Database of Long-Lived Symmetric Cryptographic Keys

The information below is for an old version of the document
Document Type Active Internet-Draft (karp WG)
Last updated 2012-10-22
Replaces draft-housley-saag-crypto-key-table
Stream IETF
Intended RFC status (None)
Formats plain text pdf html
Stream WG state WG Document
Document shepherd None
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
INTERNET-DRAFT                                               R. Housley
Internet Engineering Task Force (IETF)                   Vigil Security
Intended Status: Standards Track                                T. Polk
                                                             S. Hartman
                                                      Painless Security
                                                               D. Zhang
Expires: 22 April 2013                                  22 October 2012

          Database of Long-Lived Symmetric Cryptographic Keys

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Housley, et al                                                  [Page 1]
INTERNET-DRAFT                                          October 22, 2012


   This document specifies the information contained in a conceptual
   database of long-lived cryptographic keys used by many different
   security protocols.  The database is designed to support both manual
   and automated key management.  In addition to describing the schema
   for the database, this document describes the operations that can be
   performed on the database as well as the requirements for the
   security protocols that wish to use the database.  In many typical
   scenarios, the security protocols do not directly use the long-lived
   key, but rather a key derivation function is used to derive a short-
   lived key from a long-lived key.

1. Introduction

   This document specifies the information that needs to be included in
   a database of long-lived cryptographic keys in order to key the
   authentication of security protocols such as cryptographic
   authentication for routing protocols.  This conceptual database is
   designed to separate protocol-specific aspects from both manual and
   automated key management.  The intent is to allow many different
   implementation approaches to the specified cryptographic key
   database, while simplifying specification and heterogeneous
   deployments.  This conceptual database avoids the need to build
   knowledge of any security protocol into key management protocols. It
   minimizes protocol-specific knowledge in operational/management
   interfaces, but it constrains  where that knowledge can appear.
   Textual conventions are provided for the representation of keys and
   other identifiers. These conventions should be used when presenting
   keys and identifiers to operational/management interfaces or reading
   keys/identifiers from these interfaces. It is an operational
   requirement that all implementations represent the keys and key
   identifiers in the same way so that cross-vendor configuration
   instructions can be provided.

   Security protocols such as TCP-AO [RFC5925] are expected to use per-
   connection state.  Implementations may need to supply keys to the
   protocol-specific databases as the associated entries in the
   conceptual database are manipulated. In many instances, the long-
   lived keys are not used directly in security protocols, but rather a
   key derivation function is used to derive short-lived key from the
   long-lived keys in the database.  In other instances, security
Show full document text