2008/014 SHA-2 support for IPsec and IKE
Bill Sommerfeld
sommerfeld at sun.com
Tue Jan 8 15:19:37 PST 2008
I'm sponsoring this self-reviewed case for Dan McDonald and have marked
it "closed approved automatic".
(Process note: If anyone believes that this doesn't qualify for
self-review please speak up ASAP).
Description
-----------
SHA-2 specifies three secure hash algorithms with outputs of 256, 384, and
512 bits. These are already available in the Solaris Cryptographic
Framework, as well as being available in HMAC variants that make them
suitable for use in IPsec.
This project will enable support for sha256, sha384, and sha512 in IPsec's AH
and ESP, as well as IKE. Like previous new-algorithm cases (e.g. 2007/409),
the proposed interface taxonomy is Committed, and the proposed release
binding is Micro/Patch.
The following programs/files that accept algorithm parameters:
ipseckey(1M)
ipsecconf(1M)
ike.config(4)
will now accept hmac-sha{256,384,512} and variants. See man page RFEs
6642856 and 6642860.
This project will also increase our interoperability with other platforms
(e.g. Vista SP1 and Linux), as well as increase our security (hashes are
stronger than MD5 or SHA-1).
Internet RFCs
-------------
RFC 4868 - Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
More information about the opensolaris-arc
mailing list