draft-ietf-dnsext-tsig-md5-deprecated-00.txt   draft-ietf-dnsext-tsig-md5-deprecated-01.txt 
DNSext Working Group F. Dupont DNSext Working Group F. Dupont
Internet-Draft ISC Internet-Draft ISC
Updates: 2845,2930,4635 June 30, 2008 Updates: 2845,2930,4635 November 19, 2008
(if approved) (if approved)
Intended status: Standards Track Intended status: Standards Track
Expires: January 1, 2009 Expires: May 23, 2009
Deprecation of HMAC-MD5 in DNS TSIG and TKEY Resource Records Deprecation of HMAC-MD5 in DNS TSIG and TKEY Resource Records
draft-ietf-dnsext-tsig-md5-deprecated-00.txt draft-ietf-dnsext-tsig-md5-deprecated-01.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 36 skipping to change at page 1, line 36
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 1, 2009. This Internet-Draft will expire on May 23, 2009.
Abstract Abstract
The main goal of this document is to deprecate the use of HMAC-MD5 as The main goal of this document is to deprecate the use of HMAC-MD5 as
an algorithm for the TSIG (secret key transaction authentication) an algorithm for the TSIG (secret key transaction authentication)
resource record in the DNS (domain name system). resource record in the DNS (domain name system).
1. Introduction 1. Introduction
The secret key transaction authentication for DNS (TSIG, [RFC2845]) The secret key transaction authentication for DNS (TSIG, [RFC2845])
was defined with the HMAC-MD5 [RFC2104] cryptographic algorithm. As was defined with the HMAC-MD5 [RFC2104] cryptographic algorithm. As
the MD5 [RFC1321] security was recognized to be lower than expected, the MD5 [RFC1321] security was recognized to be lower than expected,
[RFC4635] standardized new TSIG algorithms based on SHA [RFC4635] standardized new TSIG algorithms based on SHA
[RFC3174][RFC3874][RFC4634] digests. [RFC3174][RFC3874][RFC4634] digests.
But [RFC4635] did not deprecate the HMAC-MD5 algorithm. This But [RFC4635] did not deprecate the HMAC-MD5 algorithm. This
document is targeted to complete the process, in details: document is targeted to complete the process, in details:
1. Mark HMAC-MD5.SIG-ALG.REG.INT as deprecated and replaced by HMAC- 1. Mark HMAC-MD5.SIG-ALG.REG.INT as optional in the TSIG algorithm
SHA256 in the TSIG algorithm name registry managed by the IANA name registry managed by the IANA under the IETF Review Policy
under the IETF Review Policy [RFC5226] [RFC5226]
2. Make HMAC-MD5.SIG-ALG.REG.INT support "not Mandatory" for 2. Make HMAC-MD5.SIG-ALG.REG.INT support "not Mandatory" for
implementations implementations
3. Provide a keying material derivation for the secret key 3. Provide a keying material derivation for the secret key
establishment for DNS (TKEY, [RFC2930]) using a Diffie-Hellman establishment for DNS (TKEY, [RFC2930]) using a Diffie-Hellman
exchange with SHA256 [RFC4634] in place of MD5 [RFC1321] exchange with SHA256 [RFC4634] in place of MD5 [RFC1321]
4. Finally recommend the use of HMAC-SHA256. 4. Finally recommend the use of HMAC-SHA256.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
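Review bot: Item 1 of the list in -01 now marks HMAC-MD5.SIG-ALG.REG.INT as "optional", so the title and abstract ("deprecate the use of HMAC-MD5") describe something the body no longer does. Items 1 and 2 also now say nearly the same thing. Either state in the Introduction why "optional" replaced "deprecated and replaced by HMAC-SHA256", or align the title and abstract with the requirement-level change, and consider merging items 1 and 2.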
2. TSIG Algorithm Name Registry 2. Implementation Requirements
In the registry of TSIG algorithm names, add this comment
"(deprecated, see hmac-sha256)" in the HMAC-MD5.SIG-ALG.REG.INT
entry.
This follows the style of the registry of DNSSEC algorithm numbers
which was updated by [RFC3110].
3. Implementation Requirements
The table of section 3 of [RFC4635] is updated into: The table of section 3 of [RFC4635] is updated into:
+-------------------+--------------------------+ +-------------------+--------------------------+
| Requirement Level | Algorithm Name | | Requirement Level | Algorithm Name |
+-------------------+--------------------------+ +-------------------+--------------------------+
| Deprecated | HMAC-MD5.SIG-ALG.REG.INT | | Optional | HMAC-MD5.SIG-ALG.REG.INT |
| Optional | gss-tsig | | Optional | gss-tsig |
| Mandatory | hmac-sha1 | | Mandatory | hmac-sha1 |
| Optional | hmac-sha224 | | Optional | hmac-sha224 |
| Mandatory | hmac-sha256 | | Mandatory | hmac-sha256 |
| Optional | hmac-sha384 | | Optional | hmac-sha384 |
| Optional | hmac-sha512 | | Optional | hmac-sha512 |
+-------------------+--------------------------+ +-------------------+--------------------------+
Implementations that support TSIG MUST also implement HMAC-SHA1 and Implementations that support TSIG MUST also implement HMAC-SHA1 and
HMAC-SHA256 (i.e., algorithms at the "Mandatory" requirement level) HMAC-SHA256 (i.e., algorithms at the "Mandatory" requirement level)
and MAY implement GSS-TSIG and the other algorithms listed above and MAY implement GSS-TSIG and the other algorithms listed above
(i.e., algorithms at a "not Mandatory" requirement level). (i.e., algorithms at a "not Mandatory" requirement level).
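Review bot: The HMAC-MD5.SIG-ALG.REG.INT row of the requirement table moves from "Deprecated" to "Optional", the same level as hmac-sha224, hmac-sha384 and hmac-sha512. The table alone therefore no longer separates an algorithm that the Security Considerations call NOT RECOMMENDED from ones that are simply not required. Suggest a footnote on that row pointing at the Security Considerations, so that an implementer reading only this table sees the recommendation.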
4. TKEY keying material derivation 3. TKEY keying material derivation
When the TKEY [RFC2930] uses a Diffie-Hellman exchange, the keying When the TKEY [RFC2930] uses a Diffie-Hellman exchange, the keying
material is derived from the shared secret and TKEY resource record material is derived from the shared secret and TKEY resource record
data using MD5 [RFC1321] at the end of section 4.1 page 9. data using MD5 [RFC1321] at the end of section 4.1 page 9.
This is amended into: This is amended into:
keying material = keying material =
XOR ( DH value, SHA256 ( query data | DH value ) | XOR ( DH value, SHA256 ( query data | DH value ) |
SHA256 ( server data | DH value ) ) SHA256 ( server data | DH value ) )
using the same conventions. using the same conventions.
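Review bot: The amended derivation swaps MD5 for SHA256 in place, but nothing in this section says how the two ends of a Diffie-Hellman TKEY exchange learn which derivation the other side applied. An implementation of [RFC2930] as published and one following this text would compute different keying material from the same exchange. Suggest specifying the selection or transition rule, and spelling out how "the same conventions" apply now that each hash output is 32 octets rather than 16.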
5. IANA Consideration 4. IANA Consideration
The section Section 2 should be applied according to the current IANA This document extends the "TSIG Algorithm Names - per [RFC2845]"
preferences, i.e., the update is in a [RFC3110] style and can be located at http://www.iana.org/assignments/tsig-algorithm-names by
adapted to the style chosen by IANA for TSIG algorithm names. adding a new colum to the registry "Compliance Requirement".
6. Security Considerations The registry should contain the following:
+--------------------------+------------------------+-------------+
| Algorithm Name | Compliance Requirement | Reference |
+--------------------------+------------------------+-------------+
| gss-tsig | Optional | [RFC3645] |
| HMAC-MD5.SIG-ALG.REG.INT | Optional | [RFC2845][] |
| hmac-sha1 | Mandatory | [RFC4635] |
| hmac-sha224 | Optional | [RFC4635] |
| hmac-sha256 | Mandatory | [RFC4635] |
| hmac-sha384 | Optional | [RFC4635] |
| hmac-sha512 | Optional | [RFC4635] |
+--------------------------+------------------------+-------------+
where [] is this document.
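Review bot: In the new IANA text "colum" should be "column", and the "[RFC2845][]" entry relies on an empty "[]" that is only explained after the table; an explicit placeholder with a note to the RFC Editor would be safer. The registry table also repeats the requirement levels already given in the section 2 table, so the text should say which copy is authoritative if the two ever differ.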
5. Security Considerations
MD5 was proven to be less secure than expected in some uses, but MD5 was proven to be less secure than expected in some uses, but
HMAC-MD5 is not one of these uses, i.e., today HMAC-MD5 was not HMAC-MD5 is not one of these uses, i.e., today HMAC-MD5 was not
proved insecure [Bellovin]. proved insecure [Bellovin].
But for many reasons like to avoid insecure uses of MD5, or But for many reasons like to avoid insecure uses of MD5, or
certification of cryptographic modules (e.g., [FIPS140-2], one cannot certification of cryptographic modules (e.g., [FIPS140-2], one cannot
assume MD5 will be provided by all cryptographic modules, so even assume MD5 will be provided by all cryptographic modules, so even
HMAC-MD5 does not lead today to security issues, it can lead to HMAC-MD5 does not lead today to security issues, it can lead to
operational issues. operational issues.
The use of MD5 and HMAC-MD5 is NOT RECOMMENDED in TSIG and related The use of MD5 and HMAC-MD5 is NOT RECOMMENDED in TSIG and related
specifications (i.e., TKEY). specifications (i.e., TKEY).
But SHA1 seems to be vulnerable too, so the use of at least SHA256 is But SHA1 seems to be vulnerable too, so the use of at least SHA256 is
RECOMMENDED. Implementations which support TSIG are REQUIRED to RECOMMENDED. Implementations which support TSIG are REQUIRED to
implement HMAC-SHA256, the HMAC-SHA256 algorithm is RECOMMENDED for implement HMAC-SHA256, the HMAC-SHA256 algorithm is RECOMMENDED for
default use in TSIG. default use in TSIG.
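Review bot: "NOT RECOMMENDED" is used as a requirement keyword in this section, but the key-words paragraph in the Introduction does not list it; add it there. The parenthesis opened at "(e.g., [FIPS140-2]," is never closed, and "so even HMAC-MD5 does not lead today to security issues" is missing "if". The last paragraph recommends at least SHA256 because SHA1 "seems to be vulnerable too" while hmac-sha1 stays Mandatory in the table, so a sentence explaining why it remains Mandatory would help.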
7. Acknowledgments 6. Acknowledgments
Cryptographic module validation programs made MD5 not approved so not Cryptographic module validation programs made MD5 not approved so not
available. They provide a good incentive to deprecate MD5 at a place available. They provide a good incentive to deprecate MD5 at a place
it is still mandatory to support and likely heavily used. it is still mandatory to support and likely heavily used.
Olafur Gudmundsson kindly helped in the procedure to deprecate the Olafur Gudmundsson kindly helped in the procedure to deprecate the
MD5 use in TSIG, i.e., the procedure which led to this memo. Alfred MD5 use in TSIG, i.e., the procedure which led to this memo. Alfred
Hoenes and Peter Koch proposed some improvements. Hoenes, Peter Koch and paul Hoffman proposed some improvements.
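Review bot: "paul Hoffman" in the -01 acknowledgments needs a capital P.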
8. References 7. References
8.1. Normative References 7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, BCP 14, March 1997. Requirement Levels", RFC 2119, BCP 14, March 1997.
[RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B. [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B.
Wellington, "Secret Key Transaction Authentication for DNS Wellington, "Secret Key Transaction Authentication for DNS
(TSIG)", RFC 2845, May 2000. (TSIG)", RFC 2845, May 2000.
[RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY
RR)", RFC 2930, September 2000. RR)", RFC 2930, September 2000.
[RFC4635] Eastlake, D., "HMAC SHA TSIG Algorithm Identifiers", [RFC4635] Eastlake, D., "HMAC SHA TSIG Algorithm Identifiers",
RFC 4635, August 2006. RFC 4635, August 2006.
8.2. Informative References 7.2. Informative References
[Bellovin] [Bellovin]
Bellovin, S., "[Cfrg] HMAC-MD5", March 2006, <http:// Bellovin, S., "[Cfrg] HMAC-MD5", March 2006, <http://
www.ietf.org/mail-archive/web/cfrg/current/msg01197.html>. www.ietf.org/mail-archive/web/cfrg/current/msg01197.html>.
[FIPS140-2] [FIPS140-2]
National Institute of Standards and Technology (NIST), National Institute of Standards and Technology (NIST),
"FIPS PUB 140-2: Security Requirements for Cryptographic "FIPS PUB 140-2: Security Requirements for Cryptographic
Modules", May 2001, <http://csrc.nist.gov/publications/ Modules", May 2001, <http://csrc.nist.gov/publications/
fips/fips140-2/fips1402.pdf>. fips/fips140-2/fips1402.pdf>.
[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
April 1992. April 1992.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, Hashing for Message Authentication", RFC 2104,
February 1997. February 1997.
[RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain
Name System (DNS)", RFC 3110, May 2001.
[RFC3174] Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1 [RFC3174] Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1
(SHA1)", RFC 3174, September 2001. (SHA1)", RFC 3174, September 2001.
[RFC3645] Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead, J.,
and R. Hall, "Generic Security Service Algorithm for
Secret Key Transaction Authentication for DNS (GSS-TSIG)",
RFC 3645, October 2003.
[RFC3874] Housley, R., "A 224-bit One-way Hash Function: SHA-224", [RFC3874] Housley, R., "A 224-bit One-way Hash Function: SHA-224",
RFC 3874, September 2004. RFC 3874, September 2004.
[RFC4634] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms [RFC4634] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and HMAC-SHA)", RFC 4634, July 2006. (SHA and HMAC-SHA)", RFC 4634, July 2006.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", RFC 5226, BCP 26, IANA Considerations Section in RFCs", RFC 5226, BCP 26,
May 2008. May 2008.
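Review bot: [RFC4634] is listed under Informative References, but the TKEY section makes SHA256 from that reference part of a normative derivation, so it should move to the Normative References. The same question applies to [RFC5226], which item 1 of the Introduction cites for the registry policy. The newly added [RFC3645] is cited only from the IANA registry table, which is fine as informative.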
 End of changes. 18 change blocks. 
32 lines changed or deleted 41 lines changed or added
