IPSECME S. Shen
Internet-Draft Huawei
Updates: RFC4307 Y. Mao
(if approved) H3C
Expires: January 28, 2010 NSS. Murthy
Freescale Semiconductor
July 27, 2009
Using Advanced Encryption Standard (AES) Counter Mode with IKEv2
draft-ietf-ipsecme-aes-ctr-ikev2-00
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 28, 2010.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Shen, et al. Expires January 28, 2010 [Page 1]
Internet-Draft AES-CTR for IKEv2 July 2009
Abstract
This document describes the usage of Advanced Encryption Standard
Counter Mode (AES_CTR), with an explicit initialization vector, by
IKEv2 for encrypting the IKEv2 exchanges that follow the IKE_SA_INIT
exchange.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Conventions Used In This Document . . . . . . . . . . . . 3
2. AES Counter Mode . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Key Sizes and Rounds . . . . . . . . . . . . . . . . . . . 4
2.2. Block Size . . . . . . . . . . . . . . . . . . . . . . . . 4
3. IKEv2 Encrypted Payload . . . . . . . . . . . . . . . . . . . 5
3.1. Initialization Vector(IV) . . . . . . . . . . . . . . . . 5
3.2. Integrity Checksum Data . . . . . . . . . . . . . . . . . 5
4. Counter Block Format . . . . . . . . . . . . . . . . . . . . . 6
5. IKEv2 Conventions . . . . . . . . . . . . . . . . . . . . . . 8
5.1. Keying Material and Nonces . . . . . . . . . . . . . . . . 8
5.2. Encryption identifier . . . . . . . . . . . . . . . . . . 9
5.3. Key Length Attribute . . . . . . . . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 10
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
9.1. Normative References . . . . . . . . . . . . . . . . . . . 13
9.2. Informative References . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14
Shen, et al. Expires January 28, 2010 [Page 2]
Internet-Draft AES-CTR for IKEv2 July 2009
1. Introduction
IKEv2 [RFC4306] is a component of IPsec used for performing mutual
authentication and establishing and maintaining security associations
(SAs). [RFC4307] defines the set of algorithms that are mandatory to
implement as part of IKEv2, as well as algorithms that should be
implemented because they may be promoted to mandatory at some future
time. [RFC4307] requires that an implementation "SHOULD" support
Advanced Encryption Standard [AES] in Counter Mode [MODES] (AES_CTR)
as a Transform Type 1 Algorithm (encryption).
Although the [RFC4307] specifies that the AES_CTR encryption
algorithm feature SHOULD be supported by IKEv2, no existing document
specifies how IKEv2 can support the feature. This document provides
the specification and usage of AES-CTR counter mode by IKEv2.
All the IKEv2 messages that follow the initial exchange(IKE_SA_INIT)
are cryptographically protected using the cryptographic algorithms
and keys negotiated in the first two messages of the IKEv2 exchange.
These subsequent messages use the syntax of the IKEv2 Encrypted
Payload as explained in [RFC4306].
This document explains how IKEv2 makes use of AES_CTR algorithm for
encrypting IKE messages that follow initial exchange: The second pair
of messages (IKE_AUTH) in initial exchange, messages in
CREATE_CHILD_SA exchange, messages in INFORMATIONAL exchange.
1.1. Conventions Used In This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Shen, et al. Expires January 28, 2010 [Page 3]
Internet-Draft AES-CTR for IKEv2 July 2009
2. AES Counter Mode
Section 2 of [RFC3686] provides a description of AES_CTR mode
including its characteristics and implementation issues.
RFC 3686 explains the procedure to generate the key material required
when the ESP protocol employs AES-CTR for encryption.
The use of AES algorithm operations in IKEv2 is the same as what
defined in [AES]. The use of Counter Mode is defined the same as how
AES_CTR is used to encrypt ESP payload [RFC3686]. The choices of Key
Size, Rounds and Block Size are defined as following which are
compatible with [RFC3686].
2.1. Key Sizes and Rounds
AES supports three key sizes: 128 bits, 192 bits, and 256 bits. All
IKEv2 implementations MUST support the 128 key size. An IKEv2
implementation MAY support key sizes of 192 and 256 bits.
AES MUST use different rounds for each of the key sizes:
When a 128-bit key is used, implementations MUST use 10 rounds.
When a 192-bit key is used, implementations MUST use 12 rounds.
When a 256-bit key is used, implementations MUST use 14 rounds.
2.2. Block Size
The AES algorithm has a block size of 128 bits (16 octets), i.e., AES
generate 128 bits of key stream. For encryption or decryption, a
user XOR the key stream with 128 bits of plaintext or ciphertext
blocks. If the generated key stream is longer than the plaintext or
ciphertext, the extra key stream bits are simply discarded. For this
reason, AES-CTR does not require the plaintext to be padded to a
multiple of the block size.
Shen, et al. Expires January 28, 2010 [Page 4]
Internet-Draft AES-CTR for IKEv2 July 2009
3. IKEv2 Encrypted Payload
Section 3.14 of IKEv2 [RFC4306] explains the IKEv2 Encrypted Payload.
The encrypted Payload, denoted SK{...} contains other IKEv2 payloads
in encrypted form.
The payload includes an Initialization Vector(IV) whose length is
defined by the encryption algorithm negotiated. It also includes
Integrity Checksum data. These two fields are not encrypted.
3.1. Initialization Vector(IV)
The IV field MUST be eight octets when AES_CTR algorithm is used for
encryption. The IV MUST be chosen by the encryptor in a manner that
ensures that the same IV value is NOT used more than once with a
given encryption key. The encryptor can generate the IV in any
manner that ensures uniqueness. Common approaches to IV generation
include incrementing a counter for each packet and linear feedback
shift registers (LFSRs).
3.2. Integrity Checksum Data
Since it is trivial to construct a forgery AES_CTR ciphertext from a
valid AES_CTR ciphertext, IKEv2 MUST employ an integrity algorithm
when AES_CTR is selected for encrypting the IKEv2 payloads.
AUTH_HMAC_SHA1_96 [RFC2404] is a likely choice.
Shen, et al. Expires January 28, 2010 [Page 5]
Internet-Draft AES-CTR for IKEv2 July 2009
4. Counter Block Format
All the IKEv2 messages following the initial exchange are
cryptographically protected using the cryptographic algorithms and
keys negotiated in the first two messages of the IKEv2 exchange.
These subsequent messages use the syntax of the IKEv2 Encrypted
Payload.
All such messages carry the IV that is necessary to construct the
sequence of counter blocks used to generate the key stream necessary
to decrypt the payload. The AES counter block cipher block is 128
bits.
Figure 1 shows the format of the counter block.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initialization Vector (IV) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Block Counter |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: Counter Block Format
The components of the counter block are as follows:
Nonce
The Nonce field is 4 octets. An unpredictably fresh nonce value
MUST be assigned to each security association immediately after it
is established. Section 5.1 explains how IKEv2 is used to
generate the nonce by the two parties individually.
Initialization Vector (IV)
The IV field is 64 bits. The IV MUST be chosen by the encryptor
in a manner that ensures that the same IV value is used only once
for a given encryption key. The encryptor includes the IV in the
IKEv2 message containing encrypted payloads.
Block Counter
The block counter field is the least significant 32 bits of the
counter block. The block counter begins with the value of one,
Shen, et al. Expires January 28, 2010 [Page 6]
Internet-Draft AES-CTR for IKEv2 July 2009
and it is incremented to generate subsequent portions of the key
stream. The block counter is a 32-bit big-endian integer value.
Section 2 provides references to other documents for implementing
AES_CTR encryption/decryption process.
Shen, et al. Expires January 28, 2010 [Page 7]
Internet-Draft AES-CTR for IKEv2 July 2009
5. IKEv2 Conventions
This section describes the conventions used by IKEv2 protocol to
generate encryption keys and nonces for use with AES-CTR algorithm in
IKE-SA negotiation. The identifiers and attributes related to AES-
CTR required during IKE-SA and Child-SA negotiation are also defined.
5.1. Keying Material and Nonces
IKEv2 can be used to establish fresh keys and nonces, as the same
combination of IV and encryption key values MUST not be reused when
AES_CTR algorithm is used for encryption. This section describes the
conventions for generating an unpredictable and secret Nonce and an
encryption key of required lengths using IKEv2.
IKEv2 negotiates four cryptographic algorithms with its peer using
IKE_SA_INIT exchange. They include an encryption algorithm and a
pseudo-random function(PRF). All the payloads of IKEv2 messages that
follow the IKE_SA_INIT exchange are encrypted using the negotiated
encryption algorithm. The pseudo-random function(PRF)is used to
generate the keying material required for the encryption algorithm.
AES_CTR encryption algorithm needs an encryption key and a nonce.
The two directions of traffic flow use different encryption keys and
nonces. Section 2.14 of [RFC4306] details the process of generating
the keying material. SK_ei and SK_er represent the key material to
be used for encryption purposes in the two directions.
The size of the key material (SK_ei and SK_er) to be generated for
AES_CTR algorithm for different key lengths is as follows:
AES_CTR with a 128 bit key
The key material required is 20 octets. The first 16 octets are
the 128-bit AES key, and the remaining four octets are used as the
nonce value in the counter block.
AES_CTR with a 192 bit key
The key material required is 28 octets. The first 24 octets are
the 192-bit AES key, and the remaining four octets are used as the
nonce value in the counter block.
AES_CTR with a 256 bit key
The key material required is 36 octets. The first 32 octets are
the 256-bit AES key, and the remaining four octets are used as the
nonce value in the counter block.
Shen, et al. Expires January 28, 2010 [Page 8]
Internet-Draft AES-CTR for IKEv2 July 2009
5.2. Encryption identifier
IKEv2 uses the IANA allocated encryption identifier of 13 for
ENCR_AES_CTR with an explicit IV (ENCR_AES_CTR 13) as the transform
ID during IKE-SA and Child-SA negotiation.
5.3. Key Length Attribute
Since the AES_CTR algorithm supports three key lengths, the Key
Length attribute MUST be specified in both the IKE-SA and Child-SA
negotiations. The Key Length attribute MUST have a value of 128,
192, or 256.
Shen, et al. Expires January 28, 2010 [Page 9]
Internet-Draft AES-CTR for IKEv2 July 2009
6. Security Considerations
Security considerations explained in section 7 of [RFC3686] are
entirely relevant for this draft also.
AES_CTR provides high confidentiality when used properly. However,
as a stream mode cipher, the security of will lose when AES-CTR is
misused.
Generally, a stream cipher should not use static keys. This is
because key streams will be easily canceled when two ciphertext use
the same key stream (check detailed description of this attack in
[RFC3686]). Therefore, IKEv2 should avoid an identical key being
used for different IKE SA or a same key stream being used on
different blocks of plaintext. Proper use of Nonce and counter as
defined in Section 4 can successfully avoid the risk.
A stream cipher like AES_CTR is also vulnerable under data forgery
attack (check [RFC3686] for a demonstration of this attack).
However, when integrity protection is provided as Section 3.2
requires, this risk is avoided.
Additionally, since AES has a 128-bit block size, regardless of the
mode employed, the ciphertext generated by AES encryption becomes
distinguishable from random values after 2^64 blocks are encrypted
with a single key. Since IKEv2 are not likely to carry traffics in
such a high quantity, this won't be a big concern here. However,
when large amount of traffic appear in the future or under abnormal
circumstances, implementations SHOULD generate a fresh key before
2^64 blocks are encrypted with the same key.
For generic attacks on AES, such as brute force or precalculations,
the requirement of key size provides reasonable security
[Recommendations].
Shen, et al. Expires January 28, 2010 [Page 10]
Internet-Draft AES-CTR for IKEv2 July 2009
7. IANA Considerations
IANA has assigned 13 as the transform ID for ENCR_AES_CTR encryption
with an explicit IV. This ID is to be used during IKE_SA
negotiation.
Shen, et al. Expires January 28, 2010 [Page 11]
Internet-Draft AES-CTR for IKEv2 July 2009
8. Acknowledgments
The authors thank Yaron Sheffer, Paul Hoffman for their direction and
comments on this document.
Shen, et al. Expires January 28, 2010 [Page 12]
Internet-Draft AES-CTR for IKEv2 July 2009
9. References
9.1. Normative References
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
RFC 4306, December 2005.
[RFC4307] Schiller, J., "Cryptographic Algorithms for Use in the
Internet Key Exchange Version 2 (IKEv2)", RFC 4307,
December 2005.
[AES] National Institute of Standards and Technology, "Advanced
Encryption Standard (AES)", FIPS PUB 197, November 2001, <
http://csrc.nist.gov/publications/fips/fips197/
fips-197.pdf>.
[MODES] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation Methods and Techniques", NIST Special
Publication 800-38A, December 2001, <http://csrc.nist.gov/
publications/nistpubs/800-38a/sp800-38a.pdf>.
9.2. Informative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within
ESP and AH", RFC 2404, November 1998.
[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, November 1998.
[RFC3686] Housley, R., "Using Advanced Encryption Standard (AES)
Counter Mode With IPsec Encapsulating Security Payload
(ESP)", RFC 3686, January 2004.
[draft-ietf-ipsecme-roadmap-02]
Sheila, S. and S. Suresh, "IP Security (IPsec) and
Internet Key Exchange (IKE) Document Roadmap",
draft-ietf-ipsecme-roadmap-02 (work in progress),
July 2009.
[Recommendations]
Barker, E., Barker, W., Burr, W., Polk, W., and M. Smid,
"Recommendation for Key Management - Part1 -
General(Revised)", NIST Special Publication 800-57,
March 2007, <http://csrc.nist.gov/publications/nistpubs/
800-57/SP800-57-Part1.pdf>.
Shen, et al. Expires January 28, 2010 [Page 13]
Internet-Draft AES-CTR for IKEv2 July 2009
Authors' Addresses
Sean Shen
Huawei
No. 9 Xinxi Road
Beijing 100085
China
Email: sshen@huawei.com
Yu Mao
H3C Tech. Co., Ltd
Oriental Electronic Bld.
No.2 Chuangye Road
Shang-Di Information Industry
Hai-Dian District
Beijing 100085
China
Email: maoyu@h3c.com
N S Srinivasa Murthy
UMA PLAZA, NAGARJUNA CIRCLE, PUNJAGUTTA
HYDERABAD 500082
INDIA
Email: ssmurthy.nittala@freescale.com
Shen, et al. Expires January 28, 2010 [Page 14]