ipsec, esp: Which key is used to generate the HMAC The 2019 Stack Overflow Developer Survey Results Are In Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)What is the “shared secret” used for in IPSec VPN?What are the well known protocols that offer perfect forward secrecy?AES-GCM Hash sub key parameter in Intel's IPsec libraryIs IPsec IND-CCA secure provided the used block cipher is a pseudorandom function?where does the prime number taken in DH algorithm in IPSECWhy TLS uses in-band handshake signallingHow does OpenVPN work?

how can a perfect fourth interval be considered either consonant or dissonant?

Do warforged have souls?

What is special about square numbers here?

Sort list of array linked objects by keys and values

I could not break this equation. Please help me

How should I replace vector<uint8_t>::const_iterator in an API?

How is simplicity better than precision and clarity in prose?

Is this wall load bearing? Blueprints and photos attached

Can a novice safely splice in wire to lengthen 5V charging cable?

Python - Fishing Simulator

Can a 1st-level character have an ability score above 18?

Can withdrawing asylum be illegal?

Empty set is subset of every set? If yes, why that...

Finding the path in a graph from A to B then back to A with a minimum of shared edges

What's the point in a preamp?

Arduino Pro Micro - switch off LEDs

The variadic template constructor of my class cannot modify my class members, why is that so?

Does the AirPods case need to be around while listening via an iOS Device?

How many people can fit inside Mordenkainen's Magnificent Mansion?

How can I protect witches in combat who wear limited clothing?

system() function string length limit

Simulating Exploding Dice

Is every episode of "Where are my Pants?" identical?

How to delete random line from file using Unix command?



ipsec, esp: Which key is used to generate the HMAC



The 2019 Stack Overflow Developer Survey Results Are In
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)What is the “shared secret” used for in IPSec VPN?What are the well known protocols that offer perfect forward secrecy?AES-GCM Hash sub key parameter in Intel's IPsec libraryIs IPsec IND-CCA secure provided the used block cipher is a pseudorandom function?where does the prime number taken in DH algorithm in IPSECWhy TLS uses in-band handshake signallingHow does OpenVPN work?










1












$begingroup$


Short Question:
Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP?
Or do there exist two keys in the SA?



Long Question:
Before a new IPSEC-ESP connection is established, IKEv2 is used to start a new session.
This involves also a DH key agreement.
This key is than stored in the IKE-SA.



Once the session is established, ESP uses the key in the IKE-SA's for the message encryption/decryption.
After the payload was encrypted, the ICV is calculated by a HMAC calculation.
But this HMAC requires also a key.
I have already searched for a few hours without being successful.



Is it the same key that is used for encryption, is it calculated out of the encryption key or are there two keys stored in the SA?



I wasn't able to find the answer in rfc4303 (ESP), rfc2104 (HMAC) or rfc7296 (IKEv2).



And there are not many books about IPsec out there.






ipsec







share|improve this question







New contributor




byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$
















    1












    $begingroup$


    Short Question:
    Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP?
    Or do there exist two keys in the SA?



    Long Question:
    Before a new IPSEC-ESP connection is established, IKEv2 is used to start a new session.
    This involves also a DH key agreement.
    This key is than stored in the IKE-SA.



    Once the session is established, ESP uses the key in the IKE-SA's for the message encryption/decryption.
    After the payload was encrypted, the ICV is calculated by a HMAC calculation.
    But this HMAC requires also a key.
    I have already searched for a few hours without being successful.



    Is it the same key that is used for encryption, is it calculated out of the encryption key or are there two keys stored in the SA?



    I wasn't able to find the answer in rfc4303 (ESP), rfc2104 (HMAC) or rfc7296 (IKEv2).



    And there are not many books about IPsec out there.






    ipsec







    share|improve this question







    New contributor




    byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.







    $endgroup$














      1












      1








      1





      $begingroup$


      Short Question:
      Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP?
      Or do there exist two keys in the SA?



      Long Question:
      Before a new IPSEC-ESP connection is established, IKEv2 is used to start a new session.
      This involves also a DH key agreement.
      This key is than stored in the IKE-SA.



      Once the session is established, ESP uses the key in the IKE-SA's for the message encryption/decryption.
      After the payload was encrypted, the ICV is calculated by a HMAC calculation.
      But this HMAC requires also a key.
      I have already searched for a few hours without being successful.



      Is it the same key that is used for encryption, is it calculated out of the encryption key or are there two keys stored in the SA?



      I wasn't able to find the answer in rfc4303 (ESP), rfc2104 (HMAC) or rfc7296 (IKEv2).



      And there are not many books about IPsec out there.






      ipsec







      share|improve this question







      New contributor




      byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.







      $endgroup$




      Short Question:
      Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP?
      Or do there exist two keys in the SA?



      Long Question:
      Before a new IPSEC-ESP connection is established, IKEv2 is used to start a new session.
      This involves also a DH key agreement.
      This key is than stored in the IKE-SA.



      Once the session is established, ESP uses the key in the IKE-SA's for the message encryption/decryption.
      After the payload was encrypted, the ICV is calculated by a HMAC calculation.
      But this HMAC requires also a key.
      I have already searched for a few hours without being successful.



      Is it the same key that is used for encryption, is it calculated out of the encryption key or are there two keys stored in the SA?



      I wasn't able to find the answer in rfc4303 (ESP), rfc2104 (HMAC) or rfc7296 (IKEv2).



      And there are not many books about IPsec out there.






      ipsec




      ipsec






      share|improve this question







      New contributor




      byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question







      New contributor




      byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question






      New contributor




      byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 6 hours ago









      byteunitbyteunit

      1062




      1062




      New contributor




      byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      byteunit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




















          1 Answer
          1






          active

          oldest

          votes


















          2












          $begingroup$


          Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP? Or do there exist two keys in the SA?




          No, the keys are not the same. Yes, there do exist two keys in the SA (at least, for SAs that have separate encryption and integrity transforms - not all do).



          You do derive both the encryption and the HMAC key at the same time, from the same secret, but they are not the same (that'd be bad key hygene). Instead they are derived from the same secret (and also you generate the keys for the SA protecting traffic flowing in the opposite direction at the same time).



          That is, IKE generates a long random-looking string (which it refers to as KEYMAT); if the encryption key is n bits and the integrity (ICV) key is m bits (and AH is not being used), then at least 2n+2m bits of KEYMAT are generated, and then:



          • The first n bits is used as the initiator-to-responder encryption key (that is, used to protect traffic flowing from the initiator to the responder)

          • The next m bits is used as the initiator-to-responder integrity key

          • The next n bits is used as the responder-to-initiator encryption key

          • The next m bits is used as the responder-to-initiator integrity key

          To see the text of the standard, see section 2.17 of RFC7296:




          In any case, keying material
          for each Child SA MUST be taken from the expanded KEYMAT using the
          following rules:



          All keys for SAs carrying data from the initiator to the responder
          are taken before SAs going from the responder to the initiator.



          If multiple IPsec protocols are negotiated, keying material for
          each Child SA is taken in the order in which the protocol headers
          will appear in the encapsulated packet.



          If an IPsec protocol requires multiple keys, the order in which
          they are taken from the SA's keying material needs to be described
          in the protocol's specification. For ESP and AH, [IPSECARCH]
          defines the order, namely: the encryption key (if any) MUST be
          taken from the first bits and the integrity key (if any) MUST be
          taken from the remaining bits.




          The HMAC key is the 'integrity key'






          share|improve this answer











          $endgroup$













            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "281"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );






            byteunit is a new contributor. Be nice, and check out our Code of Conduct.









            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68754%2fipsec-esp-which-key-is-used-to-generate-the-hmac%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            2












            $begingroup$


            Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP? Or do there exist two keys in the SA?




            No, the keys are not the same. Yes, there do exist two keys in the SA (at least, for SAs that have separate encryption and integrity transforms - not all do).



            You do derive both the encryption and the HMAC key at the same time, from the same secret, but they are not the same (that'd be bad key hygene). Instead they are derived from the same secret (and also you generate the keys for the SA protecting traffic flowing in the opposite direction at the same time).



            That is, IKE generates a long random-looking string (which it refers to as KEYMAT); if the encryption key is n bits and the integrity (ICV) key is m bits (and AH is not being used), then at least 2n+2m bits of KEYMAT are generated, and then:



            • The first n bits is used as the initiator-to-responder encryption key (that is, used to protect traffic flowing from the initiator to the responder)

            • The next m bits is used as the initiator-to-responder integrity key

            • The next n bits is used as the responder-to-initiator encryption key

            • The next m bits is used as the responder-to-initiator integrity key

            To see the text of the standard, see section 2.17 of RFC7296:




            In any case, keying material
            for each Child SA MUST be taken from the expanded KEYMAT using the
            following rules:



            All keys for SAs carrying data from the initiator to the responder
            are taken before SAs going from the responder to the initiator.



            If multiple IPsec protocols are negotiated, keying material for
            each Child SA is taken in the order in which the protocol headers
            will appear in the encapsulated packet.



            If an IPsec protocol requires multiple keys, the order in which
            they are taken from the SA's keying material needs to be described
            in the protocol's specification. For ESP and AH, [IPSECARCH]
            defines the order, namely: the encryption key (if any) MUST be
            taken from the first bits and the integrity key (if any) MUST be
            taken from the remaining bits.




            The HMAC key is the 'integrity key'






            share|improve this answer











            $endgroup$

















              2












              $begingroup$


              Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP? Or do there exist two keys in the SA?




              No, the keys are not the same. Yes, there do exist two keys in the SA (at least, for SAs that have separate encryption and integrity transforms - not all do).



              You do derive both the encryption and the HMAC key at the same time, from the same secret, but they are not the same (that'd be bad key hygene). Instead they are derived from the same secret (and also you generate the keys for the SA protecting traffic flowing in the opposite direction at the same time).



              That is, IKE generates a long random-looking string (which it refers to as KEYMAT); if the encryption key is n bits and the integrity (ICV) key is m bits (and AH is not being used), then at least 2n+2m bits of KEYMAT are generated, and then:



              • The first n bits is used as the initiator-to-responder encryption key (that is, used to protect traffic flowing from the initiator to the responder)

              • The next m bits is used as the initiator-to-responder integrity key

              • The next n bits is used as the responder-to-initiator encryption key

              • The next m bits is used as the responder-to-initiator integrity key

              To see the text of the standard, see section 2.17 of RFC7296:




              In any case, keying material
              for each Child SA MUST be taken from the expanded KEYMAT using the
              following rules:



              All keys for SAs carrying data from the initiator to the responder
              are taken before SAs going from the responder to the initiator.



              If multiple IPsec protocols are negotiated, keying material for
              each Child SA is taken in the order in which the protocol headers
              will appear in the encapsulated packet.



              If an IPsec protocol requires multiple keys, the order in which
              they are taken from the SA's keying material needs to be described
              in the protocol's specification. For ESP and AH, [IPSECARCH]
              defines the order, namely: the encryption key (if any) MUST be
              taken from the first bits and the integrity key (if any) MUST be
              taken from the remaining bits.




              The HMAC key is the 'integrity key'






              share|improve this answer











              $endgroup$















                2












                2








                2





                $begingroup$


                Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP? Or do there exist two keys in the SA?




                No, the keys are not the same. Yes, there do exist two keys in the SA (at least, for SAs that have separate encryption and integrity transforms - not all do).



                You do derive both the encryption and the HMAC key at the same time, from the same secret, but they are not the same (that'd be bad key hygene). Instead they are derived from the same secret (and also you generate the keys for the SA protecting traffic flowing in the opposite direction at the same time).



                That is, IKE generates a long random-looking string (which it refers to as KEYMAT); if the encryption key is n bits and the integrity (ICV) key is m bits (and AH is not being used), then at least 2n+2m bits of KEYMAT are generated, and then:



                • The first n bits is used as the initiator-to-responder encryption key (that is, used to protect traffic flowing from the initiator to the responder)

                • The next m bits is used as the initiator-to-responder integrity key

                • The next n bits is used as the responder-to-initiator encryption key

                • The next m bits is used as the responder-to-initiator integrity key

                To see the text of the standard, see section 2.17 of RFC7296:




                In any case, keying material
                for each Child SA MUST be taken from the expanded KEYMAT using the
                following rules:



                All keys for SAs carrying data from the initiator to the responder
                are taken before SAs going from the responder to the initiator.



                If multiple IPsec protocols are negotiated, keying material for
                each Child SA is taken in the order in which the protocol headers
                will appear in the encapsulated packet.



                If an IPsec protocol requires multiple keys, the order in which
                they are taken from the SA's keying material needs to be described
                in the protocol's specification. For ESP and AH, [IPSECARCH]
                defines the order, namely: the encryption key (if any) MUST be
                taken from the first bits and the integrity key (if any) MUST be
                taken from the remaining bits.




                The HMAC key is the 'integrity key'






                share|improve this answer











                $endgroup$




                Are the keys for the ICV calculation and the encryption the same in IPSEC/ESP? Or do there exist two keys in the SA?




                No, the keys are not the same. Yes, there do exist two keys in the SA (at least, for SAs that have separate encryption and integrity transforms - not all do).



                You do derive both the encryption and the HMAC key at the same time, from the same secret, but they are not the same (that'd be bad key hygene). Instead they are derived from the same secret (and also you generate the keys for the SA protecting traffic flowing in the opposite direction at the same time).



                That is, IKE generates a long random-looking string (which it refers to as KEYMAT); if the encryption key is n bits and the integrity (ICV) key is m bits (and AH is not being used), then at least 2n+2m bits of KEYMAT are generated, and then:



                • The first n bits is used as the initiator-to-responder encryption key (that is, used to protect traffic flowing from the initiator to the responder)

                • The next m bits is used as the initiator-to-responder integrity key

                • The next n bits is used as the responder-to-initiator encryption key

                • The next m bits is used as the responder-to-initiator integrity key

                To see the text of the standard, see section 2.17 of RFC7296:




                In any case, keying material
                for each Child SA MUST be taken from the expanded KEYMAT using the
                following rules:



                All keys for SAs carrying data from the initiator to the responder
                are taken before SAs going from the responder to the initiator.



                If multiple IPsec protocols are negotiated, keying material for
                each Child SA is taken in the order in which the protocol headers
                will appear in the encapsulated packet.



                If an IPsec protocol requires multiple keys, the order in which
                they are taken from the SA's keying material needs to be described
                in the protocol's specification. For ESP and AH, [IPSECARCH]
                defines the order, namely: the encryption key (if any) MUST be
                taken from the first bits and the integrity key (if any) MUST be
                taken from the remaining bits.




                The HMAC key is the 'integrity key'







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited 2 hours ago

























                answered 4 hours ago









                ponchoponcho

                94k2148247




                94k2148247




















                    byteunit is a new contributor. Be nice, and check out our Code of Conduct.









                    draft saved

                    draft discarded


















                    byteunit is a new contributor. Be nice, and check out our Code of Conduct.












                    byteunit is a new contributor. Be nice, and check out our Code of Conduct.











                    byteunit is a new contributor. Be nice, and check out our Code of Conduct.














                    Thanks for contributing an answer to Cryptography Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    Use MathJax to format equations. MathJax reference.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68754%2fipsec-esp-which-key-is-used-to-generate-the-hmac%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Isabella Eugénie Boyer Biographie | Références | Menu de navigationmodifiermodifier le codeComparator to Compute the Relative Value of a U.S. Dollar Amount – 1774 to Present.

                    Image
                    Personnalité américaine du monde des affairesPersonnalité féminine françaiseNaissance en décembre 1841Naissance à ParisDécès en mai 1904Décès à 62 ansDécès à Paris 17 décembre1841Paris12 mai1904Isaac Merritt SingerSingerNew York1863guerre civile américaineParisAngleterreguerre de 1870DevonOldway Mansion (en) PaigntonWinnarettaEdmond de Polignacduchesse DecazesdollarsVictor ReubsaetParisHumbert I er d'Italieviolon de StradivariusStatue de la LibertéBartholdi Isabella Eugénie Boyer.mw-parser-output .entete.humainbackground-image:url("//upload.wikimedia.org/wikipedia/commons/8/82/Picto_infobox_manwoman.png") Isabella Eugénie Boyer. Titre de noblesse Duchesse Biographie Naissance 17 décembre 1841 Paris Décès 12 mai 1904 (à 62 ans) Paris Sépulture Cimetière de Passy Nationalité Française Domicile Oldway Mansion ( en ) Activité Mannequin Con...
                    Read more

                    Join wedge with single bond in chemfigHow to make only one part of double bond bold with chemfig?Crossing bonds in chemfigjoining atoms in chemfig. Two adjacent molculesHow do I selectively change bond length in chemfig?Ugly bond joints in chemfigchemfig: reaction above arrowUsing the mhchem and chemfig packages in conjunctionBonding to specific element letter using chemfigResonance hybrids in chemfigScale chemfig molecule in beamer with tikzWhy does this chemfig bond with a hook start in the middle of the atom?

                    Image
                    Where does SFDX store details about scratch orgs? Decimal to roman python Is it possible to create light that imparts a greater proportion of its energy as momentum rather than heat? What is the word for reserving something for yourself before others do? How could indestructible materials be used in power generation? Issue with type force PATH search How to copy / replace first letter in a column of attribute table in ArcMap with field calculator and Python? A plague kills all white people book, probably 1960's Is it inappropriate for a student to attend their mentor's dissertation defense? How to model explosives? Twin primes whose sum is a cube Alternative to sending password over mail? Do I have a twin with permutated remainders? Why do I get two different answers for this counting problem? How badly should I try to prevent a user from XSSing themselves? What is going on with Captain Marvel's blood colour? I'm going to France and my pa...
                    Read more

                    Are small insurances worth itIs insurance worth it if you can afford to replace the item? If not, when is it?Is accident insurance worth it for my kids who play sportsIs insuring property for more than it is worth allowed?At what point does it become worth it to file an insurance claim?Are wage loss insurance programs worth the cost compared to having an emergency fund?When is an event worth insuring against?Is insurance worth it if you can afford to replace the item? If not, when is it?FHA loan just commenced : Any way to get any of the up-front mortgage insurance back?Which types of insurances do I need to buy?Should I carry less renter's insurance if I can self-insure?Mortgage Adviser Signed Me Up For Multiple Home and Life Insurances (UK)Why many travel insurances don't cover country of nationality?

                    Image
                    Does restoring a database break external synonyms targeting objects in that database? In the world of The Matrix, what is "popping"? “I had a flat in the centre of town, but I didn’t like living there, so …” My cassette model name doesn't seem to fit the actual cassette description.. (CS-HG50-9 and CS-HG500-10) Does the US political system, in principle, allow for a no-party system? An Undercover Army Too soon for a plot twist? How does learning spells work when leveling a multiclass character? What is the purpose of a disclaimer like "this is not legal advice"? What do I miss if I buy Monster Hunter: World late? Was it really inappropriate to write a pull request for the company I interviewed with? How spaceships determine each other's mass in space? Replacing tantalum capacitor with ceramic capacitor for Op Amps Ultrafilters as a double dual Insult for someone who "doesn't know anything" How do you make a gun tha...
                    Read more