One document matched: draft-zhou-6man-mhash-cga-01.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!-- This template is for creating an Internet Draft using xml2rfc,
which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!-- One method to get references from the online citation libraries.
There has to be one entity for each item to be referenced.
An alternate method (rfc include) is described in the references. -->
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use.
(Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc category="std" docName="draft-zhou-6man-mhash-cga-01" ipr="trust200902">
<!-- category values: std, bcp, info, exp, and historic
ipr values: full3667, noModification3667, noDerivatives3667
you can add the attributes updates="NNNN" and obsoletes="NNNN"
they will automatically be output with "(if approved)" -->
<!-- ***** FRONT MATTER ***** -->
<front>
<!-- The abbreviated title is used in the page header - it is only necessary if the
full title is longer than 39 characters -->
<title abbrev="draft-zhou-6man-mhash-cga-00">Another Support for Multiple
Hash Algorithms in Cryptographically Generated Addresses (CGAs)</title>
<!-- add 'role="editor"' below for the editors if appropriate -->
<!-- Another author who claims to be an editor -->
<author fullname="Sujing Zhou" initials="S.Z." role="editor"
surname="Zhou">
<organization>ZTE Corporation</organization>
<address>
<postal>
<street>No.68 Zijinghua Rd. Yuhuatai District</street>
<!-- Reorder these if your country does things differently -->
<city>Nanjing</city>
<region>Jiang Su</region>
<code>210012</code>
<country>R.R.China</country>
</postal>
<email>zhou.sujing@zte.com.cn</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<author fullname="Ruishan Zhang" initials="R.Z" surname="Zhang">
<organization>ZTE Corporation</organization>
<address>
<postal>
<street>889 Bibo Rd, Zhangjiang Hi-Tech Park</street>
<city>Shanghai</city>
<code>201203</code>
<country>P.R.China</country>
</postal>
<email>zhang.ruishan@zte.com.cn</email>
</address>
</author>
<author fullname="Zhenhua XIe" initials="Z.X" surname="Xie">
<organization>ZTE Corporation</organization>
<address>
<postal>
<street>No.68 Zijinghua Rd. Yuhuatai District</street>
<city>Nanjing</city>
<region>Jiang Su</region>
<code>210012</code>
<country>P.R.China</country>
</postal>
<phone>+86-25-52871287</phone>
<facsimile>+86-25-52871000</facsimile>
<email>xie.zhenhua@zte.com.cn</email>
</address>
</author>
<date day="9" month="April" year="2012" />
<!-- If the month and year are both specified and are the current ones, xml2rfc will fill
in the current day for you. If only the current year is specified, xml2rfc will fill
in the current day and month for you. If the year is not the current one, it is
necessary to specify at least a month (xml2rfc assumes day="1" if not specified for the
purpose of calculating the expiry date). With drafts it is normally sufficient to
specify just the year. -->
<!-- Meta-data Declarations -->
<area>Internet Area</area>
<workgroup>6man</workgroup>
<!-- WG name at the upperleft corner of the doc,
IETF is fine for individual submissions.
If this element is not present, the default is "Network Working Group",
which is used by the RFC Editor as a nod to the history of the IETF. -->
<keyword>template</keyword>
<!-- Keywords will be incorporated into HTML output
files in a meta tag but they have no effect on text or nroff
output. If you submit your draft to the RFC Editor, the
keywords will be used for the search engine. -->
<abstract>
<t>This document provides a support for multiple hash algorithms in
Cryptographically Generated Addresses (CGAs) defined in RFC 3972.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>Cryptographically Generated Addresses (CGAs) defined in <xref
target="RFC3972"></xref> is a method of binding a public key to an IPv6
address, with the aim of providing address ownership in many internet
protocols. In the generation and verification of a CGA address, a
cryptographicaly secure hash function, SHA-1 in the case of <xref
target="RFC3972"></xref>, is used to hash a public key into part of the
neitwork IP address.</t>
<t>As pointed out in Section 4 of <xref target="RFC4982"></xref>, it is
wise to enable multiple hash functions support in CGAs so that once the
current hash function does not satisfy future requirements ,e.g.,
potential future applications of the CGAs may need a more
cryptographicaly secure hash algorithm than SHA-1, the transition to an
alternative hash function is as easy as possible.</t>
<t>To provide a sense of hash algorishms agility , a method of reusing
the security parameter bits in the address is secified <xref
target="RFC4982"></xref>. Security parameter , sec, defined in RFC 3972,
is a 3 bit value from 0 to 7 used in the hash extension technique
(Section 7.2 in RFC3972 ), to compensate the truncated SHA-1 output
length because of insuffient bits space in a CGA address. According to
the method specified in RFC4982, the security parameter is also used to
represent hash algorithm identity:</t>
<t><list style="empty">
<t>000 means sec=0 and SHA-1</t>
<t>001 means sec=1 and SHA-1</t>
<t>010 means sec=2 and SHA-1</t>
</list></t>
<t>Then security parameter is limited to 0,1,2 . They may be sufficient
for now, but higher security parameter value may also be required with
computers becoming faster, as pointed out in Section 7.2 , RFC 3972.</t>
<t>Even with limited security parameter value, the method in RFC 4982
can only support three hash algorithms at most. That is besides SHA-1,
we have a second choice of an alternative hash algorithm number one with
sec=0,1,2 and a third choice of another alternative hash algorithm
number two with sec can only be two values from {0,1,2}.</t>
<t>Taking the above two factors into consideration, at some time in the
future we will be faced with a painful choice, high security parameter
or a more secure hash algorithm? And we may be also challenged with pain
of high cost of upgrading because of the massive number of IPv6 nodes
that may be using CGA addresses.</t>
<t>In this document, a support for multiple hash algorithms without
limiting security parameter or downgrading the security level of CGAs is
provided. The proposed solution follows the idea of encoding the hash
algorithm identity in the CGA addresses to prevent from downgrading
attacks, the detailed decription of downgrading attack can be found in
Section 4.1, RFC 4982.</t>
<section title="Terminology ">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119"></xref>.</t>
</section>
</section>
<!-- -->
<section title="Mhash-method Extension ">
<t>To accomodate RFC 4982, an extension field "Mhash-method" is defined.
The format is illustrated in Figure 1.</t>
<t><figure>
<artwork><![CDATA[0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extension Type | Extension Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mhash-method|
+-+-+-+-+-+-+-+
]]></artwork>
</figure>Extension Type: TBA. (16-bit unsigned integer).</t>
<t>Extension Data Length: 1. (16-bit unsigned integer. Length of the
multiple-hash-method field of this option, in octets.)</t>
<t>Mhash-method: 1 octet length field. If Mhash-method equal 0, it means
the method of denoting hash algorithm specified in RFC 4982 is adopted,
if Mhash-method equal 1, it means the method specified in this document
is adopted.</t>
</section>
<section title="Hash Algorithm Identity Parameter">
<t>A hash algorithm identity parameter (hid) in CGA is defiend to denote
the hash algorithm adopted when caculating HASH1 and HASH2. The hash
algorithm identity parameter is a three-bit unsigned integer, and it is
encoded in the 3rd-5th bits of the interface identifier. This can be
written as follows:</t>
<t>hid = (interface identifier & 0x1c00000000000000) >> 58</t>
<t><figure>
<artwork><![CDATA[ 0 1 2 3 4 5 6 7 8 9 0
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| sec | hid |0 0| Leftmost 56 bits of HASH1 output |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure></t>
</section>
<section title="CGA Generation Procedure ">
<t>Generate a CGA as defined in RFC 3972 except some modification to
steps 2,3,5,6 and 9 as shown in the following:</t>
<t><list style="numbers">
<t>Set the modifier to a random or pseudo-random 128-bit value.</t>
<t>Concatenate from left to right the modifier, 9 zero octets, the
encoded public key, and any optional extension fields. Execute the
adopted hash algorithm ( denoted by value of hid) on the
concatenation. Take the 112( or 115 in case sec=7 ) leftmost bits of
the hash value. The result is Hash2.</t>
<t>Compare the 16*Sec+3 leftmost bits of Hash2 with zero. If they
are all zero, continue with step 4. Otherwise, increment the
modifier by one and go back to step 2.</t>
<t>Set the 8-bit collision count to zero.</t>
<t>Concatenate from left to right the final modifier value, the
subnet prefix, the collision count, the encoded public key, and any
optional extension fields. Execute the adopted hash algorithm on the
concatenation. Take the 56 leftmost bits of the hash value. The
result is Hash1.</t>
<t>Form an interface identifier from Hash1 by writing the value of
Sec into the three leftmost bits, writing teh value of hid into the
following three bits and by setting bits 6 and 7 (i.e., the "u" and
"g" bits) to zero.</t>
<t>Concatenate the 64-bit subnet prefix and the 64-bit interface
identifier to form a 128-bit IPv6 address with the subnet prefix to
the left and interface identifier to the right, as in a standard
IPv6 address .</t>
<t>Perform duplicate address detection if required. If an address
collision is detected, increment the collision count by one and go
back to step 5. However, after three collisions, stop and report the
error.</t>
<t>Form the CGA Parameters data structure by concatenating from left
to right the final modifier value, the subnet prefix, the final
collision count value, the encoded public key, Mhash-method value
(equal 1 in this case) and any other optional extension fields.</t>
</list></t>
</section>
<section title="CGA Verification Procedure ">
<t>Veirfy a CGA as defined in RFC 3972 except some modification to steps
3,4,6 and 7 as shown in the following:</t>
<t><list style="numbers">
<t>Check that the collision count in the CGA Parameters data
structure is 0, 1, or 2. The CGA verification fails if the collision
count is out of the valid range.</t>
<t>Check that the subnet prefix in the CGA Parameters data structure
is equal to the subnet prefix (i.e., the leftmost 64 bits) of the
address. The CGA verification fails if the prefix values differ.</t>
<t>if the Mhash-method value in the Mhash-method extenstion filed is
1, read the hash algorithm identity parameter hid from the 3rd-5th
bits of the 64-bit interface identifier of the address, execute the
hash algorithm denoted by hid on the CGA Parameters data structure.
Take the 56 leftmost bits of the hash value. The result is Hash1. If
the Mhash-method value in the Mhash-method extenstion filed is 0, do
exactly as sepcified in RFC 3972 and RFC4982.</t>
<t>Compare Hash1 with the interface identifier (i.e., the rightmost
56 bits) of the address. If the 56-bit values differ, the CGA
verification fails.</t>
<t>Read the security parameter Sec from the three leftmost bits of
the 64-bit interface identifier of the address. (Sec is an unsigned
3-bit integer.)</t>
<t>Concatenate from left to right the modifier, 9 zero octets, the
public key, and any extension fields that follow the public key in
the CGA Parameters data structure. Execute the hash algorithm
denoted by hid on the concatenation. Take the 112 (or 115 in case
sec=7) leftmost bits of the SHA-1 hash value. The result is
Hash2.</t>
<t>Compare the 16*Sec+3 leftmost bits of Hash2 with zero. If any one
of them is not zero, the CGA verification fails. Otherwise, the
verification succeeds.</t>
</list></t>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>This document defines one new CGA Extension Type [RFC4581] option,
which must be assigned by IANA:</t>
<t>Name: Mhash-method extension type;</t>
<t>Value: TBA.</t>
<t>Description: see Section 2.</t>
<t>The values of Mhash-method are also defined:</t>
<t>Name: Mhash-method extension value;</t>
<t>Value: 0 meaning RFC 4982, 1 meaning this document;</t>
<t>Description: see Section 2.</t>
<t>This document also defines a new parameter (hid) in CGA, the value of
which must be assigned by IANA. It may be assigned as follows:</t>
<t><figure>
<artwork><![CDATA[ Name | Value
-------------------+-------
SHA-1 | 000
SHA-244 | 001
SHA-256 | 010
SHA-384 | 011
SHA-512 | 100
TBD | 101
TBD | 110
TBD | 111
]]></artwork>
</figure></t>
<t></t>
</section>
<section anchor="Security" title="Security Considerations">
<t>The security of applications using CGAs relies on the adopted public
key schemes, which is out of the scope of this document, as well as the
adopted hash algorithms.</t>
<t>A high cryptographicaly secure hash algorithm is obviously required.
But no hash algorithms are guaranteed to be secure for ever, it is wise
to add algorithm agility into CGAs in case current hash algorithm be
successfully attacked. .</t>
<t>This document suggests adding more flexible hash algorithm
agilibility to CGAs. The method in this document follows the idea of
encoding the hash algorithm identifier in the interface identifier to
avoid downgrading attack, as analysed in Section 4.1, RFC 4982.</t>
<t>Actually CGAs only adopt truncated forms of a hash algorithm which is
considered cryptographicaly secure in the sense of its regular form. As
specified in RFC 3972, the effective bits relating to the security of
CGAs are only the leftmost 59 bits (in the case of HASH1) , and the left
most 16*sec bits (in the case of HASH2) of the whole 160 bits SHA-1
output . It is roughly estimated that the overall security of the hash
algorithm is O( 2^(16*sec+59))(Section 7.2, RFC3972).</t>
<t>In this document, 3 bits originally used for output of HASH1are taken
off the interface identifier to denote hash algoritm identity, while 3
more bits of output of HASH2 are checked, in a whole the whole security
level is kept roughly the same, i.e.,O( 2^(16*sec+59)) .</t>
</section>
</middle>
<!-- *****BACK MATTER ***** -->
<back>
<!-- References split into informative and normative -->
<!-- There are 2 ways to insert reference entries from the citation libraries:
1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
(for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")
Both are cited textually in the same manner: by using xref elements.
If you use the PI option, xml2rfc will, by default, try to find included files in the same
directory as the including file. You can also define the XML_LIBRARY environment variable
with a value containing a set of directories to search. These can be either in the local
filing system or remote ones accessed by http (http://domain/dir/... ).-->
<references title="Normative References">
<?rfc include='reference.RFC.2119.xml'?>
<?rfc include='reference.RFC.3972.xml'?>
<?rfc include='reference.RFC.4982.xml'?>
</references>
<!-- -->
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 04:24:20 |