Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
RFC 4868, “Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec”, is a Proposed Standard document published in May 2007 by S. Kelly, S. Frankel. The canonical text is published by the RFC Editor.
Abstract
This specification describes the use of Hashed Message Authentication Mode (HMAC) in conjunction with the SHA-256, SHA-384, and SHA-512 algorithms in IPsec. These algorithms may be used as the basis for data origin authentication and integrity verification mechanisms for the Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange Protocol (IKE), and IKEv2 protocols, and also as Pseudo-Random Functions (PRFs) for IKE and IKEv2. Truncated output lengths are specified for the authentication-related variants, with the corresponding algorithms designated as HMAC-SHA-256-128, HMAC-SHA-384-192, and HMAC-SHA-512-256. The PRF variants are not truncated, and are called PRF-HMAC-SHA-256, PRF-HMAC-SHA-384, and PRF-HMAC-SHA-512. [STANDARDS-TRACK]
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 4868 is hosted at rfc-editor.org. Available in TXT,HTML.
- RFC 4867 RTP Payload Format and File Storage Format for the Adaptive Multi- Rate and Adaptive Multi-Rate Wideband Audio Codecs
- RFC 4869 Suite B Cryptographic Suites for IPsec
- RFC 4866 Enhanced Route Optimization for Mobile IPv6
- RFC 4870 Domain-Based Email Authentication Using Public Keys Advertised in the DNS
- RFC 4865 SMTP Submission Service Extension for Future Message Release
- RFC 4871 DomainKeys Identified Mail Signatures
- RFC 4864 Local Network Protection for IPv6
- RFC 4872 RSVP-TE Extensions in Support of End-to-End Generalized Multi- Protocol Label Switching Recovery