分享
 
 
 

RFC1828 - IP Authentication using Keyed MD5

王朝other·作者佚名  2008-05-31
窄屏简体版  字體: |||超大  

Network Working Group P. Metzger

Request for Comments: 1828 Piermont

Category: Standards Track W. Simpson

Daydreamer

August 1995

IP Authentication using Keyed MD5

Status of this Memo

This document specifies an Internet standards track protocol for the

Internet community, and requests discussion and suggestions for

improvements. Please refer to the current edition of the "Internet

Official Protocol Standards" (STD 1) for the standardization state

and status of this protocol. Distribution of this memo is unlimited.

Abstract

This document describes the use of keyed MD5 with the IP

Authentication Header.

Table of Contents

1. IntrodUCtion .......................................... 1

1.1 Keys ............................................ 1

1.2 Data Size ....................................... 1

1.3 Performance ..................................... 1

2. Calculation ........................................... 2

SECURITY CONSIDERATIONS ...................................... 2

ACKNOWLEDGEMENTS ............................................. 3

REFERENCES ................................................... 3

AUTHOR'S ADDRESS ............................................. 4

1. Introduction

The Authentication Header (AH) [RFC-1826] provides integrity and

authentication for IP datagrams. This specification describes the AH

use of keys with Message Digest 5 (MD5) [RFC-1321].

All implementations that claim conformance or compliance with the

Authentication Header specification MUST implement this keyed MD5

mechanism.

This document assumes that the reader is familiar with the related

document "Security Architecture for the Internet Protocol" [RFC-

1825], which defines the overall security plan for IP, and provides

important background for this specification.

1.1. Keys

The secret authentication key shared between the communicating

parties SHOULD be a cryptographically strong random number, not a

guessable string of any sort.

The shared key is not constrained by this transform to any particular

size. Lengths of up to 128 bits MUST be supported by the

implementation, although any particular key may be shorter. Longer

keys are encouraged.

1.2. Data Size

MD5's 128-bit output is naturally 64-bit aligned. Typically, there

is no further padding of the Authentication Data field.

1.3. Performance

MD5 software speeds are adequate for commonly deployed LAN and WAN

links, but reportedly are too slow for newer link technologies [RFC-

1810].

Nota Bene:

Suggestions are sought on alternative authentication algorithms

that have significantly faster throughput, are not patent-

encumbered, and still retain adequate cryptographic strength.

2. Calculation

The 128-bit digest is calculated as described in [RFC-1321]. The

specification of MD5 includes a portable 'C' programming language

description of the MD5 algorithm.

The form of the authenticated message is

key, keyfill, datagram, key, MD5fill

First, the variable length secret authentication key is filled to the

next 512-bit boundary, using the same pad with length technique

defined for MD5.

Then, the filled key is concatenated with (immediately followed by)

the invariant fields of the entire IP datagram (variant fields are

zeroed), concatenated with (immediately followed by) the original

variable length key again.

A trailing pad with length to the next 512-bit boundary for the

entire message is added by MD5 itself. The 128-bit MD5 digest is

calculated, and the result is inserted into the Authentication Data

field.

Discussion:

When the implementation adds the keys and padding in place before

and after the IP datagram, care must be taken that the keys and/or

padding are not sent over the link by the link driver.

Security Considerations

Users need to understand that the quality of the security provided by

this specification depends completely on the strength of the MD5 hash

function, the correctness of that algorithm's implementation, the

security of the key management mechanism and its implementation, the

strength of the key [CN94], and upon the correctness of the

implementations in all of the participating nodes.

At the time of writing of this document, it is known to be possible

to produce collisions in the compression function of MD5 [dBB93].

There is not yet a known method to eXPloit these collisions to attack

MD5 in practice, but this fact is disturbing to some authors

[Schneier94].

It has also recently been determined [vOW94] that it is possible to

build a machine for $10 Million that could find two chosen text

variants with a common MD5 hash value. However, it is unclear

whether this attack is applicable to a keyed MD5 transform.

This attack requires approximately 24 days. The same form of attack

is useful on any iterated n-bit hash function, and the time is

entirely due to the 128-bit length of the MD5 hash.

Although there is no substantial weakness for most IP security

applications, it should be recognized that current technology is

catching up to the 128-bit hash length used by MD5. Applications

requiring extremely high levels of security may wish to move in the

near future to algorithms with longer hash lengths.

Acknowledgements

This document was reviewed by the IP Security Working Group of the

Internet Engineering Task Force (IETF). Comments should be submitted

to the ipsec@ans.net mailing list.

Some of the text of this specification was derived from work by

Randall Atkinson for the SIP, SIPP, and IPv6 Working Groups.

The basic concept and use of MD5 is derived in large part from the

work done for SNMPv2 [RFC-1446].

Steve Bellovin, Phil Karn, Charles Lynn, Dave Mihelcic, Hilarie

Orman, Jeffrey Schiller, Joe Touch, and David Wagner provided useful

critiques of earlier versions of this draft.

References

[CN94] Carroll, J.M., and Nudiati, S., "On Weak Keys and Weak Data:

Foiling the Two Nemeses", Cryptologia, Vol. 18 No. 23 pp.

253-280, July 1994.

[dBB93] den Boer, B., and Bosselaers, A., "Collisions for the

Compression function of MD5", Advances in Cryptology --

Eurocrypt '93 Proceedings, Berlin: Springer-Verlag 1994

[KR95] Kaliski, B., and Robshaw, M., "Message authentication with

MD5", CryptoBytes (RSA Labs Technical Newsletter), vol.1

no.1, Spring 1995.

[RFC-1321]

Rivest, R., "The MD5 Message-Digest Algorithm", RFC1321,

MIT and RSA Data Security, Inc., April 1992.

[RFC-1446]

Galvin, J., and K. McCloghrie, "Security Protocols for

Version 2 of the Simple Network Management Protocol

(SNMPv2)", RFC1446, TIS, Hughes LAN Systems, April

1993.

[RFC-1700]

Reynolds, J., and J. Postel, "Assigned Numbers", STD 2,

RFC1700, USC/Information Sciences Institute, October 1994.

[RFC-1800]

Postel, J., "Internet Official Protocol Standards", STD 1,

RFC1800, USC/Information Sciences Institute, July 1995.

[RFC-1810]

Touch, J., "Report on MD5 Performance", RFC1810,

USC/Information Sciences Institute, June 1995.

[RFC-1825]

Atkinson, R., "Security Architecture for the Internet

Protocol", RFC1825, NRL, August 1995.

[RFC-1826]

Atkinson, R., "IP Authentication Header", RFC1826, NRL

August 1995.

[Schneier94]

Schneier, B., "Applied Cryptography", John Wiley & Sons, New

York, NY, 1994. ISBN 0-471-59756-2

[vOW94] van Oorschot, P. C., and Wiener, M. J., "Parallel Collision

Search with Applications to Hash Functions and Discrete

Logarithms", Proceedings of the 2nd ACM Conf. Computer and

Communications Security, Fairfax, VA, November 1994.

Author's Address

Questions about this memo can also be directed to:

Perry Metzger

Piermont Information Systems Inc.

160 Cabrini Blvd., Suite #2

New York, NY 10033

perry@piermont.com

William Allen Simpson

Daydreamer

Computer Systems Consulting Services

1384 Fontaine

Madison Heights, Michigan 48071

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有