📄 rfc2523.txt
字号:
Network Working Group P. KarnRequest for Comments: 2523 QualcommCategory: Experimental W. Simpson DayDreamer March 1999 Photuris: Extended Schemes and AttributesStatus of this Memo This document defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.Copyright Notice Copyright (C) The Internet Society (1999). Copyright (C) Philip Karn and William Allen Simpson (1994-1999). All Rights Reserved.Abstract Photuris is a session-key management protocol. Extensible Exchange- Schemes are provided to enable future implementation changes without affecting the basic protocol. Additional authentication attributes are included for use with the IP Authentication Header (AH) or the IP Encapsulating Security Protocol (ESP). Additional confidentiality attributes are included for use with ESP.Karn & Simpson Experimental [Page i]
RFC 2523 Schemes and Attributes March 1999Table of Contents 1. Additional Exchange-Schemes ........................... 1 2. Additional Key-Generation-Function .................... 5 2.1 SHA1 Hash ....................................... 5 3. Additional Privacy-Methods ............................ 5 3.1 DES-CBC over Mask ............................... 5 3.2 DES-EDE3-CBC over Mask .......................... 6 4. Additional Validity-Method ............................ 6 4.1 SHA1-IPMAC Check ................................ 6 5. Additional Attributes ................................. 7 5.1 SHA1-IPMAC ...................................... 7 5.1.1 Symmetric Identification ........................ 8 5.1.2 Authentication .................................. 9 5.2 RIPEMD-160-IPMAC ................................ 9 5.2.1 Symmetric Identification ........................ 10 5.2.2 Authentication .................................. 11 5.3 DES-CBC ......................................... 11 5.4 Invert (Decryption/Encryption) .................. 12 5.5 XOR Whitening ................................... 13 APPENDICES ................................................... 15 A. Exchange-Scheme Selection ............................. 15 A.1 Responder ....................................... 15 A.2 Initiator ....................................... 15 SECURITY CONSIDERATIONS ...................................... 16 ACKNOWLEDGEMENTS ............................................. 16 REFERENCES ................................................... 17 CONTACTS ..................................................... 18 COPYRIGHT .................................................... 19Karn & Simpson Experimental [Page ii]
RFC 2523 Schemes and Attributes March 19991. Additional Exchange-Schemes The packet format and basic facilities are already defined for Photuris [RFC-2522]. These optional Exchange-Schemes are specified separately, and no single implementation is expected to support all of them. This document defines the following values: (3) Implementation Optional. Any modulus (p) with a recommended generator (g) of 3. When the Exchange-Scheme Size is non-zero, the modulus is contained in the Exchange-Scheme Value field in the list of Offered-Schemes. An Exchange-Scheme Size of zero is invalid. Key-Generation-Function "MD5 Hash" Privacy-Method "Simple Masking" Validity-Method "MD5-IPMAC Check" This combination of features requires a modulus with at least 64-bits of cryptographic strength. (4) Implementation Optional. Any modulus (p) with a recommended generator (g) of 2. When the Exchange-Scheme Size is non-zero, the modulus is contained in the Exchange-Scheme Value field in the list of Offered-Schemes. When the Exchange-Scheme Size field is zero, includes by reference all of the moduli specified in the list of Offered- Schemes for Scheme #2. Key-Generation-Function "MD5 Hash" Privacy-Method "DES-CBC over Mask" Validity-Method "MD5-IPMAC Check" This combination of features requires a modulus with at least 64-bits of cryptographic strength. (5) Implementation Optional. Any modulus (p) with a recommended generator (g) of 5. When the Exchange-Scheme Size is non-zero, the modulus is contained in the Exchange-Scheme Value field in the list of Offered-Schemes. An Exchange-Scheme Size of zero is invalid.Karn & Simpson Experimental [Page 1]
RFC 2523 Schemes and Attributes March 1999 Key-Generation-Function "MD5 Hash" Privacy-Method "Simple Masking" Validity-Method "MD5-IPMAC Check" This combination of features requires a modulus with at least 64-bits of cryptographic strength. (6) Implementation Optional. Any modulus (p) with a recommended generator (g) of 3. When the Exchange-Scheme Size is non-zero, the modulus is contained in the Exchange-Scheme Value field in the list of Offered-Schemes. When the Exchange-Scheme Size field is zero, includes by reference all of the moduli specified in the list of Offered- Schemes for Scheme #3. Key-Generation-Function "MD5 Hash" Privacy-Method "DES-CBC over Mask" Validity-Method "MD5-IPMAC Check" This combination of features requires a modulus with at least 64-bits of cryptographic strength. (7) Implementation Optional. Any modulus (p) with a variable generator (g). When the Exchange-Scheme Size is non-zero, the pair [g,p] is contained in the Exchange-Scheme Value field in the list of Offered-Schemes. Each is encoded in a separate Variable Precision Integer (VPI). The generator VPI is followed by (concatenated to) the modulus VPI, and the result is nested inside the Exchange-Scheme Value field. An Exchange-Scheme Size of zero is invalid. Key-Generation-Function "MD5 Hash" Privacy-Method "Simple Masking" Validity-Method "MD5-IPMAC Check" This combination of features requires a modulus with at least 64-bits of cryptographic strength. When more than one modulus is specified for a given kind of Scheme, the Size of the modulus MUST be unique, independent of the Size of the generator. (8) Implementation Optional. Any modulus (p) with a recommended generator (g) of 2. When the Exchange-Scheme Size is non-zero, the modulus is contained in the Exchange-Scheme Value field inKarn & Simpson Experimental [Page 2]
RFC 2523 Schemes and Attributes March 1999 the list of Offered-Schemes. When the Exchange-Scheme Size field is zero, includes by reference all of the moduli specified in the list of Offered- Schemes for Schemes #2 and #4. Key-Generation-Function "SHA1 Hash" Privacy-Method "DES-EDE3-CBC over Mask" Validity-Method "SHA1-IPMAC Check" This combination of features requires a modulus with at least 112-bits of cryptographic strength. (10) Implementation Optional. Any modulus (p) with a recommended generator (g) of 5. When the Exchange-Scheme Size is non-zero, the modulus is contained in the Exchange-Scheme Value field in the list of Offered-Schemes. When the Exchange-Scheme Size field is zero, includes by reference all of the moduli specified in the list of Offered- Schemes for Scheme #5. Key-Generation-Function "MD5 Hash" Privacy-Method "DES-CBC over Mask" Validity-Method "MD5-IPMAC Check" This combination of features requires a modulus with at least 64-bits of cryptographic strength. (12) Implementation Optional. Any modulus (p) with a recommended generator (g) of 3. When the Exchange-Scheme Size is non-zero, the modulus is contained in the Exchange-Scheme Value field in the list of Offered-Schemes. When the Exchange-Scheme Size field is zero, includes by reference all of the moduli specified in the list of Offered- Schemes for Schemes #3 and #6. Key-Generation-Function "SHA1 Hash" Privacy-Method "DES-EDE3-CBC over Mask" Validity-Method "SHA1-IPMAC Check" This combination of features requires a modulus with at least 112-bits of cryptographic strength. (14) Implementation Optional. Any modulus (p) with a variable generator (g). When the Exchange-Scheme Size is non-zero, the pair [g,p] is contained in the Exchange-Scheme Value field inKarn & Simpson Experimental [Page 3]
RFC 2523 Schemes and Attributes March 1999 the list of Offered-Schemes. Each is encoded in a separate Variable Precision Integer (VPI). The generator VPI is followed by (concatenated to) the modulus VPI, and the result is nested inside the Exchange-Scheme Value field. When the Exchange-Scheme Size field is zero, includes by reference all of the moduli specified in the list of Offered- Schemes for Scheme #7. Key-Generation-Function "MD5 Hash" Privacy-Method "DES-CBC over Mask" Validity-Method "MD5-IPMAC Check" This combination of features requires a modulus with at least 64-bits of cryptographic strength. When more than one modulus is specified for a given kind of Scheme, the Size of the modulus MUST be unique, independent of the Size of the generator. (20) Implementation Optional. Any modulus (p) with a recommended generator (g) of 5. When the Exchange-Scheme Size is non-zero, the modulus is contained in the Exchange-Scheme Value field in the list of Offered-Schemes. When the Exchange-Scheme Size field is zero, includes by reference all of the moduli specified in the list of Offered- Schemes for Schemes #5 and #10. Key-Generation-Function "SHA1 Hash" Privacy-Method "DES-EDE3-CBC over Mask" Validity-Method "SHA1-IPMAC Check" This combination of features requires a modulus with at least 112-bits of cryptographic strength. (28) Implementation Optional. Any modulus (p) with a variable generator (g). When the Exchange-Scheme Size is non-zero, the pair [g,p] is contained in the Exchange-Scheme Value field in the list of Offered-Schemes. Each is encoded in a separate Variable Precision Integer (VPI). The generator VPI is followed by (concatenated to) the modulus VPI, and the result is nested inside the Exchange-Scheme Value field. When the Exchange-Scheme Size field is zero, includes by reference all of the moduli specified in the list of Offered- Schemes for Schemes #7 and #14.Karn & Simpson Experimental [Page 4]
RFC 2523 Schemes and Attributes March 1999 Key-Generation-Function "SHA1 Hash" Privacy-Method "DES-EDE3-CBC over Mask" Validity-Method "SHA1-IPMAC Check" This combination of features requires a modulus with at least 112-bits of cryptographic strength. When more than one modulus is specified for a given kind of Scheme, the Size of the modulus MUST be unique, independent of the Size of the generator.2. Additional Key-Generation-Function2.1. SHA1 Hash SHA1 [FIPS-180-1] is used as a pseudo-random-function for generating the key(s). The key(s) begin with the most significant bits of the hash. SHA1 is iterated as needed to generate the requisite length of key material. When an individual key does not use all 160-bits of the last hash, any remaining unused (least significant) bits of the last hash are discarded. When combined with other uses of key generation for the same purpose, the next key will begin with a new hash iteration.3. Additional Privacy-Methods3.1. DES-CBC over Mask As described in [RFC-2522] "Privacy-Key Computation", sufficient privacy-key material is generated to match the message length, beginning with the next field after the SPI, and including the Padding. The message is masked by XOR with the privacy-key. Then, the Key-Generation-Function is iterated to generate a DES key. The most significant 64-bits (8 bytes) of the generated hash are used for the privacy-key, and the remainder are discarded. Although extremely rare, the 64 weak, semi-weak, and possibly weak keys [Schneier95, pages 280-282] are discarded. The Key-Generation- Function is iterated until a valid key is obtained. The least significant bit of each key byte is ignored (or set to parity when the implementation requires). The 64-bit CBC IV is zero. Message encryption begins with the next field after the SPI, and continues to the end of the data indicatedKarn & Simpson Experimental [Page 5]⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -