| < draft-mcgrew-aead-aes-cbc-hmac-sha2-01.txt | draft-mcgrew-aead-aes-cbc-hmac-sha2-02.txt > | |||
|---|---|---|---|---|
| Network Working Group D. McGrew | Network Working Group D. McGrew | |||
| Internet-Draft Cisco Systems, Inc. | Internet-Draft J. Foley | |||
| Intended status: Standards Track K. Paterson | Intended status: Standards Track Cisco Systems | |||
| Expires: April 25, 2013 Royal Holloway, University of | Expires: January 16, 2014 K. Paterson | |||
| Royal Holloway, University of | ||||
| London | London | |||
| October 22, 2012 | July 15, 2013 | |||
| Authenticated Encryption with AES-CBC and HMAC-SHA | Authenticated Encryption with AES-CBC and HMAC-SHA | |||
| draft-mcgrew-aead-aes-cbc-hmac-sha2-01.txt | draft-mcgrew-aead-aes-cbc-hmac-sha2-02.txt | |||
| Abstract | Abstract | |||
| This document specifies algorithms for authenticated encryption with | This document specifies algorithms for authenticated encryption with | |||
| associated data (AEAD) that are based on the composition of the | associated data (AEAD) that are based on the composition of the | |||
| Advanced Encryption Standard (AES) in the Cipher Block Chaining (CBC) | Advanced Encryption Standard (AES) in the Cipher Block Chaining (CBC) | |||
| mode of operation for encryption, and the HMAC-SHA message | mode of operation for encryption, and the HMAC-SHA message | |||
| authentication code (MAC). | authentication code (MAC). | |||
| These are randomized encryption algorithms, and thus are suitable for | These are randomized encryption algorithms, and thus are suitable for | |||
| skipping to change at page 1, line 40 | skipping to change at page 1, line 41 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 25, 2013. | This Internet-Draft will expire on January 16, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 29 | skipping to change at page 2, line 30 | |||
| 2.3. Length . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 2.3. Length . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 2.4. AEAD_AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . 8 | 2.4. AEAD_AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . 8 | |||
| 2.5. AEAD_AES_192_CBC_HMAC_SHA_384 . . . . . . . . . . . . . . 9 | 2.5. AEAD_AES_192_CBC_HMAC_SHA_384 . . . . . . . . . . . . . . 9 | |||
| 2.6. AEAD_AES_256_CBC_HMAC_SHA_384 . . . . . . . . . . . . . . 9 | 2.6. AEAD_AES_256_CBC_HMAC_SHA_384 . . . . . . . . . . . . . . 9 | |||
| 2.7. AEAD_AES_256_CBC_HMAC_SHA_512 . . . . . . . . . . . . . . 10 | 2.7. AEAD_AES_256_CBC_HMAC_SHA_512 . . . . . . . . . . . . . . 10 | |||
| 2.8. AEAD_AES_128_CBC_HMAC_SHA1 . . . . . . . . . . . . . . . . 10 | 2.8. AEAD_AES_128_CBC_HMAC_SHA1 . . . . . . . . . . . . . . . . 10 | |||
| 2.9. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 2.9. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 3. Randomness Requirements . . . . . . . . . . . . . . . . . . . 12 | 3. Randomness Requirements . . . . . . . . . . . . . . . . . . . 12 | |||
| 4. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 4. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 5. Test Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 15 | 5. Test Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 16 | 5.1. AEAD_AES_128_CBC_HMAC_SHA256 . . . . . . . . . . . . . . . 15 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17 | 5.2. AEAD_AES_192_CBC_HMAC_SHA384 . . . . . . . . . . . . . . . 16 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | 5.3. AEAD_AES_256_CBC_HMAC_SHA384 . . . . . . . . . . . . . . . 17 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 18 | 5.4. AEAD_AES_256_CBC_HMAC_SHA512 . . . . . . . . . . . . . . . 19 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 18 | 5.5. AEAD_AES_128_CBC_HMAC_SHA1 . . . . . . . . . . . . . . . . 20 | |||
| Appendix A. CBC Encryption and Decryption . . . . . . . . . . . . 21 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 22 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 22 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24 | ||||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 24 | ||||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 24 | ||||
| Appendix A. CBC Encryption and Decryption . . . . . . . . . . . . 27 | ||||
| Appendix B. Alternative Interface for Legacy Encoding . . . . . . 28 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29 | ||||
| 1. Introduction | 1. Introduction | |||
| Authenticated Encryption (AE) [BN00] is a form of encryption that, in | Authenticated Encryption (AE) [BN00] is a form of encryption that, in | |||
| addition to providing confidentiality for the plaintext that is | addition to providing confidentiality for the plaintext that is | |||
| encrypted, provides a way to check its integrity and authenticity. | encrypted, provides a way to check its integrity and authenticity. | |||
| This combination of features can, when properly implemented, provide | This combination of features can, when properly implemented, provide | |||
| security against adversaries who have access to full decryption | security against adversaries who have access to full decryption | |||
| capabilities for ciphertexts of their choice, and access to full | capabilities for ciphertexts of their choice, and access to full | |||
| encryption capabilities for plaintexts of their choice. The strong | encryption capabilities for plaintexts of their choice. The strong | |||
| form of security provided by AE is known to robust against a large | form of security provided by AE is known to be robust against a large | |||
| class of adversaries for general purpose applications of AE, | class of adversaries for general purpose applications of AE, | |||
| including applications such as securing network communications over | including applications such as securing network communications over | |||
| untrusted networks. The strong security properties of AE stand in | untrusted networks. The strong security properties of AE stand in | |||
| contrast to the known weaknesses of "encryption only" forms of | contrast to the known weaknesses of "encryption only" forms of | |||
| encryption, see [B96][YHR04] [DP07] for examples. | encryption, see [B96][YHR04] [DP07] for examples. | |||
| Authenticated encryption with Associated Data, or AEAD [R02], adds | Authenticated encryption with Associated Data, or AEAD [R02], adds | |||
| the ability to check the integrity and authenticity of some | the ability to check the integrity and authenticity of some | |||
| associated data (sometimes called "additional authenticated data") | associated data (sometimes called "additional authenticated data") | |||
| for which confidentiality is not required (or is not desirable). | for which confidentiality is not required (or is not desirable). | |||
| skipping to change at page 3, line 40 | skipping to change at page 3, line 40 | |||
| Standard (AES) [FIPS197] in the Cipher Block Chaining (CBC) mode of | Standard (AES) [FIPS197] in the Cipher Block Chaining (CBC) mode of | |||
| operation [SP800-38] and HMAC using the Secure Hash Algorithm (SHA) | operation [SP800-38] and HMAC using the Secure Hash Algorithm (SHA) | |||
| [FIPS186-2], with security levels of 128, 192, and 256 bits. | [FIPS186-2], with security levels of 128, 192, and 256 bits. | |||
| 1.1. History | 1.1. History | |||
| This subsection describes the revision history of this Internet | This subsection describes the revision history of this Internet | |||
| Draft. It should be removed by the RFC Editor before publication as | Draft. It should be removed by the RFC Editor before publication as | |||
| an RFC. | an RFC. | |||
| The changes of version 02 from version 01 are: | ||||
| Added test cases for each of the five operational modes. | ||||
| Added John as a coauthor. | ||||
| Adds a legacy-style interface in Appendix B. | ||||
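Review bot: the version 02 change list mixes tenses; the first two items read "Added test cases ..." and "Added John as a coauthor." while the third reads "Adds a legacy-style interface in Appendix B." Suggest "Added a legacy-style interface in Appendix B." so all three entries match.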
| The changes of version 01 from version 00 are: | The changes of version 01 from version 00 are: | |||
| MIN_LEN_A and associated logic was eliminated. | MIN_LEN_A and associated logic was eliminated. | |||
| Padding String (PS) typo corrected in Section 2.1. | Padding String (PS) typo corrected in Section 2.1. | |||
| Decryption Step 3 refers to the appropriate step in the encryption | Decryption Step 3 refers to the appropriate step in the encryption | |||
| process. | process. | |||
| Random IV min-entropy clarified in Section 3. | Random IV min-entropy clarified in Section 3. | |||
| skipping to change at page 13, line 14 | skipping to change at page 13, line 14 | |||
| 4. Rationale | 4. Rationale | |||
| The CBC-HMAC AEAD algorithms defined in this note are intended to be | The CBC-HMAC AEAD algorithms defined in this note are intended to be | |||
| useful in the following applications: | useful in the following applications: | |||
| systems that have the CBC and HMAC algorithms available, but do | systems that have the CBC and HMAC algorithms available, but do | |||
| not have dedicated AEAD algorithms such as GCM or CCM [RFC5116], | not have dedicated AEAD algorithms such as GCM or CCM [RFC5116], | |||
| scenarios in which AEAD is useful, but it is undesirable to have | scenarios in which AEAD is useful, but it is undesirable to have | |||
| the applicaiton maintain a deterministic nonce; see Section 4 of | the application maintain a deterministic nonce; see Section 4 of | |||
| [RFC5116] for more background, | [RFC5116] for more background, | |||
| new systems, such as JSON Cryptography and W3C Web Crypto, which | new systems, such as JSON Cryptography and W3C Web Crypto, which | |||
| can omit unauthenticated symmetric encryption altogether by | can omit unauthenticated symmetric encryption altogether by | |||
| providing CBC and HMAC through an AEAD interface. | providing CBC and HMAC through an AEAD interface. | |||
| These algorithms are not intended to replace existing uses of AES-CBC | These algorithms are not intended to replace existing uses of AES-CBC | |||
| and HMAC, except in those circumstances where the existing use is not | and HMAC, except in those circumstances where the existing use is not | |||
| sufficiently secure or sufficiently general-purpose. | sufficiently secure or sufficiently general-purpose. | |||
| skipping to change at page 15, line 7 | skipping to change at page 15, line 7 | |||
| but this note does not incorporate that hash function. To do so | but this note does not incorporate that hash function. To do so | |||
| would be to speculate on the final form of the SHA-3 standard. In | would be to speculate on the final form of the SHA-3 standard. In | |||
| addition, while the use of KECCAK as a hash function is | addition, while the use of KECCAK as a hash function is | |||
| straightforward, there are multiple options for its use in | straightforward, there are multiple options for its use in | |||
| authenticated encryption. The focus of this note is the definition | authenticated encryption. The focus of this note is the definition | |||
| of AEAD algorithms based on currently used cryptographic mechanisms, | of AEAD algorithms based on currently used cryptographic mechanisms, | |||
| so SHA-3 is out of scope. | so SHA-3 is out of scope. | |||
| 5. Test Cases | 5. Test Cases | |||
| A future version of this note will contain test cases for all of the | 5.1. AEAD_AES_128_CBC_HMAC_SHA256 | |||
| AEAD algorithms that it defines. | ||||
| MAC_KEY = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f | ||||
| ENC_KEY = 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f | ||||
| P = 41 20 63 69 70 68 65 72 20 73 79 73 74 65 6d 20 | ||||
| 6d 75 73 74 20 6e 6f 74 20 62 65 20 72 65 71 75 | ||||
| 69 72 65 64 20 74 6f 20 62 65 20 73 65 63 72 65 | ||||
| 74 2c 20 61 6e 64 20 69 74 20 6d 75 73 74 20 62 | ||||
| 65 20 61 62 6c 65 20 74 6f 20 66 61 6c 6c 20 69 | ||||
| 6e 74 6f 20 74 68 65 20 68 61 6e 64 73 20 6f 66 | ||||
| 20 74 68 65 20 65 6e 65 6d 79 20 77 69 74 68 6f | ||||
| 75 74 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65 | ||||
| IV = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 | ||||
| A = 54 68 65 20 73 65 63 6f 6e 64 20 70 72 69 6e 63 | ||||
| 69 70 6c 65 20 6f 66 20 41 75 67 75 73 74 65 20 | ||||
| 4b 65 72 63 6b 68 6f 66 66 73 | ||||
| PS = 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 | ||||
| AL = 00 00 00 00 00 00 01 50 | ||||
| S = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 | ||||
| c8 0e df a3 2d df 39 d5 ef 00 c0 b4 68 83 42 79 | ||||
| a2 e4 6a 1b 80 49 f7 92 f7 6b fe 54 b9 03 a9 c9 | ||||
| a9 4a c9 b4 7a d2 65 5c 5f 10 f9 ae f7 14 27 e2 | ||||
| fc 6f 9b 3f 39 9a 22 14 89 f1 63 62 c7 03 23 36 | ||||
| 09 d4 5a c6 98 64 e3 32 1c f8 29 35 ac 40 96 c8 | ||||
| 6e 13 33 14 c5 40 19 e8 ca 79 80 df a4 b9 cf 1b | ||||
| 38 4c 48 6f 3a 54 c5 10 78 15 8e e5 d7 9d e5 9f | ||||
| bd 34 d8 48 b3 d6 95 50 a6 76 46 34 44 27 ad e5 | ||||
| 4b 88 51 ff b5 98 f7 f8 00 74 b9 47 3c 82 e2 db | ||||
| T = 65 2c 3f a3 6b 0a 7c 5b 32 19 fa b3 a3 0b c1 c4 | ||||
| C = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 | ||||
| c8 0e df a3 2d df 39 d5 ef 00 c0 b4 68 83 42 79 | ||||
| a2 e4 6a 1b 80 49 f7 92 f7 6b fe 54 b9 03 a9 c9 | ||||
| a9 4a c9 b4 7a d2 65 5c 5f 10 f9 ae f7 14 27 e2 | ||||
| fc 6f 9b 3f 39 9a 22 14 89 f1 63 62 c7 03 23 36 | ||||
| 09 d4 5a c6 98 64 e3 32 1c f8 29 35 ac 40 96 c8 | ||||
| 6e 13 33 14 c5 40 19 e8 ca 79 80 df a4 b9 cf 1b | ||||
| 38 4c 48 6f 3a 54 c5 10 78 15 8e e5 d7 9d e5 9f | ||||
| bd 34 d8 48 b3 d6 95 50 a6 76 46 34 44 27 ad e5 | ||||
| 4b 88 51 ff b5 98 f7 f8 00 74 b9 47 3c 82 e2 db | ||||
| 65 2c 3f a3 6b 0a 7c 5b 32 19 fa b3 a3 0b c1 c4 | ||||
| 5.2. AEAD_AES_192_CBC_HMAC_SHA384 | ||||
| MAC_KEY = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f | ||||
| 10 11 12 13 14 15 16 17 | ||||
| ENC_KEY = 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 | ||||
| 28 29 2a 2b 2c 2d 2e 2f | ||||
| P = 41 20 63 69 70 68 65 72 20 73 79 73 74 65 6d 20 | ||||
| 6d 75 73 74 20 6e 6f 74 20 62 65 20 72 65 71 75 | ||||
| 69 72 65 64 20 74 6f 20 62 65 20 73 65 63 72 65 | ||||
| 74 2c 20 61 6e 64 20 69 74 20 6d 75 73 74 20 62 | ||||
| 65 20 61 62 6c 65 20 74 6f 20 66 61 6c 6c 20 69 | ||||
| 6e 74 6f 20 74 68 65 20 68 61 6e 64 73 20 6f 66 | ||||
| 20 74 68 65 20 65 6e 65 6d 79 20 77 69 74 68 6f | ||||
| 75 74 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65 | ||||
| IV = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 | ||||
| A = 54 68 65 20 73 65 63 6f 6e 64 20 70 72 69 6e 63 | ||||
| 69 70 6c 65 20 6f 66 20 41 75 67 75 73 74 65 20 | ||||
| 4b 65 72 63 6b 68 6f 66 66 73 | ||||
| PS = 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 | ||||
| AL = 00 00 00 00 00 00 01 50 | ||||
| S = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 | ||||
| ea 65 da 6b 59 e6 1e db 41 9b e6 2d 19 71 2a e5 | ||||
| d3 03 ee b5 00 52 d0 df d6 69 7f 77 22 4c 8e db | ||||
| 00 0d 27 9b dc 14 c1 07 26 54 bd 30 94 42 30 c6 | ||||
| 57 be d4 ca 0c 9f 4a 84 66 f2 2b 22 6d 17 46 21 | ||||
| 4b f8 cf c2 40 0a dd 9f 51 26 e4 79 66 3f c9 0b | ||||
| 3b ed 78 7a 2f 0f fc bf 39 04 be 2a 64 1d 5c 21 | ||||
| 05 bf e5 91 ba e2 3b 1d 74 49 e5 32 ee f6 0a 9a | ||||
| c8 bb 6c 6b 01 d3 5d 49 78 7b cd 57 ef 48 49 27 | ||||
| f2 80 ad c9 1a c0 c4 e7 9c 7b 11 ef c6 00 54 e3 | ||||
| T = 84 90 ac 0e 58 94 9b fe 51 87 5d 73 3f 93 ac 20 | ||||
| 75 16 80 39 cc c7 33 d7 | ||||
| C = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 | ||||
| ea 65 da 6b 59 e6 1e db 41 9b e6 2d 19 71 2a e5 | ||||
| d3 03 ee b5 00 52 d0 df d6 69 7f 77 22 4c 8e db | ||||
| 00 0d 27 9b dc 14 c1 07 26 54 bd 30 94 42 30 c6 | ||||
| 57 be d4 ca 0c 9f 4a 84 66 f2 2b 22 6d 17 46 21 | ||||
| 4b f8 cf c2 40 0a dd 9f 51 26 e4 79 66 3f c9 0b | ||||
| 3b ed 78 7a 2f 0f fc bf 39 04 be 2a 64 1d 5c 21 | ||||
| 05 bf e5 91 ba e2 3b 1d 74 49 e5 32 ee f6 0a 9a | ||||
| c8 bb 6c 6b 01 d3 5d 49 78 7b cd 57 ef 48 49 27 | ||||
| f2 80 ad c9 1a c0 c4 e7 9c 7b 11 ef c6 00 54 e3 | ||||
| 84 90 ac 0e 58 94 9b fe 51 87 5d 73 3f 93 ac 20 | ||||
| 75 16 80 39 cc c7 33 d7 | ||||
| 5.3. AEAD_AES_256_CBC_HMAC_SHA384 | ||||
| MAC_KEY = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f | ||||
| 10 11 12 13 14 15 16 17 | ||||
| ENC_KEY = 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 | ||||
| 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 | ||||
| P = 41 20 63 69 70 68 65 72 20 73 79 73 74 65 6d 20 | ||||
| 6d 75 73 74 20 6e 6f 74 20 62 65 20 72 65 71 75 | ||||
| 69 72 65 64 20 74 6f 20 62 65 20 73 65 63 72 65 | ||||
| 74 2c 20 61 6e 64 20 69 74 20 6d 75 73 74 20 62 | ||||
| 65 20 61 62 6c 65 20 74 6f 20 66 61 6c 6c 20 69 | ||||
| 6e 74 6f 20 74 68 65 20 68 61 6e 64 73 20 6f 66 | ||||
| 20 74 68 65 20 65 6e 65 6d 79 20 77 69 74 68 6f | ||||
| 75 74 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65 | ||||
| IV = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 | ||||
| A = 54 68 65 20 73 65 63 6f 6e 64 20 70 72 69 6e 63 | ||||
| 69 70 6c 65 20 6f 66 20 41 75 67 75 73 74 65 20 | ||||
| 4b 65 72 63 6b 68 6f 66 66 73 | ||||
| PS = 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 | ||||
| AL = 00 00 00 00 00 00 01 50 | ||||
| S = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 | ||||
| 89 31 29 b0 f4 ee 9e b1 8d 75 ed a6 f2 aa a9 f3 | ||||
| 60 7c 98 c4 ba 04 44 d3 41 62 17 0d 89 61 88 4e | ||||
| 58 f2 7d 4a 35 a5 e3 e3 23 4a a9 94 04 f3 27 f5 | ||||
| c2 d7 8e 98 6e 57 49 85 8b 88 bc dd c2 ba 05 21 | ||||
| 8f 19 51 12 d6 ad 48 fa 3b 1e 89 aa 7f 20 d5 96 | ||||
| 68 2f 10 b3 64 8d 3b b0 c9 83 c3 18 5f 59 e3 6d | ||||
| 28 f6 47 c1 c1 39 88 de 8e a0 d8 21 19 8c 15 09 | ||||
| 77 e2 8c a7 68 08 0b c7 8c 35 fa ed 69 d8 c0 b7 | ||||
| d9 f5 06 23 21 98 a4 89 a1 a6 ae 03 a3 19 fb 30 | ||||
| T = dd 13 1d 05 ab 34 67 dd 05 6f 8e 88 2b ad 70 63 | ||||
| 7f 1e 9a 54 1d 9c 23 e7 | ||||
| C = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 | ||||
| 89 31 29 b0 f4 ee 9e b1 8d 75 ed a6 f2 aa a9 f3 | ||||
| 60 7c 98 c4 ba 04 44 d3 41 62 17 0d 89 61 88 4e | ||||
| 58 f2 7d 4a 35 a5 e3 e3 23 4a a9 94 04 f3 27 f5 | ||||
| c2 d7 8e 98 6e 57 49 85 8b 88 bc dd c2 ba 05 21 | ||||
| 8f 19 51 12 d6 ad 48 fa 3b 1e 89 aa 7f 20 d5 96 | ||||
| 68 2f 10 b3 64 8d 3b b0 c9 83 c3 18 5f 59 e3 6d | ||||
| 28 f6 47 c1 c1 39 88 de 8e a0 d8 21 19 8c 15 09 | ||||
| 77 e2 8c a7 68 08 0b c7 8c 35 fa ed 69 d8 c0 b7 | ||||
| d9 f5 06 23 21 98 a4 89 a1 a6 ae 03 a3 19 fb 30 | ||||
| dd 13 1d 05 ab 34 67 dd 05 6f 8e 88 2b ad 70 63 | ||||
| 7f 1e 9a 54 1d 9c 23 e7 | ||||
| 5.4. AEAD_AES_256_CBC_HMAC_SHA512 | ||||
| MAC_KEY = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f | ||||
| 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f | ||||
| ENC_KEY = 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f | ||||
| 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f | ||||
| P = 41 20 63 69 70 68 65 72 20 73 79 73 74 65 6d 20 | ||||
| 6d 75 73 74 20 6e 6f 74 20 62 65 20 72 65 71 75 | ||||
| 69 72 65 64 20 74 6f 20 62 65 20 73 65 63 72 65 | ||||
| 74 2c 20 61 6e 64 20 69 74 20 6d 75 73 74 20 62 | ||||
| 65 20 61 62 6c 65 20 74 6f 20 66 61 6c 6c 20 69 | ||||
| 6e 74 6f 20 74 68 65 20 68 61 6e 64 73 20 6f 66 | ||||
| 20 74 68 65 20 65 6e 65 6d 79 20 77 69 74 68 6f | ||||
| 75 74 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65 | ||||
| IV = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 | ||||
| A = 54 68 65 20 73 65 63 6f 6e 64 20 70 72 69 6e 63 | ||||
| 69 70 6c 65 20 6f 66 20 41 75 67 75 73 74 65 20 | ||||
| 4b 65 72 63 6b 68 6f 66 66 73 | ||||
| PS = 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 | ||||
| AL = 00 00 00 00 00 00 01 50 | ||||
| S = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 | ||||
| 4a ff aa ad b7 8c 31 c5 da 4b 1b 59 0d 10 ff bd | ||||
| 3d d8 d5 d3 02 42 35 26 91 2d a0 37 ec bc c7 bd | ||||
| 82 2c 30 1d d6 7c 37 3b cc b5 84 ad 3e 92 79 c2 | ||||
| e6 d1 2a 13 74 b7 7f 07 75 53 df 82 94 10 44 6b | ||||
| 36 eb d9 70 66 29 6a e6 42 7e a7 5c 2e 08 46 a1 | ||||
| 1a 09 cc f5 37 0d c8 0b fe cb ad 28 c7 3f 09 b3 | ||||
| a3 b7 5e 66 2a 25 94 41 0a e4 96 b2 e2 e6 60 9e | ||||
| 31 e6 e0 2c c8 37 f0 53 d2 1f 37 ff 4f 51 95 0b | ||||
| be 26 38 d0 9d d7 a4 93 09 30 80 6d 07 03 b1 f6 | ||||
| T = 4d d3 b4 c0 88 a7 f4 5c 21 68 39 64 5b 20 12 bf | ||||
| 2e 62 69 a8 c5 6a 81 6d bc 1b 26 77 61 95 5b c5 | ||||
| C = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 | ||||
| 4a ff aa ad b7 8c 31 c5 da 4b 1b 59 0d 10 ff bd | ||||
| 3d d8 d5 d3 02 42 35 26 91 2d a0 37 ec bc c7 bd | ||||
| 82 2c 30 1d d6 7c 37 3b cc b5 84 ad 3e 92 79 c2 | ||||
| e6 d1 2a 13 74 b7 7f 07 75 53 df 82 94 10 44 6b | ||||
| 36 eb d9 70 66 29 6a e6 42 7e a7 5c 2e 08 46 a1 | ||||
| 1a 09 cc f5 37 0d c8 0b fe cb ad 28 c7 3f 09 b3 | ||||
| a3 b7 5e 66 2a 25 94 41 0a e4 96 b2 e2 e6 60 9e | ||||
| 31 e6 e0 2c c8 37 f0 53 d2 1f 37 ff 4f 51 95 0b | ||||
| be 26 38 d0 9d d7 a4 93 09 30 80 6d 07 03 b1 f6 | ||||
| 4d d3 b4 c0 88 a7 f4 5c 21 68 39 64 5b 20 12 bf | ||||
| 2e 62 69 a8 c5 6a 81 6d bc 1b 26 77 61 95 5b c5 | ||||
| 5.5. AEAD_AES_128_CBC_HMAC_SHA1 | ||||
| MAC_KEY = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f | ||||
| 10 11 12 13 | ||||
| ENC_KEY = 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 | ||||
| P = 41 20 63 69 70 68 65 72 20 73 79 73 74 65 6d 20 | ||||
| 6d 75 73 74 20 6e 6f 74 20 62 65 20 72 65 71 75 | ||||
| 69 72 65 64 20 74 6f 20 62 65 20 73 65 63 72 65 | ||||
| 74 2c 20 61 6e 64 20 69 74 20 6d 75 73 74 20 62 | ||||
| 65 20 61 62 6c 65 20 74 6f 20 66 61 6c 6c 20 69 | ||||
| 6e 74 6f 20 74 68 65 20 68 61 6e 64 73 20 6f 66 | ||||
| 20 74 68 65 20 65 6e 65 6d 79 20 77 69 74 68 6f | ||||
| 75 74 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65 | ||||
| IV = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 | ||||
| A = 54 68 65 20 73 65 63 6f 6e 64 20 70 72 69 6e 63 | ||||
| 69 70 6c 65 20 6f 66 20 41 75 67 75 73 74 65 20 | ||||
| 4b 65 72 63 6b 68 6f 66 66 73 | ||||
| PS = 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 | ||||
| AL = 00 00 00 00 00 00 01 50 | ||||
| S = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 | ||||
| c6 3a ec 99 63 f4 ff 33 a8 5e 56 4c d0 5f 92 40 | ||||
| 0a 71 fe 98 bc b3 39 ac c1 d7 8c 92 b3 aa 6a 32 | ||||
| 14 60 d2 ae ce c4 3b 78 4b 3b 08 b8 30 be 52 91 | ||||
| dc 04 00 b8 af c6 cd 1c 84 75 76 46 32 a8 36 05 | ||||
| 01 e5 31 9a 12 81 27 ae 4b 0e aa 9b 2f 97 ea 6d | ||||
| f0 22 00 d6 f6 8c 74 3b 79 4e d5 d6 13 9e 84 c4 | ||||
| cb 91 9e bb 8d 82 56 09 8b 63 85 e4 14 76 c4 16 | ||||
| cf c8 5a 46 fa c4 0e a4 50 d2 b4 c0 fd 7e 03 dc | ||||
| d8 33 c8 c3 d2 13 5f 0d 10 9b d2 31 80 8b b3 fd | ||||
| T = 4d 9d f6 8e 54 f7 d9 7e 91 4b 4a 9d | ||||
| C = 1a f3 8c 2d c2 b9 6f fd d8 66 94 09 23 41 bc 04 | ||||
| c6 3a ec 99 63 f4 ff 33 a8 5e 56 4c d0 5f 92 40 | ||||
| 0a 71 fe 98 bc b3 39 ac c1 d7 8c 92 b3 aa 6a 32 | ||||
| 14 60 d2 ae ce c4 3b 78 4b 3b 08 b8 30 be 52 91 | ||||
| dc 04 00 b8 af c6 cd 1c 84 75 76 46 32 a8 36 05 | ||||
| 01 e5 31 9a 12 81 27 ae 4b 0e aa 9b 2f 97 ea 6d | ||||
| f0 22 00 d6 f6 8c 74 3b 79 4e d5 d6 13 9e 84 c4 | ||||
| cb 91 9e bb 8d 82 56 09 8b 63 85 e4 14 76 c4 16 | ||||
| cf c8 5a 46 fa c4 0e a4 50 d2 b4 c0 fd 7e 03 dc | ||||
| d8 33 c8 c3 d2 13 5f 0d 10 9b d2 31 80 8b b3 fd | ||||
| 4d 9d f6 8e 54 f7 d9 7e 91 4b 4a 9d | ||||
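Review bot: the new test cases never say which fields are inputs and which are derived, and all five reuse the same IV (1a f3 8c 2d ...), plaintext, and associated data. Suggest a sentence before 5.1 stating that MAC_KEY, ENC_KEY, P, IV and A are the inputs, that PS, AL, S and T are intermediate values, and that C = S || T is the output (the listed C values are exactly S followed by T). It should also say that the fixed IV is for reproducibility only, since Section 3 and Appendix A require an unpredictable IV for every message. A reader can sanity-check AL against A: A is 42 bytes, 42 * 8 = 336 = 0x150, which is the value shown.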
| 6. Security Considerations | 6. Security Considerations | |||
| An earlier version of this document benefitted from some review. | ||||
| Comments on this version are requested and should be forwarded to the | Comments on this version are requested and should be forwarded to the | |||
| IRTF Crypto Forum Research Group (CFRG). | IRTF Crypto Forum Research Group (CFRG). An earlier version of this | |||
| document benefited from some review from that group. | ||||
| The algorithms defined in this document use the generic composition | The algorithms defined in this document use the generic composition | |||
| of CBC encryption with HMAC authentication, with the encrypt-then-MAC | of CBC encryption with HMAC authentication, with the encrypt-then-MAC | |||
| method defined in Section 4.3 of [BN00]. This method has sound and | method defined in Section 4.3 of [BN00]. This method has sound and | |||
| well-understood security properties; for details, please see that | well-understood security properties; for details, please see that | |||
| reference. Note that HMAC is a good pseudorandom function and is | reference. Note that HMAC is a good pseudorandom function and is | |||
| "strongly unforgeable", and thus meets all of the security goals of | "strongly unforgeable", and thus meets all of the security goals of | |||
| that reference. | that reference. | |||
| During the decryption process, the inputs A and C are mapped into the | During the decryption process, the inputs A and C are mapped into the | |||
| skipping to change at page 17, line 7 | skipping to change at page 23, line 7 | |||
| key value SHOULD NOT be used to protect more than 2^64 bytes of data. | key value SHOULD NOT be used to protect more than 2^64 bytes of data. | |||
| This limit ensures that the AES-CBC algorithm will stay under the | This limit ensures that the AES-CBC algorithm will stay under the | |||
| birthday bound, i.e. because of the limit, it is unlikely that there | birthday bound, i.e. because of the limit, it is unlikely that there | |||
| will be two AES plaintext inputs that are equal. (If this event | will be two AES plaintext inputs that are equal. (If this event | |||
| occurs, information about the colliding plaintexts is leaked, so it | occurs, information about the colliding plaintexts is leaked, so it | |||
| is desirable to bound the amount of plaintext processed in order to | is desirable to bound the amount of plaintext processed in order to | |||
| make it unlikely.) | make it unlikely.) | |||
| 7. Acknowledgements | 7. Acknowledgements | |||
| Thanks are due to Matt Miller and John Foley for their constructive | Thanks are due to Matt Miller for his constructive feedback, and | |||
| feedback; special thanks to John for his generation of the test | Kelly Burgin, Michael Peck, and Mike Jones for their suggestions and | |||
| cases. Thanks also to Kelly Burgin and Michael Peck for their | help. | |||
| suggestions and help. | ||||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [FIPS186-2] | [FIPS186-2] | |||
| "FIPS 180-2: Secure Hash Standard,", Federal Information | "FIPS 180-2: Secure Hash Standard,", Federal Information | |||
| Processing Standard | Processing Standard | |||
| (FIPS) http://www.itl.nist.gov/fipspubs/fip180-1.htm. | (FIPS) http://www.itl.nist.gov/fipspubs/fip180-1.htm. | |||
| skipping to change at page 22, line 5 | skipping to change at page 28, line 5 | |||
| of the underlying block cipher. It MUST NOT be predictable to an | of the underlying block cipher. It MUST NOT be predictable to an | |||
| attacker; in particular, it MUST NOT be set to the value of any | attacker; in particular, it MUST NOT be set to the value of any | |||
| previous ciphertext blocks. | previous ciphertext blocks. | |||
| The CBC decryption operation (denoted as CBC-DEC) takes as input a | The CBC decryption operation (denoted as CBC-DEC) takes as input a | |||
| sequence of m ciphertext blocks and produces a sequence of m-1 | sequence of m ciphertext blocks and produces a sequence of m-1 | |||
| plaintext blocks as follows: | plaintext blocks as follows: | |||
| P_i = CIPHER-INV(K, P_1 XOR IV) for i=1, 2, ... , n. | P_i = CIPHER-INV(K, P_1 XOR IV) for i=1, 2, ... , n. | |||
| Appendix B. Alternative Interface for Legacy Encoding | ||||
| In some scenarios, cryptographic data such as the ciphertext, | ||||
| initialization vector, and message authentication tag are encoded | ||||
| separately. To allow for the use of the algorithms defined in this | ||||
| document in such scenarios, this appendix describes an interface in | ||||
| which those data elements are discrete. New implementations SHOULD | ||||
| NOT use this interface, because it is incompatible with other | ||||
| authenticated encryption methods and is more complex; however, it MAY | ||||
| be useful in scenarios in which the separate encoding is already in | ||||
| use. | ||||
| The alternative interface is as follows. The inputs to the | ||||
| encryption operation the same as those defined in Section 2.1 (the | ||||
| secret key K, the plaintext P, the associated data A). The outputs | ||||
| of the encryption operation are: | ||||
| the initialization vector IV as defined in Appendix A, | ||||
| the ciphertext C, as defined in Appendix A, and | ||||
| the message authentication tag T, as defined in Section 2.1. | ||||
| The inputs to the decryption operation are: | ||||
| the initialization vector IV as defined in Appendix A, | ||||
| the ciphertext C, as defined in Appendix A, and | ||||
| the message authentication tag T, as defined in Section 2.1. | ||||
| The output of the decryption operation is the same as that defined in | ||||
| Section 2.2 (either a plaintext value P or a special symbol FAIL that | ||||
| indicates that the inputs are not authentic). | ||||
| All processing other than the encoding and decoding of IV, C, and T | ||||
| is done as defined above. In particular, the IV is an output of the | ||||
| encryption operation, rather than an input. | ||||
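Review bot: the decryption input list in Appendix B omits the secret key K and the associated data A, which the operation needs to recompute the tag T and to return FAIL when "the inputs are not authentic"; the encryption side lists "the secret key K, the plaintext P, the associated data A", so the decryption list should read: the secret key K, the associated data A, the initialization vector IV, the ciphertext C, and the message authentication tag T. Also, "The inputs to the encryption operation the same as those defined in Section 2.1" is missing "are".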
| Authors' Addresses | Authors' Addresses | |||
| David A. McGrew | David McGrew | |||
| Cisco Systems, Inc. | Cisco Systems | |||
| 13600 Dulles Technology Drive | 13600 Dulles Technology Drive | |||
| Herndon, VA 20171 | Herndon, VA 20171 | |||
| US | US | |||
| Phone: (408) 525 8651 | ||||
| Email: mcgrew@cisco.com | Email: mcgrew@cisco.com | |||
| URI: http://www.mindspring.com/~dmcgrew/dam.htm | URI: http://www.mindspring.com/~dmcgrew/dam.htm | |||
| John Foley | ||||
| Cisco Systems | ||||
| 7025-2 Kit Creek Road | ||||
| Research Triangle Park, NC 14987 | ||||
| US | ||||
| Email: foleyj@cisco.com | ||||
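Review bot: the postal code in "Research Triangle Park, NC 14987" does not look like a North Carolina ZIP code (those begin with 27 or 28); please verify the new author address before publication.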
| Kenny Paterson | Kenny Paterson | |||
| Royal Holloway, University of London | Royal Holloway, University of London | |||
| TW20 0EX | TW20 0EX | |||
| Egham, Surrey TW20 0EX | Egham, Surrey TW20 0EX | |||
| UK | UK | |||
| Phone: +44 1784 414393 | Phone: +44 1784 414393 | |||
| Email: Kenny.Paterson@rhul.ac.uk | Email: Kenny.Paterson@rhul.ac.uk | |||
| URI: http://www.isg.rhul.ac.uk/~kp/ | URI: http://www.isg.rhul.ac.uk/~kp/ | |||
End of changes. 17 change blocks; 27 lines changed or deleted, 344 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/