draft-ietf-msec-gdoi-update-00.txt   draft-ietf-msec-gdoi-update-01.txt 
MSEC Working Group B. Weis MSEC Working Group B. Weis
Internet-Draft S. Rowles Internet-Draft S. Rowles
Expires: December 18, 2006 Cisco Systems Expires: April 20, 2007 Cisco Systems
June 16, 2006 October 17, 2006
Updates to the Group Domain of Interpretation (GDOI) Updates to the Group Domain of Interpretation (GDOI)
draft-ietf-msec-gdoi-update-00 draft-ietf-msec-gdoi-update-01
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 34 skipping to change at page 1, line 34
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 18, 2006. This Internet-Draft will expire on April 20, 2007.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2006). Copyright (C) The Internet Society (2006).
Abstract Abstract
This memo describes updates to the Group Domain of Interpretation This memo describes updates to the Group Domain of Interpretation
(GDOI) [RFC3547]. It provides clarification where the original text (GDOI) [RFC3547]. It provides clarification where the original text
is unclear. It also includes a discussion of algorithm agility is unclear. It also includes a discussion of algorithm agility
skipping to change at page 2, line 20 skipping to change at page 2, line 20
2. Cryptographic Algorithm agility . . . . . . . . . . . . . . . 4 2. Cryptographic Algorithm agility . . . . . . . . . . . . . . . 4
2.1. Phase 1 protocol . . . . . . . . . . . . . . . . . . . . . 4 2.1. Phase 1 protocol . . . . . . . . . . . . . . . . . . . . . 4
2.2. GROUPKEY-PUSH message . . . . . . . . . . . . . . . . . . 4 2.2. GROUPKEY-PUSH message . . . . . . . . . . . . . . . . . . 4
2.3. IPsec TEK Distribution . . . . . . . . . . . . . . . . . . 5 2.3. IPsec TEK Distribution . . . . . . . . . . . . . . . . . . 5
2.4. Certificate Payload . . . . . . . . . . . . . . . . . . . 5 2.4. Certificate Payload . . . . . . . . . . . . . . . . . . . 5
2.5. POP Payload . . . . . . . . . . . . . . . . . . . . . . . 5 2.5. POP Payload . . . . . . . . . . . . . . . . . . . . . . . 5
3. RFC 3547 Clarification . . . . . . . . . . . . . . . . . . . . 6 3. RFC 3547 Clarification . . . . . . . . . . . . . . . . . . . . 6
3.1. SA Payload . . . . . . . . . . . . . . . . . . . . . . . . 6 3.1. SA Payload . . . . . . . . . . . . . . . . . . . . . . . . 6
3.2. SIG Payload . . . . . . . . . . . . . . . . . . . . . . . 6 3.2. SIG Payload . . . . . . . . . . . . . . . . . . . . . . . 6
3.3. SEQ Payload . . . . . . . . . . . . . . . . . . . . . . . 6 3.3. SEQ Payload . . . . . . . . . . . . . . . . . . . . . . . 7
3.4. POP Payload . . . . . . . . . . . . . . . . . . . . . . . 7 3.4. POP Payload . . . . . . . . . . . . . . . . . . . . . . . 7
3.5. CERT Payload . . . . . . . . . . . . . . . . . . . . . . . 7 3.5. CERT Payload . . . . . . . . . . . . . . . . . . . . . . . 9
3.6. TEK Integrity Key Length . . . . . . . . . . . . . . . . . 7 3.6. TEK Integrity Key Length . . . . . . . . . . . . . . . . . 9
3.7. KE Payload . . . . . . . . . . . . . . . . . . . . . . . . 8 3.7. KE Payload . . . . . . . . . . . . . . . . . . . . . . . . 9
3.8. Minimum defined attributes . . . . . . . . . . . . . . . . 9 3.8. Minimum defined attributes . . . . . . . . . . . . . . . . 11
3.9. Attribute behavour . . . . . . . . . . . . . . . . . . . . 9 3.9. Attribute behavour . . . . . . . . . . . . . . . . . . . . 11
4. GCKS and Group Member Authorization . . . . . . . . . . . . . 10 4. GCKS and Group Member Authorization . . . . . . . . . . . . . 12
4.1. Authorization using the CERT/POP Payloads . . . . . . . . 10 4.1. Authorization using the CERT/POP Payloads . . . . . . . . 12
4.2. Authorization through other methods . . . . . . . . . . . 10 4.2. Authorization through other methods . . . . . . . . . . . 12
5. New GDOI Attributes . . . . . . . . . . . . . . . . . . . . . 12 5. New GDOI Attributes . . . . . . . . . . . . . . . . . . . . . 13
5.1. Signature Hash Algorithm . . . . . . . . . . . . . . . . . 12 5.1. Signature Hash Algorithm . . . . . . . . . . . . . . . . . 13
5.2. Support of AH . . . . . . . . . . . . . . . . . . . . . . 12 5.2. Support of AH . . . . . . . . . . . . . . . . . . . . . . 13
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
7. Security Considerations . . . . . . . . . . . . . . . . . . . 16 7. Security Considerations . . . . . . . . . . . . . . . . . . . 17
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
9.1. Normative References . . . . . . . . . . . . . . . . . . . 18 9.1. Normative References . . . . . . . . . . . . . . . . . . . 19
9.2. Informative References . . . . . . . . . . . . . . . . . . 18 9.2. Informative References . . . . . . . . . . . . . . . . . . 19
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21
Intellectual Property and Copyright Statements . . . . . . . . . . 21 Intellectual Property and Copyright Statements . . . . . . . . . . 22
1. Introduction 1. Introduction
The Group Domain of Interpretation (GDOI) is a group key management The Group Domain of Interpretation (GDOI) is a group key management
protocol fitting into the Multicast Security Group Key Management protocol fitting into the Multicast Security Group Key Management
Architecture [RFC4046]. GDOI is used to disseminate policy and Architecture [RFC4046]. GDOI is used to disseminate policy and
corresponding secrets to a group of participants. GDOI is corresponding secrets to a group of participants. GDOI is
implemented on hosts and intermediate systems to protect group IP implemented on hosts and intermediate systems to protect group IP
communication (e.g., IP multicast packets) by encapsulating them with communication (e.g., IP multicast packets) by encapsulating them with
the IP Encapsulating Security Payload (ESP) [RFC4303] packets. the IP Encapsulating Security Payload (ESP) [RFC4303] packets.
skipping to change at page 4, line 11 skipping to change at page 4, line 11
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Cryptographic Algorithm agility 2. Cryptographic Algorithm agility
Algorithm agility was a goal during the development of GDOI, and RFC Algorithm agility was a goal during the development of GDOI, and RFC
3547 generally provides the ability to add new algorithms as 3547 generally provides the ability to add new algorithms as
necessary. However, further analysis has shown that there are places necessary. However, further analysis has shown that there are places
where algorithm agility is not complete. This section discusses the where algorithm agility is not complete. This section discusses the
use cryptographic algorithms within GDOI, points out variances in use of cryptographic algorithms within GDOI, points out variances in
algorithm agility, and proposes clarifications without changing any algorithm agility, and proposes clarifications without changing any
payload formats within the protocol. payload formats within the protocol.
Recent published attacks on the SHA-1 algorithm motivate its Recent published attacks on the SHA-1 algorithm motivate its
replacement as a cryptographic algorithm. The ability for GDOI to replacement as a cryptographic algorithm. The ability for GDOI to
move to the SHA-256 algorithm is explicitly discussed. Later move to the SHA-256 algorithm is explicitly discussed. Later
sections on this document propose some enhancements to the GDOI sections on this document propose some enhancements to the GDOI
protocol to provide for an easier means of supporting this and protocol to provide for an easier means of supporting this and
additional hash functions. additional hash functions.
skipping to change at page 4, line 39 skipping to change at page 4, line 39
4 of [RFC2409], which is usually a hash algorithm using the HMAC 4 of [RFC2409], which is usually a hash algorithm using the HMAC
[RFC2104] construction. IKEv1 negotiates which encryption ciphers [RFC2104] construction. IKEv1 negotiates which encryption ciphers
and hash algorithms are to be used. and hash algorithms are to be used.
IKEv1 cipher algorithms come from the "Encryption Algorithm" list in IKEv1 cipher algorithms come from the "Encryption Algorithm" list in
the IANA IPsec registry [IPSEC-REG], and the hash algorithms come the IANA IPsec registry [IPSEC-REG], and the hash algorithms come
from the "Hash Algorithm" list in the same registry. The IANA IPsec from the "Hash Algorithm" list in the same registry. The IANA IPsec
registry currently includes the SHA2-256, which is intended to be the registry currently includes the SHA2-256, which is intended to be the
SHA-256 algorithm. SHA-256 algorithm.
In summary, are no cryptographic algorithm agility issues with The In summary, there are no cryptographic algorithm agility issues with
IKEv1 Phase 1 protocol when used as a GDOI "phase 1" protocol. For a the IKEv1 Phase 1 protocol when used as a GDOI "phase 1" protocol.
more detailed analysis o the use of hash algorithms in IKE and IPsec, For a more detailed analysis of the use of hash algorithms in IKE and
see [I-D.hoffman-ike-ipsec-hash-use]. IPsec, see [I-D.hoffman-ike-ipsec-hash-use].
2.2. GROUPKEY-PUSH message 2.2. GROUPKEY-PUSH message
The GROUPKEY-PUSH message is protected by an encryption cipher for The GROUPKEY-PUSH message is protected by an encryption cipher for
confidentiality and a digital signature for message integrity. The confidentiality and a digital signature for message integrity. The
encryption cipher is described by the IANA GDOI registry as the encryption cipher is described by the IANA GDOI registry as the
KEK_ALGORITHM attribute [GDOI-REG]. The digital signature comprises KEK_ALGORITHM attribute [GDOI-REG]. The digital signature comprises
both a hash algorithm defined by the GDOI SIG_HASH_ALGORITHM both a hash algorithm defined by the GDOI SIG_HASH_ALGORITHM
attribute and a public key signature algorithm defined by the attribute and a public key signature algorithm defined by the
SIG_ALGORITHM attribute. This memo adds the SHA-256 algorithm to the SIG_ALGORITHM attribute. This memo adds the SHA-256 algorithm to the
SIG_HASH_ALGORITHM attribute in a later section. SIG_HASH_ALGORITHM attribute in a later section.
In summary, are no cryptographic algorithm agility issues with the In summary, there are no cryptographic algorithm agility issues with
GROUPKEY-PUSH message. the GROUPKEY-PUSH message.
2.3. IPsec TEK Distribution 2.3. IPsec TEK Distribution
IPsec SAs are distributed by GDOI. An IPsec ESP SA can include an IPsec SAs are distributed by GDOI. An IPsec ESP SA can include an
encryption cipher for confidentiality and an algorithm for packet encryption cipher for confidentiality and an algorithm for packet
authentication. The encryption ciphers are defined by the IPsec ESP authentication. The encryption ciphers are defined by the IPsec ESP
Transform Identifiers defined in the IANA ISAKMP registry [ISAKMP- Transform Identifiers defined in the IANA ISAKMP registry [ISAKMP-
REG]. The packet authentication method is distributed via an REG]. The packet authentication method is distributed via an
"Authentication Algorithm" SA attribute. SHA-256 may be chosen as "Authentication Algorithm" SA attribute. SHA-256 may be chosen as
the authentication algorithm with HMAC-SHA2-256. Similarly, an IPsec the authentication algorithm with HMAC-SHA2-256. Similarly, an IPsec
AH SA is defined by choosing AH_SHA2-256 as the "AH Transform AH SA is defined by choosing AH_SHA2-256 as the "AH Transform
Identifier". Identifier".
In summary, are no cryptographic algorithm agility issues during TEK In summary, there are no cryptographic algorithm agility issues
distribution. during TEK distribution.
2.4. Certificate Payload 2.4. Certificate Payload
Messages in the GROUPKEY-PULL and GROUPKEY-PUSH protocols may include Messages in the GROUPKEY-PULL and GROUPKEY-PUSH protocols may include
a Certificate Payload (CERT). Certificate digital signatures, and a Certificate Payload (CERT). Certificate digital signatures, and
the algorithm agility thereof, are outside the scope of this memo. the algorithm agility thereof, are outside the scope of this memo.
2.5. POP Payload 2.5. POP Payload
The GDOI Proof of Possession (POP) payload may be included in the The GDOI Proof of Possession (POP) payload may be included in the
GROUPKEY-PULL protocol. It contains a digital signature over the GROUPKEY-PULL protocol. It contains a digital signature over the
hash of s set of nonces, which provides the current possession of the hash of a set of identities and nonces, which provides the current
peer. The digital signature algorithm is defined as the "POP possession of the peer. The digital signature algorithm is defined
Algorithm" in the IANA GDOI registry [GDOI-REG]. However, identity as the "POP Algorithm" in the IANA GDOI registry [GDOI-REG].
of the hash algorithm to create the signed data was omitted in RFC However, identity of the hash algorithm to create the signed data was
3547. omitted in RFC 3547.
In summary, the POP Payload has an algorithm agility deficiency with In summary, the POP Payload has an algorithm agility deficiency with
regards to the hash algorithm. This memo remedies this omission in a regards to the hash algorithm. This memo remedies this omission in a
clarification section below. clarification section below.
3. RFC 3547 Clarification 3. RFC 3547 Clarification
Implementation experience of RFC 3547 has revealed a few areas of Implementation experience of RFC 3547 has revealed a few areas of
text that are not sufficiently clear. This section provides text that are not sufficiently clear. This section provides
clarifying text for those areas. clarifying text for those areas.
3.1. SA Payload 3.1. SA Payload
The units of the SIG_KEY_LENGTH value was not explicitly specified in The SA KEK payload includes the "POP Key Length" field, which is
RFC 3547. The value is a number representing the length of keys in meant to declare the length of a POP signature key. Unfortunately,
bits. it is not clear as to whether this refers to the GCKS POP signature
key or all entities' POP signature keys. The intent of conveying the
length was to ensure that a group member has the capability to
validate the GCKS POP payload, so this memo specifies that the value
is taken to indicate the length of only the GCKS signature key.
Additionally, the units of this field are not explicitly specified in
RFC 3547. The value is a number representing the length of key in
bits. In the case of POP_ALG_RSA, the value represents the size of
the modulus.
The units of the SIG_KEY_LENGTH KEK attribute value was not
explicitly specified in RFC 3547. The value is a number representing
the length of the KEK encryption key in bits.
The GDOI_PROTO_IPSEC_ESP attribute is sometimes referred to by the The GDOI_PROTO_IPSEC_ESP attribute is sometimes referred to by the
truncated name PROTO_IPSEC_ESP. truncated name PROTO_IPSEC_ESP.
RFC3547 explicitly specifies that if a KEK cipher requires an IV, RFC3547 explicitly specifies that if a KEK cipher requires an IV,
then the IV MUST precede the key in the KEK_ALGORITHM_KEY KD payload then the IV MUST precede the key in the KEK_ALGORITHM_KEY KD payload
attribute. However, it should be noted that this IV length is not attribute. However, it should be noted that this IV length is not
included in the KEK_KEY_LEN SA payload attribute sent in the SA included in the KEK_KEY_LEN SA payload attribute sent in the SA
payload. The KEK_KEY_LEN includes only the actual length of the payload. The KEK_KEY_LEN includes only the actual length of the
cipher key. cipher key.
skipping to change at page 6, line 46 skipping to change at page 7, line 9
3.2. SIG Payload 3.2. SIG Payload
The GROUPKEY-PUSH message SIG payload is further clarified here; the The GROUPKEY-PUSH message SIG payload is further clarified here; the
SIG payload is a signature of the entire GROUPKEY-PUSH message (not SIG payload is a signature of the entire GROUPKEY-PUSH message (not
including the SIG payload) before it's been encrypted. The HASH is including the SIG payload) before it's been encrypted. The HASH is
taken over the string 'rekey', the GROUPKEY-PUSH HDR, SEQ, SA, KD, taken over the string 'rekey', the GROUPKEY-PUSH HDR, SEQ, SA, KD,
and optionally the CERT payload. After the SIG payload is created and optionally the CERT payload. After the SIG payload is created
using the signature of the above hash, the current KEK encryption key using the signature of the above hash, the current KEK encryption key
encrypts all the payloads following the GROUPKEY-PUSH HDR. encrypts all the payloads following the GROUPKEY-PUSH HDR.
The SIG_ALGORITHM type of SIG_ALG_RSA does not specify which PKCS#1
[RFC3447] encoding method is employed. To match existing practice,
this memo requires that it be the EMSA-PKCS1-v1_5 encoding method.
3.3. SEQ Payload 3.3. SEQ Payload
Each GROUPKEY-PUSH message contains a sequence number, which provides Each GROUPKEY-PUSH message contains a sequence number, which provides
anti-replay protection for a KEK. Thus, the GCKS returns a SEQ anti-replay protection for a KEK. Thus, the GCKS returns a SEQ
payload in the GROUPKEY-PULL exchange only if a KEK attribute also payload in the GROUPKEY-PULL exchange only if a KEK attribute also
exists in the SA payload. exists in the SA payload.
A KEK sequence number is associated with a single SPI (i.e., the A KEK sequence number is associated with a single SPI (i.e., the
single set of cookie pair values sent in a GROUPKEY-PUSH ISAKMP HDR). single set of cookie pair values sent in a GROUPKEY-PUSH ISAKMP HDR).
When a new KEK is distributed by a GCKS, it contains a new SPI and When a new KEK is distributed by a GCKS, it contains a new SPI and
skipping to change at page 7, line 40 skipping to change at page 8, line 7
contains a digital signature over a hash. Some RFC 3547 text contains a digital signature over a hash. Some RFC 3547 text
erroneously describes it as a "prf()". erroneously describes it as a "prf()".
RFC 3547 omitted including a method of specifying the hash function RFC 3547 omitted including a method of specifying the hash function
type used in the POP payload. As a result, the GCKS or group member type used in the POP payload. As a result, the GCKS or group member
do not have a means by which to agree which hash algorithm should be do not have a means by which to agree which hash algorithm should be
used. To remedy this omission without changing the protocol, this used. To remedy this omission without changing the protocol, this
memo specifies that the hash algorithm passed in the memo specifies that the hash algorithm passed in the
SIG_HASH_ALGORITHM MUST be also used as the POP hash algorithm. SIG_HASH_ALGORITHM MUST be also used as the POP hash algorithm.
The SIG_ALGORITHM type of SIG_ALG_RSA does not specify which PKCS#1
[RFC3447] encoding method is employed. To match existing practice,
this memo requires that it be the EMSA-PKCS1-v1_5 encoding method.
Meadows and Pavlovic have published a paper [MP04] describing a means
by which a rogue GDOI device (i.e., GCKS or group member) can gain
access to a group for which it is not a group member. The rogue
device perpetrates a man-in-the-middle attack, which can occur if the
following conditions are true:
1. The rogue GDOI participant convinces an authorized member of the
group (i.e., victim group member) that it is a GCKS for that
group, and it also convinces the GCKS (i.e., victim GCKS) of that
group it is an authorized group member.
2. The victim group member, victim GCKS, and rogue group member all
share IKEv1 authentication credentials.
3. The victim GCKS does not properly verify that the IKEv1
authentication credentials used to protect a GROUPKEY-PULL
protocol are authorized to be join the group.
The point of proof-of-possession is to prove that the owner of the
identity associated with the Phase 1 key is the same as the owner of
the key distributed in the CERT. This attack can be mitigated by
adding the Phase 1 identities into the hashed data. This memo
replaces the method of computing POP_HASH, which is:
POP_HASH = hash("pop" | IKE-Initiator-P1-ID | IKE-Responder-P1-ID |
Ni | Nr)
where the fields are hashed as follows:
o The string "pop" without a NULL termination character.
o The IKE Phase 1 identity of the GCKS as distributed in the
"identification Data" portion of the ID payload. Because the
length of the identity is variable, the length of the
Identification Data MUST be hashed as a four octet value with the
length located in the least significant bits (in big-endian
format). The length value is hashed before the data value.
o The IKE Phase 1 identity of the group member as distributed in the
"identification Data" portion of the ID payload. Because the
length of the identity is variable, the length of the
Identification Data MUST be hashed as a four octet value with the
length located in the least significant bits (in big-endian
format). The length value is hashed before the data value.
o The initiator nonce Ni, as passed in the first GROUPKEY-PULL
message.
o The responder nonce Nr, as passed in the second GROUPKEY-PULL
message.
3.5. CERT Payload 3.5. CERT Payload
Receivers of the POP payload need the sender's public key in order to Receivers of the POP payload need the sender's public key in order to
validate the POP. However the source of that public key is not validate the POP. However the source of that public key is not
explicitly defined. For example, if the certificate passed in the explicitly defined. For example, if the certificate passed in the
CERT payload is an attribute certificate (not containing a public CERT payload is an attribute certificate (not containing a public
key) then no public key is available. To remedy this omission, this key) then no public key is available. To remedy this omission, this
memo specifies that the certificate passed in the CERT payload MUST memo specifies that the certificate passed in the CERT payload MUST
be an identity certificate (including a public key). be an identity certificate (including a public key).
skipping to change at page 8, line 49 skipping to change at page 10, line 24
1. The GCKS and group member MUST derive an encryption key and IV 1. The GCKS and group member MUST derive an encryption key and IV
(if needed by the encryption algorithm mode) using the dhEphem (if needed by the encryption algorithm mode) using the dhEphem
method described in Section 6.1.21 of [NIST.800-56A.2006]. method described in Section 6.1.21 of [NIST.800-56A.2006].
2. The key derivation function MUST be the preferred key derivation 2. The key derivation function MUST be the preferred key derivation
function described in Section 5.8.1 of [NIST.800-56A.2006]. The function described in Section 5.8.1 of [NIST.800-56A.2006]. The
"kdf" function MUST be algorithm defined in the group policy as "kdf" function MUST be algorithm defined in the group policy as
the SIG_HASH_ALGORITHM attribute. The "keydatalen" input will be the SIG_HASH_ALGORITHM attribute. The "keydatalen" input will be
the number of bits necessary for the encryption algorithm plus the number of bits necessary for the encryption algorithm plus
the number of bits needed by the algorithm mode (if any). The the number of bits needed by the algorithm mode (if any). The
"AlgorithmID" value will be the value of SIG_HASH_ALGORITHM. The following kdf "OtherInfo" values MUST be hashed:
"PartyUInfo" value will be the IKE Phase 1 identity of the GCKS,
whereas the "PartyVInfo" value will be the IKE Phase 1 identity * AlgorithmID: This value represents the encryption algorithm
of the group member. No "SuppPubInfo" or "SuppPrivInfo" values with which the derived keying material will be used (i.e.,
are included as input to the "kdf" function. KEK_ALGORITHM). The value is hashed as a two octet value with
the algorithm id located in the least significant bits (in
big-endian format).
* PartyUInfo: This value will be the IKE Phase 1 identity of the
GCKS as distributed in the "identification Data" portion of
the ID payload. Because the length of the identity is
variable, the length of the Identification Data MUST be hashed
as a four octet value with the length located in the least
significant bits (in big-endian format). The length value is
hashed before the data value.
* PartyVInfo: This value will be the IKE Phase 1 identity of the
group member as distributed in the "identification Data"
portion of the ID payload. Because the length of the identity
is variable, the length of the Identification Data MUST be
hashed as a four octet value with the length located in the
least significant bits (in big-endian format). The length
value is hashed before the data value.
3. The result of the hash will be used as input to the encryption 3. The result of the hash will be used as input to the encryption
algorithm described in the KEK_ALGORITHM attribute. If the algorithm described in the KEK_ALGORITHM attribute. If the
algorithm mode requires an IV, the initial bits (in big-endian algorithm mode requires an IV, the initial bits (in big-endian
format) of the derived keying material will be used as the IV. format) of the derived keying material will be used as the IV.
The subsequent bits are used as the encryption key, encrypting The subsequent bits are used as the encryption key, encrypting
the bytes of the KD payload as described in Section 5.4 of RFC the bytes of the KD payload as described in Section 5.4 of RFC
3547. Note that the length of the KD payload may be larger due 3547. Note that the length of the KD payload may be larger due
to cipher block padding. If so, the KD payload length must be to cipher block padding. If so, the KD payload length must be
modified to reflect the actual length of the ciphertext. modified to reflect the actual length of the ciphertext.
3.8. Minimum defined attributes 3.8. Minimum defined attributes
Minimum attributes that must be sent as part of an SA KEK: Minimum attributes that must be sent as part of an SA KEK:
KEK_ALGORITHM, KEK_KEY_LENGTH (if the cipher definition includes a KEK_ALGORITHM, KEK_KEY_LENGTH (if the cipher definition includes a
skipping to change at page 10, line 16 skipping to change at page 12, line 16
A GDOI group member SHOULD be configured with policy describing which A GDOI group member SHOULD be configured with policy describing which
IKEv1 identities are authorized to act as GCKS for a group. IKEv1 identities are authorized to act as GCKS for a group.
The following sections clarify the need for a GCKS to authorize group The following sections clarify the need for a GCKS to authorize group
members. Authorization is needed regardless of whether the CERT and members. Authorization is needed regardless of whether the CERT and
POP payloads are mandated in group policy. POP payloads are mandated in group policy.
4.1. Authorization using the CERT/POP Payloads 4.1. Authorization using the CERT/POP Payloads
Meadows and Pavlovic have published a paper [MP04] describing a means A GCKS conforming with RFC 3547 SHOULD perform authorization based on
by which a rogue GDOI device (i.e., GCKS or group member) can gain the IKEv1 authentication credentials. When the CERT and POP payloads
access to a group for which it is not a group member. The rogue are used for authorization, the GCKS and group member SHOULD verify
devices perpetrates a man-in-the-middle attack, which can occur if that the identify in the CERT payload is syntactically the same
the following conditions are true: identity as used in the IKEv1 authentication credentials. For the
1. The rogue GDOI participant convinces an authorized member of the
group (i.e., victim group member) that it is a GCKS for that
group, and it also convinces the GCKS (i.e., victim GCKS) of that
group it is an authorized group member.
2. The victim group member, victim GCKS, and rogue group member all
share IKEv1 authentication credentials.
3. The victim GCKS does not properly verify that the IKEv1
authentication credentials used to protect a GROUPKEY-PULL
protocol are authorized to be join the group.
The Meadows and Pavlovic paper recommends changes to the GDOI
protocol which would remove this attack. Since this memo seeks to
maintain backward compatibility with RFC 3547, these changes are not
yet implemented. In the meantime the attack can be mitigated when a
GCKS conforming with RFC 3547 performs authorization based on the
IKEv1 authentication credentials. When the CERT and POP payloads are
used for authorization, the GCKS and group member SHOULD verify that
the identify in the CERT payload is syntactically the same identity
as used in the IKEv1 authentication credentials. For the
authorization check to succeed, the two credentials are compared and authorization check to succeed, the two credentials are compared and
found to be identical. This stops a group member from authenticating found to be identical. This stops a group member from authenticating
to the GCKS with its own credential, yet including another group to the GCKS with its own credential, yet including another group
member's credentials and proof-of-possession in the CERT and POP member's credentials and proof-of-possession in the CERT and POP
payloads. payloads.
4.2. Authorization through other methods 4.2. Authorization through other methods
Although the use of CERT and POP payloads are optional, the need for When the use of CERT and POP payloads are not mandated in group
authorization is still very real. When the use of CERT and POP policy, the GCKS SHOULD have a means of recognizing authorized group
payloads are not mandated in group policy, the GCKS SHOULD have a members for each group, where the recognition is based on IKEv1
means of recognizing authorized group members for each group, where authentication credentials. For example, the GCKS may have a list of
the recognition is based on IKEv1 authentication credentials. For authorized IKEv1 identifiers stored for each Group. The
example, the GCKS may have a list of authorized IKEv1 identifiers authorization check SHOULD be made after receipt of the ID payload
stored for each Group. The authorization check SHOULD be made after containing a group id the group member is requesting to join.
receipt of the ID payload containing a group id the group member is
requesting to join.
5. New GDOI Attributes 5. New GDOI Attributes
This section contains new attributes to be are defined as part of This section contains new attributes to be are defined as part of
GDOI. GDOI.
5.1. Signature Hash Algorithm 5.1. Signature Hash Algorithm
RFC 3547 defines two signature hash algorithms (MD5 and SHA-1). RFC 3547 defines two signature hash algorithms (MD5 and SHA-1).
However, steady advances in technology have rendered both hash However, steady advances in technology have rendered both hash
skipping to change at page 18, line 30 skipping to change at page 19, line 30
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2407] Piper, D., "The Internet IP Security Domain of [RFC2407] Piper, D., "The Internet IP Security Domain of
Interpretation for ISAKMP", RFC 2407, November 1998. Interpretation for ISAKMP", RFC 2407, November 1998.
[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, November 1998. (IKE)", RFC 2409, November 1998.
[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography
Standards (PKCS) #1: RSA Cryptography Specifications
Version 2.1", RFC 3447, February 2003.
[RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The [RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The
Group Domain of Interpretation", RFC 3547, July 2003. Group Domain of Interpretation", RFC 3547, July 2003.
[RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm,
"Multicast Security (MSEC) Group Key Management "Multicast Security (MSEC) Group Key Management
Architecture", RFC 4046, April 2005. Architecture", RFC 4046, April 2005.
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302, [RFC4302] Kent, S., "IP Authentication Header", RFC 4302,
December 2005. December 2005.
skipping to change at page 19, line 4 skipping to change at page 20, line 8
9.2. Informative References 9.2. Informative References
[GDOI-REG] [GDOI-REG]
Internet Assigned Numbers Authority, "Group Domain of Internet Assigned Numbers Authority, "Group Domain of
Interpretation (GDOI) Payload Type Values", IANA Registry, Interpretation (GDOI) Payload Type Values", IANA Registry,
December 2004, December 2004,
<http://www.iana.org/assignments/gdoi-payloads>. <http://www.iana.org/assignments/gdoi-payloads>.
[I-D.hoffman-ike-ipsec-hash-use] [I-D.hoffman-ike-ipsec-hash-use]
Hoffman, P., "Use of Hash Algorithms in IKE and IPsec", Hoffman, P., "Use of Hash Algorithms in IKE and IPsec",
draft-hoffman-ike-ipsec-hash-use-02 (work in progress), draft-hoffman-ike-ipsec-hash-use-03 (work in progress),
March 2006. July 2006.
[IPSEC-REG] [IPSEC-REG]
Internet Assigned Numbers Authority, "Internet Key Internet Assigned Numbers Authority, "Internet Key
Exchange (IKE) Attributes IKE Attributes", IANA Registry, Exchange (IKE) Attributes IKE Attributes", IANA Registry,
December 2005, December 2005,
<http://www.iana.org/assignments/ipsec-registry>. <http://www.iana.org/assignments/ipsec-registry>.
[ISAKMP-REG] [ISAKMP-REG]
Internet Assigned Numbers Authority, "Internet Security Internet Assigned Numbers Authority, "Internet Security
Association and Key Management Protocol (ISAKMP) Association and Key Management Protocol (ISAKMP)
 End of changes. 26 change blocks. 
84 lines changed or deleted 154 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/