TCP Maintenance (TCPM)                                   A. Sujeet Nayak
Internet-Draft                                                   B. Weis
Intended status: Standards Track                           Cisco Systems
Expires: December 1, 2014                                   May 30, 2014


      SHA-2 Algorithms for the TCP Authentication Option (TCP-AO)
                        draft-nayak-tcp-sha2-00

Abstract

   The TCP Authentication Option (TCP-AO) relies on security algorithms
   to provide connection authentication between the two end-points.
   This document specifies how to use SHA-256 and SHA-512 algorithms and
   attributes with TCP-AO.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 1, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.




Sujeet Nayak & Weis     Expires December 1, 2014                [Page 1]


Internet-Draft         SHA-2 Algorithm for TCP-AO               May 2014


Table of Contents

   1.  Introduction
   2.  Requirements
     2.1.  Requirements Language
     2.2.  Algorithm Requirements
   3.  Algorithms Specified
     3.1.  Key Derivation Functions (KDF)
       3.1.1.  KDF_HMAC_SHA256
       3.1.2.  KDF_HMAC_SHA512
       3.1.3.  Tips for User Interfaces Regarding KDFs
     3.2.  MAC Algorithms
       3.2.1.  The Use of HMAC-SHA256-128
       3.2.2.  The Use of HMAC-SHA512-256
   4.  Security Considerations
   5.  IANA Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Authors' Addresses


1.  Introduction

   This document is a companion to [RFC5925] and [RFC5926].

   [RFC5925] describes the TCP-AO mechanism, which provides
   cryptographic authentication and message integrity verification
   between the two end-points of a TCP connection.  [RFC5926] specifies
   the HMAC-SHA-1-96 and AES-128-CMAC-96 message authentication code
   (MAC) algorithms for TCP-AO.

   This document specifies the use of SHA-256 and SHA-512 MAC algorithms
   on TCP-AO enabled connections.


2.  Requirements

2.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   When used in lowercase, these words convey their typical use in
   common language, and they are not to be interpreted as described in
   [RFC2119].

2.2.  Algorithm Requirements

   This document adopts the style and conventions of [RFC5926] in
   specifying how the use of new data integrity algorithms is indicated
   in TCP-AO.  It specifies two MAC algorithms and two key derivation
   functions (KDFs).

   The following table indicates the required SHA-2 algorithms for
   TCP-AO:

         +-------------+----------------------------------------+
         | Requirement |        Authentication Algorithm        |
         +-------------+----------------------------------------+
         | RECOMMENDED | HMAC-SHA-256-128 [RFC2104][FIPS-180-4] |
         |   OPTIONAL  | HMAC-SHA-512-256 [RFC2104][FIPS-180-4] |
         +-------------+----------------------------------------+

                                  Table 1







              +-------------+-------------------------------+
              | Requirement | Key Derivation Function (KDF) |
              +-------------+-------------------------------+
              | RECOMMENDED |        KDF_HMAC-SHA-256       |
              |   OPTIONAL  |        KDF_HMAC-SHA-512       |
              +-------------+-------------------------------+

                                  Table 2

   For an explanation of the reasoning behind the above mandate, please
   see Section 4 of this document.


3.  Algorithms Specified

   TCP-AO requires two classes of algorithms to be used on a particular
   connection, namely Key Derivation Functions (KDFs) and Message
   Authentication Code (MAC) algorithms.  Both classes are described
   generically in Section 3 of [RFC5926], which focusses specifically
   on the SHA-1 and AES-128 algorithms.

   In this document, the same concepts are applied to the SHA-256 and
   SHA-512 algorithms.

3.1.  Key Derivation Functions (KDF)

   KDFs have the following interface:

   Traffic_Key = KDF_alg(Master_Key, Context, Output_Length)

   where:

   Traffic_Key, KDF_alg, Master_Key, Context, Output_Length stand for
   entities, as described in [RFC5926], Section 3.1.

   The two KDF algorithms, each paired with a corresponding pseudorandom
   function (PRF), are:

   * KDF_HMAC-SHA-256 based on PRF-HMAC-SHA256 [RFC2104] [FIPS-180-4]

   * KDF_HMAC-SHA-512 based on PRF-HMAC-SHA512 [RFC2104] [FIPS-180-4]

   Both are based on the iteration-mode KDFs specified in
   [NIST-SP800-108].  They use an underlying PRF with a fixed-length
   output: 256 bits in the case of SHA-256 and 512 bits in the case of
   SHA-512.  The KDF generates an arbitrary number of output bits by
   operating the PRF in a "counter" mode, where each invocation of the
   PRF uses a different input block, which is differentiated by a block
   counter.



   Each input block is constructed as follows:

   (i || Label || Context || Output_Length)

   Where:

   "||", i, Label, Context, Output_Length stand for entities, as
   described in [RFC5926], Section 3.1.1.

3.1.1.  KDF_HMAC_SHA256

   For KDF_HMAC_SHA256:

   - PRF for KDF_alg: HMAC-SHA256 [RFC2104] [FIPS-180-4]

   - Use: HMAC-SHA256(Key, Input)

   - Key: Master_Key, configured by user, and passed to KDF

   - Input: ( i || Label || Context || Output_Length)

   - Output_Length: 256 bits

   - Result: Traffic_Key, used in MAC function by TCP-AO

3.1.2.  KDF_HMAC_SHA512

   For KDF_HMAC_SHA512:

   - PRF for KDF_alg: HMAC-SHA512 [RFC2104] [FIPS-180-4]

   - Use: HMAC-SHA512(Key, Input)

   - Key: Master_Key, configured by user, and passed to KDF

   - Input: ( i || Label || Context || Output_Length)

   - Output_Length: 512 bits

   - Result: Traffic_Key, used in MAC function by TCP-AO

3.1.3.  Tips for User Interfaces Regarding KDFs

   This section provides suggested representations for the KDFs in
   implementation of user interfaces (UIs).  Following these guidelines
   across common implementations will make interoperability easier and
   simpler for deployers.




   UIs SHOULD refer to the choice of KDF_HMAC_SHA256 as simply "SHA256".

   UIs SHOULD refer to the choice of KDF_HMAC_SHA512 as simply "SHA512".

   The IANA registry values reflect these two entries.

3.2.  MAC Algorithms

   Each MAC_alg defined for TCP-AO has three fixed elements as part of
   its definition:

   - KDF_Alg: Name of the TCP-AO KDF algorithm used to generate the
   Traffic_Key.

   - Key_Length: Length, in bits, required for the Traffic_Key used in
   this MAC.

   - MAC_Length: The final length of the bits used in the TCP-AO MAC
   field.  This value may be a truncation of the MAC function's original
   output length.

   As described in [RFC5926], Section 3.2, MACs computed for TCP-AO have
   the following interface:

   MAC = MAC_alg(Traffic_Key, Message)

   The two MAC_algs used by TCP-AO to generate the MAC are:

   * HMAC-SHA256-128 based on [RFC2104] and [FIPS-180-4]

   * HMAC-SHA512-256 based on [RFC2104] and [FIPS-180-4]

   HMAC-SHA256 and HMAC-SHA512 produce 256-bit and 512-bit outputs,
   respectively.  The MAC outputs are then truncated to provide a
   reasonable trade-off between security and message size, so that they
   fit into the TCP-AO option field.  As recommended in [RFC2104],
   Section 5, the HMAC-SHA256 and HMAC-SHA512 outputs are truncated to
   128 and 256 bits, respectively.

3.2.1.  The Use of HMAC-SHA256-128

   The three fixed elements for HMAC-SHA256-128 are:

   - KDF_Alg: KDF_HMAC_SHA256

   - Key_Length: 256 bits

   - MAC_Length: 128 bits



   For:

   MAC = MAC_alg (Traffic_Key, Message)

   HMAC-SHA256-128 for TCP-AO has the following values:

   - MAC_alg: HMAC-SHA256

   - Traffic_Key: Variable; the result of the KDF

   - Message: The message to be authenticated, as specified in
   [RFC5925], Section 5.1

3.2.2.  The Use of HMAC-SHA512-256

   The three fixed elements for HMAC-SHA512-256 are:

   - KDF_Alg: KDF_HMAC_SHA512

   - Key_Length: 512 bits

   - MAC_Length: 256 bits

   For:

   MAC = MAC_alg (Traffic_Key, Message)

   HMAC-SHA512-256 for TCP-AO has the following values:

   - MAC_alg: HMAC-SHA512

   - Traffic_Key: Variable; the result of the KDF

   - Message: The message to be authenticated, as specified in
   [RFC5925], Section 5.1
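
   Added example, not part of this draft or of any TCP-AO
   implementation: the counter-mode KDF of Section 3.1 and the truncated
   MACs of Section 3.2, in Python.  The one-octet counter starting at 1,
   the ASCII label "TCP-AO", the two-octet Output_Length in bits and the
   Context layout are assumptions taken from [RFC5926] and [RFC5925];
   the addresses, ports and ISNs are constructed sample values.

```python
import hashlib
import hmac
import struct

# (PRF hash, Key_Length in bits, MAC_Length in bits), per Sections 3.2.1 and 3.2.2.
SUITES = {
    "SHA256": (hashlib.sha256, 256, 128),  # KDF_HMAC_SHA256 + HMAC-SHA256-128
    "SHA512": (hashlib.sha512, 512, 256),  # KDF_HMAC_SHA512 + HMAC-SHA512-256
}

LABEL = b"TCP-AO"  # assumption: ASCII label from RFC 5926, Section 3.1.1


def kdf(suite, master_key, context, output_bits=None):
    """Traffic_Key = concatenation of PRF(Master_Key, i || Label || Context || Output_Length)."""
    digestmod, key_bits, _ = SUITES[suite]
    output_bits = output_bits or key_bits
    out_len = struct.pack("!H", output_bits)  # assumption: two octets, length in bits
    prf_bits = digestmod().digest_size * 8
    blocks_needed = -(-output_bits // prf_bits)  # ceiling division
    stream = b""
    for i in range(1, blocks_needed + 1):  # assumption: one-octet counter starting at 1
        block_input = bytes([i]) + LABEL + context + out_len
        stream += hmac.new(master_key, block_input, digestmod).digest()
    return stream[: output_bits // 8]


def mac(suite, traffic_key, message):
    """Full HMAC output truncated to the suite's MAC_Length (leftmost bits kept)."""
    digestmod, _, mac_bits = SUITES[suite]
    return hmac.new(traffic_key, message, digestmod).digest()[: mac_bits // 8]


def verify(suite, traffic_key, message, received_mac):
    """Recompute the truncated MAC and compare in constant time."""
    return hmac.compare_digest(mac(suite, traffic_key, message), received_mac)


def constructed_context():
    """Constructed sample: src IP, dst IP, src port, dst port, source ISN, dest ISN."""
    return (bytes([192, 0, 2, 1]) + bytes([192, 0, 2, 2])
            + struct.pack("!HHII", 49152, 179, 0x11223344, 0x55667788))
```

   The message passed to mac() must be the byte string defined in
   [RFC5925], Section 5.1; any other input only exercises the
   truncation and comparison logic.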


4.  Security Considerations

   This document inherits all the security considerations of TCP-AO
   [RFC5925] and those related to HMAC-SHA-1 in [RFC5926].

   Although SHA-1 is considered safe for non-digital signature
   applications at the time of this writing [NIST-SP800-131A], there is
   a naturally growing demand, especially from the government and
   service provider community, for protecting their TCP sessions with
   the SHA-2 family of authentication algorithms, which is considered to
   be relatively stronger.  SHA-256, being widely preferred and
   deployed, provides a reasonable alternative with a stronger algorithm
   and a larger MAC length.  For those with larger compute power and
   more stringent security requirements, the SHA-512 option could be
   considered.


5.  IANA Considerations

   As described in [RFC5926], Section 5, IANA has a registry with the
   following details:

   Registry Name: Cryptographic Algorithms for TCP-AO

   Registration Procedure: RFC Publication after Expert Review

   The following entries need to be added to this registry:

                   +-----------+----------------------+
                   | Algorithm |       Reference      |
                   +-----------+----------------------+
                   |   SHA256  | This document Number |
                   |   SHA512  | This document Number |
                   +-----------+----------------------+

                                  Table 3


6.  Acknowledgements

   Thanks to Bertrand Duvivier, M. Rohit and Srinivas Ramprasad for
   providing their inputs and getting us going on this one.


7.  References

7.1.  Normative References

   [FIPS-180-4]
              FIPS Publication 180-4, "Secure Hash Standard",
              March 2012.

   [NIST-SP800-108]
              National Institute of Standards and Technology,
              "Recommendation for Key Derivation Using Pseudorandom
              Functions, NIST SP800-108", October 2009.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.




   [RFC5925]  Touch, J., Mankin, A., and R. Bonica, "The TCP
              Authentication Option", RFC 5925, June 2010.

   [RFC5926]  Lebovitz, G. and E. Rescorla, "Cryptographic Algorithms
              for the TCP Authentication Option (TCP-AO)", RFC 5926,
              June 2010.

7.2.  Informative References

   [NIST-SP800-131A]
              National Institute of Standards and Technology,
              "Transitions: Recommendation for Transitioning the Use of
              Cryptographic Algorithms and Key Lengths, NIST SP800-
              131A", January 2011.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              February 1997.


Authors' Addresses

   Sujeet Nayak Ammunje
   Cisco Systems
   Cessna Business Park
   Bangalore, Karnataka  560 087
   India

   Email: sujeetnayak@yahoo.com


   Brian Weis
   Cisco Systems
   170 W. Tasman Drive
   San Jose, California  95134-1706
   USA

   Phone: +1 408 526 4796
   Email: bew@cisco.com











