

Key Management Considerations for the TCP MD5 Signature Option






Network Working Group                                           M. Leech
Request for Comments: 3562                               Nortel Networks
Category: Informational                                        July 2003


                   Key Management Considerations for
                     the TCP MD5 Signature Option

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   The TCP MD5 Signature Option (RFC 2385), used predominantly by BGP,
   has seen significant deployment in critical areas of Internet
   infrastructure.  The security of this option relies heavily on the
   quality of the keying material used to compute the MD5 signature.
   This document addresses the security requirements of that keying
   material.

1. Introduction

   The security of various cryptographic functions lies both in the
   strength of the functions themselves against various forms of attack,
   and also, perhaps more importantly, in the keying material that is
   used with them.  While theoretical attacks against the simple MAC
   construction used in RFC 2385 are possible [MDXMAC], the number of
   text-MAC pairs required to mount a forgery makes it vastly more
   probable that key-guessing is the main threat against RFC 2385.

   We show a quantitative approach to determining the security
   requirements of keys used with [RFC 2385], which tends to suggest the
   following:

      o  Key lengths SHOULD be between 12 and 24 bytes, with larger keys
         having effectively zero additional computational costs when
         compared to shorter keys.







Leech                        Informational