[IPsec] About new PRF algorithms (comments to draft-kato-ipsec-camellia-cmac96and128-01)
Tero Kivinen <kivinen@iki.fi> Thu, 06 December 2007 18:43 UTC
Return-path: <ipsec-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1J0Lgg-0000Po-EW; Thu, 06 Dec 2007 13:43:06 -0500
Received: from ipsec by megatron.ietf.org with local (Exim 4.43) id 1J0Lgf-0000Pa-9E for ipsec-confirm+ok@megatron.ietf.org; Thu, 06 Dec 2007 13:43:05 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J0Lge-0000PS-VX for ipsec@ietf.org; Thu, 06 Dec 2007 13:43:04 -0500
Received: from [2001:1bc8:100d::2] (helo=mail.kivinen.iki.fi) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J0Lgd-0006sY-JJ for ipsec@ietf.org; Thu, 06 Dec 2007 13:43:04 -0500
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.13.8/8.12.10) with ESMTP id lB6IglsA004810 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 6 Dec 2007 20:42:47 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.13.8/8.12.11) id lB6IgdKn021163; Thu, 6 Dec 2007 20:42:39 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <18264.17055.267459.272412@fireball.kivinen.iki.fi>
Date: Thu, 06 Dec 2007 20:42:39 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org, akato@po.ntts.co.jp, kanda.masayuki@lab.ntt.co.jp, iwata@cse.nagoya-u.ac.jp
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 9 min
X-Total-Time: 8 min
X-Spam-Score: -1.4 (-)
X-Scan-Signature: b2809b6f39decc6de467dcf252f42af1
Cc: paul.hoffman@vpnc.org
Subject: [IPsec] About new PRF algorithms (comments to draft-kato-ipsec-camellia-cmac96and128-01)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Errors-To: ipsec-bounces@ietf.org
I read the draft-kato-ipsec-camellia-cmac96and128-01.txt and found one big issue in there. It copies the RFC4434 and RFC4615 mechanism of mixed fixed / variable length keys. Those documents are like they are because we messed up with them, I do not think we want to copy that kind of broken behavior any further. The new draft-hoffman-ikev2bis-02.txt actually removes the fixed length prf text from the IKEv2, and only says that it is used as special case for those two RFCs (RFC 4434, RFC 4615): from draft-hoffman-ikev2bis-02.txt: ... modulus. Ni and Nr are the nonces, stripped of any headers. For historical backwards-compatibility reasons, there are two PRFs that are treated specially in this calculation. If the negotiated PRF is AES-XCBC-PRF-128 [RFC4434] or AES-CMAC-PRF-128 [RFC4615], only the first 64 bits of Ni and the first 64 bits of Nr are used in the calculation. So I think we should change: > The Camellia-CMAC-96 and Camellia-CMAC-PRF-128 Algorithms and Its Use > with IPsec > draft-kato-ipsec-camellia-cmac96and128-01 ... > 5. Camellia-CMAC-PRF-128 > > The Camellia-CMAC-PRF-128 algorithm is identical to Camellia-CMAC > except that the 128-bit key length restriction is removed. > > IKEv2 [5] uses PRFs for multiple purposes, most notably for > generating keying material and authentication of the IKE_SA. The > IKEv2 specification differentiates between PRFs with fixed key sizes > and those with variable key sizes. > > When using Camellia-CMAC-PRF-128 as the PRF described in IKEv2, > Camellia-CMAC-PRF-128 is considered to take fixed size (16 octets) > keys for generating keying material but it takes variable key sizes > for authentication. > > That is, when generating keying material, "half the bits must come > from Ni and half from Nr, taking the first bits of each" as described > in IKEv2, section 2.14; but for authenticating with shared secrets > (IKEv2, section 2.16), the shared secret does not have to be 16 > octets and the length may vary. to: ---------------------------------------------------------------------- 5. Camellia-CMAC-PRF-128 The Camellia-CMAC-PRF-128 algorithm is identical to Camellia-CMAC except that the 128-bit key length restriction is removed. IKEv2 [5] uses PRFs for multiple purposes, most notably for generating keying material and authentication of the IKE_SA. When using Camellia-CMAC-PRF-128 as the PRF described in IKEv2, Camellia-CMAC-PRF-128 is considered to take variable key lenght in all places, and the number of bits of keying material generated when new keys are generated is 128 bits (i.e. when generating keying material the length of SK_d, SK_pi, and SK_pr will be 128 bits). When generating SKEYSEED the full Ni and Nr are used as key for the PRF. ---------------------------------------------------------------------- As I think we do want to start using standard variable length PRF code and specification for all future PRFs. Here is also some small nits in the draft-kato-ipsec-camellia-cmac96and128-01.txt: > 1. Introduction ... > Since optimized source code is provided by several open source > lisences [21], Camellia is also adopted by several open source > projects(Openssl, FreeBSD, Linux and Gran Paradiso). Additional API ^ Missing space. > for Network Security Services (NSS) and IPsec stack of Linux and Free > BSD are prepared or working progress for release. Free BSD should be FreeBSD. > 10. References > 10.1. Normative > [1] National Institute of Standards and Technology, "Recommendation > for Block Cipher Modes of Operation:The CMAC Mode for > Autentication", Special Publication 800-38B, May 2005. > > [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement > Levels", BCP 14, RFC 2119, March 1997. > > [3] Kent, S., "IP Authentication Header", RFC 4302, December 2005. > > [4] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, > December 2005. > > [5] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", > RFC 4306, December 2005. > > [6] Thayer, R., Doraswamy, N., and R. Glenn, "IP Security Document > Roadmap", RFC 2411, November 1998. I do not think the roadmap document is really a normative reference. Also I am not sure if the RFC 4302, 4303 or 4306 need to be normative refence either, as you can implement Camellia-CMAC-96 and Camellia-CMAC-PRF-128 without reading or understanding those documents (you can most likely also use them in IPsec without reading those documents :). I would move all of those [3]-[6] to the informative refences. > [7] Matsui, M., Nakajima, J., and S. Moriai, "A Description of the > Camellia Encryption Algorithm", RFC 3713, April 2004. > > 10.2. Informative > > [8] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", > RFC 2409, November 1998. I cannot find any references to this in the document. -- kivinen@safenet-inc.com _______________________________________________ IPsec mailing list IPsec@ietf.org https://www1.ietf.org/mailman/listinfo/ipsec
- [IPsec] About new PRF algorithms (comments to dra… Tero Kivinen