6man | S.Z. Zhou, Ed. |
Internet-Draft | R.Z. Zhang |
Intended status: Standards Track | Z.X. Xie |
Expires: October 09, 2012 | ZTE Corporation |
April 9, 2012 |
Another Support for Multiple Hash Algorithms in Cryptographically Generated Addresses (CGAs)
draft-zhou-6man-mhash-cga-01
This document provides a support for multiple hash algorithms in Cryptographically Generated Addresses (CGAs) defined in RFC 3972.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 09, 2012.
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Cryptographically Generated Addresses (CGAs) defined in [RFC3972] is a method of binding a public key to an IPv6 address, with the aim of providing address ownership in many internet protocols. In the generation and verification of a CGA address, a cryptographicaly secure hash function, SHA-1 in the case of [RFC3972], is used to hash a public key into part of the neitwork IP address.
As pointed out in Section 4 of [RFC4982], it is wise to enable multiple hash functions support in CGAs so that once the current hash function does not satisfy future requirements ,e.g., potential future applications of the CGAs may need a more cryptographicaly secure hash algorithm than SHA-1, the transition to an alternative hash function is as easy as possible.
To provide a sense of hash algorishms agility , a method of reusing the security parameter bits in the address is secified [RFC4982]. Security parameter , sec, defined in RFC 3972, is a 3 bit value from 0 to 7 used in the hash extension technique (Section 7.2 in RFC3972 ), to compensate the truncated SHA-1 output length because of insuffient bits space in a CGA address. According to the method specified in RFC4982, the security parameter is also used to represent hash algorithm identity:
Then security parameter is limited to 0,1,2 . They may be sufficient for now, but higher security parameter value may also be required with computers becoming faster, as pointed out in Section 7.2 , RFC 3972.
Even with limited security parameter value, the method in RFC 4982 can only support three hash algorithms at most. That is besides SHA-1, we have a second choice of an alternative hash algorithm number one with sec=0,1,2 and a third choice of another alternative hash algorithm number two with sec can only be two values from {0,1,2}.
Taking the above two factors into consideration, at some time in the future we will be faced with a painful choice, high security parameter or a more secure hash algorithm? And we may be also challenged with pain of high cost of upgrading because of the massive number of IPv6 nodes that may be using CGA addresses.
In this document, a support for multiple hash algorithms without limiting security parameter or downgrading the security level of CGAs is provided. The proposed solution follows the idea of encoding the hash algorithm identity in the CGA addresses to prevent from downgrading attacks, the detailed decription of downgrading attack can be found in Section 4.1, RFC 4982.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
To accomodate RFC 4982, an extension field "Mhash-method" is defined. The format is illustrated in Figure 1.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Extension Type | Extension Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Mhash-method| +-+-+-+-+-+-+-+
Extension Data Length: 1. (16-bit unsigned integer. Length of the multiple-hash-method field of this option, in octets.)
Mhash-method: 1 octet length field. If Mhash-method equal 0, it means the method of denoting hash algorithm specified in RFC 4982 is adopted, if Mhash-method equal 1, it means the method specified in this document is adopted.
A hash algorithm identity parameter (hid) in CGA is defiend to denote the hash algorithm adopted when caculating HASH1 and HASH2. The hash algorithm identity parameter is a three-bit unsigned integer, and it is encoded in the 3rd-5th bits of the interface identifier. This can be written as follows:
hid = (interface identifier & 0x1c00000000000000) >> 58
0 1 2 3 4 5 6 7 8 9 0 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | sec | hid |0 0| Leftmost 56 bits of HASH1 output | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Generate a CGA as defined in RFC 3972 except some modification to steps 2,3,5,6 and 9 as shown in the following:
Veirfy a CGA as defined in RFC 3972 except some modification to steps 3,4,6 and 7 as shown in the following:
This document defines one new CGA Extension Type [RFC4581] option, which must be assigned by IANA:
Name: Mhash-method extension type;
Value: TBA.
Description: see Section 2.
The values of Mhash-method are also defined:
Name: Mhash-method extension value;
Value: 0 meaning RFC 4982, 1 meaning this document;
Description: see Section 2.
This document also defines a new parameter (hid) in CGA, the value of which must be assigned by IANA. It may be assigned as follows:
Name | Value -------------------+------- SHA-1 | 000 SHA-244 | 001 SHA-256 | 010 SHA-384 | 011 SHA-512 | 100 TBD | 101 TBD | 110 TBD | 111
The security of applications using CGAs relies on the adopted public key schemes, which is out of the scope of this document, as well as the adopted hash algorithms.
A high cryptographicaly secure hash algorithm is obviously required. But no hash algorithms are guaranteed to be secure for ever, it is wise to add algorithm agility into CGAs in case current hash algorithm be successfully attacked. .
This document suggests adding more flexible hash algorithm agilibility to CGAs. The method in this document follows the idea of encoding the hash algorithm identifier in the interface identifier to avoid downgrading attack, as analysed in Section 4.1, RFC 4982.
Actually CGAs only adopt truncated forms of a hash algorithm which is considered cryptographicaly secure in the sense of its regular form. As specified in RFC 3972, the effective bits relating to the security of CGAs are only the leftmost 59 bits (in the case of HASH1) , and the left most 16*sec bits (in the case of HASH2) of the whole 160 bits SHA-1 output . It is roughly estimated that the overall security of the hash algorithm is O( 2^(16*sec+59))(Section 7.2, RFC3972).
In this document, 3 bits originally used for output of HASH1are taken off the interface identifier to denote hash algoritm identity, while 3 more bits of output of HASH2 are checked, in a whole the whole security level is kept roughly the same, i.e.,O( 2^(16*sec+59)) .
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[RFC3972] | Aura, T., "Cryptographically Generated Addresses (CGA)", RFC 3972, March 2005. |
[RFC4982] | Bagnulo, M. and J. Arkko, "Support for Multiple Hash Algorithms in Cryptographically Generated Addresses (CGAs)", RFC 4982, July 2007. |