]> UK National Cyber Security Centre

Ben.S3@ncsc.gov.uk

UK National Cyber Security Centre

Adam.R@ncsc.gov.uk

UK National Cyber Security Centre

Jonathan.C@ncsc.gov.uk

Security IPSECME ipsec sha-3 ikev2 kmac This document specifies the use of HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512, KMAC128 and KMAC256 within the Internet Key Exchange Version 2 (IKEv2), Encapsulating Security Payload (ESP), and Authentication Header (AH) protocols. These algorithms can be used as integrity protection algorithms for ESP, AH and IKEv2, and as Pseudo-Random Functions (PRFs) for IKEv2. Requirements for supporting signature algorithms in IKEv2 that use SHA3-224, SHA3-256, SHA3-384 and SHA3-512 are also specified.

Introduction specifies both the SHA3-256, SHA3-384 and SHA3-512 cryptographic hash functions, and the SHAKE eXtendable-output functions (XOFs). HMAC can be used with cryptographic hash functions to generate message authentication codes (MACs) that can be used for integrity protection for IKEv2 or IPsec, or as a PRF for IKEv2. specifies KMAC128 and KMAC256, which use variants of SHAKE128 and SHAKE256 respectively to create a MAC. Like the output of SHAKE, the MAC output of KMAC can be of any length required by the application. This document specifies how to use HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512, KMAC128, and KMAC256 with IKEv2 and IPsec. It also allocates values used for announcing support of SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, and SHAKE256 when generating and validating signatures in IKEv2. EDNOTE: HMAC-SHA3-224 has been ignored as it doesn't have an equivalent in RFC 4868. draft-ietf-lamps-cms-sha3-hash includes support for SHA3-224 with ECDSA, hence its inclusion in the hash functions registry. Should SHA3-224/HMAC-SHA3-224 be specified for use in IKEv2/IPsec? Can/should the output be truncated safely for auth/integrity protection?

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. Additionally, this document uses several terms to collectively refer to sets of algorithms. The term "SHA-3 cryptographic hash functions" is used to collectively refer to SHA3-256, SHA3-384 and SHA3-512. The term "HMAC" is used to refer to the Keyed-Hash Message Authentication Code algorithm generally, independent of specific cryptographic hash functions. The term "HMAC-SHA3" is used to collectively refer to HMAC-SHA3-256, HMAC-SHA3-384 and HMAC-SHA3-512. The term "KMAC" is used to collectively refer to KMAC-128 and KMAC-256. The term "SHA-3" (without any other qualifiers) is used to collectively refer to the cryptographic algorithms defined in and . The term "SHA-2" (without any other qualifiers) is used to collectively refer to SHA-224, SHA-256, SHA-384 and SHA-512. The term "SHAKE" is used to collectively refer to SHAKE128 and SHAKE256.

SHA-3 and Keccak SHA-3 is a collection of cryptographic algorithms that all utilise the Keccak sponge construction. describes the SHA-3 cryptographic hash functions, which produce a fixed length digest for any length of input. These hash functions are intended to be used in the same manner and contexts as other traditional hash functions such as SHA-2. also describes the SHAKE XOFs. An XOF differs from a traditional hash function in that the length of the XOF's output can be chosen by the application that uses it. describes cSHAKE, a customisable version of SHAKE, and KMAC, which is a PRF and keyed hash function that utilises cSHAKE. Like SHAKE and cSHAKE, the length of KMAC's output is application-dependent. SHA-3 was specified to provide applications with an alternative to SHA-2, which is based on the Merkle-Damgård construction. Use of the Merkle-Damgård construction in SHA-2 means that length extension attacks are possible if SHA-2 isn't used correctly. At the time of writing, use of SHA-2 in IPsec is believed to be secure, and hence there is no security motivation to migrate away from SHA-2 to SHA-3 in this context. However, in the event that a significant attack on SHA-2 is discovered, SHA-3 will be an immediately viable alternative. Migration to use of post-quantum algorithms in IKEv2 may make use of SHA-3 more appealing for minimal implementations of IPsec, as , , and all make use of SHA-3 internally. Since support for SHA-3 is required to implement these algorithms, some implementers may find it preferable to implement SHA-3, and only SHA-3, if interoperability with general-purpose IKEv2 and IPsec implementations is not required. KMAC is more efficient than HMAC-SHA3, as it directly uses the Keccak sponge function to produce a MAC, rather than treating Keccak as a traditional cryptographic hash function, and then feeding that hash function into a separate MAC algorithm. This would imply that use of KMAC is strictly preferred over HMAC-SHA3 and that HMAC-SHA3 shouldn't be implemented. However, as HMAC doesn't produce variable-length output and is widely utilised in IPsec implementations already, upgrading these implementations to support HMAC-SHA3 may be a simpler task than upgrading them to support KMAC.

APIs for SHA-3 To make it easier to compare HMAC and KMAC, basic APIs for each are defined below. The symbols used in these APIs broadly conform to those described in . KMAC and HMAC implementations used in IKEv2 and IPsec do not need to conform to these APIs exactly, they're merely used in this document for illustrative purposes. For the purposes of this document, the API for HMAC is defined as: HMAC(K, X) -> Z Each input and output is a bit string, where: K is the key. It can be of any length, including zero. X is the input string. It can be of any length, including zero. Z is the output string of HMAC, which is a message authentication code. The size of Z is fixed for each HMAC algorithm, and is the same size as the digest produced by the hash function used by that algorithm. For the purposes of this document, the API for KMAC is defined as: KMAC(K, X, L, S) -> Z where: K is the key. It is a bit string of any length, including zero, up to but not including 2^2040 bits. X is the input string. It is a bit string of any length, including zero. L is an integer representing the requested output length in bits. This parameter is typically fixed in the context of IKEv2, except when extracting key material using prf+ in IKEv2, where it depends on the length of key material needed by the negotiated cipher suite. S is an optional customization string. It is a bit string of any length, including zero, up to but not including 2^2040 bits. Z is the output string of KMAC, which is a message authentication code. It is a bit string of length L. EDNOTE: the symbols chosen above mostly match those in SP 800-15. They also match draft-ietf-lamps-cms-sha3-hash. However, RFC 7296 uses S for the prf+ input string. Would it be better use change X to S, and change S to C?

Constraints on SHA-3 inputs and outputs Per , the length of the K input to KMAC MUST be less than 2^2040 bits. In the context of IKEv2 and IPsec, there is no situation where a key that long would be expected. Initiator and Responder nonces Ni and Nr are used as inputs to IKE PRF calls, although the length of these nonces combined cannot exceed 4096 bits. Shared secrets used for authentication in IKEv2 are used as keys with PRFs negotiated by IKE, and have no upper bound on their length. Therefore, KMAC and HMAC-SHA3 implementations used with IKEv2 MUST at minimum accept K inputs up to and including 4096 bits in length. Implementations MAY restrict the size of pre-shared key inputs such that they do not exceed 4096 bits. There is no algorithm-defined minimum size for the key inputs to KMAC and HMAC-SHA3, but and describe the size of keys to be used with IKEv2 and IPsec, aligned to the security strength of each algorithm. Using a key smaller than the security strength of the chosen KMAC or HMAC-SHA3 algorithm undermines the security properties of that algorithm. Where IKEv2 is used to create security associations, the size of most PRF keys is automatically managed at the protocol level, and there is no risk of selecting an undersized key in these cases. However, the size of keys used for PRFs in IKE cannot always be controlled. In the case of pre-shared keys used for authentication or protection against a quantum computer, those secrets are used as the key input to a PRF negotiated by IKE. That shared secret could be arbitrarily chosen by a user rather than securely generated, or derived from a password, even though strongly discourages this practice. IKEv2 implementations following the recommendation laid out in can impose constraints on suitable pre-shared keys. Additionally, Ni and Nr are variable length and are used as the key for KMAC or HMAC-SHA3. states that each of these nonces MUST be at least 128 bits in size, and MUST be at least half the preferred key size for the negotiated PRF. If an IKE peer sends an undersized nonce, the message containing that nonce can be rejected in the same way as any malformed IKE message would be. Conformant KMAC and HMAC-SHA3 implementations SHOULD reject keys that do not meet the security strength of the corresponding algorithm. The input string X can be a variety of lengths in practice, but will always be a multiple of eight. Similarly, KMAC's output length parameter L will always be a multiple of eight. Since the length of output required from KMAC is always known in advance, KMAC with arbitrary-length output as described in Section 4.3.1 of is never used, and thus L is never set to 0. KMAC's customization string S is fixed to a specific value depending on the context in which KMAC is used. Future specifications may define additional customization strings, but the set of valid strings used by KMAC in IKEv2 and IPsec will always be fixed-length context-dependent strings specified in IETF RFCs rather than dynamically created, e.g. via random data.

Padding Since the length of the input string X for both HMAC-SHA3 and KMAC varies, and both HMAC-SHA3 and KMAC operate on fixed-size input blocks, padding is required to use HMAC-SHA3 and KMAC in IKEv2 and IPsec. The padding scheme for the SHA-3 cryptographic hash functions is specified in , and the padding scheme for KMAC is specified in . An HMAC-SHA3 or KMAC implementation conformant to those documents is sufficient; no additional padding is required to use these algorithms in IKEv2 or IPsec. When KMAC or HMAC-SHA3 are used as the PRF for an IKE SA, the size of the key input K is variable. HMAC and KMAC both permit use of variable key sizes, but handle these keys differently.

HMAC Key Padding When HMAC is invoked, unless K is the same as the input block size for the cryptographic hash function being used, K is padded or compressed to match that block size. The "rate" of a sponge function is the number of input bits processed or output bits generated per invocation of that function, and serves as the input block size for HMAC. The rates, and hence input block sizes, for each SHA-3 cryptographic hash function when used with HMAC are described in and repeated below. Algorithm Name Rate (bytes) SHA3-256 136 SHA3-384 104 SHA3-512 72 Keys that match the rate of the relevant SHA-3 cryptographic hash function are used as-is. Keys that are shorter than the rate are right-padded up to the rate of the hash function using zero bits. Note that this is required for the majority of keys used with HMAC-SHA3 in IKEv2 or IPsec. Keys that are longer than the rate are hashed using the relevant SHA-3 cryptographic hash function. The resulting digest is then right-padded up to the rate of the hash function using zero bits. The padding described above is that required by . Any HMAC implementation conformant with that RFC is suitable for use in IKEv2 and IPsec, no protocol-specific additional padding of keys is required.

KMAC Key Padding Unlike HMAC, if the size of a KMAC key is greater than the recommended key size, the key is used in its entirety without any kind of shortening or truncation. As described in , keys are always padded up to a multiple of the rate of the underlying Keccak sponge function; that is, 168 bytes and 136 bytes for KMAC-128 and KMAC-256 respectively. Any KMAC implementation conformant with is suitable for use in IKEv2 and IPsec, no protocol-specific additional padding of keys is required.

Parameters and security strengths for SHA-3 algorithms describes the general properties of the SHA-3 algorithms, with the SHA-2 algorithms also listed for comparison purposes. The maximum security strengths listed are taken from . Note that these are maximum security strengths. Using keys that are shorter than the maximum security strength will constrain the maximum security strength of the chosen algorithm to be no higher than the length of that key. Keys that contain insufficient entropy to meet the maximum security strength constrain the maximum security of the chosen algorithm to be no higher than the bits of entropy represented in the key. Algorithm Name Output Length (bits) Maximum Security Strength (bits) HMAC-SHA-256 256 >=256 HMAC-SHA-384 384 >=256 HMAC-SHA-512 512 >=256 HMAC-SHA3-256 256 >=256 HMAC-SHA3-384 384 >=256 HMAC-SHA3-512 512 >=256 KMAC128 Variable 128 KMAC256 Variable >=256 describes the parameters of the SHA-3 algorithms as used as a PRF in IKEv2, with the SHA-2 algorithms also listed for comparison purposes. Algorithm Name PRF variant Preferred Key Size (bits) Output Length (bits) HMAC-SHA-256 PRF_HMAC_SHA2_256 256 256 HMAC-SHA-384 PRF_HMAC_SHA2_384 384 384 HMAC-SHA-512 PRF_HMAC_SHA2_512 512 512 HMAC-SHA3-256 PRF_HMAC_SHA3_256 256 256 HMAC-SHA3-384 PRF_HMAC_SHA3_384 384 384 HMAC-SHA3-512 PRF_HMAC_SHA3_512 512 512 KMAC128 PRF_KMAC_128 128 256, or length of output required for prf+ KMAC256 PRF_KMAC_256 256 512, or length of output required for prf+ Like their SHA-2 equivalents, the output of HMAC-SHA3 algorithms used in IKEv2 is used in its entirety without truncation. The security strength of these algorithms is the same as the maximum security strength for that algorithm, unless the entropy in the supplied key is insufficient to meet that strength. When key material is extracted from IKEv2's prf+ KDF for use with SHA-3 in IKEv2, the length of keys extracted MUST conform to the preferred key sizes listed in . EDNOTE: The KMAC output lengths have been aligned with HMAC, but if we're not depending on collision resistance, it seems like they could be reduced to 128/256 bits respectively? That would also mean that the PRF output would be suitable for use as a PRF key without requiring further modification, like HMAC. describes the parameters of the SHA-3 algorithms as used for authentication and integrity protection in IKEv2 and IPsec, with the SHA-2 algorithms also listed for comparison purposes. Algorithm Name Integrity variant Key Size (bits) Output Length (bits) HMAC-SHA-256 AUTH_HMAC_SHA2_256_128 256 128 HMAC-SHA-384 AUTH_HMAC_SHA2_384_192 384 192 HMAC-SHA-512 AUTH_HMAC_SHA2_512_256 512 256 HMAC-SHA3-256 AUTH_HMAC_SHA3_256_128 256 128 HMAC-SHA3-384 AUTH_HMAC_SHA3_384_192 384 192 HMAC-SHA3-512 AUTH_HMAC_SHA3_512_256 512 256 KMAC128 AUTH_KMAC_128 128 128 KMAC256 AUTH_KMAC_256 256 256 When used for authentication and integrity protection, HMAC-SHA3 message authentication codes are truncated, and KMAC message authentication codes are produced using a smaller value for the "requested output length" parameter L. In this case, the security strength of each given algorithm is constrained by its output length. When key material is extracted from IKEv2's prf+ KDF for use with SHA-3 for authentication and integrity protection in IKEv2 or IPsec, the length of keys extracted MUST conform to the key sizes listed in .

SHA-3 as a PRF in IKEv2

Overview IKEv2 Security Associations (SAs) make use of a PRF for authentication purposes, and as a part of the prf+ Key Derivation Function (KDF). HMAC-SHA3 and KMAC can both act as the PRF for an IKE SA, but KMAC is treated slightly differently to other PRFs as it is capable of producing different output lengths depending on the context in which it's used. For both HMAC-SHA3 and KMAC, key K is either a fixed length key (such as SK_d) that is the same size as the output produced by that SHA-3 algorithm, or the length of K is dependent on other factors. For example, when used with the IKE SA keys SK_d, SK_pi or SK_pr, these keys are always 256 bits in length when the IKE SA's PRF is HMAC-SHA3-256. When the PRF is used with nonce inputs as the key K (e.g. when generating SKEYSEED), or when the PRF is used with a pre-shared key as the HMAC key K, the length of the key K depends on implementation-specific details, user configuration options, etc.

HMAC-SHA3 When used as a PRF in IKEv2, the full output of each HMAC-SHA3 algorithm is used, rather than the truncated variants described below for integrity protection in IPsec. Since the output length of HMAC is fixed, prf+ is used as described in .

KMAC A notable difference to HMAC is that when KMAC is used as the PRF for an IKE SA, its "requested output length" parameter L and "customization string" parameter S are populated differently depending on whether KMAC is being used as a part of the prf+ KDF or not. The context string S is also populated differently depending on whether KMAC is used in prf+ or not. This process is described in more detail below. EDNOTE: The customization string differences aren't strictly necessary and may make implementation a bit harder, but they seem valuable in that we're placing a clear divide between two places with different rules on how KMAC is used.

KMAC as a PRF When used in IKEv2, KMAC's output length L is 128 for KMAC-128, and 256 for KMAC-256. That is, the output length is the same size as the security strength and preferred key size of the given KMAC algorithm. The only exception to this is when KMAC is used in prf+, as described below. When KMAC is used outside the context of prf+, the customization string S is set to the ASCII character string "ikev2 prf", without null termination.

KMAC in prf+ When KMAC is used in prf+, L is set to the length of the keying material required. That is, prf (K, S | 0x01) is the only step of the prf+ function that is ever required, as KMAC can produce a pseudorandom stream without the need to iteratively call prf as described in . EDNOTE: the intent here is to keep prf+ (sort of) the same for KMAC, it's just that only one iteration is ever needed. Would this actually be more annoying from an implementer's point of view than just replacing prf+, though? The extra 0x01 is easy to forget if you simply redirect prf+ calls to KMAC instead. When KMAC is used in prf+, the customization string S is set to the ASCII character string "ikev2 kdf", without null termination.

SHA-3 for authentication and integrity protection in ESP, AH and IKEv2 IPsec SAs can make use of an integrity protection algorithm to provide data origin authentication and integrity protection services. KMAC and HMAC-SHA3 can be used to provide these services. As described in , Authenticated Encryption with Associated Data (AEAD) ciphers are the fastest and most modern approach to providing these services in conjunction with confidentiality protection. KMAC and HMAC-SHA3 MUST NOT be negotiated in IKEv2 in conjunction with an AEAD cipher. HMAC-SHA3 and KMAC MAY be used as an integrity protection algorithm with: ESP in conjunction with a non-AEAD cipher ESP and null encryption (ENCR_NULL) IKEv2 in conjunction with a non-AEAD cipher AH EDNOTE: You really should use ENCR-NULL over AH here. RFC 8221 recommends use of ENCR_NULL over AH - would it be worth reiterating that here?

HMAC-SHA3 When HMAC-SHA3 is used for authentication and integrity protection in ESP, AH, and IKEv2, the HMAC key K is 256 bits in length for HMAC-SHA3-256, 384 bits in length for HMAC-SHA3-384, and 512 bits in length for HMAC-SHA3-512. The output string Z of HMAC is truncated such that the output length is halved. As described in , the left-most bits are retained, and the right-most bits are discarded. The output string is truncated for the same reasons described in for HMAC-SHA2. Truncating the output of HMAC reduces the size expansion created by integrity protection offered by ESP and AH, and reduces the size of IKE messages. The output length is halved to match the birthday attack bound for HMAC.

KMAC When using KMAC, the L input parameter is always set to the same value as the key size and security strength of the chosen KMAC algorithm. That is, the output length of KMAC128 is always set to 128 bits, and the output length of KMAC256 is always set to 256 bits. When used with ESP or AH, the "customization string" parameter S is set to the ASCII character string "ipsec", without null termination. When used with IKEv2 for authentication and integrity protection, the "customization string" parameter S is set to the ASCII character string "ikev2 auth", without null termination. EDNOTE: Again, the customization string differences probably aren't strictly necessary, but placing IPsec and IKEv2 integrity/prf/prf+ into different domains seems like a good thing to do.

SHAKE and SHA-3 in IKEv2 SHAKE and the SHA-3 cryptographic hash functions can generate digests for use with signature algorithms. For instance, specifies algorithm identifiers for using RSASSA-PSS and ECDSA with SHAKE, and NIST have assigned OIDs for using RSA PKCS #1 v1.5 signatures with SHA-3 . specifies the "Digital Signature" (14) authentication method, that allows IKEv2 to support any signature algorithm without the need to specify an authentication method for every new combination of signature algorithm and hash function. The Digital Signature authentication method is the only way to utilise SHA-3 with signatures in IKEv2, so if a peer uses SHA-3 in this context, it MUST specify the Digital Signature authentication method in its corresponding AUTH payload. The Digital Signature authentication method specifies use of a SIGNATURE_HASH_ALGORITHMS notification by each IKE peer to announce the hash functions it supports for use with signatures. This specification defines values for announcing support for SHA-3 algorithms in the SIGNATURE_HASH_ALGORITHMS notification. When an IKEv2 implementation supports SHA-3 in this context, and local policy permits use of SHA-3 to generate or verify signatures, it MUST include the corresponding values in its SIGNATURE_HASH_ALGORITHMS notification.

Security Considerations SHA-3 and SHA-2 are both believed to be secure at time of writing. Views on the security of cryptographic algorithms evolves over time, so implementers should pay attention to IETF RFCs reporting on recommendations for use of cryptographic algorithms in IKEv2 and IPsec, such as any documents that update and . Quantum computing has a significant impact on the security of all IETF security protocols, as a cryptographically-relevant quantum computer (CRQC) could use Shor's algorithm to break many traditional asymmetric cryptographic algorithms. A CRQC can also attack hash functions, including SHA-3 and SHA-2, using Grover's algorithm. However, the impact of Grover's algorithm is less dramatic than the impact of Shor's Algorithm. The worst-case impact of Grover's algorithm is a reduction in security strength by a factor of two; using algorithms with a greater maximum security strength is sufficient to mitigate this. Grover's algorithm is likely to be difficult to parallelise, so the security reduction for SHA-3 and SHA-2 created by Grover's algorithm may be smaller in practice. See for a discussion on the practical cost of using Grover's algorithm to recover AES keys. EDNOTE: More references would be helpful here, especially if they relate to hash functions specifically. The security properties offered by both HMAC-SHA3 and KMAC depend on limiting access to the keys used with those algorithms. Since both algorithms depend on a symmetric key, the key must be known by at least two parties in order to be useful. Sharing the key beyond two parties may erode the security offered by these algorithms. In the case of IKEv2 and IPsec, this typically means that access to keys must be limited to the peers participating in the security association that uses those keys. IKEv2 can be used to enforce this for IPsec SAs and most keys used in IKE SAs, but pre-shared keys are a notable exception here. Providing more than two peers with access to a single pre-shared key may undermine the security offered by that pre-shared key, and hence the security offered by HMAC or KMAC. When IKEv2 is used to create IPsec SAs, the keys for HMAC-SHA3 and KMAC are all ultimately derived from an ephemeral shared secret produced using one or more negotiated key exchange algorithms, with the exception of static pre-shared keys used in IKE for authentication and/or protection against quantum computers. If the negotiated key exchange algorithm offers few bits of security than the negotiated PRF, this effectively caps the bits of security offered by the PRF as well. Negotiating a key exchange algorithm that offers more bits of security than the negotiated PRF does not improve the security offered by that PRF. Similarly, using an encryption algorithm whose security level does not align to the negotiated PRF will undermine the security offered by either the encryption algorithm or the PRF. As such, it is important to ensure that IKE peers configure algorithm policies such that every algorithm negotiated always meets an acceptable minimum security level. Where static keys are used with HMAC-SHA3 and KMAC, these MUST contain at least as much entropy as the security level of the chosen algorithm, and SHOULD be generated using a random number generator capable suitable for use with cryptography.

IANA Considerations For negotiating use of HMAC-SHA3 and KMAC as PRFs for IKEv2, IANA is requested to assign five Transform IDs in the "Transform Type 2 - Pseudorandom Function Transform IDs" registry: Number Name Status Reference TBD PRF_HMAC_SHA3_256   [This draft] TBD PRF_HMAC_SHA3_384   [This draft] TBD PRF_HMAC_SHA3_512   [This draft] TBD PRF_KMAC_128   [This draft] TBD PRF_KMAC_256   [This draft] For negotiating use of HMAC-SHA3 and KMAC for integrity protection in IKEv2 and IPsec protocols, IANA is requested to assign five Transform IDs in the "Transform Type 3 - Integrity Algorithm Transform IDs" registry: Number Name Status Reference TBD AUTH_HMAC_SHA3_256_128   [This draft] TBD AUTH_HMAC_SHA3_384_192   [This draft] TBD AUTH_HMAC_SHA3_512_256   [This draft] TBD AUTH_KMAC_128   [This draft] TBD AUTH_KMAC_256   [This draft] For indicating support for the SHA-3 cryptographic hash functions and SHAKE XOFs in conjunction with a signature algorithm, IANA is requested to assign six Transform IDs in the "IKEv2 Hash Algorithms" registry: Value Hash Algorithm Reference TBD SHA3_224 [This draft] TBD SHA3_256 [This draft] TBD SHA3_384 [This draft] TBD SHA3_512 [This draft] TBD SHAKE_128 [This draft] TBD SHAKE_256 [This draft]

This document describes version 2 of the Internet Key Exchange (IKE) protocol. IKE is a component of IPsec used for performing mutual authentication and establishing and maintaining Security Associations (SAs). This document obsoletes RFC 5996, and includes all of the errata for it. It advances IKEv2 to be an Internet Standard. National Institute of Standards and Technology (U.S.) National Institute of Standards and Technology In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology UK National Cyber Security Centre This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind This specification describes the use of Hashed Message Authentication Mode (HMAC) in conjunction with the SHA-256, SHA-384, and SHA-512 algorithms in IPsec. These algorithms may be used as the basis for data origin authentication and integrity verification mechanisms for the Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange Protocol (IKE), and IKEv2 protocols, and also as Pseudo-Random Functions (PRFs) for IKE and IKEv2. Truncated output lengths are specified for the authentication-related variants, with the corresponding algorithms designated as HMAC-SHA-256-128, HMAC-SHA-384-192, and HMAC-SHA-512-256. The PRF variants are not truncated, and are called PRF-HMAC-SHA-256, PRF-HMAC-SHA-384, and PRF-HMAC-SHA-512. [STANDARDS-TRACK] This document replaces RFC 7321, "Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)". The goal of this document is to enable ESP and AH to benefit from cryptography that is up to date while making IPsec interoperable. The IPsec series of protocols makes use of various cryptographic algorithms in order to provide security services. The Internet Key Exchange (IKE) protocol is used to negotiate the IPsec Security Association (IPsec SA) parameters, such as which algorithms should be used. To ensure interoperability between different implementations, it is necessary to specify a set of algorithm implementation requirements and usage guidance to ensure that there is at least one algorithm that all implementations support. This document updates RFC 7296 and obsoletes RFC 4307 in defining the current algorithm implementation requirements and usage guidance for IKEv2, and does minor cleaning up of the IKEv2 IANA registry. This document does not update the algorithms used for packet encryption using IPsec Encapsulating Security Payload (ESP). Digital signatures are used to sign messages, X.509 certificates, and Certificate Revocation Lists (CRLs). This document updates the "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile" (RFC 3279) and describes the conventions for using the SHAKE function family in Internet X.509 certificates and revocation lists as one-way hash functions with the RSA Probabilistic signature and Elliptic Curve Digital Signature Algorithm (ECDSA) signature algorithms. The conventions for the associated subject public keys are also described. The Internet Key Exchange Version 2 (IKEv2) protocol has limited support for the Elliptic Curve Digital Signature Algorithm (ECDSA). The current version only includes support for three Elliptic Curve groups, and there is a fixed hash algorithm tied to each group. This document generalizes IKEv2 signature support to allow any signature method supported by PKIX and also adds signature hash algorithm negotiation. This is a generic mechanism and is not limited to ECDSA; it can also be used with other signature algorithms.

Test Vectors The following test cases include inputs and outputs for scenarios where HMAC-SHA3 and KMAC are used in IKEv2 and IPsec. A key, input, and output are always supplied, these correspond to the K, X and Z parameters described in . For KMAC, a customization string input is also supplied, which corresponds to the L parameter. Note that in each context, the customization string is fixed. All inputs and outputs are encoded in hexadecimal. KMAC Customization strings also have an ASCII character string representation. Data supplied to KMAC does not include quotation marks or null terminators. In some cases a description is supplied, which describes the case being tested in more detail. These descriptions are test vector metada, and are not ever supplied to the relevant algorithm.

PRF Test Vectors These test cases correspond to use of HMAC-SHA3 or KMAC as the PRF transform for an IKEv2 SA.

HMAC-SHA3-256 PRF Test Vectors

HMAC-SHA3-384 PRF Test Vectors

HMAC-SHA3-512 PRF Test Vectors

KMAC128 PRF Test Vectors

KMAC256 PRF Test Vectors

KDF Test Vectors These test cases correspond to use of HMAC-SHA3 or KMAC with IKEv2's prf+ function.

HMAC-SHA3-256 KDF Test Vectors

HMAC-SHA3-384 KDF Test Vectors

HMAC-SHA3-512 KDF Test Vectors

KMAC128 KDF Test Vectors

KMAC256 KDF Test Vectors

HMAC-SHA3 IKEv2 and IPsec Integrity Protection Test Vectors These test cases correspond to use of HMAC-SHA3 as the integrity protection transform for an IKEv2 SA or an IPsec SA.

HMAC-SHA3-256 IKEv2 and IPsec Integrity Protection Test Vectors

HMAC-SHA3-384 IKEv2 and IPsec Integrity Protection Test Vectors

HMAC-SHA3-512 IKEv2 and IPsec Integrity Protection Test Vectors

KMAC IKEv2 Integrity Protection Test Vectors These test cases correspond to use of KMAC as the integrity protection transform for an IKEv2 SA. Note that, since different customization strings are used for integrity protection in IKEv2 and IPsec, different outputs are produced, so two sets of test vectors are supplied.

KMAC128 IKEv2 Integrity Protection Test Vectors

KMAC256 IKEv2 Integrity Protection Test Vectors

KMAC IPsec Integrity Protection Test Vectors These test cases correspond to use of KMAC as the integrity protection transform for an IPsec SA. Note that, since different customization strings are used for integrity protection in IKEv2 and IPsec, different outputs are produced, so two sets of test vectors are supplied.

KMAC128 IKEv2 Integrity Protection Test Vectors

KMAC256 IKEv2 Integrity Protection Test Vectors

Acknowledgments TODO