draft-ietf-ipsec-ciph-sha-256
Internet Draft IPsec Working Group
November 2001 S. Frankel, NIST
Expiration Date: May 2002 S. Kelly, SonicWALL
The HMAC-SHA-256-96 Algorithm and Its Use With IPsec
<draft-ietf-ipsec-ciph-sha-256-00.txt>
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC 2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Drafts Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This document is a submission to the IETF Internet Protocol Security
(IPsec) Working Group. Comments are solicited and should be addressed
to the working group mailing list (ipsec@lists.tislabs.com) or to the
editors.
Distribution of this memo is unlimited.
Frankel,Kelly [Page 1]
INTERNET DRAFT <draft-ietf-ipsec-ciph-sha-256-00.txt> November 2001
Table of Contents
1. Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Specification of Requirements . . . . . . . . . . . . . . . . . 3
3. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. The HMAC-SHA-256-96 Algorithm . . . . . . . . . . . . . . . . . 3
4.1 Keying Material . . . . . . . . . . . . . . . . . . . . . . 4
4.2 Padding . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.3 Truncation . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.4 Interaction with the ESP Cipher Mechanism . . . . . . . . . 5
4.5 Performance . . . . . . . . . . . . . . . . . . . . . . . . 5
4.6 Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . 5
5. IKE Interactions . . . . . . . . . . . . . . . . . . . . . . . . 5
5.1 Phase 1 Identifier . . . . . . . . . . . . . . . . . . . . . 5
5.2 Phase 2 Identifier . . . . . . . . . . . . . . . . . . . . . 5
6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
8. Intellectual Property Rights Statement . . . . . . . . . . . . . 6
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
11. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
12. Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 8
1. Abstract
This document describes the use of the HMAC algorithm in conjunction
with the SHA-256 algorithm as an authentication mechanism within the
context of the IPsec Authentication Header and the IPsec Encapsulat-
ing Security Payload. HMAC with SHA-256 provides data origin authen-
tication and integrity protection. This version of the HMAC-SHA-256
authenticator specifies truncation to 96 bits, and is therefore named
HMAC-SHA-256-96.
2. Specification of Requirements
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" that
appear in this document are to be interpreted as described in
[RFC-2119].
3. Introduction
This document specifies the use of SHA-256 [SHA2-1] combined with
HMAC [HMAC] as a keyed authentication mechanism within the context of
the Encapsulating Security Payload [ESP] and the Authentication Head-
er [AH]. This algorithm is named HMAC-SHA-256-96. For further in-
formation on ESP, refer to [ESP] and [ROADMAP]. For further informa-
tion on AH, refer to [AH] and [ROADMAP].
Using the SHA-256 hash function, with its increased block size (512
bits) and increased hash length (256 bits), provides the new
algorithm with the ability to withstand continuing advances in
cryptanalytic techniques and computational capability. It also allows
less frequent re-keying, which is useful for high-speed networks and
high-volume applications.
The goal of HMAC-SHA-256-96 is to ensure that the packet is authentic
and cannot be modified in transit. Data integrity and data origin
authentication as provided by HMAC-SHA-256-96 are dependent upon the
scope of the distribution of the secret key. If the key is known only
by the source and destination, this algorithm will provide both data
origin authentication and data integrity for packets sent between the
two parties. In addition, only a party with the identical key can
verify the hash.
4. The HMAC-SHA-256-96 Algorithm
[SHA2-1] and [SHA2-2] describe the underlying SHA-256 algorithm,
while [HMAC] describes the HMAC algorithm. The HMAC algorithm pro-
vides a framework for inserting various hashing algorithms such as
SHA-256.
The following sections contain descriptions of the various character-
istics and requirements of the HMAC-SHA-256-96 algorithm.
4.1 Keying Material
HMAC-SHA-256-96 is a secret key algorithm. While no fixed key length
is specified in [HMAC], for use with either ESP or AH a fixed key
length of 256 bits MUST be supported. Key lengths other than 256
bits MUST NOT be supported (i.e., only 256-bit keys are to be used by
HMAC-SHA-256-96). A key length of 256 bits was chosen based on the
recommendations in [HMAC] (i.e., key lengths less than the
authenticator length decrease security strength, and keys longer than
the authenticator length do not significantly increase security
strength).
[HMAC] discusses requirements for key material, which includes a dis-
cussion on requirements for strong randomness. A strong pseudo-random
function MUST be used to generate the required 256-bit key.
At the time of this writing there are no specified weak keys for use
with HMAC. This is not meant to imply that weak keys do not exist.
If, at some point, a set of weak keys for HMAC are identified, the
use of these weak keys MUST be rejected followed by a request for re-
placement keys or a newly negotiated Security Association.
[ARCH] describes the general mechanism for obtaining keying material
when multiple keys are required for a single SA (e.g. when an ESP SA
requires a key for confidentiality and a key for authentication).
In order to provide data origin authentication, the key distribution
mechanism must ensure that unique keys are allocated and that they
are distributed only to the parties participating in the communica-
tion.
[HMAC] makes the following recommendation with regard to rekeying.
Current attacks do not necessitate a specific recommended frequency
for key changes. However, periodic key refreshment is a fundamental
security practice that helps against potential weaknesses of the
function and the keys, reduces the information available to a crypt-
analyst, and limits the damage resulting from a compromised key.
4.2 Padding
HMAC-SHA-256-96 operates on 512-bit blocks of data. Padding require-
ments are specified in [SHA2-1] and are part of the SHA-256 algo-
rithm. If you build SHA-256 according to [SHA2-1] you do not need to
add any additional padding as far as HMAC-SHA-256-96 is concerned.
With regard to "implicit packet padding" as defined in [AH], no im-
plicit packet padding is required.
4.3 Truncation
HMAC-SHA-256-96 produces a 256-bit authenticator value. This 256-bit
value can be truncated as described in [HMAC]. For use with either
ESP or AH, a truncated value using the first 96 bits MUST be support-
ed. Upon sending, the truncated value is stored within the authenti-
cator field. Upon receipt, the entire 256-bit value is computed and
the first 96 bits are compared to the value stored in the authentica-
tor field. No other authenticator value lengths are supported by
HMAC-SHA-256-96.
The length of 96 bits was selected because it is the default authen-
ticator length as specified in [AH] and meets the security require-
ments described in [HMAC]. [HMAC] discusses the potential additional
security which is provided by the truncation of the resulting hash.
Specifications which include HMAC are strongly encouraged to perform
this hash truncation.
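The following is an added example (not part of this draft, whose own test vectors in section 4.6 are still TBD) that implements the rules of sections 4.1 and 4.3 in Python: the sender keeps only the first 96 bits of the full HMAC-SHA-256 output, the receiver recomputes all 256 bits and compares the leading 96 bits in constant time, and any key whose length is not 256 bits is rejected. SAMPLE_KEY and SAMPLE_DATA are constructed values for the demonstration, not values from the draft.

```python
import hmac
import hashlib

KEY_BITS = 256                  # the only key length permitted (section 4.1)
TRUNC_BITS = 96                 # authenticator length carried in the packet (section 4.3)
TRUNC_BYTES = TRUNC_BITS // 8   # 12 bytes


def hmac_sha256_full(key: bytes, data: bytes) -> bytes:
    """Full 256-bit HMAC-SHA-256 over data; any key that is not 256 bits is rejected."""
    if len(key) * 8 != KEY_BITS:
        raise ValueError(f"HMAC-SHA-256-96 requires a {KEY_BITS}-bit key, got {len(key) * 8} bits")
    return hmac.new(key, data, hashlib.sha256).digest()


def make_authenticator(key: bytes, data: bytes) -> bytes:
    """Sender side: compute the full MAC and store only its first 96 bits."""
    return hmac_sha256_full(key, data)[:TRUNC_BYTES]


def verify_authenticator(key: bytes, data: bytes, received: bytes) -> bool:
    """Receiver side: recompute all 256 bits, compare the leading 96 bits in constant time."""
    if len(received) != TRUNC_BYTES:
        return False            # no other authenticator lengths are supported
    expected = hmac_sha256_full(key, data)[:TRUNC_BYTES]
    return hmac.compare_digest(expected, received)


# Constructed sample values for the demo (not test vectors from the draft).
SAMPLE_KEY = bytes(range(32))                               # 256-bit key
SAMPLE_DATA = b"constructed AH/ESP data covered by the authenticator"

if __name__ == "__main__":
    tag = make_authenticator(SAMPLE_KEY, SAMPLE_DATA)
    print(f"authenticator ({len(tag) * 8} bits): {tag.hex()}")
    print("valid   :", verify_authenticator(SAMPLE_KEY, SAMPLE_DATA, tag))
    print("tampered:", verify_authenticator(SAMPLE_KEY, SAMPLE_DATA + b"x", tag))
```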
4.4 Interaction with the ESP Cipher Mechanism
As of this writing, there are no known issues which preclude the use
of the HMAC-SHA-256-96 with any specific cipher algorithm.
4.5 Performance
[HASH] states that "(HMAC) performance is essentially that of the un-
derlying hash function". As of this writing no detailed performance
analysis has been done of SHA-256, HMAC or HMAC combined with
SHA-256.
[HMAC] outlines an implementation modification which can improve per-
packet performance without affecting interoperability.
4.6 Test Vectors
TBD
5. IKE Interactions
5.1 Phase 1 Identifier
For Phase 1 negotiations, IANA has assigned a Hash Algorithm ID of 4
for SHA2-256.
For further information on the use of Hash Algorithm IDs within IKE,
see [IKE].
5.2 Phase 2 Identifier
For Phase 2 negotiations, IANA has assigned an AH Transform Identifi-
er of 5 for AH_SHA2-256.
For Phase 2 negotiations, IANA has assigned an AH/ESP Authentication
Attribute Value of 5 for HMAC-SHA2-256.
For further information on the use of Transform Identifiers and At-
tributes Values within IKE, see [IKE] and [DOI].
6. Security Considerations
The security provided by HMAC-SHA-256-96 is based upon the strength
of HMAC and, to a lesser degree, the strength of SHA-256. At the
time of this writing there are no practical cryptographic attacks
against HMAC-SHA-256-96.
As is true with any cryptographic algorithm, part of its strength
lies in the correctness of the algorithm implementation, the security
of the key management mechanism and its implementation, the strength
of the associated secret key, and upon the correctness of the imple-
mentation in all of the participating systems. This draft contains
test vectors to assist in verifying the correctness of HMAC-
SHA-256-96 code.
7. IANA Considerations
IANA has assigned Hash Algorithm ID 4 to SHA2-256.
IANA has assigned AH Transform Identifier 5 to AH_SHA2-256.
IANA has assigned AH/ESP Authentication Attribute Value 5 to HMAC-
SHA2-256.
8. Intellectual Property Rights Statement
Pursuant to the provisions of [RFC-2026], the authors represent that
they have disclosed the existence of any proprietary or intellectual
property rights in the contribution that are reasonably and personal-
ly known to the authors. The authors do not represent that they per-
sonally know of all potentially pertinent proprietary and intellectu-
al property rights owned or claimed by the organizations they repre-
sent or third parties.
The IETF takes no position regarding the validity or scope of any in-
tellectual property or other rights that might be claimed to pertain
to the implementation or use of the technology described in this doc-
ument or the extent to which any license under such rights might or
might not be available; neither does it represent that it has made
any effort to identify any such rights. Information on the IETF's
procedures with respect to rights in standards-track and standards-
related documentation can be found in BCP-11. Copies of claims of
rights made available for publication and any assurances of licenses
to be made available, or the result of an attempt made to obtain a
general license or permission for the use of such proprietary rights
by implementers or users of this specification can be obtained from
the IETF Secretariat.
9. Acknowledgments
Portions of this text were unabashedly borrowed from [HMAC-SHA].
10. References
[AH] Kent, S. and R. Atkinson, "IP Authentication Header",
RFC 2402, November 1998.
[ARCH] Kent, S. and R. Atkinson, "Security Architecture for
the Internet Protocol", RFC 2401, November 1998.
[DOI] Piper, D., "The Internet IP Security Domain of
Interpretation for ISAKMP",
[ESP] Kent, S. and R. Atkinson, "IP Encapsulating Security
Payload (ESP)", RFC 2406, November 1998.
[HASH] Bellare, M., R. Canetti and H. Krawczyk, "Keying Hash
Functions for Message Authentication", Advances in
Cryptography, Crypto96 Proceedings, June 1996.
[HMAC] Krawczyk, H., M. Bellare and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, February
1997.
[HMAC-SHA] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96
within ESP and AH", RFC 2404, November 1998.
[IKE] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, November 1998.
[RFC-2026] Bradner, S., "The Internet Standards Process --
Revision 3", RFC 2026, October 1996.
[RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997.
[ROADMAP] Thayer, R., N. Doraswamy, and R. Glenn, "IP Security
Document Roadmap", RFC 2411, November 1998.
[SHA2-1] "Specifications for the Secure Hash Standard", Draft
FIPS 180-2, May 2001.
http://csrc.nist.gov/encryption/shs/dfips-180-2.pdf
[SHA2-2] "Descriptions of SHA-256, SHA-384, and SHA-512".
http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf
11. Authors' Addresses
Sheila Frankel
NIST
820 West Diamond Ave.
Room 680
Gaithersburg, MD 20899
Phone: +1 (301) 975-3297
Email: sheila.frankel@nist.gov
Scott Kelly
SonicWALL, Inc.
1160 Bordeaux Dr.
Sunnyvale, CA 94089
Phone: +1 (408) 745-9600
Email: skelly@sonicwall.com
The IPsec working group can be contacted through the chairs:
Barbara Fraser
Cisco Systems Inc.
Email: byfraser@cisco.com
Theodore T'so
Massachusetts Institute of Technology
Email: tytso@mit.edu
12. Full Copyright Statement
Copyright (C) The Internet Society (1998). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this doc-
ument itself may not be modified in any way, such as by removing the
copyright notice or references to the Internet Society or other In-
ternet organizations, except as needed for the purpose of developing
Internet standards in which case the procedures for copyrights de-
fined in the Internet Standards process must be followed, or as re-
quired to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HERE-
IN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MER-
CHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.