Re: [IPsec] AES-GCM IV length

From: ipsec-bounces at ietf.org [mailto:ipsec-bounces at ietf.org] On Behalf Of Scott C Moonen
Sent: Thursday, August 13, 2009 2:09 PM
To: ipsec at ietf.org
Subject: [IPsec] AES-GCM IV length


RFC 4106 says:

   The AES-GCM-ESP IV field MUST be eight octets.

NIST publication 800-38D says:

  For IVs, it is recommended that implementations restrict support to
  the length of 96 bits, to promote interoperability, efficiency, and
  simplicity of design.

See section 4 of RFC 4106: there's also a 4 octet 'salt' which is negotiated (and fixed for a particular SA); the nonce (IV) that is passed to the underlying GCM primitive is made of the 4 octet salt concatenated with the 8 byte IV from the packet.  This concatenated nonce is 96 bits in length, matching the above guideline...

There are no errata for RFC 4106, so I assume that ESP with ENCR-AES_GCM_nn uses an 8-byte IV.  Unfortunately, this goes against the NIST recommendation and also prevents the use of the RBG-based IV construction method outlined in the NIST document (which requires a minimum IV length of 96 bits).

Does anyone have any observations or comments on this?  Is it correct that existing ESP AES_GCM implementations are using 128-bit IVs?

If they are, they are not following RFC 4106...

Thanks,


Scott Moonen (smoonen at us.ibm.com)
z/OS Communications Server TCP/IP Development
http://scott.andstuff.org/
http://www.linkedin.com/in/smoonen
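
As an added illustration (not part of this thread and not code from any IPsec implementation), the Go program below builds the RFC 4106 nonce the way the reply describes, 4-octet SA salt concatenated with the 8-octet per-packet IV, and feeds that 96-bit nonce to Go's standard AES-GCM with the ESP header (SPI and sequence number) as authenticated data. The EspGCMSA type, the counter-derived IV, and the key, salt and SPI values are constructed sample choices for the example, not taken from RFC 4106 or any product.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)
// RFC 4106 section 4: the GCM nonce is the 4-octet salt fixed for the SA
// followed by the 8-octet IV carried in each packet, 96 bits in total.
const saltLen, ivLen = 4, 8
// EspGCMSA is a constructed, minimal stand-in for one ESP SA, not a real
// IPsec stack; key and salt would come from IKEv2 KEYMAT in practice.
type EspGCMSA struct {
	aead     cipher.AEAD
	salt     [saltLen]byte
	spi, seq uint32 // seq is the ESP sequence number; it also drives the IV
}
func NewEspGCMSA(key []byte, salt [saltLen]byte, spi uint32) (*EspGCMSA, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // standard GCM: 96-bit nonce, 128-bit ICV
	if err != nil {
		return nil, err
	}
	return &EspGCMSA{aead: aead, salt: salt, spi: spi}, nil
}
// Nonce builds the 12-byte GCM nonce: salt || packet IV.
func Nonce(salt [saltLen]byte, iv [ivLen]byte) []byte { return append(salt[:], iv[:]...) }
// Seal encrypts one payload; the counter IV never repeats under this key (GCM breaks on
// nonce reuse) and the ESP header SPI || seq is authenticated as AAD. Returns iv, ct||ICV, aad.
func (sa *EspGCMSA) Seal(plaintext []byte) (iv [ivLen]byte, ct, aad []byte) {
	sa.seq++
	binary.BigEndian.PutUint64(iv[:], uint64(sa.seq))
	aad = make([]byte, 8)
	binary.BigEndian.PutUint32(aad[0:], sa.spi)
	binary.BigEndian.PutUint32(aad[4:], sa.seq)
	return iv, sa.aead.Seal(nil, Nonce(sa.salt, iv), plaintext, aad), aad
}
// Open decrypts and verifies; any change to salt, IV, AAD or ciphertext fails.
func (sa *EspGCMSA) Open(iv [ivLen]byte, ct, aad []byte) ([]byte, error) {
	return sa.aead.Open(nil, Nonce(sa.salt, iv), ct, aad)
}
func main() {
	sa, _ := NewEspGCMSA(make([]byte, 16), [saltLen]byte{0xde, 0xad, 0xbe, 0xef}, 0x1000)
	iv, ct, aad := sa.Seal([]byte("constructed ESP payload"))
	pt, err := sa.Open(iv, ct, aad)
	fmt.Printf("nonce=%x (%d bits) pt=%q err=%v\n", Nonce(sa.salt, iv), 8*len(Nonce(sa.salt, iv)), pt, err)
}
```

The receiver must hold the same salt as the sender: with a different salt the nonce differs and Open fails the ICV check, which is the interoperability problem a wrong IV length would cause.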

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.