1 .pl 10.0i
2 .po 0
3 .ll 7.2i
4 .lt 7.2i
5 .nr LL 7.2i
6 .nr LT 7.2i
7 .ds LF Riikonen
8 .ds RF FORMFEED[Page %]
9 .ds CF
10 .ds LH Internet-Draft
11 .ds RH 13 November 2001
12 .ds CH
13 .na
14 .hy 0
15 .in 0
16 .nf
17 Network Working Group P. Riikonen
18 Internet-Draft
19 draft-riikonen-silc-ke-auth-04.txt 13 November 2001
20 Expires: 13 May 2002
21
22 .in 3
23
24 .ce 2
25 SILC Key Exchange and Authentication Protocols
26 <draft-riikonen-silc-ke-auth-04.txt>
27
28 .ti 0
29 Status of this Memo
30
31 This document is an Internet-Draft and is in full conformance with
32 all provisions of Section 10 of RFC 2026. Internet-Drafts are
33 working documents of the Internet Engineering Task Force (IETF), its
34 areas, and its working groups. Note that other groups may also
35 distribute working documents as Internet-Drafts.
36
37 Internet-Drafts are draft documents valid for a maximum of six months
38 and may be updated, replaced, or obsoleted by other documents at any
39 time. It is inappropriate to use Internet-Drafts as reference
40 material or to cite them other than as "work in progress."
41
42 The list of current Internet-Drafts can be accessed at
43 http://www.ietf.org/ietf/1id-abstracts.txt
44
45 The list of Internet-Draft Shadow Directories can be accessed at
46 http://www.ietf.org/shadow.html
47
48 The distribution of this memo is unlimited.
49
50
51 .ti 0
52 Abstract
53
54 This memo describes two protocols used in the Secure Internet Live
55 Conferencing (SILC) protocol, specified in the Secure Internet Live
56 Conferencing, Protocol Specification internet-draft [SILC1]. The
57 SILC Key Exchange (SKE) protocol provides secure key exchange between
58 two parties resulting into shared secret key material. The protocol
59 is based on Diffie-Hellman key exchange algorithm and its functionality
60 is derived from several key exchange protocols. SKE uses best parts
61 of the SSH2 Key Exchange protocol, Station-To-Station (STS) protocol
62 and the OAKLEY Key Determination protocol [OAKLEY].
63
64 The SILC Connection Authentication protocol provides user level
65 authentication used when creating connections in SILC network. The
66 protocol is transparent to the authentication data which means that it
67 can be used to authenticate the user with, for example, passphrase
68 (pre-shared-secret) or public key (and certificate).
69
70
71
72 .ti 0
73 Table of Contents
74
75 .nf
76 1 Introduction .................................................. 2
77 1.1 Requirements Terminology .................................. 3
78 2 SILC Key Exchange Protocol .................................... 3
79 2.1 Key Exchange Payloads ..................................... 4
80 2.1.1 Key Exchange Start Payload .......................... 4
81 2.1.2 Key Exchange Payload ................................ 8
82 2.2 Key Exchange Procedure .................................... 10
83 2.3 Processing the Key Material ............................... 12
84 2.4 SILC Key Exchange Groups .................................. 13
85 2.4.1 diffie-hellman-group1 ............................... 14
86 2.4.2 diffie-hellman-group2 ............................... 14
87 2.5 Key Exchange Status Types ................................. 15
88 3 SILC Connection Authentication Protocol ....................... 16
89 3.1 Connection Auth Payload ................................... 18
90 3.2 Connection Authentication Types ........................... 19
91 3.2.1 Passphrase Authentication ........................... 19
92 3.2.2 Public Key Authentication ........................... 19
93 3.3 Connection Authentication Status Types .................... 20
94 4 Security Considerations ....................................... 20
95 5 References .................................................... 20
96 6 Author's Address .............................................. 22
97
98
99 .ti 0
100 List of Figures
101
102 .nf
103 Figure 1: Key Exchange Start Payload
104 Figure 2: Key Exchange Payload
105 Figure 3: Connection Auth Payload
106
107
108 .ti 0
109 1 Introduction
110
111 This memo describes two protocols used in the Secure Internet Live
112 Conferencing (SILC) protocol specified in the Secure Internet Live
113 Conferencing, Protocol Specification Internet-Draft [SILC1]. The
114 SILC Key Exchange (SKE) protocol provides secure key exchange between
115 two parties resulting into shared secret key material. The protocol
116 is based on Diffie-Hellman key exchange algorithm and its functionality
117 is derived from several key exchange protocols. SKE uses best parts
118 of the SSH2 Key Exchange protocol, Station-To-Station (STS) protocol
119 and the OAKLEY Key Determination protocol.
120
121 The SILC Connection Authentication protocol provides user level
122 authentication used when creating connections in SILC network. The
123 protocol is transparent to the authentication data which means that it
124 can be used to authenticate the user with, for example, pass phrase
125 (pre-shared- secret) or public key (and certificate).
126
127 The basis of secure SILC session requires strong and secure key exchange
128 protocol and authentication. The authentication protocol is entirely
129 secured and no authentication data is ever sent in the network without
130 encrypting and authenticating it first. Thus, authentication protocol
131 may be used only after the key exchange protocol has been successfully
132 completed.
133
134 This document refers constantly to other SILC protocol specification
135 Internet Drafts that are a must read for those who wants to understand
136 the function of these protocols. The most important references are
137 the Secure Internet Live Conferencing, Protocol Specification [SILC1]
138 and the SILC Packet Protocol [SILC2] Internet Drafts.
139
140 The protocol is intended to be used with the SILC protocol thus it
141 does not define own framework that could be used. The framework is
142 provided by the SILC protocol.
143
144
145 .ti 0
146 1.1 Requirements Terminology
147
148 The keywords MUST, MUST NOT, REQUIRED, SHOULD, SHOULD NOT, RECOMMENDED,
149 MAY, and OPTIONAL, when they appear in this document, are to be
150 interpreted as described in [RFC2119].
151
152
153 .ti 0
154 2 SILC Key Exchange Protocol
155
156 SILC Key Exchange Protocol (SKE) is used to exchange shared secret
157 between connecting entities. The result of this protocol is a key
158 material used to secure the communication channel. The protocol uses
159 Diffie-Hellman key exchange algorithm and its functionality is derived
160 from several key exchange protocols. SKE uses best parts of the SSH2
161 Key Exchange protocol, Station-To-Station (STS) protocol and the OAKLEY
162 Key Determination protocol. The protocol does not claim any conformance
163 to any of these protocols, they were merely used as a reference when
164 designing this protocol.
165
166 The purpose of SILC Key Exchange protocol is to create session keys to
167 be used in current SILC session. The keys are valid only for some period
168 of time (usually an hour) or at most until the session ends. These keys
169 are used to protect packets like commands, command replies and other
170 communication between two entities. If connection is server to router
171 connection, the keys are used to protect all traffic between those
172 servers. In client connections usually all the packets are protected
173 with this key except channel messages; channels has their own keys and
174 they are not exchanged with this protocol.
175
176 The Diffie-Hellman implementation used in the SILC SHOULD be compliant
177 to the PKCS #3.
178
179
180 .ti 0
181 2.1 Key Exchange Payloads
182
183 During the key exchange procedure public data is sent between initiator
184 and responder. This data is later used in the key exchange procedure.
185 There are several payloads used in the key exchange. As for all SILC
186 packets, SILC Packet Header, described in [SILC2], is at the start of
187 all packets. The same is done with these payloads as well. All the
188 fields in the payloads are always in MSB (most significant byte first)
189 order. Following descriptions of these payloads.
190
191
192 .ti 0
193 2.1.1 Key Exchange Start Payload
194
195 The key exchange between two entities MUST be started by sending the
196 SILC_PACKET_KEY_EXCHANGE packet containing Key Exchange Start Payload.
197 Initiator sends the Key Exchange Start Payload to the responder filled
198 with all security properties it supports. The responder then checks
199 whether it supports the security properties.
200
201 It then sends a Key Exchange Start Payload to the initiator filled with
202 security properties it selected from the original payload. The payload
203 sent by responder MUST include only one chosen property per list.
204
205 The Key Exchange Start Payload is used to tell connecting entities what
206 security properties and algorithms should be used in the communication.
207 The Key Exchange Start Payload is sent only once per session. Even if
208 the PFS (Perfect Forward Secrecy) flag is set the Key Exchange Start
209 Payload is not re-sent. When PFS is desired the Key Exchange Payloads
210 are sent to negotiate new key material. The procedure is equivalent to
211 the very first negotiation except that the Key Exchange Start Payload
212 is not sent.
213
214 As this payload is used only with the very first key exchange the payload
215 is never encrypted, as there are no keys to encrypt it with.
216
217 A cookie is also sent in this payload. A cookie is used to randomize the
218 payload so that none of the key exchange parties can determine this
219 payload before the key exchange procedure starts. The cookie MUST be
220 returned to the original sender by the responder.
221
222 Following diagram represents the Key Exchange Start Payload. The lists
223 mentioned below are always comma (`,') separated and the list MUST NOT
224 include spaces (` ').
225
226
227 .in 5
228 .nf
229 1 2 3
230 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
231 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
232 | RESERVED | Flags | Payload Length |
233 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
234 | |
235 + +
236 | |
237 + Cookie +
238 | |
239 + +
240 | |
241 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
242 | Version String Length | |
243 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
244 | |
245 ~ Version String ~
246 | |
247 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
248 | Key Exchange Grp Length | |
249 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
250 | |
251 ~ Key Exchange Groups ~
252 | |
253 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
254 | PKCS Alg Length | |
255 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
256 | |
257 ~ PKCS Algorithms ~
258 | |
259 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
260 | Encryption Alg Length | |
261 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
262 | |
263 ~ Encryption Algorithms ~
264 | |
265 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
266 | Hash Alg Length | |
267 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
268 | |
269 ~ Hash Algorithms ~
270 | |
271 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
272 | HMAC Length | |
273 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
274 | |
275 ~ HMACs ~
276 | |
277 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
278 | Compression Alg Length | |
279 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
280 | |
281 ~ Compression Algorithms ~
282 | |
283 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
284 .in 3
285
286 .ce
287 Figure 1: Key Exchange Start Payload
288
289
290
291 .in 6
292 o RESERVED (1 byte) - Reserved field. Sender fills this with
293 zero (0) value.
294
295 o Flags (1 byte) - Indicates flags to be used in the key
296 exchange. Several flags can be set at once by ORing the
297 flags together. The following flags are reserved for this
298 field:
299
300 No flags 0x00
301
302 In this case the field is ignored.
303
304 No Reply 0x01
305
306 If set the receiver of the payload does not reply to
307 the packet.
308
309 PFS 0x02
310
311 Perfect Forward Secrecy (PFS) to be used in the
312 key exchange protocol. If not set, re-keying
313 is performed using the old key. See the [SILC1]
314 for more information on this issue. When PFS is
315 used, re-keying and creating new keys for any
316 particular purpose MUST cause new key exchange.
317 In this key exchange only the Key Exchange Payload
318 is sent and the Key Exchange Start Payload MUST
319 NOT be sent. When doing PFS the Key Exchange
320 Payloads are encrypted with the old keys.
321
322 Mutual Authentication 0x04
323
324 Both of the parties will perform authentication
325 by providing signed data for the other party to
326 verify. By default, only responder will provide
327 the signature data. If this is set then the
328 initiator must also provide it. Initiator MAY
329 set this but also responder MAY set this even if
330 initiator did not set it.
331
332 Rest of the flags are reserved for the future and
333 MUST NOT be set.
334
335 o Payload Length (2 bytes) - Length of the entire Key Exchange
336 Start payload, not including any other field.
337
338 o Cookie (16 bytes) - Cookie that randomize this payload so
339 that each of the party cannot determine the payload before
340 hand.
341
342 o Version String Length (2 bytes) - The length of the Version
343 String field, not including any other field.
344
345 o Version String (variable length) - Indicates the version of
346 the sender of this payload. Initiator sets this when sending
347 the payload and responder sets this when it replies by sending
348 this payload. See [SILC1] for definition of the version
349 string format.
350
351 o Key Exchange Grp Length (2 bytes) - The length of the
352 key exchange group list, not including any other field.
353
354 o Key Exchange Group (variable length) - The list of
355 key exchange groups. See the section 2.4 SILC Key Exchange
356 Groups for definitions of these groups.
357
358 o PKCS Alg Length (2 bytes) - The length of the PKCS algorithms
359 list, not including any other field.
360
361 o PKCS Algorithms (variable length) - The list of PKCS
362 algorithms.
363
364 o Encryption Alg Length (2 bytes) - The length of the encryption
365 algorithms list, not including any other field.
366
367 o Encryption Algorithms (variable length) - The list of
368 encryption algorithms.
369
370 o Hash Alg Length (2 bytes) - The length of the Hash algorithm
371 list, not including any other field.
372
373 o Hash Algorithms (variable length) - The list of Hash
374 algorithms. The hash algorithms are mainly used in the
375 SKE protocol.
376
377 o HMAC Length (2 bytes) - The length of the HMAC list, not
378 including any other field.
379
380 o HMACs (variable length) - The list of HMACs. The HMAC's
381 are used to compute the Message Authentication Codes (MAC)
382 of the SILC packets.
383
384 o Compression Alg Length (2 bytes) - The length of the
385 compression algorithms list, not including any other field.
386
387 o Compression Algorithms (variable length) - The list of
388 compression algorithms.
389 .in 3
390
391
392 .ti 0
393 2.1.2 Key Exchange Payload
394
395 Key Exchange payload is used to deliver the public key (or certificate),
396 the computed Diffie-Hellman public value and possibly signature data
397 from one party to the other. When initiator is using this payload
398 and the Mutual Authentication flag is not set then the initiator MUST
399 NOT provide the signature data. If the flag is set then the initiator
400 MUST provide the signature data so that the responder can verify it.
401
402 The Mutual Authentication flag is usually used when a separate
403 authentication protocol will not be executed for the initiator of the
404 protocol. This is case for example when the SKE is performed between
405 two SILC clients. In normal case, where client is connecting to a
406 server, or server is connecting to a router the Mutual Authentication
407 flag may be omitted. However, if the connection authentication protocol
408 for the connecting entity is not based on public key authentication (it
409 is based on passphrase) then the Mutual Authentication flag SHOULD be
410 enabled. This way the connecting entity has to provide proof of
411 posession of the private key for the public key it will provide in
412 SILC Key Exchange protocol.
413
414 When performing re-key with PFS selected this is the only payload that
415 is sent in the SKE protocol. The Key Exchange Start Payload MUST NOT
416 be sent at all. However, this payload does not have all the fields
417 present. In the re-key with PFS the public key and a possible signature
418 data SHOULD NOT be present. If they are present they MUST be ignored.
419 The only field that is present is the Public Data that is used to create
420 the new key material. In the re-key the Mutual Authentication flag, that
421 may be set in the initial negotiation, MUST also be ignored.
422
423 This payload is sent inside SILC_PACKET_KEY_EXCHANGE_1 and inside
424 SILC_PACKET_KEY_EXCHANGE_2 packet types. The initiator uses the
425 SILC_PACKET_KEY_EXCHANGE_1 and the responder the latter.
426
427 The following diagram represent the Key Exchange Payload.
428
429
430 .in 5
431 .nf
432 1 2 3
433 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
434 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
435 | Public Key Length | Public Key Type |
436 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
437 | |
438 ~ Public Key of the party (or certificate) ~
439 | |
440 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
441 | Public Data Length | |
442 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
443 | |
444 ~ Public Data ~
445 | |
446 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
447 | Signature Length | |
448 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
449 | |
450 ~ Signature Data ~
451 | |
452 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
453 .in 3
454
455 .ce
456 Figure 2: Key Exchange Payload
457
458
459 .in 6
460 o Public Key Length (2 bytes) - The length of the Public Key
461 (or certificate) field, not including any other field.
462
463 o Public Key Type (2 bytes) - The public key (or certificate)
464 type. This field indicates the type of the public key in
465 the packet. Following types are defined:
466
467 1 SILC style public key (mandatory)
468 2 SSH2 style public key (optional)
469 3 X.509 Version 3 certificate (optional)
470 4 OpenPGP certificate (optional)
471 5 SPKI certificate (optional)
472
473 The only required type to support is type number 1. See
474 [SILC1] for the SILC public key specification. See
475 SSH public key specification in [SSH-TRANS]. See X.509v3
476 certificate specification in [PKIX-Part1]. See OpenPGP
477 certificate specification in [PGP]. See SPKI certificate
478 specification in [SPKI]. If this field includes zero (0)
479 or unsupported type number the protocol MUST be aborted
480 sending SILC_PACKET_FAILURE message and the connection SHOULD
481 be closed immediately.
482
483 o Public Key (or certificate) (variable length) - The
484 public key or certificate.
485
486 o Public Data Length (2 bytes) - The length of the Public Data
487 field, not including any other field.
488
489 o Public Data (variable length) - The public data to be
490 sent to the receiver. See section 2.2 Key Exchange
491 Procedure for detailed description how this field is
492 computed. This value is binary encoded.
493
494 o Signature Length (2 bytes) - The length of the signature,
495 not including any other field.
496
497 o Signature Data (variable length) - The signature signed
498 by the sender. The receiver of this signature MUST
499 verify it. The verification is done using the sender's
500 public key. See section 2.2 Key Exchange Procedure for
501 detailed description how to produce the signature. If
502 the Mutual Authentication flag is not set then initiator
503 MUST NOT provide this field and the Signature Length field
504 MUST be set to zero (0) value. If the flag is set then
505 also the initiator MUST provide this field. The responder
506 MUST always provide this field.
507 .in 3
508
509
510 .ti 0
511 2.2 Key Exchange Procedure
512
513 The key exchange begins by sending SILC_PACKET_KEY_EXCHANGE packet with
514 Key Exchange Start Payload to select the security properties to be used
515 in the key exchange and later in the communication.
516
517 After Key Exchange Start Payload has been processed by both of the
518 parties the protocol proceeds as follows:
519
520
521 Setup: p is a large and public safe prime. This is one of the
522 Diffie Hellman groups. q is order of subgroup (largest
523 prime factor of p). g is a generator and is defined
524 along with the Diffie Hellman group.
525
526 1. Initiator generates a random number x, where 1 < x < q,
527 and computes e = g ^ x mod p. The result e is then
528 encoded into Key Exchange Payload, with the public key
529 (or certificate) and sent to the responder.
530
531 If the Mutual Authentication flag is set then initiator
532 MUST also produce signature data SIGN_i which the responder
533 will verify. The initiator MUST compute a hash value
534 HASH_i = hash(Key Exchange Start Payload | public key
535 (or certificate) | e). It then signs the HASH_i value with
536 its private key resulting a signature SIGN_i.
537
538 2. Responder generates a random number y, where 1 < y < q,
539 and computes f = g ^ y mod p. It then computes the
540 shared secret KEY = e ^ y mod p, and, a hash value
541 HASH = hash(Key Exchange Start Payload data | public
542 key (or certificate) | Initiator's public key (or
543 certificate) | e | f | KEY). It then signs
544 the HASH value with its private key resulting a signature
545 SIGN.
546
547 It then encodes its public key (or certificate), f and
548 SIGN into Key Exchange Payload and sends it to the
549 initiator.
550
551 If the Mutual Authentication flag is set then the responder
552 SHOULD verify that the public key provided in the payload
553 is authentic, or if certificates are used it verifies the
554 certificate. The responder MAY accept the public key without
555 verifying it, however, doing so may result to insecure key
556 exchange (accepting the public key without verifying may be
557 desirable for practical reasons on many environments. For
558 long term use this is never desirable, in which case
559 certificates would be the preferred method to use). It then
560 computes the HASH_i value the same way initiator did in the
561 phase 1. It then verifies the signature SIGN_i from the
562 payload with the hash value HASH_i using the received public
563 key.
564
565 3. Initiator verifies that the public key provided in
566 the payload is authentic, or if certificates are used
567 it verifies the certificate. The initiator MAY accept
568 the public key without verifying it, however, doing
569 so may result to insecure key exchange (accepting the
570 public key without verifying may be desirable for
571 practical reasons on many environments. For long term
572 use this is never desirable, in which case certificates
573 would be the preferred method to use).
574
575 Initiator then computes the shared secret KEY =
576 f ^ x mod p, and, a hash value HASH in the same way as
577 responder did in phase 2. It then verifies the
578 signature SIGN from the payload with the hash value
579 HASH using the received public key.
580
581
582 If any of these phases is to fail the SILC_PACKET_FAILURE MUST be sent
583 to indicate that the key exchange protocol has failed, and the connection
584 SHOULD be closed immediately. Any other packets MUST NOT be sent or
585 accepted during the key exchange except the SILC_PACKET_KEY_EXCHANGE_*,
586 SILC_PACKET_FAILURE and SILC_PACKET_SUCCESS packets.
587
588 The result of this protocol is a shared secret key material KEY and
589 a hash value HASH. The key material itself is not fit to be used as
590 a key, it needs to be processed further to derive the actual keys to be
591 used. The key material is also used to produce other security parameters
592 later used in the communication. See section 2.3 Processing the Key
593 Material for detailed description how to process the key material.
594
595 If the Mutual Authentication flag was set the protocol produces also
596 a hash value HASH_i. This value, however, must be discarded.
597
598 After the keys are processed the protocol is ended by sending the
599 SILC_PACKET_SUCCESS packet. Both entities send this packet to
600 each other. After this both parties will start using the new keys.
601
602
603 .ti 0
604 2.3 Processing the Key Material
605
606 Key Exchange protocol produces secret shared key material KEY. This
607 key material is used to derive the actual keys used in the encryption
608 of the communication channel. The key material is also used to derive
609 other security parameters used in the communication. Key Exchange
610 protocol produces a hash value HASH as well.
611
612 The keys MUST be derived from the key material as follows:
613
614 .in 6
615 Sending Initial Vector (IV) = hash(0 | KEY | HASH)
616 Receiving Initial Vector (IV) = hash(1 | KEY | HASH)
617 Sending Encryption Key = hash(2 | KEY | HASH)
618 Receiving Encryption Key = hash(3 | KEY | HASH)
619 Sending HMAC Key = hash(4 | KEY | HASH)
620 Receiving HMAC Key = hash(5 | KEY | HASH)
621 .in 3
622
623
624 The Initial Vector (IV) is used in the encryption when doing for
625 example CBC mode. As many bytes as needed are taken from the start of
626 the hash output for IV. Sending IV is for sending key and receiving IV
627 is for receiving key. For receiving party, the receiving IV is actually
628 sender's sending IV, and, the sending IV is actually sender's receiving
629 IV. Initiator uses IV's as they are (sending IV for sending and
630 receiving IV for receiving).
631
632 The Encryption Keys are derived as well from the hash(). If the hash()
633 output is too short for the encryption algorithm more key material MUST
634 be produced in the following manner:
635
636 .in 6
637 K1 = hash(2 | KEY | HASH)
638 K2 = hash(KEY | HASH | K1)
639 K3 = hash(KEY | HASH | K1 | K2) ...
640
641 Sending Encryption Key = K1 | K2 | K3 ...
642
643
644 K1 = hash(3 | KEY | HASH)
645 K2 = hash(KEY | HASH | K1)
646 K3 = hash(KEY | HASH | K1 | K2) ...
647
648 Receiving Encryption Key = K1 | K2 | K3 ...
649 .in 3
650
651
652 The key is distributed by hashing the previous hash with the original
653 key material. The final key is a concatenation of the hash values.
654 For Receiving Encryption Key the procedure is equivalent. Sending key
655 is used only for encrypting data to be sent. The receiving key is used
656 only to decrypt received data. For receiving party, the receive key is
657 actually sender's sending key, and, the sending key is actually sender's
658 receiving key. Initiator uses generated keys as they are (sending key
659 for sending and receiving key for receiving).
660
661 The HMAC keys are used to create MAC values to packets in the
662 communication channel. As many bytes as needed are taken from the start
663 of the hash output to generate the MAC keys.
664
665 These procedures are performed by all parties of the key exchange
666 protocol. This MUST be done before the protocol has been ended by
667 sending the SILC_PACKET_SUCCESS packet.
668
669 This same procedure is used in the SILC in some other circumstances
670 as well. Any changes to this procedure is mentioned separately when
671 this procedure is needed. See the [SILC1] and the [SILC2] for these
672 circumstances.
673
674
675 .ti 0
676 2.4 SILC Key Exchange Groups
677
678 The Following groups may be used in the SILC Key Exchange protocol.
679 The first group diffie-hellman-group1 is REQUIRED, other groups MAY be
680 negotiated to be used in the connection with Key Exchange Start Payload
681 and SILC_PACKET_KEY_EXCHANGE packet. However, the first group MUST be
682 proposed in the Key Exchange Start Payload regardless of any other
683 requested group (however, it does not have to be the first in the list).
684
685
686 .ti 0
687 2.4.1 diffie-hellman-group1
688
689 The length of this group is 1024 bits. This is REQUIRED group.
690 The prime is 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
691
692 Its decimal value is
693
694 .in 6
695 179769313486231590770839156793787453197860296048756011706444
696 423684197180216158519368947833795864925541502180565485980503
697 646440548199239100050792877003355816639229553136239076508735
698 759914822574862575007425302077447712589550957937778424442426
699 617334727629299387668709205606050270810842907692932019128194
700 467627007
701 .in 3
702
703 Its hexadecimal value is
704
705 .in 6
706 FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
707 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
708 EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
709 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
710 EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
711 FFFFFFFF FFFFFFFF
712 .in 3
713
714
715 The generator used with this prime is g = 2. The group order q is
716 (p - 1) / 2.
717
718 This group was taken from the OAKLEY specification.
719
720
721 .ti 0
722 2.4.2 diffie-hellman-group2
723
724 The length of this group is 1536 bits. This is OPTIONAL group.
725 The prime is 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }.
726
727 Its decimal value is
728
729 .in 6
730 241031242692103258855207602219756607485695054850245994265411
731 694195810883168261222889009385826134161467322714147790401219
732 650364895705058263194273070680500922306273474534107340669624
733 601458936165977404102716924945320037872943417032584377865919
734 814376319377685986952408894019557734611984354530154704374720
735 774996976375008430892633929555996888245787241299381012913029
736 459299994792636526405928464720973038494721168143446471443848
737 8520940127459844288859336526896320919633919
738 .in 3
739
740 Its hexadecimal value is
741
742 .in 6
743 FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
744 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
745 EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
746 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
747 EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
748 C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
749 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
750 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
751 .in 3
752
753 The generator used with this prime is g = 2. The group order q is
754 (p - 1) / 2.
755
756 This group was taken from the OAKLEY specification.
757
758
759 .ti 0
760 2.5 Key Exchange Status Types
761
762 This section defines all key exchange protocol status types that may
763 be returned in the SILC_PACKET_SUCCESS or SILC_PACKET_FAILURE packets
764 to indicate the status of the protocol. Implementations may map the
765 status types to human readable error message. All types except the
766 SILC_SKE_STATUS_OK type MUST be sent in SILC_PACKET_FAILURE packet.
767 The length of status is 32 bits (4 bytes). The following status types
768 are defined:
769
770 .in 6
771 0 SILC_SKE_STATUS_OK
772
773 Protocol were executed successfully.
774
775
776 1 SILC_SKE_STATUS_ERROR
777
778 Unknown error occurred. No specific error type is defined.
779
780
781 2 SILC_SKE_STATUS_BAD_PAYLOAD
782
783 Provided KE payload were malformed or included bad fields.
784
785
786 3 SILC_SKE_STATUS_UNSUPPORTED_GROUP
787
788 None of the provided groups were supported.
789
790
791 4 SILC_SKE_STATUS_UNSUPPORTED_CIPHER
792
793 None of the provided ciphers were supported.
794
795
796 5 SILC_SKE_STATUS_UNSUPPORTED_PKCS
797
798 None of the provided public key algorithms were supported.
799
800
801 6 SILC_SKE_STATUS_UNSUPPORTED_HASH_FUNCTION
802
803 None of the provided hash functions were supported.
804
805
806 7 SILC_SKE_STATUS_UNSUPPORTED_HMAC
807
808 None of the provided HMACs were supported.
809
810
811 8 SILC_SKE_STATUS_UNSUPPORTED_PUBLIC_KEY
812
813 Provided public key type is not supported.
814
815
816 9 SILC_SKE_STATUS_INCORRECT_SIGNATURE
817
818 Provided signature was incorrect.
819
820
821 10 SILC_SKE_STATUS_BAD_VERSION
822
823 Provided version string was not acceptable.
824
825 11 SILC_SKE_STATUS_INVALID_COOKIE
826
827 The cookie in the Key Exchange Start Payload was malformed,
828 because responder modified the cookie.
829 .in 3
830
831
832 .ti 0
833 3 SILC Connection Authentication Protocol
834
835 Purpose of Connection Authentication protocol is to authenticate the
836 connecting party with server. Usually connecting party is client but
837 server may connect to router server as well. Its other purpose is to
838 provide information for the server about which type of connection this
839 is. The type defines whether this is client, server or router
840 connection. Server uses this information to create the ID for the
841 connection.
842
843 After the authentication protocol has been successfully completed
844 SILC_PACKET_NEW_ID must be sent to the connecting client by the server.
845 See the [SILC1] for the details of the connecting procedure.
846
847 Server MUST verify the authentication data received and if it is to fail
848 the authentication MUST be failed by sending SILC_PACKET_FAILURE packet.
849 If everything checks out fine the protocol is ended by server by sending
850 SILC_PACKET_SUCCESS packet.
851
852 The protocol is executed after the SILC Key Exchange protocol. It MUST
853 NOT be executed in any other time. As it is performed after key exchange
854 protocol all traffic in the connection authentication protocol is
855 encrypted with the exchanged keys.
856
857 The protocol MUST be started by the connecting party by sending the
858 SILC_PACKET_CONNECTION_AUTH packet with Connection Auth Payload,
859 described in the next section. This payload MUST include the
860 authentication data. The authentication data is set according
861 authentication method that MUST be known by both parties. If connecting
862 party does not know what is the mandatory authentication method it MAY
863 request it from the server by sending SILC_PACKET_CONNECTION_AUTH_REQUEST
864 packet. This packet is not part of this protocol and is described in
865 section Connection Auth Request Payload in [SILC2]. However, if
866 connecting party already knows the mandatory authentication method
867 sending the request is not necessary.
868
869 See [SILC1] and section Connection Auth Request Payload in [SILC2] also
870 for the list of different authentication methods. Authentication method
871 MAY also be NONE, in which case the server does not require
872 authentication at all. However, in this case the protocol still MUST be
873 executed; the authentication data just is empty indicating no
874 authentication is required.
875
876 If authentication method is passphrase the authentication data is
877 plaintext passphrase. As the payload is entirely encrypted it is safe
878 to have plaintext passphrase. See the section 3.2.1 Passphrase
879 Authentication for more information.
880
881 If authentication method is public key authentication the authentication
882 data is a signature of the hash value of hash HASH plus Key Exchange
883 Start Payload, established by the SILC Key Exchange protocol. This
884 signature MUST then be verified by the server. See the section 3.2.2
885 Public Key Authentication for more information.
886
887 The connecting client of this protocol MUST wait after successful execution
888 of this protocol for the SILC_PACKET_NEW_ID packet where it will receive
889 the ID it will be using in the SILC network. The connecting client cannot
890 start normal SILC session (sending messages or commands) until it has
891 received its ID. The ID's are always created by the server except
892 for server to router connection where servers create their own ID's.
893
894
895 .ti 0
896 3.1 Connection Auth Payload
897
898 Client sends this payload to authenticate itself to the server. Server
899 connecting to another server also sends this payload. Server receiving
900 this payload MUST verify all the data in it and if something is to fail
901 the authentication MUST be failed by sending SILC_PACKET_FAILURE packet.
902
903 The payload may only be sent with SILC_PACKET_CONNECTION_AUTH packet.
904 It MUST NOT be sent in any other packet type. The following diagram
905 represent the Connection Auth Payload.
906
907
908 .in 5
909 .nf
910 1 2 3
911 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
912 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
913 | Payload Length | Connection Type |
914 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
915 | |
916 ~ Authentication Data ~
917 | |
918 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
919 .in 3
920
921 .ce
922 Figure 3: Connection Auth Payload
923
924
925 .in 6
926 o Payload Length (2 bytes) - Length of the entire Connection
927 Auth Payload.
928
929 o Connection Type (2 bytes) - Indicates the type of the
930 connection. See section Connection Auth Request Payload
931 in [SILC2] for the list of connection types. This field MUST
932 include valid connection type or the packet MUST be discarded
933 and authentication MUST be failed.
934
935 o Authentication Data (variable length) - The actual
936 authentication data. Contents of this depends on the
937 authentication method known by both parties. If no
938 authentication is required this field does not exist.
939 .in 3
940
941
942
943
944 .ti 0
945 3.2 Connection Authentication Types
946
947 SILC supports two authentication types to be used in the connection
948 authentication protocol; passphrase or public key based authentication.
949 The following sections defines the authentication methods. See [SILC2]
950 for defined numerical authentication method types.
951
952
953 .ti 0
954 3.2.1 Passphrase Authentication
955
956 Passphrase authentication or pre-shared-key based authentication is
957 simply an authentication where the party that wants to authenticate
958 itself to the other end sends the passphrase that is required by
959 the other end, for example server.
960
961 If the passphrase matches with the one in the server's end the
962 authentication is successful. Otherwise SILC_PACKET_FAILURE MUST be
963 sent to the sender and the protocol execution fails.
964
965 This is REQUIRED authentication method to be supported by all SILC
966 implementations.
967
968 When password authentication is used it is RECOMMENDED that maximum
969 amount of padding is applied to the SILC packet. This way it is not
970 possible to approximate the length of the password from the encrypted
971 packet.
972
973
974 .ti 0
975 3.2.2 Public Key Authentication
976
977 Public key authentication may be used if passphrase based authentication
978 is not desired. The public key authentication works by sending a
979 signature as authentication data to the other end, say, server. The
980 server MUST then verify the signature by the public key of the sender,
981 which the server has received earlier in SKE protocol.
982
983 The signature is computed using the private key of the sender by signing
984 the HASH value provided by the SKE protocol previously, and the Key
985 Exchange Start Payload from SKE protocol that was sent to the server.
986 These are concatenated and hash function is used to compute a hash value
987 which is then signed.
988
989 auth_hash = hash(HASH | Key Exchange Start Payload);
990 signature = sign(auth_hash);
991
992 The hash() function used to compute the value is the hash function
993 negotiated in the SKE protocol. The server MUST verify the data, thus
994 it must keep the HASH and the Key Exchange Start Payload saved during
995 SKE and authentication protocols.
996
997 If the verified signature matches the sent signature, the authentication
998 were successful and SILC_PACKET_SUCCESS is sent. If it failed the
999 protocol execution is stopped and SILC_PACKET_FAILURE is sent.
1000
1001 This is REQUIRED authentication method to be supported by all SILC
1002 implementations.
1003
1004
1005 .ti 0
1006 3.3 Connection Authentication Status Types
1007
1008 This section defines all connection authentication status types that
1009 may be returned in the SILC_PACKET_SUCCESS or SILC_PACKET_FAILURE packets
1010 to indicate the status of the protocol. Implementations may map the
1011 status types to human readable error message. All types except the
1012 SILC_AUTH_STATUS_OK type MUST be sent in SILC_PACKET_FAILURE packet.
1013 The length of status is 32 bits (4 bytes). The following status types
1014 are defined:
1015
1016
1017
1018 0 SILC_AUTH_OK
1019
1020 Protocol was executed successfully.
1021
1022
1023 1 SILC_AUTH_FAILED
1024
1025 Authentication failed.
1026
1027
1028 .ti 0
1029 4 Security Considerations
1030
1031 Security is central to the design of this protocol, and these security
1032 considerations permeate the specification. Common security considerations
1033 such as keeping private keys truly private and using adequate lengths for
1034 symmetric and asymmetric keys must be followed in order to maintain the
1035 security of this protocol.
1036
1037
1038 .ti 0
1039 5 References
1040
1041 [SILC1] Riikonen, P., "Secure Internet Live Conferencing (SILC),
1042 Protocol Specification", Internet Draft, April 2001.
1043
1044 [SILC2] Riikonen, P., "SILC Packet Protocol", Internet Draft,
1045 April 2001.
1046
1047 [SILC4] Riikonen, P., "SILC Commands", Internet Draft, April 2001.
1048
1049 [IRC] Oikarinen, J., and Reed D., "Internet Relay Chat Protocol",
1050 RFC 1459, May 1993.
1051
1052 [IRC-ARCH] Kalt, C., "Internet Relay Chat: Architecture", RFC 2810,
1053 April 2000.
1054
1055 [IRC-CHAN] Kalt, C., "Internet Relay Chat: Channel Management", RFC
1056 2811, April 2000.
1057
1058 [IRC-CLIENT] Kalt, C., "Internet Relay Chat: Client Protocol", RFC
1059 2812, April 2000.
1060
1061 [IRC-SERVER] Kalt, C., "Internet Relay Chat: Server Protocol", RFC
1062 2813, April 2000.
1063
1064 [SSH-TRANS] Ylonen, T., et al, "SSH Transport Layer Protocol",
1065 Internet Draft.
1066
1067 [PGP] Callas, J., et al, "OpenPGP Message Format", RFC 2440,