Network Working Group                                 W. Simpson, Editor
Internet Draft                                                DayDreamer
expires in six months                                     September 1995


                      Photuris Extended Attributes
                draft-ietf-ipsec-photuris-attrib-00.txt


Status of this Memo

   This document is a submission to the IP Security Working Group of the
   Internet Engineering Task Force (IETF).  Comments should be submitted
   to the ipsec@ans.net mailing list.

   Distribution of this memo is unlimited.

   This document is an Internet-Draft.  Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its Areas,
   and its Working Groups.  Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six
   months, and may be updated, replaced, or obsoleted by other documents
   at any time.  It is not appropriate to use Internet Drafts as
   reference material, or to cite them other than as a ``working draft''
   or ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the internet-drafts Shadow
   Directories on:

      ftp.is.co.za (Africa)
      nic.nordu.net (Europe)
      ds.internic.net (US East Coast)
      ftp.isi.edu (US West Coast)
      munnari.oz.au (Pacific Rim)


Abstract

   Photuris is an experimental session-key management protocol intended
   for use with the IP Security Protocols (AH and ESP).  Extensible
   Attributes are provided to enable future implementation changes
   without affecting the basic protocol.


1.  Additional Attributes

   The Packet format and basic facilities are already defined for
   Photuris [Firefly].

   Up-to-date values for the Attribute Type are specified in the most
   recent "Assigned Numbers" [RFC-1700].
   This document concerns the following values:

      A K I/R S V   Type
              +       8  PGP certificate
              +       9  X.509 certificate chain
              +      10  DNS-SIG certificate
      +    +         15  RC5
           +         20  Triple DES-CBC, 0-bit IV
           +         21  Triple DES-CBC, 32-bit IV
      +    +         22  Triple DES-CBC, 64-bit IV
        +  +  + +    24  SHA
      +    +         26  IDEA
           +         32  Sensitivity Label
           +         33  VJ Header Compression
           +         34  LZ77
           +         35  Stac LZS
           +         36  AH-Sequence
      x x  x  x x   255  Organizational

      A    Anonymity Choice
      K    Key Choice
      I/R  Initiator/Responder Attribute Choice
      S    Signature Choice
      V    Validity Choice

      +    feature must be supported when algorithm optionally supported
      x    feature may be supported when algorithm optionally supported


1.1.  PGP certificate

   Type             8

   Length           0

   When selected as a Signature-Choice, the resulting Signature field
   size is variable.  PGP certificates include an identification of the
   signature algorithm.  As a minimum, it is required that all
   implementations support MD5 with RSA.

   A Certificate field always follows the Signature field, and contains
   a PGP certificate.  The PGP formats document is distributed with
   every copy of PGP.  If the implementation cannot handle the given
   certificate, an Error_Message indicates Signature Failure.

   PGP certificates include version numbers.  All implementations must
   support version 3 (PGP 2.6) certificates.  A certificate chain can
   include certificates with different version numbers.

   The length of the RSA key is encoded in each certificate.  All
   implementations must support a minimum of 2048-bit keys.


1.2.  X.509 certificate chain

   Type             9

   Length           0

                    Future extensions to this attribute may add
                    parameter values.  This will be indicated by a
                    non-zero value.

   When selected as a Signature-Choice, the resulting Signature field
   size is variable.  X.509 certificates include an identification of
   the signature algorithm.  As a minimum, it is required that all
   implementations support MD5 with RSA.
   A Certificate field always follows the Signature field, and contains
   a chain of X.509 certificates [??? reference].  If the implementation
   cannot handle the given certificate chain, an Error_Message indicates
   Signature Failure.

   X.509 certificates include version numbers.  All implementations must
   support X.509.v1 (1988) certificates.  A certificate chain can
   include certificates with different version numbers.

   The length of the RSA key is encoded in each certificate.  All
   implementations must support a minimum of 512-bit keys.  Different
   certificates in the chain may have different signature algorithms and
   key lengths.

   To improve performance, an implementation can cache the public keys
   for the issuers that frequently sign end-user certificates.  These
   cached public keys can be used to verify the final certificate, and
   avoid the cost of verifying each certificate in the chain.  However,
   the transmitter should always send the entire chain.


1.3.  DNS-SIG

   Type             10

   Length           0


1.4.  RC5

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |    Version    |   Word-Size   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Rounds     |   Key-Size    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type             15

   Length           4

   Version          Indicates the most recent version supported.  All
                    implementations must support version 10.

   Word-Size        The number of bits used by internal calculations.
                    All implementations must support at least 32-bits.

   Rounds           The number of rounds used.  All implementations must
                    support at least 12 rounds.

   Key-Size         The number of octets in the session-key.  All
                    implementations must support at least 5 octets.

   When offered as an Attribute, the Version, Word-Size, Rounds, and
   Key-Size are set to the maximum supported.

Anonymity Choice

   When selected as an Anonymity-Choice, its anonymity session-key uses
   the most significant Key-Size octets of MD5 generated material.
   The least-significant bits of the ???-bit Initialization Vector (IV)
   are set to the least-significant bits of the Type, LifeTime, and SPI
   fields.

   Encryption begins with the next field, and continues to the end of
   the data indicated by the UDP Length.  The trailing padding is then
   removed.

Attribute Choice

   When selected as an Initiator or Responder Attribute-Choice, pursuant
   to [RFC-xxxx], its SPI session-key uses the most significant Key-Size
   bits of Key-Generator-Choice generated material.


1.5.  Triple DES-CBC

   Type             20, 21 or 22

   Length           0

Anonymity Choice

   When selected as an Anonymity-Choice, its anonymity session-key uses
   the most significant 128-bits of MD5 generated material.  The least
   significant bit of each octet is ignored (parity).

   For EDE encryption, the first 64-bits of the key material are
   allocated to both encrypt keys, and the last 64-bits of the key
   material are allocated to the decrypt key.  For DED decryption, the
   same key bits are used in the appropriate matching order.

   The 64-bit Initialization Vector (IV) is set to the Type, LifeTime,
   and SPI fields.

   Encryption begins with the next field, and continues to the end of
   the data indicated by the UDP Length.  The trailing padding is then
   removed.

Attribute Choice

   When selected as an Initiator or Responder Attribute-Choice, pursuant
   to [RFC-yyyy], its SPI session-key uses the most significant 128-bits
   of Key-Generator-Choice generated material.  The least significant
   bit of each octet is ignored (parity).

   For EDE encryption, the first 64-bits of the key material are
   allocated to both encrypt keys, and the last 64-bits of the key
   material are allocated to the decrypt key.  For DED decryption, the
   same key bits are used in the appropriate matching order.


1.6.  SHA

   Type             24

   Length           0

Key Choice

   When selected as a Key-Generator-Choice, generates 160-bits of keying
   material.

Attribute Choice

   When selected as an Initiator or Responder Attribute-Choice, pursuant
   to [RFC-zzzz], its SPI session-key uses the entire
   Key-Generator-Choice generated keying material.

Signature Choice

   When selected as a Signature-Choice, the resulting Signature field is
   160-bits (22 octets including Size).

   The Certificate field contains a value which identifies the party.
   Typically, the Certificate is an email address.

   The SHA hash is calculated as described in "Signature Verification",
   but in addition includes a trailing secret-key, which is selected
   based on the contents of the Certificate field.  Valid Certificates
   and secret-keys are preconfigured by the peers.

Validity Choice

   When selected as a Validity-Choice, the resulting Verification field
   is 160-bits (22 octets including Size).

   The hash is calculated as described in "Change Verification", using
   the entire leading shared-secret generated keying material.


1.7.  IDEA

   Type             26

   Length           0

Anonymity Choice

   When selected as an Anonymity-Choice, its anonymity session-key uses
   all 128-bits of MD5 generated material.

   The 32-bit??? Initialization Vector (IV) is set to the SPI field.

   Encryption begins with the next field, and continues to the end of
   the data indicated by the UDP Length.  The trailing padding is then
   removed.

Attribute Choice

   When selected as an Initiator or Responder Attribute-Choice, pursuant
   to [RFC-IDEA], its SPI session-key uses the most significant 128-bits
   of Key-Generator-Choice generated material.


1.8.  Sensitivity Label


1.9.  VJ Header Compression

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |     Slots     |     Flags     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type             31

   Length           2

   Slots            indicates the maximum slot identifier.
                    This is one less than the actual number of slots;
                    the slot identifier has values from zero to Slots.

                    There may be implementations that have problems with
                    small numbers.  The example in [RFC-1144] will only
                    work with 3 through 254 slots.

   Flags            (0) All compressed TCP packets must set the C bit in
                    every change mask, and must include the slot
                    identifier.

                    (1) The slot identifier may be compressed.  This
                    requires an ability for the implementation to
                    indicate all errors in reception to the
                    decompression module.  Synchronization after errors
                    depends on waiting for a packet with the slot
                    identifier.  See the discussion in [RFC-1144].

   When selected as an Initiator or Responder Attribute-Choice, all data
   encapsulated in ESP [RFC-1827] is first compressed according to
   [RFC-1144].

   Note that this attribute requires ordered delivery.  Therefore, this
   attribute is principally used for single network hops.


1.10.  LZ77


1.11.  Stac LZS

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |         History-Count         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Check-Mode   |
   +-+-+-+-+-+-+-+-+

   Type             35

   Length           3

   History-Count    two octets, most significant octet first.  Specifies
                    the maximum number of Compression Histories.

                    (0) the implementation expects the peer to reset the
                    Compression History at the beginning of every
                    packet.

                    (1) only one history is maintained.

                    Other valid values range from 2 to 65535.

                    The peer is not required to send as many histories
                    as the implementation indicates that it can receive.

   Check-Mode       indicates support of LCB, CRC or Sequence checking.

                       0    None (default)
                       1    LCB
                       2    CRC
                       4    Sequence Number

   When offered as an Attribute, the History-Count is set to the maximum
   histories that can be sent, and the Check-Mode is the XOR of the
   modes supported.
   When selected as an Initiator or Responder Attribute-Choice, the
   History-Count is set to the maximum histories that can be received
   (less than or equal to the number offered), and the Check-Mode is set
   to only one of the modes supported.


1.12.  AH-Sequence

   Type             36

   Length           0

   When selected as an Initiator or Responder Attribute-Choice, the
   previously Reserved field of the Authentication Header (AH)
   [RFC-1826] contains a 16-bit sequence number.

   The SPI Owner (receiver) validates this number within an
   implementation dependent range of expected values.  Any AH protected
   datagram that fails this test is silently discarded.

   When the range has been exhausted, the SPI Owner (receiver) expires
   the SPI, despite any remaining SPI LifeTime.

   On arrival of an AH protected datagram with an expired SPI, an
   appropriate ICMP error message is generated, and the datagram is
   discarded.


1.13.  Organizational

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |              OUI
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          ...      |     Kind      |  Value(s) ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type             255

   Length           >= 4

   OUI              3 Octets.  The vendor's Organizationally Unique
                    Identifier, assigned by IEEE 802 (see [RFC-1700] for
                    contact details).  The bits within the octet are in
                    canonical order, and the most significant octet is
                    transmitted first.

   Kind             1 octet.  Indicates a sub-type for the OUI.  There
                    is no standardization for this field.  Each OUI
                    implements its own values.

   Value(s)         Zero or more optional values.  The size of the value
                    list is indicated by the Length field.  When the
                    Length is four, no Value(s) field is present.

   Some implementors might not need or want to publish their proprietary
   algorithms and attributes.  This OUI mechanism is available to
   specify these without encumbering the IANA with proprietary number
   requests.
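   The receiver-side check from section 1.12, as an added example that
   is not part of the draft.  The draft leaves the "range of expected
   values" to the implementation, so the sliding window, the max_jump
   limit, the start at sequence number 1 and the refusal to wrap around
   are all assumptions of this example, as are its names.

```python
class AhSequenceReceiver:
    """Per-SPI receive state for the AH-Sequence attribute (section 1.12)."""
    MAX_SEQ = 0xFFFF  # 16-bit field; this example never wraps around

    def __init__(self, window=32, max_jump=1024):
        # Assumed policy knobs: how far behind and how far ahead of the
        # highest accepted number a datagram may be.
        self.window, self.max_jump = window, max_jump
        self.highest = 0      # highest sequence number accepted so far
        self.seen = 0         # bit i set => (highest - i) was already accepted
        self.expired = False  # True once the 16-bit range is used up

    def receive(self, seq):
        """Return 'accept', 'discard' (silent) or 'icmp-error' (expired SPI)."""
        if self.expired:
            return "icmp-error"
        if not 0 < seq <= self.MAX_SEQ:
            return "discard"
        if seq > self.highest:
            shift = seq - self.highest
            if shift > self.max_jump:
                return "discard"          # ahead of the expected range
            mask = (1 << self.window) - 1
            self.seen = ((self.seen << shift) | 1) & mask
            self.highest = seq
        else:
            offset = self.highest - seq
            if offset >= self.window or (self.seen >> offset) & 1:
                return "discard"          # too old, or a replayed number
            self.seen |= 1 << offset
        if self.highest == self.MAX_SEQ:
            self.expired = True           # range exhausted: expire the SPI
        return "accept"


def demo():
    """Run a constructed arrival order through a small window."""
    rx = AhSequenceReceiver(window=4, max_jump=8)
    return [rx.receive(s) for s in (1, 3, 2, 3, 20, 9, 5, 6)]
```

   The SPI is expired regardless of its remaining LifeTime, so a
   caller would key a fresh SPI before the counter approaches 0xFFFF.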
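   The attribute layouts of sections 1.1 to 1.13, parsed and
   bounds-checked in Python.  This is an added example, not code from
   the draft: it assumes attributes arrive concatenated back to back,
   and parse_attributes, MalformedAttribute and the sample bytes are
   constructed for illustration.  Types not listed in the code are
   returned unparsed.

```python
RC5_FLOOR = {"word_size": 32, "rounds": 12, "key_size": 5}  # section 1.4 minimums
ZERO_LEN = {8, 9, 10, 20, 21, 22, 24, 26, 36}                # sections that give Length 0
LZS_MODES = {0, 1, 2, 4}                                     # None, LCB, CRC, Sequence Number

class MalformedAttribute(ValueError):
    """Raised when an attribute violates a layout rule from the draft."""

def need(cond, msg):
    if not cond:
        raise MalformedAttribute(msg)

def parse_attributes(buf, selected=False):
    """Parse Type/Length/Value attributes; Length counts the value octets only.

    Assumes attributes are concatenated back to back (not stated in this draft).
    selected=True applies the rules for a chosen attribute rather than an offer.
    """
    attrs, pos = [], 0
    while pos < len(buf):
        need(len(buf) - pos >= 2, "truncated Type/Length header")
        atype, alen = buf[pos], buf[pos + 1]
        value = buf[pos + 2:pos + 2 + alen]
        need(len(value) == alen, f"type {atype}: Length {alen} overruns the buffer")
        attr = {"type": atype}
        if atype in ZERO_LEN:
            need(alen == 0, f"type {atype}: Length must be 0")
        elif atype == 15:    # RC5: Version, Word-Size, Rounds, Key-Size
            need(alen == 4, "RC5: Length must be 4")
            attr.update(zip(("version", "word_size", "rounds", "key_size"), value))
            for field, floor in RC5_FLOOR.items():  # Version encoding left unchecked
                need(attr[field] >= floor, f"RC5: {field} below required {floor}")
        elif atype == 35:    # Stac LZS: History-Count (big-endian), Check-Mode
            need(alen == 3, "Stac LZS: Length must be 3")
            attr["history_count"] = int.from_bytes(value[:2], "big")
            attr["check_mode"] = value[2]
            need(value[2] <= 7, "Stac LZS: undefined Check-Mode bits")
            need(not selected or value[2] in LZS_MODES, "Stac LZS: choose one Check-Mode")
        elif atype == 255:   # Organizational: OUI, Kind, optional Value(s)
            need(alen >= 4, "Organizational: Length must be >= 4")
            attr.update(oui=value[:3].hex(), kind=value[3], values=value[4:])
        else:
            attr["raw"] = value  # layout not handled in this example
        attrs.append(attr)
        pos += 2 + alen
    return attrs

# Constructed sample offer: RC5, Stac LZS, SHA, Organizational (made-up OUI).
SAMPLE_OFFER = bytes([15, 4, 0x10, 32, 16, 16, 35, 3, 0, 8, 7, 24, 0,
                      255, 6, 0xAC, 0xDE, 0x48, 1, 0xAA, 0xBB])
```

   Every Length is checked against the remaining buffer before any
   value octet is read, so a short or oversized attribute is rejected
   rather than read past.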
Security Considerations

   Security issues are the primary topic of this memo.


Acknowledgements

   Robert W Baldwin of RSA provided text for RC5 and X.509 Certificates.


References

   [Firefly]
            "Photuris" is the Latin name for the firefly.  "Firefly" is
            in turn the name for the USA National Security
            Administration's (classified) key exchange protocol for the
            STU-III secure telephone.  Informed speculation has it that
            Firefly is based on very similar design principles.

   [RFC-1700]
            Reynolds, J., and Postel, J., "Assigned Numbers", STD 2,
            RFC-1700, USC/Information Sciences Institute, October 1994.

   [RFC-1825]
            Atkinson, R., "Security Architecture for the Internet
            Protocol", RFC-1825, Naval Research Laboratory, July 1995.

   [RFC-1826]

   [RFC-1827]

   [Schneier94]
            Schneier, B., "Applied Cryptography", John Wiley & Sons, New
            York, NY, 1994.  ISBN 0-471-59756-2.


Author's Address

   Questions about this memo can also be directed to:

      William Allen Simpson
      Daydreamer
      Computer Systems Consulting Services
      1384 Fontaine
      Madison Heights, Michigan  48071

      Bill.Simpson@um.cc.umich.edu
          bsimpson@MorningStar.com


Table of Contents

     1.     Additional Attributes
        1.1       PGP certificate
        1.2       X.509 certificate chain
        1.3       DNS-SIG
        1.4       RC5
        1.5       Triple DES-CBC
        1.6       SHA
        1.7       IDEA
        1.8       Sensitivity Label
        1.9       VJ Header Compression
        1.10      LZ77
        1.11      Stac LZS
        1.12      AH-Sequence
        1.13      Organizational

     SECURITY CONSIDERATIONS

     ACKNOWLEDGEMENTS

     REFERENCES

     AUTHOR'S ADDRESS