[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
draft-ietf-ipsec-ah-md5-00.txt
Network Working Group P Metzger
Internet Draft W A Simpson
expires in six months January 1995
Authentication with Keyed MD5
draft-ietf-ipsec-ah-md5-00.txt
Status of this Memo
This document is a submission to the IP Security Working Group of the
Internet Engineering Task Force (IETF). Comments should be submitted
to the ipsec@ans.net mailing list.
Distribution of this memo is unlimited.
This document is an Internet-Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas,
and its Working Groups. Note that other groups may also distribute
working documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six
months, and may be updated, replaced, or obsoleted by other documents
at any time. It is not appropriate to use Internet Drafts as
reference material, or to cite them other than as a ``working draft''
or ``work in progress.''
To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the internet-drafts Shadow
Directories on:
ftp.is.co.za (Africa)
nic.nordu.net (Europe)
ds.internic.net (US East Coast)
ftp.isi.edu (US West Coast)
munnari.oz.au (Pacific Rim)
Abstract
This document describes the use of MD5 with the IPv4 Authentication
Header.
Troublemakers expires in six months [Page 1]
DRAFT AH MD5 January 1995
1. Introduction
The Authentication Header (AH) [RAah] provides integrity and
authentication for IP datagrams. This specification describes the AH
use of Message Digest 5 (MD5) [RFC-1321].
A 128-bit digest is calculated over the invariant portions of the
entire IP datagram and the result is included in the Authentication
Data field of the Authentication Header.
Implementations that claim conformance or compliance with the
Authentication Header specification MUST implement the MD5 mechanism.
Implementors should consult the most recent version of the IAB
Standards [RFC-1610] for further guidance on the status of this
document.
1.1. Keys
The secret authentication key shared between the communicating
parties MUST be 128 bits long. The key SHOULD be a pseudo-random
number, not a guessable string of any sort.
1.2. Data Size
Because MD5's 128-bit output is naturally 64-bit aligned, there is no
wasted space in the Authentication Data field.
1.3. Performance
MD5 reportedly has a throughput of about 60 Mbps on a fast 64-bit
RISC processor with slightly tuned MD5 code [Touch94].
Nota Bene: This is possibly too slow to be used for a long period
of time. Suggestions are sought on alternative authentication
algorithms that would be acceptable to the IETF, have
significantly faster throughput, are not patent-encumbered, and
still retain adequate cryptographic strength.
Troublemakers expires in six months [Page 1]
DRAFT AH MD5 January 1995
2. Calculation
The 128-bit digest is calculated as described in [RFC-1321]. The
specification of MD5 includes a portable 'C' programming language
description of the MD5 algorithm.
The "b-bit message" shall consist of the 128-bit secret
authentication key concatenated with (followed by) the entire IP
datagram. All IP headers and payloads that are present MUST be
included in the computation, with header fields whose value varies in
transit (such as Hop Count) being assumed to contain zeros for the
purpose of the authentication calculation. Also, the Authentication
Data field of the Authentication Header is considered to contain all
zeros.
Security Considerations
Users need to understand that the quality of the security provided by
this specification depends completely on the strength of the MD5 hash
function, the correctness of that algorithm's implementation, the
security of the key management mechanism and its implementation, the
strength of the key [CN94], and upon the correctness of the
implementations in all of the participating systems.
At the time of writing of this document, it is known to be possible
to produce collisions in the compression function of MD5 [BdB93].
There is not yet a known method to exploit these collisions to attack
MD5 in practice, but this fact is disturbing to some authors
[Schneier94].
It has also recently been determined [OW94] that it is possible to
build a machine for $10 Million that could find messages that hash to
an arbitrary given MD5 hash. This attack requires approximately 24
days. Although this is not a substantial weakness for most IP
security applications, it should be recognized that current
technology is catching up to the 128 bit hash length used by MD5.
Applications requiring extremely high levels of security may wish to
move in the near future to algorithms with longer hash lengths.
Acknowledgements
The original text of this specification was derived from work by Ran
Atkinson for the SIP, SIPP, and IPv6 Working Groups.
Troublemakers expires in six months [Page 2]
DRAFT AH MD5 January 1995
The use of MD5 for authentication is closely modeled on the work done
for SNMPv2 [RFC-1446].
References
[CN94] John M. Carroll & Sri Nudiati, "On Weak Keys and Weak Data:
Foiling the Two Nemeses", Cryptologia, Vol. 18 No. 23 pp.
253-280, July 1994.
[BdB93] B. den Boer and A. Bosselaers, "Collisions for the
Compression function of MD5", Advances in Cryptology --
Eurocrypt '93 Proceedings, Berlin: Springer-Verlag 1994
[RAah] Randall Atkinson, "IPv6 Authentication Header", work in
progress, 4 November 1994.
[RFC-1321]
Ronald Rivest, MD5 Digest Algorithm, RFC-1321, DDN Network
Information Center, April 1992.
[RFC-1446]
James Galvin & Keith McCloghrie, Security Protocols for
version 2 of the Simple Network Management Protocol
(SNMPv2), RFC-1446, DDN Network Information Center, April
1993.
[RFC-1610]
Postel, J., "Internet Official Protocol Standards", STD 1,
RFC 1610, USC/Information Sciences Institute, July 1994.
[RFC-1700]
Reynolds, J., and Postel, J., "Assigned Numbers", STD 2, RFC
1700, USC/Information Sciences Institute, October 1994.
[OW94] Paul C. van Oorschot & Michael J. Wiener, Unpublished Crypto
'94 Rump Session.
[Schneier94]
Schneier, B., "Applied Cryptography", John Wiley & Sons, New
York, NY, 1994. ISBN 0-471-59756-2
[Touch94]
Touch, J., "Report on MD5 Performance", work in progress,
December 1994.
Troublemakers expires in six months [Page 3]
DRAFT AH MD5 January 1995
Author's Address
Questions about this memo can also be directed to:
Randall Atkinson
Information Technology Division
Naval Research Laboratory
Washington,
DC 20375-5320
USA
Telephone: (DSN) 354-8590
Fax: (DSN) 354-7942
<atkinson@itd.nrl.navy.mil>
Perry Metzger
Piermont Information Systems Inc.
160 Cabrini Blvd., Suite #2
New York, NY 10033
perry@piermont.com
William Allen Simpson
Daydreamer
Computer Systems Consulting Services
1384 Fontaine
Madison Heights, Michigan 48071
Bill.Simpson@um.cc.umich.edu
bsimpson@MorningStar.com
Troublemakers expires in six months [Page 4]
DRAFT AH MD5 January 1995
Table of Contents
1. Introduction .......................................... 1
1.1 Keys ............................................ 1
1.2 Data Size ....................................... 1
1.3 Performance ..................................... 1
2. Calculation ........................................... 2
SECURITY CONSIDERATIONS ...................................... 2
ACKNOWLEDGEMENTS ............................................. 2
REFERENCES ................................................... 3
AUTHOR'S ADDRESS ............................................. 4