idnits 2.17.1 draft-ietf-kitten-aes-cts-hmac-sha2-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 302 has weird spacing: '... Etype encr...' -- The document date (September 21, 2014) is 3499 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- ** Obsolete normative reference: RFC 2898 (Obsoleted by RFC 8018) Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group M. Jenkins 3 Internet Draft National Security Agency 4 Intended Status: Informational M. Peck 5 Expires: March 25, 2015 The MITRE Corporation 6 K. Burgin 7 September 21, 2014 9 AES Encryption with HMAC-SHA2 for Kerberos 5 10 draft-ietf-kitten-aes-cts-hmac-sha2-05 12 Abstract 14 This document specifies two encryption types and two corresponding 15 checksum types for Kerberos 5. The new types use AES in CTS mode 16 (CBC mode with ciphertext stealing) for confidentiality and HMAC with 17 a SHA-2 hash for integrity. 19 Status of this Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF). Note that other groups may also distribute 26 working documents as Internet-Drafts. The list of current Internet- 27 Drafts is at http://datatracker.ietf.org/drafts/current/. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 This Internet-Draft will expire on January 22, 2015. 36 Copyright and License Notice 38 Copyright (c) 2014 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents 43 (http://trustee.ietf.org/license-info) in effect on the date of 44 publication of this document. Please review these documents 45 carefully, as they describe your rights and restrictions with respect 46 to this document. Code Components extracted from this document must 47 include Simplified BSD License text as described in Section 4.e of 48 the Trust Legal Provisions and are provided without warranty as 49 described in the Simplified BSD License. 51 Table of Contents 53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 54 2. Protocol Key Representation . . . . . . . . . . . . . . . . . 3 55 3. Key Derivation Function . . . . . . . . . . . . . . . . . . . 3 56 4. Key Generation from Pass Phrases . . . . . . . . . . . . . . . 4 57 5. Kerberos Algorithm Protocol Parameters . . . . . . . . . . . . 5 58 6. Checksum Parameters . . . . . . . . . . . . . . . . . . . . . 7 59 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 60 8. Security Considerations . . . . . . . . . . . . . . . . . . . 8 61 8.1. Random Values in Salt Strings . . . . . . . . . . . . . . 8 62 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 63 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 64 10.1. Normative References . . . . . . . . . . . . . . . . . . 9 65 10.2. Informative References . . . . . . . . . . . . . . . . . 9 66 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 9 67 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16 69 1. Introduction 71 This document defines two encryption types and two corresponding 72 checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys. 74 To avoid ciphertext expansion, we use a variation of the CBC-CS3 mode 75 defined in [SP800-38A+], also referred to as ciphertext stealing or 76 CTS mode. The new types conform to the framework specified in 77 [RFC3961], but do not use the simplified profile. 79 The encryption and checksum types defined in this document are 80 intended to support environments that desire to use SHA-256 or SHA- 81 384 as the hash algorithm. Differences between the encryption and 82 checksum types defined in this document and the pre-existing Kerberos 83 AES encryption and checksum types specified in [RFC3962] are: 85 * The pseudorandom function used by PBKDF2 is HMAC-SHA-256 or HMAC- 86 SHA-384. 88 * A key derivation function from [SP800-108] using the SHA-256 or 89 SHA-384 hash algorithm is used to produce keys for encryption, 90 integrity protection, and checksum operations. 92 * The HMAC is calculated over the cipherstate concatenated with the 93 AES output, instead of being calculated over the confounder and 94 plaintext. This allows the message receiver to verify the 95 integrity of the message before decrypting the message. 97 * The HMAC algorithm uses the SHA-256 or SHA-384 hash algorithm for 98 integrity protection and checksum operations. 100 2. Protocol Key Representation 102 The AES key space is dense, so we can use random or pseudorandom 103 octet strings directly as keys. The byte representation for the key 104 is described in [FIPS197], where the first bit of the bit string is 105 the high bit of the first byte of the byte string (octet string). 107 3. Key Derivation Function 109 We use a key derivation function from Section 5.1 of [SP800-108] 110 which uses the HMAC algorithm as the PRF. All octets are expressed 111 in big-endian order. The counter i is expressed as four octets and 112 in this document is always 0x00000001 since there is only a single 113 iteration of the PRF. The "Label" input to the NIST KDF is the 114 constant supplied to this key derivation function. When deriving Kc, 115 Ki, or Ke, the constant is the four octet key usage concatenated with 116 0x99, 0x55, or 0xAA respectively. When deriving the base-key, the 117 constant is the ASCII string "kerberos", also known as the byte 118 string 0x6B65726265726F73. When deriving Kp, the constant is the 119 ASCII string "prf", also known as the byte string 0x707266. The 120 "Context" input is omitted. The length of the output key in bits 121 (denoted as k) is also represented as four octets in big-endian 122 order. Each application of the KDF only requires a single iteration 123 of the PRF, so n = 1 in the notation of [SP800-108]. The purposes of 124 the Kc, Ki, Ke, base-key, and Kp keys are described in Section 5. 126 In the following summary, | indicates concatenation. The random-to- 127 key function is the identity function. The k-truncate function is 128 defined in [RFC3961], Section 5.1. 130 When the encryption type is aes128-cts-hmac-sha256-128, the output 131 key length k is 128 bits for all applications of KDF-HMAC-SHA2(key, 132 constant) which is computed as follows: 134 K1 = HMAC-SHA-256(key, 00 00 00 01 | constant | 00 | 00 00 00 80) 135 KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) 137 When the encryption type is aes256-cts-hmac-sha384-192, the output 138 key length k is 256 bits when deriving the base-key (from a 139 passphrase as described in Section 4), Ke, and Kp. The output key 140 length k is 192 bits when deriving Kc and Ki. KDF-HMAC-SHA2(key, 141 constant) is computed as follows: 143 If deriving Kc or Ki (the constant ends with 0x99 or 0x55): 144 k = 192 145 K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 00 C0) 146 KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) 148 If deriving the base-key (the constant is "kerberos", the byte 149 string 0x6B65726265726F73), Ke (the constant ends with 0xAA), 150 or Kp (the constant is "prf", the byte string 0x707266): 151 k = 256 152 K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 01 00) 153 KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) 155 4. Key Generation from Pass Phrases 157 PBKDF2 [RFC2898] is used to derive the base-key from a passphrase 158 and salt. 160 If no string-to-key parameters are specified, the default number of 161 iterations is 32,768. 163 To ensure that different long-term base-keys are used with 164 different enctypes, we prepend the enctype name to the salt, 165 separated by a null byte. The enctype-name is "aes128-cts-hmac- 166 sha256-128" or "aes256-cts-hmac-sha384-192" (without the quotes). 167 The user's long-term base-key is derived as follows 169 saltp = enctype-name | 0x00 | salt 170 tkey = random-to-key(PBKDF2(passphrase, saltp, 171 iter_count, keylength)) 172 base-key = KDF-HMAC-SHA2(tkey, "kerberos") where "kerberos" is the 173 byte string {0x6B65726265726F73}. 175 where the pseudorandom function used by PBKDF2 is HMAC-SHA-256 when 176 the enctype is "aes128-cts-hmac-sha256-128" and HMAC-SHA-384 when the 177 enctype is "aes256-cts-hmac-sha384-192", the value for keylength is 178 the AES key length (128 or 256 bits), and the algorithm KDF-HMAC-SHA2 179 is defined in Section 3. 181 5. Kerberos Algorithm Protocol Parameters 183 The cipherstate is used as the formal initialization vector (IV) 184 input into CBC-CS3. The plaintext is prepended with a 16-octet 185 random nonce generated by the message originator, known as a 186 confounder. 188 The ciphertext is a concatenation of the output of AES in CBC-CS3 189 mode and the HMAC of the cipherstate concatenated with the AES 190 output. The HMAC is computed using either SHA-256 or SHA-384 191 depending on the encryption type. The output of HMAC-SHA-256 is 192 truncated to 128 bits and the output of HMAC-SHA-384 is truncated to 193 192 bits. Sample test vectors are given in Appendix A. 195 Decryption is performed by removing the HMAC, verifying the HMAC 196 against the cipherstate concatenated with the ciphertext, and then 197 decrypting the ciphertext if the HMAC is correct. Finally, the first 198 16 octets of the decryption output (the confounder) is discarded, and 199 the remainder is returned as the plaintext decryption output. 201 The following parameters apply to the encryption types aes128-cts- 202 hmac-sha256-128 and aes256-cts-hmac-sha384-192. 204 protocol key format: as defined in Section 2. 206 specific key structure: three protocol-format keys: { Kc, Ke, Ki }. 208 Kc: the checksum key, inputted into HMAC to provide the checksum 209 mechanism defined in Section 6. 211 Ke: the encryption key, inputted into AES encryption and decryption 212 as defined in "encryption function" and "decryption function" below. 214 Ki: the integrity key, inputted into HMAC to provide authenticated 215 encryption as defined in "encryption function" and "decryption 216 function" below. 218 required checksum mechanism: as defined in Section 6. 220 key-generation seed length: key size (128 or 256 bits). 222 string-to-key function: as defined in Section 4. 224 default string-to-key parameters: 00 00 80 00. 226 random-to-key function: identity function. 228 key-derivation function: KDF-HMAC-SHA2 as defined in Section 3. The 229 key usage number is expressed as four octets in big-endian order. 231 Kc = KDF-HMAC-SHA2(base-key, usage | 0x99) 232 Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA) 233 Ki = KDF-HMAC-SHA2(base-key, usage | 0x55) 235 cipherstate: a 128-bit CBC initialization vector derived from 236 the ciphertext. 238 initial cipherstate: all bits zero. 240 encryption function: as follows, where E() is AES encryption in 241 CBC-CS3 mode, and h is the size of truncated HMAC. 243 N = random nonce of length 128 bits (the AES block size) 244 IV = cipherstate 245 C = E(Ke, N | plaintext, IV) 246 H = HMAC(Ki, IV | C) 247 ciphertext = C | H[1..h] 248 cipherstate = the last full (128 bit) block of C 249 (i.e. the next-to-last block if the last block 250 is not a full 128 bits) 252 decryption function: as follows, where D() is AES decryption in 253 CBC-CS3 mode, and h is the size of truncated HMAC. 255 (C, H) = ciphertext 256 IV = cipherstate 257 if H != HMAC(Ki, IV | C)[1..h] 258 stop, report error 259 (N, P) = D(Ke, C, IV) 260 Note: N is set to the first block of the decryption output, 261 P is set to the rest of the output. 263 cipherstate = the last full (128 bit) block of C 264 (i.e. the next-to-last block if the last block 265 is not a full 128 bits) 267 pseudo-random function: 268 If the enctype is aes128-cts-hmac-sha256-128: 269 k = 128 271 If the enctype is aes256-cts-hmac-sha384-192: 272 k = 256 274 Kp = KDF-HMAC-SHA2(base-key, "prf") 275 PRF = k-truncate(HMAC-SHA2(Kp, octet-string)) 277 where SHA2 is SHA-256 if the enctype is 278 aes128-cts-hmac-sha256-128, 279 and is SHA-384 if the enctype is aes256-cts-hmac-sha384-192. 281 6. Checksum Parameters 283 The following parameters apply to the checksum types hmac-sha256-128- 284 aes128 and hmac-sha384-192-aes256, which are the associated checksums 285 for aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192, 286 respectively. 288 associated cryptosystem: AES-128-CTS or AES-256-CTS as appropriate. 290 get_mic: HMAC(Kc, message)[1..h]. 292 verify_mic: get_mic and compare. 294 7. IANA Considerations 296 IANA is requested to assign: 298 Encryption type numbers for aes128-cts-hmac-sha256-128 and 299 aes256-cts-hmac-sha384-192 in the Kerberos Encryption Type Numbers 300 registry. 302 Etype encryption type Reference 303 ----- --------------- --------- 304 TBD1 aes128-cts-hmac-sha256-128 [this document] 305 TBD2 aes256-cts-hmac-sha384-192 [this document] 307 Checksum type numbers for hmac-sha256-128-aes128 and hmac-sha384-192- 308 aes256 in the Kerberos Checksum Type Numbers registry. 310 Sumtype Checksum type Size Reference 311 ------- ------------- ---- --------- 312 TBD3 hmac-sha256-128-aes128 16 [this document] 313 TBD4 hmac-sha384-192-aes256 24 [this document] 315 8. Security Considerations 317 This specification requires implementations to generate random 318 values. The use of inadequate pseudo-random number generators 319 (PRNGs) can result in little or no security. The generation of 320 quality random numbers is difficult. [RFC4086] offers random number 321 generation guidance. 323 This document specifies a mechanism for generating keys from pass 324 phrases or passwords. The salt and iteration count resist brute 325 force and dictionary attacks, however, it is still important to 326 choose or generate strong passphrases. 328 NIST guidance in section 5.3 of [SP800-38A] requires CBC 329 initialization vectors be unpredictable. This specification does not 330 formally comply with that guidance. However, the use of a confounder 331 as the first block of plaintext fills the cryptographic role 332 typically played by an initialization vector. This approach was 333 chosen to align with other Kerberos cryptosystem approaches. 335 8.1. Random Values in Salt Strings 337 NIST guidance in Section 5.1 of [SP800-132] requires that a portion 338 of the salt of at least 128 bits shall be randomly generated. Some 339 known issues with including random values in Kerberos encryption type 340 salt strings are: 342 * The string-to-key function as defined in [RFC3961] requires the 343 salt to be valid UTF-8 strings. Not every 128-bit random string 344 will be valid UTF-8. 346 Further, using a salt containing a random portion may have the 347 following issues with some implementations: 349 * Cross-realm TGTs are typically managed by entering the same 350 password at two KDCs to get the same keys. If each KDC uses a random 351 salt, they won't have the same keys. 353 * Random salts may interfere with password history checking. 355 * ktutil's add_entry command assumes the default salt. 357 9. Acknowledgements 358 Kelley Burgin was employed at the National Security Agency during 359 much of the work on this document. 361 10. References 363 10.1. Normative References 365 [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography 366 Specification Version 2.0", RFC 2898, September 2000. 368 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for 369 Kerberos 5", RFC 3961, February 2005. 371 [RFC3962] Raeburn, K., "Advanced Encryption Standard (AES) 372 Encryption for Kerberos 5", RFC 3962, February 2005. 374 [FIPS197] National Institute of Standards and Technology, 375 "Advanced Encryption Standard (AES)", FIPS PUB 197, 376 November 2001. 378 [SP800-38A+] National Institute of Standards and Technology, 379 "Recommendation for Block Cipher Modes of Operation: 380 Three Variants of Ciphertext Stealing for CBC Mode", 381 NIST Special Publication 800-38A Addendum, October 2010. 383 [SP800-108] National Institute of Standards and Technology, 384 "Recommendation for Key Derivation Using Pseudorandom 385 Functions", NIST Special Publication 800-108, October 386 2009. 388 10.2. Informative References 390 [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, 391 "Randomness Requirements for Security", BCP 106, RFC 392 4086, June 2005. 394 [SP800-38A] National Institute of Standards and Technology, 395 "Recommendation for Block Cipher Modes of Operation: 396 Methods and Techniques", NIST Special Publication 397 800-38A, December 2001. 399 [SP800-132] National Institute of Standards and Technology, 400 "Recommendation for Password-Based Key Derivation, Part 401 1: Storage Applications", NIST Special Publication 800- 402 132, June 2010. 404 Appendix A. Test Vectors 405 Sample results for string-to-key conversion: 406 -------------------------------------------- 408 Iteration count = 32768 409 Pass phrase = "password" 410 Saltp for creating 128-bit base-key: 411 61 65 73 31 32 38 2D 63 74 73 2D 68 6D 61 63 2D 412 73 68 61 32 35 36 2D 31 32 38 00 10 DF 9D D7 83 413 E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E 414 41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E 416 (The saltp is "aes128-cts-hmac-sha256-128" | 0x00 | 417 random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn") 418 128-bit base-key: 419 08 9B CA 48 B1 05 EA 6E A7 7C A5 D2 F3 9D C5 E7 421 Saltp for creating 256-bit base-key: 422 61 65 73 32 35 36 2D 63 74 73 2D 68 6D 61 63 2D 423 73 68 61 33 38 34 2D 31 39 32 00 10 DF 9D D7 83 424 E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E 425 41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E 426 (The saltp is "aes256-cts-hmac-sha384-192" | 0x00 | 427 random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn") 428 256-bit base-key: 429 45 BD 80 6D BF 6A 83 3A 9C FF C1 C9 45 89 A2 22 430 36 7A 79 BC 21 C4 13 71 89 06 E9 F5 78 A7 84 67 432 Sample results for key derivation: 433 ---------------------------------- 435 enctype aes128-cts-hmac-sha256-128: 436 128-bit base-key: 437 37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C 438 Kc value for key usage 2 (constant = 0x0000000299): 439 B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3 440 Ke value for key usage 2 (constant = 0x00000002AA): 441 9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E 442 Ki value for key usage 2 (constant = 0x0000000255): 443 9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C 444 Kp value (constant = 0x707266): 445 9C 66 77 98 08 4F 16 82 1E 77 15 DD 5A A6 EB 71 447 enctype aes256-cts-hmac-sha384-192: 448 256-bit base-key: 449 6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98 450 00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52 451 Kc value for key usage 2 (constant = 0x0000000299): 452 EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4 453 BA 41 F2 8F AF 69 E7 3D 454 Ke value for key usage 2 (constant = 0x00000002AA): 455 56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7 456 A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49 457 Ki value for key usage 2 (constant = 0x0000000255): 458 69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6 459 22 C4 D0 0F FC 23 ED 1F 460 Kp value (constant = 0x707266): 461 5D 63 0D B7 EF DE 37 DE 9C 92 03 C5 2B D9 6C 77 462 31 BE 1C 5B DD 50 DC 75 44 D9 60 AF F3 CC 23 04 464 Sample pseudorandom function (PRF) invocations: 465 ---------------------------------------- 467 PRF input octet-string: "test" (0x74657374) 469 enctype aes128-cts-hmac-sha256-128: 470 Kp value: 471 9C 66 77 98 08 4F 16 82 1E 77 15 DD 5A A6 EB 71 472 PRF output: 473 3A CA 18 6C C1 26 56 76 5C FE B1 D2 2D 1C B1 36 475 enctype aes256-cts-hmac-sha384-192: 476 Kp value: 477 5D 63 0D B7 EF DE 37 DE 9C 92 03 C5 2B D9 6C 77 478 31 BE 1C 5B DD 50 DC 75 44 D9 60 AF F3 CC 23 04 479 PRF output: 480 01 72 03 F2 90 CD 16 6C D6 B2 BB 4F 18 7D 16 23 481 6B 9A 4E D7 66 19 D8 11 6C 64 06 A3 37 E7 F9 08 483 Sample encryptions (all using the default cipher state): 484 -------------------------------------------------------- 486 The following test vectors are for 487 enctype aes128-cts-hmac-sha256-128: 489 Plaintext: (empty) 490 Confounder: 491 7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48 492 128-bit AES key: 493 9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E 494 128-bit HMAC key: 495 9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C 496 AES Output: 497 EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D 498 Truncated HMAC Output: 499 AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18 500 Ciphertext (AES Output | HMAC Output): 502 EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D 503 AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18 505 Plaintext: (length less than block size) 506 00 01 02 03 04 05 507 Confounder: 508 7B CA 28 5E 2F D4 13 0F B5 5B 1A 5C 83 BC 5B 24 509 128-bit AES key: 510 4E FD A6 52 4E 6B 56 B4 F2 12 61 FB FC 93 21 AB 511 128-bit HMAC key: 512 29 1B 0C 37 73 D7 6E E6 BA 2C CF 1E 03 93 F6 3E 513 AES Output: 514 AB 70 F4 BA 9D 76 55 AF 24 B5 76 E4 6E FB 7A 98 515 F1 4B 93 65 9D 1B 516 Truncated HMAC Output: 517 A0 C5 F4 7C AA 84 42 19 F9 08 AD ED EF 52 5B 71 518 Ciphertext: 519 AB 70 F4 BA 9D 76 55 AF 24 B5 76 E4 6E FB 7A 98 520 F1 4B 93 65 9D 1B A0 C5 F4 7C AA 84 42 19 F9 08 521 AD ED EF 52 5B 71 523 Plaintext: (length equals block size) 524 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 525 Confounder: 526 56 AB 21 71 3F F6 2C 0A 14 57 20 0F 6F A9 94 8F 527 128-bit AES key: 528 FF 82 40 42 4B CC BA 05 56 50 C0 39 3B 83 DF 3B 529 128-bit HMAC key: 530 ED 15 62 8B 45 35 8C BF 7F 50 E7 64 C2 6B 8A 1A 531 AES Output: 532 E7 34 8E 74 86 E5 A7 87 0F 51 2E 65 CA C8 65 75 533 78 26 FF C0 EA 5B 28 A8 B9 60 8B B3 08 CD E2 CC 534 Truncated HMAC Output: 535 C1 85 4E F2 F3 4D 02 35 4E C7 AA 53 BE 03 BE D5 536 Ciphertext: 537 E7 34 8E 74 86 E5 A7 87 0F 51 2E 65 CA C8 65 75 538 78 26 FF C0 EA 5B 28 A8 B9 60 8B B3 08 CD E2 CC 539 C1 85 4E F2 F3 4D 02 35 4E C7 AA 53 BE 03 BE D5 541 Plaintext: (length greater than block size) 542 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 543 10 11 12 13 14 544 Confounder: 545 A7 A4 E2 9A 47 28 CE 10 66 4F B6 4E 49 AD 3F AC 546 128-bit AES key: 547 B5 9B 88 75 AD 5D CA FF F7 79 4D 93 F8 19 9D 79 548 128-bit HMAC key: 549 0A 42 1D 72 2F 8F C2 D6 84 8B 1C DA D1 5A 49 C9 551 AES Output: 552 C3 53 72 86 FF 9C FE 49 8D 2E FC FC 99 6D AC 2D 553 52 CA 56 03 B3 E8 68 EA 1E 9C 54 E8 2A E5 CE 7A 554 79 3E 21 09 7D 555 Truncated HMAC Output: 556 5B 03 5D 78 A7 E9 84 75 EC 91 0C E3 7A A0 2A 7D 557 Ciphertext: 558 C3 53 72 86 FF 9C FE 49 8D 2E FC FC 99 6D AC 2D 559 52 CA 56 03 B3 E8 68 EA 1E 9C 54 E8 2A E5 CE 7A 560 79 3E 21 09 7D 5B 03 5D 78 A7 E9 84 75 EC 91 0C 561 E3 7A A0 2A 7D 563 The following test vectors are for enctype 564 aes256-cts-hmac-sha384-192: 566 Plaintext: (empty) 567 Confounder: 568 F7 64 E9 FA 15 C2 76 47 8B 2C 7D 0C 4E 5F 58 E4 569 256-bit AES key: 570 0F A2 0D 7D 03 33 EE 65 16 2C DA 67 E7 AD 0D 3C 571 5E 03 1F 3B 66 70 E0 31 28 2F AC C2 87 9C 21 C7 572 192-bit HMAC key: 573 53 BF 30 6A 68 33 A3 25 18 FC B8 5F 63 1D 03 D5 574 2E E3 1B 39 75 2F 57 ED 575 AES Output: 576 FE 6A 55 14 F3 99 7C 8C AA F2 2D 8E EE 28 6D 7D 577 Truncated HMAC Output: 578 81 1E AD AE DA 7F B9 75 AD 96 C0 07 5A 98 83 F9 579 AC 3A AB 06 97 FC E8 5A 580 Ciphertext: 581 FE 6A 55 14 F3 99 7C 8C AA F2 2D 8E EE 28 6D 7D 582 81 1E AD AE DA 7F B9 75 AD 96 C0 07 5A 98 83 F9 583 AC 3A AB 06 97 FC E8 5A 585 Plaintext: (length less than block size) 586 00 01 02 03 04 05 587 Confounder: 588 B8 0D 32 51 C1 F6 47 14 94 25 6F FE 71 2D 0B 9A 589 256-bit AES key: 590 47 DA 4C A2 8B D1 C1 14 D5 50 7E 55 81 86 CA 4F 591 DB A0 DA E5 B2 4F 6D 68 89 D5 3A FB F1 D0 B8 36 592 192-bit HMAC key: 593 13 6B 5C 83 C9 53 AE 29 E2 C2 31 6A 7B 34 B8 C2 594 AD 26 E4 66 7F AB 42 6E 595 AES Output: 596 14 78 CF 26 BA 5E 7D 3A 9D C7 99 7A 80 10 76 2C 597 74 3B D4 BC 22 EC 598 Truncated HMAC Output: 600 17 2A B2 BB 12 B0 0D BE C2 BF E6 29 CF DD 62 EC 601 3E 45 83 8F A9 FB AE 6E 602 Ciphertext: 603 14 78 CF 26 BA 5E 7D 3A 9D C7 99 7A 80 10 76 2C 604 74 3B D4 BC 22 EC 17 2A B2 BB 12 B0 0D BE C2 BF 605 E6 29 CF DD 62 EC 3E 45 83 8F A9 FB AE 6E 607 Plaintext: (length equals block size) 608 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 609 Confounder: 610 53 BF 8A 0D 10 52 65 D4 E2 76 42 86 24 CE 5E 63 611 256-bit AES key: 612 5E A6 16 D8 FD A2 33 F1 B4 99 79 A4 B9 FA 01 D3 613 21 B1 3D 6F BD 6E 3B B7 2E 54 B4 85 E2 36 AF 23 614 192-bit HMAC key: 615 AD D3 8D C9 86 83 C5 CC 14 E3 C7 37 EA A7 06 47 616 B3 19 71 0E 87 6A 38 77 617 AES Output: 618 B6 0B 6A A6 00 C2 D8 4B 03 A6 1C 18 DD A7 05 F0 619 FE 90 B9 36 B8 8C 4F EA 06 D7 1A 99 35 75 28 60 620 Truncated HMAC Output: 621 2F E5 BD 6E 41 78 17 D6 2A D2 C9 CF 50 8D FA E1 622 B3 C9 6F 4B 45 C1 9B 77 623 Ciphertext: 624 B6 0B 6A A6 00 C2 D8 4B 03 A6 1C 18 DD A7 05 F0 625 FE 90 B9 36 B8 8C 4F EA 06 D7 1A 99 35 75 28 60 626 2F E5 BD 6E 41 78 17 D6 2A D2 C9 CF 50 8D FA E1 627 B3 C9 6F 4B 45 C1 9B 77 629 Plaintext: (length greater than block size) 630 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 631 10 11 12 13 14 632 Confounder: 633 76 3E 65 36 7E 86 4F 02 F5 51 53 C7 E3 B5 8A F1 634 256-bit AES key: 635 B3 A8 02 E3 40 61 3E F1 E0 EC E9 1A 15 7C 59 12 636 6F BD C4 B8 C2 4C 8D 0B 2E 5A 30 F0 1E 7E 34 88 637 192-bit HMAC key: 638 FC 0B 49 9B 83 55 A3 2A C3 C9 AC B6 64 93 63 EB 639 5D BB A4 25 1A 75 B2 0A 640 AES Output: 641 4C F9 8B 5E DA 0D 94 9F B3 8E CD 67 DE 80 0F 79 642 46 19 F9 EA CB 30 54 33 50 6B 9A D4 48 4B D9 5B 643 E0 55 F5 69 EB 644 Truncated HMAC Output: 645 7C F8 36 70 75 8C BF DA 31 3C FE F8 74 2B 11 74 646 14 A7 DD 12 B4 96 64 2E 647 Ciphertext: 649 4C F9 8B 5E DA 0D 94 9F B3 8E CD 67 DE 80 0F 79 650 46 19 F9 EA CB 30 54 33 50 6B 9A D4 48 4B D9 5B 651 E0 55 F5 69 EB 7C F8 36 70 75 8C BF DA 31 3C FE 652 F8 74 2B 11 74 14 A7 DD 12 B4 96 64 2E 654 Sample checksums: 655 ----------------- 657 Checksum type: hmac-sha256-128-aes128 658 128-bit HMAC key: 659 B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3 660 Plaintext: 661 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 662 10 11 12 13 14 663 Checksum: 664 D7 83 67 18 66 43 D6 7B 41 1C BA 91 39 FC 1D EE 666 Checksum type: hmac-sha384-192-aes256 667 192-bit HMAC key: 668 EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4 669 BA 41 F2 8F AF 69 E7 3D 670 Plaintext: 671 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 672 10 11 12 13 14 673 Checksum: 674 45 EE 79 15 67 EE FC A3 7F 4A C1 E0 22 2D E8 0D 675 43 C3 BF A0 66 99 67 2A 677 Authors' Addresses 679 Michael J. Jenkins 680 National Security Agency 682 EMail: mjjenki@tycho.ncsc.mil 684 Michael A. Peck 685 The MITRE Corporation 687 EMail: mpeck@mitre.org 689 Kelley W. Burgin 691 Email: kelley.burgin@gmail.com