Network Working Group                                          K. Burgin
Internet Draft                                  National Security Agency
Intended Status: Informational                                   M. Peck
Expires: December 30, 2013                         The MITRE Corporation
                                                           June 28, 2013

             AES Encryption with HMAC-SHA2 for Kerberos 5
                 draft-ietf-kitten-aes-cts-hmac-sha2-01

Abstract

   This document specifies two encryption types and two corresponding
   checksum types for Kerberos 5.  The new types use AES in CTS mode
   (CBC mode with ciphertext stealing) for confidentiality and HMAC with
   a SHA-2 hash for integrity.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 30, 2013.

Copyright and License Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Protocol Key Representation
   3.  Key Generation from Pass Phrases
   4.  Key Derivation Function
   5.  Kerberos Algorithm Protocol Parameters
   6.  Checksum Parameters
   7.  IANA Considerations
   8.  Security Considerations
     8.1.  Random Values in Salt Strings
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Test Vectors
   Authors' Addresses

1.  Introduction

   This document defines two encryption types and two corresponding
   checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys.
   To avoid ciphertext expansion, we use the CBC-CS3 variant of CBC mode
   defined in [SP800-38A+] (this mode is also referred to as CTS).  The
   new types conform to the framework specified in [RFC3961], but do not
   use the simplified profile.

   Note that [SP800-38A+] requires the plaintext length to be greater
   than the block size, so the encryption types have two cases.

   The encryption and checksum types defined in this document are
   intended to support NSA's Suite B Profile for Kerberos
   [suiteb-kerberos], which requires the use of SHA-256 or SHA-384 as
   the hash algorithm.  Differences between the encryption and checksum
   types defined in this document and existing Kerberos encryption and
   checksum types are:

   *  The pseudorandom function used by PBKDF2 is HMAC-SHA-256 or
      HMAC-SHA-384.

   *  A key derivation function from [SP800-108] which uses the SHA-256
      or SHA-384 hash algorithm is used to produce keys for encryption,
      integrity protection, and checksum operations.

   *  The IV used during content encryption is sent as part of the
      ciphertext, instead of using a confounder.  This saves one
      encryption and decryption operation per message.

   *  The HMAC is calculated over the AES output, instead of being
      calculated over the plaintext.  This allows the message receiver
      to verify the integrity of the message before decrypting the
      message.

   *  The HMAC algorithm uses the SHA-256 or SHA-384 hash algorithm for
      integrity protection and checksum operations.

2.  Protocol Key Representation

   The AES key space is dense, so we can use random or pseudorandom
   octet strings directly as keys.  The byte representation for the key
   is described in [FIPS197], where the first bit of the bit string is
   the high bit of the first byte of the byte string (octet string).

3.  Key Generation from Pass Phrases

   The pseudorandom function used by PBKDF2 will be the SHA-256 or
   SHA-384 HMAC of the passphrase and salt.  If the enctype is
   "aes128-cts-hmac-sha256-128", then HMAC-SHA-256 is used as the PRF.
   If the enctype is "aes256-cts-hmac-sha384-192", then HMAC-SHA-384 is
   used as the PRF.

   The final key derivation step uses the algorithm KDF-HMAC-SHA2
   defined below in Section 4.

   If no string-to-key parameters are specified, the default number of
   iterations is raised to 32,768.

   To ensure that different long-term keys are used with different
   enctypes, we prepend the enctype name to the salt string, separated
   by a null byte.  The enctype name is "aes128-cts-hmac-sha256-128" or
   "aes256-cts-hmac-sha384-192" (without the quotes).  The user's
   long-term key is derived as follows:

      saltp = enctype-name | 0x00 | salt
      tkey = random-to-key(PBKDF2(passphrase, saltp,
                                  iter_count, keylength))
      key = KDF-HMAC-SHA2(tkey, "kerberos") where "kerberos" is the
            byte string {0x6b65726265726f73}.

   where the pseudorandom function used by PBKDF2 is HMAC-SHA-256 when
   the enctype is "aes128-cts-hmac-sha256-128" and HMAC-SHA-384 when the
   enctype is "aes256-cts-hmac-sha384-192", the value for keylength is
   the AES key length, and the algorithm KDF-HMAC-SHA2 is defined in
   Section 4.

4.  Key Derivation Function

   We use a key derivation function from Section 5.1 of [SP800-108]
   which uses the HMAC algorithm as the PRF.  The counter i is expressed
   as four octets in big-endian order.
   The length of the output key in bits (denoted as k) is also
   represented as four octets in big-endian order.  The "Label" input to
   the KDF is the usage constant supplied to the key derivation
   function, and the "Context" input is null.  Each application of the
   KDF only requires a single iteration of the PRF, so n = 1 in the
   notation of [SP800-108].

   In the following summary, | indicates concatenation.  The
   random-to-key function is the identity function, as defined in
   Section 3.  The k-truncate function is defined in [RFC3961],
   Section 5.1.

   When the encryption type is aes128-cts-hmac-sha256-128, the output
   key length k is 128 bits for all applications of KDF-HMAC-SHA2(key,
   constant), which is computed as follows:

      K1 = HMAC-SHA-256(key, 00 00 00 01 | constant | 0x00 | 00 00 00 80)
      KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1))

   When the encryption type is aes256-cts-hmac-sha384-192, the output
   key length k is 256 bits when computing the base-key and Ke, and the
   output key length k is 192 bits when deriving Kc and Ki.
   KDF-HMAC-SHA2(key, constant) is computed as follows:

      If deriving Kc or Ki (the constant ends with 0x99 or 0x55):
         k = 192
         K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 0x00 | 00 00 00 C0)
         KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1))

      Otherwise (if deriving Ke or deriving the base-key from a
      passphrase as described in Section 3):
         k = 256
         K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 0x00 | 00 00 01 00)
         KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1))

   The constants used for key derivation are the same as those used in
   the simplified profile.

5.  Kerberos Algorithm Protocol Parameters

   In cases where the plaintext length is greater than the block size:

      Each encryption will use a 16-octet nonce generated at random by
      the message originator.  The initialization vector (IV) used by
      AES is obtained by XORing the random nonce with the cipherState.

      The ciphertext is the concatenation of the random nonce, the
      output of AES in CBC-CS3 mode, and the HMAC of the nonce
      concatenated with the AES output.  The HMAC is computed using
      either SHA-256 or SHA-384.  The output of SHA-256 is truncated to
      128 bits and the output of SHA-384 is truncated to 192 bits.
      Sample test vectors are given in Appendix A.

      Decryption is performed by removing the HMAC, verifying the HMAC
      against the remainder, and then decrypting the remainder if the
      HMAC is correct.

   In cases where the plaintext length is less than or equal to the
   block size, a different algorithm is specified:

      Each encryption will use a 16-octet nonce generated at random by
      the message originator.  The initialization vector (IV) used by
      AES is obtained by XORing the random nonce with the cipherState.

      The plaintext is padded with zeros so the length of the result is
      one block length (no zeros are added if the plaintext length
      equals the block length).  The padded plaintext is XORed with the
      IV, then encrypted using AES in ECB mode.  The output of AES is
      split into two parts, so that the length of the first part equals
      the length of the unpadded plaintext.  The nonce is also split
      into two parts, so that the length of the first part equals the
      length of the unpadded plaintext.

      The ciphertext is the concatenation of the first part of the
      random nonce, the second part of the AES output followed by the
      first part of the AES output, and the HMAC of the concatenation of
      the first part of the random nonce, the second part of the AES
      output followed by the first part of the AES output.  The HMAC is
      computed using either SHA-256 or SHA-384.  The output of SHA-256
      is truncated to 128 bits and the output of SHA-384 is truncated to
      192 bits.  Sample test vectors are given in Appendix A.

      Decryption is performed by first removing the HMAC, and verifying
      the HMAC against the remainder.  If the HMAC is correct, separate
      the remainder into N' and C' by taking the first 16 bytes as N',
      and the following bytes as C'.  Split N' into two parts, so that
      the length of the first part equals the length of C'.  Decrypt the
      concatenation of C' with the second part of N' using ECB mode to
      get a value P' whose length is one block length.  The nonce is
      recovered by taking the concatenation of the first part of N' with
      the second part of P' XORed with the cipherState (where again, the
      length of the first part equals the length of C').  The IV is
      recovered as the nonce XORed with cipherState, and the plaintext
      is recovered as the first part of P' XORed with the IV.

   The following parameters apply to the encryption types
   aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192.

   protocol key format: as defined in Section 2.

   specific key structure: three protocol-format keys: { Kc, Ke, Ki }.

   required checksum mechanism: as defined in Section 6.

   key-generation seed length: key size (128 or 256 bits).

   string-to-key function: as defined in Section 3.

   default string-to-key parameters: 00 00 80 00.

   random-to-key function: identity function.

   key-derivation function: KDF-HMAC-SHA2 as defined in Section 4.  The
   key usage number is expressed as four octets in big-endian order.

      Kc = KDF-HMAC-SHA2(base-key, usage | 0x99)
      Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA)
      Ki = KDF-HMAC-SHA2(base-key, usage | 0x55)

   cipherState: a 128-bit random nonce.

   initial cipherState: all bits zero.

   encryption function: as follows.  When the plaintext length is
   greater than the block size, CTS mode is used.  When the plaintext
   is less than or equal to the block size, ECB mode is used.
      h = size of truncated HMAC
      E() = encryption function
      D() = decryption function
      c = block size of the encryption algorithm
      L(x) = length of x
      < = less-than operator; true == 1, false == 0
      zeroblock = one block (length c) of zeros
      o[start:len] = sub-string operation returning the substring of
                     length len of string o starting at byte start
                     (zero-based)

   encryption function:
      N = random nonce of length 128 bits
      IV = N XOR cipherState
      if (L(P) > c)
         PC = 0
         P' = P
         C = E(Ke, P', IV)
             // using CBC-CS3-Encrypt defined
             // in [SP800-38A+]
         N' = N
         C' = C
      else
         PC = c - L(P)
         P' = P | zeroblock[0:PC]
         C = E(Ke, P' XOR IV)
             // using ECB mode
         N' = N[0:c - PC] | C[c - PC:PC]
         C' = C[0:c - PC]
      H = HMAC(Ki, N' | C')
      ciphertext = N' | C' | H[1..h]
      cipherState = N

   decryption function:
      (N', C', H) = ciphertext
      if (H != HMAC(Ki, N' | C')[1..h])
         stop, report error

      if (L(C') > c)
         // Not short-plaintext
         IV = N' XOR cipherState
         P = D(Ke, C', IV)
             // using CBC-CS3-Decrypt defined
             // in [SP800-38A+]
         cipherState = N'
         stop, output P, success
      else
         // Short plaintext
         PC = c - L(C')
         C = C' | N'[c - PC:PC]
         P' = D(Ke, C)
             // using ECB mode

         // P' here == (P | zeroblock[0:PC]) XOR IV
         // so IV[c - PC:PC] == P'[c - PC:PC]
         // In the non-short-pt case we'd recover
         // IV as N XOR cipherState, but here we only know
         // a head of N and a tail of IV.

         N = N'[0:c - PC] | (P' XOR cipherState)[c - PC:PC]
         IV = N XOR cipherState
         P = (P' XOR IV)[0:c - PC]
             // the plaintext is the first c - PC bytes;
             // the last PC bytes are the zero padding
         cipherState = N
         stop, output P, success

   pseudo-random function:
      Kp = KDF-HMAC-SHA2(protocol-key, "prf")
      PRF = HMAC(Kp, octet-string)

6.  Checksum Parameters

   The following parameters apply to the checksum types
   hmac-sha256-128-aes128 and hmac-sha384-192-aes256, which are the
   associated checksums for aes128-cts-hmac-sha256-128 and
   aes256-cts-hmac-sha384-192, respectively.

   associated cryptosystem: AES-128-CTS or AES-256-CTS as appropriate

   get_mic: HMAC(Kc, message)[1..h]

   verify_mic: get_mic and compare

7.  IANA Considerations

   IANA is requested to assign:

   Encryption type numbers for aes128-cts-hmac-sha256-128 and
   aes256-cts-hmac-sha384-192 in the Kerberos Encryption Type Numbers
   registry.

      Etype   encryption type              Reference
      -----   ---------------              ---------
      TBD1    aes128-cts-hmac-sha256-128   [this document]
      TBD2    aes256-cts-hmac-sha384-192   [this document]

   Checksum type numbers for hmac-sha256-128-aes128 and
   hmac-sha384-192-aes256 in the Kerberos Checksum Type Numbers
   registry.

      Sumtype   Checksum type            Size   Reference
      -------   -------------            ----   ---------
      TBD3      hmac-sha256-128-aes128   16     [this document]
      TBD4      hmac-sha384-192-aes256   24     [this document]

8.  Security Considerations

   This specification requires implementations to generate random
   values.  The use of inadequate pseudo-random number generators
   (PRNGs) can result in little or no security.  The generation of
   quality random numbers is difficult.  NIST Special Publication 800-90
   [SP800-90] and [RFC4086] offer random number generation guidance.

   This document specifies a mechanism for generating keys from pass
   phrases or passwords.  The salt and iteration count resist brute
   force and dictionary attacks; however, it is still important to
   choose or generate strong passphrases.

8.1.  Random Values in Salt Strings

   NIST guidance in Section 5.1 of [SP800-132] requires the salt used as
   input to the PBKDF to contain at least 128 bits of random.
   Some known issues with including random values in Kerberos encryption
   type salt strings are:

   *  Cross-realm TGTs are currently managed by entering the same
      password at two KDCs to get the same keys.  If each KDC uses a
      random salt, they won't have the same keys.

   *  The string-to-key function as defined in [RFC3961] requires the
      salt to be a valid UTF-8 string.  Not every 128-bit random string
      will be valid UTF-8.

   *  Current implementations of password history checking will not
      work.

   *  ktutil's add_entry command assumes the default salt.

9.  References

9.1.  Normative References

   [RFC3961]  Raeburn, K., "Encryption and Checksum Specifications for
              Kerberos 5", RFC 3961, February 2005.

   [RFC4086]  Eastlake 3rd, D., Schiller, J., and S. Crocker,
              "Randomness Requirements for Security", BCP 106,
              RFC 4086, June 2005.

   [FIPS197]  National Institute of Standards and Technology,
              "Advanced Encryption Standard (AES)", FIPS PUB 197,
              November 2001.

9.2.  Informative References

   [SP800-38A+]
              National Institute of Standards and Technology,
              "Recommendation for Block Cipher Modes of Operation:
              Three Variants of Ciphertext Stealing for CBC Mode",
              Addendum to NIST Special Publication 800-38A, October
              2010.

   [SP800-90] National Institute of Standards and Technology,
              "Recommendation for Random Number Generation Using
              Deterministic Random Bit Generators (Revised)", NIST
              Special Publication 800-90, March 2007.

   [SP800-108]
              National Institute of Standards and Technology,
              "Recommendation for Key Derivation Using Pseudorandom
              Functions", NIST Special Publication 800-108, October
              2009.

   [SP800-132]
              National Institute of Standards and Technology,
              "Recommendation for Password-Based Key Derivation, Part
              1: Storage Applications", NIST Special Publication
              800-132, June 2010.

   [suiteb-kerberos]
              Burgin, K. and K. Igoe, "Suite B Profile for Kerberos 5",
              Internet-Draft draft-burgin-kerberos-suiteb-01, 2012.

Appendix A.  Test Vectors

   Sample results for string-to-key conversion:
   --------------------------------------------

   Iteration count = 32768
   Pass phrase = "password"
   Saltp for creating 128-bit master key:
   61 65 73 31 32 38 2D 63 74 73 2D 68 6D 61 63 2D
   73 68 61 32 35 36 2D 31 32 38 00 10 DF 9D D7 83
   E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E
   41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E
   (The saltp is "aes128-cts-hmac-sha256-128" | 0x00 |
   random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn")
   128-bit master key:
   3C 44 03 85 28 06 BF 5C EE E6 36 48 6C 29 2F D6

   Saltp for creating 256-bit master key:
   61 65 73 32 35 36 2D 63 74 73 2D 68 6D 61 63 2D
   73 68 61 33 38 34 2D 31 39 32 00 10 DF 9D D7 83
   E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E
   41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E
   (The saltp is "aes256-cts-hmac-sha384-192" | 0x00 |
   random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn")
   256-bit master key:
   53 96 0C AF 44 D5 57 4D FF 4D 44 37 38 75 22 B0
   7F 5B 02 5C 5E 65 BF EF 29 C2 B4 28 98 3B 37 08

   Sample results for key derivation:
   ----------------------------------

   enctype aes128-cts-hmac-sha256-128:
   128-bit master key:
   37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C
   Kc value for key usage 2 (constant = 0x0000000299):
   B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3
   Ke value for key usage 2 (constant = 0x00000002AA):
   9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   Ki value for key usage 2 (constant = 0x0000000255):
   9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C

   enctype aes256-cts-hmac-sha384-192:
   256-bit master key:
   6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98
   00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52
   Kc value for key usage 2 (constant = 0x0000000299):
   EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4
   BA 41 F2 8F AF 69 E7 3D
   Ke value for key usage 2 (constant = 0x00000002AA):
   56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
   A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   Ki value for key usage 2 (constant = 0x0000000255):
   69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
   22 C4 D0 0F FC 23 ED 1F

   Sample encryptions (using the default cipher state):
   ----------------------------------------------------

   128-bit AES key:
   2B 7E 15 16 28 AE D2 A6 AB F7 15 88 09 CF 4F 3C
   128-bit HMAC key:
   67 C3 31 A4 D7 AB 52 EF 3A A9 73 E0 39 AD D3 32
   Nonce:
   7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48
   Plaintext: (length less than block size)
   49 6E 63 6F 6E 63 65 69 76 61 62 6C 65
   AES Output:
   1C 17 3E AD FC 67 C8 BC B3 A5 93 02 98 CB FC 60
   HMAC Output (truncated):
   35 E8 32 B2 EB F4 6A 46 C2 E6 50 D2 50 AB 84 43
   Ciphertext: (Nonce* | AES Output** | Truncated HMAC Output)
   7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 CB FC 60
   1C 17 3E AD FC 67 C8 BC B3 A5 93 02 98 35 E8 32
   B2 EB F4 6A 46 C2 E6 50 D2 50 AB 84 43

   * Only the first 13 bytes of Nonce are sent.
   ** The AES Output is split and rearranged as described in Section 5
      since the plaintext length is less than the block size.
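   The key derivation vectors earlier in this appendix can be reproduced
   with the Python standard library alone.  The following is an added
   example, not code from this draft or from any Kerberos
   implementation: KDF-HMAC-SHA2 (Section 4), the string-to-key
   procedure (Section 3), the Kc/Ke/Ki derivation (Section 5) and
   get_mic/verify_mic (Section 6).  The enctype names, usage constants,
   hash choices and truncation lengths are the draft's; the function
   names and the ENCTYPES table are this example's own, and the base
   key and usage number used in the demo are the ones from the vectors
   above.

```python
import hashlib
import hmac

# Per-enctype parameters taken from Sections 3, 4 and 6 of the draft:
# (HMAC hash, AES key length in bits, checksum/HMAC truncation h in bits).
ENCTYPES = {
    "aes128-cts-hmac-sha256-128": ("sha256", 128, 128),
    "aes256-cts-hmac-sha384-192": ("sha384", 256, 192),
}


def k_truncate(k_bits, data):
    """k-truncate from [RFC3961] Section 5.1: keep the first k bits."""
    return data[:k_bits // 8]


def kdf_hmac_sha2(enctype, key, constant):
    """KDF-HMAC-SHA2(key, constant) of Section 4: SP800-108 counter mode with
    a single PRF iteration,
        K1 = HMAC-SHA2(key, 00 00 00 01 | constant | 0x00 | [k]_4)
    and random-to-key the identity, so the result is k-truncate(K1)."""
    hash_name, _, _ = ENCTYPES[enctype]
    if hash_name == "sha256":
        k = 128                      # every derived key is 128 bits
    elif constant[-1] in (0x99, 0x55):
        k = 192                      # Kc and Ki for the aes256 enctype
    else:
        k = 256                      # Ke, and the base key from a passphrase
    data = b"\x00\x00\x00\x01" + constant + b"\x00" + k.to_bytes(4, "big")
    return k_truncate(k, hmac.new(key, data, hash_name).digest())


def string_to_key(enctype, passphrase, salt, iter_count=32768):
    """Section 3: saltp = enctype-name | 0x00 | salt; PBKDF2 with the
    enctype's HMAC as PRF; then KDF-HMAC-SHA2 with the label "kerberos"."""
    hash_name, key_bits, _ = ENCTYPES[enctype]
    saltp = enctype.encode("ascii") + b"\x00" + salt
    tkey = hashlib.pbkdf2_hmac(hash_name, passphrase, saltp, iter_count,
                               key_bits // 8)
    return kdf_hmac_sha2(enctype, tkey, b"kerberos")


def derive_usage_keys(enctype, base_key, usage):
    """Kc, Ke, Ki of Section 5: the constant is the big-endian usage number
    followed by 0x99, 0xAA or 0x55."""
    u = usage.to_bytes(4, "big")
    return (kdf_hmac_sha2(enctype, base_key, u + b"\x99"),
            kdf_hmac_sha2(enctype, base_key, u + b"\xAA"),
            kdf_hmac_sha2(enctype, base_key, u + b"\x55"))


def get_mic(enctype, kc, message):
    """Section 6 checksum: HMAC(Kc, message) truncated to h bits."""
    hash_name, _, h_bits = ENCTYPES[enctype]
    return hmac.new(kc, message, hash_name).digest()[:h_bits // 8]


def verify_mic(enctype, kc, message, mic):
    """verify_mic: recompute get_mic and compare without leaking timing."""
    return hmac.compare_digest(get_mic(enctype, kc, message), mic)


if __name__ == "__main__":
    # Base key and usage number from the key derivation vectors in Appendix A.
    base = bytes.fromhex("3705D96080C17728A0E800EAB6E0D23C")
    for name, k in zip(("Kc", "Ke", "Ki"),
                       derive_usage_keys("aes128-cts-hmac-sha256-128", base, 2)):
        print(name, k.hex())
```

   The branch on the last byte of the constant is what the text of
   Section 4 means by "the constant ends with 0x99 or 0x55": the label
   "kerberos" ends in 0x73, so a passphrase-derived aes256 base key gets
   the 256-bit output length, while Kc and Ki for that enctype get 192
   bits and are therefore shorter than the AES key they sit beside.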
   128-bit AES key:
   2B 7E 15 16 28 AE D2 A6 AB F7 15 88 09 CF 4F 3C
   128-bit HMAC key:
   67 C3 31 A4 D7 AB 52 EF 3A A9 73 E0 39 AD D3 32
   Nonce:
   7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48
   Plaintext: (length equals block size)
   67 61 73 74 72 6F 69 6E 74 65 73 74 69 6E 61 6C
   AES Output:
   F6 71 0B 75 0C 60 65 E8 2E BF F8 9D DC E0 C9 B9
   HMAC Output (truncated):
   7B 2C D9 70 E6 DF 18 F5 E0 3D 8B 8E 40 02 F4 C0
   Ciphertext: (Nonce | AES Output | Truncated HMAC Output)
   7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48
   F6 71 0B 75 0C 60 65 E8 2E BF F8 9D DC E0 C9 B9
   7B 2C D9 70 E6 DF 18 F5 E0 3D 8B 8E 40 02 F4 C0

   256-bit AES key:
   60 3D EB 10 15 CA 71 BE 2B 73 AE F0 85 7D 77 81
   1F 35 2C 07 3B 61 08 D7 2D 98 10 A3 09 14 DF F4
   192-bit HMAC key:
   37 16 14 EB 62 24 E1 F0 C4 72 6E E6 BE A7 A3 D2
   F4 62 C6 AC 66 42 A6 AC
   Nonce:
   7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48
   Plaintext: (length less than block size)
   49 6E 63 6F 6E 63 65 69 76 61 62 6C 65
   AES Output:
   BD AE EC 5C F9 C9 B6 3C 9D DB A2 B7 9D 5C 6C 0B
   HMAC Output (truncated):
   65 D4 C7 07 8E 14 65 8B C9 B3 C4 EA F5 F7 C2 6F
   ED 36 AC 7A CD 59 19 2B
   Ciphertext: (Nonce* | AES Output** | Truncated HMAC Output)
   7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 5C 6C 0B
   BD AE EC 5C F9 C9 B6 3C 9D DB A2 B7 9D 65 D4 C7
   07 8E 14 65 8B C9 B3 C4 EA F5 F7 C2 6F ED 36 AC
   7A CD 59 19 2B

   * Only the first 13 bytes of Nonce are sent.
   ** The AES Output is split and rearranged as described in Section 5
      since the plaintext length is less than the block size.
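   The short-plaintext samples above show the byte layout that the
   encryption function of Section 5 produces when the plaintext does not
   exceed one block.  The following added example (not the draft's code,
   and not taken from any Kerberos implementation) writes out that
   encryption and decryption function in Python: the CBC-CS3 mode for
   longer plaintexts, the ECB-and-rearrange case for short ones, and the
   HMAC check that runs before anything is decrypted.  The block cipher
   is passed in as an object with encrypt_block/decrypt_block methods;
   ToyBlockCipher is a placeholder permutation that lets the file run
   offline and is not AES, so it must be replaced by AES-ECB
   single-block calls from a cryptographic library to reproduce the AES
   Output values above.  Only the nonce/AES-output rearrangement
   (pack_short) is checked here against the first 128-bit sample; the
   function names are this example's own.

```python
import hmac
import secrets

BLOCK = 16  # c: the AES block size in bytes


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class ToyBlockCipher:
    """Keyed, invertible 16-byte permutation used here only so the framing
    can be exercised offline.  Placeholder with no security; replace with
    AES-ECB single-block calls from a cryptographic library."""

    def __init__(self, key):
        self.key = key[:BLOCK]

    def encrypt_block(self, block):
        t = xor(block, self.key)
        return t[3:] + t[:3]            # rotate bytes left by three

    def decrypt_block(self, block):
        t = block[-3:] + block[:-3]     # rotate bytes right by three
        return xor(t, self.key)


def cbc_cs3_encrypt(bc, iv, p):
    """CBC-CS3 ([SP800-38A+]): CBC over the zero-padded plaintext, last two
    blocks swapped and the penultimate one truncated.  Requires L(P) > c."""
    r = len(p) % BLOCK or BLOCK         # length of the final (partial) block
    padded = p + b"\x00" * (BLOCK - r)
    blocks, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = bc.encrypt_block(xor(padded[i:i + BLOCK], prev))
        blocks.append(prev)
    return b"".join(blocks[:-2]) + blocks[-1] + blocks[-2][:r]


def cbc_cs3_decrypt(bc, iv, c):
    r = len(c) % BLOCK or BLOCK
    head, c_last, c_pen = c[:-(BLOCK + r)], c[-(BLOCK + r):-r], c[-r:]
    d_last = bc.decrypt_block(c_last)   # = C_{n-1} XOR (P_n | zeros)
    c_pen_full = c_pen + d_last[r:]     # the stolen tail of C_{n-1}
    out, prev = [], iv
    for i in range(0, len(head), BLOCK):
        out.append(xor(bc.decrypt_block(head[i:i + BLOCK]), prev))
        prev = head[i:i + BLOCK]
    out.append(xor(bc.decrypt_block(c_pen_full), prev))
    out.append(xor(d_last[:r], c_pen_full[:r]))
    return b"".join(out)


def pack_short(nonce, aes_out, plen):
    """Short-plaintext layout of Section 5: N' = N[0:plen] | C[plen:],
    C' = C[0:plen], so exactly 16 + plen bytes precede the HMAC."""
    return nonce[:plen] + aes_out[plen:], aes_out[:plen]


def encrypt(bc, ki, hash_name, h, plaintext, cipher_state, nonce=None):
    """Section 5 encryption function.  bc is keyed with Ke, ki is Ki, h is the
    HMAC truncation length in bytes.  Returns (ciphertext, new cipherState)."""
    n = nonce if nonce is not None else secrets.token_bytes(BLOCK)
    iv = xor(n, cipher_state)
    if len(plaintext) > BLOCK:
        n_prime, c_prime = n, cbc_cs3_encrypt(bc, iv, plaintext)
    else:
        padded = plaintext + b"\x00" * (BLOCK - len(plaintext))
        c = bc.encrypt_block(xor(padded, iv))       # one ECB block
        n_prime, c_prime = pack_short(n, c, len(plaintext))
    tag = hmac.new(ki, n_prime + c_prime, hash_name).digest()[:h]
    return n_prime + c_prime + tag, n


def verify_tag(ki, hash_name, h, ciphertext):
    """The integrity check that precedes any decryption: HMAC over N' | C'."""
    if len(ciphertext) < BLOCK + h:
        return False
    body, tag = ciphertext[:-h], ciphertext[-h:]
    expected = hmac.new(ki, body, hash_name).digest()[:h]
    return hmac.compare_digest(tag, expected)


def decrypt(bc, ki, hash_name, h, ciphertext, cipher_state):
    """Section 5 decryption function.  Returns (plaintext, new cipherState);
    raises ValueError without decrypting anything if the HMAC is wrong."""
    if not verify_tag(ki, hash_name, h, ciphertext):
        raise ValueError("integrity check failed")
    body = ciphertext[:-h]
    n_prime, c_prime = body[:BLOCK], body[BLOCK:]
    if len(c_prime) > BLOCK:                        # CTS case
        return cbc_cs3_decrypt(bc, xor(n_prime, cipher_state), c_prime), n_prime
    plen = len(c_prime)                             # short-plaintext case
    p_prime = bc.decrypt_block(c_prime + n_prime[plen:])   # (P | zeros) XOR IV
    n = n_prime[:plen] + xor(p_prime, cipher_state)[plen:]  # IV tail gives N tail
    iv = xor(n, cipher_state)
    return xor(p_prime, iv)[:plen], n
```

   One point the code makes concrete: in the short-plaintext case the
   receiver cannot form IV = N XOR cipherState before the single ECB
   decryption, because only the first L(P) bytes of the nonce are
   transmitted; the remaining nonce bytes come out of the tail of P',
   which equals the tail of the IV because the padding is all zeros.
   The empty plaintext is the extreme of that case: nothing of the
   nonce is sent, N' is the whole AES output, and decrypting it yields
   the IV directly.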
   256-bit AES key:
   60 3D EB 10 15 CA 71 BE 2B 73 AE F0 85 7D 77 81
   1F 35 2C 07 3B 61 08 D7 2D 98 10 A3 09 14 DF F4
   192-bit HMAC key:
   37 16 14 EB 62 24 E1 F0 C4 72 6E E6 BE A7 A3 D2
   F4 62 C6 AC 66 42 A6 AC
   Nonce:
   7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48
   Plaintext: (length equals block size)
   67 61 73 74 72 6F 69 6E 74 65 73 74 69 6E 61 6C
   AES Output:
   5D E5 49 BE D6 50 23 18 78 8F 14 D2 E1 17 E0 5A
   HMAC Output (truncated):
   2C EA DF D5 B0 60 38 DE A9 22 29 2D 7C 56 50 10
   C5 D6 D2 8D F6 21 E9 7A
   Ciphertext: (Nonce | AES Output | Truncated HMAC Output)
   7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48
   5D E5 49 BE D6 50 23 18 78 8F 14 D2 E1 17 E0 5A
   2C EA DF D5 B0 60 38 DE A9 22 29 2D 7C 56 50 10
   C5 D6 D2 8D F6 21 E9 7A

   128-bit AES key:
   9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   128-bit HMAC key:
   9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C
   Nonce:
   8D 32 50 F6 36 AB 81 02 BE 6F AB 1E 57 D8 F8 17
   Plaintext: (length greater than the block size)
   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   10 11 12 13 14
   AES Output:
   13 64 FB 39 DC C0 E3 D9 83 A7 DB 5B 4B 9F FB CA
   42 F6 65 88 29
   HMAC Output (truncated):
   F2 1F C8 95 75 AE 93 C7 57 18 AB 3C 7C FB 28 E1
   Ciphertext: (Nonce | AES Output | HMAC Output)
   8D 32 50 F6 36 AB 81 02 BE 6F AB 1E 57 D8 F8 17
   13 64 FB 39 DC C0 E3 D9 83 A7 DB 5B 4B 9F FB CA
   42 F6 65 88 29 F2 1F C8 95 75 AE 93 C7 57 18 AB
   3C 7C FB 28 E1

   256-bit AES key:
   56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
   A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   192-bit HMAC key:
   69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
   22 C4 D0 0F FC 23 ED 1F
   Nonce:
   8D 32 50 F6 36 AB 81 02 BE 6F AB 1E 57 D8 F8 17
   Plaintext: (length greater than the block size)
   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   10 11 12 13 14
   AES Output:
   50 CB FF DC DF 38 69 D7 0B EA FF C3 2C 47 0B C6
   5B 72 C3 37 2D
   HMAC Output (truncated):
   6E D7 B3 47 E9 0B BD 8F 31 F5 79 58 F9 69 50 BA
   A1 41 64 6E 65 6C F6 7C
   Ciphertext: (Nonce | AES Output | HMAC Output)
   8D 32 50 F6 36 AB 81 02 BE 6F AB 1E 57 D8 F8 17
   50 CB FF DC DF 38 69 D7 0B EA FF C3 2C 47 0B C6
   5B 72 C3 37 2D 6E D7 B3 47 E9 0B BD 8F 31 F5 79
   58 F9 69 50 BA A1 41 64 6E 65 6C F6 7C

   Sample checksums:
   -----------------

   Checksum type: hmac-sha256-128-aes128
   128-bit master key:
   37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C
   128-bit HMAC key (Kc, key usage 2):
   B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3
   Plaintext:
   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   10 11 12 13 14
   Checksum:
   D7 83 67 18 66 43 D6 7B 41 1C BA 91 39 FC 1D EE

   Checksum type: hmac-sha384-192-aes256
   256-bit master key:
   6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98
   00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52
   192-bit HMAC key (Kc, key usage 2):
   EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4
   BA 41 F2 8F AF 69 E7 3D
   Plaintext:
   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   10 11 12 13 14
   Checksum:
   45 EE 79 15 67 EE FC A3 7F 4A C1 E0 22 2D E8 0D
   43 C3 BF A0 66 99 67 2A

Authors' Addresses

   Kelley W. Burgin
   National Security Agency

   EMail: kwburgi@tycho.ncsc.mil

   Michael A. Peck
   The MITRE Corporation

   EMail: mpeck@mitre.org