Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
RFC 4868
| Field | Value |
|---|---|
| Document type | RFC - Proposed Standard (May 2007; Errata). Was draft-kelly-ipsec-ciph-sha2 (individual in sec area) |
| Authors | Sheila Frankel, Scott Kelly |
| Last updated | 2020-01-21 |
| Stream | IETF |
| WG state | (None) |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 4868 (Proposed Standard) |
| Consensus Boilerplate | Unknown |
| Responsible AD | Russ Housley |
| Send notices to | (None) |
Network Working Group
Request for Comments: 4868
Category: Standards Track
S. Kelly, Aruba Networks
S. Frankel, NIST
May 2007

Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The IETF Trust (2007).

Abstract

This specification describes the use of Hashed Message Authentication Mode (HMAC) in conjunction with the SHA-256, SHA-384, and SHA-512 algorithms in IPsec. These algorithms may be used as the basis for data origin authentication and integrity verification mechanisms for the Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange Protocol (IKE), and IKEv2 protocols, and also as Pseudo-Random Functions (PRFs) for IKE and IKEv2. Truncated output lengths are specified for the authentication-related variants, with the corresponding algorithms designated as HMAC-SHA-256-128, HMAC-SHA-384-192, and HMAC-SHA-512-256. The PRF variants are not truncated, and are called PRF-HMAC-SHA-256, PRF-HMAC-SHA-384, and PRF-HMAC-SHA-512.

Kelly & Frankel Standards Track [Page 1] RFC 4868 HMAC-SHA256, SHA384, and SHA512 in IPsec May 2007

Table of Contents

1. Introduction
2. The HMAC-SHA-256+ Algorithms
   2.1. Keying Material
      2.1.1. Data Origin Authentication and Integrity Verification Usage
      2.1.2. Pseudo-Random Function (PRF) Usage
      2.1.3. Randomness and Key Strength
      2.1.4. Key Distribution
      2.1.5. Refreshing Keys
   2.2. Padding
   2.3. Truncation
   2.4. Using HMAC-SHA-256+ as PRFs in IKE and IKEv2
   2.5. Interactions with the ESP, IKE, or IKEv2 Cipher Mechanisms
   2.6. HMAC-SHA-256+ Parameter Summary
   2.7. Test Vectors
      2.7.1. PRF Test Vectors
      2.7.2. Authenticator Test Vectors
3. Security Considerations
   3.1. HMAC Key Length vs Truncation Length
4. IANA Considerations
5. Acknowledgements
6. References
   6.1. Normative References
   6.2. Informative References

1. Introduction

This document specifies the use of SHA-256, SHA-384, and SHA-512 [SHA2-1] combined with HMAC [HMAC] as data origin authentication and integrity verification mechanisms for the IPsec AH [AH], ESP [ESP], IKE [IKE], and IKEv2 [IKEv2] protocols. Output truncation is specified for these variants, with the corresponding algorithms designated as HMAC-SHA-256-128, HMAC-SHA-384-192, and HMAC-SHA-512-256. These truncation lengths are chosen in accordance with the birthday bound for each algorithm.

This specification also describes untruncated variants of these algorithms as Pseudo-Random Functions (PRFs) for use with IKE and IKEv2, and those algorithms are called PRF-HMAC-SHA-256, PRF-HMAC-SHA-384, and PRF-HMAC-SHA-512. For ease of reference, these PRF algorithms and the authentication variants described above are collectively referred to below as "the HMAC-SHA-256+ algorithms".

The goal of the PRF variants is to provide secure pseudo-random functions suitable for generation of keying material and other protocol-specific numeric quantities, while the goal of the authentication variants is to ensure that packets are authentic and
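
The difference between the truncated authenticator variants and the untruncated PRF variants named above, as an added example that is not part of the RFC text. Function names, the sample key and the sample packet are constructed for illustration; truncation keeps the leftmost bytes of the HMAC output.

```python
import hmac

# Truncated ICV lengths in bytes, taken from the algorithm names in the text:
# HMAC-SHA-256-128, HMAC-SHA-384-192, HMAC-SHA-512-256.
ICV_BYTES = {"sha256": 16, "sha384": 24, "sha512": 32}


def prf(hash_name: str, key: bytes, data: bytes) -> bytes:
    """PRF-HMAC-SHA-256/384/512: the full, untruncated HMAC output."""
    return hmac.new(key, data, hash_name).digest()


def compute_icv(hash_name: str, key: bytes, packet: bytes) -> bytes:
    """Authenticator variant: keep only the leftmost ICV_BYTES of the HMAC."""
    return prf(hash_name, key, packet)[:ICV_BYTES[hash_name]]


def verify_icv(hash_name: str, key: bytes, packet: bytes, icv: bytes) -> bool:
    """Receiver check: recompute, require the exact length, compare in constant time."""
    expected = compute_icv(hash_name, key, packet)
    # Length is checked explicitly so a shorter prefix of a valid ICV
    # is never accepted as a match.
    if len(icv) != len(expected):
        return False
    return hmac.compare_digest(expected, icv)


def demo() -> dict:
    key = bytes(range(32))                     # constructed sample key
    packet = b"constructed ESP payload bytes"  # constructed sample data
    icv = compute_icv("sha256", key, packet)
    return {
        "icv_len": len(icv),
        "valid": verify_icv("sha256", key, packet, icv),
        "tampered": verify_icv("sha256", key, packet + b"\x00", icv),
        "short_icv": verify_icv("sha256", key, packet, icv[:12]),
    }


if __name__ == "__main__":
    print(demo())
```
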