Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2)
RFC 6989

Document Type: RFC - Proposed Standard (July 2013; No errata)
Updates: RFC 5996
Last updated: 2013-07-25
Replaces: draft-sheffer-ipsecme-dh-checks
Stream: IETF
WG state: WG Document
Consensus: Unknown
Document shepherd: Paul Hoffman
Shepherd write-up: last changed 2013-04-24
IESG state: RFC 6989 (Proposed Standard)
Responsible AD: spt
IESG note: Paul Hoffman (paul.hoffman@vpnc.org) is the document shepherd.
Send notices to: ipsecme-chairs@ietf.org, draft-ietf-ipsecme-dh-checks@ietf.org
IANA review state: Version Changed - Review Needed
IANA action state: RFC-Ed-Ack
Internet Engineering Task Force (IETF)                        Y. Sheffer
Request for Comments: 6989                                      Porticor
Updates: 5996                                                 S. Fluhrer
Category: Standards Track                                          Cisco
ISSN: 2070-1721                                                July 2013

                    Additional Diffie-Hellman Tests
        for the Internet Key Exchange Protocol Version 2 (IKEv2)

Abstract

   This document adds a small number of mandatory tests required for the
   secure operation of the Internet Key Exchange Protocol version 2
   (IKEv2) with elliptic curve groups.  No change is required to IKE
   implementations that use modular exponential groups, other than a few
   rarely used so-called Digital Signature Algorithm (DSA) groups.  This
   document updates the IKEv2 protocol, RFC 5996.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6989.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Sheffer & Fluhrer            Standards Track                    [Page 1]
RFC 6989                        DH Tests                       July 2013

Table of Contents

   1. Introduction ....................................................2
      1.1. Conventions Used in This Document ..........................3
   2. Group Membership Tests ..........................................3
      2.1. Sophie Germain Prime MODP Groups ...........................3
      2.2. MODP Groups with Small Subgroups ...........................3
      2.3. Elliptic Curve Groups ......................................4
      2.4. Transition .................................................4
      2.5. Protocol Behavior ..........................................5
   3. Side-Channel Attacks ............................................5
   4. Security Considerations .........................................6
      4.1. DH Key Reuse and Multiple Peers ............................6
      4.2. DH Key Reuse: Variants .....................................7
      4.3. Groups Not Covered by This RFC .............................7
      4.4. Behavior upon Test Failure .................................7
   5. IANA Considerations .............................................8
   6. Acknowledgements ................................................8
   7. References ......................................................9
      7.1. Normative References .......................................9
      7.2. Informative References .....................................9

1.  Introduction

   IKEv2 [RFC5996] consists of the establishment of a shared secret
   using the Diffie-Hellman (DH) protocol, followed by authentication of
   the two peers.  Existing implementations typically use modular
   exponential (MODP) DH groups, such as those defined in [RFC3526].

   IKEv2 does not require that any tests be performed by a peer
   receiving a public Diffie-Hellman key from the other peer.  This is
   fine for the common case of MODP groups.  For other DH groups, when
   peers reuse DH values across multiple IKE sessions, the lack of tests
   by the recipient results in a potential vulnerability (see
   Section 4.1 for more details).  In particular, this is true for
   Elliptic Curve (EC) groups, whose use is becoming ever more popular.
   This document defines such tests for several types of DH groups.
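
   As an added illustration of a recipient-side test of the kind this
   paragraph refers to (example code written for this page, not text from
   the RFC), the code below validates a received elliptic curve public
   value before it is used.  It assumes the NIST P-256 curve and a Key
   Exchange payload carrying the fixed-length concatenation x || y; the
   function names are hypothetical.

```python
# Added example: validate a peer's EC Diffie-Hellman public value on receipt.
# Assumptions: NIST P-256, and KE data laid out as x || y (32 bytes each).

# P-256 domain parameters for y^2 = x^3 + A*x + B (mod P)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
COORD_LEN = 32


def validate_peer_public(ke_data):
    """Return (x, y) if ke_data encodes a point on P-256, else raise ValueError."""
    if len(ke_data) != 2 * COORD_LEN:
        raise ValueError("unexpected Key Exchange data length")
    x = int.from_bytes(ke_data[:COORD_LEN], "big")
    y = int.from_bytes(ke_data[COORD_LEN:], "big")
    # Coordinates must be reduced field elements.
    if x >= P or y >= P:
        raise ValueError("coordinate out of range")
    # Membership test: the point must satisfy the curve equation.
    # P-256 has cofactor 1, so every on-curve point lies in the prime-order group.
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise ValueError("point is not on the curve")
    return x, y


def is_valid(ke_data):
    """Boolean wrapper, run before the value reaches a (possibly reused) private key."""
    try:
        validate_peer_public(ke_data)
        return True
    except ValueError:
        return False


def encode(x, y):
    return x.to_bytes(COORD_LEN, "big") + y.to_bytes(COORD_LEN, "big")


# Constructed sample inputs (not captured traffic).
GOOD = encode(GX, GY)          # the curve's base point
OFF_CURVE = encode(GX, GY ^ 1)  # one bit flipped in y
OUT_OF_RANGE = encode(P, GY)    # x equal to the field prime

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("off-curve", OFF_CURVE), ("range", OUT_OF_RANGE)]:
        print(name, is_valid(blob))
```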

   In addition, this document describes another potential attack related
   to the reuse of DH keys: a timing attack.  This additional material
   is taken from [RFC2412].

   This document updates [RFC5996] by adding security requirements that