| < draft-ietf-ipsec-isakmp-oakley-02.txt | draft-ietf-ipsec-isakmp-oakley-03.txt > | |||
|---|---|---|---|---|
| IPSEC Working Group D. Harkins, D. Carrel, Editors | IPSEC Working Group D. Harkins, D. Carrel | |||
| INTERNET-DRAFT cisco Systems | INTERNET-DRAFT cisco Systems | |||
| draft-ietf-ipsec-isakmp-oakley-02.txt November 1996 | draft-ietf-ipsec-isakmp-oakley-03.txt February 1997 | |||
| Expire in six months | ||||
| The resolution of ISAKMP with Oakley | The resolution of ISAKMP with Oakley | |||
| <draft-ietf-ipsec-isakmp-oakley-02.txt> | <draft-ietf-ipsec-isakmp-oakley-03.txt> | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet Draft. Internet Drafts are working | This document is an Internet Draft. Internet Drafts are working | |||
| documents of the Internet Engineering Task Force (IETF), its areas, | documents of the Internet Engineering Task Force (IETF), its areas, | |||
| and working groups. Note that other groups may also distribute | and working groups. Note that other groups may also distribute | |||
| working documents as Internet Drafts. | working documents as Internet Drafts. | |||
| Internet Drafts are draft documents valid for a maximum of six months | Internet Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| skipping to change at page 2, line 27 ¶ | skipping to change at page 2, line 32 ¶ | |||
| a subset necessary to satisfy its goals. It does not claim | a subset necessary to satisfy its goals. It does not claim | |||
| conformance or compliance with the entire Oakley protocol. For | conformance or compliance with the entire Oakley protocol. For | |||
| greater understanding of the Oakley protocol and the mathematics | greater understanding of the Oakley protocol and the mathematics | |||
| behind it, please refer to [Orm96]. | behind it, please refer to [Orm96]. | |||
| 3. Terms and Definitions | 3. Terms and Definitions | |||
| 3.1 Requirements Terminology | 3.1 Requirements Terminology | |||
| In this document, the words that are used to define the significance | In this document, the words that are used to define the significance | |||
| of each particular requirement are usually capitalised. These words | of each particular requirement are capitalised. These words are: | |||
| are: | ||||
| - MUST | - MUST | |||
| This word or the adjective "REQUIRED" means that the item is an | This word or the adjective "REQUIRED" means that the item is an | |||
| absolute requirement of the specification. | absolute requirement of the specification. | |||
| - SHOULD | - SHOULD | |||
| This word or the adjective "RECOMMENDED" means that there might | This word or the adjective "RECOMMENDED" means that there might | |||
| exist valid reasons in particular circumstances to ignore this | exist valid reasons in particular circumstances to ignore this | |||
| skipping to change at page 3, line 19 ¶ | skipping to change at page 3, line 19 ¶ | |||
| HDR is an ISAKMP header whose exchange type is the mode. When | HDR is an ISAKMP header whose exchange type is the mode. When | |||
| writen as HDR* it indicates payload encryption. | writen as HDR* it indicates payload encryption. | |||
| SA is an SA negotiation payload with one or more proposals. An | SA is an SA negotiation payload with one or more proposals. An | |||
| initiator MAY provide multiple proposals for negotiation; a | initiator MAY provide multiple proposals for negotiation; a | |||
| responder MUST reply with only one. | responder MUST reply with only one. | |||
| SAp is the entire body of the SA payload (minus the SA header)-- | SAp is the entire body of the SA payload (minus the SA header)-- | |||
| i.e. all proposals and transforms offered by the Initiator. | i.e. all proposals and transforms offered by the Initiator. | |||
| g^xi and g^xr are the Diffie-Hellman public values of the | ||||
| initiator and responder respectively. | ||||
| KE is the key exchange payload. | KE is the key exchange payload. | |||
| Nx is the nonce payload; x can be: i or r for the ISAKMP initiator | Nx is the nonce payload; x can be: i or r for the ISAKMP initiator | |||
| and responder respectively. | and responder respectively. | |||
| IDx is the identity payload for "x". x can be: "ii" or "ir" for | IDx is the identity payload for "x". x can be: "ii" or "ir" for | |||
| the ISAKMP initiator and responder respectively during phase one | the ISAKMP initiator and responder respectively during phase one | |||
| negotiation; or "ui" or "ur" for the user initiator and responder | negotiation; or "ui" or "ur" for the user initiator and responder | |||
| respectively during phase two. The ID payload format for the | respectively during phase two. The ID payload format for the | |||
| Internet DOI is defined in [Pip96]. | Internet DOI is defined in [Pip96]. | |||
| SIG is the signature payload. The data to sign is exchange- | SIG is the signature payload. The data to sign is exchange- | |||
| specific. | specific. | |||
| CERT is the certificate payload. | CERT is the certificate payload. | |||
| HASH is the hash payload. The contents of the hash are exchange | HASH (and any derivitive such as HASH(2) or HASH_I) is the hash | |||
| specific. | payload. The contents of the hash are specific to the | |||
| authentication method. | ||||
| prf() is the keyed hash function negotiated as part of the ISAKMP | prf(key, msg) is the keyed pseudo-random function-- often a keyed | |||
| SA. | hash function-- used to generate a deterministic output that | |||
| appears pseudo-random. prf's are used both for key derivations | ||||
| and for authentication (i.e. as a keyed MAC). (See [KBC96]). | ||||
| SKEYID is a string derived from secret material known only to the | ||||
| active players in the exchange. | ||||
| SKEYID_e is the keying material used by the ISAKMP SA to protect | SKEYID_e is the keying material used by the ISAKMP SA to protect | |||
| it's messages. | it's messages. | |||
| SKEYID_a is the keying material used by the ISAKMP SA to | SKEYID_a is the keying material used by the ISAKMP SA to | |||
| authenticate it's messages. | authenticate it's messages. | |||
| SKEYID_d is the keying material used to derive keys for non-ISAKMP | ||||
| security associations. | ||||
| <x>y indicates that "x" is encrypted with the key "y". | <x>y indicates that "x" is encrypted with the key "y". | |||
| --> signifies "initiator to responder" communication (requests). | --> signifies "initiator to responder" communication (requests). | |||
| <-- signifies "responder to initiator" communication (replies). | <-- signifies "responder to initiator" communication (replies). | |||
| | signifies concatenation of information-- e.g. X | Y is the | | signifies concatenation of information-- e.g. X | Y is the | |||
| concatentation of X with Y. | concatentation of X with Y. | |||
| [x] indicates that x is optional. | [x] indicates that x is optional. | |||
| Payload encryption (when noted by a '*' after the ISAKMP header) MUST | Payload encryption (when noted by a '*' after the ISAKMP header) MUST | |||
| begin immediately after the ISAKMP header. When communication is | begin immediately after the ISAKMP header. When communication is | |||
| protected, all payloads following the ISAKMP header MUST be | protected, all payloads following the ISAKMP header MUST be | |||
| encrypted. Encryption keys are generated from SKEYID_e in a manner | encrypted. Encryption keys are generated from SKEYID_e in a manner | |||
| that is defined for each algorithm. | that is defined for each algorithm. | |||
| When used to describe the payloads contained in complete message | ||||
| exchanges, the ISAKMP generic header is implicitly included. When | ||||
| used as part of a prf computation, the ISAKMP generic header is not | ||||
| included. For example, the initiator may send the responder the | ||||
| following message: | ||||
| HDR, KE, Ni | ||||
| The ISAKMP header is included in the KE and Ni payloads. But if the | ||||
| initiator generates the following pseudo-random output: | ||||
| HASH = prf(key, Ni | Nr) | ||||
| the ISAKMP headers of the two nonce payloads are not included-- only | ||||
| the body of the payload-- the nonce itself-- is used. | ||||
| 3.3 Perfect Forward Secrecy | 3.3 Perfect Forward Secrecy | |||
| When used in the draft Perfect Forward Secrecy (PFS) refers to the | When used in the draft Perfect Forward Secrecy (PFS) refers to the | |||
| notion that compromise of a single key will permit access to only | notion that compromise of a single key will permit access to only | |||
| data protected by a single key. For PFS to exist the key used to | data protected by a single key. For PFS to exist the key used to | |||
| protect transmission of data MUST NOT be used to derive any | protect transmission of data MUST NOT be used to derive any | |||
| additional keys, and if the key used to protect transmission of data | additional keys, and if the key used to protect transmission of data | |||
| was derived from some other keying material, that material MUST NOT | was derived from some other keying material, that material MUST NOT | |||
| be used to derive any more keys. | be used to derive any more keys. | |||
| Perfect Forward Secrecy for both keys and identities is provided in | Perfect Forward Secrecy for both keys and identities is provided in | |||
| this protocol. (Sections 5.7 and 7). | this protocol. (Sections 5.8 and 7). | |||
| 3.4 Security Association | 3.4 Security Association | |||
| A security association (SA) is a set of policy and key used to | A security association (SA) is a set of policy and key used to | |||
| protect information. The ISAKMP SA is the shared policy and key used | protect information. The ISAKMP SA is the shared policy and key used | |||
| by the negotiating peers in this protocol to protect their | by the negotiating peers in this protocol to protect their | |||
| communication. | communication. | |||
| 4. Introducttion | 4. Introduction | |||
| Oakley defines a method to establish an authenticated key exchange. | Oakley defines a method to establish an authenticated key exchange. | |||
| This includes how payloads are constructed, the information they | This includes how payloads are constructed, the information they | |||
| carry, the order in which they are processed and how they are used. | carry, the order in which they are processed and how they are used. | |||
| While Oakley defines "modes", ISAKMP defines "phases". The | While Oakley defines "modes", ISAKMP defines "phases". The | |||
| relationship between the two is very straightforward. ISAKMP's phase | relationship between the two is very straightforward. ISAKMP's phase | |||
| 1 is where the two ISAKMP peers establish a secure, authenticated | 1 is where the two ISAKMP peers establish a secure, authenticated | |||
| channel with which to communicate. This is called the ISAKMP | channel with which to communicate. This is called the ISAKMP | |||
| Security Association (SA). Oakley's "Main Mode" and "Aggressive Mode" | Security Association (SA). Oakley's "Main Mode" and "Aggressive Mode" | |||
| each accomplish a phase 1 exchange. "Main Mode" and "Aggressive | each accomplish a phase 1 exchange. "Main Mode" and "Aggressive | |||
| Mode" MUST ONLY be used in phase 1. | Mode" MUST ONLY be used in phase 1. | |||
| Phase 2 is where Security Associations are negotiated on behalf of | Phase 2 is where Security Associations are negotiated on behalf of | |||
| services such as AH, ESP or any other service which needs key | services such as IPsec or any other service which needs key material | |||
| material and/or parameter negotiation. Oakley's "Quick Mode" | and/or parameter negotiation. Oakley's "Quick Mode" accomplishes a | |||
| accomplishes a phase 2 exchange. "Quick Mode" MUST ONLY be used in | phase 2 exchange. "Quick Mode" MUST ONLY be used in phase 2. | |||
| phase 2. | ||||
| Oakley's "New Group Mode" is not really a phase 1 or phase 2. It | Oakley's "New Group Mode" is not really a phase 1 or phase 2. It | |||
| follows phase 1, but serves to establish a new group which can be | follows phase 1, but serves to establish a new group which can be | |||
| used in future negotiations. "New Group Mode" MUST ONLY be used in | used in future negotiations. "New Group Mode" MUST ONLY be used in | |||
| phase 2. | phase 2. | |||
| With the use of ISAKMP phases, an implementation can accomplish very | With the use of ISAKMP phases, an implementation can accomplish very | |||
| fast keying when necessary. A single phase 1 negotiation may be used | fast keying when necessary. A single phase 1 negotiation may be used | |||
| for more than one phase 2 negotiation. Additionally a single phase 2 | for more than one phase 2 negotiation. Additionally a single phase 2 | |||
| negotiation can request multiple Security Associations. With these | negotiation can request multiple Security Associations. With these | |||
| optimizations, an implementation can see less than one round trip per | optimizations, an implementation can see less than one round trip per | |||
| SA as well as less than one DH exponentiation per SA. "Main Mode" | SA as well as less than one DH exponentiation per SA. "Main Mode" | |||
| for phase 1 provides identity protection. When identity protection | for phase 1 provides identity protection. When identity protection | |||
| is not needed, "Aggressive Mode" can be used to reduce round trips | is not needed, "Aggressive Mode" can be used to reduce round trips | |||
| even further. Developer hints for doing these optimizations are | even further. Developer hints for doing these optimizations are | |||
| included below. | included below. It should also be noted that using public key | |||
| encryption to authenticate an Aggressive Mode exchange will still | ||||
| The following attributes are required by Oakley and MUST be | provide identity protection. | |||
| negotiated as part of the ISAKMP Security Association. (These | ||||
| attributes pertain only to the ISAKMP Security Association and not to | ||||
| any Security Associations that ISAKMP may be negotiating on behalf of | ||||
| other services.) | ||||
| The following attributes are used by Oakley and are negotiated as | ||||
| part of the ISAKMP Security Association. (These attributes pertain | ||||
| only to the ISAKMP Security Association and not to any Security | ||||
| Associations that ISAKMP may be negotiating on behalf of other | ||||
| services.) | ||||
| - encryption algorithm (e.g. DES, IDEA, Blowfish). | - encryption algorithm (e.g. DES, IDEA, Blowfish). | |||
| - hash algorithm (e.g. MD5, SHA) | - hash algorithm (e.g. MD5, SHA) | |||
| - authentication method (e.g. DSS sig, RSA sig, RSA encryption, | - authentication method (e.g. DSS sig, RSA sig, RSA encryption, | |||
| pre-shared key) | pre-shared key) | |||
| - information about a group over which to do Diffie-Hellman. | - information about a group over which to do Diffie-Hellman. | |||
| The selected hash algorithm MUST support both keyed and unkeyed | - prf (e.g. 3DES-CBC-MAC) | |||
| modes. | ||||
| Oakley implementations MUST support the following default attributes: | All of these attributes are mandatory and MUST be negotiated except | |||
| for the "prf". The "prf" MAY be negotiated, but if it is not, the | ||||
| HMAC (see [KBC96]) version of the negotiated hash algorithm is used | ||||
| as a pseudo-random function. Other non-mandatory attributes are | ||||
| described in Appendix A. The selected hash algorithm MUST support | ||||
| both native and HMAC modes. | ||||
| Oakley implementations MUST support the following attribute values: | ||||
| - DES-CBC with a weak, and semi-weak, key check (weak and semi- | - DES-CBC with a weak, and semi-weak, key check (weak and semi- | |||
| weak keys are referenced in [Sch94] and listed in Appendix A). The | weak keys are referenced in [Sch94] and listed in Appendix A). The | |||
| key is derived according to Appendix B. | key is derived according to Appendix B. | |||
| - MD5 and SHA in native and HMAC mode [KBC96]. | - MD5 and SHA. | |||
| - Authentication via pre-shared keys. The Digital Signature | - Authentication via pre-shared keys. The Digital Signature | |||
| Standard SHOULD be supported; RSA SHOULD also be supported. | Standard SHOULD be supported; RSA SHOULD also be supported. | |||
| - MODP over the default Oakley group (see below). ECP and EC2N | - MODP over the default Oakley group (see below). ECP groups MAY | |||
| groups MAY be supported. | be supported. | |||
| The Oakley modes described here MUST be implemented whenever the IETF | The Oakley modes described here MUST be implemented whenever the IETF | |||
| IPsec DOI [Pip96] is implemented. Other DOIs MAY use the Oakley modes | IPsec DOI [Pip96] is implemented. Other DOIs MAY use the Oakley modes | |||
| described here. | described here. | |||
| 5. Exchanges | 5. Exchanges | |||
| There are two basic methods used to establish an authenticated key | There are two basic methods used to establish an authenticated key | |||
| exchange: Oakley Main Mode and Oakley Aggressive Mode. Each generates | exchange: Oakley Main Mode and Oakley Aggressive Mode. Each generates | |||
| authenticated keying material from an ephemeral Diffie-Hellman | authenticated keying material from an ephemeral Diffie-Hellman | |||
| skipping to change at page 7, line 8 ¶ | skipping to change at page 8, line 34 ¶ | |||
| Oakley Main Mode is an instantiation of the ISAKMP Identity Protect | Oakley Main Mode is an instantiation of the ISAKMP Identity Protect | |||
| Exchange: The first two messages negotiate policy; the next two | Exchange: The first two messages negotiate policy; the next two | |||
| exchange Diffie-Hellman public values and ancillary data (e.g. | exchange Diffie-Hellman public values and ancillary data (e.g. | |||
| nonces) necessary for the exchange; and the last two messages | nonces) necessary for the exchange; and the last two messages | |||
| authenticate the Diffie-Hellman Exchange. The authentication method | authenticate the Diffie-Hellman Exchange. The authentication method | |||
| negotiated as part of the initial ISAKMP exchange influences the | negotiated as part of the initial ISAKMP exchange influences the | |||
| composition of the payloads but not their purpose. The XCHG for | composition of the payloads but not their purpose. The XCHG for | |||
| Oakley Main Mode is ISAKMP Identity Protect. | Oakley Main Mode is ISAKMP Identity Protect. | |||
| Similarly, Oakley Aggressive Mode is an instantiation of the ISAKMP | Similarly, Oakley Aggressive Mode is an instantiation of the ISAKMP | |||
| Base Exchange. The first two messages negotiate policy, exchange | Aggressive Exchange. The first two messages negotiate policy, | |||
| Diffie-Hellman public values and ancillary data necessary for the | exchange Diffie-Hellman public values and ancillary data necessary | |||
| exchange, and identities. In addition the second message | for the exchange, and identities. In addition the second message | |||
| authenticates the responder. The third message authenticates the | authenticates the responder. The third message authenticates the | |||
| initiator and provides a proof of participation in the exchange. The | initiator and provides a proof of participation in the exchange. The | |||
| XCHG for Oakley Aggressive Mode is ISAKMP Base Exchange. The final | XCHG for Oakley Aggressive Mode is ISAKMP Aggressive. The final | |||
| message is not sent under protection of the ISAKMP SA allowing each | message is not sent under protection of the ISAKMP SA allowing each | |||
| party to postpone exponentiation, if desired, until negotiation of | party to postpone exponentiation, if desired, until negotiation of | |||
| this exchange is complete. | this exchange is complete. | |||
| The result of either exchange is two groups of authenticated keying | Quick Mode and New Group Mode have no analog in ISAKMP. The XCHG | |||
| material: | values for Quick Mode and New Group Mode are defined in Appendix A. | |||
| SKEYID_e = prf(g^xy, CKY-I | CKY-R | Ni | Nr | 0) | Three different authentication methods are allowed with either Main | |||
| SKEYID_a = prf(g^xy, CKY-I | CKY-R | Ni | Nr | 1) | Mode or Aggressive Mode-- digital signature, public key encryption, | |||
| or pre-shared key. The value SKEYID is computed seperately for each | ||||
| authentication method. | ||||
| For signatures: SKEYID = prf(Ni | Nr, g^xy) | ||||
| For public key encryption: SKEYID = hash(Ni | Nr) | ||||
| For pre-shared keys: SKEYID = prf(pre-shared-key, Ni | Nr) | ||||
| The result of either Main Mode or Aggressive Mode is three groups of | ||||
| authenticated keying material: | ||||
| SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R, 0) | ||||
| SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R, 1) | ||||
| SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R, 2) | ||||
| and agreed upon policy to protect further communications. The values | and agreed upon policy to protect further communications. The values | |||
| of 0 and 1 above are represented by a single octet. The key used for | of 0, 1, and 2 above are represented by a single octet. The key used | |||
| encryption is derived from SKEYID_e in an algorithm-specific manner | for encryption is derived from SKEYID_e in an algorithm-specific | |||
| (see appendix B). | manner (see appendix B). | |||
| Quick Mode and New Group Mode have no analog in ISAKMP. The XCHG | To authenticate either exchange the initiator of the protocol | |||
| values for Quick Mode and New Group Mode are defined in Appendix A. | generates HASH_I and the responder generates HASH_R where: | |||
| HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAp | IDii) | ||||
| HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAp | IDir) | ||||
| For authentication with digital signatures, HASH_I and HASH_R are | ||||
| signed and verified; for authentication with either public key | ||||
| encryption or pre-shared keys, HASH_I and HASH_R directly | ||||
| authenticate the exchange. | ||||
| As mentioned above, the negotiated authentication method influences | As mentioned above, the negotiated authentication method influences | |||
| the content and use of messages for Phase 1 Oakley Modes, but not | the content and use of messages for Phase 1 Oakley Modes, but not | |||
| their intent. When using public keys for authentication, the Phase 1 | their intent. When using public keys for authentication, the Phase 1 | |||
| Oakley can be accomplished either by using signatures or by using | Oakley can be accomplished either by using signatures or by using | |||
| public key encryption (if the algorithm supports it). Following are | public key encryption (if the algorithm supports it). Following are | |||
| Main Mode Exchanges with different authentication options. | Main Mode Exchanges with different authentication options. | |||
| 5.1 ISAKMP/Oakley Phase 1 Authenticated With Signatures | 5.1 ISAKMP/Oakley Phase 1 Authenticated With Signatures | |||
| Using signatures, the ancillary information exchanged during the | Using signatures, the ancillary information exchanged during the | |||
| second roundtrip are nonces; the exchange is authenticated by signing | second roundtrip are nonces; the exchange is authenticated by signing | |||
| a mutually obtainable hash. Oakley Main Mode with signature | a mutually obtainable hash. Oakley Main Mode with signature | |||
| authentication is described as follows: | authentication is described as follows: | |||
| Initiator Responder | Initiator Responder | |||
| ---------- ----------- | ---------- ----------- | |||
| HDR, SA --> | HDR, SA --> | |||
| <-- HDR, SA | <-- HDR, SA | |||
| HDR, KE, Ni --> | HDR, KE, Ni --> | |||
| <-- HDR, KE, Nr | <-- HDR, KE, Nr | |||
| HDR*, IDii, [ CERT, ] SIG --> | HDR*, IDii, [ CERT, ] SIG_I --> | |||
| <-- HDR*, IDir, [ CERT, ] SIG | <-- HDR*, IDir, [ CERT, ] SIG_R | |||
| Oakley Aggressive mode with signatures in conjunction with ISAKMP is | Oakley Aggressive mode with signatures in conjunction with ISAKMP is | |||
| described as follows: | described as follows: | |||
| Initiator Responder | Initiator Responder | |||
| ----------- ----------- | ----------- ----------- | |||
| HDR, SA, KE, Ni, IDii --> | HDR, SA, KE, Ni, IDii --> | |||
| <-- HDR, SA, KE, Nr, IDir, | <-- HDR, SA, KE, Nr, IDir, | |||
| [ CERT, ] SIG | [ CERT, ] SIG_R | |||
| HDR, [ CERT, ] SIG --> | HDR, [ CERT, ] SIG_I --> | |||
| In both modes, the signed data in SIG is a signature of a keyed hash | In both modes, the signed data, SIG_I or SIG_R, is the result of the | |||
| of the concatenation of the nonces, cookies, the entire SA offer-- | negotiated digital signature algorithm applied to HASH_I or HASH_R | |||
| everything following the SA header-- that was sent from Initiator to | respectively. | |||
| Responder, and the sender's ID, with g^xy as the key to the hash | ||||
| function. The order of the nonces, and cookies are specific to the | ||||
| direction. In other words, the sender signs, HASH_I, and the | ||||
| responder signs HASH_R where: | ||||
| HASH_I = prf(g^xy, Ni | Nr | CKY-I | CKY-R | SAp | IDii)) | In general the signature will be over HASH_I and HASH_R as above | |||
| HASH_R = prf(g^xy, Nr | Ni | CKY-R | CKY-I | SAp | IDir)) | using the negotiated prf, or the HMAC version of the negotiated hash | |||
| function (if no prf is negotiated). However, this can be overridden | ||||
| for construction of the signature if the signature algorithm is tied | ||||
| to a particular hash algorithm (e.g. DSS is only defined with SHA's | ||||
| 160 bit output). In this case, the signature will be over HASH_I and | ||||
| HASH_R as above, except using the HMAC version of the hash algorithm | ||||
| associated with the signature method. The negotiated prf and hash | ||||
| function would continue to be used for all other proscribed pseudo- | ||||
| random functions. | ||||
| In general the keyed hash will be the HMAC version of the negotiated | RSA signatures MUST be encoded in PKCS #1 format. DSS signatures | |||
| hash function. This can be overridden for construction of the | MUST be encoded as r followed by s. | |||
| signature if the signature algorithm is tied to a particular hash | ||||
| algorithm. In this case, the negotiated hash function would continue | ||||
| to be used for all other proscribed hashing functions. | ||||
| One or more certificate payloads MAY be optionally passed. | One or more certificate payloads MAY be optionally passed. | |||
| 5.2 Oakley Phase 1 Authenticated With Public Key Encryption | 5.2 Oakley Phase 1 Authenticated With Public Key Encryption | |||
| Using public key encryption to authenticate the exchange, the | Using public key encryption to authenticate the exchange, the | |||
| ancillary information exchanged is encrypted nonces. Each party's | ancillary information exchanged is encrypted nonces. Each party's | |||
| ability to reconstruct a hash (proving that the other party decrypted | ability to reconstruct a hash (proving that the other party decrypted | |||
| the nonce) authenticates the exchange. | the nonce) authenticates the exchange. | |||
| In order to perform the public key encryption, the initiator must | In order to perform the public key encryption, the initiator must | |||
| already have the responder's public key. In the case where a party | already have the responder's public key. In the case where a party | |||
| has multiple public keys, a hash of the certificate the initiator is | has multiple public keys, a hash of the certificate the initiator is | |||
| using to encrypt the ancillary information is passed as part of the | using to encrypt the ancillary information is passed as part of the | |||
| third message. In this way the responder can determine which | third message. In this way the responder can determine which | |||
| corresponding private key to use to decrypt the nonce and identity | corresponding private key to use to decrypt the encrypted payloads | |||
| protection is retained. | and identity protection is retained. | |||
| In addition, the identities of the parties (IDii and IDir) are also | In addition to the nonce, the identities of the parties (IDii and | |||
| encrypted with the other parties public key. If the authentication | IDir) are also encrypted with the other parties public key. If the | |||
| method is public key encryption, the nonce and identity payloads MUST | authentication method is public key encryption, the nonce and | |||
| be encrypted with the public key of the other party. | identity payloads MUST be encrypted with the public key of the other | |||
| party. Only the body of the payloads are encrypted, the payload | ||||
| headers are left in the clear. | ||||
| When using encrytion for authentication with Oakley, Main Mode is | When using encrytion for authentication with Oakley, Main Mode is | |||
| defined as follows. | defined as follows. | |||
| Initiator Responder | Initiator Responder | |||
| ----------- ----------- | ----------- ----------- | |||
| HDR, SA --> | HDR, SA --> | |||
| <-- HDR, SA | <-- HDR, SA | |||
| HDR, KE, [ HASH(1), ] | HDR, KE, [ HASH(1), ] | |||
| <IDii>PubKey_r, | <IDii>PubKey_r, | |||
| <Ni>PubKey_r --> | <Ni>PubKey_r --> | |||
| HDR, KE, <IDir>PubKey_r, | HDR, KE, <IDir>PubKey_i, | |||
| <-- <Nr>PubKey_i | <-- <Nr>PubKey_i | |||
| HDR*, HASH_I --> | HDR*, HASH_I --> | |||
| <-- HDR*, HASH_R | <-- HDR*, HASH_R | |||
| Oakley Aggressive Mode authenticated with encryption is described as | Oakley Aggressive Mode authenticated with encryption is described as | |||
| follows: | follows: | |||
| Initiator Responder | Initiator Responder | |||
| ----------- ----------- | ----------- ----------- | |||
| HDR, SA, [ HASH(1),] KE, | HDR, SA, [ HASH(1),] KE, | |||
| <IDii>Pubkey_r, | <IDii>Pubkey_r, | |||
| <Ni>PubKey_r --> | <Ni>Pubkey_r --> | |||
| HDR, SA, KE, <Nr>PubKey_i, | HDR, SA, KE, <IDir>PubKey_i, | |||
| <-- IDir, HASH_R | <-- <Nr>PubKey_r, HASH_R | |||
| HDR, HASH_I --> | HDR, HASH_I --> | |||
| Where HASH(1) is a hash (using the negotiated hash function) of the | Where HASH(1) is a hash (using the negotiated hash function) of the | |||
| certificate which the initiator is using to encrypt the nonce and | certificate which the initiator is using to encrypt the nonce and | |||
| identity. The contents of the other hashes (HASH_I and HASH_R) are | identity. | |||
| the results of the HMAC version of the hash algorithm negotiated in | ||||
| the first roundtrip, with a concatenation of the nonces as the key | ||||
| and a concatenation of the shared secret, the cookies, the entire SA | ||||
| offer-- everything following the SA header-- that was sent from | ||||
| Initiator to Responder, and the sender's ID as the hashed data. The | ||||
| order of the nonces and cookies are specific to the direction. In | ||||
| other words: | ||||
| HASH_I = prf(Ni | Nr, g^xy | CKY-I | CKY-R | SAp | IDii)) | RSA encryption MUST be encoded in PKCS #1 format. The payload length | |||
| HASH_R = prf(Nr | Ni, g^xy | CKY-R | CKY-I | SAp | IDir)) | is the length of the entire encrypted payload plus header. The PKCS | |||
| #1 encoding allows for determination of the actual length of the | ||||
| cleartext payload upon decryption. | ||||
| Using encryption for authentication provides for a plausably deniable | Using encryption for authentication provides for a plausably deniable | |||
| exchange. There is no proof (as with a digital signature) that the | exchange. There is no proof (as with a digital signature) that the | |||
| conversation ever took place since each party can completely | conversation ever took place since each party can completely | |||
| reconstruct both sides of the exchange. | reconstruct both sides of the exchange. In addition, security is | |||
| added to secret generation since an attacker would have to | ||||
| successfully break not only the Diffie-Hellman exchange but also both | ||||
| RSA encryptions. This exchange was motivated by [Kra96]. | ||||
| Note that, unlike other authentication methods, authentication with | Note that, unlike other authentication methods, authentication with | |||
| public key encryption allows for identity protection with Aggressive | public key encryption allows for identity protection with Aggressive | |||
| Mode. | Mode. | |||
| 5.3 Oakley Phase 1 Authenticated With a Pre-Shared Key | 5.3 Oakley Phase 1 Authenticated With a Pre-Shared Key | |||
| A key derived by some out-of-band mechanism may also be used to | A key derived by some out-of-band mechanism may also be used to | |||
| authenticate the exchange. The actual establishment of this key is | authenticate the exchange. The actual establishment of this key is | |||
| out of the scope of this document. | out of the scope of this document. | |||
| skipping to change at page 11, line 5 ¶ | skipping to change at page 13, line 31 ¶ | |||
| <-- HDR*, IDir, HASH_R | <-- HDR*, IDir, HASH_R | |||
| Oakley Aggressive mode with a pre-shared key is described as follows: | Oakley Aggressive mode with a pre-shared key is described as follows: | |||
| Initiator Responder | Initiator Responder | |||
| ----------- ----------- | ----------- ----------- | |||
| HDR, SA, KE, Ni, IDii --> | HDR, SA, KE, Ni, IDii --> | |||
| <-- HDR, SA, KE, Nr, IDir, HASH_R | <-- HDR, SA, KE, Nr, IDir, HASH_R | |||
| HDR, HASH_I --> | HDR, HASH_I --> | |||
| The hash is the result of the HMAC version of the hash algorithm | When using pre-shared key authentication with Main Mode the key can | |||
| negotiated in the first roundtrip with the pre-shared key as the key | only be identified by the IP address of the peers since HASH_I must | |||
| to the HMAC, and a concatenation of the shared secret, the nonces, | be computed before the initiator has processed IDir. Aggressive Mode | |||
| the cookies, the complete SA offer-- everything following the SA | allows for a wider range of identifiers of the pre-shared secret to | |||
| header-- sent from Initiator to Responder, and the sender's ID. The | be used. In addition, Aggressive Mode allows two parties to maintain | |||
| order of the cookies and nonces are specific to the direction. In | multiple, different pre-shared keys and identify the correct one for | |||
| other words, | a particular exchange. | |||
| HASH_I = prf(pre-shared-key, g^xy | Ni | Nr | CKY-I | CKY-R | SAp | ||||
| | IDii) | ||||
| HASH_R = prf(pre-shared-key, g^xy | Nr | Ni | CKY-R | CKY-I | SAp | ||||
| | IDir) | ||||
| 5.4 Oakley Phase 2 - Quick Mode | 5.4 Oakley Phase 2 - Quick Mode | |||
| Oakley Quick Mode is not a complete exchange itself, but is used as | Oakley Quick Mode is not a complete exchange itself, but is used as | |||
| part of the ISAKMP SA negotiation process (phase 2) to derive keying | part of the ISAKMP SA negotiation process (phase 2) to derive keying | |||
| material and negotiate shared policy for non-ISAKMP SAs. The | material and negotiate shared policy for non-ISAKMP SAs. The | |||
| information exchanged along with Oakley Quick Mode MUST be protected | information exchanged along with Oakley Quick Mode MUST be protected | |||
| by the ISAKMP SA-- i.e. all payloads except the ISAKMP header are | by the ISAKMP SA-- i.e. all payloads except the ISAKMP header are | |||
| encrypted. | encrypted. | |||
| skipping to change at page 11, line 40 ¶ | skipping to change at page 14, line 27 ¶ | |||
| An optional Key Exchange payload can be exchanged to allow for an | An optional Key Exchange payload can be exchanged to allow for an | |||
| additional Diffie-Hellman exchange and exponentiation per Quick Mode. | additional Diffie-Hellman exchange and exponentiation per Quick Mode. | |||
| While use of the key exchange payload with Quick Mode is optional it | While use of the key exchange payload with Quick Mode is optional it | |||
| MUST be supported. | MUST be supported. | |||
| Base Quick Mode (without the KE payload) refreshens the keying | Base Quick Mode (without the KE payload) refreshens the keying | |||
| material derived from the exponentiation in phase 1. This does not | material derived from the exponentiation in phase 1. This does not | |||
| provide PFS. Using the optional KE payload, an additional | provide PFS. Using the optional KE payload, an additional | |||
| exponentiation is performed and PFS is provided for the keying | exponentiation is performed and PFS is provided for the keying | |||
| material. If a KE payload is sent, a Diffie-Hellman group (see | material. If a KE payload is sent, a Diffie-Hellman group (see | |||
| section 5.5.1 and Appendix A) MUST be sent as attributes of the SA | section 5.6.1 and [Pip96]) MUST be sent as attributes of the SA being | |||
| being negotiated. | negotiated. | |||
| Quick Mode is defined as follows: | Quick Mode is defined as follows: | |||
| Initiator Responder | Initiator Responder | |||
| ----------- ----------- | ----------- ----------- | |||
| HDR*, HASH(1), SA, Ni | HDR*, HASH(1), SA, Ni | |||
| [, KE ] [, IDui, IDur ] --> | [, KE ] [, IDui, IDur ] --> | |||
| <-- HDR*, HASH(2), SA, Nr | <-- HDR*, HASH(2), SA, Nr | |||
| [, KE ] [, IDui, IDur ] | [, KE ] [, IDui, IDur ] | |||
| HDR*, HASH(3) --> | HDR*, HASH(3) --> | |||
| Where: | Where: | |||
| HASH(1) and HASH(2) are keyed hashes of the entire message that | HASH(1) and HASH(2) are the prf over the message id (M-ID) from | |||
| follows the hash including payload headers, and HASH(3)-- for | the ISAKMP header concatenated with the entire message that follows | |||
| liveliness-- is a keyed hash of the value zero represented as a | the hash including payload headers, but excluding any padding added | |||
| single octet, followed by a concatenation of the two nonces. For | for encryption. HASH(3)-- for liveliness-- is the prf over the value | |||
| example, the hashes for the above exchange would be: | zero represented as a single octet, followed by a concatenation of | |||
| the message id and the two nonces-- the initiator's followed by the | ||||
| responder's. In other words, the hashes for the above exchange are: | ||||
| HASH(1) = prf( SKEYID_a, SA | Ni [ | KE ] [ | IDui | IDur ] ) | HASH(1) = prf(SKEYID_a, M-ID | SA | Ni [ | KE ] [ | IDui | IDur ]) | |||
| HASH(2) = prf( SKEYID_a, SA | Nr [ | KE ] [ | IDui | IDur ] ) | HASH(2) = prf(SKEYID_a, M-ID | SA | Nr [ | KE ] [ | IDui | IDur ]) | |||
| HASH(3) = prf( SKEYID_a, 0 | Ni | Nr ) | HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni | Nr) | |||
| If PFS is not needed, and KE payloads are not exchanged, the new | If PFS is not needed, and KE payloads are not exchanged, the new | |||
| keying material is defined as KEYMAT = prf(SKEYID_e, Ni | Nr | 0). | keying material is defined as KEYMAT = prf(SKEYID_d, SPI | Ni | Nr). | |||
| If PFS is desired and KE payloads were exchanged, the new keying | If PFS is desired and KE payloads were exchanged, the new keying | |||
| material is defined as KEYMAT = prf(g(qm)^xy, Ni | Nr | 0), where | material is defined as KEYMAT = prf(SKEYID_d, g(qm)^xy | SPI | Ni | | |||
| g(qm)^xy is the shared secret from the ephemeral Diffie-Hellman | Nr), where g(qm)^xy is the shared secret from the ephemeral Diffie- | |||
| exchange of this Quick Mode. | Hellman exchange of this Quick Mode. | |||
| In either case, 0 is represented by a single octet. | The SPI is the value from the SPI field in the SA payload. | |||
| For situations where the amount of keying material desired is greater | A single SA negotiation results in two security assocations-- one | |||
| than that supplied by the prf, KEYMAT is expanded by concatenation | inbound and one outbound. Different SPIs for each SA (one chosen by | |||
| and rehashing with a monotonically increasing number represented by a | the initiator, the other by the responder) guarantee a different key | |||
| single octet, i.e. | for each direction. The SPI chosen by the destination of the SA is | |||
| used to derive KEYMAT for that SA. | ||||
| KEYMAT = prf(SKEYID_e, Ni | Nr | 0) | prf(SKEYID_e, Ni | Nr | 1) | For situations where the amount of keying material desired is greater | |||
| ... | than that supplied by the prf, KEYMAT is expanded by feeding the | |||
| results of the prf back into itself and concatenating results until | ||||
| the required keying material has been reached. In other words, | ||||
| repeated until the required keying material has been reached. | KEYMAT = K1 | K2 | K3 | ... | |||
| where | ||||
| K1 = prf(SKEYID_d, [ g(qm)^xy | ] SPI | Ni | Nr) | ||||
| K2 = prf(SKEYID_d, K1 | [ g(qm)^xy | ] SPI | Ni | Nr) | ||||
| K3 = prf(SKEYID_d, K2 | [ g(qm)^xy | ] SPI | Ni | Nr) | ||||
| etc. | ||||
| This keying material (whether with PFS or without, and whether | This keying material (whether with PFS or without, and whether | |||
| derived directly or through concatenation) MUST be used with the | derived directly or through concatenation) MUST be used with the | |||
| negotiated SA. It is up to the service to define how keys are derived | negotiated SA. It is up to the service to define how keys are derived | |||
| from the keying material (see Appendix B). | from the keying material (see Appendix B). | |||
| In the case of an ephemeral Diffie-Hellman exchange in Quick Mode, | In the case of an ephemeral Diffie-Hellman exchange in Quick Mode, | |||
| the exponential (g(qm)^xy) is irretreivably removed from the current | the exponential (g(qm)^xy) is irretreivably removed from the current | |||
| state and SKEYID_e and SKEYID_a (derived from phase 1 negotiation) | state and SKEYID_e and SKEYID_a (derived from phase 1 negotiation) | |||
| continue to protect and authenticate the ISAKMP SA. | continue to protect and authenticate the ISAKMP SA and SKEYID_d | |||
| continues to be used to derive keys. | ||||
| If ISAKMP is acting as a proxy negotiator on behalf of another party | If ISAKMP is acting as a proxy negotiator on behalf of another party | |||
| the identities of the parties MUST be passed as IDui and IDur. Local | the identities of the parties MUST be passed as IDui and IDur. Local | |||
| policy will dictate whether the proposals are acceptible for the | policy will dictate whether the proposals are acceptible for the | |||
| identities specified. If IDs are not exchanged, the negotiation is | identities specified. If IDs are not exchanged, the negotiation is | |||
| assumed to be done on behalf of each ISAKMP peer. If an ID range | assumed to be done on behalf of each ISAKMP peer. If an ID range | |||
| (see Appendix A of [Pip96]) is not acceptable (for example, the | (see Appendix A of [Pip96]) is not acceptable (for example, the | |||
| specified subnet is too large) a BAD_ID_RANGE notify message followed | specified subnet is too large) a BAD_ID_RANGE notify message followed | |||
| by an acceptible ID range, in an ID payload, MUST be sent. | by an acceptible ID range, in an ID payload, MUST be sent. | |||
| skipping to change at page 14, line 16 ¶ | skipping to change at page 16, line 16 ¶ | |||
| exchange as follows: | exchange as follows: | |||
| Initiator Responder | Initiator Responder | |||
| ----------- ----------- | ----------- ----------- | |||
| HDR*, HASH(1), SA0, SA1, Ni, | HDR*, HASH(1), SA0, SA1, Ni, | |||
| [, KE ] [, IDui, IDur ] --> | [, KE ] [, IDui, IDur ] --> | |||
| <-- HDR*, HASH(2), SA0, SA1, Nr, | <-- HDR*, HASH(2), SA0, SA1, Nr, | |||
| [, KE ] [, IDui, IDur ] | [, KE ] [, IDui, IDur ] | |||
| HDR*, HASH(3) --> | HDR*, HASH(3) --> | |||
| and the keying material for SAx is prf(SKEYID_e, Ni | Nr | x) where x | The keying material is derived identically as in the case of a single | |||
| is the number of the SA negotiated (starting with zero). (In the case | SA. In this case (negotiation of two SA payloads) the result would be | |||
| where one, or all, of the SAs required keys longer than that supplied | four security associations-- two each way for both SAs. | |||
| by the prf, the number merely monotonically increases for this entire | ||||
| exchange-- e.g. SA0 uses 0 and 1; SA1 uses 2 and 3; etc). For ease of | ||||
| processing the HASH payloads MUST immediately follow the ISAKMP | ||||
| header and precede all other payloads. | ||||
| 5.4 Oakley New Group Mode | 5.5 Oakley New Group Mode | |||
| Oakley New Group Mode MUST NOT be used prior to establishment of an | Oakley New Group Mode MUST NOT be used prior to establishment of an | |||
| ISAKMP SA. The description of a new group MUST only follow phase 1 | ISAKMP SA. The description of a new group MUST only follow phase 1 | |||
| negotiation. (It is not a phase 2 exchange, though). | negotiation. (It is not a phase 2 exchange, though). | |||
| Initiator Responder | Initiator Responder | |||
| ----------- ----------- | ----------- ----------- | |||
| HDR*, HASH(1), SA --> | HDR*, HASH(1), SA --> | |||
| <-- HDR*, HASH(2), SA | <-- HDR*, HASH(2), SA | |||
| where HASH(1) is a keyed hash, using SKEYID_a as the key, and the | where HASH(1) is the prf output, using SKEYID_a as the key, and the | |||
| entire SA proposal, body and header, as the data; HASH(2) is a keyed | entire SA proposal, body and header, as the data; HASH(2) is the prf | |||
| hash, using SKEYID_a as the key, and the reply as the data. | output, using SKEYID_a as the key, and the reply as the data. | |||
| The proposal will be an Oakley proposal which specifies the | The proposal will be an Oakley proposal which specifies the | |||
| characteristics of the group (see appendix A, "Oakley Attribute | characteristics of the group (see appendix A, "Oakley Attribute | |||
| Assigned Numbers"). Group descriptions for private Oakley Groups MUST | Assigned Numbers"). Group descriptions for private Oakley Groups MUST | |||
| be greater than or equal to 2^15. If the group is not acceptable, | be greater than or equal to 2^15. If the group is not acceptable, | |||
| the responder MUST reply with a Notify payload with the message type | the responder MUST reply with a Notify payload with the message type | |||
| set to GROUP_NOT_ACCEPTABLE (13). | set to GROUP_NOT_ACCEPTABLE (13). | |||
| ISAKMP implementations MAY require private groups to expire with the | ISAKMP implementations MAY require private groups to expire with the | |||
| SA under which they were established. | SA under which they were established. | |||
| Groups may be directly negotiated in the SA proposal with Oakley Main | Groups may be directly negotiated in the SA proposal with Oakley Main | |||
| Mode. To do this the Prime, Generator, and Group Type are passed as | Mode. To do this the Prime, Generator (using the Generator One | |||
| SA attributes (see Appendix A in [MSST96]). Alternately, the nature | attribute class from Appendix A), and Group Type are passed as SA | |||
| of the group can be hidden using Oakley New Group Mode and only the | attributes (see Appendix A in [MSST96]). Alternately, the nature of | |||
| group identifier is passed in the clear during Main Mode. | the group can be hidden using Oakley New Group Mode and only the | |||
| group identifier is passed in the clear during phase 1 negotiation. | ||||
| 5.5 Oakley Groups | 5.6 Oakley Groups | |||
| [Orm96] defines several groups. The value 0 indicates no group. The | [Orm96] defines several groups. The value 0 indicates no group. The | |||
| value 1 indicates the default group described below. The attriute | value 1 indicates the default group described below. The attribute | |||
| class for "Group" is defined in Appendix A. Other values are also | class for "Group" is defined in Appendix A. Other values are also | |||
| defined in [Orm96]. All values 2^15 and higher are used for private | defined in [Orm96]. All values 2^15 and higher are used for private | |||
| group identifiers. | group identifiers. | |||
| 5.5.1 Oakley Default Group | 5.6.1 Oakley Default Group | |||
| Oakley implementations MUST support a MODP group with the following | Oakley implementations MUST support a MODP group with the following | |||
| prime and generator. This group is assigned id 1 (one). | prime and generator. This group is assigned id 1 (one). | |||
| The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 } | The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 } | |||
| Its hexadecimal value is | Its hexadecimal value is | |||
| FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 | FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 | |||
| 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD | 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD | |||
| EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 | EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 | |||
| skipping to change at page 17, line 5 ¶ | skipping to change at page 19, line 5 ¶ | |||
| the Diffie-Hellman exponent. Using 2 as a generator is | the Diffie-Hellman exponent. Using 2 as a generator is | |||
| efficient for some modular exponentiation algorithms. [Note | efficient for some modular exponentiation algorithms. [Note | |||
| that 2 is technically not a generator in the number theory | that 2 is technically not a generator in the number theory | |||
| sense, because it omits half of the possible residues mod P. | sense, because it omits half of the possible residues mod P. | |||
| From a cryptographic viewpoint, this is a virtue.] | From a cryptographic viewpoint, this is a virtue.] | |||
| A further discussion of the properties of this group, the motivation | A further discussion of the properties of this group, the motivation | |||
| behind its creation, as well as the definition of several more groups | behind its creation, as well as the definition of several more groups | |||
| can be found in [Orm96]. | can be found in [Orm96]. | |||
| 5.6 Payload Explosion for Complete ISAKMP-Oakley Exchange | 5.7 Payload Explosion for Complete ISAKMP-Oakley Exchange | |||
| This section illustrates how ISAKMP payloads are used with Oakley to: | This section illustrates how ISAKMP payloads are used with Oakley to: | |||
| - establish a secure and authenticated channel between ISAKMP | - establish a secure and authenticated channel between ISAKMP | |||
| processes (phase 1); and | processes (phase 1); and | |||
| - generate key material for, and negotiate, an IPsec SA (phase 2). | - generate key material for, and negotiate, an IPsec SA (phase 2). | |||
| 5.6.1 Phase 1 using Oakley Main Mode | 5.7.1 Phase 1 using Oakley Main Mode | |||
| The following diagram illustrates the payloads exchanged between the | The following diagram illustrates the payloads exchanged between the | |||
| two parties in the first round trip exchange. The initiator MAY | two parties in the first round trip exchange. The initiator MAY | |||
| propose several proposals; the responder MUST reply with one. | propose several proposals; the responder MUST reply with one. | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ~ ISAKMP Header with XCHG of Oakley Main Mode, ~ | ~ ISAKMP Header with XCHG of Oakley Main Mode, ~ | |||
| ~ and Next Payload of ISA_SA ~ | ~ and Next Payload of ISA_SA ~ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! ISA_PROP ! RESERVED ! Payload Length ! | ! 0 ! RESERVED ! Payload Length ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! Domain of Interpretation (IPsec DOI) ! | ! Domain of Interpretation (IPsec DOI) ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! Situation ! | ! Situation ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! ISA_TRANS ! RESERVED ! Payload Length ! | ! 0 ! RESERVED ! Payload Length ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! Proposal #1 ! Proto=ISAKMP ! # of Transforms ! | ! Proposal #1 ! Proto=ISAKMP ! # of Transforms ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ~ SPI (8 octets) ~ | ~ SPI (8 octets) ~ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! ISA_TRANS ! RESERVED ! Payload Length ! | ! ISA_TRANS ! RESERVED ! Payload Length ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! Transform #1 ! RESERVED | OAKLEY ! | ! Transform #1 ! RESERVED | OAKLEY ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ~ preffered SA attributes ~ | ~ preffered SA attributes ~ | |||
| skipping to change at page 18, line 14 ¶ | skipping to change at page 20, line 14 ¶ | |||
| The second exchange consists of the following payloads: | The second exchange consists of the following payloads: | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ~ ISAKMP Header with XCHG of Oakley Main Mode, ~ | ~ ISAKMP Header with XCHG of Oakley Main Mode, ~ | |||
| ~ and Next Payload of ISA_KE ~ | ~ and Next Payload of ISA_KE ~ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! ISA_NONCE ! RESERVED ! Payload Length ! | ! ISA_NONCE ! RESERVED ! Payload Length ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ~ D-H Public Value (g^x from initiator g^y from responder) ~ | ~ D-H Public Value (g^xi from initiator g^xr from responder) ~ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! 0 ! RESERVED ! Payload Length ! | ! 0 ! RESERVED ! Payload Length ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ~ Ni (from initiator) or Nr (from responder) ~ | ~ Ni (from initiator) or Nr (from responder) ~ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| The shared keys, SKEYID_e and SKEYID_a, are now used to protect and | The shared keys, SKEYID_e and SKEYID_a, are now used to protect and | |||
| authenticate all further communication. Note that both SKEYID_e and | authenticate all further communication. Note that both SKEYID_e and | |||
| SKEYID_a are unauthenticated. | SKEYID_a are unauthenticated. | |||
| skipping to change at page 18, line 45 ¶ | skipping to change at page 20, line 45 ¶ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ~ signature verified by the public key of the ID above ~ | ~ signature verified by the public key of the ID above ~ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| The key exchange is authenticated over a signed hash as described in | The key exchange is authenticated over a signed hash as described in | |||
| section 5.1. Once the signature has been verified using the | section 5.1. Once the signature has been verified using the | |||
| authentication algorithm negotiated as part of the ISAKMP SA, the | authentication algorithm negotiated as part of the ISAKMP SA, the | |||
| shared keys, SKEYID_e and SKEYID_a can be marked as authenticated. | shared keys, SKEYID_e and SKEYID_a can be marked as authenticated. | |||
| (For brevity, certificate payloads were not exchanged). | (For brevity, certificate payloads were not exchanged). | |||
| 5.6.2 Phase 2 using Oakley Quick Mode | 5.7.2 Phase 2 using Oakley Quick Mode | |||
| The following payloads are exchanged in the first round of Oakley | The following payloads are exchanged in the first round of Oakley | |||
| Quick Mode with ISAKMP SA negotiation. In this hypothetical exchange, | Quick Mode with ISAKMP SA negotiation. In this hypothetical exchange, | |||
| the ISAKMP negotiators are proxies for other parties which have | the ISAKMP negotiators are proxies for other parties which have | |||
| requested authentication. | requested authentication. | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ~ ISAKMP Header with XCHG of Oakley Quick Mode, ~ | ~ ISAKMP Header with XCHG of Oakley Quick Mode, ~ | |||
| ~ Next Payload of ISA_HASH and the encryption bit set ~ | ~ Next Payload of ISA_HASH and the encryption bit set ~ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! ISA_SA ! RESERVED ! Payload Length ! | ! ISA_SA ! RESERVED ! Payload Length ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ~ keyed hash of message ~ | ~ keyed hash of message ~ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! ISA_PROP ! RESERVED ! Payload Length ! | ! ISA_NONCE ! RESERVED ! Payload Length ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! Domain Of Interpretation (DOI) ! | ! Domain Of Interpretation (DOI) ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! Situation ! | ! Situation ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! ISA_TRANS ! RESERVED ! Payload Length ! | ! 0 ! RESERVED ! Payload Length ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! Proposal #1 ! Protocol=AH ! # of Transforms ! | ! Proposal #1 ! Protocol=AH ! # of Transforms ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ~ SPI (8 octets) ~ | ~ SPI (8 octets) ~ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! ISA_TRANS ! RESERVED ! Payload Length ! | ! ISA_TRANS ! RESERVED ! Payload Length ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! Transform #1 ! RESERVED | SHA ! | ! Transform #1 ! RESERVED | SHA ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! other SA attributes ! | ! other SA attributes ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! ISA_NONCE ! RESERVED ! Payload Length ! | ! 0 ! RESERVED ! Payload Length ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! Transform #1 ! RESERVED | MD5 ! | ! Transform #1 ! RESERVED | MD5 ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! other SA attributes ! | ! other SA attributes ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! ISA_ID ! RESERVED ! Payload Length ! | ! ISA_ID ! RESERVED ! Payload Length ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ~ nonce ~ | ~ nonce ~ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! ISA_ID ! RESERVED ! Payload Length ! | ! ISA_ID ! RESERVED ! Payload Length ! | |||
| skipping to change at page 20, line 21 ¶ | skipping to change at page 22, line 21 ¶ | |||
| ~ ISAKMP Header with XCHG of Oakley Quick Mode, ~ | ~ ISAKMP Header with XCHG of Oakley Quick Mode, ~ | |||
| ~ Next Payload of ISA_HASH and the encryption bit set ~ | ~ Next Payload of ISA_HASH and the encryption bit set ~ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ! 0 ! RESERVED ! Payload Length ! | ! 0 ! RESERVED ! Payload Length ! | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ~ hash data ~ | ~ hash data ~ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| where the contents of the hash are described in 5.4 above. | where the contents of the hash are described in 5.4 above. | |||
| 5.7 Perfect Forward Secrecy Example | 5.8 Perfect Forward Secrecy Example | |||
| This protocol can provide PFS of both keys and identities. The | This protocol can provide PFS of both keys and identities. The | |||
| identies of both the ISAKMP negotiating peer and, if applicable, the | identies of both the ISAKMP negotiating peer and, if applicable, the | |||
| proxy for whom the peers are negotiating can be protected with PFS. | proxy for whom the peers are negotiating can be protected with PFS. | |||
| To provide Perfect Forward Secrecy of both keys and all identities, | To provide Perfect Forward Secrecy of both keys and all identities, | |||
| two parties would perform the following: | two parties would perform the following: | |||
| o A Main Mode Exchange to protect the identities of the ISAKMP | ||||
| o A Main Mode Exchange to protect the identities of the ISAKMP | peers. | |||
| peers. | This establishes an ISAKMP SA. o A Quick Mode Exchange to | |||
| This establishes an ISAKMP SA. | negotiate other security protocol protection. | |||
| o A Quick Mode Exchange to negotiate other security protocol | This establishes a SA on each end for this protocol. o Delete | |||
| protection. | the ISAKMP SA and its associated state. | |||
| This establishes a SA on each end for this protocol. | ||||
| o Delete the ISAKMP SA and its associated state. | ||||
| Since the key for use in the non-ISAKMP SA was derived from the | Since the key for use in the non-ISAKMP SA was derived from the | |||
| single ephemeral Diffie-Hellman exchange PFS is preserved. | single ephemeral Diffie-Hellman exchange PFS is preserved. | |||
| To provide Perfect Forward Secrecy of merely the keys of a non-ISAKMP | To provide Perfect Forward Secrecy of merely the keys of a non-ISAKMP | |||
| security association, it in not necessary to do a phase 1 exchange if | security association, it in not necessary to do a phase 1 exchange if | |||
| an ISAKMP SA exists between the two peers. A single Quick Mode in | an ISAKMP SA exists between the two peers. A single Quick Mode in | |||
| which the optional KE payload is passed, and an additional Diffie- | which the optional KE payload is passed, and an additional Diffie- | |||
| Hellman exchange is performed, is all that is required. At this point | Hellman exchange is performed, is all that is required. At this point | |||
| the state derived from this Quick Mode must be deleted from the | the state derived from this Quick Mode must be deleted from the | |||
| ISAKMP SA as described in section 5.4. | ISAKMP SA as described in section 5.4. | |||
| skipping to change at page 21, line 26 ¶ | skipping to change at page 23, line 31 ¶ | |||
| one Quick Mode. | one Quick Mode. | |||
| An optimization that is often useful is to establish Security | An optimization that is often useful is to establish Security | |||
| Associations with peers before they are needed so that when they | Associations with peers before they are needed so that when they | |||
| become needed they are already in place. This ensures there would be | become needed they are already in place. This ensures there would be | |||
| no delays due to key management before initial data transmission. | no delays due to key management before initial data transmission. | |||
| This optimization is easily implemented by setting up more than one | This optimization is easily implemented by setting up more than one | |||
| Security Association with a peer for each requested Security | Security Association with a peer for each requested Security | |||
| Association and caching those not immediately used. | Association and caching those not immediately used. | |||
| Also, if ISAKMP is implementation is alerted that a SA will soon be | Also, if an ISAKMP implementation is alerted that a SA will soon be | |||
| needed (e.g. to replace an existing SA that will expire in the near | needed (e.g. to replace an existing SA that will expire in the near | |||
| future), then it can establish the new SA before that new SA is | future), then it can establish the new SA before that new SA is | |||
| needed. | needed. | |||
| 7. Security Considerations | 7. Security Considerations | |||
| This entire draft discusses a hybrid protocol, combining Oakley with | This entire draft discusses a hybrid protocol, combining Oakley with | |||
| ISAKMP, to negotiate, and derive keying material for, security | ISAKMP, to negotiate, and derive keying material for, security | |||
| associations in a secure and authenticated manner. | associations in a secure and authenticated manner. | |||
| skipping to change at page 22, line 15 ¶ | skipping to change at page 24, line 19 ¶ | |||
| ISAKMP SA and would therefore not be protected by PFS. If PFS of both | ISAKMP SA and would therefore not be protected by PFS. If PFS of both | |||
| keying material and identities is desired, an ISAKMP peer MUST | keying material and identities is desired, an ISAKMP peer MUST | |||
| establish only one non-ISAKMP security association (e.g. IPsec | establish only one non-ISAKMP security association (e.g. IPsec | |||
| Security Association) per ISAKMP SA. PFS for keys and identities is | Security Association) per ISAKMP SA. PFS for keys and identities is | |||
| accomplished by deleting the ISAKMP SA (and optionally issuing a | accomplished by deleting the ISAKMP SA (and optionally issuing a | |||
| DELETE message) upon establishment of the single non-ISAKMP SA. In | DELETE message) upon establishment of the single non-ISAKMP SA. In | |||
| this way a phase one negotiation is uniquely tied to a single phase | this way a phase one negotiation is uniquely tied to a single phase | |||
| two negotiation, and the ISAKMP SA established during phase one | two negotiation, and the ISAKMP SA established during phase one | |||
| negotiation is never used again. | negotiation is never used again. | |||
| Implementations SHOULD not use Diffie-Hellman exponents of less than | ||||
| 200 bits to avoid adversely effecting the security of both parties. | ||||
| It is assumed that the Diffie-Hellman exponents in this exchange are | ||||
| erased from memory after use. In particular, these exponents must not | ||||
| be derived from long-lived secrets like the seed to a pseudo-random | ||||
| generator. | ||||
| 8. Acknowledgements | 8. Acknowledgements | |||
| This document is the result of close consultation with Hilarie Orman, | This document is the result of close consultation with Hilarie Orman, | |||
| Douglas Maughan, Mark Schertler, Mark Schneider, and Jeff Turner. It | Douglas Maughan, Mark Schertler, Mark Schneider, and Jeff Turner. It | |||
| relies completely on protocols which were written by them. Without | relies completely on protocols which were written by them. Without | |||
| their interest and dedication, this would not have been written. | their interest and dedication, this would not have been written. | |||
| We would also like to thank Cheryl Madson, Harry Varnis, Elfed | We would also like to thank Cheryl Madson, Harry Varnis, Elfed | |||
| Weaver, and Hugo Krawcyzk for technical input. | Weaver, and Hugo Krawcyzk for technical input. | |||
| 9. References | 9. References | |||
| [ACM97] Adams, C.M., "Constructing Symmetric Ciphers Using the CAST | ||||
| Design Procedure", Designs, Codes and Cryptorgraphy (to appear). | ||||
| [KBC96] Krawczyk, H., Bellare, M., Canetti, R., "HMAC: Keyed-Hashing | [KBC96] Krawczyk, H., Bellare, M., Canetti, R., "HMAC: Keyed-Hashing | |||
| for Message Authentication", draft-ietf-ipsec-hmac-md5-01.txt | for Message Authentication", draft-ietf-ipsec-hmac-md5-01.txt | |||
| [Kra96] Krawcyzk, H., "SKEME: A Versatile Secure Key Exchange | [Kra96] Krawczyk, H., "SKEME: A Versatile Secure Key Exchange | |||
| Mechanism for Internet", from IEEE Proceedings of the 1996 Symposium | Mechanism for Internet", from IEEE Proceedings of the 1996 Symposium | |||
| on Network and Distributed Systems Security. | on Network and Distributed Systems Security. | |||
| [MSST96] Maughhan, D., Schertler, M., Schneider, M., and Turner, J., | [MSST96] Maughhan, D., Schertler, M., Schneider, M., and Turner, J., | |||
| "Internet Security Association and Key Management Protocol (ISAKMP)", | "Internet Security Association and Key Management Protocol (ISAKMP)", | |||
| version 6, draft-ietf-ipsec-isakmp-06.{ps,txt}. | version 7, draft-ietf-ipsec-isakmp-07.{ps,txt}. | |||
| [Orm96] Orman, H., "The Oakley Key Determination Protocol", version | [Orm96] Orman, H., "The Oakley Key Determination Protocol", version | |||
| 1, draft-ietf-ipsec-oakley-01.txt. | 1, draft-ietf-ipsec-oakley-01.txt. | |||
| [Pip96] Piper, D., "The Internet IP Security Domain Of Interpretation | [Pip96] Piper, D., "The Internet IP Security Domain Of Interpretation | |||
| for ISAKMP", version 1, draft-ietf-ipsec-ipsec-doi-00.txt. | for ISAKMP", version 2, draft-ietf-ipsec-ipsec-doi-02.txt. | |||
| [Sch94] Schneier, B., "Applied Cryptography, Protocols, Algorithms, | [Sch94] Schneier, B., "Applied Cryptography, Protocols, Algorithms, | |||
| and Source Code in C", 1st edition. | and Source Code in C", 2nd edition. | |||
| Appendix A | Appendix A | |||
| This is a list of DES Weak and Semi-Weak keys. The keys come from | This is a list of DES Weak and Semi-Weak keys. The keys come from | |||
| [Sch94]. All keys are listed in hexidecimal. | [Sch94]. All keys are listed in hexidecimal. | |||
| DES Weak Keys | DES Weak Keys | |||
| 0101 0101 0101 0101 | 0101 0101 0101 0101 | |||
| 1F1F 1F1F E0E0 E0E0 | 1F1F 1F1F E0E0 E0E0 | |||
| E0E0 E0E0 1F1F 1F1F | E0E0 E0E0 1F1F 1F1F | |||
| FEFE FEFE FEFE FEFE | FEFE FEFE FEFE FEFE | |||
| DES Semi-Weak Keys | DES Semi-Weak Keys | |||
| 01FE 01FE 01FE 01FE | 01FE 01FE 01FE 01FE | |||
| 1FE0 1FE0 0EF1 0EF1 | 1FE0 1FE0 0EF1 0EF1 | |||
| 01E0 01E0 01F1 01F1 | 01E0 01E0 01F1 01F1 | |||
| 1FFE 1FFE 0EFE 0EFE | 1FFE 1FFE 0EFE 0EFE | |||
| 011F 011F 010E 010E | 011F 011F 010E 010E | |||
| E0FE E0FE F1FE F1FE | E0FE E0FE F1FE F1FE | |||
| FE01 FE01 FE01 FE01 | FE01 FE01 FE01 FE01 | |||
| E01F E01F F10E F10E | E01F E01F F10E F10E | |||
| E001 E001 F101 F101 | E001 E001 F101 F101 | |||
| FE1F FE1F FE0E FE0E | FE1F FE1F FE0E FE0E | |||
| 1F01 1F01 0E01 0E01 | 1F01 1F01 0E01 0E01 | |||
| FEE0 FEE0 FEF1 FEF1 | FEE0 FEE0 FEF1 FEF1 | |||
| Attribute Assigned Numbers | Attribute Assigned Numbers | |||
| Attributes negotiated during phase one use the following definitions. Phase | Attributes negotiated during phase one use the following definitions. | |||
| two attributes are defined in the applicable DOI specification (for example, | Phase two attributes are defined in the applicable DOI specification | |||
| IPsec attributes are defined in the IPsec DOI), with the exception of a group | (for example, IPsec attributes are defined in the IPsec DOI), with | |||
| description when Quick Mode includes an ephemeral Diffie-Hellman exchange. | the exception of a group description when Quick Mode includes an | |||
| Attribute types can be either Basic (B) or Variable-length (V). Encoding of | ephemeral Diffie-Hellman exchange. Attribute types can be either | |||
| these attributes is defined in the base ISAKMP specification. | Basic (B) or Variable-length (V). Encoding of these attributes is | |||
| defined in the base ISAKMP specification. | ||||
| Attribute Classes | Attribute Classes | |||
| class value type | class value type | |||
| --------------------------------------------------------------------------- | ------------------------------------------------------------------- | |||
| Encryption Algorithm 1 B | Encryption Algorithm 1 B | |||
| Hash Algorithm 2 B | Hash Algorithm 2 B | |||
| Authentication Method 3 B | Authentication Method 3 B | |||
| Group Description 4 B | Group Description 4 B | |||
| Group Type 5 B | Group Type 5 B | |||
| Group Prime 6 V | Group Prime 6 V | |||
| Group Generator One 7 V | Group Generator One 7 V | |||
| Group Generator Two 8 V | Group Generator Two 8 V | |||
| Group Curve A 9 V | Group Curve A 9 V | |||
| Group Curve B 10 V | Group Curve B 10 V | |||
| Life Type 11 B | Life Type 11 B | |||
| Life Duration 12 B/V | Life Duration 12 B/V | |||
| PRF 13 B | ||||
| Key Length 14 B | ||||
| Class Values | Class Values | |||
| Encryption Algorithm | - Encryption Algorithm | |||
| DEC-CBC 1 | DEC-CBC 1 | |||
| IDEA-CBC 2 | IDEA-CBC 2 | |||
| Blowfish-CBC 3 | Blowfish-CBC 3 | |||
| RC5-R12-B64-CBC 4 | ||||
| 3DES-CBC 5 | ||||
| CAST-CBC 6 | ||||
| values 4-65000 are reserved. Values 65001-65535 are for | values 7-65000 are reserved. Values 65001-65535 are for private use | |||
| private use among mutually consenting parties. | among mutually consenting parties. | |||
| Hash Algorithm | - Hash Algorithm | |||
| MD5 1 | MD5 1 | |||
| SHA 2 | SHA 2 | |||
| Tiger 3 | Tiger 3 | |||
| values 4-65000 are reserved. Values 65001-65535 are for | values 4-65000 are reserved. Values 65001-65535 are for private use | |||
| private use among mutually consenting parties. | among mutually consenting parties. | |||
| Authentication Method | - Authentication Method | |||
| pre-shared key 1 | pre-shared key 1 | |||
| DSS signatures 2 | DSS signatures 2 | |||
| RSA signatures 3 | RSA signatures 3 | |||
| RSA encryption 4 | RSA encryption 4 | |||
| values 5-65000 are reserved. Values 65001-65535 are for | values 5-65000 are reserved. Values 65001-65535 are for private use | |||
| private use among mutually consenting parties. | among mutually consenting parties. | |||
| Group Description | - Group Description | |||
| default group (section 5.5.1) 1 | default group (section 5.6.1) 1 | |||
| values 2-32767 are reserved. Values 32768-65535 are for | values 2-32767 are reserved. Values 32768-65535 are for private use | |||
| private use among mutually consenting parties. | among mutually consenting parties. | |||
| Group Type | - Group Type | |||
| MODP (modular exponentiation group) 1 | MODP (modular exponentiation group) 1 | |||
| ECP (elliptic curve group) 2 | ECP (elliptic curve group) 2 | |||
| Life Type | values 3-65000 are reserved. Values 65001-65535 are for private use | |||
| seconds 1 | among mutually consenting parties. | |||
| kilobytes 2 | ||||
| values 3-65000 are reserved. Values 65001-65535 are for | - Life Type | |||
| private use among mutually consenting parties. For a given "Life Type" | seconds 1 | |||
| the value of the "Life Duration" attribute defines the actual length of | kilobytes 2 | |||
| the SA life-- either a number of seconds, or a number of kbytes protected. | ||||
| Additional Exchanges Defined-- XCHG values | values 3-65000 are reserved. Values 65001-65535 are for private use | |||
| Quick Mode 32 | among mutually consenting parties. For a given "Life Type" the | |||
| New Group Mode 33 | value of the "Life Duration" attribute defines the actual length of | |||
| the SA life-- either a number of seconds, or a number of kbytes | ||||
| protected. | ||||
| - PRF | ||||
| 3DES-CBC-MAC 1 | ||||
| values 2-65000 are reserved. Values 65001-65535 are for private use | ||||
| among mutually consenting parties | ||||
| - Key Length | ||||
| When using an Encryption Algorithm that has a variable length key, | ||||
| this attribute specifies the key length in bits. (MUST use network | ||||
| byte order). | ||||
| Additional Exchanges Defined-- XCHG values | ||||
| Quick Mode 32 | ||||
| New Group Mode 33 | ||||
| Appendix B | Appendix B | |||
| Encryption keys used to protect the ISAKMP SA are derived from SKEYID_e in | This appendix describes encryption details to be used ONLY when | |||
| an algorithm-specific manner. When SKEYID_e is not long enough to supply all | encrypting ISAKMP messages. When a service (such as an IPSEC | |||
| the necessary keying material an algorithm requires, the key is derived from | transform) utilizes ISAKMP to generate keying material, all | |||
| a concatenation of SKEYID_e and successive keyed hashes of a single | encryption algorithm specific details (such as key and IV generation, | |||
| character which contains a monotonically increasing counter beginning at | padding, etc...) MUST be defined by that service. ISAKMP does not | |||
| one (1), and SKEYID_e as the key, using the negotiated hash function. | purport to ever produce keys that are suitable for any encryption | |||
| algorithm. ISAKMP produces the requested amount of keying material | ||||
| from which the service MUST generate a suitable key. Details, such | ||||
| as weak key checks, are the responsibility of the service. | ||||
| For example, if (ficticious) algorithm AKULA requires 320-bits of key (and | Encryption keys used to protect the ISAKMP SA are derived from | |||
| has no weak key check) and the prf used to generate SKEYID_e only generates | SKEYID_e in an algorithm-specific manner. When SKEYID_e is not long | |||
| 120 bits of material, the key for AKULA, would be the first 320-bits of | enough to supply all the necessary keying material an algorithm | |||
| Ka, where: | requires, the key is derived from feeding the results of a pseudo- | |||
| random function into itself, concatenating the results, and taking | ||||
| the highest necessary bits. | ||||
| Ka = SKEYID_e | prf(SKEYID_e | 1) | prf(SKEYID_e | 2) | For example, if (ficticious) algorithm AKULA requires 320-bits of key | |||
| (and has no weak key check) and the prf used to generate SKEYID_e | ||||
| only generates 120 bits of material, the key for AKULA, would be the | ||||
| first 320-bits of Ka, where: | ||||
| where prf is the HMAC version of the negotiated hash function. SKEYID_e | Ka = K1 | K2 | K3 | |||
| provides 120-bits, and each of the two additional hashes provide 120-bits, | and | |||
| for a total of 360 bits. | K1 = prf(SKEYID_e, 0) | |||
| K2 = prf(SKEYID_e, K1) | ||||
| K3 = prf(SKEYID_e, K2) | ||||
| Material for the initialization vector (IV material) for CBC mode encryption | where prf is the HMAC version of the negotiated hash function or the | |||
| algorithms is derived from a hash of a concatenation of the initiator's | negotiated prf. Each result of the prf provides 120 bits of material | |||
| public Diffie-Hellman value and the responder's public Diffie-Hellman value | for a total of 360 bits. AKULA would use the first 320 bits of that | |||
| using the negotiated hash algorithm. | 360 bit string. | |||
| In phase 1, material for the initialization vector (IV material) for | ||||
| CBC mode encryption algorithms is derived from a hash of a | ||||
| concatenation of the initiator's public Diffie-Hellman value and the | ||||
| responder's public Diffie-Hellman value using the negotiated hash | ||||
| algorithm. This is used for the first message only. Each message | ||||
| should be padded up to the nearest block size using bytes containing | ||||
| 0x00. The message length in the header MUST include the length of the | ||||
| pad since this reflects the size of the cyphertext. Subsequent | ||||
| messages MUST use the last CBC encryption block from the previous | ||||
| message as their initialization vector. | ||||
| In phase 2, material for the initialization vector for CBC mode | ||||
| encryption of the first message of a Quick Mode exchange is derived | ||||
| from a hash of a concatenation of the last phase 1 CBC output block | ||||
| and the phase 2 message id using the negotiated hash algorithm. The | ||||
| IV for subsequent messages within a Quick Mode exchange is the CBC | ||||
| output block from the previous message. Padding and IVs for | ||||
| subsequent messages are done as in phase 1. | ||||
| Note that the final phase 1 CBC output block, the result of | ||||
| encryption/decryption of the last phase 1 message, must be retained | ||||
| in the ISAKMP SA state to allow for generation of unique IVs for each | ||||
| Quick Mode. Each phase 2 exchange generates IVs independantly to | ||||
| prevent IVs from getting out of sync when two different Quick Modes | ||||
| are started simultaneously. | ||||
| The key for DES-CBC is derived from the first eight (8) non-weak and | The key for DES-CBC is derived from the first eight (8) non-weak and | |||
| semi-weak (see Appendix A) bytes of SKEYID_e. The IV is the first 8 bytes | semi-weak (see Appendix A) bytes of SKEYID_e. The IV is the first 8 | |||
| of the IV material derived above. | bytes of the IV material derived above. | |||
| The key for IDEA-CBC is derived from the first sixteen (16) bytes of SKEYID_e. | The key for IDEA-CBC is derived from the first sixteen (16) bytes of | |||
| The IV is the first 8 bytes of the IV material derived above. | SKEYID_e. The IV is the first eight (8) bytes of the IV material | |||
| derived above. | ||||
| The key for Blowfish-CBC is derived from the first fifty-six (56) bytes of | The key for Blowfish-CBC is either the negotiated key size, or the | |||
| a key derived in the method described above, by concatenating successive | first fifty-six (56) bytes of a key (if no key size is negotiated) | |||
| hashes onto SKEYID_e until the requesite number of bytes has been achieved. | derived in the aforementioned pseudo-random function feedback method. | |||
| The IV is the first 8 bytes of the IV material derived above. | The IV is the first eight (8) bytes of the IV material derived above. | |||
| Editors' Addresses: | The key for RC5-R12-B64-CBC is the negotiated key length, or the | |||
| first sixteen (16) bytes of a key (if no key size is negotiated) | ||||
| derived from the aforementioned pseudo-random function feedback | ||||
| method if necessary. The IV is the first eight (8) bytes of the IV | ||||
| material derived above. The number of rounds MUST be 12 and the block | ||||
| size MUST be 64. | ||||
| The key for 3DES-CBC is the first twenty-four (24) bytes of a key | ||||
| derived in the aforementioned pseudo-random function feedback method. | ||||
| 3DES-CBC is an encrypt-decrypt-encrypt operation using the first, | ||||
| middle, and last eight (8) bytes of the entier 3DES-CBC key. The IV | ||||
| is the first eight (8) bytes of the IV material derived above. | ||||
| The key for CAST-CBC is either the negotiated key size, or the first | ||||
| sixteen (16) bytes of a key derived in the aforementioned pseudo- | ||||
| random function feedback method. The IV is the first eight (8) bytes | ||||
| of the IV material derived above. | ||||
| Support for algorithms other than DES-CBC is purely optional. Some | ||||
| optional algorithms may be subject to intellectual property claims. | ||||
| Authors' Addresses: | ||||
| Dan Harkins <dharkins@cisco.com> | Dan Harkins <dharkins@cisco.com> | |||
| Dave Carrel <carrel@cisco.com> | ||||
| cisco Systems | cisco Systems | |||
| 170 W. Tasman Dr. | 170 W. Tasman Dr. | |||
| San Jose, California, 95134-1706 | San Jose, California, 95134-1706 | |||
| United States of America | United States of America | |||
| +1 408 526 4000 | +1 408 526 4000 | |||
| Editors' Note: | Dave Carrel <carrel@ipsec.org> | |||
| 76 Lippard Ave. | ||||
| San Francisco, CA 94131-2947 | ||||
| United States of America | ||||
| +1 415 337 8469 | ||||
| The editors encourage independent implementation, and | Authors' Note: | |||
| The authors encourage independent implementation, and | ||||
| interoperability testing, of this hybrid exchange. | interoperability testing, of this hybrid exchange. | |||
| End of changes. 105 change blocks. | ||||
| 262 lines changed or deleted | 411 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||