| < draft-ietf-ipsec-ciph-aes-ccm-03.txt | draft-ietf-ipsec-ciph-aes-ccm-04.txt > | |||
|---|---|---|---|---|
| IPsec Working Group R. Housley | IPsec Working Group R. Housley | |||
| Internet Draft Vigil Security | Internet Draft Vigil Security | |||
| expires in six months May 2003 | expires in six months July 2003 | |||
| Using AES CCM Mode With IPsec ESP | Using AES CCM Mode With IPsec ESP | |||
| <draft-ietf-ipsec-ciph-aes-ccm-03.txt> | <draft-ietf-ipsec-ciph-aes-ccm-04.txt> | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is in full conformance with all | This document is an Internet-Draft and is in full conformance with all | |||
| provisions of Section 10 of RFC2026. | provisions of Section 10 of RFC2026. | |||
| Internet-Drafts are working documents of the Internet Engineering Task | Internet-Drafts are working documents of the Internet Engineering Task | |||
| Force (IETF), its areas, and its working groups. Note that other | Force (IETF), its areas, and its working groups. Note that other | |||
| groups may also distribute working documents as Internet-Drafts. | groups may also distribute working documents as Internet-Drafts. | |||
| skipping to change at page 8, line 15 ¶ | skipping to change at page 8, line 15 ¶ | |||
| 7.1. Keying Material and Salt Values | 7.1. Keying Material and Salt Values | |||
| As previously described, implementations MUST use fresh keys with | As previously described, implementations MUST use fresh keys with | |||
| AES-CCM. IKE can be used to establish fresh keys. This section | AES-CCM. IKE can be used to establish fresh keys. This section | |||
| describes the conventions for obtaining the unpredictable salt value | describes the conventions for obtaining the unpredictable salt value | |||
| for use in the nonce from IKE. Note that this convention provides a | for use in the nonce from IKE. Note that this convention provides a | |||
| salt value that is secret as well as unpredictable. | salt value that is secret as well as unpredictable. | |||
| IKE makes use of a pseudo-random function (PRF) to derive keying | IKE makes use of a pseudo-random function (PRF) to derive keying | |||
| material. The PRF is used iteratively to derive keying material of | material. The PRF is used iteratively to derive keying material of | |||
| arbitrary size. Keying material is extracted from the output string | arbitrary size, called KEYMAT. Keying material is extracted from the | |||
| without regard to boundaries. | output string without regard to boundaries. | |||
| IKE uses the PRF to generate an output stream that parsed into five | ||||
| keys: SK_d, SK_ai, SK_ar, SK_ei, and SK_er. SK_d is used to derive | ||||
| new keys for the child security associations. SK_ai and SK_ar are | ||||
| the authentication keys for the initiator and the responder, | ||||
| respectively. SK_ei and SK_er are the encryption keys for the | ||||
| initiator and the responder, respectively. | ||||
| SK_ai and SK_ei are used to protect traffic from the initiator to the | ||||
| responder. SK_ar and SK_er are used to protect traffic from the | ||||
| responder to the initiator. | ||||
| The size of SK_ei and SK_er are each three octets longer than is | The size of KEYMAT MUST be three octets longer than is needed for the | |||
| needed by the associated AES key. The keying material is used as | associated AES key. The keying material is used as follows: | |||
| follows: | ||||
| AES-CCM with a 128 bit key | AES-CCM with a 128 bit key | |||
| SK_ei and SK_er are each 19 octets. The first 16 octets are | The KEYMAT requested for each AES-CCM key is 19 octets. The | |||
| the 128-bit AES key, and the remaining three octets are used as | first 16 octets are the 128-bit AES key, and the remaining | |||
| the salt value in the counter block. | three octets are used as the salt value in the counter block. | |||
| AES-CCM with a 192 bit key | AES-CCM with a 192 bit key | |||
| SK_ei and SK_er are each 27 octets. The first 24 octets are | The KEYMAT requested for each AES-CCM key is 27 octets. The | |||
| the 192-bit AES key, and the remaining three octets are used as | first 24 octets are the 192-bit AES key, and the remaining | |||
| the salt value in the counter block. | three octets are used as the salt value in the counter block. | |||
| AES-CCM with a 256 bit key | AES-CCM with a 256 bit key | |||
| SK_ei and SK_er are each 35 octets. The first 32 octets are | The KEYMAT requested for each AES-CCM key is 35 octets. The | |||
| the 256-bit AES key, and the remaining three octets are used as | first 32 octets are the 256-bit AES key, and the remaining | |||
| the salt value in the counter block. | three octets are used as the salt value in the counter block. | |||
| 7.2. Phase 1 Identifier | 7.2. Phase 1 Identifier | |||
| This document does not specify the conventions for using AES-CCM for | This document does not specify the conventions for using AES-CCM for | |||
| IKE Phase 1 negotiations. For AES-CCM to be used in this manner, a | IKE Phase 1 negotiations. For AES-CCM to be used in this manner, a | |||
| separate specification is needed, and an Encryption Algorithm | separate specification is needed, and an Encryption Algorithm | |||
| Identifier needs to be assigned. | Identifier needs to be assigned. | |||
| 7.3. Phase 2 Identifier | 7.3. Phase 2 Identifier | |||
| skipping to change at page 9, line 16 ¶ | skipping to change at page 9, line 4 ¶ | |||
| 7.3. Phase 2 Identifier | 7.3. Phase 2 Identifier | |||
| For IKE Phase 2 negotiations, IANA has assigned three ESP Transform | For IKE Phase 2 negotiations, IANA has assigned three ESP Transform | |||
| Identifiers for AES-CCM with an explicit IV: | Identifiers for AES-CCM with an explicit IV: | |||
| <TBD1> for AES-CCM with an 8 octet ICV; | <TBD1> for AES-CCM with an 8 octet ICV; | |||
| <TBD2> for AES-CCM with a 12 octet ICV; and | <TBD2> for AES-CCM with a 12 octet ICV; and | |||
| <TBD3> for AES-CCM with a 16 octet ICV. | <TBD3> for AES-CCM with a 16 octet ICV. | |||
| 7.4. Key Length Attribute | 7.4. Key Length Attribute | |||
| Since the AES supports three key lengths, the Key Length attribute | Since the AES supports three key lengths, the Key Length attribute | |||
| MUST be specified in the IKE Phase 2 exchange [DOI]. The Key Length | MUST be specified in the IKE Phase 2 exchange [DOI]. The Key Length | |||
| attribute MUST have a value of 128, 192, or 256. | attribute MUST have a value of 128, 192, or 256. | |||
| 8. Test Vectors | 8. Test Vectors | |||
| To be supplied. | Section 8 of [CCM] provides test vectors that will assist | |||
| implementers with AES-CCM mode. | ||||
| 9. Security Considerations | 9. Security Considerations | |||
| AES-CCM employs counter (CTR) mode for confidentiality. If a counter | AES-CCM employs counter (CTR) mode for confidentiality. If a counter | |||
| value is ever used for more that one packet with the same key, then | value is ever used for more that one packet with the same key, then | |||
| the same key stream will be used to encrypt both packets, and the | the same key stream will be used to encrypt both packets, and the | |||
| confidentiality guarantees are voided. | confidentiality guarantees are voided. | |||
| What happens if the encryptor XORs the same key stream with two | What happens if the encryptor XORs the same key stream with two | |||
| different packet plaintexts? Suppose two packets are defined by two | different packet plaintexts? Suppose two packets are defined by two | |||
| skipping to change at page 10, line 23 ¶ | skipping to change at page 10, line 11 ¶ | |||
| When IKE is used to establish fresh keys between two peer entities, | When IKE is used to establish fresh keys between two peer entities, | |||
| separate keys are established for the two traffic flows. If a | separate keys are established for the two traffic flows. If a | |||
| different mechanism is used to establish fresh keys, one that | different mechanism is used to establish fresh keys, one that | |||
| establishes only a single key to encrypt packets, then there is a | establishes only a single key to encrypt packets, then there is a | |||
| high probability that the peers will select the same IV values for | high probability that the peers will select the same IV values for | |||
| some packets. Thus, to avoid counter block collisions, ESP | some packets. Thus, to avoid counter block collisions, ESP | |||
| implementations that permit use of the same key for encrypting and | implementations that permit use of the same key for encrypting and | |||
| decrypting packets with the same peer MUST ensure that the two peers | decrypting packets with the same peer MUST ensure that the two peers | |||
| assign different salt values to the security association (SA). | assign different salt values to the security association (SA). | |||
| AES with a 128-bit key is vulnerable to the birthday attack after | Regardless of the mode used, AES with a 128-bit key is vulnerable to | |||
| 2^64 blocks are encrypted with a single key, regardless of the mode | the birthday attack after 2^64 blocks are encrypted with a single | |||
| used. Since ESP with Extended Sequence Numbers allows for up to 2^64 | key. Since ESP with Extended Sequence Numbers allows for up to 2^64 | |||
| packets in a single security association (SA), there is real | packets in a single security association (SA), there is real | |||
| potential for more than 2^64 blocks to be encrypted with one key. | potential for more than 2^64 blocks to be encrypted with one key. | |||
| Implementations SHOULD generate a fresh key before 2^64 blocks are | Implementations SHOULD generate a fresh key before 2^64 blocks are | |||
| encrypted with the same key, or implementations SHOULD make use of | encrypted with the same key, or implementations SHOULD make use of | |||
| the longer AES key sizes. Note that ESP with 32-bit Sequence Numbers | the longer AES key sizes. Note that ESP with 32-bit Sequence Numbers | |||
| will not exceed 2^64 blocks even if all of the packets are maximum- | will not exceed 2^64 blocks even if all of the packets are maximum- | |||
| length Jumbograms. | length Jumbograms. | |||
| 10. Design Rationale | 10. Design Rationale | |||
| skipping to change at page 11, line 9 ¶ | skipping to change at page 10, line 44 ¶ | |||
| 1. Only the encryptor can ensure that the value is not used for | 1. Only the encryptor can ensure that the value is not used for | |||
| more than one packet, so there is no advantage to selecting a | more than one packet, so there is no advantage to selecting a | |||
| mechanism that allows the decryptor to determine whether counter | mechanism that allows the decryptor to determine whether counter | |||
| block values collide. Damage from the collision is done, whether | block values collide. Damage from the collision is done, whether | |||
| the decryptor detects it or not. | the decryptor detects it or not. | |||
| 2. The use of explicit IVs allows adders, LFSRs, and any other | 2. The use of explicit IVs allows adders, LFSRs, and any other | |||
| technique that meets the time budget of the encryptor, so long as | technique that meets the time budget of the encryptor, so long as | |||
| the technique results in a unique value for each packet. Adders | the technique results in a unique value for each packet. Adders | |||
| are simple and straightforward to implement, but due to carries, | are simple and straightforward to implement, but due to carries, | |||
| they do not execute in constant time. LSFRs offer an alternative | they do not execute in constant time. LFSRs offer an alternative | |||
| that executes in constant time. | that executes in constant time. | |||
| 3. Complexity is in control of the implementer. Further, the | 3. Complexity is in control of the implementer. Further, the | |||
| decision made by the implementer of the encryptor does not make | decision made by the implementer of the encryptor does not make | |||
| the decryptor more (or less) complex. | the decryptor more (or less) complex. | |||
| 4. The assignment of the per-packet counter block value needs to | 4. The assignment of the per-packet counter block value needs to | |||
| be inside the assurance boundary. Some implementations assign the | be inside the assurance boundary. Some implementations assign the | |||
| sequence number inside the assurance boundary, but others do not. | sequence number inside the assurance boundary, but others do not. | |||
| A sequence number collision does not have the dire consequences, | A sequence number collision does not have the dire consequences, | |||
| skipping to change at page 12, line 19 ¶ | skipping to change at page 12, line 19 ¶ | |||
| One of the most attractive aspects of CCM mode is that it is | One of the most attractive aspects of CCM mode is that it is | |||
| unencumbered by patents. I acknowledge the companies that supported | unencumbered by patents. I acknowledge the companies that supported | |||
| the development of an unencumbered authenticated encryption mode (in | the development of an unencumbered authenticated encryption mode (in | |||
| alphabetical order): | alphabetical order): | |||
| Hifn | Hifn | |||
| Intersil | Intersil | |||
| MacFergus | MacFergus | |||
| RSA Security | RSA Security | |||
| Also, I thank Tero Kivinen for his comprehensive review of this | ||||
| document. | ||||
| 13. References | 13. References | |||
| This section provides normative and informative references. | This section provides normative and informative references. | |||
| 13.1. Normative References | 13.1. Normative References | |||
| [AES] NIST, FIPS PUB 197, "Advanced Encryption Standard | [AES] NIST, FIPS PUB 197, "Advanced Encryption Standard | |||
| (AES)," November 2001. | (AES)," November 2001. | |||
| [DOI] Piper, D., "The Internet IP Security Domain of | [DOI] Piper, D., "The Internet IP Security Domain of | |||
| End of changes. 12 change blocks. | ||||
| 33 lines changed or deleted | 24 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||