📄 rfc2523.txt
字号:
For example, the combination "DES-CBC", "Invert", "DES-CBC", "DES-CBC", indicates "Triple DES" outer-CBC EDE encryption (and DED decryption) with three keys [KR96] pursuant to [RFC-1851] et sequitur. The selected Exchange-Scheme SHOULD provide at least 112-bits of cryptographic strength. As described in [RFC-2522] "Session-Key Computation", the Key- Generation-Function is iterated (at least) three times to generate the three independent keys, in the order used for encryption. The most significant 64-bits (8 bytes) of each iteration are used for each successive key, and the remainder are discarded. Each key is examined sequentially, in the order used for encryption. A key that is identical to any previous key MUST be discarded. Any weak keys indicated for the algorithm MUST be discarded. The Key- Generation-Function is iterated until a valid key is obtained before generating the next key. Profile: When negotiated with Photuris, the "DES-EDE3-CBC" transform differs slightly from [RFC-1851], in the same fashion as "DES-CBC" (described earlier).5.5. XOR Whitening +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Attribute | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Attribute 10 Length 0 May be selected as an ESP Attribute-Choice, pursuant to [XEX3] et sequitur. The combination "XOR", "DES-CBC", "XOR",Karn & Simpson Experimental [Page 13]
RFC 2523 Schemes and Attributes March 1999 indicates "DESX" encryption with three keys [KR96]. The selected Exchange-Scheme SHOULD provide at least 104-bits of cryptographic strength. As described in [RFC-2522] "Session-Key Computation", the Key- Generation-Function is iterated (at least) three times to generate the three independent keys, in the order used for encryption. The most significant bytes of each iteration are used for each successive key, and the remainder are discarded. Note that this attribute may appear multiple times in the same ESP attribute list, both before and after an encryption transform. For example, "XOR", "DES-CBC", "XOR", "Invert", "DES-CBC", "XOR", "DES-CBC", "XOR", would be one possible combination with Triple DES.Karn & Simpson Experimental [Page 14]
RFC 2523 Schemes and Attributes March 1999A. Exchange-Scheme Selection At first glance, there appear to be a large number of exchange- schemes. In practice, the selection is simple to automate. Each scheme indicates a needed strength. This strength is based upon the functions used in protecting the Photuris Exchanges themselves. Each keyed attribute also indicates a needed strength. This strength is based upon its cryptographic functions. Because the usage of these functions is orthogonal, the same strength value can select an appropriate scheme that meets the needs of both features.A.1. Responder The attributes to be offered to the particular Initiator are examined. For each level of strength specified, a scheme that meets or exceeds the requirements is offered. For example, a Responder offering MD5-IPMAC and SHA1-IPMAC might offer scheme #2 with a 512-bit modulus and a 1024-bit modulus, and scheme #4 with a zero Size (indicating moduli of #2).A.2. Initiator The strength indicated by the application for the Security Association, together with the party privacy policy of the system operator, is used to select from the offered schemes. The strength indicates the minimal level to be chosen, while the party privacy policy indicates whether to choose the minimal or maximal level of available protection. For example, an application might indicate that it desires 80-bits of strength. In that case, only the 1024-bit modulus would be appropriate. The party privacy policy of the system operator would indicate whether to choose scheme #2 with "Simple Masking" or scheme #4 with "DES-CBC over Mask". Alternatively, an application might indicate that it desires 64-bits of strength. The party privacy policy of the system operator would indicate whether to choose scheme #2 with the 512-bit modulus, or scheme #4 with the 1024-bit modulus.Karn & Simpson Experimental [Page 15]
RFC 2523 Schemes and Attributes March 1999Security Considerations Provision for multiple generators does not enhance the security of the Photuris protocol exchange itself. Rather, it provides an opportunity for novelty of moduli, by allowing more forms of moduli to be used. An abundance of moduli inhibits a determined attacker from pre-calculating moduli exchange values, and discourages dedication of resources for analysis of any particular modulus. That is, this protects the community of Photuris users. In addition to preventing various attacks by protecting verification fields, the masking of the message plaintext before encryption is intended to obscure the relation of the number of parties and SPIs active between two IP nodes. The privacy mask dependency on the SPI and SPILT generates a different initial encrypted block for every SPI creation message. This obscurement would be less effective when the SPI and SPILT are invariant or are not created for a particular exchange direction. The number of parties could be revealed by the number of exchanges with differences in the initial encrypted blocks.Acknowledgements Phil Karn was principally responsible for the design of party privacy protection, and provided much of the design rationale text (now removed to a separate document). William Simpson was responsible for the packet formats, and additional Exchange-Schemes, editing and formatting. All such mistakes are his responsibity. Use of encryption for privacy protection is also found in the Station-To-Station authentication protocol [DOW92]. Bart Preneel and Paul C van Oorschot in [PO96] recommended padding between the data and trailing key when hashing for authentication. Niels Provos developed the first implementation with multiple schemes and multiple moduli per scheme (circa July 1997). Special thanks to the Center for Information Technology Integration (CITI) for providing computing resources.Karn & Simpson Experimental [Page 16]
RFC 2523 Schemes and Attributes March 1999References [DBP96] Dobbertin, H., Bosselaers, A., and Preneel, B., "RIPEMD- 160: a strengthened version of RIPEMD", Fast Software Encryption, Third International Workshop, Lecture Notes in Computer Science 1039 (1996), Springer-Verlag, pages 71-82. See also corrections at ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/bosselae/ripemd/. [DOW92] Whitfield Diffie, Paul C van Oorshot, and Michael J Wiener, "Authentication and Authenticated Key Exchanges", Designs, Codes and Cryptography, v 2 pp 107-125, Kluwer Academic Publishers, 1992. [FIPS-180-1] "Secure Hash Standard", National Institute of Standards and Technology, U.S. Department Of Commerce, April 1995. Also known as: 59 Fed Reg 35317 (1994). [KR96] Kaliski, B., and Robshaw, M., "Multiple Encryption: Weighing Security and Performance", Dr. Dobbs Journal, January 1996. [PO96] Bart Preneel, and Paul C van Oorshot, "On the security of two MAC algorithms", Advances in Cryptology -- Eurocrypt '96, Lecture Notes in Computer Science 1070 (May 1996), Springer-Verlag, pages 19-32. [RFC-1829] Karn, P., Metzger, P., Simpson, W., "The ESP DES-CBC Transform", July 1995. [RFC-1850] Karn, P., Metzger, P., Simpson, W., "The ESP Triple DES Transform", September 1995. [RFC-1851] Metzger, P., Simpson, W., "IP Authentication using Keyed SHA", September 1995. [RFC-2521] Karn, P., and Simpson, W., "ICMP Security Failures Messages", March 1999. [RFC-2522] Karn, P., and Simpson, W., "Photuris: Session-Key Management Protocol", March 1999. [XEX3] Simpson, W., Baldwin, R., "The ESP DES-XEX3-CBC Transform", Work In Progress, June 1997.Karn & Simpson Experimental [Page 17]
RFC 2523 Schemes and Attributes March 1999Contacts Comments about this document should be discussed on the photuris@adk.gr mailing list. Questions about this document can also be directed to: Phil Karn Qualcomm, Inc. 6455 Lusk Blvd. San Diego, California 92121-2779 karn@qualcomm.com karn@unix.ka9q.ampr.org (preferred) William Allen Simpson DayDreamer Computer Systems Consulting Services 1384 Fontaine Madison Heights, Michigan 48071 wsimpson@UMich.edu wsimpson@GreenDragon.com (preferred)Karn & Simpson Experimental [Page 18]
RFC 2523 Schemes and Attributes March 1999Full Copyright Statement Copyright (C) The Internet Society (1999). Copyright (C) Philip Karn and William Allen Simpson (1994-1999). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards (in which case the procedures for copyrights defined in the Internet Standards process must be followed), or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING (BUT NOT LIMITED TO) ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.Karn & Simpson Experimental [Page 19]
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -