词条 | Cryptographically Generated Address | ||||||
释义 |
A Cryptographically Generated Address (CGA) is an Internet Protocol Version 6 (IPv6) address that has a host identifier computed from a cryptographic hash function.[1] This procedure is a method for binding a public signature key to an IPv6 address in the Secure Neighbor Discovery Protocol (SEND).[2] MethodologyA Cryptographically Generated Address is formed by replacing the least-significant 64 bits of the 128-bit IPv6 address with the cryptographic hash of the public key of the address owner. The messages are signed with the corresponding private key. Only if the source address and the public key are known can the verifier authenticate the message from that corresponding sender. This method requires no public key infrastructure. Valid CGAs may be generated by any sender, including a potential attacker, but they cannot use any existing CGAs. CharacteristicsA Cryptographically Generated Address is an IPv6 address whose interface identifier has been generated according to the CGA generation method. The interface identifier is formed by the least-significant 64 bits of an IPv6 address and is used to identify the host's network interface on its subnet. The subnet is determined by the most-significant 64 bits, the subnet prefix.
Apart from the public key that is to be bound to the CGA, the CGA generation method takes several other input parameters including the predefined subnet prefix. These parameters, along with other parameters that are generated during the execution of the CGA generation method, form a set of parameters called the CGA Parameters data structure. The complete set of CGA Parameters has to be known in order to be able to verify the corresponding CGA. The CGA Parameters data structure consists of:
Additionally, a security parameter CGA generation methodThe following piece of pseudocode represents the CGA generation method, which is used to create a new Cryptographically Generated Address. 1 '''procedure''' generateCGA(''Sec'', ''subnetPrefix'', ''publicKey'', ''extFields''): 2 ''modifier'' := random(0x00000000000000000000000000000000, // 16 octets (128 bits) 3 0xffffffffffffffffffffffffffffffff) 4 5 label1: 6 ''concat'' := concatenate(''modifier'', 0x000000000000000000, // 9 zero octets 7 ''publicKey'', ''extFields'') 8 9 ''digest'' := SHA1(''concat'') 10 ''Hash2'' := ''digest''[0:14] // 14*8 = 112 leftmost bits 11 12 '''if''' ''Sec'' ≠ 0 '''and''' ''Hash2''[0:2*''Sec''] ≠ 0: // 2*Sec*8 = 16*Sec leftmost bits 13 ''modifier'' := ''modifier'' + 1 14 '''goto''' label1 15 '''end if''' 16 17 ''collCount'' := 0x00 // 8-bit collision count 18 19 label2: 20 ''concat'' := concatenate(''modifier'', ''subnetPrefix'', ''collCount'', 21 ''publicKey'', ''extFields'') 22 23 ''digest'' := SHA1(''concat'') 24 ''Hash1'' := ''digest''[0:8] // 8*8 = 64 leftmost bits 25 26 ''intID'' := ''Hash1'' // Hash1 becomes interface identifier... 27 ''intID''[0] := ''intID''[0] '''binary and''' 0x1c '''binary or''' (''Sec'' << 5) // ...after writing Sec and u/g bits 28 29 ''CGA'' := concatenate(''subnetPrefix'', ''intID'') // concatenate to form the CGA 30 31 '''if''' duplicate(''CGA''): 32 ''collCount'' := ''collCount'' + 1 33 34 '''if''' ''collCount'' = 3: 35 '''abort''' 36 '''end if''' 37 38 '''goto''' label2 39 '''end if''' 40 41 '''return''' [''CGA'', [''modifier'', ''subnetPrefix'', ''collCount'', ''publicKey'', ''extFields'']] 42 '''end procedure''' The CGA's interface identifier is largely formed by The After concatenating the subnet prefix and the generated interface identifier to create the CGA, duplicate address detection may be performed. If the address is already in use, then the collision counter On line 41 the CGA is returned, along with the CGA Parameters data structure. CGA verification methodA Cryptographically Generated Address is used to verify that received signed messages were sent by the host to which that address has been assigned. This is done by verifying that the key pair used for signing has been bound to the CGA. Because the authenticity of the public key can be verified this way, there is no need for a public key infrastructure. If the host itself is required to be authenticated as well, however, then the CGA itself needs to be authenticated beforehand since the bound public key cannot be trusted if the address is not trusted in such a case (assuming it has not been verified by other methods than CGA). The CGA verification method, in which a public key is verified to be bound to a CGA, requires the corresponding CGA Parameters data structure as input and can be implemented as follows. 1 '''procedure''' verifyCGA(''CGA'', [''modifier'', ''subnetPrefix'', ''collCount'', ''publicKey'', ''extFields'']): 2 '''if''' ''collCount'' > 2 '''or''' ''CGA''[0:8] ≠ ''subnetPrefix'': 3 '''return''' false 4 '''end if''' 5 6 ''concat'' := concatenate(''modifier'', ''subnetPrefix'', ''collCount'', 7 ''publicKey'', ''extFields'') 8 9 ''digest'' := SHA1(''concat'') 10 ''Hash1'' := ''digest''[0:8] // 8*8 = 64 leftmost bits 11 ''Hash1''[0] := ''Hash1''[0] '''binary and''' 0x1c // ignore Sec and u/g bits 12 13 ''intID'' := ''CGA''[8:16] // interface identifier (64 rightmost bits) 14 ''intID''[0] := ''intID''[0] '''binary and''' 0x1c // ignore Sec and u/g bits 15 16 '''if''' ''Hash1'' ≠ ''intID'': 17 '''return''' false 18 '''end if''' 19 20 ''Sec'' := ''CGA''[8] >> 5 // extract Sec from interface identifier 21 22 ''concat'' := concatenate(''modifier'', 0x000000000000000000, // 9 zero octets 23 ''publicKey'', ''extFields'') 24 25 ''digest'' := SHA1(''concat'') 26 ''Hash2'' := ''digest''[0:14] // 14*8 = 112 leftmost bits 27 28 '''if''' ''Sec'' ≠ 0 '''and''' ''Hash2''[0:2*''Sec''] ≠ 0: // 2*Sec*8 = 16*Sec leftmost bits 29 '''return''' false 30 '''end if''' 31 32 '''return''' true // verification succeeded 33 '''end procedure''' The method starts with checking if From line 6 to 18, After extracting SecurityIn order for an attacker to make a client believe it received a valid message from a certain CGA that isn't owned by the attacker, the attacker must find a hash collision for the relevant bits of Of the 64 bits of Because During the CGA generation process, it is very unlikely that three address collisions occur. If a duplicate address would be detected for the third time, then this would most likely be due to a configuration or implementation error or a denial-of-service attack. For this reason, the number of valid values for By including the subnet prefix in the digest operation that results in See also
References1. ^RFC 3972, Cryptographically Generated Addresses (CGA), T. Aura (March 2005) 2. ^RFC 3971, Secure Neighbor Discovery (SEND), J. Arkko (ed.), J. Kempf, B. Zill, P. Nikander (March 2005) 3 : Cryptographic protocols|IPv6|Articles with example pseudocode |
||||||
随便看 |
|
开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。