| < draft-ietf-ipsecme-chacha20-poly1305-05.txt | draft-ietf-ipsecme-chacha20-poly1305-06.txt > | |||
|---|---|---|---|---|
| Network Working Group Y. Nir | Network Working Group Y. Nir | |||
| Internet-Draft Check Point | Internet-Draft Check Point | |||
| Intended status: Standards Track April 27, 2015 | Intended status: Standards Track April 28, 2015 | |||
| Expires: October 29, 2015 | Expires: October 30, 2015 | |||
| ChaCha20, Poly1305 and their use in IKE & IPsec | ChaCha20, Poly1305 and their use in IKE & IPsec | |||
| draft-ietf-ipsecme-chacha20-poly1305-05 | draft-ietf-ipsecme-chacha20-poly1305-06 | |||
| Abstract | Abstract | |||
| This document describes the use of the ChaCha20 stream cipher along | This document describes the use of the ChaCha20 stream cipher along | |||
| with the Poly1305 authenticator, combined into an AEAD algorithm for | with the Poly1305 authenticator, combined into an AEAD algorithm for | |||
| the Internet Key Exchange protocol (IKEv2) and for IPsec. | the Internet Key Exchange protocol (IKEv2) and for IPsec. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 32 ¶ | skipping to change at page 1, line 32 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on October 29, 2015. | This Internet-Draft will expire on October 30, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 15 ¶ | skipping to change at page 2, line 15 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Conventions Used in This Document . . . . . . . . . . . . 3 | 1.1. Conventions Used in This Document . . . . . . . . . . . . 3 | |||
| 2. ChaCha20 & Poly1305 for ESP . . . . . . . . . . . . . . . . . 3 | 2. ChaCha20 & Poly1305 for ESP . . . . . . . . . . . . . . . . . 3 | |||
| 2.1. AAD Construction . . . . . . . . . . . . . . . . . . . . 4 | 2.1. AAD Construction . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Use in IKEv2 . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Use in IKEv2 . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Negotiation in IKEv2 . . . . . . . . . . . . . . . . . . . . 5 | 4. Negotiation in IKEv2 . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 6 | 8.2. Informative References . . . . . . . . . . . . . . . . . 6 | |||
| Appendix A. ESP Example . . . . . . . . . . . . . . . . . . . . 7 | Appendix A. ESP Example . . . . . . . . . . . . . . . . . . . . 7 | |||
| Appendix B. IKEv2 Example . . . . . . . . . . . . . . . . . . . 9 | Appendix B. IKEv2 Example . . . . . . . . . . . . . . . . . . . 9 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 1. Introduction | 1. Introduction | |||
| The Advanced Encryption Standard (AES - [FIPS-197]) has become the | The Advanced Encryption Standard (AES - [FIPS-197]) has become the | |||
| skipping to change at page 2, line 38 ¶ | skipping to change at page 2, line 38 ¶ | |||
| many areas, including IPsec VPNs. On most modern platforms, AES is | many areas, including IPsec VPNs. On most modern platforms, AES is | |||
| anywhere from 4x to 10x as fast as the previous most-used cipher, | anywhere from 4x to 10x as fast as the previous most-used cipher, | |||
| 3-key Data Encryption Standard (3DES - [SP800-67]). 3DES also has a | 3-key Data Encryption Standard (3DES - [SP800-67]). 3DES also has a | |||
| 64-bit block, which means that the amount of data that can be | 64-bit block, which means that the amount of data that can be | |||
| encrypted before rekeying is required is not great. These reasons | encrypted before rekeying is required is not great. These reasons | |||
| make AES not only the best choice, but the only choice. | make AES not only the best choice, but the only choice. | |||
| The problem is that if future advances in cryptanalysis reveal a | The problem is that if future advances in cryptanalysis reveal a | |||
| weakness in AES, VPN users will be in an unenviable position. With | weakness in AES, VPN users will be in an unenviable position. With | |||
| the only other widely supported cipher being the much slower 3DES, it | the only other widely supported cipher being the much slower 3DES, it | |||
| is not feasible to re-configure IPsec installations to use 3DES. | is not feasible to re-configure IPsec installations away from AES. | |||
| [standby-cipher] describes this issue and the need for a standby | [standby-cipher] describes this issue and the need for a standby | |||
| cipher in greater detail. | cipher in greater detail. | |||
| This document proposes the ChaCha20 stream cipher as such a standby | This document proposes the fast and secure ChaCha20 stream cipher as | |||
| cipher in an Authenticated Encryption with Associated Data (AEAD) | such a standby cipher in an Authenticated Encryption with Associated | |||
| construction with the Poly1305 authenticator for use with the | Data (AEAD) construction with the Poly1305 authenticator for use with | |||
| Encapsulated Security Protocol (ESP - [RFC4303]) and the Internet Key | the Encapsulated Security Protocol (ESP - [RFC4303]) and the Internet | |||
| Exchange Protocol (IKEv2 - [RFC7296]). The algorithms are described | Key Exchange Protocol (IKEv2 - [RFC7296]). The algorithms are | |||
| in a separate document ([chacha_poly]). This document only describes | described in a separate document ([chacha_poly]). This document only | |||
| the IPsec-specific things. | describes the IPsec-specific things. | |||
| 1.1. Conventions Used in This Document | 1.1. Conventions Used in This Document | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 2. ChaCha20 & Poly1305 for ESP | 2. ChaCha20 & Poly1305 for ESP | |||
| AEAD_CHACHA20_POLY1305 is a combined mode algorithm, or AEAD. The | AEAD_CHACHA20_POLY1305 is a combined mode algorithm, or AEAD. The | |||
| skipping to change at page 3, line 47 ¶ | skipping to change at page 3, line 47 ¶ | |||
| o The key is set as mentioned above. | o The key is set as mentioned above. | |||
| o The 96-bit nonce is formed from a concatenation of the 32-bit Salt | o The 96-bit nonce is formed from a concatenation of the 32-bit Salt | |||
| and the 64-bit IV, as described above. | and the 64-bit IV, as described above. | |||
| o The Initial Block Counter is set to one (1). The reason that one | o The Initial Block Counter is set to one (1). The reason that one | |||
| is used for the initial counter rather than zero is that zero is | is used for the initial counter rather than zero is that zero is | |||
| reserved for generating the one-time Poly1305 key (see below) | reserved for generating the one-time Poly1305 key (see below) | |||
| As the ChaCha20 block function is not applied directly to the | As the ChaCha20 block function is not applied directly to the | |||
| plaintext, no padding should be necessary. However, in keeping with | plaintext, no padding should be necessary. However, in keeping with | |||
| the specification in RFC 4303, the plaintext always has a pad length | the specification in RFC 4303, the plaintext always has a pad length | |||
| octet and may require padding bytes so as to align the buffer to an | octet and a Next Header octet and may require padding bytes so as to | |||
| integral multiple of 4 octets. | align the buffer to an integral multiple of 4 octets. | |||
| The same key and nonce, along with a block counter of zero are passed | The same key and nonce, along with a block counter of zero are passed | |||
| to the ChaCha20 block function, and the top 256 bits of the result | to the ChaCha20 block function, and the top 256 bits of the result | |||
| are used as the Poly1305 key. The nonce passed to the block function | are used as the Poly1305 key. The nonce passed to the block function | |||
| here is the same nonce that is used in ChaCha20, including the 32-bit | here is the same nonce that is used in ChaCha20, including the 32-bit | |||
| Salt, and the key passed is the same as the encryption key. | Salt, and the key passed is the same as the encryption key. | |||
| Finally, the Poly1305 function is run on the data to be | Finally, the Poly1305 function is run on the data to be | |||
| authenticated, which is, as specified in section 2.8 of [chacha_poly] | authenticated, which is, as specified in section 2.8 of [chacha_poly] | |||
| a concatenation of the following in the below order: | a concatenation of the following in the below order: | |||
| o The Authenticated Additional Data (AAD) - see Section 2.1. | o The Authenticated Additional Data (AAD) - see Section 2.1. | |||
| o Padding that rounds the length up to 16 bytes. This is 4 or 8 | o Zero-octet padding that rounds the length up to 16 bytes. This is | |||
| bytes depending on whether extended sequence numbers (ESN) is set | 4 or 8 bytes depending on the length of the AAD. | |||
| for the SA. The padding is all zeros. | ||||
| o The ciphertext | o The ciphertext | |||
| o Padding that rounds the total length up to an integral multiple of | o Zero octet padding that rounds the total length up to an integral | |||
| 16 bytes. This padding is also all zeros. | multiple of 16 bytes. | |||
| o The length of the additional authenticated data (AAD) in octets | o The length of the additional authenticated data (AAD) in octets | |||
| (as a 64-bit little-endian integer). | (as a 64-bit little-endian integer). | |||
| o The length of the ciphertext in octets (as a 64-bit little-endian | o The length of the ciphertext in octets (as a 64-bit little-endian | |||
| integer). | integer). | |||
| The 128-bit output of Poly1305 is used as the tag. All 16 bytes are | The 128-bit output of Poly1305 is used as the tag. All 16 bytes are | |||
| included in the packet. | included in the packet. | |||
| The encryption algorithm transform ID for negotiating this algorithm | The encryption algorithm transform ID for negotiating this algorithm | |||
| in IKE is TBA by IANA. | in IKE is TBA by IANA. | |||
| skipping to change at page 4, line 45 ¶ | skipping to change at page 4, line 44 ¶ | |||
| For SAs with ESN the AAD is 12 bytes: 4-byte SPI followed by an | For SAs with ESN the AAD is 12 bytes: 4-byte SPI followed by an | |||
| 8-byte sequence number as a 64-bit network order integer. | 8-byte sequence number as a 64-bit network order integer. | |||
| 3. Use in IKEv2 | 3. Use in IKEv2 | |||
| AEAD algorithms can be used in IKE, as described in [RFC5282]. More | AEAD algorithms can be used in IKE, as described in [RFC5282]. More | |||
| specifically: | specifically: | |||
| o The Encrypted Payload is as described in section 3 of that | o The Encrypted Payload is as described in section 3 of that | |||
| document. | document. | |||
| o The ChaCha20-Poly1305 keying material is derived from KEYMAT as | o The ChaCha20-Poly1305 keying material is derived similar to ESP: | |||
| for ESP: 36 octets are requested, of which the first 32 form the | 36 octets are requested for each of SK_ei and SK_er, of which the | |||
| key and the last 4 form the salt. | first 32 form the key and the last 4 form the salt. No octets are | |||
| o The IV is 64 bits, as described in Section 2. | requested for SK_ai and SK_ar. | |||
| o The IV is 64 bits, as described in Section 2, and is included | ||||
| explicitly in the Encrypted payload. | ||||
| o The sender SHOULD include no padding and set the Pad Length field | ||||
| to zero. The receiver MUST accept any length of padding. | ||||
| o The AAD is as described in section 5.1 of RFC 5282, so it's 32 | o The AAD is as described in section 5.1 of RFC 5282, so it's 32 | |||
| bytes (28 for the IKEv2 header + 4 bytes for the encrypted payload | bytes (28 for the IKEv2 header + 4 bytes for the encrypted payload | |||
| header) assuming no unencrypted payloads. | header) assuming no unencrypted payloads. | |||
| 4. Negotiation in IKEv2 | 4. Negotiation in IKEv2 | |||
| When negotiating the ChaCha20-Poly1305 algorithm for use in IKE or | When negotiating the ChaCha20-Poly1305 algorithm for use in IKE or | |||
| IPsec, the value xxx (TBA by IANA) should be used in the transform | IPsec, the value xxx (TBA by IANA) should be used in the transform | |||
| substructure of the SA payload as the ENCR (type 1) transform ID. As | substructure of the SA payload as the ENCR (type 1) transform ID. As | |||
| with other AEAD algorithms, INTEG (type 3) transform substructures | with other AEAD algorithms, INTEG (type 3) transform substructures | |||
| skipping to change at page 5, line 34 ¶ | skipping to change at page 5, line 38 ¶ | |||
| is the uniqueness of the nonce used in ChaCha20. The nonce should be | is the uniqueness of the nonce used in ChaCha20. The nonce should be | |||
| selected uniquely for a particular key, but unpredictability of the | selected uniquely for a particular key, but unpredictability of the | |||
| nonce is not required. Counters and LFSRs are both acceptable ways | nonce is not required. Counters and LFSRs are both acceptable ways | |||
| of generating unique nonces. | of generating unique nonces. | |||
| Another issue with implementing these algorithms is avoiding side | Another issue with implementing these algorithms is avoiding side | |||
| channels. This is trivial for ChaCha20, but requires some care for | channels. This is trivial for ChaCha20, but requires some care for | |||
| Poly1305. Considerations for implementations of these algorithms are | Poly1305. Considerations for implementations of these algorithms are | |||
| in the [chacha_poly] document. | in the [chacha_poly] document. | |||
| The Salt value in used nonce construction in ESP and IKEv2 is derived | ||||
| from the keystream, same as the encryption key. It is never | ||||
| transmitted on the wire, but the security of the algorithm does not | ||||
| depend on its secrecy. Thus implementations that keep keys and other | ||||
| secret material within some security boundary MAY export the Salt | ||||
| from the security boundary. This may be useful if the API provided | ||||
| by the library accepts the nonce as parameter rather than the IV. | ||||
| 6. IANA Considerations | 6. IANA Considerations | |||
| IANA is requested to assign one value from the IKEv2 "Transform Type | IANA is requested to assign one value from the IKEv2 "Transform Type | |||
| 1 - Encryption Algorithm Transform IDs" registry, with name | 1 - Encryption Algorithm Transform IDs" registry, with name | |||
| ENCR_CHACHA20_POLY1305, and this document as reference for both ESP | ENCR_CHACHA20_POLY1305, and this document as reference for both ESP | |||
| and IKEv2. | and IKEv2. | |||
| 7. Acknowledgements | 7. Acknowledgements | |||
| All of the algorithms in this document were designed by D. J. | All of the algorithms in this document were designed by D. J. | |||
| Bernstein. The AEAD construction was designed by Adam Langley. The | Bernstein. The AEAD construction was designed by Adam Langley. The | |||
| author would also like to thank Adam for helpful comments, as well as | author would also like to thank Adam for helpful comments, as well as | |||
| Yaron Sheffer for telling me to write the algorithms draft. Thanks | Yaron Sheffer for telling me to write the algorithms draft. Thanks | |||
| also to Martin Willi for pointing out the discrepancy with the final | also to Martin Willi for pointing out the discrepancy with the final | |||
| version of the algorithm document, and to Valery Smyslov and Tero | version of the algorithm document, and to Valery Smyslov and Tero | |||
| Kivinen for helpful comments on this draft. | Kivinen for helpful comments on this draft. Thanks to Steve Doyle | |||
| and Martin Willi for pointing out mistakes in my examples. | ||||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC | [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC | |||
| 4303, December 2005. | 4303, December 2005. | |||
| skipping to change at page 7, line 44 ¶ | skipping to change at page 8, line 4 ¶ | |||
| 032 00 07 36 27 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ..6'............ | 032 00 07 36 27 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ..6'............ | |||
| 048 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 ............ !"# | 048 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 ............ !"# | |||
| 064 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 $%&'()*+,-./0123 | 064 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 $%&'()*+,-./0123 | |||
| 080 34 35 36 37 4567 | 080 34 35 36 37 4567 | |||
| The SA details are as follows: | The SA details are as follows: | |||
| o The key and Salt are as above. | o The key and Salt are as above. | |||
| o The SPI is 0x01 0x02 0x03 0x04. | o The SPI is 0x01 0x02 0x03 0x04. | |||
| o The next sequence number is 5; ESN is not enabled. | o The next sequence number is 5; ESN is not enabled. | |||
| o The gateway IP address for this side is 203.0.113.153; The peer | o The gateway IP address for this side is 203.0.113.153; The peer | |||
| address is 203.0.113.5. | address is 203.0.113.5. | |||
| o NAT was not detected. | o NAT was not detected. | |||
| The 64-bit IV is 0x10 0x11 0x12 0x13 0x14 0x15 0x16 0x17. Putting | The 64-bit IV is 0x10 0x11 0x12 0x13 0x14 0x15 0x16 0x17. Putting | |||
| together the salt and IV we get the nonce: | together the salt and IV we get the nonce: | |||
| The nonce: | The nonce: | |||
| 000 a0 a1 a2 a3 10 11 12 13 14 15 16 17 ............ | 000 a0 a1 a2 a3 10 11 12 13 14 15 16 17 ............ | |||
| The plaintext to encrypt consists of the source IP packet plus the | The plaintext to encrypt consists of the source IP packet plus the | |||
| padding: | padding: | |||
| Plaintext (includes padding and pad length): | Plaintext (includes padding and pad length): | |||
| 000 45 00 00 54 a6 f2 00 00 40 01 e7 78 c6 33 64 05 E..T....@..x.3d. | 000 45 00 00 54 a6 f2 00 00 40 01 e7 78 c6 33 64 05 E..T....@..x.3d. | |||
| 016 c0 00 02 05 08 00 5b 7a 3a 08 00 00 55 3b ec 10 ......[z:...U;.. | 016 c0 00 02 05 08 00 5b 7a 3a 08 00 00 55 3b ec 10 ......[z:...U;.. | |||
| 032 00 07 36 27 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ..6'............ | 032 00 07 36 27 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ..6'............ | |||
| 048 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 ............ !"# | 048 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 ............ !"# | |||
| 064 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 $%&'()*+,-./0123 | 064 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 $%&'()*+,-./0123 | |||
| 080 34 35 36 37 01 02 03 03 4567.... | 080 34 35 36 37 01 02 02 04 4567.... | |||
| With the key, nonce and plaintext available, we can call the ChaCha20 | With the key, nonce and plaintext available, we can call the ChaCha20 | |||
| function and encrypt the packet, producing the ciphertext: | function and encrypt the packet, producing the ciphertext: | |||
| Ciphertext: | Ciphertext: | |||
| 000 24 03 94 28 b9 7f 41 7e 3c 13 75 3a 4f 05 08 7b $..(..A~<.u:O..{ | 000 24 03 94 28 b9 7f 41 7e 3c 13 75 3a 4f 05 08 7b $..(..A~<.u:O..{ | |||
| 016 67 c3 52 e6 a7 fa b1 b9 82 d4 66 ef 40 7a e5 c6 g.R.......f.@z.. | 016 67 c3 52 e6 a7 fa b1 b9 82 d4 66 ef 40 7a e5 c6 g.R.......f.@z.. | |||
| 032 14 ee 80 99 d5 28 44 eb 61 aa 95 df ab 4c 02 f7 .....(D.a....L.. | 032 14 ee 80 99 d5 28 44 eb 61 aa 95 df ab 4c 02 f7 .....(D.a....L.. | |||
| 048 2a a7 1e 7c 4c 4f 64 c9 be fe 2f ac c6 38 e8 f3 *..|LOd.../..8.. | 048 2a a7 1e 7c 4c 4f 64 c9 be fe 2f ac c6 38 e8 f3 *..|LOd.../..8.. | |||
| 064 cb ec 16 3f ac 46 9b 50 27 73 f6 fb 94 e6 64 da ...?.F.P's....d. | 064 cb ec 16 3f ac 46 9b 50 27 73 f6 fb 94 e6 64 da ...?.F.P's....d. | |||
| 080 91 65 b8 28 29 f6 40 e7 .e.().@. | 080 91 65 b8 28 29 f6 41 e0 .e.().A. | |||
| To calculate the tag, we need a one-time Poly1305 key, which we | To calculate the tag, we need a one-time Poly1305 key, which we | |||
| calculate by calling the ChaCha20 function again with the same key | calculate by calling the ChaCha20 function again with the same key | |||
| and nonce, but a block count of zero. | and nonce, but a block count of zero. | |||
| Poly1305 one-time key: | Poly1305 one-time key: | |||
| 000 af 1f 41 2c c1 15 ad ce 5e 4d 0e 29 d5 c1 30 bf ..A,....^M.)..0. | 000 af 1f 41 2c c1 15 ad ce 5e 4d 0e 29 d5 c1 30 bf ..A,....^M.)..0. | |||
| 016 46 31 21 0e 0f ef 74 31 c0 45 4f e7 0f d7 c2 d1 F1!...t1.EO..... | 016 46 31 21 0e 0f ef 74 31 c0 45 4f e7 0f d7 c2 d1 F1!...t1.EO..... | |||
| The AAD is constructed by concatenating the SPI to the sequence | The AAD is constructed by concatenating the SPI to the sequence | |||
| skipping to change at page 8, line 50 ¶ | skipping to change at page 9, line 12 ¶ | |||
| The input to the Poly1305 function is constructed by concatenating | The input to the Poly1305 function is constructed by concatenating | |||
| and padding the AAD and ciphertext: | and padding the AAD and ciphertext: | |||
| Poly1305 Input: | Poly1305 Input: | |||
| 000 01 02 03 04 00 00 00 05 00 00 00 00 00 00 00 00 ................ | 000 01 02 03 04 00 00 00 05 00 00 00 00 00 00 00 00 ................ | |||
| 016 24 03 94 28 b9 7f 41 7e 3c 13 75 3a 4f 05 08 7b $..(..A~<.u:O..{ | 016 24 03 94 28 b9 7f 41 7e 3c 13 75 3a 4f 05 08 7b $..(..A~<.u:O..{ | |||
| 032 67 c3 52 e6 a7 fa b1 b9 82 d4 66 ef 40 7a e5 c6 g.R.......f.@z.. | 032 67 c3 52 e6 a7 fa b1 b9 82 d4 66 ef 40 7a e5 c6 g.R.......f.@z.. | |||
| 048 14 ee 80 99 d5 28 44 eb 61 aa 95 df ab 4c 02 f7 .....(D.a....L.. | 048 14 ee 80 99 d5 28 44 eb 61 aa 95 df ab 4c 02 f7 .....(D.a....L.. | |||
| 064 2a a7 1e 7c 4c 4f 64 c9 be fe 2f ac c6 38 e8 f3 *..|LOd.../..8.. | 064 2a a7 1e 7c 4c 4f 64 c9 be fe 2f ac c6 38 e8 f3 *..|LOd.../..8.. | |||
| 080 cb ec 16 3f ac 46 9b 50 27 73 f6 fb 94 e6 64 da ...?.F.P's....d. | 080 cb ec 16 3f ac 46 9b 50 27 73 f6 fb 94 e6 64 da ...?.F.P's....d. | |||
| 096 91 65 b8 28 29 f6 40 e7 00 00 00 00 00 00 00 00 .e.().@......... | 096 91 65 b8 28 29 f6 41 e0 00 00 00 00 00 00 00 00 .e.().A......... | |||
| 112 08 00 00 00 00 00 00 00 58 00 00 00 00 00 00 00 ........X....... | 112 08 00 00 00 00 00 00 00 58 00 00 00 00 00 00 00 ........X....... | |||
| The resulting tag is: | The resulting tag is: | |||
| Tag: | Tag: | |||
| 000 f0 5f ff a1 a0 cc cd de 88 a3 e8 9a 21 2b 18 ba ._..........!+.. | 000 76 aa a8 26 6b 7f b0 f7 b1 1b 36 99 07 e1 ad 43 v..&k.....6....C | |||
| Putting it all together, the resulting packet is as follows: | Putting it all together, the resulting packet is as follows: | |||
| ESP packet: | ESP packet: | |||
| 000 45 00 00 8c 23 45 00 00 40 32 de 5b cb 00 71 99 E...#E..@2.[..q. | 000 45 00 00 8c 23 45 00 00 40 32 de 5b cb 00 71 99 E...#E..@2.[..q. | |||
| 016 cb 00 71 05 01 02 03 04 00 00 00 05 10 11 12 13 ..q............. | 016 cb 00 71 05 01 02 03 04 00 00 00 05 10 11 12 13 ..q............. | |||
| 032 14 15 16 17 24 03 94 28 b9 7f 41 7e 3c 13 75 3a ....$..(..A~<.u: | 032 14 15 16 17 24 03 94 28 b9 7f 41 7e 3c 13 75 3a ....$..(..A~<.u: | |||
| 048 4f 05 08 7b 67 c3 52 e6 a7 fa b1 b9 82 d4 66 ef O..{g.R.......f. | 048 4f 05 08 7b 67 c3 52 e6 a7 fa b1 b9 82 d4 66 ef O..{g.R.......f. | |||
| 064 40 7a e5 c6 14 ee 80 99 d5 28 44 eb 61 aa 95 df @z.......(D.a... | 064 40 7a e5 c6 14 ee 80 99 d5 28 44 eb 61 aa 95 df @z.......(D.a... | |||
| 080 ab 4c 02 f7 2a a7 1e 7c 4c 4f 64 c9 be fe 2f ac .L..*..|LOd.../. | 080 ab 4c 02 f7 2a a7 1e 7c 4c 4f 64 c9 be fe 2f ac .L..*..|LOd.../. | |||
| 096 c6 38 e8 f3 cb ec 16 3f ac 46 9b 50 27 73 f6 fb .8.....?.F.P's.. | 096 c6 38 e8 f3 cb ec 16 3f ac 46 9b 50 27 73 f6 fb .8.....?.F.P's.. | |||
| 112 94 e6 64 da 91 65 b8 28 29 f6 40 e7 f0 5f ff a1 ..d..e.().@.._.. | 112 94 e6 64 da 91 65 b8 28 29 f6 41 e0 76 aa a8 26 ..d..e.().A.v..& | |||
| 128 a0 cc cd de 88 a3 e8 9a 21 2b 18 ba ........!+.. | 128 6b 7f b0 f7 b1 1b 36 99 07 e1 ad 43 k.....6....C | |||
| Appendix B. IKEv2 Example | Appendix B. IKEv2 Example | |||
| For the IKEv2 example, we'll use the following: | For the IKEv2 example, we'll use the following: | |||
| o The key is 0x80..0x9f, the same as in Appendix A. | o The key is 0x80..0x9f, the same as in Appendix A. | |||
| o The Salt is 0xa0 0xa1 0xa2 0xa3. | o The Salt is 0xa0 0xa1 0xa2 0xa3. | |||
| o The IV will also be the same as in the previous example. The fact | o The IV will also be the same as in the previous example. The fact | |||
| that the IV and Salt are both the same means that the nonce is | that the IV and Salt are both the same means that the nonce is | |||
| also the same. | also the same. | |||
| skipping to change at page 9, line 44 ¶ | skipping to change at page 10, line 5 ¶ | |||
| o The packet with be an Informational request carrying a single | o The packet with be an Informational request carrying a single | |||
| payload: A Notify payload with type SET_WINDOW_SIZE, setting the | payload: A Notify payload with type SET_WINDOW_SIZE, setting the | |||
| window size to 10. | window size to 10. | |||
| o iSPI = 0xc0 0xc1 0xc2 0xc3 0xc4 0xc5 0xc6 0xc7. | o iSPI = 0xc0 0xc1 0xc2 0xc3 0xc4 0xc5 0xc6 0xc7. | |||
| o rSPI = 0xd0 0xd1 0xd2 0xd3 0xd4 0xd5 0xd6 0xd7. | o rSPI = 0xd0 0xd1 0xd2 0xd3 0xd4 0xd5 0xd6 0xd7. | |||
| o Message ID shall be 9. | o Message ID shall be 9. | |||
| The Notify Payload: | The Notify Payload: | |||
| 000 00 00 00 0c 00 00 40 01 00 00 00 0a ......@..... | 000 00 00 00 0c 00 00 40 01 00 00 00 0a ......@..... | |||
| Padding as required by RFC 7296 is 4 bytes long. | Plaintext (with no padding and a zero pad length): | |||
| 000 00 00 00 0c 00 00 40 01 00 00 00 0a 00 ......@...... | ||||
| Plaintext (includes padding and pad length): | Ciphertext: | |||
| 000 00 00 00 0c 00 00 40 01 00 00 00 0a 01 02 03 03 ......@......... | 000 61 03 94 70 1f 8d 01 7f 7c 12 92 48 89 a..p....|..H. | |||
| Ciphertext: | ||||
| 000 61 03 94 70 1f 8d 01 7f 7c 12 92 48 88 34 6f 7d a..p....|..H.4o} | ||||
| The AAD is constructed by appending the IKE header to the encrypted | The AAD is constructed by appending the IKE header to the encrypted | |||
| payload header. Note that the length field in the IKE header and the | payload header. Note that the length field in the IKE header and the | |||
| length field in the encrypted payload header have to be calculated | length field in the encrypted payload header have to be calculated | |||
| before constructing the AAD: | before constructing the AAD: | |||
| AAD: | AAD: | |||
| 000 c0 c1 c2 c3 c4 c5 c6 c7 d0 d1 d2 d3 d4 d5 d6 d7 ................ | 000 c0 c1 c2 c3 c4 c5 c6 c7 d0 d1 d2 d3 d4 d5 d6 d7 ................ | |||
| 016 2e 20 25 00 00 00 00 09 00 00 00 48 00 00 00 2c . %........H..., | 016 2e 20 25 00 00 00 00 09 00 00 00 45 29 00 00 29 . %........E)..) | |||
| In this case, the length of the AAD is an integral multiple of 16, so | In this case, the length of the AAD is an integral multiple of 16, so | |||
| when constructing the input to Poly1305 there was no need for | when constructing the input to Poly1305 there was no need for | |||
| padding. The ciphertext is also 16 octets long, so the construction | padding. The ciphertext is also 16 octets long, so the construction | |||
| has no padding at all. Just 32 octets of AAD, 16 octets of | has no padding at all. Just 32 octets of AAD, 16 octets of | |||
| ciphertext, and two 8-octet length fields in little-endian encoding. | ciphertext, and two 8-octet length fields in little-endian encoding. | |||
| Poly1305 Input: | Poly1305 Input: | |||
| 000 c0 c1 c2 c3 c4 c5 c6 c7 d0 d1 d2 d3 d4 d5 d6 d7 ................ | 000 c0 c1 c2 c3 c4 c5 c6 c7 d0 d1 d2 d3 d4 d5 d6 d7 ................ | |||
| 016 2e 20 25 00 00 00 00 09 00 00 00 48 00 00 00 2c . %........H..., | 016 2e 20 25 00 00 00 00 09 00 00 00 45 29 00 00 29 . %........E)..) | |||
| 032 61 03 94 70 1f 8d 01 7f 7c 12 92 48 88 34 6f 7d a..p....|..H.4o} | 032 61 03 94 70 1f 8d 01 7f 7c 12 92 48 89 00 00 00 a..p....|..H.... | |||
| 048 20 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 ............... | 048 20 00 00 00 00 00 00 00 0d 00 00 00 00 00 00 00 ............... | |||
| Tag: | Tag: | |||
| 000 92 7a e2 94 79 59 24 93 a9 aa 97 d6 cc c6 b5 b4 .z..yY$......... | 000 6b 71 bf e2 52 36 ef d7 cd c6 70 66 90 63 15 b2 kq..R6....pf.c.. | |||
| Encrypted Payload: | Encrypted Payload: | |||
| 000 00 00 00 2c 10 11 12 13 14 15 16 17 61 03 94 70 ...,........a..p | 000 29 00 00 29 10 11 12 13 14 15 16 17 61 03 94 70 )..)........a..p | |||
| 016 1f 8d 01 7f 7c 12 92 48 88 34 6f 7d 92 7a e2 94 ....|..H.4o}.z.. | 016 1f 8d 01 7f 7c 12 92 48 89 6b 71 bf e2 52 36 ef ....|..H.kq..R6. | |||
| 032 79 59 24 93 a9 aa 97 d6 cc c6 b5 b4 yY$......... | 032 d7 cd c6 70 66 90 63 15 b2 ...pf.c.. | |||
| The IKE Message: | The IKE Message: | |||
| 000 c0 c1 c2 c3 c4 c5 c6 c7 d0 d1 d2 d3 d4 d5 d6 d7 ................ | 000 c0 c1 c2 c3 c4 c5 c6 c7 d0 d1 d2 d3 d4 d5 d6 d7 ................ | |||
| 016 2e 20 25 00 00 00 00 09 00 00 00 48 00 00 00 2c . %........H..., | 016 2e 20 25 00 00 00 00 09 00 00 00 45 29 00 00 29 . %........E)..) | |||
| 032 10 11 12 13 14 15 16 17 61 03 94 70 1f 8d 01 7f ........a..p.... | 032 10 11 12 13 14 15 16 17 61 03 94 70 1f 8d 01 7f ........a..p.... | |||
| 048 7c 12 92 48 88 34 6f 7d 92 7a e2 94 79 59 24 93 |..H.4o}.z..yY$. | 048 7c 12 92 48 89 6b 71 bf e2 52 36 ef d7 cd c6 70 |..H.kq..R6....p | |||
| 064 a9 aa 97 d6 cc c6 b5 b4 ........ | 064 66 90 63 15 b2 f.c.. | |||
| The below file in the snoop format [RFC1761] contains three packets: | The below file in the snoop format [RFC1761] contains three packets: | |||
| The first is the ICMP packet from the example in the Appendix A, the | The first is the ICMP packet from the example in the Appendix A, the | |||
| second is the ESP packet from the same appendix, and the third is the | second is the ESP packet from the same appendix, and the third is the | |||
| IKEv2 packet from this appendix. To convert this text back into a | IKEv2 packet from this appendix. To convert this text back into a | |||
| file, you can use a Unix command line tools such as "openssl enc -d | file, you can use a Unix command line tools such as "openssl enc -d | |||
| -a": | -a": | |||
| c25vb3AAAAAAAAACAAAABAAAAGIAAABiAAAAegAAAABVPR8iAAADVdhs6fUQBHgx | c25vb3AAAAAAAAACAAAABAAAAGIAAABiAAAAegAAAABVPq8PAAADVdhs6fUQBHgx | |||
| wbcpwggARQAAVKbyAABAAed4xjNkBcAAAgUIAFt6OggAAFU77BAABzYnCAkKCwwN | wbcpwggARQAAVKbyAABAAed4xjNkBcAAAgUIAFt6OggAAFU77BAABzYnCAkKCwwN | |||
| Dg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3AAAAmgAA | Dg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3AAAAmgAA | |||
| AJoAAACyAAAAAFU9HyIAAAo62Gzp9RAEeDHBtynCCABFAACMI0UAAEAy3lvLAHGZ | AJoAAACyAAAAAFU+rw8AAAo62Gzp9RAEeDHBtynCCABFAACMI0UAAEAy3lvLAHGZ | |||
| ywBxBQECAwQAAAAFEBESExQVFhckA5QouX9BfjwTdTpPBQh7Z8NS5qf6sbmC1Gbv | ywBxBQECAwQAAAAFEBESExQVFhckA5QouX9BfjwTdTpPBQh7Z8NS5qf6sbmC1Gbv | |||
| QHrlxhTugJnVKETrYaqV36tMAvcqpx58TE9kyb7+L6zGOOjzy+wWP6xGm1Anc/b7 | QHrlxhTugJnVKETrYaqV36tMAvcqpx58TE9kyb7+L6zGOOjzy+wWP6xGm1Anc/b7 | |||
| lOZk2pFluCgp9kDn8F//oaDMzd6Io+iaISsYugAAAHIAAAByAAAAigAAAABVPR8i | lOZk2pFluCgp9kHgdqqoJmt/sPexGzaZB+GtQwAAAG8AAABvAAAAhwAAAABVPq8P | |||
| AAARH9hs6fUQBHgxwbcpwggARQAAZCNFAABAEd6kywBxmcsAcQUB9AH0AFCQ7MDB | AAARH9hs6fUQBHgxwbcpwggARQAAYSNFAABAEd6nywBxmcsAcQUB9AH0AE0IUcDB | |||
| wsPExcbH0NHS09TV1tcuICUAAAAACQAAAEgAAAAsEBESExQVFhdhA5RwH40Bf3wS | wsPExcbH0NHS09TV1tcuICUAAAAACQAAAEUpAAApEBESExQVFhdhA5RwH40Bf3wS | |||
| kkiING99knrilHlZJJOpqpfWzMa1tA== | kkiJa3G/4lI279fNxnBmkGMVsg== | |||
| Author's Address | Author's Address | |||
| Yoav Nir | Yoav Nir | |||
| Check Point Software Technologies Ltd. | Check Point Software Technologies Ltd. | |||
| 5 Hasolelim st. | 5 Hasolelim st. | |||
| Tel Aviv 6789735 | Tel Aviv 6789735 | |||
| Israel | Israel | |||
| Email: ynir.ietf@gmail.com | Email: ynir.ietf@gmail.com | |||
| End of changes. 30 change blocks. | ||||
| 53 lines changed or deleted | 66 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||