[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
DH-less encryption mode for IKE
Currently all the modes of (phase I of) IKE involve performing a
Diffie-Hellman (DH) exponentiation on either end. While DH helps maintain
long term secrecy (via its Perfect-Forward-Secrecy properties)
the computational cost is high: DH exponentiations takes a large
fraction of the processing time, even when elliptic curves
are used. Yet, on the majority of internet traffic long term secrecy
may not be be a concern at all. (In fact, many connections may be interested
only in integrity.) Thus, a "lightweight" mode that does not involve DH
exponentiations seems warranted.
Hugo, Pau and I have submitted a draft describing how the (revised)
encryption mode of IKE can be performed without the Diffie-Hellman
exponentiations. This mode involves only a very minor modification
of the current revised mode. (Basically, the DH payloads are omitted
and the DH values needed for the derivation of SKEYID_a,d,e are zeroed out.)
We would like to propose this mode to the list as a work item for ipsecond.
I enclose the abstract; the draft should be available in couple days.
In conjunction to this, and in order to avoid inflating the number of modes
in IKE, we would like to propose to move the original (non-revised)
encryption mode of IKE to "historic".
Ran
BTW, I'd like to draw attention to the "security considerations" section
of the draft. It contains a warning that is relevant also to the
current (DH-full) encryption modes of IKE. It reads:
4. Security Considerations
The public key encryption modes of authentication in IKE require
strong public key encryption. In particular, resistance to strong
attacks generally known as "chosen ciphertext attacks" (CCA) is
necessary. This is a practical need as well as the basis for a sound
analysis of these protocols [BeCaKr]. Recently, an explicit chosen
ciphertext attack on the PKCS #1 encryption standard was demonstrated
[Ble]. RSA Labs., the authors of PKCS#1, are preparing a new release
of PKCS #1 that will include the OAEP format of RSA encryption [RSAlabs].
It is strongly recommended that IKE specifications and implementations
move to that format which was designed to resist CCA and other attacks.
------------------------------------------------------------------------------
IPSEC Working Group R. Canetti, P. Cheng, H. Krawczyk
INTERNET-DRAFT IBM Research and the Technion
draft-ietf-ipsec-dhless-enc-mode-00.txt July 1998
Expire in six months
A DH-less encryption mode for IKE
<draft-ietf-ipsec-dhless-enc-mode-00.txt>
Status of this Memo
This document is an Internet Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and working groups. Note that other groups may also distribute
working documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet Drafts as reference
material or to cite them other than as "work in progress."
To view the entire list of current Internet-Drafts, please check
the "1id-abstracts.txt" listing contained in the Internet-Drafts
Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
(Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au
1. Abstract
The IKE document [HC98] describes a key exchange protocol for
obtaining authenticated and secret keying material for use with ISAKMP,
and for other security associations such as AH and ESP for the IETF
IPsec DOI.
All the current modes for carrying out Phase 1 of the key exchange
in [HC98] incorporate a Diffie- Hellman exponentiation. While the DH
exponentiation enhances the security of the exchange (and in particular
provides perfect forward secrecy (PFS)), this enhanced secrecy comes
at a computational cost. In cases where PFS is not a requirement, most
notably in authentication only scenarios, less expensive solutions
are possible.
This draft describes a ``DH-less'' version of the (revised) public-
key encryption mode of [HC98]. This saves the DH exponentiation,
which may be significant (especially on low-end machines and busy servers).
The proposed mode is VERY similar to the existing modes and requires
only minimal modifications. In particular, it is straightforward
to implement as an addition to the existing modes.