1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
|
<pre>Internet Engineering Task Force (IETF) D. Harkins
Request for Comments: 6617 Aruba Networks
Category: Experimental June 2012
ISSN: 2070-1721
<span class="h1">Secure Pre-Shared Key (PSK) Authentication</span>
<span class="h1">for the Internet Key Exchange Protocol (IKE)</span>
Abstract
This memo describes a secure pre-shared key (PSK) authentication
method for the Internet Key Exchange Protocol (IKE). It is resistant
to dictionary attack and retains security even when used with weak
pre-shared keys.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This document is a product of the Internet Engineering
Task Force (IETF). It represents the consensus of the IETF
community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are a candidate for any level of
Internet Standard; see <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc6617">http://www.rfc-editor.org/info/rfc6617</a>.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
<span class="grey">Harkins Experimental [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-1.1">1.1</a>. Keyword Definitions ........................................<a href="#page-3">3</a>
<a href="#section-2">2</a>. Usage Scenarios .................................................<a href="#page-3">3</a>
<a href="#section-3">3</a>. Terms and Notation ..............................................<a href="#page-4">4</a>
<a href="#section-4">4</a>. Discrete Logarithm Cryptography .................................<a href="#page-5">5</a>
<a href="#section-4.1">4.1</a>. Elliptic Curve Cryptography (ECP) Groups ...................<a href="#page-5">5</a>
<a href="#section-4.2">4.2</a>. Finite Field Cryptography (MODP) Groups ....................<a href="#page-7">7</a>
<a href="#section-5">5</a>. Random Numbers ..................................................<a href="#page-8">8</a>
<a href="#section-6">6</a>. Using Passwords and Raw Keys For Authentication .................<a href="#page-8">8</a>
<a href="#section-7">7</a>. Assumptions .....................................................<a href="#page-9">9</a>
<a href="#section-8">8</a>. Secure PSK Authentication Message Exchange ......................<a href="#page-9">9</a>
<a href="#section-8.1">8.1</a>. Negotiation of Secure PSK Authentication ..................<a href="#page-10">10</a>
<a href="#section-8.2">8.2</a>. Fixing the Secret Element, SKE ............................<a href="#page-11">11</a>
<a href="#section-8.2.1">8.2.1</a>. ECP Operation to Select SKE ........................<a href="#page-12">12</a>
<a href="#section-8.2.2">8.2.2</a>. MODP Operation to Select SKE .......................<a href="#page-13">13</a>
<a href="#section-8.3">8.3</a>. Encoding and Decoding of Group Elements and Scalars .......<a href="#page-14">14</a>
<a href="#section-8.3.1">8.3.1</a>. Encoding and Decoding of Scalars ...................<a href="#page-14">14</a>
<a href="#section-8.3.2">8.3.2</a>. Encoding and Decoding of ECP Elements ..............<a href="#page-15">15</a>
<a href="#section-8.3.3">8.3.3</a>. Encoding and Decoding of MODP Elements .............<a href="#page-15">15</a>
<a href="#section-8.4">8.4</a>. Message Generation and Processing .........................<a href="#page-16">16</a>
<a href="#section-8.4.1">8.4.1</a>. Generation of a Commit .............................<a href="#page-16">16</a>
<a href="#section-8.4.2">8.4.2</a>. Processing of a Commit .............................<a href="#page-16">16</a>
<a href="#section-8.4.2.1">8.4.2.1</a>. Validation of an ECP Element ..............<a href="#page-16">16</a>
<a href="#section-8.4.2.2">8.4.2.2</a>. Validation of a MODP Element ..............<a href="#page-16">16</a>
<a href="#section-8.4.2.3">8.4.2.3</a>. Commit Processing Steps ...................<a href="#page-17">17</a>
<a href="#section-8.4.3">8.4.3</a>. Authentication of the Exchange .....................<a href="#page-17">17</a>
<a href="#section-8.5">8.5</a>. Payload Format ............................................<a href="#page-18">18</a>
<a href="#section-8.5.1">8.5.1</a>. Commit Payload .....................................<a href="#page-18">18</a>
<a href="#section-8.6">8.6</a>. IKEv2 Messaging ...........................................<a href="#page-19">19</a>
<a href="#section-9">9</a>. IANA Considerations ............................................<a href="#page-20">20</a>
<a href="#section-10">10</a>. Security Considerations .......................................<a href="#page-20">20</a>
<a href="#section-11">11</a>. Acknowledgements ..............................................<a href="#page-22">22</a>
<a href="#section-12">12</a>. References ....................................................<a href="#page-22">22</a>
<a href="#section-12.1">12.1</a>. Normative References .....................................<a href="#page-22">22</a>
<a href="#section-12.2">12.2</a>. Informative References ...................................<a href="#page-23">23</a>
<span class="grey">Harkins Experimental [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
[<a id="ref-RFC5996">RFC5996</a>] allows for authentication of the IKE peers using a pre-
shared key. This exchange, though, is susceptible to dictionary
attack and is therefore insecure when used with weak pre-shared keys,
such as human-memorizable passwords. To address the security issue,
[<a href="./rfc5996" title=""Internet Key Exchange Protocol Version 2 (IKEv2)"">RFC5996</a>] recommends that the pre-shared key used for authentication
"contain as much unpredictability as the strongest key being
negotiated". That means any non-hexadecimal key would require over
100 characters to provide enough strength to generate a 128-bit key
suitable for AES. This is an unrealistic requirement because humans
have a hard time entering a string over 20 characters without error.
Consequently, pre-shared key authentication in [<a href="./rfc5996" title=""Internet Key Exchange Protocol Version 2 (IKEv2)"">RFC5996</a>] is used
insecurely today.
A pre-shared key authentication method built on top of a zero-
knowledge proof will provide resistance to dictionary attack and
still allow for security when used with weak pre-shared keys, such as
user-chosen passwords. Such an authentication method is described in
this memo.
Resistance to dictionary attack is achieved when an adversary gets
one, and only one, guess at the secret per active attack (see, for
example, [<a href="#ref-BM92" title=""Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks"">BM92</a>], [<a href="#ref-BMP00" title=""Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman"">BMP00</a>], and [<a href="#ref-BPR00" title=""Authenticated Key Exchange Secure Against Dictionary Attacks"">BPR00</a>]). Another way of putting this
is that any advantage the adversary can realize is through
interaction and not through computation. This is demonstrably
different than the technique from [<a href="./rfc5996" title=""Internet Key Exchange Protocol Version 2 (IKEv2)"">RFC5996</a>] of using a large, random
number as the pre-shared key. That can only make a dictionary attack
less likely to succeed; it does not prevent a dictionary attack.
Furthermore, as [<a href="./rfc5996" title=""Internet Key Exchange Protocol Version 2 (IKEv2)"">RFC5996</a>] notes, it is completely insecure when used
with weak keys like user-generated passwords.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Keyword Definitions</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <a href="./rfc2119">RFC 2119</a> [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Usage Scenarios</span>
[<a id="ref-RFC5996">RFC5996</a>] describes usage scenarios for IKEv2. These are:
1. "Security Gateway to Security Gateway Tunnel": The endpoints of
the IKE (and IPsec) communication are network nodes that protect
traffic on behalf of connected networks. Protected traffic is
between devices on the respective protected networks.
<span class="grey">Harkins Experimental [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
2. "Endpoint-to-Endpoint Transport": The endpoints of the IKE (and
IPsec) communication are hosts according to [<a href="./rfc4301" title=""Security Architecture for the Internet Protocol"">RFC4301</a>]. Protected
traffic is between the two endpoints.
3. "Endpoint to Security Gateway Tunnel": One endpoint connects to a
protected network through a network node. The endpoints of the
IKE (and IPsec) communication are the endpoint and network node,
but the protected traffic is between the endpoint and another
device on the protected network behind the node.
The authentication and key exchange process described in this memo is
suitable for all the usage scenarios described in [<a href="./rfc5996" title=""Internet Key Exchange Protocol Version 2 (IKEv2)"">RFC5996</a>]. In the
"Security Gateway to Security Gateway Tunnel" scenario and the
"Endpoint-to-Endpoint Transport" scenario, it provides a secure
method of authentication without requiring a certificate. For the
"Endpoint to Security Gateway Tunnel" scenario, it provides for
secure username+password authentication that is popular in remote-
access VPN situations.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Terms and Notation</span>
The following terms and notations are used in this memo:
PSK
A shared, secret, and potentially low-entropy word, phrase, code,
or key used as a credential to mutually authenticate the peers.
a = prf(b, c)
The string "b" and "c" are given to a pseudo-random function
(prf) to produce a fixed-length output "a".
a | b
denotes concatenation of string "a" with string "b".
[a]b
indicates a string consisting of the single bit "a" repeated "b"
times.
len(a)
indicates the length in bits of the string "a".
LSB(a)
returns the least-significant bit of the bitstring "a".
element
one member of a finite cyclic group.
<span class="grey">Harkins Experimental [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
scalar
a quantity that can multiply an element.
The convention for this memo to represent an element in a finite
cyclic group is to use an upper-case letter or acronym, while a
scalar is indicated with a lowercase letter or acronym.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Discrete Logarithm Cryptography</span>
This protocol uses Discrete Logarithm Cryptography to achieve
authentication. Each party to the exchange derives ephemeral public
and private keys with respect to a particular set of domain
parameters (referred to here as a "group"). Groups can be either
based on finite field cryptography (modular exponentiation (MODP)
groups) or elliptic curve cryptography (ECP groups).
This protocol uses the same group as the IKE exchange in which it is
being used for authentication, with the exception of characteristic-
two elliptic curve groups (EC2N). Use of such groups is undefined
for this authentication method, and an IKE exchange that negotiates
one of these groups MUST NOT use this method of authentication.
For each group, the following operations are defined:
o "scalar operation" -- takes a scalar and an element in the group
to produce another element -- Z = scalar-op(x, Y).
o "element operation" -- takes two elements in the group to produce
a third -- Z = element-op(X, Y).
o "inverse operation" -- takes an element and returns another
element such that the element operation on the two produces the
identity element of the group -- Y = inverse(X).
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Elliptic Curve Cryptography (ECP) Groups</span>
The key exchange defined in this memo uses fundamental algorithms of
ECP groups as described in [<a href="./rfc6090" title=""Fundamental Elliptic Curve Cryptography Algorithms"">RFC6090</a>].
Domain parameters for ECP elliptic curves used for Secure PSK
Authentication include:
o A prime, p, determining a prime field GF(p). The cryptographic
group will be a subgroup of the full elliptic curve group that
consists of points on an elliptic curve -- elements from GF(p)
that satisfy the curve's equation -- together with the "point at
infinity" (denoted here as "0") that serves as the identity
element.
<span class="grey">Harkins Experimental [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
o Elements a and b from GF(p) that define the curve's equation. The
point (x,y) is on the elliptic curve if and only if y^2 = x^3 +
a*x + b.
o A prime, r, which is the order of, or number of elements in, a
subgroup generated by an element G.
The scalar operation is multiplication of a point on the curve by
itself a number of times. The point Y is multiplied x-times to
produce another point Z:
Z = scalar-op(x, Y) = x*Y
The element operation is addition of two points on the curve. Points
X and Y are summed to produce another point Z:
Z = element-op(X, Y) = X + Y
The inverse function is defined such that the sum of an element and
its inverse is "0", the point-at-infinity of an elliptic curve group:
Q + inverse(Q) = "0"
Elliptic curve groups require a mapping function, q = F(Q), to
convert a group element to an integer. The mapping function used in
this memo returns the x-coordinate of the point it is passed.
scalar-op(x, Y) can be viewed as x iterations of element-op() by
defining:
Y = scalar-op(1, Y)
Y = scalar-op(x, Y) = element-op(Y, scalar-op(x-1, Y)), for x > 1
A definition of how to add two points on an elliptic curve (i.e.,
element-op(X, Y)) can be found in [<a href="./rfc6090" title=""Fundamental Elliptic Curve Cryptography Algorithms"">RFC6090</a>].
Note: There is another ECP domain parameter, a cofactor, h, that is
defined by the requirement that the size of the full elliptic curve
group (including "0") be the product of h and r. ECP groups used for
Secure PSK Authentication MUST have a cofactor of one (1). At the
time of publication of this memo, all ECP groups in [<a href="#ref-IKEV2-IANA" title=""IKEv2 Parameters"">IKEV2-IANA</a>] had
a cofactor of one (1).
<span class="grey">Harkins Experimental [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Finite Field Cryptography (MODP) Groups</span>
Domain parameters for MODP groups used for Secure PSK Authentication
include:
o A prime, p, determining a prime field GF(p), the integers modulo
p.
o A prime, r, which is the multiplicative order, and thus also the
size, of the cryptographic subgroup of GF(p)* that is generated by
an element G.
The scalar operation is exponentiation of a generator modulo a prime.
An element Y is taken to the x-th power modulo the prime, thereby
returning another element, Z:
Z = scalar-op(x, Y) = Y^x mod p
The element operation is modular multiplication. Two elements, X and
Y, are multiplied modulo the prime, thereby returning another
element, Z:
Z = element-op(X, Y) = (X * Y) mod p
The inverse function for a MODP group is defined such that the
product of an element and its inverse modulo the group prime equals
one (1). In other words,
(Q * inverse(Q)) mod p = 1
Unlike ECP groups, MODP groups do not require a mapping function to
convert an element into an integer. However, for the purposes of
notation in protocol definition, the function F, when used below,
shall just return the value that was passed to it, i.e., F(i) = i.
Some MODP groups in [<a href="#ref-IKEV2-IANA" title=""IKEv2 Parameters"">IKEV2-IANA</a>] are based on safe primes, and the
order is not included in the group's domain parameter set. In this
case only, the order, r, MUST be computed as the prime minus one
divided by two -- (p-1)/2. If an order is included in the group's
domain parameter set, that value MUST be used in this exchange when
an order is called for. If a MODP group does not include an order in
its domain parameter set and is not based on a safe prime, it MUST
NOT be used with this exchange.
<span class="grey">Harkins Experimental [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Random Numbers</span>
As with IKE itself, the security of the Secure PSK Authentication
method relies upon each participant in the protocol producing quality
secret random numbers. A poor random number chosen by either side in
a single exchange can compromise the shared secret from that exchange
and open up the possibility of a dictionary attack.
Producing quality random numbers without specialized hardware entails
using a cryptographic mixing function (like a strong hash function)
to mix entropy from multiple, uncorrelated sources of information and
events. A very good discussion of this can be found in [<a href="./rfc4086" title=""Randomness Requirements for Security"">RFC4086</a>].
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Using Passwords and Raw Keys For Authentication</span>
The PSK used as an authentication credential with this protocol can
be either a character-based password or passphrase, or it could be a
binary or hexadecimal string. Regardless, however, this protocol
requires both the Initiator and Responder to have identical binary
representations of the shared credential.
If the PSK is a character-based password or passphrase, there are two
types of pre-processing that SHALL be employed to convert the
password or passphrase into a hexadecimal string suitable for use
with Secure PSK Authentication. If a PSK is already a hexadecimal or
binary string, it SHALL be used directly as the shared credential
without any pre-processing.
The first step of pre-processing is to remove ambiguities that may
arise due to internationalization. Each character-based password or
passphrase MUST be pre-processed to remove that ambiguity by
processing the character-based password or passphrase according to
the rules of the SASLprep [<a href="./rfc4013" title=""SASLprep: Stringprep Profile for User Names and Passwords"">RFC4013</a>] profile of [<a href="./rfc3454" title=""Preparation of Internationalized Strings ("">RFC3454</a>]. The
password or passphrase SHALL be considered a "stored string" per
[<a href="./rfc3454" title=""Preparation of Internationalized Strings ("">RFC3454</a>], and unassigned code points are therefore prohibited. The
output SHALL be the binary representation of the processed UTF-8
character string. Prohibited output and unassigned codepoints
encountered in SASLprep pre-processing SHALL cause a failure of pre-
processing, and the output SHALL NOT be used with Secure PSK
Authentication.
The next pre-processing step for character-based passwords or
passphrases is to effectively obfuscate the string. This is done in
an attempt to reduce exposure of stored passwords in the event of
server compromise, or compromise of a server's database of stored
passwords. The step involves taking the output of the SASLprep
[<a href="./rfc4013" title=""SASLprep: Stringprep Profile for User Names and Passwords"">RFC4013</a>] profile of [<a href="./rfc3454" title=""Preparation of Internationalized Strings ("">RFC3454</a>] and passing it, as the key, with the
<span class="grey">Harkins Experimental [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
ASCII string "IKE Secure PSK Authentication", as the data, to HMAC-
SHA256(). The output of this obfuscation step SHALL become the
shared credential used with Secure PSK Authentication.
Note: Passwords tend to be shared for multiple purposes, and
compromise of a server or database of stored plaintext passwords can
be used, in that event, to mount multiple attacks. The obfuscation
step is merely to hide the password in the event of server compromise
or compromise of the database of stored passwords. Advances in
distributed computing power have diminished the effectiveness of
performing multiple prf iterations as a technique to prevent
dictionary attacks, so no such behavior is proscribed here. Mutually
consenting implementations can agree to use a different password
obfuscation method; the one described here is for interoperability
purposes only.
If a device stores passwords for use at a later time, it SHOULD pre-
process the password prior to storage. If a user enters a password
into a device at authentication time, it MUST be pre-processed upon
entry and prior to use with Secure PSK Authentication.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Assumptions</span>
The security of the protocol relies on certain assumptions. They
are:
1. The pseudo-random function, prf, defined in [<a href="./rfc5996" title=""Internet Key Exchange Protocol Version 2 (IKEv2)"">RFC5996</a>], acts as an
"extractor" (see [<a href="./rfc5869" title=""HMAC-based Extract-and- Expand Key Derivation Function (HKDF)"">RFC5869</a>]) by distilling the entropy from a
secret input into a short, fixed string. The output of prf is
indistinguishable from a random source.
2. The discrete logarithm problem for the chosen finite cyclic group
is hard. That is, given G, p and Y = G^x mod p, it is
computationally infeasible to determine x. Similarly, for an
elliptic curve group given the curve definition, a generator G,
and Y = x * G, it is computationally infeasible to determine x.
3. The pre-shared key is drawn from a finite pool of potential keys.
Each possible key in the pool has equal probability of being the
shared key. All potential adversaries have access to this pool
of keys.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Secure PSK Authentication Message Exchange</span>
The key exchange described in this memo is based on the "Dragonfly"
key exchange, which has also been defined for use in 802.11 wireless
networks (see [<a href="#ref-SAE" title=""Simultaneous Authentication of Equals: A Secure, Password-Based Key Exchange for Mesh Networks"">SAE</a>]) and as an Extensible Authentication Protocol
(EAP) method (see [<a href="./rfc5931" title=""Extensible Authentication Protocol (EAP) Authentication Using Only a Password"">RFC5931</a>]). "Dragonfly" is patent-free and
<span class="grey">Harkins Experimental [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
royalty-free. It SHALL use the same pseudo-random function (prf) and
the same Diffie-Hellman group that are negotiated for use in the IKE
exchange that "Dragonfly" is authenticating.
A pseudo-random function that uses a block cipher is NOT RECOMMENDED
for use with Secure PSK Authentication due to its poor job operating
as an "extractor" (see <a href="#section-7">Section 7</a>). Pseudo-random functions based on
hash functions using the HMAC construct from [<a href="./rfc2104" title=""HMAC: Keyed-Hashing for Message Authentication"">RFC2104</a>] SHOULD be
used.
To perform Secure PSK Authentication, each side must generate a
shared and secret element in the chosen group based on the pre-shared
key. This element, called the Secret Key Element, or SKE, is then
used in the "Dragonfly" authentication and key exchange protocol.
"Dragonfly" consists of each side exchanging a Commit payload and
then proving knowledge of the resulting shared secret.
The Commit payload contributes ephemeral information to the exchange
and binds the sender to a single value of the pre-shared key from the
pool of potential pre-shared keys. An authentication payload (AUTH)
proves that the pre-shared key is known and completes the zero-
knowledge proof.
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Negotiation of Secure PSK Authentication</span>
The Initiator indicates its desire to use Secure PSK Authentication
by adding a Notify payload of type SECURE_PASSWORD_METHODS (see
[<a href="./rfc6467" title=""Secure Password Framework for Internet Key Exchange Version 2 (IKEv2)"">RFC6467</a>]) to the first message of the IKE_SA_INIT exchange and by
including 3 in the notification data field of the Notify payload,
indicating Secure PSK Authentication.
The Responder indicates its acceptance to perform Secure PSK
Authentication by adding a Notify payload of type
SECURE_PASSWORD_METHODS to its response in the IKE_SA_INIT exchange
and by adding the sole value of 3 to the notification data field of
the Notify payload.
If the Responder does not include a Notify payload of type
SECURE_PASSWORD_METHODS in its IKE_SA_INIT response, the Initiator
MUST terminate the exchange, and it MUST NOT fall back to the PSK
authentication method of [<a href="./rfc5996" title=""Internet Key Exchange Protocol Version 2 (IKEv2)"">RFC5996</a>]. If the Initiator only indicated
its support for Secure PSK Authentication (i.e., if the Notify data
field only contained 3) and the Responder replies with a Notify
payload of type SECURE_PASSWORD_METHODS and a different value in the
Notify data field, the Initiator MUST terminate the exchange.
<span class="grey">Harkins Experimental [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Fixing the Secret Element, SKE</span>
The method of fixing SKE depends on the type of group, either MODP or
ECP. The function "prf+" from [<a href="./rfc5996" title=""Internet Key Exchange Protocol Version 2 (IKEv2)"">RFC5996</a>] is used as a key derivation
function.
Fixing SKE involves an iterative hunting-and-pecking technique using
the prime from the negotiated group's domain parameter set and an
ECP- or MODP-specific operation depending on the negotiated group.
This technique requires the pre-shared key to be a binary string;
therefore, any pre-processing transformation (see <a href="#section-6">Section 6</a>) MUST be
performed on the pre-shared key prior to fixing SKE.
To thwart side-channel attacks that attempt to determine the number
of iterations of the hunting-and-pecking loop that are used to find
SKE for a given password, a security parameter, k, is used to ensure
that at least k iterations are always performed.
Prior to beginning the hunting-and-pecking loop, an 8-bit counter is
set to the value one (1). Then the loop begins. First, the pseudo-
random function is used to generate a secret seed using the counter,
the pre-shared key, and two nonces (without the fixed headers)
exchanged by the Initiator and the Responder (see <a href="#section-8.6">Section 8.6</a>):
ske-seed = prf(Ni | Nr, psk | counter)
Then, the ske-seed is expanded using prf+ to create an ske-value:
ske-value = prf+(ske-seed, "IKE SKE Hunting And Pecking")
where len(ske-value) is the same as len(p), the length of the prime
from the domain parameter set of the negotiated group.
If the ske-seed is greater than or equal to the prime, p, the counter
is incremented, a new ske-seed is generated, and the hunting-and-
pecking continues. If ske-seed is less than the prime, p, it is
passed to the group-specific operation to select the SKE or fail. If
the group-specific operation fails, the counter is incremented, a new
ske-seed is generated, and the hunting-and-pecking continues. This
process continues until the group-specific operation returns the
password element. After the password element has been chosen, a
random number is used in place of the password in the ske-seed
calculation, and the hunting-and-pecking continues until the counter
is greater than the security parameter, k.
<span class="grey">Harkins Experimental [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
<span class="h4"><a class="selflink" id="section-8.2.1" href="#section-8.2.1">8.2.1</a>. ECP Operation to Select SKE</span>
The group-specific operation for ECP groups uses ske-value, ske-seed,
and the equation of the curve to produce SKE. First, ske-value is
used directly as the x-coordinate, x, with the equation of the
elliptic curve, with parameters a and b from the domain parameter set
of the curve, to solve for a y-coordinate, y.
Note: A method of checking whether a solution to the equation of the
elliptic curve is to see whether the Legendre symbol of (x^3 + ax +
b) equals one (1). If it does, then a solution exists; if it does
not, then there is no solution.
If there is no solution to the equation of the elliptic curve, then
the operation fails, the counter is incremented, a new ske-value and
ske-seed are selected, and the hunting-and-pecking continues. If
there is a solution then, y is calculated as the square root of (x^3
+ ax + b) using the equation of the elliptic curve. In this case, an
ambiguity exists as there are technically two solutions to the
equation, and ske-seed is used to unambiguously select one of them.
If the low-order bit of ske-seed is equal to the low-order bit of y,
then a candidate SKE is defined as the point (x,y); if the low-order
bit of ske-seed differs from the low-order bit of y then a candidate
SKE is defined as the point (x, p-y) where p is the prime from the
negotiated group's domain parameter set. The candidate SKE becomes
the SKE, and the ECP-specific operation completes successfully.
<span class="grey">Harkins Experimental [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
Algorithmically, the process looks like this:
found = 0
counter = 1
v = psk
do {
ske-seed = prf(Ni | Nr, v | counter)
ske-value = prf+(ske-seed, "IKE SKE Hunting And Pecking")
if (ske-value < p)
then
x = ske-value
if ( (y = sqrt(x^3 + ax + b)) != FAIL)
then
if (found == 0)
then
if (LSB(y) == LSB(ske-seed))
then
SKE = (x,y)
else
SKE = (x, p-y)
fi
found = 1
v = random()
fi
fi
fi
counter = counter + 1
} while ((found == 0) || (counter <= k))
where FAIL indicates that there is no solution to sqrt(x^3 + ax + b).
Figure 1: Fixing SKE for ECP Groups
Note: For ECP groups, the probability that more than "n" iterations
of the hunting-and-pecking loop are required to find SKE is roughly
(1-(r/2p))^n, which rapidly approaches zero (0) as "n" increases.
<span class="h4"><a class="selflink" id="section-8.2.2" href="#section-8.2.2">8.2.2</a>. MODP Operation to Select SKE</span>
The group-specific operation for MODP groups takes ske-value, the
prime, p, and order, r, from the group's domain parameter set to
directly produce a candidate SKE by exponentiating the ske-value to
the value ((p-1)/r) modulo the prime. If the candidate SKE is
greater than one (1), the candidate SKE becomes the SKE, and the
MODP-specific operation completes successfully. Otherwise, the MODP-
specific operation fails (and the hunting-and-pecking continues).
<span class="grey">Harkins Experimental [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
Algorithmically, the process looks like this:
found = 0
counter = 1
v = psk
do {
ske-seed = prf(Ni | Nr, v | counter)
ske-value = prf+(ske-seed, "IKE SKE Hunting And Pecking")
if (ske-value < p)
then
ELE = ske-value ^ ((p-1)/r) mod p
if (ELE > 1)
then
if (found == 0)
SKE = ELE
found = 1
v = random()
fi
fi
fi
counter = counter + 1
} while ((found == 0) || (counter <= k))
Figure 2: Fixing SKE for MODP Groups
Note: For MODP groups, the probability that more than "n" iterations
of the hunting-and-pecking loop are required to find SKE is roughly
((m-p)/p)^n, where m is the largest unsigned number that can be
expressed in len(p) bits, which rapidly approaches zero (0) as "n"
increases.
<span class="h3"><a class="selflink" id="section-8.3" href="#section-8.3">8.3</a>. Encoding and Decoding of Group Elements and Scalars</span>
The payloads used in the Secure PSK Authentication method contain
elements from the negotiated group and scalar values. To ensure
interoperability, scalars and field elements MUST be represented in
payloads in accordance with the requirements in this section.
<span class="h4"><a class="selflink" id="section-8.3.1" href="#section-8.3.1">8.3.1</a>. Encoding and Decoding of Scalars</span>
Scalars MUST be represented (in binary form) as unsigned integers
that are strictly less than r, the order of the generator of the
agreed-upon cryptographic group. The binary representation of each
scalar MUST have a bit length equal to the bit length of the binary
representation of r. This requirement is enforced, if necessary, by
prepending the binary representation of the integer with zeros until
the required length is achieved.
<span class="grey">Harkins Experimental [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
Scalars in the form of unsigned integers are converted into octet
strings and back again using the technique described in [<a href="./rfc6090" title=""Fundamental Elliptic Curve Cryptography Algorithms"">RFC6090</a>].
<span class="h4"><a class="selflink" id="section-8.3.2" href="#section-8.3.2">8.3.2</a>. Encoding and Decoding of ECP Elements</span>
Elements in ECP groups are points on the negotiated elliptic curve.
Each such element MUST be represented by the concatenation of two
components, an x-coordinate and a y-coordinate.
Each of the two components, the x-coordinate and the y-coordinate,
MUST be represented (in binary form) as an unsigned integer that is
strictly less than the prime, p, from the group's domain parameter
set. The binary representation of each component MUST have a bit
length equal to the bit length of the binary representation of p.
This length requirement is enforced, if necessary, by prepending the
binary representation of the integer with zeros until the required
length is achieved.
The unsigned integers that represent the coordinates of the point are
converted into octet strings and back again using the technique
described in [<a href="./rfc6090" title=""Fundamental Elliptic Curve Cryptography Algorithms"">RFC6090</a>].
Since the field element is represented in a payload by the
x-coordinate followed by the y-coordinate, it follows, then, that the
length of the element in the payload MUST be twice the bit length of
p.
<span class="h4"><a class="selflink" id="section-8.3.3" href="#section-8.3.3">8.3.3</a>. Encoding and Decoding of MODP Elements</span>
Elements in MODP groups MUST be represented (in binary form) as
unsigned integers that are strictly less than the prime, p, from the
group's domain parameter set. The binary representation of each
group element MUST have a bit length equal to the bit length of the
binary representation of p. This length requirement is enforced, if
necessary, by prepending the binary representation of the integer
with zeros until the required length is achieved.
The unsigned integer that represents a MODP element is converted into
an octet string and back using the technique described in [<a href="./rfc6090" title=""Fundamental Elliptic Curve Cryptography Algorithms"">RFC6090</a>].
<span class="grey">Harkins Experimental [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
<span class="h3"><a class="selflink" id="section-8.4" href="#section-8.4">8.4</a>. Message Generation and Processing</span>
<span class="h4"><a class="selflink" id="section-8.4.1" href="#section-8.4.1">8.4.1</a>. Generation of a Commit</span>
Before a Commit payload can be generated, the SKE must be fixed using
the process described in <a href="#section-8.2">Section 8.2</a>.
A Commit payload has two components, a scalar and an element. To
generate a Commit payload, two random numbers, a "private" value and
a "mask" value, are generated (see <a href="#section-5">Section 5</a>). Their sum modulo the
order of the group, r, becomes the scalar component:
scalar = (private + mask) mod r
If the scalar is not greater than one (1), the private and mask
values MUST be thrown away, and new values randomly generated. If
the scalar is greater than one (1), the inverse of the scalar
operation with the mask and SKE becomes the element component.
Element = inverse(scalar-op(mask, SKE))
The Commit payload consists of the scalar followed by the element,
and the scalar and element are encoded in the Commit payload
according to <a href="#section-8.3">Section 8.3</a>.
<span class="h4"><a class="selflink" id="section-8.4.2" href="#section-8.4.2">8.4.2</a>. Processing of a Commit</span>
Upon receipt of a peer's Commit payload, the scalar and element MUST
be validated. The processing of an element depends on the type,
either an ECP element or a MODP element.
<span class="h5"><a class="selflink" id="section-8.4.2.1" href="#section-8.4.2.1">8.4.2.1</a>. Validation of an ECP Element</span>
Validating a received ECP element involves: 1) checking whether the
two coordinates, x and y, are both greater than zero (0) and less
than the prime defining the underlying field; and 2) checking whether
the x- and y-coordinates satisfy the equation of the curve (that is,
that they produce a valid point on the curve that is not "0"). If
either of these conditions are not met, the received element is
invalid; otherwise, the received element is valid.
<span class="h5"><a class="selflink" id="section-8.4.2.2" href="#section-8.4.2.2">8.4.2.2</a>. Validation of a MODP Element</span>
A received MODP element is valid if: 1) it is between one (1) and the
prime, p, exclusive; and 2) if modular exponentiation of the element
by the group order, r, equals one (1). If either of these conditions
are not true, the received element is invalid; otherwise, the
received element is valid.
<span class="grey">Harkins Experimental [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
<span class="h5"><a class="selflink" id="section-8.4.2.3" href="#section-8.4.2.3">8.4.2.3</a>. Commit Processing Steps</span>
Commit payload validation is accomplished by the following steps:
1. The length of the Commit payload is checked against its
anticipated length (the anticipated length of the scalar plus the
anticipated length of the element, for the negotiated group). If
it is incorrect, the Commit payload is invalidated; otherwise,
processing continues.
2. The peer's scalar is extracted from the Commit payload according
to <a href="#section-8.3.1">Section 8.3.1</a> and checked to ensure it is between one (1) and
r, the order of the negotiated group, exclusive. If it is not,
the Commit payload is invalidated; otherwise, processing
continues.
3. The peer's element is extracted from the Commit payload according
to <a href="#section-8.3.2">Section 8.3.2</a> and checked in a manner that depends on the type
of group negotiated. If the group is ECP, the element is
validated according to <a href="#section-8.4.2.1">Section 8.4.2.1</a>. If the group is MODP,
the element is validated according to <a href="#section-8.4.2.2">Section 8.4.2.2</a>. If the
element is not valid, then the Commit payload is invalidated;
otherwise, the Commit payload is validated.
4. The Initiator of the IKE exchange has an added requirement to
verify that the received element and scalar from the Commit
payload differ from the element and scalar sent to the Responder.
If they are identical, it signifies a reflection attack, and the
Commit payload is invalidated.
If the Commit payload is invalidated, the payload MUST be discarded
and the IKE exchange aborted.
<span class="h4"><a class="selflink" id="section-8.4.3" href="#section-8.4.3">8.4.3</a>. Authentication of the Exchange</span>
After a Commit payload has been generated and a peer's Commit payload
has been processed, a shared secret used to authenticate the peer is
derived. Using SKE, the "private" value generated as part of Commit
payload generation, and the peer's scalar and element from the peer's
Commit payload, named here peer-scalar and Peer-Element,
respectively, a preliminary shared secret, skey, is generated as:
skey = F(scalar-op(private,
element-op(Peer-Element,
scalar-op(peer-scalar, SKE))))
<span class="grey">Harkins Experimental [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
For the purposes of subsequent computation, the bit length of skey
SHALL be equal to the bit length of the prime, p, used in either a
MODP or ECP group. This bit length SHALL be enforced, if necessary,
by prepending zeros to the value until the required length is
achieved.
A shared secret, ss, is then computed from skey and the nonces
exchanged by the Initiator (Ni) and Responder (Nr) (without the fixed
headers) using prf():
ss = prf(Ni | Nr, skey | "Secure PSK Authentication in IKE")
The shared secret, ss, is used in an AUTH authentication payload to
prove possession of the shared secret and therefore knowledge of the
pre-shared key.
<span class="h3"><a class="selflink" id="section-8.5" href="#section-8.5">8.5</a>. Payload Format</span>
<span class="h4"><a class="selflink" id="section-8.5.1" href="#section-8.5.1">8.5.1</a>. Commit Payload</span>
[<a id="ref-RFC6467">RFC6467</a>] defines a Generic Secure Password Method (GSPM) payload
that is used to convey information that is specific to a particular
secure password method. This memo uses the GSPM payload as a Commit
payload to contain the scalar and element used in the Secure PSK
Authentication exchange:
The Commit payload is defined as follows:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload !C! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ scalar ~
| |
~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~
| |
~ Element ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The scalar and element SHALL be encoded in the Commit payload
according to <a href="#section-8.3">Section 8.3</a>.
<span class="grey">Harkins Experimental [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
<span class="h3"><a class="selflink" id="section-8.6" href="#section-8.6">8.6</a>. IKEv2 Messaging</span>
Secure PSK Authentication modifies the IKE_AUTH exchange by adding
one additional round trip to exchange Commit payloads to perform the
Secure PSK Authentication exchange and by changing the calculation of
the AUTH payload data to bind the IKEv2 exchange to the outcome of
the Secure PSK Authentication exchange (see Figure 3).
Initiator Responder
----------- -----------
IKE_SA_INIT:
HDR, SAi1, KEi, Ni,
N(SPM-SPSK) -->
<-- HDR, SAr1, KEr, Nr,
N(SPM-SPSK)
IKE_AUTH:
HDR, SK {IDi, COMi, [IDr,]
SAi2, TSi, TSr} -->
<-- HDR, SK {IDr, COMr}
HDR, SK {AUTHi} -->
<-- HDR, SK {AUTHr, SAr2, TSi, TSr}
where N(SPM-SPSK) indicates the Secure Password Methods Notify
payloads used to negotiate the use of Secure PSK Authentication (see
<a href="#section-8.1">Section 8.1</a>), COMi and AUTHi are the Commit payload and AUTH payload,
respectively, sent by the Initiator, and COMr and AUTHr are the
Commit payload and AUTH payload, respectively, sent by the Responder.
Figure 3: Secure PSK in IKEv2
When doing Secure PSK Authentication, the AUTH payloads SHALL be
computed as
AUTHi = prf(ss, <InitiatorSignedOctets> | COMi | COMr)
AUTHr = prf(ss, <ResponderSignedOctets> | COMr | COMi)
where "ss" is the shared secret derived in <a href="#section-8.4.3">Section 8.4.3</a>, COMi and
COMr are the entire Commit payloads (including the fixed headers)
sent by the Initiator and Responder, respectively, and
<InitiatorSignedOctets> and <ResponderSignedOctets> are defined in
<span class="grey">Harkins Experimental [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
[<a href="./rfc5996" title=""Internet Key Exchange Protocol Version 2 (IKEv2)"">RFC5996</a>]. The Authentication Method indicated in both AUTH payloads
SHALL be "Generic Secure Password Authentication Method", value 12,
from [<a href="#ref-IKEV2-IANA" title=""IKEv2 Parameters"">IKEV2-IANA</a>].
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. IANA Considerations</span>
IANA has assigned the value 3 for "Secure PSK Authentication" from
the Secure Password Authentication Method registry in [<a href="#ref-IKEV2-IANA" title=""IKEv2 Parameters"">IKEV2-IANA</a>].
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. Security Considerations</span>
Both the Initiator and Responder obtain a shared secret, "ss" (see
<a href="#section-8.4.3">Section 8.4.3</a>), based on a secret group element and their own private
values contributed to the exchange. If they do not share the same
pre-shared key, they will be unable to derive the same secret group
element, and if they do not share the same secret group element, they
will be unable to derive the same shared secret.
Resistance to dictionary attack means that the adversary must launch
an active attack to make a single guess at the pre-shared key. If
the size of the pool from which the key was extracted was d and each
key in the pool has an equal probability of being chosen, then the
probability of success after a single guess is 1/d. After x guesses,
and removal of failed guesses from the pool of possible keys, the
probability becomes 1/(d-x). As x grows, so does the probability of
success. Therefore, it is possible for an adversary to determine the
pre-shared key through repeated brute-force, active, guessing
attacks. This authentication method does not presume to be secure
against this, and implementations SHOULD ensure the value of d is
sufficiently large to prevent this attack. Implementations SHOULD
also take countermeasures, for instance, refusing authentication
attempts for a certain amount of time after the number of failed
authentication attempts reaches a certain threshold. No such
threshold or amount of time is recommended in this memo.
An active attacker can impersonate the Responder of the exchange and
send a forged Commit payload after receiving the Initiator's Commit
payload. The attacker then waits until it receives the
authentication payload from the Responder. Now the attacker can
attempt to run through all possible values of the pre-shared key,
computing SKE (see <a href="#section-8.2">Section 8.2</a>), computing "ss" (see <a href="#section-8.4.3">Section 8.4.3</a>),
and attempting to recreate the Confirm payload from the Responder.
But, by sending a forged Commit payload the attacker commits to a
single guess of the pre-shared key. That value was used by the
Responder in his computation of "ss", which was used in the
authentication payload. Any guess of the pre-shared key that differs
from the one used in the forged Commit payload would result in each
<span class="grey">Harkins Experimental [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
side using a different secret element in the computation of "ss" and
therefore the authentication payload could not be verified as
correct, even if a subsequent guess, while running through all
possible values, was correct. The attacker gets one guess, and one
guess only, per active attack.
An attacker, acting as either the Initiator or Responder, can take
the element from the Commit payload received from the other party,
reconstruct the random "mask" value used in its construction, and
then recover the other party's "private" value from the scalar in the
Commit payload. But this requires the attacker to solve the discrete
logarithm problem, which we assumed was intractable (<a href="#section-7">Section 7</a>).
Instead of attempting to guess at pre-shared keys, an attacker can
attempt to determine SKE and then launch an attack, but SKE is
determined by the output of the pseudo-random function, prf, which is
assumed to be indistinguishable from a random source (<a href="#section-7">Section 7</a>).
Therefore, each element of the finite cyclic group will have an equal
probability of being the SKE. The probability of guessing SKE will
be 1/r, where r is the order of the group. This is the same
probability of guessing the solution to the discrete logarithm, which
is assumed to be intractable (<a href="#section-7">Section 7</a>). The attacker would have a
better chance of success at guessing the input to prf, i.e., the pre-
shared key, since the order of the group will be many orders of
magnitude greater than the size of the pool of pre-shared keys.
The implications of resistance to dictionary attack are significant.
An implementation can provision a pre-shared key in a practical and
realistic manner -- i.e., it MAY be a character string, and it MAY be
relatively short -- and still maintain security. The nature of the
pre-shared key determines the size of the pool, D, and
countermeasures can prevent an adversary from determining the secret
in the only possible way: repeated, active, guessing attacks. For
example, a simple four-character string using lowercase English
characters, and assuming random selection of those characters, will
result in D of over four hundred thousand. An adversary would need
to mount over one hundred thousand active, guessing attacks (which
will easily be detected) before gaining any significant advantage in
determining the pre-shared key.
If an attacker knows the number of hunting-and-pecking loops that
were required to determine SKE, it is possible to eliminate passwords
from the pool of potential passwords and increase the probability of
successfully guessing the real password. MODP groups will require
more than "n" loops with a probability based on the value of the
prime -- if m is the largest unsigned number that can be expressed in
len(p) bits, then the probability is ((m-p)/p)^n -- which will
typically be very small for the groups defined in [<a href="#ref-IKEV2-IANA" title=""IKEv2 Parameters"">IKEV2-IANA</a>]. ECP
<span class="grey">Harkins Experimental [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
groups will require more than one "n" loop with a probability of
roughly (1-(r/2p))^n. Therefore, a security parameter, k, is defined
that will ensure that at least k loops will always be executed
regardless of whether SKE is found in less than k loops. There is
still a probability that a password would require more than k loops,
and a side-channel attacker could use that information to his
advantage, so selection of the value of k should be based on a trade-
off between the additional workload to always perform k iterations
and the potential of providing information to a side-channel
attacker. It is important to note that the possibility of a
successful side-channel attack is greater against ECP groups than
MODP groups, and it might be appropriate to have separate values of k
for the two.
For a more detailed discussion of the security of the key exchange
underlying this authentication method, see [<a href="#ref-SAE" title=""Simultaneous Authentication of Equals: A Secure, Password-Based Key Exchange for Mesh Networks"">SAE</a>] and [<a href="./rfc5931" title=""Extensible Authentication Protocol (EAP) Authentication Using Only a Password"">RFC5931</a>].
<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>. Acknowledgements</span>
The author would like to thank Scott Fluhrer and Hideyuki Suzuki for
their insight in discovering flaws in earlier versions of the key
exchange that underlies this authentication method and for their
helpful suggestions in improving it. Thanks to Lily Chen for useful
advice on the hunting-and-pecking technique to "hash into" an element
in a group and to Jin-Meng Ho for a discussion on countering a small
sub-group attack. Rich Davis suggested several checks on received
messages that greatly increase the security of the underlying key
exchange. Hugo Krawczyk suggested using the prf as an extractor.
<span class="h2"><a class="selflink" id="section-12" href="#section-12">12</a>. References</span>
<span class="h3"><a class="selflink" id="section-12.1" href="#section-12.1">12.1</a>. Normative References</span>
[<a id="ref-IKEV2-IANA">IKEV2-IANA</a>] IANA, "IKEv2 Parameters",
<<a href="http://www.iana.org/assignments/ikev2-parameters">http://www.iana.org/assignments/ikev2-parameters</a>>.
[<a id="ref-RFC2104">RFC2104</a>] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC:
Keyed-Hashing for Message Authentication", <a href="./rfc2104">RFC 2104</a>,
February 1997.
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC3454">RFC3454</a>] Hoffman, P. and M. Blanchet, "Preparation of
Internationalized Strings ("stringprep")", <a href="./rfc3454">RFC 3454</a>,
December 2002.
<span class="grey">Harkins Experimental [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
[<a id="ref-RFC4013">RFC4013</a>] Zeilenga, K., "SASLprep: Stringprep Profile for User
Names and Passwords", <a href="./rfc4013">RFC 4013</a>, February 2005.
[<a id="ref-RFC5996">RFC5996</a>] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)",
<a href="./rfc5996">RFC 5996</a>, September 2010.
[<a id="ref-RFC6090">RFC6090</a>] McGrew, D., Igoe, K., and M. Salter, "Fundamental
Elliptic Curve Cryptography Algorithms", <a href="./rfc6090">RFC 6090</a>,
February 2011.
[<a id="ref-RFC6467">RFC6467</a>] Kivinen, T., "Secure Password Framework for Internet
Key Exchange Version 2 (IKEv2)", <a href="./rfc6467">RFC 6467</a>,
December 2011.
<span class="h3"><a class="selflink" id="section-12.2" href="#section-12.2">12.2</a>. Informative References</span>
[<a id="ref-BM92">BM92</a>] Bellovin, S. and M. Merritt, "Encrypted Key Exchange:
Password-Based Protocols Secure Against Dictionary
Attacks", Proceedings of the IEEE Symposium on Security
and Privacy, Oakland, 1992.
[<a id="ref-BMP00">BMP00</a>] Boyko, V., MacKenzie, P., and S. Patel, "Provably
Secure Password-Authenticated Key Exchange Using
Diffie-Hellman", Proceedings of Eurocrypt 2000, LNCS
1807 Springer-Verlag, 2000.
[<a id="ref-BPR00">BPR00</a>] Bellare, M., Pointcheval, D., and P. Rogaway,
"Authenticated Key Exchange Secure Against Dictionary
Attacks", Advances in Cryptology -- Eurocrypt '00,
Lecture Notes in Computer Science Springer-Verlag,
2000.
[<a id="ref-RFC4086">RFC4086</a>] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
Requirements for Security", <a href="https://www.rfc-editor.org/bcp/bcp106">BCP 106</a>, <a href="./rfc4086">RFC 4086</a>,
June 2005.
[<a id="ref-RFC4301">RFC4301</a>] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", <a href="./rfc4301">RFC 4301</a>, December 2005.
[<a id="ref-RFC5869">RFC5869</a>] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-
Expand Key Derivation Function (HKDF)", <a href="./rfc5869">RFC 5869</a>,
May 2010.
[<a id="ref-RFC5931">RFC5931</a>] Harkins, D. and G. Zorn, "Extensible Authentication
Protocol (EAP) Authentication Using Only a Password",
<a href="./rfc5931">RFC 5931</a>, August 2010.
<span class="grey">Harkins Experimental [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc6617">RFC 6617</a> Secure PSK Authentication for IKE June 2012</span>
[<a id="ref-SAE">SAE</a>] Harkins, D., "Simultaneous Authentication of Equals: A
Secure, Password-Based Key Exchange for Mesh Networks",
Proceedings of the 2008 Second International Conference
on Sensor Technologies and Applications Volume 00,
2008.
Author's Address
Dan Harkins
Aruba Networks
1322 Crossman Avenue
Sunnyvale, CA 94089-1113
United States of America
EMail: dharkins@arubanetworks.com
Harkins Experimental [Page 24]
</pre>
|
