
Database of Long-Lived Symmetric Cryptographic Keys

Document type: Active Internet-Draft (karp WG)
Document stream: IETF
Last updated: 2014-02-04 (latest revision 2013-12-05)
Intended RFC status: Proposed Standard

IETF State: Submitted to IESG for Publication
Consensus: Yes
Document shepherd: Brian Weis
Shepherd Write-Up: Last changed 2013-08-06

IESG State: RFC Ed Queue
IANA Action State: RFC-Ed-Ack
RFC Editor State: AUTH48
Responsible AD: Adrian Farrel

INTERNET-DRAFT                                               R. Housley
Internet Engineering Task Force (IETF)                   Vigil Security
Intended Status: Standards Track                                T. Polk
                                                             S. Hartman
                                                      Painless Security
                                                               D. Zhang
Expires: 4 June 2014                                    4 December 2013

          Database of Long-Lived Symmetric Cryptographic Keys


   This document specifies the information contained in a conceptual
   database of long-lived cryptographic keys used by many different
   routing protocols for message security.  The database is designed to
   support both manual and automated key management.  In addition to
   describing the schema for the database, this document describes the
   operations that can be performed on the database as well as the
   requirements for the routing protocols that wish to use the database.
   In many typical scenarios, the protocols do not directly use the
   long-lived key, but rather a key derivation function is used to
   derive a short-lived key from a long-lived key.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

Housley, et al                                                  [Page 1]

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

1. Introduction

   This document specifies the information that needs to be included in
   a database of long-lived cryptographic keys in order to key the
   cryptographic authentication of routing protocols.  This conceptual
   database is designed to separate protocol-specific aspects from both
   manual and automated key management.  The intent is to allow many
   different implementation approaches to the specified cryptographic
   key database, while simplifying specification and heterogeneous
   deployments.  This conceptual database avoids the need to build
   knowledge of any security protocol into key management protocols. It
   minimizes protocol-specific knowledge in operational/management
   interfaces, but it constrains where that knowledge can appear.
   Textual conventions are provided for the representation of keys and
   other identifiers. These conventions should be used when presenting
   keys and identifiers to operational/management interfaces or reading
   keys/identifiers from these interfaces. This satisfies the
   operational requirement that all implementations represent the keys
   and key identifiers in the same way so that cross-vendor
   configuration instructions can be provided.
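   To make the paragraph above and the abstract's point concrete (the
   conceptual table holds long-lived keys with lifetimes, keys are presented
   to management interfaces in a fixed textual form, and protocols usually
   derive a short-lived key from the stored one through a KDF), here is an
   added Python sketch that is not part of the draft. Field names, the hex
   textual convention, the KDF labels and HMAC-SHA-256 as the KDF are all
   assumptions of this example; the excerpt above does not specify them.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class KeyTableEntry:
    # Field names are assumptions modeled on the key table's schema, not the draft's.
    local_key_name: str      # identifier the local system uses for the key
    peers: frozenset         # peer names this entry applies to
    protocol: str            # routing protocol, e.g. "OSPFv2"
    kdf: str                 # "none" or "HMAC-SHA-256" (labels assumed)
    key: bytes               # the long-lived key itself
    send_start: int          # lifetimes as Unix timestamps, end exclusive
    send_end: int
    accept_start: int
    accept_end: int

def key_from_hex(text: str) -> bytes:
    """Assumed textual convention: a key is presented as hex digits."""
    return bytes.fromhex(text.replace(" ", ""))

def derive_key(entry: KeyTableEntry, context: bytes) -> bytes:
    """Short-lived key for one session; the long-lived key is used directly only for KDF "none"."""
    if entry.kdf == "none":
        return entry.key
    if entry.kdf == "HMAC-SHA-256":
        return hmac.new(entry.key, context, hashlib.sha256).digest()
    raise ValueError(f"unsupported KDF {entry.kdf!r}")

def send_entry(table, protocol: str, peer: str, now: int) -> KeyTableEntry:
    """Exactly one entry may be valid for sending at a time; overlapping send lifetimes are an error."""
    hits = [e for e in table if e.protocol == protocol and peer in e.peers
            and e.send_start <= now < e.send_end]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} send keys for {peer} at {now}")
    return hits[0]

def accept_entries(table, protocol: str, peer: str, now: int) -> list:
    """Several entries may be accepted at once so rollover is seamless."""
    return [e for e in table if e.protocol == protocol and peer in e.peers
            and e.accept_start <= now < e.accept_end]

# Constructed rollover: KEY-A hands over to KEY-B at t=2000; both are
# accepted during the overlap window 1900..2100.
TABLE = (
    KeyTableEntry("KEY-A", frozenset({"rtr2"}), "OSPFv2", "none",
                  key_from_hex("0123456789abcdef"), 1000, 2000, 900, 2100),
    KeyTableEntry("KEY-B", frozenset({"rtr2"}), "OSPFv2", "HMAC-SHA-256",
                  key_from_hex("fedcba9876543210"), 2000, 3000, 1900, 3100),
)
```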

   Routing protocols can employ the services of more generic security
   protocols such as TCP-AO [RFC5925].  Implementations of routing
   protocols may need to supply keys to databases specific to these
   security protocols as the associated entries in this document's
   conceptual database are manipulated.

   In many instances, the long-lived keys are not used directly in
   security protocols, but rather a key derivation function is used to
   derive short-lived keys from the long-lived key in the database.  In
