1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
|
Internet Engineering Task Force (IETF) S. Shen
Request for Comments: 5930 Huawei
Category: Informational Y. Mao
ISSN: 2070-1721 Hangzhou H3C Tech. Co., Ltd.
NSS. Murthy
Freescale Semiconductor
July 2010
Using Advanced Encryption Standard Counter Mode (AES-CTR)
with the Internet Key Exchange version 02 (IKEv2) Protocol
Abstract
This document describes the usage of Advanced Encryption Standard
Counter Mode (AES-CTR), with an explicit Initialization Vector, by
the Internet Key Exchange version 2 (IKEv2) protocol, for encrypting
the IKEv2 exchanges that follow the IKE_SA_INIT exchange.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc5930.
Shen, et al. Informational [Page 1]
^L
RFC 5930 AES-CTR for IKEv2 July 2010
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................2
1.1. Conventions Used in This Document ..........................3
2. IKEv2 Encrypted Payload .........................................3
3. IKEv2 Conventions ...............................................4
4. Security Considerations .........................................4
5. IANA Considerations .............................................4
6. Acknowledgments .................................................4
7. References ......................................................5
7.1. Normative References .......................................5
7.2. Informative References .....................................5
1. Introduction
The Internet Key Exchange version 2 (IKEv2) protocol [RFC4306] is a
component of IPsec used for performing mutual authentication and
establishing and maintaining security associations (SAs). [RFC4307]
defines the set of algorithms that are mandatory to implement as part
of IKEv2, as well as algorithms that should be implemented because
they may be promoted to mandatory at some future time. [RFC4307]
requires that an implementation "SHOULD" support Advanced Encryption
Standard [AES] Counter Mode [MODES] (AES-CTR) as a Transform Type 1
algorithm (encryption).
Although [RFC4307] specifies that the AES-CTR encryption algorithm
feature SHOULD be supported by IKEv2, no existing document specifies
how IKEv2 can support the feature. This document provides the
specification and usage of AES-CTR Counter Mode by IKEv2.
Implementers need to carefully consider the use of AES-CTR over the
mandatory-to-implement algorithms in [RFC4307], because the
performance improvements of AES-CTR are minimal in the context of
Shen, et al. Informational [Page 2]
^L
RFC 5930 AES-CTR for IKEv2 July 2010
IKEv2. Furthermore, these performance improvements may be offset by
the Counter Mode specific risk of a minor, hard-to-detect
implementation issue resulting in total security failure.
1.1. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. IKEv2 Encrypted Payload
Section 3.14 of IKEv2 [RFC4306] explains the IKEv2 Encrypted Payload.
The Encrypted Payload, denoted SK{...}, contains other IKEv2 payloads
in encrypted form.
The payload includes an Initialization Vector (IV) whose length is
defined by the encryption algorithm negotiated. It also includes
Integrity Checksum data. These two fields are not encrypted.
The IV field MUST be 8 octets when the AES-CTR algorithm is used for
IKEv2 encryption. The requirements for this IV are the same as what
is specified for the Encapsulating Security Payload (ESP) in
Section 3.1 of [RFC3686].
IKEv2 requires Integrity Check Data for the Encrypted Payload as
described in Section 3.14 of [RFC4306]. The choice of integrity
algorithms in IKEv2 is defined in [RFC4307] or documents that update
it in the future.
When AES-CTR is used in IKEv2, no padding is required. The Padding
field of the Encrypted Payload SHOULD be empty, and the Pad Length
field SHOULD be zero. However, according to [RFC4306], the recipient
MUST accept any length that results in proper alignment. It should
be noted that the ESP [RFC4303] Encrypted Payload requires alignment
on a 4-byte boundary while the IKEv2 [RFC4306] Encrypted Payload does
not have such a requirement.
The Encrypted Payload is the XOR of the plaintext and key stream.
The key stream is generated by inputting counter blocks into the AES
algorithm. The AES counter block is 128 bits, including a 4-octet
Nonce, 8-octet Initialization Vector, and 4-octet Block Counter, in
that order. The Block Counter begins with the value of one and
increments by one to generate the next portion of the key stream.
The detailed requirements for the counter block are the same as those
specified in Section 4 of [RFC3686].
Shen, et al. Informational [Page 3]
^L
RFC 5930 AES-CTR for IKEv2 July 2010
3. IKEv2 Conventions
The use of AES-CTR for the IKE SA is negotiated in the same way as
AES-CTR for ESP. The Transform ID (ENCR_AES_CTR) is the same; the
key length transform attribute is used in the same way; and the
keying material (consisting of the actual key and the nonce) is
derived in the same way. See Section 5 of [RFC3686] for detailed
descriptions.
4. Security Considerations
Security considerations explained in Section 7 of [RFC3686] are
entirely relevant to this document as well. The security
considerations on fresh keys and integrity protection in Section 7 of
[RFC3686] are totally applicable to using AES-CTR in IKEv2; see
[RFC3686] for details. As static keys are never used in IKEv2 for
IKE_SA and integrity protection is mandatory for IKE_SA, these issues
are not applicable for AES-CTR in IKEv2 when protecting IKE_SA.
Additionally, since AES has a 128-bit block size, regardless of the
mode employed, the ciphertext generated by AES encryption becomes
distinguishable from random values after 2^64 blocks are encrypted
with a single key. Since IKEv2 SA cannot carry that much data
(because of the size limit of the message ID of the IKEv2 message and
the requirements for the message ID in Section 4 of [RFC4306]), this
issue is not a concern here.
For generic attacks on AES, such as brute force or precalculations,
the key-size requirements provide reasonable security
[Recommendations].
5. IANA Considerations
IANA [IANA-Para] has assigned an Encryption Algorithm Transform ID
for AES-CTR encryption with an explicit IV for IKEv2: 13 as the
number, and ENCR_AES_CTR as the name. IANA has added a reference to
this RFC in that entry.
6. Acknowledgments
The authors thank Yaron Sheffer, Paul Hoffman, Tero Kivinen, and
Alfred Hoenes for their direction and comments on this document.
This document specifies usage of AES-CTR with IKEv2, similar to usage
of AES-CTR with ESP as specified in [RFC3686]. The reader is
referred to [RFC3686] for the same descriptions and definitions. The
authors thank Russ Housley for providing the document.
Shen, et al. Informational [Page 4]
^L
RFC 5930 AES-CTR for IKEv2 July 2010
During the production and modification of this document, both Huawei
and CNNIC supported one of the authors, Sean Shen. Both are
appreciated as affiliations of the author.
7. References
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3686] Housley, R., "Using Advanced Encryption Standard
(AES) Counter Mode With IPsec Encapsulating
Security Payload (ESP)", RFC 3686, January 2004.
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2)
Protocol", RFC 4306, December 2005.
[RFC4307] Schiller, J., "Cryptographic Algorithms for Use in
the Internet Key Exchange Version 2 (IKEv2)",
RFC 4307, December 2005.
[AES] National Institute of Standards and Technology,
"Advanced Encryption Standard (AES)", FIPS PUB 197,
November 2001, <http://csrc.nist.gov/
publications/fips/fips197/fips-197.pdf>.
[IANA-Para] Internet Assigned Numbers Authority, "Internet Key
Exchange Version 2 (IKEv2) Parameters",
<http://www.iana.org>.
[MODES] Dworkin, M., "Recommendation for Block Cipher Modes
of Operation -- Methods and Techniques", NIST
Special Publication 800-38A, December 2001,
<http://csrc.nist.gov/publications/nistpubs/
800-38a/sp800-38a.pdf>.
7.2. Informative References
[RFC4303] Kent, S., "IP Encapsulating Security Payload
(ESP)", RFC 4303, December 2005.
[Recommendations] Barker, E., Barker, W., Burr, W., Polk, W., and M.
Smid, "Recommendation for Key Management - Part 1:
General (Revised)", NIST Special
Publication 800-57, March 2007, <http://
csrc.nist.gov/publications/nistpubs/800-57/
sp800-57-Part1-revised2_Mar08-2007.pdf>.
Shen, et al. Informational [Page 5]
^L
RFC 5930 AES-CTR for IKEv2 July 2010
Authors' Addresses
Sean Shen
Huawei
4, South 4th Street, Zhongguancun
Beijing 100190
China
EMail: shenshuo@cnnic.cn
Yu Mao
Hangzhou H3C Tech. Co., Ltd.
Oriental Electronic Bld., No. 2
Chuangye Road
Shang-Di Information Industry
Hai-Dian District
Beijing 100085
China
EMail: yumao9@gmail.com
N S Srinivasa Murthy
Freescale Semiconductor
UMA PLAZA, NAGARJUNA CIRCLE, PUNJAGUTTA
HYDERABAD 500082
INDIA
EMail: ssmurthy.nittala@freescale.com
Shen, et al. Informational [Page 6]
^L
|