IPSECME S. Shen Internet-Draft Huawei Updates: RFC4307 Y. Mao (if approved) H3C Expires: May 28, 2010 NSS. Murthy Freescale Semiconductor November 24, 2009 Using Advanced Encryption Standard (AES) Counter Mode with IKEv2 draft-ietf-ipsecme-aes-ctr-ikev2-03 Abstract This document describes the usage of Advanced Encryption Standard Counter Mode (AES-CTR), with an explicit initialization vector, by IKEv2 for encrypting the IKEv2 exchanges that follow the IKE_SA_INIT exchange. Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on May 28, 2010. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Shen, et al. Expires May 28, 2010 [Page 1] Internet-Draft AES-CTR for IKEv2 November 2009 Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Conventions Used In This Document . . . . . . . . . . . . 3 2. AES Counter Mode . . . . . . . . . . . . . . . . . . . . . . . 4 3. IKEv2 Encrypted Payload . . . . . . . . . . . . . . . . . . . 7 3.1. Initialization Vector (IV) . . . . . . . . . . . . . . . . 7 3.2. Integrity Checksum Data . . . . . . . . . . . . . . . . . 7 3.3. Padding . . . . . . . . . . . . . . . . . . . . . . . . . 7 4. Counter Block Format . . . . . . . . . . . . . . . . . . . . . 8 5. IKEv2 Conventions . . . . . . . . . . . . . . . . . . . . . . 10 5.1. Keying Material and Nonces . . . . . . . . . . . . . . . . 10 5.2. Encryption identifier . . . . . . . . . . . . . . . . . . 11 5.3. Key Length Attribute . . . . . . . . . . . . . . . . . . . 11 6. Security Considerations . . . . . . . . . . . . . . . . . . . 12 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15 9.1. Normative References . . . . . . . . . . . . . . . . . . . 15 9.2. Informative References . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17 Shen, et al. Expires May 28, 2010 [Page 2] Internet-Draft AES-CTR for IKEv2 November 2009 1. Introduction IKEv2 [RFC4306] is a component of IPsec used for performing mutual authentication and establishing and maintaining security associations (SAs). [RFC4307] defines the set of algorithms that are mandatory to implement as part of IKEv2, as well as algorithms that should be implemented because they may be promoted to mandatory at some future time. [RFC4307] requires that an implementation "SHOULD" support Advanced Encryption Standard [AES] in Counter Mode [MODES] (AES-CTR) as a Transform Type 1 Algorithm (encryption). Although the [RFC4307] specifies that the AES-CTR encryption algorithm feature SHOULD be supported by IKEv2, no existing document specifies how IKEv2 can support the feature. This document provides the specification and usage of AES-CTR counter mode by IKEv2. All the IKEv2 messages that follow the initial exchange (IKE_SA_INIT) are cryptographically protected using the cryptographic algorithms and keys negotiated in the first two messages of the IKEv2 exchange. These subsequent messages use the syntax of the IKEv2 Encrypted Payload as explained in [RFC4306]. This document explains how IKEv2 makes use of the AES-CTR algorithm for encrypting IKE messages that follow the initial exchange: The second pair of messages (IKE_AUTH) in the initial exchange, messages in CREATE_CHILD_SA exchanges, messages in INFORMATIONAL exchanges. 1.1. Conventions Used In This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Shen, et al. Expires May 28, 2010 [Page 3] Internet-Draft AES-CTR for IKEv2 November 2009 2. AES Counter Mode This section briefly describes AES and AES Counter Mode and cites the algorithm description part in Section 2.1 of [RFC3686]. AES [AES] is a symmetric block cipher that processes data blocks of 128 bits, using cipher keys with lengths of 128, 192, or 256 bits. The use of AES algorithm operations in IKEv2 is as defined in [AES]. AES in Counter Mode (AES-CTR) is used in IEKv2 in the same way as it is used to encrypt ESP payloads [RFC3686]. NIST has defined five modes of operation for AES and other FIPS- approved block ciphers [MODES]. Each of these modes has different characteristics. The five modes are: ECB (Electronic Code Book), CBC (Cipher Block Chaining), CFB (Cipher FeedBack), OFB (Output FeedBack), and CTR (Counter). Only AES Counter mode (AES-CTR) is discussed in this specification. AES-CTR requires the encryptor to generate a unique per-packet value and communicate this value to the decryptor. This specification calls this per-packet value an initialization vector (IV). The same IV and key combination MUST NOT be used more than once. The encryptor can generate the IV in any manner that ensures uniqueness. Common approaches to IV generation include incrementing a counter for each packet and linear feedback shift registers (LFSRs). This specification calls for the use of a nonce for additional protection against precomputation attacks. The nonce value need not be secret. However, the nonce MUST be unpredictable prior to the establishment of the IKE security association that is making use of AES-CTR. AES-CTR has many properties that make it an attractive encryption algorithm for use in high-speed networking. AES-CTR uses the AES block cipher to create a stream cipher. Data is encrypted and decrypted by XORing with the key stream produced by encrypting sequential counter block values with AES. AES-CTR is easy to implement, and AES-CTR can be pipelined and parallelized. AES-CTR also supports key stream precomputation. Pipelining is possible because AES internally has multiple rounds. A hardware implementation (and some software implementations) can create a pipeline by unwinding the loop implied by this round structure. For example, after a 16-octet block has been input, one round later another 16-octet block can be input, and so on. In AES- CTR, these inputs are the sequential counter block values used to generate the key stream. Shen, et al. Expires May 28, 2010 [Page 4] Internet-Draft AES-CTR for IKEv2 November 2009 Multiple independent AES encrypt implementations can also be used to improve performance. For example, one could use two AES encrypt implementations in parallel to process a sequence of counter block values, doubling the effective throughput. The sender can precompute the key stream. Since the key stream does not depend on any data in the packet, the key stream can be precomputed once the nonce and IV are assigned. This precomputation can reduce packet latency. The receiver cannot perform similar precomputation because the IV will not be known before the packet arrives. AES-CTR uses only the AES encrypt operation (for both encryption and decryption), making AES-CTR implementations smaller than implementations of many other AES modes. When used correctly, AES-CTR provides a high level of confidentiality. Unfortunately, AES-CTR is easy to use incorrectly. Being a stream cipher, any reuse of the per-packet value, called the IV, with the same nonce and key is catastrophic. An IV collision immediately leaks information about the plaintext in both packets. For this reason, it is inappropriate to use this mode of operation with static keys. Extraordinary measures would be needed to prevent reuse of an IV value with the static key across power cycles. To be safe, implementations MUST use fresh keys with AES-CTR. The initial exchange of the IKEv2 protocol [RFC4306] can be used to establish fresh keys for an IKEv2 SA, and it also provides the nonce value. With AES-CTR, it is trivial to use a valid ciphertext to forge other (valid to the decryptor) ciphertexts. Thus, it is equally catastrophic to use AES-CTR without a companion authentication function. Implementations MUST use AES-CTR in conjunction with an authentication function, such as HMAC-SHA-1-96 [RFC2404]. To encrypt a payload with AES-CTR, the encryptor partitions the plaintext, PT, into 128-bit blocks. The final block need not be 128 bits; it can be less. PT = PT[1] PT[2] ... PT[n] Each PT block is XORed with a block of the key stream to generate the ciphertext, CT. The AES encryption of each counter block results in 128 bits of key stream. The most significant 96 bits of the counter block are set to the nonce value, which is 32 bits, followed by the per-packet IV value, which is 64 bits. The least significant 32 bits of the counter block are initially set to one. This counter value is incremented by one to generate subsequent counter blocks, each resulting in another 128 bits of key stream. The encryption of n Shen, et al. Expires May 28, 2010 [Page 5] Internet-Draft AES-CTR for IKEv2 November 2009 plaintext blocks can be summarized as: CTRBLK := NONCE || IV || ONE FOR i := 1 to n-1 DO CT[i] := PT[i] XOR AES(CTRBLK) CTRBLK := CTRBLK + 1 END CT[n] := PT[n] XOR TRUNC(AES(CTRBLK)) The AES() function performs AES encryption with the fresh key. The TRUNC() function truncates the output of the AES encrypt operation to the same length as the final plaintext block, returning the most significant bits. Decryption is similar. The decryption of n ciphertext blocks can be summarized as: CTRBLK := NONCE || IV || ONE FOR i := 1 to n-1 DO PT[i] := CT[i] XOR AES(CTRBLK) CTRBLK := CTRBLK + 1 END PT[n] := CT[n] XOR TRUNC(AES(CTRBLK)) Shen, et al. Expires May 28, 2010 [Page 6] Internet-Draft AES-CTR for IKEv2 November 2009 3. IKEv2 Encrypted Payload Section 3.14 of IKEv2 [RFC4306] explains the IKEv2 Encrypted Payload. The encrypted Payload, denoted SK{...} contains other IKEv2 payloads in encrypted form. The payload includes an Initialization Vector (IV) whose length is defined by the encryption algorithm negotiated. It also includes Integrity Checksum data. These two fields are not encrypted. 3.1. Initialization Vector (IV) The IV field MUST be eight octets when the AES-CTR algorithm is used for encryption. The IV MUST be chosen by the encryptor in a manner that ensures that the same IV value is NOT used more than once with a given encryption key. The encryptor can generate the IV in any manner that ensures uniqueness. See Section 4 for how the IV is used to construct counter blocks for AES-CTR use within IKEv2. 3.2. Integrity Checksum Data Since it is trivial to construct a forgery AES-CTR ciphertext from a valid AES-CTR ciphertext, an integrity algorithm must be used when using AES-CTR. IKEv2 does require Integrity Check Data for the Encrypted Payload as described in section 3.14 of [RFC4306]. The choice of integrity algorithms in IKEv2 is defined in [RFC4307] or its future update documents. 3.3. Padding AES-CTR does not require the plaintext to be padded to a multiple of the block size. For the Padding field in the Encrypted Payload, as required in [RFC4306]: the sender SHOULD set the Pad Length to the minimum value that makes the combination of the Payloads, the Padding, and the Pad Length a multiple of the block size, but the recipient MUST accept any length that results in proper alignment. In this case when AES-CTR is used in IKEv2, the Padding field of the Encrypted Payload SHOULD be empty, and the Pad Length field SHOULD be zero. It should be noticed that the ESP [RFC4303] Encrypted Payload requires alignment on a 4-byte boundary while the IKEv2 [RFC4306] Encrypted Payload does not have such a requirement. Shen, et al. Expires May 28, 2010 [Page 7] Internet-Draft AES-CTR for IKEv2 November 2009 4. Counter Block Format All the IKEv2 messages following the initial exchange are cryptographically protected using the cryptographic algorithms and keys negotiated in the first two messages of the IKEv2 exchange. These subsequent messages use the syntax of the IKEv2 Encrypted Payload. The Encrypted Payload is the XOR of the plaintext and key stream. The key stream is generated by inputing Counter Blocks into the AES algorithm. The AES counter block cipher block is 128 bits. Counter Blocks are defined as in Figure 1. All messages carry the IV that is necessary to construct the sequence of counter blocks used to generate the key stream necessary to decrypt the payload. Figure 1 shows the format of the counter block. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Initialization Vector (IV) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Block Counter | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 1: Counter Block Format The components of the counter block are as follows: Nonce The Nonce field is 32 bits. As the name implies, the nonce is a single use value. That is, a fresh nonce value MUST be assigned for each security association. It MUST be assigned at the beginning of the security association. The nonce value need not be secret, but it MUST be unpredictable prior to the beginning of the security association. Initialization Vector (IV) The IV field is 64 bits. The IV MUST be chosen by the encryptor in a manner that ensures that the same IV value is used only once for a given encryption key. The encryptor includes the IV in the Shen, et al. Expires May 28, 2010 [Page 8] Internet-Draft AES-CTR for IKEv2 November 2009 IKEv2 message containing encrypted payloads. Block Counter The block counter field is the least significant 32 bits of the counter block. The block counter begins with the value of one, and it is incremented to generate subsequent portions of the key stream. The block counter is a 32-bit big-endian integer value. Section 2 provides references to other documents for implementing the AES-CTR encryption/decryption process. Shen, et al. Expires May 28, 2010 [Page 9] Internet-Draft AES-CTR for IKEv2 November 2009 5. IKEv2 Conventions This section describes the conventions used by the IKEv2 protocol to generate encryption keys and nonces for use with the AES-CTR algorithm in IKE-SA negotiations. The identifiers and attributes related to AES-CTR required during IKE-SA and Child-SA negotiation are also defined. AES supports three key sizes: 128 bits, 192 bits, and 256 bits. All IKEv2 implementations that implement AES-CTR MUST support the 128-bit key size. An IKEv2 implementation MAY support key sizes of 192 and 256 bits. 5.1. Keying Material and Nonces IKEv2 can be used to establish fresh keys and nonces, as the same combination of IV and encryption key values MUST not be reused when the AES-CTR algorithm is used for encryption. This section describes the conventions for generating an unpredictable and secret Nonce and an encryption key of required lengths using IKEv2. IKEv2 negotiates four cryptographic algorithms with its peer using the IKE_SA_INIT exchange. They include an encryption algorithm and a pseudo-random function (PRF). All the payloads of IKEv2 messages that follow the IKE_SA_INIT exchange are encrypted using the negotiated encryption algorithm. The PRF is used to generate the keying material required for the encryption algorithm. The AES-CTR encryption algorithm needs an encryption key and a nonce. The two directions of traffic flow use different encryption keys and nonces. Section 2.14 of [RFC4306] details the process of generating the keying material. SK_ei and SK_er represent the key material to be used for encryption purposes in the two directions. The size of the key material (SK_ei and SK_er) to be generated for the AES-CTR algorithm for different key lengths is as follows: AES-CTR with a 128 bit key The key material required is 20 octets. The first 16 octets are the 128-bit AES key, and the remaining four octets are used as the nonce value in the counter block. AES-CTR with a 192 bit key The key material required is 28 octets. The first 24 octets are the 192-bit AES key, and the remaining four octets are used as the nonce value in the counter block. Shen, et al. Expires May 28, 2010 [Page 10] Internet-Draft AES-CTR for IKEv2 November 2009 AES-CTR with a 256 bit key The key material required is 36 octets. The first 32 octets are the 256-bit AES key, and the remaining four octets are used as the nonce value in the counter block. 5.2. Encryption identifier IKEv2 uses the IANA allocated encryption identifier value of 13 for ENCR_AES_CTR with an explicit IV as the transform ID during IKE-SA and Child-SA negotiation. 5.3. Key Length Attribute Since the AES-CTR algorithm supports three key lengths, the Key Length attribute MUST be specified in both the IKE-SA and Child-SA negotiations. The Key Length attribute MUST have a value of 128, 192, or 256. Shen, et al. Expires May 28, 2010 [Page 11] Internet-Draft AES-CTR for IKEv2 November 2009 6. Security Considerations Security considerations explained in section 7 of [RFC3686] are entirely relevant for this draft also. AES-CTR provides high confidentiality when used properly. However, as a stream mode cipher, the security will be lost when AES-CTR is misused. Generally, a stream cipher should not use static keys. This is because key streams will be easily canceled when two ciphertexts use the same key stream (check the detailed description of this attack in [RFC3686]). Therefore, IKEv2 should avoid an identical key being used for different IKE SAs or the same key stream being used on different blocks of plaintext. Proper use of Nonce and counter as defined in Section 4 can successfully avoid the risk. A stream cipher like AES-CTR is also vulnerable to data forgery attacks (check [RFC3686] for a demonstration of this attack). However, when integrity protection is provided as Section 3.2 requires, this risk is avoided. Additionally, since AES has a 128-bit block size, regardless of the mode employed, the ciphertext generated by AES encryption becomes distinguishable from random values after 2^64 blocks are encrypted with a single key. Since IKEv2 is not likely to carry traffic in such a high quantity, this won't be a big concern here. However, when a large amount of traffic appears in the future or under abnormal circumstances, implementations SHOULD generate a fresh key before 2^64 blocks are encrypted with the same key. For generic attacks on AES, such as brute force or precalculations, the requirement of key size provides reasonable security [Recommendations]. Shen, et al. Expires May 28, 2010 [Page 12] Internet-Draft AES-CTR for IKEv2 November 2009 7. IANA Considerations IANA [IANA-Para] has assigned 13 as the "IKEv2 Encryption Transform ID" to the name "ENCR_AES_CTR" for AES-CTR encryption with an explicit IV, in the IANA "Internet Key Exchange Version 2 (IKEv2) Parameters" registry. This document specifies how to use this transform during IKE_SA negotiations. Hence IANA should add to that entry a reference to this RFC. Shen, et al. Expires May 28, 2010 [Page 13] Internet-Draft AES-CTR for IKEv2 November 2009 8. Acknowledgments The authors thank Yaron Sheffer, Paul Hoffman, Tero Kivinen and Alfred Hoenes for their direction and comments on this document. Shen, et al. Expires May 28, 2010 [Page 14] Internet-Draft AES-CTR for IKEv2 November 2009 9. References 9.1. Normative References [RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005. [RFC4307] Schiller, J., "Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)", RFC 4307, December 2005. [AES] National Institute of Standards and Technology, "Advanced Encryption Standard (AES)", FIPS PUB 197, November 2001, < http://csrc.nist.gov/publications/fips/fips197/ fips-197.pdf>. [IANA-Para] Internet Assigned Numbers Authority, "Internet Key Exchange Version 2 (IKEv2) Parameters", September 2009, . [MODES] Dworkin, M., "Recommendation for Block Cipher Modes of Operation Methods and Techniques", NIST Special Publication 800-38A, December 2001, . 9.2. Informative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within ESP and AH", RFC 2404, November 1998. [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998. [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)", RFC 3686, January 2004. [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005. [Recommendations] Barker, E., Barker, W., Burr, W., Polk, W., and M. Smid, "Recommendation for Key Management - Part1 - General (Revised)", NIST Special Publication 800-57, March 2007, < Shen, et al. Expires May 28, 2010 [Page 15] Internet-Draft AES-CTR for IKEv2 November 2009 http://csrc.nist.gov/publications/nistpubs/800-57/ SP800-57-Part1.pdf>. Shen, et al. Expires May 28, 2010 [Page 16] Internet-Draft AES-CTR for IKEv2 November 2009 Authors' Addresses Sean Shen Huawei 4, South 4th Street, Zhongguancun Beijing 100190 China Email: sean.s.shen@gmail.com Yu Mao H3C Tech. Co., Ltd Oriental Electronic Bld. No.2 Chuangye Road Shang-Di Information Industry Hai-Dian District Beijing 100085 China Email: maoyu@h3c.com N S Srinivasa Murthy Freescale Semiconductor UMA PLAZA, NAGARJUNA CIRCLE, PUNJAGUTTA HYDERABAD 500082 INDIA Email: ssmurthy.nittala@freescale.com Shen, et al. Expires May 28, 2010 [Page 17]