RFC 2841 (rfc2841) - Page 2 of 9
IP Authentication using Keyed SHA1 with Interleaved Padding (IP-MAC)
Alternative Format: Original Text Document
RFC 2841 AH SHA1 IP-MAC November 2000
1. Introduction
The Authentication Header (AH) [RFC-1826] provides integrity and
authentication for IP datagrams. This specification describes the AH
use of keys with the Secure Hash Algorithm (SHA1) [FIPS-180-1]. This
SHA1-IP-MAC algorithm uses a leading and trailing key (a variant of
the "envelope method"), with alignment padding between both keys and
data.
It should be noted that this document specifies a newer version of
SHA than that described in [FIPS-180], which was flawed. The
older version is not interoperable with the newer version.
This document assumes that the reader is familiar with the related
document "Security Architecture for the Internet Protocol" [RFC-
1825], that defines the overall security plan for IP, and provides
important background for this specification.
1.1. Keys
The secret authentication key shared between the communicating
parties SHOULD be a cryptographically strong random number, not a
guessable string of any sort.
The shared key is not constrained by this transform to any particular
size. Lengths of 160-bits (20 octets) MUST be supported by the
implementation, although any particular key may be shorter. Longer
keys are encouraged.
1.2. Data Size
SHA1's 160-bit output is naturally 32-bit aligned. However, many
implementations require 64-bit alignment of the following headers.
Therefore, several options are available for data alignment (most
preferred to least preferred):
1) only the most significant 128-bits (16 octets) of output are used.
2) an additional 32-bits (4 octets) of padding is added before the
SHA1 output.
3) an additional 32-bits (4 octets) of padding is added after the
SHA1 output.
4) the SHA1 output is variably bit-positioned within 192-bits (24
octets).
Metzger & Simpson Historic