draft-housley-ccm-mode-01.txt
Internet Engineering Task Force                               D. Whiting
Internet-Draft                                                      Hifn
Expires: March 2003                                           R. Housley
                                                        RSA Laboratories
                                                             N. Ferguson
                                                               MacFergus

                       Counter with CBC-MAC (CCM)

Status of this Memo

   This document is an Internet-Draft and is in full conformance with all
   provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering Task
   Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   Counter with CBC-MAC (CCM) is a generic authenticated encryption block
   cipher mode.
   CCM is defined for use with 128-bit block ciphers, such as AES.

1. Introduction

   Counter with CBC-MAC (CCM) is a generic authenticated encryption block
   cipher mode. CCM is only defined for use with 128-bit block ciphers,
   such as AES [AES]. The CCM design principles can easily be applied to
   other block sizes, but these modes will require their own
   specifications.

1.1. Conventions Used In This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [STDWORDS].

2. CCM Mode Specification

   For the generic CCM mode there are two parameter choices. The first
   choice is M, the size of the authentication field. The choice of the
   value for M involves a trade-off between message expansion and the
   probability that an attacker can undetectably modify a message. Valid
   values are 4, 6, 8, 10, 12, 14, and 16 octets. The second choice is
   L, the size of the length field. This value requires a trade-off
   between the maximum message size and the size of the Nonce. Different
   applications require different trade-offs, so L is a parameter. Valid
   values of L range between 2 octets and 8 octets (the value L=1 is
   reserved).

      Name  Description                               Size    Encoding
      ----  ----------------------------------------  ------  --------
      M     Number of octets in authentication field  3 bits  (M-2)/2
      L     Number of octets in length field          3 bits  L-1

2.1. Inputs

   To authenticate and encrypt a message the following information is
   required:

   1. An encryption key K suitable for the block cipher.

   2. A nonce N of 15-L octets. Within the scope of any encryption
      key K, the nonce value MUST be unique. That is, the set of nonce
      values used with any given key MUST NOT contain any duplicate
      values.
      Using the same nonce for two different messages encrypted with the
      same key destroys the security properties of this mode.

   3. The message m, consisting of a string of l(m) octets where
      0 <= l(m) < 2^(8L). The length restriction ensures that l(m) can
      be encoded in a field of L octets.

   4. Additional authenticated data a, consisting of a string of l(a)
      octets where 0 <= l(a) < 2^64. This additional data is
      authenticated but not encrypted, and is not included in the output
      of this mode. It can be used to authenticate plaintext packet
      headers, or contextual information that affects the interpretation
      of the message. Users who do not wish to authenticate additional
      data can provide a string of length zero.

   The inputs are summarized as:

      Name  Description                          Size
      ----  -----------------------------------  -----------------------
      K     Block cipher key                     Depends on block cipher
      N     Nonce                                15-L octets
      m     Message to authenticate and encrypt  l(m) octets
      a     Additional authenticated data        l(a) octets

2.2. Authentication

   The first step is to compute the authentication field T. This is
   done using CBC-MAC [MAC]. We first define a sequence of blocks B_0,
   B_1, ..., B_n and then apply CBC-MAC to these blocks.

   The first block B_0 is formatted as follows, where l(m) is encoded in
   most-significant-byte first order:

      Octet Number  Contents
      ------------  ---------
      0             Flags
      1 ... 15-L    Nonce N
      16-L ... 15   l(m)

   Within the first block B_0, the Flags field is formatted as follows:

      Bit Number  Contents
      ----------  ----------------------
      7           Reserved (always zero)
      6           Adata
      5 ... 3     M
      2 ... 0     L

   Another way to say the same thing is: Flags = 64*Adata + 8*M + L,
   where M and L stand for the encoded field values described next.

   The Reserved bit is reserved for future expansions and should always
   be set to zero. The Adata bit is set to zero if l(a)=0, and set to
   one if l(a)>0. The M field encodes the value of M as (M-2)/2.
   As M can take on the even values from 4 to 16, the 3-bit field can
   take on the values from one to seven. The 3-bit field MUST NOT have a
   value of zero, which would correspond to a 16-bit integrity check
   value. The L field encodes the size of the length field used to store
   l(m). The parameter L can take on the values from 2 to 8 (recall, the
   value L=1 is reserved). This value is encoded in the 3-bit field
   using the values from one to seven by choosing the field value as L-1
   (the zero value is reserved).

   If l(a)>0 (as indicated by the Adata field), then one or more blocks
   of authentication data are added. These blocks contain l(a) and a
   encoded in a reversible manner. We first construct a string that
   encodes l(a).

   If 0 < l(a) < (2^16 - 2^8), then the length field is encoded as two
   octets which contain the value l(a) in most-significant-byte first
   order.

   If (2^16 - 2^8) <= l(a) < 2^32, then the length field is encoded as
   six octets consisting of the octets 0xff, 0xfe, and four octets
   encoding l(a) in most-significant-byte-first order.

   If 2^32 <= l(a) < 2^64, then the length field is encoded as ten
   octets consisting of the octets 0xff, 0xff, and eight octets encoding
   l(a) in most-significant-byte-first order.

   The length encoding conventions are summarized in the following
   table. Note that all fields are interpreted in most-significant-byte
   first order.

      First two octets   Followed by       Comment
      -----------------  ----------------  -------------------------------
      0x0000             Nothing           Reserved
      0x0001 ... 0xFEFF  Nothing           For 0 < l(a) < (2^16 - 2^8)
      0xFF00 ... 0xFFFD  Nothing           Reserved
      0xFFFE             4 octets of l(a)  For (2^16 - 2^8) <= l(a) < 2^32
      0xFFFF             8 octets of l(a)  For 2^32 <= l(a) < 2^64

   The blocks encoding a are formed by concatenating this string that
   encodes l(a) with a itself, and splitting the result into 16-octet
   blocks, and then padding the last block with zeroes if necessary.
   These blocks are appended to the first block B_0.

   After the (optional) additional authentication blocks have been
   added, we add the message blocks. The message blocks are formed by
   splitting the message m into 16-octet blocks, and then padding the
   last block with zeroes if necessary. If the message m consists of
   the empty string, then no blocks are added in this step.

   The result is a sequence of blocks B_0, B_1, ..., B_n. The CBC-MAC is
   computed by:

      X_1 := E( K, B_0 )
      X_i+1 := E( K, X_i XOR B_i )  for i=1, ..., n
      T := first-M-bytes( X_n+1 )

   where E() is the block cipher encryption function, and T is the MAC
   value. CCM was designed with AES in mind for the E() function, but
   any 128-bit block cipher can be used. Note that the last block B_n
   is XORed with X_n, and the result is encrypted with the block cipher.
   If needed, the ciphertext is truncated to give T.

2.3. Encryption

   To encrypt the message data we use Counter (CTR) mode. We first
   define the key stream blocks by:

      S_i := E( K, A_i )  for i=0, 1, 2, ...

   The values A_i are formatted as follows, where both Nonce (N) and
   Counter (i) fields are encoded in most-significant-byte first order:

      Octet Number  Contents
      ------------  ---------
      0             Flags
      1 ... 15-L    Nonce N
      16-L ... 15   Counter i

   The Flags field is formatted as follows:

      Bit Number  Contents
      ----------  ----------------------
      7           Reserved (always zero)
      6           Reserved (always zero)
      5 ... 3     Zero
      2 ... 0     L

   Another way to say the same thing is: Flags = L, where L stands for
   the encoded field value.
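   The block formatting and CBC-MAC described so far, carried through
   the encryption, output and verification steps of sections 2.3 to 2.5
   that follow, as an added Python example that is not part of the
   draft. The function names, the small AES-128 routine standing in for
   E(), and the restriction to 128-bit keys are choices of this example;
   KEY, NONCE and PACKET are the inputs of Packet Vector #1 from the
   draft's test vectors (section 8).

```python
import hmac

def _xtime(a):                                  # multiply by x in GF(2^8)
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _make_sbox():                               # AES S-box, generated not tabulated
    sbox, p, q = [0x63] + [0] * 255, 1, 1       # entry 0 has no inverse
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        for sh in (1, 2, 4):                                     # q /= 3
            q = (q ^ (q << sh)) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        x = q
        for r in range(1, 5):                                    # affine transform
            x ^= ((q << r) | (q >> (8 - r))) & 0xFF
        sbox[p] = x ^ 0x63
        if p == 1:
            return sbox

SBOX = _make_sbox()

def aes128(key):                                # returns E(K, .) for one 16-octet block
    if len(key) != 16:
        raise ValueError("this example supports 128-bit keys only")
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):                                       # key expansion
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    rk = [sum(w[4 * r:4 * r + 4], []) for r in range(11)]
    def E(block):
        s = [b ^ k for b, k in zip(block, rk[0])]
        for r in range(1, 11):
            s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes+ShiftRows
            if r < 10:                                                 # MixColumns
                s = [s[c + j] ^ s[c] ^ s[c + 1] ^ s[c + 2] ^ s[c + 3]
                     ^ _xtime(s[c + j] ^ s[c + (j + 1) % 4])
                     for c in range(0, 16, 4) for j in range(4)]
            s = [b ^ k for b, k in zip(s, rk[r])]
        return bytes(s)
    return E

def _xor(x, y):                                 # XOR, truncated to the shorter input
    return bytes(p ^ q for p, q in zip(x, y))
def _pad16(s):                                  # zero-pad to a multiple of 16 octets
    return s + bytes(-len(s) % 16)

def format_blocks(N, m, a, M, L):               # B_0 .. B_n of section 2.2
    if M not in (4, 6, 8, 10, 12, 14, 16) or not 2 <= L <= 8:
        raise ValueError("invalid M or L")
    if len(N) != 15 - L or len(m) >= 1 << (8 * L):
        raise ValueError("need l(N) = 15-L and l(m) < 2^(8L)")
    flags = 64 * bool(a) + 8 * ((M - 2) // 2) + (L - 1)    # encoded M and L fields
    out = bytes([flags]) + N + len(m).to_bytes(L, "big")
    if a:                                                   # l(a) encoding, then a
        n = len(a)
        pre = (n.to_bytes(2, "big") if n < 0xFF00 else
               b"\xff\xfe" + n.to_bytes(4, "big") if n < 1 << 32 else
               b"\xff\xff" + n.to_bytes(8, "big"))
        out += _pad16(pre + a)
    out += _pad16(m)
    return [out[i:i + 16] for i in range(0, len(out), 16)]

def counter_block(N, i, L):                     # A_i of section 2.3
    return bytes([L - 1]) + N + i.to_bytes(L, "big")

def _cbc_mac(E, blocks, M):
    x = E(blocks[0])                            # X_1 := E(K, B_0)
    for b in blocks[1:]:
        x = E(_xor(x, b))                       # X_i+1 := E(K, X_i XOR B_i)
    return x[:M]                                # T := first-M-bytes(X_n+1)

def _keystream(E, N, n, L):                     # S_1, S_2, ... covering n octets
    return b"".join(E(counter_block(N, i, L)) for i in range(1, (n + 15) // 16 + 1))

def ccm_encrypt(K, N, m, a=b"", M=8, L=2):
    E = aes128(K)
    T = _cbc_mac(E, format_blocks(N, m, a, M, L), M)
    U = _xor(T, E(counter_block(N, 0, L)))      # U := T XOR first-M-bytes(S_0)
    return _xor(m, _keystream(E, N, len(m), L)) + U

def ccm_decrypt(K, N, c, a=b"", M=8, L=2):
    E = aes128(K)
    if len(c) < M or len(N) != 15 - L:
        raise ValueError("authentication failed")
    m = _xor(c[:-M], _keystream(E, N, len(c) - M, L))
    T = _xor(c[-M:], E(counter_block(N, 0, L)))
    if not hmac.compare_digest(T, _cbc_mac(E, format_blocks(N, m, a, M, L), M)):
        raise ValueError("authentication failed")   # release neither m nor T
    return m

# Inputs of Packet Vector #1; the first 8 octets of PACKET are the header a.
KEY = bytes.fromhex("C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF")
NONCE = bytes.fromhex("00000003020100A0A1A2A3A4A5")
PACKET = bytes(range(31))
```

   The AES routine here exists to trace the mode step by step; it is
   slow and not constant-time, so a vetted cipher implementation belongs
   in its place in real use.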
   The Reserved bits are reserved for future expansions and MUST be set
   to zero. Bit 6 corresponds to the Adata bit in the B_0 block, but as
   this bit is not used here, it is reserved and MUST be set to zero.
   Bits 3, 4, and 5 are also set to zero, ensuring that all the A blocks
   are distinct from B_0, which has the non-zero encoding of M in this
   position. Bits 0, 1, and 2 contain L, using the same encoding as in
   B_0.

   The message is encrypted by XORing the octets of message m with the
   first l(m) octets of the concatenation of S_1, S_2, S_3, ... . Note
   that S_0 is not used to encrypt the message.

   The authentication value U is computed by encrypting T with the key
   stream block S_0 and truncating it to the desired length.

      U := T XOR first-M-bytes( S_0 )

2.4. Output

   The final result c consists of the encrypted message followed by the
   encrypted authentication value U.

2.5. Decryption and Authentication Checking

   To decrypt a message the following information is required:

   1. The encryption key K.

   2. The nonce N.

   3. The additional authenticated data a.

   4. The encrypted and authenticated message c.

   Decryption starts by recomputing the key stream to recover the
   message m and the MAC value T. The message and additional
   authentication data are then used to recompute the CBC-MAC value and
   check T.

   If the T value is not correct, the receiver MUST NOT reveal any
   information except for the fact that T is incorrect. The receiver
   MUST NOT reveal the decrypted message, the value T, or any other
   information.

2.6. Restrictions

   To preserve security, implementations need to limit the total amount
   of data that is encrypted with a single key; the total number of
   block cipher encryption operations in the CBC-MAC and encryption
   together cannot exceed 2^61. (This allows nearly 2^64 octets to be
   encrypted and authenticated using CCM.
   This is roughly 16 million terabytes, which should be more than
   enough for most applications.) In an environment where this limit
   might be reached, the sender MUST ensure that the total number of
   block cipher encryption operations in the CBC-MAC and encryption
   together does not exceed 2^61. Receivers that do not expect to
   decrypt the same message twice MAY also check this limit.

   The recipient MUST verify the CBC-MAC before releasing any
   information such as the plaintext. If the CBC-MAC verification
   fails, the receiver MUST destroy all information, except for the fact
   that the CBC-MAC verification failed.

3. Security Proof

   Jakob Jonsson has developed a security proof of CCM [PROOF]. The
   resulting paper was presented at the SAC 2002 conference. The proof
   shows that CCM provides a level of confidentiality and authenticity
   that is in line with other proposed authenticated encryption modes,
   such as OCB mode [OCB].

4. Rationale

   The main difficulty in specifying this mode is the trade-off between
   nonce size and counter size. For a general mode we want to support
   large messages. Some applications use only small messages, but would
   rather have a larger nonce. Introducing the L parameter solves this
   issue. The parameter M gives the traditional trade-off between
   message expansion and probability of forgery. For most applications,
   we recommend choosing M at least 8.

   The CBC-MAC is computed over a sequence of blocks that encode the
   relevant data in a unique way. Given the block sequence it is easy
   to recover N, M, L, m, and a. The length encoding of a was chosen to
   be simple and efficient when a is empty and when a is small. We
   expect that many implementations will limit the maximum size of a.

   CCM encryption is a straightforward application of CTR mode [MODES].
   As some implementations will support a variable length counter field,
   we have ensured that the least significant octet of the counter is at
   one end of the field. This also ensures that the counter is aligned
   on the block boundary.

   By encrypting T we avoid CBC-MAC collision attacks. If the block
   cipher behaves as a pseudo-random permutation, then the key stream is
   indistinguishable from a random string. Thus, the attacker gets no
   information about the CBC-MAC results. The only avenue of attack
   that is left is a differential-style attack, which has no significant
   chance of success if the block cipher is a pseudo-random permutation.

   To simplify implementation we use the same block cipher key for the
   encryption and authentication functions. In our design this is not a
   problem. All the A blocks are different, and they are different from
   the B_0 block. If the block cipher behaves like a random
   permutation, then the outputs are independent of each other, up to
   the insignificant limitation that they are all different. The only
   cases where the inputs to the block cipher can overlap are an
   intermediate value in the CBC-MAC and one of the other encryptions.
   As all the intermediate values of the CBC-MAC computation are
   essentially random (because the block cipher behaves like a random
   permutation) the probability of such a collision is very small. Even
   if there is a collision, these values only affect T, which is
   encrypted so that an attacker cannot deduce any information, or
   detect any collision.

   Care has been taken to ensure that the blocks used by the
   authentication function match up with the blocks used by the
   encryption function. This should simplify hardware implementations,
   and reduce the amount of byte-shifting required by software
   implementations.

5. Nonce Suggestions

   The main requirement is that, within the scope of a single key, the
   nonce values are unique for each message. A common technique is to
   number messages sequentially, and to use this number as the nonce.
   Sequential message numbers are also used to detect replay attacks and
   to detect message reordering, so in many situations (such as IPsec
   ESP [ESP]) the sequence numbers are already available.

   Users of CCM, and all other block cipher modes, should be aware of
   precomputation attacks. These are effectively collision attacks on
   the cipher key. Let us suppose the key K is 128 bits, and the same
   nonce value N' is used with many different keys. The attacker
   chooses a particular nonce N'. She chooses 2^64 different keys at
   random and computes a table entry for each K value, generating a pair
   of the form (K,S_1). (Given the key and the nonce, computing S_1 is
   easy.) She then waits for messages to be sent with nonce N'. We
   will assume the first 16 bytes of each message are known so that she
   can compute S_1 for each message. She looks in her table for a pair
   with a matching S_1 value. She can expect to find a match after
   checking about 2^64 messages. Once a match is found, the other part
   of the matched pair is the key in question. The total workload of
   the attacker is only 2^64 steps, rather than the expected 2^128
   steps. Similar precomputation attacks exist for all block cipher
   modes.

   The main weapon against precomputation attacks is to use a larger
   key. Using a 256-bit key forces the attacker to perform at least
   2^128 precomputations, which is infeasible. In situations where
   using a large key is not possible or desirable (for example, due to
   the resulting performance impact), users can use part of the nonce to
   reduce the number of times any specific nonce value is used with
   different keys.
   If there is room in the nonce, the sender could add a few random
   bytes, and send these random bytes along with the message. This
   makes the precomputation attack much harder, as the attacker now has
   to precompute a table for each of the possible random values. An
   alternative is to use something like the sender's Ethernet address.
   Note that due to the widespread use of DHCP and NAT, IP addresses are
   rarely unique. Including the Ethernet address forces the attacker to
   perform the precomputation specifically for a specific source
   address, and the resulting table could not be used to attack anyone
   else. Although these solutions can all work, they need careful
   analysis and almost never entirely prevent these attacks. Where
   possible, we recommend using a larger key, as this solves all the
   problems.

6. Efficiency and Performance

   Performance depends on the speed of the block cipher implementation.
   In hardware, for large packets, the speed achievable for CCM is
   roughly the same as that achievable with the CBC encryption mode.

   Encrypting and authenticating an empty message, without any
   additional authentication data, requires two block cipher encryption
   operations. For each block of additional authentication data one
   additional block cipher encryption operation is required (if one
   includes the length encoding). Each message block requires two block
   cipher encryption operations. The worst-case situation is when both
   the message and the additional authentication data are a single
   octet. In this case, CCM requires five block cipher encryption
   operations.

   CCM results in the minimal possible message expansion; the only bits
   added are the authentication bits.

   Both the CCM encryption and CCM decryption operations require only
   the block cipher encryption function. In AES, the encryption and
   decryption algorithms have some significant differences.
   Thus, using only the encrypt operation can lead to a significant
   savings in code size or hardware size.

   In hardware, CCM can compute the message authentication code and
   perform encryption in a single pass. That is, the implementation
   does not have to complete calculation of the message authentication
   code before encryption can begin.

7. Summary of Properties

   Security Function
      authenticated encryption

   Error Propagation
      none

   Synchronization
      same nonce used by sender and recipient

   Parallelizability
      encryption can be parallelized, but authentication cannot

   Keying Material Requirements
      one key

   Counter/IV/Nonce Requirements
      counter and nonce are part of the counter block

   Memory Requirements
      requires memory for encrypt operation of the underlying block
      cipher, plaintext, ciphertext (expanded for CBC-MAC), and a
      per-packet counter (an integer; at most L octets in size)

   Pre-processing Capability
      encryption key stream can be precomputed, but authentication
      cannot

   Message Length Requirements
      octet aligned message of arbitrary length, up to 2^(8*L) octets,
      and octet aligned arbitrary additional authenticated data, up to
      2^64 octets

   Ciphertext Expansion
      4, 6, 8, 10, 12, 14, or 16 octets depending on size of MAC
      selected

8. Test Vectors

   These test vectors use AES for the block cipher [AES]. In each of
   these test vectors, the least significant sixteen bits of the counter
   block is used for the block counter, and the nonce is 13 octets.
   Some of the test vectors include an eight octet authentication value,
   and others include a ten octet authentication value.
[Input with 8 cleartext header octets] 469 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 470 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 471 CBC IV in: 59 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5 00 17 472 CBC IV out:EB 9D 55 47 73 09 55 AB 23 1E 0A 2D FE 4B 90 D6 473 After xor: EB 95 55 46 71 0A 51 AE 25 19 0A 2D FE 4B 90 D6 [hdr] 474 After AES: CD B6 41 1E 3C DC 9B 4F 5D 92 58 B6 9E E7 F0 91 475 After xor: C5 BF 4B 15 30 D1 95 40 4D 83 4A A5 8A F2 E6 86 [msg] 476 After AES: 9C 38 40 5E A0 3C 1B C9 04 B5 8B 40 C7 6C A2 EB 477 After xor: 84 21 5A 45 BC 21 05 C9 04 B5 8B 40 C7 6C A2 EB [msg] 478 After AES: 2D C6 97 E4 11 CA 83 A8 60 C2 C4 06 CC AA 54 2F 479 CBC-MAC : 2D C6 97 E4 11 CA 83 A8 480 CTR Start: 01 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5 00 01 481 CTR[0001]: 50 85 9D 91 6D CB 6D DD E0 77 C2 D1 D4 EC 9F 97 482 CTR[0002]: 75 46 71 7A C6 DE 9A FF 64 0C 9C 06 DE 6D 0D 8F 483 CTR[MAC ]: 3A 2E 46 C8 EC 33 A5 48 484 Total packet length = 39. [Authenticated and Encrypted Output] 485 00 01 02 03 04 05 06 07 58 8C 97 9A 61 C6 63 D2 486 F0 66 D0 C2 C0 F9 89 80 6D 5F 6B 61 DA C3 84 17 487 E8 D1 2C FD F9 26 E0 489 =============== Packet Vector #2 ================== 490 AES Key = C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 491 Nonce = 00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5 492 Total packet length = 32. 
[Input with 8 cleartext header octets] 493 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 494 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 495 CBC IV in: 59 00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5 00 18 496 CBC IV out:F0 C2 54 D3 CA 03 E2 39 70 BD 24 A8 4C 39 9E 77 497 After xor: F0 CA 54 D2 C8 00 E6 3C 76 BA 24 A8 4C 39 9E 77 [hdr] 498 After AES: 48 DE 8B 86 28 EA 4A 40 00 AA 42 C2 95 BF 4A 8C 499 After xor: 40 D7 81 8D 24 E7 44 4F 10 BB 50 D1 81 AA 5C 9B [msg] 500 After AES: 0F 89 FF BC A6 2B C2 4F 13 21 5F 16 87 96 AA 33 501 After xor: 17 90 E5 A7 BA 36 DC 50 13 21 5F 16 87 96 AA 33 [msg] 502 After AES: F7 B9 05 6A 86 92 6C F3 FB 16 3D C4 99 EF AA 11 503 CBC-MAC : F7 B9 05 6A 86 92 6C F3 504 CTR Start: 01 00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5 00 01 505 CTR[0001]: 7A C0 10 3D ED 38 F6 C0 39 0D BA 87 1C 49 91 F4 506 CTR[0002]: D4 0C DE 22 D5 F9 24 24 F7 BE 9A 56 9D A7 9F 51 507 CTR[MAC ]: 57 28 D0 04 96 D2 65 E5 508 Total packet length = 40. [Authenticated and Encrypted Output] 509 00 01 02 03 04 05 06 07 72 C9 1A 36 E1 35 F8 CF 510 29 1C A8 94 08 5C 87 E3 CC 15 C4 39 C9 E4 3A 3B 511 A0 91 D5 6E 10 40 09 16 513 =============== Packet Vector #3 ================== 514 AES Key = C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 515 Nonce = 00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5 516 Total packet length = 33. 
[Input with 8 cleartext header octets] 517 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 518 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 519 20 520 CBC IV in: 59 00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5 00 19 521 CBC IV out:6F 8A 12 F7 BF 8D 4D C5 A1 19 6E 95 DF F0 B4 27 522 After xor: 6F 82 12 F6 BD 8E 49 C0 A7 1E 6E 95 DF F0 B4 27 [hdr] 523 After AES: 37 E9 B7 8C C2 20 17 E7 33 80 43 0C BE F4 28 24 524 After xor: 3F E0 BD 87 CE 2D 19 E8 23 91 51 1F AA E1 3E 33 [msg] 525 After AES: 90 CA 05 13 9F 4D 4E CF 22 6F E9 81 C5 9E 2D 40 526 After xor: 88 D3 1F 08 83 50 50 D0 02 6F E9 81 C5 9E 2D 40 [msg] 527 After AES: 73 B4 67 75 C0 26 DE AA 41 03 97 D6 70 FE 5F B0 528 CBC-MAC : 73 B4 67 75 C0 26 DE AA 529 CTR Start: 01 00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5 00 01 530 CTR[0001]: 59 B8 EF FF 46 14 73 12 B4 7A 1D 9D 39 3D 3C FF 531 CTR[0002]: 69 F1 22 A0 78 C7 9B 89 77 89 4C 99 97 5C 23 78 532 CTR[MAC ]: 39 6E C0 1A 7D B9 6E 6F 533 Total packet length = 41. [Authenticated and Encrypted Output] 534 00 01 02 03 04 05 06 07 51 B1 E5 F4 4A 19 7D 1D 535 A4 6B 0F 8E 2D 28 2A E8 71 E8 38 BB 64 DA 85 96 536 57 4A DA A7 6F BD 9F B0 C5 538 =============== Packet Vector #4 ================== 539 AES Key = C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 540 Nonce = 00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5 541 Total packet length = 31. 
[Input with 12 cleartext header octets] 542 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 543 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 544 CBC IV in: 59 00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5 00 13 545 CBC IV out:06 65 2C 60 0E F5 89 63 CA C3 25 A9 CD 3E 2B E1 546 After xor: 06 69 2C 61 0C F6 8D 66 CC C4 2D A0 C7 35 2B E1 [hdr] 547 After AES: A0 75 09 AC 15 C2 58 86 04 2F 80 60 54 FE A6 86 548 After xor: AC 78 07 A3 05 D3 4A 95 10 3A 96 77 4C E7 BC 9D [msg] 549 After AES: 64 4C 09 90 D9 1B 83 E9 AB 4B 8E ED 06 6F F5 BF 550 After xor: 78 51 17 90 D9 1B 83 E9 AB 4B 8E ED 06 6F F5 BF [msg] 551 After AES: 4B 4F 4B 39 B5 93 E6 BF B0 B2 C2 B7 0F 29 CD 7A 552 CBC-MAC : 4B 4F 4B 39 B5 93 E6 BF 553 CTR Start: 01 00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5 00 01 554 CTR[0001]: AE 81 66 6A 83 8B 88 6A EE BF 4A 5B 32 84 50 8A 555 CTR[0002]: D1 B1 92 06 AC 93 9E 2F B6 DD CE 10 A7 74 FD 8D 556 CTR[MAC ]: DD 87 2A 80 7C 75 F8 4E 557 Total packet length = 39. [Authenticated and Encrypted Output] 558 00 01 02 03 04 05 06 07 08 09 0A 0B A2 8C 68 65 559 93 9A 9A 79 FA AA 5C 4C 2A 9D 4A 91 CD AC 8C 96 560 C8 61 B9 C9 E6 1E F1 562 =============== Packet Vector #5 ================== 563 AES Key = C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 564 Nonce = 00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5 565 Total packet length = 32. 
[Input with 12 cleartext header octets] 566 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 567 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 568 CBC IV in: 59 00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5 00 14 569 CBC IV out:00 4C 50 95 45 80 3C 48 51 CD E1 3B 56 C8 9A 85 570 After xor: 00 40 50 94 47 83 38 4D 57 CA E9 32 5C C3 9A 85 [hdr] 571 After AES: E2 B8 F7 CE 49 B2 21 72 84 A8 EA 84 FA AD 67 5C 572 After xor: EE B5 F9 C1 59 A3 33 61 90 BD FC 93 E2 B4 7D 47 [msg] 573 After AES: 3E FB 36 72 25 DB 11 01 D3 C2 2F 0E CA FF 44 F3 574 After xor: 22 E6 28 6D 25 DB 11 01 D3 C2 2F 0E CA FF 44 F3 [msg] 575 After AES: 48 B9 E8 82 55 05 4A B5 49 0A 95 F9 34 9B 4B 5E 576 CBC-MAC : 48 B9 E8 82 55 05 4A B5 577 CTR Start: 01 00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5 00 01 578 CTR[0001]: D0 FC F5 74 4D 8F 31 E8 89 5B 05 05 4B 7C 90 C3 579 CTR[0002]: 72 A0 D4 21 9F 0D E1 D4 04 83 BC 2D 3D 0C FC 2A 580 CTR[MAC ]: 19 51 D7 85 28 99 67 26 581 Total packet length = 40. [Authenticated and Encrypted Output] 582 00 01 02 03 04 05 06 07 08 09 0A 0B DC F1 FB 7B 583 5D 9E 23 FB 9D 4E 13 12 53 65 8A D8 6E BD CA 3E 584 51 E8 3F 07 7D 9C 2D 93 586 =============== Packet Vector #6 ================== 587 AES Key = C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 588 Nonce = 00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5 589 Total packet length = 33. 
[Input with 12 cleartext header octets] 590 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 591 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 592 20 593 CBC IV in: 59 00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5 00 15 594 CBC IV out:04 72 DA 4C 6F F6 0A 63 06 52 1A 06 04 80 CD E5 595 After xor: 04 7E DA 4D 6D F5 0E 66 00 55 12 0F 0E 8B CD E5 [hdr] 596 After AES: 64 4C 36 A5 A2 27 37 62 0B 89 F1 D7 BF F2 73 D4 597 After xor: 68 41 38 AA B2 36 25 71 1F 9C E7 C0 A7 EB 69 CF [msg] 598 After AES: 41 E1 19 CD 19 24 CE 77 F1 2F A6 60 C1 6E BB 4E 599 After xor: 5D FC 07 D2 39 24 CE 77 F1 2F A6 60 C1 6E BB 4E [msg] 600 After AES: A5 27 D8 15 6A C3 59 BF 1C B8 86 E6 2F 29 91 29 601 CBC-MAC : A5 27 D8 15 6A C3 59 BF 602 CTR Start: 01 00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5 00 01 603 CTR[0001]: 63 CC BE 1E E0 17 44 98 45 64 B2 3A 8D 24 5C 80 604 CTR[0002]: 39 6D BA A2 A7 D2 CB D4 B5 E1 7C 10 79 45 BB C0 605 CTR[MAC ]: E5 7D DC 56 C6 52 92 2B 606 Total packet length = 41. [Authenticated and Encrypted Output] 607 00 01 02 03 04 05 06 07 08 09 0A 0B 6F C1 B0 11 608 F0 06 56 8B 51 71 A4 2D 95 3D 46 9B 25 70 A4 BD 609 87 40 5A 04 43 AC 91 CB 94 611 =============== Packet Vector #7 ================== 612 AES Key = C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 613 Nonce = 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5 614 Total packet length = 31. 
[Input with 8 cleartext header octets] 615 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 616 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 617 CBC IV in: 61 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5 00 17 618 CBC IV out:60 06 C5 72 DA 23 9C BF A0 5B 0A DE D2 CD A8 1E 619 After xor: 60 0E C5 73 D8 20 98 BA A6 5C 0A DE D2 CD A8 1E [hdr] 620 After AES: 41 7D E2 AE 94 E2 EA D9 00 FC 44 FC D0 69 52 27 621 After xor: 49 74 E8 A5 98 EF E4 D6 10 ED 56 EF C4 7C 44 30 [msg] 622 After AES: 2A 6C 42 CA 49 D7 C7 01 C5 7D 59 FF 87 16 49 0E 623 After xor: 32 75 58 D1 55 CA D9 01 C5 7D 59 FF 87 16 49 0E [msg] 624 After AES: 89 8B D6 45 4E 27 20 BB D2 7E F3 15 7A 7C 90 B2 625 CBC-MAC : 89 8B D6 45 4E 27 20 BB D2 7E 626 CTR Start: 01 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5 00 01 627 CTR[0001]: 09 3C DB B9 C5 52 4F DA C1 C5 EC D2 91 C4 70 AF 628 CTR[0002]: 11 57 83 86 E2 C4 72 B4 8E CC 8A AD AB 77 6F CB 629 CTR[MAC ]: 8D 07 80 25 62 B0 8C 00 A6 EE 630 Total packet length = 41. [Authenticated and Encrypted Output] 631 00 01 02 03 04 05 06 07 01 35 D1 B2 C9 5F 41 D5 632 D1 D4 FE C1 85 D1 66 B8 09 4E 99 9D FE D9 6C 04 633 8C 56 60 2C 97 AC BB 74 90 635 =============== Packet Vector #8 ================== 636 AES Key = C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 637 Nonce = 00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5 638 Total packet length = 32. 
   [Input with 8 cleartext header octets]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
   CBC IV in: 61 00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5 00 18
   CBC IV out:63 A3 FA E4 6C 79 F3 FA 78 38 B8 A2 80 36 B6 0B
   After xor: 63 AB FA E5 6E 7A F7 FF 7E 3F B8 A2 80 36 B6 0B [hdr]
   After AES: 1C 99 1A 3D B7 60 79 27 34 40 79 1F AD 8B 5B 02
   After xor: 14 90 10 36 BB 6D 77 28 24 51 6B 0C B9 9E 4D 15 [msg]
   After AES: 14 19 E8 E8 CB BE 75 58 E1 E3 BE 4B 6C 9F 82 E3
   After xor: 0C 00 F2 F3 D7 A3 6B 47 E1 E3 BE 4B 6C 9F 82 E3 [msg]
   After AES: E0 16 E8 1C 7F 7B 8A 38 A5 38 F2 CB 5B B6 C1 F2
   CBC-MAC  : E0 16 E8 1C 7F 7B 8A 38 A5 38
   CTR Start: 01 00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: 73 7C 33 91 CC 8E 13 DD E0 AA C5 4B 6D B7 EB 98
   CTR[0002]: 74 B7 71 77 C5 AA C5 3B 04 A4 F8 70 8E 92 EB 2B
   CTR[MAC ]: 21 6D AC 2F 8B 4F 1C 07 91 8C
   Total packet length = 42. [Authenticated and Encrypted Output]
              00 01 02 03 04 05 06 07 7B 75 39 9A C0 83 1D D2
              F0 BB D7 58 79 A2 FD 8F 6C AE 6B 6C D9 B7 DB 24
              C1 7B 44 33 F4 34 96 3F 34 B4

   =============== Packet Vector #9 ==================
   AES Key =  C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5
   Total packet length = 33.
   [Input with 8 cleartext header octets]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
              20
   CBC IV in: 61 00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5 00 19
   CBC IV out:4F 2C 86 11 1E 08 2A DD 6B 44 21 3A B5 13 13 16
   After xor: 4F 24 86 10 1C 0B 2E D8 6D 43 21 3A B5 13 13 16 [hdr]
   After AES: F6 EC 56 87 3C 57 12 DC 9C C5 3C A8 D4 D1 ED 0A
   After xor: FE E5 5C 8C 30 5A 1C D3 8C D4 2E BB C0 C4 FB 1D [msg]
   After AES: 17 C1 80 A5 31 53 D4 C3 03 85 0C 95 65 80 34 52
   After xor: 0F D8 9A BE 2D 4E CA DC 23 85 0C 95 65 80 34 52 [msg]
   After AES: 46 A1 F6 E2 B1 6E 75 F8 1C F5 6B 1A 80 04 44 1B
   CBC-MAC  : 46 A1 F6 E2 B1 6E 75 F8 1C F5
   CTR Start: 01 00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: 8A 5A 10 6B C0 29 9A 55 5B 93 6B 0B 0E A0 DE 5A
   CTR[0002]: EA 05 FD E2 AB 22 5C FE B7 73 12 CB 88 D9 A5 4A
   CTR[MAC ]: AC 3D F1 07 DA 30 C4 86 43 BB
   Total packet length = 43. [Authenticated and Encrypted Output]
              00 01 02 03 04 05 06 07 82 53 1A 60 CC 24 94 5A
              4B 82 79 18 1A B5 C8 4D F2 1C E7 F9 B7 3F 42 E1
              97 EA 9C 07 E5 6B 5E B1 7E 5F 4E

   =============== Packet Vector #10 ==================
   AES Key =  C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5
   Total packet length = 31.
   [Input with 12 cleartext header octets]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E
   CBC IV in: 61 00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5 00 13
   CBC IV out:7F B8 0A 32 E9 80 57 46 EC 31 6C 3A B2 A2 EB 5D
   After xor: 7F B4 0A 33 EB 83 53 43 EA 36 64 33 B8 A9 EB 5D [hdr]
   After AES: 7E 96 96 BF F1 56 D6 A8 6E AC F5 7B 7F 23 47 5A
   After xor: 72 9B 98 B0 E1 47 C4 BB 7A B9 E3 6C 67 3A 5D 41 [msg]
   After AES: 8B 4A EE 42 04 24 8A 59 FA CC 88 66 57 66 DD 72
   After xor: 97 57 F0 42 04 24 8A 59 FA CC 88 66 57 66 DD 72 [msg]
   After AES: 41 63 89 36 62 ED D7 EB CD 6E 15 C1 89 48 62 05
   CBC-MAC  : 41 63 89 36 62 ED D7 EB CD 6E
   CTR Start: 01 00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: 0B 39 2B 9B 05 66 97 06 3F 12 56 8F 2B 13 A1 0F
   CTR[0002]: 07 89 65 25 23 40 94 3B 9E 69 B2 56 CC 5E F7 31
   CTR[MAC ]: 17 09 20 76 09 A0 4E 72 45 B3
   Total packet length = 41. [Authenticated and Encrypted Output]
              00 01 02 03 04 05 06 07 08 09 0A 0B 07 34 25 94
              15 77 85 15 2B 07 40 98 33 0A BB 14 1B 94 7B 56
              6A A9 40 6B 4D 99 99 88 DD

   =============== Packet Vector #11 ==================
   AES Key =  C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5
   Total packet length = 32.
   [Input with 12 cleartext header octets]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
   CBC IV in: 61 00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5 00 14
   CBC IV out:B0 84 85 79 51 D2 FA 42 76 EF 3A D7 14 B9 62 87
   After xor: B0 88 85 78 53 D1 FE 47 70 E8 32 DE 1E B2 62 87 [hdr]
   After AES: C9 B3 64 7E D8 79 2A 5C 65 B7 CE CC 19 0A 97 0A
   After xor: C5 BE 6A 71 C8 68 38 4F 71 A2 D8 DB 01 13 8D 11 [msg]
   After AES: 34 0F 69 17 FA B9 19 D6 1D AC D0 35 36 D6 55 8B
   After xor: 28 12 77 08 FA B9 19 D6 1D AC D0 35 36 D6 55 8B [msg]
   After AES: 6B 5E 24 34 12 CC C2 AD 6F 1B 11 C3 A1 A9 D8 BC
   CBC-MAC  : 6B 5E 24 34 12 CC C2 AD 6F 1B
   CTR Start: 01 00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: 6B 66 BC 0C 90 A1 F1 12 FC BE 6F 4E 12 20 77 BC
   CTR[0002]: 97 9E 57 2B BE 65 8A E5 CC 20 11 83 2A 9A 9B 5B
   CTR[MAC ]: 9E 64 86 DD 02 B6 49 C1 6D 37
   Total packet length = 42. [Authenticated and Encrypted Output]
              00 01 02 03 04 05 06 07 08 09 0A 0B 67 6B B2 03
              80 B0 E3 01 E8 AB 79 59 0A 39 6D A7 8B 83 49 34
              F5 3A A2 E9 10 7A 8B 6C 02 2C

   =============== Packet Vector #12 ==================
   AES Key =  C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5
   Total packet length = 33.
   [Input with 12 cleartext header octets]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
              20
   CBC IV in: 61 00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5 00 15
   CBC IV out:5F 8E 8D 02 AD 95 7C 5A 36 14 CF 63 40 16 97 4F
   After xor: 5F 82 8D 03 AF 96 78 5F 30 13 C7 6A 4A 1D 97 4F [hdr]
   After AES: 63 FA BD 69 B9 55 65 FF 54 AA F4 60 88 7D EC 9F
   After xor: 6F F7 B3 66 A9 44 77 EC 40 BF E2 77 90 64 F6 84 [msg]
   After AES: 5A 76 5F 0B 93 CE 4F 6A B4 1D 91 30 18 57 6A D7
   After xor: 46 6B 41 14 B3 CE 4F 6A B4 1D 91 30 18 57 6A D7 [msg]
   After AES: 9D 66 92 41 01 08 D5 B6 A1 45 85 AC AF 86 32 E8
   CBC-MAC  : 9D 66 92 41 01 08 D5 B6 A1 45
   CTR Start: 01 00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: CC F2 AE D9 E0 4A C9 74 E6 58 55 B3 2B 94 30 BF
   CTR[0002]: A2 CA AC 11 63 F4 07 E5 E5 F6 E3 B3 79 0F 79 F8
   CTR[MAC ]: 50 7C 31 57 63 EF 78 D3 77 9E
   Total packet length = 43. [Authenticated and Encrypted Output]
              00 01 02 03 04 05 06 07 08 09 0A 0B C0 FF A0 D6
              F0 5B DB 67 F2 4D 43 A4 33 8D 2A A4 BE D7 B2 0E
              43 CD 1A A3 16 62 E7 AD 65 D6 DB

   =============== Packet Vector #13 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 41 2B 4E A9 CD BE 3C 96 96 76 6C FA
   Total packet length = 31.
   [Input with 8 cleartext header octets]
              0B E1 A8 8B AC E0 18 B1 08 E8 CF 97 D8 20 EA 25
              84 60 E9 6A D9 CF 52 89 05 4D 89 5C EA C4 7C
   CBC IV in: 59 00 41 2B 4E A9 CD BE 3C 96 96 76 6C FA 00 17
   CBC IV out:33 AE C3 1A 1F B7 CC 35 E5 DA D2 BA C0 90 D9 A3
   After xor: 33 A6 C8 FB B7 3C 60 D5 FD 6B D2 BA C0 90 D9 A3 [hdr]
   After AES: B7 56 CA 1E 5B 42 C6 9C 58 E3 0A F5 2B F7 7C FD
   After xor: BF BE 05 89 83 62 2C B9 DC 83 E3 9F F2 38 2E 74 [msg]
   After AES: 33 3D 3A 3D 07 B5 3C 7B 22 0E 96 1A 18 A9 A1 9E
   After xor: 36 70 B3 61 ED 71 40 7B 22 0E 96 1A 18 A9 A1 9E [msg]
   After AES: 14 BD DB 6B F9 01 63 4D FB 56 51 83 BC 74 93 F7
   CBC-MAC  : 14 BD DB 6B F9 01 63 4D
   CTR Start: 01 00 41 2B 4E A9 CD BE 3C 96 96 76 6C FA 00 01
   CTR[0001]: 44 51 B0 11 7A 84 82 BF 03 19 AE C1 59 5E BD DA
   CTR[0002]: 83 EB 76 E1 3A 44 84 7F 92 20 09 07 76 B8 25 C5
   CTR[MAC ]: F3 31 2C A0 F5 DC B4 FE
   Total packet length = 39. [Authenticated and Encrypted Output]
              0B E1 A8 8B AC E0 18 B1 4C B9 7F 86 A2 A4 68 9A
              87 79 47 AB 80 91 EF 53 86 A6 FF BD D0 80 F8 E7
              8C F7 CB 0C DD D7 B3

   =============== Packet Vector #14 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 33 56 8E F7 B2 63 3C 96 96 76 6C FA
   Total packet length = 32.
   [Input with 8 cleartext header octets]
              63 01 8F 76 DC 8A 1B CB 90 20 EA 6F 91 BD D8 5A
              FA 00 39 BA 4B AF F9 BF B7 9C 70 28 94 9C D0 EC
   CBC IV in: 59 00 33 56 8E F7 B2 63 3C 96 96 76 6C FA 00 18
   CBC IV out:42 0D B1 50 BB 0C 44 DA 83 E4 52 09 55 99 67 E3
   After xor: 42 05 D2 51 34 7A 98 50 98 2F 52 09 55 99 67 E3 [hdr]
   After AES: EA D1 CA 56 02 02 09 5C E6 12 B0 D2 18 A0 DD 44
   After xor: 7A F1 20 39 93 BF D1 06 1C 12 89 68 53 0F 24 FB [msg]
   After AES: 51 77 41 69 C3 DE 6B 24 13 27 74 90 F5 FF C5 62
   After xor: E6 EB 31 41 57 42 BB C8 13 27 74 90 F5 FF C5 62 [msg]
   After AES: D4 CC 3B 82 DF 9F CC 56 7E E5 83 61 D7 8D FB 5E
   CBC-MAC  : D4 CC 3B 82 DF 9F CC 56
   CTR Start: 01 00 33 56 8E F7 B2 63 3C 96 96 76 6C FA 00 01
   CTR[0001]: DC EB F4 13 38 3C 66 A0 5A 72 55 EF 98 D7 FF AD
   CTR[0002]: 2F 54 2C BA 15 D6 6C DF E1 EC 46 8F 0E 68 A1 24
   CTR[MAC ]: 11 E2 D3 9F A2 E8 0C DC
   Total packet length = 40. [Authenticated and Encrypted Output]
              63 01 8F 76 DC 8A 1B CB 4C CB 1E 7C A9 81 BE FA
              A0 72 6C 55 D3 78 06 12 98 C8 5C 92 81 4A BC 33
              C5 2E E8 1D 7D 77 C0 8A

   =============== Packet Vector #15 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 10 3F E4 13 36 71 3C 96 96 76 6C FA
   Total packet length = 33.
   [Input with 8 cleartext header octets]
              AA 6C FA 36 CA E8 6B 40 B9 16 E0 EA CC 1C 00 D7
              DC EC 68 EC 0B 3B BB 1A 02 DE 8A 2D 1A A3 46 13
              2E
   CBC IV in: 59 00 10 3F E4 13 36 71 3C 96 96 76 6C FA 00 19
   CBC IV out:B3 26 49 FF D5 9F 56 0F 02 2D 11 E2 62 C5 BE EA
   After xor: B3 2E E3 93 2F A9 9C E7 69 6D 11 E2 62 C5 BE EA [hdr]
   After AES: 82 50 9E E5 B2 FF DB CA 9B D0 2E 20 6B 3F B7 AD
   After xor: 3B 46 7E 0F 7E E3 DB 1D 47 3C 46 CC 60 04 0C B7 [msg]
   After AES: 80 46 0E 4C 08 3A D0 3F B9 A9 13 BE E4 DE 2F 66
   After xor: 82 98 84 61 12 99 96 2C 97 A9 13 BE E4 DE 2F 66 [msg]
   After AES: 47 29 CB 00 31 F1 81 C1 92 68 4B 89 A4 71 50 E7
   CBC-MAC  : 47 29 CB 00 31 F1 81 C1
   CTR Start: 01 00 10 3F E4 13 36 71 3C 96 96 76 6C FA 00 01
   CTR[0001]: 08 C4 DA C8 EC C1 C0 7B 4C E1 F2 4C 37 5A 47 EE
   CTR[0002]: A7 87 2E 6C 6D C4 4E 84 26 02 50 4C 3F A5 73 C5
   CTR[MAC ]: E0 5F B2 6E EA 83 B4 C7
   Total packet length = 41. [Authenticated and Encrypted Output]
              AA 6C FA 36 CA E8 6B 40 B1 D2 3A 22 20 DD C0 AC
              90 0D 9A A0 3C 61 FC F4 A5 59 A4 41 77 67 08 97
              08 A7 76 79 6E DB 72 35 06

   =============== Packet Vector #16 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 76 4C 63 B8 05 8E 3C 96 96 76 6C FA
   Total packet length = 31.
   [Input with 12 cleartext header octets]
              D0 D0 73 5C 53 1E 1B EC F0 49 C2 44 12 DA AC 56
              30 EF A5 39 6F 77 0C E1 A6 6B 21 F7 B2 10 1C
   CBC IV in: 59 00 76 4C 63 B8 05 8E 3C 96 96 76 6C FA 00 13
   CBC IV out:AB DC 4E C9 AA 72 33 97 DF 2D AD 76 33 DE 3B 0D
   After xor: AB D0 9E 19 D9 2E 60 89 C4 C1 5D 3F F1 9A 3B 0D [hdr]
   After AES: 62 86 F6 2F 23 42 63 B0 1C FD 8C 37 40 74 81 EB
   After xor: 70 5C 5A 79 13 AD C6 89 73 8A 80 D6 E6 1F A0 1C [msg]
   After AES: 88 95 84 18 CF 79 CA BE EB C0 0C C4 86 E6 01 F7
   After xor: 3A 85 98 18 CF 79 CA BE EB C0 0C C4 86 E6 01 F7 [msg]
   After AES: C1 85 92 D9 84 CD 67 80 63 D1 D9 6D C1 DF A1 11
   CBC-MAC  : C1 85 92 D9 84 CD 67 80
   CTR Start: 01 00 76 4C 63 B8 05 8E 3C 96 96 76 6C FA 00 01
   CTR[0001]: 06 08 FF 95 A6 94 D5 59 F4 0B B7 9D EF FA 41 DF
   CTR[0002]: 80 55 3A 75 78 38 04 A9 64 8B 68 DD 7F DC DD 7A
   CTR[MAC ]: 5B EA DB 4E DF 07 B9 2F
   Total packet length = 39. [Authenticated and Encrypted Output]
              D0 D0 73 5C 53 1E 1B EC F0 49 C2 44 14 D2 53 C3
              96 7B 70 60 9B 7C BB 7C 49 91 60 28 32 45 26 9A
              6F 49 97 5B CA DE AF

   =============== Packet Vector #17 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 F8 B6 78 09 4E 3B 3C 96 96 76 6C FA
   Total packet length = 32.
   [Input with 12 cleartext header octets]
              77 B6 0F 01 1C 03 E1 52 58 99 BC AE E8 8B 6A 46
              C7 8D 63 E5 2E B8 C5 46 EF B5 DE 6F 75 E9 CC 0D
   CBC IV in: 59 00 F8 B6 78 09 4E 3B 3C 96 96 76 6C FA 00 14
   CBC IV out:F4 68 FE 5D B1 53 0B 7A 5A A5 FB 27 40 CF 6E 33
   After xor: F4 64 89 EB BE 52 17 79 BB F7 A3 BE FC 61 6E 33 [hdr]
   After AES: 23 29 0E 0B 33 45 9A 83 32 2D E4 06 86 67 10 04
   After xor: CB A2 64 4D F4 C8 F9 66 1C 95 21 40 69 D2 CE 6B [msg]
   After AES: 8F BE D4 0F 8B 89 B7 B8 20 D5 5F E0 3C E2 43 11
   After xor: FA 57 18 02 8B 89 B7 B8 20 D5 5F E0 3C E2 43 11 [msg]
   After AES: 6A DB 15 B6 71 81 B2 E2 2B E3 4A F2 B2 83 E2 29
   CBC-MAC  : 6A DB 15 B6 71 81 B2 E2
   CTR Start: 01 00 F8 B6 78 09 4E 3B 3C 96 96 76 6C FA 00 01
   CTR[0001]: BD CE 95 5C CF D3 81 0A 91 EA 77 A6 A4 5B C0 4C
   CTR[0002]: 43 2E F2 32 AE 36 D8 92 22 BF 63 37 E6 B2 6C E8
   CTR[MAC ]: 1C F7 19 C1 35 7F CC DE
   Total packet length = 40. [Authenticated and Encrypted Output]
              77 B6 0F 01 1C 03 E1 52 58 99 BC AE 55 45 FF 1A
              08 5E E2 EF BF 52 B2 E0 4B EE 1E 23 36 C7 3E 3F
              76 2C 0C 77 44 FE 7E 3C

   =============== Packet Vector #18 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 D5 60 91 2D 3F 70 3C 96 96 76 6C FA
   Total packet length = 33.
   [Input with 12 cleartext header octets]
              CD 90 44 D2 B7 1F DB 81 20 EA 60 C0 64 35 AC BA
              FB 11 A8 2E 2F 07 1D 7C A4 A5 EB D9 3A 80 3B A8
              7F
   CBC IV in: 59 00 D5 60 91 2D 3F 70 3C 96 96 76 6C FA 00 15
   CBC IV out:BA 37 74 54 D7 20 A4 59 25 97 F6 A3 D1 D6 BA 67
   After xor: BA 3B B9 C4 93 F2 13 46 FE 16 D6 49 B1 16 BA 67 [hdr]
   After AES: 81 6A 20 20 38 D0 A6 30 CB E0 B7 3C 39 BB CE 05
   After xor: E5 5F 8C 9A C3 C1 0E 1E E4 E7 AA 40 9D 1E 25 DC [msg]
   After AES: 6D 5C 15 FD 85 2D 5C 3C E3 03 3D 85 DA 57 BD AC
   After xor: 57 DC 2E 55 FA 2D 5C 3C E3 03 3D 85 DA 57 BD AC [msg]
   After AES: B0 4A 1C 23 BC 39 B6 51 76 FD 5B FF 9B C1 28 5E
   CBC-MAC  : B0 4A 1C 23 BC 39 B6 51
   CTR Start: 01 00 D5 60 91 2D 3F 70 3C 96 96 76 6C FA 00 01
   CTR[0001]: 64 A2 C5 56 50 CE E0 4C 7A 93 D8 EE F5 43 E8 8E
   CTR[0002]: 18 E7 65 AC B7 B0 E9 AF 09 2B D0 20 6C A1 C8 3C
   CTR[MAC ]: F7 43 82 79 5C 49 F3 00
   Total packet length = 41. [Authenticated and Encrypted Output]
              CD 90 44 D2 B7 1F DB 81 20 EA 60 C0 00 97 69 EC
              AB DF 48 62 55 94 C5 92 51 E6 03 57 22 67 5E 04
              C8 47 09 9E 5A E0 70 45 51

   =============== Packet Vector #19 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 42 FF F8 F1 95 1C 3C 96 96 76 6C FA
   Total packet length = 31.
   [Input with 8 cleartext header octets]
              D8 5B C7 E6 9F 94 4F B8 8A 19 B9 50 BC F7 1A 01
              8E 5E 67 01 C9 17 87 65 98 09 D6 7D BE DD 18
   CBC IV in: 61 00 42 FF F8 F1 95 1C 3C 96 96 76 6C FA 00 17
   CBC IV out:44 F7 CC 9C 2B DD 2F 45 F6 38 25 6B 73 6E 1D 7A
   After xor: 44 FF 14 C7 EC 3B B0 D1 B9 80 25 6B 73 6E 1D 7A [hdr]
   After AES: 57 C3 73 F8 00 AA 5F CC 7B CF 1D 1B DD BB 4C 52
   After xor: DD DA CA A8 BC 5D 45 CD F5 91 7A 1A 14 AC CB 37 [msg]
   After AES: 42 4E 93 72 72 C8 79 B6 11 C7 A5 9F 47 8D 9F D8
   After xor: DA 47 45 0F CC 15 61 B6 11 C7 A5 9F 47 8D 9F D8 [msg]
   After AES: 9A CB 03 F8 B9 DB C8 D2 D2 D7 A4 B4 95 25 08 67
   CBC-MAC  : 9A CB 03 F8 B9 DB C8 D2 D2 D7
   CTR Start: 01 00 42 FF F8 F1 95 1C 3C 96 96 76 6C FA 00 01
   CTR[0001]: 36 38 34 FA 28 83 3D B7 55 66 0D 98 65 0D 68 46
   CTR[0002]: 35 E9 63 54 87 16 72 56 3F 0C 08 AF 78 44 31 A9
   CTR[MAC ]: F9 B7 FA 46 7B 9B 40 45 14 6D
   Total packet length = 41. [Authenticated and Encrypted Output]
              D8 5B C7 E6 9F 94 4F B8 BC 21 8D AA 94 74 27 B6
              DB 38 6A 99 AC 1A EF 23 AD E0 B5 29 39 CB 6A 63
              7C F9 BE C2 40 88 97 C6 BA

   =============== Packet Vector #20 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 92 0F 40 E5 6C DC 3C 96 96 76 6C FA
   Total packet length = 32.
   [Input with 8 cleartext header octets]
              74 A0 EB C9 06 9F 5B 37 17 61 43 3C 37 C5 A3 5F
              C1 F3 9F 40 63 02 EB 90 7C 61 63 BE 38 C9 84 37
   CBC IV in: 61 00 92 0F 40 E5 6C DC 3C 96 96 76 6C FA 00 18
   CBC IV out:60 CB 21 CE 40 06 50 AE 2A D2 BE 52 9F 5F 0F C2
   After xor: 60 C3 55 6E AB CF 56 31 71 E5 BE 52 9F 5F 0F C2 [hdr]
   After AES: 03 20 64 14 35 32 5D 95 C8 A2 50 40 93 28 DA 9B
   After xor: 14 41 27 28 02 F7 FE CA 09 51 CF 00 F0 2A 31 0B [msg]
   After AES: B9 E8 87 95 ED F7 F0 08 15 15 F0 14 E2 FE 0E 48
   After xor: C5 89 E4 2B D5 3E 74 3F 15 15 F0 14 E2 FE 0E 48 [msg]
   After AES: 8F AD 0C 23 E9 63 7E 87 FA 21 45 51 1B 47 DE F1
   CBC-MAC  : 8F AD 0C 23 E9 63 7E 87 FA 21
   CTR Start: 01 00 92 0F 40 E5 6C DC 3C 96 96 76 6C FA 00 01
   CTR[0001]: 4F 71 A5 C1 12 42 E3 7D 29 F0 FE E4 1B E1 02 5F
   CTR[0002]: 34 2B D3 F1 7C B7 7B C1 79 0B 05 05 61 59 27 2C
   CTR[MAC ]: 7F 09 7B EF C6 AA C1 D3 73 65
   Total packet length = 42. [Authenticated and Encrypted Output]
              74 A0 EB C9 06 9F 5B 37 58 10 E6 FD 25 87 40 22
              E8 03 61 A4 78 E3 E9 CF 48 4A B0 4F 44 7E FF F6
              F0 A4 77 CC 2F C9 BF 54 89 44

   =============== Packet Vector #21 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 27 CA 0C 71 20 BC 3C 96 96 76 6C FA
   Total packet length = 33.
   [Input with 8 cleartext header octets]
              44 A3 AA 3A AE 64 75 CA A4 34 A8 E5 85 00 C6 E4
              15 30 53 88 62 D6 86 EA 9E 81 30 1B 5A E4 22 6B
              FA
   CBC IV in: 61 00 27 CA 0C 71 20 BC 3C 96 96 76 6C FA 00 19
   CBC IV out:43 07 C0 73 A8 9E E1 D5 05 27 B2 9A 62 48 D6 D2
   After xor: 43 0F 84 D0 02 A4 4F B1 70 ED B2 9A 62 48 D6 D2 [hdr]
   After AES: B6 0B C6 F5 84 01 75 BC 01 27 70 F1 11 8D 75 10
   After xor: 12 3F 6E 10 01 01 B3 58 14 17 23 79 73 5B F3 FA [msg]
   After AES: 7D 5E 64 92 CE 2C B9 EA 7E 4C 4A 09 09 89 C8 FB
   After xor: E3 DF 54 89 94 C8 9B 81 84 4C 4A 09 09 89 C8 FB [msg]
   After AES: 68 5F 8D 79 D2 2B 9B 74 21 DF 4C 3E 87 BA 0A AF
   CBC-MAC  : 68 5F 8D 79 D2 2B 9B 74 21 DF
   CTR Start: 01 00 27 CA 0C 71 20 BC 3C 96 96 76 6C FA 00 01
   CTR[0001]: 56 8A 45 9E 40 09 48 67 EB 85 E0 9E 6A 2E 64 76
   CTR[0002]: A6 00 AA 92 92 03 54 9A AE EF 2C CC 59 13 7A 57
   CTR[MAC ]: 25 1E DC DD 3F 11 10 F3 98 11
   Total packet length = 43. [Authenticated and Encrypted Output]
              44 A3 AA 3A AE 64 75 CA F2 BE ED 7B C5 09 8E 83
              FE B5 B3 16 08 F8 E2 9C 38 81 9A 89 C8 E7 76 F1
              54 4D 41 51 A4 ED 3A 8B 87 B9 CE

   =============== Packet Vector #22 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 5B 8C CB CD 9A F8 3C 96 96 76 6C FA
   Total packet length = 31.
   [Input with 12 cleartext header octets]
              EC 46 BB 63 B0 25 20 C3 3C 49 FD 70 B9 6B 49 E2
              1D 62 17 41 63 28 75 DB 7F 6C 92 43 D2 D7 C2
   CBC IV in: 61 00 5B 8C CB CD 9A F8 3C 96 96 76 6C FA 00 13
   CBC IV out:91 14 AD 06 B6 CC 02 35 76 9A B6 14 C4 82 95 03
   After xor: 91 18 41 40 0D AF B2 10 56 59 8A 5D 39 F2 95 03 [hdr]
   After AES: 29 BD 7C 27 83 E3 E8 D3 C3 5C 01 F4 4C EC BB FA
   After xor: 90 D6 35 C5 9E 81 FF 92 A0 74 74 2F 33 80 29 B9 [msg]
   After AES: 4E DA F4 0D 21 0B D4 5F FE 97 90 B9 AA EC 34 4C
   After xor: 9C 0D 36 0D 21 0B D4 5F FE 97 90 B9 AA EC 34 4C [msg]
   After AES: 21 9E F8 90 EA 64 C2 11 A5 37 88 83 E1 BA 22 0D
   CBC-MAC  : 21 9E F8 90 EA 64 C2 11 A5 37
   CTR Start: 01 00 5B 8C CB CD 9A F8 3C 96 96 76 6C FA 00 01
   CTR[0001]: 88 BC 19 42 80 C1 FA 3E BE FC EF FB 4D C6 2D 54
   CTR[0002]: 3E 59 7D A5 AE 21 CC A4 00 9E 4C 0C 91 F6 22 49
   CTR[MAC ]: 5C BC 30 98 66 02 A9 F4 64 A0
   Total packet length = 41. [Authenticated and Encrypted Output]
              EC 46 BB 63 B0 25 20 C3 3C 49 FD 70 31 D7 50 A0
              9D A3 ED 7F DD D4 9A 20 32 AA BF 17 EC 8E BF 7D
              22 C8 08 8C 66 6B E5 C1 97

   =============== Packet Vector #23 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 3E BE 94 04 4B 9A 3C 96 96 76 6C FA
   Total packet length = 32.
   [Input with 12 cleartext header octets]
              47 A6 5A C7 8B 3D 59 42 27 E8 5E 71 E2 FC FB B8
              80 44 2C 73 1B F9 51 67 C8 FF D7 89 5E 33 70 76
   CBC IV in: 61 00 3E BE 94 04 4B 9A 3C 96 96 76 6C FA 00 14
   CBC IV out:0F 70 3F 5A 54 2C 44 6E 8B 74 A3 73 9B 48 B9 61
   After xor: 0F 7C 78 FC 0E EB CF 53 D2 36 84 9B C5 39 B9 61 [hdr]
   After AES: 40 5B ED 29 D0 98 AE 91 DB 68 78 F3 68 B8 73 85
   After xor: A2 A7 16 91 50 DC 82 E2 C0 91 29 94 A0 47 A4 0C [msg]
   After AES: 3D 03 29 3C FD 81 1B 37 01 51 FB C7 85 6B 7A 74
   After xor: 63 30 59 4A FD 81 1B 37 01 51 FB C7 85 6B 7A 74 [msg]
   After AES: 66 4F 27 16 3E 36 0F 72 62 0D 4E 67 7C E0 61 DE
   CBC-MAC  : 66 4F 27 16 3E 36 0F 72 62 0D
   CTR Start: 01 00 3E BE 94 04 4B 9A 3C 96 96 76 6C FA 00 01
   CTR[0001]: 0A 7E 0A 63 53 C8 CF 9E BC 3B 6E 63 15 9A D0 97
   CTR[0002]: EA 20 32 DA 27 82 6E 13 9E 1E 72 5C 5B 0D 3E BF
   CTR[MAC ]: B9 31 27 CA F0 F1 A1 20 FA 70
   Total packet length = 42. [Authenticated and Encrypted Output]
              47 A6 5A C7 8B 3D 59 42 27 E8 5E 71 E8 82 F1 DB
              D3 8C E3 ED A7 C2 3F 04 DD 65 07 1E B4 13 42 AC
              DF 7E 00 DC CE C7 AE 52 98 7D

   =============== Packet Vector #24 ==================
   AES Key =  D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B
   Nonce =    00 8D 49 3B 30 AE 8B 3C 96 96 76 6C FA
   Total packet length = 33.
   [Input with 12 cleartext header octets]
              6E 37 A6 EF 54 6D 95 5D 34 AB 60 59 AB F2 1C 0B
              02 FE B8 8F 85 6D F4 A3 73 81 BC E3 CC 12 85 17
              D4
   CBC IV in: 61 00 8D 49 3B 30 AE 8B 3C 96 96 76 6C FA 00 15
   CBC IV out:67 AC E4 E8 06 77 7A D3 27 1D 0B 93 4C 67 98 15
   After xor: 67 A0 8A DF A0 98 2E BE B2 40 3F 38 2C 3E 98 15 [hdr]
   After AES: 35 58 F8 7E CA C2 B4 39 B6 7E 75 BB F1 5E 69 08
   After xor: 9E AA E4 75 C8 3C 0C B6 33 13 81 18 82 DF D5 EB [msg]
   After AES: 54 E4 7B 62 22 F0 BB 87 17 D0 71 6A EB AF 19 9E
   After xor: 98 F6 FE 75 F6 F0 BB 87 17 D0 71 6A EB AF 19 9E [msg]
   After AES: 23 E3 30 50 BC 57 DC 2C 3D 3E 7C 94 77 D1 49 71
   CBC-MAC  : 23 E3 30 50 BC 57 DC 2C 3D 3E
   CTR Start: 01 00 8D 49 3B 30 AE 8B 3C 96 96 76 6C FA 00 01
   CTR[0001]: 58 DB 19 B3 88 9A A3 8B 3C A4 0B 16 FF 42 2C 73
   CTR[0002]: C3 2F 24 3D 65 DC 7E 9F 4B 02 16 AB 7F B9 6B 4D
   CTR[MAC ]: 4E 2D AE D2 53 F6 B1 8A 1D 67
   Total packet length = 43. [Authenticated and Encrypted Output]
              6E 37 A6 EF 54 6D 95 5D 34 AB 60 59 F3 29 05 B8
              8A 64 1B 04 B9 C9 FF B5 8C C3 90 90 0F 3D A1 2A
              B1 6D CE 9E 82 EF A1 6D A6 20 59

9. Intellectual Property Statements

   The authors hereby explicitly release any intellectual property
   rights to CCM to the public domain.  Further, the authors are not
   aware of any patent or patent application anywhere in the world that
   covers CCM mode.  It is our belief that CCM is a simple combination
   of well-established techniques, and we believe that CCM is obvious to
   a person of ordinary skill in the arts.

10. Security Considerations

   We claim that this block cipher mode is secure against attackers
   limited to 2^128 steps of operation if the key K is 256 bits or
   larger.  There are fairly generic precomputation attacks against all
   block cipher modes that allow a meet-in-the-middle attack on the key K.
   If these attacks can be made, then the theoretical strength of
   this, and any other, block cipher mode is limited to 2^(n/2) where n
   is the number of bits in the key.  The strength of the authentication
   is of course limited by M.

   Users of smaller key sizes (such as 128 bits) should take precautions
   to make the precomputation attacks more difficult.  Repeated use of
   the same nonce value (with different keys of course) ought to be
   avoided.  One solution is to include a random value within the nonce.
   Of course, a packet counter is also needed within the nonce.  Since
   the nonce is of limited size, a random value in the nonce provides a
   limited amount of additional security.

11. References

   This section provides normative and informative references.

11.1. Normative References

   [STDWORDS]  Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels," RFC 2119, March 1997.

11.2. Informative References

   [AES]       NIST, FIPS PUB 197, "Advanced Encryption Standard
               (AES)," November 2001.

   [CCM]       Whiting, D., Housley, R. and N. Ferguson, "AES
               Encryption & Authentication Using CTR Mode & CBC-MAC,"
               IEEE P802.11 doc 02/001r2, May 2002.

   [ESP]       Kent, S. and R. Atkinson, "IP Encapsulating Security
               Payload (ESP)," RFC 2406, November 1998.

   [MAC]       NIST, FIPS PUB 113, "Computer Data Authentication,"
               May 1985.

   [MODES]     Dworkin, M., "Recommendation for Block Cipher Modes
               of Operation: Methods and Techniques," NIST Special
               Publication 800-38A, December 2001.

   [OCB]       Rogaway, P., Bellare, M., Black, J. and T. Krovetz,
               "OCB: A Block-Cipher Mode of Operation for Efficient
               Authenticated Encryption," 8th ACM Conference on
               Computer and Communications Security, pp 196-295,
               ACM Press, 2001.

   [PROOF]     Jonsson, J., "On the Security of CTR + CBC-MAC,"
               SAC 2002 -- Ninth Annual Workshop on Selected Areas
               of Cryptography, Workshop Record version, 2002.
               Final version to appear in the LNCS Proceedings.

12. Authors' Addresses

   Doug Whiting
   Hifn
   5973 Avenida Encinas, #110
   Carlsbad, CA 92009
   USA
   DWhiting@hifn.com

   Russell Housley
   RSA Laboratories
   918 Spring Knoll Drive
   Herndon, VA 20170
   USA
   rhousley@rsasecurity.com

   Niels Ferguson
   MacFergus BV
   Bart de Ligtstraat 64
   1097 JE Amsterdam
   Netherlands
   Niels@ferguson.net

13. Full Copyright Statement

   Copyright (C) The Internet Society 2002.  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
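
Added example (not part of the draft and not the authors' code): the packet vector traces above can be cross-checked without an AES implementation, because every step except the "After AES", "CTR[0001]"... and "CTR[MAC ]" lines is plain formatting and XOR. The sketch below rebuilds those steps for Packet Vector #7, taking the AES outputs from the trace as given; the function names and the dictionary layout are assumptions of this example, and only the two-octet header length encoding is handled.

```python
def hx(s):
    return bytes.fromhex(s)

def xor(a, b):
    # zip() stops at the shorter input, which truncates the key stream for us
    return bytes(x ^ y for x, y in zip(a, b))

def pad16(b):
    return b + bytes(-len(b) % 16)

def b0(nonce, msg_len, mac_len, has_header):
    """First CBC-MAC block ("CBC IV in"): flags || nonce || l(m)."""
    L = 15 - len(nonce)                      # octets in the length field
    flags = (0x40 if has_header else 0) | (((mac_len - 2) // 2) << 3) | (L - 1)
    return bytes([flags]) + nonce + msg_len.to_bytes(L, "big")

def ctr_block(nonce, i):
    """Counter block i ("CTR Start" is i = 1): flags || nonce || counter."""
    L = 15 - len(nonce)
    return bytes([L - 1]) + nonce + i.to_bytes(L, "big")

def cbc_blocks(header, msg):
    """Blocks fed to CBC-MAC after B_0: length-prefixed header, then message."""
    if len(header) >= 0xFF00:
        raise ValueError("only the two-octet header length encoding is handled")
    prefix = pad16(len(header).to_bytes(2, "big") + header) if header else b""
    data = prefix + pad16(msg)
    return [data[i:i + 16] for i in range(0, len(data), 16)]

def check_trace(v):
    """Return the names of trace lines that disagree with CCM formatting."""
    header, msg = v["packet"][:v["hdr_len"]], v["packet"][v["hdr_len"]:]
    mac_len, bad = len(v["cbc_mac"]), []
    if b0(v["nonce"], len(msg), mac_len, bool(header)) != v["cbc_iv_in"]:
        bad.append("CBC IV in")
    if ctr_block(v["nonce"], 1) != v["ctr_start"]:
        bad.append("CTR Start")
    # aes_out[0] is "CBC IV out"; each "After xor" line is the previous AES
    # output XORed with the next zero-padded input block.
    for i, blk in enumerate(cbc_blocks(header, msg)):
        if xor(v["aes_out"][i], blk) != v["after_xor"][i]:
            bad.append("After xor #%d" % (i + 1))
    if v["aes_out"][-1][:mac_len] != v["cbc_mac"]:
        bad.append("CBC-MAC")
    # Payload is XORed with CTR[0001], CTR[0002], ...; the MAC with CTR[MAC ].
    packet = header + xor(msg, b"".join(v["ctr"])) + xor(v["cbc_mac"], v["ctr_mac"])
    if packet != v["output"]:
        bad.append("output packet")
    return bad

# Values copied from Packet Vector #7 in this document.
VECTOR_7 = {
    "nonce": hx("00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5"),
    "hdr_len": 8,
    "packet": bytes(range(0x1F)),            # 00 .. 1E, 31 octets
    "cbc_iv_in": hx("61 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5 00 17"),
    "aes_out": [hx("60 06 C5 72 DA 23 9C BF A0 5B 0A DE D2 CD A8 1E"),
                hx("41 7D E2 AE 94 E2 EA D9 00 FC 44 FC D0 69 52 27"),
                hx("2A 6C 42 CA 49 D7 C7 01 C5 7D 59 FF 87 16 49 0E"),
                hx("89 8B D6 45 4E 27 20 BB D2 7E F3 15 7A 7C 90 B2")],
    "after_xor": [hx("60 0E C5 73 D8 20 98 BA A6 5C 0A DE D2 CD A8 1E"),
                  hx("49 74 E8 A5 98 EF E4 D6 10 ED 56 EF C4 7C 44 30"),
                  hx("32 75 58 D1 55 CA D9 01 C5 7D 59 FF 87 16 49 0E")],
    "cbc_mac": hx("89 8B D6 45 4E 27 20 BB D2 7E"),
    "ctr_start": hx("01 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5 00 01"),
    "ctr": [hx("09 3C DB B9 C5 52 4F DA C1 C5 EC D2 91 C4 70 AF"),
            hx("11 57 83 86 E2 C4 72 B4 8E CC 8A AD AB 77 6F CB")],
    "ctr_mac": hx("8D 07 80 25 62 B0 8C 00 A6 EE"),
    "output": hx("00 01 02 03 04 05 06 07 01 35 D1 B2 C9 5F 41 D5"
                 "D1 D4 FE C1 85 D1 66 B8 09 4E 99 9D FE D9 6C 04"
                 "8C 56 60 2C 97 AC BB 74 90"),
}

if __name__ == "__main__":
    print(check_trace(VECTOR_7) or "trace is consistent")
```

An implementation whose output disagrees with a vector can be narrowed down the same way: a wrong flags octet or length field shows up in "CBC IV in" before any AES call is involved.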