ipsec, esp: Which key is used to generate the HMAC The 2019 Stack Overflow Developer Survey Results Are In Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)What is the “shared secret” used for in IPSec VPN?What are the well known protocols that offer perfect forward secrecy?AES-GCM Hash sub key parameter in Intel's IPsec libraryIs IPsec IND-CCA secure provided the used block cipher is a pseudorandom function?where does the prime number taken in DH algorithm in IPSECWhy TLS uses in-band handshake signallingHow does OpenVPN work?

How should I replace vector<uint8_t>::const_iterator in an API?

Did the UK government pay "millions and millions of dollars" to try to snag Julian Assange?

Do warforged have souls?

Is this wall load bearing? Blueprints and photos attached

Does the AirPods case need to be around while listening via an iOS Device?

Install many applications using one command

Change bounding box of math glyphs in LuaTeX

Can the DM override racial traits?

How many people can fit inside Mordenkainen's Magnificent Mansion?

Semisimplicity of the category of coherent sheaves?

Windows 10: How to Lock (not sleep) laptop on lid close?

Arduino Pro Micro - switch off LEDs

When did F become S in typeography, and why?

"... to apply for a visa" or "... and applied for a visa"?

Road tyres vs "Street" tyres for charity ride on MTB Tandem

How does ice melt when immersed in water

Did the new image of black hole confirm the general theory of relativity?

Why is superheterodyning better than direct conversion?

First use of “packing” as in carrying a gun

Who or what is the being for whom Being is a question for Heidegger?

Can the prologue be the backstory of your main character?

How to grep and cut numbers from a file and sum them

Single author papers against my advisor's will?

How did the audience guess the pentatonic scale in Bobby McFerrin's presentation?



ipsec, esp: Which key is used to generate the HMAC



The 2019 Stack Overflow Developer Survey Results Are In
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)What is the “shared secret” used for in IPSec VPN?What are the well known protocols that offer perfect forward secrecy?AES-GCM Hash sub key parameter in Intel's IPsec libraryIs IPsec IND-CCA secure provided the used block cipher is a pseudorandom function?where does the prime number taken in DH algorithm in IPSECWhy TLS uses in-band handshake signallingHow does OpenVPN work?










1












$begingroup$


Short Question:
Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP?
Or do there exist two keys in the SA?



Long Question:
Before a new IPSEC-ESP connection is established, IKEv2 is used to start a new session.
This involves also a DH key agreement.
This key is than stored in the IKE-SA.



Once the session is established, ESP uses the key in the IKE-SA's for the message encryption/decryption.
After the payload was encrypted, the ICV is calculated by a HMAC calculation.
But this HMAC requires also a key.
I have already searched for a few hours without being successful.



Is it the same key that is used for encryption, is it calculated out of the encryption key or are there two keys stored in the SA?



I wasn't able to find the answer in rfc4303 (ESP), rfc2104 (HMAC) or rfc7296 (IKEv2).



And there are not many books about IPsec out there.






ipsec







share|improve this question







New contributor




byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$
















    1












    $begingroup$


    Short Question:
    Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP?
    Or do there exist two keys in the SA?



    Long Question:
    Before a new IPSEC-ESP connection is established, IKEv2 is used to start a new session.
    This involves also a DH key agreement.
    This key is than stored in the IKE-SA.



    Once the session is established, ESP uses the key in the IKE-SA's for the message encryption/decryption.
    After the payload was encrypted, the ICV is calculated by a HMAC calculation.
    But this HMAC requires also a key.
    I have already searched for a few hours without being successful.



    Is it the same key that is used for encryption, is it calculated out of the encryption key or are there two keys stored in the SA?



    I wasn't able to find the answer in rfc4303 (ESP), rfc2104 (HMAC) or rfc7296 (IKEv2).



    And there are not many books about IPsec out there.






    ipsec







    share|improve this question







    New contributor




    byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.







    $endgroup$














      1












      1








      1





      $begingroup$


      Short Question:
      Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP?
      Or do there exist two keys in the SA?



      Long Question:
      Before a new IPSEC-ESP connection is established, IKEv2 is used to start a new session.
      This involves also a DH key agreement.
      This key is than stored in the IKE-SA.



      Once the session is established, ESP uses the key in the IKE-SA's for the message encryption/decryption.
      After the payload was encrypted, the ICV is calculated by a HMAC calculation.
      But this HMAC requires also a key.
      I have already searched for a few hours without being successful.



      Is it the same key that is used for encryption, is it calculated out of the encryption key or are there two keys stored in the SA?



      I wasn't able to find the answer in rfc4303 (ESP), rfc2104 (HMAC) or rfc7296 (IKEv2).



      And there are not many books about IPsec out there.






      ipsec







      share|improve this question







      New contributor




      byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.







      $endgroup$




      Short Question:
      Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP?
      Or do there exist two keys in the SA?



      Long Question:
      Before a new IPSEC-ESP connection is established, IKEv2 is used to start a new session.
      This involves also a DH key agreement.
      This key is than stored in the IKE-SA.



      Once the session is established, ESP uses the key in the IKE-SA's for the message encryption/decryption.
      After the payload was encrypted, the ICV is calculated by a HMAC calculation.
      But this HMAC requires also a key.
      I have already searched for a few hours without being successful.



      Is it the same key that is used for encryption, is it calculated out of the encryption key or are there two keys stored in the SA?



      I wasn't able to find the answer in rfc4303 (ESP), rfc2104 (HMAC) or rfc7296 (IKEv2).



      And there are not many books about IPsec out there.






      ipsec




      ipsec






      share|improve this question







      New contributor




      byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question







      New contributor




      byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question






      New contributor




      byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 6 hours ago









      byteunitbyteunit

      1062




      1062




      New contributor




      byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




















          1 Answer
          1






          active

          oldest

          votes


















          2












          $begingroup$


          Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP? Or do there exist two keys in the SA?




          No, the keys are not the same. Yes, there do exist two keys in the SA (at least, for SAs that have separate encryption and integrity transforms - not all do).



          You do derive both the encryption and the HMAC key at the same time, from the same secret, but they are not the same (that'd be bad key hygene). Instead they are derived from the same secret (and also you generate the keys for the SA protecting traffic flowing in the opposite direction at the same time).



          That is, IKE generates a long random-looking string (which it refers to as KEYMAT); if the encryption key is n bits and the integrity (ICV) key is m bits (and AH is not being used), then at least 2n+2m bits of KEYMAT are generated, and then:



          • The first n bits is used as the initiator-to-responder encryption key (that is, used to protect traffic flowing from the initiator to the responder)

          • The next m bits is used as the initiator-to-responder integrity key

          • The next n bits is used as the responder-to-initiator encryption key

          • The next m bits is used as the responder-to-initiator integrity key

          To see the text of the standard, see section 2.17 of RFC7296:




          In any case, keying material
          for each Child SA MUST be taken from the expanded KEYMAT using the
          following rules:



          All keys for SAs carrying data from the initiator to the responder
          are taken before SAs going from the responder to the initiator.



          If multiple IPsec protocols are negotiated, keying material for
          each Child SA is taken in the order in which the protocol headers
          will appear in the encapsulated packet.



          If an IPsec protocol requires multiple keys, the order in which
          they are taken from the SA's keying material needs to be described
          in the protocol's specification. For ESP and AH, [IPSECARCH]
          defines the order, namely: the encryption key (if any) MUST be
          taken from the first bits and the integrity key (if any) MUST be
          taken from the remaining bits.




          The HMAC key is the 'integrity key'






          share|improve this answer











          $endgroup$













            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "281"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );






            byteunit is a new contributor. Be nice, and check out our Code of Conduct.









            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68754%2fipsec-esp-which-key-is-used-to-generate-the-hmac%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            2












            $begingroup$


            Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP? Or do there exist two keys in the SA?




            No, the keys are not the same. Yes, there do exist two keys in the SA (at least, for SAs that have separate encryption and integrity transforms - not all do).



            You do derive both the encryption and the HMAC key at the same time, from the same secret, but they are not the same (that'd be bad key hygene). Instead they are derived from the same secret (and also you generate the keys for the SA protecting traffic flowing in the opposite direction at the same time).



            That is, IKE generates a long random-looking string (which it refers to as KEYMAT); if the encryption key is n bits and the integrity (ICV) key is m bits (and AH is not being used), then at least 2n+2m bits of KEYMAT are generated, and then:



            • The first n bits is used as the initiator-to-responder encryption key (that is, used to protect traffic flowing from the initiator to the responder)

            • The next m bits is used as the initiator-to-responder integrity key

            • The next n bits is used as the responder-to-initiator encryption key

            • The next m bits is used as the responder-to-initiator integrity key

            To see the text of the standard, see section 2.17 of RFC7296:




            In any case, keying material
            for each Child SA MUST be taken from the expanded KEYMAT using the
            following rules:



            All keys for SAs carrying data from the initiator to the responder
            are taken before SAs going from the responder to the initiator.



            If multiple IPsec protocols are negotiated, keying material for
            each Child SA is taken in the order in which the protocol headers
            will appear in the encapsulated packet.



            If an IPsec protocol requires multiple keys, the order in which
            they are taken from the SA's keying material needs to be described
            in the protocol's specification. For ESP and AH, [IPSECARCH]
            defines the order, namely: the encryption key (if any) MUST be
            taken from the first bits and the integrity key (if any) MUST be
            taken from the remaining bits.




            The HMAC key is the 'integrity key'






            share|improve this answer











            $endgroup$

















              2












              $begingroup$


              Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP? Or do there exist two keys in the SA?




              No, the keys are not the same. Yes, there do exist two keys in the SA (at least, for SAs that have separate encryption and integrity transforms - not all do).



              You do derive both the encryption and the HMAC key at the same time, from the same secret, but they are not the same (that'd be bad key hygene). Instead they are derived from the same secret (and also you generate the keys for the SA protecting traffic flowing in the opposite direction at the same time).



              That is, IKE generates a long random-looking string (which it refers to as KEYMAT); if the encryption key is n bits and the integrity (ICV) key is m bits (and AH is not being used), then at least 2n+2m bits of KEYMAT are generated, and then:



              • The first n bits is used as the initiator-to-responder encryption key (that is, used to protect traffic flowing from the initiator to the responder)

              • The next m bits is used as the initiator-to-responder integrity key

              • The next n bits is used as the responder-to-initiator encryption key

              • The next m bits is used as the responder-to-initiator integrity key

              To see the text of the standard, see section 2.17 of RFC7296:




              In any case, keying material
              for each Child SA MUST be taken from the expanded KEYMAT using the
              following rules:



              All keys for SAs carrying data from the initiator to the responder
              are taken before SAs going from the responder to the initiator.



              If multiple IPsec protocols are negotiated, keying material for
              each Child SA is taken in the order in which the protocol headers
              will appear in the encapsulated packet.



              If an IPsec protocol requires multiple keys, the order in which
              they are taken from the SA's keying material needs to be described
              in the protocol's specification. For ESP and AH, [IPSECARCH]
              defines the order, namely: the encryption key (if any) MUST be
              taken from the first bits and the integrity key (if any) MUST be
              taken from the remaining bits.




              The HMAC key is the 'integrity key'






              share|improve this answer











              $endgroup$















                2












                2








                2





                $begingroup$


                Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP? Or do there exist two keys in the SA?




                No, the keys are not the same. Yes, there do exist two keys in the SA (at least, for SAs that have separate encryption and integrity transforms - not all do).



                You do derive both the encryption and the HMAC key at the same time, from the same secret, but they are not the same (that'd be bad key hygene). Instead they are derived from the same secret (and also you generate the keys for the SA protecting traffic flowing in the opposite direction at the same time).



                That is, IKE generates a long random-looking string (which it refers to as KEYMAT); if the encryption key is n bits and the integrity (ICV) key is m bits (and AH is not being used), then at least 2n+2m bits of KEYMAT are generated, and then:



                • The first n bits is used as the initiator-to-responder encryption key (that is, used to protect traffic flowing from the initiator to the responder)

                • The next m bits is used as the initiator-to-responder integrity key

                • The next n bits is used as the responder-to-initiator encryption key

                • The next m bits is used as the responder-to-initiator integrity key

                To see the text of the standard, see section 2.17 of RFC7296:




                In any case, keying material
                for each Child SA MUST be taken from the expanded KEYMAT using the
                following rules:



                All keys for SAs carrying data from the initiator to the responder
                are taken before SAs going from the responder to the initiator.



                If multiple IPsec protocols are negotiated, keying material for
                each Child SA is taken in the order in which the protocol headers
                will appear in the encapsulated packet.



                If an IPsec protocol requires multiple keys, the order in which
                they are taken from the SA's keying material needs to be described
                in the protocol's specification. For ESP and AH, [IPSECARCH]
                defines the order, namely: the encryption key (if any) MUST be
                taken from the first bits and the integrity key (if any) MUST be
                taken from the remaining bits.




                The HMAC key is the 'integrity key'






                share|improve this answer











                $endgroup$




                Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP? Or do there exist two keys in the SA?




                No, the keys are not the same. Yes, there do exist two keys in the SA (at least, for SAs that have separate encryption and integrity transforms - not all do).



                You do derive both the encryption and the HMAC key at the same time, from the same secret, but they are not the same (that'd be bad key hygene). Instead they are derived from the same secret (and also you generate the keys for the SA protecting traffic flowing in the opposite direction at the same time).



                That is, IKE generates a long random-looking string (which it refers to as KEYMAT); if the encryption key is n bits and the integrity (ICV) key is m bits (and AH is not being used), then at least 2n+2m bits of KEYMAT are generated, and then:



                • The first n bits is used as the initiator-to-responder encryption key (that is, used to protect traffic flowing from the initiator to the responder)

                • The next m bits is used as the initiator-to-responder integrity key

                • The next n bits is used as the responder-to-initiator encryption key

                • The next m bits is used as the responder-to-initiator integrity key

                To see the text of the standard, see section 2.17 of RFC7296:




                In any case, keying material
                for each Child SA MUST be taken from the expanded KEYMAT using the
                following rules:



                All keys for SAs carrying data from the initiator to the responder
                are taken before SAs going from the responder to the initiator.



                If multiple IPsec protocols are negotiated, keying material for
                each Child SA is taken in the order in which the protocol headers
                will appear in the encapsulated packet.



                If an IPsec protocol requires multiple keys, the order in which
                they are taken from the SA's keying material needs to be described
                in the protocol's specification. For ESP and AH, [IPSECARCH]
                defines the order, namely: the encryption key (if any) MUST be
                taken from the first bits and the integrity key (if any) MUST be
                taken from the remaining bits.




                The HMAC key is the 'integrity key'







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited 2 hours ago

























                answered 4 hours ago









                ponchoponcho

                94k2148247




                94k2148247




















                    byteunit is a new contributor. Be nice, and check out our Code of Conduct.









                    draft saved

                    draft discarded


















                    byteunit is a new contributor. Be nice, and check out our Code of Conduct.












                    byteunit is a new contributor. Be nice, and check out our Code of Conduct.











                    byteunit is a new contributor. Be nice, and check out our Code of Conduct.














                    Thanks for contributing an answer to Cryptography Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    Use MathJax to format equations. MathJax reference.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68754%2fipsec-esp-which-key-is-used-to-generate-the-hmac%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Are there any AGPL-style licences that require source code modifications to be public? Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern) Announcing the arrival of Valued Associate #679: Cesar Manara Unicorn Meta Zoo #1: Why another podcast?Force derivative works to be publicAre there any GPL like licenses for Apple App Store?Do you violate the GPL if you provide source code that cannot be compiled?GPL - is it distribution to use libraries in an appliance loaned to customers?Distributing App for free which uses GPL'ed codeModifications of server software under GPL, with web/CLI interfaceDoes using an AGPLv3-licensed library prevent me from dual-licensing my own source code?Can I publish only select code under GPLv3 from a private project?Is there published precedent regarding the scope of covered work that uses AGPL software?If MIT licensed code links to GPL licensed code what should be the license of the resulting binary program?If I use a public API endpoint that has its source code licensed under AGPL in my app, do I need to disclose my source?

                    Image
                    Flight departed from the gate 5 min before scheduled departure time. Refund options How to show a density matrix is in a pure/mixed state? Can we cancel the equality mark here? How to ask rejected full-time candidates to apply to teach individual courses? Are there any AGPL-style licences that require source code modifications to be public? Why did Israel vote against lifting the American embargo on Cuba? What should one know about term logic before studying propositional and predicate logic? Why is Rajasthan pro BJP in the LS elections but not in the state elections? New Order #6: Easter Egg Question on Gÿongy' lemma proof How to resize main filesystem Is it OK if I do not take the receipt in Germany? My mentor says to set image to Fine instead of RAW — how is this different from JPG? Can I feed enough spin up electron to a black hole to affect it's angular momentum? How do I find my Spellcasting Ability for my D&D character? Is my guitar’s ac
                    Read more

                    2013 GY136 Descoberta | Órbita | Referências Menu de navegação«List Of Centaurs and Scattered-Disk Objects»«List of Known Trans-Neptunian Objects»

                    Image
                    Objetos do disco dispersoObjetos transnetunianos objeto transnetunianodisco dispersoSistema Solarcorpo celesteressonância orbitalplanetaplanetamagnitude absolutadiâmetro9 de abril2013Outer Solar System Origins Surveyórbitaexcentricidadesemieixo maiorUAperiélioSolafélio 2013 GY136 Data da descoberta 9 de abril de 2013 Descoberto por Outer Solar System Origins Survey Categoria Transnetuniano Objeto do disco disperso Elementos orbitais Semieixo maior 55,961 UA Perélio 32,595 UA Afélio 79,327 UA Excentricidade 0,418 Inclinação 10,9° Características físicas Dimensões 133 km Magnitude absoluta 7,6 ver 2013 GY 136 , também escrito como 2013 GY136 , é um objeto transnetuniano que está localizado no disco disperso, uma região do Sistema Solar. Este corpo celeste está em uma ressonância orbital de 2:5 com o planeta planeta. Ele possui uma magnitude absoluta de 7,6 [ 1 ] e tem um diâmetro estimado de 133 km. [ 2 ] Descoberta | 2013 GY 136 foi descoberto no dia 9 de abril de 2013 pelo Outer S
                    Read more

                    Button changing it's text & action. Good or terrible? The 2019 Stack Overflow Developer Survey Results Are Inchanging text on user mouseoverShould certain functions be “hard to find” for powerusers to discover?Custom liking function - do I need user login?Using different checkbox style for different checkbox behaviorBest Practices: Save and Exit in Software UIInteraction with remote validated formMore efficient UI to progress the user through a complicated process?Designing a popup notice for a gameShould bulk-editing functions be hidden until a table row is selected, or is there a better solution?Is it bad practice to disable (replace) the context menu?

                    Image
                    Delete all lines which don't have n characters before delimiter Why isn't the circumferential light around the M87 black hole's event horizon symmetric? Why did Acorn's A3000 have red function keys? Does the shape of a die affect the probability of a number being rolled? Worn-tile Scrabble Why do UK politicians seemingly ignore opinion polls on Brexit? If a Druid sees an animal’s corpse, can they wild shape into that animal? Is an up-to-date browser secure on an out-of-date OS? Loose spokes after only a few rides How are circuits which use complex ICs normally simulated? Multiply Two Integer Polynomials Resizing object distorts it (Illustrator CC 2018) Do these rules for Critical Successes and Critical Failures seem Fair? Why can Shazam fly? Does a dangling wire really electrocute me if I'm standing in water? Can we generate random numbers using irrational numbers like π and e? Why isn't airport relocation done gradually? What d
                    Read more