Internet-Draft | HIP New Crypto | August 2021
Moskowitz, et al. | Expires 3 February 2022
This document provides new cryptographic algorithms to be used with HIP. The Edwards Elliptic Curve and the Keccak sponge functions are the main focus. The HIP parameters and processing instructions impacted by these algorithms are defined.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 3 February 2022.
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document adds new cryptographic algorithms for HIPv2 [RFC7401] and [RFC7402]. This includes:
The hashes and encryption are all built on the Keccak [Keccak] sponge function and the Xoodyak [Xoodyak] lightweight scheme.
These additions reflect a selection of advances in the field of cryptography that would most benefit HIP, particularly for constrained devices and communications.
Ed Note: The Xoodyak function calls should be considered a first best effort. There are a few areas open for discussion, such as which of the three choices for adding the nonce to the AEAD mode to use, and when to use the counter and Id. There may also be copy errors from the source specification, nicer function calls, and better acronyms.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
HIP parameters carry information that is necessary for establishing and maintaining a HIP association. For example, the device's public keys as well as the signaling for negotiating ciphers and payload handling are encapsulated in HIP parameters. Additional information, meaningful for end hosts or middleboxes, may also be included in HIP parameters. The specification of the HIP parameters and their mapping to HIP packets and packet types is flexible, to allow HIP extensions to define new parameters and new protocol behavior.
Elliptic curves Curve25519 and Curve448 [RFC7748] are specified here for use in the HIP Diffie-Hellman exchange.
Curve25519 and Curve448 are already defined in Section 5.2.1 of [hip-dex], using the HIP-DEX CKDF. Here they are defined for use with the new KMAC [NIST SP800-185] or XMAC [Xoodyak] derived KDF of Section 5.
The DIFFIE_HELLMAN parameter may be included in selected HIP packets based on the DH Group ID selected. The DIFFIE_HELLMAN parameter is defined in Section 5.2.7 of [RFC7401].
The following elliptic curves are defined here:

| Group | KDF | Value |
|---|---|---|
| Curve25519 [RFC7748] | KMAC | 13 |
| Curve448 [RFC7748] | KMAC | 14 |

A new KDF for KEYMAT (Section 6.5 of [RFC7401]) using Keccak or Xoodyak is defined in Section 5.
This section is extracted from Appendix D of [drip-rid]. It may later be pulled and only maintained there.
The Edwards-Curve Digital Signature Algorithm (EdDSA) [RFC8032] is specified here for use in Host Identities (HIs) per HIPv2 [RFC7401]. Further, the HIT_SUITE_LIST is specified as used in [RFC7343].
The HOST_ID parameter specifies the public key algorithm and, for elliptic curves, a curve name. The HOST_ID parameter is defined in Section 5.2.19 of [RFC7401].

| Algorithm profile | Value | Reference |
|---|---|---|
| EdDSA | 13 | [RFC8032] |

For hosts that implement EdDSA as the algorithm, the following ECC curves are available:

| Algorithm | Curve | Value | Reference |
|---|---|---|---|
| EdDSA | RESERVED | 0 | |
| EdDSA | EdDSA25519 | 1 | [RFC8032] |
| EdDSA | EdDSA25519ph | 2 | [RFC8032] |
| EdDSA | EdDSA448 | 3 | [RFC8032] |
| EdDSA | EdDSA448ph | 4 | [RFC8032] |

The HIT_SUITE_LIST parameter contains a list of the supported HIT Suite IDs of the Responder. Based on the HIT_SUITE_LIST, the Initiator can determine which source HIT Suite IDs are supported by the Responder. The HIT_SUITE_LIST parameter is defined in Section 5.2.10 of [RFC7401].
The following HIT Suite IDs are defined, and the relationship between the four-bit ID value used in the OGA ID field and the eight-bit encoding within the HIT_SUITE_LIST ID field is clarified:

| HIT Suite | Four-bit ID | Eight-bit encoding |
|---|---|---|
| RESERVED | 0 | 0x00 |
| EdDSA/cSHAKE128 | 5 | 0x50 |
| EdDSA/XHASH | 6 | 0x60 |

The following table provides more detail on the above HIT Suite combinations. The input for each generation algorithm is the encoding of the HI as defined herein.
The output length of cSHAKE128 and XHASH is variable, per the needs of a specific ORCHID construction. It is at most 96 bits long and is used directly in the ORCHID (without truncation).

| Index | Hash function | Keyed hash (HMAC role) | Signature algorithm family | Description |
|---|---|---|---|---|
| 5 | cSHAKE128 | KMAC128 | EdDSA | EdDSA HI hashed with cSHAKE128, output is variable |
| 6 | XHASH | XMAC | EdDSA | EdDSA HI hashed with XHASH, output is variable |
Hashing is used in HIP for HIT generation and for keyed hashes of HIP payloads. The hash algorithm used is designated as part of the HIT_SUITE_ID. The keyed hash function is the "common" such function used in conjunction with the HIT hash.
The XOF functions of SHA-3, SHAKE (Secure Hash Algorithm KECCAK) [NIST FIPS-202], and the more recent Xoodyak [Xoodyak] algorithm are sponge functions. Sponge functions have a special feature: an arbitrary number of output bits can be "squeezed" out of the hashing state. This is a significant change in use, in that neither hash truncation nor multiple "runs" to obtain enough bits are needed with sponge functions.
The customizable SHAKE function (cSHAKE) of [NIST SP800-185] is used here as a HIP hash. As a Keccak XOF, it does not need the truncation step that fixed-output hashes require; the invocation of cSHAKE specifies the desired number of output bits directly. Further, cSHAKE has a parameter 'S', a customization bit string. This parameter is used to include hash-specific customization, such as the ORCHID Context Identifier, in a standard fashion.
A hardware implementation of Keccak in VHDL is available from the Keccak team website [Keccak].
The Xoodyak [Xoodyak] sponge function is a candidate in the NIST Lightweight Cryptography (LWC) Standardization process (see [NISTIR 8369]). Xoodyak has been selected here for use in HIP from the LWC 2nd round candidates because it was developed by the Keccak team, making it more directly in line with Keccak.
Xoodyak has a hash function mode. More specifically, this hash mode is an extendable output function (XOF).
As the Xoodyak specification [Xoodyak_Spec] does not provide high-level function calls, but rather a set of primitives used to construct the various modes, the appropriate primitive calls are detailed below. Xoodyak as a hash is called "XHASH" here.
To get an n-byte digest of some input x, XHASH(n, x), use the following set of Xoodyak primitives:

   Cyclist(ε, ε, ε)
   Absorb(x)
   Squeeze(n)

Xoodyak can also naturally implement a DEC function and process a sequence of strings. Here the output depends on the sequence as such, and not just on the concatenation of the different strings. To compute an n-byte digest XHASH(n, {x1, x2, x3}), the Xoodyak primitives are:

   Cyclist(ε, ε, ε)
   Absorb(x1)
   Absorb(x2)
   Absorb(x3)
   Squeeze(n)

The equivalent of the cSHAKE parameter 'S' above is a separate Absorb call in the DEC function, absorbed ahead of the message just as cSHAKE prepends N and S to its input. That is, XHASH(L, {S, N, X}) plays the role of cSHAKE(X, L, N, S) (note that cSHAKE takes L in bits, while the XHASH Squeeze takes a byte count).
RHASH is the general term used throughout [RFC7401] for the hash used by a specific HIT suite. For this addendum, cSHAKE128 (Keccak) or XHASH (Xoodyak) is the RHASH, even for HITs of EdDSA448.
Unless otherwise specified, the output length (L of cSHAKE128, or n of XHASH) is 256 bits, i.e. a 32-byte Squeeze, giving output comparable to SHA-256. Any truncation applied to the older, fixed-output hashes is still applied to this output, to simplify code integration. The one exception is in Section 4.
The HIP_MAC and HIP_MAC2 parameters in [RFC7401] use HMAC [RFC2104]. HMAC makes two passes of the underlying hash over the keyed input and produces a keyed hash the length of the underlying hash.
For both HIP_MAC and HIP_MAC2 use, the parameter S below is NULL. It is included for a complete function definition.
Here, KMAC from NIST SP 800-185 [NIST SP800-185] is used. This is a single pass using the underlying cSHAKE function. The function call is:

   KMAC128(Key, Input String, 256, S)

Here, XMAC is defined as the keyed hash function based on Xoodyak. It is built with primitives from [Xoodyak_Spec] as a DEC function.
To get an n-bit keyed MAC of some input x, XMAC(Key, n, {S, x}), with n = 256 (a 32-byte Squeeze), use the following set of Xoodyak primitives:

   Cyclist(Key, Id, ε)
   Absorb(S)              only if S is non-null
   Absorb(Input String)
   Squeeze(32)

Id is "HIP_MAC" or "HIP_MAC2", respectively. Since S is null in this XMAC usage, the first Absorb call is not performed.
HIP encrypted parameters use the HIP_CIPHER, Section 5.2.8 of [RFC7401]. The Xoodyak cipher [Xoodyak] is recommended. Here Xoodyak is used in encrypt-only mode (no authentication tag; integrity of HIP packets is provided by HIP_MAC).
The HIP_CIPHER parameter value for Xoodyak is:

| Suite ID | Value | Reference |
|---|---|---|
| Xoodyak | 6 | [Xoodyak] |

The Xoodyak primitive calls for encrypt-only are:

   Cyclist(Key, Id, ε)
   Absorb(IV)
   C ← Encrypt(P)

where Id is the HIP parameter name (e.g. "ENCRYPTED"), IV is taken from the encrypted HIP parameter, P is the plaintext per the specific HIP encrypted parameter, and C is the ciphertext.
The ESP_TRANSFORM parameter is used during ESP SA establishment, Section 5.1.2 of [RFC7402]. The Xoodyak cipher [Xoodyak] is recommended. Here Xoodyak is used in AEAD mode.
Further, it is recommended to use Implicit IV ESP [RFC8750], to match its lightweight over-the-air format with the lightweight Xoodyak AEAD cipher.
The ESP_TRANSFORM Suite IDs for Xoodyak are:

| Suite ID | Value | Reference |
|---|---|---|
| Xoodyak-96 | 16 | [Xoodyak] |
| Xoodyak | 17 | [Xoodyak] |
| Implicit IV | 18 | [RFC8750] |

Xoodyak-96 signals the 96-bit ICV (t = 12 below); Xoodyak signals the 128-bit ICV (t = 16).
The Implicit IV Suite ID is unique in that it is an AND condition, combined with a cipher Suite ID rather than selected instead of one: AES-GCM and Xoodyak can each be used either with 'regular' ESP [RFC4303] or with Implicit IV ESP [RFC8750].
The Xoodyak primitive calls for AEAD encrypt are:

   Cyclist(Key, Id, ε)
   Absorb(IV)
   Absorb(A)
   C ← Encrypt(P)
   T ← Squeeze(t)

where Id is "ESP_TRANSFORM", IV is either a 32-bit ESP IV per [RFC4303] or the ESP Sequence Number per [RFC8750], P is the plaintext, A is the associated data, t is 12 or 16 (bytes, i.e. a 96- or 128-bit ICV), and T is the ESP ICV of length t.
The EdDSA/cSHAKE based HITs require a different ORCHID generation method from that described in Section 3.2 of [RFC7401]. The XOF functionality of cSHAKE produces an output of exactly L bits, which replaces the Encode_96 function in the ORCHID generation.
For identities that are EdDSA public keys, ORCHIDs are generated per the process defined in Appendix C.2.1 of [drip-rid].
For either the Keccak or the Xoodyak KEYMAT generation, the inputs are the same. The only practical difference is that cSHAKE offers 128 or 256 bits of security strength, whereas Xoodyak provides only 128 bits.
L is the derived key bit length. Since four HIP keys are "drawn" from this output, L = 4 * HIP_key_size. Per [ASIACRYPT-2017] (ASIACRYPT 2017, pp. 606-637), each of these derived keys has the same strength as the Diffie-Hellman shared secret.
S is the byte string 01001011 || 01000100 || 01000110, which represents the sequence of characters "K", "D", and "F" in 8-bit ASCII.
Salt and info are derived as defined in Section 6.5 of [RFC7401]. There are special security considerations for IKM per [RFC7748] (see Section 7).
The KMAC function provides a new, more efficient key derivation function than HKDF [RFC5869]. KMAC as a KDF is defined below.
The two HIs MUST be used in constructing IKM as follows:

   IKM = Diffie-Hellman secret | sort(HI-I | HI-R)

The two HIs are separately DER encoded per [RFC7401].
The choice of KMAC128 or KMAC256 is based on the strength required of the output key material: for 256 bits of strength, equivalent to HMAC-SHA256, use KMAC256. Per [NIST SP800-56Cr1], Section 4.1, Option 3:

   OKM = KMAC[128|256](salt | info, IKM, L, S)
Here, XMAC from Section 3.3.3.2 is used with an empty key, i.e. as a DEC hash. The primitives of XMAC("", L, {S, salt, info, sort(HI-I | HI-R), Diffie-Hellman secret}) are:

   Cyclist(ε, ε, ε)
   Absorb(S)
   Absorb(salt)
   Absorb(info)
   Absorb(max(HI-I, HI-R))
   Absorb(min(HI-I, HI-R))
   Absorb(Diffie-Hellman secret)
   Squeeze(L)

where L is in bytes. Note that this sequence absorbs the larger HI before the smaller one, whereas sort() as defined in Section 6.5 of [RFC7401] places the smaller value first; whichever order is used, both peers must apply the same one or the derived keys will not match.
Ed Note: Need to check that all of the above are well-defined byte strings per [RFC7401]. I think they are.
Appendix B of NIST SP 800-185 [NIST SP800-185] defines how to use SHAKE, cSHAKE, or KMAC as a PRF.
For Xoodyak, XMAC from Section 3.3.3.2 is used in the same manner as KMAC above.
IANA will need to make the following changes to the "Host Identity Protocol (HIP) Parameters" registries:
[RFC7748] warns about using Curve25519 and Curve448 in Diffie-Hellman for key derivation:

   Designers using these curves should be aware that for each public key, there are several publicly computable public keys that are equivalent to it, i.e., they produce the same shared secrets. Thus using a public key as an identifier and knowledge of a shared secret as proof of ownership (without including the public keys in the key derivation) might lead to subtle vulnerabilities.

Thus the two Host IDs are included with the Diffie-Hellman secret in the KEYMAT generation.
Section 4.1 of NIST SP 800-185 [NIST SP800-185] states:

   "The KECCAK Message Authentication Code (KMAC) algorithm is a PRF and keyed hash function based on KECCAK. It provides variable-length output"

That is, the output of KMAC is indistinguishable from a random string regardless of the output length. The output of KMAC can therefore be divided into multiple substrings, each with the full strength of the function (KMAC128 or KMAC256), provided that a long enough key is used, as discussed in Section 8.4.1 of SP 800-185.
For example, KMAC128(K, X, 512, S), where K is at least 128 bits, produces four 128-bit keys, each with a strength of 128 bits. A single sponge operation thus replaces the several HMAC-SHA256 operations (one for HKDF-Extract plus one per 256-bit block of HKDF-Expand, each being two SHA-256 invocations) that HKDF [RFC5869] would need for the same output.
Quynh Dang of NIST gave considerable guidance on using Keccak and the NIST supporting documents. Joan Daemen of the Keccak team was especially helpful in many aspects of using Keccak and Xoodyak, particularly with the KEYMAT section and the strength of the derived keys.
NIST is entering round 3 (final) of its Lightweight Cryptography competition, with selection anticipated at the end of 2021 or early in 2022. Events in this process will impact selections in this document.