idnits 2.17.1 draft-irtf-cfrg-re-keying-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** There are 17 instances of too long lines in the document, the longest one being 15 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 27, 2017) is 2614 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '1' on line 696 == Missing Reference: '2t' is mentioned on line 667, but not defined == Missing Reference: 'K' is mentioned on line 1198, but not defined Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 CFRG S. Smyshlyaev, Ed. 3 Internet-Draft CryptoPro 4 Intended status: Informational R. Housley 5 Expires: August 31, 2017 Vigil Security, LLC 6 M. Bellare 7 University of California, San Diego 8 E. Alekseev 9 E. Smyshlyaeva 10 CryptoPro 11 February 27, 2017 13 Re-keying Mechanisms for Symmetric Keys 14 draft-irtf-cfrg-re-keying-00 16 Abstract 18 This specification contains a description of a variety of methods to 19 increase the lifetime of symmetric keys. It provides external and 20 internal re-keying mechanisms that can be used with such modes of 21 operations as CTR, GCM, CBC, CFB, OFB and OMAC. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on August 31, 2017. 40 Copyright Notice 42 Copyright (c) 2017 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 58 2. Conventions Used in This Document . . . . . . . . . . . . . . 3 59 3. Basic Terms and Definitions . . . . . . . . . . . . . . . . . 3 60 4. External Re-keying Mechanisms . . . . . . . . . . . . . . . . 5 61 4.1. Parallel Constructions . . . . . . . . . . . . . . . . . 5 62 4.1.1. Parallel Construction Based on a KDF on a Block 63 Cipher . . . . . . . . . . . . . . . . . . . . . . . 6 64 4.1.2. Parallel Construction Based on HKDF . . . . . . . . . 6 65 4.2. Serial Constructions . . . . . . . . . . . . . . . . . . 7 66 4.2.1. Serial Construction Based on a KDF on a Block Cipher 7 67 4.2.2. Serial Construction Based on HKDF . . . . . . . . . . 8 68 5. Internal Re-keying Mechanisms . . . . . . . . . . . . . . . . 8 69 5.1. Constructions that Do Not Require Master Key . . . . . . 8 70 5.1.1. ACPKM Re-keying Mechanisms . . . . . . . . . . . . . 8 71 5.1.2. CTR-ACPKM Encryption Mode . . . . . . . . . . . . . . 10 72 5.1.3. GCM-ACPKM Encryption Mode . . . . . . . . . . . . . . 12 73 5.2. Constructions that Require Master Key . . . . . . . . . . 14 74 5.2.1. ACPKM-Master Key Generation from the Master Key . . . 15 75 5.2.2. CTR Mode Key Meshing . . . . . . . . . . . . . . . . 17 76 5.2.3. GCM Mode Key Meshing . . . . . . . . . . . . . . . . 19 77 5.2.4. CBC Mode Key Meshing . . . . . . . . . . . . . . . . 22 78 5.2.5. CFB Mode Key Meshing . . . . . . . . . . . . . . . . 24 79 5.2.6. OFB Mode Key Meshing . . . . . . . . . . . . . . . . 26 80 5.2.7. OMAC Mode Key Meshing . . . . . . . . . . . . . . . . 27 81 6. Joint Usage of External and Internal Re-keying . . . . . . . 29 82 7. Security Considerations . . . . . . . . . . . . . . . . . . . 29 83 7.1. Principles of Choice of Constructions and Security 84 Parameters . . . . . . . . . . . . . . . . . . . . . . . 29 85 7.2. Requirements For Base Primitives . . . . . . . . . . . . 30 86 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 87 8.1. Normative References . . . . . . . . . . . . . . . . . . 30 88 8.2. Informative References . . . . . . . . . . . . . . . . . 31 89 Appendix A. Test examples . . . . . . . . . . . . . . . . . . . 31 90 Appendix B. Contributors . . . . . . . . . . . . . . . . . . . . 35 91 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 35 93 1. Introduction 95 Common attacks base their success on the ability to get many 96 encryptions under a single key. If encryption is performed under a 97 single key, there is a certain maximum threshold number of messages 98 that can be safely encrypted. These restrictions can come either 99 from combinatorial properties of the used cipher modes of operation 100 (for example, birthday attack [BDJR]) or from particular 101 cryptographic attacks on the used block cipher (for example, linear 102 cryptanalysis [Matsui]). Moreover, most strict restrictions here 103 follow from the need to resist side-channel attacks. The adversary's 104 opportunity to obtain an essential amount of data processed with a 105 single key leads not only to theoretic but also to practical 106 vulnerabilities (see [BL]). Therefore, when the total size of a 107 plaintext processed with a single key reaches threshold values, this 108 key cannot be used anymore and certain procedures with encryption 109 keys are needed. 111 The most simple and obvious way for overcoming the key lifetimes 112 limitations is a renegotiation of a regular session key. However, 113 this reduces the total performance since it usually entails the 114 frequent use of a public key cryptography. 116 Another way is to use a transformation of a previously negotiated 117 key. This specification presents the description of such mechanisms 118 and the description of the cases when these mechanisms should be 119 applied. 121 2. Conventions Used in This Document 123 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 124 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 125 document are to be interpreted as described in [RFC2119]. 127 3. Basic Terms and Definitions 129 This document uses the following terms and definitions for the sets 130 and operations on the elements of these sets: 132 (xor) exclusive-or of two binary vectors of the same length. 134 V* the set of all strings of a finite length (hereinafter 135 referred to as strings), including the empty string; 137 V_s the set of all binary strings of length s, where s is a non- 138 negative integer; substrings and string components are 139 enumerated from right to left starting from one; 141 |X| the bit length of the bit string X; 143 A|B concatenation of strings A and B both belonging to V*, i.e., 144 a string in V_{|A|+|B|}, where the left substring in V_|A| is 145 equal to A, and the right substring in V_|B| is equal to B; 147 Z_{2^n} ring of residues modulo 2^n; 149 Int_s: V_s -> Z_{2^s} the transformation that maps a string a = 150 (a_s, ... , a_1), a in V_s, into the integer Int_s(a) = 151 2^s*a_s + ... + 2*a_2 + a_1; 153 Vec_s: Z_{2^s} -> V_s the transformation inverse to the mapping 154 Int_s; 156 MSB_i: V_s -> V_i the transformation that maps the string a = (a_s, 157 ... , a_1) in V_s, into the string MSB_i(a) = (a_s, ... , 158 a_{s-i+1}) in V_i; 160 LSB_i: V_s -> V_i the transformation that maps the string a = (a_s, 161 ... , a_1) in V_s, into the string LSB_i(a) = (a_i, ... , 162 a_1) in V_i; 164 Inc_c: V_s -> V_s the transformation that maps the string a = (a_s, 165 ... , a_1) in V_s, into the string Inc_c(a) = MSB_{|a|- 166 c}(a) | Vec_c(Int_c(LSB_c(a)) + 1(mod 2^c)) in V_s; 168 a^s denotes the string in V_s that consists of s 'a' bits; 170 E_{K}: V_n -> V_n the block cipher permutation under the key K in 171 V_k; 173 ceil(x) the least integer that is not less than x; 175 k the key K size (in bits); 177 n the block size of the block cipher (in bits); 179 b the total number of data blocks in the plaintext (b = ceil(m/ 180 n)); 182 N the section size (the number of bits in a data section); 184 l the number of data sections in the plaintext; 186 m the message M size (in bits); 187 phi_i: V_s -> V_s the transformation that maps a string a = (a_s, 188 ... , a_1) into the string phi_i(a) = a' = (a'_s, ... , 189 a'_1), 1 <= i <= s, such that a'_i = 1 and a'_j = a_j for all 190 j in {1, ... , s}\{i}. 192 A plaintext message P and a ciphertext C are divided into b = ceil(m/ 193 n) segments denoted as P = P_1 | P_2 | ... | P_b and C = C_1 | C_2 | 194 ... | C_b, where P_i and C_i are in V_n, for i = 1, 2, ... , b-1, and 195 P_b, C_b are in V_r, where r <= n if not otherwise stated. 197 4. External Re-keying Mechanisms 199 This section presents an approach to increase the lifetime of 200 negotiated keys after processing a limited number of integral 201 messages. It provides an external parallel and serial re-keying 202 mechanisms (see [AbBell]). These mechanisms use an initial 203 (negotiated) key as a master key, which is never used directly for 204 the data processing but is used for key generation. Such mechanisms 205 operate outside of the base modes of operations and do not change 206 them at all, therefore they are called "external re-keying" in this 207 document. 209 4.1. Parallel Constructions 211 The main idea behind external re-keying with parallel construction is 212 presented in Fig.1: 214 Lifetime of a key = L, 215 maximum message size = m_max. 216 _____________________________________________________________ 218 m_max 219 <----------------> 220 M_{1,1} |=== | 221 M_{1,2} |=============== | 222 +--K^1--> . . . 223 | M_{1,q_1} |======== | 224 | 225 | 226 | M_{2,1} |================| 227 | M_{2,2} |===== | 228 K*----|--K^2--> . . . 229 | M_{2,q_2} |========== | 230 | 231 ... 232 | M_{t,1} |============ | 233 | M_{t,2} |============= | 234 +--K^t--> . . . 235 M_{t,q_t} |========== | 237 _____________________________________________________________ 238 |M_{i,1}| + ... + |M_{i,q_i}| <= L, i = 1, ... , t. 240 Figure 1: External parallel re-keying mechanisms 242 4.1.1. Parallel Construction Based on a KDF on a Block Cipher 244 ExtParallelC re-keying mechanism is based on a block cipher and is 245 used to generate t keys for t sections as follows: 247 K^1 | K^2 | ... | K^t = ExtParallelC(K*, t*k) = 248 MSB_{t*k}(E_{K*}(0) | E_{K*}(1) | ... | E_{K*}(J-1)), 250 where J = ceil(k/n). 252 4.1.2. Parallel Construction Based on HKDF 254 ExtParallelH re-keying mechanism is based on HMAC-based key 255 derivation function HKDF-Expand, described in [RFC5869], and is used 256 to generate t keys for t sections as follows: 258 K^1 | K^2 | ... | K^t = ExtParallelH(K*, t*k) = HKDF-Expand(K*, 259 label, t*k), 261 where label is a string (can be a zero-length string) that is defined 262 by a specific protocol. 264 4.2. Serial Constructions 266 The main idea behind external re-keying with serial construction is 267 presented in Fig.2: 269 Lifetime of a key = L, 270 maximum message size = m_max. 271 _____________________________________________________________ 272 m_max 273 <----------------> 274 M_{1,1} |=== | 275 M_{1,2} |=============== | 276 K*_1 = K* ---K^1--> . . . 277 | M_{1,q_1} |======== | 278 | 279 | 280 | M_{2,1} |================| 281 v M_{2,2} |===== | 282 K*_2 --------K^2--> . . . 283 | M_{2,q_2} |========== | 284 | 285 ... 286 | M_{t,1} |============ | 287 v M_{t,2} |============= | 288 K*_t --------K^t--> . . . 289 M_{t,q_t} |========== | 291 _____________________________________________________________ 292 |M_{i,1}| + ... + |M_{i,q_i}| <= L, i = 1, ... , t. 294 Figure 2: External serial re-keying mechanisms 296 4.2.1. Serial Construction Based on a KDF on a Block Cipher 298 The key K^i is calculated using ExtSerialC transformation as follows: 300 K^i = ExtSerialC(K*, i) = MSB_k(E_{K*_i}(0) | E_{K*_i}(1) | ... | 301 E_{K*_i}(J-1)), 303 where J = ceil(k/n), i = 1, ... , t, K*_i is calculated as follows: 305 K*_1 = K*, 306 K*_{j+1} = MSB_k(E_{K*_j}(J) | E_{K*_j}(J+1) | ... | E_{K*_j}(2J- 307 1)), 309 where j = 1, ... , t-1. 311 4.2.2. Serial Construction Based on HKDF 313 The key K^i is calculated using ExtSerialH transformation as follows: 315 K^i = ExtSerialH(K*, i) = HKDF-Expand(K*_i, label1, k), 317 where i = 1, ... , t, HKDF-Expand is an HMAC-based key derivation 318 function, described in [RFC5869], K*_i is calculated as follows: 320 K*_1 = K*, 322 K*_{j+1} = HKDF-Expand(K*_j, label2, k), where j = 1, ... , t-1, 324 where label1 and label2 are different strings (can be a zero-length 325 strings) that are defined by a specific protocol (see, for example, 326 TLS 1.3 updating traffic keys algorithm [TLSDraft]). 328 5. Internal Re-keying Mechanisms 330 This section presents an approach to increase the lifetime of 331 negotiated key by re-keying during each separate message processing. 332 It provides an internal re-keying mechanisms called ACPKM and ACPKM- 333 Master that do not use and use a master key respectively. Such 334 mechanisms are integrated into the base modes of operations and can 335 be considered as the base mode extensions, therefore they are called 336 "internal re-keying" in this document. 338 5.1. Constructions that Do Not Require Master Key 340 This section describes the block cipher modes that uses the ACPKM re- 341 keying mechanism (described in Section 5.1.1), which does not use 342 master key: an initial key is used directly for the encryption of the 343 data. 345 5.1.1. ACPKM Re-keying Mechanisms 347 This section defines periodical key transformation with no master key 348 which is called ACPKM re-keying mechanism. This mechanism can be 349 applied to one of the basic encryption modes (CTR and GCM block 350 cipher modes) for getting an extension of this encryption mode that 351 uses periodical key transformation with no master key. This 352 extension can be considered as a new encryption mode. 354 An additional parameter that defines the functioning of basic 355 encryption modes with the ACPKM re-keying mechanism is the section 356 size N. The value of N is measured in bits and is fixed within a 357 specific protocol based on the requirements of the system capacity 358 and key lifetime (some recommendations on choosing N will be provided 359 in Section 7). The section size N MUST be divisible by the block 360 size n. 362 The main idea behind internal re-keying with no master key is 363 presented in Fig.3: 365 Lifetime of a key = L, 366 section size = const = N, 367 maximum message size = m_max. 368 ____________________________________________________________________ 370 ACPKM ACPKM ACPKM 371 K^1 = K ---> K^2 ---...-> K^{l_max-1} ----> K^{l_max} 372 | | | | 373 | | | | 374 v v v v 375 Message(1) |==========|==========| ... |==========|=======: | 376 Message(2) |==========|==========| ... |=== | : | 377 . . . . . . : . 378 : : : : : : : : 379 Message(q) |==========|==========| ... |==========|===== : | 380 section : 381 <----------> m_max 382 N bit 383 ___________________________________________________________________ 384 l_max = ceil(m_max/N), 385 q*N <= L. 386 Figure 3: Key meshing with no master key 388 During the processing of the input message M with the length m in 389 some encryption mode that uses ACPKM key transformation of the key K 390 the message is divided into l = ceil(m/N) parts (denoted as M = M_1 | 391 M_2 | ... | M_l, where M_i is in V_N for i = 1, 2, ... , l-1 and M_l 392 is in V_r, r <= N). The first section is processed with the initial 393 key K^1 = K. To process the (i+1)-th section the K^{i+1} key value 394 is calculated using ACPKM transformation as follows: 396 K^{i+1} = ACPKM(K^i) = MSB_k(E_{K^i}(W_1) | ... | E_{K^i}(W_J)), 398 where J = ceil(k/n), W_t = phi_c(D_t) for any t in {1, ... ,J} and 399 D_1, D_2, ... , D_J are in V_n and are calculated as follows: 401 D_1 | D_2 | ... | D_J = MSB_{J*n}(D), 403 where D is the following constant in V_{1024}: 405 D = ( F3 | 74 | E9 | 23 | FE | AA | D6 | DD 406 | 98 | B4 | B6 | 3D | 57 | 8B | 35 | AC 407 | A9 | 0F | D7 | 31 | E4 | 1D | 64 | 5E 408 | 40 | 8C | 87 | 87 | 28 | CC | 76 | 90 409 | 37 | 76 | 49 | 9F | 7D | F3 | 3B | 06 410 | 92 | 21 | 7B | 06 | 37 | BA | 9F | B4 411 | F2 | 71 | 90 | 3F | 3C | F6 | FD | 1D 412 | 70 | BB | BB | 88 | E7 | F4 | 1B | 76 413 | 7E | 44 | F9 | 0E | 46 | 91 | 5B | 57 414 | 00 | BC | 13 | 45 | BE | 0D | BD | C7 415 | 61 | 38 | 19 | 3C | 41 | 30 | 86 | 82 416 | 1A | A0 | 45 | 79 | 23 | 4C | 4C | F3 417 | 64 | F2 | 6A | CC | EA | 48 | CB | B4 418 | 0C | B9 | A9 | 28 | C3 | B9 | 65 | CD 419 | 9A | CA | 60 | FB | 9C | A4 | 62 | C7 420 | 22 | C0 | 6C | E2 | 4A | C7 | FB | 5B). 422 N o t e : The constant D is such that phi_c(D_1), ... , phi_c(D_J) 423 are pairwise different for any allowed n, k, c values. 425 N o t e : The constant D is such that D = 426 sha512(streebog512(0^1024)) | sha512(streebog512(1^1024)), where 427 sha512 is a hash function with 512-bit output corresponding to the 428 algorithm SHA-512 [SHA-512], streebog512 is a hash function with 429 512-bit output, corresponding to the algorithm GOST R 34.11-2012 430 [GOST3411-2012], [RFC6986]. 432 5.1.2. CTR-ACPKM Encryption Mode 434 This section defines a CTR-ACPKM encryption mode that uses internal 435 ACPKM re-keying mechanism for the periodical key transformation. 437 The CTR-ACPKM mode can be considered as the extended by the ACPKM re- 438 keying mechanism basic encryption mode CTR (see [MODES]). 440 The CTR-ACPKM encryption mode can be used with the following 441 parameters: 443 o 64 <= n <= 512; 445 o 128 <= k <= 512; 447 o the number of bits c in a specific part of the block to be 448 incremented is such that 32 <= c <= 3/4 n. 450 The CTR-ACPKM mode encryption and decryption procedures are defined 451 as follows: 453 +----------------------------------------------------------------+ 454 | CTR-ACPKM-Encrypt(N, K, ICN, P) | 455 |----------------------------------------------------------------| 456 | Input: | 457 | - Section size N, | 458 | - key K, | 459 | - initial counter nonce ICN in V_{n-c}, | 460 | - plaintext P = P_1 | ... | P_b, |P| < n * 2^{c-1}. | 461 | Output: | 462 | - Ciphertext C. | 463 |----------------------------------------------------------------| 464 | 1. CTR_1 = ICN | 0^c | 465 | 2. For j = 2, 3, ... , b do | 466 | CTR_{j} = Inc_c(CTR_{j-1}) | 467 | 3. K^1 = K | 468 | 4. For i = 2, 3, ... , ceil(|P|/N) | 469 | K^i = ACPKM(K^{i-1}) | 470 | 5. For j = 1, 2, ... , b do | 471 | i = ceil(j*n / N), | 472 | G_j = E_{K^i}(CTR_j) | 473 | 6. C = P (xor) MSB_{|P|}(G_1 | ... | G_b) | 474 | 7. Return C | 475 +----------------------------------------------------------------+ 477 +----------------------------------------------------------------+ 478 | CTR-ACPKM-Decrypt(N, K, ICN, C) | 479 |----------------------------------------------------------------| 480 | Input: | 481 | - Section size N, | 482 | - key K, | 483 | - initial counter nonce ICN in V_{n-c}, | 484 | - ciphertext C = C_1 | ... | C_b, |C| < n * 2^{c-1}. | 485 | Output: | 486 | - Plaintext P. | 487 |----------------------------------------------------------------| 488 | 1. Return CTR-ACPKM-Encrypt(N, K, ICN, C) | 489 +----------------------------------------------------------------+ 491 The initial counter nonce ICN value for each message that is 492 encrypted under the given key must be chosen in a unique manner. 494 The message size m MUST NOT exceed n * 2^{c-1} bits. 496 5.1.3. GCM-ACPKM Encryption Mode 498 This section defines a GCM-ACPKM encryption mode that uses internal 499 ACPKM re-keying mechanism for the periodical key transformation. 501 The GCM-ACPKM mode can be considered as the extended by the ACPKM re- 502 keying mechanism basic encryption mode GCM (see [GCM]). 504 The GCM-ACPKM encryption mode can be used with the following 505 parameters: 507 o n in {128, 256}; 509 o 128 <= k <= 512; 511 o the number of bits c in a specific part of the block to be 512 incremented is such that 32 <= c <= 3/4 n; 514 o authentication tag length t. 516 The GCM-ACPKM mode encryption and decryption procedures are defined 517 as follows: 519 +--------------------------------------------------------------------+ 520 | GHASH(X, H) | 521 |--------------------------------------------------------------------| 522 | Input: | 523 | - Bit string X = X_1 | ... | X_m, X_i in V_n for i in 1, ... , m. | 524 | Output: | 525 | - Block GHASH(X, H) in V_n. | 526 |--------------------------------------------------------------------| 527 | 1. Y_0 = 0^n | 528 | 2. For i = 1, ... , m do | 529 | Y_i = (Y_{i-1} (xor) X_i) * H | 530 | 3. Return Y_m | 531 +--------------------------------------------------------------------+ 533 +--------------------------------------------------------------------+ 534 | GCTR(N, K, ICB, X) | 535 |--------------------------------------------------------------------| 536 | Input: | 537 | - Section size N, | 538 | - key K, | 539 | - initial counter block ICB, | 540 | - X = X_1 | ... | X_b, X_i in V_n for i = 1, ... , b-1 and | 541 | X_b in V_r, where r <= n. | 542 | Output: | 543 | - Y in V_{|X|}. | 544 |--------------------------------------------------------------------| 545 | 1. If X in V_0 then return Y, where Y in V_0 | 546 | 2. GCTR_1 = ICB | 547 | 3. For i = 2, ... , b do | 548 | GCTR_i = Inc_c(GCTR_{i-1}) | 549 | 4. K^1 = K | 550 | 5. For j = 2, ... , ceil(l*n / N) | 551 | K^j = ACPKM(K^{j-1}) | 552 | 6. For i = 1, ... , b do | 553 | j = ceil(i*n / N), | 554 | G_i = E_{K_j}(GCTR_i) | 555 | 7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b) | 556 | 8. Return Y. | 557 +--------------------------------------------------------------------+ 559 +--------------------------------------------------------------------+ 560 | GCM-ACPKM-Encrypt(N, K, IV, P, A) | 561 |--------------------------------------------------------------------| 562 | Input: | 563 | - Section size N, | 564 | - key K, | 565 | - initial counter nonce ICN in V_{n-c}, | 566 | - plaintext P, |P| <= n*(2^{c-1} - 2), P = P_1 | ... | P_b, | 567 | - additional authenticated data A. | 568 | Output: | 569 | - Ciphertext C, | 570 | - authentication tag T. | 571 |--------------------------------------------------------------------| 572 | 1. H = E_{K}(0^n) | 573 | 2. If c = 32, then ICB_0 = ICN | 0^31 | 1 | 574 | if c!= 32, then s = n * ceil(|ICN| / n) - |ICN|, | 575 | ICB_0 = GHASH(ICN | 0^{s+n-64} | Vec_64(|ICN|), H) | 576 | 3. C = GCTR(N, K, Inc_32(ICB_0), P) | 577 | 4. u = n*ceil(|C| / n) - |C| | 578 | v = n*ceil(|A| / n) - |A| | 579 | 5. S = GHASH(A | 0^v | C | 0^u | 0^{n-128} | Vec_64(|A|) | | 580 | | Vec_64(|C|), H) | 581 | 6. T = MSB_t(E_{K}(ICB_0) (xor) S) | 582 | 7. Return C | T | 583 +--------------------------------------------------------------------+ 585 +--------------------------------------------------------------------+ 586 | GCM-ACPKM-Decrypt(N, K, IV, A, C, T) | 587 |--------------------------------------------------------------------| 588 | Input: | 589 | - Section size N, | 590 | - key K, | 591 | - initial counter block ICB, | 592 | - additional authenticated data A. | 593 | - ciphertext C, |C| <= n*(2^{c-1} - 2), C = C_1 | ... | C_b, | 594 | - authentication tag T | 595 | Output: | 596 | - Plaintext P or FAIL. | 597 |--------------------------------------------------------------------| 598 | 1. H = E_{K}(0^n) | 599 | 2. If c = 32, then ICB_0 = ICN | 0^31 | 1 | 600 | if c!= 32, then s = n*ceil(|ICN|/n)-|ICN|, | 601 | ICB_0 = GHASH(ICN | 0^{s+n-64} | Vec_64(|ICN|), H) | 602 | 3. P = GCTR(N, K, Inc_32(ICB_0), C) | 603 | 4. u = n*ceil(|C| / n)-|C| | 604 | v = n*ceil(|A| / n)-|A| | 605 | 5. S = GHASH(A | 0^v | C | 0^u | 0^{n-128} | Vec_64(|A|) | | 606 | | Vec_64(|C|), H) | 607 | 6. T' = MSB_t(E_{K}(ICB_0) (xor) S) | 608 | 7. If T = T' then return P; else return FAIL | 609 +--------------------------------------------------------------------+ 611 The * operation on (pairs of) the 2^n possible blocks corresponds to 612 the multiplication operation for the binary Galois (finite) field of 613 2^n elements defined by the polynomial f as follows (by analogy with 614 [GCM]): 616 n = 128: f = a^128 + a^7 + a^2 + a^1 + 1. 618 n = 256: f = a^256 + a^10 + a^5 + a^2 + 1. 620 The initial vector IV value for each message that is encrypted under 621 the given key must be chosen in a unique manner. 623 The message size m MUST NOT exceed n*(2^{c-1} - 2) bits. 625 The key for computing values E_{K}(ICB_0) and H is not updated and is 626 equal to the initial key K. 628 5.2. Constructions that Require Master Key 630 This section describes the block cipher modes that uses the ACPKM- 631 Master re-keying mechanism (described in Section 5.2.1), which use 632 the initial key K as a master key K*, so K is never used directly for 633 the data processing but is used for key derivation. 635 5.2.1. ACPKM-Master Key Generation from the Master Key 637 This section defines periodical key transformation with master key K* 638 which is called ACPKM-Master re-keying mechanism. This mechanism can 639 be applied to one of the basic encryption modes (CTR, GCM, CBC, CFB, 640 OFB, OMAC encryption modes) for getting an extension of this 641 encryption mode that uses periodical key transformation with master 642 key. This extension can be considered as a new encryption mode. 644 Additional parameters that defines the functioning of basic 645 encryption modes with the ACPKM-Master re-keying mechanism are the 646 section size N and change frequency T* of the key K*. The values of 647 N and T* are measured in bits and are fixed within a specific 648 protocol based on the requirements of the system capacity and key 649 lifetime (some recommendations on choosing N and T* will be provided 650 in Section 7). The section size N MUST be divisible by the block 651 size n. The key frequency T* MUST be divisible by n. 653 The main idea behind internal re-keying with master key is presented 654 in Fig.4: 656 Lifetime of a key = L, 657 change frequency T*, 658 section size N, 659 maximum message size = m_max. 660 _______________________________________________________________________________________ 662 ACPKM ACPKM 663 K*_1 = K*-------------> K*_2 ---------...---------> K*_l_max 664 ___|___ ___|___ ___|___ 665 | | | | | | 666 v ... v v ... v v ... v 667 K[1] K[t] K[t+1] K[2t] K[(l_max-1)t+1] K[l_max*t] 668 | | | | | | 669 | | | | | | 670 v v v v v v 671 Message(1)||========|...|========||========|...|========||...||========|...|== : || 672 Message(2)||========|...|========||========|...|========||...||========|...|======: || 673 ... || | | || | | || || | | : || 674 Message(q)||========|...|========||==== |...| ||...|| |...| : || 675 section : 676 <--------> : 677 N bit m_max 678 _______________________________________________________________________________________ 679 |K[i]| = d, 680 t = T*/d, 681 l_max = ceil(m_max/N), 682 q*N <= L. 683 Figure 4: Key meshing with master key 685 During the processing of the input message M with the length m in 686 some encryption mode that uses ACPKM-Master key transformation with 687 the master key K* and key frequency T* the message M is divided into 688 l = ceil(m/N) parts (denoted as M = M_1 | M_2 | ... | M_l, where M_i 689 is in V_N for i in {1, 2, ... , l-1} and M_l is in V_r, r <= N). The 690 j-th section is processed with the key material K[j], j in {1, ... 691 ,l}, |K[j]| = d, that has been calculated with the ACPKM-Master 692 algorithm as follows: 694 IV = 1^{n/2}, 696 K[1] | ... | K[l] = ACPKM-Master(T*, K*, d*l) = CTR-ACPKM-Encrypt 697 (T*, K*, IV, 0^{d*l}). 699 5.2.2. CTR Mode Key Meshing 701 This section defines a CTR-ACPKM-Master encryption mode that uses 702 internal ACPKM-Master re-keying mechanism for the periodical key 703 transformation. 705 The CTR-ACPKM-Master encryption mode can be considered as the 706 extended by the ACPKM-Master re-keying mechanism basic encryption 707 mode CTR (see [MODES]). 709 The CTR-ACPKM-Master encryption mode can be used with the following 710 parameters: 712 o 64 <= n <= 512; 714 o 128 <= k <= 512; 716 o the number of bits c in a specific part of the block to be 717 incremented is such that 32 <= c <= 3/4 n. 719 The key material K[j] that is used for one section processing is 720 equal to K^j, |K^j| = k bits. 722 The CTR-ACPKM-Master mode encryption and decryption procedures are 723 defined as follows: 725 +----------------------------------------------------------------+ 726 | CTR-ACPKM-Master-Encrypt(N, K*, T*, ICN, P) | 727 |----------------------------------------------------------------| 728 | Input: | 729 | - Section size N, | 730 | - master key K*, | 731 | - change frequency T*, | 732 | - initial counter nonce ICN in V_{n-c}, | 733 | - plaintext P = P_1 | ... | P_b, |P| <= 2^{n/2-1}*n*N / k. | 734 | Output: | 735 | - Ciphertext C. | 736 |----------------------------------------------------------------| 737 | 1. CTR_1 = ICN | 0^c | 738 | 2. For j = 2, 3, ... , b do | 739 | CTR_{j} = Inc_c(CTR_{j-1}) | 740 | 3. l = ceil(b*n / N) | 741 | 4. K^1 | ... | K^l = ACPKM-Master(T*, K*, k*l) | 742 | 5. For j = 1, 2, ... , b do | 743 | i = ceil(j*n / N), | 744 | G_j = E_{K^i}(CTR_j) | 745 | 6. C = P (xor) MSB_{|P|}(G_1 | ... |G_b) | 746 | 7. Return C | 747 |----------------------------------------------------------------+ 749 +----------------------------------------------------------------+ 750 | CTR-ACPKM-Master-Decrypt(N, K*, T*, ICN, C) | 751 |----------------------------------------------------------------| 752 | Input: | 753 | - Section size N, | 754 | - master key K*, | 755 | - change frequency T*, | 756 | - initial counter nonce ICN in V_{n-c}, | 757 | - ciphertext C = C_1 | ... | C_b, |C| <= 2^{n/2-1}*n*N / k. | 758 | Output: | 759 | - Plaintext P. | 760 |----------------------------------------------------------------| 761 | 1. Return CTR-ACPKM-Master-Encrypt(N, K*, T*, ICN, C) | 762 +----------------------------------------------------------------+ 764 The initial counter nonce ICN value for each message that is 765 encrypted under the given key must be chosen in a unique manner. The 766 counter (CTR_{i+1}) value does not change during key transformation. 768 The message size m MUST NOT exceed (2^{n/2-1}*n*N / k) bits. 770 5.2.3. GCM Mode Key Meshing 772 This section defines a GCM-ACPKM-Master encryption mode that uses 773 internal ACPKM-Master re-keying mechanism for the periodical key 774 transformation. 776 The GCM-ACPKM-Master encryption mode can be considered as the 777 extended by the ACPKM-Master re-keying mechanism basic encryption 778 mode GCM (see [GCM]). 780 The GCM-ACPKM-Master encryption mode can be used with the following 781 parameters: 783 o n in {128, 256}; 785 o 128 <= k <= 512; 787 o the number of bits c in a specific part of the block to be 788 incremented is such that 32 <= c <= 3/4 n; 790 o authentication tag length t. 792 The key material K[j] that is used for one section processing is 793 equal to K^j, |K^j| = k bits, that is calculated as follows: 795 K^1 | ... | K^j | ... | K^l = ACPKM-Master(T*, K*, k*l). 797 The GCM-ACPKM-Master mode encryption and decryption procedures are 798 defined as follows: 800 +--------------------------------------------------------------------+ 801 | GHASH(X, H) | 802 |--------------------------------------------------------------------| 803 | Input: | 804 | - Bit string X = X_1 | ... | X_m, X_i in V_n for i in {1, ... , m}| 805 | Output: | 806 | - Block GHASH(X, H) in V_n | 807 |--------------------------------------------------------------------| 808 | 1. Y_0 = 0^n | 809 | 2. For i = 1, ... , m do | 810 | Y_i = (Y_{i-1} (xor) X_i)*H | 811 | 3. Return Y_m | 812 +--------------------------------------------------------------------+ 814 +--------------------------------------------------------------------+ 815 | GCTR(N, K*, T*, ICB, X) | 816 |--------------------------------------------------------------------| 817 | Input: | 818 | - Section size N, | 819 | - master key K*, | 820 | - change frequency T*, | 821 | - initial counter block ICB, | 822 | - X = X_1 | ... | X_b, X_i in V_n for i = 1, ... , b-1 and | 823 | X_b in V_r, where r <= n. | 824 | Output: | 825 | - Y in V_{|X|}. | 826 |--------------------------------------------------------------------| 827 | 1. If X in V_0 then return Y, where Y in V_0 | 828 | 2. GCTR_1 = ICB | 829 | 3. For i = 2, ... , b do | 830 | GCTR_i = Inc_c(GCTR_{i-1}) | 831 | 4. l = ceil(b*n / N) | 832 | 5. K^1 | ... | K^l = ACPKM-Master(T*, K*, k*l) | 833 | 6. For j = 1, ... , b do | 834 | i = ceil(j*n / N), | 835 | G_j = E_{K^i}(GCTR_j) | 836 | 7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b) | 837 | 8. Return Y | 838 +--------------------------------------------------------------------+ 840 +--------------------------------------------------------------------+ 841 | GCM-ACPKM-Master-Encrypt(N, K*, T*, IV, P, A) | 842 |--------------------------------------------------------------------| 843 | Input: | 844 | - Section size N, | 845 | - master key K*, | 846 | - change frequency T*, | 847 | - initial counter nonce ICN in V_{n-c}, | 848 | - plaintext P, |P| <= n*(2^{c-1} - 2). | 849 | - additional authenticated data A. | 850 | Output: | 851 | - Ciphertext C, | 852 | - authentication tag T. | 853 |--------------------------------------------------------------------| 854 | 1. K^1 = ACPKM-Master(T*, K*, k) | 855 | 2. H = E_{K^1}(0^n) | 856 | 3. If c = 32, then ICB_0 = ICN | 0^31 | 1 | 857 | if c!= 32, then s = n*ceil(|ICN|/n) - |ICN|, | 858 | ICB_0 = GHASH(ICN | 0^{s+n-64} | Vec_64(|ICN|), H) | 859 | 4. C = GCTR(N, K*, T*, Inc_32(J_0), P) | 860 | 5. u = n*ceil(|C| / n) - |C| | 861 | v = n*ceil(|A| / n) - |A| | 862 | 6. S = GHASH(A | 0^v | C | 0^u | 0^{n-128} | Vec_64(|A|) | | 863 | | Vec_64(|C|), H) | 864 | 7. T = MSB_t(E_{K^1}(J_0) (xor) S) | 865 | 8. Return C | T | 866 +--------------------------------------------------------------------+ 868 +--------------------------------------------------------------------+ 869 | GCM-ACPKM-Master-Decrypt(N, K*, T*, IV, A, C, T) | 870 |--------------------------------------------------------------------| 871 | Input: | 872 | - Section size N, | 873 | - master key K*, | 874 | - change frequency T*, | 875 | - initial counter nonce ICN in V_{n-c}, | 876 | - additional authenticated data A. | 877 | - ciphertext C, |C| <= n*(2^{c-1} - 2), | 878 | - authentication tag T, | 879 | Output: | 880 | - Plaintext P or FAIL. | 881 |--------------------------------------------------------------------| 882 | 1. K^1 = ACPKM-Master(T*, K*, k) | 883 | 2. H = E_{K^1}(0^n) | 884 | 3. If c = 32, then ICB_0 = ICN | 0^31 | 1 | 885 | if c!= 32, then s = n*ceil(|ICN| / n) - |ICN|, | 886 | ICB_0 = GHASH(ICN | 0^{s+n-64} | Vec_64(|ICN|), H) | 887 | 4. P = GCTR(N, K*, T*, Inc_32(J_0), C) | 888 | 5. u = n*ceil(|C| / n) - |C| | 889 | v = n*ceil(|A| / n) - |A| | 890 | 6. S = GHASH(A | 0^v | C | 0^u | 0^{n-128} | Vec_64(|A|) | | 891 | | Vec_64(|C|), H) | 892 | 7. T' = MSB_t(E_{K^1}(ICB_0) (xor) S) | 893 | 8. IF T = T' then return P; else return FAIL. | 894 +--------------------------------------------------------------------+ 896 The * operation on (pairs of) the 2^n possible blocks corresponds to 897 the multiplication operation for the binary Galois (finite) field of 898 2^n elements defined by the polynomial f as follows (by analogy with 899 [GCM]): 901 n = 128: f = a^128 + a^7 + a^2 + a^1 + 1. 903 n = 256: f = a^256 + a^10 + a^5 + a^2 + 1. 905 The initial vector IV value for each message that is encrypted under 906 the given key must be chosen in a unique manner. 908 The message size m MUST NOT exceed (2^{n/2-1}*n*N / k) bits. 910 5.2.4. CBC Mode Key Meshing 912 This section defines a CBC-ACPKM-Master encryption mode that uses 913 internal ACPKM-Master re-keying mechanism for the periodical key 914 transformation. 916 The CBC-ACPKM-Master encryption mode can be considered as the 917 extended by the ACPKM-Master re-keying mechanism basic encryption 918 mode CBC (see [MODES]). 920 The CBC-ACPKM-Master encryption mode can be used with the following 921 parameters: 923 o 64 <= n <= 512; 925 o 128 <= k <= 512. 927 In the specification of the CBC-ACPKM-Master mode the plaintext and 928 ciphertext must be a sequence of one or more complete data blocks. 929 If the data string to be encrypted does not initially satisfy this 930 property, then it MUST be padded to form complete data blocks. The 931 padding methods are outside the scope of this document. An example 932 of a padding method can be found in Appendix A of [MODES]. 934 The key material K[j] that is used for one section processing is 935 equal to K^j, |K^j| = k bits. 937 We will denote by D_{K} the decryption function which is a 938 permutation inverse to the E_{K}. 940 The CBC-ACPKM-Master mode encryption and decryption procedures are 941 defined as follows: 943 +----------------------------------------------------------------+ 944 | CBC-ACPKM-Master-Encrypt(N, K*, T*, IV, P) | 945 |----------------------------------------------------------------| 946 | Input: | 947 | - Section size N, | 948 | - master key K*, | 949 | - change frequency T*, | 950 | - initialization vector IV in V_n, | 951 | - plaintext P = P_1 | ... | P_b, |P| <= 2^{n/2-1}*n*N / k, | 952 | |P_b| = n. | 953 | Output: | 954 | - Ciphertext C. | 955 |----------------------------------------------------------------| 956 | 1. l = ceil(b*n/N) | 957 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K*, k*l) | 958 | 3. C_0 = IV | 959 | 4. For j = 1, 2, ... , b do | 960 | i = ceil(j*n / N), | 961 | C_j = E_{K^i}(P_j (xor) C_{j-1}) | 962 | 5. Return C = C_1 | ... | C_b | 963 |----------------------------------------------------------------+ 965 +----------------------------------------------------------------+ 966 | CBC-ACPKM-Master-Decrypt(N, K*, T*, IV, C) | 967 |----------------------------------------------------------------| 968 | Input: | 969 | - Section size N, | 970 | - master key K*, | 971 | - change frequency T*, | 972 | - initialization vector IV in V_n, | 973 | - ciphertext C = C_1 | ... | C_b, |C| <= 2^{n/2-1}*n*N/k, | 974 | |C_b| = n. | 975 | Output: | 976 | - Plaintext P. | 977 |----------------------------------------------------------------| 978 | 1. l = ceil(b*n / N) | 979 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K*, k*l) | 980 | 3. C_0 = IV | 981 | 4. For j = 1, 2, ... , b do | 982 | i = ceil(j*n/N) | 983 | P_j = D_{K^i}(C_j) (xor) C_{j-1} | 984 | 5. Return P = P_1 | ... | P_b | 985 +----------------------------------------------------------------+ 987 The initialization vector IV for each message that is encrypted under 988 the given key need not to be secret, but must be unpredictable. 990 The message size m MUST NOT exceed (2^{n/2-1}*n*N / k) bits. 992 5.2.5. CFB Mode Key Meshing 994 This section defines a CFB-ACPKM-Master encryption mode that uses 995 internal ACPKM-Master re-keying mechanism for the periodical key 996 transformation. 998 The CFB-ACPKM-Master encryption mode can be considered as the 999 extended by the ACPKM-Master re-keying mechanism basic encryption 1000 mode CFB (see [MODES]). 1002 The CFB-ACPKM-Master encryption mode can be used with the following 1003 parameters: 1005 o 64 <= n <= 512; 1007 o 128 <= k <= 512. 1009 The key material K[j] that is used for one section processing is 1010 equal to K^j, |K^j| = k bits. 1012 The CFB-ACPKM-Master mode encryption and decryption procedures are 1013 defined as follows: 1015 +----------------------------------------------------------------+ 1016 | CFB-ACPKM-Master-Encrypt(N, K*, T*, IV, P) | 1017 |----------------------------------------------------------------| 1018 | Input: | 1019 | - Section size N, | 1020 | - master key K*, | 1021 | - change frequency T*, | 1022 | - initialization vector IV in V_n, | 1023 | - plaintext P = P_1 | ... | P_b, |P| <= 2^{n/2-1}*n*N / k. | 1024 | Output: | 1025 | - Ciphertext C. | 1026 |----------------------------------------------------------------| 1027 | 1. l = ceil(b*n / N) | 1028 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K*, k*l) | 1029 | 3. C_0 = IV | 1030 | 4. For j = 1, 2, ... , b do | 1031 | i = ceil(j*n / N) | 1032 | C_j = E_{K^i}(C_{j-1}) (xor) P_j | 1033 | 5. Return C = C_1 | ... | C_b. | 1034 |----------------------------------------------------------------+ 1036 +----------------------------------------------------------------+ 1037 | CFB-ACPKM-Master-Decrypt(N, K*, T*, IV, C#) | 1038 |----------------------------------------------------------------| 1039 | Input: | 1040 | - Section size N, | 1041 | - master key K*, | 1042 | - change frequency T*, | 1043 | - initialization vector IV in V_n, | 1044 | - ciphertext C = C_1 | ... | C_b, |C| <= 2^{n/2-1}*n*N / k. | 1045 | Output: | 1046 | - Plaintext P. | 1047 |----------------------------------------------------------------| 1048 | 1. l = ceil(b*n / N) | 1049 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K*, k*l) | 1050 | 3. C_0 = IV | 1051 | 4. For j = 1, 2, ... , b do | 1052 | i = ceil(j*n / N), | 1053 | P_j = E_{K^i}(C_{j-1}) (xor) С_j | 1054 | 5. Return P = P_1 | ... | P_b | 1055 +----------------------------------------------------------------+ 1057 The initialization vector IV for each message that is encrypted under 1058 the given key need not to be secret, but must be unpredictable. 1060 The message size m MUST NOT exceed 2^{n/2-1}*n*N/k bits. 1062 5.2.6. OFB Mode Key Meshing 1064 This section defines an OFB-ACPKM-Master encryption mode that uses 1065 internal ACPKM-Master re-keying mechanism for the periodical key 1066 transformation. 1068 The OFB-ACPKM-Master encryption mode can be considered as the 1069 extended by the ACPKM-Master re-keying mechanism basic encryption 1070 mode OFB (see [MODES]). 1072 The OFB-ACPKM-Master encryption mode can be used with the following 1073 parameters: 1075 o 64 <= n <= 512; 1077 o 128 <= k <= 512. 1079 The key material K[j] used for one section processing is equal to 1080 K^j, |K^j| = k bits. 1082 The OFB-ACPKM-Master mode encryption and decryption procedures are 1083 defined as follows: 1085 +----------------------------------------------------------------+ 1086 | OFB-ACPKM-Master-Encrypt(N, K*, T*, IV, P) | 1087 |----------------------------------------------------------------| 1088 | Input: | 1089 | - Section size N, | 1090 | - master key K*, | 1091 | - change frequency T*, | 1092 | - initialization vector IV in V_n, | 1093 | - plaintext P = P_1 | ... | P_b, |P| <= 2^{n/2-1}*n*N / k. | 1094 | Output: | 1095 | - Ciphertext C. | 1096 |----------------------------------------------------------------| 1097 | 1. l = ceil(b*n / N) | 1098 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K*, k*l) | 1099 | 3. G_0 = IV | 1100 | 4. For j = 1, 2, ... , b do | 1101 | i = ceil(j*n / N), | 1102 | G_j = E_{K_i}(G_{j-1}) | 1103 | 5. Return C = P (xor) MSB_{|P|}(G_1 | ... | G_b) | 1104 |----------------------------------------------------------------+ 1106 +----------------------------------------------------------------+ 1107 | OFB-ACPKM-Master-Decrypt(N, K*, T*, IV, C) | 1108 |----------------------------------------------------------------| 1109 | Input: | 1110 | - Section size N, | 1111 | - master key K*, | 1112 | - change frequency T*, | 1113 | - initialization vector IV in V_n, | 1114 | - ciphertext C = C_1 | ... | C_b, |C| <= 2^{n/2-1}*n*N / k. | 1115 | Output: | 1116 | - Plaintext P. | 1117 |----------------------------------------------------------------| 1118 | 1. Return OFB-ACPKM-Master-Encrypt(N, K*, T*, IV, C) | 1119 +----------------------------------------------------------------+ 1121 The initialization vector IV for each message that is encrypted under 1122 the given key need not be unpredictable, but it must be a nonce that 1123 is unique to each execution of the encryption operation. 1125 The message size m MUST NOT exceed 2^{n/2-1}*n*N / k bits. 1127 5.2.7. OMAC Mode Key Meshing 1129 This section defines an OMAC-ACPKM-Master message authentication code 1130 calculation mode that uses internal ACPKM-Master re-keying mechanism 1131 for the periodical key transformation. 1133 The OMAC-ACPKM-Master encryption mode can be considered as the 1134 extended by the ACPKM-Master re-keying mechanism basic message 1135 authentication code calculation mode OMAC (see [RFC4493]). 1137 The OMAC-ACPKM-Master message authentication code calculation mode 1138 can be used with the following parameters: 1140 o n in {64, 128, 256}; 1142 o 128 <= k <= 512. 1144 The key material K[j] that is used for one section processing is 1145 equal to K^j | K^j_1, where |K^j| = k and |K^j_1| = n. 1147 The following is a specification of the subkey generation process of 1148 OMAC: 1150 +---------------------------------------------------------------------+ 1151 | Generate_Subkey(K, r) | 1152 |---------------------------------------------------------------------| 1153 | Input: | 1154 | - Key K, | 1155 | Output: | 1156 | - Key [K]. | 1157 |---------------------------------------------------------------------| 1158 | 1. If r = n then return K | 1159 | 2. If r < n then | 1160 | if MSB_1(K1) = 0 | 1161 | return K1 << 1 | 1162 | else | 1163 | return (K1 << 1) (xor) R_n | 1164 | | 1165 +---------------------------------------------------------------------+ 1167 Where R_n takes the following values: 1169 o n = 64: R_{64} = 0^{59} | 11011; 1171 o n = 128: R_{128} = 0^{120} | 10000111; 1173 o n = 256: R_{256} = 0^{145} | 10000100101. 1175 The OMAC-ACPKM-Master message authentication code calculation mode is 1176 defined as follows: 1178 +---------------------------------------------------------------------+ 1179 | OMAC-ACPKM-Master(K*, N, T*, M) | 1180 |---------------------------------------------------------------------| 1181 | Input: | 1182 | - Section size N, | 1183 | - master key K*, | 1184 | - key frequency T*, | 1185 | - plaintext M = M_1 | ... | M_b, |M| <= 2^{n/2}*n^2*N / (k + n). | 1186 | Output: | 1187 | - message authentication code T. | 1188 |---------------------------------------------------------------------| 1189 | 1. C_0 = 0^n | 1190 | 2. l = ceil(b*n / N) | 1191 | 3. K^1 | K^1_1 | ... | K^l | K^l_1 = ACPKM-Master(T*, K*, (k+n)*l) | 1192 | 4. For j = 1, 2, ... , b-1 do | 1193 | i = ceil(j*n / N), | 1194 | C_j = E_{K^i}(M_j (xor) C_{j-1}) | 1195 | 5. [K] = Generate_Subkey(K^l_1, |M_b|) | 1196 | 6. If |M_b| = n then M*_b = M_b | 1197 | else M*_b = M_b | 1 | 0^{n - 1 -|M_b|} | 1198 | 7. T = E_{K^l}(M*_b (xor) C_{b-1} (xor) [K]) | 1199 | 8. Return T | 1200 +---------------------------------------------------------------------+ 1202 The message size m MUST NOT exceed 2^{n/2}*n^2*N / (k + n) bits. 1204 6. Joint Usage of External and Internal Re-keying 1206 Any mechanism described in Section 4 can be used with any mechanism 1207 described in Section 5. 1209 7. Security Considerations 1211 7.1. Principles of Choice of Constructions and Security Parameters 1213 External re-keying mechanism is RECOMMENDED to be used in protocols 1214 that process pretty small messages (e.g. TLS). 1216 Internal re-keying mechanism is RECOMMENDED to be used in protocols 1217 that can process large messages (e.g. IPSec). 1219 For the protocols that process messages of different lengths it is 1220 RECOMMENDED to use joint methods described in Section 6. 1222 7.2. Requirements For Base Primitives 1224 Re-keying should be used to increase "a priori" security properties 1225 of ciphers in hoslile environments (e.g. with side-channel 1226 adversaries). If some non-negligible attacks are known for a cipher, 1227 it MUST NOT be used. So re-keying can not be used as a patch for 1228 vulnerable ciphers. Base cipher properties must be well analyzed, 1229 because security of re-keying mechanisms is based on security of a 1230 block cipher as a pseudorandom function. 1232 8. References 1234 8.1. Normative References 1236 [GCM] McGrew, D. and J. Viega, "The Galois/Counter Mode of 1237 Operation (GCM)", Submission to NIST 1238 http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ 1239 gcm/gcm-spec.pdf, January 2004. 1241 [GOST3411-2012] 1242 Federal Agency on Technical Regulating and Metrology (In 1243 Russian), "Information technology. Cryptographic Data 1244 Security. Hashing function", GOST R 34.11-2012, 2012. 1246 [MODES] Dworkin, M., "Recommendation for Block Cipher Modes of 1247 Operation: Methods and Techniques", NIST Special 1248 Publication 800-38A, December 2001. 1250 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1251 Requirement Levels", BCP 14, RFC 2119, 1252 DOI 10.17487/RFC2119, March 1997, 1253 . 1255 [RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The 1256 AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June 1257 2006, . 1259 [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand 1260 Key Derivation Function (HKDF)", RFC 5869, 1261 DOI 10.17487/RFC5869, May 2010, 1262 . 1264 [SHA-512] National Institute of Standards and Technology., "Secure 1265 Hash Standard", FIPS 180-2, August, with Change Notice 1 1266 dated February 2004 2002. 1268 [TLSDraft] 1269 Rescorla, E., "The Transport Layer Security (TLS) Protocol 1270 Version 1.3", 2017, . 1273 8.2. Informative References 1275 [AbBell] Michel Abdalla and Mihir Bellare, "Increasing the Lifetime 1276 of a Key: A Comparative Analysis of the Security of Re- 1277 keying Techniques", ASIACRYPT2000, LNCS 1976, pp. 546-559, 1278 2000. 1280 [BDJR] Bellare M., Desai A., Jokipii E., Rogaway P., "A concrete 1281 security treatment of symmetric encryption", In 1282 Proceedings of 38th Annual Symposium on Foundations of 1283 Computer Science (FOCS '97), pages 394-403. 97, 1997. 1285 [BL] Bhargavan K., Leurent G., "On the Practical (In-)Security 1286 of 64-bit Block Ciphers: Collision Attacks on HTTP over 1287 TLS and OpenVPN", Cryptology ePrint Archive Report 798, 1288 2016. 1290 [Matsui] Matsui M., "Linear Cryptanalysis Method for DES Cipher", 1291 Advanced in Cryptology- EUROCRYPT'93. Lect. Notes in Comp. 1292 Sci., Springer. V.765.P. 386-397, 1994. 1294 [RFC6986] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012: 1295 Hash Function", RFC 6986, DOI 10.17487/RFC6986, August 1296 2013, . 1298 Appendix A. Test examples 1300 CTR-ACPKM mode with AES-256 1301 ********* 1302 c = 64 1303 k = 256 1304 N = 256 1305 n = 128 1307 W_0: 1308 F3 74 E9 23 FE AA D6 DD 98 B4 B6 3D 57 8B 35 AC 1310 W_1: 1311 A9 0F D7 31 E4 1D 64 5E C0 8C 87 87 28 CC 76 90 1313 Key K: 1314 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 1315 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 1317 Plain text P: 1318 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 1319 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1320 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1321 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 1322 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 1323 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 1324 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 1326 ICN: 1327 12 34 56 78 90 AB CE F0 1329 ACPKM's iteration 1 1331 Process block 1 1333 Input block (ctr) 1334 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 00 1336 Output block (ctr) 1337 FD 7E F8 9A D9 7E A4 B8 8D B8 B5 1C 1C 9D 6D D0 1339 Plain text 1340 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 1342 Cipher text 1343 EC 5C CB DE 8C 18 D3 B8 72 56 68 D0 A7 37 F4 58 1345 Process block 2 1347 Input block (ctr) 1348 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 01 1350 Output block (ctr) 1351 19 98 C5 71 76 37 FB 17 11 E4 48 F0 0C 0D 60 B2 1353 Plain text 1354 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1356 Cipher text 1357 19 89 E7 42 32 62 9D 60 99 7D E2 4B C0 E3 9F B8 1359 Updated key 1360 C6 C1 AF 82 3F 52 22 F8 97 CF F1 94 5D F7 21 9E 1361 21 6F 29 0C EF C4 C7 E6 DC C8 B7 DD 83 E0 AE 60 1362 ACPKM's iteration 2 1364 Process block 3 1365 Input block (ctr) 1366 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 02 1368 Output block (ctr) 1369 92 B4 85 B5 B7 AD 3C 19 7E 53 92 32 13 9C 8E 7A 1371 Plain text 1372 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1374 Cipher text 1375 83 96 B6 F1 E2 CB 4B 91 E7 F9 29 FE FD 63 84 7A 1377 Process block 4 1378 Input block (ctr) 1379 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 03 1381 Output block (ctr) 1382 59 3A AA 96 7C E3 58 FB 1B 7E 41 A1 77 34 B1 4A 1384 Plain text 1385 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 1387 Cipher text 1388 7B 09 EE C3 1A 94 D0 62 B1 C5 8D 4F 88 3E B1 5B 1390 Updated key 1391 65 3E FA 18 0B 0E 68 01 6F 56 54 A5 F3 EE BC D5 1392 04 F1 1F E3 F1 7A 92 07 57 A8 82 BE A5 9E CA 16 1394 ACPKM's iteration 3 1395 Process block 5 1396 Input block (ctr) 1397 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 04 1399 Output block (ctr) 1400 CE E5 51 54 12 2F 3F E7 8D 8E 86 21 C5 E5 47 12 1402 Plain text 1403 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 1405 Cipher text 1406 FD A1 04 32 65 A7 A6 4D 36 42 68 DE CF E5 56 30 1408 Process block 6 1409 Input block (ctr) 1410 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 05 1412 Output block (ctr) 1413 DE D6 8F 03 FA C5 C5 B6 16 11 A3 78 2C 0D C1 EB 1415 Plain text 1416 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 1418 Cipher text 1419 9A 83 E9 74 72 5C 6F 0D DA FF 5C 72 2C 1C E3 D8 1421 Updated key 1422 C0 D5 50 26 4F DA CE 59 EF 80 9A 50 24 72 06 7D 1423 29 83 74 25 78 C9 60 4F E3 B8 88 4F F8 F5 E2 BD 1425 ACPKM's iteration 4 1426 Process block 7 1427 Input block (ctr) 1428 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 06 1430 Output block (ctr) 1431 D9 23 A6 CD 8A 00 A1 55 90 09 EC 87 40 B9 D6 AB 1433 Plain text 1434 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 1436 Cipher text 1437 8C 45 D1 45 13 AA 1A 99 7E F6 E6 87 51 9B E5 EF 1439 Updated key 1440 6A A0 92 07 73 31 63 50 46 FA 48 1C 9C 98 7B 6B 1441 FC 99 48 DC BC AE AB C2 6D 46 E9 DD 43 F6 CA 56 1443 Encrypted src 1444 EC 5C CB DE 8C 18 D3 B8 72 56 68 D0 A7 37 F4 58 1445 19 89 E7 42 32 62 9D 60 99 7D E2 4B C0 E3 9F B8 1446 83 96 B6 F1 E2 CB 4B 91 E7 F9 29 FE FD 63 84 7A 1447 7B 09 EE C3 1A 94 D0 62 B1 C5 8D 4F 88 3E B1 5B 1448 FD A1 04 32 65 A7 A6 4D 36 42 68 DE CF E5 56 30 1449 9A 83 E9 74 72 5C 6F 0D DA FF 5C 72 2C 1C E3 D8 1450 8C 45 D1 45 13 AA 1A 99 7E F6 E6 87 51 9B E5 EF 1452 Appendix B. Contributors 1454 o Daniel Fox Franke 1455 Akamai Technologies 1456 dfoxfranke@gmail.com 1458 o Lilia Ahmetzyanova 1459 CryptoPro 1460 lah@cryptopro.ru 1462 o Ruth Ng 1463 University of California, San Diego 1464 ring@eng.ucsd.edu 1466 o Shay Gueron 1467 University of Haifa, Israel 1468 Intel Corporation, Israel Development Center, Israel 1469 shay.gueron@gmail.com 1471 Authors' Addresses 1473 Stanislav Smyshlyaev (editor) 1474 CryptoPro 1475 18, Suschevsky val 1476 Moscow 127018 1477 Russian Federation 1479 Phone: +7 (495) 995-48-20 1480 Email: svs@cryptopro.ru 1482 Russ Housley 1483 Vigil Security, LLC 1484 918 Spring Knoll Drive 1485 Herndon VA 20170 1486 USA 1488 Email: housley@vigilsec.com 1490 Mihir Bellare 1491 University of California, San Diego 1492 9500 Gilman Drive 1493 La Jolla California 92093-0404 1494 USA 1496 Phone: (858) 534-4544 1497 Email: mihir@eng.ucsd.edu 1498 Evgeny Alekseev 1499 CryptoPro 1500 18, Suschevsky val 1501 Moscow 127018 1502 Russian Federation 1504 Phone: +7 (495) 995-48-20 1505 Email: alekseev@cryptopro.ru 1507 Ekaterina Smyshlyaeva 1508 CryptoPro 1509 18, Suschevsky val 1510 Moscow 127018 1511 Russian Federation 1513 Phone: +7 (495) 995-48-20 1514 Email: ess@cryptopro.ru