[Search] [txt|pdf|bibtex] [Tracker] [Email] [Nits]

Versions: 00                                                            
       IPSEC Working Group                         S.Bitan,RADGUARD
       Internet Draft                            D.Frommer,RADGUARD
                                                        August 1997
       
                        The Use of DES-MAC within ESP and AH
                          <draft-bitan-auth-des-mac-00.txt>
       
       
       Status of This Memo
       
       This document is a submission to the IETF Internet Protocol Security
       (IPSEC) Working Group. Comments are solicited and should be addressed
       to the working group mailing list (ipsec@tis.com) or to the authors.
       
       This document is an Internet-Draft.  Internet Drafts are working
       documents of the Internet Engineering Task Force (IETF), its areas,
       and its working Groups. Note that other groups may also distribute
       working documents as Internet Drafts.
       
       Internet-Drafts draft documents are valid for a maximum of six months
       and may be updated, replaced, or obsoleted by other documents at any
       time. It is inappropriate to use Internet-Drafts as reference material
       or to cite them other than as "work in progress."
       
       To learn the current status of any Internet-Draft, please check the
       "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
       Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
       munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
       ftp.isi.edu (US West Coast).
       
       Distribution of this memo is unlimited.
       
       Abstract
       
       This draft describes the use of the DES-MAC algorithm [Kaufman95] as
       an authentication  mechanism within the revised IPSEC Encapsulating
       Security  Payload [ESP] and the revised IPSEC Authentication Header
       [AH]. DES-MAC[Kaufman95] is based on the DES encryption algorithm
       [FIPS-46, FIPS-46-1, FIPS-74, FIPS-81].
       
       Further information on the other components necessary for ESP and AH
       implementations is provided by [Thayer97a].
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       Internet Draft                                      Page [1]
       
       Internet Draft      DES-MAC Authenticator          July 1997
       
       
       Contents
       
       STATUS OF THIS MEMO .................................................1
       
       
       ABSTRACT ............................................................1
       
       
       1. INTRODUCTION .....................................................2
       
         1.1 SPECIFICATION OF REQUIREMENTS .................................3
       
       2. AUTHENTICATION ALGORITHM .........................................3
       
         2.1  BLOCK SIZES AND PADDING ......................................3
         2.2 PERFORMANCE ...................................................3
       
       3. KEY SPECIFICATIONS ...............................................4
       
       
       4. IV ...............................................................4
       
       
       5. INTERACTION WITH THE ESP CIPHER MECHANISM ........................4
       
       
       6. SECURITY CONSIDERATIONS ..........................................4
       
       
       7. ACKNOWLEDGEMENTS ..................................................5
       
       
       8. REFERENCES .......................................................5
       
       
       9. AUTHORS INFORMATION ..............................................6
       
       
       1. Introduction
       
       This draft describes the use of the DES-MAC algorithm to provide
       authenticity within the context of the Encapsulating Security Payload
       [ESP] and the Authentication Header [AH]. The goal of this auth-des-
       mac is to ensure that the packet is authentic and that it was not
       modified in transit.
       
       DES-MAC [Kaufman95] is based on the DES   [FIPS-46, FIPS-46-1, FIPS-
       74, FIPS-81] encryption algorithm. Given a secret key, the last output
       block of a DES-CBC encryption of a message is used as the output of
       the DES-MAC algorithm for this message. Hence, DES-MAC is a secret key
       authentication algorithm. Data authentication and data integrity
       provided by DES-MAC are dependent upon the scope of the distribution
       
       
       Bitan,Frommer                                       Page [2]
       
       Internet Draft      DES-MAC Authenticator          July 1997
       
       
       of the secret key. If only the source and the destination know the
       DES-MAC key, this provides data origin authentication and data
       integrity for packets sent between the two parties. If the outputs of
       the DES-MAC computed by the two parties are identical, this proves
       that it has been computed by the source, and that the packet was not
       modified in transit.
       
       IPSEC implementations for high bandwidth networks, might fail to
       supply the required performance without using hardware implementations
       of encryption and authentication algorithms. DES hardware
       implementations are popular and easy to find. Currently there exist
       only a few  hardware implementations for the other authentication
       mechanisms that appear in the IPSEC drafts (HMAC-SHA-1 and HMAC-MD5).
       Hence, when high performance is a requirement, DES-MAC authenticator
       is preferable to HMAC-SHA-1 or HMAC-MD5.
       
       This document assumes the reader is familiar with the terms and
       concepts in [RFC-1825], in [ESP], and in [AH].  This document follows
       the IPsec document framework described in [Framework].
       
       
       1.1 Specification of Requirements
       
       Interpret the keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD",
       "SHOULD NOT", and "MAY" that appear in this document as described in
       [RFC-2119].
       
       2. Authentication Algorithm
       
       DES-MAC algorithm is based on the DES encryption algorithm   [FIPS-46,
       FIPS-46-1, FIPS-74, FIPS-81]. The Message Authentication Code (MAC) of
       a certain message is the last output block of the DES CBC encryption
       of the message. The authentication function properties of DES-MAC are
       derived from the encryption function properties of the DES algorithm.
       
       2.1  Block sizes and Padding
       
       Like DES, DES-MAC is a block algorithm. It operates on input blocks of
       size 64 bits. Hence, its input must be padded to form a multiple of 64
       bits blocks. When used in [ESP] the payload data must be padded, to
       make a block size of 64 bits. The padding should be done according to
       conventions specified in [ESP]. <should specify padding for AH>
       
       The output of the DES-MAC algorithm is 64 bits long. Hence, the
       authentication data size in both ESP and AH is 64 bits.
       
       2.2 Performance
       
       The DES-MAC performance is identical to that of the DES encryption
       algorithm. The DES algorithm is designed to perform well using
       hardware implementations. Commonly available DES hardware is
       considerably faster than software implementations on popular
       
       
       Bitan,Frommer                                       Page [3]
       
       Internet Draft      DES-MAC Authenticator          July 1997
       
       
       processors. There are hardware implementation of DES operating in 100
       Mbps[Schneier]. The use of hardware allows a level of parallelism
       between the CPU and the DES hardware, especially important in security
       gateway implementations.
       
       Phil Karn had tuned DES-CBC software to achieve 10.45 Mbps with a 90
       MHz Pentium, scaling to 15.9 Mbps with a 133 MHz Pentium.
       
       If DES-MAC is used in conjunction with DES-CBC cipher in ESP, the DES
       calculation of both integrity and confidentiality may be performed in
       parallel given the appropriate hardware.
       
       3. Key Specifications
       
       Like DES-CBC, the key of DES-MAC is 64 bits long. Each byte has seven
       significant bits, the least significant bit is used as a parity bit.
       The keying material must be adjusted for parity as necessary. If the
       resulting key is a weak key, it must not be used. A list of DES weak
       and semi-weak keys can be found in [Schneier]. When used in ESP, in
       conjunction with the DES-CBC cipher, independent keys must be used for
       authentication and encryption (see [Kaufman95, p.91]).
       
       A Security Association using this transform must rekey within a
       lifetime of 2^32 bytes.
       
       4. IV
       
       The DES-CBC algorithm requires an Initialization vector (IV). So does
       the DES-MAC algorithm. In this transform the IV is implicitly set to
       zero. A constant IV can be used, since the data in the ESP payload is
       encrypted, and in AH the replay protection guarantees that all the
       packets authenticated under the same SA are distinct.
       
       5. Interaction with the ESP cipher mechanism
       
       When used in conjunction with the DES-CBC cipher, independent keys
       must be used [Kaufman95, p.91]. For performance reason, when hardware
       encryption and authentication is used, it might be wanted to use DES-
       CBC cipher and DES-MAC authenticator together in ESP.
       
       6. Security considerations
       
       The strength of the DES-MAC transform relies of the strength of DES.
       The correctness of the specific DES implementation used. The
       correctness of the Security Association management, the key management
       and their implementations.
       
       The MAC produced by the DES-MAC algorithm is short relative to other
       authentication mechanisms. This fact makes it less resistant to
       various attacks. To overcome this problem, the Security Association
       and keys life time must be shorter.
       
       
       
       Bitan,Frommer                                       Page [4]
       
       Internet Draft      DES-MAC Authenticator          July 1997
       
       
       7. Acknowledgements
       
       Portions of this document are derived from draft-ietf-ipsec-auth-hmac-
       md5-99-00.txt, by C. Madson and R. Glenn.
       
       The IPsec document framework is described in draft-ietf-doc-roadmap-
       00.txt.
       
       The authors would like to thank Rodney Thayer, Ed Russel and all the
       Detroit bake-off participants.
       
       8. References
       
       [AH] S. Kent, R. Atkinson,  "IP Authentication Header", work in
       progress, July 97.
       
       [ESP] S. Kent, R. Atkinson, "IP Encapsulating Security Protocol
       (ESP)",  work in progress, July 1997.
       
       [FIPS-46] US National Bureau of Standards, "Data Encryption Standard",
       Federal Information Processing Standard (FIPS) Publication 46, January
       1977.
       
       [FIPS-46-1] US National Bureau of Standards, "Data Encryption
       Standard", Federal Information Processing Standard (FIPS) Publication
       46-1, January 1988.
       
       [FIPS-74] US National Bureau of Standards, "Guidelines for
       Implementing and Using the Data Encryption Standard", Federal
       Information Processing Standard (FIPS) Publication 74, April 1981.
       
       [FIPS-81] US National Bureau of Standards, "DES Modes of Operation",
       Federal Information Processing Standard (FIPS) Publication 81,
       December 1980.
       
       [Framework] The IP Security Document Roadmap, RFC-xxxx.
       
       [Kaufman95] Kaufman, C., Perlman, R. and Speciner, M., "Network
       Security: Private Communication in a Public World", PTR Prentice Hall,
       Englewood Cliffs, New Jersey, 1995. ISBN 0-13-061466-1
       
       [RFC-2119] Bradner, S., "Key words for use in RFCs to indicate
       Requirement Levels", ftp://ds.internic.net/rfc/rfc2119.txt, March 1997
       
       [Schneier] Schneier, B., "Applied Cryptography Second Edition", John
       Wiley & Sons, New York, NY, 1995.  ISBN 0-471-12845-7
       
       
       
       
       
       
       
       
       Bitan,Frommer                                       Page [5]
       
       Internet Draft      DES-MAC Authenticator          July 1997
       
       
       
       9. Authors Information
       
       Sara Bitan
       <mailto: sarab@radguard.com>
       RADGUARD, Ltd.
       24 Raoul-Wallenberg St.
       Tel Aviv 69719
       Israel
       Telephone: +972-3-645-5378
       
       Dan Frommer
       <mailto: dan@radguard.com>
       RADGUARD, Ltd.
       24 Raoul-Wallenberg St.
       Tel Aviv 69719
       Israel
       Telephone: +972-3-645-5396
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       Bitan,Frommer                                       Page [6]