The OAKLEY Key Determination Protocol
RFC 2412

 
Document Type RFC - Informational (November 1998; Errata)
Last updated 2014-05-06
Stream IETF
Formats plain text pdf html
Stream WG state WG Document
Document shepherd No shepherd assigned
IESG IESG state RFC 2412 (Informational)
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                           H. Orman
Request for Comments: 2412                Department of Computer Science
Category: Informational                            University of Arizona
                                                           November 1998

                 The OAKLEY Key Determination Protocol

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

Abstract

   This document describes a protocol, named OAKLEY, by which two
   authenticated parties can agree on secure and secret keying material.
   The basic mechanism is the Diffie-Hellman key exchange algorithm.

   The OAKLEY protocol supports Perfect Forward Secrecy, compatibility
   with the ISAKMP protocol for managing security associations, user-
   defined abstract group structures for use with the Diffie-Hellman
   algorithm, key updates, and incorporation of keys distributed via
   out-of-band mechanisms.

1. INTRODUCTION

   Key establishment is the heart of data protection that relies on
   cryptography, and it is an essential component of the packet
   protection mechanisms described in [RFC2401], for example.  A
   scalable and secure key distribution mechanism for the Internet is a
   necessity.  The goal of this protocol is to provide that mechanism,
   coupled with a great deal of cryptographic strength.

   The Diffie-Hellman key exchange algorithm provides such a mechanism.
   It allows two parties to agree on a shared value without requiring
   encryption.  The shared value is immediately available for use in
   encrypting subsequent conversation, e.g. data transmission and/or
   authentication.  The STS protocol [STS] provides a demonstration of
   how to embed the algorithm in a secure protocol, one that ensures
   that in addition to securely sharing a secret, the two parties can be
   sure of each other's identities, even when an active attacker exists.

Orman                        Informational                      [Page 1]
RFC 2412         The OAKLEY Key Determination Protocol     November 1998

   Because OAKLEY is a generic key exchange protocol, and because the
   keys that it generates might be used for encrypting data with a long
   privacy lifetime, 20 years or more, it is important that the
   algorithms underlying the protocol be able to ensure the security of
   the keys for that period of time, based on the best prediction
   capabilities available for seeing into the mathematical future.  The
   protocol therefore has two options for adding to the difficulties
   faced by an attacker who has a large amount of recorded key exchange
   traffic at his disposal (a passive attacker).  These options are
   useful for deriving keys which will be used for encryption.

   The OAKLEY protocol is related to STS, sharing the similarity of
   authenticating the Diffie-Hellman exponentials and using them for
   determining a shared key, and also of achieving Perfect Forward
   Secrecy for the shared key, but it differs from the STS protocol in
   several ways.

      The first is the addition of a weak address validation mechanism
      ("cookies", described by Phil Karn in the Photuris key exchange
      protocol work in progress) to help avoid denial of service
      attacks.

      The second extension is to allow the two parties to select
      mutually agreeable supporting algorithms for the protocol: the
      encryption method, the key derivation method, and the
      authentication method.

      Thirdly, the authentication does not depend on encryption using
      the Diffie-Hellman exponentials; instead, the authentication
      validates the binding of the exponentials to the identities of the
      parties.

      The protocol does not require the two parties compute the shared
      exponentials prior to authentication.

      This protocol adds additional security to the derivation of keys
      meant for use with encryption (as opposed to authentication) by
      including a dependence on an additional algorithm.  The derivation
      of keys for encryption is made to depend not only on the Diffie-
      Hellman algorithm, but also on the cryptographic method used to
      securely authenticate the communicating parties to each other.

      Finally, this protocol explicitly defines how the two parties can
      select the mathematical structures (group representation and
      operation) for performing the Diffie-Hellman algorithm; they can
      use standard groups or define their own.  User-defined groups
      provide an additional degree of long-term security.

Orman                        Informational                      [Page 2]
Show full document text