idnits 2.17.1 draft-ietf-krb-wg-camellia-cts-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC3962]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 1, 2012) is 4218 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'RFCXXXX' is mentioned on line 264, but not defined Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Kerberos Working Group G. Hudson 3 Internet-Draft MIT Kerberos Consortium 4 Intended status: Informational October 1, 2012 5 Expires: April 4, 2013 7 Camellia Encryption for Kerberos 5 8 draft-ietf-krb-wg-camellia-cts-02 10 Abstract 12 This document specifies two encryption types and two corresponding 13 checksum types for the Kerberos cryptosystem framework defined in RFC 14 3961. The new types use the Camellia block cipher in CBC-mode with 15 ciphertext stealing [RFC3962] and the CMAC algorithm for integrity 16 protection. 18 Status of this Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on April 4, 2013. 35 Copyright Notice 37 Copyright (c) 2012 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 1. Introduction 52 The Camellia block cipher, described in [RFC3713], has a 128-bit 53 block size and a 128-bit, 192-bit, or 256-bit key size, similar to 54 AES. This document specifies Kerberos encryption and checksum types 55 for Camellia using 128-bit or 256-bit keys. The new types conform to 56 the framework specified in [RFC3961], but do not use the simplified 57 profile. 59 Like the simplified profile, the new types use key derivation to 60 produce keys for encryption, integrity protection, and checksum 61 operations. Instead of the [RFC3961] section 5.1 key derivation 62 function, the new types use a key derivation function from the family 63 specified in [SP800-108]. 65 The new types use the CMAC algorithm for integrity protection and 66 checksum operations. As a consequence, they do not rely on a hash 67 algorithm except when generating keys from strings. 69 Like the AES encryption types [RFC3962], the new encryption types use 70 CBC mode with ciphertext stealing to avoid the need for padding. 71 They also use the same PBKDF2 algorithm for key generation from 72 strings, with a modification to the salt string to ensure that 73 different keys are generated for Camellia and AES encryption types. 75 2. Protocol Key Representation 77 The Camellia key space is dense, so we use random octet strings 78 directly as keys. The first bit of the Camellia bit string is the 79 high bit of the first byte of the random octet string. 81 3. Key Derivation 83 We use a key derivation function from the family specified in 84 [SP800-108] section 5.2, "KDF in Feedback Mode". The PRF parameter 85 of the key derivation function is CMAC with Camellia-128 or Camellia- 86 256 as the underlying block cipher; this PRF has an output size of 87 128 bits. A block counter is used with a length of 4 bytes, 88 represented in big-endian order. The length of the output key in 89 bits (denoted as k) is also represented as a four-byte string in big- 90 endian order. The label input to the KDF is the usage constant 91 supplied to the key derivation function, and the context is unused. 92 In the following summary, | indicates concatenation. The random-to- 93 key function is the identity function, as defined in Section 6. The 94 k-truncate funtion is defined in [RFC3961] section 5.1. 96 n = ceiling(k / 128) 97 K(0) = zeros 98 K(i) = CMAC(key, K(i-1) | i | constant | 0x00 | k) 99 DR(key, constant) = k-truncate(K(1) | K(2) | ... | K(n)) 100 KDF-FEEDBACK-CMAC(key, constant) = random-to-key(DR(key, constant)) 102 The constants used for key derivation are the same as those used in 103 the simplified profile. 105 4. Key Generation from Strings 107 We use a variation on the key generation algorithm specified in 108 [RFC3962] section 4. 110 First, to ensure that different long-term keys are used with Camellia 111 and AES, we prepend the enctype name to the salt string, separated by 112 a null byte. The enctype name is "camellia128-cts-cmac" or 113 "camellia256-cts-cmac" (without the quotes). 115 Second, the final key derivation step uses the algorithm described in 116 Section 3 instead of the key derivation algorithm used by the 117 simplified profile. 119 Third, if no string-to-key parameters are specified, the default 120 number of iterations is raised to 32768. 122 saltp = enctype-name | 0x00 | salt 123 tkey = random-to-key(PBKDF2-HMAC-SHA1(passphrase, saltp, 124 iter_count, keylength)) 125 key = KDF-FEEDBACK-CMAC(tkey, "kerberos") 127 5. CMAC Checksum Algorithm 129 For integrity protection and checksums, we use the CMAC function 130 defined in [SP800-38B], with Camellia-128 or Camellia-256 as the 131 underlying block cipher. The output length (Tlen) is 128 bits for 132 both key sizes. 134 6. Encryption Algorithm Parameters 136 The following parameters, required by [RFC3961] section 3, apply to 137 the encryption types camellia128-cts-cmac, which uses a 128-bit 138 protocol key, and camellia256-cts-cmac, which uses a 256-bit protocol 139 key. 141 Protocol key format: as defined in Section 2. 143 Specific key structure: three protocol format keys: { Kc, Ke, Ki }. 145 Required checksum mechanism: as defined in Section 7. 147 Key generation seed length: the key size (128 or 256 bits). 149 String-to-key function: as defined in Section 4. 151 Random-to-key function: identity function. 153 Key-derivation function: as indicated below, with usage represented 154 as four octets in big-endian order. 156 String-to-key parameter format: four octets indicating a 32-bit 157 iteration count in big-endian order. Implementations may limit the 158 count as specified in [RFC3962] section 4. 160 Default string-to-key parameters: 00 00 80 00. 162 Kc = KDF-FEEDBACK-CMAC(base-key, usage | 0x99) 163 Ke = KDF-FEEDBACK-CMAC(base-key, usage | 0xAA) 164 Ki = KDF-FEEDBACK-CMAC(base-key, usage | 0x55) 166 Cipher state: a 128-bit CBC initialization vector. 168 Initial cipher state: all bits zero. 170 Encryption function: as follows, where E() is Camellia encryption in 171 CBC-CTS mode, with the next-to-last block used as the CBC-style ivec, 172 or the last block if there is only one. 174 conf = Random string of 128 bits 175 (C, newstate) = E(Ke, conf | plaintext, oldstate) 176 M = CMAC(Ki, conf | plaintext) 177 ciphertext = C | M 179 Decryption function: as follows, where D() is Camellia decryption in 180 CBC-CTS mode, with the ivec treated as in E(). To separate the 181 ciphertext into C and M components, use the final final 16 bytes for 182 M and all of the preceding bytes for C. 184 (C, M) = ciphertext 185 (P, newIV) = D(Ke, C, oldstate) 186 if (M != CMAC(Ki, P)) report error 187 newstate = newIV 188 Pseudo-random function: as follows. 190 Kp = KDF-FEEDBACK-CMAC(protocol-key, "prf") 191 PRF = CMAC(Kp, octet-string) 193 7. Checksum Parameters 195 The following parameters, required by [RFC3961] section 4, apply to 196 the checksum types cmac-camellia128 and cmac-camellia256, which are 197 the associated checksum for camellia128-cts-cmac and camellia256-cts- 198 cmac respectively. 200 Associated cryptosystem: Camellia-128 or Camellia-256 as appropriate 201 for the checksum type. 203 get_mic: CMAC(Kc, message). 205 verify_mic: get_mic and compare. 207 8. Security Considerations 209 [CRYPTOENG] chapter 4 discusses weaknesses of the CBC cipher mode. 210 An attacker who can observe enough messages generated with the same 211 key to encounter a collision in ciphertext blocks could recover the 212 XOR of the plaintexts of the previous blocks. Observing such a 213 collision becomes likely as the number of blocks observed approaches 214 2^64. This consideration applies to all previously standardized 215 Kerberos encryption types and all uses of CBC encryption with 128-bit 216 block ciphers in other protocols. Kerberos deployments can mitigate 217 this concern by rolling over keys often enough to make observing 2^64 218 messages unlikely. 220 Because the new checksum types are deterministic, an attacker could 221 pre-compute checksums for a known plain-text message in 2^64 randomly 222 chosen protocol keys. The attacker could then observe checksums 223 legitimately computed in different keys until a collision with one of 224 the pre-computed keys is observed; this becomes likely after the 225 number of observed checksums approaches 2^64. Observing such a 226 collision allows the attacker to recover the protocol key. This 227 consideration applies to most previously standardized Kerberos 228 checksum types and most uses of 128-bit checksums in other protocols. 230 Kerberos deployments should not migrate to the Camellia encryption 231 types simply because they are newer, but should use them only if 232 business needs require the use of Camellia, or if a serious flaw is 233 discovered in AES which does not apply to Camellia. 235 The security considerations described in [RFC3962] section 8 236 regarding the string-to-key algorithm also apply to the Camellia 237 encryption types. 239 At the time of writing this document, there are no known weak keys 240 for Camellia, and no security problem has been found on Camellia (see 241 [NESSIE], [CRYPTREC], and [LNCS5867]). 243 9. IANA Considerations 245 IANA has assigned the following numbers from the Encryption Type 246 Numbers and Checksum Type Numbers registries defined in [RFC3961] 247 section 11. 249 Encryption types 251 +-------+----------------------+-----------+ 252 | etype | encryption type | Reference | 253 +-------+----------------------+-----------+ 254 | TBD1 | camellia128-cts-cmac | [RFCXXXX] | 255 | TBD2 | camellia256-cts-cmac | [RFCXXXX] | 256 +-------+----------------------+-----------+ 258 Checksum types 260 +---------------+------------------+---------------+-----------+ 261 | sumtype value | Checksum type | checksum size | Reference | 262 +---------------+------------------+---------------+-----------+ 263 | TBD3 | cmac-camellia128 | 16 | [RFCXXXX] | 264 | TBD4 | cmac-camellia256 | 16 | [RFCXXXX] | 265 +---------------+------------------+---------------+-----------+ 267 [TO BE REMOVED: These registries are at: http://www.iana.org/ 268 assignments/kerberos-parameters/kerberos-parameters.xml] 270 10. Test Vectors 272 Sample results for string-to-key conversion: 274 Iteration count = 1 275 Pass phrase = "password" 276 Salt = "ATHENA.MIT.EDUraeburn" 277 128-bit Camellia key: 278 57 D0 29 72 98 FF D9 D3 5D E5 A4 7F B4 BD E2 4B 279 256-bit Camellia key: 280 B9 D6 82 8B 20 56 B7 BE 65 6D 88 A1 23 B1 FA C6 281 82 14 AC 2B 72 7E CF 5F 69 AF E0 C4 DF 2A 6D 2C 283 Iteration count = 2 284 Pass phrase = "password" 285 Salt = "ATHENA.MIT.EDUraeburn" 286 128-bit Camellia key: 287 73 F1 B5 3A A0 F3 10 F9 3B 1D E8 CC AA 0C B1 52 288 256-bit Camellia key: 289 83 FC 58 66 E5 F8 F4 C6 F3 86 63 C6 5C 87 54 9F 290 34 2B C4 7E D3 94 DC 9D 3C D4 D1 63 AD E3 75 E3 292 Iteration count = 1200 293 Pass phrase = "password" 294 Salt = "ATHENA.MIT.EDUraeburn" 295 128-bit Camellia key: 296 8E 57 11 45 45 28 55 57 5F D9 16 E7 B0 44 87 AA 297 256-bit Camellia key: 298 77 F4 21 A6 F2 5E 13 83 95 E8 37 E5 D8 5D 38 5B 299 4C 1B FD 77 2E 11 2C D9 20 8C E7 2A 53 0B 15 E6 301 Iteration count = 5 302 Pass phrase = "password" 303 Salt=0x1234567878563412 304 128-bit Camellia key: 305 00 49 8F D9 16 BF C1 C2 B1 03 1C 17 08 01 B3 81 306 256-bit Camellia key: 307 11 08 3A 00 BD FE 6A 41 B2 F1 97 16 D6 20 2F 0A 308 FA 94 28 9A FE 8B 27 A0 49 BD 28 B1 D7 6C 38 9A 310 Iteration count = 1200 311 Pass phrase = (64 characters) 312 "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" 313 Salt="pass phrase equals block size" 314 128-bit Camellia key: 315 8B F6 C3 EF 70 9B 98 1D BB 58 5D 08 68 43 BE 05 316 256-bit Camellia key: 317 11 9F E2 A1 CB 0B 1B E0 10 B9 06 7A 73 DB 63 ED 318 46 65 B4 E5 3A 98 D1 78 03 5D CF E8 43 A6 B9 B0 320 Iteration count = 1200 321 Pass phrase = (65 characters) 322 "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" 323 Salt = "pass phrase exceeds block size" 324 128-bit Camellia key: 325 57 52 AC 8D 6A D1 CC FE 84 30 B3 12 87 1C 2F 74 326 256-bit Camellia key: 327 61 4D 5D FC 0B A6 D3 90 B4 12 B8 9A E4 D5 B0 88 328 B6 12 B3 16 51 09 94 67 9D DB 43 83 C7 12 6D DF 330 Iteration count = 50 331 Pass phrase = g-clef (0xf09d849e) 332 Salt = "EXAMPLE.COMpianist" 333 128-bit Camellia key: 334 CC 75 C7 FD 26 0F 1C 16 58 01 1F CC 0D 56 06 16 335 256-bit Camellia key: 336 16 3B 76 8C 6D B1 48 B4 EE C7 16 3D F5 AE D7 0E 337 20 6B 68 CE C0 78 BC 06 9E D6 8A 7E D3 6B 1E CC 339 Sample results for key derivation: 341 128-bit Camellia key: 342 57 D0 29 72 98 FF D9 D3 5D E5 A4 7F B4 BD E2 4B 343 Kc value for key usage 2 (constant = 0x0000000299): 344 D1 55 77 5A 20 9D 05 F0 2B 38 D4 2A 38 9E 5A 56 345 Ke value for key usage 2 (constant = 0x00000002AA): 346 64 DF 83 F8 5A 53 2F 17 57 7D 8C 37 03 57 96 AB 347 Ki value for key usage 2 (constant = 0x0000000255): 348 3E 4F BD F3 0F B8 25 9C 42 5C B6 C9 6F 1F 46 35 350 256-bit Camellia key: 351 B9 D6 82 8B 20 56 B7 BE 65 6D 88 A1 23 B1 FA C6 352 82 14 AC 2B 72 7E CF 5F 69 AF E0 C4 DF 2A 6D 2C 353 Kc value for key usage 2 (constant = 0x0000000299): 354 E4 67 F9 A9 55 2B C7 D3 15 5A 62 20 AF 9C 19 22 355 0E EE D4 FF 78 B0 D1 E6 A1 54 49 91 46 1A 9E 50 356 Ke value for key usage 2 (constant = 0x00000002AA): 357 41 2A EF C3 62 A7 28 5F C3 96 6C 6A 51 81 E7 60 358 5A E6 75 23 5B 6D 54 9F BF C9 AB 66 30 A4 C6 04 359 Ki value for key usage 2 (constant = 0x0000000255): 360 FA 62 4F A0 E5 23 99 3F A3 88 AE FD C6 7E 67 EB 361 CD 8C 08 E8 A0 24 6B 1D 73 B0 D1 DD 9F C5 82 B0 363 Sample encryptions (all using the default cipher state): 365 Plaintext: (empty) 366 128-bit Camellia key: 367 1D C4 6A 8D 76 3F 4F 93 74 2B CB A3 38 75 76 C3 368 Random confounder: 369 B6 98 22 A1 9A 6B 09 C0 EB C8 55 7D 1F 1B 6C 0A 370 Ciphertext: 371 C4 66 F1 87 10 69 92 1E DB 7C 6F DE 24 4A 52 DB 372 0B A1 0E DC 19 7B DB 80 06 65 8C A3 CC CE 6E B8 374 Plaintext: 1 375 Random confounder: 376 6F 2F C3 C2 A1 66 FD 88 98 96 7A 83 DE 95 96 D9 377 128-bit Camellia key: 379 50 27 BC 23 1D 0F 3A 9D 23 33 3F 1C A6 FD BE 7C 380 Ciphertext: 381 84 2D 21 FD 95 03 11 C0 DD 46 4A 3F 4B E8 D6 DA 382 88 A5 6D 55 9C 9B 47 D3 F9 A8 50 67 AF 66 15 59 383 B8 385 Plaintext: 9 bytesss 386 Random confounder: 387 A5 B4 A7 1E 07 7A EE F9 3C 87 63 C1 8F DB 1F 10 388 128-bit Camellia key: 389 A1 BB 61 E8 05 F9 BA 6D DE 8F DB DD C0 5C DE A0 390 Ciphertext: 391 61 9F F0 72 E3 62 86 FF 0A 28 DE B3 A3 52 EC 0D 392 0E DF 5C 51 60 D6 63 C9 01 75 8C CF 9D 1E D3 3D 393 71 DB 8F 23 AA BF 83 48 A0 395 Plaintext: 13 bytes byte 396 Random confounder: 397 19 FE E4 0D 81 0C 52 4B 5B 22 F0 18 74 C6 93 DA 398 128-bit Camellia key: 399 2C A2 7A 5F AF 55 32 24 45 06 43 4E 1C EF 66 76 400 Ciphertext: 401 B8 EC A3 16 7A E6 31 55 12 E5 9F 98 A7 C5 00 20 402 5E 5F 63 FF 3B B3 89 AF 1C 41 A2 1D 64 0D 86 15 403 C9 ED 3F BE B0 5A B6 AC B6 76 89 B5 EA 405 Plaintext: 30 bytes bytes bytes bytes byt 406 Random confounder: 407 CA 7A 7A B4 BE 19 2D AB D6 03 50 6D B1 9C 39 E2 408 128-bit Camellia key: 409 78 24 F8 C1 6F 83 FF 35 4C 6B F7 51 5B 97 3F 43 410 Ciphertext: 411 A2 6A 39 05 A4 FF D5 81 6B 7B 1E 27 38 0D 08 09 412 0C 8E C1 F3 04 49 6E 1A BD CD 2B DC D1 DF FC 66 413 09 89 E1 17 A7 13 DD BB 57 A4 14 6C 15 87 CB A4 414 35 66 65 59 1D 22 40 28 2F 58 42 B1 05 A5 416 Plaintext: (empty) 417 Random confounder: 418 3C BB D2 B4 59 17 94 10 67 F9 65 99 BB 98 92 6C 419 256-bit Camellia key: 420 B6 1C 86 CC 4E 5D 27 57 54 5A D4 23 39 9F B7 03 421 1E CA B9 13 CB B9 00 BD 7A 3C 6D D8 BF 92 01 5B 422 Ciphertext: 423 03 88 6D 03 31 0B 47 A6 D8 F0 6D 7B 94 D1 DD 83 424 7E CC E3 15 EF 65 2A FF 62 08 59 D9 4A 25 92 66 426 Plaintext: 1 427 Random confounder: 428 DE F4 87 FC EB E6 DE 63 46 D4 DA 45 21 BB A2 D2 429 256-bit Camellia key: 430 1B 97 FE 0A 19 0E 20 21 EB 30 75 3E 1B 6E 1E 77 431 B0 75 4B 1D 68 46 10 35 58 64 10 49 63 46 38 33 432 Ciphertext: 433 2C 9C 15 70 13 3C 99 BF 6A 34 BC 1B 02 12 00 2F 434 D1 94 33 87 49 DB 41 35 49 7A 34 7C FC D9 D1 8A 435 12 437 Plaintext: 9 bytesss 438 Random confounder: 439 AD 4F F9 04 D3 4E 55 53 84 B1 41 00 FC 46 5F 88 440 256-bit Camellia key: 441 32 16 4C 5B 43 4D 1D 15 38 E4 CF D9 BE 80 40 FE 442 8C 4A C7 AC C4 B9 3D 33 14 D2 13 36 68 14 7A 05 443 Ciphertext: 444 9C 6D E7 5F 81 2D E7 ED 0D 28 B2 96 35 57 A1 15 445 64 09 98 27 5B 0A F5 15 27 09 91 3F F5 2A 2A 9C 446 8E 63 B8 72 F9 2E 64 C8 39 448 Plaintext: 13 bytes byte 449 Random confounder: 450 CF 9B CA 6D F1 14 4E 0C 0A F9 B8 F3 4C 90 D5 14 451 256-bit Camellia key: 452 B0 38 B1 32 CD 8E 06 61 22 67 FA B7 17 00 66 D8 453 8A EC CB A0 B7 44 BF C6 0D C8 9B CA 18 2D 07 15 454 Ciphertext: 455 EE EC 85 A9 81 3C DC 53 67 72 AB 9B 42 DE FC 57 456 06 F7 26 E9 75 DD E0 5A 87 EB 54 06 EA 32 4C A1 457 85 C9 98 6B 42 AA BE 79 4B 84 82 1B EE 459 Plaintext: 30 bytes bytes bytes bytes byt 460 Random confounder: 461 64 4D EF 38 DA 35 00 72 75 87 8D 21 68 55 E2 28 462 256-bit Camellia key: 463 CC FC D3 49 BF 4C 66 77 E8 6E 4B 02 B8 EA B9 24 464 A5 46 AC 73 1C F9 BF 69 89 B9 96 E7 D6 BF BB A7 465 Ciphertext: 466 0E 44 68 09 85 85 5F 2D 1F 18 12 52 9C A8 3B FD 467 8E 34 9D E6 FD 9A DA 0B AA A0 48 D6 8E 26 5F EB 468 F3 4A D1 25 5A 34 49 99 AD 37 14 68 87 A6 C6 84 469 57 31 AC 7F 46 37 6A 05 04 CD 06 57 14 74 471 Sample checksums: 473 Plaintext: abcdefghijk 474 Checksum type: cmac-camellia128 475 128-bit Camellia key: 476 1D C4 6A 8D 76 3F 4F 93 74 2B CB A3 38 75 76 C3 477 Key usage: 7 478 Checksum: 479 11 78 E6 C5 C4 7A 8C 1A E0 C4 B9 C7 D4 EB 7B 6B 481 Plaintext: ABCDEFGHIJKLMNOPQRSTUVWXYZ 482 Checksum type: cmac-camellia128 483 128-bit Camellia key: 484 50 27 BC 23 1D 0F 3A 9D 23 33 3F 1C A6 FD BE 7C 485 Key usage: 8 486 Checksum: 487 D1 B3 4F 70 04 A7 31 F2 3A 0C 00 BF 6C 3F 75 3A 489 Plaintext: 123456789 490 Checksum type: cmac-camellia256 491 256-bit Camellia key: 492 B6 1C 86 CC 4E 5D 27 57 54 5A D4 23 39 9F B7 03 493 1E CA B9 13 CB B9 00 BD 7A 3C 6D D8 BF 92 01 5B 494 Key usage: 9 495 Checksum: 496 87 A1 2C FD 2B 96 21 48 10 F0 1C 82 6E 77 44 B1 498 Plaintext: !@#$%^&*()!@#$%^&*()!@#$%^&*() 499 Checksum type: cmac-camellia256 500 256-bit Camellia key: 501 32 16 4C 5B 43 4D 1D 15 38 E4 CF D9 BE 80 40 FE 502 8C 4A C7 AC C4 B9 3D 33 14 D2 13 36 68 14 7A 05 503 Key usage: 10 504 Checksum: 505 3F A0 B4 23 55 E5 2B 18 91 87 29 4A A2 52 AB 64 507 11. References 509 11.1. Normative References 511 [RFC3713] Matsui, M., Nakajima, J., and S. Moriai, "A Description of 512 the Camellia Encryption Algorithm", RFC 3713, April 2004. 514 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for 515 Kerberos 5", RFC 3961, February 2005. 517 [RFC3962] Raeburn, K., "Advanced Encryption Standard (AES) 518 Encryption for Kerberos 5", RFC 3962, February 2005. 520 [SP800-38B] 521 Dworkin, M., "Recommendation for Block Cipher Modes of 522 Operation: The CMAC Mode for Authentication", NIST Special 523 Publication 800-38B, October 2009. 525 [SP800-108] 526 Chen, L., "Recommendation for Key Derivation Using 527 Pseudorandom Functions", NIST Special Publication 800-108, 528 October 2009. 530 11.2. Non-normative References 532 [CRYPTOENG] 533 Schneier, B., "Cryptography Engineering", March 2010. 535 [CRYPTREC] 536 Information-technology Promotion Agency (IPA), 537 "Cryptography Research and Evaluation Committees", 538 . 540 [LNCS5867] 541 Mala, H., Shakiba, M., and M. Dakhil-alian, "New Results 542 on Impossible Different Cryptanalysis of Reduced Round 543 Camellia-128", LNCS 5867, November 2009, 544 . 546 [NESSIE] The NESSIE Project, "New European Schemes for Signatures, 547 Integrity, and Encryption", 548 . 550 Appendix A. Acknowledgements 552 The author would like to thank Ken Raeburn, Satoru Kanno, Jeffrey 553 Hutzelman, Nico Williams, Sam Hartman, and Tom Yu for their help in 554 reviewing and providing feedback on this document. 556 Author's Address 558 Greg Hudson 559 MIT Kerberos Consortium 561 Email: ghudson@mit.edu