idnits 2.17.1

draft-housley-ccm-mode-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate. This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document is more than 15 pages and seems to lack a Table of Contents.

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == Line 101 has weird spacing: '...encrypt l(m) ...'

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- Couldn't find a document date in the document -- date freshness check
     skipped.
  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '0001' on line 1032

  -- Looks like a reference, but probably isn't: '0002' on line 1033

  == Unused Reference: 'CCM' is defined on line 1082, but no explicit
     reference was found in the text

  -- Obsolete informational reference (is this intentional?): RFC 2406 (ref.
     'ESP') (Obsoleted by RFC 4303, RFC 4305)

     Summary: 3 errors (**), 0 flaws (~~), 4 warnings (==), 5 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    Internet Engineering Task Force                               D. Whiting
3    Internet-Draft                                                      Hifn
4    Expires: January 2003                                         R. Housley
5                                                            RSA Laboratories
6                                                                 N. Ferguson
7                                                                   MacFergus

9                          Counter with CBC-MAC (CCM)
10

12   Status of this Memo

14   This document is an Internet-Draft and is in full conformance with all
15   provisions of Section 10 of RFC2026.

17   Internet-Drafts are working documents of the Internet Engineering Task
18   Force (IETF), its areas, and its working groups. Note that other
19   groups may also distribute working documents as Internet-Drafts.

21   Internet-Drafts are draft documents valid for a maximum of six months
22   and may be updated, replaced, or obsoleted by other documents at any
23   time. It is inappropriate to use Internet-Drafts as reference
24   material or to cite them other than as "work in progress."

26   The list of current Internet-Drafts can be accessed at
27   http://www.ietf.org/ietf/1id-abstracts.txt

29   The list of Internet-Draft Shadow Directories can be accessed at
30   http://www.ietf.org/shadow.html.

32   Abstract

34   Counter with CBC-MAC (CCM) is a generic authenticated encryption block
35   cipher mode. CCM is defined for use with 128-bit block ciphers, such
36   as AES.

38   1. Introduction

40   Counter with CBC-MAC (CCM) is a generic authenticated encryption block
41   cipher mode. CCM is only defined for use with 128-bit block ciphers,
42   such as AES [AES]. The CCM design principles can easily be
43   applied to other block sizes, but these modes will require their own
44   specifications.

46   1.1. Conventions Used In This Document

48   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
49   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
50   document are to be interpreted as described in [STDWORDS].

52   2. CCM Mode Specification

54   For the generic CCM mode there are two parameter choices. The first
55   choice is M, the size of the authentication field. The choice of the
56   value for M involves a trade-off between message expansion and the
57   probability that an attacker can undetectably modify a message. Valid
58   values are 4, 6, 8, 10, 12, 14, and 16 octets. The second choice is
59   L, the size of the length field. This value requires a trade-off
60   between the maximum message size and the size of the Nonce. Different
61   applications require different trade-offs, so L is a parameter. Valid
62   values of L range between 2 octets and 8 octets (the value L=1 is
63   reserved).

65      Name  Description                               Size    Encoding
66      ----  ----------------------------------------  ------  --------
67      M     Number of octets in authentication field  3 bits  (M-2)/2
68      L     Number of octets in length field          3 bits  L-1

70   2.1. Inputs

72   To authenticate and encrypt a message the following information is
73   required:

75      1. An encryption key K suitable for the block cipher.

77      2. A nonce N of 15-L octets. Within the scope of any encryption
78      key K, the nonce value MUST be unique. That is, the set of nonce
79      values used with any given key MUST NOT contain any duplicate
80      values. Using the same nonce for two different messages encrypted
81      with the same key destroys the security properties of this mode.

83      3. The message m, consisting of a string of l(m) octets where 0
84      <= l(m) < 2^(8L). The length restriction ensures that l(m) can be
85      encoded in a field of L octets.

87      4. Additional authenticated data a, consisting of a string of
88      l(a) octets where 0 <= l(a) < 2^64. This additional data is
89      authenticated but not encrypted, and is not included in the output
90      of this mode. It can be used to authenticate plaintext packet
91      headers, or contextual information that affects the interpretation
92      of the message. Users who do not wish to authenticate additional
93      data can provide a string of length zero.

95   The inputs are summarized as:

97      Name  Description                          Size
98      ----  -----------------------------------  -----------------------
99      K     Block cipher key                     Depends on block cipher
100     N     Nonce                                15-L octets
101     m     Message to authenticate and encrypt  l(m) octets
102     a     Additional authenticated data        l(a) octets

104  2.2. Authentication

106  The first step is to compute the authentication field T. This is
107  done using CBC-MAC [MAC]. We first define a sequence of blocks B_0,
108  B_1, ..., B_n and then apply CBC-MAC to these blocks.

110  The first block B_0 is formatted as follows, where l(m) is encoded in
111  most-significant-byte first order:

113     Octet Number  Contents
114     ------------  ---------
115     0             Flags
116     1 ... 15-L    Nonce N
117     16-L ... 15   l(m)

119  Within the first block B_0, the Flags field is formatted as follows:

121     Bit Number  Contents
122     ----------  ----------------------
123     7           Reserved (always zero)
124     6           Adata
125     5 ... 3     M
126     2 ... 0     L

128  The Reserved bit is reserved for future expansions and should always
129  be set to zero. The Adata bit is set to zero if l(a)=0, and set to
130  one if l(a)>0. The M field encodes the value of M as (M-2)/2. As M
131  can take on the even values from 4 to 16, the 3-bit field can take on
132  the values from 1 to 7. The L field encodes the size of the length
133  field used to store l(m). The parameter L can take on the values
134  from 2 to 8 (recall, the value L=1 is reserved). This value is
135  encoded in the 3-bit field using the values from 1 to 7 by choosing
136  the field value as L-1 (the zero value is reserved).

138  If l(a)>0 (as indicated by the Adata field), then one or more blocks
139  of authentication data are added. These blocks contain l(a) and a
140  encoded in a reversible manner. We first construct a string that
141  encodes l(a).

143  If 0 < l(a) < (2^16 - 2^8), then the length field is encoded as two
144  octets which contain the value l(a) in most-significant-byte first
145  order.

147  If (2^16 - 2^8) <= l(a) < 2^32, then the length field is encoded as
148  six octets consisting of the octets 0xff, 0xfe, and four octets
149  encoding l(a) in most-significant-byte-first order.

151  If 2^32 <= l(a) < 2^64, then the length field is encoded as ten
152  octets consisting of the octets 0xff, 0xff, and eight octets encoding
153  l(a) in most-significant-byte-first order.

155  The length encoding conventions are summarized in the following
156  table. Note that all fields are interpreted in most-significant-byte
157  first order.

159     First two octets   Followed by       Comment
160     -----------------  ----------------  -------------------------------
161     0x0000             Nothing           Reserved
162     0x0001 ... 0xFEFF  Nothing           For 0 < l(a) < (2^16 - 2^8)
163     0xFF00 ... 0xFFFD  Nothing           Reserved
164     0xFFFE             4 octets of l(a)  For (2^16 - 2^8) <= l(a) < 2^32
165     0xFFFF             8 octets of l(a)  For 2^32 <= l(a) < 2^64

167  The blocks encoding a are formed by concatenating this string that
168  encodes l(a) with a itself, and splitting the result into 16-octet
169  blocks, and then padding the last block with zeroes if necessary.
170  These blocks are appended to the first block B_0.

172  After the (optional) additional authentication blocks have been
173  added, we add the message blocks. The message blocks are formed by
174  splitting the message m into 16-octet blocks, and then padding the
175  last block with zeroes if necessary. If the message m consists of
176  the empty string, then no blocks are added in this step.

178  The result is a sequence of blocks B_0, B_1, ..., B_n. The CBC-MAC is
179  computed by:

181     X_1 := E( K, B_0 )
182     X_i+1 := E( K, X_i XOR B_i )  for i=1, ..., n
183     T := first-M-bytes( X_n+1 )

185  where E() is the block cipher encryption function, and T is the MAC
186  value. CCM was designed with AES in mind for the E() function, but
187  any 128-bit block cipher can be used. Note that the last block B_n
188  is XORed with X_n, and the result is encrypted with the block cipher.
189  If needed, the ciphertext is truncated to give T.

191  2.3. Encryption

193  To encrypt the message data we use Counter (CTR) mode. We first
194  define the key stream blocks by:

196     S_i := E( K, A_i )  for i=0, 1, 2, ...

198  The values A_i are formatted as follows, where both Nonce (N) and
199  Counter (i) fields are encoded in most-significant-byte first order:

201     Octet Number  Contents
202     ------------  ---------
203     0             Flags
204     1 ... 15-L    Nonce N
205     16-L ... 15   Counter i

207  The Flags field is formatted as follows:

209     Bit Number  Contents
210     ----------  ----------------------
211     7           Reserved (always zero)
212     6           Reserved (always zero)
213     5 ... 3     Zero
214     2 ... 0     L

216  The Reserved bits are reserved for future expansions and MUST be set
217  to zero. Bit 6 corresponds to the Adata bit in the B_0 block, but as
218  this bit is not used here, it is reserved and MUST be set to zero.
219  Bits 3, 4, and 5 are also set to zero, ensuring that all the A blocks
220  are distinct from B_0, which has the non-zero encoding of M in this
221  position. Bits 0, 1, and 2 contain L, using the same encoding as in
222  B_0.
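
The block layouts described so far (B_0, the l(a) length prefix, the zero-padded data blocks, and the counter blocks A_i) can be checked without a block cipher. The following Python is an added example, not part of the draft; the function names are this example's own, and the sample inputs are those of Packet Vector #1 in the Test Vectors section (M=8, L=2).

```python
# Added example: CCM block formatting. All function names are this example's own.
VALID_M = (4, 6, 8, 10, 12, 14, 16)

# Inputs of Packet Vector #1 from the Test Vectors section (M=8, L=2).
VEC1_NONCE = bytes.fromhex("00000003020100A0A1A2A3A4A5")
VEC1_AAD = bytes(range(0x00, 0x08))   # the 8 cleartext header octets
VEC1_MSG = bytes(range(0x08, 0x1F))   # the remaining 23 octets of the packet


def check_params(nonce, L, M=None):
    """Reject parameter combinations the specification does not allow."""
    if not 2 <= L <= 8:
        raise ValueError("L must be 2..8 octets (L=1 is reserved)")
    if len(nonce) != 15 - L:
        raise ValueError(f"nonce must be {15 - L} octets when L={L}")
    if M is not None and M not in VALID_M:
        raise ValueError("M must be an even value from 4 to 16 octets")


def encode_aad_length(la):
    """Length prefix for l(a) > 0, most-significant byte first."""
    if la <= 0:
        raise ValueError("no length prefix is emitted when l(a) = 0")
    if la < 2**16 - 2**8:
        return la.to_bytes(2, "big")
    if la < 2**32:
        return b"\xff\xfe" + la.to_bytes(4, "big")
    if la < 2**64:
        return b"\xff\xff" + la.to_bytes(8, "big")
    raise ValueError("l(a) must be below 2^64")


def pad_blocks(data):
    """Split into 16-octet blocks, zero-padding the last; empty input gives []."""
    data += b"\x00" * (-len(data) % 16)
    return [data[i:i + 16] for i in range(0, len(data), 16)]


def format_b_blocks(nonce, aad, msg, M, L):
    """Return [B_0, B_1, ..., B_n], the block sequence fed to CBC-MAC."""
    check_params(nonce, L, M)
    if len(msg) >= 2 ** (8 * L):
        raise ValueError("l(m) does not fit in an L-octet length field")
    adata = 0x40 if aad else 0x00                      # bit 6
    flags = adata | (((M - 2) // 2) << 3) | (L - 1)    # bits 5..3 and 2..0
    blocks = [bytes([flags]) + nonce + len(msg).to_bytes(L, "big")]
    if aad:
        blocks += pad_blocks(encode_aad_length(len(aad)) + aad)
    blocks += pad_blocks(msg)
    return blocks


def counter_block(nonce, i, L):
    """Return A_i, the CTR-mode input that produces key stream block S_i."""
    check_params(nonce, L)
    if not 0 <= i < 2 ** (8 * L):
        raise ValueError("counter does not fit in L octets")
    # Bits 7..3 are zero, so the Flags octet is just the L encoding.
    return bytes([L - 1]) + nonce + i.to_bytes(L, "big")


def flag_overlap():
    """Flags octets that could occur in both a B_0 block and an A_i block."""
    b0 = {a | (((M - 2) // 2) << 3) | (L - 1)
          for a in (0x00, 0x40) for M in VALID_M for L in range(2, 9)}
    ctr = {L - 1 for L in range(2, 9)}
    return b0 & ctr


if __name__ == "__main__":
    for n, block in enumerate(format_b_blocks(VEC1_NONCE, VEC1_AAD, VEC1_MSG, 8, 2)):
        print(f"B_{n}: {block.hex(' ').upper()}")
    print("A_1:", counter_block(VEC1_NONCE, 1, 2).hex(" ").upper())
    print("flags shared by B_0 and A_i:", flag_overlap())
```

For Packet Vector #1, B_0 is the "CBC IV in" line and A_1 is the "CTR Start" line; B_1 through B_3 are the values XORed in on the "[hdr]" and "[msg]" lines.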

224  The message is encrypted by XORing the octets of message m with the
225  first l(m) octets of the concatenation of S_1, S_2, S_3, ... . Note
226  that S_0 is not used to encrypt the message.

228  The authentication value U is computed by encrypting T with the key
229  stream block S_0 and truncating it to the desired length.

231     U := T XOR first-M-bytes( S_0 )

233  2.4. Output

235  The final result c consists of the encrypted message m, followed by
236  the encrypted authentication value U.

238  2.5. Decryption and Authentication Checking

240  To decrypt a message the following information is required:

242     1. The encryption key K.

244     2. The nonce N.

246     3. The additional authenticated data a.

248     4. The encrypted and authenticated message c.

250  Decryption starts by recomputing the key stream to recover the
251  message m and the MAC value T. The message and additional
252  authentication data are then used to recompute the CBC-MAC value and
253  check T.

255  If the T value is not correct, the receiver MUST NOT reveal any
256  information except for the fact that T is incorrect. The receiver
257  MUST NOT reveal the decrypted message, the value T, or any other
258  information.

260  2.6. Restrictions

262  All implementations MUST limit the total amount of data that is
263  encrypted with a single key. The sender MUST ensure that the total
264  number of block cipher encryption operations in the CBC-MAC and
265  encryption together does not exceed 2^61. (This allows nearly 2^64
266  octets to be encrypted and authenticated using CCM, which should be
267  more than enough for most applications.) Receivers that do not
268  expect to decrypt the same message twice MAY also check this limit.

270  The recipient MUST verify the CBC-MAC before releasing any
271  information such as the plaintext. If the CBC-MAC verification
272  fails, the receiver MUST destroy all information, except for the fact
273  that the CBC-MAC verification failed.

275  3. Security Proof

277  Jakob Jonsson from RSA Laboratories has developed a security proof of
278  CCM. The resulting paper will be published in the proceedings of the
279  SAC '02 conference, so it will be available to everyone very soon.
280  The proof shows that CCM provides a level of confidentiality and
281  authenticity that is in line with other proposed authenticated
282  encryption modes, such as OCB mode [OCB].

284  4. Rationale

286  The main difficulty in specifying this mode is the trade-off between
287  nonce size and counter size. For a general mode we want to support
288  large messages. Some applications use only small messages, but would
289  rather have a larger nonce. Introducing the L parameter solves this
290  issue. The parameter M gives the traditional trade-off between
291  message expansion and probability of forgery. For most applications,
292  we recommend choosing M at least 8.

294  The CBC-MAC is computed over a sequence of blocks that encode the
295  relevant data in a unique way. Given the block sequence it is easy
296  to recover N, M, L, m, and a. The length encoding of a was chosen to
297  be simple and efficient when a is empty and when a is small. We
298  expect that many implementations will limit the maximum size of a.

300  CCM encryption is a straightforward application of CTR mode [MODES].
301  As some implementations will support a variable length counter field,
302  we have ensured that the least significant octet of the counter is at
303  one end of the field. This also ensures that the counter is aligned
304  on the block boundary.

306  By encrypting T we avoid CBC-MAC collision attacks. If the block
307  cipher behaves as a pseudo-random permutation, then the key stream is
308  indistinguishable from a random string. Thus, the attacker gets no
309  information about the CBC-MAC results. The only avenue of attack
310  that is left is a differential-style attack, which has no significant
311  chance of success if the block cipher is a pseudo-random permutation.

313  To simplify implementation we use the same block cipher key for the
314  encryption and authentication functions. In our design this is not a
315  problem. All the A blocks are different, and they are different from
316  the B_0 block. If the block cipher behaves like a random
317  permutation, then the outputs are independent of each other, up to
318  the insignificant limitation that they are all different. The only
319  cases where the inputs to the block cipher can overlap are an
320  intermediate value in the CBC-MAC and one of the other encryptions.
321  As all the intermediate values of the CBC-MAC computation are
322  essentially random (because the block cipher behaves like a random
323  permutation) the probability of such a collision is very small. Even
324  if there is a collision, these values only affect T, which is
325  encrypted so that an attacker cannot deduce any information, or
326  detect any collision.

328  Care has been taken to ensure that the blocks used by the
329  authentication function match up with the blocks used by the
330  encryption function. This should simplify hardware implementations,
331  and reduce the amount of byte-shifting required by software
332  implementations.

334  5. Nonce Suggestions

336  The main requirement is that, within the scope of a single key, the
337  nonce values are unique for each message. A common technique is to
338  number messages sequentially, and to use this number as the nonce.
339  Sequential message numbers are also used to detect replay attacks and
340  to detect message reordering, so in many situations (such as IPsec
341  ESP [ESP]) the sequence numbers are already available.

343  Users of CCM, and all other block cipher modes, should be aware of
344  precomputation attacks. These are effectively collision attacks on
345  the cipher key. Let us suppose the key K is 128 bits, and the same
346  nonce value N' is used with many different keys. The attacker
347  chooses a particular nonce N'. She chooses 2^64 different keys at
348  random and computes a table entry for each K value, generating a pair
349  of the form (K,S_1). (Given the key and the nonce, computing S_1 is
350  easy.) She then waits for messages to be sent with nonce N'. We
351  will assume the first 16 bytes of each message are known so that she
352  can compute S_1 for each message. She looks in her table for a pair
353  with a matching S_1 value. She can expect to find a match after
354  checking about 2^64 messages. Once a match is found, the other part
355  of the matched pair is the key in question. The total workload of
356  the attacker is only 2^64 steps, rather than the expected 2^128
357  steps. Similar precomputation attacks exist for all block cipher
358  modes.

360  The main weapon against precomputation attacks is to use a larger
361  key. Using a 256-bit key forces the attacker to perform at least
362  2^128 precomputations, which is infeasible. In situations where
363  using a large key is not possible or desirable (for example, due to
364  the resulting performance impact), users can use part of the nonce to
365  reduce the number of times any specific nonce value is used with
366  different keys. If there is room in the nonce, the sender could add
367  a few random bytes, and send these random bytes along with the
368  message. This makes the precomputation attack much harder, as the
369  attacker now has to precompute a table for each of the possible
370  random values. An alternative is to use something like the sender's
371  Ethernet address. Note that due to the widespread use of DHCP and
372  NAT, IP addresses are rarely unique. Including the Ethernet address
373  forces the attacker to perform the precomputation specifically for a
374  specific source address, and the resulting table could not be used to
375  attack anyone else. Although these solutions can all work, they need
376  careful analysis and almost never entirely prevent these attacks.
377  Where possible, we recommend using a larger key, as this solves all
378  the problems.

380  6. Efficiency and Performance

382  Performance depends on the speed of the block cipher implementation.
383  In hardware, for large packets, the speed achievable for CCM is
384  roughly the same as that achievable with the CBC encryption mode.

386  Encrypting and authenticating an empty message, without any
387  additional authentication data, requires two block cipher encryption
388  operations. For each block of additional authentication data one
389  additional block cipher encryption operation is required (if one
390  includes the length encoding). Each message block requires two block
391  cipher encryption operations. The worst-case situation is when both
392  the message and the additional authentication data are a single
393  octet. In this case, CCM requires five block cipher encryption
394  operations.

396  CCM results in the minimal possible message expansion; the only bits
397  added are the authentication bits.

399  Both the CCM encryption and CCM decryption operations require only
400  the block cipher encryption function. In AES, the encryption and
401  decryption algorithms have some significant differences. Thus, using
402  only the encrypt operation can lead to significant savings in code
403  size or hardware size.

405  In hardware, CCM can compute the message authentication code and
406  perform encryption in a single pass. That is, the implementation
407  does not have to complete calculation of the message authentication
408  code before encryption can begin.

410  7. Summary of Properties

412  Security Function
413     authenticated encryption

415  Error Propagation
416     none

418  Synchronization
419     same nonce used by sender and recipient

421  Parallelizability
422     encryption can be parallelized, but authentication cannot

424  Keying Material Requirements
425     one key

427  Counter/IV/Nonce Requirements
428     counter and nonce are part of the counter block

430  Memory Requirements
431     requires memory for encrypt operation of the underlying block
432     cipher, plaintext, ciphertext (expanded for CBC-MAC), and a per-
433     packet counter (an integer; at most L octets in size)

435  Pre-processing Capability
436     encryption key stream can be precomputed, but authentication
437     cannot

439  Message Length Requirements
440     octet aligned message of arbitrary length, up to 2^(8*L) octets,
441     and octet aligned arbitrary additional authenticated data, up to
442     2^64 octets

444  Ciphertext Expansion
445     4, 6, 8, 10, 12, 14, or 16 octets depending on size of MAC
446     selected

448  8. Test Vectors

450  These test vectors use AES for the block cipher [AES]. In each of
451  these test vectors, the least significant sixteen bits of the counter
452  block are used for the block counter, and the nonce is 13 octets.
453  Some of the test vectors include an eight-octet authentication value,
454  and others include a ten-octet authentication value.

456  =============== Packet Vector #1 ==================
457  AES Key = C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
458  Nonce = 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5
459  Total packet length = 31.
[Input with 8 cleartext header octets] 460 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 461 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 462 CBC IV in: 59 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5 00 17 463 CBC IV out:EB 9D 55 47 73 09 55 AB 23 1E 0A 2D FE 4B 90 D6 464 After xor: EB 95 55 46 71 0A 51 AE 25 19 0A 2D FE 4B 90 D6 [hdr] 465 After AES: CD B6 41 1E 3C DC 9B 4F 5D 92 58 B6 9E E7 F0 91 466 After xor: C5 BF 4B 15 30 D1 95 40 4D 83 4A A5 8A F2 E6 86 [msg] 467 After AES: 9C 38 40 5E A0 3C 1B C9 04 B5 8B 40 C7 6C A2 EB 468 After xor: 84 21 5A 45 BC 21 05 C9 04 B5 8B 40 C7 6C A2 EB [msg] 469 After AES: 2D C6 97 E4 11 CA 83 A8 60 C2 C4 06 CC AA 54 2F 470 CBC-MAC : 2D C6 97 E4 11 CA 83 A8 471 CTR Start: 01 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5 00 01 472 CTR[0001]: 50 85 9D 91 6D CB 6D DD E0 77 C2 D1 D4 EC 9F 97 473 CTR[0002]: 75 46 71 7A C6 DE 9A FF 64 0C 9C 06 DE 6D 0D 8F 474 CTR[MAC ]: 3A 2E 46 C8 EC 33 A5 48 475 Total packet length = 39. [Authenticated and Encrypted Output] 476 00 01 02 03 04 05 06 07 58 8C 97 9A 61 C6 63 D2 477 F0 66 D0 C2 C0 F9 89 80 6D 5F 6B 61 DA C3 84 17 478 E8 D1 2C FD F9 26 E0 480 =============== Packet Vector #2 ================== 481 AES Key = C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 482 Nonce = 00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5 483 Total packet length = 32. 
[Input with 8 cleartext header octets] 484 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 485 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 486 CBC IV in: 59 00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5 00 18 487 CBC IV out:F0 C2 54 D3 CA 03 E2 39 70 BD 24 A8 4C 39 9E 77 488 After xor: F0 CA 54 D2 C8 00 E6 3C 76 BA 24 A8 4C 39 9E 77 [hdr] 489 After AES: 48 DE 8B 86 28 EA 4A 40 00 AA 42 C2 95 BF 4A 8C 490 After xor: 40 D7 81 8D 24 E7 44 4F 10 BB 50 D1 81 AA 5C 9B [msg] 491 After AES: 0F 89 FF BC A6 2B C2 4F 13 21 5F 16 87 96 AA 33 492 After xor: 17 90 E5 A7 BA 36 DC 50 13 21 5F 16 87 96 AA 33 [msg] 493 After AES: F7 B9 05 6A 86 92 6C F3 FB 16 3D C4 99 EF AA 11 494 CBC-MAC : F7 B9 05 6A 86 92 6C F3 495 CTR Start: 01 00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5 00 01 496 CTR[0001]: 7A C0 10 3D ED 38 F6 C0 39 0D BA 87 1C 49 91 F4 497 CTR[0002]: D4 0C DE 22 D5 F9 24 24 F7 BE 9A 56 9D A7 9F 51 498 CTR[MAC ]: 57 28 D0 04 96 D2 65 E5 499 Total packet length = 40. [Authenticated and Encrypted Output] 500 00 01 02 03 04 05 06 07 72 C9 1A 36 E1 35 F8 CF 501 29 1C A8 94 08 5C 87 E3 CC 15 C4 39 C9 E4 3A 3B 502 A0 91 D5 6E 10 40 09 16 504 =============== Packet Vector #3 ================== 505 AES Key = C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 506 Nonce = 00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5 507 Total packet length = 33. 
[Input with 8 cleartext header octets] 508 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 509 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 510 20 511 CBC IV in: 59 00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5 00 19 512 CBC IV out:6F 8A 12 F7 BF 8D 4D C5 A1 19 6E 95 DF F0 B4 27 513 After xor: 6F 82 12 F6 BD 8E 49 C0 A7 1E 6E 95 DF F0 B4 27 [hdr] 514 After AES: 37 E9 B7 8C C2 20 17 E7 33 80 43 0C BE F4 28 24 515 After xor: 3F E0 BD 87 CE 2D 19 E8 23 91 51 1F AA E1 3E 33 [msg] 516 After AES: 90 CA 05 13 9F 4D 4E CF 22 6F E9 81 C5 9E 2D 40 517 After xor: 88 D3 1F 08 83 50 50 D0 02 6F E9 81 C5 9E 2D 40 [msg] 518 After AES: 73 B4 67 75 C0 26 DE AA 41 03 97 D6 70 FE 5F B0 519 CBC-MAC : 73 B4 67 75 C0 26 DE AA 520 CTR Start: 01 00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5 00 01 521 CTR[0001]: 59 B8 EF FF 46 14 73 12 B4 7A 1D 9D 39 3D 3C FF 522 CTR[0002]: 69 F1 22 A0 78 C7 9B 89 77 89 4C 99 97 5C 23 78 523 CTR[MAC ]: 39 6E C0 1A 7D B9 6E 6F 524 Total packet length = 41. [Authenticated and Encrypted Output] 525 00 01 02 03 04 05 06 07 51 B1 E5 F4 4A 19 7D 1D 526 A4 6B 0F 8E 2D 28 2A E8 71 E8 38 BB 64 DA 85 96 527 57 4A DA A7 6F BD 9F B0 C5 529 =============== Packet Vector #4 ================== 530 AES Key = C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 531 Nonce = 00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5 532 Total packet length = 31. 
[Input with 12 cleartext header octets] 533 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 534 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 535 CBC IV in: 59 00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5 00 13 536 CBC IV out:06 65 2C 60 0E F5 89 63 CA C3 25 A9 CD 3E 2B E1 537 After xor: 06 69 2C 61 0C F6 8D 66 CC C4 2D A0 C7 35 2B E1 [hdr] 538 After AES: A0 75 09 AC 15 C2 58 86 04 2F 80 60 54 FE A6 86 539 After xor: AC 78 07 A3 05 D3 4A 95 10 3A 96 77 4C E7 BC 9D [msg] 540 After AES: 64 4C 09 90 D9 1B 83 E9 AB 4B 8E ED 06 6F F5 BF 541 After xor: 78 51 17 90 D9 1B 83 E9 AB 4B 8E ED 06 6F F5 BF [msg] 542 After AES: 4B 4F 4B 39 B5 93 E6 BF B0 B2 C2 B7 0F 29 CD 7A 543 CBC-MAC : 4B 4F 4B 39 B5 93 E6 BF 544 CTR Start: 01 00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5 00 01 545 CTR[0001]: AE 81 66 6A 83 8B 88 6A EE BF 4A 5B 32 84 50 8A 546 CTR[0002]: D1 B1 92 06 AC 93 9E 2F B6 DD CE 10 A7 74 FD 8D 547 CTR[MAC ]: DD 87 2A 80 7C 75 F8 4E 548 Total packet length = 39. [Authenticated and Encrypted Output] 549 00 01 02 03 04 05 06 07 08 09 0A 0B A2 8C 68 65 550 93 9A 9A 79 FA AA 5C 4C 2A 9D 4A 91 CD AC 8C 96 551 C8 61 B9 C9 E6 1E F1 553 =============== Packet Vector #5 ================== 554 AES Key = C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 555 Nonce = 00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5 556 Total packet length = 32. 
[Input with 12 cleartext header octets] 557 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 558 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 559 CBC IV in: 59 00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5 00 14 560 CBC IV out:00 4C 50 95 45 80 3C 48 51 CD E1 3B 56 C8 9A 85 561 After xor: 00 40 50 94 47 83 38 4D 57 CA E9 32 5C C3 9A 85 [hdr] 562 After AES: E2 B8 F7 CE 49 B2 21 72 84 A8 EA 84 FA AD 67 5C 563 After xor: EE B5 F9 C1 59 A3 33 61 90 BD FC 93 E2 B4 7D 47 [msg] 564 After AES: 3E FB 36 72 25 DB 11 01 D3 C2 2F 0E CA FF 44 F3 565 After xor: 22 E6 28 6D 25 DB 11 01 D3 C2 2F 0E CA FF 44 F3 [msg] 566 After AES: 48 B9 E8 82 55 05 4A B5 49 0A 95 F9 34 9B 4B 5E 567 CBC-MAC : 48 B9 E8 82 55 05 4A B5 568 CTR Start: 01 00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5 00 01 569 CTR[0001]: D0 FC F5 74 4D 8F 31 E8 89 5B 05 05 4B 7C 90 C3 570 CTR[0002]: 72 A0 D4 21 9F 0D E1 D4 04 83 BC 2D 3D 0C FC 2A 571 CTR[MAC ]: 19 51 D7 85 28 99 67 26 572 Total packet length = 40. [Authenticated and Encrypted Output] 573 00 01 02 03 04 05 06 07 08 09 0A 0B DC F1 FB 7B 574 5D 9E 23 FB 9D 4E 13 12 53 65 8A D8 6E BD CA 3E 575 51 E8 3F 07 7D 9C 2D 93 577 =============== Packet Vector #6 ================== 578 AES Key = C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 579 Nonce = 00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5 580 Total packet length = 33. 
[Input with 12 cleartext header octets] 581 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 582 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 583 20 584 CBC IV in: 59 00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5 00 15 585 CBC IV out:04 72 DA 4C 6F F6 0A 63 06 52 1A 06 04 80 CD E5 586 After xor: 04 7E DA 4D 6D F5 0E 66 00 55 12 0F 0E 8B CD E5 [hdr] 587 After AES: 64 4C 36 A5 A2 27 37 62 0B 89 F1 D7 BF F2 73 D4 588 After xor: 68 41 38 AA B2 36 25 71 1F 9C E7 C0 A7 EB 69 CF [msg] 589 After AES: 41 E1 19 CD 19 24 CE 77 F1 2F A6 60 C1 6E BB 4E 590 After xor: 5D FC 07 D2 39 24 CE 77 F1 2F A6 60 C1 6E BB 4E [msg] 591 After AES: A5 27 D8 15 6A C3 59 BF 1C B8 86 E6 2F 29 91 29 592 CBC-MAC : A5 27 D8 15 6A C3 59 BF 593 CTR Start: 01 00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5 00 01 594 CTR[0001]: 63 CC BE 1E E0 17 44 98 45 64 B2 3A 8D 24 5C 80 595 CTR[0002]: 39 6D BA A2 A7 D2 CB D4 B5 E1 7C 10 79 45 BB C0 596 CTR[MAC ]: E5 7D DC 56 C6 52 92 2B 597 Total packet length = 41. [Authenticated and Encrypted Output] 598 00 01 02 03 04 05 06 07 08 09 0A 0B 6F C1 B0 11 599 F0 06 56 8B 51 71 A4 2D 95 3D 46 9B 25 70 A4 BD 600 87 40 5A 04 43 AC 91 CB 94 602 =============== Packet Vector #7 ================== 603 AES Key = C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 604 Nonce = 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5 605 Total packet length = 31. 
[Input with 8 cleartext header octets] 606 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 607 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 608 CBC IV in: 61 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5 00 17 609 CBC IV out:60 06 C5 72 DA 23 9C BF A0 5B 0A DE D2 CD A8 1E 610 After xor: 60 0E C5 73 D8 20 98 BA A6 5C 0A DE D2 CD A8 1E [hdr] 611 After AES: 41 7D E2 AE 94 E2 EA D9 00 FC 44 FC D0 69 52 27 612 After xor: 49 74 E8 A5 98 EF E4 D6 10 ED 56 EF C4 7C 44 30 [msg] 613 After AES: 2A 6C 42 CA 49 D7 C7 01 C5 7D 59 FF 87 16 49 0E 614 After xor: 32 75 58 D1 55 CA D9 01 C5 7D 59 FF 87 16 49 0E [msg] 615 After AES: 89 8B D6 45 4E 27 20 BB D2 7E F3 15 7A 7C 90 B2 616 CBC-MAC : 89 8B D6 45 4E 27 20 BB D2 7E 617 CTR Start: 01 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5 00 01 618 CTR[0001]: 09 3C DB B9 C5 52 4F DA C1 C5 EC D2 91 C4 70 AF 619 CTR[0002]: 11 57 83 86 E2 C4 72 B4 8E CC 8A AD AB 77 6F CB 620 CTR[MAC ]: 8D 07 80 25 62 B0 8C 00 A6 EE 621 Total packet length = 41. [Authenticated and Encrypted Output] 622 00 01 02 03 04 05 06 07 01 35 D1 B2 C9 5F 41 D5 623 D1 D4 FE C1 85 D1 66 B8 09 4E 99 9D FE D9 6C 04 624 8C 56 60 2C 97 AC BB 74 90 626 =============== Packet Vector #8 ================== 627 AES Key = C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 628 Nonce = 00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5 629 Total packet length = 32. 
[Input with 8 cleartext header octets] 630 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 631 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 632 CBC IV in: 61 00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5 00 18 633 CBC IV out:63 A3 FA E4 6C 79 F3 FA 78 38 B8 A2 80 36 B6 0B 634 After xor: 63 AB FA E5 6E 7A F7 FF 7E 3F B8 A2 80 36 B6 0B [hdr] 635 After AES: 1C 99 1A 3D B7 60 79 27 34 40 79 1F AD 8B 5B 02 636 After xor: 14 90 10 36 BB 6D 77 28 24 51 6B 0C B9 9E 4D 15 [msg] 637 After AES: 14 19 E8 E8 CB BE 75 58 E1 E3 BE 4B 6C 9F 82 E3 638 After xor: 0C 00 F2 F3 D7 A3 6B 47 E1 E3 BE 4B 6C 9F 82 E3 [msg] 639 After AES: E0 16 E8 1C 7F 7B 8A 38 A5 38 F2 CB 5B B6 C1 F2 640 CBC-MAC : E0 16 E8 1C 7F 7B 8A 38 A5 38 641 CTR Start: 01 00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5 00 01 642 CTR[0001]: 73 7C 33 91 CC 8E 13 DD E0 AA C5 4B 6D B7 EB 98 643 CTR[0002]: 74 B7 71 77 C5 AA C5 3B 04 A4 F8 70 8E 92 EB 2B 644 CTR[MAC ]: 21 6D AC 2F 8B 4F 1C 07 91 8C 645 Total packet length = 42. [Authenticated and Encrypted Output] 646 00 01 02 03 04 05 06 07 7B 75 39 9A C0 83 1D D2 647 F0 BB D7 58 79 A2 FD 8F 6C AE 6B 6C D9 B7 DB 24 648 C1 7B 44 33 F4 34 96 3F 34 B4 650 =============== Packet Vector #9 ================== 651 AES Key = C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 652 Nonce = 00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5 653 Total packet length = 33. 
   [Input with 8 cleartext header octets]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
              20
   CBC IV in: 61 00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5 00 19
   CBC IV out:4F 2C 86 11 1E 08 2A DD 6B 44 21 3A B5 13 13 16
   After xor: 4F 24 86 10 1C 0B 2E D8 6D 43 21 3A B5 13 13 16 [hdr]
   After AES: F6 EC 56 87 3C 57 12 DC 9C C5 3C A8 D4 D1 ED 0A
   After xor: FE E5 5C 8C 30 5A 1C D3 8C D4 2E BB C0 C4 FB 1D [msg]
   After AES: 17 C1 80 A5 31 53 D4 C3 03 85 0C 95 65 80 34 52
   After xor: 0F D8 9A BE 2D 4E CA DC 23 85 0C 95 65 80 34 52 [msg]
   After AES: 46 A1 F6 E2 B1 6E 75 F8 1C F5 6B 1A 80 04 44 1B
   CBC-MAC :  46 A1 F6 E2 B1 6E 75 F8 1C F5
   CTR Start: 01 00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: 8A 5A 10 6B C0 29 9A 55 5B 93 6B 0B 0E A0 DE 5A
   CTR[0002]: EA 05 FD E2 AB 22 5C FE B7 73 12 CB 88 D9 A5 4A
   CTR[MAC ]: AC 3D F1 07 DA 30 C4 86 43 BB
   Total packet length = 43. [Authenticated and Encrypted Output]
              00 01 02 03 04 05 06 07 82 53 1A 60 CC 24 94 5A
              4B 82 79 18 1A B5 C8 4D F2 1C E7 F9 B7 3F 42 E1
              97 EA 9C 07 E5 6B 5E B1 7E 5F 4E

   =============== Packet Vector #10 ==================
   AES Key =  C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5
   Total packet length = 31.
   [Input with 12 cleartext header octets]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E
   CBC IV in: 61 00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5 00 13
   CBC IV out:7F B8 0A 32 E9 80 57 46 EC 31 6C 3A B2 A2 EB 5D
   After xor: 7F B4 0A 33 EB 83 53 43 EA 36 64 33 B8 A9 EB 5D [hdr]
   After AES: 7E 96 96 BF F1 56 D6 A8 6E AC F5 7B 7F 23 47 5A
   After xor: 72 9B 98 B0 E1 47 C4 BB 7A B9 E3 6C 67 3A 5D 41 [msg]
   After AES: 8B 4A EE 42 04 24 8A 59 FA CC 88 66 57 66 DD 72
   After xor: 97 57 F0 42 04 24 8A 59 FA CC 88 66 57 66 DD 72 [msg]
   After AES: 41 63 89 36 62 ED D7 EB CD 6E 15 C1 89 48 62 05
   CBC-MAC :  41 63 89 36 62 ED D7 EB CD 6E
   CTR Start: 01 00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: 0B 39 2B 9B 05 66 97 06 3F 12 56 8F 2B 13 A1 0F
   CTR[0002]: 07 89 65 25 23 40 94 3B 9E 69 B2 56 CC 5E F7 31
   CTR[MAC ]: 17 09 20 76 09 A0 4E 72 45 B3
   Total packet length = 41. [Authenticated and Encrypted Output]
              00 01 02 03 04 05 06 07 08 09 0A 0B 07 34 25 94
              15 77 85 15 2B 07 40 98 33 0A BB 14 1B 94 7B 56
              6A A9 40 6B 4D 99 99 88 DD

   =============== Packet Vector #11 ==================
   AES Key =  C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5
   Total packet length = 32.
   [Input with 12 cleartext header octets]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
   CBC IV in: 61 00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5 00 14
   CBC IV out:B0 84 85 79 51 D2 FA 42 76 EF 3A D7 14 B9 62 87
   After xor: B0 88 85 78 53 D1 FE 47 70 E8 32 DE 1E B2 62 87 [hdr]
   After AES: C9 B3 64 7E D8 79 2A 5C 65 B7 CE CC 19 0A 97 0A
   After xor: C5 BE 6A 71 C8 68 38 4F 71 A2 D8 DB 01 13 8D 11 [msg]
   After AES: 34 0F 69 17 FA B9 19 D6 1D AC D0 35 36 D6 55 8B
   After xor: 28 12 77 08 FA B9 19 D6 1D AC D0 35 36 D6 55 8B [msg]
   After AES: 6B 5E 24 34 12 CC C2 AD 6F 1B 11 C3 A1 A9 D8 BC
   CBC-MAC :  6B 5E 24 34 12 CC C2 AD 6F 1B
   CTR Start: 01 00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: 6B 66 BC 0C 90 A1 F1 12 FC BE 6F 4E 12 20 77 BC
   CTR[0002]: 97 9E 57 2B BE 65 8A E5 CC 20 11 83 2A 9A 9B 5B
   CTR[MAC ]: 9E 64 86 DD 02 B6 49 C1 6D 37
   Total packet length = 42. [Authenticated and Encrypted Output]
              00 01 02 03 04 05 06 07 08 09 0A 0B 67 6B B2 03
              80 B0 E3 01 E8 AB 79 59 0A 39 6D A7 8B 83 49 34
              F5 3A A2 E9 10 7A 8B 6C 02 2C

   =============== Packet Vector #12 ==================
   AES Key =  C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5
   Total packet length = 33.
   [Input with 12 cleartext header octets]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
              20
   CBC IV in: 61 00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5 00 15
   CBC IV out:5F 8E 8D 02 AD 95 7C 5A 36 14 CF 63 40 16 97 4F
   After xor: 5F 82 8D 03 AF 96 78 5F 30 13 C7 6A 4A 1D 97 4F [hdr]
   After AES: 63 FA BD 69 B9 55 65 FF 54 AA F4 60 88 7D EC 9F
   After xor: 6F F7 B3 66 A9 44 77 EC 40 BF E2 77 90 64 F6 84 [msg]
   After AES: 5A 76 5F 0B 93 CE 4F 6A B4 1D 91 30 18 57 6A D7
   After xor: 46 6B 41 14 B3 CE 4F 6A B4 1D 91 30 18 57 6A D7 [msg]
   After AES: 9D 66 92 41 01 08 D5 B6 A1 45 85 AC AF 86 32 E8
   CBC-MAC :  9D 66 92 41 01 08 D5 B6 A1 45
   CTR Start: 01 00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: CC F2 AE D9 E0 4A C9 74 E6 58 55 B3 2B 94 30 BF
   CTR[0002]: A2 CA AC 11 63 F4 07 E5 E5 F6 E3 B3 79 0F 79 F8
   CTR[MAC ]: 50 7C 31 57 63 EF 78 D3 77 9E
   Total packet length = 43. [Authenticated and Encrypted Output]
              00 01 02 03 04 05 06 07 08 09 0A 0B C0 FF A0 D6
              F0 5B DB 67 F2 4D 43 A4 33 8D 2A A4 BE D7 B2 0E
              43 CD 1A A3 16 62 E7 AD 65 D6 DB

   =============== Packet Vector #13 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 41 2B 4E A9 CD BE 3C 96 96 76 6C FA
   Total packet length = 31.
   [Input with 8 cleartext header octets]
              0B E1 A8 8B AC E0 18 B1 08 E8 CF 97 D8 20 EA 25
              84 60 E9 6A D9 CF 52 89 05 4D 89 5C EA C4 7C
   CBC IV in: 59 00 41 2B 4E A9 CD BE 3C 96 96 76 6C FA 00 17
   CBC IV out:33 AE C3 1A 1F B7 CC 35 E5 DA D2 BA C0 90 D9 A3
   After xor: 33 A6 C8 FB B7 3C 60 D5 FD 6B D2 BA C0 90 D9 A3 [hdr]
   After AES: B7 56 CA 1E 5B 42 C6 9C 58 E3 0A F5 2B F7 7C FD
   After xor: BF BE 05 89 83 62 2C B9 DC 83 E3 9F F2 38 2E 74 [msg]
   After AES: 33 3D 3A 3D 07 B5 3C 7B 22 0E 96 1A 18 A9 A1 9E
   After xor: 36 70 B3 61 ED 71 40 7B 22 0E 96 1A 18 A9 A1 9E [msg]
   After AES: 14 BD DB 6B F9 01 63 4D FB 56 51 83 BC 74 93 F7
   CBC-MAC :  14 BD DB 6B F9 01 63 4D
   CTR Start: 01 00 41 2B 4E A9 CD BE 3C 96 96 76 6C FA 00 01
   CTR[0001]: 44 51 B0 11 7A 84 82 BF 03 19 AE C1 59 5E BD DA
   CTR[0002]: 83 EB 76 E1 3A 44 84 7F 92 20 09 07 76 B8 25 C5
   CTR[MAC ]: F3 31 2C A0 F5 DC B4 FE
   Total packet length = 39. [Authenticated and Encrypted Output]
              0B E1 A8 8B AC E0 18 B1 4C B9 7F 86 A2 A4 68 9A
              87 79 47 AB 80 91 EF 53 86 A6 FF BD D0 80 F8 E7
              8C F7 CB 0C DD D7 B3

   =============== Packet Vector #14 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 33 56 8E F7 B2 63 3C 96 96 76 6C FA
   Total packet length = 32.
   [Input with 8 cleartext header octets]
              63 01 8F 76 DC 8A 1B CB 90 20 EA 6F 91 BD D8 5A
              FA 00 39 BA 4B AF F9 BF B7 9C 70 28 94 9C D0 EC
   CBC IV in: 59 00 33 56 8E F7 B2 63 3C 96 96 76 6C FA 00 18
   CBC IV out:42 0D B1 50 BB 0C 44 DA 83 E4 52 09 55 99 67 E3
   After xor: 42 05 D2 51 34 7A 98 50 98 2F 52 09 55 99 67 E3 [hdr]
   After AES: EA D1 CA 56 02 02 09 5C E6 12 B0 D2 18 A0 DD 44
   After xor: 7A F1 20 39 93 BF D1 06 1C 12 89 68 53 0F 24 FB [msg]
   After AES: 51 77 41 69 C3 DE 6B 24 13 27 74 90 F5 FF C5 62
   After xor: E6 EB 31 41 57 42 BB C8 13 27 74 90 F5 FF C5 62 [msg]
   After AES: D4 CC 3B 82 DF 9F CC 56 7E E5 83 61 D7 8D FB 5E
   CBC-MAC :  D4 CC 3B 82 DF 9F CC 56
   CTR Start: 01 00 33 56 8E F7 B2 63 3C 96 96 76 6C FA 00 01
   CTR[0001]: DC EB F4 13 38 3C 66 A0 5A 72 55 EF 98 D7 FF AD
   CTR[0002]: 2F 54 2C BA 15 D6 6C DF E1 EC 46 8F 0E 68 A1 24
   CTR[MAC ]: 11 E2 D3 9F A2 E8 0C DC
   Total packet length = 40. [Authenticated and Encrypted Output]
              63 01 8F 76 DC 8A 1B CB 4C CB 1E 7C A9 81 BE FA
              A0 72 6C 55 D3 78 06 12 98 C8 5C 92 81 4A BC 33
              C5 2E E8 1D 7D 77 C0 8A

   =============== Packet Vector #15 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 10 3F E4 13 36 71 3C 96 96 76 6C FA
   Total packet length = 33.
   [Input with 8 cleartext header octets]
              AA 6C FA 36 CA E8 6B 40 B9 16 E0 EA CC 1C 00 D7
              DC EC 68 EC 0B 3B BB 1A 02 DE 8A 2D 1A A3 46 13
              2E
   CBC IV in: 59 00 10 3F E4 13 36 71 3C 96 96 76 6C FA 00 19
   CBC IV out:B3 26 49 FF D5 9F 56 0F 02 2D 11 E2 62 C5 BE EA
   After xor: B3 2E E3 93 2F A9 9C E7 69 6D 11 E2 62 C5 BE EA [hdr]
   After AES: 82 50 9E E5 B2 FF DB CA 9B D0 2E 20 6B 3F B7 AD
   After xor: 3B 46 7E 0F 7E E3 DB 1D 47 3C 46 CC 60 04 0C B7 [msg]
   After AES: 80 46 0E 4C 08 3A D0 3F B9 A9 13 BE E4 DE 2F 66
   After xor: 82 98 84 61 12 99 96 2C 97 A9 13 BE E4 DE 2F 66 [msg]
   After AES: 47 29 CB 00 31 F1 81 C1 92 68 4B 89 A4 71 50 E7
   CBC-MAC :  47 29 CB 00 31 F1 81 C1
   CTR Start: 01 00 10 3F E4 13 36 71 3C 96 96 76 6C FA 00 01
   CTR[0001]: 08 C4 DA C8 EC C1 C0 7B 4C E1 F2 4C 37 5A 47 EE
   CTR[0002]: A7 87 2E 6C 6D C4 4E 84 26 02 50 4C 3F A5 73 C5
   CTR[MAC ]: E0 5F B2 6E EA 83 B4 C7
   Total packet length = 41. [Authenticated and Encrypted Output]
              AA 6C FA 36 CA E8 6B 40 B1 D2 3A 22 20 DD C0 AC
              90 0D 9A A0 3C 61 FC F4 A5 59 A4 41 77 67 08 97
              08 A7 76 79 6E DB 72 35 06

   =============== Packet Vector #16 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 76 4C 63 B8 05 8E 3C 96 96 76 6C FA
   Total packet length = 31.
   [Input with 12 cleartext header octets]
              D0 D0 73 5C 53 1E 1B EC F0 49 C2 44 12 DA AC 56
              30 EF A5 39 6F 77 0C E1 A6 6B 21 F7 B2 10 1C
   CBC IV in: 59 00 76 4C 63 B8 05 8E 3C 96 96 76 6C FA 00 13
   CBC IV out:AB DC 4E C9 AA 72 33 97 DF 2D AD 76 33 DE 3B 0D
   After xor: AB D0 9E 19 D9 2E 60 89 C4 C1 5D 3F F1 9A 3B 0D [hdr]
   After AES: 62 86 F6 2F 23 42 63 B0 1C FD 8C 37 40 74 81 EB
   After xor: 70 5C 5A 79 13 AD C6 89 73 8A 80 D6 E6 1F A0 1C [msg]
   After AES: 88 95 84 18 CF 79 CA BE EB C0 0C C4 86 E6 01 F7
   After xor: 3A 85 98 18 CF 79 CA BE EB C0 0C C4 86 E6 01 F7 [msg]
   After AES: C1 85 92 D9 84 CD 67 80 63 D1 D9 6D C1 DF A1 11
   CBC-MAC :  C1 85 92 D9 84 CD 67 80
   CTR Start: 01 00 76 4C 63 B8 05 8E 3C 96 96 76 6C FA 00 01
   CTR[0001]: 06 08 FF 95 A6 94 D5 59 F4 0B B7 9D EF FA 41 DF
   CTR[0002]: 80 55 3A 75 78 38 04 A9 64 8B 68 DD 7F DC DD 7A
   CTR[MAC ]: 5B EA DB 4E DF 07 B9 2F
   Total packet length = 39. [Authenticated and Encrypted Output]
              D0 D0 73 5C 53 1E 1B EC F0 49 C2 44 14 D2 53 C3
              96 7B 70 60 9B 7C BB 7C 49 91 60 28 32 45 26 9A
              6F 49 97 5B CA DE AF

   =============== Packet Vector #17 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 F8 B6 78 09 4E 3B 3C 96 96 76 6C FA
   Total packet length = 32.
   [Input with 12 cleartext header octets]
              77 B6 0F 01 1C 03 E1 52 58 99 BC AE E8 8B 6A 46
              C7 8D 63 E5 2E B8 C5 46 EF B5 DE 6F 75 E9 CC 0D
   CBC IV in: 59 00 F8 B6 78 09 4E 3B 3C 96 96 76 6C FA 00 14
   CBC IV out:F4 68 FE 5D B1 53 0B 7A 5A A5 FB 27 40 CF 6E 33
   After xor: F4 64 89 EB BE 52 17 79 BB F7 A3 BE FC 61 6E 33 [hdr]
   After AES: 23 29 0E 0B 33 45 9A 83 32 2D E4 06 86 67 10 04
   After xor: CB A2 64 4D F4 C8 F9 66 1C 95 21 40 69 D2 CE 6B [msg]
   After AES: 8F BE D4 0F 8B 89 B7 B8 20 D5 5F E0 3C E2 43 11
   After xor: FA 57 18 02 8B 89 B7 B8 20 D5 5F E0 3C E2 43 11 [msg]
   After AES: 6A DB 15 B6 71 81 B2 E2 2B E3 4A F2 B2 83 E2 29
   CBC-MAC :  6A DB 15 B6 71 81 B2 E2
   CTR Start: 01 00 F8 B6 78 09 4E 3B 3C 96 96 76 6C FA 00 01
   CTR[0001]: BD CE 95 5C CF D3 81 0A 91 EA 77 A6 A4 5B C0 4C
   CTR[0002]: 43 2E F2 32 AE 36 D8 92 22 BF 63 37 E6 B2 6C E8
   CTR[MAC ]: 1C F7 19 C1 35 7F CC DE
   Total packet length = 40. [Authenticated and Encrypted Output]
              77 B6 0F 01 1C 03 E1 52 58 99 BC AE 55 45 FF 1A
              08 5E E2 EF BF 52 B2 E0 4B EE 1E 23 36 C7 3E 3F
              76 2C 0C 77 44 FE 7E 3C

   =============== Packet Vector #18 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 D5 60 91 2D 3F 70 3C 96 96 76 6C FA
   Total packet length = 33.
   [Input with 12 cleartext header octets]
              CD 90 44 D2 B7 1F DB 81 20 EA 60 C0 64 35 AC BA
              FB 11 A8 2E 2F 07 1D 7C A4 A5 EB D9 3A 80 3B A8
              7F
   CBC IV in: 59 00 D5 60 91 2D 3F 70 3C 96 96 76 6C FA 00 15
   CBC IV out:BA 37 74 54 D7 20 A4 59 25 97 F6 A3 D1 D6 BA 67
   After xor: BA 3B B9 C4 93 F2 13 46 FE 16 D6 49 B1 16 BA 67 [hdr]
   After AES: 81 6A 20 20 38 D0 A6 30 CB E0 B7 3C 39 BB CE 05
   After xor: E5 5F 8C 9A C3 C1 0E 1E E4 E7 AA 40 9D 1E 25 DC [msg]
   After AES: 6D 5C 15 FD 85 2D 5C 3C E3 03 3D 85 DA 57 BD AC
   After xor: 57 DC 2E 55 FA 2D 5C 3C E3 03 3D 85 DA 57 BD AC [msg]
   After AES: B0 4A 1C 23 BC 39 B6 51 76 FD 5B FF 9B C1 28 5E
   CBC-MAC :  B0 4A 1C 23 BC 39 B6 51
   CTR Start: 01 00 D5 60 91 2D 3F 70 3C 96 96 76 6C FA 00 01
   CTR[0001]: 64 A2 C5 56 50 CE E0 4C 7A 93 D8 EE F5 43 E8 8E
   CTR[0002]: 18 E7 65 AC B7 B0 E9 AF 09 2B D0 20 6C A1 C8 3C
   CTR[MAC ]: F7 43 82 79 5C 49 F3 00
   Total packet length = 41. [Authenticated and Encrypted Output]
              CD 90 44 D2 B7 1F DB 81 20 EA 60 C0 00 97 69 EC
              AB DF 48 62 55 94 C5 92 51 E6 03 57 22 67 5E 04
              C8 47 09 9E 5A E0 70 45 51

   =============== Packet Vector #19 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 42 FF F8 F1 95 1C 3C 96 96 76 6C FA
   Total packet length = 31.
   [Input with 8 cleartext header octets]
              D8 5B C7 E6 9F 94 4F B8 8A 19 B9 50 BC F7 1A 01
              8E 5E 67 01 C9 17 87 65 98 09 D6 7D BE DD 18
   CBC IV in: 61 00 42 FF F8 F1 95 1C 3C 96 96 76 6C FA 00 17
   CBC IV out:44 F7 CC 9C 2B DD 2F 45 F6 38 25 6B 73 6E 1D 7A
   After xor: 44 FF 14 C7 EC 3B B0 D1 B9 80 25 6B 73 6E 1D 7A [hdr]
   After AES: 57 C3 73 F8 00 AA 5F CC 7B CF 1D 1B DD BB 4C 52
   After xor: DD DA CA A8 BC 5D 45 CD F5 91 7A 1A 14 AC CB 37 [msg]
   After AES: 42 4E 93 72 72 C8 79 B6 11 C7 A5 9F 47 8D 9F D8
   After xor: DA 47 45 0F CC 15 61 B6 11 C7 A5 9F 47 8D 9F D8 [msg]
   After AES: 9A CB 03 F8 B9 DB C8 D2 D2 D7 A4 B4 95 25 08 67
   CBC-MAC :  9A CB 03 F8 B9 DB C8 D2 D2 D7
   CTR Start: 01 00 42 FF F8 F1 95 1C 3C 96 96 76 6C FA 00 01
   CTR[0001]: 36 38 34 FA 28 83 3D B7 55 66 0D 98 65 0D 68 46
   CTR[0002]: 35 E9 63 54 87 16 72 56 3F 0C 08 AF 78 44 31 A9
   CTR[MAC ]: F9 B7 FA 46 7B 9B 40 45 14 6D
   Total packet length = 41. [Authenticated and Encrypted Output]
              D8 5B C7 E6 9F 94 4F B8 BC 21 8D AA 94 74 27 B6
              DB 38 6A 99 AC 1A EF 23 AD E0 B5 29 39 CB 6A 63
              7C F9 BE C2 40 88 97 C6 BA

   =============== Packet Vector #20 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 92 0F 40 E5 6C DC 3C 96 96 76 6C FA
   Total packet length = 32.
   [Input with 8 cleartext header octets]
              74 A0 EB C9 06 9F 5B 37 17 61 43 3C 37 C5 A3 5F
              C1 F3 9F 40 63 02 EB 90 7C 61 63 BE 38 C9 84 37
   CBC IV in: 61 00 92 0F 40 E5 6C DC 3C 96 96 76 6C FA 00 18
   CBC IV out:60 CB 21 CE 40 06 50 AE 2A D2 BE 52 9F 5F 0F C2
   After xor: 60 C3 55 6E AB CF 56 31 71 E5 BE 52 9F 5F 0F C2 [hdr]
   After AES: 03 20 64 14 35 32 5D 95 C8 A2 50 40 93 28 DA 9B
   After xor: 14 41 27 28 02 F7 FE CA 09 51 CF 00 F0 2A 31 0B [msg]
   After AES: B9 E8 87 95 ED F7 F0 08 15 15 F0 14 E2 FE 0E 48
   After xor: C5 89 E4 2B D5 3E 74 3F 15 15 F0 14 E2 FE 0E 48 [msg]
   After AES: 8F AD 0C 23 E9 63 7E 87 FA 21 45 51 1B 47 DE F1
   CBC-MAC :  8F AD 0C 23 E9 63 7E 87 FA 21
   CTR Start: 01 00 92 0F 40 E5 6C DC 3C 96 96 76 6C FA 00 01
   CTR[0001]: 4F 71 A5 C1 12 42 E3 7D 29 F0 FE E4 1B E1 02 5F
   CTR[0002]: 34 2B D3 F1 7C B7 7B C1 79 0B 05 05 61 59 27 2C
   CTR[MAC ]: 7F 09 7B EF C6 AA C1 D3 73 65
   Total packet length = 42. [Authenticated and Encrypted Output]
              74 A0 EB C9 06 9F 5B 37 58 10 E6 FD 25 87 40 22
              E8 03 61 A4 78 E3 E9 CF 48 4A B0 4F 44 7E FF F6
              F0 A4 77 CC 2F C9 BF 54 89 44

   =============== Packet Vector #21 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 27 CA 0C 71 20 BC 3C 96 96 76 6C FA
   Total packet length = 33.
   [Input with 8 cleartext header octets]
              44 A3 AA 3A AE 64 75 CA A4 34 A8 E5 85 00 C6 E4
              15 30 53 88 62 D6 86 EA 9E 81 30 1B 5A E4 22 6B
              FA
   CBC IV in: 61 00 27 CA 0C 71 20 BC 3C 96 96 76 6C FA 00 19
   CBC IV out:43 07 C0 73 A8 9E E1 D5 05 27 B2 9A 62 48 D6 D2
   After xor: 43 0F 84 D0 02 A4 4F B1 70 ED B2 9A 62 48 D6 D2 [hdr]
   After AES: B6 0B C6 F5 84 01 75 BC 01 27 70 F1 11 8D 75 10
   After xor: 12 3F 6E 10 01 01 B3 58 14 17 23 79 73 5B F3 FA [msg]
   After AES: 7D 5E 64 92 CE 2C B9 EA 7E 4C 4A 09 09 89 C8 FB
   After xor: E3 DF 54 89 94 C8 9B 81 84 4C 4A 09 09 89 C8 FB [msg]
   After AES: 68 5F 8D 79 D2 2B 9B 74 21 DF 4C 3E 87 BA 0A AF
   CBC-MAC :  68 5F 8D 79 D2 2B 9B 74 21 DF
   CTR Start: 01 00 27 CA 0C 71 20 BC 3C 96 96 76 6C FA 00 01
   CTR[0001]: 56 8A 45 9E 40 09 48 67 EB 85 E0 9E 6A 2E 64 76
   CTR[0002]: A6 00 AA 92 92 03 54 9A AE EF 2C CC 59 13 7A 57
   CTR[MAC ]: 25 1E DC DD 3F 11 10 F3 98 11
   Total packet length = 43. [Authenticated and Encrypted Output]
              44 A3 AA 3A AE 64 75 CA F2 BE ED 7B C5 09 8E 83
              FE B5 B3 16 08 F8 E2 9C 38 81 9A 89 C8 E7 76 F1
              54 4D 41 51 A4 ED 3A 8B 87 B9 CE

   =============== Packet Vector #22 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 5B 8C CB CD 9A F8 3C 96 96 76 6C FA
   Total packet length = 31.
   [Input with 12 cleartext header octets]
              EC 46 BB 63 B0 25 20 C3 3C 49 FD 70 B9 6B 49 E2
              1D 62 17 41 63 28 75 DB 7F 6C 92 43 D2 D7 C2
   CBC IV in: 61 00 5B 8C CB CD 9A F8 3C 96 96 76 6C FA 00 13
   CBC IV out:91 14 AD 06 B6 CC 02 35 76 9A B6 14 C4 82 95 03
   After xor: 91 18 41 40 0D AF B2 10 56 59 8A 5D 39 F2 95 03 [hdr]
   After AES: 29 BD 7C 27 83 E3 E8 D3 C3 5C 01 F4 4C EC BB FA
   After xor: 90 D6 35 C5 9E 81 FF 92 A0 74 74 2F 33 80 29 B9 [msg]
   After AES: 4E DA F4 0D 21 0B D4 5F FE 97 90 B9 AA EC 34 4C
   After xor: 9C 0D 36 0D 21 0B D4 5F FE 97 90 B9 AA EC 34 4C [msg]
   After AES: 21 9E F8 90 EA 64 C2 11 A5 37 88 83 E1 BA 22 0D
   CBC-MAC :  21 9E F8 90 EA 64 C2 11 A5 37
   CTR Start: 01 00 5B 8C CB CD 9A F8 3C 96 96 76 6C FA 00 01
   CTR[0001]: 88 BC 19 42 80 C1 FA 3E BE FC EF FB 4D C6 2D 54
   CTR[0002]: 3E 59 7D A5 AE 21 CC A4 00 9E 4C 0C 91 F6 22 49
   CTR[MAC ]: 5C BC 30 98 66 02 A9 F4 64 A0
   Total packet length = 41. [Authenticated and Encrypted Output]
              EC 46 BB 63 B0 25 20 C3 3C 49 FD 70 31 D7 50 A0
              9D A3 ED 7F DD D4 9A 20 32 AA BF 17 EC 8E BF 7D
              22 C8 08 8C 66 6B E5 C1 97

   =============== Packet Vector #23 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 3E BE 94 04 4B 9A 3C 96 96 76 6C FA
   Total packet length = 32.
   [Input with 12 cleartext header octets]
              47 A6 5A C7 8B 3D 59 42 27 E8 5E 71 E2 FC FB B8
              80 44 2C 73 1B F9 51 67 C8 FF D7 89 5E 33 70 76
   CBC IV in: 61 00 3E BE 94 04 4B 9A 3C 96 96 76 6C FA 00 14
   CBC IV out:0F 70 3F 5A 54 2C 44 6E 8B 74 A3 73 9B 48 B9 61
   After xor: 0F 7C 78 FC 0E EB CF 53 D2 36 84 9B C5 39 B9 61 [hdr]
   After AES: 40 5B ED 29 D0 98 AE 91 DB 68 78 F3 68 B8 73 85
   After xor: A2 A7 16 91 50 DC 82 E2 C0 91 29 94 A0 47 A4 0C [msg]
   After AES: 3D 03 29 3C FD 81 1B 37 01 51 FB C7 85 6B 7A 74
   After xor: 63 30 59 4A FD 81 1B 37 01 51 FB C7 85 6B 7A 74 [msg]
   After AES: 66 4F 27 16 3E 36 0F 72 62 0D 4E 67 7C E0 61 DE
   CBC-MAC :  66 4F 27 16 3E 36 0F 72 62 0D
   CTR Start: 01 00 3E BE 94 04 4B 9A 3C 96 96 76 6C FA 00 01
   CTR[0001]: 0A 7E 0A 63 53 C8 CF 9E BC 3B 6E 63 15 9A D0 97
   CTR[0002]: EA 20 32 DA 27 82 6E 13 9E 1E 72 5C 5B 0D 3E BF
   CTR[MAC ]: B9 31 27 CA F0 F1 A1 20 FA 70
   Total packet length = 42. [Authenticated and Encrypted Output]
              47 A6 5A C7 8B 3D 59 42 27 E8 5E 71 E8 82 F1 DB
              D3 8C E3 ED A7 C2 3F 04 DD 65 07 1E B4 13 42 AC
              DF 7E 00 DC CE C7 AE 52 98 7D

   =============== Packet Vector #24 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 8D 49 3B 30 AE 8B 3C 96 96 76 6C FA
   Total packet length = 33.
   [Input with 12 cleartext header octets]
              6E 37 A6 EF 54 6D 95 5D 34 AB 60 59 AB F2 1C 0B
              02 FE B8 8F 85 6D F4 A3 73 81 BC E3 CC 12 85 17
              D4
   CBC IV in: 61 00 8D 49 3B 30 AE 8B 3C 96 96 76 6C FA 00 15
   CBC IV out:67 AC E4 E8 06 77 7A D3 27 1D 0B 93 4C 67 98 15
   After xor: 67 A0 8A DF A0 98 2E BE B2 40 3F 38 2C 3E 98 15 [hdr]
   After AES: 35 58 F8 7E CA C2 B4 39 B6 7E 75 BB F1 5E 69 08
   After xor: 9E AA E4 75 C8 3C 0C B6 33 13 81 18 82 DF D5 EB [msg]
   After AES: 54 E4 7B 62 22 F0 BB 87 17 D0 71 6A EB AF 19 9E
   After xor: 98 F6 FE 75 F6 F0 BB 87 17 D0 71 6A EB AF 19 9E [msg]
   After AES: 23 E3 30 50 BC 57 DC 2C 3D 3E 7C 94 77 D1 49 71
   CBC-MAC :  23 E3 30 50 BC 57 DC 2C 3D 3E
   CTR Start: 01 00 8D 49 3B 30 AE 8B 3C 96 96 76 6C FA 00 01
   CTR[0001]: 58 DB 19 B3 88 9A A3 8B 3C A4 0B 16 FF 42 2C 73
   CTR[0002]: C3 2F 24 3D 65 DC 7E 9F 4B 02 16 AB 7F B9 6B 4D
   CTR[MAC ]: 4E 2D AE D2 53 F6 B1 8A 1D 67
   Total packet length = 43. [Authenticated and Encrypted Output]
              6E 37 A6 EF 54 6D 95 5D 34 AB 60 59 F3 29 05 B8
              8A 64 1B 04 B9 C9 FF B5 8C C3 90 90 0F 3D A1 2A
              B1 6D CE 9E 82 EF A1 6D A6 20 59

9. Intellectual Property Statements

   The authors hereby explicitly release any intellectual property
   rights to CCM to the public domain. Further, the authors are not
   aware of any patent or patent application anywhere in the world that
   covers CCM mode. It is our belief that CCM is a simple combination
   of well-established techniques, and we believe that CCM is obvious to
   a person of ordinary skill in the arts.

10. Security Considerations

   We claim that this block cipher mode is secure against attackers
   limited to 2^128 steps of operation if the key K is 256 bits or
   larger. There are fairly generic precomputation attacks against all
   block cipher modes that allow a meet-in-the-middle attack on the key
   K. If these attacks can be made, then the theoretical strength of
   this, and any other, block cipher mode is limited to 2^(n/2) where n
   is the number of bits in the key. The strength of the authentication
   is of course limited by M.

   Users of smaller key sizes (such as 128 bits) should take precautions
   to make the precomputation attacks more difficult. Repeated use of
   the same nonce value (with different keys of course) ought to be
   avoided. One solution is to include a random value within the nonce.
   Of course, a packet counter is also needed within the nonce. Since
   the nonce is of limited size, a random value in the nonce provides a
   limited amount of additional security.

11. References

   This section provides normative and informative references.

11.1. Normative References

   [STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels," RFC 2119, March 1997.

11.2. Informative References

   [AES]      NIST, FIPS PUB 197, "Advanced Encryption Standard
              (AES)," November 2001.

   [CCM]      Whiting, D., Housley, R. and N. Ferguson, "AES
              Encryption & Authentication Using CTR Mode & CBC-MAC,"
              IEEE P802.11 doc 02/001r2, May 2002.

   [ESP]      Kent, S. and R. Atkinson, "IP Encapsulating Security
              Payload (ESP)," RFC 2406, November 1998.

   [MAC]      NIST, FIPS PUB 113, "Computer Data Authentication,"
              May 1985.

   [MODES]    Dworkin, M., "Recommendation for Block Cipher Modes
              of Operation: Methods and Techniques," NIST Special
              Publication 800-38A, December 2001.

   [OCB]      Rogaway, P., Bellare, M., Black, J. and T. Krovetz,
              "OCB: A Block-Cipher Mode of Operation for Efficient
              Authenticated Encryption," 8th ACM Conference on
              Computer and Communications Security, pp 196-295,
              ACM Press, 2001.

12. Author's Address

   Doug Whiting
   Hifn
   5973 Avenida Encinas, #110
   Carlsbad, CA 92009
   USA
   DWhiting@hifn.com

   Russell Housley
   RSA Laboratories
   918 Spring Knoll Drive
   Herndon, VA 20170
   USA
   rhousley@rsasecurity.com

   Niels Ferguson
   MacFergus BV
   Bart de Ligtstraat 64
   1097 JE Amsterdam
   Netherlands
   Niels@ferguson.net

13. Full Copyright Statement

   Copyright (C) The Internet Society 2002. All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.