Hi Ben,

> Hi IPsec!
>
> We've just published draft-ietf-ipsecme-sha3-01. This version aligns the
> draft more closely with draft-ietf-ipsecme-ikev2-prf-plus-00:
> * Rather than integrating KMAC into prf+, we've replaced prf+ entirely with
>   a single KMAC call, which simplifies the design.
> * We've doubled KMAC's preferred key sizes to be the same as the default PRF
>   output length, hence aligning it with the corresponding HMAC of the same
>   strength (but see point 2 below)
>
> There are a couple of points we'd like the WG's opinion on - these are
> highlighted as EDNOTEs in the draft, but are elaborated below:
>
> 1) KMAC supports use of customisation strings, and this draft makes use of
> them to provide separation between the IKE context and the ESP/AH context.
> There seemed to be some interest in the room at IETF 123 for this approach.
> The concern is that without use of customisation strings, the same PRF
> output could be derived in different contexts.
>
> For instance, consider the following derivations of SKEYSEED (following a
> rekey), and of KEYMAT (generated in a CREATE_CHILD_SA):
>
>   SKEYSEED = prf(SK_d (old), g^ir (new) | Ni | Nr)
>   KEYMAT   = prf+(SK_d, g^ir (new) | Ni | Nr)
>
> When using KMAC, prf and prf+ are identical, hence if asking for the same
> amount of key material, given the same inputs these would produce the same
> outputs. This is unlikely to manifest as an actual problem since the second
> input should be different, but it feels prudent to try to prevent this sort
> of thing entirely. As it stands, this is a deviation from
> draft-ietf-ipsecme-ikev2-prf-plus. Do we want to keep the customisation
> strings?
I believe this should be aligned with draft-ietf-ipsecme-ikev2-prf-plus: if
the WG thinks that customization strings should be used, then they must be
specified in draft-ietf-ipsecme-ikev2-prf-plus for all classes of
variable-output-size PRFs.

To address the particular case you provided (to distinguish between PRF and
PRF+) it is enough to revert the rule in draft-ietf-ipsecme-ikev2-prf-plus to
always use a single-round prf+ with variable-output-size PRFs (thus, always
append 0x01 in case of prf+).

That said, I can see the value of using customization strings (and I suspect
cryptographers would favor their use for the purpose of domain separation).
My concerns:

- we don't use customization strings for ordinary PRFs and it seems that no
  one cared so far
- as you pointed out, this is more a theoretical issue
- what if some future variable-output-size PRF doesn't allow customization
  strings in its API?

Anyway, I think that this should be specified in
draft-ietf-ipsecme-ikev2-prf-plus and I would ask the IPsec community for
feedback on this.

Regards,
Valery.

[...]

> Best,
> Ben, Adam, and Jonathan
>
>
> OFFICIAL
> -----Original Message-----
> From: [email protected] <[email protected]>
> Sent: 29 January 2026 08:46
> To: [email protected]
> Cc: [email protected]
> Subject: [IPsec] I-D Action: draft-ietf-ipsecme-sha3-01.txt
>
> Internet-Draft draft-ietf-ipsecme-sha3-01.txt is now available. It is a work
> item of the IP Security Maintenance and Extensions (IPSECME) WG of the IETF.
>
>    Title:   Use of SHA-3 in the Internet Key Exchange Protocol Version 2
>             (IKEv2) and IPsec
>    Authors: Ben Salter
>             Adam Raine
>             Jonathan Cruickshanks
>    Name:    draft-ietf-ipsecme-sha3-01.txt
>    Pages:   32
>    Dates:   2026-01-29
>
> Abstract:
>
>    This document specifies the use of KMAC128 and KMAC256 within the
>    Internet Key Exchange Version 2 (IKEv2), Encapsulating Security
>    Payload (ESP), and Authentication Header (AH) protocols.
>    These algorithms can be used as integrity protection algorithms for
>    ESP, AH and IKEv2, and as Pseudo-Random Functions (PRFs) for IKEv2.
>    Requirements for supporting signature algorithms in IKEv2 that use
>    SHA3-256, SHA3-384, SHA3-512, SHAKE128 and SHAKE256 are also
>    specified.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-sha3/
>
> There is also an HTMLized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-sha3-01
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-ipsecme-sha3-01
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
>
> _______________________________________________
> IPsec mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
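An added worked example, not code from draft-ietf-ipsecme-sha3 or from either message above: a pure-Python KMAC128/KMAC256 per NIST SP 800-185 on a small Keccak-f[1600], with the draft's prf and prf+ both modelled as one KMAC call so the SKEYSEED/KEYMAT collision Ben describes, and the effect of a customization string, can be checked directly. The SK_d, g^ir, Ni and Nr values are constructed test data, and the labels passed as S are illustrative placeholders, not the strings the draft defines. It also goes one step beyond the thread: because KMAC encodes the requested output length into its input, a 32-byte request and a 64-byte request on the same inputs are already unrelated, so the collision only arises when the lengths match as well.

```python
"""KMAC128/KMAC256 (NIST SP 800-185) on a pure-Python Keccak-f[1600], used to
show why a customization string matters once prf and prf+ become one KMAC
call. Added example; not code from draft-ietf-ipsecme-sha3."""
import hashlib

MASK64 = (1 << 64) - 1
# Round constants for the iota step of Keccak-f[1600].
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]


def _rol(a, n):
    n %= 64
    return ((a << n) | (a >> (64 - n))) & MASK64


def _keccak_f(state):
    """One Keccak-f[1600] permutation over a 200-byte state (little-endian lanes)."""
    lanes = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little")
              for y in range(5)] for x in range(5)]
    for rnd in range(24):
        # theta
        C = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4] for x in range(5)]
        D = [C[(x - 1) % 5] ^ _rol(C[(x + 1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        # rho and pi, walking the lanes in the standard (x, y) -> (y, 2x+3y) order
        x, y, cur = 1, 0, lanes[1][0]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, lanes[x][y] = lanes[x][y], _rol(cur, (t + 1) * (t + 2) // 2)
        # chi
        for y in range(5):
            T = [lanes[x][y] for x in range(5)]
            for x in range(5):
                lanes[x][y] = T[x] ^ (~T[(x + 1) % 5] & T[(x + 2) % 5])
        # iota
        lanes[0][0] ^= RC[rnd]
    out = bytearray(200)
    for x in range(5):
        for y in range(5):
            out[8 * (x + 5 * y):8 * (x + 5 * y) + 8] = lanes[x][y].to_bytes(8, "little")
    return out


def _sponge(rate, data, suffix, outlen):
    """Keccak sponge with byte rate `rate`, domain-separation suffix and pad10*1."""
    state, off = bytearray(200), 0
    while off + rate <= len(data):              # absorb full blocks
        for i in range(rate):
            state[i] ^= data[off + i]
        state = _keccak_f(state)
        off += rate
    rem = len(data) - off                        # final partial block (may be empty)
    for i in range(rem):
        state[i] ^= data[off + i]
    state[rem] ^= suffix                         # 0x1F for SHAKE, 0x04 for cSHAKE/KMAC
    state[rate - 1] ^= 0x80
    state = _keccak_f(state)
    out = bytearray()
    while len(out) < outlen:                     # squeeze
        out += state[:min(rate, outlen - len(out))]
        if len(out) < outlen:
            state = _keccak_f(state)
    return bytes(out)


# SP 800-185 encodings: lengths are in bits, big-endian, with a length byte.
def _left_encode(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([len(b)]) + b


def _right_encode(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b + bytes([len(b)])


def _encode_string(s):
    return _left_encode(8 * len(s)) + s


def _bytepad(x, w):
    z = _left_encode(w) + x
    return z + bytes(-len(z) % w)


def kmac(strength, key, data, outlen, custom=b""):
    """KMAC128 (strength=128, rate 168) or KMAC256 (strength=256, rate 136).
    `custom` is the customization string S; the output length is bound into the input."""
    rate = 168 if strength == 128 else 136
    header = _bytepad(_encode_string(b"KMAC") + _encode_string(custom), rate)
    body = _bytepad(_encode_string(key), rate) + data + _right_encode(8 * outlen)
    return _sponge(rate, header + body, 0x04, outlen)


def shake128(data, outlen):
    """Plain SHAKE128, kept only to cross-check the permutation against hashlib."""
    return _sponge(168, data, 0x1F, outlen)


def permutation_matches_hashlib(msg=b"cross-check"):
    return shake128(msg, 64) == hashlib.shake_128(msg).digest(64)


# The -01 design as described in the thread: prf and prf+ are both one KMAC call.
def prf(key, data, label=b""):
    return kmac(128, key, data, 32, label)


def prf_plus(key, data, nbytes, label=b""):
    return kmac(128, key, data, nbytes, label)


# Constructed IKEv2-style inputs (not real session values): SK_d, g^ir, Ni, Nr.
SK_D = bytes(range(0x40, 0x60))
G_IR = bytes(range(0x00, 0x20))
NI, NR = b"\xAA" * 16, b"\xBB" * 16
```

Usage: `prf(SK_D, G_IR + NI + NR) == prf_plus(SK_D, G_IR + NI + NR, 32)` is the collision from the thread (same key, same data, same requested length, empty S); passing distinct labels such as `b"example: SKEYSEED"` and `b"example: KEYMAT"` as S (placeholders, not the draft's strings) yields independent outputs, and `prf_plus(..., 64)[:32]` already differs from `prf(...)` because the length is encoded. The KMAC128 known-answer values used in the checks are NIST's published samples (key 0x40..0x5F, data 00 01 02 03, 256-bit output, S empty and S = "My Tagged Application").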
