[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
DH-less encryption mode for IKE

To: ipsec@tis.com
Subject: DH-less encryption mode for IKE
From: Ran Canetti <canetti@watson.ibm.com>
Date: Thu, 2 Jul 1998 18:11:57 -0400
Sender: owner-ipsec@ex.tis.com

Currently all the modes of (phase I of) IKE involve performing a 
Diffie-Hellman (DH) exponentiation on either end. While DH helps maintain
long term secrecy (via its Perfect-Forward-Secrecy properties)
the computational cost is high: DH exponentiations takes a large 
fraction of the processing time, even when elliptic curves 
are used. Yet, on the majority of internet traffic long term secrecy
may not be be a concern at all. (In fact, many connections may be interested
only in integrity.) Thus, a "lightweight" mode that does not involve DH
exponentiations seems warranted. 

Hugo, Pau and I have submitted a draft describing how the (revised)
encryption mode of IKE can be performed without the Diffie-Hellman 
exponentiations. This mode involves only a very minor modification
of the current revised mode. (Basically, the  DH payloads are omitted
and the DH values needed for the derivation of SKEYID_a,d,e are zeroed out.)
We would like to propose this mode to the list as a work item for ipsecond.
I enclose the abstract; the draft should be available in couple days.

In conjunction to this, and in order to avoid inflating the number of modes
in IKE, we would like to propose to move the original (non-revised)
encryption mode of IKE to "historic".



Ran


BTW, I'd like to draw attention to the "security considerations" section
of the draft. It contains a warning that is relevant also to the 
current (DH-full) encryption modes  of IKE. It reads:

   4. Security Considerations

   The public key encryption modes of authentication in IKE require
   strong public key encryption. In particular, resistance to strong
   attacks generally known as "chosen ciphertext attacks" (CCA) is
   necessary.  This is a practical need as well as the basis for a sound
   analysis of these protocols [BeCaKr].  Recently, an explicit chosen
   ciphertext attack on the PKCS #1 encryption standard was demonstrated
   [Ble]. RSA Labs., the authors of PKCS#1, are preparing a new release
   of PKCS #1 that will include the OAEP format of RSA encryption [RSAlabs].
   It is strongly recommended that IKE specifications and implementations
   move to that format which was designed to resist CCA and other attacks.



------------------------------------------------------------------------------







IPSEC Working Group                       R. Canetti, P. Cheng, H. Krawczyk
INTERNET-DRAFT                                IBM Research and the Technion
draft-ietf-ipsec-dhless-enc-mode-00.txt                           July 1998
Expire in six months


                  A DH-less encryption mode for IKE
               <draft-ietf-ipsec-dhless-enc-mode-00.txt>

                          Status of this Memo

   This document is an Internet Draft. Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and working groups.  Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet Drafts as reference
   material or to cite them other than as "work in progress."

   To view the entire list of current Internet-Drafts, please check
   the "1id-abstracts.txt" listing contained in the Internet-Drafts
   Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
   (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au



   1. Abstract

   The IKE document [HC98] describes a key exchange protocol for
   obtaining authenticated and secret keying material for use with ISAKMP,
   and for other security associations such as AH and ESP for the IETF
   IPsec DOI.

   All the current modes for carrying out Phase 1 of the key exchange
   in [HC98] incorporate a Diffie- Hellman exponentiation. While the DH
   exponentiation enhances the security of the exchange (and in particular
   provides perfect forward secrecy (PFS)), this enhanced secrecy comes
   at a computational cost. In cases where PFS is not a requirement, most
   notably in authentication only scenarios, less expensive solutions
   are possible.

   This draft describes a ``DH-less'' version of the (revised) public-
   key encryption mode of [HC98]. This saves the DH exponentiation,
   which may be significant (especially on low-end machines and busy servers).
   The proposed mode is VERY similar to the existing modes and requires
   only minimal modifications. In particular, it is straightforward
   to implement as an addition to the existing modes.
Prev by Date: Revised drafts -- Arch, AH, ESP
Next by Date: Re: Revised drafts -- Arch, AH, ESP
Prev by thread: Re: Revised drafts -- Arch, AH, ESP
Next by thread: IPsec and Fragmentation
Index(es):
- Main
- Thread