Hash optimization for Cryptographically Generated Address T.Rajendran

K.V.Sreenaath

Security Technology Group, Motorola India Private Limited. Bangalore, India [email protected]

Research Scholar [email protected]

Abstract— Cryptographically generated addresses (CGA) are IPv6 addresses where the interface address bits are generated by hashing the address owner's public key [1]. Owner of the address uses the corresponding private key and signs messages sent from that address to assert ownership of the address. CGA is generated by recursive hashing and conformance of the computed hash depending upon the security level. In this paper we propose restructuring of the CGA format and optimization of hash computation of CGA using SHA-1[2] and MD5[3]. Keywords-component; CGA; Hash optimization

I.

address against brute force attacks. Security Parameter is a 3bit unsigned integer encoded in the three leftmost bits of the 64-bit interface identifier. Base don the security level the computed CGA has to confirm to the following two conditions 1) The first computed hash (hash-1) should equal the interface identifier of the IPv6 address. 2) The leftmost 16 bits of the second computed hash (hash-2) on masking with Mask-2 (Mask-2 is defined below) based on the 3-bit security level should be zero. The conditions are shown in Figure 2

INTRODUCTION

In Cryptographically Generated Address (CGA), the rightmost 64 bits- the interface identifier is generated by computing a cryptographic hash of the public key. The resulting IPv6 address is called a cryptographically generated address (CGA) [1]. CGA are used in IPv6 systems and are widely proposed as one of the techniques to overcome security issues in Binding Updates in Mobile IP v6 [4]. CGA are also used in SEcure Neighbor Discovery (SEND) [5]. The CGA data structure used in computation of CGA is given in Figure 1.

Figure 2. CGA conditions

II.

CGA COMPUTATION

CGA is computed as follows (Refer [1] for the complete description of the computational steps.)

Figure 1. CGA Data Structure

As shown in Figure 1, the CGA data structure has a modifier (random number) of 16 octets, a subnet prefix of 8 octets, a Public Key of variable length and an optional extension field of variable length. CGA has a security parameter that indicates the security level of the generated

1) Set the Modifier to a random 128 bit value. 2) Concatenate 9 zero octets, public key and optional extension fields from left to right with the generated modifier. 3) Compute SHA-1 on the result from (2). The resultant 112 leftmost bits is Hash-2. 4) Mask Hash-2 with Mask2 base don the security level. If the result is zero continue with step 5. If not increment the modifier and continue from step 2. 5) Concatenate from left to right the final modifier value, the subnet prefix, the collision count, the encoded public key, and any optional extension fields. Compute SHA-1 on the concatenation. Take the 64 leftmost bits of the SHA-1 hash value. The result is Hash1.

6) Form interface identifier from Hash-1 by writing value f sec in to three leftmost bits and setting bits 6 and 7 to zero. 7) Concatenate 64 bit subnet prefix with the 64-bit interface identifier computed in step 6 to obtain a 128 bit IPV6 address. This is the Cryptographically Generated Address (CGA). III.

OPTIMIZED CGA DATA STRUCTURE

Cryptographically generated address creation goes through a sequence of loops. While computing Hash-2 if the masking does not result in zero then the Modifier (random number) is increased and same sequence of steps is continued. The major problem here is that there will be few bits of change while incrementing the Modifier value. Even with that few bits change computation for the hash is done from the beginning as there is dependency between 512 bit blocks in hash computation. Let us assume that the CGA data structure has a size of 1526 bits. Initially, Hash-2 will be computed for 1526 bits. Hashing algorithm (Both SHA-1 and MD5) computes the digest of the data in chunks of 512 bit blocks. For each 512 block a sequence of operations is done which will form as the input for the next 512 block. So when Hash-2 masked with Mask-2 does not yield Zero then the Modifier is incremented. Now the hash needs to be computed on the changed CGA structure. This hash computation needs to be carried right from the beginning (i.e from first 512 block) because the change in the Modifier value will fall within the first 512 bit block. Moreover the output of the sequence of operations of the first 512 block will be used for the operation on second 512 bit block. This is a major drawback when computing Hash for CGA. Figure 3 explains the drawback in this methodology pictorially.

Figure 3. Hash Computation

It can be seen from Figure 3 that for a change of few bits in the first/second block all the steps involved in computing the hash has to be carried right from the first 512 block. Let us assume that it takes ' t ' sec s to process one 512 block of bits. This means it takes '4t ' sec s to process all the 512 bit blocks and computes the hash. Even for few bit changes in the Modifier it again takes '3t ' sec s to compute the hash. This is very costly for few changes in bits. To overcome this we change the CGA data structure such that the Modifier field comes after the optional extension field. It is pictorially represented in Figure 4.

Figure 4. CGA Data Structure

In Figure 4 the Modifier field comes after the optional extension field. Let us see what happens with the change in the CGA data structure. When Hash-2 masked with Mask-2 does

not result in zero the Modifier field is incremented resulting in changes in Modifier field bits does not necessitate computing the operation right from the first 512 block in the hashing algorithm sequence. Instead the 512 block in which there was

takes ' t ' sec s if the 128 bit Modifier field fits in to the last

change in bits (Either the last 512 block if the 128 bits of the Modifier field is accommodated within that or the last two blocks where the 128 bits of Modifier field are spilled over) alone be subjected to the block operation. Let us assume that the CGA data structure has a a size of 1556 bits. Initially, Hash-2 will be computed for 1556 bits. Using an hashing algorithm (either SHA-1 or MD5) Hash-2 is computed as described in section 1. When Hash-2 masked with Mask-2 does not yield Zero then the Modifier is incremented. Now the hash needs to be computed on the changed CGA structure. However with the modified CGA data structure it is sufficient to compute the block operation on the 512 block (and subsequent 512 block. This happens when the 128 bits of Modifier field spills over the last two 512 blocks.) in which the bits of the Modifier field is changed. If the 128 bits of the Modifier field fills completely in the last 512 block then the block operation need be carried only on that. If the 128 bit spills over the last two 512 blocks then the block operation need to be carried on both of them sequentially. In this way the block operation for the rest of the blocks can be avoided saving consider amount of computation time. Let us assume that the block operation one

pictorially.

512 bit block takes ' t ' sec s and there are ' n' 512 bit blocks, then using the normal CGA data structure and without hashing algorithm optimization it would take ' nt ' sec s . However with the algorithm optimization and modified CGA data structure it

512 bit block and '2t ' sec s if the 128 bit Modifier field spills over the last two 512 bit block. Figure 5 explains the same

Figure 5. Optimized Hash Algorithm for CGA

From Figure 5 it can be understood that the Hashing Algorithm register values of the 512 block that precedes the 512 bit block containing the 128 bit Modifier field is stored while computing the Hash digest of the '1526' bit data for the first time. For subsequent calculation fo the Hash digest when Hash-2 masked with Mask-2 does not equate to zero the stored Hash algorithm register values are processed along with the 512 bit block containing the changed 512-bit Modifier bit field to produce the hash digest. If the 128 bit Modifier field spills over the last two 512 bit blocks then the block operation is carried on both the 512-bit block sequentially with the result of the first 512-bit block processed in the next to derive the Hash digest. IV.

ALGORITHM:

Hashing algorithm, SHA-1 [2] and MD5[3] computes the hash digest in blocks of 512 bits. The sequence of steps used in SHA-1 and MD5 (Detailed algorithm is given in [2] for SHA-1 and [3] for MD5) for computing the hash digest is as follows.

A. Conventional Hashing Algorithm

4) The output (register values after block operation) of the 512 bit block previous to the 512 bit block containing the 128 bit Modifier filed is backed up. 5) The block operation is carried till the last but one 512 block. If the last 512 block contains bits less than 56 bytes then padding fields are appended to it till 56 bytes of the 512 bit block. 8 byte length of the padding field is appended after that. This block is subjected to block operation with the input of the previous 512 bit block’s output to produce the Hash Digest. SHA-1 gives a 160 bit hash digest whereas MD5 gives a 128 bit hash digest. This is Hash-2. 6) If masking Hash-2 with Mask-2 does not yield zero then the Modifier field bits are changed and the changed 512 bit block of the data is subjected to the block operation along with the backed up output (register values after the 512 bit block operation) of the previous 512 bit block to produce the Hash Digest. If the Modifier field spills over the last two 512 bit block of the data then the block operation is carried on the next 512 bit block with the output of the previous 512 bit block to produce the Hash Digest.

1) Initialize the registers. SHA-1 has five registers each of 32 bit space whereas MD5 has 4 registers each of 32 bit space. 2) Partition the data in to 512 bit blocks. 3) Using the initialized register values perform block operation on the first 512-bit block. The result fo the block operation on the first 512-bit block is fed as an input to the next block operation along with the next 512-bit value. A block operation is a series of AND, OR, XOR, NEGATION operation on the bit values of the 512-bit block. Detailed information on sequence and flow of the operation is given in [2] for SHA-1 and [3] for MD5. 4) The block operation si carried till the last but one 512 block. If the last 512 block contains bits less than 56 bytes then padding fields are appended to it till 56 bytes of the 512 bit block. 8 byte length of the padding field is appended after that. This block is subjected to block operation with the input of the previous 512 bit block’s output to produce the Hash Digest. SHA-1 gives a 160 bit hash digest whereas MD5 gives a 128 bit hash digest.

V.

B. Optimized Hashing Algorithm for Modified CGA Structure The optimized hashing algorithm for the Modified CGA structure is as follows.

PERFORMANCE AND TEST RESULTS:

Our performance analysis shows that the proposed implementation roughly reduces the time required to perform hash computations by a factor of 5, i.e., 80% reduction in computation time. We have made use of 4x512 and 5x512 sized random blocks. Because the CGA structure would be similar to these sizes and would vary mainly due to the size of the public key. If the message size was larger than the above mentioned sizes the reduction would be even more. For a 4x512 random message the hash computations reduced by a factor of 4. For a 5x512 random message the hash computations reduced by a factor of 5. The graph in Figure 6 illustrates this.

1) Initialize the registers. SHA-1 has five registers each of 32 bit space whereas MD5 has 4 registers each of 32 bit space. 2) Partition the data in to 512 bit blocks. 3) Using the initialized register values perform block operation on the first 512-bit block. The result of the block operation on the first 512-bit block is fed as an input to the next block operation along with the next 512-bit value. A block operation is a series of AND, OR, XOR, NEGATION operation on the bit values of the 512-bit block. Detailed

Hash computations performed Vs Time 100000

Changes in last block with optimization

Time

80000

Changes in last 2 blocks with optimization 4X512 message no optimization 5X512 message no optimization

60000 40000 20000 17000

15000

13000

11000

9000

7000

5000

3000

1000

100

0

Hash computations performed information on sequence and flow of the operation is given in [2] for SHA-1 and [3] for MD5.

Figure 6. Performance analysis result

Practically without using the proposed optimization, it requires around one minute to generate a CGA of security level 1 and around 16 days to generate a CGA of security level 2. This test is performed on a machine with moderate processing power [1] suggests that CGA with security level 2 provides security from being hacked considering the current processor speeds. With the proposed optimization enabled it takes around 20 seconds to generate a CGA of sec level 1 and less than 4 days to generate a CGA of sec level 2. This is a considerable improvement in terms of time required to generate a CGA.

REFERENCES [1] [2] [3] [4]

[5]

T. Aura, "Cryptographically Generated Addresses (CGA)", IETF Standard RFC-3972, March 2005. D. Eastlake, P. Jones, “US Secure Hash Algorithm 1 (SHA1)”, IETF Standard RFC-3174, September 2001. R. Rivest, “The MD5 Message-Digest Algorithm”, IETF Standard RFC1321, April 1992. Tuomas Aura, Michael Roe, “Designing the Mobile IPv6 Security Protocol” Annals of telecommunications, special issue on Network and information systems security, volume 61 number 3-4, March-April 2006. J. Arkko, Ed., J. Kempf, B. Zill, P. Nikander, “SEcure Neighbor Discovery (SEND)”, IETF Standard RFC-1321, March 2005.