2007/409 RFC 3526 Diffie-Hellman groups for IKE

Bill Sommerfeld sommerfeld at sun.com
Fri Jul 13 16:08:36 PDT 2007


I'm sponsoring this self-reviewed open case for Mark Fenwick and have
marked it "closed approved automatic".  The interface taxonomy is
Committed.  Release binding is Micro/Patch. 

Note that some of the code modified by this project is closed-source.  

Description: 

The IKE protocol uses the Diffie-Hellman key agreement protocol to
generate keying material.  IKE defines several different Diffie-Hellman
groups with different modulus sizes; groups with larger modulus sizes
produce a larger shared key and otherwise have greater cryptographic
strength, but are more computationally expensive to use.

The Solaris IKE daemon, in.iked, supports the Diffie-Hellman (MODP)
Oakley groups defined in RFC 2409 appendix A, specifically 1 (768-bit),
2 (1024-bit) and 5 (1536-bit). Larger Oakley groups have been defined in
RFC 3526, specifically 14 (2048-bit), 15 (3072-bit), 16 (4096-bit), 
17 (6144-bit) and 18 (8192-bit).

Solaris should support larger Oakley groups to keep par with other 
operating environments, specifically Microsoft Vista which already 
supports group 14.

Solution:

Changes to libike and in.iked allow for support for the following new
Oakley groups:

        14 (2048-bit)
        15 (3072-bit)
        16 (4096-bit)

Support for groups 17 & 18 will not be added at this time. The Solaris
Cryptographic Framework which provides PKCS#11 support for libike only
supports Diffie-Hellman key generation up to 4096 bits at this time. The
current generation of Sun supplied hardware crypto accelerators only support
modulus sizes up to 2048 bits. Generation of Diffie-Hellman key pairs larger
than 4096 bits in software is very slow.

The new groups can be configured using the existing configuration file
syntax described in ike.config(4). The suggested man page modification
is included below:


*** ike.config.txt.orig Thu Jul 12 13:14:03 2007
--- ike.config.txt      Fri Jul 13 15:53:37 2007
***************
*** 422,435 ****
           parameter-list:
  
           oakley_group number
  
               The Oakley Diffie-Hellman group used for IKE SA  key
!              derivation.  Acceptable values are currently 1 (768-
!              bit), 2 (1024-bit), or 5 (1536-bit).
  
  
           encr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des,
           des-cbc, aes, aes-cbc}
  
               An encryption algorithm, as in  ipsecconf(1M).  How-
               ever,  of  the  ciphers  listed  above, only aes and
--- 422,443 ----
           parameter-list:
  
           oakley_group number
  
               The Oakley Diffie-Hellman group used for IKE SA  key
!              derivation. The group numbers are defined in RFC 2409
!              appendix A and RFC 3526.  Acceptable values are
!              currently:
  
+                 1 (768-bit),
+                 2 (1024-bit),
+                 5 (1536-bit),
+                 14 (2048-bit),
+                 15 (3072-bit),
+                 16 (4096-bit).
  
+ 
           encr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des,
           des-cbc, aes, aes-cbc}
  
               An encryption algorithm, as in  ipsecconf(1M).  How-
               ever,  of  the  ciphers  listed  above, only aes and
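Review bot: The new oakley_group text points readers at RFC 3526 but does not say that groups 17 and 18 from that RFC are not accepted. The case description states they are deliberately left out, so add a sentence after the "16 (4096-bit)." entry saying so; otherwise a reader working from the RFC alone will try them. Separately, the unchanged encr_alg context line reads "blowfish-cdc" where every other entry ends in "-cbc"; confirm that against the source while this page is open.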
***************
*** 581,593 ****
  
       p2_pfs num
  
           Use perfect forward secrecy for phase 2 (quick mode). If
           selected, the oakley group specified is used for phase 2
!          PFS. Acceptable values are 0 (do not use Perfect Forward
!          Secrecy for IPsec SAs), 1 (768-bit), 2 (1024-bit), and 5
  
  
  
  SunOS 5.11          Last change: 28 Jun 2006                    9
  
  
--- 589,607 ----
  
       p2_pfs num
  
           Use perfect forward secrecy for phase 2 (quick mode). If
           selected, the oakley group specified is used for phase 2
!          PFS. Acceptable values are:
  
+                 0 (do not use Perfect Forward Secrecy for IPsec SAs),
+                 1 (768-bit),
+                 2 (1024-bit),
+                 5 (1536-bit),
+                 14 (2048-bit),
+                 15 (3072-bit),
+                 16 (4096-bit).
  
  
  SunOS 5.11          Last change: 28 Jun 2006                    9
  
  
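Review bot: In the old p2_pfs text the sentence breaks off at "and 5" just before the page footer, and the rest of that sentence is not among the lines shown as replaced, so the regenerated page may keep an orphaned fragment after the new list. Diff the man page source rather than the formatted output, or extend the hunk to cover the continuation. The footer on the new side still reads "Last change: 28 Jun 2006" and should be updated with this edit.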
***************
*** 618,631 ****
           exactly once within a given transform's parameter-list:
  
           oakley_group number
  
               The Oakley Diffie-Hellman group used for IKE SA  key
!              derivation.  Acceptable values are currently 1 (768-
!              bit), 2 (1024-bit), or 5 (1536-bit).
  
  
           encr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des,
           des-cbc, aes, aes-cbc}
  
               An encryption algorithm, as in  ipsecconf(1M).  How-
               ever,  of  the  ciphers  listed  above, only aes and
--- 632,652 ----
           exactly once within a given transform's parameter-list:
  
           oakley_group number
  
               The Oakley Diffie-Hellman group used for IKE SA  key
!              derivation.  Acceptable values are currently:
  
+                 1 (768-bit),
+                 2 (1024-bit),
+                 5 (1536-bit),
+                 14 (2048-bit),
+                 15 (3072-bit),
+                 16 (4096-bit).
  
+ 
+ 
           encr_alg {3des, 3des-cbc, blowfish, blowfish-cdc, des,
           des-cbc, aes, aes-cbc}
  
               An encryption algorithm, as in  ipsecconf(1M).  How-
               ever,  of  the  ciphers  listed  above, only aes and
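Review bot: This second oakley_group description omits the sentence "The group numbers are defined in RFC 2409 appendix A and RFC 3526." that the first hunk adds to the otherwise identical paragraph, and it adds two blank lines before encr_alg where the first hunk adds one. Make the two paragraphs identical so the copies do not drift apart.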
***************
*** 900,910 ****
--- 921,935 ----
  
       Piper, Derrell. RFC 2407, The Internet IP Security Domain of
       Interpretation for ISAKMP. Network Alchemy. Santa Cruz, Cal-
       ifornia. November 1998.
  
+      Kivinen, T. RFC 3526, More Modular Exponential (MODP)
+      Diffie-Hellman groups for Internet Key Exchange (IKE).
+      The Internet Society, Network Working Group. May 2003.
  
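Review bot: The new RFC 3526 entry abbreviates the author to "Kivinen, T." while the neighbouring entry spells out "Piper, Derrell." and gives the author's organisation and location. Match the existing entry style and check the author list against the RFC's front page before committing.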





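A configuration check for the group list in the message above, as an added example that is not part of the original message or of the Solaris code: it scans ike.config text for `oakley_group` and `p2_pfs` settings and classifies each value against the groups the proposed man page text lists. The sample file, the `#` comment handling, the rule syntax around the two keywords and the 2048-bit floor are assumptions.

```python
import re

# Group numbers and modulus sizes as listed in the proposed man page text.
SUPPORTED_GROUPS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
# Defined in RFC 3526 but not added by this case (per the message).
UNSUPPORTED_RFC3526 = {17: 6144, 18: 8192}

KEYWORD_RE = re.compile(r"\b(oakley_group|p2_pfs)\s+([^\s{}]+)")

def classify(keyword, value, min_bits):
    """Classify one setting; min_bits is an assumed local policy floor."""
    if not value.isdigit():
        return "invalid: not a number"
    group = int(value)
    if group == 0:
        # 0 is listed only for p2_pfs (no PFS for IPsec SAs).
        return "pfs-disabled" if keyword == "p2_pfs" else "invalid: 0 is only valid for p2_pfs"
    if group in UNSUPPORTED_RFC3526:
        return "unsupported: RFC 3526 group not implemented"
    if group not in SUPPORTED_GROUPS:
        return "invalid: unknown group"
    bits = SUPPORTED_GROUPS[group]
    return "ok" if bits >= min_bits else f"weak: {bits}-bit modulus"

def check_ike_config(text, min_bits=2048):
    """Return (line_no, keyword, value, verdict) for every DH group setting."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # assumption: '#' starts a comment
        for keyword, value in KEYWORD_RE.findall(line):
            findings.append((line_no, keyword, value, classify(keyword, value, min_bits)))
    return findings

# Constructed sample configuration, not taken from the original message.
SAMPLE = """\
# constructed sample
p2_pfs 2
{
    label "site-a"
    p1_xform { auth_method preshared oakley_group 14 auth_alg sha1 encr_alg aes }
    p1_xform { auth_method preshared oakley_group 5 auth_alg sha1 encr_alg 3des }
    p2_pfs 0
}
{
    label "site-b"
    p1_xform { auth_method preshared oakley_group 18 auth_alg sha1 encr_alg aes }
}
"""

if __name__ == "__main__":
    for finding in check_ike_config(SAMPLE):
        print("line %d: %s %s -> %s" % finding)
```
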