RFC 1828 (rfc1828) - Page 2 of 5
IP Authentication using Keyed MD5
Alternative Format: Original Text Document
RFC 1828 AH MD5 August 1995
2. Calculation
The 128-bit digest is calculated as described in [RFC-1321]. The
specification of MD5 includes a portable 'C' programming language
description of the MD5 algorithm.
The form of the authenticated message is
key, keyfill, datagram, key, MD5fill
First, the variable length secret authentication key is filled to the
next 512-bit boundary, using the same pad with length technique
defined for MD5.
Then, the filled key is concatenated with (immediately followed by)
the invariant fields of the entire IP datagram (variant fields are
zeroed), concatenated with (immediately followed by) the original
variable length key again.
A trailing pad with length to the next 512-bit boundary for the
entire message is added by MD5 itself. The 128-bit MD5 digest is
calculated, and the result is inserted into the Authentication Data
field.
Discussion:
When the implementation adds the keys and padding in place before
and after the IP datagram, care must be taken that the keys and/or
padding are not sent over the link by the link driver.
Security Considerations
Users need to understand that the quality of the security provided by
this specification depends completely on the strength of the MD5 hash
function, the correctness of that algorithm's implementation, the
security of the key management mechanism and its implementation, the
strength of the key [CN94], and upon the correctness of the
implementations in all of the participating nodes.
At the time of writing of this document, it is known to be possible
to produce collisions in the compression function of MD5 [dBB93].
There is not yet a known method to exploit these collisions to attack
MD5 in practice, but this fact is disturbing to some authors
[Schneier94].
It has also recently been determined [vOW94] that it is possible to
build a machine for $10 Million that could find two chosen text
Metzger & Simpson Standards Track