1 .pl 10.0i
2 .po 0
3 .ll 7.2i
4 .lt 7.2i
5 .nr LL 7.2i
6 .nr LT 7.2i
7 .ds LF Riikonen
8 .ds RF FORMFEED[Page %]
9 .ds CF
10 .ds LH Internet-Draft
11 .ds RH 17 June 2003
12 .ds CH
13 .na
14 .hy 0
15 .in 0
16 .nf
17 Network Working Group P. Riikonen
18 Internet-Draft
19 draft-riikonen-silc-ke-auth-07.txt 17 June 2003
20 Expires: 17 December 2003
21
22 .in 3
23
24 .ce 2
25 SILC Key Exchange and Authentication Protocols
26 <draft-riikonen-silc-ke-auth-07.txt>
27
28 .ti 0
29 Status of this Memo
30
31 This document is an Internet-Draft and is in full conformance with
32 all provisions of Section 10 of RFC 2026. Internet-Drafts are
33 working documents of the Internet Engineering Task Force (IETF), its
34 areas, and its working groups. Note that other groups may also
35 distribute working documents as Internet-Drafts.
36
37 Internet-Drafts are draft documents valid for a maximum of six months
38 and may be updated, replaced, or obsoleted by other documents at any
39 time. It is inappropriate to use Internet-Drafts as reference
40 material or to cite them other than as "work in progress."
41
42 The list of current Internet-Drafts can be accessed at
43 http://www.ietf.org/ietf/1id-abstracts.txt
44
45 The list of Internet-Draft Shadow Directories can be accessed at
46 http://www.ietf.org/shadow.html
47
48 The distribution of this memo is unlimited.
49
50
51 .ti 0
52 Abstract
53
54 This memo describes two protocols used in the Secure Internet Live
55 Conferencing (SILC) protocol, specified in the Secure Internet Live
56 Conferencing, Protocol Specification [SILC1]. The SILC Key Exchange
57 (SKE) protocol provides secure key exchange between two parties
58 resulting into shared secret key material. The protocol is based
59 on Diffie-Hellman key exchange algorithm and its functionality is
60 derived from several key exchange protocols.
61
62 The second protocol, SILC Connection Authentication protocol provides
63 user level authentication used when creating connections in SILC
64 network. The protocol is transparent to the authentication data
65 which means that it can be used to authenticate the connection with, for
66 example, passphrase (pre-shared secret) or public key (and certificate)
67 based on digital signatures.
68
69
70
71 .ti 0
72 Table of Contents
73
74 .nf
75 1 Introduction .................................................. 2
76 1.1 Requirements Terminology .................................. 3
77 2 SILC Key Exchange Protocol .................................... 3
78 2.1 Key Exchange Payloads ..................................... 4
79 2.1.1 Key Exchange Start Payload .......................... 4
80 2.1.2 Key Exchange Payload ................................ 8
81 2.2 Key Exchange Procedure .................................... 11
82 2.3 Processing the Key Material ............................... 12
83 2.4 SILC Key Exchange Groups .................................. 14
84 2.4.1 diffie-hellman-group1 ............................... 14
85 2.4.2 diffie-hellman-group2 ............................... 15
86 2.4.3 diffie-hellman-group3 ............................... 15
87 2.5 Key Exchange Status Types ................................. 16
88 3 SILC Connection Authentication Protocol ....................... 17
89 3.1 Connection Auth Payload ................................... 18
90 3.2 Connection Authentication Types ........................... 19
91 3.2.1 Passphrase Authentication ........................... 19
92 3.2.2 Public Key Authentication ........................... 20
93 3.3 Connection Authentication Status Types .................... 21
94 4 Security Considerations ....................................... 21
95 5 References .................................................... 21
96 6 Author's Address .............................................. 23
97 7 Full Copyright Statement ...................................... 23
98
99
100 .ti 0
101 List of Figures
102
103 .nf
104 Figure 1: Key Exchange Start Payload
105 Figure 2: Key Exchange Payload
106 Figure 3: Connection Auth Payload
107
108
109 .ti 0
110 1 Introduction
111
112 This memo describes two protocols used in the Secure Internet Live
113 Conferencing (SILC) protocol specified in the Secure Internet Live
114 Conferencing, Protocol Specification [SILC1]. The SILC Key Exchange
115 (SKE) protocol provides secure key exchange between two parties
116 resulting into shared secret key material. The protocol is based on
117 Diffie-Hellman key exchange algorithm and its functionality is derived
118 from several key exchange protocols, such as SSH2 Key Exchange protocol,
119 Station-To-Station (STS) protocol and the OAKLEY Key Determination
120 protocol [OAKLEY].
121
122 The second protocol, SILC Connection Authentication protocol provides
123 user level authentication used when creating connections in SILC
124 network. The protocol is transparent to the authentication data which
125 means that it can be used to authenticate the connection with, for example,
126 passphrase (pre-shared secret) or public key (and certificate) based
127 on digital signatures.
128
129 The basis of secure SILC session requires strong and secure key exchange
130 protocol and authentication. The authentication protocol is secured and
131 no authentication data is ever sent in the network without encrypting
132 and authenticating it first. Thus, authentication protocol may be used
133 only after the key exchange protocol has been successfully completed.
134
135 This document constantly refers to other SILC protocol specifications
136 that should be read to be able to fully understand the functionality
137 and purpose of these protocols. The most important references are
138 the Secure Internet Live Conferencing, Protocol Specification [SILC1]
139 and the SILC Packet Protocol [SILC2].
140
141 The protocol is intended to be used with the SILC protocol thus it
142 does not define own framework that could be used. The framework is
143 provided by the SILC protocol.
144
145
146 .ti 0
147 1.1 Requirements Terminology
148
149 The keywords MUST, MUST NOT, REQUIRED, SHOULD, SHOULD NOT, RECOMMENDED,
150 MAY, and OPTIONAL, when they appear in this document, are to be
151 interpreted as described in [RFC2119].
152
153
154 .ti 0
155 2 SILC Key Exchange Protocol
156
157 SILC Key Exchange Protocol (SKE) is used to exchange shared secret
158 material used to secure the communication channel. The protocol use
159 Diffie-Hellman key exchange algorithm and its functionality is derived
160 from several key exchange protocols, such as SSH2 Key Exchange protocol,
161 Station-To-Station (STS) protocol and the OAKLEY Key Determination
162 protocol [OAKLEY]. The protocol does not claim any conformance
163 to any of these protocols, they were only used as a reference when
164 designing this protocol. The protocol can mutually authenticate the
165 negotiating parties during the key exchange.
166
167 The purpose of SILC Key Exchange protocol is to create session keys to
168 be used in current SILC session. The keys are valid only for some period
169 of time (usually an hour) or at most until the session ends. These keys
170 are used to protect packets traveling between the two entities.
171 Usually all traffic is secured with the key material derived from this
172 protocol.
173
174 The Diffie-Hellman implementation used in the SILC SHOULD be compliant
175 to the PKCS #3.
176
177
178 .ti 0
179 2.1 Key Exchange Payloads
180
181 During the key exchange procedure public data is sent between initiator
182 and responder. This data is later used in the key exchange procedure.
183 There are several payloads used in the key exchange. As for all SILC
184 packets, SILC Packet Header, described in [SILC2], is at the start of
185 all packets sent in during this protocol. All the fields in the
186 following payloads are in MSB (most significant byte first) order.
187 Following descriptions of these payloads.
188
189
190 .ti 0
191 2.1.1 Key Exchange Start Payload
192
193 The key exchange between two entities MUST be started by sending the
194 SILC_PACKET_KEY_EXCHANGE packet containing Key Exchange Start Payload.
195 Initiator sends the Key Exchange Start Payload to the responder filled
196 with all security properties it supports. The responder then checks
197 whether it supports the security properties.
198
199 It then sends a Key Exchange Start Payload to the initiator filled with
200 security properties it selected from the original payload. The payload
201 sent by responder MUST include only one chosen property per list. The
202 character encoding for the security property values as defined in [SILC1]
203 SHOULD be UTF-8 [RFC2279] in Key Exchange Start Payload.
204
205 The Key Exchange Start Payload is used to tell connecting entities what
206 security properties and algorithms should be used in the communication.
207 The Key Exchange Start Payload is sent only once per session. Even if
208 the PFS (Perfect Forward Secrecy) flag is set the Key Exchange Start
209 Payload is not re-sent. When PFS is desired the Key Exchange Payloads
210 are sent to negotiate new key material. The procedure is equivalent to
211 the very first negotiation except that the Key Exchange Start Payload
212 is not sent.
213
214 As this payload is used only with the very first key exchange the payload
215 is never encrypted, as there are no keys to encrypt it with.
216
217 A cookie is also sent in this payload. A cookie is used to randomize the
218 payload so that none of the key exchange parties can determine this
219 payload before the key exchange procedure starts. The cookie MUST be
220 returned to the original sender unmodified by the responder.
221
222 Following diagram represents the Key Exchange Start Payload. The lists
223 mentioned below are always comma (`,') separated and the list MUST NOT
224 include white spaces (` ').
225
226
227 .in 5
228 .nf
229 1 2 3
230 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
231 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
232 | RESERVED | Flags | Payload Length |
233 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
234 | |
235 + +
236 | |
237 + Cookie +
238 | |
239 + +
240 | |
241 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
242 | Version String Length | |
243 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
244 | |
245 ~ Version String ~
246 | |
247 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
248 | Key Exchange Grp Length | |
249 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
250 | |
251 ~ Key Exchange Groups ~
252 | |
253 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
254 | PKCS Alg Length | |
255 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
256 | |
257 ~ PKCS Algorithms ~
258 | |
259 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
260 | Encryption Alg Length | |
261 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
262 | |
263 ~ Encryption Algorithms ~
264 | |
265 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
266 | Hash Alg Length | |
267 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
268 | |
269 ~ Hash Algorithms ~
270 | |
271 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
272 | HMAC Length | |
273 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
274 | |
275 ~ HMACs ~
276 | |
277 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
278 | Compression Alg Length | |
279 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
280 | |
281 ~ Compression Algorithms ~
282 | |
283 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
284 .in 3
285
286 .ce
287 Figure 1: Key Exchange Start Payload
288
289
290 .in 6
291 o RESERVED (1 byte) - Reserved field. Sender fills this with
292 zero (0) value.
293
294 o Flags (1 byte) - Indicates flags to be used in the key
295 exchange. Several flags can be set at once by ORing the
296 flags together. The following flags are reserved for this
297 field:
298
299 No flags 0x00
300
301 In this case the field is ignored.
302
303 IV Included 0x01
304
305 This flag is used to indicate that Initial Vector (IV)
306 in encryption will be included in the ciphertext
307 which the recipient must use in decryption. The IV
308 MUST be set after the last ciphertext block. With
309 this flag it is possible to use SILC protocol on
310 unreliable transport such as UDP/IP which may cause
311 packet reordering and packet losses. By default,
312 this flag is not set and thus IV is not included
313 in the ciphertext. Setting this flag increases the
314 ciphertext size by one ciphertext block. Responder
315 MAY override this flag for the initiator.
316
317 PFS 0x02
318
319 Perfect Forward Secrecy (PFS) to be used in the
320 key exchange protocol. If not set, re-keying
321 is performed using the old key. See the [SILC1]
322 for more information on this issue. When PFS is
323 used, re-keying and creating new keys for any
324 particular purpose MUST cause new key exchange with
325 new Diffie-Hellman exponent values. In this key
326 exchange only the Key Exchange Payload is sent and
327 the Key Exchange Start Payload MUST NOT be sent.
328 When doing PFS the Key Exchange Payloads are
329 encrypted with the old keys.
330
331 Mutual Authentication 0x04
332
333 Both of the parties will perform authentication
334 by providing signed data for the other party to
335 verify. By default, only responder will provide
336 the signature data. If this is set then the
337 initiator must also provide it. Initiator MAY
338 set this but also responder MAY set this even if
339 initiator did not set it.
340
341 Rest of the flags are reserved for the future and
342 MUST NOT be set.
343
344 o Payload Length (2 bytes) - Length of the entire Key Exchange
345 Start payload, not including any other field.
346
347 o Cookie (16 bytes) - Cookie that randomize this payload so
348 that each of the party cannot determine the payload before
349 hand. This field MUST be present.
350
351 o Version String Length (2 bytes) - The length of the Version
352 String field, not including any other field.
353
354 o Version String (variable length) - Indicates the version of
355 the sender of this payload. Initiator sets this when sending
356 the payload and responder sets this when it replies by sending
357 this payload. See [SILC1] for definition for the version
358 string format. This field MUST be present and include valid
359 version string.
360
361 o Key Exchange Grp Length (2 bytes) - The length of the
362 key exchange group list, not including any other field.
363
364 o Key Exchange Group (variable length) - The list of
365 key exchange groups. See the section 2.4 SILC Key Exchange
366 Groups for definitions of these groups. This field MUST
367 be present.
368
369 o PKCS Alg Length (2 bytes) - The length of the PKCS algorithms
370 list, not including any other field.
371
372 o PKCS Algorithms (variable length) - The list of PKCS
373 algorithms. This field MUST be present.
374
375 o Encryption Alg Length (2 bytes) - The length of the encryption
376 algorithms list, not including any other field.
377
378 o Encryption Algorithms (variable length) - The list of
379 encryption algorithms. This field MUST be present.
380
381 o Hash Alg Length (2 bytes) - The length of the Hash algorithm
382 list, not including any other field.
383
384 o Hash Algorithms (variable length) - The list of Hash
385 algorithms. The hash algorithms are mainly used in the
386 SKE protocol. This field MUST be present.
387
388 o HMAC Length (2 bytes) - The length of the HMAC list, not
389 including any other field.
390
391 o HMACs (variable length) - The list of HMACs. The HMAC's
392 are used to compute the Message Authentication Code (MAC)
393 of the SILC packets. This field MUST be present.
394
395 o Compression Alg Length (2 bytes) - The length of the
396 compression algorithms list, not including any other field.
397
398 o Compression Algorithms (variable length) - The list of
399 compression algorithms. This field MAY be omitted.
400 .in 3
401
402
403 .ti 0
404 2.1.2 Key Exchange Payload
405
406 Key Exchange payload is used to deliver the public key (or certificate),
407 the computed Diffie-Hellman public value and possibly signature data
408 from one party to the other. When initiator is using this payload
409 and the Mutual Authentication flag is not set then the initiator MUST
410 NOT provide the signature data. If the flag is set then the initiator
411 MUST provide the signature data so that the responder can verify it.
412
413 The Mutual Authentication flag is usually used when a separate
414 authentication protocol will not be executed for the initiator of the
415 protocol. This is case for example when the SKE is performed between
416 two SILC clients. In normal case, where client is connecting to a
417 server, or server is connecting to a router the Mutual Authentication
418 flag MAY be omitted. However, if the connection authentication protocol
419 for the connecting entity is not based on digital signatures (it is
420 based on pre-shared key) then the Mutual Authentication flag SHOULD be
421 enabled. This way the connecting entity has to provide proof of
422 possession of the private key for the public key it will provide in
423 this protocol.
424
425 When performing re-key with PFS selected this is the only payload that
426 is sent in the SKE protocol. The Key Exchange Start Payload MUST NOT
427 be sent at all. However, this payload does not have all the fields
428 present. In the re-key with PFS the public key and a possible signature
429 data SHOULD NOT be present. If they are present they MUST be ignored.
430 The only field that is present is the Public Data that is used to create
431 the new key material. In the re-key the Mutual Authentication flag, that
432 may be set in the initial negotiation, MUST also be ignored.
433
434 This payload is sent inside SILC_PACKET_KEY_EXCHANGE_1 and inside
435 SILC_PACKET_KEY_EXCHANGE_2 packet types. The initiator uses the
436 SILC_PACKET_KEY_EXCHANGE_1 and the responder the latter.
437
438 The following diagram represent the Key Exchange Payload.
439
440
441 .in 5
442 .nf
443 1 2 3
444 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
445 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
446 | Public Key Length | Public Key Type |
447 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
448 | |
449 ~ Public Key of the party (or certificate) ~
450 | |
451 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
452 | Public Data Length | |
453 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
454 | |
455 ~ Public Data ~
456 | |
457 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
458 | Signature Length | |
459 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
460 | |
461 ~ Signature Data ~
462 | |
463 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
464 .in 3
465
466 .ce
467 Figure 2: Key Exchange Payload
468
469
470 .in 6
471 o Public Key Length (2 bytes) - The length of the Public Key
472 (or certificate) field, not including any other field.
473
474 o Public Key Type (2 bytes) - The public key (or certificate)
475 type. This field indicates the type of the public key in
476 the packet. Following types are defined:
477
478 1 SILC style public key (mandatory)
479 2 SSH2 style public key (optional)
480 3 X.509 Version 3 certificate (optional)
481 4 OpenPGP certificate (optional)
482 5 SPKI certificate (optional)
483
484 The only required type to support is type number 1. See
485 [SILC1] for the SILC public key specification. See
486 SSH2 public key specification in [SSH-TRANS]. See X.509v3
487 certificate specification in [PKIX-Part1]. See OpenPGP
488 certificate specification in [PGP]. See SPKI certificate
489 specification in [SPKI]. If this field includes zero (0)
490 or unsupported type number the protocol MUST be aborted
491 sending SILC_PACKET_FAILURE message and the connection SHOULD
492 be closed immediately.
493
494 o Public Key (or certificate) (variable length) - The
495 public key or certificate of the party. This public key
496 is used to verify the digital signature. The public key
497 or certificate in this field is encoded in the manner as
498 defined in their respective definitions; see previous field.
499
500 o Public Data Length (2 bytes) - The length of the Public Data
501 field, not including any other field.
502
503 o Public Data (variable length) - The public data to be
504 sent to the receiver (computed Diffie-Hellman public values).
505 See section 2.2 Key Exchange Procedure for detailed description
506 how this field is computed. This field is MP integer and is
507 encoded as defined in [SILC1].
508
509 o Signature Length (2 bytes) - The length of the signature,
510 not including any other field.
511
512 o Signature Data (variable length) - The signature signed
513 by the sender. The receiver of this signature MUST
514 verify it. The verification is done using the sender's
515 public key. See section 2.2 Key Exchange Procedure for
516 detailed description how to produce the signature. If
517 the Mutual Authentication flag is not set then initiator
518 MUST NOT provide this field and the Signature Length field
519 MUST be set to zero (0) value. If the flag is set then
520 also the initiator MUST provide this field. The responder
521 always MUST provide this field. The encoding for signature
522 is defined in [SILC1].
523 .in 3
524
525
526
527 .ti 0
528 2.2 Key Exchange Procedure
529
530 The key exchange begins by sending SILC_PACKET_KEY_EXCHANGE packet with
531 Key Exchange Start Payload to select the security properties to be used
532 in the key exchange and later in the communication.
533
534 After Key Exchange Start Payload has been processed by both of the
535 parties the protocol proceeds as follows:
536
537
538 Setup: p is a large and public safe prime. This is one of the
539 Diffie Hellman groups. q is order of subgroup (largest
540 prime factor of p). g is a generator and is defined
541 along with the Diffie Hellman group.
542
543 1. Initiator generates a random number x, where 1 < x < q,
544 and computes e = g ^ x mod p. The result e is then
545 encoded into Key Exchange Payload, with the public key
546 (or certificate) and sent to the responder.
547
548 If the Mutual Authentication flag is set then initiator
549 MUST also produce signature data SIGN_i which the responder
550 will verify. The initiator MUST compute a hash value
551 HASH_i = hash(Initiator's Key Exchange Start Payload |
552 public key (or certificate) | e). The '|' stands for
553 concatenation. It then signs the HASH_i value with its
554 private key resulting a signature SIGN_i.
555
556 2. Responder generates a random number y, where 1 < y < q,
557 and computes f = g ^ y mod p. It then computes the
558 shared secret KEY = e ^ y mod p, and, a hash value
559 HASH = hash(Initiator's Key Exchange Start Payload |
560 public key (or certificate) | Initiator's public key
561 (or certificate) | e | f | KEY). It then signs
562 the HASH value with its private key resulting a signature
563 SIGN.
564
565 It then encodes its public key (or certificate), f and
566 SIGN into Key Exchange Payload and sends it to the
567 initiator.
568
569 If the Mutual Authentication flag is set then the responder
570 SHOULD verify that the public key provided in the payload
571 is authentic, or if certificates are used it verifies the
572 certificate. The responder MAY accept the public key without
573 verifying it, however, doing so may result to insecure key
574 exchange (accepting the public key without verifying may be
575 desirable for practical reasons on many environments. For
576 long term use this is never desirable, in which case
577 certificates would be the preferred method to use). It then
578 computes the HASH_i value the same way initiator did in the
579 phase 1. It then verifies the signature SIGN_i from the
580 payload with the hash value HASH_i using the received public
581 key.
582
583 3. Initiator verifies that the public key provided in
584 the payload is authentic, or if certificates are used
585 it verifies the certificate. The initiator MAY accept
586 the public key without verifying it, however, doing
587 so may result to insecure key exchange (accepting the
588 public key without verifying may be desirable for
589 practical reasons on many environments. For long term
590 use this is never desirable, in which case certificates
591 would be the preferred method to use).
592
593 Initiator then computes the shared secret KEY =
594 f ^ x mod p, and, a hash value HASH in the same way as
595 responder did in phase 2. It then verifies the
596 signature SIGN from the payload with the hash value
597 HASH using the received public key.
598
599
600 If any of these phases is to fail the SILC_PACKET_FAILURE MUST be sent
601 to indicate that the key exchange protocol has failed, and the connection
602 SHOULD be closed immediately. Any other packets MUST NOT be sent or
603 accepted during the key exchange except the SILC_PACKET_KEY_EXCHANGE_*,
604 SILC_PACKET_FAILURE and SILC_PACKET_SUCCESS packets.
605
606 The result of this protocol is a shared secret key material KEY and
607 a hash value HASH. The key material itself is not fit to be used as
608 a key, it needs to be processed further to derive the actual keys to be
609 used. The key material is also used to produce other security parameters
610 later used in the communication. See section 2.3 Processing the Key
611 Material for detailed description how to process the key material.
612
613 If the Mutual Authentication flag was set the protocol produces also
614 a hash value HASH_i. This value, however, must be discarded.
615
616 After the keys are processed the protocol is ended by sending the
617 SILC_PACKET_SUCCESS packet. Both entities send this packet to
618 each other. After this both parties MUST start using the new keys.
619
620
621 .ti 0
622 2.3 Processing the Key Material
623
624 Key Exchange protocol produces secret shared key material KEY. This
625 key material is used to derive the actual keys used in the encryption
626 of the communication channel. The key material is also used to derive
627 other security parameters used in the communication. Key Exchange
628 protocol produces a hash value HASH as well.
629
630 The keys MUST be derived from the key material as follows:
631
632 .in 6
633 Sending Initial Vector (IV) = hash(0x0 | KEY | HASH)
634 Receiving Initial Vector (IV) = hash(0x1 | KEY | HASH)
635 Sending Encryption Key = hash(0x2 | KEY | HASH)
636 Receiving Encryption Key = hash(0x3 | KEY | HASH)
637 Sending HMAC Key = hash(0x4 | KEY | HASH)
638 Receiving HMAC Key = hash(0x5 | KEY | HASH)
639 .in 3
640
641
642 The Initial Vector (IV) is used in the encryption when doing for
643 example CBC mode. As many bytes as needed are taken from the start of
644 the hash output for IV. Sending IV is for sending key and receiving IV
645 is for receiving key. For receiving party, the receiving IV is actually
646 sender's sending IV, and, the sending IV is actually sender's receiving
647 IV. Initiator uses IV's as they are (sending IV for sending and
648 receiving IV for receiving).
649
650 The Encryption Keys are derived as well from the hash(). If the hash()
651 output is too short for the encryption algorithm more key material MUST
652 be produced in the following manner:
653
654 .in 6
655 K1 = hash(0x2 | KEY | HASH)
656 K2 = hash(KEY | HASH | K1)
657 K3 = hash(KEY | HASH | K1 | K2) ...
658
659 Sending Encryption Key = K1 | K2 | K3 ...
660
661
662 K1 = hash(0x3 | KEY | HASH)
663 K2 = hash(KEY | HASH | K1)
664 K3 = hash(KEY | HASH | K1 | K2) ...
665
666 Receiving Encryption Key = K1 | K2 | K3 ...
667 .in 3
668
669
670 The key is distributed by hashing the previous hash with the original
671 key material. The final key is a concatenation of the hash values.
672 For Receiving Encryption Key the procedure is equivalent. Sending key
673 is used only for encrypting data to be sent. The receiving key is used
674 only to decrypt received data. For receiving party, the receive key is
675 actually sender's sending key, and, the sending key is actually sender's
676 receiving key. Initiator uses generated keys as they are (sending key
677 for sending and receiving key for receiving).
678
679 The HMAC keys are used to create MAC values to packets in the
680 communication channel. As many bytes as needed are taken from the start
681 of the hash output to generate the MAC keys.
682
683 These procedures are performed by all parties of the key exchange
684 protocol. This MUST be done before the protocol has been ended by
685 sending the SILC_PACKET_SUCCESS packet, to assure that parties can
686 successfully process the key material.
687
688 This same key processing procedure MAY be used in the SILC in some
689 other circumstances as well. Any changes to this procedure is defined
690 separately when this procedure is needed. See the [SILC1] and the
691 [SILC2] for these circumstances.
692
693
694 .ti 0
695 2.4 SILC Key Exchange Groups
696
697 The Following groups may be used in the SILC Key Exchange protocol.
698 The first group diffie-hellman-group1 is REQUIRED, other groups MAY be
699 negotiated to be used in the connection with Key Exchange Start Payload
700 and SILC_PACKET_KEY_EXCHANGE packet. However, the first group MUST be
701 proposed in the Key Exchange Start Payload regardless of any other
702 requested group (however, it does not have to be the first in the list).
703
704
705 .ti 0
706 2.4.1 diffie-hellman-group1
707
708 The length of this group is 1024 bits. This is REQUIRED group.
709 The prime is 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
710
711 Its hexadecimal value is
712
713 .in 6
714 FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
715 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
716 EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
717 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
718 EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
719 FFFFFFFF FFFFFFFF
720 .in 3
721
722
723 The generator used with this prime is g = 2. The group order q is
724 (p - 1) / 2.
725
726 This group was taken from RFC 2412.
727
728
729 .ti 0
730 2.4.2 diffie-hellman-group2
731
732 The length of this group is 1536 bits. This is OPTIONAL group.
733 The prime is 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }.
734
735 Its hexadecimal value is
736
737 .in 6
738 FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
739 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
740 EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
741 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
742 EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
743 C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
744 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
745 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
746 .in 3
747
748 The generator used with this prime is g = 2. The group order q is
749 (p - 1) / 2.
750
751 This group was taken from RFC 3526.
752
753
754 .ti 0
755 2.4.3 diffie-hellman-group3
756
757 The length of this group is 2048 bits. This is OPTIONAL group.
758 This prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }.
759
760 Its hexadecimal value is
761
762 .in 6
763 FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
764 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
765 EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
766 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
767 EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
768 C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
769 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
770 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
771 E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
772 DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
773 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
774 .in 3
775
776 The generator used with this prime is g = 2. The group order q is
777 (p - 1) / 2.
778
779 This group was taken from RFC 3526.
780
781 Additional larger groups are defined in RFC 3526 and may be used in SKE
782 by defining name for them using the above name format.
783
784
785 .ti 0
786 2.5 Key Exchange Status Types
787
788 This section defines all key exchange protocol status types that may
789 be returned in the SILC_PACKET_SUCCESS or SILC_PACKET_FAILURE packets
790 to indicate the status of the protocol. Implementations may map the
791 status types to human readable error message. All types except the
792 SILC_SKE_STATUS_OK type MUST be sent in SILC_PACKET_FAILURE packet.
793 The length of status is 32 bits (4 bytes). The following status types
794 are defined:
795
796 .in 6
797 0 SILC_SKE_STATUS_OK
798
799 Protocol were executed successfully.
800
801
802 1 SILC_SKE_STATUS_ERROR
803
804 Unknown error occurred. No specific error type is defined.
805
806
807 2 SILC_SKE_STATUS_BAD_PAYLOAD
808
809 Provided KE payload were malformed or included bad fields.
810
811
812 3 SILC_SKE_STATUS_UNSUPPORTED_GROUP
813
814 None of the provided groups were supported.
815
816
817 4 SILC_SKE_STATUS_UNSUPPORTED_CIPHER
818
819 None of the provided ciphers were supported.
820
821
822 5 SILC_SKE_STATUS_UNSUPPORTED_PKCS
823
824 None of the provided public key algorithms were supported.
825
826
827 6 SILC_SKE_STATUS_UNSUPPORTED_HASH_FUNCTION
828
829 None of the provided hash functions were supported.
830
831
832 7 SILC_SKE_STATUS_UNSUPPORTED_HMAC
833
834 None of the provided HMACs were supported.
835
836
837 8 SILC_SKE_STATUS_UNSUPPORTED_PUBLIC_KEY
838
839 Provided public key type is not supported.
840
841
842 9 SILC_SKE_STATUS_INCORRECT_SIGNATURE
843
844 Provided signature was incorrect.
845
846
847 10 SILC_SKE_STATUS_BAD_VERSION
848
849 Provided version string was not acceptable.
850
851
852 11 SILC_SKE_STATUS_INVALID_COOKIE
853
854 The cookie in the Key Exchange Start Payload was malformed,
855 because responder modified the cookie.
856 .in 3
857
858
859 .ti 0
860 3 SILC Connection Authentication Protocol
861
862 Purpose of Connection Authentication protocol is to authenticate the
863 connecting party with server. Usually connecting party is client but
864 server may connect to router server as well. Its other purpose is to
865 provide information for the server about which type of entity the
866 connection is. The type defines whether the connection is client,
867 server or router connection. Server use this information to create the
868 ID for the connection.
869
870 Server MUST verify the authentication data received and if it is to fail
871 the authentication MUST be failed by sending SILC_PACKET_FAILURE packet.
872 If authentication is successful the protocol is ended by server by sending
873 SILC_PACKET_SUCCESS packet.
874
875 The protocol is executed after the SILC Key Exchange protocol. It MUST
876 NOT be executed in any other time. As it is performed after key exchange
877 protocol all traffic in the connection authentication protocol is
878 encrypted with the exchanged keys.
879
880 The protocol MUST be started by the connecting party by sending the
881 SILC_PACKET_CONNECTION_AUTH packet with Connection Auth Payload,
882 described in the next section. This payload MUST include the
883 authentication data. The authentication data is set according
884 authentication method that MUST be known by both parties. If connecting
885 party does not know what is the mandatory authentication method it MAY
886 request it from the server by sending SILC_PACKET_CONNECTION_AUTH_REQUEST
887 packet. This packet is not part of this protocol and is described in
888 section Connection Auth Request Payload in [SILC2]. However, if
889 connecting party already knows the mandatory authentication method
890 sending the request is not necessary.
891
892 See [SILC1] and section Connection Auth Request Payload in [SILC2] also
893 for the list of different authentication methods. Authentication method
894 MAY also be NONE, in which case the server does not require
895 authentication. However, in this case the protocol still MUST be
896 executed; the authentication data is empty indicating no authentication
897 is required.
898
899 If authentication method is passphrase the authentication data is
900 plaintext passphrase. As the payload is encrypted it is safe to have
901 plaintext passphrase. It is also provided as plaintext passphrase
902 because the receiver may need to pass the entire passphrase into a
903 passphrase verifier, and a message digest of the passphrase would
904 prevent this. See the section 3.2.1 Passphrase Authentication for
905 more information.
906
907 If authentication method is public key authentication the authentication
908 data is a digital signature of the hash value of hash HASH and Key
909 Exchange Start Payload, established by the SILC Key Exchange protocol.
910 This signature MUST then be verified by the server. See the section
911 3.2.2 Public Key Authentication for more information.
912
913 See the section 4 SILC Procedures in [SILC1] for more information about
914 client creating connection to server, and server creating connection
915 to router, and how to register the session in the SILC Network after
916 successful Connection Authentication protocol.
917
918
919 .ti 0
920 3.1 Connection Auth Payload
921
922 Client sends this payload to authenticate itself to the server. Server
923 connecting to another server also sends this payload. Server receiving
924 this payload MUST verify all the data in it and if something is to fail
925 the authentication MUST be failed by sending SILC_PACKET_FAILURE packet.
926
927 The payload may only be sent with SILC_PACKET_CONNECTION_AUTH packet.
928 It MUST NOT be sent in any other packet type. The following diagram
929 represent the Connection Auth Payload.
930
931
932
933
934
935
936
937 .in 5
938 .nf
939 1 2 3
940 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
941 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
942 | Payload Length | Connection Type |
943 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
944 | |
945 ~ Authentication Data ~
946 | |
947 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
948 .in 3
949
950 .ce
951 Figure 3: Connection Auth Payload
952
953
954 .in 6
955 o Payload Length (2 bytes) - Length of the entire Connection
956 Auth Payload.
957
958 o Connection Type (2 bytes) - Indicates the type of the
959 connection. See section Connection Auth Request Payload
960 in [SILC2] for the list of connection types. This field MUST
961 include valid connection type or the packet MUST be discarded
962 and authentication MUST be failed.
963
964 o Authentication Data (variable length) - The actual
965 authentication data. Contents of this depends on the
966 authentication method known by both parties. If no
967 authentication is required this field does not exist.
968 .in 3
969
970
971 .ti 0
972 3.2 Connection Authentication Types
973
974 SILC supports two authentication types to be used in the connection
975 authentication protocol; passphrase authentication or public key
976 authentication based on digital signatures. The following sections
977 defines the authentication methods. See [SILC2] for defined numerical
978 authentication method types.
979
980
981 .ti 0
982 3.2.1 Passphrase Authentication
983
984 Passphrase authentication or pre-shared key based authentication is
985 simply an authentication where the party that wants to authenticate
986 itself to the other end sends the passphrase that is required by
987 the other end, for example server. The plaintext passphrase is put
988 to the payload, that is then encrypted. The plaintext passphrase
989 MUST be in UTF-8 [RFC2279] encoding. If the passphrase is in the
990 sender's system in some other encoding it MUST be UTF-8 encoded
991 before transmitted. The receiver MAY change the encoding of the
992 passphrase to its system's default character encoding before verifying
993 the passphrase.
994
995 If the passphrase matches with the one in the server's end the
996 authentication is successful. Otherwise SILC_PACKET_FAILURE MUST be
997 sent to the sender and the protocol execution fails.
998
999 This is REQUIRED authentication method to be supported by all SILC
1000 implementations.
1001
1002 When password authentication is used it is RECOMMENDED that maximum
1003 amount of padding is applied to the SILC packet. This way it is not
1004 possible to approximate the length of the password from the encrypted
1005 packet.
1006
1007
1008
1009 .ti 0
1010 3.2.2 Public Key Authentication
1011
1012 Public key authentication may be used if passphrase based authentication
1013 is not desired. The public key authentication works by sending a
1014 digital signature as authentication data to the other end, say, server.
1015 The server MUST then verify the signature by the public key of the sender,
1016 which the server has received earlier in SKE protocol.
1017
1018 The signature is computed using the private key of the sender by signing
1019 the HASH value provided by the SKE protocol previously, and the Key
1020 Exchange Start Payload from SKE protocol that was sent to the server.
1021 These are concatenated and hash function is used to compute a hash value
1022 which is then signed.
1023
1024 auth_hash = hash(HASH | Key Exchange Start Payload);
1025 signature = sign(auth_hash);
1026
1027 The hash() function used to compute the value is the hash function
1028 negotiated in the SKE protocol. The server MUST verify the data, thus
1029 it must keep the HASH and the Key Exchange Start Payload saved during
1030 SKE and authentication protocols. These values can be discarded after
1031 Connection Authentication protocol is completed.
1032
1033 If the verified signature matches the sent signature, the authentication
1034 were successful and SILC_PACKET_SUCCESS is sent. If it failed the
1035 protocol execution is stopped and SILC_PACKET_FAILURE is sent.
1036
1037 This is REQUIRED authentication method to be supported by all SILC
1038 implementations.
1039
1040
1041
1042 .ti 0
1043 3.3 Connection Authentication Status Types
1044
1045 This section defines all connection authentication status types that
1046 may be returned in the SILC_PACKET_SUCCESS or SILC_PACKET_FAILURE packets
1047 to indicate the status of the protocol. Implementations may map the
1048 status types to human readable error message. All types except the
1049 SILC_AUTH_STATUS_OK type MUST be sent in SILC_PACKET_FAILURE packet.
1050 The length of status is 32 bits (4 bytes). The following status types
1051 are defined:
1052
1053 0 SILC_AUTH_OK
1054
1055 Protocol was executed successfully.
1056
1057
1058 1 SILC_AUTH_FAILED
1059
1060 Authentication failed.
1061
1062