Network Working Group                                            P. Karn
Request for Comments: 2522                                      Qualcomm
Category: Experimental                                        W. Simpson
                                                              DayDreamer
                                                              March 1999


                Photuris: Session-Key Management Protocol


Status of this Memo

   This document defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  Copyright (C) Philip Karn
   and William Allen Simpson (1994-1999).  All Rights Reserved.

Abstract

   Photuris is a session-key management protocol intended for use with
   the IP Security Protocols (AH and ESP).  This document defines the
   basic protocol mechanisms.

Karn & Simpson                Experimental                      [Page i]
RFC 2522                    Photuris Protocol                 March 1999


Table of Contents

   1.  Introduction
      1.1  Terminology
      1.2  Protocol Overview
      1.3  Security Parameters
      1.4  LifeTimes
         1.4.1  Exchange LifeTimes
         1.4.2  SPI LifeTimes
      1.5  Random Number Generation

   2.  Protocol Details
      2.1  UDP
      2.2  Header Format
      2.3  Variable Precision Integers
      2.4  Exchange-Schemes
      2.5  Attributes

   3.  Cookie Exchange
         3.0.1  Send Cookie_Request
         3.0.2  Receive Cookie_Request
         3.0.3  Send Cookie_Response
         3.0.4  Receive Cookie_Response
      3.1  Cookie_Request
      3.2  Cookie_Response
      3.3  Cookie Generation
         3.3.1  Initiator Cookie
         3.3.2  Responder Cookie

   4.  Value Exchange
         4.0.1  Send Value_Request
         4.0.2  Receive Value_Request
         4.0.3  Send Value_Response
         4.0.4  Receive Value_Response
      4.1  Value_Request
      4.2  Value_Response
      4.3  Offered Attribute List

   5.  Identification Exchange
         5.0.1  Send Identity_Request
         5.0.2  Receive Identity_Request
         5.0.3  Send Identity_Response
         5.0.4  Receive Identity_Response
      5.1  Identity_Messages
      5.2  Attribute Choices List
      5.3  Shared-Secret
      5.4  Identity Verification
      5.5  Privacy-Key Computation
      5.6  Session-Key Computation

   6.  SPI Messages
         6.0.1  Send SPI_Needed
         6.0.2  Receive SPI_Needed
         6.0.3  Send SPI_Update
         6.0.4  Receive SPI_Update
         6.0.5  Automated SPI_Updates
      6.1  SPI_Needed
      6.2  SPI_Update
         6.2.1  Creation
         6.2.2  Deletion
         6.2.3  Modification
      6.3  Validity Verification

   7.  Error Messages
      7.1  Bad_Cookie
      7.2  Resource_Limit
      7.3  Verification_Failure
      7.4  Message_Reject

   8.  Public Value Exchanges
      8.1  Modular Exponentiation Groups
      8.2  Moduli Selection
         8.2.1  Bootstrap Moduli
         8.2.2  Learning Moduli
      8.3  Generator Selection
      8.4  Exponent Selection
      8.5  Defective Exchange Values

   9.  Basic Exchange-Schemes

   10.  Basic Key-Generation-Function
      10.1  MD5 Hash

   11.  Basic Privacy-Method
      11.1  Simple Masking

   12.  Basic Validity-Method
      12.1  MD5-IPMAC Check

   13.  Basic Attributes
      13.1  Padding
      13.2  AH-Attributes
      13.3  ESP-Attributes
      13.4  MD5-IPMAC
         13.4.1  Symmetric Identification
         13.4.2  Authentication
      13.5  Organizational

   APPENDICES

   A.  Automaton
      A.1  State Transition Table
      A.2  States
         A.2.1  Initial
         A.2.2  Cookie
         A.2.3  Value
         A.2.4  Identity
         A.2.5  Ready
         A.2.6  Update

   B.  Use of Identification and Secrets
      B.1  Identification
      B.2  Group Identity With Group Secret
      B.3  Multiple Identities With Group Secrets
      B.4  Multiple Identities With Multiple Secrets

   OPERATIONAL CONSIDERATIONS

   SECURITY CONSIDERATIONS

   HISTORY

   ACKNOWLEDGEMENTS

   REFERENCES

   CONTACTS

   COPYRIGHT


1.  Introduction

   Photuris [Firefly] establishes short-lived session-keys between two
   parties, without passing the session-keys across the Internet.  These
   session-keys directly replace the long-lived secret-keys (such as
   passwords and passphrases) that have been historically configured for
   security purposes.

   The basic Photuris protocol utilizes these existing previously
   configured secret-keys for identification of the parties.  This is
   intended to speed deployment and reduce administrative configuration
   changes.

   This document is primarily intended for implementing the Photuris
   protocol.
   It does not detail service and application interface definitions,
   although it does mention some basic policy areas required for the
   proper implementation and operation of the protocol mechanisms.

   Since the basic Photuris protocol is extensible, new data types and
   protocol behaviour should be expected.  The implementor is especially
   cautioned not to depend on values that appear in examples to be
   current or complete, since their purpose is primarily pedagogical.


1.1.  Terminology

   In this document, the key words "MAY", "MUST", "MUST NOT",
   "optional", "recommended", "SHOULD", and "SHOULD NOT", are to be
   interpreted as described in [RFC-2119].

   byte             An 8-bit quantity; also known as "octet" in
                    standardese.

   exchange-value   The publicly distributable value used to calculate a
                    shared-secret.  As used in this document, refers to
                    a Diffie-Hellman exchange, not the public part of a
                    public/private key-pair.

   private-key      A value that is kept secret, and is part of an
                    asymmetric public/private key-pair.

   public-key       A publicly distributable value that is part of an
                    asymmetric public/private key-pair.

   secret-key       A symmetric key that is not publicly distributable.
                    As used in this document, this is distinguished from
                    an asymmetric public/private key-pair.  An example
                    is a user password.

   Security Association (SA)
                    A collection of parameters describing the security
                    relationship between two nodes.  These parameters
                    include the identities of the parties, the transform
                    (including algorithm and algorithm mode), the key(s)
                    (such as a session-key, secret-key, or appropriate
                    public/private key-pair), and possibly other
                    information such as sensitivity labelling.

   Security Parameters Index (SPI)
                    A number that indicates a particular set of
                    uni-directional attributes used under a Security
                    Association, such as transform(s) and
                    session-key(s).

                    The number is relative to the IP Destination, which
                    is the SPI Owner, and is unique per IP (Next Header)
                    Protocol.  That is, the same value MAY be used by
                    multiple protocols to concurrently indicate
                    different Security Association parameters.

   session-key      A key that is independently derived from a
                    shared-secret by the parties, and used for keying
                    one direction of traffic.  This key is changed
                    frequently.

   shared-secret    As used in this document, the calculated result of
                    the Photuris exchange.

   SPI Owner        The party that corresponds to the IP Destination;
                    the intended recipient of a protected datagram.

   SPI User         The party that corresponds to the IP Source; the
                    sender of a protected datagram.

   transform        A cryptographic manipulation of a particular set of
                    data.  As used in this document, refers to certain
                    well-specified methods (defined elsewhere).  For
                    example, AH-MD5 [RFC-1828] transforms an IP datagram
                    into a cryptographic hash, and ESP-DES-CBC
                    [RFC-1829] transforms plaintext to ciphertext and
                    back again.

   Many of these terms are hierarchically related:

      Security Association (bi-directional)
       - one or more lists of Security Parameters (uni-directional)
        -- one or more Attributes
         --- may have a key
         --- may indicate a transform

   Implementors will find details of cryptographic hashing (such as
   MD5), encryption algorithms and modes (such as DES), digital
   signatures (such as DSS), and other algorithms in [Schneier95].


1.2.  Protocol Overview

   The Photuris protocol consists of several simple phases:

   1. A "Cookie" Exchange guards against simple flooding attacks sent
      with bogus IP Sources or UDP Ports.  Each party passes a "cookie"
      to the other.

      In return, a list of supported Exchange-Schemes is offered by the
      Responder for calculating a shared-secret.

   2. A Value Exchange establishes a shared-secret between the parties.
      Each party passes an Exchange-Value to the other.  These values
      are used to calculate a shared-secret.  The Responder remains
      stateless until a shared-secret has been created.

      In addition, supported attributes are offered by each party for
      use in establishing new Security Parameters.

   3. An Identification Exchange identifies the parties to each other,
      and verifies the integrity of values sent in phases 1 and 2.

      In addition, the shared-secret provides a basis to generate
      separate session-keys in each direction, which are in turn used
      for conventional authentication or encryption.  Additional
      security attributes are also exchanged as needed.

      This exchange is masked for party privacy protection using a
      message privacy-key based on the shared-secret.  This protects the
      identities of the parties, hides the Security Parameter attribute
      values, and improves security for the exchange protocol and
      security transforms.

   4. Additional messages may be exchanged to periodically change the
      session-keys, and to establish new or revised Security Parameters.

      These exchanges are also masked for party privacy protection in
      the same