diff --git a/doc/draft/draft-ietf-dnsext-tsig-sha-00.txt b/doc/draft/draft-ietf-dnsext-tsig-sha-00.txt new file mode 100644 index 0000000000..1133b0c87d --- /dev/null +++ b/doc/draft/draft-ietf-dnsext-tsig-sha-00.txt @@ -0,0 +1,466 @@ + + +INTERNET-DRAFT Donald E. Eastlake 3rd +UPDATES RFC 2845 Motorola Laboratories +Expires: February 2005 August 2004 + + + HMAC SHA TSIG Algorithm Identifiers + ---- --- ---- --------- ----------- + + + +Status of This Document + + By submitting this Internet-Draft, I certify that any applicable + patent or other IPR claims of which I am aware have been disclosed, + or will be disclosed, and any of which I become aware will be + disclosed, in accordance with RFC 3668. + + This draft is intended to be become a Proposed Standard RFC. + Distribution of this document is unlimited. Comments should be sent + to the DNSEXT working group mailing list . + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as Internet- + Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than a "work in progress." + + The list of current Internet-Drafts can be accessed at + http://www.ietf.org/1id-abstracts.html + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html + + +Abstract + + Use of the TSIG DNS resource record requires specification of a + cryptographic message authentication code. Currently identifiers + have been specified only for the HMAC-MD5 and GSS TSIG algorithms. + This document standardizes identifiers for additional HMAC SHA TSIG + algorithms and standardizes how to specify the truncation of HMAC + values. + + +Copyright Notice + + Copyright (C) The Internet Society 2004. All Rights Reserved. + + + + +D. Eastlake 3rd [Page 1] + + +INTERNET-DRAFT HMAC-SHA TSIG Identifiers + + +Table of Contents + + Status of This Document....................................1 + Abstract...................................................1 + Copyright Notice...........................................1 + + Table of Contents..........................................2 + + 1. Introduction............................................3 + + 2. Algorithms and Identifiers..............................4 + + 3. Specifying Truncation...................................5 + + 4. IANA Considerations.....................................6 + 5. Security Considerations.................................6 + 6. Copyright and Disclaimer................................6 + + 7. Normative References....................................7 + 8. Informative References..................................7 + + Authors Address............................................8 + Expiration and File Name...................................8 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +D. Eastlake 3rd [Page 2] + + +INTERNET-DRAFT HMAC-SHA TSIG Identifiers + + +1. Introduction + + [RFC 2845] specifies a TSIG Resource Record (RR) that can be used to + authenticate DNS queries and responses. This RR contains a domain + name syntax data item which names the authentication algorithm used. + [RFC 2845] defines the HMAC-MD5.SIG-ALG.REG.INT name for + authentication codes using the HMAC [RFC 2104] algorithm with the MD5 + [RFC 1321] hash algorithm. IANA has also registered "gss-tsig" as an + identifier for TSIG authentication where the cryptographic operations + are delegated to GSS [RFC 3645]. + + In section 2, this document specifies additional names for TSIG + authentication algorithms based on US NIST SHA algorithms and HMAC. + + In section 3, this document specifies the meaning of inequality + between the normal output size of the specified hash function and the + length of MAC (message authentication code) data given in the TSIG + RR. In particular, it specifies that a shorter length field value + specifies truncation and a longer length field is an error. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +D. Eastlake 3rd [Page 3] + + +INTERNET-DRAFT HMAC-SHA TSIG Identifiers + + +2. Algorithms and Identifiers + + TSIG Resource Records (RRs) [RFC 2845] are used to authenticate DNS + queries and responses. They are intended to be efficient symmetric + authentication codes based on a shared secret. (Asymmetric signatures + can be provided using the SIG RR [RFC 2931]. In particular, SIG(0) + can be used for transaction signatures.) Used with a strong hash + function, HMAC [RFC 2104] provides a way to calculate such symmetric + authentication codes. The only specified HMAC based TSIG algorithm + identifier has been HMAC-MD5.SIG-ALG.REG.INT based on MD5 [RFC 1321]. + + The use of SHA-1 [FIPS 180-1, RFC 3174], which is a 160 bit hash, as + compared with the 128 bits for MD5, and additional hash algorithms in + the SHA family [FIPS 180-2, RFC sha224] with 224, 256, 384, and 512 + bits, may be preferred in some case. Use of TSIG between a DNS + resolver and server is by mutual agreement. That agreement can + include the support of additional algorithms. + + For completeness in relation to HMAC based algorithms, the current + HMAC-MD5.SIG-ALG.REG.INT identifier is included in the table below. + Implementations which support TSIG MUST implement HMAC MD5, SHOULD + implement HMAC SHA-1, and MAY implement gss-tsig and the other + algorithms listed below. + + Mandatory HMAC-MD5.SIG-ALG.REG.INT + Recommended hmac-sha1 + Optional hmac-sha224 + Optional hmac-sha256 + Optional hamc-sha384 + Optional hmac-sha512 + + + + + + + + + + + + + + + + + + + + + + +D. Eastlake 3rd [Page 4] + + +INTERNET-DRAFT HMAC-SHA TSIG Identifiers + + +3. Specifying Truncation + + In some cases, it is reasonable to truncate the output of HMAC and + use the truncated value for authentication. HMAC SHA-1 truncated to + 96 bits is an optional available in several IETF protocols including + IPSEC and TLS. + + The TSIG RR [RFC 2845] includes a "MAC size" field, which gives the + size of the MAC field in octets. But [RFC 2845] does not specify what + to do if this MAC size differs from the length of the output of HMAC + for a particular hash function. + + The specification for TSIG handling is changed as follows: + + 1. If The "MAC size" field is larger than the HMAC output length or + is zero: This case MUST NOT be generated and if received MUST + cause the packet to be dropped and RCODE 1 (FORMERR) to be + returned. + + 2. If the "MAC size" field equals the HMAC output length: Operation + is as described in [RFC 2845]. + + 3. If the "MAC size" field is less than the HMAC output length but is + not zero: This is sent when the signer has truncated the HMAC + output as described in RFC 2104, taking initial octets and + discarding trailing octets. TSIG truncation can only be to an + integral number of octets. On receipt of a packet with truncation + thus indicated, the locally calculated MAC is similarly truncated + and only the truncated values compared for authentication. + + TSIG implementations SHOULD implement SHA-1 truncated to 96 bits (12 + octets) and MAY implement any or all other truncations valid under + case 3 above. + + + + + + + + + + + + + + + + + + + +D. Eastlake 3rd [Page 5] + + +INTERNET-DRAFT HMAC-SHA TSIG Identifiers + + +4. IANA Considerations + + This document, on approval for publication as a standards track RFC, + registers the new TSIG algorithm identifiers listed in Section 2 with + IANA. + + + +5. Security Considerations + + For all of the message authentication code algorithms listed herein, + those producing longer values are believed to be stronger; however, + while there are some arguments that mild truncation can strengthen a + MAC by reducing the information available to an attacker, excessive + truncation clearly weakens authentication by reducing the number of + bits an attacker has to try to force. See [RFC 2104] which recommends + that ah HMAC never be truncated to less than half its length nor to + less than 80 bits (10 octets). + + See also the Security Considerations section of [RFC 2845]. + + + +6. Copyright and Disclaimer + + Copyright (C) The Internet Society 2004. This document is subject to + the rights, licenses and restrictions contained in BCP 78 and except + as set forth therein, the authors retain all their rights. + + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + + + + + + + + + + + + + + +D. Eastlake 3rd [Page 6] + + +INTERNET-DRAFT HMAC-SHA TSIG Identifiers + + +7. Normative References + + [FIPS 180-2] - "Secure Hash Standard", (SHA-1/256/384/512) US Federal + Information Processing Standard, Draft, 1 August 2002. + + [RFC 1321] - Rivest, R., "The MD5 Message-Digest Algorithm ", RFC + 1321, April 1992. + + [RFC 2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- + Hashing for Message Authentication", RFC 2104, February 1997. + + [RFC 2434] - Narten, T. and H. Alvestrand, "Guidelines for Writing an + IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. + + [RFC 2845] - Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B. + Wellington, "Secret Key Transaction Authentication for DNS (TSIG)", + RFC 2845, May 2000. + + [RFC sha224] - "A 224-bit One-way Hash Function: SHA-224", R. + Housley, December 2003, work in progress, draft-ietf-pkix- + sha224-*.txt. + + + +8. Informative References. + + [FIPS 180-1] - Secure Hash Standard, (SHA-1) US Federal Information + Processing Standard, 17 April 1995. + + [RFC 2931] - Eastlake 3rd, D., "DNS Request and Transaction + Signatures ( SIG(0)s )", RFC 2931, September 2000. + + [RFC 3174] - Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm + 1 (SHA1)", RFC 3174, September 2001. + + [RFC 3645] - Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead, + J., and R. Hall, "Generic Security Service Algorithm for Secret Key + Transaction Authentication for DNS (GSS-TSIG)", RFC 3645, October + 2003. + + + + + + + + + + + + + +D. Eastlake 3rd [Page 7] + + +INTERNET-DRAFT HMAC-SHA TSIG Identifiers + + +Authors Address + + Donald E. Eastlake 3rd + Motorola Laboratories + 155 Beaver Street + Milford, MA 01757 USA + + Telephone: +1-508-786-7554 (w) + +1-508-634-2066 (h) + EMail: Donald.Eastlake@motorola.com + + + +Expiration and File Name + + This draft expires in February 2005. + + Its file name is draft-ietf-dnsext-tsig-sha-00.txt + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +D. Eastlake 3rd [Page 8] + +