Internet DRAFT - draft-grieco-suite-vpn-d
draft-grieco-suite-vpn-d
Network Working Group D. McGrew
Internet-Draft A. Grieco
Intended status: Informational Cisco Systems, Inc.
Expires: January 7, 2010 July 6, 2009
Suite VPN-D: Cryptographic Algorithm Suite with 112-bit Security for
IPSEC
draft-grieco-suite-vpn-d-00.txt
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 7, 2010.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
McGrew & Grieco Expires January 7, 2010 [Page 1]
�
Internet-Draft 112-bit Crypto for IPSEC July 2009
Abstract
This document defines a suite of cryptographic algorithms that target
a 112-bit security level. Additionally, this document defines the
use of these algorithms for use in IPSEC.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Conventions Used In This Document . . . . . . . . . . . . 3
2. Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Considerations . . . . . . . . . . . . . . . . . . . . . . 4
2.1.1. Naming . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Suite D Algorithms . . . . . . . . . . . . . . . . . . . . 4
3. Suite D Algorithms in IPSec . . . . . . . . . . . . . . . . . 5
4. Security Considerations . . . . . . . . . . . . . . . . . . . 6
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
7.1. Normative References . . . . . . . . . . . . . . . . . . . 9
7.2. Informative References . . . . . . . . . . . . . . . . . . 9
Appendix A. Other 2048 bit MODP Groups . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
McGrew & Grieco Expires January 7, 2010 [Page 2]
�
Internet-Draft 112-bit Crypto for IPSEC July 2009
1. Introduction
[SuiteB] defines a set of cryptographic algorithms that are secure,
well reviewed, and are efficient at high data rates and high security
levels. Currently, support for Suite B is only partly available
across the industry. Traditionally, the adoption of new algorithms
by the industry is a complex and slow process involving multiple
actors, including policy makers in government and industry, standards
organizations, and vendors of crypto software and hardware, network
devices and software, and operating systems. Complications around
ownership of some intellectual property rights as also slowed
adoption of Suite B.
In this document, we define a suite of crypto algorithms that overlap
with Suite B, that contains only algorithms that are believed to be
unencumbered by intellectual property considerations and that targets
a 112-bit security level. This level is not as high as that of Suite
B, but it is believed to be adequately secure to meet present
commercial needs. It provides a halfway point between current
industry practice and Suite B.
It is hoped that the adoption of this new suite will simplify and
shorten the process of adopting Suite B while providing 112-bit
security.
As with previous user interface suites ("UI suites") for IPSec (see
[RFC4308] and [RFC4869]), this document simply defines a few
collections of algorithms for IPSec and does not modify the protocol
itself in any way.
1.1. Conventions Used In This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
McGrew & Grieco Expires January 7, 2010 [Page 3]
�
Internet-Draft 112-bit Crypto for IPSEC July 2009
2. Algorithms
2.1. Considerations
There were four main criteria taken into consideration when
developing the list of algorithms to be recommended:
o IPR licensing concerns
o Targeted strength equivalence of at least 112 bits of security
o Acceptance of algorithms by the industry and governments,
including NIST approval of algorithms
o Interoperability between VPN devices
2.1.1. Naming
The naming of the suite of algorithms defined here is based on the
precedent set forth in RFC4308 where the denotation of "VPN-A" and
"VPN-B" is used. Due to concerns over naming conflicts with
organizations that already exist in the industry, the "VPN-C"
designation was bypassed and therefore the suite defined here is
referenced as "VPN-D".
2.2. Suite D Algorithms
For Authenticated Encryption in the data plane, AES with 128 bit keys
in GCM mode with 128 bit ICV [RFC4106] MUST be used.
For Integrity checks (when Authenticated Encryption is not in use),
HMAC-SHA-256-128 [RFC4868] MUST be used.
For hashing algorithms, SHA-256 [SHA2] MUST be used.
For certificate based signatures, RSA-2048 and SHA-256 MUST be used.
For Diffie-Hellman key exchanges, a 2048-bit MODP group MUST be used.
Explicitly, Diffie-Hellman Group 14 [RFC3526] MUST be used.
For pseudo-random generation function, PRF-HMAC-SHA-256 [RFC4868]
MUST be used.
McGrew & Grieco Expires January 7, 2010 [Page 4]
�
Internet-Draft 112-bit Crypto for IPSEC July 2009
3. Suite D Algorithms in IPSec
Suite-VPN-D defines the set of algorithms intended to be used for
IPSec VPN applications and fully complies with the MUST Suite D
algorithms defined above.
+---------------------------+-----------------------------+
| Protocol | Algorithm |
+---------------------------+-----------------------------+
| ESP encryption transform | AES-GCM-128 w/ 16 octet ICV |
| | |
| ESP integrity transform | N/A |
| | |
| Pseudo Random Function | PRF-HMAC-SHA-256 |
| | |
| IKE encryption transform | AES-CBC-128 |
| | |
| IKEv1 hash | SHA-256 |
| | |
| IKEv2 integrity transform | HMAC-SHA-256-128 |
| | |
| IKE Diffie-Hellman Group | 14 |
| | |
| IKE X509 authentication | RSA-2048 with SHA-256 |
| | |
| IKE Pre-Shared Key | not less than 128 bits |
+---------------------------+-----------------------------+
Suite-VPN-D Cryptosuite
For IKEv1 implementations, Main mode SHOULD be used.
IKEv1 implementations MUST support rekeying of Phase 2. For IKEv2
implementations, CREATE-CHILD_SA exchanges MUST be supported. Rekey
operations that include the optional Diffie-Hellman key MUST use a
key that is DH Group 14.
If the pre-shared key option is used, then it MUST have a min-entropy
of 128 bits. This means that the key must be chosen at random in
such a way that the most probable key will occur with probability no
greater than 2^(-128). A practical way to achieve this is to choose
the key uniformly at random; for example, a string of 22 base64
characters chosen uniformly at random has sufficient min-entropy.
McGrew & Grieco Expires January 7, 2010 [Page 5]
�
Internet-Draft 112-bit Crypto for IPSEC July 2009
4. Security Considerations
The target of 112-bit security level for the suite is generally
believed to be sufficient for some time given current technologies
[RFC3766]. This security level is also supported by current NIST
recommendations for key strengths [NIST.800-57.2007].
McGrew & Grieco Expires January 7, 2010 [Page 6]
�
Internet-Draft 112-bit Crypto for IPSEC July 2009
5. IANA Considerations
The IANA registry called "Cryptographic Suites for IKEv1, IKEv2, and
IPsec" should be updated with an identifier of 'VPN-D' following the
criteria set forth in [RFC4308].
McGrew & Grieco Expires January 7, 2010 [Page 7]
�
Internet-Draft 112-bit Crypto for IPSEC July 2009
6. Acknowledgements
The authors would like to thank Scott Fluhrer and Igor Balabine for
their review and comment on this document.
McGrew & Grieco Expires January 7, 2010 [Page 8]
�
Internet-Draft 112-bit Crypto for IPSEC July 2009
7. References
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
Diffie-Hellman groups for Internet Key Exchange (IKE)",
RFC 3526, May 2003.
[RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For
Public Keys Used For Exchanging Symmetric Keys", BCP 86,
RFC 3766, April 2004.
[RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
(GCM) in IPsec Encapsulating Security Payload (ESP)",
RFC 4106, June 2005.
[RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-
384, and HMAC-SHA-512 with IPsec", RFC 4868, May 2007.
[SHA2] "FIPS 180-2: Secure Hash Standard,", Federal Information
Processing Standard (FIPS) http://csrc.nist.gov/
publications/fips/fips180-2/fips180-2.pdf, 2002.
7.2. Informative References
[NIST.800-57.2007]
National Institute of Standards and Technology,
"Recommendation for Key Management - Part 1: General",
NIST 800-57, March 2007.
[RFC4308] Hoffman, P., "Cryptographic Suites for IPsec", RFC 4308,
December 2005.
[RFC4869] Law, L. and J. Solinas, "Suite B Cryptographic Suites for
IPsec", RFC 4869, May 2007.
[RFC5114] Lepinski, M. and S. Kent, "Additional Diffie-Hellman
Groups for Use with IETF Standards", RFC 5114,
January 2008.
[SuiteB] "Fact Sheet for NSA Suite B Cryptography",
http://www.nsa.gov/ia/industry/crypto_suite_b.cfm.
McGrew & Grieco Expires January 7, 2010 [Page 9]
�
Internet-Draft 112-bit Crypto for IPSEC July 2009
Appendix A. Other 2048 bit MODP Groups
In this document, we make use of Diffie-Hellman Group 14 in Suite
VPN-D to provide 2048 bit MODP for IKE. Diffie-Hellman Group 24
[RFC5114] might also be considered to for this purpose. However, the
authors note, the prime chosen for Group 24 is not a safe prime and
modified IKE hanlding based on public key validation routines might
be required.
McGrew & Grieco Expires January 7, 2010 [Page 10]
�
Internet-Draft 112-bit Crypto for IPSEC July 2009
Authors' Addresses
David A. McGrew
Cisco Systems, Inc.
510 McCarthy Blvd.
Milpitas, CA 95035
US
Email: mcgrew@cisco.com
URI: http://www.mindspring.com/~dmcgrew/dam.htm
Anthony H. Grieco
Cisco Systems, Inc.
510 McCarthy Blvd.
Milpitas, CA 95035
US
Email: agrieco@cisco.com
McGrew & Grieco Expires January 7, 2010 [Page 11]
�
