Skip to content

Commit e7c3836

Browse files
antonyantonyantonyantony
committed
remove iterative kdf.
After the Coffee hour. Only keep the heirarchical kdf
1 parent 02e668a commit e7c3836

File tree

1 file changed

+21
-57
lines changed

1 file changed

+21
-57
lines changed

eesp-ikev2.org

+21-57
Original file line numberDiff line numberDiff line change
@@ -318,89 +318,53 @@ The requirements:
318318
- Minimal memory requirements
319319
- Keyderviation support multiple SAs, such as EESP, AH
320320

321-
*** Iterative key derivation
322-
To iteratively derive keys create a large keymt. e.g. for the nth
321+
*** Hierarchical key derivation
322+
Hierarchical key derivation use Sub SA ID, which is carried in EESP
323+
Seesion ID or in EESP Flow ID(TLV), as an input to the key dervivation.
323324

324-
KEYMAT = prf+(SK_d, Ni | Nr)
325-
When there is no additional Key Exchange.
325+
Two KDF are propsed below and eventually choose one of them.
326326

327-
KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr)
328-
When there is additional Key Exchange Paload, a.k.a. PFS.
327+
KEYMAT = prf+(SK_d, Ni | Nr | Sub SA ID)
329328

330-
Where SK_d is derived from IKE negotiation, as specified in Section
331-
2.14 of [[RFC7296]]
329+
Where Ni and Nr are the nonces from the IKE_SA_INIT exchange if this
330+
request is the first Child SA created or the fresh Ni and Nr from the
331+
CREATE_CHILD_SA exchange if this is a subsequent creation.
332+
333+
For CREATE_CHILD_SA exchanges including an optional Key Exchange
334+
, the keying material is defined as:
335+
336+
KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr | Sub SA ID)
332337

333-
Where g^ir (new) is the shared secret from the ephemeral Key Exchange
338+
where g^ir (new) is the shared secret from the ephemeral Key Exchange
334339
of this CREATE_CHILD_SA exchange (represented as an
335340
octet string in big endian order padded with zeros in the high-order
336341
bits if necessary to make it the length of the modulus).
337342

338-
For example for Sub SA ID n, use nth set of keys from the KEYMAT.
339-
The order is specified in Section 2.17 of [[RFC7296]].
343+
[Note an alternative design that would provide
344+
uniform distribution when oring with Sub SA ID.
340345

341-
With existing prf+ function the keymat length is rather limited.
342-
[[RFC7296]] limit the iteration to 256.
343-
However, with modern prf+, more specifically XOF, functions,
344-
such as KMAC specified in [[NIST800-185 ]], or HopMAC/TurboSHAKE
345-
specified [[I-D.irtf-cfrg-kangarootwelve]] the KEYMAT can be
346-
infinitely,(2^40 bytes), long.
347-
348-
An XOF differs from a traditional PRF, hash, function in that it is
349-
designed to generate very long, and variable length output.
350-
Unlike the IKEv2 prf+ an XOF can generate longer outputs directly
351-
without iterative call.
352-
353-
Typical length of of 256 bit encryption is 36 bytes,
354-
(32 + 4 salt for IV), in one direction. Using an AEAD for 64K Sub SAs
355-
maximum KEYMAT length would
356-
be:
357-
358-
4718592 bytes = 2^16 * 2 * 36 bytes. i.e. 4.5 Mega Bytes
359-
360-
When using non AEAD algorithms KEMAT size would roughly double of the
361-
above, about 9 Mega Bytes.
362-
363-
The memory requirment fot generate could be reduced by changing prf+
364-
function interface to return portion of the KEYMAT when using
365-
iterative feedback mode.
366-
367-
*** Hierarchical key derivation
368-
369-
Hierarchical key derivation use Sub SA ID, which is carried in EESP
370-
Seesion ID or in EESP Flow ID(TLV), as an input to the key dervivation.
371-
372-
Two KDF are propsed below and eventually choose one of them.
373-
374-
KEYMAT = prf+(SK_child, Sub SA ID)
375-
376-
Where SK_child is the key derived for the Child SA as specified in
377-
[[RFC7296]] section 2.17
346+
KEYMAT = prf+(prf(SK_d, Ni | Nr | Sub SA ID))
378347

379348
One advantage of Hierarchical KDF is KEYMAT for the Sub SAs can be
380349
generated on the fly, for every packet, when available memory is
381350
limited, for example [[PSP]]. This is usually the case when key
382351
derivation is implemented in hardware. When implimenting in hardware
383352
choose a hardware friendly prf+.
384353

385-
An alternative key derivation :
386-
387-
KEYMAT = prf+(SK_d, Ni | Nr | Flow ID)
388-
389-
NOTE: does using using Ni|Nr|g^ir KDF input matters? Is there a
390-
perfernece? Any advise from the cryptographers?
391-
392354
** Rekey Key Derivation.
393355
During the EESP SA rekey, new keys are derived using the new Ni
394356
and Nr values. If a Key Exchange (KE) method was used in the rekying,
395357
CREATE_CHILD_SA exchange, the new key MAY also include g^ir as part of
396358
the derivation process.
397359

398-
KEYMAT = prf+(SK_child, Sub SA ID)
360+
KEYMAT = prf+(SK_d, Ni | Nr | Sub SA ID)
399361

400-
or depending on which one of the above KDF is chossen.
362+
or
401363

402364
KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr | Sub SA ID)
403365

366+
When there is an additionl Key Exchange in rekey.
367+
404368
Even though each Sub SA can be independently rekeyed, for
405369
simplicity and security, all Sub SAs MUST be rekeyed together
406370
when either a cryptographic limit or a time-based limit is

0 commit comments

Comments
 (0)