< draft-songlee-aes-cmac-96-03.txt   draft-songlee-aes-cmac-96-04.txt >

                                                            JunHyuk Song
                                                        Radha Poovendran
                                                University of Washington
                                                             Jicheol Lee
INTERNET DRAFT                                       Samsung Electronics
< Expires: May 30, 2006                                 November 30 2005
> Expires: August 2, 2006                                February 3 2006

             The AES-CMAC-96 Algorithm and its use with IPsec
<                     draft-songlee-aes-cmac-96-03.txt
>                     draft-songlee-aes-cmac-96-04.txt
Status of This Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that

skipping to change at page 1, line 37

material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

Copyright Notice

< Copyright (C) The Internet Society (2005).
> Copyright (C) The Internet Society (2006).

Abstract

National Institute of Standards and Technology (NIST) has newly
specified the Cipher based MAC (CMAC) which is equivalent to the
One-Key CBC-MAC1 (OMAC1) algorithm submitted by Iwata and Kurosawa.
OMAC1 efficiently reduces the key size of Extended Cipher Block
Chaining mode (XCBC). This memo specifies the use of CMAC mode on
authentication mechanism of IPsec Encapsulating Security Payload
(ESP) and the Authentication Header (AH) protocols. This new
algorithm is named AES-CMAC-96.

1. Introduction

National Institute of Standards and Technology (NIST) has newly
specified the Cipher-based Message Authentication Code (CMAC).
< CMAC [NIST-CMAC] is a keyed hash function that is based on a
< symmetric key block cipher such as the Advanced Encryption
< Standard [NIST-AES]. CMAC is equivalent to the One-Key CBC MAC1
> CMAC [NIST-CMAC] is a message authentication code that is based on
> a symmetric key block cipher such as the Advanced Encryption
> Standard [NIST-AES]. CMAC is equivalent to the One-Key CBC MAC1
(OMAC1) submitted by Iwata and Kurosawa [OMAC1a, OMAC1b]. OMAC1
is an improvement of the eXtended Cipher Block Chaining mode (XCBC)
submitted by Black and Rogaway [XCBCa, XCBCb], which itself is an
improvement of the basic CBC-MAC. XCBC efficiently addresses the
security deficiencies of CBC-MAC, and OMAC1 efficiently reduces the
key size of XCBC.

This memo specifies the usage of CMAC on authentication mechanism
of IPsec Encapsulating Security Payload (ESP) [ESP] and the

skipping to change at page 2, line 39
MAC            Message Authentication Code.
               A bit string of a fixed length, computed by MAC
               generation algorithm, that is used to established
               the authority and hence, the integrity of a message.

CMAC           Cipher-based MAC based on an approved symmetric key
               block cipher, such as the Advanced Encryption
               Standard.

< Key (K)        128-bits (16bytes) long key for AES-128 cipher block.
<                Denoted by K.
> Key (K)        128-bits (16 octets) long key for AES-128 cipher
>                block. Denoted by K.

Message (M)    Message to be authenticated.
               Denoted by M.

< Length (len)   The length of message M in bytes.
> Length (len)   The length of message M in octets.
               Denoted by len.
               Minimum value of the length can be 0. The maximum
               value of the length is not specified in this document.

< truncate(T,l)  Truncate T (MAC) in msb-first order with l bytes.
> truncate(T,l)  Truncate T (MAC) in msb-first order with l octet.

T              The output of AES-CMAC

Truncated T    The truncated output of AES-CMAC-128 in MSB first
               order.

AES-CMAC       CMAC generation function based on AES block cipher
               with 128-bits key

AES-CMAC-96    IPsec AH and ESP MAC generation function based on
               AES-CMAC which truncates MSB 96 bits of 128 bits
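Review bot: the new wording "with l octet" in the truncate(T,l) entry should be "with l octets", to match "in octets" in the Length entry and "12 octets" in Figure 1. In the unchanged lines of the same block, the MAC entry's "used to established the authority and hence, the integrity of a message" should read "used to establish the authenticity, and hence the integrity, of a message" (a MAC provides data-origin authentication, not authority); "Key (K) 128-bits (16 octets) long key" and "AES-CMAC ... with 128-bits key" should say "128-bit"; and "Truncated T" is defined as the output of "AES-CMAC-128" while every other entry says "AES-CMAC", so use one name for the function throughout.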
skipping to change at page 3, line 41
systems in which AES is more readily available than a hash function.
For detail information about AES-CMAC is available in [AES-CMAC] and
[NIST-CMAC].

4. AES-CMAC-96

For use in IPsec message authentication on AH and ESP, AES-CMAC-96
should be used. AES-CMAC-96 is a AES-CMAC with 96-bit-long truncated
output in most significant bit first order. The output of 96 bits
MAC that will meet the default authenticator length as specified
< in [AH]. The result of truncation should be taken in most
< significant bits first order. For further information on AES-CMAC,
< refer to [AES-CMAC] and [NIST-CMAC].
> in [AH]. The result of truncation is taken in most significant bits
> first order. For further information on AES-CMAC, refer to
> [AES-CMAC] and [NIST-CMAC].

Figure 1 describes AES-CMAC-96 algorithm:

In step 1, AES-CMAC is applied to the message 'M' in length 'len'
with key 'K'

< In step 2, Truncate output block, T with 12 byte in msb-first-order
< and return TT.
> In step 2, Truncate output block, T with 12 octets in
> msb-first-order and return TT.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Algorithm AES-CMAC-96                                             +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+                                                                   +
+ Input  : K (128-bit Key described in section 4.1)                 +
+        : M ( message to be authenticated )                        +
< +        : len ( length of message in bytes )                      +
< + Output : Truncated T (Truncated output with length 12 bytes)     +
> +        : len ( length of message in octets )                     +
> + Output : Truncated T (Truncated output with length 12 octets)    +
+                                                                   +
+-------------------------------------------------------------------+
+                                                                   +
+ Step 1. T := AES-CMAC (K,M,len);                                  +
+ Step 2. TT := truncate (T, 12);                                   +
+         return TT;                                                +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Figure 1 Algorithm AES-CMAC-96
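Review bot: changing "should be taken" to "is taken" is the right fix, since the truncation order is part of the definition rather than advice, but the prose of this section still does not match the figure it introduces. "AES-CMAC-96 is a AES-CMAC" should be "an AES-CMAC", and "The output of 96 bits MAC that will meet the default authenticator length as specified in [AH]" is not a sentence (say "The 96-bit MAC output meets the default authenticator length specified in [AH]"). Step 2 writes the order as "msb-first-order" while the paragraph above says "most significant bit first order" and the Terminology says "MSB first"; pick one form, and state plainly that it means the first 12 octets of T in the order AES-CMAC emits them, which is what implementers will actually code. The Input line of Figure 1 points to "section 4.1" for the key, so check that -04 still has a section 4.1.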
skipping to change at page 5, line 16

As of this writing, there are no known issues which preclude the use
of AES-CMAC-96 with any specific cipher algorithm.
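Figure 1 in section 4 above defines AES-CMAC-96 as AES-CMAC followed by a 12-octet msb-first truncation, but leaves the AES-CMAC step itself to [AES-CMAC] and [NIST-CMAC]. The Go program below is an added example, not code from the draft or its authors: it carries out both steps over the standard library's AES, including the K1/K2 subkey derivation and last-block padding that CMAC needs, the truncation to 96 bits, and a constant-time verifier for the receiving side. The function names AESCMAC, AESCMAC96 and VerifyAESCMAC96 are the example's own, and the key and message in main are the published AES-128 CMAC test vectors from RFC 4493 / SP 800-38B, which are not on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

const blockSize = 16 // AES block size in octets; CMAC subkeys and padding work per block
const rb = 0x87      // reduction constant for doubling in GF(2^128) (SP 800-38B, section 5.3)

// double returns in<<1 over the 128-bit block as a big-endian integer, XORed
// with Rb when the bit shifted out was 1. K1 = double(L) and K2 = double(K1).
func double(in []byte) []byte {
	out := make([]byte, blockSize)
	var carry byte
	for i := blockSize - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry == 1 {
		out[blockSize-1] ^= rb
	}
	return out
}

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// AESCMAC is step 1 of Figure 1: the full 128-bit tag T = AES-CMAC(K, M, len).
func AESCMAC(key, m []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil || len(key) != blockSize { // the draft fixes K at 128 bits
		return nil, fmt.Errorf("AES-CMAC-96 requires a 128-bit AES key, got %d bits", len(key)*8)
	}
	l := make([]byte, blockSize)
	c.Encrypt(l, l) // L = AES-K(0^128)
	k1 := double(l)
	k2 := double(k1)

	full := len(m) / blockSize // complete leading blocks
	last := make([]byte, blockSize)
	if len(m) > 0 && len(m)%blockSize == 0 {
		full-- // final complete block: M_n XOR K1, no padding
		copy(last, m[full*blockSize:])
		xorInto(last, k1)
	} else {
		rem := m[full*blockSize:] // partial or empty final block: pad 10^* then XOR K2
		copy(last, rem)
		last[len(rem)] = 0x80
		xorInto(last, k2)
	}

	x := make([]byte, blockSize) // CBC chain with a zero IV over the leading blocks
	for i := 0; i < full; i++ {
		xorInto(x, m[i*blockSize:(i+1)*blockSize])
		c.Encrypt(x, x)
	}
	xorInto(x, last)
	c.Encrypt(x, x)
	return x, nil
}

// AESCMAC96 is Figure 1 in full: T := AES-CMAC(K,M,len); TT := truncate(T, 12).
// "msb-first" means the first 12 octets of T in the order AES produces them.
func AESCMAC96(key, m []byte) ([]byte, error) {
	t, err := AESCMAC(key, m)
	if err != nil {
		return nil, err
	}
	return t[:12], nil
}

// VerifyAESCMAC96 is the receiver's check: recompute and compare in constant
// time, so a forger probing the AH/ESP ICV learns nothing from timing.
func VerifyAESCMAC96(key, m, tag []byte) bool {
	want, err := AESCMAC96(key, m)
	if err != nil || len(tag) != len(want) {
		return false
	}
	return subtle.ConstantTimeCompare(want, tag) == 1
}

func main() {
	// AES-128 key and 40-octet message from the RFC 4493 / SP 800-38B test vectors (not on this page).
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	m, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411")
	tag, _ := AESCMAC96(key, m)
	fmt.Printf("AES-CMAC-96 = %x\n", tag) // dfa66747de9ae63030ca3261
	fmt.Println("verifies:", VerifyAESCMAC96(key, m, tag))
	tag[11] ^= 0x01 // flip one bit of the ICV
	fmt.Println("verifies after bit flip:", VerifyAESCMAC96(key, m, tag))
}
```

The two cases in AESCMAC are the whole reason CMAC needs two subkeys: a message whose length is a multiple of 16 octets is absorbed without padding under K1, anything else (including the empty message the Terminology allows) is padded with a single 1 bit and zeros under K2, so no padded message can collide with an unpadded one. The verifier rejects a tag of the wrong length before comparing, and compares with subtle.ConstantTimeCompare rather than bytes.Equal.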
7. Security Considerations

See security consideration of [AES-CMAC].

8. IANA Consideration

< IANA should allocate a value for IKEv2 Transform Type 3 (Integrity
< Algorithm) to the AES-CMAC-PRF-128 algorithm when this document is
< published.
> IANA should allocate a value for IKEv2 Transform Type 3 (Integrity
> Algorithm) to the AUTH_AES_CMAC_96 algorithm when this document is
> published.
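Review bot: AUTH_AES_CMAC_96 is the right name to register, and the old text was wrong on its face: it asked for an Integrity Algorithm (Transform Type 3) value under a PRF name. Since this is the paragraph IANA acts on, state the fixed parameters next to the name (128-bit key, 96-bit authenticator) rather than leaving them to be inferred from section 4.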
9. Acknowledgement

< Portions of this text were borrowed from [NIST-CMAC] and [AES-XCBC-MAC].
< We would like to thank to Russ Housley for his useful comments.
> Portions of this text were borrowed from [NIST-CMAC] and
> [AES-XCBC-MAC]. We would like to thank to Russ Housley for his
> useful comments.
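Review bot: [AES-XCBC-MAC] is cited here in both versions but has no entry in 10.1 or 10.2 of either column; add the reference or drop the tag. Also "thank to Russ Housley" should be "thank Russ Housley".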
10. References

10.1. Normative References

[NIST-CMAC]   NIST, Special Publication 800-38B Draft,"Recommendation
              for Block Cipher Modes of Operation: The CMAC Method
              for Authentication," March 9, 2005

[NIST-AES]    NIST, FIPS 197, "Advanced Encryption Standard (AES),"
              November 2001.
              http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

< [OMAC1]       "OMAC: One-Key CBC MAC," Tetsu Iwata and Kaoru Kurosawa,
<               Department of Computer and Information Sciences,
<               Ilbaraki University, March 10, 2003.

[ESP]         Kent, S. and R. Atkinson, "IP Encapsulating Security
              Payload (ESP)", RFC 2406, November 1998.

< [XCBC]        Black, J. and P. Rogaway, "A Suggestion for Handling
<               Arbitrary-Length Messages with the CBC MAC," NIST
<               Second Modes of Operation Workshop, August 2001.
<               http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/
<               xcbc-mac/xcbc-mac-spec.pdf

[AES-CMAC]    JunHyuk Song, Jicheol Lee, Radha Poovendran, Tetsu Iwata
              "The AES-CMAC Algorithm" draft-songlee-aes-cmac-02.txt,
              October 2005 (Work in progress)

10.2. Informative References

[AH]          Kent, S. and R. Atkinson, "Security Architecture for the
              Internet Protocol", RFC 2401, November 1998.

[ROADMAP]     Thayer, R., Doraswamy, N. and R. Glenn, "IP Security
              Document Roadmap", RFC 2411, November 1998.

[OMAC1a]      Tetsu Iwata and Kaoru Kurosawa, "OMAC: One-Key CBC MAC,"
              Fast Software Encryption, FSE 2003, LNCS 2887,
              pp. 129-153, Springer-Verlag, 2003.

[RFC-HMAC]    Hugo Krawczyk, Mihir Bellare and Ran Canetti,
              "HMAC: Keyed-Hashing for Message Authentication,"
              RFC2104, February 1997.

> [OMAC1]       "OMAC: One-Key CBC MAC," Tetsu Iwata and Kaoru Kurosawa,
>               Department of Computer and Information Sciences,
>               Ilbaraki University, March 10, 2003.

[OMAC1b]      Tetsu Iwata and Kaoru Kurosawa, "OMAC: One-Key CBC MAC,"
              Submission to NIST, December 2002.
              Available from the NIST modes of operation web site at
              http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/
              omac/omac-spec.pdf

[XCBCa]       John Black and Phillip Rogaway, "A Suggestion for
              Handling Arbitrary-Length Messages with the CBC MAC,"
              NIST Second Modes of Operation Workshop, August 2001.
              Available from the NIST modes of operation web site at
              http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/
              xcbc-mac/xcbc-mac-spec.pdf

[XCBCb]       John Black and Phillip Rogaway, "CBC MACs for
              Arbitrary-Length Messages: The Three-Key
              Constructions," Journal of Cryptology, Vol. 18, No. 2,
              pp. 111-132, Springer-Verlag, Spring 2005.

> [XCBC]        Black, J. and P. Rogaway, "A Suggestion for Handling
>               Arbitrary-Length Messages with the CBC MAC," NIST
>               Second Modes of Operation Workshop, August 2001.
>               http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/
>               xcbc-mac/xcbc-mac-spec.pdf

[IKEv2]       Kaufman, C., Ed., "Internet Key Exchange (IKEv2)
              Protocol", draft-ietf-ipsec-ikev2-17
              (work in progress), September 2004.
11. Author's Address

Junhyuk Song
University of Washington
Samsung Electronics
(206) 853-5843
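Review bot: moving [OMAC1] and [XCBC] from 10.1 to 10.2 keeps two entries that duplicate [OMAC1a] and [XCBCa] (same authors, same title, same venue and date, and for XCBC the same URL) and that nothing in the draft cites; the introduction uses [OMAC1a, OMAC1b] and [XCBCa, XCBCb], so delete the two entries instead of moving them. "Ilbaraki University" in [OMAC1] is "Ibaraki University". Three unchanged entries also need attention before publication: [AH] is listed as "Security Architecture for the Internet Protocol", RFC 2401, which is the architecture document rather than the Authentication Header specification (RFC 2402, "IP Authentication Header"), yet section 4 relies on [AH] for the default authenticator length; [NIST-CMAC], a normative reference, still points at the March 2005 draft of SP 800-38B rather than the published recommendation; and [IKEv2] cites draft-ietf-ipsec-ikev2-17 from September 2004, which by this -04 revision (February 2006) had been published as RFC 4306.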
skipping to change at page 8, line 17
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

< Copyright (C) The Internet Society (2005). This document is subject
> Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.

Acknowledgment

Funding for the RFC Editor function is currently provided by the
Internet Society.
End of changes. 17 change blocks.
34 lines changed or deleted, 36 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/