draft-ietf-msec-mikey-dhhmac-08.txt   draft-ietf-msec-mikey-dhhmac-09.txt 
Internet Engineering Task Force - MSEC WG Internet Engineering Task Force - MSEC WG
Internet Draft M. Euchner Internet Draft M. Euchner
Intended Category: Proposed Standard Intended Category: Proposed Standard
Expires: July 2005 January 2005 Expires: July 2005 February 2005
HMAC-authenticated Diffie-Hellman for MIKEY HMAC-authenticated Diffie-Hellman for MIKEY
<draft-ietf-msec-mikey-dhhmac-08.txt> <draft-ietf-msec-mikey-dhhmac-09.txt>
IPR Statement IPR Statement
By submitting this Internet-Draft, I certify that any applicable By submitting this Internet-Draft, I certify that any applicable patent
patent or other IPR claims of which I am aware have been disclosed, or other IPR claims of which I am aware have been disclosed, or will be
or will be disclosed, and any of which I become aware will be disclosed, and any of which I become aware will be disclosed, in accordance
disclosed, in accordance with RFC 3668. with RFC 3668.
Status of this Memo Status of this Memo
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering Task
Task Force (IETF), its areas, and its working groups. Note that Force (IETF), its areas, and its working groups. Note that other groups
other groups may also distribute working documents as Internet- may also distribute working documents as Internet- Drafts.
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months and
and may be updated, replaced, or obsoleted by other documents at any may be updated, replaced, or obsoleted by other documents at any time.
time. It is inappropriate to use Internet-Drafts as reference It is inappropriate to use Internet-Drafts as reference material or to
material or to cite them other than a "work in progress." cite them other than a "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
Comments should be sent to the MSEC WG mailing list at Comments should be sent to the MSEC WG mailing list at
msec@securemulticast.org and to the author. msec@securemulticast.org and to the author.
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 HMAC-authenticated Diffie-Hellman for MIKEY January 2005
Abstract Abstract
This document describes a light-weight point-to-point key management This document describes a light-weight point-to-point key management
protocol variant for the multimedia Internet keying (MIKEY) protocol protocol variant for the multimedia Internet keying (MIKEY) protocol
MIKEY, as defined in RFC 3830. In particular, this variant deploys MIKEY, as defined in RFC 3830. In particular, this variant deploys the
the classic Diffie-Hellman key agreement protocol for key classic Diffie-Hellman key agreement protocol for key establishment
establishment featuring perfect forward secrecy in conjunction with a featuring perfect forward secrecy in conjunction with a keyed hash message
keyed hash message authentication code for achieving mutual authentication code for achieving mutual authentication and message
authentication and message integrity of the key management messages integrity of the key management messages exchanged. This protocol
exchanged. This protocol addresses the security and performance addresses the security and performance constraints of multimedia key
constraints of multimedia key management in MIKEY. management in MIKEY.
Conventions used in this document Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [2]. document are to be interpreted as described in RFC-2119 [2].
Table of Contents Table of Contents
1. Introduction..................................................3 1. Introduction..................................................3
1.1. Definitions.................................................6 1.1. Definitions.................................................6
1.2. Abbreviations...............................................7 1.2. Abbreviations...............................................7
2. Scenario......................................................8 2. Scenario......................................................8
2.1. Applicability...............................................9 2.1. Applicability...............................................8
2.2. Relation to GKMARCH........................................11 2.2. Relation to GKMARCH........................................10
3. DHHMAC Security Protocol.....................................11 3. DHHMAC Security Protocol.....................................11
3.1. TGK re-keying..............................................13 3.1. TGK re-keying..............................................13
4. DHHMAC payload formats.......................................14 4. DHHMAC payload formats.......................................14
4.1. Common header payload (HDR)................................15 4.1. Common header payload (HDR)................................14
4.2. Key data transport payload (KEMAC).........................16 4.2. Key data transport payload (KEMAC).........................15
4.3. ID payload (ID)............................................16 4.3. ID payload (ID)............................................16
4.4. General Extension Payload..................................16 4.4. General Extension Payload..................................16
5. Security Considerations......................................17 5. Security Considerations......................................16
5.1. Security environment.......................................17 5.1. Security environment.......................................17
5.2. Threat model...............................................17 5.2. Threat model...............................................17
5.3. Security features and properties...........................20 5.3. Security features and properties...........................20
5.4. Assumptions................................................24
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 HMAC-authenticated Diffie-Hellman for MIKEY January 2005
5.4. Assumptions................................................25
5.5. Residual risk..............................................25 5.5. Residual risk..............................................25
5.6. Authorization and Trust Model..............................27 5.6. Authorization and Trust Model..............................26
6. Acknowledgments............................................27 6. Acknowledgments............................................26
Conclusions.....................................................27 Conclusions.....................................................26
7. IANA considerations..........................................28 7. IANA considerations..........................................27
8. References...................................................28 8. References...................................................27
8.1 Normative References.......................................28 8.1 Normative References.......................................27
8.2 Informative References.....................................29 8.2 Informative References.....................................28
Full Copyright Statement........................................31 Full Copyright Statement........................................30
Expiration Date.................................................32 Expiration Date.................................................31
Revision History................................................33 Revision History................................................32
Author's Addresses..............................................35 Author's Addresses..............................................34
1. Introduction 1. Introduction
There is work done in IETF to develop key management schemes. For There is work done in IETF to develop key management schemes. For example,
example, IKE [14] is a widely accepted unicast scheme for IPsec, and IKE [14] is a widely accepted unicast scheme for IPsec, and the MSEC WG
the MSEC WG is developing other schemes, addressed to group is developing other schemes, addressed to group communication [24], [25].
communication [24], [25]. For reasons discussed below, there is For reasons discussed below, there is however a need for a scheme with
however a need for a scheme with low latency, suitable for demanding low latency, suitable for demanding cases such as real-time data over
cases such as real-time data over heterogeneous networks, and small heterogeneous networks, and small interactive groups.
interactive groups.
As pointed out in MIKEY (see [3]), secure real-time multimedia As pointed out in MIKEY (see [3]), secure real-time multimedia
applications demand a particular adequate light-weight key management applications demand a particular adequate light-weight key management
scheme that cares for how to securely and efficiently establish scheme that cares for how to securely and efficiently establish dynamic
dynamic session keys in a conversational multimedia scenario. session keys in a conversational multimedia scenario.
In general, MIKEY scenarios cover peer-to-peer, simple-one-to-many In general, MIKEY scenarios cover peer-to-peer, simple-one-to-many and
and small-sized groups. MIKEY in particular, describes three key small-sized groups. MIKEY in particular, describes three key management
management schemes for the peer-to-peer case that all finish their schemes for the peer-to-peer case that all finish their task within one
task within one round trip: round trip:
- a symmetric key distribution protocol (MIKEY-PS) based upon - a symmetric key distribution protocol (MIKEY-PS) based upon
pre-shared master keys; pre-shared master keys;
- a public-key encryption-based key distribution protocol - a public-key encryption-based key distribution protocol
(MIKEY-PK) assuming a public-key infrastructure with RSA-based (MIKEY-PK) assuming a public-key infrastructure with RSA-based
(Rivest, Shamir and Adleman) private/public keys and digital (Rivest, Shamir and Adleman) private/public keys and digital
certificates; certificates;
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
- and a Diffie-Hellman key agreement protocol (MIKEY-DHSIGN) - and a Diffie-Hellman key agreement protocol (MIKEY-DHSIGN)
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
deploying digital signatures and certificates. deploying digital signatures and certificates.
All these three key management protocols are designed such that they All these three key management protocols are designed such that they
complete their work within just one round trip. This requires complete their work within just one round trip. This requires depending
depending on loosely synchronized clocks and deploying timestamps on loosely synchronized clocks and deploying timestamps within the key
within the key management protocols. management protocols.
However, it is known [7] that each of the three key management However, it is known [7] that each of the three key management schemes
schemes has its subtle constraints and limitations: has its subtle constraints and limitations:
- The symmetric key distribution protocol (MIKEY-PS) is simple - The symmetric key distribution protocol (MIKEY-PS) is simple
to implement but does not nicely scale in any larger to implement but does not nicely scale in any larger configuration
configuration of potential peer entities due to the need of of potential peer entities due to the need of mutually pre-assigned
mutually pre-assigned shared master secrets. shared master secrets.
Moreover, the security provided does not achieve the property Moreover, the security provided does not achieve the property of
of perfect forward secrecy; i.e. compromise of the shared perfect forward secrecy; i.e. compromise of the shared master
master secret would render past and even future session keys secret would render past and even future session keys susceptible
susceptible to compromise. to compromise.
Further, the generation of the session key happens just at the Further, the generation of the session key happens just at the
initiator. Thus, the responder has to fully trust the initiator. Thus, the responder has to fully trust the initiator
initiator on choosing a good and secure session secret; the on choosing a good and secure session secret; the responder neither
responder neither is able to participate in the key generation is able to participate in the key generation nor to influence that
nor to influence that process. This is considered as a process. This is considered as a specific limitation in less
specific limitation in less trusted environments. trusted environments.
- The public-key encryption scheme (MIKEY-PK) depends upon a - The public-key encryption scheme (MIKEY-PK) depends upon a
public-key infrastructure that certifies the private-public public-key infrastructure that certifies the private-public keys
keys by issuing and maintaining digital certificates. While by issuing and maintaining digital certificates. While such a key
such a key management scheme provides full scalability in large management scheme provides full scalability in large networked
networked configurations, public-key infrastructures are still configurations, public-key infrastructures are still not widely
not widely available and in general, implementations are available and in general, implementations are significantly more
significantly more complex. complex.
Further, additional round trips and computational processing Further, additional round trips and computational processing might
might be necessary for each end system in order to ascertain be necessary for each end system in order to ascertain verification
verification of the digital certificates. For example, typical of the digital certificates. For example, typical operations in
PKIX operations such as validating of digital certificates (RFC the context of a public-key infrastructure such as validating
digital certificates (RFC 3029, [31]), ascertaining the revocation
status of digital certificates (RFC 2560, [30]) and asserting
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 HMAC-authenticated Diffie-Hellman for MIKEY January 2005
3029, [31]), ascertaining the revocation status of digital certificate policies, construction of certification path(s)
certificates (RFC 2560, [30]) and asserting certificate ([33]), requesting and obtaining necessary certificates (RFC 2511,
policies, construction of certification path(s) ([33]), [32]) and management of certificates for such purposes ([29]) may
requesting and obtaining necessary certificates (RFC 2511, involve extra network communication handshakes with the public-key
[32]) and management of certificates for such purposes ([29]) infrastructure and with certification authorities and may
may involve extra network communication handshakes with the typically involve additional processing steps in the end systems.
public-key infrastructure and with certification authorities Such steps and tasks all result in further delay of the key agreement
and may typically involve additional processing steps in the or key establishment phase among the end systems, negatively
end systems. Such steps and tasks all result in further delay impacting setup time. Any extra PKI handshakes and processing are
of the key agreement or key establishment phase among the end not in scope of MIKEY and since this document deploys symmetric
systems, negatively impacting setup time. Any extra PKI security mechanisms only, aspects of PKI, digital certificates and
handshakes and processing are not in scope of MIKEY and since related processing are not further covered in this document.
this document deploys symmetric security mechanisms only,
aspects of PKI, digital certificates and related processing are
not further covered in this document.
Finally, as in the symmetric case, the responder depends Finally, as in the symmetric case, the responder depends completely
completely upon the initiator choosing good and secure session upon the initiator choosing good and secure session keys.
keys.
- The third MIKEY-DHSIGN key management protocol deploys the - The third MIKEY-DHSIGN key management protocol deploys the
Diffie-Hellman key agreement scheme and authenticates the Diffie-Hellman key agreement scheme and authenticates the exchange
exchange of the Diffie-Hellman half-keys in each direction by of the Diffie-Hellman half-keys in each direction by using a digital
using a digital signature. As in the previous method, this signature. As in the previous method, this introduces the
introduces the dependency upon a public-key infrastructure with dependency upon a public-key infrastructure with its strength on
its strength on scalability but also the limitations on scalability but also the limitations on computational costs in
computational costs in performing the asymmetric long-integer performing the asymmetric long-integer operations and the
operations and the potential need for additional communication potential need for additional communication for verification of the
for verification of the digital certificates. digital certificates.
However, the Diffie-Hellman key agreement protocol is known for However, the Diffie-Hellman key agreement protocol is known for its
its subtle security strengths in that it is able to provide subtle security strengths in that it is able to provide full perfect
full perfect forward secrecy (PFS) and further have both forward secrecy (PFS) and further have both parties actively
parties actively involved in session key generation. This involved in session key generation. This special security property
special security property - despite the somewhat higher - despite the somewhat higher computational costs - makes
computational costs - makes Diffie-Hellman techniques Diffie-Hellman techniques attractive in practice.
attractive in practice.
In order to overcome some of the limitations as outlined above, a In order to overcome some of the limitations as outlined above, a special
special need has been recognized for another efficient key agreement need has been recognized for another efficient key agreement protocol
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 variant in MIKEY. This protocol variant aims to provide the capability
of perfect forward secrecy as part of a key agreement with low latency
without dependency on a public-key infrastructure.
protocol variant in MIKEY. This protocol variant aims to provide the HMAC-authenticated Diffie-Hellman for MIKEY January 2005
capability of perfect forward secrecy as part of a key agreement with
low latency without dependency on a public-key infrastructure.
This document describes such a fourth light-weight key management This document describes such a fourth light-weight key management scheme
scheme for MIKEY that could somehow be seen as a synergetic for MIKEY that could somehow be seen as a synergetic optimization between
optimization between the pre-shared key distribution scheme and the the pre-shared key distribution scheme and the Diffie-Hellman key
Diffie-Hellman key agreement. agreement.
The idea of that protocol is to apply the Diffie-Hellman key The idea of that protocol is to apply the Diffie-Hellman key agreement
agreement but instead of deploying a digital signature for but instead of deploying a digital signature for authenticity of the
authenticity of the exchanged keying material rather uses a keyed- exchanged keying material rather uses a keyed-hash upon using
hash upon using symmetrically pre-assigned shared secrets. This symmetrically pre-assigned shared secrets. This combination of security
combination of security mechanisms is called the HMAC-authenticated mechanisms is called the HMAC-authenticated Diffie-Hellman (DH) key
Diffie-Hellman (DH) key agreement for MIKEY (DHHMAC). agreement for MIKEY (DHHMAC).
The DHHMAC variant closely follows the design and philosophy of MIKEY The DHHMAC variant closely follows the design and philosophy of MIKEY and
and reuses MIKEY protocol payload components and MIKEY mechanisms to reuses MIKEY protocol payload components and MIKEY mechanisms to its
its maximum benefit and for best compatibility. maximum benefit and for best compatibility.
Like the MIKEY Diffie-Hellman protocol, DHHMAC does not scale beyond Like the MIKEY Diffie-Hellman protocol, DHHMAC does not scale beyond a
a point-to-point constellation; thus, both MIKEY Diffie-Hellman point-to-point constellation; thus, both MIKEY Diffie-Hellman protocols
protocols do not support group-based keying for any group size larger do not support group-based keying for any group size larger than two
than two entities. entities.
1.1. Definitions 1.1. Definitions
The definitions and notations in this document are aligned with The definitions and notations in this document are aligned with MIKEY,
MIKEY, see [3] and [3] sections 1.3 - 1.4. see [3] and [3] sections 1.3 - 1.4.
All large integer computations in this document should be understood All large integer computations in this document should be understood as
as being mod p within some fixed group G for some large prime p; see being mod p within some fixed group G for some large prime p; see [3] section
[3] section 3.3; however, the DHHMAC protocol is applicable in 3.3; however, the DHHMAC protocol is applicable in general to other
general to other appropriate finite, cyclical groups as well. appropriate finite, cyclical groups as well.
It is assumed that a pre-shared key s is known by both entities It is assumed that a pre-shared key s is known by both entities (initiator
(initiator and responder). The authentication key auth_key is and responder). The authentication key auth_key is derived from the
derived from the pre-shared secret s using the pseudo-random function pre-shared secret s using the pseudo-random function PRF; see [3] sections
PRF; see [3] sections 4.1.3 and 4.1.5. 4.1.3 and 4.1.5.
In this text, [X] represents an optional piece of information. Generally
throughout the text, X SHOULD be present unless certain circumstance MAY
allow X being optional and not be present thereby resulting in weaker
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 HMAC-authenticated Diffie-Hellman for MIKEY January 2005
In this text, [X] represents an optional piece of information. security potentially. Likewise [X, Y] represents an optional compound
Generally throughout the text, X SHOULD be present unless certain piece of information where the pieces X and Y SHOULD be either both present
circumstance MAY allow X being optional and not be present thereby or MAY optionally be both absent. {X} denotes zero or more occurrences
resulting in weaker security potentially. Likewise [X, Y] represents of X.
an optional compound piece of information where the pieces X and Y
SHOULD be either both present or MAY optionally be both absent. {X}
denotes zero or more occurrences of X.
1.2. Abbreviations 1.2. Abbreviations
auth_key pre-shared authentication key, PRF-derived from auth_key pre-shared authentication key, PRF-derived from
pre-shared key s. pre-shared key s.
DH Diffie-Hellman DH Diffie-Hellman
DHi public Diffie-Hellman half key g^(xi) of the DHi public Diffie-Hellman half key g^(xi) of the
Initiatior Initiatior
DHr public Diffie-Hellman half key g^(xr) of the DHr public Diffie-Hellman half key g^(xr) of the
Responder Responder
skipping to change at page 7, line 43 skipping to change at page 7, line 39
IPsec Internet Protocol Security IPsec Internet Protocol Security
MIKEY Multimedia Internet KEYing MIKEY Multimedia Internet KEYing
MIKEY-DHHMAC MIKEY Diffie-Hellman key management protocol using MIKEY-DHHMAC MIKEY Diffie-Hellman key management protocol using
HMAC HMAC
MIKEY-DHSIGN MIKEY Diffie-Hellman key agreement protocol MIKEY-DHSIGN MIKEY Diffie-Hellman key agreement protocol
MIKEY-PK MIKEY public-key encryption-based key distribution MIKEY-PK MIKEY public-key encryption-based key distribution
protocol protocol
MIKEY-PS MIKEY pre-shared key distribution protocol MIKEY-PS MIKEY pre-shared key distribution protocol
p Diffie-Hellman prime modulus p Diffie-Hellman prime modulus
PKI Public-key Infrastructure PKI Public-key Infrastructure
PKIX Public-key Infrastructure Operation
PRF MIKEY pseudo-random function (see [3] section PRF MIKEY pseudo-random function (see [3] section
4.1.3.) 4.1.3.)
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
RSA Rivest, Shamir and Adleman RSA Rivest, Shamir and Adleman
s pre-shared key s pre-shared key
SDP Session Description Protocol SDP Session Description Protocol
SOI Son-of-IKE, IKEv2 SOI Son-of-IKE, IKEv2
SP MIKEY Security Policy (Parameter) Payload SP MIKEY Security Policy (Parameter) Payload
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
T timestamp T timestamp
TEK Traffic Encryption Key TEK Traffic Encryption Key
TGK MIKEY TEK Generation Key as the common Diffie- TGK MIKEY TEK Generation Key as the common Diffie-
Hellman shared secret Hellman shared secret
TLS Transport Layer Security TLS Transport Layer Security
xi secret, (pseudo) random Diffie-Hellman key of the xi secret, (pseudo) random Diffie-Hellman key of the
Initiator Initiator
xr secret, (pseudo) random Diffie-Hellman key of the xr secret, (pseudo) random Diffie-Hellman key of the
Responder Responder
2. Scenario 2. Scenario
The HMAC-authenticated Diffie-Hellman key agreement protocol (DHHMAC) The HMAC-authenticated Diffie-Hellman key agreement protocol (DHHMAC) for
for MIKEY addresses the same scenarios and scope as the other three MIKEY addresses the same scenarios and scope as the other three key
key management schemes in MIKEY address. management schemes in MIKEY address.
DHHMAC is applicable in a peer-to-peer group where no access to a DHHMAC is applicable in a peer-to-peer group where no access to a
public-key infrastructure can be assumed available. Rather, pre- public-key infrastructure can be assumed available. Rather, pre-shared
shared master secrets are assumed available among the entities in master secrets are assumed available among the entities in such an
such an environment. environment.
In a pair-wise group, it is assumed that each client will be setting
up a session key for its outgoing links with it's peer using the DH-
MAC key agreement protocol.
As is the case for the other three MIKEY key management protocol, In a pair-wise group, it is assumed that each client will be setting up
DHHMAC assumes loosely synchronized clocks among the entities in the a session key for its outgoing links with it's peer using the DH-MAC key
small group. agreement protocol.
Note: To synchronize the clocks in a secure manner, some operational As is the case for the other three MIKEY key management protocol, DHHMAC
or procedural means are recommended. However, MIKEY-DHHMAC does not assumes loosely synchronized clocks among the entities in the small group.
describe any secure time synchronization measures and leaves such
tasks to the discretion of the implementation. The reader is
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
referred to [3] section 5.4 and [3] section 9.3 that give guidance on Note: To synchronize the clocks in a secure manner, some operational or
clock synchronization and timestamps. procedural means are recommended. However, MIKEY-DHHMAC does not describe
any secure time synchronization measures and leaves such tasks to the
discretion of the implementation. The reader is referred to [3] section
5.4 and [3] section 9.3 that give guidance on clock synchronization and
timestamps.
2.1. Applicability 2.1. Applicability
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
MIKEY-DHHMAC as well as the other MIKEY key management protocols are MIKEY-DHHMAC as well as the other MIKEY key management protocols are
optimized and targeted for the purpose of multimedia applications optimized and targeted for the purpose of multimedia applications with
with application-level key management needs under real-time session application-level key management needs under real-time session setup and
setup and session management constraints. session management constraints.
As the MIKEY-DHHMAC key management protocol terminates in one As the MIKEY-DHHMAC key management protocol terminates in one roundtrip,
roundtrip, DHHMAC is applicable for integration into two-way DHHMAC is applicable for integration into two-way handshake session- or
handshake session- or call signaling protocols such as call signaling protocols such as
a) SIP/SDP (see [5]) where the encoded MIKEY messages are a) SIP/SDP (see [5]) where the encoded MIKEY messages are encapsulated
encapsulated and transported in SDP containers of the SDP and transported in SDP containers of the SDP offer/answer handshake,
offer/answer handshake, b) H.323 (see [22]) where the encoded MIKEY messages are transported in
b) H.323 (see [22]) where the encoded MIKEY messages are transported the H.225.0 fast start call signaling handshake.
in the H.225.0 fast start call signaling handshake.
MIKEY-DHHMAC is offered as option to the other MIKEY key management MIKEY-DHHMAC is offered as option to the other MIKEY key management
variants (MIKEY-pre-shared, MIKEY-public-key and MIKEY-DH-SIGN) for variants (MIKEY-pre-shared, MIKEY-public-key and MIKEY-DH-SIGN) for all
all those cases where DHHMAC has its peculiar strengths (see section those cases where DHHMAC has its peculiar strengths (see section 5).
5).
2.1.1. Usage in H.235 2.1.1. Usage in H.235
This section provides informative overview how MIKEY-DHHMAC can be This section provides informative overview how MIKEY-DHHMAC can be
applied in some H.323-based multimedia environments. Generally, applied in some H.323-based multimedia environments. Generally, MIKEY
MIKEY is applicable for multimedia applications including IP is applicable for multimedia applications including IP telephony. [22]
telephony. [22] describes various use cases of the MIKEY key describes various use cases of the MIKEY key management protocols
management protocols (MIKEY-PS, MIKEY-PK, MIKEY-DHSIGN and MIKEY- (MIKEY-PS, MIKEY-PK, MIKEY-DHSIGN and MIKEY-DHHMAC) with the purpose to
DHHMAC) with the purpose to establish TGK keying material among H.323 establish TGK keying material among H.323 endpoints. The TGKs are then
endpoints. The TGKs are then used for media encryption by applying used for media encryption by applying SRTP [27]. Addressed scenarios
SRTP [27]. Addressed scenarios include point-to-point with one or include point-to-point with one or more intermediate gatekeepers (trusted
more intermediate gatekeepers (trusted or partially trusted) in- or partially trusted) in-between.
between.
One particular use case addresses MIKEY-DHHMAC to establish a media One particular use case addresses MIKEY-DHHMAC to establish a media
connection from an endpoint B calling (through a gatekeeper) to connection from an endpoint B calling (through a gatekeeper) to another
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 endpoint A that is located within that same gatekeeper zone. While EP-A
and EP-B typically do not share any auth_key a priori, some separate
protocol exchange means are achieved outside the actual call setup
procedure to establish an auth_key for the time while endpoints are being
registered with the gatekeeper; such protocols exist [22] but are not
shown in this document. The auth_key between the endpoints is being used
to authenticate and integrity protect the MIKEY-DHHMAC messages.
another endpoint A that is located within that same gatekeeper zone. HMAC-authenticated Diffie-Hellman for MIKEY January 2005
While EP-A and EP-B typically do not share any auth_key a priori,
some separate protocol exchange means are achieved outside the actual
call setup procedure to establish an auth_key for the time while
endpoints are being registered with the gatekeeper; such protocols
exist [22] but are not shown in this document. The auth_key between
the endpoints is being used to authenticate and integrity protect the
MIKEY-DHHMAC messages.
To establish a call, it is assumed that endpoint B has obtained To establish a call, it is assumed that endpoint B has obtained permission
permission from the gatekeeper (not shown). Endpoint B as the caller from the gatekeeper (not shown). Endpoint B as the caller builds the
builds the MIKEY-DHHMAC I_message(see section 3) and sends the MIKEY-DHHMAC I_message(see section 3) and sends the I_message
I_message encapsulated within the H.323-SETUP to endpoint A. A encapsulated within the H.323-SETUP to endpoint A. A routing gatekeeper
routing gatekeeper (GK) would forward this message to endpoint B; in (GK) would forward this message to endpoint B; in case of a non-routing
case of a non-routing gatekeeper, endpoint B sends the SETUP directly gatekeeper, endpoint B sends the SETUP directly to endpoint A. In either
to endpoint A. In either case, H.323 inherent security mechanisms case, H.323 inherent security mechanisms [28] are applied to protect the
[28] are applied to protect the (encapsulation) message during (encapsulation) message during transfer. This is not depicted here. The
transfer. This is not depicted here. The receiving endpoint A is receiving endpoint A is able to verify the conveyed I_message and can
able to verify the conveyed I_message and can compute a TGK. compute a TGK. Assuming that endpoint A would accept the call, EP-A then
Assuming that endpoint A would accept the call, EP-A then builds the builds the MIKEY-DHHMAC R_message and sends the response as part of the
MIKEY-DHHMAC R_message and sends the response as part of the
CallProceeding-to-Connect message back to the calling endpoint B CallProceeding-to-Connect message back to the calling endpoint B
(possibly through a routing gatekeeper). Endpoint B processes the (possibly through a routing gatekeeper). Endpoint B processes the
conveyed R_message to compute the same TGK as the called endpoint A. conveyed R_message to compute the same TGK as the called endpoint A.
1.) EP-B -> (GK) -> EP-A: SETUP(I_fwd_message [, I_rev_message]) 1.) EP-B -> (GK) -> EP-A: SETUP(I_fwd_message [, I_rev_message])
2.) EP-A -> (GK) -> EP-B: CallProceeding-to-CONNECT(R_fwd_message [, 2.) EP-A -> (GK) -> EP-B: CallProceeding-to-CONNECT(R_fwd_message [,
R_rev_message]) R_rev_message])
Notes: If it is necessary to establish directional TGKs for full- Notes: If it is necessary to establish directional TGKs for full-
duplex links in both directions B->A and A->B, then the duplex links in both directions B->A and A->B, then the calling
calling endpoint B instantiates the DHHMAC protocol twice: endpoint B instantiates the DHHMAC protocol twice: once in the
once in the direction B->A using I_fwd_message and another direction B->A using I_fwd_message and another run in parallel
run in parallel in the direction A->B using I_rev_message. in the direction A->B using I_rev_message. In that case, two
In that case, two MIKEY-DHHMAC I_messages are encapsulated MIKEY-DHHMAC I_messages are encapsulated within SETUP
within SETUP (I_fwd_message and I_rev_message) and two (I_fwd_message and I_rev_message) and two MIKEY-DHHMAC
MIKEY-DHHMAC R_messages (R_fwd_message and R_rev_message) R_messages (R_fwd_message and R_rev_message) are encapsulted
are encapsulted within CallProceeding-to-CONNECT. The within CallProceeding-to-CONNECT. The I_rev_message
I_rev_message corresponds with the I_fwd_message. corresponds with the I_fwd_message.
Alternatively, the called endpoint A may instantiate the DHHMAC
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 protocol in a separate run with endpoint B (not shown); however,
this requires a third handshake to complete.
Alternatively, the called endpoint A may instantiate the
DHHMAC protocol in a separate run with endpoint B (not
shown); however, this requires a third handshake to
complete.
For more details on how the MIKEY protocols may be deployed For more details on how the MIKEY protocols may be deployed with
with H.235, please refer to [22]. H.235, please refer to [22].
2.2. Relation to GKMARCH 2.2. Relation to GKMARCH
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
The Group key management architecture (GKMARCH) [26] describes a The Group key management architecture (GKMARCH) [26] describes a
generic architecture for multicast security group key management generic architecture for multicast security group key management
protocols. In the context of this architecture, MIKEY-DHHMAC may protocols. In the context of this architecture, MIKEY-DHHMAC may
operate as a registration protocol, see also [3] section 2.4. The operate as a registration protocol, see also [3] section 2.4. The main
main entities involved in the architecture are a group entities involved in the architecture are a group controller/key server
controller/key server (GCKS), the receiver(s), and the sender(s). (GCKS), the receiver(s), and the sender(s). Due to the pair-wise nature
Due to the pair-wise nature of the Diffie-Hellman operation and the of the Diffie-Hellman operation and the 1-roundtrip constraint, usage
1-roundtrip constraint, usage of MIKEY-DHHMAC rules out any of MIKEY-DHHMAC rules out any deployment as a group key management
deployment as a group key management protocol with more than two protocol with more than two group entities. Only the degenerate case
group entities. Only the degenerate case with two peers is with two peers is possible where for example the responder acts as the
possible where for example the responder acts as the group group controller.
controller.
Note that MIKEY does not provide re-keying in the GKMARCH sense, Note that MIKEY does not provide re-keying in the GKMARCH sense, only
only updating of the keys by normal unicast messages. updating of the keys by normal unicast messages.
3. DHHMAC Security Protocol 3. DHHMAC Security Protocol
The following figure defines the security protocol for DHHMAC: The following figure defines the security protocol for DHHMAC:
Initiator Responder Initiator Responder
I_message = HDR, T, RAND, [IDi], IDr, I_message = HDR, T, RAND, [IDi], IDr,
{SP}, DHi, KEMAC {SP}, DHi, KEMAC
-----------------------> R_message = HDR, T, -----------------------> R_message = HDR, T,
[IDr], IDi, DHr, [IDr], IDi, DHr,
DHi, KEMAC DHi, KEMAC
<---------------------- <----------------------
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
Figure 1: HMAC-authenticated Diffie-Hellman key based exchange, Figure 1: HMAC-authenticated Diffie-Hellman key based exchange,
where xi and xr are (pseudo) randomly chosen respectively where xi and xr are (pseudo) randomly chosen respectively
by the initiator and the responder. by the initiator and the responder.
The DHHMAC key exchange SHALL be done according to Figure 1. The The DHHMAC key exchange SHALL be done according to Figure 1. The
initiator chooses a (pseudo) random value xi, and sends an HMACed initiator chooses a (pseudo) random value xi, and sends an HMACed
message including g^(xi) and a timestamp to the responder. It is message including g^(xi) and a timestamp to the responder. It is
recommended that the initiator SHOULD always include the identity recommended that the initiator SHOULD always include the identity
payloads IDi and IDr within the I_message; unless the receiver can payloads IDi and IDr within the I_message; unless the receiver can defer
defer the initiator's identity by some other means, then IDi MAY HMAC-authenticated Diffie-Hellman for MIKEY January 2005
optionally be omitted. The initiator SHALL always include the
recipient's identity.
The group parameters (e.g., the group G) are a set of parameters the initiator's identity by some other means, then IDi MAY optionally
chosen by the initiator. Note, that like in the MIKEY protocol, be omitted. The initiator SHALL always include the recipient's
both sender and receiver explicitly transmit the Diffie-Hellman identity.
group G within the Diffie-Hellman payload DHi or DHr through an
encoding (e.g., OAKELEY group numbering, see [3] section 6.4); the The group parameters (e.g., the group G) are a set of parameters chosen
actual group parameters g and p however are not explicitly by the initiator. Note, that like in the MIKEY protocol, both sender
transmitted but can be deduced from the Diffie-Hellman group G. and receiver explicitly transmit the Diffie-Hellman group G within the
The responder chooses a (pseudo) random positive integer xr, and Diffie-Hellman payload DHi or DHr through an encoding (e.g., OAKELEY
sends an HMACed message including g^(xr) and the timestamp to the group numbering, see [3] section 6.4); the actual group parameters g
initiator. The responder SHALL always include the initiator's and p however are not explicitly transmitted but can be deduced from
identity IDi regardless of whether the I_message conveyed any IDi. the Diffie-Hellman group G. The responder chooses a (pseudo) random
It is RECOMMENDED that the responder SHOULD always include the positive integer xr, and sends an HMACed message including g^(xr) and
identity payload IDr within the R_message; unless the initiator can the timestamp to the initiator. The responder SHALL always include the
initiator's identity IDi regardless of whether the I_message conveyed
any IDi. It is RECOMMENDED that the responder SHOULD always include
the identity payload IDr within the R_message; unless the initiator can
defer the reponder's identity by some other means, then IDr MAY defer the reponder's identity by some other means, then IDr MAY
optionally be left out. optionally be left out.
Both parties then calculate the TGK as g^(xi * xr). Both parties then calculate the TGK as g^(xi * xr).
The HMAC authentication provides authentication of the DH half- The HMAC authentication provides authentication of the DH half-keys,
keys, and is necessary to avoid man-in-the-middle attacks. and is necessary to avoid man-in-the-middle attacks.
This approach is less expensive than digitally signed Diffie- This approach is less expensive than digitally signed Diffie-Hellman.
Hellman. It requires first of all, that both sides compute one It requires first of all, that both sides compute one exponentiation
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 and one HMAC, then one HMAC verification and finally another
Diffie-Hellman exponentiation.
exponentiation and one HMAC, then one HMAC verification and finally With off-line pre-computation, the initial Diffie-Hellman half-key MAY
another Diffie-Hellman exponentiation. be computed before the key management transaction and thereby MAY
further reduce the overall round trip delay as well as reduce the risk
of denial-of-service attacks.
With off-line pre-computation, the initial Diffie-Hellman half-key Processing of the TGK SHALL be accomplished as described in MIKEY [3]
MAY be computed before the key management transaction and thereby chapter 4.
MAY further reduce the overall round trip delay as well as reduce
the risk of denial-of-service attacks.
Processing of the TGK SHALL be accomplished as described in MIKEY The computed HMAC result SHALL be conveyed in the KEMAC payload field
[3] chapter 4. where the MAC fields holds the HMAC result. The HMAC SHALL be computed
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
The computed HMAC result SHALL be conveyed in the KEMAC payload over the entire message excluding the MAC field using auth_key, see also
field where the MAC fields holds the HMAC result. The HMAC SHALL section 4.2.
be computed over the entire message excluding the MAC field using
auth_key, see also section 4.2.
3.1. TGK re-keying 3.1. TGK re-keying
TGK re-keying for DHHMAC generally proceeds as described in [3] TGK re-keying for DHHMAC generally proceeds as described in [3] section
section 4.5. Specifically, figure 2 provides the message exchange 4.5. Specifically, figure 2 provides the message exchange for the
for the DHHMAC update message. DHHMAC update message.
Initiator Responder Initiator Responder
I_message = HDR, T, [IDi], IDr, I_message = HDR, T, [IDi], IDr,
{SP}, [DHi], KEMAC {SP}, [DHi], KEMAC
-----------------------> R_message = HDR, T, -----------------------> R_message = HDR, T,
[IDr], IDi, [IDr], IDi,
[DHr, DHi], KEMAC [DHr, DHi], KEMAC
<---------------------- <----------------------
Figure 2: DHHMAC update message Figure 2: DHHMAC update message
TGK re-keying supports two procedures: TGK re-keying supports two procedures:
a) True re-keying by exchanging new and fresh Diffie-Hellman
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 half-keys. For this, the initiator SHALL provide a new, fresh DHi
a) True re-keying by exchanging new and fresh Diffie-Hellman half-
keys. For this, the initiator SHALL provide a new, fresh DHi
and the responder SHALL respond with a new, fresh DHr and the and the responder SHALL respond with a new, fresh DHr and the
received DHi. received DHi.
b) Non-key related information update without any Diffie-Hellman b) Non-key related information update without any Diffie-Hellman
half-keys included in the exchange. Such transaction does not half-keys included in the exchange. Such transaction does not
change the actual TGK but updates other information like change the actual TGK but updates other information like security
security policy parameters for example. To only update the policy parameters for example. To only update the non-key related
non-key related information, [DHi] and [DHr, DHi] SHALL be left information, [DHi] and [DHr, DHi] SHALL be left out.
out.
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
4. DHHMAC payload formats 4. DHHMAC payload formats
This section specifies the payload formats and data type values for This section specifies the payload formats and data type values for DHHMAC,
DHHMAC, see also [3] chapter 6 for a definition of the MIKEY see also [3] chapter 6 for a definition of the MIKEY payloads.
payloads.
This document does not define new payload formats but re-uses MIKEY This document does not define new payload formats but re-uses MIKEY
payloads for DHHMAC as referenced: payloads for DHHMAC as referenced:
* Common header payload (HDR), see section 4.1 and [3] section 6.1 * Common header payload (HDR), see section 4.1 and [3] section 6.1
* SRTP ID sub-payload, see [3] section 6.1.1, * SRTP ID sub-payload, see [3] section 6.1.1,
* Key data transport payload (KEMAC), see section 4.2 and [3] section * Key data transport payload (KEMAC), see section 4.2 and [3] section
6.2 6.2
skipping to change at page 15, line 4 skipping to change at page 14, line 33
* Timestamp payload, [3] section 6.6 * Timestamp payload, [3] section 6.6
* ID payload, [3] section 6.7 * ID payload, [3] section 6.7
* Security Policy payload (SP), [3] section 6.10 * Security Policy payload (SP), [3] section 6.10
* RAND payload (RAND), [3] section 6.11 * RAND payload (RAND), [3] section 6.11
* Error payload (ERR), [3] section 6.12 * Error payload (ERR), [3] section 6.12
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
* General Extension Payload, [3] section 6.15 * General Extension Payload, [3] section 6.15
4.1. Common header payload (HDR) 4.1. Common header payload (HDR)
Referring to [3] section 6.1, for DHHMAC the following data types Referring to [3] section 6.1, for DHHMAC the following data types SHALL
SHALL be used: be used:
Data type | Value | Comment Data type | Value | Comment
------------------------------------------------------------- -------------------------------------------------------------
DHHMAC init | 7 | Initiator's DHHMAC exchange message DHHMAC init | 7 | Initiator's DHHMAC exchange message
DHHMAC resp | 8 | Responder's DHHMAC exchange message DHHMAC resp | 8 | Responder's DHHMAC exchange message
Error | 6 | Error message, see [3] section 6.12 Error | 6 | Error message, see [3] section 6.12
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
Table 4.1.a Table 4.1.a
Note: A responder is able to recognize the MIKEY DHHMAC protocol Note: A responder is able to recognize the MIKEY DHHMAC protocol by
by evaluating the data type field as 7 or 8. This is how the evaluating the data type field as 7 or 8. This is how the responder
responder can differentiate between MIKEY and MIKEY DHHMAC. can differentiate between MIKEY and MIKEY DHHMAC.
The next payload field SHALL be one of the following values: The next payload field SHALL be one of the following values:
Next payload| Value | Section Next payload| Value | Section
---------------------------------------------------------------- ----------------------------------------------------------------
Last payload| 0 | - Last payload| 0 | -
KEMAC | 1 | section 4.2 and [3] section 6.2 KEMAC | 1 | section 4.2 and [3] section 6.2
DH | 3 | [3] section 6.4 DH | 3 | [3] section 6.4
T | 5 | [3] section 6.6 T | 5 | [3] section 6.6
ID | 6 | [3] section 6.7 ID | 6 | [3] section 6.7
SP | 10 | [3] section 6.10 SP | 10 | [3] section 6.10
RAND | 11 | [3] section 6.11 RAND | 11 | [3] section 6.11
ERR | 12 | [3] section 6.12 ERR | 12 | [3] section 6.12
General Ext.| 21 | [3] section 6.15 General Ext.| 21 | [3] section 6.15
Table 4.1.b Table 4.1.b
Other defined next payload values defined in [3] SHALL not be Other defined next payload values defined in [3] SHALL not be applied
applied to DHHMAC. to DHHMAC.
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
The responder in case of a decoding error or of a failed HMAC The responder in case of a decoding error or of a failed HMAC
authentication verification SHALL apply the Error payload data authentication verification SHALL apply the Error payload data type.
type.
4.2. Key data transport payload (KEMAC) 4.2. Key data transport payload (KEMAC)
DHHMAC SHALL apply this payload for conveying the HMAC result along DHHMAC SHALL apply this payload for conveying the HMAC result along with
with the indicated authentication algorithm. KEMAC when used in the indicated authentication algorithm. KEMAC when used in conjunction
conjunction with DHHMAC SHALL not convey any encrypted data; thus with DHHMAC SHALL not convey any encrypted data; thus Encr alg SHALL
Encr alg SHALL be set to 2 (NULL), Encr data len SHALL be set to 0 be set to 2 (NULL), Encr data len SHALL be set to 0 and Encr data SHALL
and Encr data SHALL be left empty. The AES key wrap method (see be left empty. The AES key wrap method (see [23]) SHALL not be applied
[23]) SHALL not be applied for DHHMAC. for DHHMAC.
For DHHMAC, this key data transport payload SHALL be the last For DHHMAC, this key data transport payload SHALL be the last payload
payload in the message. Note that the Next payload field SHALL be in the message. Note that the Next payload field SHALL be set to Last
set to Last payload. The HMAC is then calculated over the entire HMAC-authenticated Diffie-Hellman for MIKEY January 2005
MIKEY message excluding the MAC field using auth_key as described
in [3] section 5.2 and then stored within MAC field. payload. The HMAC is then calculated over the entire MIKEY message
excluding the MAC field using auth_key as described in [3] section 5.2
and then stored within MAC field.
MAC alg | Value | Comments MAC alg | Value | Comments
------------------------------------------------------------------ ------------------------------------------------------------------
HMAC-SHA-1 | 0 | Mandatory, Default (see [4]) HMAC-SHA-1 | 0 | Mandatory, Default (see [4])
NULL | 1 | Very restricted use, see NULL | 1 | Very restricted use, see
| [3] section 4.2.4 | [3] section 4.2.4
Table 4.2.a Table 4.2.a
HMAC-SHA-1 is the default hash function that MUST be implemented as HMAC-SHA-1 is the default hash function that MUST be implemented as part
part of the DHHMAC. The length of the HMAC-SHA-1 result is 160 of the DHHMAC. The length of the HMAC-SHA-1 result is 160 bits.
bits.
4.3. ID payload (ID) 4.3. ID payload (ID)
For DHHMAC, this payload SHALL only hold a non-certificate based For DHHMAC, this payload SHALL only hold a non-certificate based
identity. identity.
4.4. General Extension Payload 4.4. General Extension Payload
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
For DHHMAC and to avoid bidding-down attacks, this payload SHALL For DHHMAC and to avoid bidding-down attacks, this payload SHALL list
list all key management protocol identifiers of a surrounding all key management protocol identifiers of a surrounding encapsulation
encapsulation protocol such as for example, SDP [5]. The General protocol such as for example, SDP [5]. The General Extension Payload
Extension Payload SHALL be integrity-protected with the HMAC using SHALL be integrity-protected with the HMAC using the shared secret.
the shared secret.
Type | Value | Comments Type | Value | Comments
SDP IDs | 1 | List of SDP key management IDs (allocated for SDP IDs | 1 | List of SDP key management IDs (allocated for
use in [5]); see also [3] section 6.15. use in [5]); see also [3] section 6.15.
Table 4.4.a Table 4.4.a
5. Security Considerations 5. Security Considerations
This document addresses key management security issues throughout. This document addresses key management security issues throughout. For
For a comprehensive explanation of MIKEY security considerations, a comprehensive explanation of MIKEY security considerations, please
please refer to MIKEY [3] section 9. refer to MIKEY [3] section 9.
In addition to that, this document addresses security issues HMAC-authenticated Diffie-Hellman for MIKEY January 2005
according to [8] where the following security considerations apply in
particular to this document: In addition to that, this document addresses security issues according
to [8] where the following security considerations apply in particular
to this document:
5.1. Security environment 5.1. Security environment
Generally, the DHHMAC security protocol described in this document Generally, the DHHMAC security protocol described in this document focuses
focuses primarily on communication security; i.e. the security issues primarily on communication security; i.e. the security issues concerned
concerned with the MIKEY DHHMAC protocol. Nevertheless, some system with the MIKEY DHHMAC protocol. Nevertheless, some system security issues
security issues are of interest as well that are not explicitly are of interest as well that are not explicitly defined by the DHHMAC
defined by the DHHMAC protocol, but should be provided locally in protocol, but should be provided locally in practice.
practice.
The system that runs the DHHMAC protocol entity SHALL provide the The system that runs the DHHMAC protocol entity SHALL provide the
capability to generate (pseudo) random numbers as input to the capability to generate (pseudo) random numbers as input to the
Diffie-Hellman operation (see [9], [15]). Furthermore, the system Diffie-Hellman operation (see [9], [15]). Furthermore, the system SHALL
SHALL be capable of storing the generated (pseudo) random data, be capable of storing the generated (pseudo) random data, secret data,
secret data, keys and other secret security parameters securely (i.e. keys and other secret security parameters securely (i.e. confidential and
confidential and safe from unauthorized tampering). safe from unauthorized tampering).
5.2. Threat model 5.2. Threat model
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
The threat model that this document adheres to cover the issues of The threat model that this document adheres to cover the issues of
end-to-end security in the Internet generally; without ruling out the end-to-end security in the Internet generally; without ruling out the
possibility that MIKEY DHHMAC be deployed in a corporate, closed IP possibility that MIKEY DHHMAC be deployed in a corporate, closed IP
environment. This also includes the possibility that MIKEY DHHMAC be environment. This also includes the possibility that MIKEY DHHMAC be
deployed on a hop-by-hop basis with some intermediate trusted "MIKEY deployed on a hop-by-hop basis with some intermediate trusted "MIKEY
DHHMAC proxies" involved. DHHMAC proxies" involved.
Since DHHMAC is a key management protocol, the following security Since DHHMAC is a key management protocol, the following security threats
threats are of concern: are of concern:
* Unauthorized interception of plain TGKs. * Unauthorized interception of plain TGKs.
For DHHMAC this threat does not occur since the TGK is not actually For DHHMAC this threat does not occur since the TGK is not actually
transmitted on the wire (not even in encrypted fashion). transmitted on the wire (not even in encrypted fashion).
* Eavesdropping of other, transmitted keying information: * Eavesdropping of other, transmitted keying information:
DHHMAC protocol does not explicitly transmit the TGK at all. DHHMAC protocol does not explicitly transmit the TGK at all. Rather,
Rather, by the Diffie-Hellman "encryption" operation, that conceals by the Diffie-Hellman "encryption" operation, that conceals the secret
the secret (pseudo) random values, only partial information (i.e. (pseudo) random values, only partial information (i.e. the DH- half key)
the DH- half key) for construction of the TGK is transmitted. It for construction of the TGK is transmitted. It is fundamentally assumed
is fundamentally assumed that availability of such Diffie-Hellman HMAC-authenticated Diffie-Hellman for MIKEY January 2005
half-keys to an eavesdropper does not result in any substantial
security risk; see 5.4. Furthermore, the DHHMAC carries other data that availability of such Diffie-Hellman half-keys to an eavesdropper
such as timestamps, (pseudo) random values, identification does not result in any substantial security risk; see 5.4. Furthermore,
information or security policy parameters; eavesdropping of any the DHHMAC carries other data such as timestamps, (pseudo) random
such data is considered not to yield any significant security risk. values, identification information or security policy parameters;
eavesdropping of any such data is considered not to yield any significant
security risk.
* Masquerade of either entity: * Masquerade of either entity:
This security threat must be avoided and if a masquerade attack This security threat must be avoided and if a masquerade attack would
would be attempted, appropriate detection means must be in place. be attempted, appropriate detection means must be in place. DHHMAC
DHHMAC addresses this threat by providing mutual peer entity addresses this threat by providing mutual peer entity authentication.
authentication.
* Man-in-the-middle attacks: * Man-in-the-middle attacks:
Such attacks threaten the security of exchanged, non-authenticated Such attacks threaten the security of exchanged, non-authenticated
messages. Man-in-the-middle attacks usually come with masquerade messages. Man-in-the-middle attacks usually come with masquerade and
and or loss of message integrity (see below). Man-in-the-middle or loss of message integrity (see below). Man-in-the-middle attacks
attacks must be avoided, and if present or attempted must be must be avoided, and if present or attempted must be detected
detected appropriately. DHHMAC addresses this threat by providing appropriately. DHHMAC addresses this threat by providing mutual peer
mutual peer entity authentication and message integrity. entity authentication and message integrity.
* Loss of integrity: * Loss of integrity:
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
This security threat relates to unauthorized replay, deletion, This security threat relates to unauthorized replay, deletion,
insertion and manipulation of messages. While any such attacks insertion and manipulation of messages. While any such attacks cannot
cannot be avoided they must be detected at least. DHHMAC addresses be avoided they must be detected at least. DHHMAC addresses this threat
this threat by providing message integrity. by providing message integrity.
* Bidding-down attacks: * Bidding-down attacks:
When multiple key management protocols each of a distinct security When multiple key management protocols each of a distinct security level
level are offered (e.g., such as is possible by SDP [5]), avoiding are offered (e.g., such as is possible by SDP [5]), avoiding
bidding-down attacks is of concern. DHHMAC addresses this threat bidding-down attacks is of concern. DHHMAC addresses this threat by
by reusing the MIKEY General Extension Payload mechanism, where all reusing the MIKEY General Extension Payload mechanism, where all key
key management protocol identifiers are be listed within the MIKEY management protocol identifiers are be listed within the MIKEY General
General Extension Payload. Extension Payload.
Some potential threats are not within the scope of this threat model: Some potential threats are not within the scope of this threat model:
* Passive and off-line cryptanalysis of the Diffie-Hellman algorithm: * Passive and off-line cryptanalysis of the Diffie-Hellman algorithm:
Under certain reasonable assumptions (see 5.4 below) it is widely Under certain reasonable assumptions (see 5.4 below) it is widely
believed that DHHMAC is sufficiently secure and that such attacks believed that DHHMAC is sufficiently secure and that such attacks be
be infeasible although the possibility of a successful attack HMAC-authenticated Diffie-Hellman for MIKEY January 2005
cannot be ruled out completely.
infeasible although the possibility of a successful attack cannot be
ruled out completely.
* Non-repudiation of the receipt or of the origin of the message: * Non-repudiation of the receipt or of the origin of the message:
These are not requirements of this environment and thus related These are not requirements of this environment and thus related
countermeasures are not provided at all. countermeasures are not provided at all.
* Denial-of-service or distributed denial-of-service attacks: * Denial-of-service or distributed denial-of-service attacks:
Some considerations are given on some of those attacks, but DHHMAC Some considerations are given on some of those attacks, but DHHMAC does
does not claim to provide full countermeasure against any of those not claim to provide full countermeasure against any of those attacks.
attacks. For example, stressing the availability of the entities For example, stressing the availability of the entities are not thwarted
are not thwarted by means of the key management protocol; some by means of the key management protocol; some other local
other local countermeasures should be applied. Further, some DoS countermeasures should be applied. Further, some DoS attacks are not
attacks are not countered such as interception of a valid DH- countered such as interception of a valid DH-request and its massive
request and its massive instant duplication. Such attacks might at instant duplication. Such attacks might at least be countered partially
least be countered partially by some local means that are outside by some local means that are outside the scope of this document.
the scope of this document.
* Identity protection: * Identity protection:
Like MIKEY, identity protection is not a major design requirement Like MIKEY, identity protection is not a major design requirement for
for MIKEY-DHHMAC either, see [3]. No security protocol is known so MIKEY-DHHMAC either, see [3]. No security protocol is known so far,
far, that is able to provide the objectives of DHHMAC as stated in that is able to provide the objectives of DHHMAC as stated in section
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 5.3 including identity protection within just a single roundtrip.
MIKEY-DHHMAC trades identity protection for better security for the
section 5.3 including identity protection within just a single keying material and shorter roundtrip time. Thus, MIKEY-DHHMAC does not
roundtrip. MIKEY-DHHMAC trades identity protection for better provide identity protection on its own but may inherit such property
security for the keying material and shorter roundtrip time. Thus, from a security protocol underneath that actually features identity
MIKEY-DHHMAC does not provide identity protection on its own but protection. On the other hand, it is expected that MIKEY-DHHMAC is
may inherit such property from a security protocol underneath that typically being deployed within SDP/SIP ([20], [5]); both those
actually features identity protection. On the other hand, it is protocols do not provide end-to-end identity protection either.
expected that MIKEY-DHHMAC is typically being deployed within
SDP/SIP ([20], [5]); both those protocols do not provide end-to-end
identity protection either.
The DHHMAC security protocol (see section 3) and the TGK re-keying The DHHMAC security protocol (see section 3) and the TGK re-keying
security protocol (see section 3.1) provide the option not to security protocol (see section 3.1) provide the option not to supply
supply identity information. This option is only applicable if identity information. This option is only applicable if some other means
some other means are available of supplying trustworthy identity are available of supplying trustworthy identity information; e.g., by
information; e.g., by relying on secured links underneath of MIKEY relying on secured links underneath of MIKEY that supply trustworthy
that supply trustworthy identity information otherwise. However, identity information otherwise. However, it is understood that without
it is understood that without identity information present, the identity information present, the MIKEY key management security
MIKEY key management security protocols might be subject to protocols might be subject to security weaknesses such as masquerade,
security weaknesses such as masquerade, impersonation and impersonation and reflection attacks particularly in end-to-end
reflection attacks particularly in end-to-end scenarios where no scenarios where no other secure means of assured identity information
other secure means of assured identity information is provided. is provided.
Leaving identity fields optional if possible thus should not be
seen as a privacy method either, but rather as a protocol HMAC-authenticated Diffie-Hellman for MIKEY January 2005
optimization feature.
Leaving identity fields optional if possible thus should not be seen
as a privacy method either, but rather as a protocol optimization
feature.
5.3. Security features and properties 5.3. Security features and properties
With the security threats in mind, this draft provides the following With the security threats in mind, this draft provides the following
security features and yields the following properties: security features and yields the following properties:
* Secure key agreement with the establishment of a TGK at both peers: * Secure key agreement with the establishment of a TGK at both peers:
This is achieved using an authenticated Diffie-Hellman key This is achieved using an authenticated Diffie-Hellman key management
management protocol. protocol.
* Peer-entity authentication (mutual): * Peer-entity authentication (mutual):
This authentication corroborates that the host/user is authentic in This authentication corroborates that the host/user is authentic in that
that possession of a pre-assigned secret key is proven using keyed possession of a pre-assigned secret key is proven using keyed HMAC.
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 Authentication occurs on the request and on the response message, thus
authentication is mutual.
HMAC. Authentication occurs on the request and on the response
message, thus authentication is mutual.
The HMAC computation corroborates for authentication and message The HMAC computation corroborates for authentication and message
integrity of the exchanged Diffie-Hellman half-keys and associated integrity of the exchanged Diffie-Hellman half-keys and associated
messages. The authentication is absolutely necessary in order to messages. The authentication is absolutely necessary in order to avoid
avoid man-in-the-middle attacks on the exchanged messages in man-in-the-middle attacks on the exchanged messages in transit and in
transit and in particular, on the otherwise non-authenticated particular, on the otherwise non-authenticated exchanged
exchanged Diffie-Hellman half keys. Diffie-Hellman half keys.
Note: This document does not address issues regarding Note: This document does not address issues regarding authorization;
authorization; this feature is not provided explicitly. However, this feature is not provided explicitly. However, DHHMAC authentication
DHHMAC authentication means support and facilitate realization of means support and facilitate realization of authorization means (local
authorization means (local issue). issue).
* Cryptographic integrity check: * Cryptographic integrity check:
The cryptographic integrity check is achieved using a message The cryptographic integrity check is achieved using a message digest
digest (keyed HMAC). It includes the exchanged Diffie-Hellman (keyed HMAC). It includes the exchanged Diffie-Hellman half-keys but
half-keys but covers the other parts of the exchanged message as covers the other parts of the exchanged message as well. Both mutual
well. Both mutual peer entity authentication and message integrity peer entity authentication and message integrity provide effective
provide effective countermeasure against man-in-the-middle attacks. countermeasure against man-in-the-middle attacks.
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
The initiator may deploy a local timer that fires when the awaited The initiator may deploy a local timer that fires when the awaited
response message did not arrive timely. This is to detect deletion response message did not arrive timely. This is to detect deletion of
of entire messages. entire messages.
* Replay protection of the messages is achieved using embedded * Replay protection of the messages is achieved using embedded
timestamps. In order to detect replayed messages it is essential timestamps. In order to detect replayed messages it is essential that
that the clocks among initiator and sender be roughly synchronized. the clocks among initiator and sender be roughly synchronized. The
The reader is referred to [3] section 5.4 and [3] section 9.3 that reader is referred to [3] section 5.4 and [3] section 9.3 that provide
provide further considerations and give guidance on clock further considerations and give guidance on clock synchronization and
synchronization and timestamp usage. Should the clock timestamp usage. Should the clock synchronization be lost, then end
synchronization be lost, then end systems cannot detect replayed systems cannot detect replayed messages anymore resulting that the end
messages anymore resulting that the end systems cannot securely systems cannot securely establish keying material. This may result in
establish keying material. This may result in a denial-of-service, a denial-of-service, see [3] section 9.5.
see [3] section 9.5.
* Limited DoS protection: * Limited DoS protection:
Rapid checking of the message digest allows verifying the Rapid checking of the message digest allows verifying the authenticity
authenticity and integrity of a message before launching CPU and integrity of a message before launching CPU intensive Diffie-Hellman
intensive Diffie-Hellman operations or starting other resource operations or starting other resource consuming tasks. This protects
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 against some denial-of-service attacks: malicious modification of
messages and spam attacks with (replayed or masqueraded) messages.
consuming tasks. This protects against some denial-of-service DHHMAC probably does not explicitly counter sophisticated distributed,
attacks: malicious modification of messages and spam attacks with large-scale denial-of-service attacks that compromise system
(replayed or masqueraded) messages. DHHMAC probably does not availability for example. Some DoS protection is provided by inclusion
explicitly counter sophisticated distributed, large-scale denial- of the initiator's identity payload in the I_message. This allows the
of-service attacks that compromise system availability for example. recipient to filter out those (replayed) I_messages that are not
Some DoS protection is provided by inclusion of the initiator's targeted for him and avoids the recipient from creating unnecessary
identity payload in the I_message. This allows the recipient to MIKEY sessions.
filter out those (replayed) I_messages that are not targeted for
him and avoids the recipient from creating unnecessary MIKEY
sessions.
* Perfect-forward secrecy (PFS): * Perfect-forward secrecy (PFS):
Other than the MIKEY pre-shared and public-key based key Other than the MIKEY pre-shared and public-key based key distribution
distribution protocols, the Diffie-Hellman key agreement protocol protocols, the Diffie-Hellman key agreement protocol features a
features a security property called perfect forward secrecy. That security property called perfect forward secrecy. That is, that even
is, that even if the long-term pre-shared key would be compromised if the long-term pre-shared key would be compromised at some point in
at some point in time, this would not render past or future session time, this would not render past or future session keys compromised.
keys compromised.
Neither the MIKEY pre-shared nor the MIKEY public-key protocol Neither the MIKEY pre-shared nor the MIKEY public-key protocol variants
variants are able to provide the security property of perfect- are able to provide the security property of perfect-forward secrecy.
forward secrecy. Thus, none of the other MIKEY protocols is able Thus, none of the other MIKEY protocols is able to substitute the
to substitute the Diffie-Hellman PFS property. Diffie-Hellman PFS property.
As such, DHHMAC but also digitally signed DH provides a far HMAC-authenticated Diffie-Hellman for MIKEY January 2005
superior security level over the pre-shared or public-key based key
distribution protocol in that respect. As such, DHHMAC but also digitally signed DH provides a far superior
security level over the pre-shared or public-key based key distribution
protocol in that respect.
* Fair, mutual key contribution: * Fair, mutual key contribution:
The Diffie-Hellman key management protocol is not a strict key The Diffie-Hellman key management protocol is not a strict key
distribution protocol per se with the initiator distributing a key distribution protocol per se with the initiator distributing a key to
to its peers. Actually, both parties involved in the protocol its peers. Actually, both parties involved in the protocol exchange
exchange are able to equally contribute to the common Diffie- are able to equally contribute to the common Diffie-Hellman TEK traffic
Hellman TEK traffic generating key. This reduces the risk of generating key. This reduces the risk of either party cheating or
either party cheating or unintentionally generating a weak session unintentionally generating a weak session key. This makes the DHHMAC
key. This makes the DHHMAC a fair key agreement protocol. One may a fair key agreement protocol. One may view this property as an
view this property as an additional distributed security measure additional distributed security measure that is increasing security
that is increasing security robustness over the case where all the robustness over the case where all the security depends just on the
security depends just on the proper implementation of a single proper implementation of a single entity.
entity.
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
In order for Diffie-Hellman key agreement to be secure, each party In order for Diffie-Hellman key agreement to be secure, each party SHALL
SHALL generate its xi or xr values using a strong, unpredictable generate its xi or xr values using a strong, unpredictable pseudo-random
pseudo-random generator if a source of true randomness is not generator if a source of true randomness is not available. Further,
available. Further, these values xi or xr SHALL be kept private. these values xi or xr SHALL be kept private. It is RECOMMENDED that
It is RECOMMENDED that these secret values be destroyed once the these secret values be destroyed once the common Diffie-Hellman shared
common Diffie-Hellman shared secret key has been established. secret key has been established.
* Efficiency and performance: * Efficiency and performance:
Like the MIKEY-public key protocol, the MIKEY DHHMAC key agreement Like the MIKEY-public key protocol, the MIKEY DHHMAC key agreement
protocol securely establishes a TGK within just one roundtrip. protocol securely establishes a TGK within just one roundtrip. Other
Other existing key management techniques like IPsec-IKE [14], existing key management techniques like IPsec-IKE [14], IPsec-IKEv2
IPsec-IKEv2 [21] and TLS [13] and other schemes are not deemed [21] and TLS [13] and other schemes are not deemed adequate in addressing
adequate in addressing sufficiently those real-time and security sufficiently those real-time and security requirements; they all use
requirements; they all use more than a single roundtrip. All the more than a single roundtrip. All the MIKEY key management protocols
MIKEY key management protocols are able to complete their task of are able to complete their task of security policy parameter negotiation
security policy parameter negotiation including key-agreement or including key-agreement or key distribution in one roundtrip. However,
key distribution in one roundtrip. However, the MIKEY pre-shared the MIKEY pre-shared and the MIKEY public-key protocol both are able
and the MIKEY public-key protocol both are able to complete their to complete their task even in a half-round trip when the confirmation
task even in a half-round trip when the confirmation messages are messages are omitted.
omitted.
Using HMAC in conjunction with a strong one-way hash function such Using HMAC in conjunction with a strong one-way hash function such as
as SHA1 may be achieved more efficiently in software than expensive SHA1 may be achieved more efficiently in software than expensive
public-key operations. This yields a particular performance public-key operations. This yields a particular performance benefit
benefit of DHHMAC over signed DH or the public-key encryption of DHHMAC over signed DH or the public-key encryption protocol.
protocol.
If a very high security level is desired for long-term secrecy of HMAC-authenticated Diffie-Hellman for MIKEY January 2005
the negotiated Diffie-Hellman shared secret, longer hash values may
be deployed such as SHA256, SHA384 or SHA512 provide, possibly in
conjunction with stronger Diffie-Hellman groups. This is left as
for further study.
For the sake of improved performance and reduced round trip delay If a very high security level is desired for long-term secrecy of the
either party may off-line pre-compute its public Diffie-Hellman negotiated Diffie-Hellman shared secret, longer hash values may be
half-key. deployed such as SHA256, SHA384 or SHA512 provide, possibly in
conjunction with stronger Diffie-Hellman groups. This is left as for
further study.
On the other side and under reasonable conditions, DHHMAC consumes For the sake of improved performance and reduced round trip delay either
more CPU cycles than the MIKEY pre-shared key distribution party may off-line pre-compute its public Diffie-Hellman half-key.
protocol. The same might hold true quite likely for the MIKEY
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
public-key distribution protocol (depending on choice of the On the other side and under reasonable conditions, DHHMAC consumes more
private and public key lengths). CPU cycles than the MIKEY pre-shared key distribution protocol. The
same might hold true quite likely for the MIKEY public-key distribution
protocol (depending on choice of the private and public key lengths).
As such, it can be said that DHHMAC provides sound performance when As such, it can be said that DHHMAC provides sound performance when
compared with the other MIKEY protocol variants. compared with the other MIKEY protocol variants.
The use of optional identity information (with the constraints The use of optional identity information (with the constraints stated
stated in section 5.2) and optional Diffie-Hellman half-key fields in section 5.2) and optional Diffie-Hellman half-key fields provides
provides a means to increase performance and shorten the consumed a means to increase performance and shorten the consumed network
network bandwidth. bandwidth.
* Security infrastructure: * Security infrastructure:
This document describes the HMAC-authenticated Diffie-Hellman key This document describes the HMAC-authenticated Diffie-Hellman key
agreement protocol that completely avoids digital signatures and agreement protocol that completely avoids digital signatures and the
the associated public-key infrastructure as would be necessary for associated public-key infrastructure as would be necessary for the X.509
the X.509 RSA public-key based key distribution protocol or the RSA public-key based key distribution protocol or the digitally signed
digitally signed Diffie-Hellman key agreement protocol as described Diffie-Hellman key agreement protocol as described in MIKEY. Public-key
in MIKEY. Public-key infrastructures may not always be available infrastructures may not always be available in certain environments nor
in certain environments nor may they be deemed adequate for real- may they be deemed adequate for real-time multimedia applications when
time multimedia applications when taking additional steps for taking additional steps for certificate validation and certificate
certificate validation and certificate revocation methods with revocation methods with additional round-trips into account.
additional round-trips into account.
DHHMAC does not depend on PKI nor do implementations require PKI DHHMAC does not depend on PKI nor do implementations require PKI
standards and thus is believed to be much simpler than the more standards and thus is believed to be much simpler than the more complex
complex PKI facilities. PKI facilities.
DHHMAC is particularly attractive in those environments where DHHMAC is particularly attractive in those environments where
provisioning of a pre-shared key has already been accomplished. provisioning of a pre-shared key has already been accomplished.
* NAT-friendliness: * NAT-friendliness:
DHHMAC is able to operate smoothly through firewall/NAT devices as
long as the protected identity information of the end entity is not
an IP /transport address.
* Scalability:
Like the MIKEY signed Diffie-Hellman protocol, DHHMAC does not
scale to any larger configurations beyond peer-to-peer groups.
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 HMAC-authenticated Diffie-Hellman for MIKEY January 2005
DHHMAC is able to operate smoothly through firewall/NAT devices as long
as the protected identity information of the end entity is not an IP
/transport address.
* Scalability:
Like the MIKEY signed Diffie-Hellman protocol, DHHMAC does not scale
to any larger configurations beyond peer-to-peer groups.
5.4. Assumptions 5.4. Assumptions
This document states a couple of assumptions upon which the security This document states a couple of assumptions upon which the security of
of DHHMAC significantly depends. It is assumed, that DHHMAC significantly depends. It is assumed, that
* the parameters xi, xr, s and auth_key are to be kept secret. * the parameters xi, xr, s and auth_key are to be kept secret.
* the pre-shared key s has sufficient entropy and cannot be * the pre-shared key s has sufficient entropy and cannot be
effectively guessed. effectively guessed.
* the pseudo-random function (PRF) is secure, yields indeed the * the pseudo-random function (PRF) is secure, yields indeed the
pseudo-random property and maintains the entropy. pseudo-random property and maintains the entropy.
* a sufficiently large and secure Diffie-Hellman group is applied. * a sufficiently large and secure Diffie-Hellman group is applied.
* the Diffie-Hellman assumption holds saying basically that even with * the Diffie-Hellman assumption holds saying basically that even with
knowledge of the exchanged Diffie-Hellman half-keys and knowledge knowledge of the exchanged Diffie-Hellman half-keys and knowledge of
of the Diffie-Hellman group, it is infeasible to compute the TGK or the Diffie-Hellman group, it is infeasible to compute the TGK or to
to derive the secret parameters xi or xr. The latter is also derive the secret parameters xi or xr. The latter is also called the
called the discrete logarithm assumption. Please see [7], [11] or discrete logarithm assumption. Please see [7], [11] or [12] for more
[12] for more background information regarding the Diffie-Hellman background information regarding the Diffie-Hellman problem and its
problem and its computational complexity assumptions. computational complexity assumptions.
* the hash function (SHA1) is secure; i.e. that it is computationally * the hash function (SHA1) is secure; i.e. that it is computationally
infeasible to find a message which corresponds to a given message infeasible to find a message which corresponds to a given message digest,
digest, or to find two different messages that produce the same or to find two different messages that produce the same message digest.
message digest.
* the HMAC algorithm is secure and does not leak the auth_key. In * the HMAC algorithm is secure and does not leak the auth_key. In
particular, the security depends on the message authentication particular, the security depends on the message authentication property
property of the compression function of the hash function H when of the compression function of the hash function H when applied to single
applied to single blocks (see [6]). blocks (see [6]).
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
* a source capable of producing sufficiently many bits of (pseudo) * a source capable of producing sufficiently many bits of (pseudo)
randomness is available. randomness is available.
* the system upon which DHHMAC runs is sufficiently secure. * the system upon which DHHMAC runs is sufficiently secure.
5.5. Residual risk 5.5. Residual risk
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
Although these detailed assumptions are non-negligible, security
experts generally believe that all these assumptions are reasonable
and that the assumptions made can be fulfilled in practice with
little or no expenses.
The mathematical and cryptographic assumptions upon the properties of Although these detailed assumptions are non-negligible, security experts
the PRF, the Diffie-Hellman algorithm (discrete log-assumption), the generally believe that all these assumptions are reasonable and that the
HMAC and SHA1 algorithms have not been proved yet nor have they been assumptions made can be fulfilled in practice with little or no expenses.
disproved by the time of this writing.
Thus, a certain residual risk remains, which might threaten the The mathematical and cryptographic assumptions upon the properties of the
overall security at some unforeseeable time in the future. PRF, the Diffie-Hellman algorithm (discrete log-assumption), the HMAC and
SHA1 algorithms have not been proved yet nor have they been disproved by
the time of this writing.
The DHHMAC would be compromised as soon as any of the listed Thus, a certain residual risk remains, which might threaten the overall
assumptions do not hold anymore. security at some unforeseeable time in the future.
The Diffie-Hellman mechanism is a generic security technique that is The DHHMAC would be compromised as soon as any of the listed assumptions
not only applicable to groups of prime order or of characteristic do not hold anymore.
two. This is because of the fundamental mathematical assumption that
the discrete logarithm problem is also a very hard one in general
groups. This enables Diffie-Hellman to be deployed also for GF(p)*,
for sub-groups of sufficient size and for groups upon elliptic
curves. RSA does not allow such generalization, as the core
mathematical problem is a different one (large integer
factorization).
RSA asymmetric keys tend to become increasingly lengthy (1536 bits
and more) and thus very computational intensive. Neverthess,
elliptic curve Diffie-Hellman (ECDH) allows to cut-down key lengths
substantially (say 170 bits or more) while maintaining at least the
security level and providing even significant performance benefits in
practice. Moreover, it is believed that elliptic curve techniques
provide much better protection against side channel attacks due to
the inherent redundancy in the projective coordinates. For all these
reasons, one may view elliptic-curve-based Diffie-Hellman as being
more "future-proof" and robust against potential threats than RSA.
Note, that an elliptic-curve Diffie-Hellman variant of MIKEY remains
for further study.
The Diffie-Hellman mechanism is a generic security technique that is not
only applicable to groups of prime order or of characteristic two. This
is because of the fundamental mathematical assumption that the discrete
logarithm problem is also a very hard one in general groups. This enables
Diffie-Hellman to be deployed also for GF(p)*, for sub-groups of
sufficient size and for groups upon elliptic curves. RSA does not allow
such generalization, as the core mathematical problem is a different one
(large integer factorization).
RSA asymmetric keys tend to become increasingly lengthy (1536 bits and
more) and thus very computational intensive. Neverthess, elliptic curve
Diffie-Hellman (ECDH) allows to cut-down key lengths substantially (say
170 bits or more) while maintaining at least the security level and
providing even significant performance benefits in practice. Moreover,
it is believed that elliptic curve techniques provide much better
protection against side channel attacks due to the inherent redundancy
in the projective coordinates. For all these reasons, one may view
elliptic-curve-based Diffie-Hellman as being more "future-proof" and
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 HMAC-authenticated Diffie-Hellman for MIKEY January 2005
It is not recommended to deploy DHHMAC for any other usage than robust against potential threats than RSA. Note, that an elliptic-curve
depicted in section 2. Otherwise any such misapplication might lead Diffie-Hellman variant of MIKEY remains for further study.
to unknown, undefined properties.
It is not recommended to deploy DHHMAC for any other usage than depicted
in section 2. Otherwise any such misapplication might lead to unknown,
undefined properties.
5.6. Authorization and Trust Model 5.6. Authorization and Trust Model
Basically, similar remarks on authorization as stated in [3] section Basically, similar remarks on authorization as stated in [3] section
4.3.2. hold also for DHHMAC. However, as noted before, this key 4.3.2. hold also for DHHMAC. However, as noted before, this key management
management protocol does not serve full groups. protocol does not serve full groups.
One may view the pre-established shared secret to yield some pre- One may view the pre-established shared secret to yield some
established trust relationship between the initiator and the pre-established trust relationship between the initiator and the
responder. This results in a much simpler trust model for DHHMAC responder. This results in a much simpler trust model for DHHMAC than
than would be the case for some generic group key management protocol would be the case for some generic group key management protocol and
and potential group entities without any pre-defined trust potential group entities without any pre-defined trust relationship. The
relationship. The common group controller in conjunction with the common group controller in conjunction with the assumption of a shared
assumption of a shared key simplifies the communication setup of the key simplifies the communication setup of the entities.
entities.
One may view the pre-established trust relationship through the pre- One may view the pre-established trust relationship through the pre-shared
shared secret as some means for pre-granted, implied authorization. secret as some means for pre-granted, implied authorization. This
This document does not define any particular authorization means but document does not define any particular authorization means but leaves
leaves this subject to the application. this subject to the application.
6. Acknowledgments 6. Acknowledgments
This document incorporates kindly valuable review feedback from This document incorporates kindly valuable review feedback from Steffen
Steffen Fries, Hannes Tschofenig, Fredrick Lindholm and Russell Fries, Hannes Tschofenig, Fredrick Lindholm and Russell Housley and
Housely and general feedback by the MSEC WG. general feedback by the MSEC WG.
Conclusions Conclusions
Key management for environments and applications with real-time and Key management for environments and applications with real-time and
performance constraints are becoming of interest. Existing key performance constraints are becoming of interest. Existing key management
management techniques like IPsec-IKE [14] and IPsec-IKEv2 [22], TLS techniques like IPsec-IKE [14] and IPsec-IKEv2 [22], TLS [13] and other
[13] and other schemes are not deemed adequate in addressing
sufficiently those real-time and security requirements.
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 HMAC-authenticated Diffie-Hellman for MIKEY January 2005
schemes are not deemed adequate in addressing sufficiently those real-time
and security requirements.
MIKEY defines three key management security protocols addressing MIKEY defines three key management security protocols addressing
real-time constraints. DHHMAC as described in this document defines real-time constraints. DHHMAC as described in this document defines a
a fourth MIKEY variant aiming at the same target. fourth MIKEY variant aiming at the same target.
While each of the four key management protocols has its own merits While each of the four key management protocols has its own merits there
there are also certain limitations of each approach. As such there are also certain limitations of each approach. As such there is no single
is no single ideal solution and none of the variants is able to ideal solution and none of the variants is able to subsume the other
subsume the other remaining variants. remaining variants.
It is concluded that DHHMAC features useful security and performance It is concluded that DHHMAC features useful security and performance
properties that none of the other three MIKEY variants is able to properties that none of the other three MIKEY variants is able to provide.
provide.
7. IANA considerations 7. IANA considerations
This document does not define its own new name spaces for DHHMAC, This document does not define its own new name spaces for DHHMAC, beyond
beyond the IANA name spaces that have been assigned for MIKEY, see the IANA name spaces that have been assigned for MIKEY, see [3] section
[3] section 10 and section 10.1. 10 and section 10.1.
The name spaces for the following fields in the Common header payload The name spaces for the following fields in the Common header payload (from
(from Section 4.1) are requested to be managed by IANA (in bracket is Section 4.1) are requested to be managed by IANA (in bracket is the
the reference to the table with the initially registered values): reference to the table with the initially registered values):
* data type (Table 4.1.a); to be aligned with [3] table 6.1.a. * data type (Table 4.1.a); to be aligned with [3] table 6.1.a.
8. References 8. References
8.1 Normative References 8.1 Normative References
[1] Bradner, S., "The Internet Standards Process -- Revision 3", [1] Bradner, S., "The Internet Standards Process -- Revision 3",
BCP 9, RFC 2026, October 1996. BCP 9, RFC 2026, October 1996.
[2] Bradner, S., "Key words for use in RFCs to Indicate [2] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[3] J. Arkko, E. Carrara, F. Lindholm, M. Naslund, K. Norrman; [3] J. Arkko, E. Carrara, F. Lindholm, M. Naslund, K. Norrman;
"MIKEY: Multimedia Internet KEYing", RFC 3830 IETF, August 2004. "MIKEY: Multimedia Internet KEYing", RFC 3830 IETF, August 2004.
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
[4] NIST, FIBS-PUB 180-1, "Secure Hash Standard", April 1995, [4] NIST, FIBS-PUB 180-1, "Secure Hash Standard", April 1995,
http://csrc.nist.gov/fips/fip180-1.ps. http://csrc.nist.gov/fips/fip180-1.ps.
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
[5] J. Arkko, E. Carrara et al: "Key Management Extensions for SDP [5] J. Arkko, E. Carrara et al: "Key Management Extensions for SDP
and RTSP", Internet Draft <draft-ietf-mmusic-kmgmt-ext-11.txt>, and RTSP", Internet Draft <draft-ietf-mmusic-kmgmt-ext-11.txt>,
Work in Progress (MMUSIC WG), IETF, April 2004. Work in Progress (MMUSIC WG), IETF, April 2004.
[6] H. Krawczyk, M. Bellare, R. Canetti: "HMAC: Keyed-Hashing for [6] H. Krawczyk, M. Bellare, R. Canetti: "HMAC: Keyed-Hashing for
Message Authentication", RFC 2104, February 1997. Message Authentication", RFC 2104, February 1997.
8.2 Informative References 8.2 Informative References
[7] A.J. Menezes, P. van Oorschot, S. A. Vanstone: "Handbook of [7] A.J. Menezes, P. van Oorschot, S. A. Vanstone: "Handbook of
skipping to change at page 29, line 43 skipping to change at page 29, line 4
[12] Discrete Logarithms and the Diffie-Hellman Protocol; [12] Discrete Logarithms and the Diffie-Hellman Protocol;
http://www.crypto.ethz.ch/research/ntc/dldh/ http://www.crypto.ethz.ch/research/ntc/dldh/
[13] T. Dierks, C. Allen: "The TLS Protocol Version 1.0.", RFC 2246, [13] T. Dierks, C. Allen: "The TLS Protocol Version 1.0.", RFC 2246,
IETF, January 1999. IETF, January 1999.
[14] D. Harkins, D. Carrel: "The Internet Key Exchange (IKE).", RFC [14] D. Harkins, D. Carrel: "The Internet Key Exchange (IKE).", RFC
2409, IETF, November 1998. 2409, IETF, November 1998.
[15] Donald E. Eastlake, Jeffrey I. Schiller, Steve Crocker: [15] Donald E. Eastlake, Jeffrey I. Schiller, Steve Crocker:
"Randomness Requirements for Security"; <draft-eastlake-
randomness2-10.txt>; Work in Progress, IETF, January 2005.
[16] J. Schiller: "Strong Security Requirements for Internet
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 HMAC-authenticated Diffie-Hellman for MIKEY January 2005
Engineering Task Force Standard Protocols", RFC 3365, IETF, "Randomness Requirements for Security";
2002. <draft-eastlake-randomness2-10.txt>; Work in Progress, IETF,
January 2005.
[16] J. Schiller: "Strong Security Requirements for Internet
Engineering Task Force Standard Protocols", RFC 3365, IETF, 2002.
[17] C. Meadows: "Advice on Writing an Internet Draft Amenable to [17] C. Meadows: "Advice on Writing an Internet Draft Amenable to
Security Analysis", Work in Progress, <draft-irtf-cfrg-advice- Security Analysis", Work in Progress,
00.txt>, IRTF, October 2002. <draft-irtf-cfrg-advice-00.txt>, IRTF, October 2002.
[18] T. Narten: "Guidelines for Writing an IANA Considerations [18] T. Narten: "Guidelines for Writing an IANA Considerations
Section in RFCs", RFC 2434, IETF, October 1998. Section in RFCs", RFC 2434, IETF, October 1998.
[19] J. Reynolds: "Instructions to Request for Comments (RFC) [19] J. Reynolds: "Instructions to Request for Comments (RFC)
Authors", Work in Progress, <draft-rfc-editor-rfc2223bis- Authors", Work in Progress, <draft-rfc-editor-rfc2223bis-08.txt>,
08.txt>, IETF, August 2004. IETF, August 2004.
[20] J. Rosenberg et all: "SIP: Session Initiation Protocol", RFC [20] J. Rosenberg et all: "SIP: Session Initiation Protocol", RFC
3261, IETF, June 2002. 3261, IETF, June 2002.
[21] Ch. Kaufman: "Internet Key Exchange (IKEv2) Protocol", Work in [21] Ch. Kaufman: "Internet Key Exchange (IKEv2) Protocol", Work in
Progress (IPSEC WG), <draft-ietf-ipsec-ikev2-17.txt>, Internet Progress (IPSEC WG), <draft-ietf-ipsec-ikev2-17.txt>, Internet
Draft, Work in Progress (IPSEC WG). Draft, Work in Progress (IPSEC WG).
[22] ITU-T Recommendation H.235 Annex G: "Usage of the MIKEY [22] ITU-T Recommendation H.235 Annex G: "Usage of the MIKEY
Key Management Protocol for the Secure Real Time Transport Key Management Protocol for the Secure Real Time Transport Protocol
Protocol (SRTP) within H.235"; 1/2005. (SRTP) within H.235"; 1/2005.
[23] Schaad, J., Housley R.: "Advanced Encryption Standard (AES) [23] Schaad, J., Housley R.: "Advanced Encryption Standard (AES)
Key Wrap Algorithm", RFC 3394, IETF, September 2002. Key Wrap Algorithm", RFC 3394, IETF, September 2002.
[24] Baugher, M., Weis, B., Hardjono, T., Harney, H.: "The Group [24] Baugher, M., Weis, B., Hardjono, T., Harney, H.: "The Group
Domain of Interpretation", RFC 3547, IETF, July 2003. Domain of Interpretation", RFC 3547, IETF, July 2003.
[25] Harney, H., Colegrove, A., Harder, E., Meth, U., Fleischer, R.: [25] Harney, H., Colegrove, A., Harder, E., Meth, U., Fleischer, R.:
"Group Secure Association Key Management Protocol", <draft-ietf- "Group Secure Association Key Management Protocol",
msec-gsakmp-sec-07.txt>, Internet Draft, Work in Progress (MSEC <draft-ietf-msec-gsakmp-sec-07.txt>, Internet Draft, Work in
WG). Progress (MSEC WG).
[26] Baugher, M., Canetti, R., Dondeti, L., and Lindholm, F.: "Group [26] Baugher, M., Canetti, R., Dondeti, L., and Lindholm, F.: "Group
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
Key Management Architecture", <draft-ietf-msec-gkmarch-08.txt>, Key Management Architecture", <draft-ietf-msec-gkmarch-08.txt>,
Internet Draft, Work in Progress (MSEC WG). Internet Draft, Work in Progress (MSEC WG).
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 [27] Baugher, McGrew, Oran, Blom, Carrara, Naslund: "The Secure Real-time
Transport Protocol", RFC 3711, IETF, March 2004.
[27] Baugher, McGrew, Oran, Blom, Carrara, Naslund: "The Secure Real-
time Transport Protocol", RFC 3711, IETF, March 2004.
[28] ITU-T Recommendation H.235V3Amd1 Corr1, "Security and encryption [28] ITU-T Recommendation H.235V3Amd1 Corr1, "Security and encryption for
for H-series (H.323 and other H.245-based) multimedia H-series (H.323 and other H.245-based) multimedia terminals",
terminals", (01/2005). (01/2005).
[29] C. Adams et al: "Internet X.509 Public Key Infrastructure [29] C. Adams et al: "Internet X.509 Public Key Infrastructure Certificate
Certificate Management Protocols"; draft-ietf-pkix-rfc2510bis- Management Protocols"; draft-ietf-pkix-rfc2510bis-09.txt,
09.txt, Internet Draft, Work in Progress (PKIX WG). Internet Draft, Work in Progress (PKIX WG).
[30] M. Myers et al: "X.509 Internet Public Key Infrastructure Online [30] M. Myers et al: "X.509 Internet Public Key Infrastructure Online
Certificate Status Protocol - OCSP", RFC 2560, IETF, June 1999. Certificate Status Protocol - OCSP", RFC 2560, IETF, June 1999.
[31] C. Adams et al: "Internet X.509 Public Key Infrastructure Data [31] C. Adams et al: "Internet X.509 Public Key Infrastructure Data
Validation and Certification Server Protocols", RFC 3029, IETF, Validation and Certification Server Protocols", RFC 3029, IETF,
February 2001. February 2001.
[32] M. Myers: "Internet X.509 Certificate Request Message Format", [32] M. Myers: "Internet X.509 Certificate Request Message Format", RFC
RFC 2511, IETF, March 1999. 2511, IETF, March 1999.
[33] M. Cooper et al: "Internet X.509 Public Key Infrastructure: [33] M. Cooper et al: "Internet X.509 Public Key Infrastructure:
Certification Path Building", <draft-ietf-pkix-certpathbuild- Certification Path Building",
05.txt>, Internet Draft, Work in Progress (PKIX WG). <draft-ietf-pkix-certpathbuild-05.txt>, Internet Draft, Work in
Progress (PKIX WG).
[34] Bradner, S., "IETF Rights in Contributions", BCP 78, RFC 3667, [34] Bradner, S., "IETF Rights in Contributions", BCP 78, RFC 3667,
February 2004. February 2004.
[35] Bradner, S., "Intellectual Property Rights in IETF Technology", [35] Bradner, S., "Intellectual Property Rights in IETF Technology", BCP
BCP 79, RFC 3668, February 2004. 79, RFC 3668, February 2004.
Full Copyright Statement Full Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject Copyright (C) The Internet Society (2004). This document is subject to
to the rights, licenses and restrictions contained in BCP 78, and the rights, licenses and restrictions contained in BCP 78, and except as
except as set forth therein, the authors retain all their rights. set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 HMAC-authenticated Diffie-Hellman for MIKEY January 2005
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, This document and the information contained herein are provided on an "AS
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property Rights Intellectual Property Rights
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed Intellectual Property Rights or other rights that might be claimed to
to pertain to the implementation or use of the technology described pertain to the implementation or use of the technology described in this
in this document or the extent to which any license under such document or the extent to which any license under such rights might or
rights might or might not be available; nor does it represent that might not be available; nor does it represent that it has made any
it has made any independent effort to identify any such rights. independent effort to identify any such rights. Information on the
Information on the procedures with respect to rights in ISOC procedures with respect to rights in ISOC Documents can be found in BCP
Documents can be found in BCP 78 and BCP 79. 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any Copies of IPR disclosures made to the IETF Secretariat and any assurances
assurances of licenses to be made available, or the result of an of licenses to be made available, or the result of an attempt made to obtain
attempt made to obtain a general license or permission for the use a general license or permission for the use of such proprietary rights
of such proprietary rights by implementers or users of this by implementers or users of this specification can be obtained from the
specification can be obtained from the IETF on-line IPR repository IETF on-line IPR repository at http://www.ietf.org/ipr.
at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary rights
rights that may cover technology that may be required to implement that may cover technology that may be required to implement this standard.
this standard. Please address the information to the IETF at Please address the information to the IETF at
ietf-ipr@ietf.org. ietf-ipr@ietf.org.
Expiration Date Expiration Date
This Internet Draft expires on 30 July 2005. This Internet Draft expires on 30 July 2005.
[Note to the RFC editor: Please remove the entire following section
prior to publication.]
HMAC-authenticated Diffie-Hellman for MIKEY January 2005 HMAC-authenticated Diffie-Hellman for MIKEY January 2005
[Note to the RFC editor: Please remove the entire following section prior
to publication.]
Revision History Revision History
Changes against draft-ietf-msec-mikey-dhhmac-08.txt:
* PKIX removed; some minor editorials.
Changes against draft-ietf-msec-mikey-dhhmac-07.txt: Changes against draft-ietf-msec-mikey-dhhmac-07.txt:
* Feedback addressed from AD review. * Feedback addressed from AD review.
* added considerations on the possible impact of PKIX protocols and * added considerations on the possible impact of PKIX protocols and
operations to end systems with real-time constraints (section 1). operations to end systems with real-time constraints (section 1).
* added note that DH group is transmitted explicitly but not the * added note that DH group is transmitted explicitly but not the parameters
parameters g and p; see section 3. g and p; see section 3.
* added considerations on clock synchronization and timestamps in * added considerations on clock synchronization and timestamps in section
section 2 and in section 5.3 in the view of consequences on replay 2 and in section 5.3 in the view of consequences on replay protection.
protection.
* references updated. * references updated.
* editorial corrections and cleanup. * editorial corrections and cleanup.
Changes against draft-ietf-msec-mikey-dhhmac-06.txt: Changes against draft-ietf-msec-mikey-dhhmac-06.txt:
* Abstract reworded. * Abstract reworded.
* used new RFC boilerplate: changed/moved IPR statement (now at the * used new RFC boilerplate: changed/moved IPR statement (now at the
beginning), status of Memo, and Intellectual Property Rights beginning), status of Memo, and Intellectual Property Rights section
section in accordance with RFC 3667, RFC 3668. in accordance with RFC 3667, RFC 3668.
* ID nits removal. * ID nits removal.
* References updated. * References updated.
* Note added to section 4.1 explaining how to differentiate between * Note added to section 4.1 explaining how to differentiate between
MIKEY and DHHMAC. MIKEY and DHHMAC.
* New section 4.4 added that describes the use of the general * New section 4.4 added that describes the use of the general extension
extension payload to avoid bidding-down attacks. payload to avoid bidding-down attacks.
* Description of the bidding-down avoidance mechanism removed from * Description of the bidding-down avoidance mechanism removed from the
the threat model in section 5.2. threat model in section 5.2.
* IANA considerations section re-written and aligned with MIKEY. * IANA considerations section re-written and aligned with MIKEY.
* Open issue on KMID pointed in IANA considerations section. * Open issue on KMID pointed in IANA considerations section.
* editorial clean-up. * editorial clean-up.
Changes against draft-ietf-msec-mikey-dhhmac-05.txt: Changes against draft-ietf-msec-mikey-dhhmac-05.txt:
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
* HMAC-SHA1-96 option removed (see section 1.2, 4.2, 5.3,). This * HMAC-SHA1-96 option removed (see section 1.2, 4.2, 5.3,). This
option does not really provide much gain; removal reduces number option does not really provide much gain; removal reduces number
of options. of options.
* IDr added to I_message for DoS protection of the recipient; see * IDr added to I_message for DoS protection of the recipient; see
section 3, 3.1, 5.3. section 3, 3.1, 5.3.
* References updated. * References updated.
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
Changes against draft-ietf-msec-mikey-dhhmac-04.txt: Changes against draft-ietf-msec-mikey-dhhmac-04.txt:
* Introduction section modified: PFS property of DH, requirement * Introduction section modified: PFS property of DH, requirement for
for 4th MIKEY key management variant motivated. 4th MIKEY key management variant motivated.
* MIKEY-DHSIGN, MIKEY-PK and MIKEY-PS added to section 1.2 * MIKEY-DHSIGN, MIKEY-PK and MIKEY-PS added to section 1.2
Abbreviations. Abbreviations.
* Note on secure time synchronization added to section 2.0. * Note on secure time synchronization added to section 2.0.
* New section 2.2 "Relation to GMKARCH" added. * New section 2.2 "Relation to GMKARCH" added.
* New section 2.1.1 "Usage in H.235" added: this section outlines a * New section 2.1.1 "Usage in H.235" added: this section outlines a use
use case of DHHMAC in the context of H.235. case of DHHMAC in the context of H.235.
* Trade-off between identity-protection and security & performance * Trade-off between identity-protection and security & performance
added to section 5.1. added to section 5.1.
* New section 5.6 "Authorization and Trust Model" added. * New section 5.6 "Authorization and Trust Model" added.
* Some further informative references added. * Some further informative references added.
Changes against draft-ietf-msec-mikey-dhhmac-03.txt: Changes against draft-ietf-msec-mikey-dhhmac-03.txt:
* RFC 3552 available; some references updated. * RFC 3552 available; some references updated.
Changes against draft-ietf-msec-mikey-dhhmac-02.txt: Changes against draft-ietf-msec-mikey-dhhmac-02.txt:
skipping to change at page 34, line 39 skipping to change at page 34, line 4
* exponentiation ** changed to ^. * exponentiation ** changed to ^.
* Notation aligned with MIKEY-07. * Notation aligned with MIKEY-07.
* Clarified that the HMAC is calculated over the entire MIKEY * Clarified that the HMAC is calculated over the entire MIKEY
message excluding the MAC field. message excluding the MAC field.
* Section 4.2: The AES key wrap method SHALL not be applied. * Section 4.2: The AES key wrap method SHALL not be applied.
* Section 1: Relationship with other, existing work mentioned. * Section 1: Relationship with other, existing work mentioned.
Changes against draft-ietf-msec-mikey-dhhmac-01.txt: Changes against draft-ietf-msec-mikey-dhhmac-01.txt:
* bidding-down attacks addressed (see section 5.2). * bidding-down attacks addressed (see section 5.2).
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
* optional [X], [X, Y] defined and clarified (see section 1.1, * optional [X], [X, Y] defined and clarified (see section 1.1,
5.3). 5.3).
* combination of options defined in key update procedure (see * combination of options defined in key update procedure (see
section 3.1). section 3.1).
* ID payloads clarified (see section 3 and 5.2). * ID payloads clarified (see section 3 and 5.2).
* relationship with MIKEY explained (roundtrip, performance). * relationship with MIKEY explained (roundtrip, performance).
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
* new section 2.1 on applicability of DHHMAC for SIP/SDP and * new section 2.1 on applicability of DHHMAC for SIP/SDP and
H.323 added. H.323 added.
* more text due to DH resolution incorporated in section 5.3 * more text due to DH resolution incorporated in section 5.3
regarding PFS, security robustness of DH, generalization regarding PFS, security robustness of DH, generalization
capability of DH to general groups in particular EC and capability of DH to general groups in particular EC and
"future-proofness". "future-proofness".
* a few editorials and nits. * a few editorials and nits.
* references adjusted and cleaned-up. * references adjusted and cleaned-up.
Changes against draft-ietf-msec-mikey-dhhmac-00.txt: Changes against draft-ietf-msec-mikey-dhhmac-00.txt:
skipping to change at page 35, line 39 skipping to change at page 35, line 4
rather than the SHA1 intermediate value. rather than the SHA1 intermediate value.
* improved security considerations section completely rewritten in * improved security considerations section completely rewritten in
the spirit of [8]. the spirit of [8].
* IANA consideration section added * IANA consideration section added
* a few editorial improvements and corrections * a few editorial improvements and corrections
* IPR clarified and IPR section changed. * IPR clarified and IPR section changed.
Author's Addresses Author's Addresses
Martin Euchner Martin Euchner
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
Email: martin_euchner@hotmail.com Email: martin_euchner@hotmail.com
Phone: +49 89 722 55790 Hofmannstr. 51 Phone: +49 89 722 55790 Hofmannstr. 51
Fax: +49 89 722 62366 Fax: +49 89 722 62366
81359 Munich, Germany 81359 Munich, Germany
HMAC-authenticated Diffie-Hellman for MIKEY January 2005
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/