| draft-songlee-aes-cmac-96-02.txt | draft-songlee-aes-cmac-96-03.txt | |||
|---|---|---|---|---|
| JunHyuk Song | JunHyuk Song | |||
| Radha Poovendran | ||||
| University of Washington | ||||
| Jicheol Lee | Jicheol Lee | |||
| INTERNET DRAFT Samsung Electronics | INTERNET DRAFT Samsung Electronics | |||
| Expires: November 30, 2005 May 31 2005 | Expires: May 30, 2006 November 30 2005 | |||
| The AES-CMAC-96 Algorithm and its use with IPsec | The AES-CMAC-96 Algorithm and its use with IPsec | |||
| draft-songlee-aes-cmac-96-02.txt | draft-songlee-aes-cmac-96-03.txt | |||
| Status of This Memo | Status of This Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| ... (unchanged text omitted; skipping to page 3) | ... (unchanged text omitted; skipping to page 2, line 8) | |||
| One-Key CBC-MAC1 (OMAC1) algorithm submitted by Iwata and Kurosawa. | One-Key CBC-MAC1 (OMAC1) algorithm submitted by Iwata and Kurosawa. | |||
| OMAC1 efficiently reduces the key size of Extended Cipher Block | OMAC1 efficiently reduces the key size of Extended Cipher Block | |||
| Chaining mode (XCBC). This memo specifies the use of CMAC mode as | Chaining mode (XCBC). This memo specifies the use of CMAC mode as | |||
| the authentication mechanism of IPsec Encapsulating Security Payload | the authentication mechanism of IPsec Encapsulating Security Payload | |||
| (ESP) and the Authentication Header (AH) protocols. This new | (ESP) and the Authentication Header (AH) protocols. This new | |||
| algorithm is named AES-CMAC-96. | algorithm is named AES-CMAC-96. | |||
| 1. Introduction | 1. Introduction | |||
| National Institute of Standards and Technology (NIST) has newly | National Institute of Standards and Technology (NIST) has newly | |||
| specified the Cipher-based MAC (CMAC). CMAC [NIST-CMAC] is a keyed | specified the Cipher-based Message Authentication Code (CMAC). | |||
| hash function that is based on a symmetric key block cipher such | CMAC [NIST-CMAC] is a keyed hash function that is based on a | |||
| as Advanced Encryption Standard [AES]. CMAC is equivalent to the | symmetric key block cipher such as the Advanced Encryption | |||
| One-Key CBC-MAC1 (OMAC1) algorithm submitted by Iwata and Kurosawa | Standard [NIST-AES]. CMAC is equivalent to the One-Key CBC MAC1 | |||
| [OMAC1]. Although the OMAC1 algorithm is based on the eXtended Cipher | (OMAC1) submitted by Iwata and Kurosawa [OMAC1a, OMAC1b]. OMAC1 | |||
| Block Chaining mode (XCBC) algorithm submitted by Rogaway and Black | is an improvement of the eXtended Cipher Block Chaining mode (XCBC) | |||
| [XCBC], OMAC1 efficiently reduces the key size of XCBC. | submitted by Black and Rogaway [XCBCa, XCBCb], which itself is an | |||
| This memo specifies the use of CMAC as the authentication mechanism | improvement of the basic CBC-MAC. XCBC efficiently addresses the | |||
| of IPsec Encapsulating Security Payload (ESP) and the Authentication | security deficiencies of CBC-MAC, and OMAC1 efficiently reduces the | |||
| Header (AH) protocols. This new algorithm is named AES-CMAC-96. | key size of XCBC. | |||
| For further information on AH and ESP, refer to [AH] and [ROADMAP]. | ||||
| 2. Specification of Language | ||||
| The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | ||||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | ||||
| document are to be interpreted as described in RFC 2119 [3]. | ||||
| In addition, the following words are used to signify the requirements | This memo specifies the use of CMAC as the authentication mechanism | |||
| of the specification. | of IPsec Encapsulating Security Payload (ESP) [ESP] and the | |||
| | Authentication Header (AH) protocols. This new algorithm is named | |||
| | AES-CMAC-96. For further information on AH and ESP, refer to [AH] | |||
| | and [ROADMAP]. | |||
| 3. Basic definitions | 2. Basic definitions | |||
| CBC Cipher Block Chaining mode of operation for message | CBC Cipher Block Chaining mode of operation for message | |||
| authentication code. | authentication code. | |||
| MAC Message Authentication Code. | MAC Message Authentication Code. | |||
| A bit string of a fixed length, computed by a MAC | A bit string of a fixed length, computed by a MAC | |||
| generation algorithm, that is used to establish | generation algorithm, that is used to establish | |||
| the authenticity and, hence, the integrity of a message. | the authenticity and, hence, the integrity of a message. | |||
| CMAC Cipher-based MAC based on an approved symmetric key | CMAC Cipher-based MAC based on an approved symmetric key | |||
| block cipher, such as the Advanced Encryption | block cipher, such as the Advanced Encryption | |||
| Standard. | Standard. | |||
| Key (K) 128-bit (16-byte) key for the AES-128 block cipher. | Key (K) 128-bit (16-byte) key for the AES-128 block cipher. | |||
| Denoted by K. | Denoted by K. | |||
| Message (M) Message to be authenticated. | Message (M) Message to be authenticated. | |||
| Denoted by M. | Denoted by M. | |||
| Length (len) The length of message M in bytes. | Length (len) The length of message M in bytes. | |||
| Denoted by len. | Denoted by len. | |||
| Minimum value of the length can be 0. The maximum | Minimum value of the length can be 0. The maximum | |||
| value of the length is not specified in this document. | value of the length is not specified in this document. | |||
| truncate(T,l) Truncate the MAC T to its l most significant bytes. | truncate(T,l) Truncate the MAC T to its l most significant bytes. | |||
| T The output of AES-CMAC-128. | T The output of AES-CMAC | |||
| Truncated T The truncated output of AES-CMAC-128 in MSB first | Truncated T The truncated output of AES-CMAC-128 in MSB first | |||
| order. | order. | |||
| AES-CMAC CMAC generation function based on the AES block cipher | AES-CMAC CMAC generation function based on the AES block cipher | |||
| with a 128-bit key | with a 128-bit key | |||
| AES-CMAC-96 IPsec AH and ESP MAC generation function based on | AES-CMAC-96 IPsec AH and ESP MAC generation function based on | |||
| AES-CMAC-128 that keeps the 96 most significant bits | AES-CMAC that keeps the 96 most significant bits | |||
| of the 128-bit output | of the 128-bit output | |||
| 4. AES-CMAC-96 | 3. AES-CMAC | |||
| The underlying algorithms for AES-CMAC-96 are the Advanced Encryption | The core of AES-CMAC-96 is AES-CMAC [AES-CMAC]. The underlying | |||
| Standard block cipher [AES] and the recently defined CMAC mode of | algorithms for AES-CMAC are the Advanced Encryption Standard block | |||
| operation [NIST-CMAC]. The output of AES-CMAC can validate the | cipher [AES] and the recently defined CMAC mode of operation | |||
| input message. Validating the message provides assurance of the | [NIST-CMAC]. AES-CMAC provides stronger assurance of data integrity | |||
| integrity and authenticity of the message from the source. | than a checksum or an error detecting code. The verification of a | |||
| According to [NIST-CMAC], at least 64 bits of the output should be | checksum or an error detecting code detects only accidental | |||
| used to protect against guessing attacks. | modifications of the data, while CMAC is designed to detect | |||
| | intentional, unauthorized modifications of the data, as well as | |||
| | accidental modifications. The output of AES-CMAC can validate the | |||
| | input message. Validating the message provides assurance of the | |||
| | integrity and authenticity of the message from the source. | |||
| | According to [NIST-CMAC], at least 64 bits of the output should be | |||
| | used to protect against guessing attacks. AES-CMAC achieves a | |||
| | security goal similar to that of HMAC [RFC-HMAC]. Since AES-CMAC is | |||
| | based on a symmetric key block cipher, AES, while HMAC is based on a | |||
| | hash function, such as SHA-1, AES-CMAC is appropriate for information | |||
| | systems in which AES is more readily available than a hash function. | |||
| | Detailed information about AES-CMAC is available in [AES-CMAC] and | |||
| | [NIST-CMAC]. | |||
| For use in IPsec message authentication on AH and ESP, AES-CMAC-96 | 4. AES-CMAC-96 | |||
| should be used. AES-CMAC-96 is AES-CMAC with its output truncated to | | |||
| 96 bits, taking the most significant bits first. The resulting 96-bit | | |||
| MAC meets the default authenticator length specified in [AH]. For | | |||
| further information on AES-CMAC, refer to [AES-CMAC] and [NIST-CMAC]. | | |||
| Figure 1 describes the AES-CMAC-96 algorithm: | For use in IPsec message authentication on AH and ESP, AES-CMAC-96 | |||
| | should be used. AES-CMAC-96 is AES-CMAC with its output truncated to | |||
| | 96 bits, taking the most significant bits first. The resulting 96-bit | |||
| | MAC meets the default authenticator length specified in [AH]. For | |||
| | further information on AES-CMAC, refer to [AES-CMAC] and [NIST-CMAC]. | |||
| In step 1, AES-CMAC is applied to the message M of length len with | Figure 1 describes the AES-CMAC-96 algorithm: | |||
| key K. | | |||
| In step 2, the output block T is truncated to its 12 most significant | In step 1, AES-CMAC is applied to the message M of length len with | |||
| bytes (MSB first) and the result TT is returned. | key K. | |||
| | In step 2, the output block T is truncated to its 12 most significant | |||
| | bytes (MSB first) and the result TT is returned. | |||
| +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | |||
| + Algorithm AES-CMAC-96 + | + Algorithm AES-CMAC-96 + | |||
| +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | |||
| + + | + + | |||
| + Input : K (128-bit Key described in section 4.1) + | + Input : K (128-bit Key described in section 4.1) + | |||
| + : M ( message to be authenticated ) + | + : M ( message to be authenticated ) + | |||
| + : len ( length of message in bytes ) + | + : len ( length of message in bytes ) + | |||
| + Output : Truncated T (Truncated output with length 12 bytes) + | + Output : Truncated T (Truncated output with length 12 bytes) + | |||
| + + | + + | |||
| ... (unchanged text omitted; skipping to page 5, line 34) | ... (unchanged text omitted; skipping to page 4, line 34) | |||
| These test cases are the same as those defined in [NIST-CMAC], except | These test cases are the same as those defined in [NIST-CMAC], except | |||
| that the output is truncated to 96 bits. | that the output is truncated to 96 bits. | |||
| -------------------------------------------------- | -------------------------------------------------- | |||
| K 2b7e1516 28aed2a6 abf71588 09cf4f3c | K 2b7e1516 28aed2a6 abf71588 09cf4f3c | |||
| Subkey Generation | Subkey Generation | |||
| AES_128(key,0) 7df76b0c 1ab899b3 3e42f047 b91b546f | AES_128(key,0) 7df76b0c 1ab899b3 3e42f047 b91b546f | |||
| K1 fbeed618 35713366 7c85e08f 7236a8de | K1 fbeed618 35713366 7c85e08f 7236a8de | |||
| K2 f7ddac30 6ae266cc f90bc11e e46d513b | K2 f7ddac30 6ae266cc f90bc11e e46d513b | |||
| Example 1: len = 0 | Test Case 1: len = 0 | |||
| M <empty string> | M <empty string> | |||
| AES_CMAC_96 bb1d6929 e9593728 7fa37d12 | AES_CMAC_96 bb1d6929 e9593728 7fa37d12 | |||
| Example 2: len = 16 | Test Case 2: len = 16 | |||
| M 6bc1bee2 2e409f96 e93d7e11 7393172a | M 6bc1bee2 2e409f96 e93d7e11 7393172a | |||
| AES_CMAC_96 070a16b4 6b4d4144 f79bdd9d | AES_CMAC_96 070a16b4 6b4d4144 f79bdd9d | |||
| Example 3: len = 40 | Test Case 3: len = 40 | |||
| M 6bc1bee2 2e409f96 e93d7e11 7393172a | M 6bc1bee2 2e409f96 e93d7e11 7393172a | |||
| ae2d8a57 1e03ac9c 9eb76fac 45af8e51 | ae2d8a57 1e03ac9c 9eb76fac 45af8e51 | |||
| 30c81c46 a35ce411 | 30c81c46 a35ce411 | |||
| AES_CMAC_96 dfa66747 de9ae630 30ca3261 | AES_CMAC_96 dfa66747 de9ae630 30ca3261 | |||
| Example 4: len = 64 | Test Case 4: len = 64 | |||
| M 6bc1bee2 2e409f96 e93d7e11 7393172a | M 6bc1bee2 2e409f96 e93d7e11 7393172a | |||
| ae2d8a57 1e03ac9c 9eb76fac 45af8e51 | ae2d8a57 1e03ac9c 9eb76fac 45af8e51 | |||
| 30c81c46 a35ce411 e5fbc119 1a0a52ef | 30c81c46 a35ce411 e5fbc119 1a0a52ef | |||
| f69f2445 df4f9b17 ad2b417b e66c3710 | f69f2445 df4f9b17 ad2b417b e66c3710 | |||
| AES_CMAC_96 51f0bebf 7e3b9d92 fc497417 | AES_CMAC_96 51f0bebf 7e3b9d92 fc497417 | |||
| -------------------------------------------------- | -------------------------------------------------- | |||
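The following Go program is an added worked example, not code from the draft or its authors. It implements the two steps of section 4 (AES-CMAC, then truncation to the 96 most significant bits) directly from the definitions above and reproduces the section 5 test vectors, so it doubles as a check of the subkey generation, the 0x80 padding of an incomplete (or empty) final block, and the MSB-first truncation. Go's standard library supplies AES but no CMAC, so the subkey derivation, padding and CBC chain are written out here; the function names (AESCMAC, AESCMAC96, Verify) and the rb/blockSize/tagLen constants are this example's own naming. The verifier compares tags in constant time, which is the practitioner's counterpart to the draft's "at least 64 bits against guessing attacks" note: a truncated tag is only as strong as the comparison that checks it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

const blockSize = 16 // AES block size in bytes
const rb = 0x87      // Rb constant for a 128-bit block (NIST SP 800-38B)
const tagLen = 12    // AES-CMAC-96 keeps the 96 most significant bits

// dbl shifts a 16-byte block left by one bit (MSB first) and, if a 1 bit
// fell off the top, XORs Rb into the last byte: the draft's K1/K2 rule.
func dbl(in []byte) []byte {
	out := make([]byte, blockSize)
	var carry byte
	for i := blockSize - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry == 1 {
		out[blockSize-1] ^= rb
	}
	return out
}

// xorBlock returns the XOR of the first 16 bytes of a and b.
func xorBlock(a, b []byte) []byte {
	out := make([]byte, blockSize)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// subkeys derives K1 and K2 from L = AES_K(0^128).
func subkeys(c cipher.Block) (k1, k2 []byte) {
	l := make([]byte, blockSize)
	c.Encrypt(l, l)
	k1 = dbl(l)
	return k1, dbl(k1)
}

// AESCMAC computes the full 128-bit AES-CMAC tag of msg under a 16-byte key.
func AESCMAC(key, msg []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	k1, k2 := subkeys(c)

	// Block count; the empty message (len = 0) is treated as one padded block.
	n := (len(msg) + blockSize - 1) / blockSize
	if n == 0 {
		n = 1
	}
	start := (n - 1) * blockSize
	var last []byte
	if len(msg) > 0 && len(msg)%blockSize == 0 {
		last = xorBlock(msg[start:], k1) // complete last block: mask with K1
	} else {
		padded := make([]byte, blockSize) // 10^i padding: 0x80 then zeros
		copy(padded, msg[start:])
		padded[len(msg)-start] = 0x80
		last = xorBlock(padded, k2) // incomplete last block: mask with K2
	}

	// CBC chain over the first n-1 blocks from the zero IV, then the last one.
	x := make([]byte, blockSize)
	for i := 0; i < n-1; i++ {
		c.Encrypt(x, xorBlock(x, msg[i*blockSize:]))
	}
	c.Encrypt(x, xorBlock(x, last))
	return x, nil
}

// AESCMAC96 truncates the AES-CMAC output to its 12 most significant bytes.
func AESCMAC96(key, msg []byte) ([]byte, error) {
	t, err := AESCMAC(key, msg)
	if err != nil {
		return nil, err
	}
	return t[:tagLen], nil
}

// Verify recomputes the 96-bit tag and compares it in constant time, so a
// forged authenticator does not leak how many leading bytes were right.
func Verify(key, msg, tag []byte) bool {
	want, err := AESCMAC96(key, msg)
	return err == nil && len(tag) == tagLen &&
		subtle.ConstantTimeCompare(want, tag) == 1
}

func main() {
	// Key and 16-byte message from the draft's test vectors (section 5).
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	msg, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172a")
	for _, m := range [][]byte{nil, msg} {
		tag, _ := AESCMAC96(key, m)
		fmt.Printf("len=%2d AES_CMAC_96 %x\n", len(m), tag)
	}
}
```

Running it prints test cases 1 and 2 from the table above; the remaining vectors (len = 40 and 64) exercise the K2 and K1 paths respectively with a non-trivial CBC chain. Note that AESCMAC returns the full 128-bit tag and truncation happens in one place, so an implementation that needs AES-CMAC for another purpose (for example as a PRF) reuses the same core without touching the IPsec authenticator length.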
| 6. Interaction with the ESP Cipher Mechanism | 6. Interaction with the ESP Cipher Mechanism | |||
| As of this writing, there are no known issues which preclude the use | As of this writing, there are no known issues which preclude the use | |||
| of AES-CMAC-96 with any specific cipher algorithm. | of AES-CMAC-96 with any specific cipher algorithm. | |||
| 7. Security Considerations | 7. Security Considerations | |||
| The security provided by AES-CMAC-96 is based upon the strength of | See the Security Considerations section of [AES-CMAC]. | |||
| AES. At the time of this writing there are no practical | ||||
| cryptographic attacks against AES or AES-CMAC-96. | ||||
| As is true with any cryptographic algorithm, part of its strength | ||||
| lies in the correctness of the algorithm implementation, the security | ||||
| of the key management mechanism and its implementation, the strength | ||||
| of the associated secret key, and upon the correctness of the | ||||
| implementation in all of the participating systems. This document | ||||
| contains test vectors to assist in verifying the correctness of | ||||
| AES-CMAC-96 code. | ||||
| 8. IANA Consideration | 8. IANA Consideration | |||
| TBD | IANA should allocate a value for IKEv2 Transform Type 3 (Integrity | |||
| | Algorithm) to the AES-CMAC-96 algorithm when this document is | |||
| | published. | |||
| 9. Acknowledgement | 9. Acknowledgement | |||
| Portions of this text were borrowed from [NIST-CMAC] and | Portions of this text were borrowed from [NIST-CMAC] and [AES-XCBC-MAC]. | |||
| [AES-XCBC-MAC]. We would like to thank the OMAC1 authors Tetsu Iwata | We would like to thank Russ Housley for his useful comments. | |||
| and Kaoru Kurosawa, and the CMAC author Morris Dworkin. | | |||
| 10. References | 10. References | |||
| 10.1. Normative References | ||||
| [NIST-CMAC] NIST, Special Publication 800-38B Draft,"Recommendation | [NIST-CMAC] NIST, Special Publication 800-38B Draft,"Recommendation | |||
| for Block Cipher Modes of Operation: The CMAC Method | for Block Cipher Modes of Operation: The CMAC Method | |||
| for Authentication," March 9, 2005 | for Authentication," March 9, 2005 | |||
| [AES] NIST, FIPS 197, "Advanced Encryption Standard (AES)," | [NIST-AES] NIST, FIPS 197, "Advanced Encryption Standard (AES)," | |||
| November 2001. | November 2001. | |||
| http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf | http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf | |||
| [OMAC1] "OMAC: One-Key CBC MAC," Tetsu Iwata and Kaoru Kurosawa, | [OMAC1] "OMAC: One-Key CBC MAC," Tetsu Iwata and Kaoru Kurosawa, | |||
| Department of Computer and Information Sciences, | Department of Computer and Information Sciences, | |||
| Ibaraki University, March 10, 2003. | Ibaraki University, March 10, 2003. | |||
| [ESP] Kent, S. and R. Atkinson, "IP Encapsulating Security | ||||
| [AH] Kent, S. and R. Atkinson, "IP Authentication Header", | Payload (ESP)", RFC 2406, November 1998. | |||
| RFC 2402, November 1998. | ||||
| [ROADMAP] Thayer, R., N. Doraswamy, and R. Glenn, "IP Security | ||||
| Document Roadmap", RFC 2411, November 1998. | ||||
| [XCBC] Black, J. and P. Rogaway, "A Suggestion for Handling | [XCBC] Black, J. and P. Rogaway, "A Suggestion for Handling | |||
| Arbitrary-Length Messages with the CBC MAC," NIST | Arbitrary-Length Messages with the CBC MAC," NIST | |||
| Second Modes of Operation Workshop, August 2001. | Second Modes of Operation Workshop, August 2001. | |||
| http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ | http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ | |||
| xcbc-mac/xcbc-mac-spec.pdf | xcbc-mac/xcbc-mac-spec.pdf | |||
| [AES-CMAC] JunHyuk Song and Jicheol Lee, "The AES-CMAC Algorithm" | [AES-CMAC] JunHyuk Song, Jicheol Lee, Radha Poovendran, Tetsu Iwata | |||
| draft-songlee-aes-cmac-00.txt, May 2005 | "The AES-CMAC Algorithm" draft-songlee-aes-cmac-02.txt, | |||
| October 2005 (Work in progress) | ||||
| 10.2. Informative References | ||||
| 11. Author's Address | [AH] Kent, S. and R. Atkinson, "IP Authentication Header", | |||
| | RFC 2402, November 1998. | |||
| [ROADMAP] Thayer, R., Doraswamy, N. and R. Glenn, "IP Security | ||||
| Document Roadmap", RFC 2411, November 1998. | ||||
| [OMAC1a] Tetsu Iwata and Kaoru Kurosawa, "OMAC: One-Key CBC MAC," | ||||
| Fast Software Encryption, FSE 2003, LNCS 2887, | ||||
| pp. 129-153, Springer-Verlag, 2003. | ||||
| [RFC-HMAC] Hugo Krawczyk, Mihir Bellare and Ran Canetti, | ||||
| "HMAC: Keyed-Hashing for Message Authentication," | ||||
| RFC2104, February 1997. | ||||
| [OMAC1b] Tetsu Iwata and Kaoru Kurosawa, "OMAC: One-Key CBC MAC," | ||||
| Submission to NIST, December 2002. | ||||
| Available from the NIST modes of operation web site at | ||||
| http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ | ||||
| omac/omac-spec.pdf | ||||
| [XCBCa] John Black and Phillip Rogaway, "A Suggestion for | ||||
| Handling Arbitrary-Length Messages with the CBC MAC," | ||||
| NIST Second Modes of Operation Workshop, August 2001. | ||||
| Available from the NIST modes of operation web site at | ||||
| http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ | ||||
| xcbc-mac/xcbc-mac-spec.pdf | ||||
| [XCBCb] John Black and Phillip Rogaway, "CBC MACs for | ||||
| Arbitrary-Length Messages: The Three-Key | ||||
| Constructions," Journal of Cryptology, Vol. 18, No. 2, | ||||
| pp. 111-132, Springer-Verlag, Spring 2005. | ||||
| [IKEv2] Kaufman, C., Ed., "Internet Key Exchange (IKEv2) | ||||
| Protocol", draft-ietf-ipsec-ikev2-17 | ||||
| (work in progress), September 2004. | ||||
| 11. Author's Address | ||||
| Junhyuk Song | Junhyuk Song | |||
| University of Washington | ||||
| Samsung Electronics | Samsung Electronics | |||
| +82-31-279-3639 | (206) 853-5843 | |||
| santajunman@hanafos.com | songlee@ee.washington.edu | |||
| junhyuk.song@samsung.com | ||||
| Jicheol Lee | Jicheol Lee | |||
| Samsung Electronics | Samsung Electronics | |||
| +82-31-279-3605 | +82-31-279-3605 | |||
| jicheol.lee@samsung.com | jicheol.lee@samsung.com | |||
| Radha Poovendran | ||||
| Network Security Lab (NSL) | ||||
| Dept. of Electrical Engineering | ||||
| University of Washington | ||||
| (206) 221-6512 | ||||
| radha@ee.washington.edu | ||||
| Intellectual Property Statement | Intellectual Property Statement | |||
| The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||
| Intellectual Property Rights or other rights that might be claimed to | Intellectual Property Rights or other rights that might be claimed to | |||
| pertain to the implementation or use of the technology described in | pertain to the implementation or use of the technology described in | |||
| this document or the extent to which any license under such rights | this document or the extent to which any license under such rights | |||
| might or might not be available; nor does it represent that it has | might or might not be available; nor does it represent that it has | |||
| made any independent effort to identify any such rights. Information | made any independent effort to identify any such rights. Information | |||
| on the procedures with respect to rights in RFC documents can be | on the procedures with respect to rights in RFC documents can be | |||
| found in BCP 78 and BCP 79. | found in BCP 78 and BCP 79. | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||