ACP-WG I-08/WP-__

International Civil Aviation Organization
WORKING PAPER

Aeronautical Communication Panel
Working Group I – Internet Protocol Suite (IPS)
August 25-29, 2008, Montreal, Canada

Encryption Algorithms for Air-Ground ESP and IKEv2 in the “Manual for the ATN using IPS Standards and Protocols”

Prepared by: Vic Patel

SUMMARY

During the technical editing session of Part I of Doc 9896 at meeting #7 it was agreed that a default encryption algorithm should be specified for use in the IPsec Encapsulating Security Payload (ESP) protocol and the Internet Key Exchange version 2 (IKEv2) protocol for air-to-ground operation. This working paper recommends that the AES GCM combined mode algorithm, offering both confidentiality and authentication, be specified for ESP and that AES CBC be used for IKEv2 encryption. The working group is invited to consider the proposed algorithm.

1. Introduction

At the 7th meeting of Working Group I, during a technical editing session of Doc 9896, it was noted that, unlike for authentication, there was no default algorithm for encryption. This paper suggests an algorithm and provides some rationale for the selection.

2. IANA Encryption Algorithm Transform IDs

The following table (www.iana.org/assignments/ikev2-parameters) lists the encryption algorithms that have been assigned registry numbers for use with ESP and IKEv2.
Registry:

Number        Name                                  Reference
------------  ------------------------------------  ---------
0             Reserved                              [RFC4306]
1             ENCR_DES_IV64                         [RFC1827]
2             ENCR_DES                              [RFC2405]
3             ENCR_3DES                             [RFC2451]
4             ENCR_RC5                              [RFC2451]
5             ENCR_IDEA                             [RFC2451]
6             ENCR_CAST                             [RFC2451]
7             ENCR_BLOWFISH                         [RFC2451]
8             ENCR_3IDEA                            [RFC2451]
9             ENCR_DES_IV32                         [RFC4306]
10            Reserved                              [RFC4306]
11            ENCR_NULL                             [RFC2410]
12            ENCR_AES_CBC                          [RFC3602]
13            ENCR_AES_CTR                          [RFC3686]
14            ENCR_AES-CCM_8                        [RFC4309]
15            ENCR-AES-CCM_12                       [RFC4309]
16            ENCR-AES-CCM_16                       [RFC4309]
17            Unassigned
18            AES-GCM with an 8 octet ICV           [RFC4106]
19            AES-GCM with a 12 octet ICV           [RFC4106]
20            AES-GCM with a 16 octet ICV           [RFC4106]
21            ENCR_NULL_AUTH_AES_GMAC               [RFC4543]
22            Reserved for IEEE P1619 XTS-AES       [Ball]
23-1023       Unassigned                            [RFC4306]
1024-65535    Private use                           [RFC4306]

Table 1 – IANA Encryption Algorithm Transform IDs

Although it would be possible for the ATN/IPS to assign a “private use” value, it is expected that the algorithms listed in the table are more likely to be available in Commercial-Off-The-Shelf (COTS) products.

The above list contains a variety of encryption algorithms; however, the US National Institute of Standards and Technology (NIST) currently has three approved algorithms: AES, Triple DES, and Skipjack. Of the three, the Advanced Encryption Standard appears to have emerged as the default encryption algorithm for future use. For example, it has been selected by the US National Security Agency (NSA) for encryption as part of NSA’s cryptographic modernization program.

3. AES Mode for ESP Encryption

The third (and current) generation of the IP Encapsulating Security Payload (ESP) protocol [RFC 4303] now provides for “combined mode” algorithms, which offer both confidentiality and integrity in a single operation and thus offer efficiency gains when compared with sequentially applying encryption and then integrity protection. Here integrity is defined in RFC 4303 to mean both data origin authentication and connectionless integrity.
When combined mode algorithms are used, the Integrity Check Value may be omitted from the ESP packet. In Table 1 there are two combined mode algorithms, both of which have RFCs specifying their use. Both are used with AES. One is Counter with Cipher-Block-Chaining Message Authentication Code (CCM) and the other is Galois/Counter Mode (GCM).

AES CCM and AES GCM have similar characteristics. Both exist as RFCs (RFC 4309 and RFC 4106 respectively); both claim to be unencumbered by patents; and the message expansion for both is the check value that is added. NIST has developed a special publication for both AES CCM (SP 800-38C) and AES GCM (SP 800-38D); however, RFC 4869, Suite B Cryptographic Suites for IPsec, developed by NSA, selects AES GCM for ESP encryption in “Suite-B-GCM-128”.

4. AES Mode for IKEv2 Encryption

The other (non combined mode) AES selections in Table 1 are Cipher Block Chaining (CBC) and Counter modes. These are specified in RFCs 3602 and 3686 respectively. RFC 4307, Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2), specifies that AES CBC should be implemented. RFC 4308, Cryptographic Suites for IPsec, also specifies AES CBC for Suite “VPN-B”. In addition, RFC 4869 specifies AES CBC for “Suite-B-GCM-128”.

5. Recommendation

It is recommended that the AES GCM combined mode algorithm, offering both confidentiality and authentication, be specified for ESP and that AES CBC be used for IKEv2 encryption. These selections, together with other requirements in draft Document 9896, correspond to “Suite-B-GCM-128” as specified in RFC 4869 for air-ground operation.
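The AES GCM transforms of Table 1 applied to an ESP packet in the manner RFC 4106 describes, as an added Go example that is not part of this working paper: the ICV is computed in the same pass as the encryption, its length (selected by the transform ID) is the only message expansion, and the SPI and sequence number are integrity-protected without being encrypted. The key, salt, IV, SPI and payload used with it are constructed values, and the espGCM, SealESP and OpenESP names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// ICV length by transform ID (Table 1); ID 18's 8-octet ICV is below the 12-octet minimum Go's GCM allows.
var icvLen = map[int]int{19: 12, 20: 16}

// espGCM assembles the per-packet inputs as RFC 4106 does: nonce = 4-octet salt from
// the keying material || 8-octet IV sent in the packet; AAD = SPI || sequence number.
func espGCM(transform int, key, salt, iv []byte, spi, seq uint32) (cipher.AEAD, []byte, []byte, error) {
	n, ok := icvLen[transform]
	if !ok {
		return nil, nil, nil, fmt.Errorf("transform %d is not a supported AES-GCM ID", transform)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, nil, err
	}
	g, err := cipher.NewGCMWithTagSize(block, n)
	if err != nil {
		return nil, nil, nil, err
	}
	nonce := append(append([]byte{}, salt[:4]...), iv[:8]...)
	aad := binary.BigEndian.AppendUint32(binary.BigEndian.AppendUint32(nil, spi), seq)
	return g, nonce, aad, nil
}

// SealESP encrypts and computes the ICV in one pass; the ICV is the only message expansion.
func SealESP(transform int, key, salt, iv []byte, spi, seq uint32, plain []byte) ([]byte, error) {
	g, nonce, aad, err := espGCM(transform, key, salt, iv, spi, seq)
	if err != nil {
		return nil, err
	}
	return g.Seal(nil, nonce, plain, aad), nil
}

// OpenESP verifies the ICV before decrypting, so an altered ciphertext, SPI or
// sequence number is rejected rather than passed up the stack.
func OpenESP(transform int, key, salt, iv []byte, spi, seq uint32, sealed []byte) ([]byte, error) {
	g, nonce, aad, err := espGCM(transform, key, salt, iv, spi, seq)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, sealed, aad)
}
```

A receiver that rejects a packet on a changed sequence number is also what makes the ESP anti-replay window effective, since the number cannot be rewritten without invalidating the ICV.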