Network Working Group Request for Comments: 2085 Category: Standards Track NIST February HMAC-MD5 IP Authentication with Replay Prevention

Similar documents
Network Working Group. Category: Standards Track NIST November 1998

Network Working Group Request for Comments: 2202 Category: Informational NIST September 1997

Request for Comments: 3566 Category: Standards Track Intel September The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec

Request for Comments: 1828 Category: Standards Track Daydreamer August 1995

Network Working Group Request for Comments: 1829 Category: Standards Track Piermont W. Simpson Daydreamer August 1995

Network Working Group. Category: Informational February 1997

Network Working Group Request for Comments: 2059 Category: Informational January 1997

Request for Comments: Obsoletes: 2095 September IMAP/POP AUTHorize Extension for Simple Challenge/Response

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

IPSec. Overview. Overview. Levente Buttyán

Lecture 12 Page 1. Lecture 12 Page 3

Data Integrity & Authentication. Message Authentication Codes (MACs)

The IPsec protocols. Overview

Network Working Group. Category: Standards Track NIST May Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec

Lecture 13 Page 1. Lecture 13 Page 3

Request for Comments: 1552 Category: Standards Track December The PPP Internetwork Packet Exchange Control Protocol (IPXCP)

Network Working Group Request for Comments: October 1996

Data Integrity & Authentication. Message Authentication Codes (MACs)

CSCE 715: Network Systems Security

Network Working Group. Category: Informational DayDreamer August 1996

Internet Engineering Task Force (IETF) Request for Comments: Category: Informational ISSN: March 2011

Network Working Group Request for Comments: DayDreamer March 1999

CSCE 715: Network Systems Security

Cryptography. Summer Term 2010

User Authentication in an Internet Protocol

Request for Comments: 2420 Category: Standards Track September The PPP Triple-DES Encryption Protocol (3DESE)

Network Working Group. Category: Standards Track September The SRP Authentication and Key Exchange System

CSC 6575: Internet Security Fall 2017

Network Working Group. Category: Standards Track January 2006

Lecture 1 Applied Cryptography (Part 1)

Message Authentication and Hash function 2

IP Security. Cunsheng Ding HKUST, Kong Kong, China

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Category: Informational Stac Technology August 1996

IP Security. Have a range of application specific security mechanisms

Network Working Group Request for Comments: 2043 Category: Standards Track October 1996

Category: Standards Track Sun Microsystems Laboratories November 2000

Category: Informational May Use of Hash Algorithms in Internet Key Exchange (IKE) and IPsec

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

Network Working Group. Extreme Networks July Intermediate System to Intermediate System (IS-IS) Cryptographic Authentication

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Updates: 2453 Category: Standards Track February RIPv2 Cryptographic Authentication. Status of This Memo

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Message Authentication with MD5 *

Network Working Group Request for Comments: December 2004

INTERNET-DRAFT IP Version 6 over PPP February Table of Contents. 1. Introduction Specification of Requirements...

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Network Working Group Request for Comments: November 1998

Network Working Group Request for Comments: 2866 Category: Informational June 2000 Obsoletes: 2139

Lecture 4: Hashes and Message Digests,

COSC4377. Chapter 8 roadmap

Request for Comments: August PPP for Data Compression in Data Circuit-Terminating Equipment (DCE)

The Keyed-Hash Message Authentication Code (HMAC)

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

Network Working Group Request for Comments: 4869 Category: Informational May Suite B Cryptographic Suites for IPsec. Status of This Memo

Spring 2010: CS419 Computer Security

Message Authentication Codes and Cryptographic Hash Functions

Point-to-Point Extensions Working Group Internet Draft April EAP SIM Authentication (Version 1) draft-haverinen-pppext-eap-sim-01.

8. Network Layer Contents

Cryptography and Network Security

Data Integrity. Modified by: Dr. Ramzi Saifan

S. Erfani, ECE Dept., University of Windsor Network Security

[MS-WDSMSI]: Windows Deployment Services Multicast Session Initiation Protocol

RSVP Cryptographic Authentication draft-ietf-rsvp-md5-04.txt

CSE509: (Intro to) Systems Security

Request for Comments: 2230 Category: Informational November 1997

Cryptography and Network Security. Sixth Edition by William Stallings

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Cryptographic Hash Functions

Category: Informational Alcatel January 2006

Internet Engineering Task Force (IETF) ISSN: January Suite B Profile for Transport Layer Security (TLS)

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

Network Working Group

[MS-SSRTP]: Scale Secure Real-time Transport Protocol (SSRTP) Extensions

Network Working Group Request for Comments: 3446 Category: Informational H. Kilmer D. Farinacci Procket Networks January 2003

Expiration Date: August 2003 February Access Control Prefix Router Advertisement Option for IPv6 draft-bellovin-ipv6-accessprefix-01.

Virtual Private Networks

Chapter 5: Network Layer Security

IPsec Working Group. Expires January 2003 July IP Authentication Header draft-ietf-ipsec-rfc2402bis-01.txt. Status of This Memo

Chapter 11 The IPSec Security Architecture for the Internet Protocol

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Experimenting Security Algorithms for the IEC based Substation Communication

The tactical Intranet IPSec security concept

Internet security and privacy

Network Working Group Request for Comments: 4432 March 2006 Category: Standards Track

[MS-WINSRA]: Windows Internet Naming Service (WINS) Replication and Autodiscovery Protocol

e-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Hash Algorithm Module No: CS/CNS/28 Quadrant 1 e-text

Merit Network, Incorporated Bernard Aboba Microsoft March 1997

Updates: 6126 (if approved) March 21, 2014 Intended status: Experimental Expires: September 22, 2014

The IPSec Security Architecture for the Internet Protocol

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Cryptographic Hash Functions. William R. Speirs

05 - WLAN Encryption and Data Integrity Protocols

Network Working Group Request for Comments: 1115 IAB Privacy Task Force August 1989

Reflections on Security Options for the Real-time Transport Protocol Framework. Colin Perkins

Transcription:

Network Working Group Request for Comments: 2085 Category: Standards Track M. Oehler NSA R. Glenn NIST February 1997 Status of This Memo HMAC-MD5 IP Authentication with Replay Prevention This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Abstract This document describes a keyed-md5 transform to be used in conjunction with the IP Authentication Header [RFC-1826]. The particular transform is based on [HMAC-MD5]. An option is also specified to guard against replay attacks. Table of Contents 1. Introduction...1 1.1 Terminology...2 1.2 Keys...2 1.3 Data Size...3 2. Packet Format...3 2.1 Replay Prevention...4 2.2 Authentication Data Calculation...4 3. Security Considerations...5 Acknowledgments...5 References...6 Authors Addresses...6 1. Introduction The Authentication Header (AH) [RFC-1826] provides integrity and authentication for IP datagrams. The transform specified in this document uses a keyed-md5 mechanism [HMAC-MD5]. The mechanism uses the (key-less) MD5 hash function [RFC-1321] which produces a message digest. When combined with an AH Key, authentication data is produced. This value is placed in the Authentication Data field of the AH [RFC-1826]. This value is also the basis for the data integrity service offered by the AH protocol. Oehler & Glenn Standards Track [Page 1]

To provide protection against replay attacks, a Replay Prevention field is included as a transform option. This field is used to help prevent attacks in which a message is stored and re-used later, replacing or repeating the original. The Security Parameters Index (SPI) [RFC-1825] is used to determine whether this option is included in the AH. Familiarity with the following documents is assumed: "Security Architecture for the Internet Protocol" [RFC-1825], "IP Authentication Header" [RFC-1826], and "HMAC-MD5: Keyed-MD5 for Message Authentication" [HMAC-MD5]. All implementations that claim conformance or compliance with the IP Authentication Header specification [RFC-1826] MUST implement this HMAC-MD5 transform. 1.1 Terminology In this document, the words that are used to define the significance of each particular requirement are usually capitalized. These words are: - MUST This word or the adjective "REQUIRED" means that the item is an absolute requirement of the specification. - SHOULD This word or the adjective "RECOMMENDED" means that there might exist valid reasons in particular circumstances to ignore this item, but the full implications should be understood and the case carefully weighed before taking a different course. 1.2 Keys The "AH Key" is used as a shared secret between two communicating parties. The Key is not a "cryptographic key" as used in a traditional sense. Instead, the AH key (shared secret) is hashed with the transmitted data and thus, assures that an intervening party cannot duplicate the authentication data. Even though an AH key is not a cryptographic key, the rudimentary concerns of cryptographic keys still apply. Consider that the algorithm and most of the data used to produce the output is known. The strength of the transform lies in the singular mapping of the key (which needs to be strong) and the IP datagram (which is known) to the authentication data. Thus, implementations should, and as Oehler & Glenn Standards Track [Page 2]

frequently as possible, change the AH key. Keys need to be chosen at random, or generated using a cryptographically strong pseudo-random generator seeded with a random seed. [HMAC-MD5] All conforming and compliant implementations MUST support a key length of 128 bits or less. Implementations SHOULD support longer key lengths as well. It is advised that the key length be chosen to be the length of the hash output, which is 128 bits for MD5. For other key lengths the following concerns MUST be considered. A key length of zero is prohibited and implementations MUST prevent key lengths of zero from being used with this transform, since no effective authentication could be provided by a zero-length key. Keys having a length less than 128 bits are strongly discouraged as it would decrease the security strength of the function. Keys longer than 128 bits are acceptable, but the extra length may not significantly increase the function strength. A longer key may be advisable if the randomness of the key is suspect. MD5 operates on 64-byte blocks. Keys longer than 64-bytes are first hashed using MD5. The resulting hash is then used to calculate the authentication data. 1.3 Data Size MD5 produces a 128-bit value which is used as the authentication data. It is naturally 64 bit aligned and thus, does not need any padding for machines with native double words. 2. Packet Format Next Header Length RESERVED SPI Replay Prevention + Authentication Data 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 The Next Header, RESERVED, and SPI fields are specified in [RFC- 1826]. The Length field is the length of the Replay Prevention field and the Authentication Data in 32-bit words. Oehler & Glenn Standards Track [Page 3]

2.1 Replay Prevention The Replay Prevention field is a 64-bit value used to guarantee that each packet exchanged between two parties is different. Each IPsec Security Association specifies whether Replay Prevention is used for that Security Association. If Replay Prevention is NOT in use, then the Authentication Data field will directly follow the SPI field. The 64-bit field is an up counter starting at a value of 1. The secret shared key must not be used for a period of time that allows the counter to wrap, that is, to transmit more than 2^64 packets using a single key. Upon receipt, the replay value is assured to be increasing. The implementation may accept out of order packets. The number of packets to accept out of order is an implementation detail. If an "out of order window" is supported, the implementation shall ensure that any and all packets accepted out of order are guaranteed not to have arrived before. That is, the implementation will accept any packet at most once. When the destination address is a multicast address, replay protection is in use, and more than one sender is sharing the same IPsec Security Association to that multicast destination address, then Replay Protection SHOULD NOT be enabled. When replay protection is desired for a multicast session having multiple senders to the same multicast destination address, each sender SHOULD have its own IPsec Security Association. [ESP-DES-MD5] provides example code that implements a 32 packet replay window and a test routine to show how it works. 2.2 Authentication Data Calculation The authentication data is the output of the authentication algorithm (MD5). This value is calculated over the entire IP datagram. Fields within the datagram that are variant during transit and the authentication data field itself, must contain all zeros prior to the computation [RFC-1826]. The Replay Prevention field if present, is included in the calculation. The definition and reference implementation of MD5 appears in [RFC- 1321]. Let text denote the data to which HMAC-MD5 is to be applied and K be the message authentication secret key shared by the parties. If K is longer than 64-bytes it MUST first be hashed using MD5. In this case, K is the resulting hash. Oehler & Glenn Standards Track [Page 4]

We define two fixed and different strings ipad and opad as follows (the i and o are mnemonics for inner and outer): ipad = the byte 0x36 repeated 64 times opad = the byte 0x5C repeated 64 times. To compute HMAC-MD5 over the data text we perform MD5(K XOR opad, MD5(K XOR ipad, text)) Namely, (1) append zeros to the end of K to create a 64 byte string (e.g., if K is of length 16 bytes it will be appended with 48 zero bytes 0x00) (2) XOR (bitwise exclusive-or) the 64 byte string computed in step (1) with ipad (3) append the data stream text to the 64 byte string resulting from step (2) (4) apply MD5 to the stream generated in step (3) (5) XOR (bitwise exclusive-or) the 64 byte string computed in step (1) with opad (6) append the MD5 result from step (4) to the 64 byte string resulting from step (5) (7) apply MD5 to the stream generated in step (6) and output the result This computation is described in more detail, along with example code and performance improvements, in [HMAC-MD5]. Implementers should consult [HMAC-MD5] for more information on this technique for keying a cryptographic hash function. 3. Security Considerations The security provided by this transform is based on the strength of MD5, the correctness of the algorithm s implementation, the security of the key management mechanism and its implementation, the strength of the associated secret key, and upon the correctness of the implementations in all of the participating systems. [HMAC-MD5] contains a detailed discussion on the strengths and weaknesses of MD5. Acknowledgments This document is largely based on text written by Hugo Krawczyk. The format used was derived from work by William Simpson and Perry Metzger. The text on replay prevention is derived directly from work by Jim Hughes. Oehler & Glenn Standards Track [Page 5]

References [RFC-1825] [RFC-1826] [RFC-1828] [RFC-1321] [HMAC-MD5] Atkinson, R., "Security Architecture for the Internet Protocol", RFC 1852, Naval Research Laboratory, July 1995. Atkinson, R., "IP Authentication Header", RFC 1826, August 1995. Metzger, P., and W. Simpson, "IP Authentication using Keyed MD5", RFC 1828, August 1995. Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992. Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997. [ESP-DES-MD5] Hughes, J., "Combined DES-CBC, MD5, and Replay Prevention Security Transform", Work in Progress. Authors Addresses Michael J. Oehler National Security Agency Atn: R23, INFOSEC Research and Development 9800 Savage Road Fort Meade, MD 20755 EMail: mjo@tycho.ncsc.mil Robert Glenn NIST Building 820, Room 455 Gaithersburg, MD 20899 EMail: rob.glenn@nist.gov Oehler & Glenn Standards Track [Page 6]

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback