| < draft-dharkins-siv-aes-04.txt | draft-dharkins-siv-aes-05.txt > | |||
|---|---|---|---|---|
| Internet Engineering Task Force D. Harkins, Ed. | Internet Engineering Task Force D. Harkins | |||
| Internet-Draft Aruba Networks | Internet-Draft Aruba Networks | |||
| Intended status: Standards Track June 11, 2008 | Intended status: Informational June 26, 2008 | |||
| Expires: December 13, 2008 | Expires: December 28, 2008 | |||
| SIV Authenticated Encryption using AES | SIV Authenticated Encryption using AES | |||
| draft-dharkins-siv-aes-04 | draft-dharkins-siv-aes-05 | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on December 13, 2008. | This Internet-Draft will expire on December 28, 2008. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2008). | Copyright (C) The IETF Trust (2008). | |||
| Abstract | Abstract | |||
| This memo describes SIV, a block cipher mode of operation. SIV takes | This memo describes SIV (Synthetic Initialization Vector), a block | |||
| a key, a plaintext, and multiple variable-length octet strings which | cipher mode of operation. SIV takes a key, a plaintext, and multiple | |||
| will be authenticated but not encrypted. It produces a ciphertext | variable-length octet strings which will be authenticated but not | |||
| having the same length as the plaintext and a synthetic | encrypted. It produces a ciphertext having the same length as the | |||
| initialization vector. Depending on how it is used, SIV achieves | plaintext and a synthetic initialization vector. Depending on how it | |||
| either the goal of deterministic authenticated-encryption or the goal | is used, SIV achieves either the goal of deterministic authenticated- | |||
| of nonce-based, misuse-resistant authenticated-encryption. | encryption or the goal of nonce-based, misuse-resistant | |||
| authenticated-encryption. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Background . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Background . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 1.3. Motivation . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.3. Motivation . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 1.3.1. Key Wrapping . . . . . . . . . . . . . . . . . . . . . 4 | 1.3.1. Key Wrapping . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 1.3.2. Resistance to Nonce Misuse/Reuse . . . . . . . . . . . 4 | 1.3.2. Resistance to Nonce Misuse/Reuse . . . . . . . . . . . 4 | |||
| 1.3.3. Key Derivation . . . . . . . . . . . . . . . . . . . . 5 | 1.3.3. Key Derivation . . . . . . . . . . . . . . . . . . . . 5 | |||
| skipping to change at page 2, line 28 ¶ | skipping to change at page 2, line 28 ¶ | |||
| 2.2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 2.2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 2.3. Doubling . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 2.3. Doubling . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 2.4. S2V . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 2.4. S2V . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 2.5. CTR . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 2.5. CTR . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 2.6. SIV Encrypt . . . . . . . . . . . . . . . . . . . . . . . 10 | 2.6. SIV Encrypt . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 2.7. SIV Decrypt . . . . . . . . . . . . . . . . . . . . . . . 12 | 2.7. SIV Decrypt . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 3. Nonce-based Authenticated Encryption with SIV . . . . . . . . 14 | 3. Nonce-based Authenticated Encryption with SIV . . . . . . . . 14 | |||
| 4. Deterministic Authenticated Encryption with SIV . . . . . . . 15 | 4. Deterministic Authenticated Encryption with SIV . . . . . . . 15 | |||
| 5. Optimizations . . . . . . . . . . . . . . . . . . . . . . . . 15 | 5. Optimizations . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 6.1. AEAD_AES_SIV_CMAC_256 . . . . . . . . . . . . . . . . . . 16 | 6.1. AEAD_AES_SIV_CMAC_256 . . . . . . . . . . . . . . . . . . 17 | |||
| 6.2. AEAD_AES_SIV_CMAC_384 . . . . . . . . . . . . . . . . . . 16 | 6.2. AEAD_AES_SIV_CMAC_384 . . . . . . . . . . . . . . . . . . 17 | |||
| 6.3. AEAD_AES_SIV_CMAC_512 . . . . . . . . . . . . . . . . . . 17 | 6.3. AEAD_AES_SIV_CMAC_512 . . . . . . . . . . . . . . . . . . 17 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | |||
| 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18 | 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . . 18 | 9.1. Normative References . . . . . . . . . . . . . . . . . . . 19 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . . 19 | 9.2. Informative References . . . . . . . . . . . . . . . . . . 19 | |||
| Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 20 | Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 21 | |||
| A.1. Deterministic Authenticated Encryption Example . . . . . . 20 | A.1. Deterministic Authenticated Encryption Example . . . . . . 21 | |||
| A.2. Nonce-based Authenticated Encryption Example . . . . . . . 22 | A.2. Nonce-based Authenticated Encryption Example . . . . . . . 22 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 24 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| Intellectual Property and Copyright Statements . . . . . . . . . . 25 | Intellectual Property and Copyright Statements . . . . . . . . . . 25 | |||
| 1. Introduction | 1. Introduction | |||
| 1.1. Background | 1.1. Background | |||
| Various attacks have been described (e.g. [BADESP]) when data is | Various attacks have been described (e.g. [BADESP]) when data is | |||
| merely privacy-protected and not additionally authenticated or | merely privacy-protected and not additionally authenticated or | |||
| skipping to change at page 6, line 37 ¶ | skipping to change at page 6, line 37 ¶ | |||
| pad(X) | pad(X) | |||
| indicates padding of string X, len(X) < 128, out to 128 bits by | indicates padding of string X, len(X) < 128, out to 128 bits by | |||
| the concatenation of a single bit of 1 followed by as many 0 bits | the concatenation of a single bit of 1 followed by as many 0 bits | |||
| as are necessary. | as are necessary. | |||
| leftmost(A,n) | leftmost(A,n) | |||
| the n most significant bits of A. | the n most significant bits of A. | |||
| rightmost(A,n) | rightmost(A,n) | |||
| the n least significatn bits of A. | the n least significant bits of A. | |||
| A || B | A || B | |||
| means concatenation of string A with string B. | means concatenation of string A with string B. | |||
| A xor B | A xor B | |||
| is the exclusive OR operation on two equal length strings, A and | is the exclusive OR operation on two equal length strings, A and | |||
| B. | B. | |||
| A xorend B | A xorend B | |||
| where len(A) >= len(B), means xoring a string B onto the end of | where len(A) >= len(B), means xoring a string B onto the end of | |||
| skipping to change at page 16, line 23 ¶ | skipping to change at page 16, line 23 ¶ | |||
| limits the benefit SIV offers for dealing in a natural fashion with | limits the benefit SIV offers for dealing in a natural fashion with | |||
| AD consisting of multiple distinct components. Therefore when it is | AD consisting of multiple distinct components. Therefore when it is | |||
| required to access SIV through the interface defined in [RFC5116] it | required to access SIV through the interface defined in [RFC5116] it | |||
| is necessary to marshall multiple AD inputs into a single string (see | is necessary to marshall multiple AD inputs into a single string (see | |||
| Section 1.1) prior to invoking SIV. Note that this requirement is | Section 1.1) prior to invoking SIV. Note that this requirement is | |||
| not unique to SIV. All cipher modes using [RFC5116] MUST similarly | not unique to SIV. All cipher modes using [RFC5116] MUST similarly | |||
| marshall multiple AD inputs into a single string and any technique | marshall multiple AD inputs into a single string and any technique | |||
| used for any other AEAD mode (e.g. a scatter/gather technique) can be | used for any other AEAD mode (e.g. a scatter/gather technique) can be | |||
| used with SIV. | used with SIV. | |||
| [RFC5116] requires AEAD algorithm specifications to include maximal | ||||
| limits to the amount of plaintext, the amount of associated data, and | ||||
| the size of a nonce that the AEAD algorithm can accept. | ||||
| SIV uses AES in counter mode and the security guarantees of SIV would | ||||
| be lost if the counter was allowed to repeat. Since the counter is | ||||
| 128 bits, a limit to the amount of plaintext that can be safely | ||||
| protected by a single invocation of SIV is 2^128 blocks. Multiple | ||||
| invocations of SIV with the same key, though, can increase the | ||||
| possibility of distinct invocations having overlapping counter-space | ||||
| so the limit on the amount of plaintext that can be safely protected | ||||
| by SIV is set at 2^64 blocks. | ||||
| To prevent the possibility of collisions [CMAC] recommends that no | ||||
| more than 2^48 invocations be made to CMAC with the same key. This | ||||
| is not a limit on the amount of data that can be passed to CMAC | ||||
| though. There is no practical limit to the amount of data that can | ||||
| be made to a single invocation of CMAC, and likewise there is no | ||||
| practical limit to the amount of associated data or nonce material | ||||
| that can be passed to SIV. | ||||
| A collision in the output of S2V would mean the same counter would be | ||||
| used with different plaintext in counter mode. This would void the | ||||
| security guarantees of SIV. The "Birthday Paradox" (see [APPCRY]) | ||||
| would imply that no more than 2^64 distinct invocations to SIV be | ||||
| made with the same key. It is prudent to follow the example of | ||||
| [CMAC] though and further limit the number of distinct invocations of | ||||
| SIV using the same key to 2^48. Note that [RFC5116] does not provide | ||||
| a variable to describe this limit. | ||||
| 6.1. AEAD_AES_SIV_CMAC_256 | 6.1. AEAD_AES_SIV_CMAC_256 | |||
| The AES-SIV-CMAC-256 AEAD algorithm works as specified in Section 2.6 | The AES-SIV-CMAC-256 AEAD algorithm works as specified in Section 2.6 | |||
| and Section 2.7. The input and output lengths for AES-SIV-CMAC-256 | and Section 2.7. The input and output lengths for AES-SIV-CMAC-256 | |||
| as defined by [RFC5116] are: | as defined by [RFC5116] are: | |||
| K_LEN is 32 octets. | K_LEN is 32 octets. | |||
| P_MAX is unlimited. | P_MAX is 2^68 octets. | |||
| A_MAX is unlimited. | A_MAX is unlimited. | |||
| N_MIN is 1 octet. | N_MIN is 1 octet. | |||
| N_MAX is unlimited. | N_MAX is unlimited. | |||
| C_MAX is unlimited. | C_MAX is 2^68 + 16 octets. | |||
| The security implications of nonce re-use and/or mis-use are | The security implications of nonce re-use and/or mis-use are | |||
| described in Section 1.3.2. | described in Section 1.3.2. | |||
| 6.2. AEAD_AES_SIV_CMAC_384 | 6.2. AEAD_AES_SIV_CMAC_384 | |||
| The AES-SIV-CMAC-384 AEAD algorithm works as specified in Section 2.6 | The AES-SIV-CMAC-384 AEAD algorithm works as specified in Section 2.6 | |||
| and Section 2.7. The input and output lengths for AES-SIV-CMAC-384 | and Section 2.7. The input and output lengths for AES-SIV-CMAC-384 | |||
| as defined by [RFC5116] are: | as defined by [RFC5116] are: | |||
| K_LEN is 48 octets. | K_LEN is 48 octets. | |||
| P_MAX is unlimited. | P_MAX is 2^68 octets. | |||
| A_MAX is unlimited. | A_MAX is unlimited. | |||
| N_MIN is 1 octet. | N_MIN is 1 octet. | |||
| N_MAX is unlimited. | N_MAX is unlimited. | |||
| C_MAX is unlimited. | C_MAX is 2^68 + 16 octets. | |||
| The security implications of nonce re-use and/or mis-use are | The security implications of nonce re-use and/or mis-use are | |||
| described in Section 1.3.2. | described in Section 1.3.2. | |||
| 6.3. AEAD_AES_SIV_CMAC_512 | 6.3. AEAD_AES_SIV_CMAC_512 | |||
| The AES-SIV-CMAC-512 AEAD algorithm works as specified in Section 2.6 | The AES-SIV-CMAC-512 AEAD algorithm works as specified in Section 2.6 | |||
| and Section 2.7. The input and output lengths for AES-SIV-CMAC-512 | and Section 2.7. The input and output lengths for AES-SIV-CMAC-512 | |||
| as defined by [RFC5116] are: | as defined by [RFC5116] are: | |||
| K_LEN is 64 octets. | K_LEN is 64 octets. | |||
| P_MAX is unlimited. | P_MAX is 2^68 octets. | |||
| A_MAX is unlimited. | A_MAX is unlimited. | |||
| N_MIN is 1 octet. | N_MIN is 1 octet. | |||
| N_MAX is unlimited. | N_MAX is unlimited. | |||
| C_MAX is unlimited. | C_MAX is 2^68 + 16 octets. | |||
| The security implications of nonce re-use and/or mis-use are | The security implications of nonce re-use and/or mis-use are | |||
| described in Section 1.3.2. | described in Section 1.3.2. | |||
| 7. Security Considerations | 7. Security Considerations | |||
| SIV provides privacy in the sense that the output of SIV-Encrypt is | SIV provides confidentiality in the sense that the output of SIV- | |||
| indistinguishable from a random string of bits. It provides | Encrypt is indistinguishable from a random string of bits. It | |||
| authenticity in the sense that an attacker is unable to construct a | provides authenticity in the sense that an attacker is unable to | |||
| string of bits that will return other than FAIL when input to SIV- | construct a string of bits that will return other than FAIL when | |||
| Decrypt. A proof of the security of SIV with an "all in one" notion | input to SIV-Decrypt. A proof of the security of SIV with an "all in | |||
| of security for an authenticated encryption scheme is provided in | one" notion of security for an authenticated encryption scheme is | |||
| [DAE]. | provided in [DAE]. | |||
| SIV provides deterministic "key wrapping" when the plaintext contains | SIV provides deterministic "key wrapping" when the plaintext contains | |||
| data that is unpredictable to an adversary (for instance, a | data that is unpredictable to an adversary (for instance, a | |||
| cryptographic key). Even when this key is made available to an | cryptographic key). Even when this key is made available to an | |||
| attacker the output of SIV-Encrypt is indistinguishable from random | attacker the output of SIV-Encrypt is indistinguishable from random | |||
| bits. Similarly, even when this key is made available to an | bits. Similarly, even when this key is made available to an | |||
| attacker, she is unable to construct a string of bits that when input | attacker, she is unable to construct a string of bits that when input | |||
| to SIV-Decrypt will return anything other than FAIL. | to SIV-Decrypt will return anything other than FAIL. | |||
| When the nonce used in the nonce-based authenticated encryption mode | When the nonce used in the nonce-based authenticated encryption mode | |||
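
Review bot: the P_MAX of 2^68 octets introduced in 6.1 through 6.3 does not follow from the reasoning added above it ("Multiple invocations of SIV with the same key, though, can increase the possibility of distinct invocations having overlapping counter-space so the limit ... is set at 2^64 blocks"). In [RFC5116] P_MAX bounds the plaintext of one invocation, and for one invocation the paragraph's own argument gives 2^128 blocks before the 128-bit counter wraps; the 2^64-block figure comes from counter-space overlap between distinct invocations, which grows with the total number of keystream blocks generated under the key, so it is a per-key bound that [RFC5116] has no variable for, exactly as the text already notes for the invocation count. Suggest stating P_MAX as the single-invocation bound and moving the 2^64-block (2^68-octet) figure into Section 7 as a per-key limit next to the 2^48-invocation recommendation, or else saying explicitly that P_MAX is being used here as an aggregate limit. Minor: "the amount of data that can be made to a single invocation of CMAC" should read "passed to".
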
| skipping to change at page 19, line 6 ¶ | skipping to change at page 19, line 31 ¶ | |||
| of SIV, thereby confirming the correctness of the test vectors. | of SIV, thereby confirming the correctness of the test vectors. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [CMAC] Dworkin, M., "Recommendation for Block Cipher Modes of | [CMAC] Dworkin, M., "Recommendation for Block Cipher Modes of | |||
| Operation: The CMAC Mode for Authentication", NIST Special | Operation: The CMAC Mode for Authentication", NIST Special | |||
| Pulication 800-38B, May 2005. | Pulication 800-38B, May 2005. | |||
| [DAE] Rogaway, P. and T. Shrimpton, "Deterministic Authenticated | ||||
| Encryption, A Provable-Security Treatment of the Key-Wrap | ||||
| Problem", September 2006. | ||||
| [MODES] Dworkin, M., "Recommendation for Block Cipher Modes of | [MODES] Dworkin, M., "Recommendation for Block Cipher Modes of | |||
| Operation: Methods and Techniques", NIST Special | Operation: Methods and Techniques", NIST Special | |||
| Pulication 800-38A, 2001 edition. | Pulication 800-38A, 2001 edition. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | |||
| Encryption", RFC 5116, January 2008. | Encryption", RFC 5116, January 2008. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [APPCRY] Menezes, A., van Oorshot, P., and S. Vanstone, "Handbook | ||||
| of Applied Cryptography", CRC Press Series on Discrete | ||||
| Mathematics and Its Applications, 1996. | ||||
| [BADESP] Bellovin, S., "Problem Areas for the IP Security | [BADESP] Bellovin, S., "Problem Areas for the IP Security | |||
| Protocols", July 1996. | Protocols", July 1996. | |||
| [CCM] Whiting, D., Housley, R., and N. Ferguson, "Counter With | [CCM] Whiting, D., Housley, R., and N. Ferguson, "Counter With | |||
| CBC-MAC (CCM)", June 2002. | CBC-MAC (CCM)", June 2002. | |||
| [DAE] Rogaway, P. and T. Shrimpton, "Deterministic Authenticated | ||||
| Encryption, A Provable-Security Treatment of the Key-Wrap | ||||
| Problem", Advances in Cryptology -- EUROCRYPT '06 St. | ||||
| Petersburg, Russia, 2006. | ||||
| [GCM] McGrew, D. and J. Viega, "The Galois/Counter Mode of | [GCM] McGrew, D. and J. Viega, "The Galois/Counter Mode of | |||
| Operation (GCM)". | Operation (GCM)". | |||
| [JUTLA] Jutla, C., "Encryption Modes With Almost Free Message | [JUTLA] Jutla, C., "Encryption Modes With Almost Free Message | |||
| Integrity", Proceedings of the International Conference on | Integrity", Proceedings of the International Conference on | |||
| the Theory and Application of Cryptographic Techniques: | the Theory and Application of Cryptographic Techniques: | |||
| Advances in Cryptography. | Advances in Cryptography. | |||
| [OCB] Korvetz, T. and P. Rogaway, "The OCB Authenticated | [OCB] Korvetz, T. and P. Rogaway, "The OCB Authenticated | |||
| Encryption Algorithm", | Encryption Algorithm", | |||
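
Review bot: moving [DAE] from Normative to Informative is consistent with its only use, the security proof cited in Section 7, which an implementer does not need; but the hunk carries over spelling errors in names that should be fixed in the same revision: "Pulication" in the [CMAC] and [MODES] entries should be "Publication", "van Oorshot" in the new [APPCRY] entry should be "van Oorschot", "Korvetz" in [OCB] should be "Krovetz", and the [JUTLA] venue should be "Advances in Cryptology", the EUROCRYPT proceedings title. The [GCM] entry is also the only one with neither a date nor a venue.
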
| skipping to change at page 24, line 10 ¶ | skipping to change at page 24, line 43 ¶ | |||
| output | output | |||
| ------ | ------ | |||
| IV || C: | IV || C: | |||
| 7bdb6e3b 432667eb 06f4d14b ff2fbd0f | 7bdb6e3b 432667eb 06f4d14b ff2fbd0f | |||
| cb900f2f ddbe4043 26601965 c889bf17 | cb900f2f ddbe4043 26601965 c889bf17 | |||
| dba77ceb 094fa663 b7a3f748 ba8af829 | dba77ceb 094fa663 b7a3f748 ba8af829 | |||
| ea64ad54 4a272e9c 485b62a3 fd5c0d | ea64ad54 4a272e9c 485b62a3 fd5c0d | |||
| Author's Address | Author's Address | |||
| Dan Harkins (editor) | Dan Harkins | |||
| Aruba Networks | Aruba Networks | |||
| Email: dharkins@arubanetworks.com | Email: dharkins@arubanetworks.com | |||
| Full Copyright Statement | Full Copyright Statement | |||
| Copyright (C) The IETF Trust (2008). | Copyright (C) The IETF Trust (2008). | |||
| This document is subject to the rights, licenses and restrictions | This document is subject to the rights, licenses and restrictions | |||
| contained in BCP 78, and except as set forth therein, the authors | contained in BCP 78, and except as set forth therein, the authors | |||
| End of changes. 21 change blocks. | ||||
| 39 lines changed or deleted | 75 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||