idnits 2.17.1 draft-ietf-avtcore-aria-srtp-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (August 23, 2013) is 3870 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 545 -- Looks like a reference, but probably isn't: '2' on line 575 -- Looks like a reference, but probably isn't: '3' on line 830 -- Possible downref: Non-RFC (?) normative reference: ref. 'GCM' == Outdated reference: A later version (-17) exists of draft-ietf-avtcore-srtp-aes-gcm-07 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 AVTCore W. Kim 3 Internet-Draft J. Lee 4 Intended status: Standards Track D. Kim 5 Expires: February 24, 2014 J. Park 6 D. Kwon 7 NSRI 8 August 23, 2013 10 The ARIA Algorithm and Its Use with the Secure Real-time Transport 11 Protocol(SRTP) 12 draft-ietf-avtcore-aria-srtp-04 14 Abstract 16 This document describes the use of the ARIA block cipher algorithm 17 within the Secure Real-time Transport Protocol (SRTP) for providing 18 confidentiality for the Real-time Transport Protocol (RTP) traffic 19 and for the control traffic for RTP, the Real-time Transport Control 20 Protocol (RTCP). It details three modes of operation (CTR, CCM, GCM) 21 and a SRTP Key Derivation Function for ARIA. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on February 24, 2014. 40 Copyright Notice 42 Copyright (c) 2013 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 1.1. ARIA . . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 60 2. Cryptographic Transforms . . . . . . . . . . . . . . . . . . 3 61 2.1. ARIA-CTR . . . . . . . . . . . . . . . . . . . . . . . . 3 62 2.2. ARIA-GCM . . . . . . . . . . . . . . . . . . . . . . . . 6 63 2.3. ARIA-CCM . . . . . . . . . . . . . . . . . . . . . . . . 9 64 3. Key Derivation Functions . . . . . . . . . . . . . . . . . . 11 65 4. Security Considerations . . . . . . . . . . . . . . . . . . . 11 66 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 67 5.1. SDES . . . . . . . . . . . . . . . . . . . . . . . . . . 12 68 5.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 12 69 5.3. MIKEY . . . . . . . . . . . . . . . . . . . . . . . . . . 18 70 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 71 6.1. Normative References . . . . . . . . . . . . . . . . . . 19 72 6.2. Informative References . . . . . . . . . . . . . . . . . 20 73 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 21 74 A.1. ARIA-CTR Test Vectors . . . . . . . . . . . . . . . . . . 21 75 A.1.1. ARIA_128_CTR_HMAC_SHA1_80 . . . . . . . . . . . . . . 21 76 A.1.2. ARIA_192_CTR_HMAC_SHA1_80 . . . . . . . . . . . . . . 22 77 A.1.3. ARIA_256_CTR_HMAC_SHA1_80 . . . . . . . . . . . . . . 23 78 A.2. ARIA-GCM Test Vectors . . . . . . . . . . . . . . . . . . 23 79 A.2.1. ARIA_128_GCM . . . . . . . . . . . . . . . . . . . . 24 80 A.2.2. ARIA_256_GCM . . . . . . . . . . . . . . . . . . . . 24 81 A.3. ARIA-CCM Test Vectors . . . . . . . . . . . . . . . . . . 25 82 A.3.1. ARIA_128_CCM . . . . . . . . . . . . . . . . . . . . 25 83 A.3.2. ARIA_256_CCM . . . . . . . . . . . . . . . . . . . . 26 84 A.3.3. ARIA_128_CCM_8 . . . . . . . . . . . . . . . . . . . 26 85 A.3.4. ARIA_256_CCM_8 . . . . . . . . . . . . . . . . . . . 26 86 A.3.5. ARIA_128_CCM_12 . . . . . . . . . . . . . . . . . . . 27 87 A.3.6. ARIA_256_CCM_12 . . . . . . . . . . . . . . . . . . . 27 88 A.4. Key Derivation Test Vector . . . . . . . . . . . . . . . 27 89 A.4.1. ARIA_128 . . . . . . . . . . . . . . . . . . . . . . 28 90 A.4.2. ARIA_192 . . . . . . . . . . . . . . . . . . . . . . 29 91 A.4.3. ARIA_256 . . . . . . . . . . . . . . . . . . . . . . 30 93 1. Introduction 95 This document describes the use of the ARIA [RFC5794] block cipher 96 algorithm in the Secure Real-time Transport Protocol (SRTP) [RFC3711] 97 for providing confidentiality for the Real-time Transport Protocol 98 (RTP) [RFC3550] traffic and for the control traffic for RTP, the 99 Real-time Transport Control Protocol (RTCP) [RFC3550]. 101 1.1. ARIA 103 ARIA is a general-purpose block cipher algorithm developed by Korean 104 cryptographers in 2003. It is an iterated block cipher with 128-, 105 192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16 106 rounds, depending on the key size. It is secure and suitable for 107 most software and hardware implementations on 32-bit and 8-bit 108 processors. It was established as a Korean standard block cipher 109 algorithm in 2004 [ARIAKS] and has been widely used in Korea, 110 especially for government-to-public services. It was included in 111 PKCS #11 in 2007 [ARIAPKCS]. The algorithm specification and object 112 identifiers are described in [RFC5794]. 114 1.2. Terminology 116 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 117 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 118 document are to be interpreted as described in [RFC2119]. 120 2. Cryptographic Transforms 122 Block ciphers ARIA and AES share common characteristics including 123 mode, key size, and block size. ARIA does not have any restrictions 124 for modes of operation that are used with this block cipher. We 125 define three modes of running ARIA within the SRTP protocol, (1) ARIA 126 in Counter Mode (ARIA-CTR), (2) ARIA in Counter with CBC-MAC Mode 127 (ARIA-CCM) and (3) ARIA in Galois/Counter Mode (ARIA-GCM). 129 2.1. ARIA-CTR 131 Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption, 132 which it refers to as "AES_CM". Section 2 of [RFC6188] defines 133 "AES_192_CM" and "AES_256_CM" in SRTP. ARIA counter modes are 134 defined in the same manner except that each invocation of AES is 135 replaced by that of ARIA, and are denoted by ARIA_128_CTR, 136 ARIA_192_CTR and ARIA_256_CTR respectively, according to the key 137 lengths. The plaintext inputs to the block cipher are formed as in 138 AES-CTR(AES_CM, AES_192_CM, AES_256_CM) and the block cipher outputs 139 are processed as in AES-CTR. 141 When ARIA-CTR is used, it MUST be used only in conjunction with an 142 authentication function. The ARIA-CTR crypto suites with HMAC-SHA1 143 as an authentication function are listed below. The authentication 144 key length of all crypto suites is 20 octets. 146 +---------------------------+-----------------+------------------+ 147 | Name | Enc. Key Length | Auth. Tag Length | 148 +---------------------------+-----------------+------------------+ 149 | ARIA_128_CTR_HMAC_SHA1_80 | 16 octets | 10 octets | 150 | ARIA_128_CTR_HMAC_SHA1_32 | 16 octets | 4 octets | 151 | ARIA_192_CTR_HMAC_SHA1_80 | 24 octets | 10 octets | 152 | ARIA_192_CTR_HMAC_SHA1_32 | 24 octets | 4 octets | 153 | ARIA_256_CTR_HMAC_SHA1_80 | 32 octets | 10 octets | 154 | ARIA_256_CTR_HMAC_SHA1_32 | 32 octets | 4 octets | 155 +---------------------------+-----------------+------------------+ 157 Table 1: ARIA-CTR Crypto Suites for SRTP/SRTCP 159 The parameters (from Table 2 to Table 7) in each crypto suite listed 160 in Table 1 are described for use with the SDP Security Descriptions 161 attributes [RFC4568]. 163 +---------------------------------+------------------------------+ 164 | Parameter | Value | 165 +---------------------------------+------------------------------+ 166 | Master key length | 128 bits | 167 | Master salt length | 112 bits | 168 | Key Derivation Function | ARIA_128_CTR_PRF (Section 3) | 169 | Default key lifetime | 2^31 packets | 170 | Cipher (for SRTP and SRTCP) | ARIA_128_CTR | 171 | SRTP authentication function | HMAC-SHA1 | 172 | SRTP authentication key length | 160 bits | 173 | SRTP authentication tag length | 80 bits | 174 | SRTCP authentication function | HMAC-SHA1 | 175 | SRTCP authentication key length | 160 bits | 176 | SRTCP authentication tag length | 80 bits | 177 +---------------------------------+------------------------------+ 179 Table 2: The ARIA_128_CTR_HMAC_SHA1_80 Crypto Suite 181 +---------------------------------+------------------------------+ 182 | Parameter | Value | 183 +---------------------------------+------------------------------+ 184 | Master key length | 128 bits | 185 | Master salt length | 112 bits | 186 | Key Derivation Function | ARIA_128_CTR_PRF (Section 3) | 187 | Default key lifetime | 2^31 packets | 188 | Cipher (for SRTP and SRTCP) | ARIA_128_CTR | 189 | SRTP authentication function | HMAC-SHA1 | 190 | SRTP authentication key length | 160 bits | 191 | SRTP authentication tag length | 32 bits | 192 | SRTCP authentication function | HMAC-SHA1 | 193 | SRTCP authentication key length | 160 bits | 194 | SRTCP authentication tag length | 80 bits | 195 +---------------------------------+------------------------------+ 197 Table 3: The ARIA_128_CTR_HMAC_SHA1_32 Crypto Suite 199 +---------------------------------+------------------------------+ 200 | Parameter | Value | 201 +---------------------------------+------------------------------+ 202 | Master key length | 192 bits | 203 | Master salt length | 112 bits | 204 | Key Derivation Function | ARIA_192_CTR_PRF (Section 3) | 205 | Default key lifetime | 2^31 packets | 206 | Cipher (for SRTP and SRTCP) | ARIA_192_CTR | 207 | SRTP authentication function | HMAC-SHA1 | 208 | SRTP authentication key length | 160 bits | 209 | SRTP authentication tag length | 80 bits | 210 | SRTCP authentication function | HMAC-SHA1 | 211 | SRTCP authentication key length | 160 bits | 212 | SRTCP authentication tag length | 80 bits | 213 +---------------------------------+------------------------------+ 215 Table 4: The ARIA_192_CTR_HMAC_SHA1_80 Crypto Suite 217 +---------------------------------+------------------------------+ 218 | Parameter | Value | 219 +---------------------------------+------------------------------+ 220 | Master key length | 192 bits | 221 | Master salt length | 112 bits | 222 | Key Derivation Function | ARIA_192_CTR_PRF (Section 3) | 223 | Default key lifetime | 2^31 packets | 224 | Cipher (for SRTP and SRTCP) | ARIA_192_CTR | 225 | SRTP authentication function | HMAC-SHA1 | 226 | SRTP authentication key length | 160 bits | 227 | SRTP authentication tag length | 32 bits | 228 | SRTCP authentication function | HMAC-SHA1 | 229 | SRTCP authentication key length | 160 bits | 230 | SRTCP authentication tag length | 80 bits | 231 +---------------------------------+------------------------------+ 233 Table 5: The ARIA_192_CTR_HMAC_SHA1_32 Crypto Suite 235 +---------------------------------+------------------------------+ 236 | Parameter | Value | 237 +---------------------------------+------------------------------+ 238 | Master key length | 256 bits | 239 | Master salt length | 112 bits | 240 | Key Derivation Function | ARIA_256_CTR_PRF (Section 3) | 241 | Default key lifetime | 2^31 packets | 242 | Cipher (for SRTP and SRTCP) | ARIA_256_CTR | 243 | SRTP authentication function | HMAC-SHA1 | 244 | SRTP authentication key length | 160 bits | 245 | SRTP authentication tag length | 80 bits | 246 | SRTCP authentication function | HMAC-SHA1 | 247 | SRTCP authentication key length | 160 bits | 248 | SRTCP authentication tag length | 80 bits | 249 +---------------------------------+------------------------------+ 251 Table 6: The ARIA_256_CTR_HMAC_SHA1_80 Crypto Suite 253 +---------------------------------+------------------------------+ 254 | Parameter | Value | 255 +---------------------------------+------------------------------+ 256 | Master key length | 256 bits | 257 | Master salt length | 112 bits | 258 | Key Derivation Function | ARIA_256_CTR_PRF (Section 3) | 259 | Default key lifetime | 2^31 packets | 260 | Cipher (for SRTP and SRTCP) | ARIA_256_CTR | 261 | SRTP authentication function | HMAC-SHA1 | 262 | SRTP authentication key length | 160 bits | 263 | SRTP authentication tag length | 32 bits | 264 | SRTCP authentication function | HMAC-SHA1 | 265 | SRTCP authentication key length | 160 bits | 266 | SRTCP authentication tag length | 80 bits | 267 +---------------------------------+------------------------------+ 269 Table 7: The ARIA_256_CTR_HMAC_SHA1_32 Crypto Suite 271 2.2. ARIA-GCM 273 GCM(Galois Counter Mode) [GCM][RFC5116] is a AEAD(authenticated 274 encryption with associated data) block cipher mode. A detailed 275 description of ARIA-GCM is defined similarly as AES-GCM found in 276 [RFC5116][RFC5282]. 278 The internet draft [I-D.ietf-avtcore-srtp-aes-gcm] describes the use 279 of AES-GCM with SRTP. The use of ARIA-GCM with SRTP is defined the 280 same as that of AES-GCM except that each invocation of AES is 281 replaced by ARIA. 283 The ARIA-GCM algorithms in Table 8 may be used with SRTP and SRTCP: 285 +----------------------+-----------------+------------------+ 286 | Name | Enc. Key Length | Auth. Tag Length | 287 +----------------------+-----------------+------------------+ 288 | AEAD_ARIA_128_GCM | 16 octets | 16 octets | 289 | AEAD_ARIA_256_GCM | 32 octets | 16 octets | 290 | AEAD_ARIA_128_GCM_8 | 16 octets | 8 octets | 291 | AEAD_ARIA_256_GCM_8 | 32 octets | 8 octets | 292 | AEAD_ARIA_128_GCM_12 | 16 octets | 12 octets | 293 | AEAD_ARIA_256_GCM_12 | 32 octets | 12 octets | 294 +----------------------+-----------------+------------------+ 296 Table 8: ARIA-GCM Crypto Suites for SRTP/SRTCP 298 The parameters (from Table 9 to Table 14) in each crypto suite listed 299 in Table 8 are described for use with the SDP Security Descriptions 300 attributes [RFC4568]. 302 +--------------------------------+------------------------------+ 303 | Parameter | Value | 304 +--------------------------------+------------------------------+ 305 | Master key length | 128 bits | 306 | Master salt length | 96 bits | 307 | Key Derivation Function | ARIA_128_CTR_PRF (Section 3) | 308 | Default key lifetime (SRTP) | 2^48 packets | 309 | Default key lifetime (SRTCP) | 2^31 packets | 310 | Cipher (for SRTP and SRTCP) | ARIA_128_GCM | 311 | AEAD authentication tag length | 128 bits | 312 +--------------------------------+------------------------------+ 314 Table 9: The AEAD_ARIA_128_GCM Crypto Suite 316 +--------------------------------+------------------------------+ 317 | Parameter | Value | 318 +--------------------------------+------------------------------+ 319 | Master key length | 256 bits | 320 | Master salt length | 96 bits | 321 | Key Derivation Function | ARIA_256_CTR_PRF (Section 3) | 322 | Default key lifetime (SRTP) | 2^48 packets | 323 | Default key lifetime (SRTCP) | 2^31 packets | 324 | Cipher (for SRTP and SRTCP) | ARIA_256_GCM | 325 | AEAD authentication tag length | 128 bits | 326 +--------------------------------+------------------------------+ 328 Table 10: The AEAD_ARIA_256_GCM Crypto Suite 330 +--------------------------------+------------------------------+ 331 | Parameter | Value | 332 +--------------------------------+------------------------------+ 333 | Master key length | 128 bits | 334 | Master salt length | 96 bits | 335 | Key Derivation Function | ARIA_128_CTR_PRF (Section 3) | 336 | Default key lifetime (SRTP) | 2^48 packets | 337 | Default key lifetime (SRTCP) | 2^31 packets | 338 | Cipher (for SRTP and SRTCP) | ARIA_128_GCM | 339 | AEAD authentication tag length | 64 bits | 340 +--------------------------------+------------------------------+ 342 Table 11: The AEAD_ARIA_128_GCM_8 Crypto Suite 344 +--------------------------------+------------------------------+ 345 | Parameter | Value | 346 +--------------------------------+------------------------------+ 347 | Master key length | 256 bits | 348 | Master salt length | 96 bits | 349 | Key Derivation Function | ARIA_256_CTR_PRF (Section 3) | 350 | Default key lifetime (SRTP) | 2^48 packets | 351 | Default key lifetime (SRTCP) | 2^31 packets | 352 | Cipher (for SRTP and SRTCP) | ARIA_256_GCM | 353 | AEAD authentication tag length | 64 bits | 354 +--------------------------------+------------------------------+ 356 Table 12: The AEAD_ARIA_256_GCM_8 Crypto Suite 358 +--------------------------------+------------------------------+ 359 | Parameter | Value | 360 +--------------------------------+------------------------------+ 361 | Master key length | 128 bits | 362 | Master salt length | 96 bits | 363 | Key Derivation Function | ARIA_128_CTR_PRF (Section 3) | 364 | Default key lifetime (SRTP) | 2^48 packets | 365 | Default key lifetime (SRTCP) | 2^31 packets | 366 | Cipher (for SRTP and SRTCP) | ARIA_128_GCM | 367 | AEAD authentication tag length | 96 bits | 368 +--------------------------------+------------------------------+ 370 Table 13: The AEAD_ARIA_128_GCM_12 Crypto Suite 372 +--------------------------------+------------------------------+ 373 | Parameter | Value | 374 +--------------------------------+------------------------------+ 375 | Master key length | 256 bits | 376 | Master salt length | 96 bits | 377 | Key Derivation Function | ARIA_256_CTR_PRF (Section 3) | 378 | Default key lifetime (SRTP) | 2^48 packets | 379 | Default key lifetime (SRTCP) | 2^31 packets | 380 | Cipher (for SRTP and SRTCP) | ARIA_256_GCM | 381 | AEAD authentication tag length | 96 bits | 382 +--------------------------------+------------------------------+ 384 Table 14: The AEAD_ARIA_256_GCM_12 Crypto Suite 386 2.3. ARIA-CCM 388 CCM(Counter with CBC-MAC) [RFC3610][RFC5116] is another AEAD block 389 cipher mode. A detailed description of ARIA-CCM is defined similarly 390 as AES-CCM found in [RFC5116] [RFC6655] 391 [I-D.ietf-avtcore-srtp-aes-gcm]. 393 The internet draft [I-D.ietf-avtcore-srtp-aes-gcm] describes the use 394 of AES-CCM with SRTP. The use of ARIA-CCM with SRTP is defined the 395 same as that of AES-CCM except that each invocation of AES is 396 replaced by ARIA. 398 The ARIA-CCM algorithms in Table 15 may be used with SRTP and SRTCP: 400 +----------------------+-----------------+------------------+ 401 | Name | Enc. Key Length | Auth. Tag Length | 402 +----------------------+-----------------+------------------+ 403 | AEAD_ARIA_128_CCM | 16 octets | 16 octets | 404 | AEAD_ARIA_256_CCM | 32 octets | 16 octets | 405 | AEAD_ARIA_128_CCM_8 | 16 octets | 8 octets | 406 | AEAD_ARIA_256_CCM_8 | 32 octets | 8 octets | 407 | AEAD_ARIA_128_CCM_12 | 16 octets | 12 octets | 408 | AEAD_ARIA_256_CCM_12 | 32 octets | 12 octets | 409 +----------------------+-----------------+------------------+ 411 Table 15: ARIA-CCM Crypto Suites for SRTP/SRTCP 413 The parameters (from Table 16 to Table 21) in each crypto suite 414 listed in Table 15 are described for use with the SDP Security 415 Descriptions attributes [RFC4568]. 417 +--------------------------------+------------------------------+ 418 | Parameter | Value | 419 +--------------------------------+------------------------------+ 420 | Master key length | 128 bits | 421 | Master salt length | 96 bits | 422 | Key Derivation Function | ARIA_128_CTR_PRF (Section 3) | 423 | Default key lifetime (SRTP) | 2^48 packets | 424 | Default key lifetime (SRTCP) | 2^31 packets | 425 | Cipher (for SRTP and SRTCP) | ARIA_128_CCM | 426 | AEAD authentication tag length | 128 bits | 427 +--------------------------------+------------------------------+ 429 Table 16: The AEAD_ARIA_128_CCM Crypto Suite 431 +--------------------------------+------------------------------+ 432 | Parameter | Value | 433 +--------------------------------+------------------------------+ 434 | Master key length | 256 bits | 435 | Master salt length | 96 bits | 436 | Key Derivation Function | ARIA_256_CTR_PRF (Section 3) | 437 | Default key lifetime (SRTP) | 2^48 packets | 438 | Default key lifetime (SRTCP) | 2^31 packets | 439 | Cipher (for SRTP and SRTCP) | ARIA_256_CCM | 440 | AEAD authentication tag length | 128 bits | 441 +--------------------------------+------------------------------+ 443 Table 17: The AEAD_ARIA_256_CCM Crypto Suite 445 +--------------------------------+------------------------------+ 446 | Parameter | Value | 447 +--------------------------------+------------------------------+ 448 | Master key length | 128 bits | 449 | Master salt length | 96 bits | 450 | Key Derivation Function | ARIA_128_CTR_PRF (Section 3) | 451 | Default key lifetime (SRTP) | 2^48 packets | 452 | Default key lifetime (SRTCP) | 2^31 packets | 453 | Cipher (for SRTP and SRTCP) | ARIA_128_CCM | 454 | AEAD authentication tag length | 64 bits | 455 +--------------------------------+------------------------------+ 457 Table 18: The AEAD_ARIA_128_CCM_8 Crypto Suite 459 +--------------------------------+------------------------------+ 460 | Parameter | Value | 461 +--------------------------------+------------------------------+ 462 | Master key length | 256 bits | 463 | Master salt length | 96 bits | 464 | Key Derivation Function | ARIA_256_CTR_PRF (Section 3) | 465 | Default key lifetime (SRTP) | 2^48 packets | 466 | Default key lifetime (SRTCP) | 2^31 packets | 467 | Cipher (for SRTP and SRTCP) | ARIA_256_CCM | 468 | AEAD authentication tag length | 64 bits | 469 +--------------------------------+------------------------------+ 471 Table 19: The AEAD_ARIA_256_CCM_8 Crypto Suite 473 +--------------------------------+------------------------------+ 474 | Parameter | Value | 475 +--------------------------------+------------------------------+ 476 | Master key length | 128 bits | 477 | Master salt length | 96 bits | 478 | Key Derivation Function | ARIA_128_CTR_PRF (Section 3) | 479 | Default key lifetime (SRTP) | 2^48 packets | 480 | Default key lifetime (SRTCP) | 2^31 packets | 481 | Cipher (for SRTP and SRTCP) | ARIA_128_CCM | 482 | AEAD authentication tag length | 96 bits | 483 +--------------------------------+------------------------------+ 485 Table 20: The AEAD_ARIA_128_CCM_12 Crypto Suite 487 +--------------------------------+------------------------------+ 488 | Parameter | Value | 489 +--------------------------------+------------------------------+ 490 | Master key length | 256 bits | 491 | Master salt length | 96 bits | 492 | Key Derivation Function | ARIA_256_CTR_PRF (Section 3) | 493 | Default key lifetime (SRTP) | 2^48 packets | 494 | Default key lifetime (SRTCP) | 2^31 packets | 495 | Cipher (for SRTP and SRTCP) | ARIA_256_CCM | 496 | AEAD authentication tag length | 96 bits | 497 +--------------------------------+------------------------------+ 499 Table 21: The AEAD_ARIA_256_CCM_12 Crypto Suite 501 3. Key Derivation Functions 503 Section 4.3.3 of [RFC3711] defines the AES-128 counter mode key 504 derivation function, which it refers to as "AES-CM PRF". Section 3 505 of [RFC6188] defines the AES-192 counter mode key derivation function 506 and the AES-256 counter mode key derivation function, which it refers 507 to as "AES_192_CM_PRF" and "AES_256_CM_PRF" respectively. The ARIA- 508 CTR PRF is defined in a same manner except that each invocation of 509 AES replaced by that of ARIA. According to the key lengths of 510 underlying encryption algorithm, ARIA-CTR PRFs are denoted by 511 "ARIA_128_CTR_PRF", "ARIA_192_CTR_PRF" and "ARIA_256_CTR_PRF". The 512 usage requirements of [RFC6188][I-D.ietf-avtcore-srtp-aes-gcm] 513 regarding the AES-CM PRF apply to the ARIA-CTR PRF as well. The PRFs 514 for ARIA crypto suites with SRTP are defined by ARIA-CTR PRF of the 515 equal key length with the encryption algorithm (see Section 2). 516 SRTP_ARIA_128_CTR_HMAC, SRTP_AEAD_ARIA_128_GCM, and 517 SRTP_AEAD_ARIA_128_CCM MUST use the ARIA_128_CTR_PRF Key Derivation 518 Function. SRTP_ARIA_192_CTR_HMAC MUST use that ARIA_192_CTR_PRF Key 519 Derivation Function. And SRTP_ARIA_256_CTR_HMAC, 520 SRTP_AEAD_ARIA_256_GCM, and SRTP_AEAD_ARIA_256_CCM MUST use the 521 ARIA_256_CTR_PRF Key Derivation Function. 523 4. Security Considerations 525 At the time of writing this document no security problem has been 526 found on ARIA (see [TSL]). 528 The security considerations in [RFC3610] [GCM] [RFC3711] [RFC5116] 529 [RFC6188] [I-D.ietf-avtcore-srtp-aes-gcm] apply to this document as 530 well. Ciphersuites with short tag length may be considered for 531 specific application environments stated in 7.5 of [RFC3711], but the 532 risk of weak authentication described in Section 9.5.1 of [RFC3711] 533 should be taken into account. 535 5. IANA Considerations 537 5.1. SDES 539 Security description [RFC4568] defines SRTP "crypto suites". In 540 order to allow SDP to signal the use of the algorithms defined in 541 this document, IANA is requested to add the below crypto suites to 542 the "SRTP Crypto Suite Registrations" created by [RFC4568], at time 543 of writing located on the following IANA page: http://www.iana.org/ 544 assignments/sdp-security-descriptions/sdp-security-descriptions.xml 545 #sdp-security-descriptions-3 [1] 547 srtp-crypto-suite-ext = "ARIA_128_CTR_HMAC_SHA1_80"/ 548 "ARIA_128_CTR_HMAC_SHA1_32"/ 549 "ARIA_192_CTR_HMAC_SHA1_80"/ 550 "ARIA_192_CTR_HMAC_SHA1_32"/ 551 "ARIA_256_CTR_HMAC_SHA1_80"/ 552 "ARIA_256_CTR_HMAC_SHA1_32"/ 553 "AEAD_ARIA_128_GCM" / 554 "AEAD_ARIA_256_GCM" / 555 "AEAD_ARIA_128_GCM_8" / 556 "AEAD_ARIA_256_GCM_8" / 557 "AEAD_ARIA_128_GCM_12" / 558 "AEAD_ARIA_256_GCM_12" / 559 "AEAD_ARIA_128_CCM" / 560 "AEAD_ARIA_256_CCM" / 561 "AEAD_ARIA_128_CCM_8" / 562 "AEAD_ARIA_256_CCM_8" / 563 "AEAD_ARIA_128_CCM_12" / 564 "AEAD_ARIA_256_CCM_12" / 565 srtp-crypto-suite-ext 567 5.2. DTLS-SRTP 569 DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile". 570 In order to allow the use of the algorithms defined in this document 571 in DTLS-SRTP, IANA is requested to add the below crypto suite to the 572 "DTLS-SRTP Protection Profiles" created by [RFC5764], at time of 573 writing located on the following IANA page: http://www.iana.org/ 574 assignments/srtp-protection/srtp-protection.xml#srtp-protection-1 575 [2]. 577 SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {TBD,TBD} 578 SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {TBD,TBD} 579 SRTP_ARIA_192_CTR_HMAC_SHA1_80 = {TBD,TBD} 580 SRTP_ARIA_192_CTR_HMAC_SHA1_32 = {TBD,TBD} 581 SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {TBD,TBD} 582 SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {TBD,TBD} 583 SRTP_AEAD_ARIA_128_GCM = {TBD,TBD} 584 SRTP_AEAD_ARIA_256_GCM = {TBD,TBD} 585 SRTP_AEAD_ARIA_128_GCM_8 = {TBD,TBD} 586 SRTP_AEAD_ARIA_256_GCM_8 = {TBD,TBD} 587 SRTP_AEAD_ARIA_128_GCM_12 = {TBD,TBD} 588 SRTP_AEAD_ARIA_256_GCM_12 = {TBD,TBD} 589 SRTP_AEAD_ARIA_128_CCM = {TBD,TBD} 590 SRTP_AEAD_ARIA_256_CCM = {TBD,TBD} 591 SRTP_AEAD_ARIA_128_CCM_8 = {TBD,TBD} 592 SRTP_AEAD_ARIA_256_CCM_8 = {TBD,TBD} 593 SRTP_AEAD_ARIA_128_CCM_12 = {TBD,TBD} 594 SRTP_AEAD_ARIA_256_CCM_12 = {TBD,TBD} 596 The following list indicates the SRTP transform parameters for each 597 protection profile. The parameters cipher_key_length, 598 cipher_salt_length, auth_key_length, and auth_tag_length express the 599 number of bits in the values to which they refer. The 600 maximum_lifetime parameter indicates the maximum number of packets 601 that can be protected with each single set of keys when the parameter 602 profile is in use. All of these parameters apply to both RTP and 603 RTCP, unless the RTCP parameters are separately specified. 605 SRTP_ARIA_128_CTR_HMAC_SHA1_80 606 cipher: ARIA_128_CTR 607 cipher_key_length: 128 bits 608 cipher_salt_length: 112 bits 609 maximum_lifetime: 2^31 packets 610 key derivation function: ARIA_128_CTR_PRF 611 auth_function: HMAC-SHA1 612 auth_key_length: 160 bits 613 auth_tag_length: 80 bits 615 SRTP_ARIA_128_CTR_HMAC_SHA1_32 616 cipher: ARIA_128_CTR 617 cipher_key_length: 128 bits 618 cipher_salt_length: 112 bits 619 maximum_lifetime: 2^31 packets 620 key derivation function: ARIA_128_CTR_PRF 621 auth_function: HMAC-SHA1 622 auth_key_length: 160 bits 623 SRTP auth_tag_length: 32 bits 624 SRTCP auth_tag_length: 80 bits 626 SRTP_ARIA_192_CTR_HMAC_SHA1_80 627 cipher: ARIA_192_CTR 628 cipher_key_length: 192 bits 629 cipher_salt_length: 112 bits 630 maximum_lifetime: 2^31 packets 631 key derivation function: ARIA_192_CTR_PRF 632 auth_function: HMAC-SHA1 633 auth_key_length: 160 bits 634 auth_tag_length: 80 bits 636 SRTP_ARIA_192_CTR_HMAC_SHA1_32 637 cipher: ARIA_192_CTR 638 cipher_key_length: 192 bits 639 cipher_salt_length: 112 bits 640 maximum_lifetime: 2^31 packets 641 key derivation function: ARIA_192_CTR_PRF 642 auth_function: HMAC-SHA1 643 auth_key_length: 160 bits 644 SRTP auth_tag_length: 32 bits 645 SRTCP auth_tag_length: 80 bits 647 SRTP_ARIA_256_CTR_HMAC_SHA1_80 648 cipher: ARIA_256_CTR 649 cipher_key_length: 256 bits 650 cipher_salt_length: 112 bits 651 maximum_lifetime: 2^31 packets 652 key derivation function: ARIA_256_CTR_PRF 653 auth_function: HMAC-SHA 654 auth_key_length: 160 bits 655 auth_tag_length: 80 bits 657 SRTP_ARIA_256_CTR_HMAC_SHA1_32 658 cipher: ARIA_256_CTR 659 cipher_key_length: 128 bits 660 cipher_salt_length: 112 bits 661 maximum_lifetime: 2^31 packets 662 key derivation function: ARIA_256_CTR_PRF 663 auth_function: HMAC-SHA1 664 auth_key_length: 160 bits 665 SRTP auth_tag_length: 32 bits 666 SRTCP auth_tag_length: 80 bits 668 SRTP_AEAD_ARIA_128_CCM 669 cipher: ARIA_128_CCM 670 cipher_key_length: 128 bits 671 cipher_salt_length: 96 bits 672 aead_auth_tag_length: 128 bits 673 auth_function: NULL 674 auth_key_length: N/A 675 auth_tag_length: N/A 676 key derivation function: ARIA_128_CTR_PRF 677 maximum_lifetime: at most 2^31 SRTCP packets and 678 at most 2^48 SRTP packets 680 SRTP_AEAD_ARIA_256_CCM 681 cipher: ARIA_256_CCM 682 cipher_key_length: 256 bits 683 cipher_salt_length: 96 bits 684 aead_auth_tag_length: 128 bits 685 auth_function: NULL 686 auth_key_length: N/A 687 auth_tag_length: N/A 688 key derivation function: ARIA_256_CTR_PRF 689 maximum_lifetime: at most 2^31 SRTCP packets and 690 at most 2^48 SRTP packets 692 SRTP_AEAD_ARIA_128_CCM_8 693 cipher: ARIA_128_CCM 694 cipher_key_length: 128 bits 695 cipher_salt_length: 96 bits 696 aead_auth_tag_length: 64 bits 697 auth_function: NULL 698 auth_key_length: N/A 699 auth_tag_length: N/A 700 key derivation function: ARIA_128_CTR_PRF 701 maximum_lifetime: at most 2^31 SRTCP packets and 702 at most 2^48 SRTP packets 704 SRTP_AEAD_ARIA_256_CCM_8 705 cipher: ARIA_256_CCM 706 cipher_key_length: 256 bits 707 cipher_salt_length: 96 bits 708 aead_auth_tag_length: 64 bits 709 auth_function: NULL 710 auth_key_length: N/A 711 auth_tag_length: N/A 712 key derivation function: ARIA_256_CTR_PRF 713 maximum_lifetime: at most 2^31 SRTCP packets and 714 at most 2^48 SRTP packets 716 SRTP_AEAD_ARIA_128_CCM_12 717 cipher: ARIA_128_CCM 718 cipher_key_length: 128 bits 719 cipher_salt_length: 96 bits 720 aead_auth_tag_length: 96 bits 721 auth_function: NULL 722 auth_key_length: N/A 723 auth_tag_length: N/A 724 key derivation function: ARIA_128_CTR_PRF 725 maximum_lifetime: at most 2^31 SRTCP packets and 726 at most 2^48 SRTP packets 728 SRTP_AEAD_ARIA_256_CCM_12 729 cipher: ARIA_256_CCM 730 cipher_key_length: 256 bits 731 cipher_salt_length: 96 bits 732 aead_auth_tag_length: 96 bits 733 auth_function: NULL 734 auth_key_length: N/A 735 auth_tag_length: N/A 736 key derivation function: ARIA_256_CTR_PRF 737 maximum_lifetime: at most 2^31 SRTCP packets and 738 at most 2^48 SRTP packets 740 SRTP_AEAD_ARIA_128_GCM 741 cipher: ARIA_128_GCM 742 cipher_key_length: 128 bits 743 cipher_salt_length: 96 bits 744 aead_auth_tag_length: 128 bits 745 auth_function: NULL 746 auth_key_length: N/A 747 auth_tag_length: N/A 748 key derivation function: ARIA_128_CTR_PRF 749 maximum_lifetime: at most 2^31 SRTCP packets and 750 at most 2^48 SRTP packets 752 SRTP_AEAD_ARIA_256_GCM 753 cipher: ARIA_256_GCM 754 cipher_key_length: 256 bits 755 cipher_salt_length: 96 bits 756 aead_auth_tag_length: 128 bits 757 auth_function: NULL 758 auth_key_length: N/A 759 auth_tag_length: N/A 760 key derivation function: ARIA_256_CTR_PRF 761 maximum_lifetime: at most 2^31 SRTCP packets and 762 at most 2^48 SRTP packets 764 SRTP_AEAD_ARIA_128_GCM_8 765 cipher: ARIA_128_GCM 766 cipher_key_length: 128 bits 767 cipher_salt_length: 96 bits 768 aead_auth_tag_length: 64 bits 769 auth_function: NULL 770 auth_key_length: N/A 771 auth_tag_length: N/A 772 key derivation function: ARIA_128_CTR_PRF 773 maximum_lifetime: at most 2^31 SRTCP packets and 774 at most 2^48 SRTP packets 776 SRTP_AEAD_ARIA_256_GCM_8 777 cipher: ARIA_256_GCM 778 cipher_key_length: 256 bits 779 cipher_salt_length: 96 bits 780 aead_auth_tag_length: 64 bits 781 auth_function: NULL 782 auth_key_length: N/A 783 auth_tag_length: N/A 784 key derivation function: ARIA_256_CTR_PRF 785 maximum_lifetime: at most 2^31 SRTCP packets and 786 at most 2^48 SRTP packets 788 SRTP_AEAD_ARIA_128_GCM_12 789 cipher: ARIA_128_GCM 790 cipher_key_length: 128 bits 791 cipher_salt_length: 96 bits 792 aead_auth_tag_length: 96 bits 793 auth_function: NULL 794 auth_key_length: N/A 795 auth_tag_length: N/A 796 key derivation function: ARIA_128_CTR_PRF 797 maximum_lifetime: at most 2^31 SRTCP packets and 798 at most 2^48 SRTP packets 800 SRTP_AEAD_ARIA_256_GCM_12 801 cipher: ARIA_256_GCM 802 cipher_key_length: 256 bits 803 cipher_salt_length: 96 bits 804 aead_auth_tag_length: 96 bits 805 auth_function: NULL 806 auth_key_length: N/A 807 auth_tag_length: N/A 808 key derivation function: ARIA_256_CTR_PRF 809 maximum_lifetime: at most 2^31 SRTCP packets and 810 at most 2^48 SRTP packets 812 Note that these SRTP Protection Profiles do not specify an 813 auth_function, auth_key_length, or auth_tag_length because all of 814 these profiles use AEAD algorithms, and thus do not use a separate 815 auth_function, auth_key, or auth_tag. The term aead_auth_tag_length 816 is used to emphasize that this refers to the authentication tag 817 provided by the AEAD algorithm and that this tag is not located in 818 the authentication tag field provided by SRTP/SRTCP. 820 5.3. MIKEY 822 [RFC3830] and [RFC5748] define encryption algorithms and PRFs for the 823 SRTP policy in MIKEY. In order to allow the use of the algorithms 824 defined in this document in MIKEY, IANA is requested to add the below 825 crypto suites to the "MIKEY Security Protocol Parameters SRTP Type 0 826 (Encryption algorithm)" and to add the below PRF to the "MIKEY 827 Security Protocol Parameters SRTP Type 5 (Pseudo Random Function)" 828 created by [RFC3830], at time of writing located on the following 829 IANA page http://www.iana.org/assignments/mikey-payloads/mikey- 830 payloads.xml#mikey-payloads-26 [3]. 832 +---------------+-------+ 833 | SRTP Enc. alg | Value | 834 +---------------+-------+ 835 | ARIA-CTR | TBD | 836 | ARIA-CCM | TBD | 837 | ARIA-GCM | TBD | 838 +---------------+-------+ 840 Default session encryption key length is 16 octets. 842 +----------+-------+ 843 | SRTP PRF | Value | 844 +----------+-------+ 845 | ARIA-CTR | TBD | 846 +----------+-------+ 848 MIKEY specifies the algorithm family separately from the key length 849 (which is specified by the Session Encryption key length) and the 850 authentication tag length. 852 +--------------------------------------+ 853 | Encryption | Encryption | Auth. | 854 | Algorithm | Key Length | Tag Length | 855 +======================================+ 856 SRTP_ARIA_128_CTR_HMAC_80 | ARIA-CTR | 16 octets | 10 octets | 857 SRTP_ARIA_128_CTR_HMAC_32 | ARIA-CTR | 16 octets | 4 octets | 858 SRTP_ARIA_192_CTR_HMAC_80 | ARIA-CTR | 24 octets | 10 octets | 859 SRTP_ARIA_192_CTR_HMAC_32 | ARIA-CTR | 24 octets | 4 octets | 860 SRTP_ARIA_256_CTR_HMAC_80 | ARIA-CTR | 32 octets | 10 octets | 861 SRTP_ARIA_256_CTR_HMAC_32 | ARIA-CTR | 32 octets | 4 octets | 862 +======================================+ 864 Figure 1: Mapping MIKEY parameters to ARIA-CTR with HMAC algorithm 866 +--------------------------------------+ 867 | Encryption | Encryption | AEAD Auth. | 868 | Algorithm | Key Length | Tag Length | 869 +======================================+ 870 SRTP_AEAD_ARIA_128_GCM | ARIA-GCM | 16 octets | 16 octets | 871 SRTP_AEAD_ARIA_128_CCM | ARIA-CCM | 16 octets | 16 octets | 872 SRTP_AEAD_ARIA_128_GCM_12 | ARIA-GCM | 16 octets | 12 octets | 873 SRTP_AEAD_ARIA_128_CCM_12 | ARIA-CCM | 16 octets | 12 octets | 874 SRTP_AEAD_ARIA_128_GCM_8 | ARIA-GCM | 16 octets | 8 octets | 875 SRTP_AEAD_ARIA_128_CCM_8 | ARIA-CCM | 16 octets | 8 octets | 876 SRTP_AEAD_ARIA_256_GCM | ARIA-GCM | 32 octets | 16 octets | 877 SRTP_AEAD_ARIA_256_CCM | ARIA-CCM | 32 octets | 16 octets | 878 SRTP_AEAD_ARIA_256_GCM_12 | ARIA-GCM | 32 octets | 12 octets | 879 SRTP_AEAD_ARIA_256_CCM_12 | ARIA-CCM | 32 octets | 12 octets | 880 SRTP_AEAD_ARIA_256_GCM_8 | ARIA-GCM | 32 octets | 8 octets | 881 SRTP_AEAD_ARIA_256_CCM_8 | ARIA-CCM | 32 octets | 8 octets | 882 +======================================+ 884 Figure 2: Mapping MIKEY parameters to AEAD algorithm 886 6. References 888 6.1. Normative References 890 [GCM] Dworkin, M., "Recommendation for Block Cipher Modes of 891 Operation: Galois/Counter Mode (GCM) and GMAC", NIST SP 892 800-38D, November 2007. 894 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 895 Requirement Levels", BCP 14, RFC 2119, March 1997. 897 [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. 898 Jacobson, "RTP: A Transport Protocol for Real-Time 899 Applications", STD 64, RFC 3550, July 2003. 901 [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. 902 Norrman, "The Secure Real-time Transport Protocol (SRTP)", 903 RFC 3711, March 2004. 905 [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. 906 Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, 907 August 2004. 909 [RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session 910 Description Protocol (SDP) Security Descriptions for Media 911 Streams", RFC 4568, July 2006. 913 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 914 Encryption", RFC 5116, January 2008. 916 [RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption 917 Algorithms with the Encrypted Payload of the Internet Key 918 Exchange version 2 (IKEv2) Protocol", RFC 5282, August 919 2008. 921 [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer 922 Security (DTLS) Extension to Establish Keys for the Secure 923 Real-time Transport Protocol (SRTP)", RFC 5764, May 2010. 925 [RFC6188] McGrew, D., "The Use of AES-192 and AES-256 in Secure 926 RTP", RFC 6188, March 2011. 928 [RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for 929 Transport Layer Security (TLS)", RFC 6655, July 2012. 931 6.2. Informative References 933 [ARIAKS] Korean Agency for Technology and Standards, "128 bit block 934 encryption algorithm ARIA - Part 1: General (in Korean)", 935 KS X 1213-1:2009, December 2009. 937 [ARIAPKCS] 938 RSA Laboratories, "Additional PKCS #11 Mechanisms", PKCS 939 #11 v2.20 Amendment 3 Revision 1, January 2007. 941 [I-D.ietf-avtcore-srtp-aes-gcm] 942 McGrew, D. and K. Igoe, "AES-GCM and AES-CCM Authenticated 943 Encryption in Secure RTP (SRTP)", draft-ietf-avtcore-srtp- 944 aes-gcm-07 (work in progress), July 2013. 946 [RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with 947 CBC-MAC (CCM)", RFC 3610, September 2003. 949 [RFC5748] Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA 950 Registry Update for Support of the SEED Cipher Algorithm 951 in Multimedia Internet KEYing (MIKEY)", RFC 5748, August 952 2010. 954 [RFC5794] Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A 955 Description of the ARIA Encryption Algorithm", RFC 5794, 956 March 2010. 958 [TSL] Tang, X., Sun, B., Li, R., Li, C., and J. Yin, "A meet-in- 959 the-middle attack on reduced-round ARIA", The Journal of 960 Systems and Software Vol.84(10), pp. 1685-1692, October 961 2011. 963 Appendix A. Test Vectors 965 All values are in hexadecimal. 967 A.1. ARIA-CTR Test Vectors 969 Common values are organized as follows: 971 Rollover Counter: 00000000 972 Sequence Number: 315e 973 SSRC: 20e8f5eb 974 Authentication Key: f93563311b354748c97891379553063116452309 975 Session Salt: cd3a7c42c671e0067a2a2639b43a 976 Initialization Vector: cd3a7c42e69915ed7a2a263985640000 977 RTP header: 8008315ebf2e6fe020e8f5eb 978 RTP Payload: f57af5fd4ae19562976ec57a5a7ad55a 979 5af5c5e5c5fdf5c55ad57a4a7272d572 980 62e9729566ed66e97ac54a4a5a7ad5e1 981 5ae5fdd5fd5ac5d56ae56ad5c572d54a 982 e54ac55a956afd6aed5a4ac562957a95 983 16991691d572fd14e97ae962ed7a9f4a 984 955af572e162f57a956666e17ae1f54a 985 95f566d54a66e16e4afd6a9f7ae1c5c5 986 5ae5d56afde916c5e94a6ec56695e14a 987 fde1148416e94ad57ac5146ed59d1cc5 989 A.1.1. ARIA_128_CTR_HMAC_SHA1_80 991 Session Key: 0c5ffd37a11edc42c325287fc0604f2e 993 Encrypted RTP Payload: 1bf753f412e6f35058cc398dc851aae3 994 a6ccdcb463fbed9cfb3de2fb76fdffa9 995 e481f5efb64c92487f59dabbc7cc72da 996 092485f3fbad87888820b86037311fa4 997 4330e18a59a1e1338ba2c21458493a57 998 463475c54691f91cec785429119e0dfc 999 d9048f90e07fecd50b528e8c62ee6e71 1000 445de5d7f659405135aff3604c2ca4ff 1001 4aaca40809cb9eee42cc4ad232307570 1002 81ca289f2851d3315e9568b501fdce6d 1004 Authenticated portion || Rollover Counter: 1006 8008315ebf2e6fe020e8f5eb1bf753f4 1007 12e6f35058cc398dc851aae3a6ccdcb4 1008 63fbed9cfb3de2fb76fdffa9e481f5ef 1009 b64c92487f59dabbc7cc72da092485f3 1010 fbad87888820b86037311fa44330e18a 1011 59a1e1338ba2c21458493a57463475c5 1012 4691f91cec785429119e0dfcd9048f90 1013 e07fecd50b528e8c62ee6e71445de5d7 1014 f659405135aff3604c2ca4ff4aaca408 1015 09cb9eee42cc4ad23230757081ca289f 1016 2851d3315e9568b501fdce6d00000000 1018 Authentication Tag: f9de4e729054672b0e35 1020 A.1.2. ARIA_192_CTR_HMAC_SHA1_80 1022 Session Key: 0c5ffd37a11edc42c325287fc0604f2e 1023 3e8cd5671a00fe32 1025 Encrypted RTP Payload: 86f4556486642caa67e9b40fef2acda0 1026 6d442517d8d58c15e3e0b5c13a78b8b2 1027 838b7b96961e11acb2af81348272888c 1028 fd9d168ba091fe3e4f7f83c7871570a9 1029 aa9f995036e44c35cb742b601e8d8d08 1030 48320bad732929103f1bfbb1ae873178 1031 0479c5df2d4d41f78f6b96d6832db3db 1032 6af8b3612b27e18a0a29a8a1d280437e 1033 b8dad58e78658ec3b069d7329431c356 1034 c5e612b3dde5bd3f6c9f42f39cf35d3a 1036 Authenticated portion || Rollover Counter: 1037 8008315ebf2e6fe020e8f5eb86f45564 1038 86642caa67e9b40fef2acda06d442517 1039 d8d58c15e3e0b5c13a78b8b2838b7b96 1040 961e11acb2af81348272888cfd9d168b 1041 a091fe3e4f7f83c7871570a9aa9f9950 1042 36e44c35cb742b601e8d8d0848320bad 1043 732929103f1bfbb1ae8731780479c5df 1044 2d4d41f78f6b96d6832db3db6af8b361 1045 2b27e18a0a29a8a1d280437eb8dad58e 1046 78658ec3b069d7329431c356c5e612b3 1047 dde5bd3f6c9f42f39cf35d3a00000000 1049 Authentication Tag: 3935fa37ee96dbc550d5 1051 A.1.3. ARIA_256_CTR_HMAC_SHA1_80 1053 Session Key: 0c5ffd37a11edc42c325287fc0604f2e 1054 3e8cd5671a00fe3216aa5eb105783b54 1056 Encrypted RTP Payload: c424c59fd5696305e5b13d8e8ca76566 1057 17ccd7471088af9debf07b55c750f804 1058 a5ac2b737be48140958a9b420524112a 1059 e72e4da5bca59d2b1019ddd7dbdc30b4 1060 3d5f046152ced40947d62d2c93e7b8e5 1061 0f02db2b6b61b010e4c1566884de1fa9 1062 702cdf8157e8aedfe3dd77c76bb50c25 1063 ae4d624615c15acfdeeb5f79482aaa01 1064 d3e4c05eb601eca2bd10518e9d46b021 1065 16359232e9eac0fabd05235dd09e6dea 1067 Authenticated portion || Rollover Counter: 1068 8008315ebf2e6fe020e8f5ebc424c59f 1069 d5696305e5b13d8e8ca7656617ccd747 1070 1088af9debf07b55c750f804a5ac2b73 1071 7be48140958a9b420524112ae72e4da5 1072 bca59d2b1019ddd7dbdc30b43d5f0461 1073 52ced40947d62d2c93e7b8e50f02db2b 1074 6b61b010e4c1566884de1fa9702cdf81 1075 57e8aedfe3dd77c76bb50c25ae4d6246 1076 15c15acfdeeb5f79482aaa01d3e4c05e 1077 b601eca2bd10518e9d46b02116359232 1078 e9eac0fabd05235dd09e6dea00000000 1080 Authentication Tag: 192f515fab04bbb4e62c 1082 A.2. ARIA-GCM Test Vectors 1084 Common values are organized as follows: 1086 Rollover Counter: 00000000 1087 Sequence Number: 315e 1088 SSRC: 20e8f5eb 1089 Encryption Salt: 000000000000000000000000 1091 Initialization Vector: 000020e8f5eb00000000315e 1092 RTP Payload: f57af5fd4ae19562976ec57a5a7ad55a 1093 5af5c5e5c5fdf5c55ad57a4a7272d572 1094 62e9729566ed66e97ac54a4a5a7ad5e1 1095 5ae5fdd5fd5ac5d56ae56ad5c572d54a 1096 e54ac55a956afd6aed5a4ac562957a95 1097 16991691d572fd14e97ae962ed7a9f4a 1098 955af572e162f57a956666e17ae1f54a 1099 95f566d54a66e16e4afd6a9f7ae1c5c5 1100 5ae5d56afde916c5e94a6ec56695e14a 1101 fde1148416e94ad57ac5146ed59d1cc5 1102 Associated Data: 8008315ebf2e6fe020e8f5eb 1104 The length of encrypted payload is larger than that of payload by 16 1105 octets which the length of the tag from GCM. For other GCM 1106 ciphersuites with shorter tag length than 16 octets, test vectors can 1107 be obtained by truncation from ARIA-GCM test verctors. 1109 A.2.1. ARIA_128_GCM 1111 Key: e91e5e75da65554a48181f3846349562 1113 Encrypted RTP Payload: 4d8a9a0675550c704b17d8c9ddc81a5c 1114 d6f7da34f2fe1b3db7cb3dfb9697102e 1115 a0f3c1fc2dbc873d44bceeae8e444297 1116 4ba21ff6789d3272613fb9631a7cf3f1 1117 4bacbeb421633a90ffbe58c2fa6bdca5 1118 34f10d0de0502ce1d531b6336e588782 1119 78531e5c22bc6c85bbd784d78d9e680a 1120 a19031aaf89101d669d7a3965c1f7e16 1121 229d7463e0535f4e253f5d18187d40b8 1122 ae0f564bd970b5e7e2adfb211e89a953 1123 5abace3f37f5a736f4be984bbffbedc1 1125 A.2.2. ARIA_256_GCM 1127 Key: 0c5ffd37a11edc42c325287fc0604f2e 1128 3e8cd5671a00fe3216aa5eb105783b54 1130 Encrypted RTP Payload: 6f9e4bcbc8c85fc0128fb1e4a0a20cb9 1131 932ff74581f54fc013dd054b19f99371 1132 425b352d97d3f337b90b63d1b082adee 1133 ea9d2d7391897d591b985e55fb50cb53 1134 50cf7d38dc27dda127c078a149c8eb98 1135 083d66363a46e3726af217d3a00275ad 1136 5bf772c7610ea4c23006878f0ee69a83 1137 97703169a419303f40b72e4573714d19 1138 e2697df61e7c7252e5abc6bade876ac4 1139 961bfac4d5e867afca351a48aed52822 1140 e210d6ced2cf430ff841472915e7ef48 1142 A.3. ARIA-CCM Test Vectors 1144 Common values are organized as follows: 1146 Rollover Counter: 00000000 1147 Sequence Number: 315e 1148 SSRC: 20e8f5eb 1149 Encryption Salt: 000000000000000000000000 1151 Initialization Vector: 000020e8f5eb00000000315e 1152 RTP Payload: f57af5fd4ae19562976ec57a5a7ad55a 1153 5af5c5e5c5fdf5c55ad57a4a7272d572 1154 62e9729566ed66e97ac54a4a5a7ad5e1 1155 5ae5fdd5fd5ac5d56ae56ad5c572d54a 1156 e54ac55a956afd6aed5a4ac562957a95 1157 16991691d572fd14e97ae962ed7a9f4a 1158 955af572e162f57a956666e17ae1f54a 1159 95f566d54a66e16e4afd6a9f7ae1c5c5 1160 5ae5d56afde916c5e94a6ec56695e14a 1161 fde1148416e94ad57ac5146ed59d1cc5 1162 Associated Data: 8008315ebf2e6fe020e8f5eb 1164 The length of encrypted payload is larger than that of payload by the 1165 tag length defined for each ciphersuite. 1167 A.3.1. ARIA_128_CCM 1169 Key: 974bee725d44fc3992267b284c3c6750 1171 Encrypted RTP Payload: 621e408a2e455505b39f704dcbac4307 1172 daabbd6d670abc4e42f2fd2fca263f09 1173 4f4683e6fb0b10c5093d42b69dce0ba5 1174 46520e7c4400975713f3bde93ef13116 1175 0b9cbcd6df78a1502be7c6ea8d395b9e 1176 d0078819c3105c0ab92cb67b16ba51bb 1177 1f53508738bf7a37c9a905439b88b7af 1178 9d51a407916fdfea8d43bf253721846d 1179 c1671391225fc58d9d0693c8ade6a4ff 1180 b034ee6543dd4e651b7a084eae60f855 1181 40f04b6467e300f6b336aedf9df4185b 1183 A.3.2. ARIA_256_CCM 1185 Key: 0c5ffd37a11edc42c325287fc0604f2e 1186 3e8cd5671a00fe3216aa5eb105783b54 1188 Encrypted RTP Payload: ff78128ee18ee3cb9fb0d20726a017ff 1189 67fbd09d3a4c38aa32f6d306d3fdda37 1190 8e459b83ed005507449d6cd981a4c1e3 1191 ff4193870c276ef09b6317a01a228320 1192 6ae4b4be0d0b235422c8abb001224106 1193 56b75e1ffc7fb49c0d0c5d6169aa7623 1194 610579968037aee8e83fc26264ea8665 1195 90fd620aa3c0a5f323d953aa7f8defb0 1196 d0d60ab5a9de44dbaf8eae74ea3ab5f3 1197 0594154f405fd630aa4c4d5603efdfa1 1198 87b6bd222c55365a9c7d0b215b77ea41 1200 A.3.3. ARIA_128_CCM_8 1202 Key: 974bee725d44fc3992267b284c3c6750 1204 Encrypted RTP Payload: 621e408a2e455505b39f704dcbac4307 1205 daabbd6d670abc4e42f2fd2fca263f09 1206 4f4683e6fb0b10c5093d42b69dce0ba5 1207 46520e7c4400975713f3bde93ef13116 1208 0b9cbcd6df78a1502be7c6ea8d395b9e 1209 d0078819c3105c0ab92cb67b16ba51bb 1210 1f53508738bf7a37c9a905439b88b7af 1211 9d51a407916fdfea8d43bf253721846d 1212 c1671391225fc58d9d0693c8ade6a4ff 1213 b034ee6543dd4e651b7a084eae60f855 1214 dd2282c93a67fe4b 1216 A.3.4. ARIA_256_CCM_8 1218 Key: 0c5ffd37a11edc42c325287fc0604f2e 1219 3e8cd5671a00fe3216aa5eb105783b54 1221 Encrypted RTP Payload: ff78128ee18ee3cb9fb0d20726a017ff 1222 67fbd09d3a4c38aa32f6d306d3fdda37 1223 8e459b83ed005507449d6cd981a4c1e3 1224 ff4193870c276ef09b6317a01a228320 1225 6ae4b4be0d0b235422c8abb001224106 1226 56b75e1ffc7fb49c0d0c5d6169aa7623 1227 610579968037aee8e83fc26264ea8665 1228 90fd620aa3c0a5f323d953aa7f8defb0 1229 d0d60ab5a9de44dbaf8eae74ea3ab5f3 1230 0594154f405fd630aa4c4d5603efdfa1 1231 828dc0088f99a7ef 1233 A.3.5. ARIA_128_CCM_12 1235 Key: 974bee725d44fc3992267b284c3c6750 1237 Encrypted RTP Payload: 621e408a2e455505b39f704dcbac4307 1238 daabbd6d670abc4e42f2fd2fca263f09 1239 4f4683e6fb0b10c5093d42b69dce0ba5 1240 46520e7c4400975713f3bde93ef13116 1241 0b9cbcd6df78a1502be7c6ea8d395b9e 1242 d0078819c3105c0ab92cb67b16ba51bb 1243 1f53508738bf7a37c9a905439b88b7af 1244 9d51a407916fdfea8d43bf253721846d 1245 c1671391225fc58d9d0693c8ade6a4ff 1246 b034ee6543dd4e651b7a084eae60f855 1247 01f3dedd15238da5ebfb1590 1249 A.3.6. ARIA_256_CCM_12 1251 Key: 0c5ffd37a11edc42c325287fc0604f2e 1252 3e8cd5671a00fe3216aa5eb105783b54 1254 Encrypted RTP Payload: ff78128ee18ee3cb9fb0d20726a017ff 1255 67fbd09d3a4c38aa32f6d306d3fdda37 1256 8e459b83ed005507449d6cd981a4c1e3 1257 ff4193870c276ef09b6317a01a228320 1258 6ae4b4be0d0b235422c8abb001224106 1259 56b75e1ffc7fb49c0d0c5d6169aa7623 1260 610579968037aee8e83fc26264ea8665 1261 90fd620aa3c0a5f323d953aa7f8defb0 1262 d0d60ab5a9de44dbaf8eae74ea3ab5f3 1263 0594154f405fd630aa4c4d5603efdfa1 1264 3615b7f90a651de15da20fb6 1266 A.4. Key Derivation Test Vector 1268 This section provides test vectors for the default key derivation 1269 function, which uses ARIA in Counter Mode. In the following, we walk 1270 through the initial key derivation for the ARIA Counter Mode cipher, 1271 which requires a 16/24/32 octet session encryption key according to 1272 the session encryption key length and a 14 octet session salt, and an 1273 authentication function which requires a 94 octet session 1274 authentication key. These values are called the cipher key, the 1275 cipher salt, and the auth key in the following. The test vectors are 1276 generated in the same way with the test vectors of key derivation 1277 functions in [RFC3711] and [RFC6188] but with each invocation of AES 1278 replaced with an invocation of ARIA. 1280 A.4.1. ARIA_128 1282 The inputs to the key derivation function are the 16 octet master key 1283 and the 14 octet master salt: 1285 master key: e1f97a0d3e018be0d64fa32c06de4139 1286 master salt: 0ec675ad498afeebb6960b3aabe6 1288 index DIV kdr: 000000000000 1289 label: 00 1290 master salt: 0ec675ad498afeebb6960b3aabe6 1291 ----------------------------------------------- 1292 xor: 0ec675ad498afeebb6960b3aabe6 (x, PRF input) 1294 x*2^16: 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input) 1296 cipher key: dbd85a3c4d9219b3e81f7d942e299de4 (ARIA-CTR output) 1298 ARIA-CTR crypto suite requires 14 octet cipher salt while ARIA-CCM 1299 and ARIA-GCM crypto suites require 12 octet cipher salt. 1301 index DIV kdr: 000000000000 1302 label: 02 1303 master salt: 0ec675ad498afeebb6960b3aabe6 1304 ---------------------------------------------- 1305 xor: 0ec675ad498afee9b6960b3aabe6 (x, PRF input) 1307 x*2^16: 0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input) 1309 9700657f5f34161830d7d85f5dc8be7f (ARIA-CTR output) 1311 cipher salt: 9700657f5f34161830d7d85f5dc8 (ARIA-CTR cipher 1312 suite) 1313 9700657f5f34161830d7d85f (ARIA-CCM or 1314 ARIA-GCM cipher suite) 1315 index DIV kdr: 000000000000 1316 label: 01 1317 master salt: 0ec675ad498afeebb6960b3aabe6 1318 ----------------------------------------------- 1319 xor: 0ec675ad498afeeab6960b3aabe6 (x, PRF input) 1320 x*2^16: 0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input) 1322 Below, the auth key is shown on the left, while the corresponding 1323 ARIA input blocks are shown on the right. 1325 auth key ARIA input blocks 1327 d021877bd3eaf92d581ed70ddc050e03 0ec675ad498afeeab6960b3aabe60000 1328 f11257032676f2a29f57b21abd3a1423 0ec675ad498afeeab6960b3aabe60001 1329 769749bdc5dd9ca5b43ca6b6c1f3a7de 0ec675ad498afeeab6960b3aabe60002 1330 4047904bcf811f601cc03eaa5d7af6db 0ec675ad498afeeab6960b3aabe60003 1331 9f88efa2e51ca832fc2a15b126fa7be2 0ec675ad498afeeab6960b3aabe60004 1332 469af896acb1852c31d822c45799 0ec675ad498afeeab6960b3aabe60005 1334 A.4.2. ARIA_192 1336 The inputs to the key derivation function are the 24 octet master key 1337 and the 14 octet master salt: 1339 master key: 0c5ffd37a11edc42c325287fc0604f2e3e8cd5671a00fe32 1340 master salt: 0ec675ad498afeebb6960b3aabe6 1342 index DIV kdr: 000000000000 1343 label: 00 1344 master salt: 0ec675ad498afeebb6960b3aabe6 1345 ----------------------------------------------- 1346 xor: 0ec675ad498afeebb6960b3aabe6 (x, PRF input) 1348 x*2^16: 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input) 1350 cipher key: f320af2386a1cde64c3aa5f55d68002e (ARIA-CTR 1st output) 1351 d13cbe548b627649 (ARIA-CTR 2nd Output) 1353 ARIA-CTR cipher suite requires 14 octet cipher salt while ARIA-CCM 1354 and ARIA-GCM cipher suites require 12 octet cipher salt. 1356 index DIV kdr: 000000000000 1357 label: 02 1358 master salt: 0ec675ad498afeebb6960b3aabe6 1359 ---------------------------------------------- 1360 xor: 0ec675ad498afee9b6960b3aabe6 (x, PRF input) 1362 x*2^16: 0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input) 1364 55c7e3555baf0fdc91c589cfb871b098 (ARIA-CTR output) 1366 cipher salt: 55c7e3555baf0fdc91c589cfb871 (ARIA-CTR cipher 1367 suite) 1368 55c7e3555baf0fdc91c589cf (ARIA-CCM or 1369 ARIA-GCM cipher suite) 1371 index DIV kdr: 000000000000 1372 label: 01 1373 master salt: 0ec675ad498afeebb6960b3aabe6 1374 ----------------------------------------------- 1375 xor: 0ec675ad498afeeab6960b3aabe6 (x, PRF input) 1377 x*2^16: 0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input) 1379 Below, the auth key is shown on the left, while the corresponding 1380 ARIA input blocks are shown on the right. 1382 auth key ARIA input blocks 1384 116902524517f7e767a979ad7678d53a 0ec675ad498afeeab6960b3aabe60000 1385 8cae05a5c9a315d1304f634c81a06617 0ec675ad498afeeab6960b3aabe60001 1386 31fe099d4dcd2202421fe01fc12c65ad 0ec675ad498afeeab6960b3aabe60002 1387 009e920031654855af5d9e820a7831e0 0ec675ad498afeeab6960b3aabe60003 1388 bc2b4744d2a33053eb685138252f2d82 0ec675ad498afeeab6960b3aabe60004 1389 9a89f4a9aa4f97fde0cce9bad3d5 0ec675ad498afeeab6960b3aabe60005 1391 A.4.3. ARIA_256 1393 The inputs to the key derivation function are the 32 octet master key 1394 and the 14 octet master salt: 1396 master key: 0c5ffd37a11edc42c325287fc0604f2e 1397 3e8cd5671a00fe3216aa5eb105783b54 1398 master salt: 0ec675ad498afeebb6960b3aabe6 1400 index DIV kdr: 000000000000 1401 label: 00 1402 master salt: 0ec675ad498afeebb6960b3aabe6 1403 ----------------------------------------------- 1404 xor: 0ec675ad498afeebb6960b3aabe6 (x, PRF input) 1406 x*2^16: 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input) 1408 cipher key: 0649a09d93755fe9c2b2efba1cce930a (ARIA-CTR 1st output) 1409 f2e76ce8b77e4b175950321aa94b0cf4 (ARIA-CTR 2nd output) 1411 ARIA-CTR cipher suite requires 14 octet cipher salt while ARIA-CCM 1412 and ARIA-GCM cipher suites require 12 octet cipher salt. 1414 index DIV kdr: 000000000000 1415 label: 02 1416 master salt: 0ec675ad498afeebb6960b3aabe6 1417 ---------------------------------------------- 1418 xor: 0ec675ad498afee9b6960b3aabe6 (x, PRF input) 1420 x*2^16: 0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input) 1422 194abaa8553a8eba8a413a340fc80a3d (ARIA-CTR output) 1424 cipher salt: 194abaa8553a8eba8a413a340fc8 (ARIA-CTR cipher 1425 suite) 1426 194abaa8553a8eba8a413a34 (ARIA-CCM or 1427 ARIA-GCM cipher suite) 1429 index DIV kdr: 000000000000 1430 label: 01 1431 master salt: 0ec675ad498afeebb6960b3aabe6 1432 ----------------------------------------------- 1433 xor: 0ec675ad498afeeab6960b3aabe6 (x, PRF input) 1435 x*2^16: 0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input) 1437 Below, the auth key is shown on the left, while the corresponding 1438 ARIA input blocks are shown on the right. 1440 auth key ARIA input blocks 1442 e58d42915873b71899234807334658f2 0ec675ad498afeeab6960b3aabe60000 1443 0bc460181d06e02b7a9e60f02ff10bfc 0ec675ad498afeeab6960b3aabe60001 1444 9ade3795cf78f3e0f2556d9d913470c4 0ec675ad498afeeab6960b3aabe60002 1445 e82e45d254bfb8e2933851a3930ffe7d 0ec675ad498afeeab6960b3aabe60003 1446 fca751c03ec1e77e35e28dac4f17d1a5 0ec675ad498afeeab6960b3aabe60004 1447 80bdac028766d3b1e8f5a41faa3c 0ec675ad498afeeab6960b3aabe60005 1449 Authors' Addresses 1450 Woo-Hwan Kim 1451 National Security Research Institute 1452 P.O.Box 1, Yuseong 1453 Daejeon 305-350 1454 Korea 1456 EMail: whkim5@ensec.re.kr 1458 Jungkeun Lee 1459 National Security Research Institute 1460 P.O.Box 1, Yuseong 1461 Daejeon 305-350 1462 Korea 1464 EMail: jklee@ensec.re.kr 1466 Dong-Chan Kim 1467 National Security Research Institute 1468 P.O.Box 1, Yuseong 1469 Daejeon 305-350 1470 Korea 1472 EMail: dongchan@ensec.re.kr 1474 Je-Hong Park 1475 National Security Research Institute 1476 P.O.Box 1, Yuseong 1477 Daejeon 305-350 1478 Korea 1480 EMail: jhpark@ensec.re.kr 1482 Daesung Kwon 1483 National Security Research Institute 1484 P.O.Box 1, Yuseong 1485 Daejeon 305-350 1486 Korea 1488 EMail: ds_kwon@ensec.re.kr