Network Working Group S. Kanno Internet-DraftNTT Software CorporationA. Kato Intended status: Standards Track NTT Software Corporation Expires: March 13, 2010 M. KandaExpires: October 7, 2009 Nippon Telegraph and Telephone Corporation April 5,NTT September 9, 2009 The Camellia-XCBC-96 and Camellia-XCBC-PRF-128 Algorithms and Its Use with IPsecdraft-kanno-ipsecme-camellia-xcbc-00draft-kanno-ipsecme-camellia-xcbc-01 Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire onOctober 7, 2009.March 13, 2010. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Abstract This memo specifies two new algorithms. One is the usage of XCBC mode with Camellia block cipher on the authentication mechanism of the IPsec Encapsulating Security Payload and Authentication Header protocols. This algorithm is called Camellia-XCBC-96. Latter is pseudo-random function based on XCBC with Camellia block cipher for Internet Key Exchange. This algorithm is called Camellia-XCBC-PRF- 128. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 2. Camellia-XCBC-96 and Camellia-XCBC-PRF-128 . . . . . . . . . . 4 3. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1. Camellia-XCBC-96 . . . . . . . . . . . . . . . . . . . . . 5 3.2. Camellia-XCBC-PRF-128 . . . . . . . . . . . . . . . . . .75 4. Security Considerations . . . . . . . . . . . . . . . . . . .87 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . .98 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .109 7. References . . . . . . . . . . . . . . . . . . . . . . . . . .1110 7.1. Normative . . . . . . . . . . . . . . . . . . . . . . . .1110 7.2. Informative . . . . . . . . . . . . . . . . . . . . . . .1110 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . .1211 1. Introduction This document specifies two new algorithms. One is the usage of XCBC based on Camellia block cipher on the authentication mechanism of the IPsec Encapsulating Security Payload (ESP) [7] and Authentication Header protocols (AH) [6]. This algorithm is called Camellia-XCBC-96. Latter is Pseudo-Random Function (PRF) based on XCBC with Camellia block cipher for Internet Key Exchange (IKEv2) [8]. This algorithm is called Camellia-XCBC-PRF-128. The Camellia algorithm specification and object identifiers are described in [2]. 1.1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [1]. 2. Camellia-XCBC-96 and Camellia-XCBC-PRF-128 The Camellia-XCBC-96 comply with [3]. Also, The Camellia-XCBC-PRF- 128 comply with [4]. 3. Test Vectors 3.1. Camellia-XCBC-96 This section containsseventhree test vectors(TV), which can be used to confirm that an implementation has correctly implemented Camellia- XCBC-96. Test Case #1 : Camellia-XCBC-MAC-96 with0-byte20-byte input Key (K) : 000102030405060708090a0b0c0d0e0f Message (M) :<empty string<000102030405060708090a0b0c0d0e0f10111213 Camellia-XCBC-MAC :<TBD>3d042dd4e7bc791cee320415c5e326d6 Camellia-XCBC-MAC-96:<TBD>3d042dd4e7bc791cee320415 Test Case #2 : Camellia-XCBC-MAC-96 with3-byte20-byte input Key (K) :000102030405060708090a0b0c0d0e0f00010203040506070809 Message (M) :000102000102030405060708090a0b0c0d0e0f10111213 Camellia-XCBC-MAC :<TBD>b916b423420a906cd7d7b672a24e976f Camellia-XCBC-MAC-96:<TBD>b916b423420a906cd7d7b672 Test Case #3 : Camellia-XCBC-MAC-96 with16-byte input Key (K) : 000102030405060708090a0b0c0d0e0f Message (M) : 00102030405060708090a0b0c0d0e0f Camellia-XCBC-MAC : <TBD> Camellia-XCBC-MAC-96: <TBD> Test Case #4 : Camellia-XCBC-MAC-96 with20-byte input Key (K) :000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0fedcb Message (M) : 000102030405060708090a0b0c0d0e0f10111213 Camellia-XCBC-MAC :<TBD>b97146369d31940ff57a0ddf2233c1d2 Camellia-XCBC-MAC-96:<TBD> Test Case #5 : Camellia-XCBC-MAC-96 with 32-byte input Key (K) : 000102030405060708090a0b0c0d0e0f Message (M) : 000102030405060708090a0b0c0d0e0f1011121314151 61718191a1b1c1d1e1f Camellia-XCBC-MAC : <TBD> Camellia-XCBC-MAC-96: <TBD> Test Case #6 : Camellia-XCBC-MAC-96 with 34-byte input Key (K) : 000102030405060708090a0b0c0d0e0f Message (M) : 000102030405060708090a0b0c0d0e0f1011121314151 61718191a1b1c1d1e1f2021 Camellia-XCBC-MAC : <TBD> Camellia-XCBC-MAC-96: <TBD> Test Case #7 : Camellia-XCBC-MAC-96 with 1000-byte input Key (K) : 000102030405060708090a0b0c0d0e0f Message (M) : 00000000000000000000 ... 00000000000000000000 [1000 bytes] Camellia-XCBC-MAC : <TBD> Camellia-XCBC-MAC-96: <TBD>b97146369d31940ff57a0ddf 3.2. Camellia-XCBC-PRF-128 This section contains three test vectors(TV), which can be used to confirm that an implementation has correctly implemented Camellia- XCBC-PRF-128. Test Case #1 : Camellia-XCBC-PRF-128 with 20-byte input Key : 000102030405060708090a0b0c0d0e0f Key Length : 16 Message : 000102030405060708090a0b0c0d0e0f10111213 PRF Output :<TBD>fb8f550070b5e6a51aa2404ff8bbcf7d3d042dd4e7bc791cee320415c5e326d6 Test Case #2 : Camellia-XCBC-PRF-128 with 20-byte input Key : 00010203040506070809 Key Length : 10 Message : 000102030405060708090a0b0c0d0e0f10111213 PRF Output :<TBD>e8243b0105b3a3b93fd6cedae0ca8ab6b916b423420a906cd7d7b672a24e976f Test Case #3 : Camellia-XCBC-PRF-128 with 20-byte input Key : 000102030405060708090a0b0c0d0e0fedcb Key Length : 18 Message : 000102030405060708090a0b0c0d0e0f10111213 PRF Output :<TBD>bd75834d3452f9087d1597a87a33bc33b97146369d31940ff57a0ddf2233c1d2 4. Security Considerations At the time of writing this document there are no known weak keys for Camellia. And no security problem has been found on Camellia [10], [11] For other security considerations, please refer to the security considerations of the previous use of XCBC mode document described in [3] and [4]. 5. IANA Considerations IANA has assigned AH/ESP Authentication Algorithm Value <TBD2> for IKEv2 Transform Type 3 (Integrity Algorithm) to CAMELLIA-XCBC-MAC. IANA has assigned AH Transform Identifier <TBD1> for IKEv2 Transform Type 2 (Pseudo-Random Function) to AH_CAMELLIA-XCBC-MAC. 6. Acknowledgements This document unabashedly referred to [3] and [4]. 7. References 7.1. Normative [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [2] Matsui, M., Nakajima, J., and S. Moriai, "A Description of the Camellia Encryption Algorithm", RFC 3713, April 2004. [3] Frankel, S. and H. Herbert, "The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec", RFC 3566, September 2003. [4] Hoffman, P., "The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)", RFC 4434, February 2006. [5] Black, J. and P. Rogaway, "Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes", August 2001, <h ttp://csrc.nist.gov/groups/ST/toolkit/BCM/documents/ proposedmodes/xcbc-mac/xcbc-mac-spec.pdf>. 7.2. Informative [6] Kent, S., "IP Authentication Header", RFC 4302, December 2005. [7] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005. [8] Kaufman, C., Hoffman, P., and P. Eronen, "Internet Key Exchange Protocol: IKEv2", draft-hoffman-ikev2bis-03 (work in progress), February 2008. [9] Kato, A., Moriai, S., and M. Kanda, "The Camellia Cipher Algorithm and Its Use With IPsec", RFC 4312, December 2005. [10] "The NESSIE project (New European Schemes for Signatures, Integrity and Encryption)", <http://www.cosic.esat.kuleuven.ac.be/nessie/>. [11] Information-technology Promotion Agency (IPA), "Cryptography Research and Evaluation Committees", <http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html>. Authors' Addresses Satoru Kanno NTT Software Corporation Phone: +81-45-212-7577 Fax: +81-45-212-9800 Email:kanno-s@po.ntts.co.jpkanno.satoru@po.ntts.co.jp Akihiro Kato NTT Software Corporation Phone: +81-45-212-7577 Fax: +81-45-212-9800 Email: kato.akihiro@po.ntts.co.jp Masayuki KandaNippon Telegraph and Telephone CorporationNTT Phone: +81-422-59-3456 Fax: +81-422-59-4015 Email: kanda.masayuki@lab.ntt.co.jp