Re: key derivation for ESP Authentication Algorithm
Norio Korekawa writes:
>>> I should have written "(ESP Encryption and ESP Authentication)",
>>> instead of "(Encryption and Authentication)". In this case,
>>> only ESP is employed, and I think "protocol" is PROTO_IPSEC_ESP.
>>> That's why I think that a key for ESP Encryption and a key for
>>> ESP Authentication are derived from the same KEYMAT, because
>>> the same "protocol" value (PROTO_IPSEC_ESP) and the same SPI
>>> are used for the computation.
>>>
>>> Hope to hear your comments again.

Whoops, thanks for clarifying the question. I was hallucinating
"transform-id" while writing "protocol-id". Here's an answer that I
think will be more informative:

The Architecture document (previous rev., <draft-...-arch-sec-02>, Sec.
4.6.2) specifies the procedure for slicing KEYMAT into multiple keys
needed for a single SA:

> When an automated SA/key management protocol is employed, the output
> from this protocol may be used to generate multiple keys, e.g., for a
> single ESP SA. This may arise because:
>
> o the encryption algorithm uses multiple keys (e.g., triple DES)
> o the authentication algorithm uses multiple keys
> o both encryption and authentication algorithms are employed
>
> The Key Management System may provide a separate string of bits for
> each key or it may generate one string of bits from which all of them
> are extracted. If a single string of bits is provided, care needs to
> be taken to ensure that the parts of the system that map the string
> of bits to the required keys do so in the same fashion at both ends
> of the SA. To ensure that the IPsec implementations at each end of
> the SA use the same bits for the same keys, and irrespective of which
> part of the system divides the string of bits into individual keys,
> the encryption key(s) MUST be taken from the first (left-most, high-
> order) bits and the authentication key(s) MUST be taken from the
> remaining bits. The number of bits for each key is defined in the
> relevant algorithm specification RFC. In the case of multiple
> encryption keys or multiple authentication keys, the specification
> for the algorithm must specify the order in which they are to be
> selected from a single string of bits provided to the algorithm.
--
Lewis http://www.cs.umass.edu/~lmccarth/ "In our opinion
provable security is nothing more than a phantom, similar to
the perpetuum mobile in thermodynamics." -- Joan Daemen, 1995
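
The slicing rule quoted in the message above, worked through for one ESP SA that uses both encryption and authentication; this is an added example, not part of the original message or of any IPsec implementation. It assumes the IKE-style KEYMAT expansion (K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), Kn = prf(SKEYID_d, Kn-1 | protocol | SPI | Ni_b | Nr_b)) with HMAC-SHA1 as the prf, a protocol-id of 3 for PROTO_IPSEC_ESP, and key lengths taken from the respective algorithm specifications; the function names and all sample values are constructed.

```python
import hashlib
import hmac

PROTO_IPSEC_ESP = 3  # assumed IPsec DOI protocol-id for ESP

# Key lengths in bytes; per the quoted text these come from each algorithm's spec.
ENC_KEY_LEN = {"3des-cbc": 24, "des-cbc": 8}
AUTH_KEY_LEN = {"hmac-sha1-96": 20, "hmac-md5-96": 16}


def expand_keymat(skeyid_d, protocol, spi, ni_b, nr_b, need, digest=hashlib.sha1):
    """Assumed expansion: K1 = prf(SKEYID_d, seed), Kn = prf(SKEYID_d, Kn-1 | seed)."""
    seed = bytes([protocol]) + spi + ni_b + nr_b
    keymat, block = b"", b""
    while len(keymat) < need:
        block = hmac.new(skeyid_d, block + seed, digest).digest()
        keymat += block
    return keymat[:need]


def slice_keymat(keymat, enc_alg, auth_alg):
    """Encryption key from the left-most bits, authentication key from the rest."""
    enc_len, auth_len = ENC_KEY_LEN[enc_alg], AUTH_KEY_LEN[auth_alg]
    if len(keymat) < enc_len + auth_len:
        raise ValueError("KEYMAT too short for the negotiated transforms")
    return keymat[:enc_len], keymat[enc_len:enc_len + auth_len]


def derive_esp_keys(skeyid_d, spi, ni_b, nr_b, enc_alg, auth_alg):
    """One KEYMAT (same protocol, same SPI) yields both keys for the ESP SA."""
    need = ENC_KEY_LEN[enc_alg] + AUTH_KEY_LEN[auth_alg]
    keymat = expand_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b, need)
    return slice_keymat(keymat, enc_alg, auth_alg)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real exchange.
    skeyid_d = bytes(range(20))
    spi = bytes.fromhex("0a0b0c0d")
    ni_b, nr_b = b"initiator-nonce-", b"responder-nonce-"
    enc, auth = derive_esp_keys(skeyid_d, spi, ni_b, nr_b, "3des-cbc", "hmac-sha1-96")
    print("encryption key    :", enc.hex())
    print("authentication key:", auth.hex())
```

Both ends must run the same slicing on the same KEYMAT; swapping the order on one side produces keys of the right length that simply fail to decrypt or authenticate the peer's traffic.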