.ds LF Riikonen
.ds RF FORMFEED[Page %]
.ds CF
-.ds LH INTERNET-DRAFT
-.ds RH 13 September 2000
+.ds LH Internet-Draft
+.ds RH 6 October 2000
.ds CH
.na
.hy 0
.in 0
.nf
Network Working Group P. Riikonen
-INTERNET-DRAFT
-draft-riikonen-silc-ke-auth-01.txt 13 September 2000
-Expires: 13 May 2001
+Internet-Draft
+draft-riikonen-silc-ke-auth-01.txt 6 October 2000
+Expires: 6 Jun 2001
.in 3
This memo describes two protocols used in the Secure Internet Live
Conferencing (SILC) protocol specified in the Secure Internet Live
-Conferencing, Protocol Specification internet-draft [SILC1]. The
+Conferencing, Protocol Specification Internet-Draft [SILC1]. The
SILC Key Exchange (SKE) protocol provides secure key exchange between
two parties resulting into shared secret key material. The protocol
is based on Diffie Hellman key exchange algorithm and its functionality
Key exchange between two entities always begins with a
SILC_PACKET_KEY_EXCHANGE packet containing Key Exchange Start Payload.
-When performing key exchange between client and server, the client sends
-Key Exchange Start Payload to server filled with all security properties
-that the client supports. Server then checks if it supports the security
-properties.
-
-It then sends a Key Exchange Start Payload to client filled with security
-properties it selected from the payload client originally sent. The
-payload sent by server must include only one chosen property per list.
+Initiator sends the Key Exchange Start Payload to the responder filled with
+all security properties it supports. The responders then checks whether
+it supports the security properties.
-When performing key exchange between server and server, the server who
-is contacting sends the Key Exchange Start Payload with security property
-list it supports to the other server. The contacted party then chooses
-the preferred properties same way as previously described. It then
-replies with the properties it wanted same way as previously described.
+It then sends a Key Exchange Start Payload to the initiator filled with
+security properties it selected from the original payload. The payload sent
+by responder must include only one chosen property per list.
The Key Exchange Start Payload is used to tell connecting entities what
security properties and algorithms should be used in the communication.
(PFS was selected) this payload is encrypted with the existing key and
encryption algorithm.
-Cookie is also send in this payload. Cookie is used to uniform the
-payload so that none of the key exchange parties cannot determine this
+A cookie is also sent in this payload. A cookie is used to uniform the
+payload so that none of the key exchange parties can determine this
payload before hand. The cookie must be returned to the original sender
by the responder.
+
.in 5
.nf
1 2 3
+
.ti 0
2.3 Processing the Key Material
negotiated to be used in the connection with Key Exchange Start Payload
and SILC_PACKET_KEY_EXCHANGE packet. However, the first group must be
proposed in the Key Exchange Start Payload regardless of any other
-requested group (however, it doesn't have to be the first on the list).
+requested group (however, it does not have to be the first on the list).
.ti 0
indicate the status of the protocol. Implementations may map the
status types to human readable error message. All types except the
SILC_SKE_STATUS_OK type must be sent in SILC_PACKET_FAILURE packet.
-Following status types are defined:
+The length of status is 32 bits (4 bytes). Following status types are
+defined:
.in 6
0 SILC_SKE_STATUS_OK
- Protocol were exeucted succesfully.
+ Protocol were executed successfully.
1 SILC_SKE_STATUS_ERROR
8 SILC_SKE_STATUS_INCORRECT_SIGNATURE
Provided signature was incorrect.
+
+
+9 SILC_SKE_STATUS_BAD_VERSION
+
+ Provided version string was not acceptable.
.in 3
to indicate the status of the protocol. Implementations may map the
status types to human readable error message. All types except the
SILC_AUTH_STATUS_OK type must be sent in SILC_PACKET_FAILURE packet.
-Following status types are defined:
+The length of status is 32 bits (4 bytes). Following status types are
+defined:
0 SILC_AUTH_OK
- Protocol was executed succesfully.
+ Protocol was executed successfully.
1 SILC_AUTH_FAILED
Key Management Protocol (ISAKMP)", RFC 2408, November
1998.
-[IKE] Harkins D., and Carrel D., "The Internet Key Exhange
+[IKE] Harkins D., and Carrel D., "The Internet Key Exchange
(IKE)", RFC 2409, November 1998.
[HMAC] Krawczyk, H., "HMAC: Keyed-Hashing for Message
EMail: priikone@poseidon.pspt.fi
-This Internet-Draft expires 13 May 2001
+This Internet-Draft expires 6 Jun 2001