Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
RFC 4868
Document Type RFC - Proposed Standard (May 2007; Errata)
Was draft-kelly-ipsec-ciph-sha2 (individual in sec area)
Authors Sheila Frankel  , Scott Kelly 
Last updated 2020-01-21
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Reviews
SECDIR Last Call Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4868 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Russ Housley
Send notices to (None)
Email authors IPR References Referenced by Nits 
Network Working Group                                           S. Kelly
Request for Comments: 4868                                Aruba Networks
Category: Standards Track                                     S. Frankel
                                                                    NIST
                                                                May 2007

     Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This specification describes the use of Hashed Message Authentication
   Mode (HMAC) in conjunction with the SHA-256, SHA-384, and SHA-512
   algorithms in IPsec.  These algorithms may be used as the basis for
   data origin authentication and integrity verification mechanisms for
   the Authentication Header (AH), Encapsulating Security Payload (ESP),
   Internet Key Exchange Protocol (IKE), and IKEv2 protocols, and also
   as Pseudo-Random Functions (PRFs) for IKE and IKEv2.  Truncated
   output lengths are specified for the authentication-related variants,
   with the corresponding algorithms designated as HMAC-SHA-256-128,
   HMAC-SHA-384-192, and HMAC-SHA-512-256.  The PRF variants are not
   truncated, and are called PRF-HMAC-SHA-256, PRF-HMAC-SHA-384, and
   PRF-HMAC-SHA-512.

Kelly & Frankel             Standards Track                     [Page 1]
RFC 4868        HMAC-SHA256, SHA384, and SHA512 in IPsec        May 2007

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  The HMAC-SHA-256+ Algorithms . . . . . . . . . . . . . . . . .  3
     2.1.  Keying Material  . . . . . . . . . . . . . . . . . . . . .  3
       2.1.1.  Data Origin Authentication and Integrity
               Verification Usage . . . . . . . . . . . . . . . . . .  4
       2.1.2.  Pseudo-Random Function (PRF) Usage . . . . . . . . . .  4
       2.1.3.  Randomness and Key Strength  . . . . . . . . . . . . .  5
       2.1.4.  Key Distribution . . . . . . . . . . . . . . . . . . .  5
       2.1.5.  Refreshing Keys  . . . . . . . . . . . . . . . . . . .  5
     2.2.  Padding  . . . . . . . . . . . . . . . . . . . . . . . . .  6
     2.3.  Truncation . . . . . . . . . . . . . . . . . . . . . . . .  6
     2.4.  Using HMAC-SHA-256+ as PRFs in IKE and IKEv2 . . . . . . .  7
     2.5.  Interactions with the ESP, IKE, or IKEv2 Cipher
           Mechanisms . . . . . . . . . . . . . . . . . . . . . . . .  7
     2.6.  HMAC-SHA-256+ Parameter Summary  . . . . . . . . . . . . .  7
     2.7.  Test Vectors . . . . . . . . . . . . . . . . . . . . . . .  7
       2.7.1.  PRF Test Vectors . . . . . . . . . . . . . . . . . . .  8
       2.7.2.  Authenticator Test Vectors . . . . . . . . . . . . . . 11
   3.  Security Considerations  . . . . . . . . . . . . . . . . . . . 17
     3.1.  HMAC Key Length vs Truncation Length . . . . . . . . . . . 17
   4.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 18
   5.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 19
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
     6.1.  Normative References . . . . . . . . . . . . . . . . . . . 19
     6.2.  Informative References . . . . . . . . . . . . . . . . . . 20

Kelly & Frankel             Standards Track                     [Page 2]
RFC 4868        HMAC-SHA256, SHA384, and SHA512 in IPsec        May 2007

1.  Introduction

   This document specifies the use of SHA-256, SHA-384, and SHA-512
   [SHA2-1] combined with HMAC [HMAC] as data origin authentication and
   integrity verification mechanisms for the IPsec AH [AH], ESP [ESP],
   IKE [IKE], and IKEv2 [IKEv2] protocol.  Output truncation is
   specified for these variants, with the corresponding algorithms
   designated as HMAC-SHA-256-128, HMAC-SHA-384-192, and HMAC-SHA-512-
   256.  These truncation lengths are chosen in accordance with the
   birthday bound for each algorithm.

   This specification also describes untruncated variants of these
   algorithms as Pseudo-Random Functions (PRFs) for use with IKE and
   IKEv2, and those algorithms are called PRF-HMAC-SHA-256, PRF-HMAC-
   SHA-384, and PRF-HMAC-SHA-512.  For ease of reference, these PRF
   algorithms and the authentication variants described above are
   collectively referred to below as "the HMAC-SHA-256+ algorithms".

   The goal of the PRF variants are to provide secure pseudo-random
   functions suitable for generation of keying material and other
   protocol-specific numeric quantities, while the goal of the
   authentication variants is to ensure that packets are authentic and
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools