| draft-songlee-aes-cmac-96-03.txt | draft-songlee-aes-cmac-96-04.txt | |||
|---|---|---|---|---|
| JunHyuk Song | JunHyuk Song | |||
| Radha Poovendran | Radha Poovendran | |||
| University of Washington | University of Washington | |||
| Jicheol Lee | Jicheol Lee | |||
| INTERNET DRAFT Samsung Electronics | INTERNET DRAFT Samsung Electronics | |||
| Expires: May 30, 2006 November 30 2005 | Expires: August 2, 2006 February 3 2006 | |||
| The AES-CMAC-96 Algorithm and its use with IPsec | The AES-CMAC-96 Algorithm and its use with IPsec | |||
| draft-songlee-aes-cmac-96-03.txt | draft-songlee-aes-cmac-96-04.txt | |||
| Status of This Memo | Status of This Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2006). | |||
| Abstract | Abstract | |||
| National Institute of Standards and Technology (NIST) has newly | National Institute of Standards and Technology (NIST) has newly | |||
| specified the Cipher based MAC (CMAC) which is equivalent to the | specified the Cipher based MAC (CMAC) which is equivalent to the | |||
| One-Key CBC-MAC1 (OMAC1) algorithm submitted by Iwata and Kurosawa. | One-Key CBC-MAC1 (OMAC1) algorithm submitted by Iwata and Kurosawa. | |||
| OMAC1 efficiently reduces the key size of Extended Cipher Block | OMAC1 efficiently reduces the key size of Extended Cipher Block | |||
| Chaining mode (XCBC). This memo specifies the use of CMAC mode on | Chaining mode (XCBC). This memo specifies the use of CMAC mode on | |||
| authentication mechanism of IPsec Encapsulating Security Payload | authentication mechanism of IPsec Encapsulating Security Payload | |||
| (ESP) and the Authentication Header (AH) protocols. This new | (ESP) and the Authentication Header (AH) protocols. This new | |||
| algorithm is named AES-CMAC-96. | algorithm is named AES-CMAC-96. | |||
| 1. Introduction | 1. Introduction | |||
| National Institute of Standards and Technology (NIST) has newly | National Institute of Standards and Technology (NIST) has newly | |||
| specified the Cipher-based Message Authentication Code (CMAC). | specified the Cipher-based Message Authentication Code (CMAC). | |||
| CMAC [NIST-CMAC] is a keyed hash function that is based on a | CMAC [NIST-CMAC] is a message authentication code that is based on | |||
| symmetric key block cipher such as the Advanced Encryption | a symmetric key block cipher such as the Advanced Encryption | |||
| Standard [NIST-AES]. CMAC is equivalent to the One-Key CBC MAC1 | Standard [NIST-AES]. CMAC is equivalent to the One-Key CBC MAC1 | |||
| (OMAC1) submitted by Iwata and Kurosawa [OMAC1a, OMAC1b]. OMAC1 | (OMAC1) submitted by Iwata and Kurosawa [OMAC1a, OMAC1b]. OMAC1 | |||
| is an improvement of the eXtended Cipher Block Chaining mode (XCBC) | is an improvement of the eXtended Cipher Block Chaining mode (XCBC) | |||
| submitted by Black and Rogaway [XCBCa, XCBCb], which itself is an | submitted by Black and Rogaway [XCBCa, XCBCb], which itself is an | |||
| improvement of the basic CBC-MAC. XCBC efficiently addresses the | improvement of the basic CBC-MAC. XCBC efficiently addresses the | |||
| security deficiencies of CBC-MAC, and OMAC1 efficiently reduces the | security deficiencies of CBC-MAC, and OMAC1 efficiently reduces the | |||
| key size of XCBC. | key size of XCBC. | |||
| This memo specifies the usage of CMAC on authentication mechanism | This memo specifies the usage of CMAC on authentication mechanism | |||
| of IPsec Encapsulating Security Payload (ESP) [ESP] and the | of IPsec Encapsulating Security Payload (ESP) [ESP] and the | |||
| MAC Message Authentication Code. | MAC Message Authentication Code. | |||
| A bit string of a fixed length, computed by MAC | A bit string of a fixed length, computed by MAC | |||
| generation algorithm, that is used to established | generation algorithm, that is used to established | |||
| the authority and hence, the integrity of a message. | the authority and hence, the integrity of a message. | |||
| CMAC Cipher-based MAC based on an approved symmetric key | CMAC Cipher-based MAC based on an approved symmetric key | |||
| block cipher, such as the Advanced Encryption | block cipher, such as the Advanced Encryption | |||
| Standard. | Standard. | |||
| Key (K) 128-bits (16bytes) long key for AES-128 cipher block. | Key (K) 128-bits (16 octets) long key for AES-128 cipher | |||
| Denoted by K. | block. Denoted by K. | |||
| Message (M) Message to be authenticated. | Message (M) Message to be authenticated. | |||
| Denoted by M. | Denoted by M. | |||
| Length (len) The length of message M in bytes. | Length (len) The length of message M in octets. | |||
| Denoted by len. | Denoted by len. | |||
| Minimum value of the length can be 0. The maximum | Minimum value of the length can be 0. The maximum | |||
| value of the length is not specified in this document. | value of the length is not specified in this document. | |||
| truncate(T,l) Truncate T (MAC) in msb-first order with l bytes. | truncate(T,l) Truncate T (MAC) in msb-first order with l octet. | |||
| T The output of AES-CMAC | T The output of AES-CMAC | |||
| Truncated T The truncated output of AES-CMAC-128 in MSB first | Truncated T The truncated output of AES-CMAC-128 in MSB first | |||
| order. | order. | |||
| AES-CMAC CMAC generation function based on AES block cipher | AES-CMAC CMAC generation function based on AES block cipher | |||
| with 128-bits key | with 128-bits key | |||
| AES-CMAC-96 IPsec AH and ESP MAC generation function based on | AES-CMAC-96 IPsec AH and ESP MAC generation function based on | |||
| AES-CMAC which truncates MSB 96 bits of 128 bits | AES-CMAC which truncates MSB 96 bits of 128 bits | |||
| systems in which AES is more readily available than a hash function. | systems in which AES is more readily available than a hash function. | |||
| For detail information about AES-CMAC is available in [AES-CMAC] and | For detail information about AES-CMAC is available in [AES-CMAC] and | |||
| [NIST-CMAC]. | [NIST-CMAC]. | |||
| 4. AES-CMAC-96 | 4. AES-CMAC-96 | |||
| For use in IPsec message authentication on AH and ESP, AES-CMAC-96 | For use in IPsec message authentication on AH and ESP, AES-CMAC-96 | |||
| should be used. AES-CMAC-96 is a AES-CMAC with 96-bit-long truncated | should be used. AES-CMAC-96 is a AES-CMAC with 96-bit-long truncated | |||
| output in most significant bit first order. The output of 96 bits | output in most significant bit first order. The output of 96 bits | |||
| MAC that will meet the default authenticator length as specified | MAC that will meet the default authenticator length as specified | |||
| in [AH]. The result of truncation should be taken in most | in [AH]. The result of truncation is taken in most significant bits | |||
| significant bits first order. For further information on AES-CMAC, | first order. For further information on AES-CMAC, refer to | |||
| refer to [AES-CMAC] and [NIST-CMAC]. | [AES-CMAC] and [NIST-CMAC]. | |||
| Figure 1 describes AES-CMAC-96 algorithm: | Figure 1 describes AES-CMAC-96 algorithm: | |||
| In step 1, AES-CMAC is applied to the message 'M' in length 'len' | In step 1, AES-CMAC is applied to the message 'M' in length 'len' | |||
| with key 'K' | with key 'K' | |||
| In step 2, Truncate output block, T with 12 byte in msb-first-order | In step 2, Truncate output block, T with 12 octets in | |||
| and return TT. | msb-first-order and return TT. | |||
| +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | |||
| + Algorithm AES-CMAC-96 + | + Algorithm AES-CMAC-96 + | |||
| +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | |||
| + + | + + | |||
| + Input : K (128-bit Key described in section 4.1) + | + Input : K (128-bit Key described in section 4.1) + | |||
| + : M ( message to be authenticated ) + | + : M ( message to be authenticated ) + | |||
| + : len ( length of message in bytes ) + | + : len ( length of message in octets ) + | |||
| + Output : Truncated T (Truncated output with length 12 bytes) + | + Output : Truncated T (Truncated output with length 12 octets)+ | |||
| + + | + + | |||
| +-------------------------------------------------------------------+ | +-------------------------------------------------------------------+ | |||
| + + | + + | |||
| + Step 1. T := AES-CMAC (K,M,len); + | + Step 1. T := AES-CMAC (K,M,len); + | |||
| + Step 2. TT := truncate (T, 12); + | + Step 2. TT := truncate (T, 12); + | |||
| + return TT; + | + return TT; + | |||
| +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | |||
| Figure 1 Algorithm AES-CMAC-96 | Figure 1 Algorithm AES-CMAC-96 | |||
| As of this writing, there are no known issues which preclude the use | As of this writing, there are no known issues which preclude the use | |||
| of AES-CMAC-96 with any specific cipher algorithm. | of AES-CMAC-96 with any specific cipher algorithm. | |||
| 7. Security Considerations | 7. Security Considerations | |||
| See security consideration of [AES-CMAC]. | See security consideration of [AES-CMAC]. | |||
| 8. IANA Consideration | 8. IANA Consideration | |||
| IANA should allocate a value for IKEv2 Transform Type 3 (Integrity | IANA should allocate a value for IKEv2 Transform Type 3 (Integrity | |||
| Algorithm) to the AES-CMAC-PRF-128 algorithm when this document is | Algorithm) to the AUTH_AES_CMAC_96 algorithm when this document is | |||
| published. | published. | |||
| 9. Acknowledgement | 9. Acknowledgement | |||
| Portions of this text were borrowed from [NIST-CMAC] and [AES-XCBC-MAC]. | Portions of this text were borrowed from [NIST-CMAC] and | |||
| We would like to thank to Russ Housley for his useful comments. | [AES-XCBC-MAC]. We would like to thank to Russ Housley for his | |||
| useful comments. | ||||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [NIST-CMAC] NIST, Special Publication 800-38B Draft,"Recommendation | [NIST-CMAC] NIST, Special Publication 800-38B Draft,"Recommendation | |||
| for Block Cipher Modes of Operation: The CMAC Method | for Block Cipher Modes of Operation: The CMAC Method | |||
| for Authentication," March 9, 2005 | for Authentication," March 9, 2005 | |||
| [NIST-AES] NIST, FIPS 197, "Advanced Encryption Standard (AES)," | [NIST-AES] NIST, FIPS 197, "Advanced Encryption Standard (AES)," | |||
| November 2001. | November 2001. | |||
| http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf | http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf | |||
| [OMAC1] "OMAC: One-Key CBC MAC," Tetsu Iwata and Kaoru Kurosawa, | ||||
| Department of Computer and Information Sciences, | ||||
| Ilbaraki University, March 10, 2003. | ||||
| [ESP] Kent, S. and R. Atkinson, "IP Encapsulating Security | [ESP] Kent, S. and R. Atkinson, "IP Encapsulating Security | |||
| Payload (ESP)", RFC 2406, November 1998. | Payload (ESP)", RFC 2406, November 1998. | |||
| [XCBC] Black, J. and P. Rogaway, "A Suggestion for Handling | ||||
| Arbitrary-Length Messages with the CBC MAC," NIST | ||||
| Second Modes of Operation Workshop, August 2001. | ||||
| http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ | ||||
| xcbc-mac/xcbc-mac-spec.pdf | ||||
| [AES-CMAC] JunHyuk Song, Jicheol Lee, Radha Poovendran, Tetsu Iwata | [AES-CMAC] JunHyuk Song, Jicheol Lee, Radha Poovendran, Tetsu Iwata | |||
| "The AES-CMAC Algorithm" draft-songlee-aes-cmac-02.txt, | "The AES-CMAC Algorithm" draft-songlee-aes-cmac-02.txt, | |||
| October 2005 (Work in progress) | October 2005 (Work in progress) | |||
| 10.2. Informative References | 10.2. Informative References | |||
| [AH] Kent, S. and R. Atkinson, "Security Architecture for the | [AH] Kent, S. and R. Atkinson, "Security Architecture for the | |||
| Internet Protocol", RFC 2401, November 1998. | Internet Protocol", RFC 2401, November 1998. | |||
| [ROADMAP] Thayer, R., Doraswamy, N. and R. Glenn, "IP Security | [ROADMAP] Thayer, R., Doraswamy, N. and R. Glenn, "IP Security | |||
| Document Roadmap", RFC 2411, November 1998. | Document Roadmap", RFC 2411, November 1998. | |||
| [OMAC1a] Tetsu Iwata and Kaoru Kurosawa, "OMAC: One-Key CBC MAC," | [OMAC1a] Tetsu Iwata and Kaoru Kurosawa, "OMAC: One-Key CBC MAC," | |||
| Fast Software Encryption, FSE 2003, LNCS 2887, | Fast Software Encryption, FSE 2003, LNCS 2887, | |||
| pp. 129-153, Springer-Verlag, 2003. | pp. 129-153, Springer-Verlag, 2003. | |||
| [RFC-HMAC] Hugo Krawczyk, Mihir Bellare and Ran Canetti, | [RFC-HMAC] Hugo Krawczyk, Mihir Bellare and Ran Canetti, | |||
| "HMAC: Keyed-Hashing for Message Authentication," | "HMAC: Keyed-Hashing for Message Authentication," | |||
| RFC2104, February 1997. | RFC2104, February 1997. | |||
| [OMAC1] "OMAC: One-Key CBC MAC," Tetsu Iwata and Kaoru Kurosawa, | ||||
| Department of Computer and Information Sciences, | ||||
| Ilbaraki University, March 10, 2003. | ||||
| [OMAC1b] Tetsu Iwata and Kaoru Kurosawa, "OMAC: One-Key CBC MAC," | [OMAC1b] Tetsu Iwata and Kaoru Kurosawa, "OMAC: One-Key CBC MAC," | |||
| Submission to NIST, December 2002. | Submission to NIST, December 2002. | |||
| Available from the NIST modes of operation web site at | Available from the NIST modes of operation web site at | |||
| http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ | http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ | |||
| omac/omac-spec.pdf | omac/omac-spec.pdf | |||
| [XCBCa] John Black and Phillip Rogaway, "A Suggestion for | [XCBCa] John Black and Phillip Rogaway, "A Suggestion for | |||
| Handling Arbitrary-Length Messages with the CBC MAC," | Handling Arbitrary-Length Messages with the CBC MAC," | |||
| NIST Second Modes of Operation Workshop, August 2001. | NIST Second Modes of Operation Workshop, August 2001. | |||
| Available from the NIST modes of operation web site at | Available from the NIST modes of operation web site at | |||
| http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ | http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ | |||
| xcbc-mac/xcbc-mac-spec.pdf | xcbc-mac/xcbc-mac-spec.pdf | |||
| [XCBCb] John Black and Phillip Rogaway, "CBC MACs for | [XCBCb] John Black and Phillip Rogaway, "CBC MACs for | |||
| Arbitrary-Length Messages: The Three-Key | Arbitrary-Length Messages: The Three-Key | |||
| Constructions," Journal of Cryptology, Vol. 18, No. 2, | Constructions," Journal of Cryptology, Vol. 18, No. 2, | |||
| pp. 111-132, Springer-Verlag, Spring 2005. | pp. 111-132, Springer-Verlag, Spring 2005. | |||
| [XCBC] Black, J. and P. Rogaway, "A Suggestion for Handling | ||||
| Arbitrary-Length Messages with the CBC MAC," NIST | ||||
| Second Modes of Operation Workshop, August 2001. | ||||
| http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ | ||||
| xcbc-mac/xcbc-mac-spec.pdf | ||||
| [IKEv2] Kaufman, C., Ed., "Internet Key Exchange (IKEv2) | [IKEv2] Kaufman, C., Ed., "Internet Key Exchange (IKEv2) | |||
| Protocol", draft-ietf-ipsec-ikev2-17 | Protocol", draft-ietf-ipsec-ikev2-17 | |||
| (work in progress), September 2004. | (work in progress), September 2004. | |||
| 11. Author's Address | 11. Author's Address | |||
| Junhyuk Song | Junhyuk Song | |||
| University of Washington | University of Washington | |||
| Samsung Electronics | Samsung Electronics | |||
| (206) 853-5843 | (206) 853-5843 | |||
| This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | |||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | |||
| ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | |||
| INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | |||
| INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | |||
| WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | |||
| Copyright Statement | Copyright Statement | |||
| Copyright (C) The Internet Society (2005). This document is subject | Copyright (C) The Internet Society (2006). This document is subject | |||
| to the rights, licenses and restrictions contained in BCP 78, and | to the rights, licenses and restrictions contained in BCP 78, and | |||
| except as set forth therein, the authors retain all their rights. | except as set forth therein, the authors retain all their rights. | |||
| Acknowledgment | Acknowledgment | |||
| Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is currently provided by the | |||
| Internet Society. | Internet Society. | |||
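Review bot: in the Terminology block (the MAC and truncate(T,l) entries, present in both -03 and -04), the MAC definition reads "used to established the authority and hence, the integrity of a message"; it should be "used to establish the authenticity and, hence, the integrity of a message", since a MAC provides authenticity, not authority. The -04 wording "Truncate T (MAC) in msb-first order with l octet" should be "to l octets", and the AES-CMAC-96 entry "truncates MSB 96 bits of 128 bits" would be clearer as "keeps the 96 most significant bits of the 128-bit output", which is what Figure 1 does.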
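Review bot: Section 4 has "a AES-CMAC" (should be "an AES-CMAC"), and the sentence "The output of 96 bits MAC that will meet the default authenticator length as specified in [AH]." is a fragment; suggest "The 96-bit MAC output meets the default authenticator length specified in [AH]." The -04 rewording "The result of truncation is taken in most significant bits first order" then restates the truncation order given one sentence earlier and can be dropped. The figure's Input line points to "section 4.1" for the key; that section is not visible in this diff, so the cross-reference is worth confirming.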
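Review bot: the [AH] entry in 10.2 cites RFC 2401, "Security Architecture for the Internet Protocol", while Section 4 relies on [AH] for the default authenticator length, which is defined by the AH specification itself (RFC 2402, "IP Authentication Header"); the tag and the entry should agree, and because Section 4 depends on it, [AH] belongs in 10.1 rather than 10.2. The -04 IANA change from AES-CMAC-PRF-128 to AUTH_AES_CMAC_96 is correct: Transform Type 3 is the Integrity Algorithm registry, and a PRF name belongs to Transform Type 2. [OMAC1] and [XCBC] are moved to 10.2 but are still cited nowhere in the body (which uses [OMAC1a]/[OMAC1b] and [XCBCa]/[XCBCb]) and duplicate [OMAC1a] and [XCBCa], so they can be removed; "Ilbaraki University" should be "Ibaraki University". Minor: "thank to Russ Housley" should be "thank Russ Housley", "IANA Consideration" should be "IANA Considerations", and Section 7 only defers to [AES-CMAC] even though the 96-bit truncation is what this document adds, so a sentence on the effect of the shorter tag belongs there.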