
Re: key derivation for ESP Authentication Algorithm



Norio Korekawa writes:
>>> I should have written "(ESP Encryption and ESP Authentication)",
>>> instead of "(Encryption and Authentication)".  In this case,
>>> only ESP is employed, and I think "protocol" is PROTO_IPSEC_ESP.
>>> That's why I think that a key for ESP Encryption and a key for
>>> ESP Authentication are derived from the same KEYMAT, because
>>> the same "protocol" value (PROTO_IPSEC_ESP) and the same SPI
>>> are used for the computation.
>>> 
>>> Hope to hear your comments again.

Whoops, thanks for clarifying the question. I was hallucinating 
"transform-id" while writing "protocol-id". Here's an answer that I
think will be more informative:

The Architecture document (previous rev., <draft-...-arch-sec-02>, Sec. 
4.6.2) specifies the procedure for slicing KEYMAT into multiple keys 
needed for a single SA:

> When an automated SA/key management protocol is employed, the output
>    from this protocol may be used to generate multiple keys, e.g., for a
>    single ESP SA.  This may arise because:
> 
>            o the encryption algorithm uses multiple keys (e.g., triple DES)
>            o the authentication algorithm uses multiple keys
>            o both encryption and authentication algorithms are employed
> 
>    The Key Management System may provide a separate string of bits for
>    each key or it may generate one string of bits from which all of them
>    are extracted.  If a single string of bits is provided, care needs to
>    be taken to ensure that the parts of the system that map the string
>    of bits to the required keys do so in the same fashion at both ends
>    of the SA.  To ensure that the IPsec implementations at each end of
>    the SA use the same bits for the same keys, and irrespective of which
>    part of the system divides the string of bits into individual keys,
>    the encryption key(s) MUST be taken from the first (left-most, high-
>    order) bits and the authentication key(s) MUST be taken from the
>    remaining bits.  The number of bits for each key is defined in the
>    relevant algorithm specification RFC.  In the case of multiple
>    encryption keys or multiple authentication keys, the specification
>    for the algorithm must specify the order in which they are to be
>    selected from a single string of bits provided to the algorithm.


-- 
Lewis    http://www.cs.umass.edu/~lmccarth/    "In our opinion
provable security is nothing more than a phantom, similar to
the perpetuum mobile in thermodynamics."  -- Joan Daemen, 1995
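
The slicing rule quoted in the message above, as an added example that is not part of the original message or of the draft it quotes. It assumes the key management protocol is IKE with the RFC 2409 KEYMAT expansion (no PFS), HMAC-SHA1 as the prf, and the key lengths shown; all input values are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac

PROTO_IPSEC_ESP = 3  # protocol-id for ESP in the IPsec DOI
# Key lengths in bytes, per the algorithm specifications (assumed choices).
ENC_KEY_LEN = {"des-cbc": 8, "3des-cbc": 24}
AUTH_KEY_LEN = {"hmac-md5-96": 16, "hmac-sha1-96": 20}

# Constructed sample inputs, not taken from any real exchange.
SKEYID_D = bytes(range(20))
SPI = bytes.fromhex("12345678")
NI, NR = b"\x11" * 16, b"\x22" * 16


def expand_keymat(skeyid_d, protocol, spi, ni, nr, nbytes):
    """K1 = prf(SKEYID_d, seed), Kn = prf(SKEYID_d, Kn-1 | seed); KEYMAT = K1 | K2 | ..."""
    seed = bytes([protocol]) + spi + ni + nr
    keymat, block = b"", b""
    while len(keymat) < nbytes:
        block = hmac.new(skeyid_d, block + seed, hashlib.sha1).digest()
        keymat += block
    return keymat[:nbytes]


def split_keymat(keymat, enc_alg, auth_alg):
    """Encryption key from the left-most bits, authentication key from the rest."""
    e, a = ENC_KEY_LEN[enc_alg], AUTH_KEY_LEN[auth_alg]
    if len(keymat) < e + a:
        raise ValueError(f"KEYMAT too short: need {e + a} bytes, got {len(keymat)}")
    return keymat[:e], keymat[e:e + a]


def derive_esp_keys(enc_alg, auth_alg, spi=SPI):
    """One KEYMAT per (protocol, SPI); both ESP keys are cut from it."""
    need = ENC_KEY_LEN[enc_alg] + AUTH_KEY_LEN[auth_alg]
    keymat = expand_keymat(SKEYID_D, PROTO_IPSEC_ESP, spi, NI, NR, need)
    return split_keymat(keymat, enc_alg, auth_alg)


if __name__ == "__main__":
    enc, auth = derive_esp_keys("3des-cbc", "hmac-sha1-96")
    print("enc :", enc.hex())
    print("auth:", auth.hex())
```

Both keys come from disjoint ranges of a single KEYMAT computed under one protocol value and one SPI, which is the situation the question describes.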

