Network Working Group P. Metzger
Request for Comments: 2841 Piermont
Category: Historic W. Simpson
Obsoletes: 1852 DayDreamer
November 2000
Network Working Group P. Metzger
Request for Comments: 2841 Piermont
Category: Historic W. Simpson
Obsoletes: 1852 DayDreamer
November 2000
IP Authentication using Keyed SHA1 with Interleaved Padding (IP-MAC)
使用带交织填充的密钥SHA1(IP-MAC)的IP身份验证
Status of this Memo
本备忘录的状况
This memo defines a Historic Document for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
此备忘录定义了互联网社区的历史文档。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2000). All Rights Reserved.
版权所有(C)互联网协会(2000年)。版权所有。
Abstract
摘要
This document describes the use of keyed SHA1 with the IP Authentication Header.
本文档描述了带IP身份验证头的密钥SHA1的使用。
Table of Contents
目录
1. Introduction ............................................. 2
1.1. Keys ..................................................... 2
1.2. Data Size ................................................ 2
1.3. Performance .............................................. 3
2. Calculation .............................................. 3
A. Changes .................................................. 5
Security Considerations ....................................... 6
Acknowledgements .............................................. 6
References .................................................... 7
Contacts ...................................................... 8
Editor's Note ................................................. 8
Full Copyright Statement ...................................... 9
1. Introduction ............................................. 2
1.1. Keys ..................................................... 2
1.2. Data Size ................................................ 2
1.3. Performance .............................................. 3
2. Calculation .............................................. 3
A. Changes .................................................. 5
Security Considerations ....................................... 6
Acknowledgements .............................................. 6
References .................................................... 7
Contacts ...................................................... 8
Editor's Note ................................................. 8
Full Copyright Statement ...................................... 9
The Authentication Header (AH) [RFC-1826] provides integrity and authentication for IP datagrams. This specification describes the AH use of keys with the Secure Hash Algorithm (SHA1) [FIPS-180-1]. This SHA1-IP-MAC algorithm uses a leading and trailing key (a variant of the "envelope method"), with alignment padding between both keys and data.
认证头(AH)[RFC-1826]为IP数据报提供完整性和认证。本规范描述了安全哈希算法(SHA1)[FIPS-180-1]中密钥的AH使用。这种SHA1-IP-MAC算法使用一个前导键和尾随键(一种“信封方法”的变体),在键和数据之间使用对齐填充。
It should be noted that this document specifies a newer version of SHA than that described in [FIPS-180], which was flawed. The older version is not interoperable with the newer version.
应该注意的是,本文件指定的SHA版本比[FIPS-180]中描述的版本更新,这是有缺陷的。旧版本与新版本不可互操作。
This document assumes that the reader is familiar with the related document "Security Architecture for the Internet Protocol" [RFC-1825], that defines the overall security plan for IP, and provides important background for this specification.
本文件假设读者熟悉相关文件“互联网协议的安全架构”[RFC-1825],该文件定义了IP的总体安全计划,并为本规范提供了重要背景。
The secret authentication key shared between the communicating parties SHOULD be a cryptographically strong random number, not a guessable string of any sort.
通信双方之间共享的秘密身份验证密钥应该是加密强随机数,而不是任何种类的可猜测字符串。
The shared key is not constrained by this transform to any particular size. Lengths of 160-bits (20 octets) MUST be supported by the implementation, although any particular key may be shorter. Longer keys are encouraged.
共享密钥不受此转换的约束,不受任何特定大小的约束。实现必须支持160位(20个八位字节)的长度,尽管任何特定密钥可能更短。鼓励使用更长的钥匙。
SHA1's 160-bit output is naturally 32-bit aligned. However, many implementations require 64-bit alignment of the following headers.
SHA1的160位输出自然是32位对齐的。但是,许多实现需要以下标头的64位对齐。
Therefore, several options are available for data alignment (most preferred to least preferred):
因此,有几个选项可用于数据对齐(最优先到最不优先):
1) only the most significant 128-bits (16 octets) of output are used.
1) 仅使用输出的最高有效128位(16个八位字节)。
2) an additional 32-bits (4 octets) of padding is added before the SHA1 output.
2) 在SHA1输出之前添加额外的32位(4个八位字节)填充。
3) an additional 32-bits (4 octets) of padding is added after the SHA1 output.
3) 在SHA1输出之后添加额外的32位(4个八位字节)填充。
4) the SHA1 output is variably bit-positioned within 192-bits (24 octets).
4) SHA1输出可在192位(24个八位字节)内进行可变位定位。
The size and position of the output are negotiated as part of the key management. Padding bits are filled with unspecified implementation dependent (random) values, which are ignored on receipt.
输出的大小和位置作为密钥管理的一部分进行协商。填充位由未指定的依赖于实现的(随机)值填充,这些值在接收时被忽略。
Discussion:
讨论:
Although truncation of the output for alignment purposes may appear to reduce the effectiveness of the algorithm, some analysts of attack verification suggest that this may instead improve the overall robustness [PO95a].
尽管出于对齐目的截断输出可能会降低算法的有效性,但一些攻击验证分析师认为,这可能会提高整体鲁棒性[PO95a]。
Preliminary results indicate that SHA1 is 62% as fast as MD5, and 80% as fast as DES hashing. That is:
初步结果表明,SHA1的速度比MD5快62%,比DES哈希快80%。即:
SHA1 < DES < MD5
SHA1<DES<MD5
This appears to be a reasonable performance tradeoff, as SHA1 internal chaining is significantly longer than either DES or MD5:
这似乎是一个合理的性能折衷,因为SHA1内部链接明显长于DES或MD5:
DES < MD5 < SHA1
DES<MD5<SHA1
Nota Bene: Suggestions are sought on alternative authentication algorithms that have significantly faster throughput, are not patent-encumbered, and still retain adequate cryptographic strength.
注:我们寻求关于替代认证算法的建议,这些算法具有更快的吞吐量,不受专利限制,并且仍然保持足够的加密强度。
The 160-bit digest is calculated as described in [FIPS-180-1]. A portable C language implementation of SHA1 is available via FTP from ftp://rand.org/pub/jim/sha.tar.gz.
按照[FIPS-180-1]中的说明计算160位摘要。SHA1的可移植C语言实现可通过FTP从ftp://rand.org/pub/jim/sha.tar.gz.
The form of the authenticated message is:
已验证消息的形式为:
SHA1( key, keyfill, datagram, datafill, key, sha1fill )
SHA1(键,键填充,数据报,数据填充,键,SHA1填充)
First, the variable length secret authentication key is filled to the next 512-bit boundary, using the same pad-with-length technique defined for SHA1. The padding technique includes a length that protects arbitrary length keys.
首先,使用为SHA1定义的长度相同的pad技术,将可变长度秘密身份验证密钥填充到下一个512位边界。填充技术包括保护任意长度键的长度。
Next, the filled key is concatenated with (immediately followed by) the invariant fields of the entire IP datagram (variant fields are zeroed). This is also filled to the next 512-bit boundary, using the same pad-with-length technique defined for SHA1. The length includes the leading key and data.
接下来,填充的密钥与整个IP数据报的不变字段连接(紧跟其后)(变量字段归零)。这也填充到下一个512位边界,使用为SHA1定义的具有长度的相同焊盘技术。长度包括前导键和数据。
Then, the filled data is concatenated with (immediately followed by) the original variable length key again. A trailing pad-with-length to the next 512-bit boundary for the entire message is added by SHA1 itself.
然后,填充的数据再次与原始可变长度键连接(紧跟其后)。SHA1本身为整个消息添加一个长度为下一个512位边界的尾随焊盘。
Finally, the 160-bit SHA1 digest is calculated, and the result is inserted into the Authentication Data field.
最后,计算160位SHA1摘要,并将结果插入到身份验证数据字段中。
Discussion:
讨论:
The leading copy of the key is padded in order to facilitate copying of the key at machine boundaries without requiring re-alignment of the following datagram. Filling to the SHA1 block size also allows the key to be prehashed to avoid the physical copy in some implementations.
密钥的前导副本被填充,以便于在机器边界复制密钥,而无需重新对齐以下数据报。填充到SHA1块大小还允许预灰化密钥,以避免某些实现中的物理拷贝。
The trailing copy of the key is not necessary to protect against appending attacks, as the IP datagram already includes a total length field. It reintroduces mixing of the entire key, providing protection for very long and very short datagrams, and robustness against possible attacks on the IP length field itself.
密钥的尾部副本对于防止附加攻击不是必需的,因为IP数据报已经包含一个总长度字段。它重新引入了整个密钥的混合,为很长和很短的数据报提供保护,并对IP长度字段本身可能受到的攻击具有鲁棒性。
When the implementation adds the keys and padding in place before and after the IP datagram, care must be taken that the keys and/or padding are not sent over the link by the link driver.
当实现在IP数据报前后适当地添加密钥和填充时,必须注意,链路驱动程序不会通过链路发送密钥和/或填充。
A. Changes
A.变化
Changes from RFC 1852:
RFC 1852的变更:
Use of SHA1 term (as always intended).
SHA1术语的使用(与预期一致)。
Added shortened 128-bit output, and clarify output text.
增加了缩短的128位输出,并澄清了输出文本。
Added tradeoff text.
添加了折衷文本。
Changed padding technique to comply with Crypto '95 recommendations.
更改了填充技术以符合Crypto'95的建议。
Updated references.
更新参考资料。
Updated contacts.
更新联系人。
Minor editorial changes.
编辑上的小改动。
Security Considerations
安全考虑
Users need to understand that the quality of the security provided by this specification depends completely on the strength of the SHA1 hash function, the correctness of that algorithm's implementation, the security of the key management mechanism and its implementation, the strength of the key, and upon the correctness of the implementations in all of the participating nodes.
用户需要了解,本规范提供的安全质量完全取决于SHA1哈希函数的强度、该算法实现的正确性、密钥管理机制及其实现的安全性、密钥的强度、,以及在所有参与节点中实现的正确性。
The SHA algorithm was originally derived from the MD4 algorithm [RFC-1320]. A flaw was apparently found in the original specification of SHA [FIPS-180], and this document specifies the use of a corrected version [FIPS-180-1].
SHA算法最初源自MD4算法[RFC-1320]。SHA[FIPS-180]的原始规范中显然发现了一个缺陷,本文件规定使用修正版[FIPS-180-1]。
At the time of writing of this document, there are no known flaws in the SHA1 algorithm. That is, there are no known attacks on SHA1 or any of its components that are better than brute force, and the 160- bit hash size of SHA1 is substantially more resistant to brute force attacks than the 128-bit hash size of MD4 and MD5.
在编写本文档时,SHA1算法中没有已知的缺陷。也就是说,没有已知的对SHA1或其任何组件的攻击优于暴力攻击,并且SHA1的160位哈希大小比MD4和MD5的128位哈希大小更能抵抗暴力攻击。
However, as the flaw in the original SHA1 algorithm shows, cryptographers are fallible, and there may be substantial deficiencies yet to be discovered in the algorithm.
然而,正如原始SHA1算法中的缺陷所显示的那样,密码学家是容易出错的,并且该算法中可能存在大量有待发现的缺陷。
Acknowledgements
致谢
Some of the text of this specification was derived from work by Randall Atkinson for the SIP, SIPP, and IPv6 Working Groups.
本规范的部分文本源自Randall Atkinson为SIP、SIPP和IPv6工作组所做的工作。
Preliminary performance analysis was provided by Joe Touch.
Joe Touch提供了初步性能分析。
Padding the leading copy of the key to a hash block boundary for increased performance was originally suggested by William Allen Simpson.
William Allen Simpson最初建议将密钥的前导副本填充到哈希块边界以提高性能。
Padding the leading copy of the key to a hash block boundary for increased security was suggested by [KR95]. Including the key length for increased security was suggested by David Wagner.
[KR95]建议将密钥的前导副本填充到哈希块边界以提高安全性。David Wagner建议增加密钥长度以提高安全性。
Padding the datagram to a hash block boundary to avoid (an impractical) key recovery attack was suggested by [PO95b].
[PO95b]建议将数据报填充到哈希块边界以避免(不切实际的)密钥恢复攻击。
References
工具书类
[FIPS-180] "Secure Hash Standard", Computer Systems Laboratory, National Institute of Standards and Technology, U.S. Department Of Commerce, May 1993.
[FIPS-180]“安全哈希标准”,美国商务部国家标准与技术研究所计算机系统实验室,1993年5月。
Also known as: 58 Fed Reg 27712 (1993).
也称为:58联邦公报27712(1993)。
[FIPS-180-1] "Secure Hash Standard", National Institute of Standards and Technology, U.S. Department Of Commerce, April 1995.
[FIPS-180-1]“安全哈希标准”,美国商务部国家标准与技术研究所,1995年4月。
Also known as: 59 Fed Reg 35317 (1994).
也称为:59美联储条例35317(1994)。
[KR95] Kaliski, B., and Robshaw, M., "Message authentication with MD5", CryptoBytes (RSA Labs Technical Newsletter), vol.1 no.1, Spring 1995.
[KR95]Kaliski,B.和Robshaw,M.,“使用MD5进行消息身份验证”,CryptoBytes(RSA实验室技术通讯),第1卷第1期,1995年春季。
[PO95a] Preneel, B., and van Oorshot, P., "MDx-MAC and Building Fast MACs from Hash Functions", Advances in Cryptology -- Crypto '95 Proceedings, Santa Barbara, California, August 1995.
[PO95a]Preneel,B.和van Oorshot,P.,“MDx MAC和利用散列函数构建快速MAC”,《密码学进展——加密’95年论文集》,加利福尼亚州圣巴巴拉,1995年8月。
[PO95b] Preneel, B., and van Oorshot, P., "On the Security of Two MAC Algorithms", Presented at the Rump Session of Crypto '95, Santa Barbara, California, August 1995.
[PO95b]Preneel,B.和van Oorshot,P.,“关于两种MAC算法的安全性”,发表于1995年8月在加利福尼亚州圣巴巴拉的Crypto'95的残余会议上。
[RFC 1320] Rivest, R., "The MD4 Message-Digest Algorithm", RFC 1320, April 1992.
[RFC 1320]Rivest,R.,“MD4消息摘要算法”,RFC 1320,1992年4月。
[RFC 1700] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC 1700, October 1994.
[RFC 1700]Reynolds,J.和J.Postel,“分配的数字”,标准2,RFC 1700,1994年10月。
[RFC 1825] Atkinson, R., "Security Architecture for the Internet Protocol", RFC 1825, July 1995.
[RFC 1825]阿特金森,R.,“互联网协议的安全架构”,RFC 18251995年7月。
[RFC 1826] Atkinson, R., "IP Authentication Header", RFC 1826, July 1995.
[RFC 1826]阿特金森,R.,“IP认证头”,RFC 1826,1995年7月。
Contacts
联络
Comments about this document should be discussed on the photuris@adk.gr mailing list.
关于本文件的评论应在photuris@adk.gr邮件列表。
This document is a submission to the IP Security Working Group of the Internet Engineering Task Force (IETF). The working group can be contacted via the current chairs:
本文件提交给互联网工程任务组(IETF)的IP安全工作组。可通过现任主席联系工作组:
Questions about this document can also be directed to:
有关本文件的问题,请联系:
Perry Metzger Piermont Information Systems Inc. 160 Cabrini Blvd., Suite #2 New York, NY 10033
佩里·梅茨格·皮尔蒙特信息系统公司,纽约州纽约市卡布里尼大道160号,2号套房,邮编10033
EMail: perry@piermont.com
EMail: perry@piermont.com
William Allen Simpson DayDreamer Computer Systems Consulting Services 1384 Fontaine Madison Heights, Michigan 48071
William Allen Simpson DayDreamer计算机系统咨询服务1384 Fontaine Madison Heights,Michigan 48071
EMail: wsimpson@UMich.edu
wsimpson@GreenDragon.com (preferred)
EMail: wsimpson@UMich.edu
wsimpson@GreenDragon.com (preferred)
Editor's Note
编者按
This paper was originally submitted May 1, 1996.
本论文最初于1996年5月1日提交。
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2000). All Rights Reserved.
版权所有(C)互联网协会(2000年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。