Browse Prior Art Database

Key Management Considerations for the TCP MD5 Signature Option (RFC3562)

IP.com Disclosure Number: IPCOM000016607D
Original Publication Date: 2003-Jul-01
Included in the Prior Art Database: 2003-Jul-03
Document File: 8 page(s) / 15K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

M. Leech: AUTHOR

Abstract

The TCP MD5 Signature Option (RFC 2385), used predominantly by BGP, has seen significant deployment in critical areas of Internet infrastructure. The security of this option relies heavily on the quality of the keying material used to compute the MD5 signature. This document addresses the security requirements of that keying material.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 19% of the total text.

Network Working Group                                           M. Leech

Request for Comments: 3562                               Nortel Networks

Category:Informational                                         July 2003

                   Key Management Considerations for

                     the TCP MD5 Signature Option

Status of this Memo

   This memo provides information for the Internet community.  It does

   not specify an Internet standard of any kind.  Distribution of this

   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   The TCP MD5 Signature Option (RFC 2385), used predominantly by BGP,

   has seen significant deployment in critical areas of Internet

   infrastructure.  The security of this option relies heavily on the

   quality of the keying material used to compute the MD5 signature.

   This document addresses the security requirements of that keying

   material.

1. Introduction

   The security of various cryptographic functions lies both in the

   strength of the functions themselves against various forms of attack,

   and also, perhaps more importantly, in the keying material that is

   used with them.  While theoretical attacks against the simple MAC

   construction used in RFC 2385 are possible [MDXMAC], the number of

   text-MAC pairs required to mount a forgery make it vastly more

   probable that key-guessing is the main threat against RFC 2385.

   We show a quantitative approach to determining the security

   requirements of keys used with [RFC2385], which tends to suggest the

   following:

      o  Key lengths SHOULD be between 12 and 24 bytes, with larger keys

         having effectively zero additional computational costs when

         compared to shorter keys.

Leech                        Informational                      [Page 1]

RFC 3562    Considerations for the TCP MD5 Signature Option    July 2003

      o  Key sharing SHOULD be limited so that keys aren't shared among

         multiple BGP peering arrangements.

      o  Keys SHOULD be changed at least every 90 days.

1.1. Requirements Keywords

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",

   and "MAY" that appear in this document are to be interpreted as

   described in [RFC2119].

2. Performance assumptions

   The most recent performance study of MD5 that this author was able to

   find was undertaken by J. Touch at ISI.  The results of this study

   were documented in [RFC1810].  The assumption is that Moores Law

   applies to the data in the study, which at the time showed a

   best-possible *software* performance for MD5 of 87Mbits/second.

   Projecting this number forward to the ca 2002 timeframe of this

   document, w...