idnits 2.17.1

draft-ietf-kitten-aes-cts-hmac-sha2-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 282 has weird spacing: '... Etype encr...'

  -- The document date (July 2, 2014) is 3585 days in the past. Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  ** Obsolete normative reference: RFC 2898 (Obsoleted by RFC 8018)

     Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    Network Working Group                                         M. Jenkins
3    Internet Draft                                  National Security Agency
4    Intended Status: Informational                                   M. Peck
5    Expires: January 3, 2015                           The MITRE Corporation
6                                                                   K. Burgin
7                                                                July 2, 2014

9                  AES Encryption with HMAC-SHA2 for Kerberos 5
10                    draft-ietf-kitten-aes-cts-hmac-sha2-03

12   Abstract

14      This document specifies two encryption types and two corresponding
15      checksum types for Kerberos 5. The new types use AES in CTS mode
16      (CBC mode with ciphertext stealing) for confidentiality and HMAC with
17      a SHA-2 hash for integrity.

19   Status of this Memo

21      This Internet-Draft is submitted in full conformance with the
22      provisions of BCP 78 and BCP 79.

24      Internet-Drafts are working documents of the Internet Engineering
25      Task Force (IETF). Note that other groups may also distribute
26      working documents as Internet-Drafts. The list of current Internet-
27      Drafts is at http://datatracker.ietf.org/drafts/current/.

29      Internet-Drafts are draft documents valid for a maximum of six months
30      and may be updated, replaced, or obsoleted by other documents at any
31      time. It is inappropriate to use Internet-Drafts as reference
32      material or to cite them other than as "work in progress."

34      This Internet-Draft will expire on January 20, 2014.

36   Copyright and License Notice

38      Copyright (c) 2014 IETF Trust and the persons identified as the
39      document authors. All rights reserved.

41      This document is subject to BCP 78 and the IETF Trust's Legal
42      Provisions Relating to IETF Documents
43      (http://trustee.ietf.org/license-info) in effect on the date of
44      publication of this document. Please review these documents
45      carefully, as they describe your rights and restrictions with respect
46      to this document. Code Components extracted from this document must
47      include Simplified BSD License text as described in Section 4.e of
48      the Trust Legal Provisions and are provided without warranty as
49      described in the Simplified BSD License.

51   Table of Contents

53      1. Introduction
54      2. Protocol Key Representation
55      3. Key Derivation Function
56      4. Key Generation from Pass Phrases
57      5. Kerberos Algorithm Protocol Parameters
58      6. Checksum Parameters
59      7. IANA Considerations
60      8. Security Considerations
61         8.1. Random Values in Salt Strings
62      9. Acknowledgements
63      10. References
64         10.1. Normative References
65         10.2. Informative References
66      Appendix A. Test Vectors
67      Authors' Addresses

69   1. Introduction

71      This document defines two encryption types and two corresponding
72      checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys.

74      To avoid ciphertext expansion, we use a variation of the CBC-CS3 mode
75      defined in [SP800-38A+], also referred to as ciphertext stealing or
76      CTS mode. The new types conform to the framework specified in
77      [RFC3961], but do not use the simplified profile.

79      The encryption and checksum types defined in this document are
80      intended to support environments that desire to use SHA-256 or SHA-
81      384 as the hash algorithm. Differences between the encryption and
82      checksum types defined in this document and the pre-existing Kerberos
83      AES encryption and checksum types specified in [RFC3962] are:

85      * The pseudorandom function used by PBKDF2 is HMAC-SHA-256 or HMAC-
86        SHA-384.

88      * A key derivation function from [SP800-108] using the SHA-256 or
89        SHA-384 hash algorithm is used to produce keys for encryption,
90        integrity protection, and checksum operations.

92      * The HMAC is calculated over the cipherstate concatenated with the
93        AES output, instead of being calculated over the confounder and
94        plaintext. This allows the message receiver to verify the
95        integrity of the message before decrypting the message.

97      * The HMAC algorithm uses the SHA-256 or SHA-384 hash algorithm for
98        integrity protection and checksum operations.

100  2. Protocol Key Representation

102     The AES key space is dense, so we can use random or pseudorandom
103     octet strings directly as keys. The byte representation for the key
104     is described in [FIPS197], where the first bit of the bit string is
105     the high bit of the first byte of the byte string (octet string).

107  3. Key Derivation Function

109     We use a key derivation function from Section 5.1 of [SP800-108]
110     which uses the HMAC algorithm as the PRF. The counter i is expressed
111     as four octets in big-endian order. The length of the output key in
112     bits (denoted as k) is also represented as four octets in big-endian
113     order. The "Label" input to the KDF is the usage constant supplied
114     to the key derivation function, and the "Context" input is null.
115     Each application of the KDF only requires a single iteration of the
116     PRF, so n = 1 in the notation of [SP800-108].

118     In the following summary, | indicates concatenation. The random-to-
119     key function is the identity function. The k-truncate function is
120     defined in [RFC3961], Section 5.1.

122     When the encryption type is aes128-cts-hmac-sha256-128, the output
123     key length k is 128 bits for all applications of KDF-HMAC-SHA2(key,
124     constant) which is computed as follows:

126        K1 = HMAC-SHA-256(key, 00 00 00 01 | constant | 00 | 00 00 00 80)
127        KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1))

129     When the encryption type is aes256-cts-hmac-sha384-192, the output
130     key length k is 256 bits when deriving the base-key (from a
131     passphrase as described in Section 4), Ke, and Kp. The output key
132     length k is 192 bits when deriving Kc and Ki. KDF-HMAC-SHA2(key,
133     constant) is computed as follows:

135        If deriving Kc or Ki (the constant ends with 0x99 or 0x55):
136          k = 192
137          K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 00 C0)
138          KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1))

140        If deriving the base-key (the constant is "kerberos", the byte
141        string 0x6B65726265726F73), Ke (the constant ends with 0xAA),
142        or Kp (the constant is "prf", the byte string 0x707266):
143          k = 256
144          K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 01 00)
145          KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1))

147  4. Key Generation from Pass Phrases

149     PBKDF2 [RFC2898] is used to derive the base-key from a passphrase
150     and salt.

152     If no string-to-key parameters are specified, the default number of
153     iterations is 32,768.

155     To ensure that different long-term base-keys are used with
156     different enctypes, we prepend the enctype name to the salt,
157     separated by a null byte. The enctype-name is "aes128-cts-hmac-
158     sha256-128" or "aes256-cts-hmac-sha384-192" (without the quotes).
159     The user's long-term base-key is derived as follows

161        saltp = enctype-name | 0x00 | salt
162        tkey = random-to-key(PBKDF2(passphrase, saltp,
163                                    iter_count, keylength))
164        base-key = KDF-HMAC-SHA2(tkey, "kerberos") where "kerberos" is the
165        byte string {0x6B65726265726F73}.

167     where the pseudorandom function used by PBKDF2 is HMAC-SHA-256 when
168     the enctype is "aes128-cts-hmac-sha256-128" and HMAC-SHA-384 when the
169     enctype is "aes256-cts-hmac-sha384-192", the value for keylength is
170     the AES key length (128 or 256 bits), and the algorithm KDF-HMAC-SHA2
171     is defined in Section 3.

173  5. Kerberos Algorithm Protocol Parameters

175     The cipherstate is used as the formal initialization vector (IV)
176     input into CBC-CS3. The plaintext is prepended with a 16-octet
177     random nonce generated by the message originator, known as a
178     confounder.

180     The ciphertext is a concatenation of the output of AES in CBC-CS3
181     mode and the HMAC of the cipherstate concatenated with the AES
182     output. The HMAC is computed using either SHA-256 or SHA-384
183     depending on the encryption type. The output of HMAC-SHA-256 is
184     truncated to 128 bits and the output of HMAC-SHA-384 is truncated to
185     192 bits. Sample test vectors are given in Appendix A.

187     Decryption is performed by removing the HMAC, verifying the HMAC
188     against the cipherstate concatenated with the ciphertext, and then
189     decrypting the ciphertext if the HMAC is correct. Finally, the first
190     16 octets of the decryption output (the confounder) are discarded, and
191     the remainder is returned as the plaintext decryption output.

193     The following parameters apply to the encryption types aes128-cts-
194     hmac-sha256-128 and aes256-cts-hmac-sha384-192.

196     protocol key format: as defined in Section 2.

198     specific key structure: three protocol-format keys: { Kc, Ke, Ki }.

200     required checksum mechanism: as defined in Section 6.

202     key-generation seed length: key size (128 or 256 bits).

204     string-to-key function: as defined in Section 4.

206     default string-to-key parameters: 00 00 80 00.

208     random-to-key function: identity function.

210     key-derivation function: KDF-HMAC-SHA2 as defined in Section 3. The
211     key usage number is expressed as four octets in big-endian order.

213        Kc = KDF-HMAC-SHA2(base-key, usage | 0x99)
214        Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA)
215        Ki = KDF-HMAC-SHA2(base-key, usage | 0x55)

217     cipherstate: a 128-bit CBC initialization vector derived from
218     the ciphertext.

220     initial cipherstate: all bits zero.

222     encryption function: as follows, where E() is AES encryption in
223     CBC-CS3 mode, and h is the size of truncated HMAC.

225        N = random nonce of length 128 bits (the AES block size)
226        IV = cipherstate
227        C = E(Ke, N | plaintext, IV)
228        H = HMAC(Ki, IV | C)
229        ciphertext = C | H[1..h]
230        cipherstate = the last full (128 bit) block of C
231                      (i.e. the next-to-last block if the last block
232                      is not a full 128 bits)

234     decryption function: as follows, where D() is AES decryption in
235     CBC-CS3 mode, and h is the size of truncated HMAC.

237        (C, H) = ciphertext
238        IV = cipherstate
239        if H != HMAC(Ki, IV | C)[1..h]
240            stop, report error
241        (N, P) = D(Ke, C, IV)
242        Note: N is set to the first block of the decryption output,
243              P is set to the rest of the output.
244        cipherstate = the last full (128 bit) block of C
245                      (i.e. the next-to-last block if the last block
246                      is not a full 128 bits)

248     pseudo-random function:
249        If the enctype is aes128-cts-hmac-sha256-128:
250          k = 128

252        If the enctype is aes256-cts-hmac-sha384-192:
253          k = 256

255        Kp = KDF-HMAC-SHA2(base-key, "prf")
256        PRF = k-truncate(HMAC-SHA2(Kp, octet-string))

258        where SHA2 is SHA-256 if the enctype is
259        aes128-cts-hmac-sha256-128,
260        and is SHA-384 if the enctype is aes256-cts-hmac-sha384-192.

262  6. Checksum Parameters
263     The following parameters apply to the checksum types hmac-sha256-128-
264     aes128 and hmac-sha384-192-aes256, which are the associated checksums
265     for aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192,
266     respectively.

268     associated cryptosystem: AES-128-CTS or AES-256-CTS as appropriate.

270     get_mic: HMAC(Kc, message)[1..h].

272     verify_mic: get_mic and compare.

274  7. IANA Considerations

276     IANA is requested to assign:

278     Encryption type numbers for aes128-cts-hmac-sha256-128 and
279     aes256-cts-hmac-sha384-192 in the Kerberos Encryption Type Numbers
280     registry.

282        Etype   encryption type              Reference
283        -----   ---------------              ---------
284        TBD1    aes128-cts-hmac-sha256-128   [this document]
285        TBD2    aes256-cts-hmac-sha384-192   [this document]

287     Checksum type numbers for hmac-sha256-128-aes128 and hmac-sha384-192-
288     aes256 in the Kerberos Checksum Type Numbers registry.

290        Sumtype   Checksum type            Size   Reference
291        -------   -------------            ----   ---------
292        TBD3      hmac-sha256-128-aes128   16     [this document]
293        TBD4      hmac-sha384-192-aes256   24     [this document]

295  8. Security Considerations

297     This specification requires implementations to generate random
298     values. The use of inadequate pseudo-random number generators
299     (PRNGs) can result in little or no security. The generation of
300     quality random numbers is difficult. [RFC4086] offers random number
301     generation guidance.

303     This document specifies a mechanism for generating keys from pass
304     phrases or passwords. The salt and iteration count resist brute
305     force and dictionary attacks; however, it is still important to
306     choose or generate strong passphrases.

308     NIST guidance in section 5.3 of [SP800-38A] requires CBC
309     initialization vectors be unpredictable. This specification does not
310     formally comply with that guidance. However, the use of a confounder
311     as the first block of plaintext fills the cryptographic role
312     typically played by an initialization vector. This approach was
313     chosen to align with other Kerberos cryptosystem approaches.

315  8.1. Random Values in Salt Strings

317     NIST guidance in Section 5.1 of [SP800-132] requires that a portion
318     of the salt of at least 128 bits shall be randomly generated. Some
319     known issues with including random values in Kerberos encryption type
320     salt strings are:

322     * The string-to-key function as defined in [RFC3961] requires the
323       salt to be valid UTF-8 strings. Not every 128-bit random string
324       will be valid UTF-8.

326     Further, using a salt containing a random portion may have the
327     following issues with some implementations:

329     * Cross-realm TGTs are typically managed by entering the same
330       password at two KDCs to get the same keys. If each KDC uses a random
331       salt, they won't have the same keys.

333     * Random salts may interfere with password history checking.

335     * ktutil's add_entry command assumes the default salt.

337  9. Acknowledgements

339     Kelley Burgin was employed at the National Security Agency during
340     much of the work on this document.

342  10. References

344  10.1. Normative References

346     [RFC2898]    Kaliski, B., "PKCS #5: Password-Based Cryptography
347                  Specification Version 2.0", RFC 2898, September 2000.

349     [RFC3961]    Raeburn, K., "Encryption and Checksum Specifications for
350                  Kerberos 5", RFC 3961, February 2005.

352     [RFC3962]    Raeburn, K., "Advanced Encryption Standard (AES)
353                  Encryption for Kerberos 5", RFC 3962, February 2005.

355     [FIPS197]    National Institute of Standards and Technology,
356                  "Advanced Encryption Standard (AES)", FIPS PUB 197,
357                  November 2001.

359     [SP800-38A+] National Institute of Standards and Technology,
360                  "Recommendation for Block Cipher Modes of Operation:
361                  Three Variants of Ciphertext Stealing for CBC Mode",
362                  NIST Special Publication 800-38A Addendum, October 2010.

364     [SP800-108]  National Institute of Standards and Technology,
365                  "Recommendation for Key Derivation Using Pseudorandom
366                  Functions", NIST Special Publication 800-108, October
367                  2009.

369  10.2. Informative References

371     [RFC4086]    Eastlake 3rd, D., Schiller, J., and S. Crocker,
372                  "Randomness Requirements for Security", BCP 106, RFC
373                  4086, June 2005.

375     [SP800-38A]  National Institute of Standards and Technology,
376                  "Recommendation for Block Cipher Modes of Operation:
377                  Methods and Techniques", NIST Special Publication
378                  800-38A, December 2001.

380     [SP800-132]  National Institute of Standards and Technology,
381                  "Recommendation for Password-Based Key Derivation, Part
382                  1: Storage Applications", NIST Special Publication 800-
383                  132, June 2010.

385  Appendix A. Test Vectors

387     Sample results for string-to-key conversion:
388     --------------------------------------------

390     Iteration count = 32768
391     Pass phrase = "password"
392     Saltp for creating 128-bit base-key:
393        61 65 73 31 32 38 2D 63 74 73 2D 68 6D 61 63 2D
394        73 68 61 32 35 36 2D 31 32 38 00 10 DF 9D D7 83
395        E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E
396        41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E

398     (The saltp is "aes128-cts-hmac-sha256-128" | 0x00 |
399      random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn")
400     128-bit base-key:
401        08 9B CA 48 B1 05 EA 6E A7 7C A5 D2 F3 9D C5 E7

403     Saltp for creating 256-bit base-key:
404        61 65 73 32 35 36 2D 63 74 73 2D 68 6D 61 63 2D
405        73 68 61 33 38 34 2D 31 39 32 00 10 DF 9D D7 83
406        E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E
407        41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E
408     (The saltp is "aes256-cts-hmac-sha384-192" | 0x00 |
409      random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn")
410     256-bit base-key:
411        45 BD 80 6D BF 6A 83 3A 9C FF C1 C9 45 89 A2 22
412        36 7A 79 BC 21 C4 13 71 89 06 E9 F5 78 A7 84 67

414     Sample results for key derivation:
415     ----------------------------------

417     enctype aes128-cts-hmac-sha256-128:
418     128-bit base-key:
419        37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C
420     Kc value for key usage 2 (constant = 0x0000000299):
421        B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3
422     Ke value for key usage 2 (constant = 0x00000002AA):
423        9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
424     Ki value for key usage 2 (constant = 0x0000000255):
425        9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C

427     enctype aes256-cts-hmac-sha384-192:
428     256-bit base-key:
429        6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98
430        00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52
431     Kc value for key usage 2 (constant = 0x0000000299):
432        EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4
433        BA 41 F2 8F AF 69 E7 3D
434     Ke value for key usage 2 (constant = 0x00000002AA):
435        56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
436        A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
437     Ki value for key usage 2 (constant = 0x0000000255):
438        69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
439        22 C4 D0 0F FC 23 ED 1F

441     Sample encryptions (all using the default cipher state):
442     --------------------------------------------------------

444     The following test vectors are for
445     enctype aes128-cts-hmac-sha256-128:

447     Plaintext: (empty)
448     Confounder:
449        7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48
450     128-bit AES key:
451        9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
452     128-bit HMAC key:
453        9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C
454     AES Output:
456        EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D
457     Truncated HMAC Output:
458        AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18
459     Ciphertext (AES Output | HMAC Output):
460        EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D
461        AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18

463     Plaintext: (length less than block size)
464        00 01 02 03 04 05
465     Confounder:
466        7B CA 28 5E 2F D4 13 0F B5 5B 1A 5C 83 BC 5B 24
467     128-bit AES key:
468        4E FD A6 52 4E 6B 56 B4 F2 12 61 FB FC 93 21 AB
469     128-bit HMAC key:
470        29 1B 0C 37 73 D7 6E E6 BA 2C CF 1E 03 93 F6 3E
471     AES Output:
472        AB 70 F4 BA 9D 76 55 AF 24 B5 76 E4 6E FB 7A 98
473        F1 4B 93 65 9D 1B
474     Truncated HMAC Output:
475        A0 C5 F4 7C AA 84 42 19 F9 08 AD ED EF 52 5B 71
476     Ciphertext:
477        AB 70 F4 BA 9D 76 55 AF 24 B5 76 E4 6E FB 7A 98
478        F1 4B 93 65 9D 1B A0 C5 F4 7C AA 84 42 19 F9 08
479        AD ED EF 52 5B 71

481     Plaintext: (length equals block size)
482        00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
483     Confounder:
484        56 AB 21 71 3F F6 2C 0A 14 57 20 0F 6F A9 94 8F
485     128-bit AES key:
486        FF 82 40 42 4B CC BA 05 56 50 C0 39 3B 83 DF 3B
487     128-bit HMAC key:
488        ED 15 62 8B 45 35 8C BF 7F 50 E7 64 C2 6B 8A 1A
489     AES Output:
490        E7 34 8E 74 86 E5 A7 87 0F 51 2E 65 CA C8 65 75
491        78 26 FF C0 EA 5B 28 A8 B9 60 8B B3 08 CD E2 CC
492     Truncated HMAC Output:
493        C1 85 4E F2 F3 4D 02 35 4E C7 AA 53 BE 03 BE D5
494     Ciphertext:
495        E7 34 8E 74 86 E5 A7 87 0F 51 2E 65 CA C8 65 75
496        78 26 FF C0 EA 5B 28 A8 B9 60 8B B3 08 CD E2 CC
497        C1 85 4E F2 F3 4D 02 35 4E C7 AA 53 BE 03 BE D5

499     Plaintext: (length greater than block size)
500        00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
501        10 11 12 13 14
502     Confounder:
503        A7 A4 E2 9A 47 28 CE 10 66 4F B6 4E 49 AD 3F AC
505     128-bit AES key:
506        B5 9B 88 75 AD 5D CA FF F7 79 4D 93 F8 19 9D 79
507     128-bit HMAC key:
508        0A 42 1D 72 2F 8F C2 D6 84 8B 1C DA D1 5A 49 C9
509     AES Output:
510        C3 53 72 86 FF 9C FE 49 8D 2E FC FC 99 6D AC 2D
511        52 CA 56 03 B3 E8 68 EA 1E 9C 54 E8 2A E5 CE 7A
512        79 3E 21 09 7D
513     Truncated HMAC Output:
514        5B 03 5D 78 A7 E9 84 75 EC 91 0C E3 7A A0 2A 7D
515     Ciphertext:
516        C3 53 72 86 FF 9C FE 49 8D 2E FC FC 99 6D AC 2D
517        52 CA 56 03 B3 E8 68 EA 1E 9C 54 E8 2A E5 CE 7A
518        79 3E 21 09 7D 5B 03 5D 78 A7 E9 84 75 EC 91 0C
519        E3 7A A0 2A 7D

521     The following test vectors are for enctype
522     aes256-cts-hmac-sha384-192:

524     Plaintext: (empty)
525     Confounder:
526        F7 64 E9 FA 15 C2 76 47 8B 2C 7D 0C 4E 5F 58 E4
527     256-bit AES key:
528        0F A2 0D 7D 03 33 EE 65 16 2C DA 67 E7 AD 0D 3C
529        5E 03 1F 3B 66 70 E0 31 28 2F AC C2 87 9C 21 C7
530     192-bit HMAC key:
531        53 BF 30 6A 68 33 A3 25 18 FC B8 5F 63 1D 03 D5
532        2E E3 1B 39 75 2F 57 ED
533     AES Output:
534        FE 6A 55 14 F3 99 7C 8C AA F2 2D 8E EE 28 6D 7D
535     Truncated HMAC Output:
536        81 1E AD AE DA 7F B9 75 AD 96 C0 07 5A 98 83 F9
537        AC 3A AB 06 97 FC E8 5A
538     Ciphertext:
539        FE 6A 55 14 F3 99 7C 8C AA F2 2D 8E EE 28 6D 7D
540        81 1E AD AE DA 7F B9 75 AD 96 C0 07 5A 98 83 F9
541        AC 3A AB 06 97 FC E8 5A

543     Plaintext: (length less than block size)
544        00 01 02 03 04 05
545     Confounder:
546        B8 0D 32 51 C1 F6 47 14 94 25 6F FE 71 2D 0B 9A
547     256-bit AES key:
548        47 DA 4C A2 8B D1 C1 14 D5 50 7E 55 81 86 CA 4F
549        DB A0 DA E5 B2 4F 6D 68 89 D5 3A FB F1 D0 B8 36
550     192-bit HMAC key:
551        13 6B 5C 83 C9 53 AE 29 E2 C2 31 6A 7B 34 B8 C2
552        AD 26 E4 66 7F AB 42 6E
554     AES Output:
555        14 78 CF 26 BA 5E 7D 3A 9D C7 99 7A 80 10 76 2C
556        74 3B D4 BC 22 EC
557     Truncated HMAC Output:
558        17 2A B2 BB 12 B0 0D BE C2 BF E6 29 CF DD 62 EC
559        3E 45 83 8F A9 FB AE 6E
560     Ciphertext:
561        14 78 CF 26 BA 5E 7D 3A 9D C7 99 7A 80 10 76 2C
562        74 3B D4 BC 22 EC 17 2A B2 BB 12 B0 0D BE C2 BF
563        E6 29 CF DD 62 EC 3E 45 83 8F A9 FB AE 6E

565     Plaintext: (length equals block size)
566        00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
567     Confounder:
568        53 BF 8A 0D 10 52 65 D4 E2 76 42 86 24 CE 5E 63
569     256-bit AES key:
570        5E A6 16 D8 FD A2 33 F1 B4 99 79 A4 B9 FA 01 D3
571        21 B1 3D 6F BD 6E 3B B7 2E 54 B4 85 E2 36 AF 23
572     192-bit HMAC key:
573        AD D3 8D C9 86 83 C5 CC 14 E3 C7 37 EA A7 06 47
574        B3 19 71 0E 87 6A 38 77
575     AES Output:
576        B6 0B 6A A6 00 C2 D8 4B 03 A6 1C 18 DD A7 05 F0
577        FE 90 B9 36 B8 8C 4F EA 06 D7 1A 99 35 75 28 60
578     Truncated HMAC Output:
579        2F E5 BD 6E 41 78 17 D6 2A D2 C9 CF 50 8D FA E1
580        B3 C9 6F 4B 45 C1 9B 77
581     Ciphertext:
582        B6 0B 6A A6 00 C2 D8 4B 03 A6 1C 18 DD A7 05 F0
583        FE 90 B9 36 B8 8C 4F EA 06 D7 1A 99 35 75 28 60
584        2F E5 BD 6E 41 78 17 D6 2A D2 C9 CF 50 8D FA E1
585        B3 C9 6F 4B 45 C1 9B 77

587     Plaintext: (length greater than block size)
588        00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
589        10 11 12 13 14
590     Confounder:
591        76 3E 65 36 7E 86 4F 02 F5 51 53 C7 E3 B5 8A F1
592     256-bit AES key:
593        B3 A8 02 E3 40 61 3E F1 E0 EC E9 1A 15 7C 59 12
594        6F BD C4 B8 C2 4C 8D 0B 2E 5A 30 F0 1E 7E 34 88
595     192-bit HMAC key:
596        FC 0B 49 9B 83 55 A3 2A C3 C9 AC B6 64 93 63 EB
597        5D BB A4 25 1A 75 B2 0A
598     AES Output:
599        4C F9 8B 5E DA 0D 94 9F B3 8E CD 67 DE 80 0F 79
600        46 19 F9 EA CB 30 54 33 50 6B 9A D4 48 4B D9 5B
601        E0 55 F5 69 EB
603     Truncated HMAC Output:
604        7C F8 36 70 75 8C BF DA 31 3C FE F8 74 2B 11 74
605        14 A7 DD 12 B4 96 64 2E
606     Ciphertext:
607        4C F9 8B 5E DA 0D 94 9F B3 8E CD 67 DE 80 0F 79
608        46 19 F9 EA CB 30 54 33 50 6B 9A D4 48 4B D9 5B
609        E0 55 F5 69 EB 7C F8 36 70 75 8C BF DA 31 3C FE
610        F8 74 2B 11 74 14 A7 DD 12 B4 96 64 2E

612     Sample checksums:
613     -----------------

615     Checksum type: hmac-sha256-128-aes128
616     128-bit HMAC key:
617        B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3
618     Plaintext:
619        00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
620        10 11 12 13 14
621     Checksum:
622        D7 83 67 18 66 43 D6 7B 41 1C BA 91 39 FC 1D EE

624     Checksum type: hmac-sha384-192-aes256
625     192-bit HMAC key:
626        EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4
627        BA 41 F2 8F AF 69 E7 3D
628     Plaintext:
629        00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
630        10 11 12 13 14
631     Checksum:
632        45 EE 79 15 67 EE FC A3 7F 4A C1 E0 22 2D E8 0D
633        43 C3 BF A0 66 99 67 2A

635  Authors' Addresses

637     Michael J. Jenkins
638     National Security Agency

640     EMail: mjjenki@tycho.ncsc.mil

642     Michael A. Peck
643     The MITRE Corporation

645     EMail: mpeck@mitre.org

647     Kelley W. Burgin

649     Email: kelley.burgin@gmail.com
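
The key derivation of Sections 3 to 5 (KDF-HMAC-SHA2, the Kc/Ke/Ki usage constants, and string-to-key), written out as an added example that is not part of the draft. The function names and the ENCTYPES table are this example's own; it uses only the Python standard library and can be checked against the Appendix A vectors.

```python
"""Added example: KDF-HMAC-SHA2 and string-to-key as described in Sections 3-5."""
import hashlib
import hmac
import struct

# Per-enctype parameters taken from Sections 3 and 4 of the draft.
# key_bits: k for the base-key, Ke and Kp; mac_bits: k for Kc and Ki.
ENCTYPES = {
    "aes128-cts-hmac-sha256-128": {"hash": "sha256", "key_bits": 128, "mac_bits": 128},
    "aes256-cts-hmac-sha384-192": {"hash": "sha384", "key_bits": 256, "mac_bits": 192},
}
DEFAULT_ITERATIONS = 32768  # default string-to-key parameters 00 00 80 00


def kdf_hmac_sha2(enctype: str, key: bytes, constant: bytes, k_bits: int) -> bytes:
    """Single PRF iteration of the SP 800-108 counter-mode KDF (n = 1).

    K1 = HMAC(key, 00 00 00 01 | constant | 00 | k), followed by k-truncate.
    random-to-key is the identity, so the truncated octets are the key.
    """
    if k_bits % 8:
        raise ValueError("k must be a whole number of octets")
    msg = struct.pack(">I", 1) + constant + b"\x00" + struct.pack(">I", k_bits)
    k1 = hmac.new(key, msg, ENCTYPES[enctype]["hash"]).digest()
    return k1[: k_bits // 8]


def derive_usage_keys(enctype: str, base_key: bytes, usage: int) -> dict:
    """Derive Kc, Ke and Ki for one key usage number (Section 5)."""
    p = ENCTYPES[enctype]
    u = struct.pack(">I", usage)  # usage number as four big-endian octets
    return {
        "Kc": kdf_hmac_sha2(enctype, base_key, u + b"\x99", p["mac_bits"]),
        "Ke": kdf_hmac_sha2(enctype, base_key, u + b"\xaa", p["key_bits"]),
        "Ki": kdf_hmac_sha2(enctype, base_key, u + b"\x55", p["mac_bits"]),
    }


def string_to_key(enctype: str, passphrase: bytes, salt: bytes,
                  iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Section 4: PBKDF2 over enctype-name | 0x00 | salt, then KDF with "kerberos"."""
    p = ENCTYPES[enctype]
    # Prefixing the enctype name gives each enctype a distinct long-term key
    # even when the passphrase and salt are the same.
    saltp = enctype.encode("ascii") + b"\x00" + salt
    tkey = hashlib.pbkdf2_hmac(p["hash"], passphrase, saltp, iterations,
                               dklen=p["key_bits"] // 8)
    return kdf_hmac_sha2(enctype, tkey, b"kerberos", p["key_bits"])


if __name__ == "__main__":
    # Base key from "Sample results for key derivation" in Appendix A.
    base = bytes.fromhex("3705D96080C17728A0E800EAB6E0D23C")
    for name, key in derive_usage_keys("aes128-cts-hmac-sha256-128", base, 2).items():
        print(name, key.hex().upper())
```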
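
The receiver-side integrity step of Section 5 (split C | H, verify the truncated HMAC over IV | C before any decryption, then update the cipherstate) together with get_mic/verify_mic from Section 6, as an added example that is not part of the draft. Function names are this example's own, the comparison uses the standard library's constant-time hmac.compare_digest, and the AES CBC-CS3 decryption itself is left out.

```python
"""Added example: MAC check of Section 5 and get_mic/verify_mic of Section 6."""
import hmac

BLOCK = 16  # AES block size in octets
# Hash and truncated HMAC length h (in octets) per enctype, from Section 5.
# The checksum types of Section 6 use the same hash and h as their enctype.
PARAMS = {
    "aes128-cts-hmac-sha256-128": ("sha256", 16),
    "aes256-cts-hmac-sha384-192": ("sha384", 24),
}


class IntegrityError(Exception):
    """Raised when a ciphertext is malformed or its HMAC does not verify."""


def truncated_hmac(enctype: str, key: bytes, data: bytes) -> bytes:
    digest, h = PARAMS[enctype]
    return hmac.new(key, data, digest).digest()[:h]


def last_full_block(c: bytes) -> bytes:
    """Next cipherstate: the last full 128-bit block of C.

    With a short final block this is the next-to-last block of C.
    """
    n_full = len(c) // BLOCK
    return c[(n_full - 1) * BLOCK : n_full * BLOCK]


def verify_and_strip(enctype: str, ki: bytes, ciphertext: bytes,
                     cipherstate: bytes = bytes(BLOCK)):
    """Return (C, next cipherstate) if H verifies over IV | C, else raise.

    The caller decrypts C with Ke only after this function returns.
    """
    h = PARAMS[enctype][1]
    # C always contains the encrypted 16-octet confounder, so it is at
    # least one block long; anything shorter cannot be a valid message.
    if len(cipherstate) != BLOCK or len(ciphertext) < BLOCK + h:
        raise IntegrityError("ciphertext too short")
    c, tag = ciphertext[:-h], ciphertext[-h:]
    expected = truncated_hmac(enctype, ki, cipherstate + c)
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise IntegrityError("HMAC mismatch")
    return c, last_full_block(c)


def get_mic(enctype: str, kc: bytes, message: bytes) -> bytes:
    """Section 6: HMAC(Kc, message)[1..h]."""
    return truncated_hmac(enctype, kc, message)


def verify_mic(enctype: str, kc: bytes, message: bytes, mic: bytes) -> bool:
    return hmac.compare_digest(mic, get_mic(enctype, kc, message))


if __name__ == "__main__":
    # First aes128 sample encryption from Appendix A (empty plaintext).
    ki = bytes.fromhex("9FDA0E56AB2D85E1569A688696C26A6C")
    ct = bytes.fromhex("EF85FB890BB8472F4DAB20394DCA781D"
                       "AD877EDA39D50C870C0D5A0A8E48C718")
    c, state = verify_and_strip("aes128-cts-hmac-sha256-128", ki, ct)
    print("verified C:", c.hex().upper())
```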