RFC 1852 (rfc1852)


IP Authentication using Keyed SHA






RFC 1852                         AH SHA                   September 1995


                           SHA  ftp://rand.org/pub/jim/sha.tar.gz.

   The form of the authenticated message is

            key, keyfill, datagram, key, SHAfill

   First, the variable length secret authentication key is filled to the
   next 512-bit boundary, using the same pad with length technique
   defined for SHA.

   Then, the filled key is concatenated with (immediately followed by)
   the invariant fields of the entire IP datagram (variant fields are
   zeroed), concatenated with (immediately followed by) the original
   variable length key again.

   A trailing pad with length to the next 512-bit boundary for the
   entire message is added by SHA itself.  The 160-bit SHA digest is
   calculated, and the result is inserted into the Authentication Data
   field.

   Discussion:
      The leading copy of the key is padded in order to facilitate
      copying of the key at machine boundaries without requiring re-
      alignment of the following datagram.  The padding technique
      includes a length which protects arbitrary length keys.  Filling
      to the SHA block size also allows the key to be prehashed to avoid
      the physical copy in some implementations.

      The trailing copy of the key is not necessary to protect against
      appending attacks, as the IP datagram already includes a total
      length field.  It reintroduces mixing of the entire key, providing
      minimal protection for very long and very short datagrams, and
      marginal robustness against possible attacks on the IP length
      field itself.
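
   Added example, not part of RFC 1852: the "key, keyfill, datagram,
   key, SHAfill" construction with the filled key prehashed once, as the
   Discussion suggests.  It assumes "SHA" is the 160-bit SHA-1 exposed
   by Python's hashlib.sha1 and that the caller passes the datagram with
   variant fields already zeroed; the names keyfill and KeyedSHA and the
   sample key and datagram are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 64  # SHA block size in bytes (512 bits)


def keyfill(key_len: int) -> bytes:
    """SHA-style pad with length for a key of key_len bytes:
    a 0x80 byte, zero bytes, then the key's bit count as 64-bit big-endian."""
    zeros = (BLOCK - 9 - key_len) % BLOCK
    return b"\x80" + b"\x00" * zeros + (key_len * 8).to_bytes(8, "big")


class KeyedSHA:
    """Hypothetical helper computing the Authentication Data digest."""

    def __init__(self, key: bytes):
        self._key = key
        # The filled key ends exactly on a block boundary, so its hash
        # state can be computed once and copied for every datagram.
        self._prefix = hashlib.sha1(key + keyfill(len(key)))

    def digest(self, datagram: bytes) -> bytes:
        """datagram: entire IP datagram, variant fields already zeroed."""
        h = self._prefix.copy()
        h.update(datagram)
        h.update(self._key)   # trailing copy of the original key
        return h.digest()     # SHA adds the final pad (SHAfill) itself

    def verify(self, datagram: bytes, auth_data: bytes) -> bool:
        # Constant-time comparison of computed and received digests.
        return hmac.compare_digest(self.digest(datagram), auth_data)


if __name__ == "__main__":
    key = b"constructed-sample-key"     # constructed sample value
    datagram = bytes(range(40))         # constructed stand-in datagram
    ah = KeyedSHA(key)
    tag = ah.digest(datagram)
    print(tag.hex(), ah.verify(datagram, tag))
```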




Metzger & Simpson             Experimental