<?xml version="1.0" encoding="US-ASCII"?>
<!-- -*- xml -*- -->
<!-- This template is for creating an Internet Draft using xml2rfc,
  which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
  <!-- One method to get references from the online citation libraries.
  There has to be one entity for each item to be referenced.
  An alternate method (rfc include) is described in the references. -->

<!ENTITY RFC2629 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2629.xml">
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC3552 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3552.xml">
<!ENTITY RFC4312 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4312.xml">
<!ENTITY RFC4301 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4301.xml">
<!ENTITY RFC4302 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4302.xml">
<!ENTITY RFC4306 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4306.xml">
<!ENTITY RFC2411 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2411.xml">
<!ENTITY RFC4086 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4086.xml">
<!ENTITY RFC2898 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2898.xml">
<!ENTITY RFC4494 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4494.xml">
<!ENTITY RFC4615 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4615.xml">
<!ENTITY RFC4303 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4303.xml">
<!ENTITY RFC2409 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2409.xml">
<!ENTITY RFC4346 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4346.xml">
<!ENTITY RFC5246 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml">
<!ENTITY RFC5246 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3711.xml">
<!ENTITY RFC3550 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3550.xml">
<!ENTITY RFC3713 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3713.xml">
<!ENTITY RFC4568 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4568.xml">
<!ENTITY RFC3962 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3962.xml">
<!ENTITY RFC3961 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3961.xml">

<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
  please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use.
  (Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
  (using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc category="info" docName="draft-krb-wg-kanno-camellia-01" ipr= "trust200902">
<!-- category values: std, bcp, info, exp, and historic
    ipr values: full3667, noModification3667, noDerivatives3667
    you can add the attributes updates="NNNN" and obsoletes="NNNN"
    they will automatically be output with "(if approved)" 
-->

<front>
<!-- The abbreviated title is used in the page header - it is only necessary if the
     full title is longer than 39 characters -->

<title abbrev="Camellia for Kerberos 5"> Camellia Encryption for Kerberos 5</title>

<author initials="S." surname="Kanno" fullname="Satoru Kanno">
 <organization>
  NTT Software Corporation
 </organization>
 <address>
  <phone>+81-45-212-9803</phone>
  <facsimile>+81-45-212-9800</facsimile>
  <email>kanno.satoru@po.ntts.co.jp</email>
 </address>
</author>

<author initials="K." surname="Raeburn" fullname="Kenneth Raeburn">
 <organization>
  Massachusetts Institute of Technology
 </organization>
 <address>
  <email>raeburn@mit.edu</email>
 </address>
</author>


<author initials="M." surname="Kanda" fullname="Masayuki Kanda">
 <organization>
  NTT
 </organization>
 <address>
  <phone>+81-422-59-3456</phone>
  <facsimile>+81-422-59-4015 </facsimile>
  <email>kanda.masayuki@lab.ntt.co.jp</email>
 </address>
</author>

<author initials="T." surname="Hardjono" fullname="Thomas Hardjono">
 <organization>
  Massachusetts Institute of Technology
 </organization>
 <address>
  <email>hardjono@mit.edu</email>
 </address>
</author>

<date />

    <!-- If the month and year are both specified and are the current ones, xml2rfc will fill
      in the current day for you. If only the current year is specified, xml2rfc will fill
      in the current day and month for you. If the year is not the current one, it is
      necessary to specify at least a month (xml2rfc assumes day="1" if not specified for the
      purpose of calculating the expiry date).  With drafts it is normally sufficient to
      specify just the year. -->

    <!-- Meta-data Declarations -->

    <area>KRB-WG</area>

    <workgroup>Network Working Group</workgroup>

    <!-- WG name at the upperleft corner of the doc,
      IETF is fine for individual submissions.
      If this element is not present, the default is "Network Working Group",
      which is used by the RFC Editor as a nod to the history of the IETF. -->

    <keyword>Block Cipher</keyword>
    <keyword>Security</keyword>
    <keyword>Camellia</keyword>
    <keyword>Kerberos</keyword>
    <keyword>CTS</keyword>

    <!-- Keywords will be incorporated into HTML output
      files in a meta tag but they have no effect on text or nroff
      output. If you submit your draft to the RFC Editor, the
      keywords will be used for the search engine. -->

<abstract>
 <t>
  This document is a specification for the addition of Camellia cipher
  to the Kerberos 5 cryptosystem suite.
  
  The Camellia cipher was developed by NTT and Mitsubishi Electric Corporation in 2000, 
  which is comparable to Advanced Encryption Standard (AES).
 </t>
</abstract>
</front>


<middle>
<section anchor="intro" title="Introduction">
 <t>
  This document defines encryption key and checksum types for Kerberos
  5 using the Camellia algorithm developed by NTT and Mitsubishi Electric
  Corporation in 2000.
  These new types support 128-bit block encryption and 
  key sizes of 128 or 256 bits.
  It is same that interface speficiations as the AES.
 </t>

 <t>
  The Camellia algorithm and its properties are described in <xref target="RFC3713" />.
 </t>

 <t>
  Using the "simplified profile" of <xref target="RFC3961"/>, 
  we can define a pair of encryption and checksum schemes.
  Camellia is used with ciphertext stealing (CTS) to avoid message expansion,
  and SHA-1 is the associated checksum function.
 </t>

</section>
    
<section title="Terminology">
 <t>
  The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
  "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" that
  appear in this document are to be interpreted as described in <xref
  target="RFC2119"/>.
 </t>
</section>

<section anchor="Protocol Key Representation" title="Protocol Key Representation">
<t>
   The profile in <xref target="RFC3961"/> treats keys and random octet strings as
   conceptually different.
   But since the AES key space is dense, we can use any bit string of appropriate
   length as a key.  We use the byte representation for the key described in <xref target="RFC3713" />,
   where the first bit of the bit string is the high bit of the first byte of 
   the byte string (octet string) representation.
</t>
</section>

<section anchor="Key generation" title="Key Generation from Pass Phrases or Random Data">
  <t>
   Given the above format for keys, we can generate keys from the
   appropriate amounts of random data (128 or 256 bits) by simply
   copying the input string.
  </t>
  <t>
   To generate an encryption key from a pass phrase and salt string, 
   the Camellia uses the PBKDF2 function from PKCS #5 v2.0 <xref target="RFC2898" />.
   This function of Camellia can define as same specification of AES <xref target="RFC3962" />
  </t>
  <t>
   The pseudorandom function used by PBKDF2 will be a SHA-1 HMAC of the
   passphrase and salt.
   The case of AES described in Appendix B of <xref target="RFC3962" />.
   For pseudorandom function, Camellia can use like an AES.
  </t>
</section>

<section anchor="CTS" title="CipherText Stealing mode">

<t>
 The specification of CipherText Stealing (CTS) mode for Camellia complies with 
 AES-CTS in <xref target="RFC3962" />.
</t>

<t>
 A test vector of Camellia-CTS is given in <xref target="Test Vector" />.
</t>
</section>

<section anchor="Profile Parameters" title="Kerberos Algorithm Profile Parameters">

<t>
 This is a summary of the parameters to be used with the simplified
 algorithm profile described in <xref target="RFC3961"/>:
</t>

<artwork>
  +--------------------------------------------------------------------+
  |               protocol key format        128- or 256-bit string    |
  |                                                                    |
  |            string-to-key function        PBKDF2+DK with variable   |
  |                                          iteration count           |
  |                                                                    |
  |  default string-to-key parameters        00 00 10 00               |
  |                                                                    |
  |        key-generation seed length        key size                  |
  |                                                                    |
  |            random-to-key function        identity function         |
  |                                                                    |
  |                  hash function, H        SHA-1                     |
  |                                                                    |
  |               HMAC output size, h        12 octets (96 bits)       |
  |                                                                    |
  |             message block size, m        1 octet                   |
  |                                                                    |
  |  encryption/decryption functions,        Camellia in CBC-CTS mode  |
  |  E and D                                 (cipher block size 16     |
  |                                          octets), with next-to-    |
  |                                          last block (last block    |
  |                                          if only one) as CBC-style |
  |                                          ivec                      |
  +--------------------------------------------------------------------+
</artwork>

<t>
 Using this profile with each key size gives us two each of encryption
 and checksum algorithm definitions.
</t>

</section>

<section anchor="Assigned Numbers" title="Assigned Numbers">

<t>
 The following encryption type numbers are assigned:
</t>

<artwork>
  +--------------------------------------------------------------------+
  |                         encryption types                           |
  +--------------------------------------------------------------------+
  |         type name                  etype value          key size   |
  +--------------------------------------------------------------------+
  |   camellia128-cts-hmac-sha1-96       &lt;TBD1&gt;               128      |
  |   camellia256-cts-hmac-sha1-96       &lt;TBD2&gt;               256      |
  +--------------------------------------------------------------------+
</artwork>

<t>
 The following checksum type numbers are assigned:
</t>

<artwork>
  +--------------------------------------------------------------------+
  |                          checksum types                            |
  +--------------------------------------------------------------------+
  |        type name                 sumtype value           length    |
  +--------------------------------------------------------------------+
  |    hmac-sha1-96-camellia128         &lt;TBD3&gt;                 96      |
  |    hmac-sha1-96-camellia256         &lt;TBD4&gt;                 96      |
  +--------------------------------------------------------------------+
</artwork>

<t>
 These checksum types will be used with the corresponding encryption
 types defined above.
</t>

</section>


<section anchor="Security" title="Security Considerations">
	<t>
     At the time of writing this document there are no known weak keys
     for Camellia. And no security problem has been found on 
     Camellia (see <xref target ="NESSIE"/>, <xref target="CRYPTREC"/>, and <xref target="LNCS"/>).
    </t>
    
    <t>
     For security considerations of CTS mode,
     this document refers to Section 8 of <xref target="RFC3962"/>.
   </t>
</section>
	
<section title="IANA Considerations">

<t>
 Kerberos encryption and checksum type values used in section 7 were
 previously reserved in <xref target="RFC3961"/> for the mechanisms defined in this
 document.  The registries have been updated to list this document as
 the reference.
</t>

</section>

<!--
<section title="Acknowledgements">
</section>
-->

<section anchor="Test Vector" title="Test Vector">
<t>
 Some test vectors for CTS mode, using an initial vector of all-zero.
</t>

<artwork>
   Camellia 128-bit key:
     0000:  63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69

   IV:
     0000:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   Input:
     0000:  49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
     0010:  20
   Output:
     0000:  &lt;TBD&gt;
     0010:  
   Next IV:
     0000:  &lt;TBD&gt;

   IV:
     0000:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   Input:
     0000:  49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
     0010:  20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20
   Output:
     0000:  &lt;TBD&gt;
     0010:  
   Next IV:
     0000:  &lt;TBD&gt;
     
   IV:
     0000:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   Input:
     0000:  49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
     0010:  20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43
   Output:
     0000:  
     0010:  &lt;TBD&gt;
   Next IV:
     0000:  &lt;TBD&gt;

   IV:
     0000:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   Input:
     0000:  49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
     0010:  20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43
     0020:  68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c
   Output:
     0000:  &lt;TBD&gt;
     0010:  
     0020:  
   Next IV:
     0000:  &lt;TBD&gt;

   IV:
     0000:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   Input:
     0000:  49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
     0010:  20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43
     0020:  68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20
   Output:
     0000:  &lt;TBD&gt;
     0010:  
     0020:  
   Next IV:
     0000:  &lt;TBD&gt;

   IV:
     0000:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   Input:
     0000:  49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
     0010:  20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43
     0020:  68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20
     0030:  61 6e 64 20 77 6f 6e 74 6f 6e 20 73 6f 75 70 2e
   Output:
     0000:  &lt;TBD&gt;
     0010:  
     0020:  
     0030:  
   Next IV:
     0000:  &lt;TBD&gt;
</artwork>

</section>

</middle>

  <!--  *****BACK MATTER ***** -->

  <back>
    <!-- References split into informative and normative -->

    <!-- There are 2 ways to insert reference entries from the citation libraries:
      1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
      2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
      (for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")

      Both are cited textually in the same manner: by using xref elements.
      If you use the PI option, xml2rfc will, by default, try to find included files in the same
      directory as the including file. You can also define the XML_LIBRARY environment variable
      with a value containing a set of directories to search.  These can be either in the local
      filing system or remote ones accessed by http (http://domain/dir/... ).-->

<references title="Normative References">
 &RFC2119;
 &RFC3713;
 &RFC3961;
 &RFC3962;
 &RFC2898;
</references>

<references title="Informative References">
<!-- Here we use entities that we defined at the beginning. -->
 <reference anchor="ISO/IEC 18033-3">
  <front>
   <title>Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers</title>
   <author>
    <organization>International Organization for Standardization</organization>
   </author>
   <date month="July" year="2005" />
  </front>
  <seriesInfo name="ISO/IEC" value="18033-3" />
 </reference>

 <reference anchor="NESSIE" target="http://www.cosic.esat.kuleuven.ac.be/nessie/">
  <front>
   <title abbrev="NESSIE">The NESSIE project (New European Schemes for Signatures, Integrity and Encryption) </title>
   <author>
    <organization />
   </author>
   </front>
 </reference>

<reference anchor="CRYPTREC" target="http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html" >
 <front>
  <title>Cryptography Research and Evaluation Committees</title>
  <author fullname="Information-technology Promotion Agency (IPA)">
   <organization>Information-technology Promotion Agency (IPA)</organization>
	    <address>
	      <postal>
		<street/>
		<country>Japan</country>
	      </postal>
	    </address>
	  </author>
	</front>
	<format type="HTML" target="http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html." />
    </reference>

  <reference anchor="LNCS" target="http://www.springerlink.com/content/e55783u422436g77/">
  <front>
   <title>New Results on Impossible Differential Cryptanalysis of Reduced Round Camellia-128</title> 
   <author initials="H." surname="Mala" fullname="Hamid Mala">
     </author>
   <author initials="M." surname="Shakiba" fullname="Mohsen Shakiba">
     </author>
     <author initials="M." surname="Dakhil-alian" fullname="Mohammad Dakhil-alian">
    <organization>Springer</organization> 
   </author>
   <date month="November" year="2009" />
   <seriesInfo name="LNCS" value="5867" /> 
  </front>
 </reference>
 
</references>

    <!-- Change Log

      v00 2006-03-15  EBD   Initial version

      v01 2006-04-03  EBD   Moved PI location back to position 1 -
      v3.1 of XMLmind is better with them at this location.
      v02 2007-03-07  AH    removed extraneous nested_list attribute,
      other minor corrections
      v03 2007-03-09  EBD   Added comments on null IANA sections and fixed heading capitalization.
      Modified comments around figure to reflect non-implementation of
      figure indent control.  Put in reference using anchor="DOMINATION".
      Fixed up the date specification comments to reflect current truth.
      v04 2007-03-09 AH     Major changes: shortened discussion of PIs,
      added discussion of rfc include.
      v05 2007-03-10 EBD    Added preamble to C program example to tell about ABNF and alternative
      images. Removed meta-characters from comments (causes problems).  -->
  </back>
</rfc>
