
Re: AES-based PRF for IKEv2




On Tue, 25 Mar 2003, Paul Hoffman / VPNC wrote:

> At 6:36 AM +0200 3/25/03, Hugo Krawczyk wrote:
> >Moreover, ikev2 already offers a solution to the problem of how to get a
> >prf key out of the DH key g^xy (see page 25 of the draft).
> >And ikev2 does not really have a need to deal with too-short keys.
> >The only places where this could potentially be an issue is when
> >(1) you key the prf with Ni|Nr and (2) when authenticating with a
> >pre-shared key.
> 
> I'm confused by this statement. Where is the preshared key used in 
> the SKEYSEED calculation in IKEv2?

Preshared key is NOT used in the calculation of SKEYSEED.
Sorry if my text gave the wrong impression.

The only thing we need to make sure is that the ikev2 document will
mandate a minimal length for the nonces Ni and Nr (each has to be at least
of half the length of the prf), and a minimal size of the preshared key
(which has to be at least of the length of the prf key).

There is no reason that an implementation will not be able to meet these
requirements. The only case in which this may happen is if someone tries
to use a password as a preshared key. But that should be seen as a
violation of the purpose of pre-shared key mode. Especially in view that
ikev2 explicitly supports password-based authentication methods through
its EAP exchange.

Also, now that we are back to "a la carte", one may want to clarify in the
document that in case that Alice (the initiator) offers more than one prf,
she has to send (in message 1) a nonce which is at least of half the
length of the longest-key prf in her offer (for example: if she offers
HMAC-SHA1 and AES-128 then she has to send a nonce of length 80 bits).

Hugo

> 
> --Paul Hoffman, Director
> --VPN Consortium
>
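
The length rules proposed in the message above, written as checks an implementation could run before keying the prf. This is an added example, not part of the original thread or of any IKEv2 implementation; the function names and the PRF labels are assumptions, and the HMAC-SHA1 key length of 160 bits is the one implied by the 80-bit figure in the message.

```python
import hashlib
import hmac

# Preferred prf key length in bits for the two PRFs named in the message.
# The dictionary keys are labels chosen for this example.
PRF_KEY_BITS = {"HMAC-SHA1": 160, "AES-128": 128}


def min_nonce_bits(offered):
    """Half the key length of the longest-key prf in the offer."""
    if not offered:
        raise ValueError("empty prf offer")
    return max(PRF_KEY_BITS[p] for p in offered) // 2


def initiator_nonce_ok(ni, offered):
    """Ni goes out in message 1, before the responder has picked a prf,
    so it has to satisfy every prf the initiator offers."""
    return len(ni) * 8 >= min_nonce_bits(offered)


def psk_ok(psk, prf):
    """A preshared key must be at least as long as the prf key."""
    return len(psk) * 8 >= PRF_KEY_BITS[prf]


def skeyseed_hmac_sha1(ni, nr, g_ir):
    """SKEYSEED = prf(Ni | Nr, g^ir) with HMAC-SHA1 as the negotiated prf.
    Refuses to key the prf with nonces below the minimum length."""
    need = min_nonce_bits(["HMAC-SHA1"])
    for name, nonce in (("Ni", ni), ("Nr", nr)):
        if len(nonce) * 8 < need:
            raise ValueError(f"{name} is shorter than {need} bits")
    return hmac.new(ni + nr, g_ir, hashlib.sha1).digest()


if __name__ == "__main__":
    offer = ["HMAC-SHA1", "AES-128"]
    # Constructed sample values, not real key material.
    short_ni, good_ni, nr = bytes(8), bytes(range(10)), bytes(range(10, 20))
    print("minimum Ni bits for offer:", min_nonce_bits(offer))
    print("64-bit Ni accepted:", initiator_nonce_ok(short_ni, offer))
    print("80-bit Ni accepted:", initiator_nonce_ok(good_ni, offer))
    print("password as PSK accepted:", psk_ok(b"hunter2", "HMAC-SHA1"))
    print("SKEYSEED:", skeyseed_hmac_sha1(good_ni, nr, b"\x02" * 128).hex())
```

A 64-bit nonce would be long enough for an AES-128-only offer, which is why the check has to look at the whole offer rather than the prf the initiator expects to be selected.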