[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Counter Mode: Proposed Way Forward
- To: ipsec@lists.tislabs.com
- Subject: Re: Counter Mode: Proposed Way Forward
- From: Russ Housley <housley@vigilsec.com>
- Date: Mon, 30 Dec 2002 14:40:28 -0500
- In-Reply-To: <5.2.0.9.2.20021127191422.00b82a78@mail.binhost.com>
- References: <15845.1606.961113.340051@pkoning.dev.equallogic.com><F504A8CEE925D411AF4A00508B8BE90A0162D056@exna07.securitydynamics.com>
- Sender: owner-ipsec@lists.tislabs.com
I updated the AES Counter Mode draft. It should be posted as soon as the
repository administrator returns from the holiday break. The document
describes the use of a nonce as previously discussed on the list. And, a
new section describes the way that IKE can provide the nonce. This is the
only part that has not already been discussed on the list, so I am posting
it here to foster discussion.
5. IKE Conventions
As described in section 2.1, implementations MUST use fresh keys with
AES-CTR. The Internet Key Exchange (IKE) [IKE] protocol can be used
to establish fresh keys. IKE can also provide the nonce value. This
section describes the conventions for obtaining the unpredictable
nonce from IKE.
The IKE_SA_init and the IKE_SA_init_response each contain a nonce.
These nonces are used as inputs to cryptographic functions. The
CREATE_CHILD_SA request and the CREATE_CHILD_SA response also contain
nonces. These nonces are used to add freshness to keys for child
security associations. In both cases, these nonces are
unpredictable, they are longer than 32 bits, and IKE transfers the
nonce value to the peer.
Each party will use the nonce that it generated for encryption, and
the nonce that the other party generated for decryption. The 32
least significant bits of the nonce used to establish the security
association will be used in the AES-CTR counter block. For the first
security association, the nonces come from the IKE_SA_init and
IKE_SA_init_response. For subsequent security associations, the
nonces come from the CREATE_CHILD_SA request and CREATE_CHILD_SA
response.
Enjoy,
Russ