
key derived SPI?



Is there anything wrong with deriving IPSec SA data like the SPI from the
keying material, using a one-way hash? I'm thinking of reducing the number of
parameters needed to automatically set up an IPSec SA between two hosts
without IKE. Using this trick I could end up with only a password and the
destination IP address needed to set up the secure channel. So the final
SPI generation scheme would be:

h0 = SHA1(source IP) [public]
h1 = SHA1(destination IP) [public]
h2 = SHA1(provided password) [secret]
h3 = SHA1(h2)
h4 = SHA1(h3)

SPI = h0 XOR h1 XOR h4

enc key = h2
auth key = h3

Result SA = ESP(SPI, src IP, dst IP, enc key, auth key)

So I use h2 as the ESP encryption key, h3 as the authentication key and the
generated SPI to build the ESP SA. This SA is used to send a small amount of
data and its lifetime is short. h3 is used for auth so as not to provide any
possible information about the encryption key via the authentication
ciphertext. The IP addresses are hashed only to minimize the chance of SPI
conflicts with many clients.

Is there any problem with this method?

-- 
Paweł Krawczyk *** home: <http://ceti.pl/~kravietz/>
security: <http://ipsec.pl/>  *** fidonet: 2:486/23