Network Working Group                                            P. Karn
Request for Comments: 2523                                      Qualcomm
Category: Experimental                                        W. Simpson
                                                              DayDreamer
                                                              March 1999
Photuris: Extended Schemes and Attributes
Status of this Memo
This document defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). Copyright (C) Philip Karn
and William Allen Simpson (1994-1999). All Rights Reserved.
Abstract
Photuris is a session-key management protocol. Extensible Exchange-
Schemes are provided to enable future implementation changes without
affecting the basic protocol.
Additional authentication attributes are included for use with the IP
Authentication Header (AH) or the IP Encapsulating Security Protocol
(ESP).
Additional confidentiality attributes are included for use with ESP.
Karn & Simpson Experimental [Page i]
RFC 2523 Schemes and Attributes March 1999
Table of Contents
1. Additional Exchange-Schemes
2. Additional Key-Generation-Function
   2.1 SHA1 Hash
3. Additional Privacy-Methods
   3.1 DES-CBC over Mask
   3.2 DES-EDE3-CBC over Mask
4. Additional Validity-Method
   4.1 SHA1-IPMAC Check
5. Additional Attributes
   5.1 SHA1-IPMAC
      5.1.1 Symmetric Identification
      5.1.2 Authentication
   5.2 RIPEMD-160-IPMAC
      5.2.1 Symmetric Identification
      5.2.2 Authentication
   5.3 DES-CBC
   5.4 Invert (Decryption/Encryption)
   5.5 XOR Whitening
APPENDICES
   A. Exchange-Scheme Selection
      A.1 Responder
      A.2 Initiator
SECURITY CONSIDERATIONS
ACKNOWLEDGEMENTS
REFERENCES
CONTACTS
COPYRIGHT
1. Additional Exchange-Schemes
The packet format and basic facilities are already defined for
Photuris [RFC-2522].
These optional Exchange-Schemes are specified separately, and no
single implementation is expected to support all of them.
This document defines the following values:
(3) Implementation Optional. Any modulus (p) with a recommended
generator (g) of 3. When the Exchange-Scheme Size is non-zero,
the modulus is contained in the Exchange-Scheme Value field in
the list of Offered-Schemes.
An Exchange-Scheme Size of zero is invalid.
Key-Generation-Function "MD5 Hash"
Privacy-Method "Simple Masking"
Validity-Method "MD5-IPMAC Check"
This combination of features requires a modulus with at least
64-bits of cryptographic strength.
(4) Implementation Optional. Any modulus (p) with a recommended
generator (g) of 2. When the Exchange-Scheme Size is non-zero,
the modulus is contained in the Exchange-Scheme Value field in
the list of Offered-Schemes.
When the Exchange-Scheme Size field is zero, includes by
reference all of the moduli specified in the list of Offered-
Schemes for Scheme #2.
Key-Generation-Function "MD5 Hash"
Privacy-Method "DES-CBC over Mask"
Validity-Method "MD5-IPMAC Check"
This combination of features requires a modulus with at least
64-bits of cryptographic strength.
(5) Implementation Optional. Any modulus (p) with a recommended
generator (g) of 5. When the Exchange-Scheme Size is non-zero,
the modulus is contained in the Exchange-Scheme Value field in
the list of Offered-Schemes.
An Exchange-Scheme Size of zero is invalid.
Key-Generation-Function "MD5 Hash"
Privacy-Method "Simple Masking"
Validity-Method "MD5-IPMAC Check"
This combination of features requires a modulus with at least
64-bits of cryptographic strength.
(6) Implementation Optional. Any modulus (p) with a recommended
generator (g) of 3. When the Exchange-Scheme Size is non-zero,
the modulus is contained in the Exchange-Scheme Value field in
the list of Offered-Schemes.
When the Exchange-Scheme Size field is zero, includes by
reference all of the moduli specified in the list of Offered-
Schemes for Scheme #3.
Key-Generation-Function "MD5 Hash"
Privacy-Method "DES-CBC over Mask"
Validity-Method "MD5-IPMAC Check"
This combination of features requires a modulus with at least
64-bits of cryptographic strength.
(7) Implementation Optional. Any modulus (p) with a variable
generator (g). When the Exchange-Scheme Size is non-zero, the
pair [g,p] is contained in the Exchange-Scheme Value field in
the list of Offered-Schemes. Each is encoded in a separate
Variable Precision Integer (VPI). The generator VPI is
followed by (concatenated to) the modulus VPI, and the result
is nested inside the Exchange-Scheme Value field.
An Exchange-Scheme Size of zero is invalid.
Key-Generation-Function "MD5 Hash"
Privacy-Method "Simple Masking"
Validity-Method "MD5-IPMAC Check"
This combination of features requires a modulus with at least
64-bits of cryptographic strength.
When more than one modulus is specified for a given kind of
Scheme, the Size of the modulus MUST be unique, independent of
the Size of the generator.
(8) Implementation Optional. Any modulus (p) with a recommended
generator (g) of 2. When the Exchange-Scheme Size is non-zero,
the modulus is contained in the Exchange-Scheme Value field in
the list of Offered-Schemes.
When the Exchange-Scheme Size field is zero, includes by
reference all of the moduli specified in the list of Offered-
Schemes for Schemes #2 and #4.
Key-Generation-Function "SHA1 Hash"
Privacy-Method "DES-EDE3-CBC over Mask"
Validity-Method "SHA1-IPMAC Check"
This combination of features requires a modulus with at least
112-bits of cryptographic strength.
(10) Implementation Optional. Any modulus (p) with a recommended
generator (g) of 5. When the Exchange-Scheme Size is non-zero,
the modulus is contained in the Exchange-Scheme Value field in
the list of Offered-Schemes.
When the Exchange-Scheme Size field is zero, includes by
reference all of the moduli specified in the list of Offered-
Schemes for Scheme #5.
Key-Generation-Function "MD5 Hash"
Privacy-Method "DES-CBC over Mask"
Validity-Method "MD5-IPMAC Check"
This combination of features requires a modulus with at least
64-bits of cryptographic strength.
(12) Implementation Optional. Any modulus (p) with a recommended
generator (g) of 3. When the Exchange-Scheme Size is non-zero,
the modulus is contained in the Exchange-Scheme Value field in
the list of Offered-Schemes.
When the Exchange-Scheme Size field is zero, includes by
reference all of the moduli specified in the list of Offered-
Schemes for Schemes #3 and #6.
Key-Generation-Function "SHA1 Hash"
Privacy-Method "DES-EDE3-CBC over Mask"
Validity-Method "SHA1-IPMAC Check"
This combination of features requires a modulus with at least
112-bits of cryptographic strength.
(14) Implementation Optional. Any modulus (p) with a variable
generator (g). When the Exchange-Scheme Size is non-zero, the
pair [g,p] is contained in the Exchange-Scheme Value field in
the list of Offered-Schemes. Each is encoded in a separate
Variable Precision Integer (VPI). The generator VPI is
followed by (concatenated to) the modulus VPI, and the result
is nested inside the Exchange-Scheme Value field.
When the Exchange-Scheme Size field is zero, includes by
reference all of the moduli specified in the list of Offered-
Schemes for Scheme #7.
Key-Generation-Function "MD5 Hash"
Privacy-Method "DES-CBC over Mask"
Validity-Method "MD5-IPMAC Check"
This combination of features requires a modulus with at least
64-bits of cryptographic strength.
When more than one modulus is specified for a given kind of
Scheme, the Size of the modulus MUST be unique, independent of
the Size of the generator.
(20) Implementation Optional. Any modulus (p) with a recommended
generator (g) of 5. When the Exchange-Scheme Size is non-zero,
the modulus is contained in the Exchange-Scheme Value field in
the list of Offered-Schemes.
When the Exchange-Scheme Size field is zero, includes by
reference all of the moduli specified in the list of Offered-
Schemes for Schemes #5 and #10.
Key-Generation-Function "SHA1 Hash"
Privacy-Method "DES-EDE3-CBC over Mask"
Validity-Method "SHA1-IPMAC Check"
This combination of features requires a modulus with at least
112-bits of cryptographic strength.
(28) Implementation Optional. Any modulus (p) with a variable
generator (g). When the Exchange-Scheme Size is non-zero, the
pair [g,p] is contained in the Exchange-Scheme Value field in
the list of Offered-Schemes. Each is encoded in a separate
Variable Precision Integer (VPI). The generator VPI is
followed by (concatenated to) the modulus VPI, and the result
is nested inside the Exchange-Scheme Value field.
When the Exchange-Scheme Size field is zero, includes by
reference all of the moduli specified in the list of Offered-
Schemes for Schemes #7 and #14.
Key-Generation-Function "SHA1 Hash"
Privacy-Method "DES-EDE3-CBC over Mask"
Validity-Method "SHA1-IPMAC Check"
This combination of features requires a modulus with at least
112-bits of cryptographic strength.
When more than one modulus is specified for a given kind of
Scheme, the Size of the modulus MUST be unique, independent of
the Size of the generator.
2. Additional Key-Generation-Function
2.1. SHA1 Hash
SHA1 [FIPS-180-1] is used as a pseudo-random-function for generating
the key(s). The key(s) begin with the most significant bits of the
hash. SHA1 is iterated as needed to generate the requisite length of
key material.
When an individual key does not use all 160-bits of the last hash,
any remaining unused (least significant) bits of the last hash are
discarded. When combined with other uses of key generation for the
same purpose, the next key will begin with a new hash iteration.
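The key slicing described in 2.1, as an added Python example that is not part of RFC 2523. The input fed to each SHA1 iteration is defined in [RFC-2522] and is not reproduced here, so sha1_iterations() and its seed are assumptions standing in for it; take_key() and derive_keys() are hypothetical names.

```python
import hashlib

HASH_BITS = 160  # size of one SHA1 output


def sha1_iterations(seed: bytes):
    """Yield successive SHA1 outputs.

    ASSUMPTION: feeding the previous output back in together with the seed
    is a stand-in. The real input of every iteration is given in RFC 2522.
    """
    block = b""
    while True:
        block = hashlib.sha1(block + seed).digest()
        yield block


def take_key(hashes, bits: int) -> bytes:
    """Draw one key of `bits` bits, always starting on a fresh iteration."""
    if bits <= 0:
        raise ValueError("key length must be positive")
    rounds = -(-bits // HASH_BITS)  # ceiling division: iterate as needed
    material = b"".join(next(hashes) for _ in range(rounds))
    # Keep the most significant bits; the unused least significant bits of
    # the last hash are shifted out and never reused for another key.
    value = int.from_bytes(material, "big") >> (rounds * HASH_BITS - bits)
    # A length that is not a multiple of 8 is returned right-aligned.
    return value.to_bytes((bits + 7) // 8, "big")


def derive_keys(seed: bytes, bit_lengths):
    """Derive several keys for the same purpose from one iteration stream."""
    hashes = sha1_iterations(seed)
    return [take_key(hashes, n) for n in bit_lengths]


if __name__ == "__main__":
    # Constructed seed: a 64-bit key, a 192-bit key (two iterations, 128
    # bits discarded), then another 64-bit key on its own iteration.
    for key in derive_keys(b"constructed-seed", [64, 192, 64]):
        print(len(key) * 8, key.hex())
```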
3. Additional Privacy-Methods
3.1. DES-CBC over Mask
As described in [RFC-2522] "Privacy-Key Computation", sufficient
privacy-key material is generated to match the message length,
beginning with the next field after the SPI, and including the
Padding. The message is masked by XOR with the privacy-key.
Then, the Key-Generation-Function is iterated to generate a DES key.
The most significant 64-bits (8 bytes) of the generated hash are used
for the privacy-key, and the remainder are discarded. Although
extremely rare, the 64 weak, semi-weak, and possibly weak keys
[Schneier95, pages 280-282] are discarded. The Key-Generation-
Function is iterated until a valid key is obtained.
The least significant bit of each key byte is ignored (or set to
parity when the implementation requires).
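The DES key selection described above, as an added Python example that is not part of RFC 2523. select_des_key() and set_odd_parity() are hypothetical names, the hash outputs are supplied by the caller, and the reject set holds only the 4 weak and 12 semi-weak keys; the 48 possibly weak keys of the cited table are assumed to be added by the implementer.

```python
# Weak and semi-weak DES keys in odd-parity form (constructed from the
# widely published list). ASSUMPTION: the 48 "possibly weak" keys from the
# table cited above are not reproduced and would be added to this set.
WEAK_OR_SEMI_WEAK = {bytes.fromhex(k) for k in (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
    "011F011F010E010E", "1F011F010E010E01",
    "01E001E001F101F1", "E001E001F101F101",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01",
    "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
)}


def set_odd_parity(key: bytes) -> bytes:
    """Overwrite the least significant bit of each byte with odd parity."""
    out = bytearray()
    for b in key:
        top7 = b & 0xFE
        lsb = 1 if bin(top7).count("1") % 2 == 0 else 0
        out.append(top7 | lsb)
    return bytes(out)


def select_des_key(hashes):
    """Return (key, iterations) for the first acceptable DES key.

    `hashes` yields one Key-Generation-Function output per iteration.
    """
    for count, digest in enumerate(hashes, start=1):
        if len(digest) < 8:
            raise ValueError("hash output shorter than 64 bits")
        # The most significant 64 bits become the key; the rest is dropped.
        # Parity is normalised before the lookup because the low bit of each
        # byte is ignored: 00..00 is the same DES key as weak key 0101..01.
        candidate = set_odd_parity(digest[:8])
        if candidate not in WEAK_OR_SEMI_WEAK:
            return candidate, count
    raise RuntimeError("hash iterations exhausted without a valid key")


if __name__ == "__main__":
    # Constructed hash outputs: two collapse to weak keys, the third is usable.
    sample = [bytes(16), b"\xff" * 16,
              bytes.fromhex("0022446688AACCEE") + bytes(8)]
    key, used = select_des_key(sample)
    print(key.hex(), "after", used, "iterations")
```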
The 64-bit CBC IV is zero. Message encryption begins with the next
field after the SPI, and continues to the end of the data indicated