Internet Engineering Task Force Mark Baugher(Cisco) INTERNET-DRAFT Thomas Hardjono (Verisign) Document: draft-ietf-msec-gdoi-03.txt Hugh Harney (Sparta) Expires: July, 2002 Brian Weis (Cisco) January 16, 2002 The Group Domain of Interpretation <draft-ietf-msec-gdoi-03.txt> Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document presents an ISAMKP Domain of Interpretation (DOI) for group key management to support secure group communications. The "GDOI" incorporates the definition of a Phase 1 SA of the Internet DOI, and proposes new payloads and exchanges according to the ISAKMP standard. The GDOI manages group security associations, which are used by IPSEC and potentially other data security protocols running at the IP or application layers. These security associations protect one or more key-encrypting keys, traffic-encrypting keys, or data shared by group members. Comments on this document should be sent to msec@securemulticast.org. Baugher, et. al. Standards Track - Expires July, 2002 1 The GDOI Domain of Interpretation January, 2002 Table of Contents 1.0 Introduction......................................................3 1.1 GDOI Applications...............................................4 1.2 Extending GDOI..................................................5 2.0 ISAKMP Phase 1 protocol...........................................5 2.1 DOI value.....................................................5 2. 2 UDP port.....................................................5 3.0 GROUPKEY-PULL Exchange............................................5 3.1 Authorization...................................................5 3.2 Messages........................................................5 3.2.1 Perfect Forward Secrecy.....................................7 3.2.2 ISAKMP Header Initialization................................8 3.3 Initiator Operations............................................8 3.4 Receiver Operations.............................................9 4.0 GROUPKEY-PUSH Message.............................................9 4.1 Perfect Forward Secrecy (PFS)..................................10 4.2 Forward and Backward Access Control............................10 4.3 Delegation of Key Management...................................10 4.4 Use of signature keys..........................................10 4.5 ISAKMP Header Initialization...................................11 4.6 Deletion of SAs................................................11 4.7 Initiator Operations...........................................11 4.8 Receiver Operations............................................12 5.0 Payloads and Defined Values......................................12 5.1 Identification Payload.........................................13 5.1.1 Identification Type Values.................................13 5.2 Security Association Payload...................................14 5.2.1 Payloads following the SA payload..........................14 5.3 SA KEK payload.................................................15 5.3.1 KEK Attributes.............................................17 5.3.2 KEK_MANAGEMENT_ALGORITHM...................................17 5.3.3 KEK_ALGORITHM..............................................17 5.3.4 KEK_KEY_LENGTH.............................................18 5.3.5 KEK_KEY_LIFETIME...........................................18 5.3.6 SIG_HASH_ALGORITHM.........................................18 5.3.7 SIG_ALGORITHM..............................................19 5.3.8 SIG_KEY_LENGTH.............................................19 5.3.9 KE_OAKLEY_GROUP............................................19 5.4 SA TEK Payload.................................................19 5.4.1 PROTO_IPSEC_ESP............................................20 5.4.2 Other Security Protocols...................................22 5.5 Key Download Payload...........................................22 5.5.1 TEK Download Type..........................................23 5.5.2 KEK Download Type..........................................24 5.5.3 LKH Download Type..........................................25 5.6 Sequence Number Payload........................................27 Baugher, et. al. Standards Track - Expires July, 2002 2 The GDOI Domain of Interpretation January, 2002 5.7 Proof of Possession............................................27 5.8 Nonce..........................................................28 7.0 Security Considerations..........................................28 8.0 IANA Considerations..............................................28 8.1 ISAKMP DOI.....................................................28 8.2 Payload Types..................................................28 8.3 New Namespaces.................................................29 8.3 UDP Port.......................................................29 9.0 Acknowledgements.................................................29 10.0 References......................................................29 Authors Addresses....................................................30 1.0 Introduction This document presents an ISAMKP Domain of Interpretation (DOI) for group key management called the ?Group Domain of Interpretation? (GDOI). In this group key management model, the GDOI protocol is run between a group member and a ?group controller/key server? (GCKS), which establishes security associations [Section 4.6.2 RFC2401] among authorized group members. ISAKMP defines two "phases" of negotiation [p.16 RFC2408]. The GDOI incorporates the Phase 1 security association (SA) definition from the Internet DOI [RFC2407, RFC2409]. The Phase 2 exchange is defined in this document, and proposes new payloads and exchanges according to the ISAKMP standard [p. 14 RFC2408]. There are six new payloads: 1) GDOI SA 2) SA KEK (SAK) which follows the SA payload 3) SA TEK (SAT) which follows the SA payload 4) Key Download Array (KD) 5) Sequence number (SEQ) 6) Proof of Possession (POP) There are two new exchanges. 1) A Phase 2 exchange creates Re-key and Data-Security Protocol SAs. The new Phase 2 exchange, called "GROUPKEY-PULL," downloads keys for a group?s ?Re-key? SA and/or ?Data-security? SA. The Re-key SA includes a key encrypting key, or KEK, common to the group; a Data- security SA includes a data encryption key, or TEK, used by a data- security protocol to encrypt or decrypt data traffic [Section 2.1 RFC2407]. The SA for the KEK or TEK includes authentication keys, encryption keys, cryptographic policy, and attributes. The GROUPKEY- PULL exchange uses "pull" behavior since the member initiates the retrieval of these SAs from a GCKS. 2) A datagram subsequently establishes additional Rekey and/or Data- Security Protocol SAs. Baugher, et. al. Standards Track - Expires July, 2002 3 The GDOI Domain of Interpretation January, 2002 The GROUPKEY-PUSH datagram is "pushed" from the GCKS to the members to create or update a Re-key or Data-security SA. A Re-key SA protects GROUPKEY-PUSH messages. Thus, a GROUPKEY-PULL is necessary to establish at least one Re-key SA in order to protect subsequent GROUPKEY-PUSH messages. The GDOI sender encrypts the GROUPKEY-PUSH message using the KEK Re-key SA. GDOI accommodates the use of arrays of KEKs for group key management algorithms using the Logical Key Hierarchy (LKH) algorithm to efficiently add and remove group members [RFC2627]. Although the GROUPKEY-PUSH specified by this document can be used to refresh a Re-key SA, the most common use of GROUPKEY-PUSH is to establish a Data-security SA for a data security protocol. GDOI can accommodate future extensions to support a variety of data security protocols. This document only specifies data-security SAs for one security protocol, IPsec ESP. A separate RFC will specify support for other data security protocols such as a future secure Real-time Transport Protocol. A security protocol uses the TEK and "owns" the data-security SA in the same way that IPsec ESP uses the IKE Phase 2 keys and owns the Phase 2 SA; for GDOI, IPsec ESP uses the TEK. GDOI uses the Phase 1 exchanges defined in [RFC2409] and definitions and an ISAKMP-compliant header from [RFC2408]. "GDOI" is the declared domain of interpretation in the header used in the Phase 1 and subsequent GDOI Phase 2 (GROUPKEY-PULL) exchanges. Thus, GDOI is a group security association management protocol: All GDOI messages are used to create, maintain, or delete security associations for a group. As described above, these security associations protect one or more key-encrypting keys, traffic- encrypting keys, or data shared by group members for multicast and groups-security applications. The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this document, are to be interpreted as described in RFC 2119 [RFC2119]. 1.1 GDOI Applications Secure multicast applications include video broadcast and multicast file transfer. In a business environment, many of these applications require network security and may use IPsec ESP to secure their data traffic. Section 5.4.1 specifies how GDOI carries the needed SA parameters for ESP. In this way, GDOI supports multicast ESP with group authentication of ESP packets using the shared, group key (authentication of unique sources of ESP packets is not possible). GDOI can also secure group applications that do not use multicast transport such as video-on-demand. For example, the GROUPKEY-PUSH message may establish a pair-wise IPsec ESP SA for a member of a subscription group without the need for key management exchanges and costly asymmetric cryptography. Baugher, et. al. Standards Track - Expires July, 2002 4 The GDOI Domain of Interpretation January, 2002 1.2 Extending GDOI Not all secure multicast or multimedia applications can use IPsec ESP. Many Real Time Transport Protocol applications, for example, require security above the IP layer to preserve RTP header compression efficiencies and transport-independence [RFC1889]. A future RTP security protocol may benefit from using GDOI to establish group SAs for multicast and unicast security services. In order to add a new data security protocol, a new RFC MUST specify the data- security SA parameters conveyed by GDOI for that security protocol; these parameters are listed in section 5.4.2 of this document. 2.0 ISAKMP Phase 1 protocol The GDOI uses ISAKMP phase 1 exchanges as defined in [RFC2409]. The following sections define characteristics which are unique for these exchanges when used for GDOI. 2.1 DOI value The Phase 1 SA payload has a DOI value. That value MUST be the GDOI DOI value as defined later in this document. 2. 2 UDP port. GDOI MUST NOT run on port 500 (the port commonly used for IKE). A new port number MUST be defined by IANA for GDOI. 3.0 GROUPKEY-PULL Exchange The goal of the GROUPKEY-PULL exchange is to establish a Re-key and/or Data-security SAs at the member for a particular group. A Phase 1 SA (as defined in [RFC2407]) protects the GROUPKEY-PULL; there may be multiple GROUPKEY-PULL exchanges for a given Phase 1 SA. The GROUPKEY-PULL exchange downloads the group key encrypting key (KEK) or KEK array under the protection of the Phase 1 SA. 3.1 Authorization There are two alternative means for authorizing the GROUPKEY-PULL message. First, the Phase 1 identity can be used to authorize the Phase 2 (GROUPKEY-PULL) request for a group key. Second, a new identity can be passed in the GROUPKEY-PULL request. The new identity could be specific to the group and use a certificate that is signed by the group owner to identify the holder as an authorized group member. The Proof-of-Possession payload validates that the holder possesses the secret key associated with the Phase 2 identity. 3.2 Messages The GROUPKEY-PULL is an Phase 2 exchange. Phase 1 computes SKEYID_a from the DH keying material exchanged in Phase 1. SKEYID_a is the Baugher, et. al. Standards Track - Expires July, 2002 5 The GDOI Domain of Interpretation January, 2002 "key" in the keyed hash used in the GROUPKEY-PULL HASH payloads. As with the IKE HASH payload generation [RFC 2409 section 5.5], each GROUPKEY-PULL message hashes a uniquely defined set of values. Nonces permute the HASH and provide some protection against replay attacks. Replay protection is important to protect the GCKS from attacks that a key management server will attract. The GROUPKEY-PULL uses nonces to guarantee "liveliness", or against replay of a recent GROUPKEY-PULL message. The replay attack is only useful in the context of the current Phase 1. If a GROUPKEY-PULL message is replayed based on a previous Phase 1, the HASH calculation will fail due to a wrong SKEYID_a. The message will fail processing before the nonce is ever evaluated. In order for either peer to get the benefit of the replay protection it must postpone as much processing as possible until it receives the message in the protocol that proves the peer is live. For example, the Responder MUST NOT compute the shared Diffie-Hellman number (if KE payloads were included) or install the new SAs until it receives a message with Nr included properly in the HASH payload. Nonces require an additional message in the protocol exchange to ensure that the GCKS does not add a group member until it proves liveliness. The GROUPKEY-PULL member-initiator expects to find its nonce, Ni, in the HASH of a returned message. And the GROUPKEY-PULL GKCS responder expects to see its nonce, Nr, in the HASH of a returned message before providing group-keying material as in the following exchange. Initiator (Member) Responder (GCKS) ------------------ ---------------- HDR*, HASH(1), Ni, ID --> <-- HDR*, HASH(2), Nr, SA HDR*, HASH(3) [,KE_I] --> [,CERT] [,POP_I] <-- HDR*, HASH(4),[KE_R,][SEQ,] KD [,CERT] [,POP_R] Hashes are computed as follows: HASH(1) = prf(SKEYID_a, M-ID | Ni | ID) HASH(2) = prf(SKEYID_a, M-ID | Ni_b | Nr | SA) HASH(3) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | KE_I ][ | POP_I ]) HASH(4) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | KE_R ] [ | SEQ | ] KD [ | POP_R]) POP payload is constructed as described in Section 5.7. * Protected by the Phase 1 SA, encryption occurs after HDR HDR is an ISAKMP header payload that uses the Phase 1 cookies and a message identifier (M-ID) as in IKE [RFC2409]. Note that nonces are included in the first two exchanges, with the GCKS returning only the SA policy payload before liveliness is proven. The HASH payloads [RFC2409] prove that the peer has the Phase 1 secret (SKEYID_a) and the nonce for the exchange identified by message id, M-ID. Once Baugher, et. al. Standards Track - Expires July, 2002 6 The GDOI Domain of Interpretation January, 2002 liveliness is established, the last message completes the real processing of downloading the KD payload. In addition to the Nonce and HASH payloads, the member-initiator identifies the group it wishes to join through the ISAKMP ID payload. The GCKS responder informs the member of the current value of the sequence number in the SEQ payload; the sequence number orders the GROUPKEY-PUSH datagrams (section 4); the member MUST check to see that the sequence number is greater than in the previous SEQ payload the member holds for the group (if it holds any) before installing any new SAs . The SEQ payload MUST be present if the SA payload contains an SA KEK attribute. The GCKS responder informs the member of the cryptographic policies of the group in the SA payload, which describes the DOI, KEK and/or TEK keying material, and authentication transforms. The SPIs are also determined by the GCKS and downloaded in the SA payload chain (see section 5.2). The SA KEK attribute contains the ISAKMP cookie pair for the Re-key SA, which is not negotiated but downloaded. The SA TEK attribute contains an SPI as defined in section 5.4 of this document. The second message downloads this SA payload. If a Re-key SA is defined in the SA payload, then KD will contain the KEK; if one or more Data-security SAs are defined in the SA payload, KD will contain the TEKs. This is useful if there is an initial set of TEKs for the particular group and can obviate the need for future TEK GROUPKEY-PUSH messages (described in section 4). As described above, the member may establish an identity in the GROUPKEY-PULL exchange in an optional CERT payload that is separate from the Phase 1 identity. When the member passes a new CERT, a proof of possession (POP) payload accompanies it. The POP payload demonstrates that the member or GCKS has used the very secret that authenticates it. POP_I is an ISAKMP SIG payload containing a hash including the nonces Ni and Nr signed by the member, when the member passes a CERT, signed by the Group Owner to prove its authorization. POP_R contains the hash including the concatenated nonces Ni and Nr signed by the GCKS, when the GCKS passes a CERT, signed by the group owner, to prove its authority to provide keys for a particular group. The use of the nonce pair for the POP payload, transformed through a pseudo-random function (prf) and encrypted, is designed to withstand compromise of the Phase 1 key. 3.2.1 Perfect Forward Secrecy If PFS is desired and the optional KE payload is used in the exchange, then both sides compute a DH secret and use it to protect the new keying material contained in KD. The GCKS responder will xor the DH secret with the KD payload and send it to the member Initiator, which recovers the KD by repeating this operation as in the Oakley IEXTKEY procedure [RFC2412]. 3.2.2 ISAKMP Header Initialization Baugher, et. al. Standards Track - Expires July, 2002 7 The GDOI Domain of Interpretation January, 2002 Cookies are used in the ISAKMP header as a weak form of denial of service protection. The GDOI GROUPKEY-PULL exchange uses cookies according to ISAKMP [RFC2408]. Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0). Major Version is 1 and Minor Version is 0 according to ISAKMP [RFC2408, Section 3.1]. The Exchange Type has value 240 for the GDOI GROUPKEY-PULL exchange. Flags, Message ID, and Length are according to ISAKMP [RFC2408, Section 3.1] 3.3 Initiator Operations Before a group member (GDOI initiator) contacts the GCKS, it must determine the group identifier and acceptable Phase 1 policy via an out-of-band method such as SDP. Phase 1 is initiated using the GDOI DOI in the SA payload. Once Phase 1 is complete the initiator state machine moves to the GDOI protocol. To construct the first GDOI message the initiator chooses Ni and creates a nonce payload, builds an identity payload including the group identifier, and generates HASH(1). Upon receipt of the second GDOI message, the initiator validates HASH(2), extracts the nonce Nr, and interprets the SA payload. If the policy in the SA payload is acceptable (e.g., the security protocol and cryptographic protocols can be supported by the initiator), the initiator continues the protocol. If the group policy uses certificates for authorization, the initiator generates a hash including Ni and Nr and signs it. This becomes the contents of the POP payload. If necessary, a CERT payload is constructed which holds the public key corresponding to the private key used to sign the POP payload. The initiator constructs the third GDOI message by including the CERT and POP payloads (if needed) and creating HASH(3). Upon receipt of the fourth GDOI messages, the initiator validates HASH(4). If the responder sent CERT and POP_R payloads, the POP signature is validated. If a SEQ payload is present, the sequence number in the SEQ payload must be checked against any previously received sequence number for this group. If it is less than the previously received number, it should be considered stale and ignored. This could happen if two GROUPKEY-PULL messages happened in parallel, and the sequence number changed between the times the results of two GROUPKEY-PULL messages were returned from the GCKS. Baugher, et. al. Standards Track - Expires July, 2002 8 The GDOI Domain of Interpretation January, 2002 The initiator interprets the KD key packets, matching the SPIs in the key packets to SPIs previously sent in the SA payloads identifying particular policy. For TEKs, once the keys and policy are matched, the initiator is ready to send or receive packets matching the TEK policy. (If policy and keys had been previously received for this TEK policy, the initiator may decide instead to ignore this TEK policy in case it is stale.) If this group has a KEK, the KEK policy and keys are marked as ready for use. 3.4 Receiver Operations The GCKS (responder) passively listens for incoming requests from group members. The Phase 1 authenticates the group member and sets up the secure session with them. Upon receipt of the first GDOI message the GCKS validates HASH(1), extracts the Nr and group identifier in the ID payload. It verifies that its database contains the group information for the group identifier. The GCKS constructs the second GDOI message, including a nonce Nr, and the policy for the group in an SA payload, followed by SA TEK payloads for traffic SAs, and SA KEK policy (if the group controller will be sending Re-key messages to the group). Upon receipt of the third GDOI message the GCKS validates HASH(3). If the initiator sent CERT and POP_I payloads, the POP signature is validated. The GCKS constructs the fourth GDOI message, including the SEQ payload (if the GCKS sends rekey messages), the KD payload containing keys corresponding to policy previously sent in the SA TEK and SA KEK payloads, and the CERT and POP payloads (if needed). 4.0 GROUPKEY-PUSH Message GDOI sends control information securely using group communications. Typically this will be using IP multicast distribution of a GROUPKEY- PUSH message but it can also be "pushed" using unicast delivery if IP multicast is not possible. The GROUPKEY-PUSH message replaces a Re- key SA KEK or KEK array, and/or creates a new Data-security SA (see section 1.3). Member GCKS or Delegate ------ ---------------- <---- HDR*, SEQ, SA, KD, [CERT,] SIG * Protected by the Re-key SA KEK; encryption occurs after HDR Baugher, et. al. Standards Track - Expires July, 2002 9 The GDOI Domain of Interpretation January, 2002 HDR is defined below. The SEQ payload is defined in the Payloads section. The SA defines the policy (e.g. protection suite) and attributes (e.g. SPI) for a Re-key and/or Data-security SAs. The GCKS or delegate optionally provides a CERT payload for verification of the SIG. KD is the key download payload as described in the Payloads section. The SIG payload is a signature of a hash of the entire message before encryption (including the header and excluding the SIG payload itself), prefixed with the string "rekey". The prefixed string ensures that the signature of the Rekey datagram cannot be used for any other purpose in the GDOI protocol. If the SA defines an LKH-style KEK array or single KEK, KD contains a KEK or KEK array for a new Re-key SA, which has a new cookie pair. When the KD payload carries a new SA KEK attribute (section 5.3), a Re-key SA is replaced with a new SA having the same group identifier (ID specified in message 1 of section 3.1) and incrementing the same sequence counter, which is initialized in message 4 of section 3.1. If the SA defines an SA TEK payload, this informs the member that a new Data-security SA has been created, with keying material carried in KD (Section 5.5). 4.1 Perfect Forward Secrecy (PFS) The GROUPKEY-PUSH message is protected by the group KEK though in all cases, the GROUPKEY-PUSH message carries new key downloads, among other information. A freshly generated secret must protect the key download for the GROUPKEY-PUSH message to have PFS. This issue is for further study. 4.2 Forward and Backward Access Control Through GROUPKEY-PUSH, the GDOI supports algorithms such as LKH that have the property of denying access to a new group key by a member removed from the group (forward access control) and to an old group key by a member added to the group (backward access control). An unrelated notion to PFS, "forward access control" and "backward access control" have been called "perfect forward security" and "perfect backward security" in the literature [RFC2627]. 4.3 Delegation of Key Management GDOI supports delegation of GROUPKEY-PUSH datagrams through the delegation capabilities of the PKI. However, GDOI does not explicitly specify how the GCKS identifies delegates, but leaves this to the PKI that is used by a particular GDOI implementation. 4.4 Use of signature keys The GCKS SHOULD NOT use the same key to sign the SIG payload in the GROUPKEY-PUSH message as was used for authorization in the GROUPKEY- PULL POP payload. If the same key must be used, a different hash Baugher, et. al. Standards Track - Expires July, 2002 10 The GDOI Domain of Interpretation January, 2002 function SHOULD be used as a base for the POP payload than is used as a base for the SIG payload. 4.5 ISAKMP Header Initialization Unlike ISAKMP or IKE, the cookie pair is completely determined by the GCKS. The cookie pair in the GDOI ISAKMP header identifies the Re-key SA to differentiate the secure groups managed by a GCKS. Thus, GDOI uses the cookie fields as an SPI Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0). Major Version is 1 and Minor Version is 0 according to ISAKMP [RFC2408, Section 3.1]. The Exchange Type has value 241 for the GDOI GROUPKEY-PUSH message. Flags, Message ID, and Length are according to ISAKMP [RFC2408, Section 3.1] 4.6 Deletion of SAs There are times the GCKS may want to signal to receivers to delete SAs, for example at the end of a broadcast. Deletion of keys may be accomplished by sending an ISAKMP Delete payload as part of a GDOI GROUPKEY-PUSH message. 4.7 Initiator Operations An initiator (GCKS or delegate) may initate a Rekey message for one of several reasons, e.g. the group membership has changed or keys are due to expire. To begin the rekey datagram the GCKS builds an ISAKMP HDR with the correct cookie pair, and a SEQ payload that includes a sequence number which is one greater than the previous rekey datagram. An SA payload is then added. This is identical in structure and meaning to a SA payload sent in a GROUPKEY-PULL exchange. If there are changes to the KEK (in the case of a static KEK) or in group membership (in the case of LKH) an SA_KEK attribute is added to the SA. If there are one or more new TEKs then SA_TEK attributes are added to describe that policy. A KD payload is then added. This is identical in structure and meaning to a KD payload sent in a GROUPKEY-PULL exchange. If an SA_KEK attribute was included in the SA payload then corresponding KEK keys (or a KEK array) is included. TEK keys are sent for each SA_TEK attribute included in the SA payload. The payloads following the HDR are then encrypted using the current KEK encryption key. Baugher, et. al. Standards Track - Expires July, 2002 11 The GDOI Domain of Interpretation January, 2002 A CERT payload is added if the initiator needs to provide its certificate. Finally, the initiator hashes the string "rekey" followed by the key management message already formed. The hash is signed, placed in a SIG payload and added to the datagram. The datagram can now be sent. 4.8 Receiver Operations A group member receiving the GROUPKEY-PUSH datagram matches the cookie pair in the ISAKMP HDR to an existing SA. The message is decrypted, and the form of the datagram is validated. This weeds out obvious ill-formed messages (which may be sent as part of a Denial of Service attack on the group). The signature of the decrypted message is then validated, possibly using the CERT payload if it is included. The sequence number in the SEQ payload is validated to ensure that it is greater than the previously received sequence number, and that it fits within a window of acceptable values. The SA and KD payloads are processed which results in a new GDOI Rekey SA (if the SA payload included an SA_KEK attribute) and/or new IPsec SAs being added to the system. 5.0 Payloads and Defined Values This document specifies use of several ISAKMP payloads, which are defined in accordance with RFC2408. The following payloads are extended or further specified. Next Payload Type Value ----------------- ----- Security Association (SA) 1 Identification (ID) 5 Nonce (N) 10 Several new payload formats are required in the group security exchanges. The Payload types for the new headers are defined in the ISAKMP "Private USE" range. Next Payload Type Value ----------------- ----- RESERVED 128 - 129 SA KEK Payload (SAK) 130 SA TEK Payload (SAT) 131 Key Download (KD) 132 Sequence Number (SEQ) 133 Proof of Possession (POP) 134 RESERVED 135 - 200 GDOI Private Use 201 - 255 Baugher, et. al. Standards Track - Expires July, 2002 12 The GDOI Domain of Interpretation January, 2002 5.1 Identification Payload The Identification Payload is used to identify a group identity that will later be associated with Security Associations for the group. A group identity may map to a specific IP multicast group, or may specify a more general identifier, such as one that represents a set of related multicast streams. The Identification Payload is defined as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! ID Type ! RESERVE2 ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Identification Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The Identification Payload fields are defined as follows: o Next Payload (1 octet) - Identifier for the payload type of the next payload in the message. If the current payload is the last in the message, this field will be zero (0). o RESERVED (1 octet) - Unused, must be zero (0). o Payload Length (2 octets) - Length, in octets, of the identification data, including the generic header. o Identification Type (1 octet) - Value describing the identity information found in the Identification Data field. o RESERVED2 (2 octets) - Unused, must be zero (0). O Identification Data (variable length) - Value, as indicated by the Identification Type. 5.1.1 Identification Type Values The following table lists the assigned values for the Identification Type field found in the Identification Payload. ID Type Value ------- ----- RESERVED 0 - 10 ID_KEY_ID 11 RESERVED 12 - 127 Private Use 128 - 255 Baugher, et. al. Standards Track - Expires July, 2002 13 The GDOI Domain of Interpretation January, 2002 5.1.1.1 ID_KEY_ID In the context of a GDOI ID payload, ID_KEY_ID specifies a four (4)- octet group identifier. 5.2 Security Association Payload The Security Association payload is defined in RFC 2408. For the GDOI, it is used by the GCKS to assert security attributes for both Re-key and Data-security SAs 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! DOI ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! SA Attribute Next Payload ! RESERVED2 ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The Security Association Payload fields are defined as follows: o Next Payload (1 octet) - Identifies the next payload for the GROUPKEY-PULL or the GROUPKEY-PUSH message as defined above. The next payload MUST NOT be a SAK Payload or SAT Payload type, but the next non-Security Association type payload. o RESERVED (1 octet) - Must be zero. o Payload Length (2 octets) is the octet length of the current payload including the generic header and all TEK and KEK payloads. o DOI (4 octets) - Is the GDOI, which is value 196 pending assignment by the IANA. o SA Attribute Next Payload (1 octet) - Must be either a SAK Payload or a SAT Payload. See section 5.3.2 for a description of which circumstances are required for each payload type to be present. o RESERVED (2 octets) - Must be zero. 5.2.1 Payloads following the SA payload Payloads that define specific security association attributes for the KEK and/or TEKs used by the group MUST follow the SA payload. How many of each payload is dependant upon the group policy. There may be zero or one SAK Payloads, and zero or more SAT Payloads, where either one SAK or SAT payload MUST be present. This latitude allows for various group policies to be accommodated. For example if the group policy does not require the use of a Re-key SA, the GCKS would not need to send an SA KEK attribute to the group member since all SA updates would be performed using the Registration Baugher, et. al. Standards Track - Expires July, 2002 14 The GDOI Domain of Interpretation January, 2002 SA. Alternatively, group policy might use a Re-key SA but choose to download a KEK to the group member only as part of the Registration SA. Therefore, the KEK policy (in the SA KEK attribute) would not be necessary as part of the Re-key SA message SA payload. Specifying multiple SATs allows multiple sessions to be part of the same group and multiple streams to be associated with a session (e.g., video, audio, and text) but each with individual security association policy. 5.3 SA KEK payload The SA KEK (SAK) payload contains security attributes for the KEK method for a group and parameters specific to the GROUPKEY-PULL operation. The source and destination identities describe the identities used for the GROUPKEY-PULL datagram. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Protocol ! SRC ID Type ! SRC ID Port ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! !SRC ID Data Len! SRC Identification Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! DST ID Type ! DST ID Port !DST ID Data Len! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! DST Identification Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! ! ~ SPI ~ ! ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! POP Algorithm ! POP Key Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ~ KEK Attributes ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The SAK Payload fields are defined as follows: o Next Payload (1 octet) - Identifies the next payload for the GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid next payload types for this message are a SAT Payload or zero to indicate there is no SA TEK payload. o RESERVED (1 octet) - Must be zero. o Payload Length (2 octets) - Length of this payload, including the KEK attributes. o Protocol (1 octet) - Value describing an IP protocol ID (e.g., UDP/TCP) for the rekey datagram. Baugher, et. al. Standards Track - Expires July, 2002 15 The GDOI Domain of Interpretation January, 2002 o SRC ID Type (1 octet) - Value describing the identity information found in the SRC Identification Data field. Defined values are specified by the IPSEC Identification Type section in the IANA isakmpd-registry [ISAKMP-REG]. o SRC ID Port (2 octets) - Value specifying a port associated with the source Id. A value of zero means that the SRC ID Port field should be ignored. o SRC ID Data Len (1 octet) - Value specifying the length of the SRC Identification Data field. o SRC Identification Data (variable length) - Value, as indicated by the SRC ID Type. o DST ID Type (1 octet) - Value describing the identity information found in the DST Identification Data field. Defined values are specified by the IPSEC Identification Type section in the IANA isakmpd-registry [ISAKMP-REG]. o DST ID Prot (1 octet) - Value describing an IP protocol ID (e.g., UDP/TCP). o DST ID Port (2 octets) - Value specifying a port associated with the source Id. o DST ID Data Len (1 octet) - Value specifying the length of the DST Identification Data field. o DST Identification Data (variable length) - Value, as indicated by the DST ID Type. o SPI (16 octets) - Security Parameter Index for the KEK. The SPI must be the ISAKMP Header cookie pair where the first 8 octets become the "Initiator Cookie" field of the GROUPKEY-PUSH message ISAKMP HDR, and the second 8 octets become the "Responder Cookie" in the same HDR. As described above, these cookies are assigned by the GCKS. o POP Algorithm (2 octets) - The POP payload algorithm. Defined values are specified in the following table. If no POP algorithm is defined by the KEK policy this field must be zero. Algorithm Type Value -------------- ----- RESERVED 0 POP_ALG_RSA 1 POP_ALG_DSS 2 POP_ALG_ECDSS 3 RESERVED 4-127 Private Use 128-255 Baugher, et. al. Standards Track - Expires July, 2002 16 The GDOI Domain of Interpretation January, 2002 o POP Key Length (2 octets) - Length of the POP payload key. If no POP algorithm is defined in the KEK policy this field must be zero. o KEK Attributes - Contains KEK policy attributes associated with the group. The following sections describe the possible attributes. Any or all attributes may be optional, depending on the group policy. 5.3.1 KEK Attributes The following attributes may be present in a SAK Payload. The attributes must follow the format defined in ISAKMP [RFC2408] section 3.3. In the table, attributes that are defined as TV are marked as Basic (B); attributes that are defined as TLV are marked as Variable (V). ID Class Value Type -------- ----- ---- RESERVED 0 KEK_MANAGEMENT_ALGORITHM 1 B KEK_ALGORITHM 2 B KEK_KEY_LENGTH 3 B KEK_KEY_LIFETIME 4 V SIG_HASH_ALGORITHM 5 B SIG_ALGORITHM 6 B SIG_KEY_LENGTH 7 B KE_OAKLEY_GROUP 10 B The following attributes may only be included in a GROUPKEY-PULL message: KEK_MANAGEMENT_ALGORITHM, KE_OAKLEY_GROUP. 5.3.2 KEK_MANAGEMENT_ALGORITHM The KEK_MANAGEMENT_ALGORITHM class specifies the group KEK management algorithm used to provide forward or backward access control (i.e., used to exclude group members). Defined values are specified in the following table. KEK Management Type Value ------------------- ----- RESERVED 0 LKH 1 RESERVED 2-127 Private Use 128-255 5.3.3 KEK_ALGORITHM The KEK_ALGORITHM class specifies the encryption algorithm using with the KEK. Defined values are specified in the following table. Algorithm Type Value -------------- ----- RESERVED 0 Baugher, et. al. Standards Track - Expires July, 2002 17 The GDOI Domain of Interpretation January, 2002 KEK_ALG_DES 1 KEK_ALG_3DES 2 KEK_ALG_AES 3 RESERVED 4-127 Private Use 128-255 5.3.3.1 KEK_ALG_DES This algorithm specifies DES using the Cipher Block Chaining (CBC) mode as described in [FIPS81]. 5.3.3.2 KEK_ALG_3DES This algorithm specifies 3DES using three independent keys as described in "Keying Option 1" in [FIPS46-3]. 5.3.3.3 KEK_ALG_AES This algorithm specifies AES as described in [FIPS197]. The mode of operation for AES is Cipher Block Chaining (CBC) as recommended in [AES- MODES]. 5.3.4 KEK_KEY_LENGTH The KEK_KEY_LENGTH class specifies the KEK Algorithm key length (in bits). 5.3.5 KEK_KEY_LIFETIME The KEK_KEY_LIFETIME class specifies the maximum time for which the KEK is valid. The GCKS may refresh the KEK at any time before the end of the valid period. The value is a four (4) octet number defining a valid time period in seconds. 5.3.6 SIG_HASH_ALGORITHM SIG_HASH_ALGORITHM specifies the SIG payload hash algorithm. The following tables define the algorithms for SIG_HASH_ALGORITHM. Algorithm Type Value -------------- ----- RESERVED 0 SIG_HASH_MD5 1 SIG_HASH_SHA1 2 RESERVED 3-127 PRIVATE USE 128-255 SIG_HASH_ALGORITHM is not required if the SIG_ALGORITHM is SIG_ALG_DSS or SIG_ALG_ECDSS, which imply SIG_HASH_SHA1. Baugher, et. al. Standards Track - Expires July, 2002 18 The GDOI Domain of Interpretation January, 2002 5.3.7 SIG_ALGORITHM The SIG_ALGORITHM class specifies the SIG payload signature algorithm. Defined values are specified in the following table. Algorithm Type Value -------------- ----- RESERVED 0 SIG_ALG_RSA 1 SIG_ALG_DSS 2 SIG_ALG_ECDSS 3 RESERVED 4-127 Private Use 128-255 5.3.7.1 SIG_ALG_RSA This algorithm specifies the RSA digital signature algorithm as described in [RSA]. 5.3.7.2 SIG_ALG_DSS This algorithm specifies the DSS digital signature algorithm as described in [FIPS186-2]. 5.3.7.3 SIG_ALG_ECDSS This algorithm specifies the Eliptic Curve digital signature algorithm as described in [FIPS186-2]. 5.3.8 SIG_KEY_LENGTH The SIG_KEY_LENGTH class specifies the length of the SIG payload key. 5.3.9 KE_OAKLEY_GROUP The KE_OAKLEY_GROUP class defines the OAKLEY Group used to compute the PFS secret in the optional KE payload of the GDOI GROUPKEY-PULL exchange. This attribute uses the values assigned to Group Definitions in the IANA IPsec-registry [IPSEC-REG]. 5.4 SA TEK Payload The SA TEK (SAT) payload contains security attributes for a single TEK associated with a group. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! Baugher, et. al. Standards Track - Expires July, 2002 19 The GDOI Domain of Interpretation January, 2002 ! Protocol-ID ! TEK Protocol-Specific Payload ~ +-+-+-+-+-+-+-+-+ ~ ~ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The SAT Payload fields are defined as follows: o Next Payload (1 octet) - Identifies the next payload for the GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid next payload types for this message are another SAT Payload or zero to indicate there are no more security association attributes. o RESERVED (1 octet) - Must be zero. o Payload Length (2 octets) - Length of this payload, including the TEK Protocol-Specific Payload. o Protocol-ID (1 octet) - Value specifying the Security Protocol. The following table defines values for the Security Protocol Protocol ID Value ----------- ----- RESERVED 0 GDOI_PROTO_IPSEC_ESP 1 RESERVED 2-127 PRIVATE USE 128-255 o TEK Protocol-Specific Payload (variable) - Payload which describes the attributes specific for the Protocol-ID. 5.4.1 PROTO_IPSEC_ESP The TEK Protocol-Specific payload for ESP is as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Protocol ! SRC ID Type ! SRC ID Port ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! !SRC ID Data Len! SRC Identification Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! DST ID Type ! DST ID Port !DST ID Data Len! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! DST Identification Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Transform ID ! SPI ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! SPI ! RFC 2407 SA Attributes ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The SAT Payload fields are defined as follows: Baugher, et. al. Standards Track - Expires July, 2002 20 The GDOI Domain of Interpretation January, 2002 o Protocol (1 octet) - Value describing an IP protocol ID (e.g., UDP/TCP). A value of zero means that the SRC Id Prot field should be ignored. o SRC ID Type (1 octet) - Value describing the identity information found in the SRC Identification Data field. Defined values are specified by the IPSEC Identification Type section in the IANA isakmpd-registry [ISAKMP-REG]. o SRC ID Port (2 octets) - Value specifying a port associated with the source Id. A value of zero means that the SRC ID Port field should be ignored. o SRC ID Data Len (1 octet) - Value specifying the length of the SRC Identification Data field. o SRC Identification Data (variable length) - Value, as indicated by the SRC ID Type. Set to three bytes of zero for multiple-source multicast groups that use a common TEK for all senders. o DST ID Type (1 octet) - Value describing the identity information found in the DST Identification Data field. Defined values are specified by the IPSEC Identification Type section in the IANA isakmpd-registry [ISAKMP-REG]. o DST ID Prot (1 octet) - Value describing an IP protocol ID (e.g., UDP/TCP). A value of zero means that the DST Id Prot field should be ignored. o DST ID Port (2 octets) - Value specifying a port associated with the source Id. A value of zero means that the DST ID Port field should be ignored. o DST ID Data Len (1 octet) - Value specifying the length of the DST Identification Data field. o DST Identification Data (variable length) - Value, as indicated by the DST ID Type. o Transform ID (1 octet) - Value specifying which ESP transform is to be used. The list of valid values are defined in the IPSEC ESP Transform Identifiers section of the IANA isakmpd-registry [ISAKMP- REG]. o SPI (4 octets) - Security Parameter Index for ESP. o RFC 2407 Attributes - ESP Attributes from RFC 2407 Section 4.5. The GDOI supports all IPSEC DOI SA Attributes for PROTO_IPSEC_ESP excluding the Group Description [RFC2407, section 4.5], which MUST NOT be sent by a GDOI implementation and is ignored by a GDOI implementation if received. All mandatory IPSEC DOI attributes are mandatory in GDOI PROTO_IPSEC_ESP. The Authentication Algorithm attribute of the IPSEC DOI is group authentication in GDOI. Baugher, et. al. Standards Track - Expires July, 2002 21 The GDOI Domain of Interpretation January, 2002 5.4.2 Other Security Protocols Besides ESP, GDOI should serve to establish SAs for secure groups needed by other Security Protocols that operate at the transport, application, and internetwork layers. These other Security Protocols, however, are in the process of being developed or do not yet exist. The following information needs to be provided for a Security Protocol to the GDOI. o The Protocol-ID for the particular Security Protocol o The SPI Size o The method of SPI generation o The transforms, attributes and keys needed by the Security Protocol All Security Protocols must provide the information in the bulleted list above to guide the GDOI implementation for that protocoland will be specified in separate documents. 5.5 Key Download Payload The Key Download Payload contains group keys for the group specified in the SA Payload. These key download payloads can have several security attributes applied to them based upon the security policy of the group as defined by the associated SA Payload. When included as part of the Re-key SA with an optional KE payload, The Key Download Payload will be xor'ed with the new Diffie-Hellman shared secret. The xor operation will begin at the "Number of Key Packets" field. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Number of Key Packets ! RESERVED2 ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ~ Key Packets ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The Key Download Payload fields are defined as follows: o Next Payload (1 octet) - Identifier for the payload type of the next payload in the message. If the current payload is the last in the message, then this field will be zero. o RESERVED (1 octet) - Unused, set to zero. Baugher, et. al. Standards Track - Expires July, 2002 22 The GDOI Domain of Interpretation January, 2002 o Payload Length (2 octets) - Length in octets of the current payload, including the generic payload header. o Number of Key Packets (2 octets) -- Contains the total number of both TEK and Rekey arrays being passed in this data block. o Key Packets Several types of key packets are defined. Each Key Packet has the following format. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! KD Type ! RESERVED ! KD Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! SPI Size ! SPI (variable) ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ~ Key Packet Attributes ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! o Key Download (KD) Type (1 octet) -- Identifier for the Key Data field of this Key Packet. Key Download Type Value ----------------- ----- RESERVED 0 TEK 1 KEK 2 LKH 3 RESERVED 4-127 Private Use 128-255 "KEK" is a single key whereas LKH is an array of key-encrypting keys o RESERVED (1 octet) - Unused, set to zero. o Key Download Length (2 octets) -- Length in octets of the Key Packet data following this field. o SPI Size (1 octet) - Value specifying the length in octets of the SPI as defined by the Protocol-Id. o SPI (variable length) - Security Parameter Index which matches a SPI previously sent in an SAK or SAT Payload. o Key Packet Attributes (variable length) -- Contains Key information. The format of this field is specific to the value of the KD Type field. The following sections describe the format of each KD Type. 5.5.1 TEK Download Type Baugher, et. al. Standards Track - Expires July, 2002 23 The GDOI Domain of Interpretation January, 2002 The following attributes may be present in a SAT Payload. Exactly one attribute matching each type sent in the SAT payload MUST be present. The attributes must follow the format defined in ISAKMP [RFC2408] section 3.3. In the table, attributes which are defined as TV are marked as Basic (B); attributes which are defined as TLV are marked as Variable (V). TEK Class Value Type --------- ----- ---- RESERVED 0 TEK_ALGORITHM_KEY 1 V TEK_INTEGRITY_KEY 2 V TEK_SOURCE_AUTH_KEY 3 V If no TEK key packets are included in a Registration KD payload, the group member can expect to receive the TEK as part of a Re-key SA. At least one TEK must be included in each Re-key KD payload. Multiple TEKs may be included if multiple streams associated with the SA are to be rekeyed. 5.5.1.1 TEK_ALGORITHM_KEY The TEK_ALGORITHM_KEY class declares that the encryption key for this SPI is contained as the Key Packet Attribute. The encryption algorithm that will use this key was specified in the SAT payload. DES keys will consist of 64 bits (the 56 key bits with parity bit). Triple DES keys will be be specified as 64 bits (including parity bits) in the order that they are to be used for encryption (e.g., DES_KEY1, DES_KEY2, DES_KEY3). 5.5.1.2 TEK_INTEGRITY_KEY The TEK_INTEGRITY_KEY class declares that the integrity key for this SPI is contained as the Key Packet Attribute. The integrity algorithm that will use this key was specified in the SAT payload. Thus GDOI assumes that both the symmetric encryption and integrity keys are pushed to the member. SHA keys will consist of 160 bits, and MD5 keys will consist of 128 bits. 5.5.1.3 TEK_SOURCE_AUTH_KEY The TEK_SOURCE_AUTH_KEY class declares that the source authentication key for this SPI is contained in the Key Packet Attribute. The source authentication algorithm that will use this key was specified in the SAT payload. 5.5.2 KEK Download Type Baugher, et. al. Standards Track - Expires July, 2002 24 The GDOI Domain of Interpretation January, 2002 The following attributes may be present in a SAK Payload. Exactly one attribute matching each type sent in the SAK payload MUST be present. The attributes must follow the format defined in ISAKMP [RFC2408] section 3.3. In the table, attributes which are defined as TV are marked as Basic (B); attributes which are defined as TLV are marked as Variable (V). KEK Class Value Type --------- ----- ---- RESERVED 0 KEK_ALGORITHM_KEY 1 V SIG_ALGORITHM_KEY 2 V If the KEK key packet is included, there MUST be only one present in the KD payload. 5.5.2.1 KEK_ALGORITHM_KEY The KEK_ALGORITHM_KEY class declares the encryption key for this SPI is contained in the Key Packet Attribute. The encryption algorithm that will use this key was specified in the SAK payload. If the mode of operation for the algorithm requires an Initialization Vector (IV), an explicit IV MUST be included in the KEK_ALGORITHM_KEY before the actual key. 5.5.2.2 SIG_ALGORITHM_KEY The SIG_ALGORITHM_KEY class declares that the public key for this SPI is contained in the Key Packet Attribute, which may be useful when no public key infrastructure is available. The signature algorithm that will use this key was specified in the SAK payload. 5.5.3 LKH Download Type The LKH key packet is comprised of attributes representing different leaves in the LKH key tree. The following attributes are used to pass an LKH KEK array in the KD payload. The attributes must follow the format defined in ISAKMP [RFC2408] section 3.3. In the table, attributes which are defined as TV are marked as Basic (B); attributes which are defined as TLV are marked as Variable (V). KEK Class Value Type --------- ----- ---- RESERVED 0 KEK_LKH 1 V If an LKH key packet is included in the KD payload, there must be only one present. Baugher, et. al. Standards Track - Expires July, 2002 25 The GDOI Domain of Interpretation January, 2002 5.5.3.1 KEK_LKH This attribute consists of a header block, followed by one or more LKH keys. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH Version ! Leaf ID ! Number of ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ LKH Keys ! ! +-+-+-+-+-+-+-+-+ LKH Keys ! ~ ~ +---------------------------------------------------------------+ The KEK_LKH attribute fields are defined as follows: o LKH version (1 octet) - Contains the version of the LKH protocol which the data is formatted in. o Leaf ID (2 octets) -- This is the Leaf Node ID of the LKH sequence contained in this Key Packet Data block. o Number of LKH Keys (2 octets) -- This value is the number of distinct LKH keys in this sequence. Each LKH Key is defined as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH ID ! Key Type ! ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Key Creation Date ! ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Key expiration Date ! ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Key Handle ! ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- ! ! ! ~ Key Data ~ +---------------------------------------------------------------+ o LKH ID (2 octets) -- This is the position of this key in the binary tree structure used by LKH. o Key Type (1 octet) -- This is the encryption algorithm for which this key data is to be used. This value is specified in the Policy Token. o Key Creation Date (4 octets) -- This is the time value of when this key data was originally generated. Baugher, et. al. Standards Track - Expires July, 2002 26 The GDOI Domain of Interpretation January, 2002 o Key Expiration Date (4 octets) -- This is the time value of when this key is no longer valid for use. o Key Handle (4 octets) -- This is the randomly generated value to uniquely identify a key. o Key Data (variable length) -- This is the actual encryption key data, which is dependent on the Key Type algorithm for its format. 5.6 Sequence Number Payload The Sequence Number Payload (SEQ) provides an anti-replay protection for GROUPKEY-PUSH messages. Its use is similar to the Sequence Number field defined in the IPsec ESP protocol [RFC2406]. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Sequence Number ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The Sequence Number Payload fields are defined as follows: o Next Payload (1 octet) - Identifier for the payload type of the next payload in the message. If the current payload is the last in the message, then this field will be zero. o RESERVED (1 octet) - Unused, set to zero. o Payload Length (2 octets) - Length in octets of the current payload, including the generic payload header. o Sequence Number (4 octets) - This field contains a monotonically increasing counter value for the group. It is initialized to zero by the GCKS, and incremented in each subsequently-transmitted message. Thus the first packet sent for a given Rekey SA will have a Sequence Number of 1. The GDOI implementation keeps a sequence counter as an attribute for the Rekey SA and increments the counter upon receipt of a GROUPKEY-PUSH message. The current value of the sequence number must be transmitted to group members as a part of the Registration SA SA payload. A group member must keep a sliding receive window. The window must be treated as in the ESP protocol [RFC2406] Section 3.4.3. 5.7 Proof of Possession The Proof of Possession Payload is used as part of group membership authorization during a GDOI exchange. The Proof of Possession Payload Baugher, et. al. Standards Track - Expires July, 2002 27 The GDOI Domain of Interpretation January, 2002 is identical to an ISAKMP SIG payload. However, the usage is entirely different. The GCKS, GCKS delegate or member signs a prf (i.e., RFC 2409 keyed MAC) of the following values: POP_HASH = prf("pop" | Ni | Nr) The "pop" prefix ensures that the signature of the POP payload cannot be used for any other purpose in the GDOI protocol. 5.8 Nonce The data portion of the Nonce payload (i.e., Ni_b and Nr_b included in the HASHs) MUST be a value between 8 and 128 bytes. 7.0 Security Considerations GDOI is a security association (SA) protocol for groups of senders and receivers. This protocol uses best-known practices for defense against man-in-middle, connection hijacking, replay, reflection, and denial-of-service (DOS) attacks. GDOI may inherit the problems of its ancestors, ISAKMP [RFC2408] and Internet Key Exchange [RFC2409]. Some problems remain to be addressed in ISAKMP and IKE [FS00]. GDOI should benefit, however, from improvements to its ancestor protocols just as it benefits from years of experience and work embodied in those protocols Of course, GDOI supports secure groups and differs from ISAKMP and IKE in authorization, policy, SA structure, and exchanges. The SA structure is more complex than ISAKMP and IKE. Complexity is bad for a Security Protocol because it makes correctness analysis more difficult than in a simpler protocol and may lead to implementation problems. The distribution of keying material using multicast techniques, moreover, is novel. Novelty is bad for a key management protocol because it can contain unexpected results and problems. 8.0 IANA Considerations 8.1 ISAKMP DOI A new ISAKMP DOI number needs to be assigned to GDOI. RFC 2407 indicates that the namespace for DOI values is in STD-2, although that does not yet exist such as section there. The present document is in accordance with the "Supported Security Protocols" section in [RFC2408]. 8.2 Payload Types New ISAKMP Next Payload types need to be allocated for GDOI payload types. No ISAKMP registry for payload types currently exists, but the Private Use payload type namespace can be further partitioned for the GDOI DOI. See Section 5.0 for the payloads defined in this document. Baugher, et. al. Standards Track - Expires July, 2002 28 The GDOI Domain of Interpretation January, 2002 8.3 New Namespaces The present document describes many new namespaces for use in the GDOI payloads. Those may be found in subsections under Section 5.0. A new GDOI registry should be created for these namespaces. 8.3 UDP Port A new UDP port is required for GDOI. 9.0 Acknowledgements The authors thank Ran Canetti, Cathy Meadows and Andrea Colegrove. Ran has advised the authors on secure group cryptography, which has led to changes in the exchanges and payload definitions. Cathy identified several problems in previous versions of this document, including a replay attack against the proof of possession exchange, as well as several man-in-the-middle. Andrea has contributed to the group policy section of this draft. 10.0 References [AES-MODES] "Recommendation for Block Cipher Modes of Operation", United States of American, National Institute of Science and Technology, NIST Special Publication 800-38A 2001 Edition, December 2001. [FIPS46-3] "Data Encryption Standard (DES)", United States of American, National Institute of Science and Technology, Federal Information Processing Standard (FIPS) 46-3, October 1999. [FIPS81] "DES Modes of Operation", United States of American, National Institute of Science and Technology, Federal Information Processing Standard (FIPS) 81, December 1980. [FIPS186-2] "Digital Signature Standard (DSS)", United States of American, National Institute of Science and Technology, Federal Information Processing Standard (FIPS) 186-2, January 2000. [FIPS197] "Advanced Encryption Standard (AES)", United States of American, National Institute of Science and Technology, Federal Information Processing Standard (FIPS) 197, November 2001. [FS00] N. Ferguson and B. Schneier, A Cryptographic Evaluation of IPsec, CounterPane, http://www.counterpane.com/ipsec.html. [IPSEC-REG] http://www.iana.org/assignments/ipsec-registry [ISAKMP-REG] http://www.iana.org/assignments/isakmp-registry [NAI] http://www.nai.com/media/pdf/products/tns/6_PGP_VPN_001.pdf Baugher, et. al. Standards Track - Expires July, 2002 29 The GDOI Domain of Interpretation January, 2002 [RFC1889] H. Schulzrinne, S. Casner, R. Frederick, V. Jacobson, RTP: A Transport Protocol for Real-Time Applications, January 1996. [RFC2093] Harney, H., and Muckenhirn, C., "Group Key Management Protocol (GKMP) Specification," RFC 2093, July 1997. [RFC2094] Harney, H., and Muckenhirn, C., "Group Key Management Protocol (GKMP) Architecture," RFC 2094, July 1997. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Level", BCP 14, RFC 2119, March 1997. [RFC2327] M. Handley, V. Jacobson, SDP: Session Description Protocol, April 1998. [RFC2367] D. McDonald, C. Metz, B. Phan, PF_KEY Key Management API, Version 2, July 1998. [RFC2401] S. Kent, R. Atkinson, Security Architecture for the Internet Protocol, November 1998 [RFC2406] S. Kent, R. Atkinson, IP Encapsulating Security Payload (ESP), November 1998. [RFC2407] D. Piper, The Internet IP Domain of Interpretation for ISAKMP, November 1998. [RFC2408] D. Maughan, M. Shertler, M. Schneider, J. Turner, Internet Security Association and Key Management Protocol, November 1998. [RFC2409] D. Harkins, D. Carrel, The Internet Key Exchange (IKE), November, 1998. [RFC2412] H. Orman, The OAKLEY Key Determination Protocol, November 1998. [RFC2627] D. M. Wallner, E. Harder, R. C. Agee, Key Management for Multicast: Issues and Architectures, September 1998. [RSA] RSA Laboratories, "PKCS #1 v2.0: RSA Encryption Standard", October 1998. [STS] Diffie, P. van Oorschot, M. J. Wiener, Authentication and Authenticated Key Exchanges, Designs, Codes and Cryptography, 2, 107- 125 (1992), Kluwer Academic Publishers. Authors Addresses Mark Baugher Cisco Systems 5510 SW Orchid Street Portland, OR 97219, USA Baugher, et. al. Standards Track - Expires July, 2002 30 The GDOI Domain of Interpretation January, 2002 (503) 245-4543 mbaugher@cisco.com Thomas Hardjono VeriSign 401 Edgewater Place, Suite 280 Wakefield, MA 01880 Tel: 781-245-6996 Email: thardjono@verisign.com Hugh Harney Sparta 9861 Broken Land Parkway Columbia, MD 21046 (410) 381-9400 x203 hh@sparta.com Brian Weis Cisco Systems 170 W. Tasman Drive, San Jose, CA 95134-1706, USA (408) 526-4796 bew@cisco.com Baugher, et. al. Standards Track - Expires July, 2002 31
Datatracker
Report a datatracker bug
draft-ietf-msec-gdoi-03
Internet-Draft
| Document | Document type |
This is an older version of an Internet-Draft that was ultimately published as RFC 3547.
Expired & archived
|
|
|---|---|---|---|
| Select version | |||
| Compare versions | |||
| Author | |||
| Replaces | draft-irtf-smug-gdoi | ||
| RFC stream |
|
||
| Other formats | |||
| Additional resources | Mailing list discussion |