From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc4650.txt | 1515 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1515 insertions(+) create mode 100644 doc/rfc/rfc4650.txt (limited to 'doc/rfc/rfc4650.txt') diff --git a/doc/rfc/rfc4650.txt b/doc/rfc/rfc4650.txt new file mode 100644 index 0000000..d03147d --- /dev/null +++ b/doc/rfc/rfc4650.txt @@ -0,0 +1,1515 @@ + + + + + + +Network Working Group M. Euchner +Request for Comments: 4650 September 2006 +Category: Standards Track + + + HMAC-Authenticated Diffie-Hellman + for Multimedia Internet KEYing (MIKEY) + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +Abstract + + This document describes a lightweight point-to-point key management + protocol variant for the multimedia Internet keying (MIKEY) protocol + MIKEY, as defined in RFC 3830. In particular, this variant deploys + the classic Diffie-Hellman key agreement protocol for key + establishment featuring perfect forward secrecy in conjunction with a + keyed hash message authentication code for achieving mutual + authentication and message integrity of the key management messages + exchanged. This protocol addresses the security and performance + constraints of multimedia key management in MIKEY. + + + + + + + + + + + + + + + + + + + + +Euchner Standards Track [Page 1] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + +Table of Contents + + 1. Introduction ....................................................2 + 1.1. Definitions ................................................5 + 1.2. Abbreviations ..............................................6 + 1.3. Conventions Used in This Document ..........................7 + 2. Scenario ........................................................7 + 2.1. Applicability ..............................................7 + 2.2. Relation to GKMARCH ........................................8 + 3. DHHMAC Security Protocol ........................................8 + 3.1. TGK Re-keying .............................................10 + 4. DHHMAC Payload Formats .........................................10 + 4.1. Common Header Payload (HDR) ..............................11 + 4.2. Key Data Transport Payload (KEMAC) ........................12 + 4.3. ID Payload (ID) ...........................................12 + 4.4. General Extension Payload .................................12 + 5. Security Considerations ........................................13 + 5.1. Security Environment ......................................13 + 5.2. Threat Model ..............................................13 + 5.3. Security Features and Properties ..........................15 + 5.4. Assumptions ...............................................19 + 5.5. Residual Risk .............................................20 + 5.6. Authorization and Trust Model .............................21 + 6. Acknowledgments ................................................21 + 7. IANA Considerations ............................................22 + 8. References .....................................................22 + 8.1. Normative References ......................................22 + 8.2. Informative References ....................................22 + Appendix A. Usage of MIKEY-DHHMAC in H.235 ........................25 + +1. Introduction + + There is work done in IETF to develop key management schemes. For + example, IKE [12] is a widely accepted unicast scheme for IPsec, and + the MSEC WG is developing other schemes, addressed to group + communication [17], [18]. For reasons discussed below, there is, + however, a need for a scheme with low latency, suitable for demanding + cases such as real-time data over heterogeneous networks and small + interactive groups. + + As pointed out in MIKEY (see [2]), secure real-time multimedia + applications demand a particular adequate lightweight key management + scheme that takes care to establish dynamic session keys securely and + efficiently in a conversational multimedia scenario. + + In general, MIKEY scenarios cover peer-to-peer, simple one-to-many, + and small-sized groups. MIKEY in particular describes three key + + + + +Euchner Standards Track [Page 2] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + management schemes for the peer-to-peer case that all finish their + task within one roundtrip: + + - a symmetric key distribution protocol (MIKEY-PS) based on pre- + shared master keys + + - a public-key encryption-based key distribution protocol (MIKEY-PK + and reverse-mode MIKEY-RSA-R [33]) assuming a public-key + infrastructure with RSA-based (Rivest, Shamir and Adleman) + private/public keys and digital certificates + + - a Diffie-Hellman key agreement protocol (MIKEY-DHSIGN) deploying + digital signatures and certificates. + + All of these three key management protocols are designed so that they + complete their work within just one roundtrip. This requires + depending on loosely synchronized clocks and deploying timestamps + within the key management protocols. + + However, it is known [6] that each of the three key management + schemes has its subtle constraints and limitations: + + - The symmetric key distribution protocol (MIKEY-PS) is simple to + implement; however, it was not intended to scale to support any + configurations beyond peer-to-peer, simple one-to-many, and + small-size (interactive) groups, due to the need for mutually + pre-assigned shared master secrets. + + Moreover, the security provided does not achieve the property of + perfect forward secrecy; i.e., compromise of the shared master + secret would render past and even future session keys susceptible + to compromise. + + Further, the generation of the session key happens just at the + initiator. Thus, the responder has to fully trust the initiator + to choose a good and secure session secret; the responder is able + neither to participate in the key generation nor to influence that + process. This is considered a specific limitation in less trusted + environments. + + - The public-key encryption scheme (MIKEY-PK and MIKEY-RSA-R [33]) + depends upon a public-key infrastructure that certifies the + private-public keys by issuing and maintaining digital + certificates. While such key management schemes provide full + scalability in large networked configurations, public-key + infrastructures are still not widely available, and, in general, + implementations are significantly more complex. + + + + +Euchner Standards Track [Page 3] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + Further, additional roundtrips and computational processing might + be necessary for each end system in order to ascertain + verification of the digital certificates. For example, typical + operations in the context of a public-key infrastructure may + involve extra network communication handshakes with the public-key + infrastructure and with certification authorities and may + typically involve additional processing steps in the end systems. + These operations would include validating digital certificates + (RFC 3029, [24]), ascertaining the revocation status of digital + certificates (RFC 2560, [23]), asserting certificate policies, + construction of certification path(s) ([26]), requesting and + obtaining necessary certificates (RFC 2511, [25]), and management + of certificates for such purposes ([22]). Such steps and tasks + all result in further delay of the key agreement or key + establishment phase among the end systems, which negatively + affects setup time. Any extra PKI handshakes and processing are + not in the scope of MIKEY, and since this document only deploys + symmetric security mechanisms, aspects of PKI, digital + certificates, and related processing are not further covered in + this document. + + Finally, as in the symmetric case, the responder depends + completely upon the initiator's choosing good and secure session + keys. + + - The third MIKEY-DHSIGN key management protocol deploys the + Diffie-Hellman key agreement scheme and authenticates the exchange + of the Diffie-Hellman half-keys in each direction by using a + digital signature. This approach has the same advantages and + deficiencies as described in the previous section in terms of a + public-key infrastructure. + + However, the Diffie-Hellman key agreement protocol is known for + its subtle security strengths in that it is able to provide full + perfect forward secrecy (PFS) and further have to both parties + actively involved in session key generation. This special + security property (despite the somewhat higher computational + costs) makes Diffie-Hellman techniques attractive in practice. + + In order to overcome some of the limitations as outlined above, a + special need has been recognized for another efficient key agreement + protocol variant in MIKEY. This protocol variant aims to provide the + capability of perfect forward secrecy as part of a key agreement with + low latency without dependency on a public-key infrastructure. + + + + + + + +Euchner Standards Track [Page 4] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + This document describes a fourth lightweight key management scheme + for MIKEY that could somehow be seen as a synergetic optimization + between the pre-shared key distribution scheme and the Diffie-Hellman + key agreement. + + The idea of the protocol in this document is to apply the Diffie- + Hellman key agreement, but rather than deploy a digital signature for + authenticity of the exchanged keying material, it instead uses a + keyed-hash for symmetrically pre-assigned shared secrets. This + combination of security mechanisms is called the HMAC-authenticated + Diffie-Hellman (DH) key agreement for MIKEY (DHHMAC). + + The DHHMAC variant closely follows the design and philosophy of MIKEY + and reuses MIKEY protocol payload components and MIKEY mechanisms to + its maximum benefit and for best compatibility. + + Like the MIKEY Diffie-Hellman protocol, DHHMAC does not scale beyond + a point-to-point constellation; thus, both MIKEY Diffie-Hellman + protocols do not support group-based keying for any group size larger + than two entities. + +1.1. Definitions + + The definitions and notations in this document are aligned with + MIKEY; see [2] sections 1.3 - 1.4. + + All large integer computations in this document should be understood + as being mod p within some fixed group G for some large prime p; see + [2] section 3.3. However, the DHHMAC protocol is also applicable + generally to other appropriate finite, cyclical groups as well. + + It is assumed that a pre-shared key s is known by both entities + (initiator and responder). The authentication key auth_key is + derived from the pre-shared secret s using the pseudo-random function + PRF; see [2] sections 4.1.3 and 4.1.5. + + In this text, [X] represents an optional piece of information. + Generally throughout the text, X SHOULD be present unless certain + circumstances MAY allow X to be optional and not to be present, + thereby potentially resulting in weaker security. Likewise, [X, Y] + represents an optional compound piece of information where the pieces + X and Y either SHOULD both be present or MAY optionally both be + absent. {X} denotes zero or more occurrences of X. + + + + + + + + +Euchner Standards Track [Page 5] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + +1.2. Abbreviations + + auth_key Pre-shared authentication key, PRF-derived from + pre-shared key s. + DH Diffie-Hellman + DHi Public Diffie-Hellman half key g^(xi) of the + Initiator + DHr Public Diffie-Hellman half key g^(xr) of the + Responder + DHHMAC HMAC-authenticated Diffie-Hellman + DoS Denial-of-service + G Diffie-Hellman group + HDR MIKEY common header payload + HMAC Keyed Hash Message Authentication Code + HMAC-SHA1 HMAC using SHA1 as hash function (160-bit result) + IDi Identity of initiator + IDr Identity of receiver + IKE Internet Key Exchange + IPsec Internet Protocol Security + MIKEY Multimedia Internet KEYing + MIKEY-DHHMAC MIKEY Diffie-Hellman key management protocol using + HMAC + MIKEY-DHSIGN MIKEY Diffie-Hellman key agreement protocol + MIKEY-PK MIKEY public-key encryption-based key distribution + protocol + MIKEY-PS MIKEY pre-shared key distribution protocol + p Diffie-Hellman prime modulus + PKI Public-key Infrastructure + PRF MIKEY pseudo-random function (see [2] section + 4.1.3) + RSA Rivest, Shamir, and Adleman + s Pre-shared key + SDP Session Description Protocol + SOI Son-of-IKE, IKEv2 + SP MIKEY Security Policy (Parameter) Payload + T Timestamp + TEK Traffic Encryption Key + TGK MIKEY TEK Generation Key, as the common Diffie- + Hellman shared secret + TLS Transport Layer Security + xi Secret, (pseudo) random Diffie-Hellman key of the + Initiator + xr Secret, (pseudo) random Diffie-Hellman key of the + Responder + + + + + + + +Euchner Standards Track [Page 6] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + +1.3. Conventions Used in This Document + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [1]. + +2. Scenario + + The HMAC-authenticated Diffie-Hellman key agreement protocol (DHHMAC) + for MIKEY addresses the same scenarios and scope as the other three + key management schemes in MIKEY address. + + DHHMAC is applicable in a peer-to-peer group where no access to a + public-key infrastructure can be assumed to be available. Rather, + pre- shared master secrets are assumed to be available among the + entities in such an environment. + + In a pair-wise group, it is assumed that each client will be setting + up a session key for its outgoing links with its peer using the DH- + MAC key agreement protocol. + + As is the case for the other three MIKEY key management protocols, + DHHMAC assumes, at least, loosely synchronized clocks among the + entities in the small group. + + To synchronize the clocks in a secure manner, some operational or + procedural means are recommended. MIKEY-DHHMAC does not define any + secure time synchronization measures; however, sections 5.4 and 9.3 + of [2] provide implementation guidance on clock synchronization and + timestamps. + +2.1. Applicability + + MIKEY-DHHMAC and the other MIKEY key management protocols are + intended for application-level key management and are optimized for + multimedia applications with real-time session setup and session + management constraints. + + As the MIKEY-DHHMAC key management protocol terminates in one + roundtrip, DHHMAC is applicable for integration into two-way + handshake session or call signaling protocols such as + + a) SIP [13] and SDP, where the encoded MIKEY messages are + encapsulated and transported in SDP containers of the SDP + offer/answer see RFC 3264 [27]) handshake, as described in [4]; + and + + + + + +Euchner Standards Track [Page 7] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + b) H.323 (see [15]), where the encoded MIKEY messages are transported + in the H.225.0 fast start call signaling handshake. Appendix A + outlines the usage of MIKEY-DHHMAC within H.235. + + MIKEY-DHHMAC is offered as an option to the other MIKEY key + management variants (MIKEY-pre-shared, MIKEY-public-key and MIKEY- + DH-SIGN) for all those cases where DHHMAC has its particular + strengths (see section 5). + +2.2. Relation to GKMARCH + + The Group key management architecture (GKMARCH) [19] describes a + generic architecture for multicast security group key management + protocols. In the context of this architecture, MIKEY-DHHMAC may + operate as a registration protocol; see also [2] section 2.4. The + main entities involved in the architecture are a group controller/key + server (GCKS), the receiver(s), and the sender(s). Due to the pair- + wise nature of the Diffie-Hellman operation and the 1-roundtrip + constraint, usage of MIKEY-DHHMAC rules out any deployment as a group + key management protocol with more than two group entities. Only the + degenerate case with two peers is possible where, for example, the + responder acts as the group controller. + + Note that MIKEY does not provide re-keying in the GKMARCH sense, only + updating of the keys by normal unicast messages. + +3. DHHMAC Security Protocol + + The following figure defines the security protocol for DHHMAC: + + Initiator Responder + + I_message = HDR, T, RAND, [IDi], IDr, + {SP}, DHi, KEMAC + -----------------------> R_message = HDR, T, + [IDr], IDi, DHr, + DHi, KEMAC + <---------------------- + + + Figure 1: HMAC-authenticated Diffie-Hellman key-based exchange, + where xi and xr are (pseudo) randomly chosen, respectively, + by the initiator and the responder. + + The DHHMAC key exchange SHALL be done according to Figure 1. The + initiator chooses a (pseudo) random value, xi, and sends an HMACed + message including g^(xi) and a timestamp to the responder. It is + recommended that the initiator SHOULD always include the identity + + + +Euchner Standards Track [Page 8] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + payloads IDi and IDr within the I_message; unless the receiver can + defer the initiator's identity by some other means, IDi MAY + optionally be omitted. The initiator SHALL always include the + recipient's identity. + + The group parameters (e.g., the group G) are a set of parameters + chosen by the initiator. Note that like in the MIKEY protocol, both + sender and receiver explicitly transmit the Diffie-Hellman group G + within the Diffie-Hellman payload DHi or DHr through an encoding + (e.g., OAKLEY group numbering; see [2] section 6.4). The actual + group parameters g and p, however, are not explicitly transmitted but + can be deduced from the Diffie-Hellman group G. The responder + chooses a (pseudo) random positive integer, xr, and sends an HMACed + message including g^(xr) and the timestamp to the initiator. The + responder SHALL always include the initiator's identity IDi + regardless of whether the I_message conveyed any IDi. It is + RECOMMENDED that the responder SHOULD always include the identity + payload IDr within the R_message; unless the initiator can defer the + responder's identity by some other means, IDr MAY optionally be left + out. + + Both parties then calculate the TGK as g^(xi * xr). + + The HMAC authentication provides authentication of the DH half-keys + and is necessary to avoid man-in-the-middle attacks. + + This approach is less expensive than digitally signed Diffie-Hellman + in that both sides compute one exponentiation and one HMAC first, + then one HMAC verification, and finally another Diffie-Hellman + exponentiation. + + With off-line pre-computation, the initial Diffie-Hellman half-key + MAY be computed before the key management transaction and thereby MAY + further reduce the overall roundtrip delay, as well as the risk of + denial-of-service attacks. + + Processing of the TGK SHALL be accomplished as described in MIKEY [2] + section 4. + + The computed HMAC result SHALL be conveyed in the KEMAC payload field + where the MAC fields holds the HMAC result. The HMAC SHALL be + computed over the entire message, excluding the MAC field using + auth_key; see also section 4.2. + + + + + + + + +Euchner Standards Track [Page 9] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + +3.1. TGK Re-keying + + TGK re-keying for DHHMAC generally proceeds as described in [2] + section 4.5. Specifically, Figure 2 provides the message exchange + for the DHHMAC update message. + + Initiator Responder + + I_message = HDR, T, [IDi], IDr, + {SP}, [DHi], KEMAC + -----------------------> R_message = HDR, T, + [IDr], IDi, + [DHr, DHi], KEMAC + <---------------------- + + Figure 2: DHHMAC update message + + TGK re-keying supports two procedures: + + a) True re-keying by exchanging new and fresh Diffie-Hellman half- + keys. For this, the initiator SHALL provide a new, fresh DHi, and + the responder SHALL respond with a new, fresh DHr and the received + DHi. + + b) Non-key related information update without including any Diffie- + Hellman half-keys in the exchange. Such a transaction does not + change the actual TGK but updates other information such as + security policy parameters. To update the non-key related + information only, [DHi] and [DHr, DHi] SHALL be left out. + +4. DHHMAC Payload Formats + + This section specifies the payload formats and data type values for + DHHMAC; see also [2] section 6, for a definition of the MIKEY + payloads. + + + This document does not define new payload formats but re-uses MIKEY + payloads for DHHMAC as referenced: + + * Common header payload (HDR); see section 4.1 and [2] section 6.1. + + * SRTP ID sub-payload; see [2] section 6.1.1. + + * Key data transport payload (KEMAC); see section 4.2 and [2] section + 6.2. + + * DH data payload; see [2] section 6.4. + + + +Euchner Standards Track [Page 10] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + * Timestamp payload; see [2] section 6.6. + + * ID payload; [2] section 6.7. + + * Security Policy payload (SP); see [2] section 6.10. + + * RAND payload (RAND); see [2] section 6.11. + + * Error payload (ERR); see [2] section 6.12. + + * General Extension Payload; see [2] section 6.15. + +4.1. Common Header Payload (HDR) + + Referring to [2] section 6.1, the following data types SHALL be used + for DHHMAC: + + Data type | Value | Comment + ------------------------------------------------------------- + DHHMAC init | 7 | Initiator's DHHMAC exchange message + DHHMAC resp | 8 | Responder's DHHMAC exchange message + Error | 6 | Error message; see [2] section 6.12 + + Table 4.1.a + + Note: A responder is able to recognize the MIKEY DHHMAC protocol by + evaluating the data type field as 7 or 8. This is how the responder + can differentiate between MIKEY and MIKEY DHHMAC. + + The next payload field SHALL be one of the following values: + + Next payload| Value | Section + ---------------------------------------------------------------- + Last payload| 0 | - + KEMAC | 1 | section 4.2 and [2] section 6.2 + DH | 3 | [2] section 6.4 + T | 5 | [2] section 6.6 + ID | 6 | [2] section 6.7 + SP | 10 | [2] section 6.10 + RAND | 11 | [2] section 6.11 + ERR | 12 | [2] section 6.12 + General Ext.| 21 | [2] section 6.15 + + Table 4.1.b + + Other defined next payload values defined in [2] SHALL not be applied + to DHHMAC. + + + + +Euchner Standards Track [Page 11] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + In case of a decoding error or of a failed HMAC authentication + verification, the responder SHALL apply the Error payload data type. + +4.2. Key Data Transport Payload (KEMAC) + + DHHMAC SHALL apply this payload for conveying the HMAC result along + with the indicated authentication algorithm. When used in + conjunction with DHHMAC, KEMAC SHALL not convey any encrypted data; + thus, Encr alg SHALL be set to 2 (NULL), Encr data len SHALL be set + to 0, and Encr data SHALL be left empty. The AES key wrap method + (see [16]) SHALL not be applied for DHHMAC. + + For DHHMAC, this key data transport payload SHALL be the last payload + in the message. Note that the Next payload field SHALL be set to + Last payload. The HMAC is then calculated over the entire MIKEY + message, excluding the MAC field using auth_key as described in [2] + section 5.2, and then stored within the MAC field. + + MAC alg | Value | Comments + ------------------------------------------------------------------ + HMAC-SHA-1 | 0 | Mandatory, Default (see [3]) + NULL | 1 | Very restricted use; see + | [2] section 4.2.4 + + Table 4.2.a + + HMAC-SHA-1 is the default hash function that MUST be implemented as + part of the DHHMAC. The length of the HMAC-SHA-1 result is 160 bits. + +4.3. ID Payload (ID) + + For DHHMAC, this payload SHALL only hold a non-certificate-based + identity. + +4.4. General Extension Payload + + For DHHMAC, to avoid bidding-down attacks, this payload SHALL list + all key management protocol identifiers of a surrounding + encapsulation protocol, such as SDP [4]. The General Extension + Payload SHALL be integrity protected with the HMAC using the shared + secret. + + Type | Value | Comments + SDP IDs | 1 | List of SDP key management IDs (allocated for + use in [4]); see also [2] section 6.15. + + Table 4.4.a + + + + +Euchner Standards Track [Page 12] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + +5. Security Considerations + + This document addresses key management security issues throughout. + For a comprehensive explanation of MIKEY security considerations, + please refer to MIKEY [2] section 9. + + In addition, this document addresses security issues according to + [7], where the following security considerations apply in particular + to this document: + +5.1. Security Environment + + The DHHMAC security protocol described in this document focuses + primarily on communication security; i.e., the security issues + concerned with the MIKEY DHHMAC protocol. Nevertheless, some system + security issues are also of interest that are not explicitly defined + by the DHHMAC protocol, but that should be provided locally in + practice. + + The system that runs the DHHMAC protocol entity SHALL provide the + capability to generate (pseudo) random numbers as input to the + Diffie-Hellman operation (see [8]). Furthermore, the system SHALL be + capable of storing the generated (pseudo) random data, secret data, + keys, and other secret security parameters securely (i.e., + confidential and safe from unauthorized tampering). + +5.2. Threat Model + + The threat model, to which this document adheres, covers the issues + of end-to-end security in the Internet generally, without ruling out + the possibility that MIKEY DHHMAC can be deployed in a corporate, + closed IP environment. This also includes the possibility that MIKEY + DHHMAC can be deployed on a hop-by-hop basis with some intermediate + trusted "MIKEY DHHMAC proxies" involved. + + Since DHHMAC is a key management protocol, the following security + threats are of concern: + + * Unauthorized interception of plain TGKs: For DHHMAC, this threat + does not occur since the TGK is not actually transmitted on the + wire (not even in encrypted fashion). + + * Eavesdropping of other, transmitted keying information: DHHMAC + protocol does not explicitly transmit the TGK at all. Instead, by + using the Diffie-Hellman "encryption" operation, which conceals the + secret (pseudo) random values, only partial information (i.e., the + DH half-key) for construction of the TGK is transmitted. It is + fundamentally assumed that availability of such Diffie-Hellman + + + +Euchner Standards Track [Page 13] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + half-keys to an eavesdropper does not result in any substantial + security risk; see 5.4. Furthermore, the DHHMAC carries other data + such as timestamps, (pseudo) random values, identification + information or security policy parameters; eavesdropping of any + such data is not considered to yield any significant security risk. + + * Masquerade of either entity: This security threat must be avoided, + and if a masquerade attack would be attempted, appropriate + detection means must be in place. DHHMAC addresses this threat by + providing mutual peer entity authentication. + + * Man-in-the-middle attacks: Such attacks threaten the security of + exchanged, non-authenticated messages. Man-in-the-middle attacks + usually come with masquerade and or loss of message integrity (see + below). Man-in-the-middle attacks must be avoided and, if present + or attempted, must be detected appropriately. DHHMAC addresses + this threat by providing mutual peer entity authentication and + message integrity. + + * Loss of integrity: This security threat relates to unauthorized + replay, deletion, insertion, and manipulation of messages. + Although any such attacks cannot be avoided, they must at least be + detected. DHHMAC addresses this threat by providing message + integrity. + + * Bidding-down attacks: When multiple key management protocols, each + of a distinct security level, are offered (such as those made + possible by SDP [4]), avoiding bidding-down attacks is of concern. + DHHMAC addresses this threat by reusing the MIKEY General Extension + Payload mechanism, where all key management protocol identifiers + are to be listed within the MIKEY General Extension Payload. + + Some potential threats are not within the scope of this threat model: + + * Passive and off-line cryptanalysis of the Diffie-Hellman algorithm: + Under certain reasonable assumptions (see 5.4, below), it is widely + believed that DHHMAC is sufficiently secure and that such attacks + are infeasible, although the possibility of a successful attack + cannot be ruled out. + + * Non-repudiation of the receipt or of the origin of the message: + These are not requirements within the context of DHHMAC in this + environment, and thus related countermeasures are not provided at + all. + + + + + + + +Euchner Standards Track [Page 14] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + * Denial-of-service or distributed denial-of-service attacks: Some + considerations are given on some of those attacks, but DHHMAC does + not claim to provide full countermeasure against any of those + attacks. For example, stressing the availability of the entities + is not thwarted by means of the key management protocol; some other + local countermeasures should be applied. Further, some DoS attacks + are not countered, such as interception of a valid DH- request and + its massive instant duplication. Such attacks might at least be + countered partially by some local means that are outside the scope + of this document. + + * Identity protection: Like MIKEY, identity protection is not a major + design requirement for MIKEY-DHHMAC, either; see [2]. No security + protocol is known so far that is able to provide the objectives of + DHHMAC as stated in section 5.3, including identity protection + within just a single roundtrip. MIKEY-DHHMAC trades identity + protection for better security for the keying material and shorter + roundtrip time. Thus, MIKEY-DHHMAC does not provide identity + protection on its own but may inherit such property from a security + protocol underneath that actually features identity protection. + + The DHHMAC security protocol (see section 3) and the TGK re-keying + security protocol (see section 3.1) provide the option not to + supply identity information. This option is only applicable if + some other means are available to supply trustworthy identity + information; e.g., by relying on secured links underneath MIKEY + that supply trustworthy identity information some other way. + However, it is understood that without identity information, the + MIKEY key management security protocols might be subject to + security weaknesses such as masquerade, impersonation, and + reflection attacks, particularly in end-to-end scenarios where no + other secure means of assured identity information are provided. + + Leaving identity fields optional (if doing so is possible) thus + should not be seen as a privacy method, either, but rather as a + protocol optimization feature. + +5.3. Security Features and Properties + + With the security threats in mind, this document provides the + following security features and yields the following properties: + + * Secure key agreement with the establishment of a TGK at both peers: + This is achieved using an authenticated Diffie-Hellman key + management protocol. + + + + + + +Euchner Standards Track [Page 15] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + * Peer-entity authentication (mutual): This authentication + corroborates that the host/user is authentic in that possession of + a pre-assigned secret key is proven using keyed HMAC. + Authentication occurs on the request and on the response message; + thus authentication is mutual. + + The HMAC computation corroborates for authentication and message + integrity of the exchanged Diffie-Hellman half-keys and associated + messages. The authentication is absolutely necessary in order to + avoid man-in-the-middle attacks on the exchanged messages in + transit and, in particular, on the otherwise non-authenticated + exchanged Diffie-Hellman half-keys. + + Note: This document does not address issues regarding + authorization; this feature is not provided explicitly. However, + DHHMAC authentication means support and facilitate realization of + authorization means (local issue). + + * Cryptographic integrity check: The cryptographic integrity check is + achieved using a message digest (keyed HMAC). It includes the + exchanged Diffie-Hellman half-keys but covers the other parts of + the exchanged message as well. Both mutual peer entity + authentication and message integrity provide effective + countermeasures against man-in-the-middle attacks. + + The initiator may deploy a local timer that fires when the awaited + response message did not arrive in a timely manner. This is + intended to detect deletion of entire messages. + + * Replay protection of the messages is achieved using embedded + timestamps: In order to detect replayed messages, it is essential + that the clocks among initiator and sender be roughly synchronized. + The reader is referred to [2] section 5.4, and [2] section 9.3, + which provide further considerations and give guidance on clock + synchronization and timestamp usage. Should the clock + synchronization be lost, end systems cannot detect replayed + messages anymore, and the end systems cannot securely establish + keying material. This may result in a denial-of-service; see [2] + section 9.5. + + * Limited DoS protection: Rapid checking of the message digest allows + verifying the authenticity and integrity of a message before + launching CPU intensive Diffie-Hellman operations or starting other + resource consuming tasks. This protects against some denial-of- + service attacks: malicious modification of messages and spam + attacks with (replayed or masqueraded) messages. DHHMAC probably + does not explicitly counter sophisticated distributed, large-scale + denial-of-service attacks that compromise system availability, for + + + +Euchner Standards Track [Page 16] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + example. Some DoS protection is provided by inclusion of the + initiator's identity payload in the I_message. This allows the + recipient to filter out those (replayed) I_messages that are not + targeted for him and to avoid creating unnecessary MIKEY sessions. + + * Perfect-forward secrecy (PFS): Other than the MIKEY pre-shared and + public-key-based key distribution protocols, the Diffie-Hellman key + agreement protocol features a security property called perfect + forward secrecy. That is, even if the long-term pre-shared key is + compromised at some point in time, this does not compromise past or + future session keys. + + Neither the MIKEY pre-shared nor the MIKEY public-key protocol + variants are able to provide the security property of perfect- + forward secrecy. Thus, none of the other MIKEY protocols is able + to substitute the Diffie-Hellman PFS property. + + As such, DHHMAC and digitally signed DH provide a far superior + security level to that of the pre-shared or public-key-based key + distribution protocol in that respect. + + * Fair, mutual key contribution: The Diffie-Hellman key management + protocol is not a strict key distribution protocol per se, in which + the initiator distributes a key to its peers. Actually, both + parties involved in the protocol exchange are able to contribute to + the common Diffie-Hellman TEK traffic generating key equally. This + reduces the risk of either party cheating or unintentionally + generating a weak session key. This makes the DHHMAC a fair key + agreement protocol. One may view this property as an additional + distributed security measure that increases security robustness + over that of the case where all the security depends just on the + proper implementation of a single entity. + + For Diffie-Hellman key agreement to be secure, each party SHALL + generate its xi or xr values using a strong, unpredictable pseudo- + random generator if a source of true randomness is not available. + Further, these values xi or xr SHALL be kept private. It is + RECOMMENDED that these secret values be destroyed once the common + Diffie-Hellman shared secret key has been established. + + * Efficiency and performance: Like the MIKEY-public key protocol, the + MIKEY DHHMAC key agreement protocol securely establishes a TGK + within just one roundtrip. Other existing key management + techniques, such as IPsec-IKE [12], IPsec-IKEv2 [14], TLS [11], and + other schemes, are not deemed adequate in addressing those real- + time and security requirements sufficiently; they all use more than + a single roundtrip. All the MIKEY key management protocols are + able to complete their task of security policy parameter + + + +Euchner Standards Track [Page 17] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + negotiation, including key-agreement or key distribution, in one + roundtrip. However, the MIKEY pre-shared and MIKEY public-key + protocol are both able to complete their task even in a half- + roundtrip when the confirmation messages are omitted. + + Using HMAC in conjunction with a strong one-way hash function (such + as SHA1) may be achieved more efficiently in software than + expensive public-key operations. This yields a particular + performance benefit of DHHMAC over signed DH or the public-key + encryption protocol. + + If a very high security level is desired for long-term secrecy of + the negotiated Diffie-Hellman shared secret, longer hash values may + be deployed, such as SHA256, SHA384, or SHA512 provide, possibly in + conjunction with stronger Diffie-Hellman groups. This is left as + for further study. + + For the sake of improved performance and reduced roundtrip delay, + either party may pre-compute its public Diffie-Hellman half-key + off-line. + + On the other side and under reasonable conditions, DHHMAC consumes + more CPU cycles than the MIKEY pre-shared key distribution + protocol. The same might hold true quite likely for the MIKEY + public-key distribution protocol (depending on choice of the + private and public key lengths). As such, it can be said that + DHHMAC provides sound performance when compared with the other + MIKEY protocol variants. + + The use of optional identity information (with the constraints + stated in section 5.2) and optional Diffie-Hellman half-key fields + provides a means to increase performance and shorten the consumed + network bandwidth. + + * Security infrastructure: This document describes the HMAC- + authenticated Diffie-Hellman key agreement protocol, which + completely avoids digital signatures and the associated public-key + infrastructure, as would be necessary for the X.509 RSA public- + key-based key distribution protocol or the digitally signed + Diffie-Hellman key agreement protocol as described in MIKEY. + Public-key infrastructures may not always be available in certain + environments, nor may they be deemed adequate for real-time + multimedia applications when additional steps are taken for + certificate validation and certificate revocation methods with + additional roundtrips into account. + + + + + + +Euchner Standards Track [Page 18] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + DHHMAC does not depend on PKI, nor do implementations require PKI + standards. Thus, it is believed to be much simpler than the more + complex PKI facilities. + + DHHMAC is particularly attractive in those environments where + provisioning of a pre-shared key has already been accomplished. + + * NAT-friendliness: DHHMAC is able to operate smoothly through + firewall/NAT devices as long as the protected identity information + of the end entity is not an IP/transport address. + + * Scalability: Like the MIKEY signed Diffie-Hellman protocol, DHHMAC + does not scale to any larger configurations beyond peer-to-peer + groups. + +5.4. Assumptions + + This document states a couple of assumptions upon which the security + of DHHMAC significantly depends. The following conditions are + assumed: + + * The parameters xi, xr, s, and auth_key are to be kept secret. + + * The pre-shared key s has sufficient entropy and cannot be + effectively guessed. + + * The pseudo-random function (PRF) is secure, yields the pseudo- + random property, and maintains the entropy. + + * A sufficiently large and secure Diffie-Hellman group is applied. + + * The Diffie-Hellman assumption holds saying basically that even with + knowledge of the exchanged Diffie-Hellman half-keys and knowledge + of the Diffie-Hellman group, it is infeasible to compute the TGK or + to derive the secret parameters xi or xr. The latter is also + called the discrete logarithm assumption. Please see [6], [9], or + [10] for more background information regarding the Diffie-Hellman + problem and its computational complexity assumptions. + + * The hash function (SHA1) is secure; i.e., it is computationally + infeasible to find a message that corresponds to a given message + digest, or to find two different messages that produce the same + message digest. + + * The HMAC algorithm is secure and does not leak the auth_key. In + particular, the security depends on the message authentication + property of the compression function of the hash function H when it + is applied to single blocks (see [5]). + + + +Euchner Standards Track [Page 19] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + * A source capable of producing sufficiently many bits of (pseudo) + randomness is available. + + * The system upon which DHHMAC runs is sufficiently secure. + +5.5. Residual Risk + + Although these detailed assumptions are non-negligible, security + experts generally believe that all these assumptions are reasonable + and that the assumptions made can be fulfilled in practice with + little or no expenses. + + The mathematical and cryptographic assumptions of the properties of + the PRF, the Diffie-Hellman algorithm (discrete log-assumption), the + HMAC algorithm, and the SHA1 algorithms have been neither proven nor + disproven at this time. + + Thus, a certain residual risk remains, which might threaten the + overall security at some unforeseeable time in the future. + + The DHHMAC would be compromised as soon as any of the listed + assumptions no longer hold. + + The Diffie-Hellman mechanism is a generic security technique that is + not only applicable to groups of prime order or of characteristic + two. This is because of the fundamental mathematical assumption that + the discrete logarithm problem is also a very hard one in general + groups. This enables Diffie-Hellman to be deployed also for GF(p)*, + for sub-groups of sufficient size, and for groups upon elliptic + curves. RSA does not allow such generalization, as the core + mathematical problem is a different one (large integer + factorization). + + RSA asymmetric keys tend to become increasingly lengthy (1536 bits + and more) and thus very computationally intensive. Nevertheless, + Elliptic Curve Diffie-Hellman (ECDH) allows key lengths to be cut + down substantially (say 170 bits or more) while maintaining at least + the security level and providing even more significant performance + benefits in practice. Moreover, it is believed that elliptic-curve + techniques provide much better protection against side channel + attacks due to the inherent redundancy in the projective coordinates. + For all these reasons, one may view elliptic-curve-based Diffie- + Hellman as being more "future-proof" and robust against potential + threats than RSA is. Note that Elliptic Curve Diffie-Hellman + variants of MIKEY are defined in [31]. + + + + + + +Euchner Standards Track [Page 20] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + HMAC-SHA1 is a key security mechanism within DHHMAC on which the + overall security of MIKEY DHHMAC depends. MIKEY DHHMAC uses HMAC- + SHA1 in combination with the classic Diffie-Hellman key agreement + scheme. HMAC-SHA1 is a keyed one-way hash function that involves a + secret in its computation. DHHMAC applies HMAC-SHA1 for protection + of the MIKEY payload. Likewise, the pseudo-random function PRF + within MIKEY [2] uses the HMAC-SHA1 mechanism as a key derivation + function. While certain attacks have been reported against SHA1 and + MD5 (see [29]), with current knowledge (see [29], [30]), no attacks + have been reported against the HMAC-SHA1 security mechanism. In + fact, [32] proves that HMAC possesses the property of a pseudo-random + function PRF assuming solely that the (SHA1) hash function is a + pseudo-random function. [32] also provides evidence that HMAC is + robust against collision attacks on the underlying hash function. It + is believed that MIKEY DHHMAC should be considered secure enough for + the time being. Thus, there is no need to change the underlying + security mechanism within the MIKEY DHHMAC protocol. + + It is not recommended to deploy DHHMAC for any other use than that + depicted in section 2. Any misapplication might lead to unknown, + undefined properties. + +5.6. Authorization and Trust Model + + Basically, similar remarks on authorization as those stated in [2] + section 4.3.2 hold also for DHHMAC. However, as noted before, this + key management protocol does not serve full groups. + + One may view the pre-established shared secret as yielding some pre- + established trust relationship between the initiator and the + responder. This results in a much simpler trust model for DHHMAC + than would be the case for some generic group key management protocol + and potential group entities without any pre-defined trust + relationship. In conjunction with the assumption of a shared key, + the common group controller simplifies the communication setup of the + entities. + + One may view the pre-established trust relationship through the pre- + shared secret as some means for pre-granted, implied authorization. + This document does not define any particular authorization means but + leaves this subject to the application. + +6. Acknowledgments + + This document incorporates kindly, valuable review feedback from + Steffen Fries, Hannes Tschofenig, Fredrick Lindholm, Mary Barnes, and + Russell Housley and general feedback by the MSEC WG. + + + + +Euchner Standards Track [Page 21] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + +7. IANA Considerations + + This document does not define its own new name spaces for DHHMAC, + beyond the IANA name spaces that have been assigned for MIKEY; see + [2] sections 10 and 10.1 and IANA MIKEY payload name spaces [37]. + + In order to align Table 4.1.a with Table 6.1.a in [2], IANA is + requested to add the following entries to their MIKEY Payload Name + Space: + + Data Type Value Reference + --------------- ----- --------- + DHHMAC init 7 RFC 4650 + DHHMAC resp 8 RFC 4650 + +8. References + +8.1. Normative References + + [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [2] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. + Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, August + 2004. + + [3] NIST, FIBS-PUB 180-2, "Secure Hash Standard", April 1995, + http://csrc.nist.gov/publications/fips/fips180-2/ + fips180-2withchangenotice.pdf. + + [4] Arkko, J., Lindholm, F., Naslund, M., Norrman, K., and E. + Carrara, "Key Management Extensions for Session Description + Protocol (SDP) and Real Time Streaming Protocol (RTSP)", RFC + 4567, July 2006. + + [5] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing + for Message Authentication", RFC 2104, February 1997. + +8.2. Informative References + + [6] A.J. Menezes, P. van Oorschot, S. A. Vanstone: "Handbook of + Applied Cryptography", CRC Press 1996. + + [7] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on + Security Considerations", BCP 72, RFC 3552, July 2003. + + [8] Eastlake 3rd, D., Crocker, S., and J. Schiller, "Randomness + Recommendations for Security", RFC 1750, December 1994. + + + +Euchner Standards Track [Page 22] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + [9] Ueli M. Maurer, S. Wolf: "The Diffie-Hellman Protocol", + Designs, Codes, and Cryptography, Special Issue Public Key + Cryptography, Kluwer Academic Publishers, vol. 19, pp. 147-171, + 2000. + ftp://ftp.inf.ethz.ch/pub/crypto/publications/MauWol00c.ps. + + [10] Discrete Logarithms and the Diffie-Hellman Protocol, + http://www.crypto.ethz.ch/research/ntc/dldh/. + + [11] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) + Protocol Version 1.1", RFC 4346, April 2006. + + [12] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", + RFC 2409, November 1998. + + [13] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., + Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: + Session Initiation Protocol", RFC 3261, June 2002. + + [14] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC + 4306, December 2005. + + [15] ITU-T Recommendation H.235.7: " H.323 Security framework: Usage + of the MIKEY Key Management Protocol for the Secure Real Time + Transport Protocol (SRTP) within H.235"; 9/2005. + + [16] Schaad, J. and R. Housley, "Advanced Encryption Standard (AES) + Key Wrap Algorithm", RFC 3394, September 2002. + + [17] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The Group + Domain of Interpretation", RFC 3547, July 2003. + + [18] Harney, H., Meth, U., Colegrove, A., and G. Gross, "GSAKMP: + Group Secure Association Key Management Protocol", RFC 4535, + June 2006. + + [19] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, + "Multicast Security (MSEC) Group Key Management Architecture", + RFC 4046, April 2005. + + [20] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. + Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC + 3711, March 2004. + + [21] ITU-T Recommendation H.235.0, " H.323 Security framework: + Security framework for H-series (H.323 and other H.245 based) + multimedia systems", (09/2005). + + + + +Euchner Standards Track [Page 23] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + [22] Adams, C., Farrell, S., Kause, T., and T. Mononen, "Internet + X.509 Public Key Infrastructure Certificate Management Protocol + (CMP)", RFC 4210, September 2005. + + [23] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. Adams, + "X.509 Internet Public Key Infrastructure Online Certificate + Status Protocol - OCSP", RFC 2560, June 1999. + + [24] Adams, C., Sylvester, P., Zolotarev, M., and R. Zuccherato, + "Internet X.509 Public Key Infrastructure Data Validation and + Certification Server Protocols", RFC 3029, February 2001. + + [25] Schaad, J., "Internet X.509 Public Key Infrastructure + Certificate Request Message Format (CRMF)", RFC 4211, September + 2005. + + [26] Cooper, M., Dzambasow, Y., Hesse, P., Joseph, S., and R. + Nicholas, "Internet X.509 Public Key Infrastructure: + Certification Path Building", RFC 4158, September 2005. + + [27] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model with + Session Description Protocol (SDP)", RFC 3264, June 2002. + + [37] IANA MIKEY Payload Name Spaces per RFC 3830, see + http://www.iana.org/assignments/mikey-payloads. + + [29] Hoffman, P. and B. Schneier, "Attacks on Cryptographic Hashes + in Internet Protocols", RFC 4270, November 2005. + + [30] Bellovin, S.M. and E.K. Rescorla: "Deploying a New Hash + Algorithm", October 2005, + http://www.cs.columbia.edu/~smb/papers/new-hash.pdf. + + [31] Milne, A., Blaser, M., Brown, D., and L. Dondetti, "ECC + Algorithms For MIKEY", Work in Progress, June 2005. + + [32] Bellare, M.: "New Proofs for NMAC and HMAC: Security Without + Collision-Resistance", http://eprint.iacr.org/2006/043.pdf, + November 2005. + + [33] Ignjatic, D., Dondeti, L., Audet, F., and P. Lin, "An + additional mode of key Distribution in MIKEY: MIKEY-RSA-R", + Work in Progress, August 2006. + + + + + + + + +Euchner Standards Track [Page 24] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + +Appendix A. Usage of MIKEY-DHHMAC in H.235 + + This appendix provides informative overview how MIKEY-DHHMAC can be + applied in some H.323-based multimedia environments. Generally, + MIKEY is applicable for multimedia applications including IP + telephony. [15] describes various use cases of the MIKEY key + management protocols (MIKEY-PS, MIKEY-PK, MIKEY-DHSIGN and MIKEY- + DHHMAC) with the purpose to establish TGK keying material among H.323 + endpoints. The TGKs are then used for media encryption by applying + SRTP [20]. Addressed scenarios include point-to-point with one or + more intermediate gatekeepers (trusted or partially trusted) in + between. + + One particular use case addresses MIKEY-DHHMAC to establish a media + connection from an endpoint B calling (through a gatekeeper) to + another endpoint A that is located within that same gatekeeper zone. + While EP-A and EP-B typically do not share any auth_key a priori, + some separate protocol exchange means are achieved outside the actual + call setup procedure to establish an auth_key for the time while + endpoints are being registered with the gatekeeper; such protocols + exist [15] but are not shown in this document. The auth_key between + the endpoints is being used to authenticate and integrity protect the + MIKEY-DHHMAC messages. + + To establish a call, it is assumed that endpoint B has obtained + permission from the gatekeeper (not shown). Endpoint B as the caller + builds the MIKEY-DHHMAC I_message (see section 3) and sends the + I_message encapsulated within the H.323-SETUP to endpoint A. A + routing gatekeeper (GK) would forward this message to endpoint B; in + case of a non-routing gatekeeper, endpoint B sends the SETUP directly + to endpoint A. In either case, H.323 inherent security mechanisms + [21] are applied to protect the (encapsulation) message during + transfer. This is not depicted here. The receiving endpoint A is + able to verify the conveyed I_message and can compute a TGK. + Assuming that endpoint A would accept the call, EP-A then builds the + MIKEY-DHHMAC R_message and sends the response as part of the + CallProceeding-to-Connect message back to the calling endpoint B + (possibly through a routing gatekeeper). Endpoint B processes the + conveyed R_message to compute the same TGK as the called endpoint A. + + 1.) EP-B -> (GK) -> EP-A: SETUP(I_fwd_message [, I_rev_message]) + 2.) EP-A -> (GK) -> EP-B: CallProceeding-to-CONNECT(R_fwd_message + [, R_rev_message]) + + Notes: If it is necessary to establish directional TGKs for full- + duplex links in both directions B->A and A->B, then the + calling endpoint B instantiates the DHHMAC protocol twice: + once in the direction B->A using I_fwd_message and another run + + + +Euchner Standards Track [Page 25] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + + in parallel in the direction A->B using I_rev_message. In + that case, two MIKEY-DHHMAC I_messages are encapsulated within + SETUP (I_fwd_message and I_rev_message) and two MIKEY-DHHMAC + R_messages (R_fwd_message and R_rev_message) are encapsulated + within CallProceeding-to-CONNECT. The I_rev_message + corresponds with the I_fwd_message. Alternatively, the called + endpoint A may instantiate the DHHMAC protocol in a separate + run with endpoint B (not shown); however, this requires a + third handshake to complete. + + For more details on how the MIKEY protocols may be deployed + with H.235, please refer to [15]. + +Author's Address + + Martin Euchner + Hofmannstr. 51 + 81359 Munich, Germany + + Phone: +49 89 722 55790 + Fax: +49 89 722 62366 + EMail: martin_euchner@hotmail.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Euchner Standards Track [Page 26] + +RFC 4650 HMAC-Authenticated Diffie-Hellman for MIKEY September 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Euchner Standards Track [Page 27] + -- cgit v1.2.3