The OAKLEY Key Determination Protocol
RFC 2412 The OAKLEY Key Determination Protocol November 1998
Because OAKLEY is a generic key exchange protocol, and because the
keys that it generates might be used for encrypting data with a long
privacy lifetime, 20 years or more, it is important that the
algorithms underlying the protocol be able to ensure the security of
the keys for that period of time, based on the best prediction
capabilities available for seeing into the mathematical future. The
protocol therefore has two options for adding to the difficulties
faced by an attacker who has a large amount of recorded key exchange
traffic at his disposal (a passive attacker). These options are
useful for deriving keys which will be used for encryption.

The OAKLEY protocol is related to STS, sharing the similarity of
authenticating the Diffie-Hellman exponentials and using them for
determining a shared key, and also of achieving Perfect Forward
Secrecy for the shared key, but it differs from the STS protocol in
several ways.

The first is the addition of a weak address validation mechanism
("cookies", described by Phil Karn in the Photuris key exchange
protocol work in progress) to help avoid denial of service
attacks.

The second extension is to allow the two parties to select
mutually agreeable supporting algorithms for the protocol: the
encryption method, the key derivation method, and the
authentication method.

Thirdly, the authentication does not depend on encryption using
the Diffie-Hellman exponentials; instead, the authentication
validates the binding of the exponentials to the identities of the
parties.

The protocol does not require the two parties compute the shared
exponentials prior to authentication.

This protocol adds additional security to the derivation of keys
meant for use with encryption (as opposed to authentication) by
including a dependence on an additional algorithm. The derivation
of keys for encryption is made to depend not only on the
Diffie-Hellman algorithm, but also on the cryptographic method used
to securely authenticate the communicating parties to each other.

Finally, this protocol explicitly defines how the two parties can
select the mathematical structures (group representation and
operation) for performing the Diffie-Hellman algorithm; they can
use standard groups or define their own. User-defined groups
provide an additional degree of long-term security.
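
An added example, not part of RFC 2412: the weak address validation ("cookies") named in the first difference above, shown from the responder's side. The construction is an assumption, since this page does not say how a cookie is computed: a truncated HMAC over the peer's address, port and cookie under a rotating local secret. The names CookieJar and accept_exchange and the sample addresses are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

COOKIE_LEN = 8  # bytes; constructed choice for this example


class CookieJar:
    """Responder cookies derived from the peer address, so no per-peer state is kept."""

    def __init__(self):
        self.current = os.urandom(32)   # local secret, never sent on the wire
        self.previous = None            # kept for one rotation so in-flight exchanges finish

    def rotate(self):
        self.previous, self.current = self.current, os.urandom(32)

    @staticmethod
    def _mac(secret, ip, port, peer_cookie):
        msg = ipaddress.ip_address(ip).packed + struct.pack("!H", port) + peer_cookie
        return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def issue(self, ip, port, peer_cookie):
        return self._mac(self.current, ip, port, peer_cookie)

    def validate(self, ip, port, peer_cookie, cookie):
        secrets = [s for s in (self.current, self.previous) if s is not None]
        return any(hmac.compare_digest(cookie, self._mac(s, ip, port, peer_cookie))
                   for s in secrets)


def accept_exchange(jar, ip, port, peer_cookie, cookie, expensive_step):
    """Run the costly public-key work only for a peer that echoed a valid cookie."""
    if not jar.validate(ip, port, peer_cookie, cookie):
        return None                     # dropped before any exponentiation
    return expensive_step()


def demo():
    """Constructed addresses: a genuine peer, then the same cookie from another source."""
    jar, calls = CookieJar(), []
    step = lambda: calls.append(1) or "exponentiation done"
    peer_cookie = os.urandom(COOKIE_LEN)
    cookie = jar.issue("192.0.2.10", 500, peer_cookie)   # sent to the claimed address
    ok = accept_exchange(jar, "192.0.2.10", 500, peer_cookie, cookie, step)
    forged = accept_exchange(jar, "198.51.100.7", 500, peer_cookie, cookie, step)
    return ok, forged, len(calls)
```

The validation is weak in the sense the text uses: it shows only that the peer can receive traffic at the address it claims, which is enough to keep the responder from spending exponentiations on senders using addresses they cannot read from.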
Orman Informational