IETF Logo Mail Archive

[Ipsec] RE: Question / Remark on PRF/MAC in IKEv2 draft-spec (repeat)

"Charlie Kaufman" <charliek@microsoft.com> Thu, 10 March 2005 19:27 UTC

Received: from megatron.ietf.org (megatron.ietf.org [132.151.6.71]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA21590 for <ipsec-archive@lists.ietf.org>; Thu, 10 Mar 2005 14:27:41 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D9TIc-0003hu-U7; Thu, 10 Mar 2005 14:26:22 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D9TIa-0003hp-H8 for ipsec@megatron.ietf.org; Thu, 10 Mar 2005 14:26:20 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA21418 for <ipsec@ietf.org>; Thu, 10 Mar 2005 14:26:18 -0500 (EST)
Received: from mail2.microsoft.com ([131.107.3.124]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1D9TLO-00013q-Qa for ipsec@ietf.org; Thu, 10 Mar 2005 14:29:18 -0500
Received: from mailout1.microsoft.com ([157.54.1.117]) by mail2.microsoft.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 10 Mar 2005 11:24:33 -0800
Received: from RED-MSG-51.redmond.corp.microsoft.com ([157.54.12.11]) by mailout1.microsoft.com with Microsoft SMTPSVC(6.0.3790.1802); Thu, 10 Mar 2005 11:24:31 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 10 Mar 2005 11:24:29 -0800
Message-ID: <F5F4EC6358916448A81370AF56F211A5058064C1@RED-MSG-51.redmond.corp.microsoft.com>
Thread-Topic: Question / Remark on PRF/MAC in IKEv2 draft-spec (repeat)
Thread-Index: AcUlWD+j6Mipw7K9TOmh/G6xtDis7gASru5w
From: Charlie Kaufman <charliek@microsoft.com>
To: ventzislav.nikov@philips.com, ipsec@ietf.org
X-OriginalArrivalTime: 10 Mar 2005 19:24:31.0840 (UTC) FILETIME=[C9162E00:01C525A6]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: d185fa790257f526fedfd5d01ed9c976
Content-Transfer-Encoding: quoted-printable
Cc: Russ Housley <housley@vigilsec.com>, Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Subject: [Ipsec] RE: Question / Remark on PRF/MAC in IKEv2 draft-spec (repeat)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org
Content-Transfer-Encoding: quoted-printable

I don't know why your message was blocked from the ipsec list. Hopefully my reply will make it and I've included your note below.

In answer to your questions:

1) Yes, the label PRF_AES128_CBC in IKEv2 is inconsistent with the label used for the same PRF function in RFC3664 where it is called AES-XCBC-PRF-128. Part of this is because the IKEv2 document always puts the algorithm type as the first element of the name (in this case PRF). But it seems potentially confusing (to say the least) to have the IKEv2 spec say CBC while RFC3664 says XCBC since these imply different algorithms.

I believe the intent was to use the XCBC algorithm and that the IKEv2 spec is in error. I propose changing the IKEv2 spec during AUTH48 to specify PRF_AES128_XCBC to reduce possible confusion. The IKEv2 already refers to RFC3664 for the definition of the algorithm.

2) The current spec says that when using shared keys the AUTH payload is computed using the negotiated PRF algorithm. One could argue that it would be cryptographically preferable to do the outer computation with the negotiated MAC algorithm rather than the negotiated PRF algorithm, but I don't believe there are any weaknesses introduced by using the PRF so I don't believe it should be changed at this late date given that there are working implementations that such a change would break.

Paul... can you confirm that PRF is what the implementations in the bakeoff used?

	--Charlie

________________________________________
From: ventzislav.nikov@philips.com [mailto:ventzislav.nikov@philips.com] 
Sent: Thursday, March 10, 2005 2:01 AM
To: ipsec@lists.tislabs.com; Charlie Kaufman
Subject: Question / Remark on PRF/MAC in IKEv2 draft-spec (repeat)



Hello, 

I send again the mail from 28.02.05 sent to ipsec@ietf.org which is still waiting for the approval ?!? 
--------------- 
Your mail to 'Ipsec' with the subject

   Question / Remark on PRF/MAC in IKEv2 draft-spec

Is being held until the list moderator can review it for approval. 
----------------- 

1)
In the draft-ietf-ipsec-ikev2-xx the PRF (pseudo random function) is specified to has tag: 
PRF_AES128_CBC (referring to RFC3664), but in RFC 3664 it is 
"The AES-XCBC-PRF-128 Algorithm for the IKE". 
So it is not CBC but XCBC right?

2) 
In Section 2.15 "Authentication of the IKE_SA" the AUTH field is explained. 
First the document states that the signature or MAC is computed over a <text> with a <key>. 
In case the key is symmetric (e.g. derived from EAP-SIM subprotocol into IKEv2) the document states that 
AUTH = prf(prf(<key>,"Key Pad for IKEv2"), <text>) i.e. 
deciphered it is NewKey = prf(<key>,"Key Pad for IKEv2") and then AUTH = prf(NewKey, <text>). 
But what I expected instead is AUTH = MAC(NewKey, <text>). 

Note that there is subtle difference between PRF and MAC as cryptographic functions from one side and 
from other side (practical) even the algorithms are the same (e.g. HMAC-MD5, HMAC-SHA1, AES-XCBC) 
MAC is always truncated to 96 bits! 

So, could you confirm that AUTH is computed using MAC instead of PRF? 

Regards 
Ventzislav Nikov

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email