draft-ietf-ipsecme-aes-ctr-ikev2-00.txt   draft-ietf-ipsecme-aes-ctr-ikev2-01.txt 
IPSECME S. Shen IPSECME S. Shen
Internet-Draft Huawei Internet-Draft Huawei
Updates: RFC4307 Y. Mao Updates: RFC4307 Y. Mao
(if approved) H3C (if approved) H3C
Expires: January 28, 2010 NSS. Murthy Expires: February 18, 2010 NSS. Murthy
Freescale Semiconductor Freescale Semiconductor
July 27, 2009 August 17, 2009
Using Advanced Encryption Standard (AES) Counter Mode with IKEv2 Using Advanced Encryption Standard (AES) Counter Mode with IKEv2
draft-ietf-ipsecme-aes-ctr-ikev2-00 draft-ietf-ipsecme-aes-ctr-ikev2-01
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 28, 2010. This Internet-Draft will expire on February 18, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info). publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 17 skipping to change at page 2, line 17
This document describes the usage of Advanced Encryption Standard This document describes the usage of Advanced Encryption Standard
Counter Mode (AES_CTR), with an explicit initialization vector, by Counter Mode (AES_CTR), with an explicit initialization vector, by
IKEv2 for encrypting the IKEv2 exchanges that follow the IKE_SA_INIT IKEv2 for encrypting the IKEv2 exchanges that follow the IKE_SA_INIT
exchange. exchange.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Conventions Used In This Document . . . . . . . . . . . . 3 1.1. Conventions Used In This Document . . . . . . . . . . . . 3
2. AES Counter Mode . . . . . . . . . . . . . . . . . . . . . . . 4 2. AES Counter Mode . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Key Sizes and Rounds . . . . . . . . . . . . . . . . . . . 4 2.1. Counter Mode . . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Block Size . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2. Key Sizes and Rounds . . . . . . . . . . . . . . . . . . . 6
3. IKEv2 Encrypted Payload . . . . . . . . . . . . . . . . . . . 5 2.3. Block Size . . . . . . . . . . . . . . . . . . . . . . . . 7
3.1. Initialization Vector(IV) . . . . . . . . . . . . . . . . 5 3. IKEv2 Encrypted Payload . . . . . . . . . . . . . . . . . . . 8
3.2. Integrity Checksum Data . . . . . . . . . . . . . . . . . 5 3.1. Initialization Vector(IV) . . . . . . . . . . . . . . . . 8
4. Counter Block Format . . . . . . . . . . . . . . . . . . . . . 6 3.2. Integrity Checksum Data . . . . . . . . . . . . . . . . . 8
5. IKEv2 Conventions . . . . . . . . . . . . . . . . . . . . . . 8 4. Counter Block Format . . . . . . . . . . . . . . . . . . . . . 9
5.1. Keying Material and Nonces . . . . . . . . . . . . . . . . 8 5. IKEv2 Conventions . . . . . . . . . . . . . . . . . . . . . . 11
5.2. Encryption identifier . . . . . . . . . . . . . . . . . . 9 5.1. Keying Material and Nonces . . . . . . . . . . . . . . . . 11
5.3. Key Length Attribute . . . . . . . . . . . . . . . . . . . 9 5.2. Encryption identifier . . . . . . . . . . . . . . . . . . 12
6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 5.3. Key Length Attribute . . . . . . . . . . . . . . . . . . . 12
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15
9.1. Normative References . . . . . . . . . . . . . . . . . . . 13 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
9.2. Informative References . . . . . . . . . . . . . . . . . . 13 9.1. Normative References . . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 9.2. Informative References . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction 1. Introduction
IKEv2 [RFC4306] is a component of IPsec used for performing mutual IKEv2 [RFC4306] is a component of IPsec used for performing mutual
authentication and establishing and maintaining security associations authentication and establishing and maintaining security associations
(SAs). [RFC4307] defines the set of algorithms that are mandatory to (SAs). [RFC4307] defines the set of algorithms that are mandatory to
implement as part of IKEv2, as well as algorithms that should be implement as part of IKEv2, as well as algorithms that should be
implemented because they may be promoted to mandatory at some future implemented because they may be promoted to mandatory at some future
time. [RFC4307] requires that an implementation "SHOULD" support time. [RFC4307] requires that an implementation "SHOULD" support
Advanced Encryption Standard [AES] in Counter Mode [MODES] (AES_CTR) Advanced Encryption Standard [AES] in Counter Mode [MODES] (AES_CTR)
skipping to change at page 4, line 7 skipping to change at page 4, line 7
CREATE_CHILD_SA exchange, messages in INFORMATIONAL exchange. CREATE_CHILD_SA exchange, messages in INFORMATIONAL exchange.
1.1. Conventions Used In This Document 1.1. Conventions Used In This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. AES Counter Mode 2. AES Counter Mode
Section 2 of [RFC3686] provides a description of AES_CTR mode AES [AES] is a symmetric block cipher that can process data blocks of
including its characteristics and implementation issues. 128 bits, using cipher keys with lengths of 128, 192, and 256 bits.
RFC 3686 explains the procedure to generate the key material required
when the ESP protocol employs AES-CTR for encryption.
The use of AES algorithm operations in IKEv2 is the same as what The use of AES algorithm operations in IKEv2 is the same as what
defined in [AES]. The use of Counter Mode is defined the same as how defined in [AES]. The use of Counter Mode is defined the same as how
AES_CTR is used to encrypt ESP payload [RFC3686]. The choices of Key AES_CTR is used to encrypt ESP payload [RFC3686]. The choices of Key
Size, Rounds and Block Size are defined as following which are Size, Rounds and Block Size are defined as following which are
compatible with [RFC3686]. compatible with [RFC3686].
2.1. Key Sizes and Rounds 2.1. Counter Mode
This section gives description for AES Counter Mode algorithm and
cites algorithm description part in section 2.1 of [RFC3686]
NIST has defined five modes of operation for AES and other FIPS-
approved block ciphers [MODES]. Each of these modes has different
characteristics. The five modes are: ECB (Electronic Code Book), CBC
(Cipher Block Chaining), CFB (Cipher FeedBack), OFB (Output
FeedBack), and CTR (Counter).
Only AES Counter mode (AES-CTR) is discussed in this specification.
AES-CTR requires the encryptor to generate a unique per-packet value,
and communicate this value to the decryptor. This specification
calls this per-packet value an initialization vector (IV). The same
IV and key combination MUST NOT be used more than once. The
encryptor can generate the IV in any manner that ensures uniqueness.
Common approaches to IV generation include incrementing a counter for
each packet and linear feedback shift registers (LFSRs).
This specification calls for the use of a nonce for additional
protection against precomputation attacks. The nonce value need not
be secret. However, the nonce MUST be unpredictable prior to the
establishment of the IPsec security association that is making use of
AES-CTR.
AES-CTR has many properties that make it an attractive encryption
algorithm for in high-speed networking. AES-CTR uses the AES block
cipher to create a stream cipher. Data is encrypted and decrypted by
XORing with the key stream produced by AES encrypting sequential
counter block values. AES-CTR is easy to implement, and AES-CTR can
be pipelined and parallelized. AES-CTR also supports key stream
precomputation.
Pipelining is possible because AES has multiple rounds (see
Section 2.2). A hardware implementation (and some software
implementations) can create a pipeline by unwinding the loop implied
by this round structure. For example, after a 16-octet block has
been input, one round later another 16-octet block can be input, and
so on. In AES- CTR, these inputs are the sequential counter block
values used to generate the key stream.
Multiple independent AES encrypt implementations can also be used to
improve performance. For example, one could use two AES encrypt
implementations in parallel, to process a sequence of counter block
values, doubling the effective throughput.
The sender can precompute the key stream. Since the key stream does
not depend on any data in the packet, the key stream can be
precomputed once the nonce and IV are assigned. This precomputation
can reduce packet latency. The receiver cannot perform similar
precomputation because the IV will not be known before the packet
arrives.
AES-CTR uses the only AES encrypt operation (for both encryption and
decryption), making AES-CTR implementations smaller than
implementations of many other AES modes.
When used correctly, AES-CTR provides a high level of
confidentiality. Unfortunately, AES-CTR is easy to use incorrectly.
Being a stream cipher, any reuse of the per-packet value, called the
IV, with the same nonce and key is catastrophic. An IV collision
immediately leaks information about the plaintext in both packets.
For this reason, it is inappropriate to use this mode of operation
with static keys. Extraordinary measures would be needed to prevent
reuse of an IV value with the static key across power cycles. To be
safe, implementations MUST use fresh keys with AES-CTR. The Internet
Key Exchange [RFC4306] protocol can be used to establish fresh keys.
IKE can also provide the nonce value.
With AES-CTR, it is trivial to use a valid ciphertext to forge other
(valid to the decryptor) ciphertexts. Thus, it is equally
catastrophic to use AES-CTR without a companion authentication
function. Implementations MUST use AES-CTR in conjunction with an
authentication function, such as HMAC-SHA-1-96 [RFC2404].
To encrypt a payload with AES-CTR, the encryptor partitions the
plaintext, PT, into 128-bit blocks. The final block need not be 128
bits; it can be less.
PT = PT[1] PT[2] ... PT[n]
Each PT block is XORed with a block of the key stream to generate the
ciphertext, CT. The AES encryption of each counter block results in
128 bits of key stream. The most significant 96 bits of the counter
block are set to the nonce value, which is 32 bits, followed by the
per-packet IV value, which is 64 bits. The least significant 32 bits
of the counter block are initially set to one. This counter value is
incremented by one to generate subsequent counter blocks, each
resulting in another 128 bits of key stream. The encryption of n
plaintext blocks can be summarized as:
CTRBLK := NONCE || IV || ONE
FOR i := 1 to n-1 DO
CT[i] := PT[i] XOR AES(CTRBLK)
CTRBLK := CTRBLK + 1
END
CT[n] := PT[n] XOR TRUNC(AES(CTRBLK))
The AES() function performs AES encryption with the fresh key.
The TRUNC() function truncates the output of the AES encrypt
operation to the same length as the final plaintext block, returning
the most significant bits.
Decryption is similar. The decryption of n ciphertext blocks can be
summarized as:
CTRBLK := NONCE || IV || ONE
FOR i := 1 to n-1 DO
PT[i] := CT[i] XOR AES(CTRBLK)
CTRBLK := CTRBLK + 1
END
PT[n] := CT[n] XOR TRUNC(AES(CTRBLK))
2.2. Key Sizes and Rounds
AES supports three key sizes: 128 bits, 192 bits, and 256 bits. All AES supports three key sizes: 128 bits, 192 bits, and 256 bits. All
IKEv2 implementations MUST support the 128 key size. An IKEv2 IKEv2 implementations that implement AES-CTR MUST support the 128 key
implementation MAY support key sizes of 192 and 256 bits. size. An IKEv2 implementation MAY support key sizes of 192 and 256
bits.
AES MUST use different rounds for each of the key sizes: AES MUST use different rounds for each of the key sizes:
When a 128-bit key is used, implementations MUST use 10 rounds. When a 128-bit key is used, implementations MUST use 10 rounds.
When a 192-bit key is used, implementations MUST use 12 rounds. When a 192-bit key is used, implementations MUST use 12 rounds.
When a 256-bit key is used, implementations MUST use 14 rounds. When a 256-bit key is used, implementations MUST use 14 rounds.
2.2. Block Size 2.3. Block Size
The AES algorithm has a block size of 128 bits (16 octets), i.e., AES The AES algorithm has a block size of 128 bits (16 octets), i.e., AES
generate 128 bits of key stream. For encryption or decryption, a generate 128 bits of key stream. For encryption or decryption, a
user XOR the key stream with 128 bits of plaintext or ciphertext user XOR the key stream with 128 bits of plaintext or ciphertext
blocks. If the generated key stream is longer than the plaintext or blocks. If the generated key stream is longer than the plaintext or
ciphertext, the extra key stream bits are simply discarded. For this ciphertext, the extra key stream bits are simply discarded. For this
reason, AES-CTR does not require the plaintext to be padded to a reason, AES-CTR does not require the plaintext to be padded to a
multiple of the block size. multiple of the block size.
3. IKEv2 Encrypted Payload 3. IKEv2 Encrypted Payload
skipping to change at page 5, line 28 skipping to change at page 8, line 28
encryption. The IV MUST be chosen by the encryptor in a manner that encryption. The IV MUST be chosen by the encryptor in a manner that
ensures that the same IV value is NOT used more than once with a ensures that the same IV value is NOT used more than once with a
given encryption key. The encryptor can generate the IV in any given encryption key. The encryptor can generate the IV in any
manner that ensures uniqueness. Common approaches to IV generation manner that ensures uniqueness. Common approaches to IV generation
include incrementing a counter for each packet and linear feedback include incrementing a counter for each packet and linear feedback
shift registers (LFSRs). shift registers (LFSRs).
3.2. Integrity Checksum Data 3.2. Integrity Checksum Data
Since it is trivial to construct a forgery AES_CTR ciphertext from a Since it is trivial to construct a forgery AES_CTR ciphertext from a
valid AES_CTR ciphertext, IKEv2 MUST employ an integrity algorithm valid AES_CTR ciphertext, an integrity algorithm must be used when
when AES_CTR is selected for encrypting the IKEv2 payloads. using AES_CTR. IKEv2 does require Integrity Checksum Data for
AUTH_HMAC_SHA1_96 [RFC2404] is a likely choice. Encrypted Payload as described in section 3.14 of [RFC4306]. The
choice of integrity algorithms in IKEv2 is defined in [RFC4307] as:
Name Number Defined In Status
NONE 0
AUTH_HMAC_MD5_96 1 [RFC2403] MAY
AUTH_HMAC_SHA1_96 2 [RFC2404] MUST
AUTH_AES_XCBC_96 5 [AES-MAC] SHOULD+
4. Counter Block Format 4. Counter Block Format
All the IKEv2 messages following the initial exchange are All the IKEv2 messages following the initial exchange are
cryptographically protected using the cryptographic algorithms and cryptographically protected using the cryptographic algorithms and
keys negotiated in the first two messages of the IKEv2 exchange. keys negotiated in the first two messages of the IKEv2 exchange.
These subsequent messages use the syntax of the IKEv2 Encrypted These subsequent messages use the syntax of the IKEv2 Encrypted
Payload. Payload.
All such messages carry the IV that is necessary to construct the The Encrypted Payload is the XOR of the plaintext and key stream.
sequence of counter blocks used to generate the key stream necessary The key stream is generated by inputing Counter Blocks into AES
to decrypt the payload. The AES counter block cipher block is 128 algorithm. The AES counter block cipher block is 128 bits. Counter
bits. Blocks are defined as in Figure 1.
All messages carry the IV that is necessary to construct the sequence
of counter blocks used to generate the key stream necessary to
decrypt the payload.
Figure 1 shows the format of the counter block. Figure 1 shows the format of the counter block.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Nonce | | Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initialization Vector (IV) | | Initialization Vector (IV) |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Block Counter | | Block Counter |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: Counter Block Format Figure 1: Counter Block Format
The components of the counter block are as follows: The components of the counter block are as follows:
Nonce Nonce
The Nonce field is 4 octets. An unpredictably fresh nonce value The Nonce field is 32 bits. As the name implies, the nonce is a
MUST be assigned to each security association immediately after it single use value. That is, a fresh nonce value MUST be assigned
is established. Section 5.1 explains how IKEv2 is used to for each security association. It MUST be assigned at the
generate the nonce by the two parties individually. beginning of the security association. The nonce value need not
be secret, but it MUST be unpredictable prior to the beginning of
the security association.
Initialization Vector (IV) Initialization Vector (IV)
The IV field is 64 bits. The IV MUST be chosen by the encryptor The IV field is 64 bits. The IV MUST be chosen by the encryptor
in a manner that ensures that the same IV value is used only once in a manner that ensures that the same IV value is used only once
for a given encryption key. The encryptor includes the IV in the for a given encryption key. The encryptor includes the IV in the
IKEv2 message containing encrypted payloads. IKEv2 message containing encrypted payloads.
Block Counter Block Counter
 End of changes. 12 change blocks. 
41 lines changed or deleted 168 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/