[Docs] [txt|pdf|xml] [Tracker] [Email] [Nits] [IPR]

Versions: 00 draft-ietf-ipsecme-dh-checks

Network Working Group                                         Y. Sheffer
Internet-Draft                                                  Porticor
Updates: 5996 (if approved)                                   S. Fluhrer
Intended status: Standards Track                                   Cisco
Expires: June 10, 2013                                  December 7, 2012

               Additional Diffie-Hellman Tests for IKEv2


   This document adds a small number of mandatory tests required for the
   secure operation of IKEv2 with elliptic curve groups.  No change is
   required to IKE implementations that use modular exponential groups,
   other than a few rarely used so-called DSA groups.  This document
   updates the IKEv2 protocol, RFC 5996.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 10, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as

Sheffer & Fluhrer         Expires June 10, 2013                 [Page 1]

Internet-Draft                  DH Tests                   December 2012

   described in the Simplified BSD License.

1.  Introduction

   IKEv2 [RFC5996] consists of the establishment of a shared secret
   using the Diffie-Hellman (DH) protocol, followed by authentication of
   the two peers.  Existing implementations typically use modular
   exponential (MODP) DH groups, such as those defined in [RFC3526].

   Recently there is growing interest in using IKEv2 with groups based
   on elliptic curve cryptography.  It turns out that using EC groups in
   some scenarios requires that IKE peers implement additional tests.
   This document defines these tests.

1.1.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

2.  Group Membership Tests

   This section describes the tests that need to be performed by IKE
   peers receiving a Key Exchange (KE) payload.  The tests are
   RECOMMENDED for all implementations, but only REQUIRED for those that
   reuse DH secret keys (as defined in [RFC5996], Sec. 2.12).  The tests
   are listed here according to the DH group being used.

2.1.  Regular MODP Groups: Group 1, 2, 5, 14-18

   These are currently the most commonly used groups; all these groups
   have the property that (p-1)/2 is also prime; this section applies to
   any such MODP group.  The only check needed is a verification that
   the peer's public value r is in the legal range (1 < r < p-1).
   According to [Menezes], Sec 2.2, there is a possibility of leaking a
   single bit of the secret exponent during reuse; this amount of
   leakage is insignificant.

2.2.  MODP Groups with Small Subgroups: Group 22, 23, 24

   IKEv2 groups 22-24 [RFC5114] are modular exponential groups with
   small subgroups; these all have (p-1)/2 composite.  Sec. 2.1 of
   [Menezes] describes some informational leakage from a small subgroup
   attack on these groups.  An IKE peer MUST check both that the peer's
   public value is in range (1 < r < p-1) and that r**q = 1 mod p (where
   q is the size of the subgroup, as listed in the RFC).

Sheffer & Fluhrer         Expires June 10, 2013                 [Page 2]

Internet-Draft                  DH Tests                   December 2012

2.3.  Elliptic Curve Groups: Group 19-21, 25,26

   IKEv2 groups 19-21, 25-26 are elliptic curve groups defined over a
   field GF(p).  According to [Menezes], Sec. 2.3, there is some
   informational leakage possible.  A receiving peer MUST check that its
   peer's public value is valid; that is, it is not the point-at-
   infinity, and that the x and y parameters from the peer's public
   value satisfy the curve equation, that is, y**2 = x**3 + ax + b mod p
   (where for groups 19, 20, 21, a=-3, and all other values of a, b and
   p for the group are listed in the RFC).

2.4.  Transition

   Existing implementations of IKEv2 with ECDH groups MAY be modified to
   include the tests described in the current document, provided they do
   not reuse DH keys with multiple peers.  The tests can be considered
   as sanity checks, and will prevent the code having to handle inputs
   that it may not have been designed to handle.

   ECDH implementations that do reuse DH keys MUST be enhanced to
   include the above tests.

3.  Security Considerations

   This entire document is concerned with the IKEv2 security protocol
   and the need to harden it in some cases.

3.1.  DH Key Reuse and Multiple Peers

   This section describes the attack prevented by the tests defined

   Suppose that IKE peer Alice maintains IKE security associations with
   peers Bob and Eve. Alice uses the same secret ECDH key for both SAs,
   which is allowed with some restrictions.  If Alice does not implement
   these tests, Eve will be able to send a malformed public key, which
   would allow her to efficiently determine Alice's secret key (as
   described in Sec. 2 of [Menezes]).  Since the key is shared, Eve will
   be able to obtain Alice's shared IKE SA key with Bob.

4.  IANA Considerations

   This document does not have any IANA actions.

   All the Diffie-Hellman groups mentioned here are managed by IANA.
   Future documents that define new DH groups for use by IKEv2 MUST

Sheffer & Fluhrer         Expires June 10, 2013                 [Page 3]

Internet-Draft                  DH Tests                   December 2012

   reference this document and describe which of the tests listed here
   are applicable, or whether other tests are required.

5.  Acknowledgements

   We would like to thank Dan Harkins who initially raised this issue on
   the ipsec mailing list.

   The document was prepared using the lyx2rfc tool, created by Nico

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5996]  Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
              "Internet Key Exchange Protocol Version 2 (IKEv2)",
              RFC 5996, September 2010.

6.2.  Informative References

   [RFC3526]  Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
              Diffie-Hellman groups for Internet Key Exchange (IKE)",
              RFC 3526, May 2003.

   [RFC5114]  Lepinski, M. and S. Kent, "Additional Diffie-Hellman
              Groups for Use with IETF Standards", RFC 5114,
              January 2008.

   [Menezes]  Menezes, A. and B. Ostaoglu, "On Reusing Ephemeral Keys In
              Diffie-Hellman  Key Agreement Protocols", December 2008, <

Sheffer & Fluhrer         Expires June 10, 2013                 [Page 4]

Internet-Draft                  DH Tests                   December 2012

Authors' Addresses

   Yaron Sheffer
   10 Yirmiyahu St.
   Ramat HaSharon  47298

   Email: yaronf.ietf@gmail.com

   Scott Fluhrer
   Cisco Systems
   1414 Massachusetts Ave.
   Boxborough, MA  01719

   Email: sfluhrer@cisco.com

Sheffer & Fluhrer         Expires June 10, 2013                 [Page 5]

Html markup produced by rfcmarkup 1.129b, available from https://tools.ietf.org/tools/rfcmarkup/