Use of AES as prf in IKEv2

Hugo pointed out that the IKEv2 spec assumes that prf functions accept
variable (and arbitrary) size keys, which won't always be the case. I
thought the question was only theoretical because HMAC does and that was
the only prf we defined.

But I notice that we added an IKE Suite #5, which specifies: "AES-CBC MAC +
XCBC integrity and prf". I'm having multiple problems parsing that. I think
I know what AES-CBC MAC is as an integrity protection function. But what
does "+ XCBC" mean and how do we feed two variable length inputs into this
thing for the purpose of doing key expansion?

I suspect AES-CBC MAC + XCBC integrity is well defined and hopefully in an
RFC somewhere. But I'll bet we need to specify a fixed key size (we use 128
bits for encryption, that's probably the intent for integrity protection).
And I'll bet no one really thought about how to use it with a variable
length key for key expansion. IKEv2 computes SKEYSEED = prf ( Ni | Nr ,
g^xy). Nonces are variable length. We could specify (as Hugo recommended)
that each nonce be truncated at half the fixed key size. I'd be happier
using SHA-1(Ni | Nr) truncated as the key. I'd be happier still saying that
even if we're using AES-CBC + XCBC for integrity we still use SHA-1 as our
prf.

What do others think?

          --Charlie

Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).
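
Added example, not part of the original message: the three options the message weighs for handling variable-length nonces when the prf wants a fixed-size key, sketched in Python. The nonce and g^xy values are constructed, the function names are hypothetical, and a 128-bit fixed key size is assumed as the message suggests.

```python
import hashlib
import hmac

KEY_LEN = 16  # assumed fixed prf key size: 128 bits


def key_by_truncating_nonces(ni: bytes, nr: bytes, key_len: int = KEY_LEN) -> bytes:
    """Option 1: truncate each nonce at half the fixed key size."""
    half = key_len // 2
    if len(ni) < half or len(nr) < half:
        raise ValueError("nonce shorter than half the fixed key size")
    return ni[:half] + nr[:half]


def key_by_hashing_nonces(ni: bytes, nr: bytes, key_len: int = KEY_LEN) -> bytes:
    """Option 2: SHA-1(Ni | Nr), truncated to the fixed key size."""
    return hashlib.sha1(ni + nr).digest()[:key_len]


def skeyseed_hmac_sha1(ni: bytes, nr: bytes, g_xy: bytes) -> bytes:
    """Option 3: keep HMAC-SHA1 as the prf; it accepts Ni | Nr at any length."""
    return hmac.new(ni + nr, g_xy, hashlib.sha1).digest()


# Constructed sample values. NI_A and NI_B differ only after their first 8 bytes.
NI_A = bytes(range(8)) + b"\xaa" * 8
NI_B = bytes(range(8)) + b"\xbb" * 8
NR = bytes(range(0x10, 0x18)) + b"\xcc" * 24  # a longer, 32-byte nonce
G_XY = hashlib.sha256(b"constructed stand-in for g^xy").digest()


def compare() -> dict:
    """Report whether the two initiator nonces yield the same key material."""
    return {
        "truncate_same": key_by_truncating_nonces(NI_A, NR)
        == key_by_truncating_nonces(NI_B, NR),
        "hash_same": key_by_hashing_nonces(NI_A, NR)
        == key_by_hashing_nonces(NI_B, NR),
        "hmac_same": skeyseed_hmac_sha1(NI_A, NR, G_XY)
        == skeyseed_hmac_sha1(NI_B, NR, G_XY),
    }


if __name__ == "__main__":
    print(compare())
```

Truncation ignores every nonce byte past the cut, so the two constructed initiator nonces produce the same key; hashing first, or keeping HMAC-SHA1 as the prf, lets all nonce bytes influence the result.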