idnits 2.17.1

draft-ietf-kitten-aes-cts-hmac-sha2-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 270 has weird spacing: '... Etype encr...'

  -- The document date (May 6, 2014) is 3636 days in the past.  Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  ** Obsolete normative reference: RFC 2898 (Obsoleted by RFC 8018)

     Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                         M. Jenkins
Internet Draft                                  National Security Agency
Intended Status: Informational                                   M. Peck
Expires: November 7, 2014                          The MITRE Corporation
                                                               K. Burgin
                                                             May 6, 2014

              AES Encryption with HMAC-SHA2 for Kerberos 5
                 draft-ietf-kitten-aes-cts-hmac-sha2-02

Abstract

   This document specifies two encryption types and two corresponding
   checksum types for Kerberos 5.  The new types use AES in CTS mode
   (CBC mode with ciphertext stealing) for confidentiality and HMAC with
   a SHA-2 hash for integrity.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 20, 2014.

Copyright and License Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Protocol Key Representation
   3.  Key Derivation Function
   4.  Key Generation from Pass Phrases
   5.  Kerberos Algorithm Protocol Parameters
   6.  Checksum Parameters
   7.  IANA Considerations
   8.  Security Considerations
     8.1.  Random Values in Salt Strings
   9.  Acknowledgements
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Appendix A.  Test Vectors
   Authors' Addresses

1.  Introduction

   This document defines two encryption types and two corresponding
   checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys.

   To avoid ciphertext expansion, we use a variation of the CBC-CS3 mode
   defined in [SP800-38A+], also referred to as ciphertext stealing or
   CTS mode.  The new types conform to the framework specified in
   [RFC3961], but do not use the simplified profile.

   The encryption and checksum types defined in this document are
   intended to support environments that desire to use SHA-256 or
   SHA-384 as the hash algorithm.  Differences between the encryption
   and checksum types defined in this document and the pre-existing
   Kerberos AES encryption and checksum types specified in [RFC3962]
   are:

   *  The pseudorandom function used by PBKDF2 is HMAC-SHA-256 or
      HMAC-SHA-384.

   *  A key derivation function from [SP800-108] using the SHA-256 or
      SHA-384 hash algorithm is used to produce keys for encryption,
      integrity protection, and checksum operations.

   *  The HMAC is calculated over the cipherstate concatenated with the
      AES output, instead of being calculated over the confounder and
      plaintext.  This allows the message receiver to verify the
      integrity of the message before decrypting the message.

   *  The HMAC algorithm uses the SHA-256 or SHA-384 hash algorithm for
      integrity protection and checksum operations.

2.  Protocol Key Representation

   The AES key space is dense, so we can use random or pseudorandom
   octet strings directly as keys.  The byte representation for the key
   is described in [FIPS197], where the first bit of the bit string is
   the high bit of the first byte of the byte string (octet string).

3.  Key Derivation Function

   We use a key derivation function from Section 5.1 of [SP800-108]
   which uses the HMAC algorithm as the PRF.  The counter i is expressed
   as four octets in big-endian order.  The length of the output key in
   bits (denoted as k) is also represented as four octets in big-endian
   order.  The "Label" input to the KDF is the usage constant supplied
   to the key derivation function, and the "Context" input is null.
   Each application of the KDF only requires a single iteration of the
   PRF, so n = 1 in the notation of [SP800-108].

   In the following summary, | indicates concatenation.  The
   random-to-key function is the identity function.  The k-truncate
   function is defined in [RFC3961], Section 5.1.

   When the encryption type is aes128-cts-hmac-sha256-128, the output
   key length k is 128 bits for all applications of KDF-HMAC-SHA2(key,
   constant) which is computed as follows:

      K1 = HMAC-SHA-256(key, 00 00 00 01 | constant | 00 | 00 00 00 80)
      KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1))

   When the encryption type is aes256-cts-hmac-sha384-192, the output
   key length k is 256 bits when deriving the base-key (from a
   passphrase as described in Section 4) and Ke, and the output key
   length k is 192 bits when deriving Kc and Ki.
   KDF-HMAC-SHA2(key, constant) is computed as follows:

   If deriving Kc or Ki (the constant ends with 0x99 or 0x55):
      k = 192
      K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 00 C0)
      KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1))

   If deriving the base-key (the constant is "kerberos", the byte
   string 0x6B65726265726F73) or Ke (the constant ends with 0xAA):
      k = 256
      K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 01 00)
      KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1))

4.  Key Generation from Pass Phrases

   PBKDF2 [RFC2898] is used to derive the base-key from a passphrase
   and salt.

   If no string-to-key parameters are specified, the default number of
   iterations is 32,768.

   To ensure that different long-term base-keys are used with
   different enctypes, we prepend the enctype name to the salt,
   separated by a null byte.  The enctype-name is
   "aes128-cts-hmac-sha256-128" or "aes256-cts-hmac-sha384-192"
   (without the quotes).  The user's long-term base-key is derived as
   follows

      saltp = enctype-name | 0x00 | salt
      tkey = random-to-key(PBKDF2(passphrase, saltp,
                                  iter_count, keylength))
      base-key = KDF-HMAC-SHA2(tkey, "kerberos") where "kerberos" is the
                 byte string {0x6B65726265726F73}.

   where the pseudorandom function used by PBKDF2 is HMAC-SHA-256 when
   the enctype is "aes128-cts-hmac-sha256-128" and HMAC-SHA-384 when the
   enctype is "aes256-cts-hmac-sha384-192", the value for keylength is
   the AES key length (128 or 256 bits), and the algorithm KDF-HMAC-SHA2
   is defined in Section 3.

5.  Kerberos Algorithm Protocol Parameters

   The cipherstate is used as the formal initialization vector (IV)
   input into CBC-CS3.  The plaintext is prepended with a 16-octet
   random nonce generated by the message originator, known as a
   confounder.

   The ciphertext is a concatenation of the output of AES in CBC-CS3
   mode and the HMAC of the cipherstate concatenated with the AES
   output.  The HMAC is computed using either SHA-256 or SHA-384
   depending on the encryption type.  The output of HMAC-SHA-256 is
   truncated to 128 bits and the output of HMAC-SHA-384 is truncated to
   192 bits.  Sample test vectors are given in Appendix A.

   Decryption is performed by removing the HMAC, verifying the HMAC
   against the cipherstate concatenated with the ciphertext, and then
   decrypting the ciphertext if the HMAC is correct.  Finally, the first
   16 octets of the decryption output (the confounder) are discarded,
   and the remainder is returned as the plaintext decryption output.

   The following parameters apply to the encryption types
   aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192.

   protocol key format: as defined in Section 2.

   specific key structure: three protocol-format keys: { Kc, Ke, Ki }.

   required checksum mechanism: as defined in Section 6.

   key-generation seed length: key size (128 or 256 bits).

   string-to-key function: as defined in Section 4.

   default string-to-key parameters: 00 00 80 00.

   random-to-key function: identity function.

   key-derivation function: KDF-HMAC-SHA2 as defined in Section 3.  The
   key usage number is expressed as four octets in big-endian order.

      Kc = KDF-HMAC-SHA2(base-key, usage | 0x99)
      Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA)
      Ki = KDF-HMAC-SHA2(base-key, usage | 0x55)

   cipherstate: a 128-bit CBC initialization vector.

   initial cipherstate: all bits zero.

   encryption function: as follows, where E() is AES encryption in
   CBC-CS3 mode, h is the size of truncated HMAC, and c is the AES
   block size.

      N = random nonce of length c (128 bits)
      IV = cipherstate
      C = E(Ke, N | plaintext, IV)
      H = HMAC(Ki, IV | C)
      ciphertext = C | H[1..h]
      cipherstate = next-to-last 128-bit block of C
      Note: if C is only a single block, then cipherstate = C

   decryption function: as follows, where D() is AES decryption in
   CBC-CS3 mode, and h is the size of truncated HMAC.

      (C, H) = ciphertext
      IV = cipherstate
      if H != HMAC(Ki, IV | C)[1..h]
          stop, report error
      (N, P) = D(Ke, C, IV)
      Note: N is set to the first block of the decryption output,
            P is set to the rest of the output.
      cipherstate = next-to-last 128-bit block of C
      Note: if C is only a single block, then cipherstate = C

   pseudo-random function:
      Kp = KDF-HMAC-SHA2(protocol-key, "prf")
      PRF = HMAC(Kp, octet-string)

6.  Checksum Parameters

   The following parameters apply to the checksum types
   hmac-sha256-128-aes128 and hmac-sha384-192-aes256, which are the
   associated checksums for aes128-cts-hmac-sha256-128 and
   aes256-cts-hmac-sha384-192, respectively.

   associated cryptosystem: AES-128-CTS or AES-256-CTS as appropriate.

   get_mic: HMAC(Kc, message)[1..h].

   verify_mic: get_mic and compare.

7.  IANA Considerations

   IANA is requested to assign:

   Encryption type numbers for aes128-cts-hmac-sha256-128 and
   aes256-cts-hmac-sha384-192 in the Kerberos Encryption Type Numbers
   registry.

      Etype   encryption type              Reference
      -----   ---------------              ---------
      TBD1    aes128-cts-hmac-sha256-128   [this document]
      TBD2    aes256-cts-hmac-sha384-192   [this document]

   Checksum type numbers for hmac-sha256-128-aes128 and
   hmac-sha384-192-aes256 in the Kerberos Checksum Type Numbers
   registry.

      Sumtype   Checksum type            Size   Reference
      -------   -------------            ----   ---------
      TBD3      hmac-sha256-128-aes128   16     [this document]
      TBD4      hmac-sha384-192-aes256   24     [this document]

8.  Security Considerations

   This specification requires implementations to generate random
   values.  The use of inadequate pseudo-random number generators
   (PRNGs) can result in little or no security.  The generation of
   quality random numbers is difficult.  [RFC4086] offers random number
   generation guidance.

   This document specifies a mechanism for generating keys from pass
   phrases or passwords.  The salt and iteration count resist brute
   force and dictionary attacks; however, it is still important to
   choose or generate strong passphrases.

   NIST guidance in section 5.3 of [SP800-38A] requires CBC
   initialization vectors be unpredictable.  This specification does not
   formally comply with that guidance.  However, the use of a confounder
   as the first block of plaintext fills the cryptographic role
   typically played by an initialization vector.  This approach was
   chosen to align with other Kerberos cryptosystem approaches.

8.1.  Random Values in Salt Strings

   NIST guidance in Section 5.1 of [SP800-132] requires the salt used as
   input to the PBKDF to contain at least 128 bits of random.  Some
   known issues with including random values in Kerberos encryption type
   salt strings are:

   *  Cross-realm TGTs are currently managed by entering the same
      password at two KDCs to get the same keys.  If each KDC uses a
      random salt, they won't have the same keys.

   *  The string-to-key function as defined in [RFC3961] requires the
      salt to be valid UTF-8 strings.  Not every 128-bit random string
      will be valid UTF-8.

   *  Current implementations of password history checking will not
      work.

   *  ktutil's add_entry command assumes the default salt.

9.  Acknowledgements

   Kelley Burgin was employed at the National Security Agency during
   much of the work on this document.

10.  References

10.1.  Normative References

   [RFC2898]    Kaliski, B., "PKCS #5: Password-Based Cryptography
                Specification Version 2.0", RFC 2898, September 2000.

   [RFC3961]    Raeburn, K., "Encryption and Checksum Specifications for
                Kerberos 5", RFC 3961, February 2005.

   [RFC3962]    Raeburn, K., "Advanced Encryption Standard (AES)
                Encryption for Kerberos 5", RFC 3962, February 2005.

   [FIPS197]    National Institute of Standards and Technology,
                "Advanced Encryption Standard (AES)", FIPS PUB 197,
                November 2001.

   [SP800-38A+] National Institute of Standards and Technology,
                "Recommendation for Block Cipher Modes of Operation:
                Three Variants of Ciphertext Stealing for CBC Mode",
                NIST Special Publication 800-38A Addendum, October 2010.

   [SP800-108]  National Institute of Standards and Technology,
                "Recommendation for Key Derivation Using Pseudorandom
                Functions", NIST Special Publication 800-108, October
                2009.

10.2.  Informative References

   [RFC4086]    Eastlake 3rd, D., Schiller, J., and S. Crocker,
                "Randomness Requirements for Security", BCP 106, RFC
                4086, June 2005.

   [SP800-38A]  National Institute of Standards and Technology,
                "Recommendation for Block Cipher Modes of Operation:
                Methods and Techniques", NIST Special Publication
                800-38A, December 2001.

   [SP800-132]  National Institute of Standards and Technology,
                "Recommendation for Password-Based Key Derivation, Part
                1: Storage Applications", NIST Special Publication
                800-132, June 2010.

Appendix A.  Test Vectors

   Sample results for string-to-key conversion:
   --------------------------------------------

   Iteration count = 32768
   Pass phrase = "password"
   Saltp for creating 128-bit base-key:
      61 65 73 31 32 38 2D 63 74 73 2D 68 6D 61 63 2D
      73 68 61 32 35 36 2D 31 32 38 00 10 DF 9D D7 83
      E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E
      41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E

   (The saltp is "aes128-cts-hmac-sha256-128" | 0x00 |
    random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn")
   128-bit base-key:
      08 9B CA 48 B1 05 EA 6E A7 7C A5 D2 F3 9D C5 E7

   Saltp for creating 256-bit base-key:
      61 65 73 32 35 36 2D 63 74 73 2D 68 6D 61 63 2D
      73 68 61 33 38 34 2D 31 39 32 00 10 DF 9D D7 83
      E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E
      41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E
   (The saltp is "aes256-cts-hmac-sha384-192" | 0x00 |
    random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn")
   256-bit base-key:
      45 BD 80 6D BF 6A 83 3A 9C FF C1 C9 45 89 A2 22
      36 7A 79 BC 21 C4 13 71 89 06 E9 F5 78 A7 84 67

   Sample results for key derivation:
   ----------------------------------

   enctype aes128-cts-hmac-sha256-128:
   128-bit base-key:
      37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C

   Kc value for key usage 2 (constant = 0x0000000299):
      B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3
   Ke value for key usage 2 (constant = 0x00000002AA):
      9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   Ki value for key usage 2 (constant = 0x0000000255):
      9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C

   enctype aes256-cts-hmac-sha384-192:
   256-bit base-key:
      6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98
      00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52
   Kc value for key usage 2 (constant = 0x0000000299):
      EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4
      BA 41 F2 8F AF 69 E7 3D
   Ke value for key usage 2 (constant = 0x00000002AA):
      56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
      A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   Ki value for key usage 2 (constant = 0x0000000255):
      69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
      22 C4 D0 0F FC 23 ED 1F

   Sample encryptions (all using the default cipher state):
   ----------------------------------------------------

   The following test vectors are for
   enctype aes128-cts-hmac-sha256-128:

   Plaintext: (empty)
   Confounder:
      7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48
   128-bit AES key:
      9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   128-bit HMAC key:
      9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C
   AES Output:
      EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D
   Truncated HMAC Output:
      AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18
   Ciphertext (AES Output | HMAC Output):
      EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D
      AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18

   Plaintext: (length less than block size)
      00 01 02 03 04 05
   Confounder:
      7B CA 28 5E 2F D4 13 0F B5 5B 1A 5C 83 BC 5B 24
   128-bit AES key:
      4E FD A6 52 4E 6B 56 B4 F2 12 61 FB FC 93 21 AB
   128-bit HMAC key:
      29 1B 0C 37 73 D7 6E E6 BA 2C CF 1E 03 93 F6 3E
   AES Output:
      AB 70 F4 BA 9D 76 55 AF 24 B5 76 E4 6E FB 7A 98
      F1 4B 93 65 9D 1B
   Truncated HMAC Output:
      A0 C5 F4 7C AA 84 42 19 F9 08 AD ED EF 52 5B 71
   Ciphertext:
      AB 70 F4 BA 9D 76 55 AF 24 B5 76 E4 6E FB 7A 98
      F1 4B 93 65 9D 1B A0 C5 F4 7C AA 84 42 19 F9 08
      AD ED EF 52 5B 71

   Plaintext: (length equals block size)
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Confounder:
      56 AB 21 71 3F F6 2C 0A 14 57 20 0F 6F A9 94 8F
   128-bit AES key:
      FF 82 40 42 4B CC BA 05 56 50 C0 39 3B 83 DF 3B
   128-bit HMAC key:
      ED 15 62 8B 45 35 8C BF 7F 50 E7 64 C2 6B 8A 1A
   AES Output:
      E7 34 8E 74 86 E5 A7 87 0F 51 2E 65 CA C8 65 75
      78 26 FF C0 EA 5B 28 A8 B9 60 8B B3 08 CD E2 CC
   Truncated HMAC Output:
      C1 85 4E F2 F3 4D 02 35 4E C7 AA 53 BE 03 BE D5
   Ciphertext:
      E7 34 8E 74 86 E5 A7 87 0F 51 2E 65 CA C8 65 75
      78 26 FF C0 EA 5B 28 A8 B9 60 8B B3 08 CD E2 CC
      C1 85 4E F2 F3 4D 02 35 4E C7 AA 53 BE 03 BE D5

   Plaintext: (length greater than block size)
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      10 11 12 13 14
   Confounder:
      A7 A4 E2 9A 47 28 CE 10 66 4F B6 4E 49 AD 3F AC
   128-bit AES key:
      B5 9B 88 75 AD 5D CA FF F7 79 4D 93 F8 19 9D 79
   128-bit HMAC key:
      0A 42 1D 72 2F 8F C2 D6 84 8B 1C DA D1 5A 49 C9
   AES Output:
      C3 53 72 86 FF 9C FE 49 8D 2E FC FC 99 6D AC 2D
      52 CA 56 03 B3 E8 68 EA 1E 9C 54 E8 2A E5 CE 7A
      79 3E 21 09 7D
   Truncated HMAC Output:
      5B 03 5D 78 A7 E9 84 75 EC 91 0C E3 7A A0 2A 7D
   Ciphertext:
      C3 53 72 86 FF 9C FE 49 8D 2E FC FC 99 6D AC 2D
      52 CA 56 03 B3 E8 68 EA 1E 9C 54 E8 2A E5 CE 7A
      79 3E 21 09 7D 5B 03 5D 78 A7 E9 84 75 EC 91 0C
      E3 7A A0 2A 7D

   The following test vectors are for enctype
   aes256-cts-hmac-sha384-192:

   Plaintext: (empty)
   Confounder:
      F7 64 E9 FA 15 C2 76 47 8B 2C 7D 0C 4E 5F 58 E4
   256-bit AES key:
      0F A2 0D 7D 03 33 EE 65 16 2C DA 67 E7 AD 0D 3C
      5E 03 1F 3B 66 70 E0 31 28 2F AC C2 87 9C 21 C7
   192-bit HMAC key:
      53 BF 30 6A 68 33 A3 25 18 FC B8 5F 63 1D 03 D5
      2E E3 1B 39 75 2F 57 ED
   AES Output:
      FE 6A 55 14 F3 99 7C 8C AA F2 2D 8E EE 28 6D 7D
   Truncated HMAC Output:
      81 1E AD AE DA 7F B9 75 AD 96 C0 07 5A 98 83 F9
      AC 3A AB 06 97 FC E8 5A
   Ciphertext:
      FE 6A 55 14 F3 99 7C 8C AA F2 2D 8E EE 28 6D 7D
      81 1E AD AE DA 7F B9 75 AD 96 C0 07 5A 98 83 F9
      AC 3A AB 06 97 FC E8 5A

   Plaintext: (length less than block size)
      00 01 02 03 04 05
   Confounder:
      B8 0D 32 51 C1 F6 47 14 94 25 6F FE 71 2D 0B 9A
   256-bit AES key:
      47 DA 4C A2 8B D1 C1 14 D5 50 7E 55 81 86 CA 4F
      DB A0 DA E5 B2 4F 6D 68 89 D5 3A FB F1 D0 B8 36
   192-bit HMAC key:
      13 6B 5C 83 C9 53 AE 29 E2 C2 31 6A 7B 34 B8 C2
      AD 26 E4 66 7F AB 42 6E
   AES Output:
      14 78 CF 26 BA 5E 7D 3A 9D C7 99 7A 80 10 76 2C
      74 3B D4 BC 22 EC
   Truncated HMAC Output:
      17 2A B2 BB 12 B0 0D BE C2 BF E6 29 CF DD 62 EC
      3E 45 83 8F A9 FB AE 6E
   Ciphertext:
      14 78 CF 26 BA 5E 7D 3A 9D C7 99 7A 80 10 76 2C
      74 3B D4 BC 22 EC 17 2A B2 BB 12 B0 0D BE C2 BF
      E6 29 CF DD 62 EC 3E 45 83 8F A9 FB AE 6E

   Plaintext: (length equals block size)
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Confounder:
      53 BF 8A 0D 10 52 65 D4 E2 76 42 86 24 CE 5E 63
   256-bit AES key:
      5E A6 16 D8 FD A2 33 F1 B4 99 79 A4 B9 FA 01 D3
      21 B1 3D 6F BD 6E 3B B7 2E 54 B4 85 E2 36 AF 23
   192-bit HMAC key:
      AD D3 8D C9 86 83 C5 CC 14 E3 C7 37 EA A7 06 47
      B3 19 71 0E 87 6A 38 77
   AES Output:
      B6 0B 6A A6 00 C2 D8 4B 03 A6 1C 18 DD A7 05 F0
      FE 90 B9 36 B8 8C 4F EA 06 D7 1A 99 35 75 28 60
   Truncated HMAC Output:
      2F E5 BD 6E 41 78 17 D6 2A D2 C9 CF 50 8D FA E1
      B3 C9 6F 4B 45 C1 9B 77
   Ciphertext:
      B6 0B 6A A6 00 C2 D8 4B 03 A6 1C 18 DD A7 05 F0
      FE 90 B9 36 B8 8C 4F EA 06 D7 1A 99 35 75 28 60
      2F E5 BD 6E 41 78 17 D6 2A D2 C9 CF 50 8D FA E1
      B3 C9 6F 4B 45 C1 9B 77

   Plaintext: (length greater than block size)
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      10 11 12 13 14
   Confounder:
      76 3E 65 36 7E 86 4F 02 F5 51 53 C7 E3 B5 8A F1
   256-bit AES key:
      B3 A8 02 E3 40 61 3E F1 E0 EC E9 1A 15 7C 59 12
      6F BD C4 B8 C2 4C 8D 0B 2E 5A 30 F0 1E 7E 34 88
   192-bit HMAC key:
      FC 0B 49 9B 83 55 A3 2A C3 C9 AC B6 64 93 63 EB
      5D BB A4 25 1A 75 B2 0A
   AES Output:
      4C F9 8B 5E DA 0D 94 9F B3 8E CD 67 DE 80 0F 79
      46 19 F9 EA CB 30 54 33 50 6B 9A D4 48 4B D9 5B
      E0 55 F5 69 EB
   Truncated HMAC Output:
      7C F8 36 70 75 8C BF DA 31 3C FE F8 74 2B 11 74
      14 A7 DD 12 B4 96 64 2E
   Ciphertext:
      4C F9 8B 5E DA 0D 94 9F B3 8E CD 67 DE 80 0F 79
      46 19 F9 EA CB 30 54 33 50 6B 9A D4 48 4B D9 5B
      E0 55 F5 69 EB 7C F8 36 70 75 8C BF DA 31 3C FE
      F8 74 2B 11 74 14 A7 DD 12 B4 96 64 2E

   Sample checksums:
   -----------------
   Checksum type: hmac-sha256-128-aes128
   128-bit HMAC key:
      B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3
   Plaintext:
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      10 11 12 13 14
   Checksum:
      D7 83 67 18 66 43 D6 7B 41 1C BA 91 39 FC 1D EE

   Checksum type: hmac-sha384-192-aes256
   192-bit HMAC key:
      EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4
      BA 41 F2 8F AF 69 E7 3D
   Plaintext:
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      10 11 12 13 14
   Checksum:
      45 EE 79 15 67 EE FC A3 7F 4A C1 E0 22 2D E8 0D
      43 C3 BF A0 66 99 67 2A

Authors' Addresses

   Michael J. Jenkins
   National Security Agency

   EMail: mjjenki@tycho.ncsc.mil

   Michael A. Peck
   The MITRE Corporation

   EMail: mpeck@mitre.org

   Kelley W. Burgin

   Email: kelley.burgin@gmail.com
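
The key derivation of Sections 3 and 4, the checksum of Section 6 and the HMAC check that gates decryption in Section 5, written with the Python standard library. This is an added example, not code from the draft or from any Kerberos implementation; the function names are hypothetical, and the inputs under `__main__` are Appendix A values.

```python
import hashlib
import hmac
import struct

# enctype name -> (hash, AES key bits, truncated HMAC bits h), per Sections 3-6.
ENCTYPES = {
    "aes128-cts-hmac-sha256-128": ("sha256", 128, 128),
    "aes256-cts-hmac-sha384-192": ("sha384", 256, 192),
}

def kdf_hmac_sha2(enctype, key, constant, k_bits):
    """Section 3: K1 = HMAC(key, 00000001 | constant | 00 | k), then k-truncate."""
    msg = struct.pack(">I", 1) + constant + b"\x00" + struct.pack(">I", k_bits)
    return hmac.new(key, msg, ENCTYPES[enctype][0]).digest()[: k_bits // 8]

def string_to_key(enctype, passphrase, salt, iterations=32768):
    """Section 4: PBKDF2 over enctype-name | 0x00 | salt, then KDF with "kerberos"."""
    hash_name, key_bits, _ = ENCTYPES[enctype]
    saltp = enctype.encode("ascii") + b"\x00" + salt
    tkey = hashlib.pbkdf2_hmac(hash_name, passphrase, saltp, iterations, key_bits // 8)
    return kdf_hmac_sha2(enctype, tkey, b"kerberos", key_bits)

def derive_usage_keys(enctype, base_key, usage):
    """Section 5: Kc and Ki are h bits long, Ke is the AES key length."""
    _, key_bits, h_bits = ENCTYPES[enctype]
    u = struct.pack(">I", usage)  # key usage number, four octets big-endian
    return {
        "Kc": kdf_hmac_sha2(enctype, base_key, u + b"\x99", h_bits),
        "Ke": kdf_hmac_sha2(enctype, base_key, u + b"\xaa", key_bits),
        "Ki": kdf_hmac_sha2(enctype, base_key, u + b"\x55", h_bits),
    }

def get_mic(enctype, kc, message):
    """Section 6: HMAC(Kc, message)[1..h]."""
    hash_name, _, h_bits = ENCTYPES[enctype]
    return hmac.new(kc, message, hash_name).digest()[: h_bits // 8]

def verify_mic(enctype, kc, message, mic):
    """Section 6 verify_mic, using a constant-time comparison."""
    return hmac.compare_digest(get_mic(enctype, kc, message), mic)

def authenticate_ciphertext(enctype, ki, ciphertext, cipherstate=bytes(16)):
    """Section 5 decryption, first step: split (C, H) and check H against
    HMAC(Ki, IV | C)[1..h] before anything is decrypted. Returns C on success;
    AES-CTS decryption with Ke is not shown (no AES in the standard library)."""
    hash_name, _, h_bits = ENCTYPES[enctype]
    h = h_bits // 8
    if len(ciphertext) < 16 + h:  # C always holds the 16-octet confounder
        raise ValueError("ciphertext too short")
    c, tag = ciphertext[:-h], ciphertext[-h:]
    expected = hmac.new(ki, cipherstate + c, hash_name).digest()[:h]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return c

if __name__ == "__main__":
    # Appendix A inputs: base-key for aes128-cts-hmac-sha256-128, key usage 2.
    enc = "aes128-cts-hmac-sha256-128"
    base = bytes.fromhex("3705D96080C17728A0E800EAB6E0D23C")
    keys = derive_usage_keys(enc, base, 2)
    for name, value in keys.items():
        print(name, value.hex().upper())
    # First sample encryption (empty plaintext): AES output | truncated HMAC.
    ct = bytes.fromhex("EF85FB890BB8472F4DAB20394DCA781D"
                       "AD877EDA39D50C870C0D5A0A8E48C718")
    print("authenticated C:", authenticate_ciphertext(enc, keys["Ki"], ct).hex().upper())
```

A receiver built this way rejects a modified ciphertext or a wrong cipherstate before Ke is ever used, which is the property the Introduction attributes to computing the HMAC over the cipherstate and AES output.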