Last Version: | draft-nesser-otp-sha-256-384-512-02.txt |
Date: | 26-Mar-2004 |
Disposition: | expired |
Previous Versions: |
draft-nesser-otp-sha-256-384-512-02.txt (diff) - 08-May-2003 draft-nesser-otp-sha-256-384-512-01.txt (diff) - 06-May-2003 draft-nesser-otp-sha-256-384-512-00.txt (diff) - 17-Feb-2003 |
Network Working Group P. J. Nesser II draft-nesser-otp-sha-256-384-512-02.txt Nesser & Nesser Consulting Category: Standards Track May 2003 Generating One-Time Passwords with SHA-256, SHA-384, and SHA-512 Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. 1.0 ABSTRACT This document describes the use of the new AES hash alogrithms, SHA-256, SHA-384 and SHA-512, for use with the One Time Password (OTP) system, as defined by RFC 2289. RFC 2289 has definitions for the MD4, MD5 and SHA1 hashes, while this document defines techniques for using the AES hashes. 2.0 OVERVIEW The OTP protocol defines a widely deployed method of creating chains of one-time passwords. The OTP system generator passes the user's secret pass-phrase, along with a seed received from the server as part of the challenge, through multiple iterations of a secure hash function to produce a one-time password. After each successful authentication, the number of secure hash function iterations is reduced by one. Thus, a unique sequence of passwords is generated. Each one-time password is a 64-bit value calculated from the output of one of three defined hash functions. RFC 2289 specifies that all OTP implementations MUST implement the MD5 hash, SHOULD implement the SHA1 hash, and MAY implement the MD4 hash. MD4 and MD5 each produce 128-bit output and SHA1 produces 160-bit output. RFC 2289 defines methods for reducing the output of those hashes to 64-bits. This documument defines methods for reducing the output of SHA-256, SHA-384 and SHA-512 into 64-bit blocks for use in OTP. Although the SHA-256, SHA-384 and SHA-512 alogrithms are still in their introductory state, the length of their outputs are set and will not change. 3.0 REQUIREMENTS TERMINOLOGY In this document, the words that are used to define the significance of each particular requirement are usually capitalized. These words are: - MUST This word or the adjective "REQUIRED" means that the item is an absolute requirement of the specification. - SHOULD This word or the adjective "RECOMMENDED" means that there might exist valid reasons in particular circumstances to ignore this item, but the full implications should be understood and the case carefully weighed before taking a different course. - MAY This word or the adjective "OPTIONAL" means that this item is truly optional. One vendor might choose to include the item because a particular marketplace requires it or because it enhances the product, for example; another vendor may omit the same item. 4.0 Implementation Requirements OTP systems MAY implement the SHA-256, SHA-384, or SHA-512 hashes. 5.0 Server Challenges The syntax of the challenge issued by the OTP server to the client is: otp-<algorithm identifier> <sequence integer> <seed> The currently defined (RFC 2289) algorithm identifiers are: md4 MD4 Message Digest md5 MD5 Message Digest sha1 NIST Secure Hash Algorithm Revision 1 The following new algorithm identifiers are defined sha256 NIST Secure Hash Algorithm 256-bit output sha384 NIST Secure Hash Algorithm 384-bit output sha512 NIST Secure Hash Algorithm 512-bit output 6.0 Interfaces to Secure Hash Algorithms SHA-256 Secure Hash Algorithm SHA256_INFO sha; unsigned char result[16]; strcpy(buf, seed); strcat(buf, passwd); sha_init(&sha); sha_update(&sha, (unsigned char *)buf, strlen(buf)); sha_final(&sha); /* Fold the 256 bit result to 64 bits */ for (i = 1; i < 4; i++) { sha.digest[0] ^= sha.digest[2 * i]; sha.digest[1] ^= sha.digest[(2 * i) + 1]; } SHA-384 Secure Hash Algorithm SHA384_INFO sha; unsigned char result[16]; strcpy(buf, seed); strcat(buf, passwd); sha_init(&sha); sha_update(&sha, (unsigned char *)buf, strlen(buf)); sha_final(&sha); /* Fold the 384 bit result to 64 bits */ for (i = 1; i < 6; i++) { sha.digest[0] ^= sha.digest[2 * i]; sha.digest[1] ^= sha.digest[(2 * i) + 1]; } SHA-512 Secure Hash Algorithm SHA512_INFO sha; unsigned char result[16]; strcpy(buf, seed); strcat(buf, passwd); sha_init(&sha); sha_update(&sha, (unsigned char *)buf, strlen(buf)); sha_final(&sha); /* Fold the 512 bit result to 64 bits */ for (i = 1; i < 8; i++) { sha.digest[0] ^= sha.digest[2 * i]; sha.digest[1] ^= sha.digest[(2 * i) + 1]; } 7.0 Bit Ordering Any implementation of these extended hashes to the OTP protocol should take note of Appendix A of RFC 2289. A relevent fragment is presented here: >From RFC 2289 "For historical reasons, and to promote interoperability with existing implementations, it was decided that ALL hashes incorporated into the OTP protocol MUST store the output of their hash function in LITTLE ENDIAN format BEFORE the bit folding to 64 bits occurs." It is the implementors responsibility to check their hash function implementation to ensure compatibility. 8.0 Neccessity of Implementation As of this writing there is no apparent or pressing reason to upgrade the hash algorithms used in current OTP implementations. On the other hand, there will be certain organizations who desire to move all of their cryptographics software to conform to new US Government standards. 9.0 SECURITY CONSIDERATIONS This document describes the additional use of three new hashes for use in the OTP system. The OTP system is widely utilized and trusted on the Internet. Use of a new hash system which might have some yet undiscovered flaw could expose or compromise the security of these systems. 11.0 ACKNOWLEDGMENTS 12.0 REFERENCES [FIPS 180-2] Secure Hash Standard: A Revision of FIPS 180-1, August 2002 13.0 AUTHORS' ADDRESSES Philip J. Nesser II Nesser & Nesser Consulting 13501 100th Ave NE Suite 5202 Kirkland, WA 98034, USA Phone: +1 425 481 4303 EMail: phil@nesser.com