draft-ietf-dnsext-tsig-md5-deprecated-01.txt   draft-ietf-dnsext-tsig-md5-deprecated-02.txt 
DNSext Working Group F. Dupont DNSext Working Group F. Dupont
Internet-Draft ISC Internet-Draft ISC
Updates: 2845,2930,4635 November 19, 2008 Updates: 2845,2930,4635 April 27, 2009
(if approved) (if approved)
Intended status: Standards Track Intended status: Standards Track
Expires: May 23, 2009 Expires: October 29, 2009
Deprecation of HMAC-MD5 in DNS TSIG and TKEY Resource Records Deprecation of HMAC-MD5 in DNS TSIG and TKEY Resource Records
draft-ietf-dnsext-tsig-md5-deprecated-01.txt draft-ietf-dnsext-tsig-md5-deprecated-02.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any This Internet-Draft is submitted to IETF in full conformance with the
applicable patent or other IPR claims of which he or she is aware provisions of BCP 78 and BCP 79. This document may contain material
have been or will be disclosed, and any of which he or she becomes from IETF Documents or IETF Contributions published or made publicly
aware will be disclosed, in accordance with Section 6 of BCP 79. available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 23, 2009. This Internet-Draft will expire on October 29, 2009.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract Abstract
The main goal of this document is to deprecate the use of HMAC-MD5 as The main goal of this document is to deprecate the use of HMAC-MD5 as
an algorithm for the TSIG (secret key transaction authentication) an algorithm for the TSIG (secret key transaction authentication)
resource record in the DNS (domain name system). resource record in the DNS (domain name system).
1. Introduction 1. Introduction
The secret key transaction authentication for DNS (TSIG, [RFC2845]) The secret key transaction authentication for DNS (TSIG, [RFC2845])
skipping to change at page 2, line 25 skipping to change at page 2, line 43
establishment for DNS (TKEY, [RFC2930]) using a Diffie-Hellman establishment for DNS (TKEY, [RFC2930]) using a Diffie-Hellman
exchange with SHA256 [RFC4634] in place of MD5 [RFC1321] exchange with SHA256 [RFC4634] in place of MD5 [RFC1321]
4. Finally recommend the use of HMAC-SHA256. 4. Finally recommend the use of HMAC-SHA256.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Implementation Requirements 2. Implementation Requirements
The table of section 3 of [RFC4635] is updated into: The table of section 3 of [RFC4635] is replaced by:
+-------------------+--------------------------+ +-------------------+--------------------------+
| Requirement Level | Algorithm Name | | Requirement Level | Algorithm Name |
+-------------------+--------------------------+ +-------------------+--------------------------+
| Optional | HMAC-MD5.SIG-ALG.REG.INT | | Optional | HMAC-MD5.SIG-ALG.REG.INT |
| Optional | gss-tsig | | Optional | gss-tsig |
| Mandatory | hmac-sha1 | | Mandatory | hmac-sha1 |
| Optional | hmac-sha224 | | Optional | hmac-sha224 |
| Mandatory | hmac-sha256 | | Mandatory | hmac-sha256 |
| Optional | hmac-sha384 | | Optional | hmac-sha384 |
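Review bot: nothing next to the table says that "Requirement Level" means what an implementation must support rather than what an operator should use. As a result HMAC-MD5.SIG-ALG.REG.INT reads "Optional" here while Section 6 of -02 says its use is NOT RECOMMENDED, and hmac-sha1 stays "Mandatory" while the new Section 5 says SHA1 "follows few years behind". Add a sentence under the table stating that these are implementation requirement levels and that usage guidance is in Section 6, so "Optional" is not read as permission to keep HMAC-MD5 as a configured default.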
skipping to change at page 3, line 15 skipping to change at page 3, line 38
This is amended into: This is amended into:
keying material = keying material =
XOR ( DH value, SHA256 ( query data | DH value ) | XOR ( DH value, SHA256 ( query data | DH value ) |
SHA256 ( server data | DH value ) ) SHA256 ( server data | DH value ) )
using the same conventions. using the same conventions.
4. IANA Consideration 4. IANA Consideration
This document extends the "TSIG Algorithm Names - per [RFC2845]" This document extends the "TSIG Algorithm Names - per [] and
located at http://www.iana.org/assignments/tsig-algorithm-names by [RFC2845]" located at
adding a new colum to the registry "Compliance Requirement". http://www.iana.org/assignments/tsig-algorithm-names by adding a new
column to the registry "Compliance Requirement".
The registry should contain the following: The registry should contain the following:
+--------------------------+------------------------+-------------+ +--------------------------+------------------------+-------------+
| Algorithm Name | Compliance Requirement | Reference | | Algorithm Name | Compliance Requirement | Reference |
+--------------------------+------------------------+-------------+ +--------------------------+------------------------+-------------+
| gss-tsig | Optional | [RFC3645] | | gss-tsig | Optional | [RFC3645] |
| HMAC-MD5.SIG-ALG.REG.INT | Optional | [RFC2845][] | | HMAC-MD5.SIG-ALG.REG.INT | Optional | [][RFC2845] |
| hmac-sha1 | Mandatory | [RFC4635] | | hmac-sha1 | Mandatory | [RFC4635] |
| hmac-sha224 | Optional | [RFC4635] | | hmac-sha224 | Optional | [RFC4635] |
| hmac-sha256 | Mandatory | [RFC4635] | | hmac-sha256 | Mandatory | [RFC4635] |
| hmac-sha384 | Optional | [RFC4635] | | hmac-sha384 | Optional | [RFC4635] |
| hmac-sha512 | Optional | [RFC4635] | | hmac-sha512 | Optional | [RFC4635] |
+--------------------------+------------------------+-------------+ +--------------------------+------------------------+-------------+
where [] is this document. where [] is this document.
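Review bot: in -02 the empty "[]" self-reference sits inside the quoted registry title ("TSIG Algorithm Names - per [] and [RFC2845]") as well as in the HMAC-MD5.SIG-ALG.REG.INT row, which leaves IANA to guess whether the registry title itself is being changed. Use a visible placeholder for this document in both places and state explicitly whether the title changes or only the "Compliance Requirement" column is added. The sentence "This document extends the ... located at" is also missing its noun (the registry) in both versions.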
5. Security Considerations 5. Availability Considerations
MD5 was proven to be less secure than expected in some uses, but MD5 is no more universally available and its use should lead to
HMAC-MD5 is not one of these uses, i.e., today HMAC-MD5 was not increasing operation issues. SHA1 is likely to suffer from the same
proved insecure [Bellovin]. kind of problem. To summary MD5 has reached end-of-life and SHA1
follows few years behind.
But for many reasons like to avoid insecure uses of MD5, or According to [RFC4635], implementations which support TSIG are
certification of cryptographic modules (e.g., [FIPS140-2], one cannot REQUIRED to implement HMAC-SHA256.
assume MD5 will be provided by all cryptographic modules, so even
HMAC-MD5 does not lead today to security issues, it can lead to
operational issues.
The use of MD5 and HMAC-MD5 is NOT RECOMMENDED in TSIG and related 6. Security Considerations
specifications (i.e., TKEY).
But SHA1 seems to be vulnerable too, so the use of at least SHA256 is This document does not assume anything about the cryptographic
RECOMMENDED. Implementations which support TSIG are REQUIRED to security of different hash algorithms. It is a routine maintenance,
implement HMAC-SHA256, the HMAC-SHA256 algorithm is RECOMMENDED for its goal is better availability of some security mechanisms in a
default use in TSIG. predictable future.
6. Acknowledgments Requirement levels are adjusted for TSIG and related specifications
(i.e., TKEY):
The use of MD5 and HMAC-MD5 is NOT RECOMMENDED.
The use of HMAC-SHA256 is RECOMMENDED.
Cryptographic module validation programs made MD5 not approved so not 7. Acknowledgments
available. They provide a good incentive to deprecate MD5 at a place
it is still mandatory to support and likely heavily used.
Olafur Gudmundsson kindly helped in the procedure to deprecate the Olafur Gudmundsson kindly helped in the procedure to deprecate the
MD5 use in TSIG, i.e., the procedure which led to this memo. Alfred MD5 use in TSIG, i.e., the procedure which led to this memo. Alfred
Hoenes, Peter Koch and paul Hoffman proposed some improvements. Hoenes, Peter Koch and Paul Hoffman proposed some improvements.
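Review bot: the new Section 5 asserts that MD5 "is no more universally available" with no supporting reference, because -02 drops both the [FIPS140-2] rationale and the [Bellovin] statement that HMAC-MD5 was not proved insecure, while the new Section 6 says the document "does not assume anything about the cryptographic security" of the hash algorithms. Keep one cited sentence saying that the driver is availability in cryptographic modules and not a break of HMAC-MD5, so the NOT RECOMMENDED level has a stated basis that operators can check. Section 6 also loses the -01 wording that HMAC-SHA256 is "RECOMMENDED for default use"; if default selection is still intended, say so. In Section 5, "To summary" should read "To summarize".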
7. References 8. References
7.1. Normative References 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, BCP 14, March 1997. Requirement Levels", RFC 2119, BCP 14, March 1997.
[RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B. [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B.
Wellington, "Secret Key Transaction Authentication for DNS Wellington, "Secret Key Transaction Authentication for DNS
(TSIG)", RFC 2845, May 2000. (TSIG)", RFC 2845, May 2000.
[RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY
RR)", RFC 2930, September 2000. RR)", RFC 2930, September 2000.
[RFC4635] Eastlake, D., "HMAC SHA TSIG Algorithm Identifiers", [RFC4635] Eastlake, D., "HMAC SHA TSIG Algorithm Identifiers",
RFC 4635, August 2006. RFC 4635, August 2006.
7.2. Informative References 8.2. Informative References
[Bellovin]
Bellovin, S., "[Cfrg] HMAC-MD5", March 2006, <http://
www.ietf.org/mail-archive/web/cfrg/current/msg01197.html>.
[FIPS140-2]
National Institute of Standards and Technology (NIST),
"FIPS PUB 140-2: Security Requirements for Cryptographic
Modules", May 2001, <http://csrc.nist.gov/publications/
fips/fips140-2/fips1402.pdf>.
[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
April 1992. April 1992.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, Hashing for Message Authentication", RFC 2104,
February 1997. February 1997.
[RFC3174] Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1 [RFC3174] Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1
(SHA1)", RFC 3174, September 2001. (SHA1)", RFC 3174, September 2001.
skipping to change at page 6, line 4 skipping to change at line 222
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", RFC 5226, BCP 26, IANA Considerations Section in RFCs", RFC 5226, BCP 26,
May 2008. May 2008.
Author's Address Author's Address
Francis Dupont Francis Dupont
ISC ISC
Email: Francis.Dupont@fdupont.fr Email: Francis.Dupont@fdupont.fr
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
 End of changes. 20 change blocks. 
46 lines changed or deleted 54 lines changed or added
