Network Working Group                                         M. Jenkins
Internet Draft                                  National Security Agency
Intended Status: Informational                                   M. Peck
Expires: June 11, 2016                             The MITRE Corporation
                                                               K. Burgin
                                                        December 9, 2015


              AES Encryption with HMAC-SHA2 for Kerberos 5
                  draft-ietf-kitten-aes-cts-hmac-sha2-08

Abstract

   This document specifies two encryption types and two corresponding
   checksum types for Kerberos 5.  The new types use AES in CTS mode
   (CBC mode with ciphertext stealing) for confidentiality and HMAC with
   a SHA-2 hash for integrity.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 11, 2016.

Copyright and License Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Protocol Key Representation
   3.  Key Derivation Function
   4.  Key Generation from Pass Phrases
   5.  Kerberos Algorithm Protocol Parameters
   6.  Checksum Parameters
   7.  IANA Considerations
   8.  Security Considerations
     8.1.  Random Values in Salt Strings
     8.2.  Algorithm Rationale
   9.  Acknowledgements
   10.  References
     10.1.  Normative References
     10.2.  Informative References
   Appendix A.  Test Vectors
   Authors' Addresses

1.  Introduction

   This document defines two encryption types and two corresponding
   checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys.

   To avoid ciphertext expansion, we use a variation of the CBC-CS3 mode
   defined in [SP800-38A+], also referred to as ciphertext stealing or
   CTS mode.  The new types conform to the framework specified in
   [RFC3961], but do not use the simplified profile.

   The encryption and checksum types defined in this document are
   intended to support environments that desire to use SHA-256 or
   SHA-384 as the hash algorithm.  Differences between the encryption
   and checksum types defined in this document and the pre-existing
   Kerberos AES encryption and checksum types specified in [RFC3962]
   are:

   *  The pseudorandom function used by PBKDF2 is HMAC-SHA-256 or
      HMAC-SHA-384.

   *  A key derivation function from [SP800-108] using the SHA-256 or
      SHA-384 hash algorithm is used to produce keys for encryption,
      integrity protection, and checksum operations.

   *  The HMAC is calculated over the cipherstate concatenated with the
      AES output, instead of being calculated over the confounder and
      plaintext.  This allows the message receiver to verify the
      integrity of the message before decrypting the message.

   *  The HMAC algorithm uses the SHA-256 or SHA-384 hash algorithm for
      integrity protection and checksum operations.

2.  Protocol Key Representation

   The AES key space is dense, so we can use random or pseudorandom
   octet strings directly as keys.
   The byte representation for the key is described in [FIPS197], where
   the first bit of the bit string is the high bit of the first byte of
   the byte string (octet string).

3.  Key Derivation Function

   We use a key derivation function from Section 5.1 of [SP800-108]
   which uses the HMAC algorithm as the PRF.

      KDF-HMAC-SHA2(key, label, k) = k-truncate(K1)

   key: The source of entropy from which subsequent keys are derived
   (this is known as Ki in [SP800-108]).

   label: An octet string describing the intended usage of the derived
   key.

   k: Length in bits of the key to be output, expressed in big-endian
   binary representation in 4 bytes (this is known as L in [SP800-108]).
   (e.g. k = 128 is represented as 0x00000080, k = 192 as 0x000000C0,
   k = 256 as 0x00000100, k = 384 as 0x00000180)

   When the encryption type is aes128-cts-hmac-sha256-128, k must be no
   greater than 256.  When the encryption type is
   aes256-cts-hmac-sha384-192, k must be no greater than 384.

   The k-truncate function is defined in [RFC3961], Section 5.1.

   In all computations in this document, | indicates concatenation.

   When the encryption type is aes128-cts-hmac-sha256-128, then K1 is
   computed as follows:

      K1 = HMAC-SHA-256(key, 0x00000001 | label | 0x00 | k)

   When the encryption type is aes256-cts-hmac-sha384-192, then K1 is
   computed as follows:

      K1 = HMAC-SHA-384(key, 0x00000001 | label | 0x00 | k)

4.  Key Generation from Pass Phrases

   As defined below, the string-to-key function uses PBKDF2 [RFC2898]
   and KDF-HMAC-SHA2 to derive the base-key from a passphrase and salt.

   To ensure that different long-term base-keys are used with different
   enctypes, we prepend the enctype name to the salt, separated by a
   null byte.  The enctype-name is "aes128-cts-hmac-sha256-128" or
   "aes256-cts-hmac-sha384-192" (without the quotes).
   The user's long-term base-key is derived as follows:

      iter_count = string-to-key parameter (default is
                   decimal 32768 if not specified)
      saltp = enctype-name | 0x00 | salt
      tkey = random-to-key(PBKDF2(passphrase, saltp,
                                  iter_count, keylength))
      base-key = random-to-key(KDF-HMAC-SHA2(tkey, "kerberos",
                                              keylength))
      where "kerberos" is the octet-string
      0x6B65726265726F73

   where the pseudorandom function used by PBKDF2 is HMAC-SHA-256 when
   the enctype is "aes128-cts-hmac-sha256-128" and HMAC-SHA-384 when the
   enctype is "aes256-cts-hmac-sha384-192", the value for keylength is
   the AES key length (128 or 256 bits), and the algorithm KDF-HMAC-SHA2
   is defined in Section 3.

5.  Kerberos Algorithm Protocol Parameters

   The cipherstate is used as the formal initialization vector (IV)
   input into CBC-CS3.  The plaintext is prepended with a 16-octet
   random nonce generated by the message originator, known as a
   confounder.

   The ciphertext is a concatenation of the output of AES in CBC-CS3
   mode and the HMAC of the cipherstate concatenated with the AES
   output.  The HMAC is computed using either SHA-256 or SHA-384
   depending on the encryption type.  The output of HMAC-SHA-256 is
   truncated to 128 bits and the output of HMAC-SHA-384 is truncated to
   192 bits.  Sample test vectors are given in Appendix A.

   Decryption is performed by removing the HMAC, verifying the HMAC
   against the cipherstate concatenated with the ciphertext, and then
   decrypting the ciphertext if the HMAC is correct.  Finally, the first
   16 octets of the decryption output (the confounder) are discarded,
   and the remainder is returned as the plaintext decryption output.

   The following parameters apply to the encryption types
   aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192.

   protocol key format: as defined in Section 2.

   specific key structure: three protocol-format keys: { Kc, Ke, Ki }.
   Kc: the checksum key, input to HMAC to provide the checksum
   mechanism defined in Section 6.

   Ke: the encryption key, input to AES encryption and decryption as
   defined in "encryption function" and "decryption function" below.

   Ki: the integrity key, input to HMAC to provide authenticated
   encryption as defined in "encryption function" and "decryption
   function" below.

   required checksum mechanism: as defined in Section 6.

   key-generation seed length: key size (128 or 256 bits).

   string-to-key function: as defined in Section 4.

   default string-to-key parameters: decimal 32768.

   random-to-key function: identity function.

   key-derivation function: KDF-HMAC-SHA2 as defined in Section 3.  The
   key usage number is expressed as four octets in big-endian order.

      If the enctype is aes128-cts-hmac-sha256-128:
         Kc = KDF-HMAC-SHA2(base-key, usage | 0x99, 128)
         Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA, 128)
         Ki = KDF-HMAC-SHA2(base-key, usage | 0x55, 128)

      If the enctype is aes256-cts-hmac-sha384-192:
         Kc = KDF-HMAC-SHA2(base-key, usage | 0x99, 192)
         Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA, 256)
         Ki = KDF-HMAC-SHA2(base-key, usage | 0x55, 192)

   cipherstate: a 128-bit CBC initialization vector derived from the
   ciphertext.

   initial cipherstate: all bits zero.

   encryption function: as follows, where E() is AES encryption in
   CBC-CS3 mode, and h is the size of the truncated HMAC (128 bits or
   192 bits as described above).
      N = random nonce of length 128 bits (the AES block size)
      IV = cipherstate
      C = E(Ke, N | plaintext, IV)
      H = HMAC(Ki, IV | C)
      ciphertext = C | H[1..h]

   Steps to compute the 128-bit cipherstate:
      L = length of C in bits
      portion C into 128-bit blocks, placing any remainder
         of less than 128 bits into a final block
      if L == 128: cipherstate = C
      else if L mod 128 > 0: cipherstate = last full (128-bit)
                                           block of C (the
                                           next-to-last block)
      else if L mod 128 == 0: cipherstate = next-to-last block
                                            of C

   decryption function: as follows, where D() is AES decryption in
   CBC-CS3 mode, and h is the size of the truncated HMAC.

      (C, H) = ciphertext
      IV = cipherstate
      if H != HMAC(Ki, IV | C)[1..h]
         stop, report error
      (N, P) = D(Ke, C, IV)
      Note: N is set to the first block of the decryption output,
            P is set to the rest of the output.
      cipherstate = same as described above in encryption function

   pseudo-random function:
      If the enctype is aes128-cts-hmac-sha256-128:
         PRF = KDF-HMAC-SHA2(base-key, "prf" | octet-string, 256)

      If the enctype is aes256-cts-hmac-sha384-192:
         PRF = KDF-HMAC-SHA2(base-key, "prf" | octet-string, 384)

      where "prf" is the octet-string 0x707266

6.  Checksum Parameters

   The following parameters apply to the checksum types
   hmac-sha256-128-aes128 and hmac-sha384-192-aes256, which are the
   associated checksums for aes128-cts-hmac-sha256-128 and
   aes256-cts-hmac-sha384-192, respectively.

   associated cryptosystem: AES-128-CTS or AES-256-CTS as appropriate.

   get_mic: HMAC(Kc, message)[1..h].
      where h is 128 bits for checksum type hmac-sha256-128-aes128
      and 192 bits for checksum type hmac-sha384-192-aes256

   verify_mic: get_mic and compare.
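   The following Python is an added worked example, not code from this
   draft or from any Kerberos implementation.  It implements the
   KDF-HMAC-SHA2 function of Section 3, the string-to-key function of
   Section 4, the Kc/Ke/Ki derivation and pseudo-random function of
   Section 5, and get_mic/verify_mic of Section 6 using only the Python
   standard library, and checks itself against the string-to-key, key
   derivation, PRF and checksum vectors of Appendix A.  The only values
   copied from the draft are those Appendix A inputs; the function and
   constant names (ENCTYPES, kdf_hmac_sha2, derive_keys, APPENDIX_SALT
   and so on) are the example's own.

```python
import hashlib
import hmac

# (hash name, AES key length in bits, truncated HMAC length h in bits)
# for the two enctypes defined in Sections 3 to 6.
ENCTYPES = {
    "aes128-cts-hmac-sha256-128": ("sha256", 128, 128),
    "aes256-cts-hmac-sha384-192": ("sha384", 256, 192),
}


def kdf_hmac_sha2(enctype, key, label, k):
    """Section 3: KDF-HMAC-SHA2(key, label, k) = k-truncate(K1) with
    K1 = HMAC-SHA-2(key, 0x00000001 | label | 0x00 | k)."""
    hash_name = ENCTYPES[enctype][0]
    hash_bits = 256 if hash_name == "sha256" else 384
    if k % 8 or k > hash_bits:
        raise ValueError("k must be whole octets and no longer than the hash output")
    msg = (1).to_bytes(4, "big") + label + b"\x00" + k.to_bytes(4, "big")
    k1 = hmac.new(key, msg, hash_name).digest()
    return k1[: k // 8]  # k-truncate ([RFC3961], Section 5.1)


def string_to_key(enctype, passphrase, salt, iter_count=32768):
    """Section 4: PBKDF2 over saltp = enctype-name | 0x00 | salt, then
    KDF-HMAC-SHA2 with the label "kerberos"; random-to-key is the identity."""
    hash_name, keylength, _ = ENCTYPES[enctype]
    saltp = enctype.encode("ascii") + b"\x00" + salt
    tkey = hashlib.pbkdf2_hmac(hash_name, passphrase, saltp, iter_count, keylength // 8)
    return kdf_hmac_sha2(enctype, tkey, b"kerberos", keylength)


def derive_keys(enctype, base_key, usage):
    """Section 5: the specific key structure { Kc, Ke, Ki } for one key
    usage number, which is encoded as four big-endian octets."""
    _, keylength, h = ENCTYPES[enctype]
    u = usage.to_bytes(4, "big")
    return {
        "Kc": kdf_hmac_sha2(enctype, base_key, u + b"\x99", h),
        "Ke": kdf_hmac_sha2(enctype, base_key, u + b"\xaa", keylength),
        "Ki": kdf_hmac_sha2(enctype, base_key, u + b"\x55", h),
    }


def prf(enctype, base_key, octet_string):
    """Section 5 pseudo-random function: label "prf" | octet-string,
    output length equal to the full hash length (256 or 384 bits)."""
    hash_bits = 256 if ENCTYPES[enctype][0] == "sha256" else 384
    return kdf_hmac_sha2(enctype, base_key, b"prf" + octet_string, hash_bits)


def get_mic(enctype, kc, message):
    """Section 6: HMAC(Kc, message)[1..h]."""
    hash_name, _, h = ENCTYPES[enctype]
    return hmac.new(kc, message, hash_name).digest()[: h // 8]


def verify_mic(enctype, kc, message, mic):
    """Section 6: get_mic and compare, in constant time."""
    return hmac.compare_digest(get_mic(enctype, kc, message), mic)


# Inputs copied from Appendix A: the salt that follows the enctype name
# and null byte (16 random UTF-8 octets then "ATHENA.MIT.EDUraeburn"),
# and the two sample base-keys used for the key derivation vectors.
APPENDIX_SALT = bytes.fromhex("10DF9DD783E5BC8ACEA1730E74355F61") + b"ATHENA.MIT.EDUraeburn"
BASE_KEY_128 = bytes.fromhex("3705D96080C17728A0E800EAB6E0D23C")
BASE_KEY_256 = bytes.fromhex("6D404D37FAF79F9DF0D33568D320669800EB4836472EA8A026D16B7182460C52")


def appendix_a_key_derivation(enctype, base_key):
    """Kc/Ke/Ki for key usage 2 plus the PRF of "test", i.e. the values
    tabulated in Appendix A, as upper-case hex strings."""
    out = {name: value.hex().upper() for name, value in derive_keys(enctype, base_key, 2).items()}
    out["PRF"] = prf(enctype, base_key, b"test").hex().upper()
    return out


if __name__ == "__main__":
    for enctype, base_key in (("aes128-cts-hmac-sha256-128", BASE_KEY_128),
                              ("aes256-cts-hmac-sha384-192", BASE_KEY_256)):
        print(enctype, "base-key from \"password\":",
              string_to_key(enctype, b"password", APPENDIX_SALT).hex().upper())
        for name, value in appendix_a_key_derivation(enctype, base_key).items():
            print("  ", name, value)
```

   Running the module prints the string-to-key and key derivation
   results, which should match the corresponding entries in Appendix A
   octet for octet.  Note that the k-truncate and the `k` upper bound
   are enforced in one place (kdf_hmac_sha2), so a caller cannot ask for
   a Kc longer than the HMAC-SHA-256 or HMAC-SHA-384 output.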
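   The following Python is a second added example, again not code from
   this draft or from any Kerberos implementation.  It shows the
   structure of the Section 5 encryption and decryption functions: the
   confounder prepended to the plaintext, the CBC-CS3 ciphertext
   stealing (no expansion, last two blocks swapped, the final block
   truncated to the length of the last plaintext fragment), the HMAC
   computed over IV | C and checked before any decryption, and the
   three cases of the cipherstate computation.  So that it runs with
   the standard library alone, the block cipher is a stand-in 16-octet
   permutation (toy_block_encrypt / toy_block_decrypt) rather than AES;
   the outputs therefore do not match Appendix A, and substituting a
   real AES single-block encryption (for instance one-block ECB from a
   crypto library) for the `enc`/`dec` parameters is what would
   reproduce those vectors.  The keys SAMPLE_KE and SAMPLE_KI are
   constructed values.

```python
import hmac
import os

BLOCK = 16  # AES block size in octets


def toy_block_encrypt(key, block):
    """Stand-in 16-octet block permutation, NOT AES and of no security value;
    it exists only so the CBC-CS3 logic below runs without a crypto library."""
    x = bytes(a ^ b for a, b in zip(block, key[:BLOCK]))
    x = x[3:] + x[:3]
    return bytes(a ^ key[(i + 5) % BLOCK] for i, a in enumerate(x))


def toy_block_decrypt(key, block):
    """Inverse of toy_block_encrypt."""
    x = bytes(a ^ key[(i + 5) % BLOCK] for i, a in enumerate(block))
    x = x[-3:] + x[:-3]
    return bytes(a ^ b for a, b in zip(x, key[:BLOCK]))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_cs3_encrypt(enc, key, iv, data):
    """CBC-CS3 as used here: plain CBC when there is a single block; otherwise
    the last two ciphertext blocks are swapped and the block that ends up last
    is truncated to the length of the final plaintext fragment (no expansion)."""
    if len(data) < BLOCK:
        raise ValueError("input must be at least one block (the confounder)")
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    out, prev = [], iv
    for b in blocks:
        prev = enc(key, xor_bytes(b.ljust(BLOCK, b"\x00"), prev))  # zero-pad a partial last block
        out.append(prev)
    if len(out) == 1:
        return out[0]
    d = len(blocks[-1])  # octets in the final fragment (BLOCK when it is full)
    return b"".join(out[:-2]) + out[-1] + out[-2][:d]


def cbc_cs3_decrypt(dec, key, iv, ctext):
    if len(ctext) == BLOCK:
        return xor_bytes(dec(key, ctext), iv)
    d = len(ctext) % BLOCK or BLOCK
    head, c_n, c_n1_head = ctext[:-(BLOCK + d)], ctext[-(BLOCK + d):-d], ctext[-d:]
    x = dec(key, c_n)            # equals zero-padded P_n xor C_{n-1}
    c_n1 = c_n1_head + x[d:]     # the stolen tail of C_{n-1} is recovered from x
    p_n = xor_bytes(x[:d], c_n1[:d])
    out, prev = [], iv
    for b in [head[i:i + BLOCK] for i in range(0, len(head), BLOCK)] + [c_n1]:
        out.append(xor_bytes(dec(key, b), prev))
        prev = b
    return b"".join(out) + p_n


def next_cipherstate(c):
    """The three cases of Section 5 for the 128-bit cipherstate taken from C."""
    if len(c) == BLOCK:
        return c
    if len(c) % BLOCK:                    # L mod 128 > 0: last full block of C
        n_full = len(c) // BLOCK
        return c[(n_full - 1) * BLOCK:n_full * BLOCK]
    return c[-2 * BLOCK:-BLOCK]           # L mod 128 == 0: next-to-last block of C


def encrypt(ke, ki, cipherstate, plaintext, hash_name="sha256", h_bits=128,
            enc=toy_block_encrypt, confounder=None):
    """Section 5 encryption function; returns (ciphertext, new cipherstate)."""
    n = os.urandom(BLOCK) if confounder is None else confounder
    iv = cipherstate
    c = cbc_cs3_encrypt(enc, ke, iv, n + plaintext)
    tag = hmac.new(ki, iv + c, hash_name).digest()[:h_bits // 8]
    return c + tag, next_cipherstate(c)


def decrypt(ke, ki, cipherstate, ciphertext, hash_name="sha256", h_bits=128,
            dec=toy_block_decrypt):
    """Section 5 decryption function: verify HMAC(Ki, IV | C) and stop on a
    mismatch; only then decrypt and discard the confounder."""
    h = h_bits // 8
    c, tag = ciphertext[:-h], ciphertext[-h:]
    iv = cipherstate
    expected = hmac.new(ki, iv + c, hash_name).digest()[:h]
    if len(c) < BLOCK or not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return cbc_cs3_decrypt(dec, ke, iv, c)[BLOCK:], next_cipherstate(c)


# Constructed sample keys and the initial all-zero cipherstate of Section 5.
SAMPLE_KE = bytes(range(16))
SAMPLE_KI = bytes(range(16, 32))
ZERO_STATE = bytes(BLOCK)


def round_trip(plaintext):
    """Encrypt then decrypt under the sample keys; returns
    (ciphertext, recovered plaintext, cipherstate after the message)."""
    ciphertext, state = encrypt(SAMPLE_KE, SAMPLE_KI, ZERO_STATE, plaintext)
    recovered, state2 = decrypt(SAMPLE_KE, SAMPLE_KI, ZERO_STATE, ciphertext)
    assert state == state2
    return ciphertext, recovered, state
```

   The four plaintext lengths of Appendix A (empty, shorter than a
   block, one block, longer than a block) exercise all three cipherstate
   cases and both the swapped-and-truncated and the single-block paths
   of CBC-CS3, and the ciphertext is always exactly 16 octets of
   confounder plus the plaintext plus the truncated HMAC.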
7.  IANA Considerations

   IANA is requested to assign:

   Encryption type numbers for aes128-cts-hmac-sha256-128 and
   aes256-cts-hmac-sha384-192 in the Kerberos Encryption Type Numbers
   registry.

      Etype   Encryption type             Reference
      -----   ---------------             ---------
      TBD1    aes128-cts-hmac-sha256-128  [this document]
      TBD2    aes256-cts-hmac-sha384-192  [this document]

   Checksum type numbers for hmac-sha256-128-aes128 and
   hmac-sha384-192-aes256 in the Kerberos Checksum Type Numbers
   registry.

      Sumtype   Checksum type           Size   Reference
      -------   -------------           ----   ---------
      TBD3      hmac-sha256-128-aes128  16     [this document]
      TBD4      hmac-sha384-192-aes256  24     [this document]

8.  Security Considerations

   This specification requires implementations to generate random
   values.  The use of inadequate pseudo-random number generators
   (PRNGs) can result in little or no security.  The generation of
   quality random numbers is difficult.  [RFC4086] offers random number
   generation guidance.

   This document specifies a mechanism for generating keys from pass
   phrases or passwords.  The salt and iteration count resist brute
   force and dictionary attacks; however, it is still important to
   choose or generate strong passphrases.

   NIST guidance in section 5.3 of [SP800-38A] requires that CBC
   initialization vectors be unpredictable.  This specification does
   not formally comply with that guidance.  However, the use of a
   confounder as the first block of plaintext fills the cryptographic
   role typically played by an initialization vector.  This approach
   was chosen to align with other Kerberos cryptosystem approaches.

8.1.  Random Values in Salt Strings

   NIST guidance in Section 5.1 of [SP800-132] requires that a portion
   of the salt of at least 128 bits shall be randomly generated.
   Some known issues with including random values in Kerberos
   encryption type salt strings are:

   *  The string-to-key function as defined in [RFC3961] requires the
      salt to be a valid UTF-8 string.  Not every 128-bit random string
      will be valid UTF-8.

   Further, using a salt containing a random portion may have the
   following issues with some implementations:

   *  Cross-realm TGTs are typically managed by entering the same
      password at two KDCs to get the same keys.  If each KDC uses a
      random salt, they won't have the same keys.

   *  Random salts may interfere with password history checking.

   *  ktutil's add_entry command assumes the default salt.

8.2.  Algorithm Rationale

   This document has been written to be consistent with common
   implementations of AES and SHA-2.  The encryption and hash algorithm
   sizes have been chosen to create a consistent level of protection,
   with consideration to implementation efficiencies.  So, for instance,
   SHA-384, which would normally be matched to AES-192, is instead
   matched to AES-256 to leverage the fact that there are efficient
   hardware implementations of AES-256.  Note that, as indicated by the
   enctype name "aes256-cts-hmac-sha384-192", the truncation of the
   HMAC-SHA-384 output to 192 bits results in an overall 192-bit level
   of security.

9.  Acknowledgements

   Kelley Burgin was employed at the National Security Agency during
   much of the work on this document.

10.  References

10.1.  Normative References

   [RFC2898]  Kaliski, B., "PKCS #5: Password-Based Cryptography
              Specification Version 2.0", RFC 2898, September 2000.

   [RFC3961]  Raeburn, K., "Encryption and Checksum Specifications for
              Kerberos 5", RFC 3961, February 2005.

   [RFC3962]  Raeburn, K., "Advanced Encryption Standard (AES)
              Encryption for Kerberos 5", RFC 3962, February 2005.
   [FIPS197]  National Institute of Standards and Technology,
              "Advanced Encryption Standard (AES)", FIPS PUB 197,
              November 2001.

   [SP800-38A+]
              National Institute of Standards and Technology,
              "Recommendation for Block Cipher Modes of Operation:
              Three Variants of Ciphertext Stealing for CBC Mode",
              NIST Special Publication 800-38A Addendum, October 2010.

   [SP800-108]
              National Institute of Standards and Technology,
              "Recommendation for Key Derivation Using Pseudorandom
              Functions", NIST Special Publication 800-108, October
              2009.

10.2.  Informative References

   [RFC4086]  Eastlake 3rd, D., Schiller, J., and S. Crocker,
              "Randomness Requirements for Security", BCP 106, RFC
              4086, June 2005.

   [SP800-38A]
              National Institute of Standards and Technology,
              "Recommendation for Block Cipher Modes of Operation:
              Methods and Techniques", NIST Special Publication
              800-38A, December 2001.

   [SP800-132]
              National Institute of Standards and Technology,
              "Recommendation for Password-Based Key Derivation, Part
              1: Storage Applications", NIST Special Publication
              800-132, June 2010.

Appendix A.  Test Vectors
   Sample results for string-to-key conversion:
   --------------------------------------------

   Iteration count = 32768
   Pass phrase = "password"
   Saltp for creating 128-bit base-key:
      61 65 73 31 32 38 2D 63 74 73 2D 68 6D 61 63 2D
      73 68 61 32 35 36 2D 31 32 38 00 10 DF 9D D7 83
      E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E
      41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E
   (The saltp is "aes128-cts-hmac-sha256-128" | 0x00 |
    random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn")
   128-bit base-key:
      08 9B CA 48 B1 05 EA 6E A7 7C A5 D2 F3 9D C5 E7

   Saltp for creating 256-bit base-key:
      61 65 73 32 35 36 2D 63 74 73 2D 68 6D 61 63 2D
      73 68 61 33 38 34 2D 31 39 32 00 10 DF 9D D7 83
      E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E
      41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E
   (The saltp is "aes256-cts-hmac-sha384-192" | 0x00 |
    random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn")
   256-bit base-key:
      45 BD 80 6D BF 6A 83 3A 9C FF C1 C9 45 89 A2 22
      36 7A 79 BC 21 C4 13 71 89 06 E9 F5 78 A7 84 67

   Sample results for key derivation:
   ----------------------------------

   enctype aes128-cts-hmac-sha256-128:
   128-bit base-key:
      37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C
   Kc value for key usage 2 (constant = 0x0000000299):
      B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3
   Ke value for key usage 2 (constant = 0x00000002AA):
      9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   Ki value for key usage 2 (constant = 0x0000000255):
      9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C

   enctype aes256-cts-hmac-sha384-192:
   256-bit base-key:
      6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98
      00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52
   Kc value for key usage 2 (constant = 0x0000000299):
      EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4
      BA 41 F2 8F AF 69 E7 3D
   Ke value for key usage 2 (constant = 0x00000002AA):
      56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
      A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   Ki value for key usage 2 (constant = 0x0000000255):
      69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
      22 C4 D0 0F FC 23 ED 1F

   Sample encryptions (all using the default cipher state):
   --------------------------------------------------------
   These sample encryptions use the above sample key derivation
   results, including use of the same base-key and key usage values.

   The following test vectors are for enctype aes128-cts-hmac-sha256-128:

   Plaintext: (empty)
   Confounder:
      7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48
   128-bit AES key (Ke):
      9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   128-bit HMAC key (Ki):
      9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C
   AES Output:
      EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D
   Truncated HMAC Output:
      AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18
   Ciphertext (AES Output | HMAC Output):
      EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D
      AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18

   Plaintext: (length less than block size)
      00 01 02 03 04 05
   Confounder:
      7B CA 28 5E 2F D4 13 0F B5 5B 1A 5C 83 BC 5B 24
   128-bit AES key (Ke):
      9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   128-bit HMAC key (Ki):
      9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C
   AES Output:
      84 D7 F3 07 54 ED 98 7B AB 0B F3 50 6B EB 09 CF
      B5 54 02 CE F7 E6
   Truncated HMAC Output:
      87 7C E9 9E 24 7E 52 D1 6E D4 42 1D FD F8 97 6C
   Ciphertext:
      84 D7 F3 07 54 ED 98 7B AB 0B F3 50 6B EB 09 CF
      B5 54 02 CE F7 E6 87 7C E9 9E 24 7E 52 D1 6E D4
      42 1D FD F8 97 6C

   Plaintext: (length equals block size)
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Confounder:
      56 AB 21 71 3F F6 2C 0A 14 57 20 0F 6F A9 94 8F
   128-bit AES key (Ke):
      9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   128-bit HMAC key (Ki):
      9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C
   AES Output:
      35 17 D6 40 F5 0D DC 8A D3 62 87 22 B3 56 9D 2A
      E0 74 93 FA 82 63 25 40 80 EA 65 C1 00 8E 8F C2
   Truncated HMAC Output:
      95 FB 48 52 E7 D8 3E 1E 7C 48 C3 7E EB E6 B0 D3
   Ciphertext:
      35 17 D6 40 F5 0D DC 8A D3 62 87 22 B3 56 9D 2A
      E0 74 93 FA 82 63 25 40 80 EA 65 C1 00 8E 8F C2
      95 FB 48 52 E7 D8 3E 1E 7C 48 C3 7E EB E6 B0 D3

   Plaintext: (length greater than block size)
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      10 11 12 13 14
   Confounder:
      A7 A4 E2 9A 47 28 CE 10 66 4F B6 4E 49 AD 3F AC
   128-bit AES key (Ke):
      9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   128-bit HMAC key (Ki):
      9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C
   AES Output:
      72 0F 73 B1 8D 98 59 CD 6C CB 43 46 11 5C D3 36
      C7 0F 58 ED C0 C4 43 7C 55 73 54 4C 31 C8 13 BC
      E1 E6 D0 72 C1
   Truncated HMAC Output:
      86 B3 9A 41 3C 2F 92 CA 9B 83 34 A2 87 FF CB FC
   Ciphertext:
      72 0F 73 B1 8D 98 59 CD 6C CB 43 46 11 5C D3 36
      C7 0F 58 ED C0 C4 43 7C 55 73 54 4C 31 C8 13 BC
      E1 E6 D0 72 C1 86 B3 9A 41 3C 2F 92 CA 9B 83 34
      A2 87 FF CB FC

   The following test vectors are for enctype aes256-cts-hmac-sha384-192:

   Plaintext: (empty)
   Confounder:
      F7 64 E9 FA 15 C2 76 47 8B 2C 7D 0C 4E 5F 58 E4
   256-bit AES key (Ke):
      56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
      A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   192-bit HMAC key (Ki):
      69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
      22 C4 D0 0F FC 23 ED 1F
   AES Output:
      41 F5 3F A5 BF E7 02 6D 91 FA F9 BE 95 91 95 A0
   Truncated HMAC Output:
      58 70 72 73 A9 6A 40 F0 A0 19 60 62 1A C6 12 74
      8B 9B BF BE 7E B4 CE 3C
   Ciphertext:
      41 F5 3F A5 BF E7 02 6D 91 FA F9 BE 95 91 95 A0
      58 70 72 73 A9 6A 40 F0 A0 19 60 62 1A C6 12 74
      8B 9B BF BE 7E B4 CE 3C

   Plaintext: (length less than block size)
      00 01 02 03 04 05
   Confounder:
      B8 0D 32 51 C1 F6 47 14 94 25 6F FE 71 2D 0B 9A
   256-bit AES key (Ke):
      56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
      A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   192-bit HMAC key (Ki):
      69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
      22 C4 D0 0F FC 23 ED 1F
   AES Output:
      4E D7 B3 7C 2B CA C8 F7 4F 23 C1 CF 07 E6 2B C7
      B7 5F B3 F6 37 B9
   Truncated HMAC Output:
      F5 59 C7 F6 64 F6 9E AB 7B 60 92 23 75 26 EA 0D
      1F 61 CB 20 D6 9D 10 F2
   Ciphertext:
      4E D7 B3 7C 2B CA C8 F7 4F 23 C1 CF 07 E6 2B C7
      B7 5F B3 F6 37 B9 F5 59 C7 F6 64 F6 9E AB 7B 60
      92 23 75 26 EA 0D 1F 61 CB 20 D6 9D 10 F2

   Plaintext: (length equals block size)
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Confounder:
      53 BF 8A 0D 10 52 65 D4 E2 76 42 86 24 CE 5E 63
   256-bit AES key (Ke):
      56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
      A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   192-bit HMAC key (Ki):
      69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
      22 C4 D0 0F FC 23 ED 1F
   AES Output:
      BC 47 FF EC 79 98 EB 91 E8 11 5C F8 D1 9D AC 4B
      BB E2 E1 63 E8 7D D3 7F 49 BE CA 92 02 77 64 F6
   Truncated HMAC Output:
      8C F5 1F 14 D7 98 C2 27 3F 35 DF 57 4D 1F 93 2E
      40 C4 FF 25 5B 36 A2 66
   Ciphertext:
      BC 47 FF EC 79 98 EB 91 E8 11 5C F8 D1 9D AC 4B
      BB E2 E1 63 E8 7D D3 7F 49 BE CA 92 02 77 64 F6
      8C F5 1F 14 D7 98 C2 27 3F 35 DF 57 4D 1F 93 2E
      40 C4 FF 25 5B 36 A2 66

   Plaintext: (length greater than block size)
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      10 11 12 13 14
   Confounder:
      76 3E 65 36 7E 86 4F 02 F5 51 53 C7 E3 B5 8A F1
   256-bit AES key (Ke):
      56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
      A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   192-bit HMAC key (Ki):
      69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
      22 C4 D0 0F FC 23 ED 1F
   AES Output:
      40 01 3E 2D F5 8E 87 51 95 7D 28 78 BC D2 D6 FE
      10 1C CF D5 56 CB 1E AE 79 DB 3C 3E E8 64 29 F2
      B2 A6 02 AC 86
   Truncated HMAC Output:
      FE F6 EC B6 47 D6 29 5F AE 07 7A 1F EB 51 75 08
      D2 C1 6B 41 92 E0 1F 62
   Ciphertext:
      40 01 3E 2D F5 8E 87 51 95 7D 28 78 BC D2 D6 FE
      10 1C CF D5 56 CB 1E AE 79 DB 3C 3E E8 64 29 F2
      B2 A6 02 AC 86 FE F6 EC B6 47 D6 29 5F AE 07 7A
      1F EB 51 75 08 D2 C1 6B 41 92 E0 1F 62

   Sample checksums:
   -----------------
   These sample checksums use the above sample key derivation results,
   including use of the same base-key and key usage values.

   Checksum type: hmac-sha256-128-aes128
   128-bit HMAC key (Kc):
      B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3
   Plaintext:
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      10 11 12 13 14
   Checksum:
      D7 83 67 18 66 43 D6 7B 41 1C BA 91 39 FC 1D EE

   Checksum type: hmac-sha384-192-aes256
   192-bit HMAC key (Kc):
      EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4
      BA 41 F2 8F AF 69 E7 3D
   Plaintext:
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      10 11 12 13 14
   Checksum:
      45 EE 79 15 67 EE FC A3 7F 4A C1 E0 22 2D E8 0D
      43 C3 BF A0 66 99 67 2A

   Sample pseudorandom function (PRF) invocations:
   -----------------------------------------------

   PRF input octet-string: "test" (0x74657374)

   enctype aes128-cts-hmac-sha256-128:
   base-key value / HMAC-SHA-256 key:
      37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C
   HMAC-SHA-256 input message:
      00 00 00 01 70 72 66 74 65 73 74 00 00 00 01 00
   PRF output:
      14 11 15 B0 A6 CB 9A 1D CB B4 C7 E2 5B 43 32 22
      52 DE 58 11 21 85 C5 DC F5 12 5E 7B 81 54 8D 39

   enctype aes256-cts-hmac-sha384-192:
   base-key value / HMAC-SHA-384 key:
      6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98
      00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52
   HMAC-SHA-384 input message:
      00 00 00 01 70 72 66 74 65 73 74 00 00 00 01 80
   PRF output:
      31 0A 4B 5C D2 90 F7 04 33 B2 A1 A1 D0 93 FD F7
      8C 6C 9D AE 5C AC D3 A7 BD 45 CB 67 44 41 99 43
      0D 36 19 06 44 E8 A2 16 66 43 AE AD E9 63 87 52

Authors' Addresses

   Michael J. Jenkins
   National Security Agency

   EMail: mjjenki@tycho.ncsc.mil

   Michael A. Peck
   The MITRE Corporation

   EMail: mpeck@mitre.org

   Kelley W. Burgin

   Email: kelley.burgin@gmail.com