Project

General

Profile

Edit History

strongSwan User Documentation » strongSwan plugins »

NTRU » History » Version 6

Andreas Steffen, 02.03.2014 12:15
Added NTRU configuration section

1 1 Andreas Steffen 
h1. NTRU
2 1 Andreas Steffen 





    3
    6
    Andreas Steffen
    
NTRU is a lattice-based post-quantum encryption algorithm owned by "Security Innovation":https://www.securityinnovation.com/products/encryption-libraries/ntru-cryptography.html. Our implementation of the ntru plugin has been derived from the "ntru-crypto":https://github.com/NTRUOpenSourceProject/ntru-crypto C source code made available by Security Innovations under the GNU GPLv2 open source license. NTRU has been standardized by *IEEE Std 1363.1-2008* and *ANSI X9.98-2010*.





    4
    3
    Andreas Steffen
    





    5
    6
    Andreas Steffen
    
h2. NTRU Encryption used in IKE Key Exchange





    6
    1
    Andreas Steffen
    





    7
    6
    Andreas Steffen
    
The strongSwan *ntru* plugin uses NTRU encryption as an IKE key exchange algorithm in the following way:





    8
    6
    Andreas Steffen
    





    9
    3
    Andreas Steffen
    
 * The IKE initiator generates a random NTRU public/private key pair for the specified security strength.





    10
    3
    Andreas Steffen
    





    11
    3
    Andreas Steffen
    
 * The IKE initiator sends the NTRU public key in the KEi payload to the IKE responder.





    12
    3
    Andreas Steffen
    





    13
    4
    Andreas Steffen
    
 * The IKE responder generates a random secret _s_ with a size of twice the security strength and encrypts it with the NTRU public key.





    14
    3
    Andreas Steffen
    





    15
    3
    Andreas Steffen
    
 * The IKE responder sends the encrypted secret in the KEr payload to the IKE initiator





    16
    3
    Andreas Steffen
    





    17
    4
    Andreas Steffen
    
 * The IKE initiator decrypts the KEr payload using the NTRU private key and extracts the secret _s_.





    18
    1
    Andreas Steffen
    





    19
    4
    Andreas Steffen
    
 * With IKEv2 both initiator and responder use the secret _s_ to compute





    20
    4
    Andreas Steffen
    
<pre>





    21
    4
    Andreas Steffen
    
SKEYSEED = prf(Ni | Nr, s)





    22
    4
    Andreas Steffen
    
</pre>





    23
    4
    Andreas Steffen
    





    24
    5
    Andreas Steffen
    
 * With IKEv1 both initiator and responder use the secret _s_ to compute





    25
    4
    Andreas Steffen
    
<pre>





    26
    4
    Andreas Steffen
    
SKEYID = prf(Ni_b | Nr_b, s)               # for authby=pubkey i.e. public key signatures





    27
    4
    Andreas Steffen
    
SKEYID = prf(pre-shared-key, Ni_b | Nr_b)  # for authby=psk, i.e. pre-shared keys





    28
    4
    Andreas Steffen
    





    29
    4
    Andreas Steffen
    
SKEYID_d = prf(SKEYID, s | CKY-I | CKY-R | 0)





    30
    1
    Andreas Steffen
    
SKEYID_a = prf(SKEYID, SKEYID_d | s | CKY-I | CKY-R | 1)





    31
    1
    Andreas Steffen
    
SKEYID_e = prf(SKEYID, SKEYID_a | s | CKY-I | CKY-R | 2)





    32
    6
    Andreas Steffen
    
</pre> 





    33
    6
    Andreas Steffen
    





    34
    6
    Andreas Steffen
    
h2. Configuration Options





    35
    6
    Andreas Steffen
    





    36
    6
    Andreas Steffen
    
NTRU parameter sets are defined for security strengths of 112, 128, 192 and 256 bits. strongSwan defines the following key exchange algorithm keywords for NTRU:





    37
    6
    Andreas Steffen
    





    38
    6
    Andreas Steffen
    
|Keyword    |DH Group |Strength   |





    39
    6
    Andreas Steffen
    
|*ntru112*  |=. 1030  |>.112 bits |





    40
    6
    Andreas Steffen
    
|*ntru128*  |=. 1031  |>.128 bits |





    41
    6
    Andreas Steffen
    
|*ntru192*  |=. 1032  |>.192 bits |





    42
    6
    Andreas Steffen
    
|*ntru256*  |=. 1033  |>.256 bits |





    43
    6
    Andreas Steffen
    





    44
    6
    Andreas Steffen
    
Thus an example IKE algorithm definition in _/etc/ipsec.conf_ for a security strength of 128 bits is





    45
    6
    Andreas Steffen
    
<pre>





    46
    6
    Andreas Steffen
    
ike=aes128-sha256-ntru128





    47
    1
    Andreas Steffen
    
</pre>





    48
    6
    Andreas Steffen
    
or for a security strength of 192 bits





    49
    6
    Andreas Steffen
    
<pre>





    50
    6
    Andreas Steffen
    
ike=aes192-sha384-ntru192





    51
    6
    Andreas Steffen
    
</pre>





    52
    6
    Andreas Steffen
    
and for a security strength of 256 bits





    53
    6
    Andreas Steffen
    
<pre>





    54
    6
    Andreas Steffen
    
ike=aes256-sha512-ntru256





    55
    6
    Andreas Steffen
    
</pre>





    56
    6
    Andreas Steffen
    





    57
    6
    Andreas Steffen
    
Since the Diffie-Hellman Group Transform IDs 1030..1033 selected by the strongSwan project to designate the four NTRU key exchange strengths are taken from the private-use range, the strongSwan vendor ID *must* be sent by the charon daemon. This can be enabled by the following statement in /etc/strongswan.conf:





    58
    6
    Andreas Steffen
    
<pre>





    59
    6
    Andreas Steffen
    
charon {





    60
    6
    Andreas Steffen
    
  send_vendor_id = yes





    61
    6
    Andreas Steffen
    
}





    62
    6
    Andreas Steffen
    
</pre>