IPSEC Working Group                                         Ashar Aziz
INTERNET-DRAFT                                  Sun Microsystems, Inc.
Expires in six months                                February 20, 1995

              SKIP extension for Perfect Forward Secrecy (PFS)

Status of this Memo

   This document is a submission to the IETF Internet Protocol Security
   (IPSEC) Working Group.  Comments are solicited and should be
   addressed to the working group mailing list (ipsec@ans.net) or to
   the authors.

   This document is an Internet-Draft.  Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet-Drafts draft documents are valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   To learn the current status of any Internet-Draft, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
   ftp.isi.edu (US West Coast).

   Distribution of this memo is unlimited.

draft-ietf-ipsec-skip-pfs-00.txt                                [Page 1]
INTERNET-DRAFT          Skip Extension for PFS          February 22, 1996

Abstract

   This document describes an optional extension specifying how to use
   an ephemeral Diffie-Hellman exchange in conjunction with the SKIP
   protocol in order to provide perfect forward secrecy for situations
   where forward secrecy is necessary.

1. Introduction

   This document describes how an ephemeral Diffie-Hellman key exchange
   can be used in conjunction with the SKIP key distribution protocol
   [1] to provide Perfect Forward Secrecy (PFS) for situations where
   PFS is required.
   The certificate discovery protocol [2] is used to exchange ephemeral
   Diffie-Hellman values by defining a new certificate type for
   ephemeral DH certificates.  This ephemeral certificate is then used
   to compute an ephemeral master key, which is used in place of the
   master keys Kijn used in the base SKIP protocol.  In addition, a new
   Master Key-ID (MKID) type is defined here to indicate the use of
   ephemeral master keys.

   In addition to perfect forward secrecy, principal anonymity is also
   supported in the context of the ephemeral certificate exchange.

   No new protocol family is introduced in order to provide PFS with
   SKIP.  Rather, existing mechanisms such as the certificate discovery
   protocol and the extensible MKID types are used to optionally
   provide PFS over the base SKIP protocol.

   Using an ephemeral Diffie-Hellman exchange introduces greater
   bilateral state and overhead than is present in the base SKIP
   protocol.  When using ephemeral certificates, certain features of
   the base SKIP protocol that rely on statelessness (e.g. quick
   failover of intermediate nodes) become unavailable.  Optional use of
   both the stateless and stateful modes of operation (with the
   associated absence and presence of PFS) is specified in the context
   of the SKIP protocol to provide greater flexibility than is possible
   with protocols that provide only one or the other mode of operation.

2. Cryptographic Description of Ephemeral Certificate Exchange

   Cryptographic notation used for describing ephemeral certificates:

   Note: All exponentiations (e.g. g^x) are mod p.  The mod p reduction
   is assumed, and is omitted for the sake of brevity.
   g^x:        Ephemeral Diffie-Hellman public value of initiator (I)
   g^y:        Ephemeral Diffie-Hellman public value of responder (J)
   g^i:        Certified long-term Diffie-Hellman value of initiator
   g^j:        Certified long-term Diffie-Hellman value of responder
   Cert_I:     Long-lived certificate of initiator, containing value g^i
   Cert_J:     Long-lived certificate of responder, containing value g^j
   {Message}K: Message authenticated with a Message Authentication Code
               (MAC) computed using key K
   [Message]K: Message encrypted using key K
   EMKID_J_I:  Ephemeral Master Key-ID used in packets from J to I
   EMKID_I_J:  Ephemeral Master Key-ID used in packets from I to J

   The ephemeral certificate exchange is described using the notation
   above as follows:

   I->J: { g^x, g, p, [Cert_I]g^xj, EMKID_J_I }Kij
   J->I: { g^y, g, p, [Cert_J]g^xj, EMKID_J_I, EMKID_I_J }Kij

   The ephemeral master key (denoted as EKijn) is computed as

      EKijn = MD5(Kij | g^xy | n | 01) | MD5(Kij | g^xy | n | 00)

   where n is the counter from the SKIP header.  This master key
   computation is very similar to the master key computation specified
   in the base SKIP protocol, with the exception of the inclusion of
   the ephemeral Diffie-Hellman shared secret g^xy in the master key
   hash computation.  As in the base SKIP protocol, "00" and "01"
   refer to one-byte values containing the values 0 and 1
   respectively, and "|" refers to concatenation.

   The values EMKID_I_J and EMKID_J_I refer to the ephemeral Master
   Key-ID to be used in SKIP packets sent from I to J and from J to I,
   respectively.  I picks the ephemeral MKID to be used in packets sent
   from J to I, and J picks the ephemeral MKID to be used in packets
   sent from I to J.  In either case, both ephemeral MKIDs identify the
   same EKijn, computed as specified above.  This EKijn is used to
   encrypt the packet key Kp present in the SKIP header.

   The encryption of each principal's certificate using g^xj is
   optional.
   It is used to provide anonymity of the parties involved in the
   ephemeral exchange.  In case anonymity is not desired or necessary
   (e.g. node to node communications) the encryption using g^xj may be
   omitted.

3. Ephemeral Certificate Format

   An ephemeral certificate contains essentially an ephemeral randomly
   generated Diffie-Hellman public value, authenticated using the
   long-lived certified Diffie-Hellman values used by the base SKIP
   protocol.  The certificate is authenticated using Kij from the base
   SKIP protocol as a key to compute a MAC over the certificate
   contents.

   Each principal involved in an ephemeral certificate exchange
   computes an ephemeral master key by combining the ephemeral
   Diffie-Hellman shared secret with the long-lived Diffie-Hellman
   shared secret as specified above.  This ephemeral master key is then
   used to encrypt the traffic keys Kp communicated in the SKIP header.

   In addition to the ephemeral Diffie-Hellman public value, an
   ephemeral certificate contains the identity and certified
   Diffie-Hellman public value of the principal sending it (the
   initiator's in the certificate from I to J, the responder's in the
   certificate from J to I).  This identity MAY be encrypted in order
   to provide anonymity.
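   The key computations of Section 2 and the combination of ephemeral
   and long-lived shared secrets described above, carried through on
   both sides of one exchange, as an added example in Python (this
   code is not part of the draft and not taken from any SKIP
   implementation).  It assumes a toy 64-bit group so that the
   arithmetic runs quickly, and, because the derivation of Kij from
   g^ij belongs to the base SKIP protocol [1] and is not reproduced on
   this page, it assumes Kij = MD5(g^ij) as a stand-in.  The group,
   private exponents and counter are constructed for the example.  It
   also shows what the validity-interval rule buys: after a principal
   destroys its ephemeral exponent, a fresh exchange yields the same
   Kij but a different EKijn, so EKijn cannot be recovered later.

```python
"""Ephemeral master key derivation for SKIP PFS, computed on both sides.
Added example; the toy group and the Kij derivation are assumptions."""
import hashlib
import secrets

# Toy 64-bit group for illustration only: p = 2^64 - 59 (prime), g = 2.
P = 0xFFFFFFFFFFFFFFC5
G = 2


def octets(v):
    """Big-endian octet string, most significant octet first."""
    return v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")


def base_kij(g_ij):
    """Kij is derived from g^ij by the base SKIP protocol [1], which this
    page does not reproduce; MD5(g^ij) is assumed here as a stand-in."""
    return hashlib.md5(octets(g_ij)).digest()


def ekijn(kij, g_xy, n):
    """EKijn = MD5(Kij | g^xy | n | 01) | MD5(Kij | g^xy | n | 00),
    with n the 32-bit SKIP counter and 01 / 00 single octets."""
    common = kij + octets(g_xy) + n.to_bytes(4, "big")
    return (hashlib.md5(common + b"\x01").digest()
            + hashlib.md5(common + b"\x00").digest())


class Principal:
    def __init__(self, long_term_priv):
        self.lt_priv = long_term_priv             # i (or j)
        self.lt_pub = pow(G, long_term_priv, P)   # g^i (or g^j), from Cert_I / Cert_J
        self.eph_priv = self.eph_pub = None

    def fresh_ephemeral(self):
        """Pick x (or y) and publish g^x (or g^y) in an ephemeral certificate."""
        self.eph_priv = secrets.randbelow(P - 3) + 2
        self.eph_pub = pow(G, self.eph_priv, P)
        return self.eph_pub

    def derive(self, peer_lt_pub, peer_eph_pub, n, initiator):
        """Return (Kij, g^xj, EKijn) as computed on this side."""
        g_ij = pow(peer_lt_pub, self.lt_priv, P)
        g_xy = pow(peer_eph_pub, self.eph_priv, P)
        # g^xj: I raises g^j to x, J raises g^x to j.  Only I and J can form
        # it, which is why it can key the optional [Cert]g^xj encryption.
        g_xj = (pow(peer_lt_pub, self.eph_priv, P) if initiator
                else pow(peer_eph_pub, self.lt_priv, P))
        kij = base_kij(g_ij)
        return kij, g_xj, ekijn(kij, g_xy, n)

    def destroy(self):
        """End of validity interval: forget x (or y), so g^xy and EKijn
        cannot be recomputed even if i or j is exposed later."""
        self.eph_priv = self.eph_pub = None


def run_exchange(i, j, n):
    """One ephemeral certificate exchange; returns I's and J's results."""
    gx = i.fresh_ephemeral()   # I->J: { g^x, g, p, [Cert_I]g^xj, EMKID_J_I }Kij
    gy = j.fresh_ephemeral()   # J->I: { g^y, g, p, [Cert_J]g^xj, EMKID_J_I, EMKID_I_J }Kij
    return (i.derive(j.lt_pub, gy, n, initiator=True),
            j.derive(i.lt_pub, gx, n, initiator=False))


if __name__ == "__main__":
    I, J = Principal(0x1234567890ABCDEF), Principal(0xFEDCBA0987654321)
    side_i, side_j = run_exchange(I, J, n=7)
    assert side_i == side_j
    print("EKijn:", side_i[2].hex())
```

   Both sides arrive at the same Kij, g^xj and EKijn without either
   ever sending x or y; the 32-byte EKijn is the concatenation of the
   two MD5 outputs exactly as the formula in Section 2 writes it.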
   The following is the format of an ephemeral certificate:

   Ephemeral Diffie-Hellman Certificate Format:

    0               1               2               3
    0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Ver  | Rsvd  |   Protocol    |     Port      | Cert MAC Alg  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                  Validity Interval (Seconds)                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    DH Public Value Length     |  DH Public Value (g^x or g^y) ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ~                                                               ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Generator Length        |         Generator (g)         ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ~                                                               ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Modulus Length         |          Modulus (p)          ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ~                                                               ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               Ephemeral Master Key-ID EMKID_I_J               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               Ephemeral Master Key-ID EMKID_J_I               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Cert Enc. Alg |   Cert Type   |    Encrypted Cert. Length     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               Encrypted Long-Lived Certificate                ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ~                                                               ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Ephemeral Certificate MAC                   ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ~                                                               ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The version field specifies the version number of the ephemeral
   certificate.  The version field MUST be 1 for this version of the
   certificate format.

   The protocol and port # together identify the responder for which
   the certificate exchange is intended.
   An example of a responder could be a telnet or ftp process, in which
   case the protocol field would specify TCP, and the port # would
   identify the corresponding listener port for the telnet or ftp
   daemon process.  If the protocol field is zero, then the node, as
   opposed to a process on the node, is the principal with which the
   ephemeral certificate exchange takes place.  In the certificate sent
   from J to I (responder to initiator) these fields MUST be zero
   filled.

   "Cert MAC Alg" identifies the MAC algorithm which is used to compute
   a MAC over the certificate contents.  The scope of the MAC
   computation is the entire certificate, with the MAC field treated as
   zero filled for the purposes of the MAC computation.

   The "Validity Interval" specifies how long the ephemeral master key
   derived from this exchange should be used for.  This value is in
   seconds.  A responder MAY choose a different value for this field
   than the initiator, in which case the actual validity interval for
   this master key is the minimum of the two values in the exchange.
   At the end of the validity interval, the ephemeral master key and
   all associated secret information are destroyed by both the
   responder and the initiator.  A new exchange may be initiated either
   subsequent or prior to the expiry of the ephemeral master key, in
   case there is still encrypted traffic that needs to be sent in PFS
   mode.

   DH Public Value Length specifies the length of the DH public value
   field.  DH Public Value contains the ephemeral DH public value (g^x
   or g^y), specified as a string of octets with the most significant
   octet first.  Similarly, Generator Length, Generator and Modulus
   Length, Modulus specify the lengths and values of the Generator (g)
   and the Modulus (p) used for the DH computation.  A responder MUST
   use the same values for the generator and modulus as the initiator.
   The field EMKID_I_J specifies what the ephemeral MKID should be for
   packets sent from I to J.  Since J picks the value of this field,
   this field MUST be zero filled in the ephemeral certificate sent
   from I to J.  The value of this field is specified in the ephemeral
   certificate sent from J to I.

   The field EMKID_J_I specifies what the ephemeral MKID field contains
   for packets sent from J to I.  I picks the value of this field, and
   J MUST fill in the same value in this field as was present in the
   ephemeral certificate that J received from I.

   Each of EMKID_I_J and EMKID_J_I is used only as the Destination MKID
   in a SKIP header.  When used in ephemeral master key mode, the
   Source MKID MUST be absent, and indicated by a zero filled Source
   NSID field in the SKIP header.  The combination of an ephemeral
   Destination MKID and the destination IP address uniquely identifies
   an ephemeral master key.

   "Cert Enc. Alg" specifies the encryption algorithm used to encrypt
   I's and J's long-lived certificate.  This is the same DH certificate
   as used in the base SKIP protocol.  The type of this certificate is
   indicated using the "Cert Type" field.  This value MUST NOT refer to
   an ephemeral certificate type.

   The certificate is encrypted using the low-order key-size bits of
   g^xj as the encryption key.  If the encryption algorithm requires
   per-message variables (e.g. an IV) then these are derived using the
   high-order variable-size bits of g^xj.  Since only I and J can
   properly compute g^xj, the encryption of I's and J's certificates
   provides principal anonymity for situations where anonymity is
   desired.  The anonymity protection provided is secure against both
   active and passive forms of attack.

   If the "Cert Enc. Alg" field is zero, then the long-lived
   certificate is in the clear.  In this case the field "Encrypted
   Long-Lived Certificate" contains the long-lived DH certificate in
   the clear.
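   A serializer and parser for the ephemeral certificate format above,
   together with the checks this section requires of a receiver, as an
   added example in Python (not part of the draft and not taken from
   any SKIP implementation).  The diagram gives no bit widths for the
   first word or for the length fields, so the code assumes Ver:4,
   Rsvd:4, Protocol:8, Port:8 and Cert MAC Alg:8 packed into one
   32-bit word, 16-bit big-endian length prefixes, and 32-bit EMKIDs.
   The "Cert MAC Alg" code point 1 (meaning HMAC-MD5 keyed with Kij)
   and the "Cert Type" value 9 (standing for the ephemeral type
   itself) are hypothetical, since the page leaves those assignments
   to IANA.  Kij is taken as already derived, and the long-lived
   certificate is carried in the clear (Cert Enc. Alg = 0).  Sample
   values in the usage are constructed for the example.

```python
"""Ephemeral DH certificate: wire format, MAC scope and receiver checks.
Added example; the field widths and code points below are assumptions."""
import hashlib
import hmac
import struct

VERSION = 1               # the draft fixes Ver = 1 for this format
MAC_ALG_HMAC_MD5 = 1      # hypothetical "Cert MAC Alg" code point
MAC_LEN = 16              # HMAC-MD5 output length
EPHEMERAL_CERT_TYPE = 9   # hypothetical "Cert Type" value for this format


def _mpi(value):
    """Assumed 16-bit length prefix + big-endian octets, MS octet first."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return struct.pack(">H", len(body)) + body


def build_cert(kij, *, protocol, port, validity, dh_pub, g, p,
               emkid_i_j, emkid_j_i, cert_type, long_lived_cert, enc_alg=0):
    """Serialize one ephemeral certificate and append its MAC.  The MAC
    covers the whole certificate with the MAC field zero-filled."""
    # Assumed first word: Ver:4 | Rsvd:4 | Protocol:8 | Port:8 | Cert MAC Alg:8
    word0 = (VERSION << 28) | (protocol << 16) | (port << 8) | MAC_ALG_HMAC_MD5
    body = struct.pack(">II", word0, validity)
    body += _mpi(dh_pub) + _mpi(g) + _mpi(p)
    body += struct.pack(">II", emkid_i_j, emkid_j_i)
    body += struct.pack(">BBH", enc_alg, cert_type, len(long_lived_cert))
    body += long_lived_cert
    mac = hmac.new(kij, body + bytes(MAC_LEN), hashlib.md5).digest()
    return body + mac


def parse_cert(blob):
    """Decode the fields without trusting them; raises on truncation."""
    off = 0
    word0, validity = struct.unpack_from(">II", blob, off)
    off += 8
    f = {"ver": word0 >> 28, "rsvd": (word0 >> 24) & 0xF,
         "protocol": (word0 >> 16) & 0xFF, "port": (word0 >> 8) & 0xFF,
         "mac_alg": word0 & 0xFF, "validity": validity}
    for name in ("dh_pub", "g", "p"):
        (n,) = struct.unpack_from(">H", blob, off)
        off += 2
        if off + n > len(blob):
            raise ValueError("truncated " + name)
        f[name] = int.from_bytes(blob[off:off + n], "big")
        off += n
    f["emkid_i_j"], f["emkid_j_i"] = struct.unpack_from(">II", blob, off)
    off += 8
    f["enc_alg"], f["cert_type"], n = struct.unpack_from(">BBH", blob, off)
    off += 4
    f["long_lived_cert"] = blob[off:off + n]
    off += n
    if len(blob) - off != MAC_LEN:
        raise ValueError("bad MAC length")
    f["mac"], f["_body"] = blob[off:], blob[:off]
    return f


def mac_ok(f, kij):
    """Recompute the MAC over the body with the MAC field zero-filled."""
    want = hmac.new(kij, f["_body"] + bytes(MAC_LEN), hashlib.md5).digest()
    return hmac.compare_digest(want, f["mac"])


def accept_cert(blob, kij, *, from_initiator, expected_emkid_j_i=None):
    """The checks a receiver applies; returns the fields, or None when the
    certificate MUST be discarded.  Kij is assumed already derived from
    the sender's long-lived certificate (g^ij) before this is called."""
    try:
        f = parse_cert(blob)
    except (struct.error, ValueError):
        return None
    if f["ver"] != VERSION or f["mac_alg"] != MAC_ALG_HMAC_MD5:
        return None
    if f["cert_type"] == EPHEMERAL_CERT_TYPE:    # MUST NOT be an ephemeral type
        return None
    if from_initiator:                           # cert from I: J picks EMKID_I_J,
        if f["emkid_i_j"] != 0:                  # so I MUST send it zero filled
            return None
    else:                                        # cert from J: protocol/port zero,
        if f["protocol"] or f["port"]:           # EMKID_J_I echoes I's choice
            return None
        if f["emkid_j_i"] != expected_emkid_j_i:
            return None
    if not mac_ok(f, kij):                       # bad MAC: discard
        return None
    return f
```

   The effective validity interval after a successful exchange is
   min(cert_I.validity, cert_J.validity), per the rule above; the MAC
   is checked last only because the earlier field checks are cheap and
   need no key, and any failure leads to the same outcome: the
   certificate is dropped and no EKijn is derived from it.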
   When J receives an encrypted long-lived certificate, it first
   computes g^xj in order to decrypt the long-lived DH certificate.
   Having obtained (and verified) the long-lived certificate (which
   contains the value g^i), J computes g^ij, and thereby Kij, which it
   uses to verify the "Ephemeral Certificate MAC" field of the
   ephemeral certificate.  If the MAC field is incorrect, the ephemeral
   certificate MUST be discarded.  If the MAC field is correct, J
   computes EKijn as specified above and responds with its own
   ephemeral certificate, containing g^y.

   When I receives an ephemeral certificate, it uses the value
   EMKID_J_I to locate the request for which this is the corresponding
   response.  A non-zero EMKID_I_J field indicates that this is a
   response to an ephemeral certificate request initiated by I, as
   opposed to a new certificate exchange initiated by J.

4. Informational

   The following shows an example of how the ephemeral certificate
   exchange is used in conjunction with the SKIP header.

   Assume that the value EMKID_J_I is 1001, and the value EMKID_I_J is
   2007 after a successful ephemeral certificate exchange.  EKijn is
   computed as described in Section 2 above.

   SKIP Header in packet sent from I to J

    0               1               2               3
    0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Clear IP Header protocol = SKIP...  (typically 20-bytes)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Ver  | Rsvd. |  Src NSID=0   | Dst NSID=EMKID|  NEXT HEADER  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Counter n                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Kij alg.    |   Crypt alg   |   MAC Alg.    |   Comp Alg    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Kp encrypted in EKijn...
                                         (typically 8-16 bytes)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Destination MKID (contains the value 2007)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   SKIP Header in packet from J to I

    0               1               2               3
    0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Clear IP Header protocol = SKIP...  (typically 20-bytes)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Ver  | Rsvd. |  Src NSID=0   | Dst NSID=EMKID|  NEXT HEADER  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Counter n                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Kij alg.    |  Crypt alg.   |   MAC Alg.    |   Comp Alg    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Kp encrypted in EKijn...             (typically 8-16 bytes)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Destination MKID (contains the value 1001)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

5. Certificate Type and Name Space Assignments

5.1 Certificate Type Assignment

   The ephemeral Diffie-Hellman certificate type as defined in this
   document is pending assignment by IANA.

5.2 NSID Assignment

   The NSID for ephemeral MKIDs (EMKID) is pending assignment by IANA.

6. Generalization for Key-Agreement techniques other than classic DH

   Although the ephemeral certificate exchange scheme specified above
   uses the constructions of classic Diffie-Hellman (exponentiation
   over finite fields), the scheme is fully generalizable to other
   key-agreement techniques, such as Elliptic Curve (EC) variants of
   Diffie-Hellman.  In order to use these other DH variants, a new
   ephemeral certificate type may be defined that contains parameters
   specific to these other DH variant schemes.

7. Security Considerations

   The topic of this memo is security.

   Two properties of the exchange deserve emphasis.  First, forward
   secrecy holds only if the ephemeral private exponents x and y, the
   shared secret g^xy and EKijn are actually destroyed at the end of
   the validity interval, as Section 3 requires; an implementation
   that retains them does not obtain PFS.  Second, the exchange is
   authenticated solely by the Kij-keyed MAC over the ephemeral
   certificate, so the long-lived certified Diffie-Hellman values of
   the base SKIP protocol remain the root of trust for it, and an
   ephemeral certificate whose MAC does not verify MUST be discarded
   rather than used to derive any key.
References

   [1] Aziz, A., Markson, T., Prafullchandra, H., "Simple Key
       Management for Internet Protocols", (I-D
       draft-ietf-ipsec-skip-06.txt), Work In Progress

   [2] Aziz, A., Markson, T., Prafullchandra, H., "Certificate
       Discovery Protocol", (I-D draft-ietf-ipsec-cdp-00.txt), Work In
       Progress

Author Information:

   Ashar Aziz
   Sun Microsystems, Inc.
   MS PAL1-550, 2550 Garcia Ave.
   Mountain View, CA 94043

   e-mail: ashar.aziz@Eng.Sun.COM