RFC relevance of standards

As per Relevance of the word standards, we have this rfc below:

Network Working Group C.
Request for Comments: 2404 Cisco Systems Inc
Category: Standards Track R.

November 1998

The Use of HMAC-SHA-1-96 within ESP and

Status of this

This document specifies an Internet standards track protocol for
Internet community, and requests discussion and suggestions
improvements. Please refer to the current edition of the "
Official Protocol Standards" (STD 1) for the standardization
and status of this protocol. Distribution of this memo is unlimited

Copyright

Copyright (C) The Internet Society (1998). All Rights Reserved

This memo describes the use of the HMAC algorithm [RFC-2104]
conjunction with the SHA-1 algorithm [FIPS-180-1] as
authentication mechanism within the revised IPSEC
Security Payload [ESP] and the revised IPSEC Authentication
[AH]. HMAC with SHA-1 provides data origin authentication
integrity protection

Further information on the other components necessary for ESP and
implementations is provided by [Thayer97a].

1.

This memo specifies the use of SHA-1 [FIPS-180-1] combined with
[RFC-2104] as a keyed authentication mechanism within the context
the Encapsulating Security Payload and the Authentication Header
The goal of HMAC-SHA-1-96 is to ensure that the packet is
and cannot be modified in transit

HMAC is a secret key authentication algorithm. Data integrity
data origin authentication as provided by HMAC are dependent upon
scope of the distribution of the secret key. If only the source
destination know the HMAC key, this provides both data

Madson & Glenn Standards Track [Page 1]

RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH November 1998

authentication and data integrity for packets sent between the
parties; if the HMAC is correct, this proves that it must have
added by the source

In this memo, HMAC-SHA-1-96 is used within the context of ESP and AH
For further information on how the various pieces of ESP -
the confidentiality mechanism -- fit together to provide
services, refer to [ESP] and [Thayer97a]. For further information
AH, refer to [AH] and [Thayer97a].

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
document are to be interpreted as described in [RFC 2119].

2. Algorithm and

[FIPS-180-1] describes the underlying SHA-1 algorithm, while [RFC
2104] describes the HMAC algorithm. The HMAC algorithm provides
framework for inserting various hashing algorithms such as SHA-1.

HMAC-SHA-1-96 operates on 64-byte blocks of data.
requirements are specified in [FIPS-180-1] and are part of the SHA-1
algorithm. If you build SHA-1 according to [FIPS-180-1] you do
need to add any additional padding as far as HMAC-SHA-1-96
concerned. With regard to "implicit packet padding" as defined
[AH] no implicit packet padding is required

HMAC-SHA-1-96 produces a 160-bit authenticator value. This 160-
value can be truncated as described in RFC2104. For use with
ESP or AH, a truncated value using the first 96 bits MUST
supported. Upon sending, the truncated value is stored within
authenticator field. Upon receipt, the entire 160-bit value
computed and the first 96 bits are compared to the value stored
the authenticator field. No other authenticator value lengths
supported by HMAC-SHA-1-96.

The length of 96 bits was selected because it is the
authenticator length as specified in [AH] and meets the
requirements described in [RFC-2104].

2.1

[Bellare96a] states that "(HMAC) performance is essentially that
the underlying hash function". As of this writing no
performance analysis has been done of SHA-1, HMAC or HMAC
with SHA-1.

Madson & Glenn Standards Track [Page 2]

RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH November 1998

[RFC-2104] outlines an implementation modification which can
per-packet performance without affecting interoperability

3. Keying

HMAC-SHA-1-96 is a secret key algorithm. While no fixed key length
specified in [RFC-2104], for use with either ESP or AH a fixed
length of 160-bits MUST be supported. Key lengths other than 160-
bits MUST NOT be supported (i.e. only 160-bit keys are to be used
HMAC-SHA-1-96). A key length of 160-bits was chosen based on
recommendations in [RFC-2104] (i.e. key lengths less than
authenticator length decrease security strength and keys longer
the authenticator length do not significantly increase
strength).

[RFC-2104] discusses requirements for key material, which includes
discussion on requirements for strong randomness. A strong pseudo
random function MUST be used to generate the required 160-bit key

At the time of this writing there are no specified weak keys for
with HMAC. This does not mean to imply that weak keys do not exist
If, at some point, a set of weak keys for HMAC are identified,
use of these weak keys must be rejected followed by a request
replacement keys or a newly negotiated Security Association

[ARCH] describes the general mechanism for obtaining keying
when multiple keys are required for a single SA (e.g. when an ESP
requires a key for confidentiality and a key for authentication).

In order to provide data origin authentication, the key
mechanism must ensure that unique keys are allocated and that
are distributed only to the parties participating in
communication

[RFC-2104] makes the following recommendation with regard
rekeying. Current attacks do not indicate a specific
frequency for key changes as these attacks are
infeasible. However, periodic key refreshment is a
security practice that helps against potential weaknesses of
function and keys, reduces the information avaliable to
cryptanalyst, and limits the damage of an exposed key

4. Interaction with the ESP Cipher

As of this writing, there are no known issues which preclude the
of the HMAC-SHA-1-96 algorithm with any specific cipher algorithm

Madson & Glenn Standards Track [Page 3]

RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH November 1998

5. Security

The security provided by HMAC-SHA-1-96 is based upon the strength
HMAC, and to a lesser degree, the strength of SHA-1. At the time
this writing there are no practical cryptographic attacks
HMAC-SHA-1-96.

[RFC-2104] states that for "minimally reasonable hash functions"
"birthday attack" is impractical. For a 64-byte block hash such
HMAC-SHA-1-96, an attack involving the successful processing of 2**80
blocks would be infeasible unless it were discovered that
underlying hash had collisions after processing 2**30 blocks. A
with such weak collision-resistance characteristics would
be considered to be unusable

It is also important to consider that while SHA-1 was never
to be used as a keyed hash algorithm, HMAC had that criteria from
onset

[RFC-2104] also discusses the potential additional security which
provided by the truncation of the resulting hash.
which include HMAC are strongly encouraged to perform this
truncation

As [RFC-2104] provides a framework for incorporating various
algorithms with HMAC, it is possible to replace SHA-1 with
algorithms such as MD5. [RFC-2104] contains a detailed discussion
the strengths and weaknesses of HMAC algorithms

As is true with any cryptographic algorithm, part of its
lies in the correctness of the algorithm implementation, the
of the key management mechanism and its implementation, the
of the associated secret key, and upon the correctness of
implementation in all of the participating systems. [RFC-2202]
contains test vectors and example code to assist in verifying
correctness of HMAC-SHA-1-96 code

6.

This document is derived in part from previous works by Jim Hughes
those people that worked with Jim on the combined DES/CBC+HMAC-MD
ESP transforms, the ANX bakeoff participants, and the members of
IPsec working group

We would also like to thank Hugo Krawczyk for his comments
recommendations regarding some of the cryptographic specific text
this document

Madson & Glenn Standards Track [Page 4]

RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH November 1998

7.

[FIPS-180-1] NIST, FIPS PUB 180-1: Secure Hash Standard
April 1995.
http://csrc.nist.gov/fips/fip180-1.txt (ascii
http://csrc.nist.gov/fips/fip180-1.ps (postscript

[RFC-2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed
Hashing for Message Authentication", RFC 2104,
1997.

[Bellare96a] Bellare, M., Canetti, R., and H. Krawczyk, "Keying
Functions for Message Authentication", Advances
Cryptography, Crypto96 Proceeding, June 1996.

[ARCH] Kent, S., and R. Atkinson, "Security Architecture
the Internet Protocol", RFC 2401, November 1998.

[ESP] Kent, S., and R. Atkinson, "IP Encapsulating
Payload", RFC 2406, November 1998.

[AH] Kent, S., and R. Atkinson, "IP Authentication Header",
RFC 2402, November 1998.

[Thayer97a] Thayer, R., Doraswamy, N., and R. Glenn, "IP
Document Roadmap", RFC 2411, November 1998.

[RFC-2202] Cheng, P., and R. Glenn, "Test Cases for HMAC-MD5
HMAC-SHA-1", RFC 2202, March 1997.

[RFC-2119] Bradner, S., "Key words for use in RFCs to
Requirement Levels", BCP 14, RFC 2119, March 1997.

8. Editors'

Cheryl
Cisco Systems, Inc

EMail: cmadson@cisco.

Rob

EMail: rob.glenn@nist.

Madson & Glenn Standards Track [Page 5]

RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH November 1998

The IPsec working group can be contacted through the chairs

Robert

EMail: rgm@icsa.

Ted T'
Massachusetts Institute of

EMail: tytso@mit.

Madson & Glenn Standards Track [Page 6]

RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH November 1998

9. Full Copyright

Copyright (C) The Internet Society (1998). All Rights Reserved

This document and translations of it may be copied and furnished
others, and derivative works that comment on or otherwise explain
or assist in its implementation may be prepared, copied,
and distributed, in whole or in part, without restriction of
kind, provided that the above copyright notice and this paragraph
included on all such copies and derivative works. However,
document itself may not be modified in any way, such as by
the copyright notice or references to the Internet Society or
Internet organizations, except as needed for the purpose
developing Internet standards in which case the procedures
copyrights defined in the Internet Standards process must
followed, or as required to translate it into languages other
English

The limited permissions granted above are perpetual and will not
revoked by the Internet Society or its successors or assigns

This document and the information contained herein is provided on
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE

Madson & Glenn Standards Track [Page 7]

if you see any problems within the linking, don't worry be happy,
this is version 0.1 of the Relevance System and you gotta expect some crappy subroutines sometimes,
just be content we did not write this in Java, which would have made this "bigger and better" HAHAHHA.

RFC documents can be found at I.E.T.F.

Relevance System Copyright © 2002 Spectrum WorldResearch
other technical nosh by ServerMasters Corporation
collaboration of BobX