The OAKLEY Key Determination Protocol
Network Working Group H. Orman
Request for Comments: 2412 Department of Computer Science
Category: Informational University of Arizona
The OAKLEY Key Determination Protocol
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright (C) The Internet Society (1998). All Rights Reserved.
This document describes a protocol, named OAKLEY, by which two
authenticated parties can agree on secure and secret keying material.
The basic mechanism is the Diffie-Hellman key exchange algorithm.
The OAKLEY protocol supports Perfect Forward Secrecy, compatibility
with the ISAKMP protocol for managing security associations, user-
defined abstract group structures for use with the Diffie-Hellman
algorithm, key updates, and incorporation of keys distributed via
Key establishment is the heart of data protection that relies on
cryptography, and it is an essential component of the packet
protection mechanisms described in [RFC2401], for example. A
scalable and secure key distribution mechanism for the Internet is a
necessity. The goal of this protocol is to provide that mechanism,
coupled with a great deal of cryptographic strength.
The Diffie-Hellman key exchange algorithm provides such a mechanism.
It allows two parties to agree on a shared value without requiring
encryption. The shared value is immediately available for use in
encrypting subsequent conversation, e.g. data transmission and/or
authentication. The STS protocol [STS] provides a demonstration of
how to embed the algorithm in a secure protocol, one that ensures
that in addition to securely sharing a secret, the two parties can be
sure of each other's identities, even when an active attacker exists.
Orman Informational [Page 1]
RFC 2412 The OAKLEY Key Determination Protocol November 1998
Because OAKLEY is a generic key exchange protocol, and because the
keys that it generates might be used for encrypting data with a long
privacy lifetime, 20 years or more, it is important that the
algorithms underlying the protocol be able to ensure the security of
the keys for that period of time, based on the best prediction
capabilities available for seeing into the mathematical future. The
protocol therefore has two options for adding to the difficulties
faced by an attacker who has a large amount of recorded key exchange
traffic at his disposal (a passive attacker). These options are
useful for deriving keys which will be used for encryption.
The OAKLEY protocol is related to STS, sharing the similarity of
authenticating the Diffie-Hellman exponentials and using them for
determining a shared key, and also of achieving Perfect Forward
Secrecy for the shared key, but it differs from the STS protocol in
The first is the addition of a weak address validation mechanism
("cookies", described by Phil Karn in the Photuris key exchange
protocol work in progress) to help avoid denial of service
The second extension is to allow the two parties to select
mutually agreeable supporting algorithms for the protocol: the
encryption method, the key derivation method, and the
Thirdly, the authentication does not depend on encryption using
the Diffie-Hellman exponentials; instead, the authentication
validates the binding of the exponentials to the identities of the
The protocol does not require the two parties compute the shared
exponentials prior to authentication.
This protocol adds additional security to the derivation of keys
meant for use with encryption (as opposed to authentication) by
including a dependence on an additional algorithm. The derivation
of keys for encryption is made to depend not only on the Diffie-
Hellman algorithm, but also on the cryptographic method used to
securely authenticate the communicating parties to each other.
Finally, this protocol explicitly defines how the two parties can
select the mathematical structures (group representation and
operation) for performing the Diffie-Hellman algorithm; they can
use standard groups or define their own. User-defined groups
provide an additional degree of long-term security.
Orman Informational [Page 2]
Show full document text