Internet Engineering Task Force (IETF)                           G. Zorn
Request for Comments: 6734                                   Network Zen
Category: Standards Track                                          Q. Wu
ISSN: 2070-1721                                                   Huawei
                                                              V. Cakulev
                                                          Alcatel Lucent
                                                            October 2012

Diameter Attribute-Value Pairs for Cryptographic Key Transport

Abstract

Some Authentication, Authorization, and Accounting (AAA) applications require the transport of cryptographic keying material. This document specifies a set of Attribute-Value Pairs (AVPs) providing native Diameter support of cryptographic key delivery.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6734.

Copyright Notice

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
   2. Terminology
      2.1. Requirements Language
      2.2. Technical Terms and Acronyms
   3. Attribute-Value Pair Definitions
      3.1. Key AVP
           3.1.1. Key-Type AVP
           3.1.2. Key-Name AVP
           3.1.3. Keying-Material AVP
           3.1.4. Key-Lifetime AVP
           3.1.5. Key-SPI
   4. Security Considerations
   5. IANA Considerations
      5.1. AVP Codes
      5.2. AVP Values
   6. Acknowledgements
   7. References
      7.1. Normative References
      7.2. Informative References

1. Introduction

The Diameter Extensible Authentication Protocol (EAP) application [RFC4072] defines the EAP-Master-Session-Key and EAP-Key-Name AVPs for the purpose of transporting cryptographic keying material derived during the execution of certain Extensible Authentication Protocol (EAP) [RFC3748] methods (for example, EAP-TLS [RFC5216]). At most one instance of either of these AVPs is allowed in any Diameter message.

However, recent work (see, for example, [RFC5295]) has specified methods to derive other keys from the keying material created during EAP method execution that may require transport in addition to the Master Session Key (MSK). Also, the EAP Re-authentication Protocol (ERP) [RFC6696] specifies new keys that may need to be transported between Diameter nodes.

This document specifies a set of AVPs allowing the transport of multiple cryptographic keys in a single Diameter message.

2. Terminology
2.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

2.2. Technical Terms and Acronyms

DSRK Domain-Specific Root Key [RFC5295].

MSK Master Session Key [RFC3748].

rMSK re-authentication MSK [RFC6696]. This is a per-authenticator key, derived from the rRK (below).

rRK re-authentication Root Key, derived from the Extended Master Session Key (EMSK) [RFC3748] or DSRK [RFC6696].

3. Attribute-Value Pair Definitions

This section defines new AVPs for the transport of cryptographic keys in the Diameter EAP application [RFC4072], as well as other Diameter applications.

3.1. Key AVP

The Key AVP (AVP Code 581) is of type Grouped. It contains the type and keying material and, optionally, an indication of the usable lifetime of the key, the name of the key and a Security Parameter Index (SPI) with which the key is associated.

   Key ::= < AVP Header: 581 >
             < Key-Type >
             { Keying-Material }
             [ Key-Lifetime ]
             [ Key-Name ]
             [ Key-SPI ]
           * [ AVP ]
        
3.1.1. Key-Type AVP

The Key-Type AVP (AVP Code 582) is of type Enumerated. This AVP identifies the type of the key being sent. The following decimal values are defined in this document:

DSRK (0) A Domain-Specific Root Key [RFC5295].

rRK (1) A re-authentication Root Key [RFC6696].

rMSK (2) A re-authentication Master Session Key [RFC6696].

If additional values are needed, they are to be assigned by IANA according to the policy stated in Section 5.2.

3.1.2. Key-Name AVP

The Key-Name AVP (AVP Code 586) is of type OctetString. It contains an opaque key identifier. Exactly how this name is generated and used depends on the key type and usage in question and is beyond the scope of this document (see [RFC5247] and [RFC5295] for discussions of key name generation in the context of EAP).

3.1.3. Keying-Material AVP

The Keying-Material AVP (AVP Code 583) is of type OctetString. The exact usage of this keying material depends upon several factors, including the type of the key and the link layer in use and is beyond the scope of this document.

3.1.4. Key-Lifetime AVP

The Key-Lifetime AVP (AVP Code 584) is of type Unsigned32 and represents the period of time (in seconds) for which the contents of the Keying-Material AVP (Section 3.1.3) is valid.

NOTE: Applications using this value SHOULD consider the beginning of the lifetime to be the point in time when the message containing the keying material is received. In addition, client implementations SHOULD check to ensure that the value is reasonable; for example, the lifetime of a key should not generally be longer than the session lifetime (see Section 8.13 of [RFC6733]).

3.1.5. Key-SPI

The Key-SPI AVP (AVP Code 585) is of type Unsigned32 and contains an SPI value that can be used with other parameters for identifying associated keying material.
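As an added illustration, not part of RFC 6734 itself, the following Python encodes and parses a Key AVP carrying the sub-AVPs defined in Sections 3.1 through 3.1.5, using the AVP header layout of the Diameter base protocol [RFC6733] (code, flags, 3-byte length, data padded to a 4-octet boundary), and applies the reasonableness check from the NOTE in Section 3.1.4 by rejecting a Key-Lifetime longer than the session lifetime. The AVP codes and Key-Type values are those assigned in this document; the session lifetime, keying material and key name used when calling it are constructed sample values.

```python
import struct

# AVP codes assigned by this document (Section 5.1) and Key-Type values (Section 3.1.1)
KEY, KEY_TYPE, KEYING_MATERIAL, KEY_LIFETIME, KEY_SPI, KEY_NAME = 581, 582, 583, 584, 585, 586
KEY_TYPES = {0: "DSRK", 1: "rRK", 2: "rMSK"}

def encode_avp(code, data, flags=0x40):
    """One AVP per RFC 6733: 4-byte code, 1-byte flags (0x40 = M bit), 3-byte length, data padded to 4."""
    length = 8 + len(data)  # length covers header and data, not padding
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)

def encode_key_avp(key_type, material, lifetime=None, name=None, spi=None):
    """Key ::= < Key-Type > { Keying-Material } [ Key-Lifetime ] [ Key-Name ] [ Key-SPI ]"""
    body = encode_avp(KEY_TYPE, struct.pack("!I", key_type)) + encode_avp(KEYING_MATERIAL, material)
    for code, val in ((KEY_LIFETIME, lifetime), (KEY_NAME, name), (KEY_SPI, spi)):
        if val is not None:  # OctetString values are bytes, Unsigned32 values are ints
            body += encode_avp(code, val if isinstance(val, bytes) else struct.pack("!I", val))
    return encode_avp(KEY, body)

def iter_avps(buf):
    """Yield (code, data) for each AVP in buf, rejecting truncated or malformed lengths."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8  # V bit adds a 4-byte Vendor-ID
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length")
        yield code, buf[off + hdr:off + length]
        off += length + (-length % 4)

def decode_key_avp(buf, session_lifetime):
    """Parse one Key AVP and apply the Section 3.1.4 NOTE: reject a lifetime beyond the session's."""
    avps = list(iter_avps(buf))
    if len(avps) != 1 or avps[0][0] != KEY:
        raise ValueError("expected exactly one Key AVP")
    f = dict(iter_avps(avps[0][1]))  # sub-AVP code -> data; unknown *[AVP] entries are ignored
    if KEY_TYPE not in f or KEYING_MATERIAL not in f:
        raise ValueError("Key AVP missing Key-Type or Keying-Material")
    def u32(c):  # optional Unsigned32 sub-AVP
        return struct.unpack("!I", f[c])[0] if c in f else None
    key = {"type": KEY_TYPES.get(u32(KEY_TYPE), "unknown"), "material": f[KEYING_MATERIAL],
           "lifetime": u32(KEY_LIFETIME), "name": f.get(KEY_NAME), "spi": u32(KEY_SPI)}
    if key["lifetime"] is not None and key["lifetime"] > session_lifetime:
        raise ValueError("Key-Lifetime exceeds session lifetime")
    return key
```
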

4. Security Considerations

Transporting keys is a security-sensitive action. Some forms of keying material are already protected and can be sent safely over the open Internet. However, if a Key AVP contains a Keying-Material AVP that is not already protected, then the Diameter messages containing that Key AVP MUST only be sent protected via mutually authenticated TLS or IPsec.

The security considerations applicable to the Diameter base protocol [RFC6733] are also applicable to this document, as are those in Section 8.4 of RFC 4072 [RFC4072].

5. IANA Considerations

IANA has assigned values as described in the following sections.

5.1. AVP Codes

Codes have been assigned for the following AVPs using the policy specified in [RFC6733], Section 11.1.1:

o Key (581, Section 3.1)

o Key-Type (582, Section 3.1.1)

o Keying-Material (583, Section 3.1.3)

o Key-Lifetime (584, Section 3.1.4)

o Key-SPI (585, Section 3.1.5)

o Key-Name (586, Section 3.1.2)

5.2. AVP Values

IANA has created a new registry for values assigned to the Key-Type AVP and populated it with the decimal values defined in this document (Section 3.1.1). New values may be assigned for the Key-Type AVP using the "Specification Required" policy [RFC5226]; once values have been assigned, they MUST NOT be deleted, replaced, or modified.

6. Acknowledgements

Thanks (in no particular order) to Niclas Comstedt, Semyon Mizikovsky, Hannes Tschofenig, Joe Salowey, Tom Taylor, Frank Xia, Lionel Morand, Dan Romascanu, Bernard Aboba, Jouni Korhonen, Stephen Farrel, Joel Halpern, Phillip Hallam-Baker, Sean Turner, and Sebastien Decugis for useful comments, suggestions, and review.

7. References
7.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004.

[RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible Authentication Protocol (EAP) Application", RFC 4072, August 2005.

[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008.

[RFC6733] Fajardo, V., Arkko, J., Loughney, J., and G. Zorn, "Diameter Base Protocol", RFC 6733, October 2012.

7.2. Informative References

[RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS Authentication Protocol", RFC 5216, March 2008.

[RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible Authentication Protocol (EAP) Key Management Framework", RFC 5247, August 2008.

[RFC5295] Salowey, J., Dondeti, L., Narayanan, V., and M. Nakhjiri, "Specification for the Derivation of Root Keys from an Extended Master Session Key (EMSK)", RFC 5295, August 2008.

[RFC6696] Cao, Z., He, B., Shi, Y., Wu, Q., Ed., and G. Zorn, Ed., "EAP Extensions for the EAP Re-authentication Protocol (ERP)", RFC 6696, July 2012.

Authors' Addresses

   Glen Zorn
   Network Zen
   227/358 Thanon Sanphawut
   Bang Na, Bangkok 10260
   Thailand

   Phone: +66 (0) 909-201060
   EMail: glenzorn@gmail.com
        

   Qin Wu
   Huawei Technologies Co., Ltd.
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 21001
   China

   Phone: +86-25-56623633
   EMail: sunseawq@huawei.com
        

   Violeta Cakulev
   Alcatel Lucent
   600 Mountain Ave. 3D-517
   Murray Hill, NJ 07974
   US

   Phone: +1 908 582 3207
   EMail: violeta.cakulev@alcatel-lucent.com
        