Re: Terminology question: "suites" vs "set of cryptographic algorithms"

Paul Hoffman / VPNC <paul.hoffman@vpnc.org> wrote on 05/02/2003 07:40:30 PM:
> The term "suite" is used inconsistently in the current document. In
> some places, it means "the set of things chosen by the responder".
> However, there are exceptions. I have listed what I think are the
> main problems with the term "suite" in the current draft.
>
I've tried to use it to mean "a collection of algorithms used together
in an SA". The initiator proposes multiple suites (not as a list, but
as a Chinese menu (I hope that term has not become politically
incorrect)), and the responder selects one.

To clarify this, I changed the third paragraph of IKE Protocol Overview to
the following:

IKE performs mutual authentication between two parties and establishes
an IKE security association that includes shared secret information
that can be used
to efficiently establish SAs for ESP [RFC2406] and/or AH [RFC2402] and
a set of cryptographic algorithms to be used to protect the SAs.
In this document, the term "suite" or "cryptographic suite" refers to
a complete set of algorithms used to protect an SA. An initiator
proposes one or more suites by listing supported algorithms that can
be combined into suites in a mix and match fashion.
IKE can also negotiate use of IPcomp
[RFC2393] in connection with an ESP and/or AH SA.
We call the IKE SA an "IKE_SA". The SAs for ESP and/or AH
that get set up through that IKE_SA we call "CHILD_SA"s.

Does that help?

> The third paragraph of 2.7 says:
>     This hierarchical structure was designed to be able to efficiently
>     encode proposals for cryptographic suites when the number of
>     supported suites is large because multiple values are acceptable for
>     multiple transforms. The responder MUST choose a single suite, which
>     MAY be any subset of the SA proposal following the rules below:
> This use of "suites" is talking about the proposals offered by the
> initiator, which is the "old" use of suites.
>
This seems clear to me. Do you have an alternate wording to propose?

> The last sentence in 2.7 says:
>     Alice MUST again propose her full
>     set of acceptable cryptographic suites because the rejection message
>     was unauthenticated and otherwise an active attacker could trick
>     Alice and Bob into negotiating a weaker suite than a stronger one
>     that they both prefer.
> But Alice isn't proposing suites, she is proposing individual algorithms.
>
> In 3.10.1 it says:
>          NO_PROPOSAL_CHOSEN                       14
>              None of the proposed crypto suites was acceptable.
> But no suites were proposed: algorithm choices were proposed.
>
Likewise, these seem clear to me; do you have an alternate wording?

> Section 6:
>     Values of the Cryptographic Suite-ID define a set of cryptographic
>     algorithms to be used in an IKE, ESP, or AH SA.
> We removed Suite-ID completely.
>
You're right on this one. It's an obsolete reference. I removed it.

> Appendix B:
>     Future IANA-registered and private use Suite-IDs MAY use Diffie-
>     Hellman groups that have modulus values and generators that are
>     different than those in this document or in [ADDGROUP].
> Ditto.
>
This is also obsolete, and I removed it.

Was there ever a declared consensus on whether the algorithm definitions
(including all of Appendix B) should be removed so as not to duplicate
information in the algorithms document?

Barbara? Ted?

> --Paul Hoffman, Director
> --VPN Consortium

      --Charlie
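As an added illustration of the "Chinese menu" proposal model Charlie describes (the initiator lists acceptable algorithms per transform type, the responder picks exactly one per type, and the result must be a subset of what was offered). This is example code written for this thread, not text or code from the IKEv2 draft; the algorithm names and preference lists are constructed placeholders, not registry values.

```python
from itertools import product

# Constructed sample proposal: for each transform type the initiator lists every
# algorithm it accepts; any one-per-type combination is an acceptable suite.
INITIATOR_PROPOSAL = {
    "ENCR": ["AES-CBC-256", "AES-CBC-128", "3DES"],
    "INTEG": ["HMAC-SHA1-96", "HMAC-MD5-96"],
    "PRF": ["PRF-HMAC-SHA1"],
    "DH": ["group14", "group2"],
}


def enumerate_suites(proposal):
    """Expand the menu into the full set of suites it encodes (the reason the
    encoding is compact: a few lists stand for many complete suites)."""
    types = list(proposal)
    return [dict(zip(types, combo)) for combo in product(*(proposal[t] for t in types))]


def responder_choose(proposal, preferences):
    """Responder picks one transform per type: the first algorithm in its own
    preference order that the initiator offered. Returns None when some type
    has no acceptable match, i.e. the NO_PROPOSAL_CHOSEN case."""
    chosen = {}
    for ttype, offered in proposal.items():
        match = next((alg for alg in preferences.get(ttype, []) if alg in offered), None)
        if match is None:
            return None
        chosen[ttype] = match
    return chosen


def initiator_accepts(proposal, chosen):
    """Initiator's check on the response: exactly one transform per proposed
    type, and every transform must come from the menu it sent. A response
    naming anything the initiator never offered is rejected rather than
    installed, so a corrupted or tampered response cannot select an
    unproposed suite."""
    if chosen is None or set(chosen) != set(proposal):
        return False
    return all(chosen[t] in proposal[t] for t in proposal)
```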