7 Network Working Group P. Riikonen
9 draft-riikonen-silc-ke-auth-00.txt 28 June 2000
13 SILC Key Exchange and Authentication Protocols
17 This document is an Internet-Draft. Internet-Drafts are working
18 documents of the Internet Engineering Task Force (IETF), its areas,
19 and its working groups. Note that other groups may also distribute
20 working documents as Internet-Drafts.
22 Internet-Drafts are draft documents valid for a maximum of six
23 months and may be updated, replaced, or obsoleted by other
24 documents at any time. It is inappropriate to use Internet-Drafts
25 as reference material or to cite them other than as
28 To learn the current status of any Internet-Draft, please check the
29 ``1id-abstracts.txt'' listing contained in the Internet-Drafts
30 Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
31 munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
32 ftp.isi.edu (US West Coast).
34 The distribution of this memo is unlimited.
39 This memo describes two protocols used in the Secure Internet Live
40 Conferencing (SILC) protocol specified in the Secure Internet Live
41 Conferencing, Protocol Specification internet-draft [SILC1]. The
42 SILC Key Exchange (SKE) protocol provides secure key exchange between
43 two parties resulting into shared secret key material. The protocol
44 is based on Diffie Hellman key exchange algorithm and its functionality
45 is derived from several key exchange protocols. SKE uses best parts
46 of the SSH2 Key Exchange protocol, Station-To-Station (STS) protocol
47 and the OAKLEY Key Determination protocol [OAKLEY].
49 The SILC Connection Authentication protocol provides user level
50 authentication used when creating connections in SILC network. The
51 protocol is transparent to the authentication data which means that it
52 can be used to authenticate the user with, for example, passphrase
53 (pre-shared- secret) or public key (and certificate).
60 Internet Draft Key Exchange and Authentication 28 June 2000
65 1 Introduction .................................................. 2
66 2 SILC Key Exchange Protocol .................................... 3
67 2.1 Key Exchange Payloads ..................................... 3
68 2.1.1 Key Exchange Start Payload .......................... 4
69 2.1.2 Key Exchange 1 Payload .............................. 7
70 2.1.3 Key Exchange 2 Payload .............................. 9
71 2.2 Key Exchange Procedure .................................... 10
72 2.3 Processing the Key Material ............................... 12
73 2.4 SILC Key Exchange Groups .................................. 13
74 2.4.1 diffie-hellman-group1 ............................... 13
75 2.4.2 diffie-hellman-group2 ............................... 14
76 2.5 Key Exchange Status Types ................................. 14
77 3 SILC Connection Authentication Protocol ....................... 16
78 3.1 Connection Auth Payload ................................... 17
79 3.2 Connection Authentication Types ........................... 18
80 3.2.1 Passphrase Authentication ........................... 18
81 3.2.2 Public Key Authentication ........................... 18
82 3.3 Connection Authentication Status Types .................... 19
83 4 Security Considerations ....................................... 19
84 5 References .................................................... 19
85 6 Author's Address .............................................. 20
90 Figure 1: Key Exchange Start Payload
91 Figure 2: Key Exchange 1 Payload
92 Figure 3: Key Exchange 2 Payload
93 Figure 4: Connection Auth Payload
98 This memo describes two protocols used in the Secure Internet Live
99 Conferencing (SILC) protocol specified in the Secure Internet Live
100 Conferencing, Protocol Specification internet-draft [SILC1]. The
101 SILC Key Exchange (SKE) protocol provides secure key exchange between
102 two parties resulting into shared secret key material. The protocol
103 is based on Diffie Hellman key exchange algorithm and its functionality
104 is derived from several key exchange protocols. SKE uses best parts
105 of the SSH2 Key Exchange protocol, Station-To-Station (STS) protocol
106 and the OAKLEY Key Determination protocol.
108 The SILC Connection Authentication protocol provides user level
109 authentication used when creating connections in SILC network. The
110 protocol is transparent to the authentication data which means that it
116 Internet Draft Key Exchange and Authentication 28 June 2000
119 can be used to authenticate the user with, for example, passphrase
120 (pre-shared- secret) or public key (and certificate).
122 The basis of secure SILC session requires strong and secure key exchange
123 protocol and authentication. The authentication protocol is entirely
124 secured and no authentication data is ever sent in the network without
125 encrypting and authenticating it first. Thus, authentication protocol
126 may be used only after the key exchange protocol has been successfully
129 This document refers constantly to other SILC protocol specification
130 Internet Drafts that are a must read for those who wants to understand
131 the function of these protocols. The most important references are
132 the Secure Internet Live Conferencing, Protocol Specification [SILC1]
133 and SILC Packet Protocol [SILC2] Internet Drafts.
135 The protocol is intended to be used with the SILC protocol thus it
136 does not define own framework that could be used. The framework is
137 provided by the SILC protocol.
140 2 SILC Key Exchange Protocol
142 SILC Key Exchange Protocol (SKE) is used to exchange shared secret
143 between connecting entities. The result of this protocol is a key
144 material used to secure the communication channel. The protocol uses
145 Diffie-Hellman key exchange algorithm and its functionality is derived
146 from several key exchange protocols. SKE uses best parts of the SSH2
147 Key Exchange protocol, Station-To-Station (STS) protocol and the OAKLEY
148 Key Determination protocol. The protocol does not claim any conformance
149 to any of these protocols, they were merely used as a reference when
150 designing this protocol.
152 The purpose of SILC Key Exchange protocol is to create session keys to
153 be used in current SILC session. The keys are valid only for some period
154 of time (usually an hour) or at most until the session ends. These keys
155 are used to protect packets like commands, command replies and other
156 communication between two entities. If connection is server to server
157 connection, the keys are used to protect all traffic between those
158 servers. In client connections usually all the packets are protected
159 with this key except channel messages; channels has their own keys and
160 they are not exchanged with this protocol.
163 2.1 Key Exchange Payloads
165 During the key exchange procedure public data is sent between initiator
166 and responder. This data is later used in the key exchange procedure.
172 Internet Draft Key Exchange and Authentication 28 June 2000
175 There are several payloads used in the key exchange. As for all SILC
176 packets, SILC Packet Header, described in [SILC2], is at the start of all
177 packets, the same is done with these payloads as well. All fields in
178 all payloads are always in MSB (most significant byte first) order.
179 Following descriptions of these payloads.
182 2.1.1 Key Exchange Start Payload
184 Key exchange between two entities always begins with a
185 SILC_PACKET_KEY_EXCHANGE packet containing Key Exchange Start Payload.
186 When performing key exchange between client and server, the client sends
187 Key Exchange Start Payload to server filled with all security properties
188 that the client supports. Server then checks if it supports the security
191 It then sends a Key Exchange Start Payload to client filled with security
192 properties it selected from the payload client originally sent. The
193 payload sent by server must include only one chosen property per list.
195 When performing key exchange between server and server, the server who
196 is contacting sends the Key Exchange Start Payload with security property
197 list it supports to the other server. The contacted party then chooses
198 the preferred properties same way as previously described. It then
199 replies with the properties it wanted same way as previously described.
201 The Key Exchange Start Payload is used to tell connecting entities what
202 security properties and algorithms should be used in the communication.
203 If perfect forward secrecy (PFS) is not desired (PFS is undefined by
204 default) Key Exchange Start Payload is sent only once per session, thus,
205 for example, re-keying will not cause sending of a new payload. If PFS
206 is desired, re-keying will always cause new key exchange thus causes
207 sending of a new Key Exchange Start Payload.
209 When performing first key exchange this payload is never encrypted, as
210 there are no existing keys to encrypt it with. If performing re-keying
211 (PFS was selected) this payload is encrypted with the existing key and
212 encryption algorithm.
214 Cookie is also send in this payload. Cookie is used to uniform the
215 payload so that none of the key exchange parties cannot determine this
216 payload before hand. The cookie must be returned to the original sender
219 Following diagram represents the Key Exchange Start Payload. The lists
220 mentioned below are always comma (`,') separated and the list must
221 not include spaces (` ').
228 Internet Draft Key Exchange and Authentication 28 June 2000
232 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
233 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
234 | RESERVED | Flags | Payload Length |
235 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
243 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
244 | Key Exchange Grp Length | |
245 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
247 ~ Key Exchange Groups ~
249 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
250 | PKCS Alg Length | |
251 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
255 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
256 | Encryption Alg Length | |
257 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
259 ~ Encryption Algorithms ~
261 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
262 | Hash Alg Length | |
263 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
267 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
268 | Compression Alg Length | |
269 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
271 ~ Compression Algorithms ~
273 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
275 Figure 1: Key Exchange Start Payload
284 Internet Draft Key Exchange and Authentication 28 June 2000
287 o RESERVED (1 byte) - Reserved field. Sender fills this with
290 o Flags (1 byte) - Indicates flags to be used in the key
291 exchange. Several flags can be set at once by ORing the
292 flags together. Following flags are reserved for this field.
296 In this case the field is ignored.
300 If set the receiver of the payload does not reply to
305 Perfect Forward Secrecy (PFS) to be used in the
306 key exchange protocol. If not set, re-keying
307 is performed using the old key. When PFS is used,
308 re-keying and creating new keys for any particular
309 purpose will cause new key exchange.
311 Rest of the flags are reserved for the future and
314 o Payload Length (2 bytes) - Length of the entire Key Exchange
317 o Cookie (16 bytes) - Cookie that uniforms this payload so
318 that each of the party cannot determine the payload before
321 o Key Exchange Grp Length (2 bytes) - The length of the
322 key exchange group list, including this field as well.
324 o Key Exchange Group (variable length) - The list of
325 key exchange groups. See the section 2.1.2 SILC Key Exchange
326 Groups for definitions of these groups.
328 o PKCS Alg Length (2 bytes) - The length of the PKCS algorithms
329 list, including this field as well.
331 o PKCS Algorithms (variable length) - The list of PKCS
334 o Encryption Alg Length (2 bytes) - The length of the encryption
340 Internet Draft Key Exchange and Authentication 28 June 2000
343 algorithms list, including this field as well.
345 o Encryption Algorithms (variable length) - The list of
346 encryption algorithms.
348 o Hash Alg Length (2 bytes) - The length of the Hash algorithms
349 list, including this field as well.
351 o Hash Algorithms (variable length) - The list of Hash algorithms.
353 o Compression Alg Length (2 bytes) - The length of the
354 compression algorithms list, including this field as well.
356 o Compression Algorithms (variable length) - The list of
357 compression algorithms.
360 2.1.2 Key Exchange 1 Payload
362 Key Exchange 1 Payload is used to deliver computed public data from
363 initiator to responder. This data is used to compute the shared secret,
364 later by all parties. Key Exchange 1 Payload is only sent after the
365 SILC_PACKET_KEY_EXCHANGE packet and the Key Exchange Start Payload has
366 been processed by all the parties.
368 This payload sends the initiator's public key to the responder. Responder
369 may need the public key in which case it should be checked to be trusted
372 The payload may only be sent with SILC_PACKET_KEY_EXCHANGE_1 packet.
373 It must not be sent in any other packet type. Following diagram
374 represent the Key Exchange 1 Payload.
396 Internet Draft Key Exchange and Authentication 28 June 2000
400 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
401 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
402 | Public Key Length | Public Key Type |
403 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
405 ~ Public Key of the Host (or certificate) ~
407 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
408 | Public Data Length | |
409 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
411 ~ Public Data (e = g ^ x mod p) ~
413 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
415 Figure 2: Key Exchange 1 Payload
418 o Public Key Length (2 bytes) - The length of the public key
419 (or certificate), including this field and public key type
422 o Public Key Type (2 bytes) - The public key (or certificate)
423 type. This field indicates the type of the public key in
424 the packet. Following types are defined:
426 1 SILC style public key (mandatory)
427 2 SSH2 style public key (optional)
428 3 X.509 Version 3 certificate (optional)
429 4 OpenPGP certificate (optional)
430 5 SPKI certificate (optional)
432 The only required type to support is type number 1. See
433 [SILC1] for the SILC public key specification. See
434 SSH public key specification in [SSH-TRANS]. See X.509v3
435 certificate specification in [PKIX-Part1]. See OpenPGP
436 certificate specification in [PGP]. See SPKI certificate
437 specification in [SPKI]. If this field includes zero (0)
438 or unsupported type number the protocol must be aborted
439 sending SILC_PACKET_FAILURE message.
441 o Public Data Length (2 bytes) - The length of the public
442 data computed by the responder, including this field
445 o Public Data (variable length) - The public data to be
446 sent to the responder. See section 2.2 Key Exchange
452 Internet Draft Key Exchange and Authentication 28 June 2000
455 Procedure for detailed description how this field is
456 computed. This value is binary encoded.
459 2.1.3 Key Exchange 2 Payload
461 Key Exchange 2 Payload is used to deliver public key, computed public
462 data and signature from responder to initiator. Initiator uses these
463 public parts of the key exchange protocol to compute the shared secret.
465 The payload may only be sent with SILC_PACKET_KEY_EXCHANGE_2 packet.
466 It must not be sent in any other packet type. Following diagram
467 represent the Key Exchange 2 Payload.
472 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
473 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
474 | Public Key Length | Public Key Type |
475 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
477 ~ Public Key of the Host (or certificate) ~
479 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
480 | Public Data Length | |
481 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
483 ~ Public Data (f = g ^ y mod p) ~
485 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
486 | Signature Length | |
487 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
491 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
493 Figure 3: Key Exchange 2 Payload
497 o Public Key Length (2 bytes) - The length of the public key
498 (or certificate), including this field and public key type
501 o Public Key Type (2 bytes) - The public key (or certificate)
502 type. This field indicates the type of the public key in
508 Internet Draft Key Exchange and Authentication 28 June 2000
511 the packet. See previous sections for defined public key
514 o Public Key of the host (variable length) - The public
515 key of the sender (or its certificate). This is verified
516 by the receiver of the packet. The type of this field
517 is indicated by previous Public Key Type field.
519 o Public Data Length (2 bytes) - The length of the public
520 data computed by the responder, including this field
523 o Public Data (variable length) - The public data computed
524 by the responder. See section 2.2 Key Exchange Procedure
525 for detailed description how this field is computed. This
526 value is binary encoded.
528 o Signature Length (2 bytes) - The length of the signature,
529 including the length of this field as well.
531 o Signature Data (variable length) - The signature signed
532 by the responder. The receiver of this signature must
533 verify it. The verification is done using the public
534 key received in this same payload. See section 2.2
535 Key Exchange Procedure for detailed description how
536 to produce the signature.
539 2.2 Key Exchange Procedure
541 The key exchange begins by sending SILC_PACKET_KEY_EXCHANGE packet with
542 Key Exchange Start Payload to select the security properties to be used
543 in the key exchange and later in the communication.
545 After Key Exchange Start Payload has been processed by both of the
546 parties the protocol proceeds as follows:
549 Setup: p is a large and public safe prime. This is one of the
550 Diffie Hellman groups. q is order of subgroup (largest
551 prime factor of p). g is a generator and is defined
552 along with the Diffie Hellman group.
554 1. Initiator generates a random number x, where 1 < x < q,
555 and computes e = g ^ x mod p. The result e is then
556 encoded into Key Exchange 1 Payload and sent
564 Internet Draft Key Exchange and Authentication 28 June 2000
567 2. Responder generates a random number y, where 1 < y < q,
568 and computes f = g ^ y mod p. It then computes the
569 shared secret KEY = e ^ y mod p, and, a hash value
570 HASH = hash(Key Exchange Start Payload data | Host public
571 key (or certificate) | e | f | KEY). It then signs
572 the HASH value with its private key resulting a signature
575 It then encodes its public key (or certificate), f and
576 SIGN into Key Exchange 2 Payload and sends it to the
580 3. Initiator verifies that the public key provided in
581 the payload is authentic, or if certificates are used
582 it verifies the certificate. Initiator may accept
583 the public key without verifying it, however, doing
584 so may result to insecure key exchange (accepting the
585 public key without verifying may be desirable for
586 practical reasons on many environments. For long term
587 use this is never desirable, in which case certificates
588 would be the preferred method to use).
590 Initiator then computes the shared secret KEY =
591 f ^ x mod p, and, a hash value HASH in the same way as
592 responder did in phase 2. It then verifies the
593 signature SIGN from the payload with the hash value
594 HASH using the received public key.
597 If any of these phases is to fail SILC_PACKET_FAILURE is sent to
598 indicate that the key exchange protocol failed. Any other packets must
599 not be sent or accepted during the key exchange except the
600 SILC_PACKET_KEY_EXCHANGE_*, SILC_PACKET_DISCONNECT, SILC_PACKET_FAILURE
601 and/or SILC_PACKET_SUCCESS packets.
603 The result of this protocol is a shared secret key material KEY and
604 a hash value HASH. The key material itself is not fit to be used as
605 a key, it needs to be processed further to derive the actual keys to be
606 used. The key material is also used to produce other security parameters
607 later used in the communication. See section 2.3 Processing the Key
608 Material for detailed description how to process the key material.
610 After the keys are processed the protocol is ended by sending the
611 SILC_PACKET_SUCCESS packet. Both entities send this packet to
612 each other. After this both parties will start using the new keys.
620 Internet Draft Key Exchange and Authentication 28 June 2000
623 2.3 Processing the Key Material
625 Key Exchange protocol produces secret shared key material KEY. This
626 key material is used to derive the actual keys used in the encryption
627 of the communication channel. The key material is also used to derive
628 other security parameters used in the communication. Key Exchange
629 protocol produces a hash value HASH as well. This is used in the key
630 deriving process as a session identifier.
632 Keys are derived from the key material as follows:
634 Sending Initial Vector (IV) = hash(0 | KEY | HASH)
635 Receiving Initial Vector (IV) = hash(1 | KEY | HASH)
636 Sending Encryption Key = hash(2 | KEY | HASH)
637 Receiving Encryption Key = hash(3 | KEY | HASH)
638 HMAC Key = hash(4 | KEY | HASH)
641 The Initial Vector (IV) is used in the encryption when doing for
642 example CBC mode. As many bytes as needed are taken from the start of
643 the hash output for IV. Sending IV is for sending key and receiving IV
644 is for receiving key. For receiving party, the receiving IV is actually
645 sender's sending IV, and, the sending IV is actually sender's receiving
646 IV. Initiator uses IV's as they are (sending IV for sending and
647 receiving IV for receiving).
649 The Encryption Keys are derived as well from the hash(). If the hash()
650 output is too short for the encryption algorithm more key material is
651 produced in following manner:
653 K1 = hash(2 | KEY | HASH)
655 K3 = hash(KEY | K1 | K2) ...
657 Sending Encryption Key = K1 | K2 | K3 ...
660 K1 = hash(3 | KEY | HASH)
662 K3 = hash(KEY | K1 | K2) ...
664 Receiving Encryption Key = K1 | K2 | K3 ...
667 The key is distributed by hashing the previous hash with the original
668 key material. The final key is a concatenation of the hash values.
669 For Receiving Encryption Key the procedure is equivalent. Sending key
670 is used only for encrypting data to be sent. The receiving key is used
676 Internet Draft Key Exchange and Authentication 28 June 2000
679 only to decrypt received data. For receiving party, the receive key is
680 actually sender's sending key, and, the sending key is actually sender's
681 receiving key. Initiator uses generated keys as they are (sending key
682 for sending and receiving key for sending).
684 The HMAC key is used to create MAC values to packets in the communication
685 channel. As many bytes as needed are taken from the start of the hash
688 These procedures are performed by all parties of the key exchange
689 protocol. This must be done before the protocol has been ended by
690 sending the SILC_PACKET_SUCCESS packet.
693 2.4 SILC Key Exchange Groups
695 Following groups may be used in the SILC Key Exchange protocol. The
696 first group diffie-hellman-group1 is mandatory, other groups maybe
697 negotiated to be used in the connection with Key Exchange Start Payload
698 and SILC_PACKET_KEY_EXCHANGE packet. However, the first group must be
699 proposed in the Key Exchange Start Payload regardless of any other
700 requested group (however, it doesn't have to be the first on the list).
703 2.4.1 diffie-hellman-group1
705 The length of this group is 1024 bits. This is mandatory group.
706 The prime is 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
710 179769313486231590770839156793787453197860296048756011706444
711 423684197180216158519368947833795864925541502180565485980503
712 646440548199239100050792877003355816639229553136239076508735
713 759914822574862575007425302077447712589550957937778424442426
714 617334727629299387668709205606050270810842907692932019128194
717 Its hexadecimal value is
719 FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
720 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
721 EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
722 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
723 EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
732 Internet Draft Key Exchange and Authentication 28 June 2000
735 The generator used with this prime is g = 2. The group order q is
738 This group was taken from the OAKLEY specification.
741 2.4.2 diffie-hellman-group2
743 The length of this group is 1536 bits. This is optional group.
744 The prime is 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }.
748 241031242692103258855207602219756607485695054850245994265411
749 694195810883168261222889009385826134161467322714147790401219
750 650364895705058263194273070680500922306273474534107340669624
751 601458936165977404102716924945320037872943417032584377865919
752 814376319377685986952408894019557734611984354530154704374720
753 774996976375008430892633929555996888245787241299381012913029
754 459299994792636526405928464720973038494721168143446471443848
755 8520940127459844288859336526896320919633919
757 Its hexadecimal value is
759 FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
760 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
761 EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
762 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
763 EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
764 C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
765 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
766 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
768 The generator used with this prime is g = 2. The group order q is
771 This group was taken from the OAKLEY specification.
774 2.5 Key Exchange Status Types
776 This section defines all key exchange protocol status types that may be
777 returned in the SILC_PACKET_SUCCESS or SILC_PACKET_FAILURE packets to
778 indicate the status of the protocol. Implementations may map the
779 status types to human readable error message. All types except the
780 SILC_SKE_STATUS_OK type must be sent in SILC_PACKET_FAILURE packet.
781 Following status types are defined:
788 Internet Draft Key Exchange and Authentication 28 June 2000
793 Protocol were exeucted succesfully.
796 1 SILC_SKE_STATUS_ERROR
798 Unknown error occured. No specific error type is defined.
801 2 SILC_SKE_STATUS_BAD_PAYLOAD
803 Provided KE payload were malformed or included bad fields.
806 3 SILC_SKE_STATUS_UNSUPPORTED_GROUP
808 None of the provided groups were supported.
811 4 SILC_SKE_STATUS_UNSUPPORTED_CIPHER
813 None of the provided ciphers were supported.
816 5 SILC_SKE_STATUS_UNSUPPORTED_PKCS
818 None of the provided public key algorithms were supported.
821 6 SILC_SKE_STATUS_UNSUPPORTED_HASH_FUNCTION
823 None of the provided hash functions were supported.
826 7 SILC_SKE_STATUS_UNSUPPORTED_PUBLIC_KEY
828 Provided public key type is not supported.
831 8 SILC_SKE_STATUS_INCORRECT_SIGNATURE
833 Provided signature was incorrect.
844 Internet Draft Key Exchange and Authentication 28 June 2000
847 3 SILC Connection Authentication Protocol
849 Purpose of Connection Authentication protocol is to authenticate the
850 connecting party with server. Usually connecting party is client but
851 server may connect to server as well. Its other purpose is to provide
852 information for the server about which type of connection this is.
853 The type defines whether this is client, server or router connection.
854 Server uses this information to create the ID for the connection. After
855 the authentication protocol has been successfully completed
856 SILC_PACKET_NEW_ID must be sent to the connecting party by the server.
857 See section New ID Payload in [SILC2] for detailed description for this
860 Server must verify the authentication data received and if it is to fail
861 the authentication must be failed by sending SILC_PACKET_FAILURE packet.
862 If everything checks out fine the protocol is ended by server by sending
863 SILC_PACKET_SUCCESS packet.
865 The protocol is executed after the SILC Key Exchange protocol. It must
866 not be executed in any other time. As it is performed after key exchange
867 protocol all traffic in the connection authentication protocol is
868 encrypted with the exchanged keys.
870 The protocol is started by the connecting party by sending
871 SILC_PACKET_CONNECTION_AUTH packet with Connection Auth Payload,
872 described in the next section. This payload must include the
873 authentication data. Authentication data is set according
874 authentication method that must be known by both parties. If connecting
875 party does not know what is the mandatory authentication method it must
876 request it from the server by sending SILC_PACKET_CONNECTION_AUTH_REQUEST
877 packet. This packet is not part of this protocol and is described in
878 section Connection Auth Request Payload in [SILC2]. However, if
879 connecting party already knows the mandatory authentication method
880 sending the request is not necessary.
882 See [SILC1] and section Connection Auth Request Payload in [SILC2] also
883 for the list of different authentication methods. Authentication method
884 may also be NONE, in which case the server does not require
885 authentication at all. However, in this case the protocol still must be
886 executed; the authentication data just is empty indicating no
887 authentication is required.
889 If authentication method is passphrase the authentication data is
890 plaintext passphrase. As the payload is entirely encrypted it is safe
891 to have plaintext passphrase. 3.2.1 Passphrase Authentication for
900 Internet Draft Key Exchange and Authentication 28 June 2000
903 If authentication method is public key authentication the authentication
904 data is signature of the hash value HASH plus Key Exchange Start Payload,
905 established by the SILC Key Exchange protocol. This signature must then
906 be verified by the server. See section 3.2.2 Public Key Authentication
907 for more information.
909 The connecting party of this protocol must wait after successful execution
910 of this protocol for the SILC_PACKET_NEW_ID packet where it will receive
911 the ID it will be using in the SILC network. Connecting party cannot
912 start normal SILC session (sending messages or commands) until it has
913 received its ID. The ID's are always created by the server except
914 for server to server connection where servers create their own ID's.
918 3.1 Connection Auth Payload
920 Client sends this payload to authenticate itself to the server. Server
921 connecting to another server also sends this payload. Server receiving
922 this payload must verify all the data in it and if something is to fail
923 the authentication must be failed by sending SILC_PACKET_FAILURE packet.
925 The payload may only be sent with SILC_PACKET_CONNECTION_AUTH packet.
926 It must not be sent in any other packet type. Following diagram
927 represent the Connection Auth Payload.
931 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
932 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
933 | Payload Length | Connection Type |
934 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
936 ~ Authentication Data ~
938 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
940 Figure 4: Connection Auth Payload
943 o Payload Length (2 bytes) - Length of the entire Connection
946 o Connection Type (2 bytes) - Indicates the type of the
947 connection. See section Connection Auth Request Payload
948 in [SILC2] for the list of connection types. This field must
949 include valid connection type or the packet must be discarded
950 and authentication must be failed.
956 Internet Draft Key Exchange and Authentication 28 June 2000
959 o Authentication Data (variable length) - The actual
960 authentication data. Contents of this depends on the
961 authentication method known by both parties. If no
962 authentication is required this field does not exist.
965 3.2 Connection Authentication Types
967 SILC supports two authentication types to be used in the connection
968 authentication protocol; passphrase or public key based authentication.
969 Following sections defines the authentication methods. See [SILC2]
970 for defined numerical authentication method types.
973 3.2.1 Passphrase Authentication
975 Passphrase authentication or pre-shared-key base authentication is
976 simply an authentication where the party that wants to authenticate
977 itself to the other end sends the passphrase that is required by
978 the other end, for example server.
980 If the passphrase matches with the one in the server's end the
981 authentication is successful. Otherwise SILC_PACKET_FAILURE must be
982 sent to the sender and the protocol execution fails.
984 This is required authentication method to be supported by all SILC
988 3.2.2 Public Key Authentication
990 Public key authentication may be used if passphrase based authentication
991 is not desired. The public key authentication works by sending a
992 signature as authentication data to the other end, say, server. The
993 server must then verify the signature by the public key of the sender,
994 which the server has received earlier in SKE protocol.
996 The signature is computed using the private key of the sender by signing
997 the HASH value provided by the SKE protocol previously, and the Key
998 Exchange Start Payload from SKE protocol that was sent to the server.
999 The server must verify the data, thus it must keep the HASH and the
1000 Key Exchange Start Payload saved during SKE and authentication protocols.
1002 If the verified signature matches the sent signature, the authentication
1003 were successful and SILC_PACKET_SUCCESS is sent. If it failed the protocol
1004 execution is stopped and SILC_PACKET_FAILURE is sent.
1006 This is required authentication method to be supported by all SILC
1012 Internet Draft Key Exchange and Authentication 28 June 2000
1018 3.3 Connection Authentication Status Types
1020 This section defines all connection authentication status types that
1021 may be returned in the SILC_PACKET_SUCCESS or SILC_PACKET_FAILURE packets
1022 to indicate the status of the protocol. Implementations may map the
1023 status types to human readable error message. All types except the
1024 SILC_AUTH_STATUS_OK type must be sent in SILC_PACKET_FAILURE packet.
1025 Following status types are defined:
1029 Protocol was executed succesfully.
1034 Authentication failed.
1037 4 Security Considerations
1039 Security is central to the design of this protocol, and these security
1040 considerations permeate the specification.
1045 [SILC1] Riikonen, P., "Secure Internet Live Conferencing (SILC),
1046 Protocol Specification", Internet Draft, June 2000.
1048 [SILC2] Riikonen, P., "SILC Packet Protocol", Internet Draft,
1051 [IRC] Oikarinen, J., and Reed D., "Internet Relay Chat Protocol",
1054 [SSH-TRANS] Ylonen, T., et al, "SSH Transport Layer Protocol",
1057 [PGP] Callas, J., et al, "OpenPGP Message Format", RFC 2440,
1060 [SPKI] Ellison C., et al, "SPKI Certificate Theory", RFC 2693,
1068 Internet Draft Key Exchange and Authentication 28 June 2000
1071 [PKIX-Part1] Housley, R., et al, "Internet X.509 Public Key
1072 Infrastructure, Certificate and CRL Profile", RFC 2459,
1075 [Schneier] Schneier, B., "Applied Cryptography Second Edition",
1076 John Wiley & Sons, New York, NY, 1996.
1078 [Menezes] Menezes, A., et al, "Handbook of Applied Cryptography",
1081 [OAKLEY] Orman, H., "The OAKLEY Key Determination Protocol",
1082 RFC 2412, November 1998.
1084 [ISAKMP] Maughan D., et al, "Internet Security Association and
1085 Key Management Protocol (ISAKMP)", RFC 2408, November
1088 [IKE] Harkins D., and Carrel D., "The Internet Key Exhange
1089 (IKE)", RFC 2409, November 1998.
1091 [HMAC] Krawczyk, H., "HMAC: Keyed-Hashing for Message
1092 Authentication", RFC 2104, February 1997.
1102 EMail: priikone@poseidon.pspt.fi