idnits 2.17.1 draft-ietf-kitten-aes-cbc-hmac-sha2-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 285 has weird spacing: '... Etype encr...' -- The document date (October 1, 2013) is 3857 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- No issues found here. Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group M. Jenkins 3 Internet Draft National Security Agency 4 Intended Status: Informational M. Peck 5 Expires: April 4, 2014 The MITRE Corporation 6 K. Burgin 7 October 1, 2013 9 AES Encryption with HMAC-SHA2 for Kerberos 5 10 draft-ietf-kitten-aes-cbc-hmac-sha2-00 12 Abstract 14 This document specifies two encryption types and two corresponding 15 checksum types for Kerberos 5. The new types use AES in CBC mode 16 with plaintext padding for confidentiality and HMAC with a SHA-2 hash 17 for integrity. 19 Status of this Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF). Note that other groups may also distribute 26 working documents as Internet-Drafts. The list of current Internet- 27 Drafts is at http://datatracker.ietf.org/drafts/current/. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 This Internet-Draft will expire on January 20, 2014. 36 Copyright and License Notice 38 Copyright (c) 2013 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents 43 (http://trustee.ietf.org/license-info) in effect on the date of 44 publication of this document. Please review these documents 45 carefully, as they describe your rights and restrictions with respect 46 to this document. Code Components extracted from this document must 47 include Simplified BSD License text as described in Section 4.e of 48 the Trust Legal Provisions and are provided without warranty as 49 described in the Simplified BSD License. 51 Table of Contents 53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 54 2. Protocol Key Representation . . . . . . . . . . . . . . . . . 3 55 3. Key Generation from Pass Phrases . . . . . . . . . . . . . . . 3 56 4. Key Derivation Function . . . . . . . . . . . . . . . . . . . 4 57 5. Kerberos Algorithm Protocol Parameters . . . . . . . . . . . . 5 58 6. Checksum Parameters . . . . . . . . . . . . . . . . . . . . . 7 59 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 60 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 61 8.1. Random Values in Salt Strings . . . . . . . . . . . . . . 8 62 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 63 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 64 10.1. Normative References . . . . . . . . . . . . . . . . . . 8 65 10.2. Informative References . . . . . . . . . . . . . . . . . 8 66 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 9 67 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 69 1. Introduction 71 This document defines two encryption types and two corresponding 72 checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys. 73 The plaintext is padded to a multiple of the AES block size using the 74 algorithm in Section 6.3 of [RFC5652]. The new types conform to the 75 framework specified in [RFC3961], but do not use the simplified 76 profile. 78 The encryption and checksum types defined in this document are 79 intended to support NSA's Suite B Profile for Kerberos [suiteb- 80 kerberos] which requires the use of SHA-256 or SHA-384 as the hash 81 algorithm. Differences between the encryption and checksum types 82 defined in this document and existing Kerberos encryption and 83 checksum types are: 85 * The pseudorandom function used by PBKDF2 is HMAC-SHA-256 or HMAC- 86 SHA-384. 88 * A key derivation function from [SP800-108] which uses the SHA-256 89 or SHA-384 hash algorithm is used to produce keys for encryption, 90 integrity protection, and checksum operations. 92 * The plaintext is padded so the resulting length is a multiple of 93 the AES block length. This allows for AES encryption using CBC 94 mode as defined in [SP800-38A] instead of using ciphertext 95 stealing (CTS) mode. 97 * The random nonce used during content encryption is sent as part of 98 the ciphertext, instead of using a confounder. This saves one 99 encryption and decryption operation per message. 101 * The HMAC is calculated over the random nonce concatenated with the 102 AES output, instead of being calculated over the confounder and 103 plaintext. This allows the message receiver to verify the 104 integrity of the message before decrypting the message. 106 * The HMAC algorithm uses the SHA-256 or SHA-384 hash algorithm for 107 integrity protection and checksum operations. 109 2. Protocol Key Representation 111 The AES key space is dense, so we can use random or pseudorandom 112 octet strings directly as keys. The byte representation for the key 113 is described in [FIPS197], where the first bit of the bit string is 114 the high bit of the first byte of the byte string (octet string). 116 3. Key Generation from Pass Phrases 117 The pseudorandom function used by PBKDF2 will be the SHA-256 or SHA- 118 384 HMAC of the passphrase and salt. If the enctype is "aes128-cbc- 119 hmac-sha256-128", then HMAC-SHA-256 is used as the PRF. If the 120 enctype is "aes256-cbc-hmac-sha384-192", then HMAC-SHA-384 is used as 121 the PRF. 123 The final key derivation step uses the algorithm KDF-HMAC-SHA2 124 defined below in Section 4. 126 If no string-to-key parameters are specified, the default number of 127 iterations is 32,768. 129 To ensure that different long-term keys are used with different 130 enctypes, we prepend the enctype name to the salt string, separated 131 by a null byte. The enctype name is "aes128-cbc-hmac-sha256-128" or 132 "aes256-cbc-hmac-sha384-192" (without the quotes). The user's long- 133 term key is derived as follows 135 saltp = enctype-name | 0x00 | salt 136 tkey = random-to-key(PBKDF2(passphrase, saltp, 137 iter_count, keylength)) 138 key = KDF-HMAC-SHA2(tkey, "kerberos") where "kerberos" is the 139 byte string {0x6b65726265726f73}. 141 where the pseudorandom function used by PBKDF2 is HMAC-SHA-256 when 142 the enctype is "aes128-cbc-hmac-sha256-128" and HMAC-SHA-384 when the 143 enctype is "aes256-cbc-hmac-sha384-192", the value for keylength is 144 the AES key length, and the algorithm KDF-HMAC-SHA2 is defined in 145 Section 4. 147 4. Key Derivation Function 149 We use a key derivation function from Section 5.1 of [SP800-108] 150 which uses the HMAC algorithm as the PRF. The counter i is expressed 151 as four octets in big-endian order. The length of the output key in 152 bits (denoted as k) is also represented as four octets in big-endian 153 order. The "Label" input to the KDF is the usage constant supplied 154 to the key derivation function, and the "Context" input is null. 155 Each application of the KDF only requires a single iteration of the 156 PRF, so n = 1 in the notation of [SP800-108]. 158 In the following summary, | indicates concatenation. The random-to- 159 key function is the identity function, as defined in Section 3. The 160 k-truncate function is defined in [RFC3961], Section 5.1. 162 When the encryption type is aes128-cbc-hmac-sha256-128, the output 163 key length k is 128 bits for all applications of KDF-HMAC-SHA2(key, 164 constant) which is computed as follows: 166 K1 = HMAC-SHA-256(key, 00 00 00 01 | constant | 0x00 | 00 00 00 80) 167 KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) 169 When the encryption type is aes256-cbc-hmac-sha384-192, the output 170 key length k is 256 bits when computing the base-key and Ke, and the 171 output key length k is 192 bits when deriving Kc and Ki. KDF-HMAC- 172 SHA2(key, constant) is computed as follows: 174 If deriving Kc or Ki (the constant ends with 0x99 or 0x55): 175 k = 192 176 K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 0x00 | 00 00 00 C0) 177 KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) 179 Otherwise (if deriving Ke or deriving the base-key from a 180 passphrase as described in Section 3): 181 k = 256 182 K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 0x00 | 00 00 01 00) 183 KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) 185 The constants used for key derivation are the same as those used in 186 the simplified profile. 188 5. Kerberos Algorithm Protocol Parameters 190 Each encryption will use a 16-octet nonce generated at random by the 191 message originator. The initialization vector (IV) used by AES is 192 obtained by xoring the random nonce with the cipherState. 194 CBC mode [SP800-38A] requires the plaintext length be a multiple of 195 the AES block size, so the plaintext is padded using the algorithm in 196 Section 6.3 of [RFC5652]. 198 The ciphertext is the concatenation of the random nonce, the output 199 of AES in CBC mode, and the HMAC of the nonce concatenated with the 200 AES output. The HMAC is computed using either SHA-256 or SHA-384. 201 The output of HMAC-SHA-256 is truncated to 128 bits and the output of 202 HMAC-SHA-384 is truncated to 192 bits. Sample test vectors are given 203 in Appendix A. 205 Decryption is performed by removing the HMAC, verifying the HMAC 206 against the remainder, and then decrypting the remainder if the HMAC 207 is correct. 209 The following parameters apply to the encryption types aes128-cbc- 210 hmac-sha256-128 and aes256-cbc-hmac-sha384-192. 212 protocol key format: as defined in Section 2. 214 specific key structure: three protocol-format keys: { Kc, Ke, Ki }. 216 required checksum mechanism: as defined in Section 6. 218 key-generation seed length: key size (128 or 256 bits). 220 string-to-key function: as defined in Section 3. 222 default string-to-key parameters: 00 00 80 00. 224 random-to-key function: identity function. 226 key-derivation function: KDF-HMAC-SHA2 as defined in Section 4. The 227 key usage number is expressed as four octets in big-endian order. 229 Kc = KDF-HMAC-SHA2(base-key, usage | 0x99) 230 Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA) 231 Ki = KDF-HMAC-SHA2(base-key, usage | 0x55) 233 cipherState: a 128-bit random nonce. 235 initial cipherState: all bits zero. 237 encryption function: as follows, where E() is AES encryption in CBC 238 mode, h is the size of truncated HMAC, and c is the AES block size. 240 N = random nonce of length c (128 bits) 241 IV = N XOR cipherState 242 pad = Shortest string of non-zero length to bring the plaintext 243 to a length that is a multiple of c. The value of each 244 added octet equals the number of octets that are added. 245 C = E(Ke, plaintext | pad, IV) 246 H = HMAC(Ki, N | C) 247 ciphertext = N | C | H[1..h] 248 cipherState = N 250 decryption function: as follows, where D() is AES encryption in CBC 251 mode, and h is the size of truncated HMAC. 253 (N, C, H) = ciphertext 254 if H != HMAC(Ki, N | C)[1..h] 255 stop, report error 256 IV = N XOR cipherState 257 P | pad = D(Ke, C, IV) 258 cipherState = N 260 pseudo-random function: 261 Kp = KDF-HMAC-SHA2(protocol-key, "prf") 262 PRF = HMAC(Kp, octet-string) 264 6. Checksum Parameters 266 The following parameters apply to the checksum types hmac-sha256-128- 267 aes128 and hmac-sha384-192-aes256, which are the associated checksums 268 for aes128-cbc-hmac-sha256-128 and aes256-cbc-hmac-sha384-192, 269 respectively. 271 associated cryptosystem: AES-128-CBC or AES-256-CBC as appropriate. 273 get_mic: HMAC(Kc, message)[1..h]. 275 verify_mic: get_mic and compare. 277 7. IANA Considerations 279 IANA is requested to assign: 281 Encryption type numbers for aes128-cbc-hmac-sha256-128 and 282 aes256-cbc-hmac-sha384-192 in the Kerberos Encryption Type Numbers 283 registry. 285 Etype encryption type Reference 286 ----- --------------- --------- 287 TBD1 aes128-cbc-hmac-sha256-128 [this document] 288 TBD2 aes256-cbc-hmac-sha384-192 [this document] 290 Checksum type numbers for hmac-sha256-128-aes128 and hmac-sha384-192- 291 aes256 in the Kerberos Checksum Type Numbers registry. 293 Sumtype Checksum type Size Reference 294 ------- ------------- ---- --------- 295 TBD3 hmac-sha256-128-aes128 16 [this document] 296 TBD4 hmac-sha384-192-aes256 24 [this document] 298 8. Security Considerations 300 This specification requires implementations to generate random 301 values. The use of inadequate pseudo-random number generators 302 (PRNGs) can result in little or no security. The generation of 303 quality random numbers is difficult. [RFC4086] offers random number 304 generation guidance. 306 This document specifies a mechanism for generating keys from pass 307 phrases or passwords. The salt and iteration count resist brute 308 force and dictionary attacks, however, it is still important to 309 choose or generate strong passphrases. 311 8.1. Random Values in Salt Strings 313 NIST guidance in Section 5.1 of [SP800-132] requires the salt used as 314 input to the PBKDF to contain at least 128 bits of random. Some 315 known issues with including random values in Kerberos encryption type 316 salt strings are: 318 * Cross-realm TGTs are currently managed by entering the same 319 password at two KDCs to get the same keys. If each KDC uses a 320 random salt, they won't have the same keys. 322 * The string-to-key function as defined in [RFC3961] requires the 323 salt to be valid UTF-8 strings. Not every 128-bit random string 324 will be valid UTF-8. 326 * Current implementations of password history checking will not 327 work. 329 * ktutil's add_entry command assumes the default salt. 331 9. Acknowledgements 333 Kelley Burgin was employed at the National Security Agency during 334 much of the work on this document. 336 10. References 338 10.1. Normative References 340 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for 341 Kerberos 5", RFC 3961, February 2005. 343 [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", 344 RFC5652, September 2009. 346 [FIPS197] National Institute of Standards and Technology, 347 "Advanced Encryption Standard (AES)", FIPS PUB 197, 348 November 2001. 350 10.2. Informative References 352 [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, 353 "Randomness Requirements for Security", BCP 106, RFC 354 4086, June 2005. 356 [SP800-38A] National Institute of Standards and Technology, 357 "Recommendation for Block Cipher Modes of Operation: 358 Methods and Techniques", NIST Special Publication 359 800-38A, December 2001. 361 [SP800-108] National Institute of Standards and Technology, 362 "Recommendation for Key Derivation Using Pseudorandom 363 Functions", NIST Special Publication 800-108, October 364 2009. 366 [SP800-132] National Institute of Standards and Technology, 367 "Recommendation for Password-Based Key Derivation, Part 368 1: Storage Applications", NIST Special Publication 800- 369 132, June 2010. 371 [suiteb-kerberos] 372 Burgin, K. and K. Igoe, "Suite B Profile for 373 Kerberos 5", internet-draft draft-burgin-kerberos- 374 suiteb-01, Work In Progress, 2012. 376 Appendix A. Test Vectors 378 Sample results for string-to-key conversion: 379 -------------------------------------------- 381 Iteration count = 32768 382 Pass phrase = "password" 383 Saltp for creating 128-bit master key: 384 61 65 73 31 32 38 2D 63 62 63 2D 68 6D 61 63 2D 385 73 68 61 32 35 36 2D 31 32 38 00 10 DF 9D D7 83 386 E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E 387 41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E 388 (The saltp is "aes128-cbc-hmac-sha256-128" | 0x00 | 389 random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn") 390 128-bit master key: 391 C3 19 22 E2 EA 3A 67 05 E0 B9 AC 57 08 82 48 28 393 Saltp for creating 256-bit master key: 394 61 65 73 32 35 36 2D 63 62 63 2D 68 6D 61 63 2D 395 73 68 61 33 38 34 2D 31 39 32 00 10 DF 9D D7 83 396 E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E 397 41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E 398 (The saltp is "aes256-cbc-hmac-sha384-192" | 0x00 | 399 random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn") 400 256-bit master key: 401 77 73 83 E7 C4 76 1D CE FC 5B D8 F8 A7 28 37 8A 402 5E 63 BC B2 0E B9 A2 BB C5 1E 73 56 8A FC CD E6 404 Sample results for key derivation: 405 ---------------------------------- 407 enctype aes128-cbc-hmac-sha256-128: 408 128-bit master key: 409 37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C 410 Kc value for key usage 2 (constant = 0x0000000299): 411 B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3 412 Ke value for key usage 2 (constant = 0x00000002AA): 413 9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E 414 Ki value for key usage 2 (constant = 0x0000000255): 415 9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C 417 enctype aes256-cbc-hmac-sha384-192: 418 256-bit master key: 419 6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98 420 00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52 421 Kc value for key usage 2 (constant = 0x0000000299): 422 EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4 423 BA 41 F2 8F AF 69 E7 3D 424 Ke value for key usage 2 (constant = 0x00000002AA): 425 56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7 426 A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49 427 Ki value for key usage 2 (constant = 0x0000000255): 428 69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6 429 22 C4 D0 0F FC 23 ED 1F 431 Sample encryptions (using the default cipher state): 432 ---------------------------------------------------- 434 Plaintext: (empty) 435 Nonce: 436 7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48 437 128-bit AES key: 438 9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E 439 128-bit HMAC key: 440 9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C 441 AES Output: 442 9E 30 E1 7A 01 BC E8 5B 59 90 C8 90 1A 55 1D 8C 443 HMAC Output: 444 0C 80 06 07 A4 6E 35 2C A7 73 CE 52 69 51 63 57 445 Ciphertext: 446 7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48 447 9E 30 E1 7A 01 BC E8 5B 59 90 C8 90 1A 55 1D 8C 448 0C 80 06 07 A4 6E 35 2C A7 73 CE 52 69 51 63 57 450 Plaintext: (length less than block size) 451 00 01 02 03 04 05 453 Nonce: 454 7B CA 28 5E 2F D4 13 0F B5 5B 1A 5C 83 BC 5B 24 455 128-bit AES key: 456 4E FD A6 52 4E 6B 56 B4 F2 12 61 FB FC 93 21 AB 457 128-bit HMAC key: 458 29 1B 0C 37 73 D7 6E E6 BA 2C CF 1E 03 93 F6 3E 459 AES Output: 460 2B E8 63 D7 B1 D4 F0 4D 95 F2 17 D6 9E C2 14 23 461 HMAC Output: 462 5F D1 CB B9 C0 6E 42 6E F9 95 05 B5 FB 42 6F 6A 463 Ciphertext: 464 7B CA 28 5E 2F D4 13 0F B5 5B 1A 5C 83 BC 5B 24 465 2B E8 63 D7 B1 D4 F0 4D 95 F2 17 D6 9E C2 14 23 466 5F D1 CB B9 C0 6E 42 6E F9 95 05 B5 FB 42 6F 6A 468 Plaintext: (length equals block size) 469 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 470 Nonce: 471 56 AB 21 71 3F F6 2C 0A 14 57 20 0F 6F A9 94 8F 472 128-bit AES key: 473 FF 82 40 42 4B CC BA 05 56 50 C0 39 3B 83 DF 3B 474 128-bit HMAC key: 475 ED 15 62 8B 45 35 8C BF 7F 50 E7 64 C2 6B 8A 1A 476 AES Output: 477 AD 5D 0C E8 93 48 A8 16 07 11 09 75 6A 83 FB 09 478 D2 3F 29 30 68 F9 D4 E5 1F B8 92 B0 61 C7 43 BF 479 HMAC Output: 480 3A 40 51 A4 8B 7A 11 B3 91 F1 36 67 98 16 24 AD 481 Ciphertext: 482 56 AB 21 71 3F F6 2C 0A 14 57 20 0F 6F A9 94 8F 483 AD 5D 0C E8 93 48 A8 16 07 11 09 75 6A 83 FB 09 484 D2 3F 29 30 68 F9 D4 E5 1F B8 92 B0 61 C7 43 BF 485 3A 40 51 A4 8B 7A 11 B3 91 F1 36 67 98 16 24 AD 487 Plaintext: (length greater than block size) 488 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 489 10 11 12 13 14 490 Nonce: 491 A7 A4 E2 9A 47 28 CE 10 66 4F B6 4E 49 AD 3F AC 492 128-bit AES key: 493 B5 9B 88 75 AD 5D CA FF F7 79 4D 93 F8 19 9D 79 494 128-bit HMAC key: 495 0A 42 1D 72 2F 8F C2 D6 84 8B 1C DA D1 5A 49 C9 496 AES Output: 497 DA A3 99 2E 39 5C 5D E1 34 EB 1A CC 73 8D CE 02 498 35 B9 D6 5A 63 0B 8D 84 BC 78 E9 38 75 79 5E DF 499 HMAC Output: 500 CF 68 74 07 12 22 6C 61 C1 E4 A6 78 A9 7C 86 60 502 Ciphertext: 503 A7 A4 E2 9A 47 28 CE 10 66 4F B6 4E 49 AD 3F AC 504 DA A3 99 2E 39 5C 5D E1 34 EB 1A CC 73 8D CE 02 505 35 B9 D6 5A 63 0B 8D 84 BC 78 E9 38 75 79 5E DF 506 CF 68 74 07 12 22 6C 61 C1 E4 A6 78 A9 7C 86 60 508 Plaintext: (empty) 509 Nonce: 510 F7 64 E9 FA 15 C2 76 47 8B 2C 7D 0C 4E 5F 58 E4 511 256-bit AES key: 512 0F A2 0D 7D 03 33 EE 65 16 2C DA 67 E7 AD 0D 3C 513 5E 03 1F 3B 66 70 E0 31 28 2F AC C2 87 9C 21 C7 514 192-bit HMAC key: 515 53 BF 30 6A 68 33 A3 25 18 FC B8 5F 63 1D 03 D5 516 2E E3 1B 39 75 2F 57 ED 517 AES Output: 518 73 1E 56 A3 D9 DA 70 87 5C 74 C7 67 73 C2 F7 EB 519 HMAC Output: 520 FA F7 49 55 33 7E 20 98 C4 B4 F7 8F 35 5B 8A B9 521 72 6D 40 AC F3 5D B3 7B 522 Ciphertext: 523 F7 64 E9 FA 15 C2 76 47 8B 2C 7D 0C 4E 5F 58 E4 524 73 1E 56 A3 D9 DA 70 87 5C 74 C7 67 73 C2 F7 EB 525 FA F7 49 55 33 7E 20 98 C4 B4 F7 8F 35 5B 8A B9 526 72 6D 40 AC F3 5D B3 7B 528 Plaintext: (length less than block size) 529 00 01 02 03 04 05 530 Nonce: 531 B8 0D 32 51 C1 F6 47 14 94 25 6F FE 71 2D 0B 9A 532 256-bit AES key: 533 47 DA 4C A2 8B D1 C1 14 D5 50 7E 55 81 86 CA 4F 534 DB A0 DA E5 B2 4F 6D 68 89 D5 3A FB F1 D0 B8 36 535 192-bit HMAC key: 536 13 6B 5C 83 C9 53 AE 29 E2 C2 31 6A 7B 34 B8 C2 537 AD 26 E4 66 7F AB 42 6E 538 AES Output: 539 EF DE 87 A1 14 2D B5 C7 4A 42 52 A7 A7 77 5A 3E 540 HMAC Output: 541 45 02 19 E4 A8 C6 3E 8F E6 DB F5 08 78 E4 28 40 542 E9 36 DD 0A 66 1C A9 9C 543 Ciphertext: 544 B8 0D 32 51 C1 F6 47 14 94 25 6F FE 71 2D 0B 9A 545 EF DE 87 A1 14 2D B5 C7 4A 42 52 A7 A7 77 5A 3E 546 45 02 19 E4 A8 C6 3E 8F E6 DB F5 08 78 E4 28 40 547 E9 36 DD 0A 66 1C A9 9C 549 Plaintext: (length equals block size) 550 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 551 Nonce: 552 53 BF 8A 0D 10 52 65 D4 E2 76 42 86 24 CE 5E 63 553 256-bit AES key: 554 5E A6 16 D8 FD A2 33 F1 B4 99 79 A4 B9 FA 01 D3 555 21 B1 3D 6F BD 6E 3B B7 2E 54 B4 85 E2 36 AF 23 556 192-bit HMAC key: 557 AD D3 8D C9 86 83 C5 CC 14 E3 C7 37 EA A7 06 47 558 B3 19 71 0E 87 6A 38 77 559 AES Output: 560 E4 09 FF 7A 93 60 E9 72 7B 3F 88 35 28 73 E0 CF 561 B3 21 90 09 69 7D 79 6A 51 9C A3 86 DF 84 5D AD 562 HMAC Output: 563 60 75 75 AA D0 05 9F 9A C8 16 EA E0 B9 B5 00 2E 564 42 33 AA 53 89 9F AB 39 565 Ciphertext: 566 53 BF 8A 0D 10 52 65 D4 E2 76 42 86 24 CE 5E 63 567 E4 09 FF 7A 93 60 E9 72 7B 3F 88 35 28 73 E0 CF 568 B3 21 90 09 69 7D 79 6A 51 9C A3 86 DF 84 5D AD 569 60 75 75 AA D0 05 9F 9A C8 16 EA E0 B9 B5 00 2E 570 42 33 AA 53 89 9F AB 39 572 Plaintext: (length greater than block size) 573 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 574 10 11 12 13 14 575 Nonce: 576 76 3E 65 36 7E 86 4F 02 F5 51 53 C7 E3 B5 8A F1 577 256-bit AES key: 578 B3 A8 02 E3 40 61 3E F1 E0 EC E9 1A 15 7C 59 12 579 6F BD C4 B8 C2 4C 8D 0B 2E 5A 30 F0 1E 7E 34 88 580 192-bit HMAC key: 581 FC 0B 49 9B 83 55 A3 2A C3 C9 AC B6 64 93 63 EB 582 5D BB A4 25 1A 75 B2 0A 583 AES Output: 584 F6 2D D7 FF 39 A8 EE D2 4C C5 A8 CF 84 15 71 1C 585 F5 05 05 2F 9B AD 75 C8 27 9D 05 D4 81 CF A9 73 586 HMAC Output: 587 DB 3B C2 37 0F 9D A6 F1 F7 99 32 A0 A6 4F 7A 7A 588 BD B9 B3 35 47 DD 9B 62 589 Ciphertext: 590 76 3E 65 36 7E 86 4F 02 F5 51 53 C7 E3 B5 8A F1 591 F6 2D D7 FF 39 A8 EE D2 4C C5 A8 CF 84 15 71 1C 592 F5 05 05 2F 9B AD 75 C8 27 9D 05 D4 81 CF A9 73 593 DB 3B C2 37 0F 9D A6 F1 F7 99 32 A0 A6 4F 7A 7A 594 BD B9 B3 35 47 DD 9B 62 596 Sample checksums: 597 ----------------- 598 Checksum type: hmac-sha256-128-aes128 599 128-bit master key: 600 37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C 601 128-bit HMAC key (Kc, key usage 2): 602 B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3 603 Plaintext: 604 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 605 10 11 12 13 14 606 Checksum: 607 D7 83 67 18 66 43 D6 7B 41 1C BA 91 39 FC 1D EE 609 Checksum type: hmac-sha384-192-aes256 610 256-bit master key: 611 6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98 612 00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52 613 192-bit HMAC key (Kc, key usage 2): 614 EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4 615 BA 41 F2 8F AF 69 E7 3D 616 Plaintext: 617 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 618 10 11 12 13 14 619 Checksum: 620 45 EE 79 15 67 EE FC A3 7F 4A C1 E0 22 2D E8 0D 621 43 C3 BF A0 66 99 67 2A 623 Authors' Addresses 625 Michael J. Jenkins 626 National Security Agency 628 EMail: mjjenki@tycho.ncsc.mil 630 Michael A. Peck 631 The MITRE Corporation 633 EMail: mpeck@mitre.org 635 Kelley W. Burgin 637 Email: kelley.burgin@gmail.com