I-D: Extended Key exchange protocol
Kai Martius <admin@imib.med.tu-dresden.de> Thu, 05 March 1998 15:38 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id KAA23797 for ipsec-outgoing; Thu, 5 Mar 1998 10:38:07 -0500 (EST)
From: Kai Martius <admin@imib.med.tu-dresden.de>
Organization: Uniklinik TUD
To: ipsec <ipsec@tis.com>
Date: Thu, 05 Mar 1998 16:39:51 +0100
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Subject: I-D: Extended Key exchange protocol
Reply-to: kai@imib.med.tu-dresden.de
X-mailer: Pegasus Mail for Windows (v2.54)
Message-ID: <22F7A41476D@fltserv.imib.med.tu-dresden.de>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Hello,

I have written a draft on an "Extended Key Exchange Protocol" in a very first version. In short, it describes an extended protocol (E-IKE) based on IKE which allows involving more than two parties in the authentication process and key exchange. It supports extended SA management / establishment by applying security policies of the involved parties during the protocol (I've appended the TOC for a short overview).

Feel free to get a copy from http://www.imib.med.tu-dresden.de/imib/Internet/index.html

I would appreciate discussion on this with interested people. (I'll be in L.A., so also a - hopefully positive ;-) - personal communication will be possible...)

Thanks,
Kai

*****

Table of Contents

1. ABSTRACT 2
2. DISCUSSION 2
3. TERMS AND DEFINITIONS 3
4. THE PROTOCOL 4
   4.1 DESIGN OBJECTIVES 4
   4.2 INITIAL MESSAGE ROUTING 4
   4.3 PROTOCOL USING COMPLETE IKE EXCHANGES 5
   4.4 PROTOCOL USING A IKE-SECURED CHANNEL 6
   4.5 MESSAGE FORMAT 7
       4.5.1 Message Blocks / Message Matrixes 7
       4.5.2 Authentication fields / Authentication Methods 8
   4.6 MESSAGE FLOW 10
   4.7 MESSAGE MATRIX 15
   4.8 RESTRICTIONS 16
   4.9 KEY GENERATION 17
   4.10 COMPARISON 17
5. LOCAL SA MANAGEMENT 19
   5.1 SA BUNDLING 19
   5.2 ASYMMETRIC SAS 20
6. SECURITY POLICY MANAGEMENT ON GATEWAYS AND END NODES 20
7. SECURITY CONSIDERATIONS 22
APPENDIX A.1 - SYMBOLIC FUNCTIONS USED 22
APPENDIX A.2 - FIRST PROTOCOL APPROACH 24
APPENDIX A.3 - SECOND APPROACH 26
APPENDIX B - EXAMPLES 38
   B.1 REMOTE ACCESS 38
   B.2 VPN

--
Kai Martius
Dpt. of Medical CS and Biometrics / Dresden University of Technology
PGP Fingerprint: to be compared after download of my key
available at http://www.imib.med.tu-dresden.de/imib/personal/kai.html

See our project (and me) at CeBit'98 fair Hannover/Germany 19-25.3.98
Infos: http://www.inf.tu-dresden.de/~hf2/cebit98