updates.

[website.git] / docs / protocol / draft-riikonen-silc-ke-auth-09.txt

Network Working Group                                        P. Riikonen
Internet-Draft
draft-riikonen-silc-ke-auth-09.txt                       15 January 2007
Expires: 15 July 2007


              SILC Key Exchange and Authentication Protocols
                   <draft-riikonen-silc-ke-auth-09.txt>

Status of this Draft

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts. Internet-Drafts are draft documents valid for a maximum of
   six months and may be updated, replaced, or obsoleted by other
   documents at any time. It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress".

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html
   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.


Abstract

   This memo describes two protocols used in the Secure Internet Live
   Conferencing (SILC) protocol, specified in the Secure Internet Live
   Conferencing, Protocol Specification [SILC1].  The SILC Key Exchange
   (SKE) protocol provides secure key exchange between two parties
   resulting into shared secret key material.  The protocol is based
   on Diffie-Hellman key exchange algorithm and its functionality is
   derived from several key exchange protocols.

   The second protocol, SILC Connection Authentication protocol provides
   user level authentication used when creating connections in SILC
   network.  The protocol supports passphrase (pre-shared secret)
   authentication and public key (and certificate) authentication based
   on digital signatures.






Riikonen                                                        [Page 1]
\f
Internet-Draft                                           15 January 2007


Table of Contents

   1 Introduction ..................................................  2
     1.1 Requirements Terminology ..................................  3
   2 SILC Key Exchange Protocol ....................................  3
     2.1 Key Exchange Payloads .....................................  4
         2.1.1 Key Exchange Start Payload ..........................  4
         2.1.2 Key Exchange Payload ................................  9
     2.2 Key Exchange Procedure .................................... 11
     2.3 Processing the Key Material ............................... 13
     2.4 SILC Key Exchange Groups .................................. 15
         2.4.1 diffie-hellman-group1 ............................... 15
         2.4.2 diffie-hellman-group2 ............................... 15
         2.4.3 diffie-hellman-group3 ............................... 16
     2.5 Key Exchange Status Types ................................. 16
   3 SILC Connection Authentication Protocol ....................... 18
     3.1 Connection Auth Payload ................................... 19
     3.2 Connection Authentication Types ........................... 20
         3.2.1 Passphrase Authentication ........................... 20
         3.2.2 Public Key Authentication ........................... 21
     3.3 Connection Authentication Status Types .................... 21
   4 Security Considerations ....................................... 22
   5 References .................................................... 22
   6 Author's Address .............................................. 23
   7 Full Copyright Statement ...................................... 24


List of Figures

   Figure 1:  Key Exchange Start Payload
   Figure 2:  Key Exchange Payload
   Figure 3:  Connection Auth Payload


1 Introduction

   This memo describes two protocols used in the Secure Internet Live
   Conferencing (SILC) protocol specified in the Secure Internet Live
   Conferencing, Protocol Specification [SILC1].  The SILC Key Exchange
   (SKE) protocol provides secure key exchange between two parties
   resulting into shared secret key material.  The protocol is based on
   Diffie-Hellman key exchange algorithm and its functionality is derived
   from several key exchange protocols, such as SSH2 Key Exchange protocol,
   Station-To-Station (STS) protocol and the OAKLEY Key Determination
   protocol [OAKLEY].

   The second protocol, SILC Connection Authentication protocol provides
   user level authentication used when creating connections in SILC



Riikonen                                                        [Page 2]
\f
Internet-Draft                                           15 January 2007


   network.  The protocol supports passphrase (pre-shared secret)
   authentication and public key (and certificate) authentication based
   on digital signatures.

   The basis of secure SILC session requires strong and secure key exchange
   protocol and authentication.  The authentication protocol is secured and
   no authentication data is ever sent in the network without encrypting
   and authenticating it first.  Thus, authentication protocol may be used
   only after the key exchange protocol has been successfully completed.

   This document constantly refers to other SILC protocol specifications
   that should be read to be able to fully understand the functionality
   and purpose of these protocols.  The most important references are
   the Secure Internet Live Conferencing, Protocol Specification [SILC1]
   and the SILC Packet Protocol [SILC2].

   The protocol is intended to be used with the SILC protocol thus it
   does not define own framework that could be used.  The framework is
   provided by the SILC protocol.


1.1 Requirements Terminology

   The keywords MUST, MUST NOT, REQUIRED, SHOULD, SHOULD NOT, RECOMMENDED,
   MAY, and OPTIONAL, when they appear in this document, are to be
   interpreted as described in [RFC2119].


2 SILC Key Exchange Protocol

   SILC Key Exchange Protocol (SKE) is used to exchange shared secret
   material used to secure the communication channel.  The protocol use
   Diffie-Hellman key exchange algorithm and its functionality is derived
   from several key exchange protocols, such as SSH2 Key Exchange protocol,
   Station-To-Station (STS) protocol and the OAKLEY Key Determination
   protocol [OAKLEY].  The protocol does not claim any conformance
   to any of these protocols, they were only used as a reference when
   designing this protocol.  The protocol can mutually authenticate the
   negotiating parties during the key exchange.

   The purpose of SILC Key Exchange protocol is to create session keys to
   be used in current SILC session.  The keys are valid only for some period
   of time (usually an hour) or at most until the session ends.  These keys
   are used to protect packets traveling between the two entities.
   Usually all traffic is secured with the key material derived from this
   protocol.

   The Diffie-Hellman implementation used in the SILC SHOULD be compliant



Riikonen                                                        [Page 3]
\f
Internet-Draft                                           15 January 2007


   to the PKCS #3.


2.1 Key Exchange Payloads

   During the key exchange procedure public data is sent between initiator
   and responder.  This data is later used in the key exchange procedure.
   There are several payloads used in the key exchange.  As for all SILC
   packets, SILC Packet Header, described in [SILC2], is at the beginning
   of all packets sent in during this protocol.  All the fields in the
   following payloads are in MSB (most significant byte first) order.


2.1.1 Key Exchange Start Payload

   The key exchange between two entities MUST be started by sending the
   SILC_PACKET_KEY_EXCHANGE packet containing Key Exchange Start Payload.
   Initiator sends the Key Exchange Start Payload to the responder filled
   with all security properties it supports.  The responder then checks
   whether it supports the security properties.

   It then sends a Key Exchange Start Payload to the initiator filled with
   security properties it selected from the original payload.  The payload
   sent by responder MUST include only one chosen property per list.  The
   character encoding for the security property values as defined in [SILC1]
   SHOULD be UTF-8 [RFC2279] in Key Exchange Start Payload.

   The Key Exchange Start Payload is used to tell connecting entities what
   security properties and algorithms should be used in the communication.
   The Key Exchange Start Payload is sent only once per session.  Even if
   the PFS (Perfect Forward Secrecy) flag is set the Key Exchange Start
   Payload is not re-sent.  When PFS is desired the Key Exchange Payloads
   are sent to negotiate new key material.  The procedure is equivalent to
   the very first negotiation except that the Key Exchange Start Payload
   is not sent.

   As this payload is used only with the very first key exchange the payload
   is never encrypted, as there are no keys to encrypt it with.

   A cookie is also sent in this payload.  A cookie is used to randomize the
   payload so that none of the key exchange parties can determine this
   payload before the key exchange procedure starts.  The cookie MUST be
   returned to the original sender unmodified by the responder.

   Following diagram represents the Key Exchange Start Payload.  The lists
   mentioned below are always comma (`,') separated and the list MUST NOT
   include white spaces (` ').




Riikonen                                                        [Page 4]
\f
Internet-Draft                                           15 January 2007


                          1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   RESERVED    |     Flags     |         Payload Length        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     +                                                               +
     |                                                               |
     +                            Cookie                             +
     |                                                               |
     +                                                               +
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Version String Length     |                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
     |                                                               |
     ~                         Version String                        ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Key Exchange Grp Length     |                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
     |                                                               |
     ~                      Key Exchange Groups                      ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        PKCS Alg Length        |                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
     |                                                               |
     ~                         PKCS Algorithms                       ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Encryption Alg Length     |                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
     |                                                               |
     ~                      Encryption Algorithms                    ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       Hash Alg Length         |                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
     |                                                               |
     ~                         Hash Algorithms                       ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |         HMAC Length           |                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
     |                                                               |
     ~                             HMACs                             ~
     |                                                               |



Riikonen                                                        [Page 5]
\f
Internet-Draft                                           15 January 2007


     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    Compression Alg Length     |                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
     |                                                               |
     ~                     Compression Algorithms                    ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                   Figure 1:  Key Exchange Start Payload


      o RESERVED (1 byte) - Reserved field.  Sender fills this with
        zero (0) value.

      o Flags (1 byte) - Indicates flags to be used in the key
        exchange.  Several flags can be set at once by ORing the
        flags together.  The following flags are reserved for this
        field:

           No flags                 0x00

             In this case the field is ignored.

           IV Included              0x01

             This flag is used to indicate that Initialization
             Vector (IV) in encryption will be included in the
             ciphertext which the recipient must use in decryption.
             At the beginning of the SILC packet, before the SILC
             Packet header an 8-bit Security ID (SID) MUST be
             placed.  After the SID, the IV MUST be placed.  After
             the IV, a 32-bit MSB first ordered packet sequence
             number MUST be placed.  The SID and IV MUST NOT be
             encrypted, but the sequence number MUST be included
             in encryption.  The recipient MUST use the sequence
             number during MAC verification [SILC2].  All fields
             however are authenticated with MAC.

             The Security ID is set to value 0 when the key
             exchange is performed for the first time.  It is
             monotonically increased after each re-key, wrapping
             eventually.  The SID in combination with the current
             session can be used to identify which key has been
             used to encrypt an incoming packet.  This is especially
             important after rekey when using UDP/IP protocol,
             where packets may be lost or reordered.  A packet with
             unknown SID will result into discarding the packet as
             it cannot be decrypted.  After rekey, implementation



Riikonen                                                        [Page 6]
\f
Internet-Draft                                           15 January 2007


             should understand that it may still receive packets
             with old SID and be prepared to decrypt them with the
             old key.

             With this flag it is possible to use SILC protocol on
             unreliable transport such as UDP/IP which may cause
             packet reordering and packet losses.  By default,
             this flag is not set and thus IV is not included
             in the ciphertext.  Setting this flag increases the
             packet length by one ciphertext block plus 1 byte for
             the Security ID and 32 bits for the sequence number.
             Responder MAY override this flag for the initiator,
             however without this flag UDP connection cannot be
             used.  The flag MAY also be used in TCP connection.

             When using with UDP/IP implementations SHOULD use
             anti-replay methods where an anti-replay window
             defines what packets are replays.  An example of
             anti-window protocol is in [RFC2406] Section 3.4.2
             with example source code in [RFC2401] Appendix C.
             While [RFC2401] and [RFC2406] does not relate to SILC,
             the anti-replay method used is applicable in SILC.

           PFS                      0x02

             Perfect Forward Secrecy (PFS) to be used in the
             key exchange protocol.  If not set, re-keying
             is performed using the old key.  See the [SILC1]
             for more information on this issue.  When PFS is
             used, re-keying and creating new keys for any
             particular purpose MUST cause new key exchange with
             new Diffie-Hellman exponent values.  In this key
             exchange only the Key Exchange Payload is sent and
             the Key Exchange Start Payload MUST NOT be sent.
             When doing PFS the Key Exchange Payloads are
             encrypted with the old keys.

           Mutual Authentication    0x04

             Both of the parties will perform authentication
             by providing signed data for the other party to
             verify.  By default, only responder will provide
             the signature data.  If this is set then the
             initiator must also provide it.  Initiator MAY
             set this but also responder MAY set this even if
             initiator did not set it.

           Rest of the flags are reserved for the future and



Riikonen                                                        [Page 7]
\f
Internet-Draft                                           15 January 2007


           MUST NOT be set.

      o Payload Length (2 bytes) - Length of the entire Key Exchange
        Start payload, not including any other field.

      o Cookie (16 bytes) - Cookie that randomize this payload so
        that each of the party cannot determine the payload before
        hand.  This field MUST be present.

      o Version String Length (2 bytes) - The length of the Version
        String field, not including any other field.

      o Version String (variable length) - Indicates the version of
        the sender of this payload.  Initiator sets this when sending
        the payload and responder sets this when it replies by sending
        this payload.  See [SILC1] for definition for the version
        string format.  This field MUST be present and include valid
        version string.

      o Key Exchange Grp Length (2 bytes) - The length of the
        key exchange group list, not including any other field.

      o Key Exchange Group (variable length) - The list of
        key exchange groups.  See the section 2.4 SILC Key Exchange
        Groups for definitions of these groups.  This field MUST
        be present.

      o PKCS Alg Length (2 bytes) - The length of the PKCS algorithms
        list, not including any other field.

      o PKCS Algorithms (variable length) - The list of PKCS
        algorithms.  This field MUST be present.

      o Encryption Alg Length (2 bytes) - The length of the encryption
        algorithms list, not including any other field.

      o Encryption Algorithms (variable length) - The list of
        encryption algorithms.  This field MUST be present.

      o Hash Alg Length (2 bytes) - The length of the Hash algorithm
        list, not including any other field.

      o Hash Algorithms (variable length) - The list of Hash
        algorithms.  The hash algorithms are mainly used in the
        SKE protocol.  This field MUST be present.

      o HMAC Length (2 bytes) - The length of the HMAC list, not
        including any other field.



Riikonen                                                        [Page 8]
\f
Internet-Draft                                           15 January 2007


      o HMACs (variable length) - The list of HMACs.  The HMAC's
        are used to compute the Message Authentication Code (MAC)
        of the SILC packets.  This field MUST be present.

      o Compression Alg Length (2 bytes) - The length of the
        compression algorithms list, not including any other field.

      o Compression Algorithms (variable length) - The list of
        compression algorithms.  This field MAY be omitted.


2.1.2 Key Exchange Payload

   Key Exchange payload is used to deliver the public key (or certificate),
   the computed Diffie-Hellman public value and possibly signature data
   from one party to the other.  When initiator is using this payload
   and the Mutual Authentication flag is not set then the initiator MUST
   NOT provide the signature data.  If the flag is set then the initiator
   MUST provide the signature data so that the responder can verify it.

   The Mutual Authentication flag is usually used when a separate
   authentication protocol will not be executed for the initiator of the
   protocol.  This is case for example when the SKE is performed between
   two SILC clients.  In normal case, where client is connecting to a
   server, or server is connecting to a router the Mutual Authentication
   flag MAY be omitted.  However, if the connection authentication protocol
   for the connecting entity is not based on digital signatures (it is
   based on pre-shared key or there is no authentication) then the Mutual
   Authentication flag SHOULD be enabled.  This way the connecting entity
   has to provide proof of possession of the private key for the public key
   it will provide in this protocol.

   When performing re-key with PFS selected this is the only payload that
   is sent in the SKE protocol.  The Key Exchange Start Payload MUST NOT
   be sent at all.  However, this payload does not have all the fields
   present.  In the re-key with PFS the public key and a possible signature
   data SHOULD NOT be present.  If they are present they MUST be ignored.
   The only field that is present is the Public Data that is used to create
   the new key material.  In the re-key the Mutual Authentication flag, that
   may be set in the initial negotiation, MUST also be ignored.

   This payload is sent inside SILC_PACKET_KEY_EXCHANGE_1 and inside
   SILC_PACKET_KEY_EXCHANGE_2 packet types.  The initiator uses the
   SILC_PACKET_KEY_EXCHANGE_1 and the responder the latter.

   The following diagram represent the Key Exchange Payload.





Riikonen                                                        [Page 9]
\f
Internet-Draft                                           15 January 2007


                          1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       Public Key Length       |        Public Key Type        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     ~            Public Key of the party (or certificate)           ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       Public Data Length      |                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
     |                                                               |
     ~                          Public Data                          ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Signature Length       |                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
     |                                                               |
     ~                        Signature Data                         ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                      Figure 2:  Key Exchange Payload


      o Public Key Length (2 bytes) - The length of the Public Key
        (or certificate) field, not including any other field.

      o Public Key Type (2 bytes) - The public key (or certificate)
        type.  This field indicates the type of the public key in
        the packet.  Following types are defined:

           1    SILC style public key (mandatory)
           2    SSH2 style public key (optional)
           3    X.509 Version 3 certificate (optional)
           4    OpenPGP certificate (optional)
           5    SPKI certificate (optional)

        The only required type to support is type number 1.  See
        [SILC1] for the SILC public key specification.  See
        SSH2 public key specification in [SSH-TRANS].  See X.509v3
        certificate specification in [PKIX-Part1].  See OpenPGP
        certificate specification in [PGP].  See SPKI certificate
        specification in [SPKI].  If this field includes zero (0)
        or unsupported type number the protocol MUST be aborted
        sending SILC_PACKET_FAILURE message and the connection SHOULD
        be closed immediately.




Riikonen                                                       [Page 10]
\f
Internet-Draft                                           15 January 2007


      o Public Key (or certificate) (variable length) - The
        public key or certificate of the party.  This public key
        may be used to verify the digital signature.  The public key
        or certificate in this field is encoded in the manner as
        defined in their respective definitions; see previous field.

      o Public Data Length (2 bytes) - The length of the Public Data
        field, not including any other field.

      o Public Data (variable length) - The public data to be
        sent to the receiver (computed Diffie-Hellman public values).
        See section 2.2 Key Exchange Procedure for detailed description
        how this field is computed.  This field is MP integer and is
        encoded as defined in [SILC1].

      o Signature Length (2 bytes) - The length of the signature,
        not including any other field.

      o Signature Data (variable length) - The signature signed
        by the sender.  The receiver of this signature MUST
        verify it.  The verification is done using the sender's
        public key.  See section 2.2 Key Exchange Procedure for
        detailed description how to produce the signature.  If
        the Mutual Authentication flag is not set then initiator
        MUST NOT provide this field and the Signature Length field
        MUST be set to zero (0) value.  If the flag is set then
        also the initiator MUST provide this field.  The responder
        always MUST provide this field.  The encoding for signature
        is defined in [SILC1].



2.2 Key Exchange Procedure

   The key exchange begins by sending SILC_PACKET_KEY_EXCHANGE packet with
   Key Exchange Start Payload to select the security properties to be used
   in the key exchange and later in the communication.

   After Key Exchange Start Payload has been processed by both of the
   parties the protocol proceeds as follows:


   Setup:  p is a large and public safe prime.  This is one of the
           Diffie Hellman groups.  q is order of subgroup (largest
           prime factor of p).  g is a generator and is defined
           along with the Diffie Hellman group.

       1.  Initiator generates a random number x, where 1 < x < q,



Riikonen                                                       [Page 11]
\f
Internet-Draft                                           15 January 2007


           and computes e = g ^ x mod p.  The result e is then
           encoded into Key Exchange Payload, with the public key
           (or certificate) and sent to the responder.

           If the Mutual Authentication flag is set then initiator
           MUST also produce signature data SIGN_i which the responder
           will verify.  The initiator MUST compute a hash value
           HASH_i = hash(Initiator's Key Exchange Start Payload |
           public key (or certificate) | e).  The '|' stands for
           concatenation.  It then signs the HASH_i value with its
           private key resulting a signature SIGN_i.

       2.  Responder generates a random number y, where 1 < y < q,
           and computes f = g ^ y mod p.  It then computes the
           shared secret KEY = e ^ y mod p, and, a hash value
           HASH = hash(Initiator's Key Exchange Start Payload |
           public key (or certificate) | Initiator's public key
           (or certificate) | e | f | KEY).  It then signs
           the HASH value with its private key resulting a signature
           SIGN.

           It then encodes its public key (or certificate), f and
           SIGN into Key Exchange Payload and sends it to the
           initiator.

           If the Mutual Authentication flag is set then the responder
           SHOULD verify that the public key provided in the payload
           is authentic, or if certificates are used it verifies the
           certificate.  The responder MAY accept the public key without
           verifying it, however, doing so may result to insecure key
           exchange (accepting the public key without verifying may be
           desirable for practical reasons on many environments.  For
           long term use this is never desirable, in which case
           certificates would be the preferred method to use).  It then
           computes the HASH_i value the same way initiator did in the
           phase 1.  It then verifies the signature SIGN_i from the
           payload with the hash value HASH_i using the received public
           key.

       3.  Initiator verifies that the public key provided in
           the payload is authentic, or if certificates are used
           it verifies the certificate.  The initiator MAY accept
           the public key without verifying it, however, doing
           so may result to insecure key exchange (accepting the
           public key without verifying may be desirable for
           practical reasons on many environments.  For long term
           use this is never desirable, in which case certificates
           would be the preferred method to use).



Riikonen                                                       [Page 12]
\f
Internet-Draft                                           15 January 2007


           Initiator then computes the shared secret KEY =
           f ^ x mod p, and, a hash value HASH in the same way as
           responder did in phase 2.  It then verifies the
           signature SIGN from the payload with the hash value
           HASH using the received public key.


   If any of these phases is to fail the SILC_PACKET_FAILURE MUST be sent
   to indicate that the key exchange protocol has failed, and the connection
   SHOULD be closed immediately.  Any other packets MUST NOT be sent or
   accepted during the key exchange except the SILC_PACKET_KEY_EXCHANGE_*,
   SILC_PACKET_FAILURE and SILC_PACKET_SUCCESS packets.

   The result of this protocol is a shared secret key material KEY and
   a hash value HASH.  The key material itself is not fit to be used as
   a key, it needs to be processed further to derive the actual keys to be
   used.  The key material is also used to produce other security parameters
   later used in the communication.  See section 2.3 Processing the Key
   Material for detailed description how to process the key material.

   If the Mutual Authentication flag was set the protocol produces also
   a hash value HASH_i.  This value, however, must be discarded.

   After the keys are processed the protocol is ended by sending the
   SILC_PACKET_SUCCESS packet.  Both entities send this packet to
   each other.  After this both parties MUST start using the new keys.


2.3 Processing the Key Material

   Key Exchange protocol produces secret shared key material KEY.  This
   key material is used to derive the actual keys used in the encryption
   of the communication channel.  The key material is also used to derive
   other security parameters used in the communication.  Key Exchange
   protocol produces a hash value HASH as well.

   The keys MUST be derived from the key material as follows:

      Sending Initial Vector (IV)     = hash(0x0 | KEY | HASH)
      Receiving Initial Vector (IV)   = hash(0x1 | KEY | HASH)
      Sending Encryption Key          = hash(0x2 | KEY | HASH)
      Receiving Encryption Key        = hash(0x3 | KEY | HASH)
      Sending HMAC Key                = hash(0x4 | KEY | HASH)
      Receiving HMAC Key              = hash(0x5 | KEY | HASH)


   The Initial Vector (IV) is used in the encryption when doing for
   example CBC mode.  As many bytes as needed are taken from the start of



Riikonen                                                       [Page 13]
\f
Internet-Draft                                           15 January 2007


   the hash output for IV.  Sending IV is for sending key and receiving IV
   is for receiving key.  For receiving party, the receiving IV is actually
   sender's sending IV, and, the sending IV is actually sender's receiving
   IV.  Initiator uses IV's as they are (sending IV for sending and
   receiving IV for receiving).

   The Encryption Keys are derived as well from the hash().  If the hash()
   output is too short for the encryption algorithm more key material MUST
   be produced in the following manner:

      K1 = hash(0x2 | KEY | HASH)
      K2 = hash(KEY | HASH | K1)
      K3 = hash(KEY | HASH | K1 | K2)  ...

      Sending Encryption Key = K1 | K2 | K3 ...


      K1 = hash(0x3 | KEY | HASH)
      K2 = hash(KEY | HASH | K1)
      K3 = hash(KEY | HASH | K1 | K2)  ...

      Receiving Encryption Key = K1 | K2 | K3 ...


   The key is distributed by hashing the previous hash with the original
   key material.  The final key is a concatenation of the hash values.
   For Receiving Encryption Key the procedure is equivalent.  Sending key
   is used only for encrypting data to be sent.  The receiving key is used
   only to decrypt received data.  For receiving party, the receive key is
   actually sender's sending key, and, the sending key is actually sender's
   receiving key.  Initiator uses generated keys as they are (sending key
   for sending and receiving key for receiving).

   The HMAC keys are used to create MAC values to packets in the
   communication channel.  As many bytes as needed are taken from the start
   of the hash output to generate the MAC keys.

   These procedures are performed by all parties of the key exchange
   protocol.  This MUST be done before the protocol has been ended by
   sending the SILC_PACKET_SUCCESS packet, to assure that parties can
   successfully process the key material.

   This same key processing procedure MAY be used in the SILC in some
   other circumstances as well.  Any changes to this procedure is defined
   separately when this procedure is needed.  See the [SILC1] and the
   [SILC2] for these circumstances.





Riikonen                                                       [Page 14]
\f
Internet-Draft                                           15 January 2007


2.4 SILC Key Exchange Groups

   The Following groups may be used in the SILC Key Exchange protocol.
   The first group diffie-hellman-group1 is REQUIRED, other groups MAY be
   negotiated to be used in the connection with Key Exchange Start Payload
   and SILC_PACKET_KEY_EXCHANGE packet.  However, the first group MUST be
   proposed in the Key Exchange Start Payload regardless of any other
   requested group (however, it does not have to be the first in the list).


2.4.1 diffie-hellman-group1

   The length of this group is 1024 bits.  This is REQUIRED group.
   The prime is 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.

   Its hexadecimal value is

      FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
      29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
      EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
      E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
      EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
      FFFFFFFF FFFFFFFF


   The generator used with this prime is g = 2.  The group order q is
   (p - 1) / 2.

   This group was taken from RFC 2412.


2.4.2 diffie-hellman-group2

   The length of this group is 1536 bits.  This is OPTIONAL group.
   The prime is 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }.

   Its hexadecimal value is

      FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
      29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
      EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
      E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
      EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
      C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
      83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
      670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF

   The generator used with this prime is g = 2.  The group order q is



Riikonen                                                       [Page 15]
\f
Internet-Draft                                           15 January 2007


   (p - 1) / 2.

   This group was taken from RFC 3526.


2.4.3 diffie-hellman-group3

   The length of this group is 2048 bits.  This is OPTIONAL group.
   This prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }.

   Its hexadecimal value is

      FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
      29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
      EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
      E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
      EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
      C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
      83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
      670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
      E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
      DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
      15728E5A 8AACAA68 FFFFFFFF FFFFFFFF

   The generator used with this prime is g = 2.  The group order q is
   (p - 1) / 2.

   This group was taken from RFC 3526.

   Additional larger groups are defined in RFC 3526 and may be used in SKE
   by defining name for them using the above name format.


2.5 Key Exchange Status Types

   This section defines all key exchange protocol status types that may
   be returned in the SILC_PACKET_SUCCESS or SILC_PACKET_FAILURE packets
   to indicate the status of the protocol.  Implementations may map the
   status types to human readable error message.  All types except the
   SILC_SKE_STATUS_OK type MUST be sent in SILC_PACKET_FAILURE packet.
   The length of status is 32 bits (4 bytes).  The following status types
   are defined:

      0   SILC_SKE_STATUS_OK

          Protocol were executed successfully.





Riikonen                                                       [Page 16]
\f
Internet-Draft                                           15 January 2007


      1   SILC_SKE_STATUS_ERROR

          Unknown error occurred.  No specific error type is defined.


      2   SILC_SKE_STATUS_BAD_PAYLOAD

          Provided KE payload were malformed or included bad fields.


      3   SILC_SKE_STATUS_UNSUPPORTED_GROUP

          None of the provided groups were supported.


      4   SILC_SKE_STATUS_UNSUPPORTED_CIPHER

          None of the provided ciphers were supported.


      5   SILC_SKE_STATUS_UNSUPPORTED_PKCS

          None of the provided public key algorithms were supported.


      6   SILC_SKE_STATUS_UNSUPPORTED_HASH_FUNCTION

          None of the provided hash functions were supported.


      7   SILC_SKE_STATUS_UNSUPPORTED_HMAC

          None of the provided HMACs were supported.


      8   SILC_SKE_STATUS_UNSUPPORTED_PUBLIC_KEY

          Provided public key type is not supported.


      9   SILC_SKE_STATUS_INCORRECT_SIGNATURE

          Provided signature was incorrect.


      10  SILC_SKE_STATUS_BAD_VERSION

          Provided version string was not acceptable.



Riikonen                                                       [Page 17]
\f
Internet-Draft                                           15 January 2007


      11  SILC_SKE_STATUS_INVALID_COOKIE

          The cookie in the Key Exchange Start Payload was malformed,
          because responder modified the cookie.


3 SILC Connection Authentication Protocol

   Purpose of Connection Authentication protocol is to authenticate the
   connecting party with server.  Usually connecting party is client but
   server may connect to router server as well.  Its other purpose is to
   provide information for the server about which type of entity the
   connection is.  The type defines whether the connection is client,
   server or router connection.  Server use this information to create the
   ID for the connection.

   Server MUST verify the authentication data received and if it is to fail
   the authentication MUST be failed by sending SILC_PACKET_FAILURE packet.
   If authentication is successful the protocol is ended by server by sending
   SILC_PACKET_SUCCESS packet.

   The protocol is executed after the SILC Key Exchange protocol.  It MUST
   NOT be executed in any other time.  As it is performed after key exchange
   protocol all traffic in the connection authentication protocol is
   encrypted with the exchanged keys.

   The protocol MUST be started by the connecting party by sending the
   SILC_PACKET_CONNECTION_AUTH packet with Connection Auth Payload,
   described in the next section.  This payload MUST include the
   authentication data.  The authentication data is set according
   authentication method that MUST be known by both parties.  If connecting
   party does not know what is the mandatory authentication method it MAY
   request it from the server by sending SILC_PACKET_CONNECTION_AUTH_REQUEST
   packet.  This packet is not part of this protocol and is described in
   section Connection Auth Request Payload in [SILC2].  However, if
   connecting party already knows the mandatory authentication method
   sending the request is not necessary.

   See [SILC1] and section Connection Auth Request Payload in [SILC2] also
   for the list of different authentication methods.  Authentication method
   MAY also be NONE, in which case the server does not require
   authentication.  However, in this case the protocol still MUST be
   executed; the authentication data is empty indicating no authentication
   is required.

   If authentication method is passphrase the authentication data is
   plaintext passphrase.  As the payload is encrypted it is safe to have
   plaintext passphrase.  It is also provided as plaintext passphrase



Riikonen                                                       [Page 18]
\f
Internet-Draft                                           15 January 2007


   because the receiver may need to pass the entire passphrase into a
   passphrase verifier, and a message digest of the passphrase would
   prevent this.  See the section 3.2.1 Passphrase Authentication for
   more information.

   If authentication method is public key authentication the authentication
   data is a digital signature of the hash value of hash HASH and Key
   Exchange Start Payload, established by the SILC Key Exchange protocol.
   This signature MUST then be verified by the server.  See the section
   3.2.2 Public Key Authentication for more information.

   See the section 4 SILC Procedures in [SILC1] for more information about
   client creating connection to server, and server creating connection
   to router, and how to register the session in the SILC Network after
   successful Connection Authentication protocol.


3.1 Connection Auth Payload

   Client sends this payload to authenticate itself to the server.  Server
   connecting to another server also sends this payload.  Server receiving
   this payload MUST verify all the data in it and if something is to fail
   the authentication MUST be failed by sending SILC_PACKET_FAILURE packet.

   The payload may only be sent with SILC_PACKET_CONNECTION_AUTH packet.
   It MUST NOT be sent in any other packet type.  The following diagram
   represent the Connection Auth Payload.







                          1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Payload Length         |        Connection Type        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     ~                     Authentication Data                       ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                    Figure 3:  Connection Auth Payload


      o Payload Length (2 bytes) - Length of the entire Connection



Riikonen                                                       [Page 19]
\f
Internet-Draft                                           15 January 2007


        Auth Payload.

      o Connection Type (2 bytes) - Indicates the type of the
        connection.  See section Connection Auth Request Payload
        in [SILC2] for the list of connection types.  This field MUST
        include valid connection type or the packet MUST be discarded
        and authentication MUST be failed.

      o Authentication Data (variable length) - The actual
        authentication data.  Contents of this depends on the
        authentication method known by both parties.  If no
        authentication is required this field does not exist.


3.2 Connection Authentication Types

   SILC supports two authentication types to be used in the connection
   authentication protocol; passphrase authentication or public key
   authentication based on digital signatures.  The following sections
   defines the authentication methods.  See [SILC2] for defined numerical
   authentication method types.


3.2.1 Passphrase Authentication

   Passphrase authentication or pre-shared key based authentication is
   simply an authentication where the party that wants to authenticate
   itself to the other end sends the passphrase that is required by
   the other end, for example server.  The plaintext passphrase is put
   to the payload, that is then encrypted.  The plaintext passphrase
   MUST be in UTF-8 [RFC2279] encoding.  If the passphrase is in the
   sender's system in some other encoding it MUST be UTF-8 encoded
   before transmitted.  The receiver MAY change the encoding of the
   passphrase to its system's default character encoding before verifying
   the passphrase.

   If the passphrase matches with the one in the server's end the
   authentication is successful.  Otherwise SILC_PACKET_FAILURE MUST be
   sent to the sender and the protocol execution fails.

   This is REQUIRED authentication method to be supported by all SILC
   implementations.

   When password authentication is used it is RECOMMENDED that maximum
   amount of padding is applied to the SILC packet.  This way it is not
   possible to approximate the length of the password from the encrypted
   packet.




Riikonen                                                       [Page 20]
\f
Internet-Draft                                           15 January 2007


3.2.2 Public Key Authentication

   Public key authentication may be used if passphrase based authentication
   is not desired.  The public key authentication works by sending a
   digital signature as authentication data to the other end, say, server.
   The server MUST then verify the signature by the public key of the sender,
   which the server has received earlier in SKE protocol, or which the
   server has cached locally at some previous time.

   The signature is computed using the private key of the sender by signing
   the HASH value provided by the SKE protocol previously, and the Key
   Exchange Start Payload from SKE protocol that was sent to the server.
   These are concatenated and hash function is used to compute a hash value
   which is then signed.

     auth_hash = hash(HASH | Key Exchange Start Payload);
     signature = sign(auth_hash);

   The hash() function used to compute the value is the hash function
   negotiated in the SKE protocol.  The server MUST verify the data, thus
   it must keep the HASH and the Key Exchange Start Payload saved during
   SKE and authentication protocols.  These values can be discarded after
   Connection Authentication protocol is completed.

   If the verified signature matches the sent signature, the authentication
   were successful and SILC_PACKET_SUCCESS is sent.  If it failed the
   protocol execution is stopped and SILC_PACKET_FAILURE is sent.

   This is REQUIRED authentication method to be supported by all SILC
   implementations.



3.3 Connection Authentication Status Types

   This section defines all connection authentication status types that
   may be returned in the SILC_PACKET_SUCCESS or SILC_PACKET_FAILURE packets
   to indicate the status of the protocol.  Implementations may map the
   status types to human readable error message.  All types except the
   SILC_AUTH_STATUS_OK type MUST be sent in SILC_PACKET_FAILURE packet.
   The length of status is 32 bits (4 bytes).  The following status types
   are defined:

   0   SILC_AUTH_OK

       Protocol was executed successfully.





Riikonen                                                       [Page 21]
\f
Internet-Draft                                           15 January 2007


   1   SILC_AUTH_FAILED

       Authentication failed.


4 Security Considerations

   Security is central to the design of this protocol, and these security
   considerations permeate the specification.  Common security considerations
   such as keeping private keys truly private and using adequate lengths for
   symmetric and asymmetric keys must be followed in order to maintain the
   security of this protocol.


5 References

   [SILC1]      Riikonen, P., "Secure Internet Live Conferencing (SILC),
                Protocol Specification", Internet Draft, January 2007.

   [SILC2]      Riikonen, P., "SILC Packet Protocol", Internet Draft,
                January 2007.

   [SILC4]      Riikonen, P., "SILC Commands", Internet Draft, January 2007.

   [IRC]        Oikarinen, J., and Reed D., "Internet Relay Chat Protocol",
                RFC 1459, May 1993.

   [IRC-ARCH]   Kalt, C., "Internet Relay Chat: Architecture", RFC 2810,
                April 2000.

   [IRC-CHAN]   Kalt, C., "Internet Relay Chat: Channel Management", RFC
                2811, April 2000.

   [IRC-CLIENT] Kalt, C., "Internet Relay Chat: Client Protocol", RFC
                2812, April 2000.

   [IRC-SERVER] Kalt, C., "Internet Relay Chat: Server Protocol", RFC
                2813, April 2000.

   [SSH-TRANS]  Ylonen, T., et al, "SSH Transport Layer Protocol",
                Internet Draft.

   [PGP]        Callas, J., et al, "OpenPGP Message Format", RFC 2440,
                November 1998.

   [SPKI]       Ellison C., et al, "SPKI Certificate Theory", RFC 2693,
                September 1999.




Riikonen                                                       [Page 22]
\f
Internet-Draft                                           15 January 2007


   [PKIX-Part1] Housley, R., et al, "Internet X.509 Public Key
                Infrastructure, Certificate and CRL Profile", RFC 2459,
                January 1999.

   [Schneier]   Schneier, B., "Applied Cryptography Second Edition",
                John Wiley & Sons, New York, NY, 1996.

   [Menezes]    Menezes, A., et al, "Handbook of Applied Cryptography",
                CRC Press 1997.

   [OAKLEY]     Orman, H., "The OAKLEY Key Determination Protocol",
                RFC 2412, November 1998.

   [ISAKMP]     Maughan D., et al, "Internet Security Association and
                Key Management Protocol (ISAKMP)", RFC 2408, November
                1998.

   [IKE]        Harkins D., and Carrel D., "The Internet Key Exchange
                (IKE)", RFC 2409, November 1998.

   [HMAC]       Krawczyk, H., "HMAC: Keyed-Hashing for Message
                Authentication", RFC 2104, February 1997.

   [PKCS1]      Kalinski, B., and Staddon, J., "PKCS #1 RSA Cryptography
                Specifications, Version 2.0", RFC 2437, October 1998.

   [RFC2119]    Bradner, S., "Key Words for use in RFCs to Indicate
                Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2279]    Yergeau, F., "UTF-8, a transformation format of ISO
                10646", RFC 2279, January 1998.

   [RFC2401]    Kent, S., et al, "Security Architecture for the Internet
                Protocol", RFC 2401, November 1998.

   [RFC2406]    Kent, S., et al, "Security Architecture for the Internet
                Protocol", RFC 2406, November 1998.


6 Author's Address

   Pekka Riikonen
   Helsinki
   Finland

   EMail: priikone@iki.fi





Riikonen                                                       [Page 23]
\f
Internet-Draft                                           15 January 2007


7 Full Copyright Statement

   Copyright (C) The Internet Society (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.




































Riikonen                                                       [Page 24]
\f