       IPSEC Working Group                         S. Bitan, RADGUARD
       Internet Draft                            D. Frommer, RADGUARD
                                                         August 1997
       
                        The Use of DES-MAC within ESP and AH
                          <draft-bitan-auth-des-mac-00.txt>
       
       
       Status of This Memo
       
       This document is a submission to the IETF Internet Protocol Security
       (IPSEC) Working Group. Comments are solicited and should be addressed
       to the working group mailing list (ipsec@tis.com) or to the authors.
       
       This document is an Internet-Draft. Internet-Drafts are working
       documents of the Internet Engineering Task Force (IETF), its areas,
       and its working groups. Note that other groups may also distribute
       working documents as Internet-Drafts.

       Internet-Drafts are draft documents valid for a maximum of six months
       and may be updated, replaced, or obsoleted by other documents at any
       time. It is inappropriate to use Internet-Drafts as reference material
       or to cite them other than as "work in progress."
       
       To learn the current status of any Internet-Draft, please check the
       "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
       Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
       munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
       ftp.isi.edu (US West Coast).
       
       Distribution of this memo is unlimited.
       
       Abstract
       
       This draft describes the use of the DES-MAC algorithm [Kaufman95] as
       an authentication mechanism within the revised IPSEC Encapsulating
       Security Payload [ESP] and the revised IPSEC Authentication Header
       [AH]. DES-MAC [Kaufman95] is based on the DES encryption algorithm
       [FIPS-46, FIPS-46-1, FIPS-74, FIPS-81].
       
       Further information on the other components necessary for ESP and AH
       implementations is provided by [Thayer97a].

       Internet Draft      DES-MAC Authenticator          July 1997
       
       
       Contents

       STATUS OF THIS MEMO
       ABSTRACT
       1. INTRODUCTION
         1.1 SPECIFICATION OF REQUIREMENTS
       2. AUTHENTICATION ALGORITHM
         2.1 BLOCK SIZES AND PADDING
         2.2 PERFORMANCE
       3. KEY SPECIFICATIONS
       4. IV
       5. INTERACTION WITH THE ESP CIPHER MECHANISM
       6. SECURITY CONSIDERATIONS
       7. ACKNOWLEDGEMENTS
       8. REFERENCES
       9. AUTHORS INFORMATION
       
       
       1. Introduction
       
       This draft describes the use of the DES-MAC algorithm to provide
       authenticity within the context of the Encapsulating Security Payload
       [ESP] and the Authentication Header [AH]. The goal of auth-des-mac is
       to ensure that the packet is authentic and that it was not modified
       in transit.
       
       DES-MAC [Kaufman95] is based on the DES [FIPS-46, FIPS-46-1,
       FIPS-74, FIPS-81] encryption algorithm. Given a secret key, the last
       output block of a DES-CBC encryption of a message is used as the
       output of the DES-MAC algorithm for this message. Hence, DES-MAC is a
       secret key authentication algorithm. Data authentication and data
       integrity provided by DES-MAC are dependent upon the scope of the
       distribution of the secret key. If only the source and the destination
       know the DES-MAC key, this provides data origin authentication and
       data integrity for packets sent between the two parties. If the
       outputs of the DES-MAC computed by the two parties are identical, this
       proves that it has been computed by the source, and that the packet
       was not modified in transit.
       
       IPSEC implementations for high bandwidth networks might fail to
       supply the required performance without using hardware implementations
       of encryption and authentication algorithms. DES hardware
       implementations are popular and easy to find. Currently there exist
       only a few hardware implementations for the other authentication
       mechanisms that appear in the IPSEC drafts (HMAC-SHA-1 and HMAC-MD5).
       Hence, when high performance is a requirement, the DES-MAC
       authenticator is preferable to HMAC-SHA-1 or HMAC-MD5.
       
       This document assumes the reader is familiar with the terms and
       concepts in [RFC-1825], in [ESP], and in [AH].  This document follows
       the IPsec document framework described in [Framework].
       
       
       1.1 Specification of Requirements
       
       Interpret the keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD",
       "SHOULD NOT", and "MAY" that appear in this document as described in
       [RFC-2119].
       
       2. Authentication Algorithm
       
       The DES-MAC algorithm is based on the DES encryption algorithm
       [FIPS-46, FIPS-46-1, FIPS-74, FIPS-81]. The Message Authentication
       Code (MAC) of a message is the last output block of the DES-CBC
       encryption of that message. The authentication function properties of
       DES-MAC are derived from the encryption function properties of the DES
       algorithm.
       
       2.1  Block sizes and Padding
       
       Like DES, DES-MAC is a block algorithm. It operates on input blocks of
       size 64 bits. Hence, its input must be padded to form a multiple of
       64-bit blocks. When used in [ESP], the payload data must be padded to
       a multiple of the 64-bit block size. The padding should be done
       according to the conventions specified in [ESP]. <should specify
       padding for AH>
       
       The output of the DES-MAC algorithm is 64 bits long. Hence, the
       authentication data size in both ESP and AH is 64 bits.
       
       2.2 Performance
       
       The DES-MAC performance is identical to that of the DES encryption
       algorithm. The DES algorithm is designed to perform well using
       hardware implementations. Commonly available DES hardware is
       considerably faster than software implementations on popular
       processors. There are hardware implementations of DES operating at 100
       Mbps [Schneier]. The use of hardware allows a level of parallelism
       between the CPU and the DES hardware, which is especially important in
       security gateway implementations.

       Phil Karn has tuned DES-CBC software to achieve 10.45 Mbps with a 90
       MHz Pentium, scaling to 15.9 Mbps with a 133 MHz Pentium.

       If DES-MAC is used in conjunction with the DES-CBC cipher in ESP, the
       DES calculations for integrity and confidentiality may be performed in
       parallel given the appropriate hardware.
       
       3. Key Specifications
       
       Like DES-CBC, the key of DES-MAC is 64 bits long. Each byte has seven
       significant bits; the least significant bit is used as a parity bit.
       The keying material must be adjusted for parity as necessary. If the
       resulting key is a weak key, it must not be used. A list of DES weak
       and semi-weak keys can be found in [Schneier]. When used in ESP in
       conjunction with the DES-CBC cipher, independent keys must be used for
       authentication and encryption (see [Kaufman95, p.91]).
       
       A Security Association using this transform must rekey within a
       lifetime of 2^32 bytes.
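
       The key checks of this section, as an added Python example that is
       not part of the draft: parity adjustment (odd parity, the DES
       convention), rejection of weak keys, and a check that the DES-MAC key
       differs from the DES-CBC key. Rejecting semi-weak keys as well, and
       the names adjust_parity and prepare_mac_key, are assumptions of this
       example.

```python
import hmac

# The 4 weak and 12 semi-weak DES keys (odd parity), as commonly tabulated.
WEAK = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E")}
SEMI_WEAK = {bytes.fromhex(h) for h in (
    "01FE01FE01FE01FE", "FE01FE01FE01FE01", "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "01E001E001F101F1", "E001E001F101F101", "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01", "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1")}


def adjust_parity(material: bytes) -> bytes:
    """Set the least significant bit of each byte so the byte has odd parity."""
    if len(material) != 8:
        raise ValueError("DES keying material must be 64 bits")
    out = bytearray()
    for b in material:
        high7 = b & 0xFE                       # the seven significant bits
        odd = bin(high7).count("1") % 2 == 1
        out.append(high7 | (0 if odd else 1))  # parity bit makes the count odd
    return bytes(out)


def prepare_mac_key(material: bytes, cipher_material: bytes = None) -> bytes:
    """Return a usable DES-MAC key or raise ValueError (hypothetical helper)."""
    key = adjust_parity(material)
    if key in WEAK or key in SEMI_WEAK:
        raise ValueError("weak or semi-weak DES key: request fresh keying material")
    # Keys that differ only in parity bits are the same DES key, so compare
    # after adjustment. Identical keys are the one detectable violation of
    # the independence requirement.
    if cipher_material is not None and hmac.compare_digest(
            key, adjust_parity(cipher_material)):
        raise ValueError("DES-MAC key must be independent of the DES-CBC key")
    return key
```

       All-zero and all-one keying material both map onto weak keys after
       parity adjustment, which is why the check runs on the adjusted key.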
       
       4. IV
       
       The DES-CBC algorithm requires an initialization vector (IV). So does
       the DES-MAC algorithm. In this transform the IV is implicitly set to
       zero. A constant IV can be used, since the data in the ESP payload is
       encrypted, and in AH the replay protection guarantees that all the
       packets authenticated under the same SA are distinct.
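
       The chaining described in sections 2 and 4, as an added Python
       example that is not part of the draft: zero IV, input already padded
       to 64-bit blocks, last CBC output block used as the 64-bit
       authentication data. Assumption: the single-block cipher is passed
       in as a function, and standin_encrypt_block is a labelled stand-in
       that is NOT DES, used only so the chaining runs without a DES
       library.

```python
import hmac

BLOCK = 8                     # DES block size in bytes (64 bits)
MASK64 = (1 << 64) - 1


def standin_encrypt_block(key: bytes, block: bytes) -> bytes:
    """NOT DES. A keyed 64-bit permutation (assumption) so the chaining
    runs offline; supply single-block DES from a vetted library instead."""
    x = int.from_bytes(block, "big") ^ int.from_bytes(key, "big")
    x = (x * 0x9E3779B97F4A7C15) & MASK64      # odd multiplier, invertible
    x = ((x << 13) | (x >> 51)) & MASK64       # 64-bit rotate left by 13
    return x.to_bytes(BLOCK, "big")


def des_mac(key: bytes, data: bytes, encrypt_block=standin_encrypt_block) -> bytes:
    """CBC-MAC as in sections 2 and 4: zero IV, last CBC block is the MAC."""
    if len(key) != BLOCK:
        raise ValueError("key must be 64 bits")
    if not data or len(data) % BLOCK:
        raise ValueError("input must be padded to a multiple of 64 bits")
    chain = bytes(BLOCK)                       # implicit all-zero IV
    for off in range(0, len(data), BLOCK):
        mixed = bytes(p ^ c for p, c in zip(data[off:off + BLOCK], chain))
        chain = encrypt_block(key, mixed)      # C_i = E_k(P_i xor C_{i-1})
    return chain                               # 64-bit authentication data


def verify(key: bytes, data: bytes, received: bytes,
           encrypt_block=standin_encrypt_block) -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(des_mac(key, data, encrypt_block), received)


# Constructed sample: a 16-byte (two-block), already padded payload.
KEY = bytes.fromhex("0123456789ABCDEF")
PAYLOAD = b"constructed pkt!"
```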
       
       5. Interaction with the ESP cipher mechanism
       
       When used in conjunction with the DES-CBC cipher, independent keys
       must be used [Kaufman95, p.91]. For performance reasons, when hardware
       encryption and authentication are used, it may be desirable to use the
       DES-CBC cipher and the DES-MAC authenticator together in ESP.
       
       6. Security considerations
       
       The strength of the DES-MAC transform relies on the strength of DES,
       on the correctness of the specific DES implementation used, and on
       the correctness of the Security Association management, the key
       management and their implementations.
       
       The MAC produced by the DES-MAC algorithm is short relative to other
       authentication mechanisms. This fact makes it less resistant to
       various attacks. To overcome this problem, the lifetimes of the
       Security Association and its keys must be shorter.
       
       
       7. Acknowledgements
       
       Portions of this document are derived from
       draft-ietf-ipsec-auth-hmac-md5-99-00.txt, by C. Madson and R. Glenn.

       The IPsec document framework is described in
       draft-ietf-doc-roadmap-00.txt.
       
       The authors would like to thank Rodney Thayer, Ed Russel and all the
       Detroit bake-off participants.
       
       8. References
       
       [AH] S. Kent, R. Atkinson, "IP Authentication Header", work in
       progress, July 1997.

       [ESP] S. Kent, R. Atkinson, "IP Encapsulating Security Protocol
       (ESP)", work in progress, July 1997.
       
       [FIPS-46] US National Bureau of Standards, "Data Encryption Standard",
       Federal Information Processing Standard (FIPS) Publication 46, January
       1977.
       
       [FIPS-46-1] US National Bureau of Standards, "Data Encryption
       Standard", Federal Information Processing Standard (FIPS) Publication
       46-1, January 1988.
       
       [FIPS-74] US National Bureau of Standards, "Guidelines for
       Implementing and Using the Data Encryption Standard", Federal
       Information Processing Standard (FIPS) Publication 74, April 1981.
       
       [FIPS-81] US National Bureau of Standards, "DES Modes of Operation",
       Federal Information Processing Standard (FIPS) Publication 81,
       December 1980.
       
       [Framework] The IP Security Document Roadmap, RFC-xxxx.
       
       [Kaufman95] Kaufman, C., Perlman, R. and Speciner, M., "Network
       Security: Private Communication in a Public World", PTR Prentice Hall,
       Englewood Cliffs, New Jersey, 1995. ISBN 0-13-061466-1.

       [RFC-2119] Bradner, S., "Key words for use in RFCs to indicate
       Requirement Levels", ftp://ds.internic.net/rfc/rfc2119.txt, March
       1997.
       
       [Schneier] Schneier, B., "Applied Cryptography Second Edition", John
       Wiley & Sons, New York, NY, 1995.  ISBN 0-471-12845-7
       
       
       
       9. Authors Information
       
       Sara Bitan
       <mailto: sarab@radguard.com>
       RADGUARD, Ltd.
       24 Raoul-Wallenberg St.
       Tel Aviv 69719
       Israel
       Telephone: +972-3-645-5378
       
       Dan Frommer
       <mailto: dan@radguard.com>
       RADGUARD, Ltd.
       24 Raoul-Wallenberg St.
       Tel Aviv 69719
       Israel
       Telephone: +972-3-645-5396