ACP-WG I-08/WP-__
International Civil Aviation Organization
WORKING PAPER
Aeronautical Communication Panel
Working Group I – Internet Protocol Suite (IPS)
August 25-29, 2008
Montreal Canada
Encryption Algorithms for Air-Ground ESP and IKEv2 in the “Manual for the ATN using IPS Standards and Protocols”
Prepared by: Vic Patel
SUMMARY
During the technical editing session of Part I of Doc 9896 at meeting #7 it was agreed
that a default encryption algorithm should be specified for use in the IPsec Encapsulating
Security Payload (ESP) protocol and Internet Key Exchange version 2 (IKEv2) protocol
for air-to-ground operation. This working paper recommends that the AES GCM
combined mode algorithm offering both confidentiality and authentication be specified
for ESP and that AES CBC be used for IKEv2 encryption. The working group is invited
to consider the proposed algorithm.
1. Introduction
At the 7th meeting of Working Group I during a technical editing session of Doc 9896 it
was noted that, unlike for authentication, there was no default algorithm for encryption.
This paper suggests an algorithm and provides some rationale for the selection.
2. IANA Encryption Algorithm Transform IDs
The following table (www.iana.org/assignments/ikev2-parameters) lists the encryption
algorithms that have been assigned registry numbers for use with ESP and IKEv2.
Registry:
Number      Name                                Reference
----------  ----------------------------------  ---------
0           Reserved                            [RFC4306]
1           ENCR_DES_IV64                       [RFC1827]
2           ENCR_DES                            [RFC2405]
3           ENCR_3DES                           [RFC2451]
4           ENCR_RC5                            [RFC2451]
5           ENCR_IDEA                           [RFC2451]
6           ENCR_CAST                           [RFC2451]
7           ENCR_BLOWFISH                       [RFC2451]
8           ENCR_3IDEA                          [RFC2451]
9           ENCR_DES_IV32                       [RFC4306]
10          Reserved                            [RFC4306]
11          ENCR_NULL                           [RFC2410]
12          ENCR_AES_CBC                        [RFC3602]
13          ENCR_AES_CTR                        [RFC3686]
14          ENCR_AES-CCM_8                      [RFC4309]
15          ENCR-AES-CCM_12                     [RFC4309]
16          ENCR-AES-CCM_16                     [RFC4309]
17          Unassigned
18          AES-GCM with a 8 octet ICV          [RFC4106]
19          AES-GCM with a 12 octet ICV         [RFC4106]
20          AES-GCM with a 16 octet ICV         [RFC4106]
21          ENCR_NULL_AUTH_AES_GMAC             [RFC4543]
22          Reserved for IEEE P1619 XTS-AES     [Ball]
23-1023     Unassigned                          [RFC4306]
1024-65535  Private use                         [RFC4306]
Table 1 – IANA Encryption Algorithm Transform IDs
Although it would be possible for the ATN/IPS to assign a “private use” value, it is
expected that those algorithms listed in the table would more likely be available in
Commercial-Off-The-Shelf (COTS) products.
The above list contains a variety of encryption algorithms; however, the US National
Institute of Standards and Technology (NIST) currently has three approved algorithms:
AES, Triple DES, and Skipjack. Of the three, the Advanced Encryption Standard
appears to have emerged as the default encryption algorithm for future use. For example,
it has been selected by the US National Security Agency (NSA) for encryption as part of
NSA’s cryptographic modernization program.
3. AES Mode for ESP Encryption
The third (and current) generation of the IP Encapsulating Security Payload (ESP)
protocol [RFC 4303] now provides for “combined mode” algorithms which offer both
confidentiality and integrity in a single operation and thus offer efficiency gains when
compared with sequentially applying encryption and then integrity. Here integrity is
defined in RFC 4303 to mean both data origin authentication and connectionless
integrity. When combined mode algorithms are used the Integrity Check Value may be
omitted from the ESP packet. In Table 1 there are two combined mode algorithms both
of which have RFCs specifying their use. Both are used with AES. One is Counter with
Cipher-Block-Chaining Message Authentication Code (CCM) and the other is
Galois/Counter Mode (GCM). AES CCM and AES GCM have similar characteristics.
Both exist as RFCs, (RFC 4309 and RFC 4106 respectively); both claim to be
unencumbered by patents; and, the message expansion for both is the check value which
is added. NIST has developed a special publication for both AES CCM (SP 800-38C)
and AES GCM (SP 800-38D); however RFC 4869, Suite B Cryptographic Suites for
IPsec, developed by NSA selects AES GCM for ESP encryption for “Suite-B-GCM-128”.
4. AES Mode for IKEv2 Encryption
The other (non combined mode) AES selections in Table 1 are Cipher Block Chaining
(CBC) and Counter modes. These are specified in RFCs 3602 and 3686 respectively.
RFC 4307, Cryptographic Algorithms for Use in the Internet Key Exchange Version 2
(IKEv2), specifies that AES CBC should be implemented. RFC 4308, Cryptographic
Suites for IPsec, also specifies AES CBC for Suite “VPN-B”. In addition RFC 4869
specifies AES CBC for “Suite-B-GCM-128”.
5. Recommendation
It is recommended that the AES GCM combined mode algorithm offering both
confidentiality and authentication be specified for ESP and that AES CBC be used for
IKEv2 encryption. These selections together with other requirements in draft Document
9896 correspond to “Suite-B-GCM-128” as specified in RFC 4869 for air-ground
operation.
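
The following is an added example, not part of the working paper: a check that the encryption transforms offered in an IKEv2 SA proposal match the recommendation above, using the Transform IDs from Table 1 and the Transform substructure layout of RFC 4306. The 128-bit key length is an assumption taken from the suite name "Suite-B-GCM-128"; the function names and the sample proposals are constructed for illustration.

```python
import struct

# Transform IDs as listed in Table 1 of the paper.
ALLOWED = {"ESP": {18, 19, 20},   # AES-GCM with 8-, 12- or 16-octet ICV
           "IKEv2": {12}}         # ENCR_AES_CBC
ENCR = 1                          # IKEv2 Transform Type 1 = encryption algorithm
KEY_LENGTH = 14                   # IKEv2 Key Length attribute type

def parse_transforms(buf):
    """Parse IKEv2 Transform substructures into (type, id, key_bits) tuples."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated transform header")
        more, _, length, ttype, _, tid = struct.unpack_from("!BBHBBH", buf, off)
        if length < 8 or (length - 8) % 4 or off + length > len(buf):
            raise ValueError("bad transform length")
        key_bits = None
        for a in range(off + 8, off + length, 4):
            atype, aval = struct.unpack_from("!HH", buf, a)
            if not atype & 0x8000:
                raise ValueError("only fixed-length (TV) attributes are handled")
            if atype & 0x7FFF == KEY_LENGTH:
                key_bits = aval
        out.append((ttype, tid, key_bits))
        off += length
        if more == 0:   # 0 marks the last transform, 3 means more follow
            break
    return out

def violations(protocol, buf, key_bits=128):
    """List departures from the recommendation; an empty list means compliant."""
    found = []
    for ttype, tid, bits in parse_transforms(buf):
        if ttype != ENCR:
            continue    # integrity, PRF and DH transforms are outside this check
        if tid not in ALLOWED[protocol]:
            found.append(f"{protocol}: encryption transform {tid} not permitted")
        elif bits != key_bits:
            found.append(f"{protocol}: key length {bits}, expected {key_bits}")
    return found

def transform(ttype, tid, key_bits=None, last=True):
    """Build one Transform substructure (used for the constructed samples)."""
    attrs = struct.pack("!HH", 0x8000 | KEY_LENGTH, key_bits) if key_bits else b""
    header = struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), ttype, 0, tid)
    return header + attrs

# Constructed sample proposals, not captured traffic.
ESP_OK = transform(ENCR, 20, 128)   # AES-GCM, 16-octet ICV, 128-bit key
ESP_3DES = transform(ENCR, 3)       # ENCR_3DES, outside the recommendation
```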