1 .pl 10.0i
2 .po 0
3 .ll 7.2i
4 .lt 7.2i
5 .nr LL 7.2i
6 .nr LT 7.2i
7 .ds LF Riikonen
8 .ds RF FORMFEED[Page %]
9 .ds CF
10 .ds LH Internet-Draft
11 .ds RH 15 January 2007
12 .ds CH
13 .na
14 .hy 0
15 .in 0
16 .nf
17 Network Working Group P. Riikonen
18 Internet-Draft
19 draft-riikonen-silc-ke-auth-09.txt 15 January 2007
20 Expires: 15 July 2007
21
22 .in 3
23
24 .ce 2
25 SILC Key Exchange and Authentication Protocols
26 <draft-riikonen-silc-ke-auth-09.txt>
27
28 .ti 0
29 Status of this Draft
30
31 By submitting this Internet-Draft, each author represents that any
32 applicable patent or other IPR claims of which he or she is aware
33 have been or will be disclosed, and any of which he or she becomes
34 aware will be disclosed, in accordance with Section 6 of BCP 79.
35
36 Internet-Drafts are working documents of the Internet Engineering
37 Task Force (IETF), its areas, and its working groups. Note that
38 other groups may also distribute working documents as Internet-
39 Drafts. Internet-Drafts are draft documents valid for a maximum of
40 six months and may be updated, replaced, or obsoleted by other
41 documents at any time. It is inappropriate to use Internet-Drafts as
42 reference material or to cite them other than as "work in progress".
43
44 The list of current Internet-Drafts can be accessed at
45 http://www.ietf.org/1id-abstracts.html
46 The list of Internet-Draft Shadow Directories can be accessed at
47 http://www.ietf.org/shadow.html.
48
49
50 .ti 0
51 Abstract
52
53 This memo describes two protocols used in the Secure Internet Live
54 Conferencing (SILC) protocol, specified in the Secure Internet Live
55 Conferencing, Protocol Specification [SILC1]. The SILC Key Exchange
56 (SKE) protocol provides secure key exchange between two parties
57 resulting into shared secret key material. The protocol is based
58 on Diffie-Hellman key exchange algorithm and its functionality is
59 derived from several key exchange protocols.
60
61 The second protocol, SILC Connection Authentication protocol provides
62 user level authentication used when creating connections in SILC
63 network. The protocol supports passphrase (pre-shared secret)
64 authentication and public key (and certificate) authentication based
65 on digital signatures.
66
67
68
69 .ti 0
70 Table of Contents
71
72 .nf
73 1 Introduction .................................................. 2
74 1.1 Requirements Terminology .................................. 3
75 2 SILC Key Exchange Protocol .................................... 3
76 2.1 Key Exchange Payloads ..................................... 4
77 2.1.1 Key Exchange Start Payload .......................... 4
78 2.1.2 Key Exchange Payload ................................ 9
79 2.2 Key Exchange Procedure .................................... 11
80 2.3 Processing the Key Material ............................... 13
81 2.4 SILC Key Exchange Groups .................................. 15
82 2.4.1 diffie-hellman-group1 ............................... 15
83 2.4.2 diffie-hellman-group2 ............................... 15
84 2.4.3 diffie-hellman-group3 ............................... 16
85 2.5 Key Exchange Status Types ................................. 16
86 3 SILC Connection Authentication Protocol ....................... 18
87 3.1 Connection Auth Payload ................................... 19
88 3.2 Connection Authentication Types ........................... 20
89 3.2.1 Passphrase Authentication ........................... 20
90 3.2.2 Public Key Authentication ........................... 21
91 3.3 Connection Authentication Status Types .................... 21
92 4 Security Considerations ....................................... 22
93 5 References .................................................... 22
94 6 Author's Address .............................................. 23
95 7 Full Copyright Statement ...................................... 24
96
97
98 .ti 0
99 List of Figures
100
101 .nf
102 Figure 1: Key Exchange Start Payload
103 Figure 2: Key Exchange Payload
104 Figure 3: Connection Auth Payload
105
106
107 .ti 0
108 1 Introduction
109
110 This memo describes two protocols used in the Secure Internet Live
111 Conferencing (SILC) protocol specified in the Secure Internet Live
112 Conferencing, Protocol Specification [SILC1]. The SILC Key Exchange
113 (SKE) protocol provides secure key exchange between two parties
114 resulting into shared secret key material. The protocol is based on
115 Diffie-Hellman key exchange algorithm and its functionality is derived
116 from several key exchange protocols, such as SSH2 Key Exchange protocol,
117 Station-To-Station (STS) protocol and the OAKLEY Key Determination
118 protocol [OAKLEY].
119
120 The second protocol, SILC Connection Authentication protocol provides
121 user level authentication used when creating connections in SILC
122 network. The protocol supports passphrase (pre-shared secret)
123 authentication and public key (and certificate) authentication based
124 on digital signatures.
125
126 The basis of secure SILC session requires strong and secure key exchange
127 protocol and authentication. The authentication protocol is secured and
128 no authentication data is ever sent in the network without encrypting
129 and authenticating it first. Thus, authentication protocol may be used
130 only after the key exchange protocol has been successfully completed.
131
132 This document constantly refers to other SILC protocol specifications
133 that should be read to be able to fully understand the functionality
134 and purpose of these protocols. The most important references are
135 the Secure Internet Live Conferencing, Protocol Specification [SILC1]
136 and the SILC Packet Protocol [SILC2].
137
138 The protocol is intended to be used with the SILC protocol thus it
139 does not define own framework that could be used. The framework is
140 provided by the SILC protocol.
141
142
143 .ti 0
144 1.1 Requirements Terminology
145
146 The keywords MUST, MUST NOT, REQUIRED, SHOULD, SHOULD NOT, RECOMMENDED,
147 MAY, and OPTIONAL, when they appear in this document, are to be
148 interpreted as described in [RFC2119].
149
150
151 .ti 0
152 2 SILC Key Exchange Protocol
153
154 SILC Key Exchange Protocol (SKE) is used to exchange shared secret
155 material used to secure the communication channel. The protocol use
156 Diffie-Hellman key exchange algorithm and its functionality is derived
157 from several key exchange protocols, such as SSH2 Key Exchange protocol,
158 Station-To-Station (STS) protocol and the OAKLEY Key Determination
159 protocol [OAKLEY]. The protocol does not claim any conformance
160 to any of these protocols, they were only used as a reference when
161 designing this protocol. The protocol can mutually authenticate the
162 negotiating parties during the key exchange.
163
164 The purpose of SILC Key Exchange protocol is to create session keys to
165 be used in current SILC session. The keys are valid only for some period
166 of time (usually an hour) or at most until the session ends. These keys
167 are used to protect packets traveling between the two entities.
168 Usually all traffic is secured with the key material derived from this
169 protocol.
170
171 The Diffie-Hellman implementation used in the SILC SHOULD be compliant
172 to the PKCS #3.
173
174
175 .ti 0
176 2.1 Key Exchange Payloads
177
178 During the key exchange procedure public data is sent between initiator
179 and responder. This data is later used in the key exchange procedure.
180 There are several payloads used in the key exchange. As for all SILC
181 packets, SILC Packet Header, described in [SILC2], is at the beginning
182 of all packets sent in during this protocol. All the fields in the
183 following payloads are in MSB (most significant byte first) order.
184
185
186 .ti 0
187 2.1.1 Key Exchange Start Payload
188
189 The key exchange between two entities MUST be started by sending the
190 SILC_PACKET_KEY_EXCHANGE packet containing Key Exchange Start Payload.
191 Initiator sends the Key Exchange Start Payload to the responder filled
192 with all security properties it supports. The responder then checks
193 whether it supports the security properties.
194
195 It then sends a Key Exchange Start Payload to the initiator filled with
196 security properties it selected from the original payload. The payload
197 sent by responder MUST include only one chosen property per list. The
198 character encoding for the security property values as defined in [SILC1]
199 SHOULD be UTF-8 [RFC2279] in Key Exchange Start Payload.
200
201 The Key Exchange Start Payload is used to tell connecting entities what
202 security properties and algorithms should be used in the communication.
203 The Key Exchange Start Payload is sent only once per session. Even if
204 the PFS (Perfect Forward Secrecy) flag is set the Key Exchange Start
205 Payload is not re-sent. When PFS is desired the Key Exchange Payloads
206 are sent to negotiate new key material. The procedure is equivalent to
207 the very first negotiation except that the Key Exchange Start Payload
208 is not sent.
209
210 As this payload is used only with the very first key exchange the payload
211 is never encrypted, as there are no keys to encrypt it with.
212
213 A cookie is also sent in this payload. A cookie is used to randomize the
214 payload so that none of the key exchange parties can determine this
215 payload before the key exchange procedure starts. The cookie MUST be
216 returned to the original sender unmodified by the responder.
217
218 Following diagram represents the Key Exchange Start Payload. The lists
219 mentioned below are always comma (`,') separated and the list MUST NOT
220 include white spaces (` ').
221
222
223 .in 5
224 .nf
225 1 2 3
226 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
227 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
228 | RESERVED | Flags | Payload Length |
229 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
230 | |
231 + +
232 | |
233 + Cookie +
234 | |
235 + +
236 | |
237 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
238 | Version String Length | |
239 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
240 | |
241 ~ Version String ~
242 | |
243 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
244 | Key Exchange Grp Length | |
245 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
246 | |
247 ~ Key Exchange Groups ~
248 | |
249 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
250 | PKCS Alg Length | |
251 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
252 | |
253 ~ PKCS Algorithms ~
254 | |
255 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
256 | Encryption Alg Length | |
257 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
258 | |
259 ~ Encryption Algorithms ~
260 | |
261 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
262 | Hash Alg Length | |
263 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
264 | |
265 ~ Hash Algorithms ~
266 | |
267 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
268 | HMAC Length | |
269 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
270 | |
271 ~ HMACs ~
272 | |
273 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
274 | Compression Alg Length | |
275 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
276 | |
277 ~ Compression Algorithms ~
278 | |
279 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
280 .in 3
281
282 .ce
283 Figure 1: Key Exchange Start Payload
284
285
286 .in 6
287 o RESERVED (1 byte) - Reserved field. Sender fills this with
288 zero (0) value.
289
290 o Flags (1 byte) - Indicates flags to be used in the key
291 exchange. Several flags can be set at once by ORing the
292 flags together. The following flags are reserved for this
293 field:
294
295 No flags 0x00
296
297 In this case the field is ignored.
298
299 IV Included 0x01
300
301 This flag is used to indicate that Initialization
302 Vector (IV) in encryption will be included in the
303 ciphertext which the recipient must use in decryption.
304 At the beginning of the SILC packet, before the SILC
305 Packet header an 8-bit Security ID (SID) MUST be
306 placed. After the SID, the IV MUST be placed. After
307 the IV, a 32-bit MSB first ordered packet sequence
308 number MUST be placed. The SID and IV MUST NOT be
309 encrypted, but the sequence number MUST be included
310 in encryption. The recipient MUST use the sequence
311 number during MAC verification [SILC2]. All fields
312 however are authenticated with MAC.
313
314 The Security ID is set to value 0 when the key
315 exchange is performed for the first time. It is
316 monotonically increased after each re-key, wrapping
317 eventually. The SID in combination with the current
318 session can be used to identify which key has been
319 used to encrypt an incoming packet. This is especially
320 important after rekey when using UDP/IP protocol,
321 where packets may be lost or reordered. A packet with
322 unknown SID will result into discarding the packet as
323 it cannot be decrypted. After rekey, implementation
324 should understand that it may still receive packets
325 with old SID and be prepared to decrypt them with the
326 old key.
327
328 With this flag it is possible to use SILC protocol on
329 unreliable transport such as UDP/IP which may cause
330 packet reordering and packet losses. By default,
331 this flag is not set and thus IV is not included
332 in the ciphertext. Setting this flag increases the
333 packet length by one ciphertext block plus 1 byte for
334 the Security ID and 32 bits for the sequence number.
335 Responder MAY override this flag for the initiator,
336 however without this flag UDP connection cannot be
337 used. The flag MAY also be used in TCP connection.
338
339 When using with UDP/IP implementations SHOULD use
340 anti-replay methods where an anti-replay window
341 defines what packets are replays. An example of
342 anti-window protocol is in [RFC2406] Section 3.4.2
343 with example source code in [RFC2401] Appendix C.
344 While [RFC2401] and [RFC2406] does not relate to SILC,
345 the anti-replay method used is applicable in SILC.
346
347 PFS 0x02
348
349 Perfect Forward Secrecy (PFS) to be used in the
350 key exchange protocol. If not set, re-keying
351 is performed using the old key. See the [SILC1]
352 for more information on this issue. When PFS is
353 used, re-keying and creating new keys for any
354 particular purpose MUST cause new key exchange with
355 new Diffie-Hellman exponent values. In this key
356 exchange only the Key Exchange Payload is sent and
357 the Key Exchange Start Payload MUST NOT be sent.
358 When doing PFS the Key Exchange Payloads are
359 encrypted with the old keys.
360
361 Mutual Authentication 0x04
362
363 Both of the parties will perform authentication
364 by providing signed data for the other party to
365 verify. By default, only responder will provide
366 the signature data. If this is set then the
367 initiator must also provide it. Initiator MAY
368 set this but also responder MAY set this even if
369 initiator did not set it.
370
371 Rest of the flags are reserved for the future and
372 MUST NOT be set.
373
374 o Payload Length (2 bytes) - Length of the entire Key Exchange
375 Start payload, not including any other field.
376
377 o Cookie (16 bytes) - Cookie that randomize this payload so
378 that each of the party cannot determine the payload before
379 hand. This field MUST be present.
380
381 o Version String Length (2 bytes) - The length of the Version
382 String field, not including any other field.
383
384 o Version String (variable length) - Indicates the version of
385 the sender of this payload. Initiator sets this when sending
386 the payload and responder sets this when it replies by sending
387 this payload. See [SILC1] for definition for the version
388 string format. This field MUST be present and include valid
389 version string.
390
391 o Key Exchange Grp Length (2 bytes) - The length of the
392 key exchange group list, not including any other field.
393
394 o Key Exchange Group (variable length) - The list of
395 key exchange groups. See the section 2.4 SILC Key Exchange
396 Groups for definitions of these groups. This field MUST
397 be present.
398
399 o PKCS Alg Length (2 bytes) - The length of the PKCS algorithms
400 list, not including any other field.
401
402 o PKCS Algorithms (variable length) - The list of PKCS
403 algorithms. This field MUST be present.
404
405 o Encryption Alg Length (2 bytes) - The length of the encryption
406 algorithms list, not including any other field.
407
408 o Encryption Algorithms (variable length) - The list of
409 encryption algorithms. This field MUST be present.
410
411 o Hash Alg Length (2 bytes) - The length of the Hash algorithm
412 list, not including any other field.
413
414 o Hash Algorithms (variable length) - The list of Hash
415 algorithms. The hash algorithms are mainly used in the
416 SKE protocol. This field MUST be present.
417
418 o HMAC Length (2 bytes) - The length of the HMAC list, not
419 including any other field.
420
421 o HMACs (variable length) - The list of HMACs. The HMAC's
422 are used to compute the Message Authentication Code (MAC)
423 of the SILC packets. This field MUST be present.
424
425 o Compression Alg Length (2 bytes) - The length of the
426 compression algorithms list, not including any other field.
427
428 o Compression Algorithms (variable length) - The list of
429 compression algorithms. This field MAY be omitted.
430 .in 3
431
432
433 .ti 0
434 2.1.2 Key Exchange Payload
435
436 Key Exchange payload is used to deliver the public key (or certificate),
437 the computed Diffie-Hellman public value and possibly signature data
438 from one party to the other. When initiator is using this payload
439 and the Mutual Authentication flag is not set then the initiator MUST
440 NOT provide the signature data. If the flag is set then the initiator
441 MUST provide the signature data so that the responder can verify it.
442
443 The Mutual Authentication flag is usually used when a separate
444 authentication protocol will not be executed for the initiator of the
445 protocol. This is case for example when the SKE is performed between
446 two SILC clients. In normal case, where client is connecting to a
447 server, or server is connecting to a router the Mutual Authentication
448 flag MAY be omitted. However, if the connection authentication protocol
449 for the connecting entity is not based on digital signatures (it is
450 based on pre-shared key or there is no authentication) then the Mutual
451 Authentication flag SHOULD be enabled. This way the connecting entity
452 has to provide proof of possession of the private key for the public key
453 it will provide in this protocol.
454
455 When performing re-key with PFS selected this is the only payload that
456 is sent in the SKE protocol. The Key Exchange Start Payload MUST NOT
457 be sent at all. However, this payload does not have all the fields
458 present. In the re-key with PFS the public key and a possible signature
459 data SHOULD NOT be present. If they are present they MUST be ignored.
460 The only field that is present is the Public Data that is used to create
461 the new key material. In the re-key the Mutual Authentication flag, that
462 may be set in the initial negotiation, MUST also be ignored.
463
464 This payload is sent inside SILC_PACKET_KEY_EXCHANGE_1 and inside
465 SILC_PACKET_KEY_EXCHANGE_2 packet types. The initiator uses the
466 SILC_PACKET_KEY_EXCHANGE_1 and the responder the latter.
467
468 The following diagram represent the Key Exchange Payload.
469
470
471 .in 5
472 .nf
473 1 2 3
474 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
475 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
476 | Public Key Length | Public Key Type |
477 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
478 | |
479 ~ Public Key of the party (or certificate) ~
480 | |
481 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
482 | Public Data Length | |
483 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
484 | |
485 ~ Public Data ~
486 | |
487 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
488 | Signature Length | |
489 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
490 | |
491 ~ Signature Data ~
492 | |
493 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
494 .in 3
495
496 .ce
497 Figure 2: Key Exchange Payload
498
499
500 .in 6
501 o Public Key Length (2 bytes) - The length of the Public Key
502 (or certificate) field, not including any other field.
503
504 o Public Key Type (2 bytes) - The public key (or certificate)
505 type. This field indicates the type of the public key in
506 the packet. Following types are defined:
507
508 1 SILC style public key (mandatory)
509 2 SSH2 style public key (optional)
510 3 X.509 Version 3 certificate (optional)
511 4 OpenPGP certificate (optional)
512 5 SPKI certificate (optional)
513
514 The only required type to support is type number 1. See
515 [SILC1] for the SILC public key specification. See
516 SSH2 public key specification in [SSH-TRANS]. See X.509v3
517 certificate specification in [PKIX-Part1]. See OpenPGP
518 certificate specification in [PGP]. See SPKI certificate
519 specification in [SPKI]. If this field includes zero (0)
520 or unsupported type number the protocol MUST be aborted
521 sending SILC_PACKET_FAILURE message and the connection SHOULD
522 be closed immediately.
523
524 o Public Key (or certificate) (variable length) - The
525 public key or certificate of the party. This public key
526 may be used to verify the digital signature. The public key
527 or certificate in this field is encoded in the manner as
528 defined in their respective definitions; see previous field.
529
530 o Public Data Length (2 bytes) - The length of the Public Data
531 field, not including any other field.
532
533 o Public Data (variable length) - The public data to be
534 sent to the receiver (computed Diffie-Hellman public values).
535 See section 2.2 Key Exchange Procedure for detailed description
536 how this field is computed. This field is MP integer and is
537 encoded as defined in [SILC1].
538
539 o Signature Length (2 bytes) - The length of the signature,
540 not including any other field.
541
542 o Signature Data (variable length) - The signature signed
543 by the sender. The receiver of this signature MUST
544 verify it. The verification is done using the sender's
545 public key. See section 2.2 Key Exchange Procedure for
546 detailed description how to produce the signature. If
547 the Mutual Authentication flag is not set then initiator
548 MUST NOT provide this field and the Signature Length field
549 MUST be set to zero (0) value. If the flag is set then
550 also the initiator MUST provide this field. The responder
551 always MUST provide this field. The encoding for signature
552 is defined in [SILC1].
553 .in 3
554
555
556
557 .ti 0
558 2.2 Key Exchange Procedure
559
560 The key exchange begins by sending SILC_PACKET_KEY_EXCHANGE packet with
561 Key Exchange Start Payload to select the security properties to be used
562 in the key exchange and later in the communication.
563
564 After Key Exchange Start Payload has been processed by both of the
565 parties the protocol proceeds as follows:
566
567
568 Setup: p is a large and public safe prime. This is one of the
569 Diffie Hellman groups. q is order of subgroup (largest
570 prime factor of p). g is a generator and is defined
571 along with the Diffie Hellman group.
572
573 1. Initiator generates a random number x, where 1 < x < q,
574 and computes e = g ^ x mod p. The result e is then
575 encoded into Key Exchange Payload, with the public key
576 (or certificate) and sent to the responder.
577
578 If the Mutual Authentication flag is set then initiator
579 MUST also produce signature data SIGN_i which the responder
580 will verify. The initiator MUST compute a hash value
581 HASH_i = hash(Initiator's Key Exchange Start Payload |
582 public key (or certificate) | e). The '|' stands for
583 concatenation. It then signs the HASH_i value with its
584 private key resulting a signature SIGN_i.
585
586 2. Responder generates a random number y, where 1 < y < q,
587 and computes f = g ^ y mod p. It then computes the
588 shared secret KEY = e ^ y mod p, and, a hash value
589 HASH = hash(Initiator's Key Exchange Start Payload |
590 public key (or certificate) | Initiator's public key
591 (or certificate) | e | f | KEY). It then signs
592 the HASH value with its private key resulting a signature
593 SIGN.
594
595 It then encodes its public key (or certificate), f and
596 SIGN into Key Exchange Payload and sends it to the
597 initiator.
598
599 If the Mutual Authentication flag is set then the responder
600 SHOULD verify that the public key provided in the payload
601 is authentic, or if certificates are used it verifies the
602 certificate. The responder MAY accept the public key without
603 verifying it, however, doing so may result to insecure key
604 exchange (accepting the public key without verifying may be
605 desirable for practical reasons on many environments. For
606 long term use this is never desirable, in which case
607 certificates would be the preferred method to use). It then
608 computes the HASH_i value the same way initiator did in the
609 phase 1. It then verifies the signature SIGN_i from the
610 payload with the hash value HASH_i using the received public
611 key.
612
613 3. Initiator verifies that the public key provided in
614 the payload is authentic, or if certificates are used
615 it verifies the certificate. The initiator MAY accept
616 the public key without verifying it, however, doing
617 so may result to insecure key exchange (accepting the
618 public key without verifying may be desirable for
619 practical reasons on many environments. For long term
620 use this is never desirable, in which case certificates
621 would be the preferred method to use).
622
623 Initiator then computes the shared secret KEY =
624 f ^ x mod p, and, a hash value HASH in the same way as
625 responder did in phase 2. It then verifies the
626 signature SIGN from the payload with the hash value
627 HASH using the received public key.
628
629
630 If any of these phases is to fail the SILC_PACKET_FAILURE MUST be sent
631 to indicate that the key exchange protocol has failed, and the connection
632 SHOULD be closed immediately. Any other packets MUST NOT be sent or
633 accepted during the key exchange except the SILC_PACKET_KEY_EXCHANGE_*,
634 SILC_PACKET_FAILURE and SILC_PACKET_SUCCESS packets.
635
636 The result of this protocol is a shared secret key material KEY and
637 a hash value HASH. The key material itself is not fit to be used as
638 a key, it needs to be processed further to derive the actual keys to be
639 used. The key material is also used to produce other security parameters
640 later used in the communication. See section 2.3 Processing the Key
641 Material for detailed description how to process the key material.
642
643 If the Mutual Authentication flag was set the protocol produces also
644 a hash value HASH_i. This value, however, must be discarded.
645
646 After the keys are processed the protocol is ended by sending the
647 SILC_PACKET_SUCCESS packet. Both entities send this packet to
648 each other. After this both parties MUST start using the new keys.
649
650
651 .ti 0
652 2.3 Processing the Key Material
653
654 Key Exchange protocol produces secret shared key material KEY. This
655 key material is used to derive the actual keys used in the encryption
656 of the communication channel. The key material is also used to derive
657 other security parameters used in the communication. Key Exchange
658 protocol produces a hash value HASH as well.
659
660 The keys MUST be derived from the key material as follows:
661
662 .in 6
663 Sending Initial Vector (IV) = hash(0x0 | KEY | HASH)
664 Receiving Initial Vector (IV) = hash(0x1 | KEY | HASH)
665 Sending Encryption Key = hash(0x2 | KEY | HASH)
666 Receiving Encryption Key = hash(0x3 | KEY | HASH)
667 Sending HMAC Key = hash(0x4 | KEY | HASH)
668 Receiving HMAC Key = hash(0x5 | KEY | HASH)
669 .in 3
670
671
672 The Initial Vector (IV) is used in the encryption when doing for
673 example CBC mode. As many bytes as needed are taken from the start of
674 the hash output for IV. Sending IV is for sending key and receiving IV
675 is for receiving key. For receiving party, the receiving IV is actually
676 sender's sending IV, and, the sending IV is actually sender's receiving
677 IV. Initiator uses IV's as they are (sending IV for sending and
678 receiving IV for receiving).
679
680 The Encryption Keys are derived as well from the hash(). If the hash()
681 output is too short for the encryption algorithm more key material MUST
682 be produced in the following manner:
683
684 .in 6
685 K1 = hash(0x2 | KEY | HASH)
686 K2 = hash(KEY | HASH | K1)
687 K3 = hash(KEY | HASH | K1 | K2) ...
688
689 Sending Encryption Key = K1 | K2 | K3 ...
690
691
692 K1 = hash(0x3 | KEY | HASH)
693 K2 = hash(KEY | HASH | K1)
694 K3 = hash(KEY | HASH | K1 | K2) ...
695
696 Receiving Encryption Key = K1 | K2 | K3 ...
697 .in 3
698
699
700 The key is distributed by hashing the previous hash with the original
701 key material. The final key is a concatenation of the hash values.
702 For Receiving Encryption Key the procedure is equivalent. Sending key
703 is used only for encrypting data to be sent. The receiving key is used
704 only to decrypt received data. For receiving party, the receive key is
705 actually sender's sending key, and, the sending key is actually sender's
706 receiving key. Initiator uses generated keys as they are (sending key
707 for sending and receiving key for receiving).
708
709 The HMAC keys are used to create MAC values to packets in the
710 communication channel. As many bytes as needed are taken from the start
711 of the hash output to generate the MAC keys.
712
713 These procedures are performed by all parties of the key exchange
714 protocol. This MUST be done before the protocol has been ended by
715 sending the SILC_PACKET_SUCCESS packet, to assure that parties can
716 successfully process the key material.
717
718 This same key processing procedure MAY be used in the SILC in some
719 other circumstances as well. Any changes to this procedure is defined
720 separately when this procedure is needed. See the [SILC1] and the
721 [SILC2] for these circumstances.
722
723
724 .ti 0
725 2.4 SILC Key Exchange Groups
726
727 The Following groups may be used in the SILC Key Exchange protocol.
728 The first group diffie-hellman-group1 is REQUIRED, other groups MAY be
729 negotiated to be used in the connection with Key Exchange Start Payload
730 and SILC_PACKET_KEY_EXCHANGE packet. However, the first group MUST be
731 proposed in the Key Exchange Start Payload regardless of any other
732 requested group (however, it does not have to be the first in the list).
733
734
735 .ti 0
736 2.4.1 diffie-hellman-group1
737
738 The length of this group is 1024 bits. This is REQUIRED group.
739 The prime is 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
740
741 Its hexadecimal value is
742
743 .in 6
744 FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
745 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
746 EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
747 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
748 EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
749 FFFFFFFF FFFFFFFF
750 .in 3
751
752
753 The generator used with this prime is g = 2. The group order q is
754 (p - 1) / 2.
755
756 This group was taken from RFC 2412.
757
758
759 .ti 0
760 2.4.2 diffie-hellman-group2
761
762 The length of this group is 1536 bits. This is OPTIONAL group.
763 The prime is 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }.
764
765 Its hexadecimal value is
766
767 .in 6
768 FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
769 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
770 EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
771 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
772 EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
773 C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
774 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
775 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
776 .in 3
777
778 The generator used with this prime is g = 2. The group order q is
779 (p - 1) / 2.
780
781 This group was taken from RFC 3526.
782
783
784 .ti 0
785 2.4.3 diffie-hellman-group3
786
787 The length of this group is 2048 bits. This is OPTIONAL group.
788 This prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }.
789
790 Its hexadecimal value is
791
792 .in 6
793 FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
794 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
795 EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
796 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
797 EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
798 C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
799 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
800 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
801 E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
802 DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
803 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
804 .in 3
805
806 The generator used with this prime is g = 2. The group order q is
807 (p - 1) / 2.
808
809 This group was taken from RFC 3526.
810
811 Additional larger groups are defined in RFC 3526 and may be used in SKE
812 by defining name for them using the above name format.
813
814
815 .ti 0
816 2.5 Key Exchange Status Types
817
818 This section defines all key exchange protocol status types that may
819 be returned in the SILC_PACKET_SUCCESS or SILC_PACKET_FAILURE packets
820 to indicate the status of the protocol. Implementations may map the
821 status types to human readable error message. All types except the
822 SILC_SKE_STATUS_OK type MUST be sent in SILC_PACKET_FAILURE packet.
823 The length of status is 32 bits (4 bytes). The following status types
824 are defined:
825
826 .in 6
827 0 SILC_SKE_STATUS_OK
828
829 Protocol were executed successfully.
830
831
832 1 SILC_SKE_STATUS_ERROR
833
834 Unknown error occurred. No specific error type is defined.
835
836
837 2 SILC_SKE_STATUS_BAD_PAYLOAD
838
839 Provided KE payload were malformed or included bad fields.
840
841
842 3 SILC_SKE_STATUS_UNSUPPORTED_GROUP
843
844 None of the provided groups were supported.
845
846
847 4 SILC_SKE_STATUS_UNSUPPORTED_CIPHER
848
849 None of the provided ciphers were supported.
850
851
852 5 SILC_SKE_STATUS_UNSUPPORTED_PKCS
853
854 None of the provided public key algorithms were supported.
855
856
857 6 SILC_SKE_STATUS_UNSUPPORTED_HASH_FUNCTION
858
859 None of the provided hash functions were supported.
860
861
862 7 SILC_SKE_STATUS_UNSUPPORTED_HMAC
863
864 None of the provided HMACs were supported.
865
866
867 8 SILC_SKE_STATUS_UNSUPPORTED_PUBLIC_KEY
868
869 Provided public key type is not supported.
870
871
872 9 SILC_SKE_STATUS_INCORRECT_SIGNATURE
873
874 Provided signature was incorrect.
875
876
877 10 SILC_SKE_STATUS_BAD_VERSION
878
879 Provided version string was not acceptable.
880
881
882 11 SILC_SKE_STATUS_INVALID_COOKIE
883
884 The cookie in the Key Exchange Start Payload was malformed,
885 because responder modified the cookie.
886 .in 3
887
888
889 .ti 0
890 3 SILC Connection Authentication Protocol
891
892 Purpose of Connection Authentication protocol is to authenticate the
893 connecting party with server. Usually connecting party is client but
894 server may connect to router server as well. Its other purpose is to
895 provide information for the server about which type of entity the
896 connection is. The type defines whether the connection is client,
897 server or router connection. Server use this information to create the
898 ID for the connection.
899
900 Server MUST verify the authentication data received and if it is to fail
901 the authentication MUST be failed by sending SILC_PACKET_FAILURE packet.
902 If authentication is successful the protocol is ended by server by sending
903 SILC_PACKET_SUCCESS packet.
904
905 The protocol is executed after the SILC Key Exchange protocol. It MUST
906 NOT be executed in any other time. As it is performed after key exchange
907 protocol all traffic in the connection authentication protocol is
908 encrypted with the exchanged keys.
909
910 The protocol MUST be started by the connecting party by sending the
911 SILC_PACKET_CONNECTION_AUTH packet with Connection Auth Payload,
912 described in the next section. This payload MUST include the
913 authentication data. The authentication data is set according
914 authentication method that MUST be known by both parties. If connecting
915 party does not know what is the mandatory authentication method it MAY
916 request it from the server by sending SILC_PACKET_CONNECTION_AUTH_REQUEST
917 packet. This packet is not part of this protocol and is described in
918 section Connection Auth Request Payload in [SILC2]. However, if
919 connecting party already knows the mandatory authentication method
920 sending the request is not necessary.
921
922 See [SILC1] and section Connection Auth Request Payload in [SILC2] also
923 for the list of different authentication methods. Authentication method
924 MAY also be NONE, in which case the server does not require
925 authentication. However, in this case the protocol still MUST be
926 executed; the authentication data is empty indicating no authentication
927 is required.
928
929 If authentication method is passphrase the authentication data is
930 plaintext passphrase. As the payload is encrypted it is safe to have
931 plaintext passphrase. It is also provided as plaintext passphrase
932 because the receiver may need to pass the entire passphrase into a
933 passphrase verifier, and a message digest of the passphrase would
934 prevent this. See the section 3.2.1 Passphrase Authentication for
935 more information.
936
937 If authentication method is public key authentication the authentication
938 data is a digital signature of the hash value of hash HASH and Key
939 Exchange Start Payload, established by the SILC Key Exchange protocol.
940 This signature MUST then be verified by the server. See the section
941 3.2.2 Public Key Authentication for more information.
942
943 See the section 4 SILC Procedures in [SILC1] for more information about
944 client creating connection to server, and server creating connection
945 to router, and how to register the session in the SILC Network after
946 successful Connection Authentication protocol.
947
948
949 .ti 0
950 3.1 Connection Auth Payload
951
952 Client sends this payload to authenticate itself to the server. Server
953 connecting to another server also sends this payload. Server receiving
954 this payload MUST verify all the data in it and if something is to fail
955 the authentication MUST be failed by sending SILC_PACKET_FAILURE packet.
956
957 The payload may only be sent with SILC_PACKET_CONNECTION_AUTH packet.
958 It MUST NOT be sent in any other packet type. The following diagram
959 represent the Connection Auth Payload.
960
961
962
963
964
965
966
967 .in 5
968 .nf
969 1 2 3
970 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
971 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
972 | Payload Length | Connection Type |
973 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
974 | |
975 ~ Authentication Data ~
976 | |
977 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
978 .in 3
979
980 .ce
981 Figure 3: Connection Auth Payload
982
983
984 .in 6
985 o Payload Length (2 bytes) - Length of the entire Connection
986 Auth Payload.
987
988 o Connection Type (2 bytes) - Indicates the type of the
989 connection. See section Connection Auth Request Payload
990 in [SILC2] for the list of connection types. This field MUST
991 include valid connection type or the packet MUST be discarded
992 and authentication MUST be failed.
993
994 o Authentication Data (variable length) - The actual
995 authentication data. Contents of this depends on the
996 authentication method known by both parties. If no
997 authentication is required this field does not exist.
998 .in 3
999
1000
1001 .ti 0
1002 3.2 Connection Authentication Types
1003
1004 SILC supports two authentication types to be used in the connection
1005 authentication protocol; passphrase authentication or public key
1006 authentication based on digital signatures. The following sections
1007 defines the authentication methods. See [SILC2] for defined numerical
1008 authentication method types.
1009
1010
1011 .ti 0
1012 3.2.1 Passphrase Authentication
1013
1014 Passphrase authentication or pre-shared key based authentication is
1015 simply an authentication where the party that wants to authenticate
1016 itself to the other end sends the passphrase that is required by
1017 the other end, for example server. The plaintext passphrase is put
1018 to the payload, that is then encrypted. The plaintext passphrase
1019 MUST be in UTF-8 [RFC2279] encoding. If the passphrase is in the
1020 sender's system in some other encoding it MUST be UTF-8 encoded
1021 before transmitted. The receiver MAY change the encoding of the
1022 passphrase to its system's default character encoding before verifying
1023 the passphrase.
1024
1025 If the passphrase matches with the one in the server's end the
1026 authentication is successful. Otherwise SILC_PACKET_FAILURE MUST be
1027 sent to the sender and the protocol execution fails.
1028
1029 This is REQUIRED authentication method to be supported by all SILC
1030 implementations.
1031
1032 When password authentication is used it is RECOMMENDED that maximum
1033 amount of padding is applied to the SILC packet. This way it is not
1034 possible to approximate the length of the password from the encrypted
1035 packet.
1036
1037
1038
1039 .ti 0
1040 3.2.2 Public Key Authentication
1041
1042 Public key authentication may be used if passphrase based authentication
1043 is not desired. The public key authentication works by sending a
1044 digital signature as authentication data to the other end, say, server.
1045 The server MUST then verify the signature by the public key of the sender,
1046 which the server has received earlier in SKE protocol, or which the
1047 server has cached locally at some previous time.
1048
1049 The signature is computed using the private key of the sender by signing
1050 the HASH value provided by the SKE protocol previously, and the Key
1051 Exchange Start Payload from SKE protocol that was sent to the server.
1052 These are concatenated and hash function is used to compute a hash value
1053 which is then signed.
1054
1055 auth_hash = hash(HASH | Key Exchange Start Payload);
1056 signature = sign(auth_hash);