PD-0105: Acceptability of IKE Authentication as "Single Use" In Firewall PPs |
||||
This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.
IssueThe U.S. Government Firewall protection profiles contain requirements for Single-Use Authentication Mechanisms. Would use of certificate-based authentication conforming to the IKE protocol satisfy that requirement? This is based on the fact that certificate-based authentication is at least as effective as single-use mechanisms in meeting the security objectives in the protection profiles. ResolutionIKE is an acceptable instance of a single-use authentication mechanism. As IKE is not a FIPS mechanism, the following requirements must be met by the IKE implementation. FCS_IKE_EXP.1 Internet Key Exchange FCS_IKE_EXP.1.1 The TSF shall provide cryptographic key establishment techniques in accordance with RFC 2409 as follows(s):
FCS_IKE_EXP.1.2 The TSF shall require the nonce, and the x of g^xy] be randomly generated using FIPS-approved random number generator when computation is being performed. FCS_IKE_EXP.1.3 When performing authentication using pre-shared keys, the key shall be generated using the FIPS approved random number generator specified in FCS_COP_EXP.5.1. FCS_IKE_EXP.1.4 The TSF shall compute the value of SKEYID (as defined in RFC 2409), using SHA-1 as the pseudo-random function. The TSF shall be capable of authentication using the methods for
Application Note: If public key encryption is the method of choice, the sha algorithm listed in the requirement will be used. If the other option is selected, a different authentication method or a different hash algorithm for generating SKEYID may be specified. Refer to RFC 2409 for an explanation of the notation and definitions of the terms. FCS_IKE_EXP.1.5 The TSF shall compute authenticated keying material as follows:
Application note: If the assignment is selected, a different method for computing the authenticated keying material may be used, or a different hash algorithm may be specified. FCS_IKE.1.6 To authenticate the Phase 1 exchange, the TSF shall generate HASH_I if it is the intiator, or HASH_R if it is the responder as follows:
Application note: Refer to RFC 2409 for an explanation of the notation and definitions of the terms. FCS_IKE_EXP.1.7 The TSF shall be capable of authenticating IKE Phase 1 using the following methods as defined in RFC 2409, as configured by the security administrator:
FCS_IKE_EXP.1.7. The TSF shall compute the hash values for Quick Mode in the following way
Application Note: The following steps will be performed when using the HASH computation:
KE is only optional when SA elects not to use perfect forward secrecy. Verifying that a TFS implementation actually checks HASH(1) , HASH(2), and HASH(3) values sent against a computed value is important in detecting changes that could have been made to proposed transform negotiated in Quick Mode (not as likely as Phase One because Quick Mode is encrypted). The ordering of the ISAKMP payloads may differ because Quick Mode only specifies the location of the HASH and SA payload. FCS_IKE_EXP.1.8 The TSF shall compute new keying material during Quick Mode as follows: [selection: when using perfect forward secrecy KEYMAT = sha(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b), When perfect forward secrecy is not used KEYMAT = sha(SKEYID_d | protocol | SPI | Ni_b | Nr_b)] Modification History:
References:
Related NIs:
Related CCIMB-INTERPs:
Source OD: 0229 |