idnits 2.17.1 draft-ietf-avtcore-aria-srtp-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (November 19, 2013) is 3804 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 557 -- Looks like a reference, but probably isn't: '2' on line 586 -- Looks like a reference, but probably isn't: '3' on line 841 -- Possible downref: Non-RFC (?) normative reference: ref. 'GCM' == Outdated reference: A later version (-17) exists of draft-ietf-avtcore-srtp-aes-gcm-10 ** Downref: Normative reference to an Informational RFC: RFC 5794 Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 AVTCore W. Kim 3 Internet-Draft J. Lee 4 Intended status: Standards Track D. Kim 5 Expires: May 23, 2014 J. Park 6 D. Kwon 7 NSRI 8 November 19, 2013 10 The ARIA Algorithm and Its Use with the Secure Real-time Transport 11 Protocol(SRTP) 12 draft-ietf-avtcore-aria-srtp-06 14 Abstract 16 This document defines the use of the ARIA block cipher algorithm 17 within the Secure Real-time Transport Protocol (SRTP) for providing 18 confidentiality for the Real-time Transport Protocol (RTP) traffic 19 and for the control traffic for RTP, the RTP Control Protocol (RTCP). 20 It details three modes of operation (CTR, CCM, GCM) and a SRTP Key 21 Derivation Function for ARIA. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on May 23, 2014. 40 Copyright Notice 42 Copyright (c) 2013 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 1.1. ARIA . . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 60 2. Cryptographic Transforms . . . . . . . . . . . . . . . . . . 3 61 2.1. ARIA-CTR . . . . . . . . . . . . . . . . . . . . . . . . 3 62 2.2. ARIA-GCM . . . . . . . . . . . . . . . . . . . . . . . . 6 63 2.3. ARIA-CCM . . . . . . . . . . . . . . . . . . . . . . . . 9 64 3. Key Derivation Functions . . . . . . . . . . . . . . . . . . 12 65 4. Security Considerations . . . . . . . . . . . . . . . . . . . 12 66 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 67 5.1. Security Descriptions (SDES) . . . . . . . . . . . . . . 12 68 5.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 13 69 5.3. MIKEY . . . . . . . . . . . . . . . . . . . . . . . . . . 18 70 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 71 6.1. Normative References . . . . . . . . . . . . . . . . . . 20 72 6.2. Informative References . . . . . . . . . . . . . . . . . 21 73 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 21 74 A.1. ARIA-CTR Test Vectors . . . . . . . . . . . . . . . . . . 21 75 A.1.1. ARIA_128_CTR_HMAC_SHA1_80 . . . . . . . . . . . . . . 22 76 A.1.2. ARIA_192_CTR_HMAC_SHA1_80 . . . . . . . . . . . . . . 22 77 A.1.3. ARIA_256_CTR_HMAC_SHA1_80 . . . . . . . . . . . . . . 23 78 A.2. ARIA-GCM Test Vectors . . . . . . . . . . . . . . . . . . 24 79 A.2.1. ARIA_128_GCM . . . . . . . . . . . . . . . . . . . . 24 80 A.2.2. ARIA_256_GCM . . . . . . . . . . . . . . . . . . . . 25 81 A.3. ARIA-CCM Test Vectors . . . . . . . . . . . . . . . . . . 25 82 A.3.1. ARIA_128_CCM . . . . . . . . . . . . . . . . . . . . 26 83 A.3.2. ARIA_256_CCM . . . . . . . . . . . . . . . . . . . . 26 84 A.3.3. ARIA_128_CCM_8 . . . . . . . . . . . . . . . . . . . 26 85 A.3.4. ARIA_256_CCM_8 . . . . . . . . . . . . . . . . . . . 27 86 A.3.5. ARIA_128_CCM_12 . . . . . . . . . . . . . . . . . . . 27 87 A.3.6. ARIA_256_CCM_12 . . . . . . . . . . . . . . . . . . . 27 88 A.4. Key Derivation Test Vector . . . . . . . . . . . . . . . 28 89 A.4.1. ARIA_128 . . . . . . . . . . . . . . . . . . . . . . 28 90 A.4.2. ARIA_192 . . . . . . . . . . . . . . . . . . . . . . 29 91 A.4.3. ARIA_256 . . . . . . . . . . . . . . . . . . . . . . 30 93 1. Introduction 95 This document defines the use of the ARIA [RFC5794] block cipher 96 algorithm in the Secure Real-time Transport Protocol (SRTP) [RFC3711] 97 for providing confidentiality for the Real-time Transport Protocol 98 (RTP) [RFC3550] traffic and for the control traffic for RTP, the RTP 99 Control Protocol (RTCP) [RFC3550]. 101 1.1. ARIA 103 ARIA is a general-purpose block cipher algorithm developed by Korean 104 cryptographers in 2003. It is an iterated block cipher with 128-, 105 192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16 106 rounds, depending on the key size. It is secure and suitable for 107 most software and hardware implementations on 32-bit and 8-bit 108 processors. It was established as a Korean standard block cipher 109 algorithm in 2004 [ARIAKS] and has been widely used in Korea, 110 especially for government-to-public services. It was included in 111 PKCS #11 in 2007 [ARIAPKCS]. The algorithm specification and object 112 identifiers are described in [RFC5794]. 114 1.2. Terminology 116 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 117 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 118 document are to be interpreted as described in [RFC2119]. 120 2. Cryptographic Transforms 122 Block ciphers ARIA and AES share common characteristics including 123 mode, key size, and block size. ARIA does not have any restrictions 124 for modes of operation that are used with this block cipher. We 125 define three modes of running ARIA within the SRTP protocol, (1) ARIA 126 in Counter Mode (ARIA-CTR), (2) ARIA in Counter with CBC-MAC Mode 127 (ARIA-CCM) and (3) ARIA in Galois/Counter Mode (ARIA-GCM). 129 2.1. ARIA-CTR 131 Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption, 132 which it refers to as "AES_CM". Section 2 of [RFC6188] defines 133 "AES_192_CM" and "AES_256_CM" in SRTP. ARIA counter modes are 134 defined in the same manner except that each invocation of AES is 135 replaced by that of ARIA [RFC5794], and are denoted by ARIA_128_CTR, 136 ARIA_192_CTR and ARIA_256_CTR respectively, according to the key 137 lengths. The plaintext inputs to the block cipher are formed as in 138 AES-CTR(AES_CM, AES_192_CM, AES_256_CM) and the block cipher outputs 139 are processed as in AES-CTR. 141 When ARIA-CTR is used, it MUST be used only in conjunction with an 142 authentication function. The ARIA-CTR crypto suites with HMAC-SHA1 143 as an authentication function are listed below. The authentication 144 key length of all crypto suites is 20 octets. 146 Section 3.2 of [RFC6904] defines AES-CTR for SRTP header extension 147 keystream generation. When ARIA-CTR is used, the header extension 148 keystream SHALL be generated in the same manner except that each 149 invocation of AES is replaced by that of ARIA [RFC5794]. 151 +---------------------------+-----------------+------------------+ 152 | Name | Enc. Key Length | Auth. Tag Length | 153 +---------------------------+-----------------+------------------+ 154 | ARIA_128_CTR_HMAC_SHA1_80 | 16 octets | 10 octets | 155 | ARIA_128_CTR_HMAC_SHA1_32 | 16 octets | 4 octets | 156 | ARIA_192_CTR_HMAC_SHA1_80 | 24 octets | 10 octets | 157 | ARIA_192_CTR_HMAC_SHA1_32 | 24 octets | 4 octets | 158 | ARIA_256_CTR_HMAC_SHA1_80 | 32 octets | 10 octets | 159 | ARIA_256_CTR_HMAC_SHA1_32 | 32 octets | 4 octets | 160 +---------------------------+-----------------+------------------+ 162 Table 1: ARIA-CTR Crypto Suites for SRTP/SRTCP 164 The parameters (from Table 2 to Table 7) in each crypto suite listed 165 in Table 1 are described for use with the SDP Security Descriptions 166 attributes [RFC4568]. 168 +---------------------------------+------------------------------+ 169 | Parameter | Value | 170 +---------------------------------+------------------------------+ 171 | Master key length | 128 bits | 172 | Master salt length | 112 bits | 173 | Key Derivation Function | ARIA_128_CTR_PRF (Section 3) | 174 | Default key lifetime | 2^31 packets | 175 | Cipher (for SRTP and SRTCP) | ARIA_128_CTR | 176 | SRTP authentication function | HMAC-SHA1 | 177 | SRTP authentication key length | 160 bits | 178 | SRTP authentication tag length | 80 bits | 179 | SRTCP authentication function | HMAC-SHA1 | 180 | SRTCP authentication key length | 160 bits | 181 | SRTCP authentication tag length | 80 bits | 182 +---------------------------------+------------------------------+ 184 Table 2: The ARIA_128_CTR_HMAC_SHA1_80 Crypto Suite 186 +---------------------------------+------------------------------+ 187 | Parameter | Value | 188 +---------------------------------+------------------------------+ 189 | Master key length | 128 bits | 190 | Master salt length | 112 bits | 191 | Key Derivation Function | ARIA_128_CTR_PRF (Section 3) | 192 | Default key lifetime | 2^31 packets | 193 | Cipher (for SRTP and SRTCP) | ARIA_128_CTR | 194 | SRTP authentication function | HMAC-SHA1 | 195 | SRTP authentication key length | 160 bits | 196 | SRTP authentication tag length | 32 bits | 197 | SRTCP authentication function | HMAC-SHA1 | 198 | SRTCP authentication key length | 160 bits | 199 | SRTCP authentication tag length | 80 bits | 200 +---------------------------------+------------------------------+ 202 Table 3: The ARIA_128_CTR_HMAC_SHA1_32 Crypto Suite 204 +---------------------------------+------------------------------+ 205 | Parameter | Value | 206 +---------------------------------+------------------------------+ 207 | Master key length | 192 bits | 208 | Master salt length | 112 bits | 209 | Key Derivation Function | ARIA_192_CTR_PRF (Section 3) | 210 | Default key lifetime | 2^31 packets | 211 | Cipher (for SRTP and SRTCP) | ARIA_192_CTR | 212 | SRTP authentication function | HMAC-SHA1 | 213 | SRTP authentication key length | 160 bits | 214 | SRTP authentication tag length | 80 bits | 215 | SRTCP authentication function | HMAC-SHA1 | 216 | SRTCP authentication key length | 160 bits | 217 | SRTCP authentication tag length | 80 bits | 218 +---------------------------------+------------------------------+ 220 Table 4: The ARIA_192_CTR_HMAC_SHA1_80 Crypto Suite 222 +---------------------------------+------------------------------+ 223 | Parameter | Value | 224 +---------------------------------+------------------------------+ 225 | Master key length | 192 bits | 226 | Master salt length | 112 bits | 227 | Key Derivation Function | ARIA_192_CTR_PRF (Section 3) | 228 | Default key lifetime | 2^31 packets | 229 | Cipher (for SRTP and SRTCP) | ARIA_192_CTR | 230 | SRTP authentication function | HMAC-SHA1 | 231 | SRTP authentication key length | 160 bits | 232 | SRTP authentication tag length | 32 bits | 233 | SRTCP authentication function | HMAC-SHA1 | 234 | SRTCP authentication key length | 160 bits | 235 | SRTCP authentication tag length | 80 bits | 236 +---------------------------------+------------------------------+ 238 Table 5: The ARIA_192_CTR_HMAC_SHA1_32 Crypto Suite 240 +---------------------------------+------------------------------+ 241 | Parameter | Value | 242 +---------------------------------+------------------------------+ 243 | Master key length | 256 bits | 244 | Master salt length | 112 bits | 245 | Key Derivation Function | ARIA_256_CTR_PRF (Section 3) | 246 | Default key lifetime | 2^31 packets | 247 | Cipher (for SRTP and SRTCP) | ARIA_256_CTR | 248 | SRTP authentication function | HMAC-SHA1 | 249 | SRTP authentication key length | 160 bits | 250 | SRTP authentication tag length | 80 bits | 251 | SRTCP authentication function | HMAC-SHA1 | 252 | SRTCP authentication key length | 160 bits | 253 | SRTCP authentication tag length | 80 bits | 254 +---------------------------------+------------------------------+ 256 Table 6: The ARIA_256_CTR_HMAC_SHA1_80 Crypto Suite 258 +---------------------------------+------------------------------+ 259 | Parameter | Value | 260 +---------------------------------+------------------------------+ 261 | Master key length | 256 bits | 262 | Master salt length | 112 bits | 263 | Key Derivation Function | ARIA_256_CTR_PRF (Section 3) | 264 | Default key lifetime | 2^31 packets | 265 | Cipher (for SRTP and SRTCP) | ARIA_256_CTR | 266 | SRTP authentication function | HMAC-SHA1 | 267 | SRTP authentication key length | 160 bits | 268 | SRTP authentication tag length | 32 bits | 269 | SRTCP authentication function | HMAC-SHA1 | 270 | SRTCP authentication key length | 160 bits | 271 | SRTCP authentication tag length | 80 bits | 272 +---------------------------------+------------------------------+ 274 Table 7: The ARIA_256_CTR_HMAC_SHA1_32 Crypto Suite 276 2.2. ARIA-GCM 278 GCM(Galois Counter Mode) [GCM][RFC5116] is a AEAD(authenticated 279 encryption with associated data) block cipher mode. A detailed 280 description of ARIA-GCM is defined similarly as AES-GCM found in 281 [RFC5116][RFC5282]. 283 The internet draft [I-D.ietf-avtcore-srtp-aes-gcm] describes the use 284 of AES-GCM with SRTP [RFC3711][RFC6904]. The use of ARIA-GCM with 285 SRTP is defined the same as that of AES-GCM except that each 286 invocation of AES is replaced by ARIA [RFC5794]. When [RFC6904] is 287 in use, a separate keystream to encrypt selected RTP header extension 288 elements MUST be generated in the same manner defined in 289 [I-D.ietf-avtcore-srtp-aes-gcm] except that AES-CTR is replaced by 290 ARIA-CTR. 292 The ARIA-GCM algorithms in Table 8 may be used with SRTP and SRTCP: 294 +----------------------+-----------------+------------------+ 295 | Name | Enc. Key Length | Auth. Tag Length | 296 +----------------------+-----------------+------------------+ 297 | AEAD_ARIA_128_GCM | 16 octets | 16 octets | 298 | AEAD_ARIA_256_GCM | 32 octets | 16 octets | 299 | AEAD_ARIA_128_GCM_8 | 16 octets | 8 octets | 300 | AEAD_ARIA_256_GCM_8 | 32 octets | 8 octets | 301 | AEAD_ARIA_128_GCM_12 | 16 octets | 12 octets | 302 | AEAD_ARIA_256_GCM_12 | 32 octets | 12 octets | 303 +----------------------+-----------------+------------------+ 305 Table 8: ARIA-GCM Crypto Suites for SRTP/SRTCP 307 The parameters (from Table 9 to Table 14) in each crypto suite listed 308 in Table 8 are described for use with the SDP Security Descriptions 309 attributes [RFC4568]. 311 +--------------------------------+------------------------------+ 312 | Parameter | Value | 313 +--------------------------------+------------------------------+ 314 | Master key length | 128 bits | 315 | Master salt length | 96 bits | 316 | Key Derivation Function | ARIA_128_CTR_PRF (Section 3) | 317 | Default key lifetime (SRTP) | 2^48 packets | 318 | Default key lifetime (SRTCP) | 2^31 packets | 319 | Cipher (for SRTP and SRTCP) | ARIA_128_GCM | 320 | AEAD authentication tag length | 128 bits | 321 +--------------------------------+------------------------------+ 323 Table 9: The AEAD_ARIA_128_GCM Crypto Suite 325 +--------------------------------+------------------------------+ 326 | Parameter | Value | 327 +--------------------------------+------------------------------+ 328 | Master key length | 256 bits | 329 | Master salt length | 96 bits | 330 | Key Derivation Function | ARIA_256_CTR_PRF (Section 3) | 331 | Default key lifetime (SRTP) | 2^48 packets | 332 | Default key lifetime (SRTCP) | 2^31 packets | 333 | Cipher (for SRTP and SRTCP) | ARIA_256_GCM | 334 | AEAD authentication tag length | 128 bits | 335 +--------------------------------+------------------------------+ 337 Table 10: The AEAD_ARIA_256_GCM Crypto Suite 339 +--------------------------------+------------------------------+ 340 | Parameter | Value | 341 +--------------------------------+------------------------------+ 342 | Master key length | 128 bits | 343 | Master salt length | 96 bits | 344 | Key Derivation Function | ARIA_128_CTR_PRF (Section 3) | 345 | Default key lifetime (SRTP) | 2^48 packets | 346 | Default key lifetime (SRTCP) | 2^31 packets | 347 | Cipher (for SRTP and SRTCP) | ARIA_128_GCM | 348 | AEAD authentication tag length | 64 bits | 349 +--------------------------------+------------------------------+ 351 Table 11: The AEAD_ARIA_128_GCM_8 Crypto Suite 353 +--------------------------------+------------------------------+ 354 | Parameter | Value | 355 +--------------------------------+------------------------------+ 356 | Master key length | 256 bits | 357 | Master salt length | 96 bits | 358 | Key Derivation Function | ARIA_256_CTR_PRF (Section 3) | 359 | Default key lifetime (SRTP) | 2^48 packets | 360 | Default key lifetime (SRTCP) | 2^31 packets | 361 | Cipher (for SRTP and SRTCP) | ARIA_256_GCM | 362 | AEAD authentication tag length | 64 bits | 363 +--------------------------------+------------------------------+ 365 Table 12: The AEAD_ARIA_256_GCM_8 Crypto Suite 367 +--------------------------------+------------------------------+ 368 | Parameter | Value | 369 +--------------------------------+------------------------------+ 370 | Master key length | 128 bits | 371 | Master salt length | 96 bits | 372 | Key Derivation Function | ARIA_128_CTR_PRF (Section 3) | 373 | Default key lifetime (SRTP) | 2^48 packets | 374 | Default key lifetime (SRTCP) | 2^31 packets | 375 | Cipher (for SRTP and SRTCP) | ARIA_128_GCM | 376 | AEAD authentication tag length | 96 bits | 377 +--------------------------------+------------------------------+ 379 Table 13: The AEAD_ARIA_128_GCM_12 Crypto Suite 381 +--------------------------------+------------------------------+ 382 | Parameter | Value | 383 +--------------------------------+------------------------------+ 384 | Master key length | 256 bits | 385 | Master salt length | 96 bits | 386 | Key Derivation Function | ARIA_256_CTR_PRF (Section 3) | 387 | Default key lifetime (SRTP) | 2^48 packets | 388 | Default key lifetime (SRTCP) | 2^31 packets | 389 | Cipher (for SRTP and SRTCP) | ARIA_256_GCM | 390 | AEAD authentication tag length | 96 bits | 391 +--------------------------------+------------------------------+ 393 Table 14: The AEAD_ARIA_256_GCM_12 Crypto Suite 395 2.3. ARIA-CCM 397 CCM(Counter with CBC-MAC) [RFC3610][RFC5116] is another AEAD block 398 cipher mode. A detailed description of ARIA-CCM is defined similarly 399 as AES-CCM found in [RFC5116] [RFC6655] 400 [I-D.ietf-avtcore-srtp-aes-gcm]. 402 The internet draft [I-D.ietf-avtcore-srtp-aes-gcm] describes the use 403 of AES-CCM with SRTP [RFC3711][RFC6904]. The use of ARIA-CCM with 404 SRTP is defined the same as that of AES-CCM except that each 405 invocation of AES is replaced by ARIA [RFC5794]. When [RFC6904] is 406 in use, a separate keystream to encrypt selected RTP header extension 407 elements MUST be generated in the same manner defined in 408 [I-D.ietf-avtcore-srtp-aes-gcm] except that AES-CTR is replaced by 409 ARIA-CTR. 411 The ARIA-CCM algorithms in Table 15 may be used with SRTP and SRTCP: 413 +----------------------+-----------------+------------------+ 414 | Name | Enc. Key Length | Auth. Tag Length | 415 +----------------------+-----------------+------------------+ 416 | AEAD_ARIA_128_CCM | 16 octets | 16 octets | 417 | AEAD_ARIA_256_CCM | 32 octets | 16 octets | 418 | AEAD_ARIA_128_CCM_8 | 16 octets | 8 octets | 419 | AEAD_ARIA_256_CCM_8 | 32 octets | 8 octets | 420 | AEAD_ARIA_128_CCM_12 | 16 octets | 12 octets | 421 | AEAD_ARIA_256_CCM_12 | 32 octets | 12 octets | 422 +----------------------+-----------------+------------------+ 424 Table 15: ARIA-CCM Crypto Suites for SRTP/SRTCP 426 The parameters (from Table 16 to Table 21) in each crypto suite 427 listed in Table 15 are described for use with the SDP Security 428 Descriptions attributes [RFC4568]. 430 +--------------------------------+------------------------------+ 431 | Parameter | Value | 432 +--------------------------------+------------------------------+ 433 | Master key length | 128 bits | 434 | Master salt length | 96 bits | 435 | Key Derivation Function | ARIA_128_CTR_PRF (Section 3) | 436 | Default key lifetime (SRTP) | 2^48 packets | 437 | Default key lifetime (SRTCP) | 2^31 packets | 438 | Cipher (for SRTP and SRTCP) | ARIA_128_CCM | 439 | AEAD authentication tag length | 128 bits | 440 +--------------------------------+------------------------------+ 442 Table 16: The AEAD_ARIA_128_CCM Crypto Suite 444 +--------------------------------+------------------------------+ 445 | Parameter | Value | 446 +--------------------------------+------------------------------+ 447 | Master key length | 256 bits | 448 | Master salt length | 96 bits | 449 | Key Derivation Function | ARIA_256_CTR_PRF (Section 3) | 450 | Default key lifetime (SRTP) | 2^48 packets | 451 | Default key lifetime (SRTCP) | 2^31 packets | 452 | Cipher (for SRTP and SRTCP) | ARIA_256_CCM | 453 | AEAD authentication tag length | 128 bits | 454 +--------------------------------+------------------------------+ 456 Table 17: The AEAD_ARIA_256_CCM Crypto Suite 458 +--------------------------------+------------------------------+ 459 | Parameter | Value | 460 +--------------------------------+------------------------------+ 461 | Master key length | 128 bits | 462 | Master salt length | 96 bits | 463 | Key Derivation Function | ARIA_128_CTR_PRF (Section 3) | 464 | Default key lifetime (SRTP) | 2^48 packets | 465 | Default key lifetime (SRTCP) | 2^31 packets | 466 | Cipher (for SRTP and SRTCP) | ARIA_128_CCM | 467 | AEAD authentication tag length | 64 bits | 468 +--------------------------------+------------------------------+ 470 Table 18: The AEAD_ARIA_128_CCM_8 Crypto Suite 472 +--------------------------------+------------------------------+ 473 | Parameter | Value | 474 +--------------------------------+------------------------------+ 475 | Master key length | 256 bits | 476 | Master salt length | 96 bits | 477 | Key Derivation Function | ARIA_256_CTR_PRF (Section 3) | 478 | Default key lifetime (SRTP) | 2^48 packets | 479 | Default key lifetime (SRTCP) | 2^31 packets | 480 | Cipher (for SRTP and SRTCP) | ARIA_256_CCM | 481 | AEAD authentication tag length | 64 bits | 482 +--------------------------------+------------------------------+ 484 Table 19: The AEAD_ARIA_256_CCM_8 Crypto Suite 486 +--------------------------------+------------------------------+ 487 | Parameter | Value | 488 +--------------------------------+------------------------------+ 489 | Master key length | 128 bits | 490 | Master salt length | 96 bits | 491 | Key Derivation Function | ARIA_128_CTR_PRF (Section 3) | 492 | Default key lifetime (SRTP) | 2^48 packets | 493 | Default key lifetime (SRTCP) | 2^31 packets | 494 | Cipher (for SRTP and SRTCP) | ARIA_128_CCM | 495 | AEAD authentication tag length | 96 bits | 496 +--------------------------------+------------------------------+ 498 Table 20: The AEAD_ARIA_128_CCM_12 Crypto Suite 500 +--------------------------------+------------------------------+ 501 | Parameter | Value | 502 +--------------------------------+------------------------------+ 503 | Master key length | 256 bits | 504 | Master salt length | 96 bits | 505 | Key Derivation Function | ARIA_256_CTR_PRF (Section 3) | 506 | Default key lifetime (SRTP) | 2^48 packets | 507 | Default key lifetime (SRTCP) | 2^31 packets | 508 | Cipher (for SRTP and SRTCP) | ARIA_256_CCM | 509 | AEAD authentication tag length | 96 bits | 510 +--------------------------------+------------------------------+ 511 Table 21: The AEAD_ARIA_256_CCM_12 Crypto Suite 513 3. Key Derivation Functions 515 Section 4.3.3 of [RFC3711] defines the AES-128 counter mode key 516 derivation function, which it refers to as "AES-CM PRF". Section 3 517 of [RFC6188] defines the AES-192 counter mode key derivation function 518 and the AES-256 counter mode key derivation function, which it refers 519 to as "AES_192_CM_PRF" and "AES_256_CM_PRF" respectively. The ARIA- 520 CTR PRF is defined in a same manner except that each invocation of 521 AES replaced by that of ARIA. According to the key lengths of 522 underlying encryption algorithm, ARIA-CTR PRFs are denoted by 523 "ARIA_128_CTR_PRF", "ARIA_192_CTR_PRF" and "ARIA_256_CTR_PRF". The 524 usage requirements of [RFC6188][I-D.ietf-avtcore-srtp-aes-gcm] 525 regarding the AES-CM PRF apply to the ARIA-CTR PRF as well. The PRFs 526 for ARIA crypto suites with SRTP are defined by ARIA-CTR PRF of the 527 equal key length with the encryption algorithm (see Section 2). 528 SRTP_ARIA_128_CTR_HMAC, SRTP_AEAD_ARIA_128_GCM, and 529 SRTP_AEAD_ARIA_128_CCM MUST use the ARIA_128_CTR_PRF Key Derivation 530 Function. SRTP_ARIA_192_CTR_HMAC MUST use that ARIA_192_CTR_PRF Key 531 Derivation Function. And SRTP_ARIA_256_CTR_HMAC, 532 SRTP_AEAD_ARIA_256_GCM, and SRTP_AEAD_ARIA_256_CCM MUST use the 533 ARIA_256_CTR_PRF Key Derivation Function. 535 4. Security Considerations 537 At the time of writing this document no security problem has been 538 found on ARIA (see [TSL]). 540 The security considerations in [RFC3610] [GCM] [RFC3711] [RFC5116] 541 [RFC6188] [RFC6904] [I-D.ietf-avtcore-srtp-aes-gcm] apply to this 542 document as well. Ciphersuites with short tag length may be 543 considered for specific application environments stated in 7.5 of 544 [RFC3711], but the risk of weak authentication described in 545 Section 9.5.1 of [RFC3711] should be taken into account. 547 5. IANA Considerations 549 5.1. Security Descriptions (SDES) 551 SDP Security Descriptions [RFC4568] defines SRTP "crypto suites". In 552 order to allow SDP to signal the use of the algorithms defined in 553 this document, IANA is requested to add the below crypto suites to 554 the "SRTP Crypto Suite Registrations" created by [RFC4568], at time 555 of writing located on the following IANA page: http://www.iana.org/ 556 assignments/sdp-security-descriptions/sdp-security-descriptions.xml 557 #sdp-security-descriptions-3 [1] 558 srtp-crypto-suite-ext = "ARIA_128_CTR_HMAC_SHA1_80"/ 559 "ARIA_128_CTR_HMAC_SHA1_32"/ 560 "ARIA_192_CTR_HMAC_SHA1_80"/ 561 "ARIA_192_CTR_HMAC_SHA1_32"/ 562 "ARIA_256_CTR_HMAC_SHA1_80"/ 563 "ARIA_256_CTR_HMAC_SHA1_32"/ 564 "AEAD_ARIA_128_GCM" / 565 "AEAD_ARIA_256_GCM" / 566 "AEAD_ARIA_128_GCM_8" / 567 "AEAD_ARIA_256_GCM_8" / 568 "AEAD_ARIA_128_GCM_12" / 569 "AEAD_ARIA_256_GCM_12" / 570 "AEAD_ARIA_128_CCM" / 571 "AEAD_ARIA_256_CCM" / 572 "AEAD_ARIA_128_CCM_8" / 573 "AEAD_ARIA_256_CCM_8" / 574 "AEAD_ARIA_128_CCM_12" / 575 "AEAD_ARIA_256_CCM_12" / 576 srtp-crypto-suite-ext 578 5.2. DTLS-SRTP 580 DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile". 581 In order to allow the use of the algorithms defined in this document 582 in DTLS-SRTP, IANA is requested to add the below protection profiles 583 to the "DTLS-SRTP Protection Profiles" created by [RFC5764], at time 584 of writing located on the following IANA page: http://www.iana.org/ 585 assignments/srtp-protection/srtp-protection.xml#srtp-protection-1 586 [2]. 588 SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {TBD,TBD} 589 SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {TBD,TBD} 590 SRTP_ARIA_192_CTR_HMAC_SHA1_80 = {TBD,TBD} 591 SRTP_ARIA_192_CTR_HMAC_SHA1_32 = {TBD,TBD} 592 SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {TBD,TBD} 593 SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {TBD,TBD} 594 SRTP_AEAD_ARIA_128_GCM = {TBD,TBD} 595 SRTP_AEAD_ARIA_256_GCM = {TBD,TBD} 596 SRTP_AEAD_ARIA_128_GCM_8 = {TBD,TBD} 597 SRTP_AEAD_ARIA_256_GCM_8 = {TBD,TBD} 598 SRTP_AEAD_ARIA_128_GCM_12 = {TBD,TBD} 599 SRTP_AEAD_ARIA_256_GCM_12 = {TBD,TBD} 600 SRTP_AEAD_ARIA_128_CCM = {TBD,TBD} 601 SRTP_AEAD_ARIA_256_CCM = {TBD,TBD} 602 SRTP_AEAD_ARIA_128_CCM_8 = {TBD,TBD} 603 SRTP_AEAD_ARIA_256_CCM_8 = {TBD,TBD} 604 SRTP_AEAD_ARIA_128_CCM_12 = {TBD,TBD} 605 SRTP_AEAD_ARIA_256_CCM_12 = {TBD,TBD} 607 The following list indicates the SRTP transform parameters for each 608 protection profile. The parameters cipher_key_length, 609 cipher_salt_length, auth_key_length, and auth_tag_length express the 610 number of bits in the values to which they refer. The 611 maximum_lifetime parameter indicates the maximum number of packets 612 that can be protected with each single set of keys when the parameter 613 profile is in use. All of these parameters apply to both RTP and 614 RTCP, unless the RTCP parameters are separately specified. 616 SRTP_ARIA_128_CTR_HMAC_SHA1_80 617 cipher: ARIA_128_CTR 618 cipher_key_length: 128 bits 619 cipher_salt_length: 112 bits 620 maximum_lifetime: 2^31 packets 621 key derivation function: ARIA_128_CTR_PRF 622 auth_function: HMAC-SHA1 623 auth_key_length: 160 bits 624 auth_tag_length: 80 bits 626 SRTP_ARIA_128_CTR_HMAC_SHA1_32 627 cipher: ARIA_128_CTR 628 cipher_key_length: 128 bits 629 cipher_salt_length: 112 bits 630 maximum_lifetime: 2^31 packets 631 key derivation function: ARIA_128_CTR_PRF 632 auth_function: HMAC-SHA1 633 auth_key_length: 160 bits 634 SRTP auth_tag_length: 32 bits 635 SRTCP auth_tag_length: 80 bits 637 SRTP_ARIA_192_CTR_HMAC_SHA1_80 638 cipher: ARIA_192_CTR 639 cipher_key_length: 192 bits 640 cipher_salt_length: 112 bits 641 maximum_lifetime: 2^31 packets 642 key derivation function: ARIA_192_CTR_PRF 643 auth_function: HMAC-SHA1 644 auth_key_length: 160 bits 645 auth_tag_length: 80 bits 647 SRTP_ARIA_192_CTR_HMAC_SHA1_32 648 cipher: ARIA_192_CTR 649 cipher_key_length: 192 bits 650 cipher_salt_length: 112 bits 651 maximum_lifetime: 2^31 packets 652 key derivation function: ARIA_192_CTR_PRF 653 auth_function: HMAC-SHA1 654 auth_key_length: 160 bits 655 SRTP auth_tag_length: 32 bits 656 SRTCP auth_tag_length: 80 bits 658 SRTP_ARIA_256_CTR_HMAC_SHA1_80 659 cipher: ARIA_256_CTR 660 cipher_key_length: 256 bits 661 cipher_salt_length: 112 bits 662 maximum_lifetime: 2^31 packets 663 key derivation function: ARIA_256_CTR_PRF 664 auth_function: HMAC-SHA1 665 auth_key_length: 160 bits 666 auth_tag_length: 80 bits 668 SRTP_ARIA_256_CTR_HMAC_SHA1_32 669 cipher: ARIA_256_CTR 670 cipher_key_length: 128 bits 671 cipher_salt_length: 112 bits 672 maximum_lifetime: 2^31 packets 673 key derivation function: ARIA_256_CTR_PRF 674 auth_function: HMAC-SHA1 675 auth_key_length: 160 bits 676 SRTP auth_tag_length: 32 bits 677 SRTCP auth_tag_length: 80 bits 679 SRTP_AEAD_ARIA_128_CCM 680 cipher: ARIA_128_CCM 681 cipher_key_length: 128 bits 682 cipher_salt_length: 96 bits 683 aead_auth_tag_length: 128 bits 684 auth_function: NULL 685 auth_key_length: N/A 686 auth_tag_length: N/A 687 key derivation function: ARIA_128_CTR_PRF 688 maximum_lifetime: at most 2^31 SRTCP packets and 689 at most 2^48 SRTP packets 691 SRTP_AEAD_ARIA_256_CCM 692 cipher: ARIA_256_CCM 693 cipher_key_length: 256 bits 694 cipher_salt_length: 96 bits 695 aead_auth_tag_length: 128 bits 696 auth_function: NULL 697 auth_key_length: N/A 698 auth_tag_length: N/A 699 key derivation function: ARIA_256_CTR_PRF 700 maximum_lifetime: at most 2^31 SRTCP packets and 701 at most 2^48 SRTP packets 703 SRTP_AEAD_ARIA_128_CCM_8 704 cipher: ARIA_128_CCM 705 cipher_key_length: 128 bits 706 cipher_salt_length: 96 bits 707 aead_auth_tag_length: 64 bits 708 auth_function: NULL 709 auth_key_length: N/A 710 auth_tag_length: N/A 711 key derivation function: ARIA_128_CTR_PRF 712 maximum_lifetime: at most 2^31 SRTCP packets and 713 at most 2^48 SRTP packets 715 SRTP_AEAD_ARIA_256_CCM_8 716 cipher: ARIA_256_CCM 717 cipher_key_length: 256 bits 718 cipher_salt_length: 96 bits 719 aead_auth_tag_length: 64 bits 720 auth_function: NULL 721 auth_key_length: N/A 722 auth_tag_length: N/A 723 key derivation function: ARIA_256_CTR_PRF 724 maximum_lifetime: at most 2^31 SRTCP packets and 725 at most 2^48 SRTP packets 727 SRTP_AEAD_ARIA_128_CCM_12 728 cipher: ARIA_128_CCM 729 cipher_key_length: 128 bits 730 cipher_salt_length: 96 bits 731 aead_auth_tag_length: 96 bits 732 auth_function: NULL 733 auth_key_length: N/A 734 auth_tag_length: N/A 735 key derivation function: ARIA_128_CTR_PRF 736 maximum_lifetime: at most 2^31 SRTCP packets and 737 at most 2^48 SRTP packets 739 SRTP_AEAD_ARIA_256_CCM_12 740 cipher: ARIA_256_CCM 741 cipher_key_length: 256 bits 742 cipher_salt_length: 96 bits 743 aead_auth_tag_length: 96 bits 744 auth_function: NULL 745 auth_key_length: N/A 746 auth_tag_length: N/A 747 key derivation function: ARIA_256_CTR_PRF 748 maximum_lifetime: at most 2^31 SRTCP packets and 749 at most 2^48 SRTP packets 751 SRTP_AEAD_ARIA_128_GCM 752 cipher: ARIA_128_GCM 753 cipher_key_length: 128 bits 754 cipher_salt_length: 96 bits 755 aead_auth_tag_length: 128 bits 756 auth_function: NULL 757 auth_key_length: N/A 758 auth_tag_length: N/A 759 key derivation function: ARIA_128_CTR_PRF 760 maximum_lifetime: at most 2^31 SRTCP packets and 761 at most 2^48 SRTP packets 763 SRTP_AEAD_ARIA_256_GCM 764 cipher: ARIA_256_GCM 765 cipher_key_length: 256 bits 766 cipher_salt_length: 96 bits 767 aead_auth_tag_length: 128 bits 768 auth_function: NULL 769 auth_key_length: N/A 770 auth_tag_length: N/A 771 key derivation function: ARIA_256_CTR_PRF 772 maximum_lifetime: at most 2^31 SRTCP packets and 773 at most 2^48 SRTP packets 775 SRTP_AEAD_ARIA_128_GCM_8 776 cipher: ARIA_128_GCM 777 cipher_key_length: 128 bits 778 cipher_salt_length: 96 bits 779 aead_auth_tag_length: 64 bits 780 auth_function: NULL 781 auth_key_length: N/A 782 auth_tag_length: N/A 783 key derivation function: ARIA_128_CTR_PRF 784 maximum_lifetime: at most 2^31 SRTCP packets and 785 at most 2^48 SRTP packets 787 SRTP_AEAD_ARIA_256_GCM_8 788 cipher: ARIA_256_GCM 789 cipher_key_length: 256 bits 790 cipher_salt_length: 96 bits 791 aead_auth_tag_length: 64 bits 792 auth_function: NULL 793 auth_key_length: N/A 794 auth_tag_length: N/A 795 key derivation function: ARIA_256_CTR_PRF 796 maximum_lifetime: at most 2^31 SRTCP packets and 797 at most 2^48 SRTP packets 799 SRTP_AEAD_ARIA_128_GCM_12 800 cipher: ARIA_128_GCM 801 cipher_key_length: 128 bits 802 cipher_salt_length: 96 bits 803 aead_auth_tag_length: 96 bits 804 auth_function: NULL 805 auth_key_length: N/A 806 auth_tag_length: N/A 807 key derivation function: ARIA_128_CTR_PRF 808 maximum_lifetime: at most 2^31 SRTCP packets and 809 at most 2^48 SRTP packets 811 SRTP_AEAD_ARIA_256_GCM_12 812 cipher: ARIA_256_GCM 813 cipher_key_length: 256 bits 814 cipher_salt_length: 96 bits 815 aead_auth_tag_length: 96 bits 816 auth_function: NULL 817 auth_key_length: N/A 818 auth_tag_length: N/A 819 key derivation function: ARIA_256_CTR_PRF 820 maximum_lifetime: at most 2^31 SRTCP packets and 821 at most 2^48 SRTP packets 823 Note that SRTP Protection Profiles which use AEAD algorithms do not 824 specify an auth_function, auth_key_length, or auth_tag_length, since 825 they do not use a separate auth_function, auth_key, or auth_tag. The 826 term aead_auth_tag_length is used to emphasize that this refers to 827 the authentication tag provided by the AEAD algorithm and that this 828 tag is not located in the authentication tag field provided by SRTP/ 829 SRTCP. 831 5.3. MIKEY 833 [RFC3830] and [RFC5748] define encryption algorithms and PRFs for the 834 SRTP policy in MIKEY. In order to allow the use of the algorithms 835 defined in this document in MIKEY, IANA is requested to add the below 836 three encryption algorithms to the "MIKEY Security Protocol 837 Parameters SRTP Type 0 (Encryption algorithm)" and to add the below 838 PRF to the "MIKEY Security Protocol Parameters SRTP Type 5 (Pseudo 839 Random Function)" created by [RFC3830], at time of writing located on 840 the following IANA page: http://www.iana.org/assignments/mikey- 841 payloads/mikey-payloads.xml#mikey-payloads-26 [3]. 843 +---------------+-------+ 844 | SRTP Enc. alg | Value | 845 +---------------+-------+ 846 | ARIA-CTR | TBD | 847 | ARIA-CCM | TBD | 848 | ARIA-GCM | TBD | 849 +---------------+-------+ 851 Default session encryption key length is 16 octets. 853 +----------+-------+ 854 | SRTP PRF | Value | 855 +----------+-------+ 856 | ARIA-CTR | TBD | 857 +----------+-------+ 859 MIKEY specifies the algorithm family separately from the key length 860 (which is specified by the Session Encryption key length) and the 861 authentication tag length. The SDP Security Descriptions [RFC4568] 862 crypto suits and corresponding DTLS-SRTP [RFC5764] protection 863 profiles are mapped to MIKEY parameter sets as shown below. 865 +--------------------------------------+ 866 | Encryption | Encryption | Auth. | 867 | Algorithm | Key Length | Tag Length | 868 +======================================+ 869 SRTP_ARIA_128_CTR_HMAC_80 | ARIA-CTR | 16 octets | 10 octets | 870 SRTP_ARIA_128_CTR_HMAC_32 | ARIA-CTR | 16 octets | 4 octets | 871 SRTP_ARIA_192_CTR_HMAC_80 | ARIA-CTR | 24 octets | 10 octets | 872 SRTP_ARIA_192_CTR_HMAC_32 | ARIA-CTR | 24 octets | 4 octets | 873 SRTP_ARIA_256_CTR_HMAC_80 | ARIA-CTR | 32 octets | 10 octets | 874 SRTP_ARIA_256_CTR_HMAC_32 | ARIA-CTR | 32 octets | 4 octets | 875 +======================================+ 877 Figure 1: Mapping MIKEY parameters to ARIA-CTR with HMAC algorithm 879 +--------------------------------------+ 880 | Encryption | Encryption | AEAD Auth. | 881 | Algorithm | Key Length | Tag Length | 882 +======================================+ 883 SRTP_AEAD_ARIA_128_GCM | ARIA-GCM | 16 octets | 16 octets | 884 SRTP_AEAD_ARIA_128_CCM | ARIA-CCM | 16 octets | 16 octets | 885 SRTP_AEAD_ARIA_128_GCM_12 | ARIA-GCM | 16 octets | 12 octets | 886 SRTP_AEAD_ARIA_128_CCM_12 | ARIA-CCM | 16 octets | 12 octets | 887 SRTP_AEAD_ARIA_128_GCM_8 | ARIA-GCM | 16 octets | 8 octets | 888 SRTP_AEAD_ARIA_128_CCM_8 | ARIA-CCM | 16 octets | 8 octets | 889 SRTP_AEAD_ARIA_256_GCM | ARIA-GCM | 32 octets | 16 octets | 890 SRTP_AEAD_ARIA_256_CCM | ARIA-CCM | 32 octets | 16 octets | 891 SRTP_AEAD_ARIA_256_GCM_12 | ARIA-GCM | 32 octets | 12 octets | 892 SRTP_AEAD_ARIA_256_CCM_12 | ARIA-CCM | 32 octets | 12 octets | 893 SRTP_AEAD_ARIA_256_GCM_8 | ARIA-GCM | 32 octets | 8 octets | 894 SRTP_AEAD_ARIA_256_CCM_8 | ARIA-CCM | 32 octets | 8 octets | 895 +======================================+ 897 Figure 2: Mapping MIKEY parameters to AEAD algorithm 899 6. References 901 6.1. Normative References 903 [GCM] Dworkin, M., "Recommendation for Block Cipher Modes of 904 Operation: Galois/Counter Mode (GCM) and GMAC", NIST SP 905 800-38D, November 2007. 907 [I-D.ietf-avtcore-srtp-aes-gcm] 908 McGrew, D. and K. Igoe, "AES-GCM and AES-CCM Authenticated 909 Encryption in Secure RTP (SRTP)", draft-ietf-avtcore-srtp- 910 aes-gcm-10 (work in progress), September 2013. 912 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 913 Requirement Levels", BCP 14, RFC 2119, March 1997. 915 [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. 916 Jacobson, "RTP: A Transport Protocol for Real-Time 917 Applications", STD 64, RFC 3550, July 2003. 919 [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. 920 Norrman, "The Secure Real-time Transport Protocol (SRTP)", 921 RFC 3711, March 2004. 923 [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. 924 Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, 925 August 2004. 927 [RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session 928 Description Protocol (SDP) Security Descriptions for Media 929 Streams", RFC 4568, July 2006. 931 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 932 Encryption", RFC 5116, January 2008. 934 [RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption 935 Algorithms with the Encrypted Payload of the Internet Key 936 Exchange version 2 (IKEv2) Protocol", RFC 5282, August 937 2008. 939 [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer 940 Security (DTLS) Extension to Establish Keys for the Secure 941 Real-time Transport Protocol (SRTP)", RFC 5764, May 2010. 943 [RFC5794] Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A 944 Description of the ARIA Encryption Algorithm", RFC 5794, 945 March 2010. 947 [RFC6188] McGrew, D., "The Use of AES-192 and AES-256 in Secure 948 RTP", RFC 6188, March 2011. 950 [RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for 951 Transport Layer Security (TLS)", RFC 6655, July 2012. 953 [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure 954 Real-time Transport Protocol (SRTP)", RFC 6904, April 955 2013. 957 6.2. Informative References 959 [ARIAKS] Korean Agency for Technology and Standards, "128 bit block 960 encryption algorithm ARIA - Part 1: General (in Korean)", 961 KS X 1213-1:2009, December 2009. 963 [ARIAPKCS] 964 RSA Laboratories, "Additional PKCS #11 Mechanisms", PKCS 965 #11 v2.20 Amendment 3 Revision 1, January 2007. 967 [RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with 968 CBC-MAC (CCM)", RFC 3610, September 2003. 970 [RFC5748] Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA 971 Registry Update for Support of the SEED Cipher Algorithm 972 in Multimedia Internet KEYing (MIKEY)", RFC 5748, August 973 2010. 975 [TSL] Tang, X., Sun, B., Li, R., Li, C., and J. Yin, "A meet-in- 976 the-middle attack on reduced-round ARIA", The Journal of 977 Systems and Software Vol.84(10), pp. 1685-1692, October 978 2011. 980 Appendix A. Test Vectors 982 All values are in hexadecimal and represented by the network order 983 (called big endian). 985 A.1. ARIA-CTR Test Vectors 987 Common values are organized as follows: 989 Rollover Counter: 00000000 990 Sequence Number: 315e 991 SSRC: 20e8f5eb 992 Authentication Key: f93563311b354748c97891379553063116452309 993 Session Salt: cd3a7c42c671e0067a2a2639b43a 994 Initialization Vector: cd3a7c42e69915ed7a2a263985640000 995 RTP header: 8008315ebf2e6fe020e8f5eb 996 RTP Payload: f57af5fd4ae19562976ec57a5a7ad55a 997 5af5c5e5c5fdf5c55ad57a4a7272d572 998 62e9729566ed66e97ac54a4a5a7ad5e1 999 5ae5fdd5fd5ac5d56ae56ad5c572d54a 1000 e54ac55a956afd6aed5a4ac562957a95 1001 16991691d572fd14e97ae962ed7a9f4a 1002 955af572e162f57a956666e17ae1f54a 1003 95f566d54a66e16e4afd6a9f7ae1c5c5 1004 5ae5d56afde916c5e94a6ec56695e14a 1005 fde1148416e94ad57ac5146ed59d1cc5 1007 A.1.1. ARIA_128_CTR_HMAC_SHA1_80 1009 Session Key: 0c5ffd37a11edc42c325287fc0604f2e 1011 Encrypted RTP Payload: 1bf753f412e6f35058cc398dc851aae3 1012 a6ccdcb463fbed9cfb3de2fb76fdffa9 1013 e481f5efb64c92487f59dabbc7cc72da 1014 092485f3fbad87888820b86037311fa4 1015 4330e18a59a1e1338ba2c21458493a57 1016 463475c54691f91cec785429119e0dfc 1017 d9048f90e07fecd50b528e8c62ee6e71 1018 445de5d7f659405135aff3604c2ca4ff 1019 4aaca40809cb9eee42cc4ad232307570 1020 81ca289f2851d3315e9568b501fdce6d 1022 Authenticated portion || Rollover Counter: 1023 8008315ebf2e6fe020e8f5eb1bf753f4 1024 12e6f35058cc398dc851aae3a6ccdcb4 1025 63fbed9cfb3de2fb76fdffa9e481f5ef 1026 b64c92487f59dabbc7cc72da092485f3 1027 fbad87888820b86037311fa44330e18a 1028 59a1e1338ba2c21458493a57463475c5 1029 4691f91cec785429119e0dfcd9048f90 1030 e07fecd50b528e8c62ee6e71445de5d7 1031 f659405135aff3604c2ca4ff4aaca408 1032 09cb9eee42cc4ad23230757081ca289f 1033 2851d3315e9568b501fdce6d00000000 1035 Authentication Tag: f9de4e729054672b0e35 1037 A.1.2. ARIA_192_CTR_HMAC_SHA1_80 1038 Session Key: 0c5ffd37a11edc42c325287fc0604f2e 1039 3e8cd5671a00fe32 1041 Encrypted RTP Payload: 86f4556486642caa67e9b40fef2acda0 1042 6d442517d8d58c15e3e0b5c13a78b8b2 1043 838b7b96961e11acb2af81348272888c 1044 fd9d168ba091fe3e4f7f83c7871570a9 1045 aa9f995036e44c35cb742b601e8d8d08 1046 48320bad732929103f1bfbb1ae873178 1047 0479c5df2d4d41f78f6b96d6832db3db 1048 6af8b3612b27e18a0a29a8a1d280437e 1049 b8dad58e78658ec3b069d7329431c356 1050 c5e612b3dde5bd3f6c9f42f39cf35d3a 1052 Authenticated portion || Rollover Counter: 1053 8008315ebf2e6fe020e8f5eb86f45564 1054 86642caa67e9b40fef2acda06d442517 1055 d8d58c15e3e0b5c13a78b8b2838b7b96 1056 961e11acb2af81348272888cfd9d168b 1057 a091fe3e4f7f83c7871570a9aa9f9950 1058 36e44c35cb742b601e8d8d0848320bad 1059 732929103f1bfbb1ae8731780479c5df 1060 2d4d41f78f6b96d6832db3db6af8b361 1061 2b27e18a0a29a8a1d280437eb8dad58e 1062 78658ec3b069d7329431c356c5e612b3 1063 dde5bd3f6c9f42f39cf35d3a00000000 1065 Authentication Tag: 3935fa37ee96dbc550d5 1067 A.1.3. ARIA_256_CTR_HMAC_SHA1_80 1069 Session Key: 0c5ffd37a11edc42c325287fc0604f2e 1070 3e8cd5671a00fe3216aa5eb105783b54 1072 Encrypted RTP Payload: c424c59fd5696305e5b13d8e8ca76566 1073 17ccd7471088af9debf07b55c750f804 1074 a5ac2b737be48140958a9b420524112a 1075 e72e4da5bca59d2b1019ddd7dbdc30b4 1076 3d5f046152ced40947d62d2c93e7b8e5 1077 0f02db2b6b61b010e4c1566884de1fa9 1078 702cdf8157e8aedfe3dd77c76bb50c25 1079 ae4d624615c15acfdeeb5f79482aaa01 1080 d3e4c05eb601eca2bd10518e9d46b021 1081 16359232e9eac0fabd05235dd09e6dea 1083 Authenticated portion || Rollover Counter: 1084 8008315ebf2e6fe020e8f5ebc424c59f 1085 d5696305e5b13d8e8ca7656617ccd747 1086 1088af9debf07b55c750f804a5ac2b73 1087 7be48140958a9b420524112ae72e4da5 1088 bca59d2b1019ddd7dbdc30b43d5f0461 1089 52ced40947d62d2c93e7b8e50f02db2b 1090 6b61b010e4c1566884de1fa9702cdf81 1091 57e8aedfe3dd77c76bb50c25ae4d6246 1092 15c15acfdeeb5f79482aaa01d3e4c05e 1093 b601eca2bd10518e9d46b02116359232 1094 e9eac0fabd05235dd09e6dea00000000 1096 Authentication Tag: 192f515fab04bbb4e62c 1098 A.2. ARIA-GCM Test Vectors 1100 Common values are organized as follows: 1102 Rollover Counter: 00000000 1103 Sequence Number: 315e 1104 SSRC: 20e8f5eb 1105 Encryption Salt: 000000000000000000000000 1107 Initialization Vector: 000020e8f5eb00000000315e 1108 RTP Payload: f57af5fd4ae19562976ec57a5a7ad55a 1109 5af5c5e5c5fdf5c55ad57a4a7272d572 1110 62e9729566ed66e97ac54a4a5a7ad5e1 1111 5ae5fdd5fd5ac5d56ae56ad5c572d54a 1112 e54ac55a956afd6aed5a4ac562957a95 1113 16991691d572fd14e97ae962ed7a9f4a 1114 955af572e162f57a956666e17ae1f54a 1115 95f566d54a66e16e4afd6a9f7ae1c5c5 1116 5ae5d56afde916c5e94a6ec56695e14a 1117 fde1148416e94ad57ac5146ed59d1cc5 1118 Associated Data: 8008315ebf2e6fe020e8f5eb 1120 The length of encrypted payload is larger than that of payload by 16 1121 octets which the length of the tag from GCM. For other GCM 1122 ciphersuites with shorter tag length than 16 octets, test vectors can 1123 be obtained by truncation from ARIA-GCM test verctors. 1125 A.2.1. ARIA_128_GCM 1127 Key: e91e5e75da65554a48181f3846349562 1129 Encrypted RTP Payload: 4d8a9a0675550c704b17d8c9ddc81a5c 1130 d6f7da34f2fe1b3db7cb3dfb9697102e 1131 a0f3c1fc2dbc873d44bceeae8e444297 1132 4ba21ff6789d3272613fb9631a7cf3f1 1133 4bacbeb421633a90ffbe58c2fa6bdca5 1134 34f10d0de0502ce1d531b6336e588782 1135 78531e5c22bc6c85bbd784d78d9e680a 1136 a19031aaf89101d669d7a3965c1f7e16 1137 229d7463e0535f4e253f5d18187d40b8 1138 ae0f564bd970b5e7e2adfb211e89a953 1139 5abace3f37f5a736f4be984bbffbedc1 1141 A.2.2. ARIA_256_GCM 1143 Key: 0c5ffd37a11edc42c325287fc0604f2e 1144 3e8cd5671a00fe3216aa5eb105783b54 1146 Encrypted RTP Payload: 6f9e4bcbc8c85fc0128fb1e4a0a20cb9 1147 932ff74581f54fc013dd054b19f99371 1148 425b352d97d3f337b90b63d1b082adee 1149 ea9d2d7391897d591b985e55fb50cb53 1150 50cf7d38dc27dda127c078a149c8eb98 1151 083d66363a46e3726af217d3a00275ad 1152 5bf772c7610ea4c23006878f0ee69a83 1153 97703169a419303f40b72e4573714d19 1154 e2697df61e7c7252e5abc6bade876ac4 1155 961bfac4d5e867afca351a48aed52822 1156 e210d6ced2cf430ff841472915e7ef48 1158 A.3. ARIA-CCM Test Vectors 1160 Common values are organized as follows: 1162 Rollover Counter: 00000000 1163 Sequence Number: 315e 1164 SSRC: 20e8f5eb 1165 Encryption Salt: 000000000000000000000000 1167 Initialization Vector: 000020e8f5eb00000000315e 1168 RTP Payload: f57af5fd4ae19562976ec57a5a7ad55a 1169 5af5c5e5c5fdf5c55ad57a4a7272d572 1170 62e9729566ed66e97ac54a4a5a7ad5e1 1171 5ae5fdd5fd5ac5d56ae56ad5c572d54a 1172 e54ac55a956afd6aed5a4ac562957a95 1173 16991691d572fd14e97ae962ed7a9f4a 1174 955af572e162f57a956666e17ae1f54a 1175 95f566d54a66e16e4afd6a9f7ae1c5c5 1176 5ae5d56afde916c5e94a6ec56695e14a 1177 fde1148416e94ad57ac5146ed59d1cc5 1178 Associated Data: 8008315ebf2e6fe020e8f5eb 1180 The length of encrypted payload is larger than that of payload by the 1181 tag length defined for each ciphersuite. 1183 A.3.1. ARIA_128_CCM 1185 Key: 974bee725d44fc3992267b284c3c6750 1187 Encrypted RTP Payload: 621e408a2e455505b39f704dcbac4307 1188 daabbd6d670abc4e42f2fd2fca263f09 1189 4f4683e6fb0b10c5093d42b69dce0ba5 1190 46520e7c4400975713f3bde93ef13116 1191 0b9cbcd6df78a1502be7c6ea8d395b9e 1192 d0078819c3105c0ab92cb67b16ba51bb 1193 1f53508738bf7a37c9a905439b88b7af 1194 9d51a407916fdfea8d43bf253721846d 1195 c1671391225fc58d9d0693c8ade6a4ff 1196 b034ee6543dd4e651b7a084eae60f855 1197 40f04b6467e300f6b336aedf9df4185b 1199 A.3.2. ARIA_256_CCM 1201 Key: 0c5ffd37a11edc42c325287fc0604f2e 1202 3e8cd5671a00fe3216aa5eb105783b54 1204 Encrypted RTP Payload: ff78128ee18ee3cb9fb0d20726a017ff 1205 67fbd09d3a4c38aa32f6d306d3fdda37 1206 8e459b83ed005507449d6cd981a4c1e3 1207 ff4193870c276ef09b6317a01a228320 1208 6ae4b4be0d0b235422c8abb001224106 1209 56b75e1ffc7fb49c0d0c5d6169aa7623 1210 610579968037aee8e83fc26264ea8665 1211 90fd620aa3c0a5f323d953aa7f8defb0 1212 d0d60ab5a9de44dbaf8eae74ea3ab5f3 1213 0594154f405fd630aa4c4d5603efdfa1 1214 87b6bd222c55365a9c7d0b215b77ea41 1216 A.3.3. ARIA_128_CCM_8 1218 Key: 974bee725d44fc3992267b284c3c6750 1220 Encrypted RTP Payload: 621e408a2e455505b39f704dcbac4307 1221 daabbd6d670abc4e42f2fd2fca263f09 1222 4f4683e6fb0b10c5093d42b69dce0ba5 1223 46520e7c4400975713f3bde93ef13116 1224 0b9cbcd6df78a1502be7c6ea8d395b9e 1225 d0078819c3105c0ab92cb67b16ba51bb 1226 1f53508738bf7a37c9a905439b88b7af 1227 9d51a407916fdfea8d43bf253721846d 1228 c1671391225fc58d9d0693c8ade6a4ff 1229 b034ee6543dd4e651b7a084eae60f855 1230 dd2282c93a67fe4b 1232 A.3.4. ARIA_256_CCM_8 1234 Key: 0c5ffd37a11edc42c325287fc0604f2e 1235 3e8cd5671a00fe3216aa5eb105783b54 1237 Encrypted RTP Payload: ff78128ee18ee3cb9fb0d20726a017ff 1238 67fbd09d3a4c38aa32f6d306d3fdda37 1239 8e459b83ed005507449d6cd981a4c1e3 1240 ff4193870c276ef09b6317a01a228320 1241 6ae4b4be0d0b235422c8abb001224106 1242 56b75e1ffc7fb49c0d0c5d6169aa7623 1243 610579968037aee8e83fc26264ea8665 1244 90fd620aa3c0a5f323d953aa7f8defb0 1245 d0d60ab5a9de44dbaf8eae74ea3ab5f3 1246 0594154f405fd630aa4c4d5603efdfa1 1247 828dc0088f99a7ef 1249 A.3.5. ARIA_128_CCM_12 1251 Key: 974bee725d44fc3992267b284c3c6750 1253 Encrypted RTP Payload: 621e408a2e455505b39f704dcbac4307 1254 daabbd6d670abc4e42f2fd2fca263f09 1255 4f4683e6fb0b10c5093d42b69dce0ba5 1256 46520e7c4400975713f3bde93ef13116 1257 0b9cbcd6df78a1502be7c6ea8d395b9e 1258 d0078819c3105c0ab92cb67b16ba51bb 1259 1f53508738bf7a37c9a905439b88b7af 1260 9d51a407916fdfea8d43bf253721846d 1261 c1671391225fc58d9d0693c8ade6a4ff 1262 b034ee6543dd4e651b7a084eae60f855 1263 01f3dedd15238da5ebfb1590 1265 A.3.6. ARIA_256_CCM_12 1267 Key: 0c5ffd37a11edc42c325287fc0604f2e 1268 3e8cd5671a00fe3216aa5eb105783b54 1270 Encrypted RTP Payload: ff78128ee18ee3cb9fb0d20726a017ff 1271 67fbd09d3a4c38aa32f6d306d3fdda37 1272 8e459b83ed005507449d6cd981a4c1e3 1273 ff4193870c276ef09b6317a01a228320 1274 6ae4b4be0d0b235422c8abb001224106 1275 56b75e1ffc7fb49c0d0c5d6169aa7623 1276 610579968037aee8e83fc26264ea8665 1277 90fd620aa3c0a5f323d953aa7f8defb0 1278 d0d60ab5a9de44dbaf8eae74ea3ab5f3 1279 0594154f405fd630aa4c4d5603efdfa1 1280 3615b7f90a651de15da20fb6 1282 A.4. Key Derivation Test Vector 1284 This section provides test vectors for the default key derivation 1285 function, which uses ARIA in Counter Mode. In the following, we walk 1286 through the initial key derivation for the ARIA Counter Mode cipher, 1287 which requires a 16/24/32 octet session encryption key according to 1288 the session encryption key length and a 14 octet session salt, and an 1289 authentication function which requires a 94 octet session 1290 authentication key. These values are called the cipher key, the 1291 cipher salt, and the auth key in the following. The test vectors are 1292 generated in the same way with the test vectors of key derivation 1293 functions in [RFC3711] and [RFC6188] but with each invocation of AES 1294 replaced with an invocation of ARIA. 1296 A.4.1. ARIA_128 1298 The inputs to the key derivation function are the 16 octet master key 1299 and the 14 octet master salt: 1301 master key: e1f97a0d3e018be0d64fa32c06de4139 1302 master salt: 0ec675ad498afeebb6960b3aabe6 1304 index DIV kdr: 000000000000 1305 label: 00 1306 master salt: 0ec675ad498afeebb6960b3aabe6 1307 ----------------------------------------------- 1308 xor: 0ec675ad498afeebb6960b3aabe6 (x, PRF input) 1310 x*2^16: 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input) 1312 cipher key: dbd85a3c4d9219b3e81f7d942e299de4 (ARIA-CTR output) 1314 ARIA-CTR crypto suite requires 14 octet cipher salt while ARIA-CCM 1315 and ARIA-GCM crypto suites require 12 octet cipher salt. 1317 index DIV kdr: 000000000000 1318 label: 02 1319 master salt: 0ec675ad498afeebb6960b3aabe6 1320 ---------------------------------------------- 1321 xor: 0ec675ad498afee9b6960b3aabe6 (x, PRF input) 1323 x*2^16: 0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input) 1324 9700657f5f34161830d7d85f5dc8be7f (ARIA-CTR output) 1326 cipher salt: 9700657f5f34161830d7d85f5dc8 (ARIA-CTR cipher 1327 suite) 1328 9700657f5f34161830d7d85f (ARIA-CCM or 1329 ARIA-GCM cipher suite) 1330 index DIV kdr: 000000000000 1331 label: 01 1332 master salt: 0ec675ad498afeebb6960b3aabe6 1333 ----------------------------------------------- 1334 xor: 0ec675ad498afeeab6960b3aabe6 (x, PRF input) 1336 x*2^16: 0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input) 1338 Below, the auth key is shown on the left, while the corresponding 1339 ARIA input blocks are shown on the right. 1341 auth key ARIA input blocks 1343 d021877bd3eaf92d581ed70ddc050e03 0ec675ad498afeeab6960b3aabe60000 1344 f11257032676f2a29f57b21abd3a1423 0ec675ad498afeeab6960b3aabe60001 1345 769749bdc5dd9ca5b43ca6b6c1f3a7de 0ec675ad498afeeab6960b3aabe60002 1346 4047904bcf811f601cc03eaa5d7af6db 0ec675ad498afeeab6960b3aabe60003 1347 9f88efa2e51ca832fc2a15b126fa7be2 0ec675ad498afeeab6960b3aabe60004 1348 469af896acb1852c31d822c45799 0ec675ad498afeeab6960b3aabe60005 1350 A.4.2. ARIA_192 1352 The inputs to the key derivation function are the 24 octet master key 1353 and the 14 octet master salt: 1355 master key: 0c5ffd37a11edc42c325287fc0604f2e3e8cd5671a00fe32 1356 master salt: 0ec675ad498afeebb6960b3aabe6 1358 index DIV kdr: 000000000000 1359 label: 00 1360 master salt: 0ec675ad498afeebb6960b3aabe6 1361 ----------------------------------------------- 1362 xor: 0ec675ad498afeebb6960b3aabe6 (x, PRF input) 1364 x*2^16: 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input) 1366 cipher key: f320af2386a1cde64c3aa5f55d68002e (ARIA-CTR 1st output) 1367 d13cbe548b627649 (ARIA-CTR 2nd Output) 1369 ARIA-CTR cipher suite requires 14 octet cipher salt while ARIA-CCM 1370 and ARIA-GCM cipher suites require 12 octet cipher salt. 1372 index DIV kdr: 000000000000 1373 label: 02 1374 master salt: 0ec675ad498afeebb6960b3aabe6 1375 ---------------------------------------------- 1376 xor: 0ec675ad498afee9b6960b3aabe6 (x, PRF input) 1378 x*2^16: 0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input) 1380 55c7e3555baf0fdc91c589cfb871b098 (ARIA-CTR output) 1382 cipher salt: 55c7e3555baf0fdc91c589cfb871 (ARIA-CTR cipher 1383 suite) 1384 55c7e3555baf0fdc91c589cf (ARIA-CCM or 1385 ARIA-GCM cipher suite) 1387 index DIV kdr: 000000000000 1388 label: 01 1389 master salt: 0ec675ad498afeebb6960b3aabe6 1390 ----------------------------------------------- 1391 xor: 0ec675ad498afeeab6960b3aabe6 (x, PRF input) 1393 x*2^16: 0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input) 1395 Below, the auth key is shown on the left, while the corresponding 1396 ARIA input blocks are shown on the right. 1398 auth key ARIA input blocks 1400 116902524517f7e767a979ad7678d53a 0ec675ad498afeeab6960b3aabe60000 1401 8cae05a5c9a315d1304f634c81a06617 0ec675ad498afeeab6960b3aabe60001 1402 31fe099d4dcd2202421fe01fc12c65ad 0ec675ad498afeeab6960b3aabe60002 1403 009e920031654855af5d9e820a7831e0 0ec675ad498afeeab6960b3aabe60003 1404 bc2b4744d2a33053eb685138252f2d82 0ec675ad498afeeab6960b3aabe60004 1405 9a89f4a9aa4f97fde0cce9bad3d5 0ec675ad498afeeab6960b3aabe60005 1407 A.4.3. ARIA_256 1409 The inputs to the key derivation function are the 32 octet master key 1410 and the 14 octet master salt: 1412 master key: 0c5ffd37a11edc42c325287fc0604f2e 1413 3e8cd5671a00fe3216aa5eb105783b54 1414 master salt: 0ec675ad498afeebb6960b3aabe6 1416 index DIV kdr: 000000000000 1417 label: 00 1418 master salt: 0ec675ad498afeebb6960b3aabe6 1419 ----------------------------------------------- 1420 xor: 0ec675ad498afeebb6960b3aabe6 (x, PRF input) 1422 x*2^16: 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input) 1424 cipher key: 0649a09d93755fe9c2b2efba1cce930a (ARIA-CTR 1st output) 1425 f2e76ce8b77e4b175950321aa94b0cf4 (ARIA-CTR 2nd output) 1427 ARIA-CTR cipher suite requires 14 octet cipher salt while ARIA-CCM 1428 and ARIA-GCM cipher suites require 12 octet cipher salt. 1430 index DIV kdr: 000000000000 1431 label: 02 1432 master salt: 0ec675ad498afeebb6960b3aabe6 1433 ---------------------------------------------- 1434 xor: 0ec675ad498afee9b6960b3aabe6 (x, PRF input) 1436 x*2^16: 0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input) 1438 194abaa8553a8eba8a413a340fc80a3d (ARIA-CTR output) 1440 cipher salt: 194abaa8553a8eba8a413a340fc8 (ARIA-CTR cipher 1441 suite) 1442 194abaa8553a8eba8a413a34 (ARIA-CCM or 1443 ARIA-GCM cipher suite) 1445 index DIV kdr: 000000000000 1446 label: 01 1447 master salt: 0ec675ad498afeebb6960b3aabe6 1448 ----------------------------------------------- 1449 xor: 0ec675ad498afeeab6960b3aabe6 (x, PRF input) 1451 x*2^16: 0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input) 1453 Below, the auth key is shown on the left, while the corresponding 1454 ARIA input blocks are shown on the right. 1456 auth key ARIA input blocks 1458 e58d42915873b71899234807334658f2 0ec675ad498afeeab6960b3aabe60000 1459 0bc460181d06e02b7a9e60f02ff10bfc 0ec675ad498afeeab6960b3aabe60001 1460 9ade3795cf78f3e0f2556d9d913470c4 0ec675ad498afeeab6960b3aabe60002 1461 e82e45d254bfb8e2933851a3930ffe7d 0ec675ad498afeeab6960b3aabe60003 1462 fca751c03ec1e77e35e28dac4f17d1a5 0ec675ad498afeeab6960b3aabe60004 1463 80bdac028766d3b1e8f5a41faa3c 0ec675ad498afeeab6960b3aabe60005 1465 Authors' Addresses 1466 Woo-Hwan Kim 1467 National Security Research Institute 1468 P.O.Box 1, Yuseong 1469 Daejeon 305-350 1470 Korea 1472 EMail: whkim5@ensec.re.kr 1474 Jungkeun Lee 1475 National Security Research Institute 1476 P.O.Box 1, Yuseong 1477 Daejeon 305-350 1478 Korea 1480 EMail: jklee@ensec.re.kr 1482 Dong-Chan Kim 1483 National Security Research Institute 1484 P.O.Box 1, Yuseong 1485 Daejeon 305-350 1486 Korea 1488 EMail: dongchan@ensec.re.kr 1490 Je-Hong Park 1491 National Security Research Institute 1492 P.O.Box 1, Yuseong 1493 Daejeon 305-350 1494 Korea 1496 EMail: jhpark@ensec.re.kr 1498 Daesung Kwon 1499 National Security Research Institute 1500 P.O.Box 1, Yuseong 1501 Daejeon 305-350 1502 Korea 1504 EMail: ds_kwon@ensec.re.kr