At first glance, there appear to be a large number of schemes. In practice, the selection is simple to automate.
Each scheme indicates a needed strength. This strength is based upon the functions used in protecting the Photuris Exchanges themselves.
Each keyed attribute also indicates a needed strength. This strength is based upon its cryptographic functions.
Because the usage of these functions is orthogonal, the same strength value can select an appropriate scheme that meets the needs of both features.
A.1. Responder
The attributes to be offered to the particular Initiator are
examined. For each level of strength specified, a scheme that meets or exceeds the requirements is offered.
For example, a Responder offering MD5-IPMAC and SHA1-IPMAC might offer scheme #2 with a 512-bit modulus and a 1024-bit modulus, and scheme #4 with a zero Size (indicating moduli of #2).
A.2. Initiator
The strength indicated by the application for the Security
Association, together with the party privacy policy of the system operator, is used to select from the offered schemes. The strength indicates the minimal level to be chosen, while the party privacy policy indicates whether to choose the minimal or maximal level of available protection.
For example, an application might indicate that it desires 80-bits of strength. In that case, only the 1024-bit modulus would be
appropriate. The party privacy policy of the system operator would indicate whether to choose scheme #2 with "Simple Masking" or scheme #4 with "DES-CBC over Mask".
Alternatively, an application might indicate that it desires 64-bits of strength. The party privacy policy of the system operator would indicate whether to choose scheme #2 with the 512-bit modulus, or scheme #4 with the 1024-bit modulus.
Security Considerations
Provision for multiple generators does not enhance the security of the Photuris protocol exchange itself. Rather, it provides an opportunity for novelty of moduli, by allowing more forms of moduli to be used. An abundance of moduli inhibits a determined attacker from pre-calculating moduli exchange values, and discourages
dedication of resources for analysis of any particular modulus. That is, this protects the community of Photuris users.
In addition to preventing various attacks by protecting verification fields, the masking of the message plaintext before encryption is intended to obscure the relation of the number of parties and SPIs active between two IP nodes. The privacy mask dependency on the SPI and SPILT generates a different initial encrypted block for every SPI creation message.
This obscurement would be less effective when the SPI and SPILT are invariant or are not created for a particular exchange direction.
The number of parties could be revealed by the number of exchanges with differences in the initial encrypted blocks.
Acknowledgements
Phil Karn was principally responsible for the design of party privacy protection, and provided much of the design rationale text (now
removed to a separate document).
William Simpson was responsible for the packet formats, and additional Exchange-Schemes, editing and formatting. All such mistakes are his responsibity.
Use of encryption for privacy protection is also found in the Station-To-Station authentication protocol [DOW92].
Bart Preneel and Paul C van Oorschot in [PO96] recommended padding between the data and trailing key when hashing for authentication.
Niels Provos developed the first implementation with multiple schemes and multiple moduli per scheme (circa July 1997).
Special thanks to the Center for Information Technology Integration (CITI) for providing computing resources.
References
[DBP96] Dobbertin, H., Bosselaers, A., and Preneel, B., 160: a strengthened version of RIPEMD", Fast Software Encryption, Third International Workshop, Lecture Notes in Computer Science 1039 (1996), Springer-Verlag, pages 71-82.
See also corrections at
ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/bosselae/ripemd/.
[DOW92] Whitfield Diffie, Paul C van Oorshot, and Michael J
Wiener, "Authentication and Authenticated Key Exchanges", Designs, Codes and Cryptography, v 2 pp 107-125, Kluwer Academic Publishers, 1992.
[FIPS-180-1]
"Secure Hash Standard", National Institute of Standards and Technology, U.S. Department Of Commerce, April 1995.
Also known as: 59 Fed Reg 35317 (1994).
[KR96] Kaliski, B., and Robshaw, M., "Multiple Encryption:
Weighing Security and Performance", Dr. Dobbs Journal, January 1996.
[PO96] Bart Preneel, and Paul C van Oorshot, "On the security of two MAC algorithms", Advances in Cryptology -- Eurocrypt ’96, Lecture Notes in Computer Science 1070 (May 1996), Springer-Verlag, pages 19-32.
[RFC-1829] Karn, P., Metzger, P., Simpson, W., "The ESP DES-CBC Transform", July 1995.
[RFC-1850] Karn, P., Metzger, P., Simpson, W., "The ESP Triple DES Transform", September 1995.
[RFC-1851] Metzger, P., Simpson, W., "IP Authentication using Keyed SHA", September 1995.
[RFC-2521] Karn, P., and Simpson, W., "ICMP Security Failures Messages", March 1999.
[RFC-2522] Karn, P., and Simpson, W., "Photuris: Session-Key Management Protocol", March 1999.
[XEX3] Simpson, W., Baldwin, R., "The ESP DES-XEX3-CBC Transform", Work In Progress, June 1997.
Contacts
Comments about this document should be discussed on the photuris@adk.gr mailing list.
Questions about this document can also be directed to:
Phil Karn Qualcomm, Inc.
6455 Lusk Blvd.
San Diego, California 92121-2779 karn@qualcomm.com
karn@unix.ka9q.ampr.org (preferred)
William Allen Simpson DayDreamer
Computer Systems Consulting Services 1384 Fontaine
Madison Heights, Michigan 48071 wsimpson@UMich.edu
wsimpson@GreenDragon.com (preferred)
Full Copyright Statement
Copyright (C) The Internet Society (1999). Copyright (C) Philip Karn and William Allen Simpson (1994-1999). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of
developing Internet standards (in which case the procedures for copyrights defined in the Internet Standards process must be
followed), or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING (BUT NOT LIMITED TO) ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.