IP Authentication using Keyed SHA1 with Interleaved Padding (IP-MAC)
RFC 2841

Document Type RFC - Historic (November 2000; No errata)
Obsoletes RFC 1852
Was draft-simpson-ah-sha-kdp (individual)
Last updated 2013-03-02
Stream Legacy
Formats plain text html pdf htmlized bibtex
Stream Legacy state (None)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state RFC 2841 (Historic)
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                         P. Metzger
Request for Comments: 2841                                      Piermont
Category: Historic                                            W. Simpson
Obsoletes: 1852                                               DayDreamer
                                                           November 2000

  IP Authentication using Keyed SHA1 with Interleaved Padding (IP-MAC)

Status of this Memo

   This memo defines a Historic Document for the Internet community.  It
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   This document describes the use of keyed SHA1 with the IP
   Authentication Header.

Table of Contents

   1.   Introduction ............................................. 2
   1.1. Keys ..................................................... 2
   1.2. Data Size ................................................ 2
   1.3. Performance .............................................. 3
   2.   Calculation .............................................. 3
   A.   Changes .................................................. 5
   Security Considerations ....................................... 6
   Acknowledgements .............................................. 6
   References .................................................... 7
   Contacts ...................................................... 8
   Editor's Note ................................................. 8
   Full Copyright Statement ...................................... 9

Metzger & Simpson               Historic                        [Page 1]
RFC 2841                     AH SHA1 IP-MAC                November 2000

1.  Introduction

   The Authentication Header (AH) [RFC-1826] provides integrity and
   authentication for IP datagrams.  This specification describes the AH
   use of keys with the Secure Hash Algorithm (SHA1) [FIPS-180-1].  This
   SHA1-IP-MAC algorithm uses a leading and trailing key (a variant of
   the "envelope method"), with alignment padding between both keys and
   data.

      It should be noted that this document specifies a newer version of
      SHA than that described in [FIPS-180], which was flawed.  The
      older version is not interoperable with the newer version.

   This document assumes that the reader is familiar with the related
   document "Security Architecture for the Internet Protocol" [RFC-
   1825], that defines the overall security plan for IP, and provides
   important background for this specification.

1.1.  Keys

   The secret authentication key shared between the communicating
   parties SHOULD be a cryptographically strong random number, not a
   guessable string of any sort.

   The shared key is not constrained by this transform to any particular
   size.  Lengths of 160-bits (20 octets) MUST be supported by the
   implementation, although any particular key may be shorter.  Longer
   keys are encouraged.

1.2.  Data Size

   SHA1's 160-bit output is naturally 32-bit aligned.  However, many
   implementations require 64-bit alignment of the following headers.

   Therefore, several options are available for data alignment (most
   preferred to least preferred):

   1) only the most significant 128-bits (16 octets) of output are used.

   2) an additional 32-bits (4 octets) of padding is added before the
      SHA1 output.

   3) an additional 32-bits (4 octets) of padding is added after the
      SHA1 output.

   4) the SHA1 output is variably bit-positioned within 192-bits (24
      octets).

Metzger & Simpson               Historic                        [Page 2]
RFC 2841                     AH SHA1 IP-MAC                November 2000

   The size and position of the output are negotiated as part of the key
   management.  Padding bits are filled with unspecified implementation
   dependent (random) values, which are ignored on receipt.

   Discussion:

      Although truncation of the output for alignment purposes may
      appear to reduce the effectiveness of the algorithm, some analysts
      of attack verification suggest that this may instead improve the
      overall robustness [PO95a].

1.3.  Performance

   Preliminary results indicate that SHA1 is 62% as fast as MD5, and 80%
   as fast as DES hashing.  That is:

                           SHA1 < DES < MD5

   This appears to be a reasonable performance tradeoff, as SHA1
   internal chaining is significantly longer than either DES or MD5:

                           DES < MD5 < SHA1

   Nota Bene:
      Suggestions are sought on alternative authentication algorithms
      that have significantly faster throughput, are not patent-
      encumbered, and still retain adequate cryptographic strength.

2.  Calculation

   The 160-bit digest is calculated as described in [FIPS-180-1].  A
   portable C language implementation of SHA1 is available via FTP from
Show full document text