[Search] [pdf|bibtex] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01                                                         
IPSEC Working Group                       R. Canetti, P. Cheng, H. Krawczyk
INTERNET-DRAFT                                IBM Research and the Technion
draft-ietf-ipsec-revised-enc-mode-01.txt                         July  1997
Expire in six months

               A revised encryption mode for ISAKMP/Oakley

                          Status of this Memo

   This document is an Internet Draft. Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and working groups.  Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet Drafts as reference
   material or to cite them other than as "work in progress."

   To learn the current status of any Internet Draft, please check the
   "1id-abstracts.txt" listing contained in the Internet Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Australia), ds.internic.net (US East Coast), or
   ftp.isi.edu (US West Coast).

   1. Abstract

   The ISAKMP/Oakley document [HC97] describes a proposed standard for
   using the Oakley Key Exchange Protocol in conjunction with ISAKMP to
   obtain authenticated and secret keying material for use with ISAKMP,
   and for other security associations such as AH and ESP for the IETF
   IPsec DOI.

   The public-key encryption method of carrying out Phase 1 of the key
   exchange in the ISAKMP/Oakley document provides significant security
   advantages over the other alternatives and should be the method of
   choice in many implementations. Unfortunately, as currently
   described in [HC97] the method requires two public key
   encryption and decryption operations from both the Initiator and
   the Responder. The present document describes a small modification
   to this method. The resulting scheme requires only one public key
   encryption and decryption operation from each party, while maintaining
   (and even improving on) the strong security properties of the
   ISAKMP/Oakley public-key encryption mode.

   Remark: This document is NOT self-contained, it is intended as an
   addendum to the authentication methods defined in [HC97].
   In particular, it uses notation and definitions of [HC97].
   Thus, it is best read in conjunction with [HC97].

Canetti, Cheng, Krawczyk                                        [Page i]

INTERNET DRAFT                                             July  1997

   2. Introduction

   The ISAKMP/Oakley  protocol [HC97] defines three alternative methods
   of carrying out Phase 1 of the key exchange. Two of these methods
   are usable by parties that do not already share a secret key.
   These are the Signature Method (Section 5.1 in [HC97]) and the
   Encryption Method (Section 5.2 in [HC97]).

   The Encryption Method enjoys several significant advantages over the
   Signature Method. These advantages are sketched in Section 5.
   However, in the ISAKMP/Oakley draft the Encryption Method requires
   TWO public key encryption and decryption operations for each party.
   This is unnecessarily expensive. (In overloaded or weak processors
   the extra exponentiation may have a significantly adverse effect in

   This document describes a simple modification of the ISAKMP/Oakley
   Encryption Method. The resulting method enjoys the same security
   advantages, and requires only ONE public key encryption and decryption
   operation for each party. This method, called the Revised Encryption
   Method, is presented as an alternative method to the ISAKMP/Oakley
   Encryption Method. In fact, the revised method enjoys even additional
   security advantages on top of the ISAKMP/Oakley Encryption Method,
   as elaborated below. The required changes are minimal.

   The change from the ISAKMP/Oakley Encryption Method is basically as
   follows. There, each party's identity and nonce are encrypted via
   TWO separate applications of the public-key encryption algorithm.
   (In fact, if the party's identity is long then this may require
   additional applications of the public-key encryption algorithm.)

   In the Revised Encryption Method the nonce is still encrypted
   using the public-key encryption algorithm. However, the sending
   party's identity (and also the certificate, if it is sent) is
   encrypted via symmetric encryption (e.g. DES), with a key derived
   from the nonce. This solution adds no significant complexity to the
   implementation and saves a costly long (RSA or other) exponentiation.
   In addition, the Key Exchange payload (ie. the DH challenges) is also
   encrypted using the same derived key. This provides additional
   protection against cryptanalysis of the DH exchange.

   The Revised Encryption mode has another advantage. The (optional)
   Certificate payload is also encrypted using the same derived key.
   Consequently anonymity is preserved even if the certificate is sent
   as part of the exchange.

   The rest of this document is organized as follows. In Section 3
   the Revised Encryption Method is described. The description is
   written in a way so that Section 3 can be read as a replacement to
   Section 5.2 in [HC97]. Section 4 specifies default algorithms.

Canetti, Cheng, Krawczyk                                        [Page 1]

INTERNET DRAFT                                             July  1997

   Section 5 discusses some security advantages of the Encryption
   Method relative to the Signature method.   (These advantages are
   shared by the Revised Encryption Method.) Appendix A holds the
   authentication method value of the new method (see ISAKMP [MSST96]
   and Appendix A of [CH97]).

   3. The new method: Revised Encryption Method of Oakley Phase 1

   Using public key encryption to authenticate the exchange, the
   ancillary information exchanged is encrypted nonces. Each party's
   ability to reconstruct a hash (proving that the other party decrypted
   the nonce) authenticates the exchange.

   In order to perform the public key encryption, the initiator must
   already have the responder's public key. In the case where a party
   has multiple public keys, a hash of the certificate of the initiator
   used to encrypt the ancillary information is passed as part of the
   third message. In this way the responder can determine which
   corresponding private key to use to decrypt the encrypted payloads
   and identity protection is retained.

   The nonces are encrypted with the other party's public key.
   The Key Exchange payloads (KE) and the identities
   of the parties (IDii and IDir) are encrypted with the negotiated
   symmetric encryption algorithm (e.g DES), using a key derived from
   the nonce. If the Initiator's certificate is passed from Initiator
   to Responder then, for anonymity, the certificate is also encrypted
   under the same key. In all these cases only the body of the payload
   is encrypted, the payload header is left in the clear; and the length
   field in the payload header is the length of the ciphertext (including
   any pre-pended information and padding) plus the size of the payload

   That is, Phase 1 (Main Mode) is defined as follows.

          Initiator                        Responder
         -----------                      -----------
          HDR, SA                   -->
                                    <--    HDR, SA
          HDR, [ HASH(1), ]
            <Ni>PubKey_r            -->
                                    <--  HDR, <Nr>PubKey_i
          HDR*, HASH_I              -->
                                    <--    HDR*, HASH_R

Canetti, Cheng, Krawczyk                                        [Page 2]

INTERNET DRAFT                                             July  1997

   HASH(1) is a hash (using the negotiated hash function) of the
   responder's certificate which the initiator is using to encrypt
   the nonce.

   The values of HASH_I and HASH_R are as defined in [HC97], namely,

      HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAp | IDii)
      HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAp | IDir)

   with SKEYID (also defined in [HC97]) being:

      SKEYID = prf(Ni | Nr, CKY-I | CKY-R)

   The notation <...>PubKey refers to public key encryption
   (e.g.  using the RSA algorithm) while the notation <...>Ke
   refers to encryption under the negotiated symmetric cipher.
   The keys for the symmetric cipher are derived as follows.
   First, compute the values Ne_i and Ne_r:

         Ne_i = prf(Ni, CKY-I)
         Ne_r = prf(Nr, CKY-R)

   Next, the keys Ke_i and Ke_r are derived from Ne_i and Ne_r,
   respectively, in the way described in Appendix B of [HC97].
   That is, to derive Ke_i run the procedure described in Appendix B of
   [HC97] for deriving encryption keys used to protect the ISAKMP SA,
   but replacing SKEYID_e with Ne_i. To derive Ke_r run the
   procedure described in Appendix B of [HC97], where SKEYID_e is
   replaced by Ne_r.

   For completeness, we detail the  procedure for deriving Ke_i.
   Ke_r is derived analogously. If the desired length of Ke_i is
   at most the length of Ne_i then Ke_i is the sufficient number
   of most significant bits of Ne_i. If the desired length of Ke_i
   exceeds the length of Ne_i then more bits are generated by applying
   the prf with Ne_i as the key and a byte of 0 as the input.
   The output of the prf is fed back into itself until sufficient
   number of bits are generated. For example, if the output of prf
   is 128-bit long and Ne_i needs to be 320-bit long, then Ne_i is
   the most significant 320 bits of K, where K = K1 | K2 | K3  and

           K1 = prf(Ne_i, 0)
           K2 = prf(Ne_i, K1)
           K3 = prf(Ne_i, K2)

   Note that the values of Ke_i and Ke_r are ephemeral and discarded
   after this use.

Canetti, Cheng, Krawczyk                                        [Page 3]

INTERNET DRAFT                                             July  1997

   If CBC mode is used for the symmetric encryption then the
   initialization vectors (IV) are set as follows. The IV for
   encrypting KE is set to 0. The IV for encrypting IDii (resp., IDir)
   is the last ciphertext block of <KE>Ke_i (resp., <KE>Ke_r).
   The IV for encrypting the certificate
   is the last ciphertext block of <IDii>Ke_i (resp., <IDir>Ke_r).
   Encrypted payloads are padded up to the nearest block
   size. All padding bytes, except for the last one, contain 0x00.
   The last byte of the padding contains the number of the padding
   bytes used, excluding the last one.
   Note that this means that there will always be padding.
   Note also that the IV chaining method used here implies that KE,
   the ID and the certificate have to be encrypted in that order.
   (We stress that this encryption order does not require that these
   payloads appear in that same order in the ISAKMP message; indeed
   [MSST96] does allow for arbitrary ordering of these payloads).

   When a Certificate payload is sent in the context of the Revised
   Encryption Method, it MUST be encrypted in the manner described above.

   Oakley Aggressive Mode in conjunction with the Revised Encryption
   Method is described as follows (using the same notation as above):

          Initiator                        Responder
         -----------                      -----------
          HDR, SA, [ HASH(1),]
            <IDii>Ke_i               -->
                                           HDR, SA, <Nr>PubKey_i,
                                    <--         <IDir>Ke_r, HASH_R
          HDR, HASH_I               -->

   RSA encryption MUST be encoded in PKCS #1 format.  The PKCS
   #1 encoding allows for determination of the actual length of the
   cleartext payload upon decryption.

   4. Algorithms

   The above mode can use any public key encryption algorithm.
   Implementations SHOULD support RSA encryption (see Appendix A
   for the corresponding authentication method value), and MUST
   support DES-CBC as specified in [HC97] for payload encryption.

Canetti, Cheng, Krawczyk                                        [Page 4]

INTERNET DRAFT                                             July  1997

   5. Security Considerations

   In this section we sketch the advantages of authentication by
   public-key encryption, as opposed to authentication by signature.
   First, in the Encryption mode an attacker has to break BOTH the
   the public key encryption in use (e.g. RSA) and DH exchange
   in order to learn the agreed key. In the Signature Mode breaking the
   DH exchange is sufficient. This is a substantial security advantage
   in a scenario where the same prime is used  to secure a large number
   of exchanges: such a prime will become an attractive
   target for cryptanalysis, thus it may provide only weak security.
   It also adds protection against a party that chooses weak parameters
   in the DH exchange, such as a weak prime or short exponents.
   This aspect of security is further enhanced by the encryption of the
   KE payload.

   Next, using encryption for authentication provides for a plausibly
   deniable exchange. There is no proof (in contrast to the use of
   digital signatures) that the conversation ever took place since each
   party could have generated both sides of the exchange.

   Furthermore, unlike other authentication methods, authentication with
   public key encryption allows for identity protection even in
   Aggressive Mode (even certificates are protected in this case).

   We remark that both the ISAKMP/Oakley Encryption Method and the
   Revised Encryption method described here are based on a similar
   mode in [Kra96] where a more extensive discussion on the above issues
   and analysis of security can be found.

   6. Acknowledgments

   We thank Dan Harkins for helpful discussions and suggestions.

   7. References

   [HC97] Harkins, D. and D. Carrel, "The resolution of ISAKMP with
   Oakley", draft-ietf-ipsec-isakmp-oakley-04.txt, July 1997.

   [Kra96] Krawczyk, H., "SKEME: A Versatile Secure Key Exchange
   Mechanism for Internet", from IEEE Proceedings of the 1996 Symposium
   on Network and Distributed Systems Security.

   [MSST96] Maughhan, D., Schertler, M., Schneider, M., and Turner, J.,
   "Internet Security Association and Key Management Protocol (ISAKMP)",
   version 8, draft-ietf-ipsec-isakmp-08.{ps,txt}.

   [Pip96] Piper, D., "The Internet IP Security Domain Of Interpretation
   for ISAKMP", version 3, draft-ietf-ipsec-ipsec-doi-03.txt.

Canetti, Cheng, Krawczyk                                        [Page 5]

INTERNET DRAFT                                             July  1997

   Appendix A: XCHG attribute assigned number

   This Appendix defines a new authentication method value for the
   Revised Encryption Method.  This value is to be negotiated in
   Phase 1 (see [MSST96] and Appendix A in [HC97]).  The value is:

             authentication method value

              Revised RSA Encryption              5

   Authors'  Addresses:

Ran Canetti                              Pau-Chen Cheng
IBM TJ Watson Research Center            IBM TJ Watson Research Center
POB. 704, Yorktown Heights,              POB. 704, Yorktown Heights,
NY 10598                                 NY 10598
Tel. 1-914-784-7076                      Tel. 1-914-784-7446
canetti@watson.ibm.com                   pau@watson.ibm.com

Hugo Krawczyk
IBM TJ Watson Research Center
POB. 704, Yorktown Heights,
NY 10598

Canetti, Cheng, Krawczyk                                        [Page 6]