Network Working Group                                         M. Jenkins
Internet Draft                                  National Security Agency
Intended Status: Informational                                   M. Peck
Expires: January 6, 2017                           The MITRE Corporation
                                                               K. Burgin
                                                            July 5, 2016

              AES Encryption with HMAC-SHA2 for Kerberos 5
                  draft-ietf-kitten-aes-cts-hmac-sha2-10

Abstract

   This document specifies two encryption types and two corresponding
   checksum types for Kerberos 5.  The new types use AES in CTS mode
   (CBC mode with ciphertext stealing) for confidentiality and HMAC with
   a SHA-2 hash for integrity.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 6, 2017.

Copyright and License Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Protocol Key Representation
   3.  Key Derivation Function
   4.  Key Generation from Pass Phrases
   5.  Kerberos Algorithm Protocol Parameters
   6.  Checksum Parameters
   7.  IANA Considerations
   8.  Security Considerations
       8.1.  Random Values in Salt Strings
       8.2.  Algorithm Rationale
   9.  Acknowledgements
   10. References
       10.1.  Normative References
       10.2.  Informative References
   Appendix A.  Test Vectors
   Authors' Addresses

1.  Introduction

   This document defines two encryption types and two corresponding
   checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys.

   To avoid ciphertext expansion, we use a variation of the CBC-CS3 mode
   defined in [SP800-38A+], also referred to as ciphertext stealing or
   CTS mode.  The new types conform to the framework specified in
   [RFC3961], but do not use the simplified profile.

   The encryption and checksum types defined in this document are
   intended to support environments that desire to use SHA-256 or
   SHA-384 (defined in [FIPS180]) as the hash algorithm.  Differences
   between the encryption and checksum types defined in this document
   and the pre-existing Kerberos AES encryption and checksum types
   specified in [RFC3962] are:

   *  The pseudorandom function used by PBKDF2 is HMAC-SHA-256 or
      HMAC-SHA-384 (HMAC is defined in [RFC2104]).

   *  A key derivation function from [SP800-108] using the SHA-256 or
      SHA-384 hash algorithm is used to produce keys for encryption,
      integrity protection, and checksum operations.

   *  The HMAC is calculated over the cipher state concatenated with the
      AES output, instead of being calculated over the confounder and
      plaintext.  This allows the message receiver to verify the
      integrity of the message before decrypting the message.

   *  The HMAC algorithm uses the SHA-256 or SHA-384 hash algorithm for
      integrity protection and checksum operations.
2.  Protocol Key Representation

   The AES key space is dense, so we can use random or pseudorandom
   octet strings directly as keys.  The byte representation for the key
   is described in [FIPS197], where the first bit of the bit string is
   the high bit of the first byte of the byte string (octet string).

3.  Key Derivation Function

   We use a key derivation function from Section 5.1 of [SP800-108]
   which uses the HMAC algorithm as the PRF.

      function KDF-HMAC-SHA2(key, label, [context,] k):
          k-truncate(K1)

   where the value of K1 is computed as below.

   key:  The source of entropy from which subsequent keys are derived
      (this is known as Ki in [SP800-108]).

   label:  An octet string describing the intended usage of the derived
      key.

   context:  This parameter is optional.  An octet string containing
      the information related to the derived keying material.  It may
      include identities of parties who are deriving and/or using the
      derived key material and, optionally, a nonce known by the
      parties who derive the keys.

   k:  Length in bits of the key to be output, expressed in big-endian
      binary representation in 4 bytes (this is called L in
      [SP800-108]).  Specifically, k=128 is represented as 0x00000080,
      192 as 0x000000C0, 256 as 0x00000100, and 384 as 0x00000180.

   When the encryption type is aes128-cts-hmac-sha256-128, k must be no
   greater than 256.  When the encryption type is
   aes256-cts-hmac-sha384-192, k must be no greater than 384.  Because
   k never exceeds the output length of the HMAC in use, a single
   iteration of the [SP800-108] counter mode produces all of the
   required bits; no further K2, K3, ... blocks are computed.

   The k-truncate function is defined in [RFC3961], Section 5.1.  It
   returns the 'k' leftmost bits of the bitstring input.

   In all computations in this document, | indicates concatenation.

   When the encryption type is aes128-cts-hmac-sha256-128, then K1 is
   computed as follows:

      If the context parameter is not present:
         K1 = HMAC-SHA-256(key, 0x00000001 | label | 0x00 | k)

      If the context parameter is present:
         K1 = HMAC-SHA-256(key, 0x00000001 | label | 0x00 | context | k)

   When the encryption type is aes256-cts-hmac-sha384-192, then K1 is
   computed as follows:

      If the context parameter is not present:
         K1 = HMAC-SHA-384(key, 0x00000001 | label | 0x00 | k)

      If the context parameter is present:
         K1 = HMAC-SHA-384(key, 0x00000001 | label | 0x00 | context | k)

   In the definitions of K1 above, '0x00000001' is the i parameter (the
   iteration counter) from Section 5.1 of [SP800-108].

4.  Key Generation from Pass Phrases

   As defined below, the string-to-key function uses PBKDF2 [RFC2898]
   and KDF-HMAC-SHA2 to derive the base-key from a passphrase and salt.
   The string-to-key parameter string is four octets indicating an
   unsigned number in big-endian order, consistent with [RFC3962],
   except that the default is decimal 32768 if the parameter is not
   specified.

   To ensure that different long-term base-keys are used with different
   enctypes, we prepend the enctype name to the salt, separated by a
   null byte.  The enctype-name is "aes128-cts-hmac-sha256-128" or
   "aes256-cts-hmac-sha384-192" (without the quotes).

   The user's long-term base-key is derived as follows:

      iter_count = string-to-key parameter, default is decimal 32768
      saltp = enctype-name | 0x00 | salt
      tkey = random-to-key(PBKDF2(passphrase, saltp,
                                  iter_count, keylength))
      base-key = random-to-key(KDF-HMAC-SHA2(tkey, "kerberos",
                                             keylength))

   where "kerberos" is the octet-string 0x6B65726265726F73, PBKDF2 is
   the function of that name from RFC 2898, the pseudorandom function
   used by PBKDF2 is HMAC-SHA-256 when the enctype is
   "aes128-cts-hmac-sha256-128" and HMAC-SHA-384 when the enctype is
   "aes256-cts-hmac-sha384-192", the value for keylength is the AES key
   length (128 or 256 bits), and the algorithm KDF-HMAC-SHA2 is defined
   in Section 3.

5.  Kerberos Algorithm Protocol Parameters

   The RFC 3961 cipher state that maintains cryptographic state across
   different encryption operations using the same key is used as the
   formal initialization vector (IV) input into CBC-CS3.  The plaintext
   is prepended with a 16-octet random nonce generated by the message
   originator, known as a confounder.

   The ciphertext is a concatenation of the output of AES in CBC-CS3
   mode and the HMAC of the cipher state concatenated with the AES
   output.  The HMAC is computed using either SHA-256 or SHA-384
   depending on the encryption type.  The output of HMAC-SHA-256 is
   truncated to 128 bits and the output of HMAC-SHA-384 is truncated to
   192 bits.  Sample test vectors are given in Appendix A.

   Decryption is performed by removing the HMAC, verifying the HMAC
   against the cipher state concatenated with the ciphertext, and then
   decrypting the ciphertext only if the HMAC is correct.  The HMAC
   comparison should be performed in constant time, so that the time
   taken to reject a forged message does not reveal how many leading
   octets of the forged HMAC were correct.  Finally, the first 16
   octets of the decryption output (the confounder) are discarded, and
   the remainder is returned as the plaintext decryption output.

   The following parameters apply to the encryption types
   aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192.

   protocol key format: as defined in Section 2.

   specific key structure: three derived keys: { Kc, Ke, Ki }.

      Kc: the checksum key, input to HMAC to provide the checksum
      mechanism defined in Section 6.

      Ke: the encryption key, input to AES encryption and decryption as
      defined in "encryption function" and "decryption function" below.

      Ki: the integrity key, input to HMAC to provide authenticated
      encryption as defined in "encryption function" and "decryption
      function" below.

   required checksum mechanism: as defined in Section 6.

   key-generation seed length: key size (128 or 256 bits).

   string-to-key function: as defined in Section 4.

   default string-to-key parameters: decimal 32768.

   random-to-key function: identity function.

   key-derivation function: KDF-HMAC-SHA2 as defined in Section 3.  The
   key usage number is expressed as four octets in big-endian order.

      If the enctype is aes128-cts-hmac-sha256-128:
         Kc = KDF-HMAC-SHA2(base-key, usage | 0x99, 128)
         Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA, 128)
         Ki = KDF-HMAC-SHA2(base-key, usage | 0x55, 128)

      If the enctype is aes256-cts-hmac-sha384-192:
         Kc = KDF-HMAC-SHA2(base-key, usage | 0x99, 192)
         Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA, 256)
         Ki = KDF-HMAC-SHA2(base-key, usage | 0x55, 192)

   cipher state: a 128-bit CBC initialization vector derived from a
   previous (if any) ciphertext using the same encryption key, as
   specified below.

   initial cipher state: all bits zero.

   encryption function: as follows, where E() is AES encryption in
   CBC-CS3 mode, and h is the size of the truncated HMAC (128 bits or
   192 bits as described above).

      N = random nonce of length 128 bits (the AES block size)
      IV = cipher state
      C = E(Ke, N | plaintext, IV)
      H = HMAC(Ki, IV | C)
      ciphertext = C | H[1..h]

   Steps to compute the 128-bit cipher state:

      L = length of C in bits
      portion C into 128-bit blocks, placing any remainder
         of less than 128 bits into a final block
      if L == 128: cipher state = C
      else if L mod 128 > 0: cipher state = last full (128-bit)
                                            block of C (the
                                            next-to-last block)
      else if L mod 128 == 0: cipher state = next-to-last block
                                             of C
      (note that L will never be less than 128 because of the
      presence of N in the encryption input)

   decryption function: as follows, where D() is AES decryption in
   CBC-CS3 mode, and h is the size of the truncated HMAC.

      (C, H) = ciphertext (Note: H is the last h bits of the ciphertext)
      IV = cipher state
      if H != HMAC(Ki, IV | C)[1..h]
         stop, report error
      (N, P) = D(Ke, C, IV)
      Note: N is set to the first block of the decryption output,
      P is set to the rest of the output.
      cipher state = same as described above in encryption function

   pseudo-random function:

      If the enctype is aes128-cts-hmac-sha256-128:
         PRF = KDF-HMAC-SHA2(input-key, "prf", octet-string, 256)

      If the enctype is aes256-cts-hmac-sha384-192:
         PRF = KDF-HMAC-SHA2(input-key, "prf", octet-string, 384)

      where "prf" is the octet-string 0x707266

6.  Checksum Parameters

   The following parameters apply to the checksum types
   hmac-sha256-128-aes128 and hmac-sha384-192-aes256, which are the
   associated checksums for aes128-cts-hmac-sha256-128 and
   aes256-cts-hmac-sha384-192, respectively.

   associated cryptosystem: aes128-cts-hmac-sha256-128 or
   aes256-cts-hmac-sha384-192 as appropriate.

   get_mic: HMAC(Kc, message)[1..h],
      where h is 128 bits for checksum type hmac-sha256-128-aes128
      and 192 bits for checksum type hmac-sha384-192-aes256.

   verify_mic: get_mic and compare.
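   The following Python is an added reference computation, not code
   from this draft or from any Kerberos implementation.  It implements
   KDF-HMAC-SHA2 (Section 3), string-to-key (Section 4), the Kc/Ke/Ki
   derivation and the pseudo-random function (Section 5) and
   get_mic/verify_mic (Section 6) using only the standard library, and
   reproduces the string-to-key, key derivation, checksum and PRF
   vectors of Appendix A.  Function and parameter names are this
   example's own; the enctype names, the 0x99/0xAA/0x55 usage suffixes
   and the "kerberos" and "prf" labels are the draft's.

```python
"""Key material for aes128-cts-hmac-sha256-128 / aes256-cts-hmac-sha384-192.

Added example (not from the draft).  Standard library only.
"""
import hashlib
import hmac

# enctype -> (hash name, AES key length in bits, truncated HMAC length in bits)
ENCTYPES = {
    "aes128-cts-hmac-sha256-128": ("sha256", 128, 128),
    "aes256-cts-hmac-sha384-192": ("sha384", 256, 192),
}


def kdf_hmac_sha2(enctype, key, label, k, context=b""):
    """Section 3: SP 800-108 counter-mode KDF with HMAC as the PRF.

    Only one iteration (i = 1) is ever needed because k never exceeds the
    HMAC output size for these enctypes; K1 is then k-truncated.
    """
    hname, _, _ = ENCTYPES[enctype]
    if k % 8 != 0 or k > hashlib.new(hname).digest_size * 8:
        raise ValueError("k must be a whole number of octets no longer than the HMAC output")
    data = (1).to_bytes(4, "big") + label + b"\x00" + context + k.to_bytes(4, "big")
    return hmac.new(key, data, hname).digest()[: k // 8]


def string_to_key(enctype, passphrase, salt, iter_count=32768):
    """Section 4: PBKDF2 over saltp = enctype-name | 0x00 | salt, then
    KDF-HMAC-SHA2 with label "kerberos".  passphrase and salt are bytes."""
    hname, keybits, _ = ENCTYPES[enctype]
    saltp = enctype.encode("ascii") + b"\x00" + salt
    tkey = hashlib.pbkdf2_hmac(hname, passphrase, saltp, iter_count, keybits // 8)
    return kdf_hmac_sha2(enctype, tkey, b"kerberos", keybits)


def derive_keys(enctype, base_key, usage):
    """Section 5: (Kc, Ke, Ki) for a 32-bit key usage number.
    Kc and Ki are as long as the truncated HMAC, Ke as long as the AES key."""
    _, keybits, hbits = ENCTYPES[enctype]
    u = usage.to_bytes(4, "big")
    kc = kdf_hmac_sha2(enctype, base_key, u + b"\x99", hbits)
    ke = kdf_hmac_sha2(enctype, base_key, u + b"\xaa", keybits)
    ki = kdf_hmac_sha2(enctype, base_key, u + b"\x55", hbits)
    return kc, ke, ki


def get_mic(enctype, kc, message):
    """Section 6: HMAC(Kc, message) truncated to h bits."""
    hname, _, hbits = ENCTYPES[enctype]
    return hmac.new(kc, message, hname).digest()[: hbits // 8]


def verify_mic(enctype, kc, message, mic):
    """Section 6: recompute and compare in constant time, so a forged MIC
    cannot be found one octet at a time from rejection timing."""
    return hmac.compare_digest(get_mic(enctype, kc, message), mic)


def prf(enctype, input_key, octet_string):
    """Section 5 pseudo-random function: label "prf", the octet-string as
    context, output length equal to the full HMAC output (256 or 384 bits)."""
    hname, _, _ = ENCTYPES[enctype]
    return kdf_hmac_sha2(enctype, input_key, b"prf", hashlib.new(hname).digest_size * 8, octet_string)


if __name__ == "__main__":
    # Constructed inputs: the Appendix A passphrase and salt, key usage 2.
    salt = bytes.fromhex("10DF9DD783E5BC8ACEA1730E74355F61") + b"ATHENA.MIT.EDUraeburn"
    for enctype in ENCTYPES:
        base = string_to_key(enctype, b"password", salt)
        kc, ke, ki = derive_keys(enctype, base, 2)
        mic = get_mic(enctype, kc, bytes(range(21)))
        print(enctype, base.hex(), kc.hex(), ke.hex(), ki.hex(), mic.hex(),
              verify_mic(enctype, kc, bytes(range(21)), mic))
```

   The PBKDF2 iteration count is the only tunable; 32768 is the draft's
   default and a KDC may advertise a larger one in the string-to-key
   parameter string.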
7.  IANA Considerations

   IANA is requested to assign:

   Encryption type numbers for aes128-cts-hmac-sha256-128 and
   aes256-cts-hmac-sha384-192 in the Kerberos Encryption Type Numbers
   registry.

      Etype   Encryption type              Reference
      -----   ---------------              ---------
      TBD1    aes128-cts-hmac-sha256-128   [this document]
      TBD2    aes256-cts-hmac-sha384-192   [this document]

   Checksum type numbers for hmac-sha256-128-aes128 and
   hmac-sha384-192-aes256 in the Kerberos Checksum Type Numbers
   registry.

      Sumtype   Checksum type            Size   Reference
      -------   -------------            ----   ---------
      TBD3      hmac-sha256-128-aes128   16     [this document]
      TBD4      hmac-sha384-192-aes256   24     [this document]

8.  Security Considerations

   This specification requires implementations to generate random
   values.  The use of inadequate pseudo-random number generators
   (PRNGs) can result in little or no security.  The generation of
   quality random numbers is difficult.  [RFC4086] offers random number
   generation guidance.

   This document specifies a mechanism for generating keys from
   passphrases or passwords.  The use of PBKDF2, a salt, and a large
   iteration count adds some resistance to off-line dictionary attacks
   by passive eavesdroppers.  Salting prevents rainbow table attacks,
   while large iteration counts slow password guess attempts.
   Nonetheless, it is important to choose strong passphrases.  Use of
   other Kerberos extensions that protect against off-line dictionary
   attacks should also be considered.

   The NIST guidance in section 5.3 of [SP800-38A], requiring that CBC
   initialization vectors be unpredictable, is satisfied by the use of a
   random confounder as the first block of plaintext.  The confounder
   fills the cryptographic role typically played by an initialization
   vector.  This approach was chosen to align with other Kerberos
   cryptosystem approaches.

8.1.  Random Values in Salt Strings

   NIST guidance in Section 5.1 of [SP800-132] requires at least 128
   bits of the salt to be randomly generated.  The string-to-key
   function as defined in [RFC3961] requires the salt to be a valid
   UTF-8 string.  Not every 128-bit random string will be valid UTF-8,
   so a UTF-8 compatible encoding would be needed to encapsulate the
   random bits.  However, using a salt containing a random portion may
   have the following issues with some implementations:

   *  Cross-realm krbtgt keys are typically managed by entering the
      same password at two KDCs to get the same keys.  If each KDC uses
      a random salt, they won't have the same keys.

   *  Random salts may interfere with password history checking.

8.2.  Algorithm Rationale

   This document has been written to be consistent with common
   implementations of AES and SHA-2.  The encryption and hash algorithm
   sizes have been chosen to create a consistent level of protection,
   with consideration to implementation efficiencies.  So, for instance,
   SHA-384, which would normally be matched to AES-192, is instead
   matched to AES-256 to leverage the fact that there are efficient
   hardware implementations of AES-256.  Note that, as indicated by the
   enctype name "aes256-cts-hmac-sha384-192", the truncation of the
   HMAC-SHA-384 output to 192 bits results in an overall 192-bit level
   of security.

9.  Acknowledgements

   Kelley Burgin was employed at the National Security Agency during
   much of the work on this document.

10.  References

10.1.  Normative References

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104, February
              1997.

   [RFC2898]  Kaliski, B., "PKCS #5: Password-Based Cryptography
              Specification Version 2.0", RFC 2898, September 2000.

   [RFC3961]  Raeburn, K., "Encryption and Checksum Specifications for
              Kerberos 5", RFC 3961, February 2005.

   [RFC3962]  Raeburn, K., "Advanced Encryption Standard (AES)
              Encryption for Kerberos 5", RFC 3962, February 2005.

   [FIPS180]  National Institute of Standards and Technology, "Secure
              Hash Standard", FIPS PUB 180-4, August 2015.

   [FIPS197]  National Institute of Standards and Technology, "Advanced
              Encryption Standard (AES)", FIPS PUB 197, November 2001.

   [SP800-38A+]  National Institute of Standards and Technology,
              "Recommendation for Block Cipher Modes of Operation: Three
              Variants of Ciphertext Stealing for CBC Mode", NIST
              Special Publication 800-38A Addendum, October 2010.

   [SP800-108]  National Institute of Standards and Technology,
              "Recommendation for Key Derivation Using Pseudorandom
              Functions", NIST Special Publication 800-108, October
              2009.

10.2.  Informative References

   [RFC4086]  Eastlake 3rd, D., Schiller, J., and S. Crocker,
              "Randomness Requirements for Security", BCP 106, RFC 4086,
              June 2005.

   [SP800-38A]  National Institute of Standards and Technology,
              "Recommendation for Block Cipher Modes of Operation:
              Methods and Techniques", NIST Special Publication 800-38A,
              December 2001.

   [SP800-132]  National Institute of Standards and Technology,
              "Recommendation for Password-Based Key Derivation, Part 1:
              Storage Applications", NIST Special Publication 800-132,
              June 2010.
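   The following Python is an added example of the Section 5 encryption
   and decryption functions; it is not code from this draft or from any
   Kerberos implementation.  It shows CBC-CS3 with the confounder, the
   HMAC over (cipher state | AES output), verify-before-decrypt with a
   constant-time comparison, and the cipher-state update, and it
   reproduces the sample encryptions in Appendix A.  It assumes the
   third-party `cryptography` package for raw AES-CBC and AES-ECB;
   the HMAC comes from the standard library.  Ke and Ki are taken from
   the Appendix A key derivation results rather than re-derived, the
   `confounder` parameter exists only so that the test vectors can be
   reproduced (callers must leave it None), and all function names are
   this example's own.

```python
"""Section 5 encryption/decryption for the two enctypes (added example).

Requires the `cryptography` package (pip install cryptography) for AES.
"""
import hmac
import os

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16
# enctype -> (HMAC hash name, truncated HMAC length in bytes)
ENCTYPES = {
    "aes128-cts-hmac-sha256-128": ("sha256", 16),
    "aes256-cts-hmac-sha384-192": ("sha384", 24),
}


def _cbc(key, iv, data, decrypt=False):
    cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
    op = cipher.decryptor() if decrypt else cipher.encryptor()
    return op.update(data) + op.finalize()


def _aes_decrypt_block(key, block):
    op = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    return op.update(block) + op.finalize()


def cbc_cs3_encrypt(key, iv, data):
    """CBC-CS3 (SP 800-38A addendum): zero-pad the final partial block,
    CBC-encrypt, then swap the last two ciphertext blocks and cut the (now)
    last one down to the partial length.  One block in -> plain CBC.
    Output length equals input length, so there is no expansion."""
    if len(data) < BLOCK:
        raise ValueError("CBC-CS3 input must be at least one block")
    if len(data) == BLOCK:
        return _cbc(key, iv, data)
    d = len(data) % BLOCK or BLOCK               # octets in the final block
    c = _cbc(key, iv, data + b"\x00" * (BLOCK - d))
    return c[:-2 * BLOCK] + c[-BLOCK:] + c[-2 * BLOCK:-BLOCK][:d]


def cbc_cs3_decrypt(key, iv, data):
    """Inverse: D(C_n) = P_n* xor C_{n-1}; because P_n* is zero-padded, its
    tail beyond d octets is the stolen part of C_{n-1}.  Rebuild C_{n-1},
    CBC-decrypt the leading blocks, and recover P_n by xor."""
    if len(data) < BLOCK:
        raise ValueError("CBC-CS3 input must be at least one block")
    if len(data) == BLOCK:
        return _cbc(key, iv, data, decrypt=True)
    d = len(data) % BLOCK or BLOCK
    head, c_n, c_prev_head = data[:-(BLOCK + d)], data[-(BLOCK + d):-d], data[-d:]
    x = _aes_decrypt_block(key, c_n)
    c_prev = c_prev_head + x[d:]
    p_n = bytes(a ^ b for a, b in zip(x[:d], c_prev[:d]))
    return _cbc(key, iv, head + c_prev, decrypt=True) + p_n


def next_cipher_state(c):
    """Cipher state after an operation: C itself when it is one block,
    otherwise the next-to-last 128-bit block (the last block that CBC
    produced, which CS3 moved ahead of the stolen remainder)."""
    if len(c) == BLOCK:
        return c
    end = len(c) - (len(c) % BLOCK or BLOCK)
    return c[end - BLOCK:end]


def encrypt(enctype, ke, ki, plaintext, cipher_state=bytes(BLOCK), confounder=None):
    """Encryption function.  Returns (ciphertext, new cipher state)."""
    hname, hlen = ENCTYPES[enctype]
    n = os.urandom(BLOCK) if confounder is None else confounder
    c = cbc_cs3_encrypt(ke, cipher_state, n + plaintext)
    h = hmac.new(ki, cipher_state + c, hname).digest()[:hlen]
    return c + h, next_cipher_state(c)


def decrypt(enctype, ke, ki, ciphertext, cipher_state=bytes(BLOCK)):
    """Decryption function: check the HMAC in constant time before any AES
    work, then strip the confounder.  Returns (plaintext, new cipher state)."""
    hname, hlen = ENCTYPES[enctype]
    if len(ciphertext) < BLOCK + hlen:
        raise ValueError("ciphertext too short")
    c, h = ciphertext[:-hlen], ciphertext[-hlen:]
    if not hmac.compare_digest(hmac.new(ki, cipher_state + c, hname).digest()[:hlen], h):
        raise ValueError("integrity check failed")
    return cbc_cs3_decrypt(ke, cipher_state, c)[BLOCK:], next_cipher_state(c)


if __name__ == "__main__":
    # Constructed demo: two messages chained through the cipher state.
    et = "aes128-cts-hmac-sha256-128"
    ke = bytes.fromhex("9B197DD1E8C5609D6E67C3E37C62C72E")   # Ke from Appendix A
    ki = bytes.fromhex("9FDA0E56AB2D85E1569A688696C26A6C")   # Ki from Appendix A
    ct1, st = encrypt(et, ke, ki, b"first message")
    ct2, _ = encrypt(et, ke, ki, b"second, chained", cipher_state=st)
    pt1, st2 = decrypt(et, ke, ki, ct1)
    pt2, _ = decrypt(et, ke, ki, ct2, cipher_state=st2)
    print(pt1, pt2, len(ct1) - len(b"first message"))   # 32 octets overhead: confounder + HMAC
```

   Every ciphertext carries exactly 16 + h/8 octets of overhead (the
   confounder and the truncated HMAC); the CBC-CS3 stealing is what
   keeps the AES output the same length as its input.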
Appendix A.  Test Vectors

   Sample results for string-to-key conversion:
   --------------------------------------------

   Iteration count = 32768
   Pass phrase = "password"
   Saltp for creating 128-bit base-key:
      61 65 73 31 32 38 2D 63 74 73 2D 68 6D 61 63 2D
      73 68 61 32 35 36 2D 31 32 38 00 10 DF 9D D7 83
      E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E
      41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E
   (The saltp is "aes128-cts-hmac-sha256-128" | 0x00 |
    random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn")
   128-bit base-key:
      08 9B CA 48 B1 05 EA 6E A7 7C A5 D2 F3 9D C5 E7

   Saltp for creating 256-bit base-key:
      61 65 73 32 35 36 2D 63 74 73 2D 68 6D 61 63 2D
      73 68 61 33 38 34 2D 31 39 32 00 10 DF 9D D7 83
      E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E
      41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E
   (The saltp is "aes256-cts-hmac-sha384-192" | 0x00 |
    random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn")
   256-bit base-key:
      45 BD 80 6D BF 6A 83 3A 9C FF C1 C9 45 89 A2 22
      36 7A 79 BC 21 C4 13 71 89 06 E9 F5 78 A7 84 67

   Sample results for key derivation:
   ----------------------------------

   enctype aes128-cts-hmac-sha256-128:
   128-bit base-key:
      37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C
   Kc value for key usage 2 (label = 0x0000000299):
      B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3
   Ke value for key usage 2 (label = 0x00000002AA):
      9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   Ki value for key usage 2 (label = 0x0000000255):
      9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C

   enctype aes256-cts-hmac-sha384-192:
   256-bit base-key:
      6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98
      00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52
   Kc value for key usage 2 (label = 0x0000000299):
      EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4
      BA 41 F2 8F AF 69 E7 3D
   Ke value for key usage 2 (label = 0x00000002AA):
      56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
      A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   Ki value for key usage 2 (label = 0x0000000255):
      69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
      22 C4 D0 0F FC 23 ED 1F

   Sample encryptions (all using the default cipher state):
   --------------------------------------------------------

   These sample encryptions use the above sample key derivation
   results, including use of the same base-key and key usage values.

   The following test vectors are for
   enctype aes128-cts-hmac-sha256-128:

   Plaintext: (empty)
   Confounder:
      7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48
   128-bit AES key (Ke):
      9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   128-bit HMAC key (Ki):
      9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C
   AES Output:
      EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D
   Truncated HMAC Output:
      AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18
   Ciphertext (AES Output | HMAC Output):
      EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D
      AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18

   Plaintext: (length less than block size)
      00 01 02 03 04 05
   Confounder:
      7B CA 28 5E 2F D4 13 0F B5 5B 1A 5C 83 BC 5B 24
   128-bit AES key (Ke):
      9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   128-bit HMAC key (Ki):
      9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C
   AES Output:
      84 D7 F3 07 54 ED 98 7B AB 0B F3 50 6B EB 09 CF
      B5 54 02 CE F7 E6
   Truncated HMAC Output:
      87 7C E9 9E 24 7E 52 D1 6E D4 42 1D FD F8 97 6C
   Ciphertext:
      84 D7 F3 07 54 ED 98 7B AB 0B F3 50 6B EB 09 CF
      B5 54 02 CE F7 E6 87 7C E9 9E 24 7E 52 D1 6E D4
      42 1D FD F8 97 6C

   Plaintext: (length equals block size)
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Confounder:
      56 AB 21 71 3F F6 2C 0A 14 57 20 0F 6F A9 94 8F
   128-bit AES key (Ke):
      9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   128-bit HMAC key (Ki):
      9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C
   AES Output:
      35 17 D6 40 F5 0D DC 8A D3 62 87 22 B3 56 9D 2A
      E0 74 93 FA 82 63 25 40 80 EA 65 C1 00 8E 8F C2
   Truncated HMAC Output:
      95 FB 48 52 E7 D8 3E 1E 7C 48 C3 7E EB E6 B0 D3
   Ciphertext:
      35 17 D6 40 F5 0D DC 8A D3 62 87 22 B3 56 9D 2A
      E0 74 93 FA 82 63 25 40 80 EA 65 C1 00 8E 8F C2
      95 FB 48 52 E7 D8 3E 1E 7C 48 C3 7E EB E6 B0 D3

   Plaintext: (length greater than block size)
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      10 11 12 13 14
   Confounder:
      A7 A4 E2 9A 47 28 CE 10 66 4F B6 4E 49 AD 3F AC
   128-bit AES key (Ke):
      9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   128-bit HMAC key (Ki):
      9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C
   AES Output:
      72 0F 73 B1 8D 98 59 CD 6C CB 43 46 11 5C D3 36
      C7 0F 58 ED C0 C4 43 7C 55 73 54 4C 31 C8 13 BC
      E1 E6 D0 72 C1
   Truncated HMAC Output:
      86 B3 9A 41 3C 2F 92 CA 9B 83 34 A2 87 FF CB FC
   Ciphertext:
      72 0F 73 B1 8D 98 59 CD 6C CB 43 46 11 5C D3 36
      C7 0F 58 ED C0 C4 43 7C 55 73 54 4C 31 C8 13 BC
      E1 E6 D0 72 C1 86 B3 9A 41 3C 2F 92 CA 9B 83 34
      A2 87 FF CB FC

   The following test vectors are for
   enctype aes256-cts-hmac-sha384-192:

   Plaintext: (empty)
   Confounder:
      F7 64 E9 FA 15 C2 76 47 8B 2C 7D 0C 4E 5F 58 E4
   256-bit AES key (Ke):
      56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
      A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   192-bit HMAC key (Ki):
      69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
      22 C4 D0 0F FC 23 ED 1F
   AES Output:
      41 F5 3F A5 BF E7 02 6D 91 FA F9 BE 95 91 95 A0
   Truncated HMAC Output:
      58 70 72 73 A9 6A 40 F0 A0 19 60 62 1A C6 12 74
      8B 9B BF BE 7E B4 CE 3C
   Ciphertext:
      41 F5 3F A5 BF E7 02 6D 91 FA F9 BE 95 91 95 A0
      58 70 72 73 A9 6A 40 F0 A0 19 60 62 1A C6 12 74
      8B 9B BF BE 7E B4 CE 3C

   Plaintext: (length less than block size)
      00 01 02 03 04 05
   Confounder:
      B8 0D 32 51 C1 F6 47 14 94 25 6F FE 71 2D 0B 9A
   256-bit AES key (Ke):
      56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
      A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   192-bit HMAC key (Ki):
      69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
      22 C4 D0 0F FC 23 ED 1F
   AES Output:
      4E D7 B3 7C 2B CA C8 F7 4F 23 C1 CF 07 E6 2B C7
      B7 5F B3 F6 37 B9
   Truncated HMAC Output:
      F5 59 C7 F6 64 F6 9E AB 7B 60 92 23 75 26 EA 0D
      1F 61 CB 20 D6 9D 10 F2
   Ciphertext:
      4E D7 B3 7C 2B CA C8 F7 4F 23 C1 CF 07 E6 2B C7
      B7 5F B3 F6 37 B9 F5 59 C7 F6 64 F6 9E AB 7B 60
      92 23 75 26 EA 0D 1F 61 CB 20 D6 9D 10 F2

   Plaintext: (length equals block size)
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Confounder:
      53 BF 8A 0D 10 52 65 D4 E2 76 42 86 24 CE 5E 63
   256-bit AES key (Ke):
      56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
      A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   192-bit HMAC key (Ki):
      69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
      22 C4 D0 0F FC 23 ED 1F
   AES Output:
      BC 47 FF EC 79 98 EB 91 E8 11 5C F8 D1 9D AC 4B
      BB E2 E1 63 E8 7D D3 7F 49 BE CA 92 02 77 64 F6
   Truncated HMAC Output:
      8C F5 1F 14 D7 98 C2 27 3F 35 DF 57 4D 1F 93 2E
      40 C4 FF 25 5B 36 A2 66
   Ciphertext:
      BC 47 FF EC 79 98 EB 91 E8 11 5C F8 D1 9D AC 4B
      BB E2 E1 63 E8 7D D3 7F 49 BE CA 92 02 77 64 F6
      8C F5 1F 14 D7 98 C2 27 3F 35 DF 57 4D 1F 93 2E
      40 C4 FF 25 5B 36 A2 66

   Plaintext: (length greater than block size)
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      10 11 12 13 14
   Confounder:
      76 3E 65 36 7E 86 4F 02 F5 51 53 C7 E3 B5 8A F1
   256-bit AES key (Ke):
      56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
      A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   192-bit HMAC key (Ki):
      69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
      22 C4 D0 0F FC 23 ED 1F
   AES Output:
      40 01 3E 2D F5 8E 87 51 95 7D 28 78 BC D2 D6 FE
      10 1C CF D5 56 CB 1E AE 79 DB 3C 3E E8 64 29 F2
      B2 A6 02 AC 86
   Truncated HMAC Output:
      FE F6 EC B6 47 D6 29 5F AE 07 7A 1F EB 51 75 08
      D2 C1 6B 41 92 E0 1F 62
   Ciphertext:
      40 01 3E 2D F5 8E 87 51 95 7D 28 78 BC D2 D6 FE
      10 1C CF D5 56 CB 1E AE 79 DB 3C 3E E8 64 29 F2
      B2 A6 02 AC 86 FE F6 EC B6 47 D6 29 5F AE 07 7A
      1F EB 51 75 08 D2 C1 6B 41 92 E0 1F 62

   Sample checksums:
   -----------------

   These sample checksums use the above sample key derivation results,
   including use of the same base-key and key usage values.

   Checksum type: hmac-sha256-128-aes128
   128-bit HMAC key (Kc):
      B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3
   Plaintext:
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      10 11 12 13 14
   Checksum:
      D7 83 67 18 66 43 D6 7B 41 1C BA 91 39 FC 1D EE

   Checksum type: hmac-sha384-192-aes256
   192-bit HMAC key (Kc):
      EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4
      BA 41 F2 8F AF 69 E7 3D
   Plaintext:
      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      10 11 12 13 14
   Checksum:
      45 EE 79 15 67 EE FC A3 7F 4A C1 E0 22 2D E8 0D
      43 C3 BF A0 66 99 67 2A

   Sample pseudorandom function (PRF) invocations:
   -----------------------------------------------

   PRF input octet-string: "test" (0x74657374)

   enctype aes128-cts-hmac-sha256-128:
   input-key value / HMAC-SHA-256 key:
      37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C
   HMAC-SHA-256 input message:
      00 00 00 01 70 72 66 00 74 65 73 74 00 00 01 00
   PRF output:
      9D 18 86 16 F6 38 52 FE 86 91 5B B8 40 B4 A8 86
      FF 3E 6B B0 F8 19 B4 9B 89 33 93 D3 93 85 42 95

   enctype aes256-cts-hmac-sha384-192:
   input-key value / HMAC-SHA-384 key:
      6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98
      00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52
   HMAC-SHA-384 input message:
      00 00 00 01 70 72 66 00 74 65 73 74 00 00 01 80
   PRF output:
      98 01 F6 9A 36 8C 2B F6 75 E5 95 21 E1 77 D9 A0
      7F 67 EF E1 CF DE 8D 3C 8D 6F 6A 02 56 E3 B1 7D
      B3 C1 B6 2A D1 B8 55 33 60 D1 73 67 EB 15 14 D2

Authors' Addresses

   Michael J. Jenkins
   National Security Agency

   EMail: mjjenki@tycho.ncsc.mil

   Michael A. Peck
   The MITRE Corporation

   EMail: mpeck@mitre.org

   Kelley W. Burgin

   Email: kelley.burgin@gmail.com