Last update at http://inet.nttam.com : Mon Aug 7 21:40:39 1995

Abstract -- Simple Key-Management for Internet Protocol (SKIP) Application Technology Track
A4: Security


Simple Key-Management for Internet Protocol (SKIP)

Aziz, Ashar ( ashar.aziz@eng.sun.com)
Patterson, Martin ( martin.patterson@france.sun.com)
Baehr, Geoff ( geoffrey.baehr@eng.sun.com)


Usage of networks has expanded beyond LAN or WAN boundaries to encompass virtual networks of arbitrary size and composition.

At the same time, users are demanding perceived value for their investment in networking technology. This value is being realized through network services, i.e. those applications which deliver information, or analysis of data, across the internetwork.

Three obstacles currently impede the growth of network services: the lack of security, of authentication and of registration for service data. This paper presents a unique approach to network security and authentication; it does not address service registration.

Fundamental to our approach is a philosophy of securing the perimeter of the network and encrypting, at the network layer, all outbound traffic that crosses that perimeter. Working at the network layer means no user intervention, no modification of applications and no revision of the host operating system is required.

A protocol, Simple Key Management for IP (SKIP), has been developed and presented to the IETF Security Working Group. We describe its use of 1024-bit Diffie-Hellman public-key-based authentication algorithms for long-term key set-up and for session and traffic key generation, together with DES-, RC2- and RC4-based traffic encryption. Unique to this protocol are that no unencrypted keying material is ever exchanged over the network, that traffic key generation is pipelined, and that traffic keys are changed on the fly.
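The following is an added worked example, written for this page and not code from Sun's SKIP implementation. It models the three properties the abstract claims: two hosts derive a long-term Diffie-Hellman secret from published public values without exchanging any key-setup messages, every packet carries a fresh traffic key that is itself encrypted under a key derived from that long-term secret, and RC4 (one of the ciphers the abstract names) protects the payload. The 1024-bit prime is the RFC 2409 group 2 modulus; the header layout, the use of MD5 for key derivation, the per-packet counter n, RC4 as the key-wrapping cipher and the HMAC over each packet are assumptions of this example, not details the page states.

```python
"""Toy SKIP-style packet protection (added example; not Sun's SKIP code).

Assumptions not taken from the page: MD5 for key derivation, a per-packet
counter n sent in the clear, RC4 as the key-wrapping cipher, and an HMAC
trailer. Constructed sample traffic is built in demo() below.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

# 1024-bit MODP prime from RFC 2409 (group 2), generator 2. Any group of this
# size that both peers agree on works; this is a convenient published one.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_LEN = 16
TAG_LEN = 16
HDR = struct.Struct(">I")          # per-packet counter n, sent in the clear


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4, one of the traffic ciphers the abstract names. It is a stream
    cipher: a key must never be reused for two different messages."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


class SkipNode:
    def __init__(self) -> None:
        # Long-term DH private value; only g^x mod p is published (e.g. via a
        # directory). No key-setup message is ever sent between the peers.
        self._x = int.from_bytes(os.urandom(128), "big") % (P - 2) + 2
        self.pub = pow(G, self._x, P)
        self._send_ctr = 0
        self._last_seen = {}        # peer public value -> highest n accepted

    def long_term_secret(self, peer_pub: int) -> bytes:
        """Kij = h(g^ij mod p): both sides compute it with zero messages."""
        shared = pow(peer_pub, self._x, P)
        return hashlib.md5(shared.to_bytes(128, "big")).digest()  # hash choice assumed

    def _kek(self, peer_pub: int, n: int) -> bytes:
        # Key-encrypting key for counter n. A per-packet n is an assumption
        # made here because RC4 cannot safely wrap two keys under one KEK.
        return hashlib.md5(self.long_term_secret(peer_pub) + HDR.pack(n)).digest()

    def send(self, peer_pub: int, plaintext: bytes, kp: Optional[bytes] = None) -> bytes:
        """Packet = n || E_KEK(Kp) || E_Kp(plaintext) || MAC. Kp never travels in clear."""
        self._send_ctr += 1
        n = self._send_ctr
        kp = kp if kp is not None else os.urandom(KEY_LEN)  # fresh traffic key per packet
        wrapped = rc4(self._kek(peer_pub, n), kp)
        body = rc4(kp, plaintext)
        msg = HDR.pack(n) + wrapped + body
        # RC4 gives no integrity; authenticate the packet under a key derived from Kp.
        tag = hmac.new(hashlib.md5(b"auth" + kp).digest(), msg, hashlib.md5).digest()
        return msg + tag

    def receive(self, peer_pub: int, packet: bytes) -> Optional[bytes]:
        """Returns the plaintext, or None for a tampered, foreign or replayed packet."""
        if len(packet) < HDR.size + KEY_LEN + TAG_LEN:
            return None
        n, = HDR.unpack_from(packet)
        wrapped = packet[HDR.size:HDR.size + KEY_LEN]
        body = packet[HDR.size + KEY_LEN:-TAG_LEN]
        kp = rc4(self._kek(peer_pub, n), wrapped)            # recover Kp locally
        expect = hmac.new(hashlib.md5(b"auth" + kp).digest(), packet[:-TAG_LEN], hashlib.md5).digest()
        if not hmac.compare_digest(packet[-TAG_LEN:], expect):
            return None                                      # wrong peer or modified
        if n <= self._last_seen.get(peer_pub, 0):
            return None                                      # replayed counter
        self._last_seen[peer_pub] = n
        return rc4(kp, body)


def demo() -> bytes:
    """Constructed sample exchange: host a sends one protected packet to host b."""
    a, b = SkipNode(), SkipNode()
    return b.receive(a.pub, a.send(b.pub, b"constructed sample payload")) or b""
```

Two things to notice when running it: the traffic key Kp passed to send() never appears anywhere in the packet bytes, and a third SkipNode that knows both public values still cannot recover the payload, because it lacks either private value needed for g^ij mod p. The replay and MAC checks are practitioner additions: a design that changes keys on the fly still needs integrity and anti-replay, and RC4 alone provides neither.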

A host-based implementation has been devised, offering remote host-to-network access through authenticated IP tunnels.

We also discuss an implementation in an automated, secure IP-tunnelling packet-screening device, with an analysis of the approach and results of field trials.