3.1.7.4 AuthIP Key Material Generation

A number of Authenticated Internet Protocol exchanges involve the generation of keying material. Each AuthIP peer MUST generate keying material as follows.

Notation:

This specification uses SKEYID_d, SKEYID_a, and SKEYID in the same manner as described in [RFC2409] section 5.

A-KDF refers to the key derivation function specified in [SP800-56A]. The output of the [SP800-56A] KDF is the bit string DerivedKeyingMaterial of length ByteLength bytes.

"|" signifies concatenation of information. For example, X | Y is the concatenation of X with Y, as specified in [RFC2409].

 Define Function: OtherInfo (pubInfo, privInfo) as:  AlgorithmID|PartyUInfo|PartyVInfo|pubInfo|privInfo

The function OtherInfo takes as input (pubInfo, privInfo), and performs the given concatenation. AlgorithmID, PartyUInfo, and PartyVInfo are known externally as defined below, and hence are not passed directly to the function. For instance, when run for SKEYID:

{} indicates function invocation.

 COMPUTE SKEYID as A-KDF
   (Z, {OtherInfo} (SuppPubInfo-SKEYID, SuppPrivInfo-SKEYID),
    hashLength)
  

This substitutes SuppPubInfo-SKEYID into pubInfo and SuppPrivInfo-SKEYID into privInfo, and then executes the OtherInfo concatenation. Hence the variables pubInfo and privInfo themselves are function parameters, whose values are filled in by the caller.

 Set AlgorithmID to Crypto-ID
 Set PartyUInfo to CKY-I
 Set PartyVInfo to CKY-R
  
 SuppPubInfo-SKEYID = Ni|Nr
 SuppPubInfo-SKEYID_d = Ni|Nr|0x00
 SuppPubInfo-SKEYID_a = Ni|Nr|0x01
 SuppPubInfo-SKEYID_e = Ni|Nr|0x02
  
 Set SuppPrivInfo-SKEYID to GSS-APIsecret
 Set SuppPrivInfo-SKEYID_em to GSS-APIsecret_em
 Set SuppPrivInfo-SKEYID_d to SKEYID
  
 SuppPrivInfo-SKEYID_a = SKEYID_d|SKEYID
 SuppPrivInfo-SKEYID_e = SKEYID_a|SKEYID
  
 If DH is used then
 set Z to g^xy
 Else
 set Z to a zero-length byte string
 END IF
  
 COMPUTE SKEYID_d as A-KDF (Z, {OtherInfo} (SuppPubInfo-SKEYID_d,
   SuppPrivInfo-SKEYID_d), hashLength)
 COMPUTE SKEYID_a as A-KDF (Z, {OtherInfo} (SuppPubInfo-SKEYID_a,
   SuppPrivInfo-SKEYID_a), hashLength)
 COMPUTE SKEYID_e as A-KDF (Z, {OtherInfo} (SuppPubInfo-SKEYID_e,
   SuppPrivInfo-SKEYID_e), max(hashLength, cryptLength))
 COMPUTE SKEYID_em as A-KDF (Z, {OtherInfo} (SuppPubInfo-SKEYID,
   SuppPrivInfo-SKEYID_em), hashLength)
  
 SuppPubInfo-IpsecEncryptKey = MessageId|SPI|Ni(qm)|Nr(qm)|SKEYID_d
  
 if EM exchanges THEN
 SuppPrivInfo-IpsecEncryptKey = Ni(mm)|Nr(mm)|SKEYID_em
 ELSE
 Set SuppPrivInfo-IpsecEncryptKey = zero-length byte string
 END IF
  
 COMPUTE IPSecEncryptKey as A-KDF (Z(qm),
   OtherInfo(SuppPubInfo-IpsecEncryptKey,
   SuppPrivInfo-IpsecEncryptKey), ipsechashLength+ipseccryptLength)
 COMPUTE Auth1 as prf(SKEYID,
   hash(#4|(#3|sha256(#2|sha256(#1))))|0x01)
 COMPUTE Auth2 as prf(SKEYID, hash(#4|hash(#3|sha256(#2|sha256(#1))))|0x02)
  

For the first two payloads, the cumulative hash for Auth1 MUST start with a hard-coded sha256 (as specified in [SHA256]) because a hash method has not yet been negotiated between the peers. Starting with payload #3, the peers MUST use the negotiated hash algorithm.

Extended mode (EM) also uses the following hashes.

 COMPUTE Auth3 as prf(SKEYID_em, hash(#12|hash(#11|hash(#10|
   hash(#9|hash(#8|hash(#7))))))|Auth1
 COMPUTE Auth4 as prf(SKEYID_em, hash(#12|hash(#11|hash(#10|hash(#9|hash(#8|hash(#7))))))|Auth2
  

The length of the hash chains for computing Auth3 and Auth4 depends on the number of messages in the exchange. Each peer MUST hash all the IKE payloads as plaintext, that is, in their unencrypted form.

The quick mode security association (QM SA) encryption key MUST be set to the first part of IPsecEncryptKey (up to ipseccryptLength bytes). The quick mode authentication key MUST be set to the remainder of IPsecEncryptKey.
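The derivation chain above, from OtherInfo through the SKEYID family to the quick mode key split, as an added worked example that is not part of this specification or of any Microsoft implementation. It assumes the negotiated hash is SHA-256 (hashLength = 32), that A-KDF is the hash-based single-step concatenation KDF of [SP800-56A] (H(counter | Z | OtherInfo) with a 32-bit big-endian counter starting at 1), and that Crypto-ID, cookies, nonces, and GSS-API secrets are plain byte strings; every input value is constructed here.

```python
import hashlib
import struct

HASH = hashlib.sha256                 # assumption: negotiated hash is SHA-256
HASH_LENGTH = HASH().digest_size      # hashLength = 32 bytes


def a_kdf(z: bytes, other_info: bytes, byte_length: int) -> bytes:
    """[SP800-56A] single-step concatenation KDF, hash option (assumed here):
    DerivedKeyingMaterial = H(1|Z|OtherInfo) | H(2|Z|OtherInfo) | ...
    truncated to byte_length bytes; the counter is a 32-bit big-endian integer."""
    out = b""
    counter = 1
    while len(out) < byte_length:
        out += HASH(struct.pack(">I", counter) + z + other_info).digest()
        counter += 1
    return out[:byte_length]


class AuthIPKeys:
    """Carries the externally known AlgorithmID, PartyUInfo, PartyVInfo and the
    main mode nonces, and derives the SKEYID family exactly as the pseudocode orders it."""

    def __init__(self, crypto_id, cky_i, cky_r, ni, nr, z=b""):
        self.algorithm_id = crypto_id   # Set AlgorithmID to Crypto-ID
        self.party_u_info = cky_i       # Set PartyUInfo to CKY-I
        self.party_v_info = cky_r       # Set PartyVInfo to CKY-R
        self.ni, self.nr = ni, nr       # Ni(mm), Nr(mm)
        self.z = z                      # g^xy if DH was used, else zero-length

    def other_info(self, pub_info: bytes, priv_info: bytes) -> bytes:
        # OtherInfo(pubInfo, privInfo) = AlgorithmID|PartyUInfo|PartyVInfo|pubInfo|privInfo
        return self.algorithm_id + self.party_u_info + self.party_v_info + pub_info + priv_info

    def derive(self, gss_secret: bytes, gss_secret_em: bytes, crypt_length: int) -> dict:
        ni_nr = self.ni + self.nr
        # Order matters: each key's SuppPrivInfo is built from keys derived before it.
        skeyid = a_kdf(self.z, self.other_info(ni_nr, gss_secret), HASH_LENGTH)
        skeyid_d = a_kdf(self.z, self.other_info(ni_nr + b"\x00", skeyid), HASH_LENGTH)
        skeyid_a = a_kdf(self.z, self.other_info(ni_nr + b"\x01", skeyid_d + skeyid), HASH_LENGTH)
        skeyid_e = a_kdf(self.z, self.other_info(ni_nr + b"\x02", skeyid_a + skeyid),
                         max(HASH_LENGTH, crypt_length))
        # SKEYID_em reuses SuppPubInfo-SKEYID (Ni|Nr) with the EM GSS-API secret.
        skeyid_em = a_kdf(self.z, self.other_info(ni_nr, gss_secret_em), HASH_LENGTH)
        return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a,
                "SKEYID_e": skeyid_e, "SKEYID_em": skeyid_em}

    def derive_qm_keys(self, keys, message_id, spi, ni_qm, nr_qm, z_qm, em,
                       ipsec_hash_length, ipsec_crypt_length):
        """IPsecEncryptKey and its split into the QM SA encryption and authentication keys."""
        pub = message_id + spi + ni_qm + nr_qm + keys["SKEYID_d"]
        priv = self.ni + self.nr + keys["SKEYID_em"] if em else b""   # EM exchanges only
        material = a_kdf(z_qm, self.other_info(pub, priv), ipsec_hash_length + ipsec_crypt_length)
        # First ipseccryptLength bytes encrypt; the remainder authenticates.
        return material[:ipsec_crypt_length], material[ipsec_crypt_length:]


def example():
    """Runs the whole chain on constructed inputs (no DH, no EM)."""
    peer = AuthIPKeys(
        crypto_id=b"\x00\x02",                    # constructed Crypto-ID
        cky_i=bytes.fromhex("0102030405060708"),  # constructed CKY-I
        cky_r=bytes.fromhex("1112131415161718"),  # constructed CKY-R
        ni=bytes(range(16)), nr=bytes(range(16, 32)),
        z=b"")                                    # DH not used: zero-length Z
    keys = peer.derive(gss_secret=b"constructed GSS-API secret",
                       gss_secret_em=b"constructed GSS-API secret (EM)",
                       crypt_length=16)
    enc_key, auth_key = peer.derive_qm_keys(
        keys, message_id=b"\x00\x00\x00\x01", spi=b"\xde\xad\xbe\xef",
        ni_qm=bytes(range(32, 48)), nr_qm=bytes(range(48, 64)), z_qm=b"",
        em=False, ipsec_hash_length=20, ipsec_crypt_length=16)
    return keys, enc_key, auth_key


if __name__ == "__main__":
    for name, value in example()[0].items():
        print(name, value.hex())
```

The class keeps AlgorithmID, PartyUInfo and PartyVInfo as instance state rather than parameters, mirroring the text's point that OtherInfo receives only (pubInfo, privInfo) while the other three fields are known externally.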

DES-CBC [RFC2405] and TripleDES-CBC [RFC2451] require the parity and weak-key checks. This formatting MUST be applied to SKEYID_e when using these algorithms.

For DES-CBC and TripleDES-CBC, the key MUST be computed in the following way:

  1. Truncate the key to 8 bytes (DES-CBC) or 24 bytes (TripleDES-CBC).

  2. For each byte, if the number of bits set to one in the byte is even, adjust the least significant bit so that the number of bits set to one is odd.