datatracker.ietf.org
Sign in
Version 5.6.2.p1, 2014-07-22
Report a bug

Support for Multiple Hash Algorithms in Cryptographically Generated Addresses (CGAs)
RFC 4982

Document type: RFC - Proposed Standard (July 2007; Errata)
Updates RFC 3972
Was draft-bagnulo-multiple-hash-cga (individual in sec area)
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 4982 (Proposed Standard)
Responsible AD: Russ Housley
Send notices to: jari.arkko@piuha.net, marcelo@it.uc3m.es, kempf@docomolabs-usa.com

Network Working Group                                         M. Bagnulo
Request for Comments: 4982                                          UC3M
Updates: 3972                                                   J. Arkko
Category: Standards Track                                       Ericsson
                                                               July 2007

                Support for Multiple Hash Algorithms in
              Cryptographically Generated Addresses (CGAs)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document analyzes the implications of recent attacks on commonly
   used hash functions on Cryptographically Generated Addresses (CGAs)
   and updates the CGA specification to support multiple hash
   algorithms.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 2
   3.  Impact of Collision Attacks in CGAs . . . . . . . . . . . . . . 2
   4.  Options for Multiple Hash Algorithm Support in CGAs . . . . . . 3
     4.1.  Where to Encode the Hash Function?  . . . . . . . . . . . . 4
   5.  CGA Generation Procedure  . . . . . . . . . . . . . . . . . . . 6
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
   7.  Security Considerations . . . . . . . . . . . . . . . . . . . . 7
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 7
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 7
     9.1.  Normative References  . . . . . . . . . . . . . . . . . . . 7
     9.2.  Informative References  . . . . . . . . . . . . . . . . . . 7

Bagnulo & Arkko             Standards Track                     [Page 1]
RFC 4982             Multiple Hash Support in CGAs             July 2007

1.  Introduction

   Recent attacks to currently used hash functions have motivated a
   considerable amount of concern in the Internet community.  The
   recommended approach [6] [10] to deal with this issue is first to
   analyze the impact of these attacks on the different Internet
   protocols that use hash functions and second to make sure that the
   different Internet protocols that use hash functions are capable of
   migrating to an alternative (more secure) hash function without a
   major disruption in the Internet operation.

   This document performs such analysis for the Cryptographically
   Generated Addresses (CGAs) defined in [2].  The first conclusion of
   the analysis is that the security of the protocols using CGAs is not
   affected by the recently available attacks against hash functions.
   The second conclusion of the analysis is that the hash function used
   is hard coded in the CGA specification.  This document updates the
   CGA specification [2] to enable the support of alternative hash
   functions.  In order to do so, this document creates a new registry
   managed by IANA to register the different hash algorithms used in
   CGAs.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [1].

3.  Impact of Collision Attacks in CGAs

   Recent advances in cryptography have resulted in simplified attacks
   against the collision-free property of certain commonly used hash
   functions [6] [10], including SHA-1 that is the hash function used by
   CGAs [2].  The result is that it is possible to obtain two messages,
   M1 and M2, that have the same hash value with much less than 2^(L/2)
   attempts.  We will next analyze the impact of such attacks in the
   currently proposed usages of CGAs.

   As we understand it, the attacks against the collision-free property
   of a hash function mostly challenge the application of such hash
   functions, for the provision of non-repudiation capabilities.  This
   is because an attacker would be capable to create two different
   messages that result in the same hash value and it can then present
   any of the messages interchangeably (for example after one of them
   has been signed by the other party involved in the transaction).
   However, it must be noted that both messages must be generated by the

[include full document text]