IP Authentication using Keyed SHA
RFC 1852

Document Type RFC - Experimental (September 1995; No errata)
Obsoleted by RFC 2841
Last updated 2013-03-02
Stream Legacy
Formats plain text pdf html bibtex
Stream Legacy state (None)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state RFC 1852 (Experimental)
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                         P. Metzger
Request for Comments: 1852                                      Piermont
Category: Experimental                                        W. Simpson
                                                              Daydreamer
                                                          September 1995

                   IP Authentication using Keyed SHA

Status of this Memo

   This document defines an Experimental Protocol for the Internet
   community.  This does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Abstract

   This document describes the use of keyed SHA with the IP
   Authentication Header.

Table of Contents

     1.     Introduction ..........................................    2
        1.1       Keys ............................................    2
        1.2       Data Size .......................................    2
        1.3       Performance .....................................    2

     2.     Calculation ...........................................    3

     SECURITY CONSIDERATIONS ......................................    4
     ACKNOWLEDGEMENTS .............................................    4
     REFERENCES ...................................................    5
     AUTHOR'S ADDRESS .............................................    6

Metzger & Simpson             Experimental                      [Page 1]
RFC 1852                         AH SHA                   September 1995

1.  Introduction

   The Authentication Header (AH) [RFC-1826] provides integrity and
   authentication for IP datagrams.  This specification describes the AH
   use of keys with the Secure Hash Algorithm (SHA) [FIPS-180-1].

      It should be noted that this document specifies a newer version of
      the SHA than that described in [FIPS-180], which was flawed.  The
      older version is not interoperable with the newer version.

   This document assumes that the reader is familiar with the related
   document "Security Architecture for the Internet Protocol" [RFC-
   1825], which defines the overall security plan for IP, and provides
   important background for this specification.

1.1.  Keys

   The secret authentication key shared between the communicating
   parties SHOULD be a cryptographically strong random number, not a
   guessable string of any sort.

   The shared key is not constrained by this transform to any particular
   size.  Lengths of up to 160 bits MUST be supported by the
   implementation, although any particular key may be shorter.  Longer
   keys are encouraged.

1.2.  Data Size

   SHA's 160-bit output is naturally 32-bit aligned.  However, many
   implementations require 64-bit alignment of the following headers, in
   which case an additional 32 bits of padding is added, either before
   or after the SHA output.

   The size and position of this padding are negotiated as part of the
   key management.  Padding bits are filled with unspecified
   implementation dependent (random) values, which are ignored on
   receipt.

1.3.  Performance

   Preliminary results indicate that SHA is 62% as fast as MD5, and 80%
   as fast as DES hashing.  That is,

Metzger & Simpson             Experimental                      [Page 2]
RFC 1852                         AH SHA                   September 1995

                           SHA < DES < MD5

   Nota Bene:
      Suggestions are sought on alternative authentication algorithms
      that have significantly faster throughput, are not patent-
      encumbered, and still retain adequate cryptographic strength.

2.  Calculation

   The 160-bit digest is calculated as described in [FIPS-180-1].  At
   the time of writing, a portable C language implementation of SHA is
   available via FTP from ftp://rand.org/pub/jim/sha.tar.gz.

   The form of the authenticated message is

            key, keyfill, datagram, key, SHAfill

   First, the variable length secret authentication key is filled to the
   next 512-bit boundary, using the same pad with length technique
   defined for SHA.

   Then, the filled key is concatenated with (immediately followed by)
   the invariant fields of the entire IP datagram (variant fields are
   zeroed), concatenated with (immediately followed by) the original
   variable length key again.

   A trailing pad with length to the next 512-bit boundary for the
   entire message is added by SHA itself.  The 160-bit SHA digest is
   calculated, and the result is inserted into the Authentication Data
   field.

   Discussion:
      The leading copy of the key is padded in order to facilitate
      copying of the key at machine boundaries without requiring re-
      alignment of the following datagram.  The padding technique
      includes a length which protects arbitrary length keys.  Filling
      to the SHA block size also allows the key to be prehashed to avoid
Show full document text