IPSEC Working Group                       R. Canetti, P. Cheng, H. Krawczyk
INTERNET-DRAFT                                IBM Research and the Technion
draft-ietf-ipsec-dhless-enc-mode-00.txt                           July 1998
Expire in six months


                  A DH-less encryption mode for IKE
               <draft-ietf-ipsec-dhless-enc-mode-00.txt>


                          Status of this Memo

   This document is an Internet Draft. Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and working groups.  Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet Drafts as reference
   material or to cite them other than as "work in progress."

   To view the entire list of current Internet-Drafts, please check
   the "1id-abstracts.txt" listing contained in the Internet-Drafts
   Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
   (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au
   (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu
   (US West Coast).



   1. Abstract

   The IKE document [HC98] describes a key exchange protocol for
   obtaining authenticated and secret keying material for use with ISAKMP,
   and for other security associations such as AH and ESP for the IETF
   IPsec DOI.

   All the current modes for carrying out Phase 1 of the key exchange
   in [HC98] incorporate a Diffie-Hellman exponentiation. While the DH
   exponentiation enhances the security of the exchange (and in particular
   provides perfect forward secrecy (PFS)), this enhanced secrecy comes
   at a computational cost. In cases where PFS is not a requirement, most
   notably in authentication-only scenarios, less expensive solutions
   are possible.

   This draft describes a "DH-less" version of the (revised) public-
   key encryption mode of [HC98]. This saves the DH exponentiation,
   which may be significant (especially on low-end machines and busy servers).
   The proposed mode is VERY similar to the existing modes and requires
   only minimal modifications. In particular, it is straightforward
   to implement as an addition to the existing modes.

   Remark: This document is NOT self-contained. It uses notation and
   definitions of [HC98]. It is best read in conjunction with [HC98].


Canetti, Cheng, Krawczyk                                        [Page i]


INTERNET DRAFT                                                  May 1998


   2. Introduction

   The IKE protocol [HC98] defines four alternative modes of
   carrying out Phase 1 of the key exchange. Three of these modes are
   usable by parties that do not already share a secret key. These are
   the Signature Mode and the (original and revised) Public Key
   Encryption Modes.

   All three public-key based modes involve a Diffie-Hellman
   exponentiation. While this is essential in the Signature Mode, the
   Public Key Encryption Mode can be easily modified to do without
   the DH exponentiation (following [SKEME]).

   The main advantage of the DH exponentiation is perfect forward secrecy
   (PFS): an attacker that breaks the public key encryption at a later
   time (either by cryptanalysis or by obtaining the private key) still
   cannot compute g^xy from g^x and g^y, thus it cannot decipher messages
   encrypted with a key that was computed using g^xy.

   While PFS is very important for some applications, it is not
   a requirement for others. Two important examples are security
   associations that are used only for authentication, and associations
   that need only "ephemeral secrecy" (for example, timely stock quotes).
   See [SKEME] for further discussion.

   This draft describes a "DH-less" variant of the (revised) Public Key
   Encryption Mode. This variant does NOT provide PFS, and the security
   of the key is based solely on the security of the public key encryption
   algorithm in use. It avoids the DH exponentiations. This may be
   a considerable saving, especially for low-end machines or busy servers
   that authenticate all outgoing data.
   We note that in order to learn an exchanged key the attacker needs to
   find the secret private keys of BOTH Initiator AND Responder.

   The modifications from the current (revised) public key encryption mode
   are minimal. Simply delete the DH payloads (<KE_b>Ke_i and <KE_b>Ke_r)
   and in the ensuing computations set g^x = g^y = g^xy = 0 (one octet).



   The rest of this document is organized as follows. In Section 3
   the DH-less Encryption Mode is described. The description is
   written in a way so that Section 3 can be read as an additional
   subsection in Section 5 of [HC98]. Appendix A holds the authentication
   mode value of the new mode (see ISAKMP [MSST98] and Appendix A
   of [HC98]).


   3. Phase 1 Authenticated With a DH-less Mode of Public Key Encryption


   This mode is identical to the Revised PK Encryption Mode
   (Section 5.3 in [HC98]), except for the omission of the DH payloads.
   When using the DH-less encryption mode for authentication, Main Mode
   is defined as follows.

        Initiator                        Responder
       -----------                      -----------
        HDR, SA                   -->
                                  <--    HDR, SA
        HDR, [ HASH(1), ]
          <Ni_b>Pubkey_r,
          <IDii_b>Ke_i,
          [<Cert-I_b>Ke_i]        -->
                                         HDR, <Nr_b>PubKey_i,
                                  <--         <IDir_b>Ke_r
        HDR*, HASH_I              -->
                                  <--    HDR*, HASH_R

   Aggressive Mode authenticated with the DH-less encryption mode is
   described as follows:

        Initiator                        Responder
       -----------                      -----------
        HDR, SA, [ HASH(1),]
          <Ni_b>Pubkey_r,
          <IDii_b>Ke_i
          [, <Cert-I_b>Ke_i ]     -->
                                         HDR, SA, <Nr_b>PubKey_i,
                                              <IDir_b>Ke_r,
                                  <--         HASH_R
        HDR, HASH_I               -->

   where HASH(1) is identical to section 5.2 in [HC98]. For the purpose
   of calculating HASH_I and HASH_R the values of g^xi and g^xr are
   set to an octet of 0. For the purpose of calculating SKEYID_d, SKEYID_a,
   and SKEYID_e, the value g^xy is set to an octet of 0.
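   The key and hash derivations above, carried out with the DH values
   replaced by a single zero octet. This is an added illustration, not
   code from the draft or from any IKE implementation; it assumes the
   SKEYID, SKEYID_{d,a,e}, HASH_I and HASH_R formulas of [HC98] for the
   public key encryption modes, HMAC-SHA1 as the negotiated prf/hash,
   and constructed sample nonces, cookies, SA and ID payloads.

```python
import hashlib
import hmac

# The draft replaces every DH value (g^xi, g^xr, g^xy) by one zero octet.
ZERO_OCTET = b"\x00"

def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf is HMAC over the negotiated hash; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_pk_enc(ni_b: bytes, nr_b: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    """Public key encryption modes: SKEYID = prf(hash(Ni_b | Nr_b), CKY-I | CKY-R)."""
    return prf(hashlib.sha1(ni_b + nr_b).digest(), cky_i + cky_r)

def derive_skeyid_d_a_e(skeyid: bytes, cky_i: bytes, cky_r: bytes,
                        gxy: bytes = ZERO_OCTET) -> tuple:
    """SKEYID_d/_a/_e as in [HC98]; gxy defaults to the DH-less zero octet."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e

def hash_i(skeyid, cky_i, cky_r, sai_b, idii_b, gxi=ZERO_OCTET, gxr=ZERO_OCTET):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)

def hash_r(skeyid, cky_i, cky_r, sai_b, idir_b, gxi=ZERO_OCTET, gxr=ZERO_OCTET):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)

# Constructed sample values (not from the draft): nonces, cookies, SA and IDs.
NI_B, NR_B = bytes(range(16)), bytes(range(16, 32))
CKY_I, CKY_R = b"\x01" * 8, b"\x02" * 8
SAI_B, IDII_B, IDIR_B = b"sa-proposal", b"initiator@example", b"responder@example"

def dhless_exchange() -> dict:
    """All keying material follows from the two encrypted nonces and the cookies."""
    skeyid = skeyid_pk_enc(NI_B, NR_B, CKY_I, CKY_R)
    d, a, e = derive_skeyid_d_a_e(skeyid, CKY_I, CKY_R)
    return {
        "skeyid": skeyid, "skeyid_d": d, "skeyid_a": a, "skeyid_e": e,
        "hash_i": hash_i(skeyid, CKY_I, CKY_R, SAI_B, IDII_B),
        "hash_r": hash_r(skeyid, CKY_I, CKY_R, SAI_B, IDIR_B),
    }

if __name__ == "__main__":
    for name, value in dhless_exchange().items():
        print(f"{name:9} {value.hex()}")
```

   Because no g^xy enters the derivation, recovering Ni_b and Nr_b (which
   requires both peers' private decryption keys) is sufficient to recompute
   every key above, which is exactly the absence of PFS noted in Section 2.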


   4. Security Considerations

   The public key encryption modes of authentication in IKE require
   strong public key encryption. In particular, resistance to strong
   attacks generally known as "chosen ciphertext attacks" (CCA) is
   necessary.  This is a practical need as well as the basis for a sound
   analysis of these protocols [BeCaKr].  Recently, an explicit chosen
   ciphertext attack on the PKCS #1 encryption standard was demonstrated
   [Ble]. RSA Labs., the authors of PKCS#1, are preparing a new release
   of PKCS #1 that will include the OAEP format of RSA encryption [RSAlabs].
   It is strongly recommended that IKE specifications and implementations
   move to that format which was designed to resist CCA and other attacks.



   References
   ==========

   [BeCaKr] Bellare, M., Canetti, R., and Krawczyk, H.,
   "A Modular Approach to the Design and Analysis of Authentication and
   Key Exchange Protocols", Proceedings of the Thirtieth ACM Symposium on
   the Theory of Computation, May 1998.

   [Ble] Bleichenbacher, D., "Chosen Ciphertext Attacks Against Protocols
   Based on the RSA Encryption Standard PKCS #1", Proceedings of Crypto'98,
   August 1998. To appear.

   [HC98] Harkins, D. and D. Carrel, "The resolution of ISAKMP with
   Oakley", draft-ietf-ipsec-isakmp-oakley-08.txt, June 1998.

   [SKEME] Krawczyk, H., "SKEME: A Versatile Secure Key Exchange
   Mechanism for Internet", IEEE Proceedings of the 1996 Symposium
   on Network and Distributed Systems Security.

   [MSST98] Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
   "Internet Security Association and Key Management Protocol (ISAKMP)",
   version 9, draft-ietf-ipsec-isakmp-09.{ps,txt}.

   [Pip96] Piper, D., "The Internet IP Security Domain Of Interpretation
   for ISAKMP", version 2, draft-ietf-ipsec-ipsec-doi-02.txt.

   [RSAlabs] http://www.rsa.com/rsalabs/pkcs1/oem_counter.html





   Appendix A: XCHG attribute assigned number
   =========================================

   This Appendix defines a new authentication mode value for the
   DH-less Encryption Mode.  This value is to be negotiated in
   Phase 1 (see [MSST98] and Appendix A in [HC98]).  The value is:


             authentication mode value
             ---------------------------

              DHless RSA Encryption              6




   Authors' Addresses:
   ===================


Ran Canetti                              Pau-Chen Cheng
IBM TJ Watson Research Center            IBM TJ Watson Research Center
POB. 704, Yorktown Heights,              POB. 704, Yorktown Heights,
NY 10598                                 NY 10598
Tel. 1-914-784-7076                      Tel. 1-914-784-7446
canetti@watson.ibm.com                   pau@watson.ibm.com

Hugo Krawczyk
IBM TJ Watson Research Center
POB. 704, Yorktown Heights,
NY 10598
hugo@ee.technion.ac.il
