< draft-ietf-ipsec-ciph-aes-cbc-03.txt   draft-ietf-ipsec-ciph-aes-cbc-04.txt >
Internet Draft IPsec Working Group Internet Draft IPsec Working Group
November 2001 S. Frankel, NIST June 2002 S. Frankel, NIST
Expiration Date: May 2002 S. Kelly, SonicWALL Expiration Date: December 2002 S. Kelly, Black Storm Networks
R. Glenn, NIST R. Glenn, NIST
The AES Cipher Algorithm and Its Use With IPsec The AES Cipher Algorithm and Its Use With IPsec
<draft-ietf-ipsec-ciph-aes-cbc-03.txt> <draft-ietf-ipsec-ciph-aes-cbc-04.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet Drafts are working all provisions of Section 10 of RFC2026. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working Groups. Note that other groups may also distribute and its working Groups. Note that other groups may also distribute
working documents as Internet Drafts. working documents as Internet Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
skipping to change at page 2, line 9 skipping to change at page 2, line 9
This document describes the use of the AES Cipher Algorithm in Cipher This document describes the use of the AES Cipher Algorithm in Cipher
Block Chaining Mode, with an explicit IV, as a confidentiality mecha- Block Chaining Mode, with an explicit IV, as a confidentiality mecha-
nism within the context of the IPsec Encapsulating Security Payload nism within the context of the IPsec Encapsulating Security Payload
(ESP). (ESP).
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 Specification of Requirements . . . . . . . . . . . . . . . 3 1.1 Specification of Requirements . . . . . . . . . . . . . . . 3
2. The AES Cipher Algorithm . . . . . . . . . . . . . . . . . . . . 3 2. The AES Cipher Algorithm . . . . . . . . . . . . . . . . . . . . 4
2.1 Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1 Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2 Key Size . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2 Key Size . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.3 Weak Keys . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.3 Weak Keys . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.4 Block Size and Padding . . . . . . . . . . . . . . . . . . . 4 2.4 Block Size and Padding . . . . . . . . . . . . . . . . . . . 5
2.5 Rounds . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.5 Rounds . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.6 Additional Information . . . . . . . . . . . . . . . . . . . 5 2.6 Additional Information . . . . . . . . . . . . . . . . . . . 5
2.7 Performance . . . . . . . . . . . . . . . . . . . . . . . . 5 2.7 Performance . . . . . . . . . . . . . . . . . . . . . . . . 5
3. ESP Payload . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. ESP Payload . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1 ESP Algorithmic Interactions . . . . . . . . . . . . . . . . 6 3.1 ESP Algorithmic Interactions . . . . . . . . . . . . . . . . 6
3.2 Keying Material . . . . . . . . . . . . . . . . . . . . . . 6 3.2 Keying Material . . . . . . . . . . . . . . . . . . . . . . 6
4. IKE Interactions . . . . . . . . . . . . . . . . . . . . . . . . 6 4. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1 Phase 1 Identifier . . . . . . . . . . . . . . . . . . . . . 6 5. IKE Interactions . . . . . . . . . . . . . . . . . . . . . . . . 10
4.2 Phase 2 Identifier . . . . . . . . . . . . . . . . . . . . . 6 5.1 Phase 1 Identifier . . . . . . . . . . . . . . . . . . . . . 10
4.3 Key Length Attribute . . . . . . . . . . . . . . . . . . . . 6 5.2 Phase 2 Identifier . . . . . . . . . . . . . . . . . . . . . 10
4.4 Diffie-Hellman Groups . . . . . . . . . . . . . . . . . . . 6 5.3 Key Length Attribute . . . . . . . . . . . . . . . . . . . . 10
4.4.1 Relative Strength . . . . . . . . . . . . . . . . . . 7 5.4 Diffie-Hellman Groups . . . . . . . . . . . . . . . . . . . 10
4.5 Hash Algorithm Considerations . . . . . . . . . . . . . . . 8 5.4.1 Relative Strength . . . . . . . . . . . . . . . . . . 11
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 9 5.5 Hash Algorithm Considerations . . . . . . . . . . . . . . . 12
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 12
7. Intellectual Property Rights Statement . . . . . . . . . . . . . 9 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 12
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 10 8. Intellectual Property Rights Statement . . . . . . . . . . . . . 12
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 13
10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
11. Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 12 11. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
12. Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
As the culmination of a four-year competitive process, NIST (the Na- As the culmination of a four-year competitive process, NIST (the Na-
tional Institute of Standards and Technology) has selected the AES tional Institute of Standards and Technology) has selected the AES
(Advanced Encryption Standard), the successor to the venerable DES. (Advanced Encryption Standard), the successor to the venerable DES.
The competition was an open one, with public participation and com- The competition was an open one, with public participation and com-
ment solicited at each step of the process. The AES, formerly known ment solicited at each step of the process. The AES [AES], formerly
as Rijndael, was chosen from a field of five finalists. known as Rijndael, was chosen from a field of five finalists.
The final AES selection was made on the basis of several additional The AES selection was made on the basis of several characteristics:
characteristics:
+ security
+ unclassified
+ publicly disclosed
+ available royalty-free worldwide
+ capable of handling a block size of at least 128 bits
+ at a minimum, capable of handling key sizes of 128, 192, and
256 bits
+ computational efficiency and memory requirements on a variety + computational efficiency and memory requirements on a variety
of software and hardware, including smart cards of software and hardware, including smart cards
+ flexibility, simplicity and ease of implementation + flexibility, simplicity and ease of implementation
The AES will be the government's designated encryption cipher, and The AES will be the government's designated encryption cipher. The
will be definitively described in a FIPS (Federal Information Pro-
cessing Standard), expected to be completed by summer 2001. The
expectation is that the AES will suffice to protect sensitive expectation is that the AES will suffice to protect sensitive
(unclassified) government information at least until the next cen- (unclassified) government information at least until the next cen-
tury. It is also expected to be widely adopted by businesses and tury. It is also expected to be widely adopted by businesses and
financial institutions. financial institutions.
It is the intention of the IETF IPsec Working Group that AES will It is the intention of the IETF IPsec Working Group that AES will
eventually be adopted as the default IPsec ESP cipher and will obtain eventually be adopted as the default IPsec ESP cipher and will obtain
the status of MUST be included in compliant IPsec implementations. the status of MUST be included in compliant IPsec implementations.
The remainder of this document specifies the use of the AES within The remainder of this document specifies the use of the AES within
skipping to change at page 3, line 54 skipping to change at page 4, line 14
2. The AES Cipher Algorithm 2. The AES Cipher Algorithm
All symmetric block cipher algorithms share common characteristics All symmetric block cipher algorithms share common characteristics
and variables, including mode, key size, weak keys, block size, and and variables, including mode, key size, weak keys, block size, and
rounds. The following sections contain descriptions of the relevant rounds. The following sections contain descriptions of the relevant
characteristics of the AES cipher. characteristics of the AES cipher.
2.1 Mode 2.1 Mode
No operational modes are currently defined for the AES cipher. NIST NIST has defined 5 modes of operation for AES and other FIPS-approved
is in the process of developing a modes of operation FIPS for AES ciphers [MODES]: CBC (Cipher Block Chaining), ECB (Electronic Code-
Book), CFB (Cipher FeedBack), OFB (Output FeedBack) and CTR
(Counter). The CBC mode is well-defined and well-understood for sym-
metric ciphers, and is currently required for all other ESP ciphers.
[MODES]. However, the Cipher Block Chaining (CBC) mode is well- This document specifies the use of the AES cipher in CBC mode within
defined and well-understood for symmetric ciphers, and is currently ESP. This mode requires an Initialization Vector (IV) that is the
required for all other ESP ciphers. This document specifies the use same size as the block size. Use of a randomly generated IV prevents
of the AES cipher in CBC mode within ESP. This mode requires an Ini- generation of identical ciphertext from packets which have identical
tialization Vector (IV) that is the same size as the block size. Use data that spans the first block of the cipher algorithm's block size.
of a randomly generated IV prevents generation of identical cipher-
text from packets which have identical data that spans the first
block of the cipher algorithm's block size.
The IV is XOR'd with the first plaintext block before it is The IV is XOR'd with the first plaintext block before it is
encrypted. Then for successive blocks, the previous ciphertext block encrypted. Then for successive blocks, the previous ciphertext block
is XOR'd with the current plaintext, before it is encrypted. is XOR'd with the current plaintext, before it is encrypted.
More information on CBC mode can be obtained in [CRYPTO-S]. For the More information on CBC mode can be obtained in [MODES, CRYPTO-S].
use of CBC mode in ESP with 64-bit ciphers, see [CBC]. For the use of CBC mode in ESP with 64-bit ciphers, see [CBC].
2.2 Key Size 2.2 Key Size
Some cipher algorithms allow for variable sized keys, while others Some cipher algorithms allow for variable sized keys, while others
only allow specific, pre-defined key sizes. The length of the key only allow specific, pre-defined key sizes. The length of the key
typically correlates with the strength of the algorithm; thus larger typically correlates with the strength of the algorithm; thus larger
keys are usually harder to break than shorter ones. keys are usually harder to break than shorter ones.
This document specifies the default (i.e. MUST be supported) key size This document specifies the default (i.e. MUST be supported) key size
for the AES cipher algorithm. The default key size that implementa- for the AES cipher algorithm. The default key size that implementa-
skipping to change at page 5, line 25 skipping to change at page 5, line 39
for a 256-bit keysize. for a 256-bit keysize.
2.6 Additional Information 2.6 Additional Information
AES was invented by Joan Daemen from Banksys/PWI and Vincent Rijmen AES was invented by Joan Daemen from Banksys/PWI and Vincent Rijmen
from ESAT-COSIC, both in Belgium, and is available world-wide on a from ESAT-COSIC, both in Belgium, and is available world-wide on a
royalty-free basis. It is not covered by any patents, and the Rijn- royalty-free basis. It is not covered by any patents, and the Rijn-
dael homepage contains the following statement: "Rijndael is avail- dael homepage contains the following statement: "Rijndael is avail-
able for free. You can use it for whatever purposes you want, irre- able for free. You can use it for whatever purposes you want, irre-
spective of whether it is accepted as AES or not." AES's description spective of whether it is accepted as AES or not." AES's description
can be found in [RIJNDAEL]. The Rijndael homepage is: can be found in [AES]. The Rijndael homepage is:
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/. http://www.esat.kuleuven.ac.be/~rijmen/rijndael/.
The AES homepage, http://www.nist.gov/aes, contains a wealth of in- The AES homepage, http://www.nist.gov/aes, contains a wealth of in-
formation about the AES, including a definitive description of the formation about the AES, including a definitive description of the
AES algorithm, performance statistics, test vectors and intellectual AES algorithm, performance statistics, test vectors and intellectual
property information. This site also contains information on how to property information. This site also contains information on how to
obtain an AES reference implementation from NIST. obtain an AES reference implementation from NIST.
2.7 Performance 2.7 Performance
For a comparison table of the estimated speeds of AES and other ci- For a comparison table of the estimated speeds of AES and other ci-
pher algorithms, please see [PERF-1], [PERF-2], [PERF-3], or pher algorithms, please see [PERF-1], [PERF-2], [PERF-3], or
[PERF-4]. The AES homepage has pointers to other analyses. The AES [PERF-4]. The AES homepage has pointers to other analyses.
cypher document [RIJNDAEL] also contains performance statistics.
3. ESP Payload 3. ESP Payload
The ESP payload is made up of the IV followed by raw cipher-text. The ESP payload is made up of the IV followed by raw cipher-text.
Thus the payload field, as defined in [ESP], is broken down according Thus the payload field, as defined in [ESP], is broken down according
to the following diagram: to the following diagram:
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| | | |
+ Initialization Vector (16 octets) + + Initialization Vector (16 octets) +
| | | |
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| | | |
~ Encrypted Payload (variable length, a multiple of 16 octets) ~ ~ Encrypted Payload (variable length, a multiple of 16 octets) ~
| | | |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
The IV field MUST be the same size as the block size of the cipher The IV field MUST be the same size as the block size of the cipher
algorithm being used. The IV MUST be chosen at random. Common prac- algorithm being used. The IV MUST be chosen at random, and MUST be
tice is to use random data for the first IV and the last block of en- unpredictable.
crypted data from an encryption process as the IV for the next en-
cryption process.
Including the IV in each datagram ensures that decryption of each re- Including the IV in each datagram ensures that decryption of each re-
ceived datagram can be performed, even when some datagrams are ceived datagram can be performed, even when some datagrams are
dropped, or datagrams are re-ordered in transit. dropped, or datagrams are re-ordered in transit.
To avoid CBC encryption of very similar plaintext blocks in different To avoid CBC encryption of very similar plaintext blocks in different
packets, implementations MUST NOT use a counter or other low-Hamming packets, implementations MUST NOT use a counter or other low-Hamming
distance source for IVs. distance source for IVs.
3.1 ESP Algorithmic Interactions 3.1 ESP Algorithmic Interactions
skipping to change at page 6, line 32 skipping to change at page 6, line 42
3.2 Keying Material 3.2 Keying Material
The minimum number of bits sent from the key exchange protocol to the The minimum number of bits sent from the key exchange protocol to the
ESP algorithm must be greater than or equal to the key size. ESP algorithm must be greater than or equal to the key size.
The cipher's encryption and decryption key is taken from the first The cipher's encryption and decryption key is taken from the first
<x> bits of the keying material, where <x> represents the required <x> bits of the keying material, where <x> represents the required
key size. key size.
4. IKE Interactions 4. Test Vectors
4.1 Phase 1 Identifier The first 4 test cases test AES-CBC encryption. Each test case in-
cludes the key, the plaintext, and the resulting ciphertext. The
values of keys and data are either hexadecimal numbers (prefixed by
"0x") or ASCII character strings (surrounded by double quotes). If a
value is an ASCII character string, then the AES-CBC computation for
the corresponding test case DOES NOT include the trailing null char-
acter ('\0') of the string. The computed cyphertext values are all
hexadecimal numbers.
The last 4 test cases illustrate sample ESP packets using AES-CBC for
encryption. All data are hexadecimal numbers (not prefixed by "0x").
These test cases were verified using 2 independent implementations:
the NIST AES-CBC reference implementation and an implementation pro-
vided by the authors of the Rijndael algorithm
(http://csrc.nist.gov/encryption/aes/rijndael/
rijndael-unix-refc.tar).
Case #1: Encrypting 16 bytes (1 blocks) using AES-CBC with 128-bit key
Key : 0x06a9214036b8a15b512e03d534120006
IV : 0x3dafba429d9eb430b422da802c9fac41
Plaintext : "Single block msg"
Ciphertext: 0xe353779c1079aeb82708942dbe77181a
Case #2: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Key : 0xc286696d887c9aa0611bbb3e2025a45a
IV : 0x562e17996d093d28ddb3ba695a2e6f58
Plaintext : 0x000102030405060708090a0b0c0d0e0f
101112131415161718191a1b1c1d1e1f
Ciphertext: 0xd296cd94c2cccf8a3a863028b5e1dc0a
7586602d253cfff91b8266bea6d61ab1
Case #3: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Key : 0x6c3ea0477630ce21a2ce334aa746c2cd
IV : 0xc782dc4c098c66cbd9cd27d825682c81
Plaintext : "This is a 48-byte message (exactly 3 AES blocks)"
Ciphertext: 0xd0a02b3836451753d493665d33f0e886
2dea54cdb293abc7506939276772f8d5
021c19216bad525c8579695d83ba2684
Case #4: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Key : 0x56e47a38c5598974bc46903dba290349
IV : 0x8ce82eefbea0da3c44699ed7db51b7d9
Plaintext : 0xa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
b0b1b2b3b4b5b6b7b8b9babbbcbdbebf
c0c1c2c3c4c5c6c7c8c9cacbcccdcecf
d0d1d2d3d4d5d6d7d8d9dadbdcdddedf
Ciphertext: 0xc30e32ffedc0774e6aff6af0869f71aa
0f3af07a9a31a9c684db207eb0ef8e4e
35907aa632c3ffdf868bb7b29d3d46ad
83ce9f9a102ee99d49a53e87f4c3da55
Case #5: Sample transport-mode ESP packet (ping 192.168.123.100)
Key: 90d382b4 10eeba7a d938c46c ec1a82bf
SPI: 4321
Source address: 192.168.123.3
Destination address: 192.168.123.100
Sequence number: 1
IV: e96e8c08 ab465763 fd098d45 dd3ff893
Original packet:
IP header (20 bytes): 45000054 08f20000 4001f9fe c0a87b03 c0a87b64
Data (64 bytes):
08000ebd a70a0000 8e9c083d b95b0700 08090a0b 0c0d0e0f 10111213 14151617
18191a1b 1c1d1e1f 20212223 24252627 28292a2b 2c2d2e2f 30313233 34353637
Augment data with:
Padding: 01020304 05060708 090a0b0c 0d0e
Pad length: 0e
Next header: 01 (ICMP)
Pre-encryption Data with padding, pad length and next header (80 bytes):
08000ebd a70a0000 8e9c083d b95b0700 08090a0b 0c0d0e0f 10111213 14151617
18191a1b 1c1d1e1f 20212223 24252627 28292a2b 2c2d2e2f 30313233 34353637
01020304 05060708 090a0b0c 0d0e0e01
Post-encryption packet with SPI, Sequence number, IV:
IP header: 4500007c 08f20000 4032f9a5 c0a87b03 c0a87b64
SPI/Seq #: 00004321 00000001
IV: e96e8c08 ab465763 fd098d45 dd3ff893
Encrypted Data (80 bytes):
f663c25d 325c18c6 a9453e19 4e120849 a4870b66 cc6b9965 330013b4 898dc856
a4699e52 3a55db08 0b59ec3a 8e4b7e52 775b07d1 db34ed9c 538ab50c 551b874a
a269add0 47ad2d59 13ac19b7 cfbad4a6
Case #6: Sample transport-mode ESP packet (ping -p 77 -s 20 192.168.123.100)
Key: 90d382b4 10eeba7a d938c46c ec1a82bf
SPI: 4321
Source address: 192.168.123.3
Destination address: 192.168.123.100
Sequence number: 8
IV: 69d08df7 d203329d b093fc49 24e5bd80
Original packet:
IP header (20 bytes): 45000030 08fe0000 4001fa16 c0a87b03 c0a87b64
Data (28 bytes):
0800b5e8 a80a0500 a69c083d 0b660e00 77777777 77777777 77777777
Augment data with:
Padding: 0102
Pad length: 02
Next header: 01 (ICMP)
Pre-encryption Data with padding, pad length and next header (32 bytes):
0800b5e8 a80a0500 a69c083d 0b660e00 77777777 77777777 77777777 01020201
Post-encryption packet with SPI, Sequence number, IV:
IP header: 4500004c 08fe0000 4032f9c9 c0a87b03 c0a87b64
SPI/Seq #: 00004321 00000008
IV: 69d08df7 d203329d b093fc49 24e5bd80
Encrypted Data (32 bytes):
f5199588 1ec4e0c4 488987ce 742e8109 689bb379 d2d750c0 d915dca3 46a89f75
Case #7: Sample tunnel-mode ESP packet (ping 192.168.123.200)
Key: 01234567 89abcdef 01234567 89abcdef
SPI: 8765
Source address: 192.168.123.3
Destination address: 192.168.123.200
Sequence number: 2
IV: f4e76524 4f6407ad f13dc138 0f673f37
Original packet:
IP header (20 bytes): 45000054 09040000 4001f988 c0a87b03 c0a87bc8
Data (64 bytes):
08009f76 a90a0100 b49c083d 02a20400 08090a0b 0c0d0e0f 10111213 14151617
18191a1b 1c1d1e1f 20212223 24252627 28292a2b 2c2d2e2f 30313233 34353637
Augment data with:
Padding: 01020304 05060708 090a
Pad length: 0a
Next header: 04 (IP-in-IP)
Pre-encryption Data with original IP header, padding, pad length and
next header (96 bytes):
45000054 09040000 4001f988 c0a87b03 c0a87bc8 08009f76 a90a0100 b49c083d
02a20400 08090a0b 0c0d0e0f 10111213 14151617 18191a1b 1c1d1e1f 20212223
24252627 28292a2b 2c2d2e2f 30313233 34353637 01020304 05060708 090a0a04
Post-encryption packet with SPI, Sequence number, IV:
IP header: 4500008c 09050000 4032f91e c0a87b03 c0a87bc8
SPI/Seq #: 00008765 00000002
IV: f4e76524 4f6407ad f13dc138 0f673f37
Encrypted Data (96 bytes):
773b5241 a4c44922 5e4f3ce5 ed611b0c 237ca96c f74a9301 3c1b0ea1 a0cf70f8
e4ecaec7 8ac53aad 7a0f022b 859243c6 47752e94 a859352b 8a4d4d2d ecd136e5
c177f132 ad3fbfb2 201ac990 4c74ee0a 109e0ca1 e4dfe9d5 a100b842 f1c22f0d
Case #8: Sample tunnel-mode ESP packet (ping -p ff -s 40 192.168.123.200)
Key: 01234567 89abcdef 01234567 89abcdef
SPI: 8765
Source address: 192.168.123.3
Destination address: 192.168.123.200
Sequence number: 5
IV: 85d47224 b5f3dd5d 2101d4ea 8dffab22
Original packet:
IP header (20 bytes): 45000044 090c0000 4001f990 c0a87b03 c0a87bc8
Data (48 bytes):
0800d63c aa0a0200 c69c083d a3de0300 ffffffff ffffffff ffffffff ffffffff
ffffffff ffffffff ffffffff ffffffff
Augment data with:
Padding: 01020304 05060708 090a
Pad length: 0a
Next header: 04 (IP-in-IP)
Pre-encryption Data with original IP header, padding, pad length and
next header (80 bytes):
45000044 090c0000 4001f990 c0a87b03 c0a87bc8 0800d63c aa0a0200 c69c083d
a3de0300 ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff
ffffffff 01020304 05060708 090a0a04
Post-encryption packet with SPI, Sequence number, IV:
IP header: 4500007c 090d0000 4032f926 c0a87b03 c0a87bc8
SPI/Seq #: 00008765 00000005
IV: 85d47224 b5f3dd5d 2101d4ea 8dffab22
Encrypted Data (80 bytes):
15b92683 819596a8 047232cc 00f7048f e45318e1 1f8a0f62 ede3c3fc 61203bb5
0f980a08 c9843fd3 a1b06d5c 07ff9639 b7eb7dfb 3512e5de 435e7207 ed971ef3
d2726d9b 5ef6affc 6d17a0de cbb13892
5. IKE Interactions
5.1 Phase 1 Identifier
For Phase 1 negotiations, IANA has assigned an Encryption Algorithm For Phase 1 negotiations, IANA has assigned an Encryption Algorithm
ID of 7 for AES-CBC. ID of 7 for AES-CBC.
4.2 Phase 2 Identifier 5.2 Phase 2 Identifier
For Phase 2 negotiations, IANA has assigned an ESP Transform Identi- For Phase 2 negotiations, IANA has assigned an ESP Transform Identi-
fier of 12 for ESP_AES. fier of 12 for ESP_AES.
4.3 Key Length Attribute 5.3 Key Length Attribute
Since the AES allows variable key lengths, the Key Length attribute Since the AES allows variable key lengths, the Key Length attribute
MUST be specified in both a Phase 1 exchange [IKE] and a Phase 2 ex- MUST be specified in both a Phase 1 exchange [IKE] and a Phase 2 ex-
change [DOI]. change [DOI].
4.4 Diffie-Hellman Groups 5.4 Diffie-Hellman Groups
The Diffie-Hellman algorithm is the basis of cryptographic key ex- The Diffie-Hellman algorithm is the basis of cryptographic key ex-
change within IPsec. The algorithm may be implemented using either change within IPsec. The algorithm may be implemented using either
"MODP" (modulus-exponent) groups or "EC" (elliptic curve) groups. The "MODP" (modulus-exponent) groups or "EC" (elliptic curve) groups. The
general procedure is as follows: the initiator chooses a random expo- general procedure is as follows: the initiator chooses a random expo-
nent x with K bits of entropy that is 2K bits in length (the K bits nent x with K bits of entropy that is 2K bits in length (the K bits
may be hashed to produce 2K bits), and then computes g^x using the may be hashed to produce 2K bits), and then computes g^x using the
group operation: group operation:
X = g^x X = g^x
skipping to change at page 7, line 30 skipping to change at page 11, line 10
Z = g^(xy) = Y^x = X^y Z = g^(xy) = Y^x = X^y
From Z, both derive identical cryptographic keys. From Z, both derive identical cryptographic keys.
This description is simplified in the interest of brevity, and an in- This description is simplified in the interest of brevity, and an in-
depth description of this mechanism is beyond the scope of this memo. depth description of this mechanism is beyond the scope of this memo.
For further details, refer to the wealth of published literature on For further details, refer to the wealth of published literature on
this topic. this topic.
4.4.1 Relative Strength 5.4.1 Relative Strength
The relative strength of the encryption keys derived via the Diffie- The relative strength of the encryption keys derived via the Diffie-
Hellman exchange may be characterized in terms the randomness of the Hellman exchange may be characterized in terms the randomness of the
participant's exponents and the strength of the Diffie-Hellman group; participant's exponents and the strength of the Diffie-Hellman group;
if an exponent has at least 128 completely random bits, it is said if an exponent has at least 128 completely random bits, it is said
to have 128-bits of "entropy". If the Diffie-Hellman group cannot be to have 128-bits of "entropy". If the Diffie-Hellman group cannot be
broken in less time than searching a 128-bit key space, then the de- broken in less time than searching a 128-bit key space, then the de-
rived 128-bit key is said to have 128 bits of "strength". For an in- rived 128-bit key is said to have 128 bits of "strength". For an in-
depth discussion regarding relative strength of values derived from depth discussion regarding relative strength of values derived from
DH exchanges, see [KEYLEN-1]. DH exchanges, see [KEYLEN].
In some cases, one may choose to settle for an amount of entropy In some cases, one may choose to settle for an amount of entropy
which is less than that of a completely random key of the given size. which is less than that of a completely random key of the given size.
There are numerous reasons for making such a choice, among which There are numerous reasons for making such a choice, among which
might include a concern for the computational effort required to com- might include a concern for the computational effort required to com-
plete the key exchange. For example, the following table lists recom- plete the key exchange. For example, the following table lists recom-
mended modulus and exponent sizes for various key lengths using ei- mended modulus and exponent sizes for various key lengths using ei-
ther MODP or EC groups. ther MODP or EC groups.
+===========+=================+================+===============+ +===========+=================+================+===============+
skipping to change at page 8, line 21 skipping to change at page 11, line 46
+-----------+-----------------+----------------+---------------+ +-----------+-----------------+----------------+---------------+
| 256 | 512 | 15430 | MODP | | 256 | 512 | 15430 | MODP |
+-----------+-----------------+----------------+---------------+ +-----------+-----------------+----------------+---------------+
| 128 | 248 | 248 | EC2N | | 128 | 248 | 248 | EC2N |
+-----------+-----------------+----------------+---------------+ +-----------+-----------------+----------------+---------------+
| 192 | 376 | 376 | EC2N | | 192 | 376 | 376 | EC2N |
+-----------+-----------------+----------------+---------------+ +-----------+-----------------+----------------+---------------+
| 256 | 504 | 504 | EC2N | | 256 | 504 | 504 | EC2N |
+-----------+-----------------+----------------+---------------+ +-----------+-----------------+----------------+---------------+
NOTE: This table is based on Section 4.5 in [KEYLEN-1] and on email NOTE: This table is based on Section 4.5 in [KEYLEN]
communications with Hilarie Orman [KEYLEN-2].
Note that the sizes of the moduli and exponents for the MODP groups Note that the sizes of the moduli and exponents for the MODP groups
in the table above are very large, and the computational effort re- in the table above are very large, and the computational effort re-
quired to complete the exponentiation and modulo operations with such quired to complete the exponentiation and modulo operations with such
large values is quite significant using hardware commonly available large values is quite significant using hardware commonly available
in the year 2001. If such considerations are deemed important, then in the year 2002. If such considerations are deemed important, then
keys larger than 128 bits SHOULD NOT be used. Further, if it is de- keys larger than 128 bits SHOULD NOT be used. Further, if it is de-
termined that less than 128 bits of strength will suffice for the se- termined that less than 128 bits of strength will suffice for the se-
curity requirements of the given application, then smaller exponents curity requirements of the given application, then smaller exponents
and moduli may be used. and moduli may be used.
[GROUPS] defines four additional Diffie-Hellman MODP groups for IKE. [GROUPS] defines four additional Diffie-Hellman MODP groups for IKE.
Two of these groups, a 3072-bit MODP group and a 4096-bit MODP group, Two of these groups, a 3072-bit MODP group and a 4096-bit MODP group,
could be used to establish 128-bit AES keys. [IKE-ECC] defines four could be used to establish 128-bit AES keys. [IKE-ECC] defines four
additional Diffie-Hellman ECC groups for IKE. Two of these groups, additional Diffie-Hellman ECC groups for IKE. Two of these groups,
Group 8 and 9, both of which are 283-bit ECC groups, could be used to Group 8 and 9, both of which are 283-bit ECC groups, could be used to
establish 128-bit AES keys. Additional information about the rela- establish 128-bit AES keys. Additional information about the rela-
tionship between the group governing a Diffie-Hellman exchange and tionship between the group governing a Diffie-Hellman exchange and
the symmetric keys derived from the exchange can be found in the symmetric keys derived from the exchange can be found in
[KEYLEN-1]. [KEYLEN].
4.5 Hash Algorithm Considerations 5.5 Hash Algorithm Considerations
A companion competition, to select the successor to SHA-1, the wide- A companion competition, to select the successor to SHA-1, the wide-
ly-used hash algorithm, recently concluded. The resulting hashes, ly-used hash algorithm, recently concluded. The resulting hashes,
called SHA-256, SHA-384 and SHA-512 [SHA2-1] are capable of producing called SHA-256, SHA-384 and SHA-512 [SHA2-1, SHA2-2] are capable of
output of three different lengths (256, 384 and 512 bits), sufficient producing output of three different lengths (256, 384 and 512 bits),
for the generation (within IKE) and authentication (within ESP) of sufficient for the generation (within IKE) and authentication (within
the three AES key sizes (128, 192 and 256 bits). IANA has already ESP) of the three AES key sizes (128, 192 and 256 bits). IANA has
assigned Phase 1 Hash Algorithm values of 4, 5 and 6 to SHA2-256, already assigned Phase 1 Hash Algorithm values of 4, 5 and 6 to
SHA2-384, and SHA2-512. IANA has also assigned AH Transform Identi- SHA2-256, SHA2-384, and SHA2-512. IANA has also assigned AH Trans-
fiers of 5, 6 and 7 to AH_SHA2-256, AH_SHA2-384, and AH_SHA2-512.) form Identifiers of 5, 6 and 7 to AH_SHA2-256, AH_SHA2-384, and
AH_SHA2-512.)
However, HMAC-SHA-1 [HMAC-SHA] and HMAC-MD5 [HMAC-MD5] are currently However, HMAC-SHA-1 [HMAC-SHA] and HMAC-MD5 [HMAC-MD5] are currently
considered of sufficient strength to serve both as IKE generators of considered of sufficient strength to serve both as IKE generators of
128-bit AES keys and as ESP authenticators for AES encryption using 128-bit AES keys and as ESP authenticators for AES encryption using
128-bit keys. 128-bit keys.
5. Security Considerations 6. Security Considerations
Implementations are encouraged to use the largest key sizes they can Implementations are encouraged to use the largest key sizes they can
when taking into account performance considerations for their partic- when taking into account performance considerations for their partic-
ular hardware and software configuration. Note that encryption nec- ular hardware and software configuration. Note that encryption nec-
essarily impacts both sides of a secure channel, so such considera- essarily impacts both sides of a secure channel, so such considera-
tion must take into account not only the client side, but the server tion must take into account not only the client side, but the server
as well. However, a key size of 128 bits is considered secure for the as well. However, a key size of 128 bits is considered secure for the
foreseeable future. foreseeable future.
Because the AES algorithm is relatively new and has only undergone
limited cryptographic analysis, its use in IPsec implementations
should be considered experimental. Once NIST has published the AES
FIPS, and at the recommendation of cryptographic experts, AES should
become a default and mandatory-to-implement cipher algorithm for
IPsec.
For more information regarding the necessary use of random IV values, For more information regarding the necessary use of random IV values,
see [CRYPTO-B]. see [CRYPTO-B].
For further security considerations, the reader is encouraged to read For further security considerations, the reader is encouraged to read
[RIJNDAEL]. [AES].
6. IANA Considerations 7. IANA Considerations
IANA has assigned Encryption Algorithm ID 7 to AES-CBC. IANA has assigned Encryption Algorithm ID 7 to AES-CBC.
IANA has assigned ESP Transform Identifier 12 to ESP_AES. IANA has assigned ESP Transform Identifier 12 to ESP_AES.
7. Intellectual Property Rights Statement 8. Intellectual Property Rights Statement
Pursuant to the provisions of [RFC-2026], the authors represent that Pursuant to the provisions of [RFC-2026], the authors represent that
they have disclosed the existence of any proprietary or intellectual they have disclosed the existence of any proprietary or intellectual
property rights in the contribution that are reasonably and personal- property rights in the contribution that are reasonably and personal-
ly known to the authors. The authors do not represent that they per- ly known to the authors. The authors do not represent that they per-
sonally know of all potentially pertinent proprietary and intellectu- sonally know of all potentially pertinent proprietary and intellectu-
al property rights owned or claimed by the organizations they repre- al property rights owned or claimed by the organizations they repre-
sent or third parties. sent or third parties.
The IETF takes no position regarding the validity or scope of any in- The IETF takes no position regarding the validity or scope of any in-
skipping to change at page 10, line 5 skipping to change at page 13, line 24
might not be available; neither does it represent that it has made might not be available; neither does it represent that it has made
any effort to identify any such rights. Information on the IETF's any effort to identify any such rights. Information on the IETF's
procedures with respect to rights in standards-track and standards- procedures with respect to rights in standards-track and standards-
related documentation can be found in BCP-11. Copies of claims of related documentation can be found in BCP-11. Copies of claims of
rights made available for publication and any assurances of licenses rights made available for publication and any assurances of licenses
to be made available, or the result of an attempt made to obtain a to be made available, or the result of an attempt made to obtain a
general license or permission for the use of such proprietary rights general license or permission for the use of such proprietary rights
by implementers or users of this specification can be obtained from by implementers or users of this specification can be obtained from
the IETF Secretariat. the IETF Secretariat.
8. Acknowledgments 9. Acknowledgments
Portions of this text, as well as its general structure, were un- Portions of this text, as well as its general structure, were un-
abashedly lifted from [CBC]. abashedly lifted from [CBC].
The authors want to thank Hilarie Orman for providing expert advice The authors want to thank Hilarie Orman for providing expert advice
(and a sanity check) on key sizes, requirements for Diffie-Hellman (and a sanity check) on key sizes, requirements for Diffie-Hellman
groups, and IKE interactions. groups, and IKE interactions. We also thank Scott Fluhrer for his
helpful comments and recommendations.
9. References 10. References
[AES] NIST, FIPS PUB 197, "Advanced Encryption Standard
(AES)," November 2001.
http://csrc.nist.gov/publications/fips/fips197/fips-197.{ps,pdf}
[ARCH] Kent, S. and R. Atkinson, "Security Architecture for [ARCH] Kent, S. and R. Atkinson, "Security Architecture for
the Internet Protocol", RFC 2401, November 1998. the Internet Protocol", RFC 2401, November 1998.
[CBC] Pereira, R. and R. Adams, "The ESP CBC-Mode Cipher [CBC] Pereira, R. and R. Adams, "The ESP CBC-Mode Cipher
Algorithms," RFC 2451, November 1998. Algorithms," RFC 2451, November 1998.
[CRYPTO-B] Bellovin, S., "Probable Plaintext Cryptanalysis of the [CRYPTO-B] Bellovin, S., "Probable Plaintext Cryptanalysis of the
IP Security Protocols", Proceedings of the Symposium on IP Security Protocols", Proceedings of the Symposium on
Network and Distributed System Security, San Diego, CA, Network and Distributed System Security, San Diego, CA,
pp. 155-160, February 1997. pp. 155-160, February 1997.
http://www.research.att.com/~smb/probtxt.{ps, pdf}) http://www.research.att.com/~smb/papers/probtxt.{ps, pdf}
[CRYPTO-S] B. Schneier, "Applied Cryptography Second Edition", [CRYPTO-S] B. Schneier, "Applied Cryptography Second Edition",
John Wiley & Sons, New York, NY, 1995, ISBN John Wiley & Sons, New York, NY, 1995, ISBN
0-471-12845-7. 0-471-12845-7.
[DOI] Piper, D., "The Internet IP Security Domain of [DOI] Piper, D., "The Internet IP Security Domain of
Interpretation for ISAKMP," RFC 2407, November 1998. Interpretation for ISAKMP," RFC 2407, November 1998.
[ESP] Kent, S. and R. Atkinson, "IP Encapsulating Security [ESP] Kent, S. and R. Atkinson, "IP Encapsulating Security
Payload (ESP)", RFC 2406, November 1998. Payload (ESP)", RFC 2406, November 1998.
[EVALUATION] [EVALUATION]
Ferguson, N. and B. Schneier, "A Cryptographic Ferguson, N. and B. Schneier, "A Cryptographic
Evaluation of IPsec," Counterpane Internet Security, Evaluation of IPsec," Counterpane Internet Security,
Inc., January 2000. Inc., January 2000.
http://www.counterpane.com/ipsec.{pdf,ps.zip}
[GROUPS] Kivinen, T. and M. Kojo, "More MODP Diffie-Hellman [GROUPS] Kivinen, T. and M. Kojo, "More MODP Diffie-Hellman
groups for IKE," draft-ietf-ipsec-ike-modp- groups for IKE," draft-ietf-ipsec-ike-modp-
groups-00.txt, October 2000. groups-00.txt, October 2000.
[HMAC-MD5] Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within [HMAC-MD5] Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within
ESP and AH," RFC 2403, November 1998. ESP and AH," RFC 2403, November 1998.
[HMAC-SHA] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 [HMAC-SHA] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96
within ESP and AH," RFC 2404, November 1998. within ESP and AH," RFC 2404, November 1998.
[IKE] Harkins, D. and D. Carrel, "The Internet Key Exchange [IKE] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, November 1998. (IKE)", RFC 2409, November 1998.
[IKE-ECC] Panjwani, P. and Y. Poeluev, "Additional ECC Groups For [IKE-ECC] Panjwani, P. and Y. Poeluev, "Additional ECC Groups For
IKE," draft-ietf-ipsec-ike-ecc-groups-02.txt, May 2000. IKE," draft-ietf-ipsec-ike-ecc-groups-02.txt, May 2000.
[KEYLEN-1] Orman, H. and P. Hoffman, "Determining Strengths For [KEYLEN] Orman, H. and P. Hoffman, "Determining Strengths For
Public Keys Used For Exchanging Symmetric Keys," draft- Public Keys Used For Exchanging Symmetric Keys," draft-
orman-public-key-lengths-01.txt, August 2000. orman-public-key-lengths-01.txt, August 2000.
[KEYLEN-2] Orman, H., email communications, February 2000. [MODES] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation: Methods and Techniques," NIST Special
[MODES] "Symmetric Key Block Cipher Modes of Operation." Publication 800-38A, December 2001.
http://www.nist.gov/modes http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
[PERF-1] Bassham, L. III, "Efficiency Testing of ANSI C [PERF-1] Bassham, L. III, "Efficiency Testing of ANSI C
Implementations of Round1 Candidate Algorithms for the Implementations of Round1 Candidate Algorithms for the
Advanced Encryption Standard." Advanced Encryption Standard."
http://csrc.nist.gov/encryption/aes/round1/r1-ansic.pdf http://csrc.nist.gov/encryption/aes/round1/r1-ansic.pdf
[PERF-2] Lipmaa, Helger, "Efficiency Testing Table." [PERF-2] Lipmaa, Helger, "AES/Rijndael: speed."
http://home.cyber.ee/helger/aes http://www.tcs.hut.fi/~helger/aes/rijndael.html
[PERF-3] Nechvetal, J., E. Barker, D. Dodson, M. Dworkin, J. [PERF-3] Nechvetal, J., E. Barker, D. Dodson, M. Dworkin, J.
Foti and E. Roback, "Status Report on the First Round Foti and E. Roback, "Status Report on the First Round
of the Development of the Advanced Encryption of the Development of the Advanced Encryption
Standard." Standard."
http://csrc.nist.gov/encryption/aes/round1/r1report.pdf http://csrc.nist.gov/encryption/aes/round1/r1report.pdf
[PERF-4] Schneier, B., J. Kelsey, D. Whiting, D. Wagner, C. [PERF-4] Schneier, B., J. Kelsey, D. Whiting, D. Wagner, C.
Hall, and N. Ferguson, "Performance Comparison of the Hall, and N. Ferguson, "Performance Comparison of the
AES Submissions." AES Submissions."
http://www.counterpane.com/AES-performance.html http://www.counterpane.com/aes-performance.{pdf,ps.zip}
[RFC-2026] Bradner, S., "The Internet Standards Process -- [RFC-2026] Bradner, S., "The Internet Standards Process --
Revision 3", RFC2026, October 1996. Revision 3", RFC2026, October 1996.
[RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC-2119, March 1997. Requirement Levels", RFC 2119, March 1997.
[RIJNDAEL] Daemen, J. and V. Rijman, "AES Proposal: Rijndael,"
NIST AES Proposal, Jun 1998.
http://csrc.nist.gov/encryption/aes/round2/AESAlgs/Rijndael/Rijndael.pdf
[ROAD] Thayer, R., N. Doraswamy and R. Glenn, "IP Security [ROAD] Thayer, R., N. Doraswamy and R. Glenn, "IP Security
Document Roadmap", RFC 2411, November 1998. Document Roadmap", RFC 2411, November 1998.
[SHA2-1] "Descriptions of SHA-256, SHA-384, and SHA-512." [SHA2-1] NIST, Draft FIPS PUB 180-2 "Specifications for the
http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf. Secure Hash Standard," May 2001.
http://csrc.nist.gov/encryption/shs/dfips-180-2.pdf
10. Authors' Addresses [SHA2-2] "Descriptions of SHA-256, SHA-384, and SHA-512."
http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf
11. Authors' Addresses
Sheila Frankel Sheila Frankel
NIST NIST
820 West Diamond Ave. 820 West Diamond Ave.
Room 680 Room 680
Gaithersburg, MD 20899 Gaithersburg, MD 20899
Phone: +1 (301) 975-3297 Phone: +1 (301) 975-3297
Email: sheila.frankel@nist.gov Email: sheila.frankel@nist.gov
Scott Kelly Scott Kelly
SonicWALL, Inc. Black Storm Networks
1160 Bordeaux Dr. 250 Cambridge Ave
Sunnyvale, CA 94089 Palo Alto CA 94304
Phone: +1 (408) 745-9600 Phone: +1 (650) 617-2934
Email: skelly@sonicwall.com Email: scott@bstormnetworks.com
Rob Glenn Rob Glenn
NIST NIST
820 West Diamond Ave. 820 West Diamond Ave.
Room 605 Room 605
Gaithersburg, MD 20899 Gaithersburg, MD 20899
Phone: +1 (301) 975-3667 Phone: +1 (301) 975-3667
Email: rob.glenn@nist.gov Email: rob.glenn@nist.gov
The IPsec working group can be contacted through the chairs: The IPsec working group can be contacted through the chairs:
Barbara Fraser Barbara Fraser
Cisco Systems Inc. Cisco Systems Inc.
Email: byfraser@cisco.com Email: byfraser@cisco.com
Theodore T'so Theodore Ts'o
Massachusetts Institute of Technology Massachusetts Institute of Technology
Email: tytso@mit.edu Email: tytso@mit.edu
11. Full Copyright Statement 12. Full Copyright Statement
Copyright (C) The Internet Society (1998). All Rights Reserved. Copyright (C) The Internet Society (1998). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this doc- included on all such copies and derivative works. However, this doc-
ument itself may not be modified in any way, such as by removing the ument itself may not be modified in any way, such as by removing the
 End of changes. 46 change blocks. 
103 lines changed or deleted 294 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/