1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
|
<pre>Network Working Group S. Bellovin
Request for Comments: 4107 Columbia University
BCP: 107 R. Housley
Category: Best Current Practice Vigil Security
June 2005
<span class="h1">Guidelines for Cryptographic Key Management</span>
Status of This Memo
This document specifies an Internet Best Current Practices for the
Internet Community, and requests discussion and suggestions for
improvements. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
The question often arises of whether a given security system requires
some form of automated key management, or whether manual keying is
sufficient. This memo provides guidelines for making such decisions.
When symmetric cryptographic mechanisms are used in a protocol, the
presumption is that automated key management is generally but not
always needed. If manual keying is proposed, the burden of proving
that automated key management is not required falls to the proposer.
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
The question often arises of whether or not a given security system
requires some form of automated key management, or whether manual
keying is sufficient.
There is not one answer to that question; circumstances differ. In
general, automated key management SHOULD be used. Occasionally,
relying on manual key management is reasonable; we propose some
guidelines for making that judgment.
On the other hand, relying on manual key management has significant
disadvantages, and we outline the security concerns that justify the
preference for automated key management. However, there are
situations in which manual key management is acceptable.
<span class="grey">Bellovin & Housley Best Current Practice [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc4107">RFC 4107</a> Guidelines for Cryptographic Key Management June 2005</span>
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Terminology</span>
The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
document, are to be interpreted as described in <a href="./rfc2119">RFC 2119</a> [<a href="#ref-B" title=""Key words for use in RFCs to Indicate Requirement Levels"">B</a>].
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Guidelines</span>
These guidelines are for use by IETF working groups and protocol
authors who are determining whether to mandate automated key
management and whether manual key management is acceptable. Informed
judgment is needed.
The term "key management" refers to the establishment of
cryptographic keying material for use with a cryptographic algorithm
to provide protocol security services, especially integrity,
authentication, and confidentiality. Automated key management
derives one or more short-term session keys. The key derivation
function may make use of long-term keys to incorporate authentication
into the process. The manner in which this long-term key is
distributed to the peers and the type of key used (pre-shared
symmetric secret value, RSA public key, DSA public key, and others)
is beyond the scope of this document. However, it is part of the
overall key management solution. Manual key management is used to
distribute such values. Manual key management can also be used to
distribute long-term session keys.
Automated key management and manual key management provide very
different features. In particular, the protocol associated with an
automated key management technique will confirm the liveness of the
peer, protect against replay, authenticate the source of the short-
term session key, associate protocol state information with the
short-term session key, and ensure that a fresh short-term session
key is generated. Further, an automated key management protocol can
improve interoperability by including negotiation mechanisms for
cryptographic algorithms. These valuable features are impossible or
extremely cumbersome to accomplish with manual key management.
For some symmetric cryptographic algorithms, implementations must
prevent overuse of a given key. An implementation of such algorithms
can make use of automated key management when the usage limits are
nearly exhausted, in order to establish replacement keys before the
limits are reached, thereby maintaining secure communications.
Examples of automated key management systems include IPsec IKE and
Kerberos. S/MIME and TLS also include automated key management
functions.
<span class="grey">Bellovin & Housley Best Current Practice [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc4107">RFC 4107</a> Guidelines for Cryptographic Key Management June 2005</span>
Key management schemes should not be designed by amateurs; it is
almost certainly inappropriate for working groups to design their
own. To put it in concrete terms, the very first key management
protocol in the open literature was published in 1978 [<a href="#ref-NS" title=""Using encryption for authentication in large networks of computers"">NS</a>]. A flaw
and a fix were published in 1981 [<a href="#ref-DS" title=""Timestamps in key distributed protocols"">DS</a>], and the fix was cracked in
1994 [<a href="#ref-AN" title=""Prudent Engineering Practice for Cryptographic Protocols"">AN</a>]. In 1995 [<a href="#ref-L" title=""An attack on the Needham-Schroeder public key authentication protocol"">L</a>], a new flaw was found in the original 1978
version, in an area not affected by the 1981/1994 issue. All of
these flaws were obvious once described -- yet no one spotted them
earlier. Note that the original protocol (translated to employ
certificates, which had not been invented at that time) was only
three messages.
Key management software is not always large or bloated. Even IKEv1
[<a href="#ref-HC" title=""The Internet Key Exchange (IKE)"">HC</a>] can be done in less than 200 Kbytes of object code, and TLS [<a href="#ref-DA" title=""The TLS Protocol Version 1.0"">DA</a>]
in half that space. Note that this TLS estimate includes other
functionality as well.
A session key is used to protect a payload. The nature of the
payload depends on the layer where the symmetric cryptography is
applied.
In general, automated key management SHOULD be used to establish
session keys. Strong justification is needed in the security
considerations section of a proposal that makes use of manual key
management.
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Automated Key Management</span>
Automated key management MUST be used if any of these conditions
hold:
A party will have to manage n^2 static keys, where n may become
large.
Any stream cipher (such as RC4 [<a href="#ref-TK" title=""A Stream Cipher Encryption Algorithm"">TK</a>], AES-CTR [<a href="#ref-NIST" title=""Recommendation for Block Cipher Modes of Operation -- Methods and Techniques,"">NIST</a>], or AES-CCM
[<a href="#ref-WHF" title=""Counter with CBC-MAC (CCM)"">WHF</a>]) is used.
An initialization vector (IV) might be reused, especially an
implicit IV. Note that random or pseudo-random explicit IVs are
not a problem unless the probability of repetition is high.
Large amounts of data might need to be encrypted in a short time,
causing frequent change of the short-term session key.
Long-term session keys are used by more than two parties.
Multicast is a necessary exception, but multicast key management
standards are emerging in order to avoid this in the future.
Sharing long-term session keys should generally be discouraged.
<span class="grey">Bellovin & Housley Best Current Practice [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc4107">RFC 4107</a> Guidelines for Cryptographic Key Management June 2005</span>
The likely operational environment is one where personnel (or
device) turnover is frequent, causing frequent change of the
short-term session key.
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Manual Key Management</span>
Manual key management may be a reasonable approach in any of these
situations:
The environment has very limited available bandwidth or very high
round-trip times. Public key systems tend to require long
messages and lots of computation; symmetric key alternatives, such
as Kerberos, often require several round trips and interaction
with third parties.
The information being protected has low value.
The total volume of traffic over the entire lifetime of the long-
term session key will be very low.
The scale of each deployment is very limited.
Note that assertions about such things should often be viewed with
skepticism. The burden of demonstrating that manual key management
is appropriate falls to the proponents -- and it is a fairly high
hurdle.
Systems that employ manual key management need provisions for key
changes. There MUST be some way to indicate which key is in use to
avoid problems during transition. Designs SHOULD sketch plausible
mechanisms for deploying new keys and replacing old ones that might
have been compromised. If done well, such mechanisms can later be
used by an add-on key management scheme.
Lack of clarity about the parties involved in authentication is not a
valid reason for avoiding key management. Rather, it tends to
indicate a deeper problem with the underlying security model.
<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. Key Size and Random Values</span>
Guidance on cryptographic key size for public keys that are used for
exchanging symmetric keys can be found in <a href="https://www.rfc-editor.org/bcp/bcp86">BCP 86</a> [<a href="#ref-OH" title=""Determining Strengths For Public Keys Used For Exchanging Symmetric Keys"">OH</a>].
When manual key management is used, long-term shared secret values
SHOULD be at least 128 bits.
Guidance on random number generation can be found in <a href="https://www.rfc-editor.org/bcp/bcp106">BCP 106</a> [<a href="#ref-ESC" title=""Randomness Requirements for Security"">ESC</a>].
<span class="grey">Bellovin & Housley Best Current Practice [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc4107">RFC 4107</a> Guidelines for Cryptographic Key Management June 2005</span>
When manual key management is used, long-term shared secrets MUST be
unpredictable "random" values, ensuring that an adversary will have
no greater expectation than 50% of finding the value after searching
half the key search space.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Security Considerations</span>
This document provides guidance to working groups and protocol
designers. The security of the Internet is improved when automated
key management is employed.
The inclusion of automated key management does not mean that an
interface for manual key management is prohibited. In fact, manual
key management is very helpful for debugging. Therefore,
implementations ought to provide a manual key management interface
for such purposes, even if it is not specified by the protocol.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. References</span>
This section contains normative and informative references.
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Normative References</span>
[<a id="ref-B">B</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-ESC">ESC</a>] Eastlake, D., 3rd, Schiller, J., and S. Crocker, "Randomness
Requirements for Security", <a href="https://www.rfc-editor.org/bcp/bcp106">BCP 106</a>, <a href="./rfc4086">RFC 4086</a>, June 2005.
[<a id="ref-OH">OH</a>] Orman, H. and P. Hoffman, "Determining Strengths For Public
Keys Used For Exchanging Symmetric Keys", <a href="https://www.rfc-editor.org/bcp/bcp86">BCP 86</a>, <a href="./rfc3766">RFC 3766</a>,
April 2004
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Informative References</span>
[<a id="ref-AN">AN</a>] M. Abadi and R. Needham, "Prudent Engineering Practice for
Cryptographic Protocols", Proc. IEEE Computer Society
Symposium on Research in Security and Privacy, May 1994.
[<a id="ref-DA">DA</a>] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", <a href="./rfc2246">RFC</a>
<a href="./rfc2246">2246</a>, January 1999.
[<a id="ref-DS">DS</a>] D. Denning and G. Sacco. "Timestamps in key distributed
protocols", Communication of the ACM, 24(8):533--535, 1981.
[<a id="ref-HC">HC</a>] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)",
<a href="./rfc2409">RFC 2409</a>, November 1998.
<span class="grey">Bellovin & Housley Best Current Practice [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc4107">RFC 4107</a> Guidelines for Cryptographic Key Management June 2005</span>
[<a id="ref-L">L</a>] G. Lowe. "An attack on the Needham-Schroeder public key
authentication protocol", Information Processing Letters,
56(3):131--136, November 1995.
[<a id="ref-NIST">NIST</a>] National Institute of Standards and Technology.
"Recommendation for Block Cipher Modes of Operation -- Methods
and Techniques," NIST Special Publication SP 800-38A, December
2001.
[<a id="ref-NS">NS</a>] R. Needham and M. Schroeder. "Using encryption for
authentication in large networks of computers", Communications
of the ACM, 21(12), December 1978.
[<a id="ref-TK">TK</a>] Thayer, R. and K. Kaukonen. "A Stream Cipher Encryption
Algorithm", Work in Progress.
[<a id="ref-WHF">WHF</a>] Whiting, D., Housley, R., and N. Ferguson , "Counter with
CBC-MAC (CCM)", <a href="./rfc3610">RFC 3610</a>, September 2003.
Authors' Addresses
Steven M. Bellovin
Department of Computer Science
Columbia University
1214 Amsterdam Avenue, M.C. 0401
New York, NY 10027-7003
Phone: +1 212-939-7149
EMail: bellovin@acm.org
Russell Housley
Vigil Security, LLC
918 Spring Knoll Drive
Herndon, VA 20170
Phone: +1 703-435-1775
EMail: housley@vigilsec.com
<span class="grey">Bellovin & Housley Best Current Practice [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc4107">RFC 4107</a> Guidelines for Cryptographic Key Management June 2005</span>
Full Copyright Statement
Copyright (C) The Internet Society (2005).
This document is subject to the rights, licenses and restrictions
contained in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a>, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and <a href="https://www.rfc-editor.org/bcp/bcp79">BCP 79</a>.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
<a href="http://www.ietf.org/ipr">http://www.ietf.org/ipr</a>.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Bellovin & Housley Best Current Practice [Page 7]
</pre>
|
