name for the USA National
                  Security Administration's (classified) key exchange
                  protocol for the STU-III secure telephone.  Informed
                  speculation has it that Firefly is based on very
                  similar design principles.

   [RFC-1700]     Reynolds, J., and Postel, J., "Assigned Numbers",
                  STD 2, RFC-1700, USC/Information Sciences Institute,
                  October 1994.

   [RFC-1825]     Atkinson, R., "Security Architecture for the Internet
                  Protocol", RFC-1825, Naval Research Laboratory, July
                  1995.

   [RFC-1826]

   [RFC-1827]

   [RFC-1850]

   [RFC-1851]

   [Schneier94]   Schneier, B., "Applied Cryptography", John Wiley &
                  Sons, New York, NY, 1994.  ISBN 0-471-59756-2.
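   As an added example (not code from the draft or from any Photuris or
   AH implementation), the following Python shows the SPI Owner's side
   of the AH-Sequence check of section 2.11: a datagram whose 16-bit
   sequence number falls inside the range of expected values and has not
   been seen before is accepted, anything else is silently discarded,
   the SPI is expired once the range is exhausted regardless of
   remaining LifeTime, and a datagram arriving on an expired SPI is
   answered with ICMP Security Failures (Type 40, Code 0).  The
   sliding-window bitmap, the window size, and the decision to bound
   forward jumps by the same window are this example's own choices,
   since the draft leaves the range implementation dependent; the
   arrival order in the demonstration is constructed.

```python
# Added example; not code from the draft.  Receiver-side handling of the
# 16-bit AH-Sequence number of section 2.11: accept within a range of
# expected values, silently discard anything else, expire the SPI once the
# range is exhausted, and answer an expired SPI with ICMP Security Failures
# (Type 40, Code 0).  The sliding-window bitmap, the window size and the
# decision to bound forward jumps by the same window are this example's
# choices (the draft leaves the range implementation dependent).
from enum import Enum

SEQ_MAX = 0xFFFF                       # 16-bit sequence number
ICMP_SECURITY_FAILURES = (40, 0)       # (Type, Code) from the draft


class Verdict(Enum):
    ACCEPT = "accept"
    DISCARD = "silently discard"
    EXPIRED = "discard, send ICMP Security Failures"


class AHSequenceState:
    """Per-SPI state kept by the SPI Owner (receiver)."""

    def __init__(self, window=64):
        self.window = window
        self.highest = -1      # highest sequence number accepted so far
        self.bitmap = 0        # bit i set: highest - i has been received
        self.expired = False

    def check(self, seq):
        if self.expired:
            return Verdict.EXPIRED
        if not 0 <= seq <= SEQ_MAX:
            return Verdict.DISCARD
        if seq > self.highest:
            jump = seq - self.highest
            if jump > self.window:
                return Verdict.DISCARD           # beyond the expected range
            mask = (1 << self.window) - 1
            self.bitmap = ((self.bitmap << jump) | 1) & mask
            self.highest = seq
        else:
            back = self.highest - seq
            if back >= self.window or (self.bitmap >> back) & 1:
                return Verdict.DISCARD           # too old, or a replay
            self.bitmap |= 1 << back
        if self.highest == SEQ_MAX:
            self.expired = True   # range exhausted: SPI ends regardless of LifeTime
        return Verdict.ACCEPT


def icmp_to_send(verdict):
    """What, if anything, goes back to the sender for a given verdict."""
    return ICMP_SECURITY_FAILURES if verdict is Verdict.EXPIRED else None


if __name__ == "__main__":
    state = AHSequenceState(window=8)
    # Constructed arrival order: in-order, replayed, reordered, far-future.
    for seq in (0, 1, 1, 4, 2, 3, 50, 5):
        v = state.check(seq)
        print("seq %5d -> %s %s" % (seq, v.value, icmp_to_send(v) or ""))
```

   Because the counter is only 16 bits and never wraps here, a sender
   that transmits quickly exhausts the range long before a typical SPI
   LifeTime; the expiry on exhaustion is what keeps a sequence number
   from being reused under the same key.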
Author's Address

   Questions about this memo can also be directed to:

      William Allen Simpson
      Daydreamer
      Computer Systems Consulting Services
      1384 Fontaine
      Madison Heights, Michigan  48071

      Bill.Simpson@um.cc.umich.edu
      bsimpson@MorningStar.com

Table of Contents

     1.     Additional Exchange Schemes ...........................    1

     2.     Additional Attributes .................................    3
        2.1       SHA .............................................    3
        2.2       RC5 .............................................    4
        2.3       Triple DES-CBC ..................................    6
        2.4       PGP certificate .................................    7
        2.5       X.509 certificate chain .........................    7
        2.6       DNS-SIG .........................................    8
        2.7       Sensitivity Label ...............................    9
        2.8       VJ Header Compression ...........................    9
        2.9       LZ77 ............................................   10
        2.10      Stac LZS ........................................   10
        2.11      AH-Sequence .....................................   11

     SECURITY CONSIDERATIONS ......................................   12

     ACKNOWLEDGEMENTS .............................................   12

     REFERENCES ...................................................   12

     AUTHOR'S ADDRESS .............................................   12