Secure PSK Authentication for IKE
draft-harkins-ipsecme-spsk-auth-07

The information below is for an old version of the document
Document Type Active Internet-Draft (individual in sec area)
Last updated 2012-03-15 (latest revision 2012-03-09)
Stream IETF
Intended RFC status Experimental
Formats plain text pdf html
Stream WG state (None)
Consensus Unknown
Document shepherd None
IESG IESG state IESG Evaluation::Revised I-D Needed
Telechat date
Needs a YES.
Responsible AD spt
IESG note Paul Hoffman (paul.hoffman@vpnc.org) is the document shepherd.
Send notices to dharkins@arubanetworks.com, draft-harkins-ipsecme-spsk-auth@tools.ietf.org, paul.hoffman@vpnc.org
Network Working Group                                         D. Harkins
Internet-Draft                                            Aruba Networks
Intended status: Experimental                              March 9, 2012
Expires: September 10, 2012

                   Secure PSK Authentication for IKE
                   draft-harkins-ipsecme-spsk-auth-07

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 10, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions
   Relating to IETF Documents (http://trustee.ietf.org/license-info)
   in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   This memo describes a secure pre-shared key authentication method for
   IKE.  It is resistant to dictionary attack and retains security even
   when used with weak pre-shared keys.

Harkins                Expires September 10, 2012               [Page 1]
Internet-Draft      Secure PSK Authentication for IKE         March 2012

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Keyword Definitions  . . . . . . . . . . . . . . . . . . .  3
   2.  Usage Scenarios  . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Notation . . . . . . . . . . . . . . . . . . . . . . . . . . .  4
   4.  Discrete Logarithm Cryptography  . . . . . . . . . . . . . . .  5
     4.1.  Elliptic Curve Cryptography (ECP) Groups . . . . . . . . .  5
     4.2.  Finite Field Cryptography (MODP) Groups  . . . . . . . . .  6
   5.  Random Numbers . . . . . . . . . . . . . . . . . . . . . . . .  7
   6.  Using Passwords and Raw Keys For Authentication  . . . . . . .  8
   7.  Assumptions  . . . . . . . . . . . . . . . . . . . . . . . . .  9
   8.  Secure PSK Authentication Message Exchange . . . . . . . . . .  9
     8.1.  Negotiation of Secure PSK Authentication . . . . . . . . . 10
     8.2.  Fixing the Secret Element, SKE . . . . . . . . . . . . . . 10
       8.2.1.  ECP Operation to Select SKE  . . . . . . . . . . . . . 11
       8.2.2.  MODP Operation to Select SKE . . . . . . . . . . . . . 12
     8.3.  Encoding and Decoding of Group Elements and Scalars  . . . 13
       8.3.1.  Encoding and Decoding of Scalars . . . . . . . . . . . 13
       8.3.2.  Encoding and Decoding of ECP Elements  . . . . . . . . 13
       8.3.3.  Encoding and Decoding of MODP Elements . . . . . . . . 14
     8.4.  Message Generation and Processing  . . . . . . . . . . . . 14
       8.4.1.  Generation of a Commit . . . . . . . . . . . . . . . . 14
       8.4.2.  Processing of a Commit . . . . . . . . . . . . . . . . 15
         8.4.2.1.  Validation of an ECP Element . . . . . . . . . . . 15
         8.4.2.2.  Validation of a MODP Element . . . . . . . . . . . 15
         8.4.2.3.  Commit Processing Steps  . . . . . . . . . . . . . 15
       8.4.3.  Authentication of the Exchange . . . . . . . . . . . . 16
     8.5.  Payload Format . . . . . . . . . . . . . . . . . . . . . . 16
       8.5.1.  Commit Payload . . . . . . . . . . . . . . . . . . . . 16
     8.6.  IKEv2 Messaging  . . . . . . . . . . . . . . . . . . . . . 17
   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 18
   10. Security Considerations  . . . . . . . . . . . . . . . . . . . 19
   11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 20
   12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
     12.1. Normative References . . . . . . . . . . . . . . . . . . . 21
     12.2. Informative References . . . . . . . . . . . . . . . . . . 21
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 22

Harkins                Expires September 10, 2012               [Page 2]
Internet-Draft      Secure PSK Authentication for IKE         March 2012
Show full document text