idnits 2.17.1 draft-irtf-cfrg-re-keying-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** There are 16 instances of too long lines in the document, the longest one being 10 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 7, 2017) is 2599 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '1' on line 695 == Missing Reference: '2t' is mentioned on line 669, but not defined Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 CFRG S. Smyshlyaev, Ed. 3 Internet-Draft CryptoPro 4 Intended status: Informational R. Housley 5 Expires: September 8, 2017 Vigil Security, LLC 6 M. Bellare 7 University of California, San Diego 8 E. Alekseev 9 E. Smyshlyaeva 10 CryptoPro 11 March 7, 2017 13 Re-keying Mechanisms for Symmetric Keys 14 draft-irtf-cfrg-re-keying-01 16 Abstract 18 This specification contains a description of a variety of methods to 19 increase the lifetime of symmetric keys. It provides external and 20 internal re-keying mechanisms that can be used with such modes of 21 operations as CTR, GCM, CBC, CFB, OFB and OMAC. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on September 8, 2017. 40 Copyright Notice 42 Copyright (c) 2017 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 58 2. Conventions Used in This Document . . . . . . . . . . . . . . 3 59 3. Basic Terms and Definitions . . . . . . . . . . . . . . . . . 3 60 4. External Re-keying Mechanisms . . . . . . . . . . . . . . . . 5 61 4.1. Parallel Constructions . . . . . . . . . . . . . . . . . 5 62 4.1.1. Parallel Construction Based on a KDF on a Block 63 Cipher . . . . . . . . . . . . . . . . . . . . . . . 6 64 4.1.2. Parallel Construction Based on HKDF . . . . . . . . . 6 65 4.2. Serial Constructions . . . . . . . . . . . . . . . . . . 7 66 4.2.1. Serial Construction Based on a KDF on a Block Cipher 7 67 4.2.2. Serial Construction Based on HKDF . . . . . . . . . . 8 68 5. Internal Re-keying Mechanisms . . . . . . . . . . . . . . . . 8 69 5.1. Constructions that Do Not Require Master Key . . . . . . 8 70 5.1.1. ACPKM Re-keying Mechanisms . . . . . . . . . . . . . 8 71 5.1.2. CTR-ACPKM Encryption Mode . . . . . . . . . . . . . . 10 72 5.1.3. GCM-ACPKM Encryption Mode . . . . . . . . . . . . . . 12 73 5.2. Constructions that Require Master Key . . . . . . . . . . 14 74 5.2.1. ACPKM-Master Key Generation from the Master Key . . . 15 75 5.2.2. CTR Mode Key Meshing . . . . . . . . . . . . . . . . 16 76 5.2.3. GCM Mode Key Meshing . . . . . . . . . . . . . . . . 19 77 5.2.4. CBC Mode Key Meshing . . . . . . . . . . . . . . . . 22 78 5.2.5. CFB Mode Key Meshing . . . . . . . . . . . . . . . . 24 79 5.2.6. OFB Mode Key Meshing . . . . . . . . . . . . . . . . 26 80 5.2.7. OMAC Mode Key Meshing . . . . . . . . . . . . . . . . 27 81 6. Joint Usage of External and Internal Re-keying . . . . . . . 29 82 7. Scope of Usage of Rekeying-Based Schemas . . . . . . . . . . 29 83 7.1. Key Transformation Rules . . . . . . . . . . . . . . . . 29 84 7.2. Principles of Choice of Constructions and Security 85 Parameters . . . . . . . . . . . . . . . . . . . . . . . 30 86 8. Security Considerations . . . . . . . . . . . . . . . . . . . 32 87 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 32 88 9.1. Normative References . . . . . . . . . . . . . . . . . . 33 89 9.2. Informative References . . . . . . . . . . . . . . . . . 33 90 Appendix A. Test examples . . . . . . . . . . . . . . . . . . . 34 91 Appendix B. Contributors . . . . . . . . . . . . . . . . . . . . 37 92 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 38 94 1. Introduction 96 Common cryptographic attacks base their success on the ability to get 97 many encryptions under a single key. If encryption is performed 98 under a single key, there is a certain maximum threshold number of 99 messages that can be safely encrypted. These restrictions can come 100 either from combinatorial properties of the used cipher modes of 101 operation (for example, birthday attack [BDJR]) or from particular 102 cryptographic attacks on the used block cipher (for example, linear 103 cryptanalysis [Matsui]). Moreover, most strict restrictions here 104 follow from the need to resist side-channel attacks. The adversary's 105 opportunity to obtain an essential amount of data processed with a 106 single key leads not only to theoretic but also to practical 107 vulnerabilities (see [BL]). Therefore, when the total size of a 108 plaintext processed with a single key reaches the threshold, this key 109 must be replaced. 111 The most simple and obvious way for overcoming the key lifetimes 112 limitations is a renegotiation of a regular session key. However, 113 this reduces the total performance since it usually entails the 114 frequent use of a public key cryptography. 116 Another way is to use a transformation of a previously negotiated 117 key. This specification presents the description of such mechanisms 118 and the description of the cases when these mechanisms should be 119 applied. 121 2. Conventions Used in This Document 123 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 124 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 125 document are to be interpreted as described in [RFC2119]. 127 3. Basic Terms and Definitions 129 This document uses the following terms and definitions for the sets 130 and operations on the elements of these sets: 132 (xor) exclusive-or of two binary vectors of the same length. 134 V* the set of all strings of a finite length (hereinafter 135 referred to as strings), including the empty string; 137 V_s the set of all binary strings of length s, where s is a non- 138 negative integer; substrings and string components are 139 enumerated from right to left starting from one; 141 |X| the bit length of the bit string X; 142 A|B concatenation of strings A and B both belonging to V*, i.e., 143 a string in V_{|A|+|B|}, where the left substring in V_|A| is 144 equal to A, and the right substring in V_|B| is equal to B; 146 Z_{2^n} ring of residues modulo 2^n; 148 Int_s: V_s -> Z_{2^s} the transformation that maps a string a = 149 (a_s, ... , a_1), a in V_s, into the integer Int_s(a) = 150 2^s*a_s + ... + 2*a_2 + a_1; 152 Vec_s: Z_{2^s} -> V_s the transformation inverse to the mapping 153 Int_s; 155 MSB_i: V_s -> V_i the transformation that maps the string a = (a_s, 156 ... , a_1) in V_s, into the string MSB_i(a) = (a_s, ... , 157 a_{s-i+1}) in V_i; 159 LSB_i: V_s -> V_i the transformation that maps the string a = (a_s, 160 ... , a_1) in V_s, into the string LSB_i(a) = (a_i, ... , 161 a_1) in V_i; 163 Inc_c: V_s -> V_s the transformation that maps the string a = (a_s, 164 ... , a_1) in V_s, into the string Inc_c(a) = MSB_{|a|- 165 c}(a) | Vec_c(Int_c(LSB_c(a)) + 1(mod 2^c)) in V_s; 167 a^s denotes the string in V_s that consists of s 'a' bits; 169 E_{K}: V_n -> V_n the block cipher permutation under the key K in 170 V_k; 172 ceil(x) the least integer that is not less than x; 174 k the key K size (in bits); 176 n the block size of the block cipher (in bits); 178 b the total number of data blocks in the plaintext (b = ceil(m/ 179 n)); 181 N the section size (the number of bits in a data section); 183 l the number of data sections in the plaintext; 185 m the message M size (in bits); 187 phi_i: V_s -> V_s the transformation that maps a string a = (a_s, 188 ... , a_1) into the string phi_i(a) = a' = (a'_s, ... , 189 a'_1), 1 <= i <= s, such that a'_i = 1 and a'_j = a_j for all 190 j in {1, ... , s}\{i}. 192 A plaintext message P and a ciphertext C are divided into b = ceil(m/ 193 n) segments denoted as P = P_1 | P_2 | ... | P_b and C = C_1 | C_2 | 194 ... | C_b, where P_i and C_i are in V_n, for i = 1, 2, ... , b-1, and 195 P_b, C_b are in V_r, where r <= n if not otherwise stated. 197 4. External Re-keying Mechanisms 199 This section presents an approach to increase the lifetime of 200 negotiated keys after processing a limited number of integral 201 messages. It provides an external parallel and serial re-keying 202 mechanisms (see [AbBell]). These mechanisms use an initial 203 (negotiated) key as a master key, which is never used directly for 204 the data processing but is used for key generation. Such mechanisms 205 operate outside of the base modes of operations and do not change 206 them at all, therefore they are called "external re-keying" in this 207 document. 209 4.1. Parallel Constructions 211 The main idea behind external re-keying with parallel construction is 212 presented in Fig.1: 214 Maximum message size = m_max. 215 _____________________________________________________________ 217 m_max 218 <----------------> 219 M^{1,1} |=== | 220 M^{1,2} |=============== | 221 +--K^1--> . . . 222 | M^{1,q_1} |======== | 223 | 224 | 225 | M^{2,1} |================| 226 | M^{2,2} |===== | 227 K-----|--K^2--> . . . 228 | M^{2,q_2} |========== | 229 | 230 ... 231 | M^{t,1} |============ | 232 | M^{t,2} |============= | 233 +--K^t--> . . . 234 M^{t,q_t} |========== | 236 _____________________________________________________________ 238 Figure 1: External parallel re-keying mechanisms 240 The key K^i, i = 1, ... , t-1, is updated after processing a certain 241 amount of data (see Section 7.1). 243 4.1.1. Parallel Construction Based on a KDF on a Block Cipher 245 ExtParallelC re-keying mechanism is based on a block cipher and is 246 used to generate t keys for t sections as follows: 248 K^1 | K^2 | ... | K^t = ExtParallelC(K, t*k) = 249 MSB_{t*k}(E_{K}(0) | E_{K}(1) | ... | E_{K}(J-1)), 251 where J = ceil(k/n). 253 4.1.2. Parallel Construction Based on HKDF 255 ExtParallelH re-keying mechanism is based on HMAC key derivation 256 function HKDF-Expand, described in [RFC5869], and is used to generate 257 t keys for t sections as follows: 259 K^1 | K^2 | ... | K^t = ExtParallelH(K, t*k) = HKDF-Expand(K, 260 label, t*k), 262 where label is a string (can be a zero-length string) that is defined 263 by a specific protocol. 265 4.2. Serial Constructions 267 The main idea behind external re-keying with serial construction is 268 presented in Fig.2: 270 Maximum message size = m_max. 271 _____________________________________________________________ 272 m_max 273 <----------------> 274 M^{1,1} |=== | 275 M^{1,2} |=============== | 276 K*_1 = K ----K^1--> . . . 277 | M^{1,q_1} |======== | 278 | 279 | 280 | M^{2,1} |================| 281 v M^{2,2} |===== | 282 K*_2 --------K^2--> . . . 283 | M^{2,q_2} |========== | 284 | 285 ... 286 | M^{t,1} |============ | 287 v M^{t,2} |============= | 288 K*_t --------K^t--> . . . 289 M^{t,q_t} |========== | 291 _____________________________________________________________ 293 Figure 2: External serial re-keying mechanisms 295 The key K^i, i = 1, ... , t-1, is updated after processing a certain 296 amount of data (see Section 7.1). 298 4.2.1. Serial Construction Based on a KDF on a Block Cipher 300 The key K^i is calculated using ExtSerialC transformation as follows: 302 K^i = ExtSerialC(K, i) = MSB_k(E_{K*_i}(0) | E_{K*_i}(1) | ... | 303 E_{K*_i}(J-1)), 305 where J = ceil(k/n), i = 1, ... , t, K*_i is calculated as follows: 307 K*_1 = K, 309 K*_{j+1} = MSB_k(E_{K*_j}(J) | E_{K*_j}(J+1) | ... | E_{K*_j}(2J- 310 1)), 312 where j = 1, ... , t-1. 314 4.2.2. Serial Construction Based on HKDF 316 The key K^i is calculated using ExtSerialH transformation as follows: 318 K^i = ExtSerialH(K, i) = HKDF-Expand(K*_i, label1, k), 320 where i = 1, ... , t, HKDF-Expand is an HMAC-based key derivation 321 function, described in [RFC5869], K*_i is calculated as follows: 323 K*_1 = K, 325 K*_{j+1} = HKDF-Expand(K*_j, label2, k), where j = 1, ... , t-1, 327 where label1 and label2 are different strings (can be a zero-length 328 strings) that are defined by a specific protocol (see, for example, 329 TLS 1.3 updating traffic keys algorithm [TLSDraft]). 331 5. Internal Re-keying Mechanisms 333 This section presents an approach to increase the lifetime of 334 negotiated key by re-keying during each separate message processing. 335 It provides an internal re-keying mechanisms called ACPKM and ACPKM- 336 Master that do not use and use a master key respectively. Such 337 mechanisms are integrated into the base modes of operations and can 338 be considered as the base mode extensions, therefore they are called 339 "internal re-keying" in this document. 341 5.1. Constructions that Do Not Require Master Key 343 This section describes the block cipher modes that uses the ACPKM re- 344 keying mechanism, which does not use master key: an initial key is 345 used directly for the encryption of the data. 347 5.1.1. ACPKM Re-keying Mechanisms 349 This section defines periodical key transformation with no master key 350 which is called ACPKM re-keying mechanism. This mechanism can be 351 applied to one of the basic encryption modes (CTR and GCM block 352 cipher modes) for getting an extension of this encryption mode that 353 uses periodical key transformation with no master key. This 354 extension can be considered as a new encryption mode. 356 An additional parameter that defines the functioning of basic 357 encryption modes with the ACPKM re-keying mechanism is the section 358 size N. The value of N is measured in bits and is fixed within a 359 specific protocol based on the requirements of the system capacity 360 and key lifetime (some recommendations on choosing N will be provided 361 in Section 8). The section size N MUST be divisible by the block 362 size n. 364 The main idea behind internal re-keying with no master key is 365 presented in Fig.3: 367 Section size = const = N, 368 maximum message size = m_max. 369 ____________________________________________________________________ 371 ACPKM ACPKM ACPKM 372 K^1 = K ---> K^2 ---...-> K^{l_max-1} ----> K^{l_max} 373 | | | | 374 | | | | 375 v v v v 376 M^{1} |==========|==========| ... |==========|=======: | 377 M^{2} |==========|==========| ... |=== | : | 378 . . . . . . : 379 : : : : : : : 380 M^{q} |==========|==========| ... |==========|===== : | 381 section : 382 <----------> m_max 383 N bit 384 ___________________________________________________________________ 385 l_max = ceil(m_max/N). 387 Figure 3: Key meshing with no master key 389 During the processing of the input message M with the length m in 390 some encryption mode that uses ACPKM key transformation of the key K 391 the message is divided into l = ceil(m/N) sections (denoted as M = 392 M_1 | M_2 | ... | M_l, where M_i is in V_N for i = 1, 2, ... , l-1 393 and M_l is in V_r, r <= N). The first section of each message is 394 processed with the initial key K^1 = K. To process the (i+1)-th 395 section of each message the K^{i+1} key value is calculated using 396 ACPKM transformation as follows: 398 K^{i+1} = ACPKM(K^i) = MSB_k(E_{K^i}(W_1) | ... | E_{K^i}(W_J)), 400 where J = ceil(k/n), W_t = phi_c(D_t) for any t in {1, ... ,J} and 401 D_1, D_2, ... , D_J are in V_n and are calculated as follows: 403 D_1 | D_2 | ... | D_J = MSB_{J*n}(D), 405 where D is the following constant in V_{1024}: 407 D = ( F3 | 74 | E9 | 23 | FE | AA | D6 | DD 408 | 98 | B4 | B6 | 3D | 57 | 8B | 35 | AC 409 | A9 | 0F | D7 | 31 | E4 | 1D | 64 | 5E 410 | 40 | 8C | 87 | 87 | 28 | CC | 76 | 90 411 | 37 | 76 | 49 | 9F | 7D | F3 | 3B | 06 412 | 92 | 21 | 7B | 06 | 37 | BA | 9F | B4 413 | F2 | 71 | 90 | 3F | 3C | F6 | FD | 1D 414 | 70 | BB | BB | 88 | E7 | F4 | 1B | 76 415 | 7E | 44 | F9 | 0E | 46 | 91 | 5B | 57 416 | 00 | BC | 13 | 45 | BE | 0D | BD | C7 417 | 61 | 38 | 19 | 3C | 41 | 30 | 86 | 82 418 | 1A | A0 | 45 | 79 | 23 | 4C | 4C | F3 419 | 64 | F2 | 6A | CC | EA | 48 | CB | B4 420 | 0C | B9 | A9 | 28 | C3 | B9 | 65 | CD 421 | 9A | CA | 60 | FB | 9C | A4 | 62 | C7 422 | 22 | C0 | 6C | E2 | 4A | C7 | FB | 5B). 424 N o t e : The constant D is such that phi_c(D_1), ... , phi_c(D_J) 425 are pairwise different for any allowed n, k, c values. 427 N o t e : The constant D is such that D = 428 sha512(streebog512(0^1024)) | sha512(streebog512(1^1024)), where 429 sha512 is a hash function with 512-bit output corresponding to the 430 algorithm SHA-512 [SHA-512], streebog512 is a hash function with 431 512-bit output, corresponding to the algorithm GOST R 34.11-2012 432 [GOST3411-2012], [RFC6986]. 434 5.1.2. CTR-ACPKM Encryption Mode 436 This section defines a CTR-ACPKM encryption mode that uses internal 437 ACPKM re-keying mechanism for the periodical key transformation. 439 The CTR-ACPKM mode can be considered as the extended by the ACPKM re- 440 keying mechanism basic encryption mode CTR (see [MODES]). 442 The CTR-ACPKM encryption mode can be used with the following 443 parameters: 445 o 64 <= n <= 512; 447 o 128 <= k <= 512; 449 o the number of bits c in a specific part of the block to be 450 incremented is such that 32 <= c <= 3/4 n. 452 The CTR-ACPKM mode encryption and decryption procedures are defined 453 as follows: 455 +----------------------------------------------------------------+ 456 | CTR-ACPKM-Encrypt(N, K, ICN, P) | 457 |----------------------------------------------------------------| 458 | Input: | 459 | - Section size N, | 460 | - key K, | 461 | - initial counter nonce ICN in V_{n-c}, | 462 | - plaintext P = P_1 | ... | P_b, |P| < n * 2^{c-1}. | 463 | Output: | 464 | - Ciphertext C. | 465 |----------------------------------------------------------------| 466 | 1. CTR_1 = ICN | 0^c | 467 | 2. For j = 2, 3, ... , b do | 468 | CTR_{j} = Inc_c(CTR_{j-1}) | 469 | 3. K^1 = K | 470 | 4. For i = 2, 3, ... , ceil(|P|/N) | 471 | K^i = ACPKM(K^{i-1}) | 472 | 5. For j = 1, 2, ... , b do | 473 | i = ceil(j*n / N), | 474 | G_j = E_{K^i}(CTR_j) | 475 | 6. C = P (xor) MSB_{|P|}(G_1 | ... | G_b) | 476 | 7. Return C | 477 +----------------------------------------------------------------+ 479 +----------------------------------------------------------------+ 480 | CTR-ACPKM-Decrypt(N, K, ICN, C) | 481 |----------------------------------------------------------------| 482 | Input: | 483 | - Section size N, | 484 | - key K, | 485 | - initial counter nonce ICN in V_{n-c}, | 486 | - ciphertext C = C_1 | ... | C_b, |C| < n * 2^{c-1}. | 487 | Output: | 488 | - Plaintext P. | 489 |----------------------------------------------------------------| 490 | 1. P = CTR-ACPKM-Encrypt(N, K, ICN, C) | 491 | 2. Return P | 492 +----------------------------------------------------------------+ 494 The initial counter nonce ICN value for each message that is 495 encrypted under the given key must be chosen in a unique manner. 497 The message size m MUST NOT exceed n * 2^{c-1} bits. 499 5.1.3. GCM-ACPKM Encryption Mode 501 This section defines a GCM-ACPKM encryption mode that uses internal 502 ACPKM re-keying mechanism for the periodical key transformation. 504 The GCM-ACPKM mode can be considered as the extended by the ACPKM re- 505 keying mechanism basic encryption mode GCM (see [GCM]). 507 The GCM-ACPKM encryption mode can be used with the following 508 parameters: 510 o n in {128, 256}; 512 o 128 <= k <= 512; 514 o the number of bits c in a specific part of the block to be 515 incremented is such that 32 <= c <= 3/4 n; 517 o authentication tag length t. 519 The GCM-ACPKM mode encryption and decryption procedures are defined 520 as follows: 522 +-------------------------------------------------------------------+ 523 | GHASH(X, H) | 524 |-------------------------------------------------------------------| 525 | Input: | 526 | - Bit string X = X_1 | ... | X_m, X_i in V_n for i in 1, ... , m.| 527 | Output: | 528 | - Block GHASH(X, H) in V_n. | 529 |-------------------------------------------------------------------| 530 | 1. Y_0 = 0^n | 531 | 2. For i = 1, ... , m do | 532 | Y_i = (Y_{i-1} (xor) X_i) * H | 533 | 3. Return Y_m | 534 +-------------------------------------------------------------------+ 536 +-------------------------------------------------------------------+ 537 | GCTR(N, K, ICB, X) | 538 |-------------------------------------------------------------------| 539 | Input: | 540 | - Section size N, | 541 | - key K, | 542 | - initial counter block ICB, | 543 | - X = X_1 | ... | X_b, X_i in V_n for i = 1, ... , b-1 and | 544 | X_b in V_r, where r <= n. | 545 | Output: | 546 | - Y in V_{|X|}. | 547 |-------------------------------------------------------------------| 548 | 1. If X in V_0 then return Y, where Y in V_0 | 549 | 2. GCTR_1 = ICB | 550 | 3. For i = 2, ... , b do | 551 | GCTR_i = Inc_c(GCTR_{i-1}) | 552 | 4. K^1 = K | 553 | 5. For j = 2, ... , ceil(l*n / N) | 554 | K^j = ACPKM(K^{j-1}) | 555 | 6. For i = 1, ... , b do | 556 | j = ceil(i*n / N), | 557 | G_i = E_{K_j}(GCTR_i) | 558 | 7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b) | 559 | 8. Return Y. | 560 +-------------------------------------------------------------------+ 562 +-------------------------------------------------------------------+ 563 | GCM-ACPKM-Encrypt(N, K, IV, P, A) | 564 |-------------------------------------------------------------------| 565 | Input: | 566 | - Section size N, | 567 | - key K, | 568 | - initial counter nonce ICN in V_{n-c}, | 569 | - plaintext P, |P| <= n*(2^{c-1} - 2), P = P_1 | ... | P_b, | 570 | - additional authenticated data A. | 571 | Output: | 572 | - Ciphertext C, | 573 | - authentication tag T. | 574 |-------------------------------------------------------------------| 575 | 1. H = E_{K}(0^n) | 576 | 2. If c = 32, then ICB_0 = ICN | 0^31 | 1 | 577 | if c!= 32, then s = n * ceil(|ICN| / n) - |ICN|, | 578 | ICB_0 = GHASH(ICN | 0^{s+n-64} | Vec_64(|ICN|), H) | 579 | 3. C = GCTR(N, K, Inc_32(ICB_0), P) | 580 | 4. u = n*ceil(|C| / n) - |C| | 581 | v = n*ceil(|A| / n) - |A| | 582 | 5. S = GHASH(A | 0^v | C | 0^u | 0^{n-128} | Vec_64(|A|) | | 583 | | Vec_64(|C|), H) | 584 | 6. T = MSB_t(E_{K}(ICB_0) (xor) S) | 585 | 7. Return C | T | 586 +-------------------------------------------------------------------+ 588 +-------------------------------------------------------------------+ 589 | GCM-ACPKM-Decrypt(N, K, IV, A, C, T) | 590 |-------------------------------------------------------------------| 591 | Input: | 592 | - Section size N, | 593 | - key K, | 594 | - initial counter block ICB, | 595 | - additional authenticated data A. | 596 | - ciphertext C, |C| <= n*(2^{c-1} - 2), C = C_1 | ... | C_b, | 597 | - authentication tag T | 598 | Output: | 599 | - Plaintext P or FAIL. | 600 |-------------------------------------------------------------------| 601 | 1. H = E_{K}(0^n) | 602 | 2. If c = 32, then ICB_0 = ICN | 0^31 | 1 | 603 | if c!= 32, then s = n*ceil(|ICN|/n)-|ICN|, | 604 | ICB_0 = GHASH(ICN | 0^{s+n-64} | Vec_64(|ICN|), H) | 605 | 3. P = GCTR(N, K, Inc_32(ICB_0), C) | 606 | 4. u = n*ceil(|C| / n)-|C| | 607 | v = n*ceil(|A| / n)-|A| | 608 | 5. S = GHASH(A | 0^v | C | 0^u | 0^{n-128} | Vec_64(|A|) | | 609 | | Vec_64(|C|), H) | 610 | 6. T' = MSB_t(E_{K}(ICB_0) (xor) S) | 611 | 7. If T = T' then return P; else return FAIL | 612 +-------------------------------------------------------------------+ 614 The * operation on (pairs of) the 2^n possible blocks corresponds to 615 the multiplication operation for the binary Galois (finite) field of 616 2^n elements defined by the polynomial f as follows (by analogy with 617 [GCM]): 619 n = 128: f = a^128 + a^7 + a^2 + a^1 + 1. 621 n = 256: f = a^256 + a^10 + a^5 + a^2 + 1. 623 The initial vector IV value for each message that is encrypted under 624 the given key must be chosen in a unique manner. 626 The message size m MUST NOT exceed n*(2^{c-1} - 2) bits. 628 The key for computing values E_{K}(ICB_0) and H is not updated and is 629 equal to the initial key K. 631 5.2. Constructions that Require Master Key 633 This section describes the block cipher modes that uses the ACPKM- 634 Master re-keying mechanism, which use the initial key K as a master 635 key K, so K is never used directly for the data processing but is 636 used for key derivation. 638 5.2.1. ACPKM-Master Key Generation from the Master Key 640 This section defines periodical key transformation with master key K 641 which is called ACPKM-Master re-keying mechanism. This mechanism can 642 be applied to one of the basic encryption modes (CTR, GCM, CBC, CFB, 643 OFB, OMAC encryption modes) for getting an extension of this 644 encryption mode that uses periodical key transformation with master 645 key. This extension can be considered as a new encryption mode. 647 Additional parameters that defines the functioning of basic 648 encryption modes with the ACPKM-Master re-keying mechanism are the 649 section size N and change frequency T* of the key K. The values of N 650 and T* are measured in bits and are fixed within a specific protocol 651 based on the requirements of the system capacity and key lifetime 652 (some recommendations on choosing N and T* will be provided in 653 Section 8). The section size N MUST be divisible by the block size 654 n. The key frequency T* MUST be divisible by n. 656 The main idea behind internal re-keying with master key is presented 657 in Fig.4: 659 Change frequency T*, 660 section size N, 661 maximum message size = m_max. 662 __________________________________________________________________________________ 664 ACPKM ACPKM 665 K*_1 = K--------------> K*_2 ---------...---------> K*_l_max 666 ___|___ ___|___ ___|___ 667 | | | | | | 668 v ... v v ... v v ... v 669 K[1] K[t] K[t+1] K[2t] K[(l_max-1)t+1] K[l_max*t] 670 | | | | | | 671 | | | | | | 672 v v v v v v 673 M^{1}||========|...|========||========|...|========||...||========|...|== : || 674 M^{2}||========|...|========||========|...|========||...||========|...|======: || 675 ... || | | || | | || || | | : || 676 M^{q}||========|...|========||==== |...| ||...|| |...| : || 677 section : 678 <--------> : 679 N bit m_max 680 __________________________________________________________________________________ 681 |K[i]| = d, 682 t = T*/d, 683 l_max = ceil(m_max/N). 684 Figure 4: Key meshing with master key 686 During the processing of the input message M with the length m in 687 some encryption mode that uses ACPKM-Master key transformation with 688 the master key K and key frequency T* the message M is divided into l 689 = ceil(m/N) sections (denoted as M = M_1 | M_2 | ... | M_l, where M_i 690 is in V_N for i in {1, 2, ... , l-1} and M_l is in V_r, r <= N). The 691 j-th section of each message is processed with the key material K[j], 692 j in {1, ... ,l}, |K[j]| = d, that has been calculated with the 693 ACPKM-Master algorithm as follows: 695 K[1] | ... | K[l] = ACPKM-Master(T*, K, d*l) = CTR-ACPKM-Encrypt 696 (T*, K, 1^{n/2}, 0^{d*l}). 698 5.2.2. CTR Mode Key Meshing 700 This section defines a CTR-ACPKM-Master encryption mode that uses 701 internal ACPKM-Master re-keying mechanism for the periodical key 702 transformation. 704 The CTR-ACPKM-Master encryption mode can be considered as the 705 extended by the ACPKM-Master re-keying mechanism basic encryption 706 mode CTR (see [MODES]). 708 The CTR-ACPKM-Master encryption mode can be used with the following 709 parameters: 711 o 64 <= n <= 512; 713 o 128 <= k <= 512; 715 o the number of bits c in a specific part of the block to be 716 incremented is such that 32 <= c <= 3/4 n. 718 The key material K[j] that is used for one section processing is 719 equal to K^j, |K^j| = k bits. 721 The CTR-ACPKM-Master mode encryption and decryption procedures are 722 defined as follows: 724 +----------------------------------------------------------------+ 725 | CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, P) | 726 |----------------------------------------------------------------| 727 | Input: | 728 | - Section size N, | 729 | - master key K, | 730 | - change frequency T*, | 731 | - initial counter nonce ICN in V_{n-c}, | 732 | - plaintext P = P_1 | ... | P_b, |P| <= 2^{n/2-1}*n*N / k. | 733 | Output: | 734 | - Ciphertext C. | 735 |----------------------------------------------------------------| 736 | 1. CTR_1 = ICN | 0^c | 737 | 2. For j = 2, 3, ... , b do | 738 | CTR_{j} = Inc_c(CTR_{j-1}) | 739 | 3. l = ceil(b*n / N) | 740 | 4. K^1 | ... | K^l = ACPKM-Master(T*, K, k*l) | 741 | 5. For j = 1, 2, ... , b do | 742 | i = ceil(j*n / N), | 743 | G_j = E_{K^i}(CTR_j) | 744 | 6. C = P (xor) MSB_{|P|}(G_1 | ... |G_b) | 745 | 7. Return C | 746 |----------------------------------------------------------------+ 748 +----------------------------------------------------------------+ 749 | CTR-ACPKM-Master-Decrypt(N, K, T*, ICN, C) | 750 |----------------------------------------------------------------| 751 | Input: | 752 | - Section size N, | 753 | - master key K, | 754 | - change frequency T*, | 755 | - initial counter nonce ICN in V_{n-c}, | 756 | - ciphertext C = C_1 | ... | C_b, |C| <= 2^{n/2-1}*n*N / k. | 757 | Output: | 758 | - Plaintext P. | 759 |----------------------------------------------------------------| 760 | 1. P = CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, C) | 761 | 1. Return P | 762 +----------------------------------------------------------------+ 764 The initial counter nonce ICN value for each message that is 765 encrypted under the given key must be chosen in a unique manner. The 766 counter (CTR_{i+1}) value does not change during key transformation. 768 The message size m MUST NOT exceed (2^{n/2-1}*n*N / k) bits. 770 5.2.3. GCM Mode Key Meshing 772 This section defines a GCM-ACPKM-Master encryption mode that uses 773 internal ACPKM-Master re-keying mechanism for the periodical key 774 transformation. 776 The GCM-ACPKM-Master encryption mode can be considered as the 777 extended by the ACPKM-Master re-keying mechanism basic encryption 778 mode GCM (see [GCM]). 780 The GCM-ACPKM-Master encryption mode can be used with the following 781 parameters: 783 o n in {128, 256}; 785 o 128 <= k <= 512; 787 o the number of bits c in a specific part of the block to be 788 incremented is such that 32 <= c <= 3/4 n; 790 o authentication tag length t. 792 The key material K[j] that is used for one section processing is 793 equal to K^j, |K^j| = k bits, that is calculated as follows: 795 K^1 | ... | K^j | ... | K^l = ACPKM-Master(T*, K, k*l). 797 The GCM-ACPKM-Master mode encryption and decryption procedures are 798 defined as follows: 800 +-------------------------------------------------------------------+ 801 | GHASH(X, H) | 802 |-------------------------------------------------------------------| 803 | Input: | 804 | - Bit string X = X_1 | ... | X_m, X_i in V_n for i in {1, ... ,m}| 805 | Output: | 806 | - Block GHASH(X, H) in V_n | 807 |-------------------------------------------------------------------| 808 | 1. Y_0 = 0^n | 809 | 2. For i = 1, ... , m do | 810 | Y_i = (Y_{i-1} (xor) X_i)*H | 811 | 3. Return Y_m | 812 +-------------------------------------------------------------------+ 814 +-------------------------------------------------------------------+ 815 | GCTR(N, K, T*, ICB, X) | 816 |-------------------------------------------------------------------| 817 | Input: | 818 | - Section size N, | 819 | - master key K, | 820 | - change frequency T*, | 821 | - initial counter block ICB, | 822 | - X = X_1 | ... | X_b, X_i in V_n for i = 1, ... , b-1 and | 823 | X_b in V_r, where r <= n. | 824 | Output: | 825 | - Y in V_{|X|}. | 826 |-------------------------------------------------------------------| 827 | 1. If X in V_0 then return Y, where Y in V_0 | 828 | 2. GCTR_1 = ICB | 829 | 3. For i = 2, ... , b do | 830 | GCTR_i = Inc_c(GCTR_{i-1}) | 831 | 4. l = ceil(b*n / N) | 832 | 5. K^1 | ... | K^l = ACPKM-Master(T*, K, k*l) | 833 | 6. For j = 1, ... , b do | 834 | i = ceil(j*n / N), | 835 | G_j = E_{K^i}(GCTR_j) | 836 | 7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b) | 837 | 8. Return Y | 838 +-------------------------------------------------------------------+ 840 +-------------------------------------------------------------------+ 841 | GCM-ACPKM-Master-Encrypt(N, K, T*, IV, P, A) | 842 |-------------------------------------------------------------------| 843 | Input: | 844 | - Section size N, | 845 | - master key K, | 846 | - change frequency T*, | 847 | - initial counter nonce ICN in V_{n-c}, | 848 | - plaintext P, |P| <= n*(2^{c-1} - 2). | 849 | - additional authenticated data A. | 850 | Output: | 851 | - Ciphertext C, | 852 | - authentication tag T. | 853 |-------------------------------------------------------------------| 854 | 1. K^1 = ACPKM-Master(T*, K, k) | 855 | 2. H = E_{K^1}(0^n) | 856 | 3. If c = 32, then ICB_0 = ICN | 0^31 | 1 | 857 | if c!= 32, then s = n*ceil(|ICN|/n) - |ICN|, | 858 | ICB_0 = GHASH(ICN | 0^{s+n-64} | Vec_64(|ICN|), H) | 859 | 4. C = GCTR(N, K, T*, Inc_32(J_0), P) | 860 | 5. u = n*ceil(|C| / n) - |C| | 861 | v = n*ceil(|A| / n) - |A| | 862 | 6. S = GHASH(A | 0^v | C | 0^u | 0^{n-128} | Vec_64(|A|) | | 863 | | Vec_64(|C|), H) | 864 | 7. T = MSB_t(E_{K^1}(J_0) (xor) S) | 865 | 8. Return C | T | 866 +-------------------------------------------------------------------+ 868 +-------------------------------------------------------------------+ 869 | GCM-ACPKM-Master-Decrypt(N, K, T*, IV, A, C, T) | 870 |-------------------------------------------------------------------| 871 | Input: | 872 | - Section size N, | 873 | - master key K, | 874 | - change frequency T*, | 875 | - initial counter nonce ICN in V_{n-c}, | 876 | - additional authenticated data A. | 877 | - ciphertext C, |C| <= n*(2^{c-1} - 2), | 878 | - authentication tag T, | 879 | Output: | 880 | - Plaintext P or FAIL. | 881 |-------------------------------------------------------------------| 882 | 1. K^1 = ACPKM-Master(T*, K, k) | 883 | 2. H = E_{K^1}(0^n) | 884 | 3. If c = 32, then ICB_0 = ICN | 0^31 | 1 | 885 | if c!= 32, then s = n*ceil(|ICN| / n) - |ICN|, | 886 | ICB_0 = GHASH(ICN | 0^{s+n-64} | Vec_64(|ICN|), H) | 887 | 4. P = GCTR(N, K, T*, Inc_32(J_0), C) | 888 | 5. u = n*ceil(|C| / n) - |C| | 889 | v = n*ceil(|A| / n) - |A| | 890 | 6. S = GHASH(A | 0^v | C | 0^u | 0^{n-128} | Vec_64(|A|) | | 891 | | Vec_64(|C|), H) | 892 | 7. T' = MSB_t(E_{K^1}(ICB_0) (xor) S) | 893 | 8. IF T = T' then return P; else return FAIL. | 894 +-------------------------------------------------------------------+ 896 The * operation on (pairs of) the 2^n possible blocks corresponds to 897 the multiplication operation for the binary Galois (finite) field of 898 2^n elements defined by the polynomial f as follows (by analogy with 899 [GCM]): 901 n = 128: f = a^128 + a^7 + a^2 + a^1 + 1. 903 n = 256: f = a^256 + a^10 + a^5 + a^2 + 1. 905 The initial vector IV value for each message that is encrypted under 906 the given key must be chosen in a unique manner. 908 The message size m MUST NOT exceed (2^{n/2-1}*n*N / k) bits. 910 5.2.4. CBC Mode Key Meshing 912 This section defines a CBC-ACPKM-Master encryption mode that uses 913 internal ACPKM-Master re-keying mechanism for the periodical key 914 transformation. 916 The CBC-ACPKM-Master encryption mode can be considered as the 917 extended by the ACPKM-Master re-keying mechanism basic encryption 918 mode CBC (see [MODES]). 920 The CBC-ACPKM-Master encryption mode can be used with the following 921 parameters: 923 o 64 <= n <= 512; 925 o 128 <= k <= 512. 927 In the specification of the CBC-ACPKM-Master mode the plaintext and 928 ciphertext must be a sequence of one or more complete data blocks. 929 If the data string to be encrypted does not initially satisfy this 930 property, then it MUST be padded to form complete data blocks. The 931 padding methods are outside the scope of this document. An example 932 of a padding method can be found in Appendix A of [MODES]. 934 The key material K[j] that is used for one section processing is 935 equal to K^j, |K^j| = k bits. 937 We will denote by D_{K} the decryption function which is a 938 permutation inverse to the E_{K}. 940 The CBC-ACPKM-Master mode encryption and decryption procedures are 941 defined as follows: 943 +----------------------------------------------------------------+ 944 | CBC-ACPKM-Master-Encrypt(N, K, T*, IV, P) | 945 |----------------------------------------------------------------| 946 | Input: | 947 | - Section size N, | 948 | - master key K, | 949 | - change frequency T*, | 950 | - initialization vector IV in V_n, | 951 | - plaintext P = P_1 | ... | P_b, |P| <= 2^{n/2-1}*n*N / k, | 952 | |P_b| = n. | 953 | Output: | 954 | - Ciphertext C. | 955 |----------------------------------------------------------------| 956 | 1. l = ceil(b*n/N) | 957 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k*l) | 958 | 3. C_0 = IV | 959 | 4. For j = 1, 2, ... , b do | 960 | i = ceil(j*n / N), | 961 | C_j = E_{K^i}(P_j (xor) C_{j-1}) | 962 | 5. Return C = C_1 | ... | C_b | 963 |----------------------------------------------------------------+ 965 +----------------------------------------------------------------+ 966 | CBC-ACPKM-Master-Decrypt(N, K, T*, IV, C) | 967 |----------------------------------------------------------------| 968 | Input: | 969 | - Section size N, | 970 | - master key K, | 971 | - change frequency T*, | 972 | - initialization vector IV in V_n, | 973 | - ciphertext C = C_1 | ... | C_b, |C| <= 2^{n/2-1}*n*N/k, | 974 | |C_b| = n. | 975 | Output: | 976 | - Plaintext P. | 977 |----------------------------------------------------------------| 978 | 1. l = ceil(b*n / N) | 979 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k*l) | 980 | 3. C_0 = IV | 981 | 4. For j = 1, 2, ... , b do | 982 | i = ceil(j*n/N) | 983 | P_j = D_{K^i}(C_j) (xor) C_{j-1} | 984 | 5. Return P = P_1 | ... | P_b | 985 +----------------------------------------------------------------+ 987 The initialization vector IV for each message that is encrypted under 988 the given key need not to be secret, but must be unpredictable. 990 The message size m MUST NOT exceed (2^{n/2-1}*n*N / k) bits. 992 5.2.5. CFB Mode Key Meshing 994 This section defines a CFB-ACPKM-Master encryption mode that uses 995 internal ACPKM-Master re-keying mechanism for the periodical key 996 transformation. 998 The CFB-ACPKM-Master encryption mode can be considered as the 999 extended by the ACPKM-Master re-keying mechanism basic encryption 1000 mode CFB (see [MODES]). 1002 The CFB-ACPKM-Master encryption mode can be used with the following 1003 parameters: 1005 o 64 <= n <= 512; 1007 o 128 <= k <= 512. 1009 The key material K[j] that is used for one section processing is 1010 equal to K^j, |K^j| = k bits. 1012 The CFB-ACPKM-Master mode encryption and decryption procedures are 1013 defined as follows: 1015 +-------------------------------------------------------------+ 1016 | CFB-ACPKM-Master-Encrypt(N, K, T*, IV, P) | 1017 |-------------------------------------------------------------| 1018 | Input: | 1019 | - Section size N, | 1020 | - master key K, | 1021 | - change frequency T*, | 1022 | - initialization vector IV in V_n, | 1023 | - plaintext P = P_1 | ... | P_b, |P| <= 2^{n/2-1}*n*N / k. | 1024 | Output: | 1025 | - Ciphertext C. | 1026 |-------------------------------------------------------------| 1027 | 1. l = ceil(b*n / N) | 1028 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k*l) | 1029 | 3. C_0 = IV | 1030 | 4. For j = 1, 2, ... , b do | 1031 | i = ceil(j*n / N) | 1032 | C_j = E_{K^i}(C_{j-1}) (xor) P_j | 1033 | 5. Return C = C_1 | ... | C_b. | 1034 |-------------------------------------------------------------+ 1036 +-------------------------------------------------------------+ 1037 | CFB-ACPKM-Master-Decrypt(N, K, T*, IV, C#) | 1038 |-------------------------------------------------------------| 1039 | Input: | 1040 | - Section size N, | 1041 | - master key K, | 1042 | - change frequency T*, | 1043 | - initialization vector IV in V_n, | 1044 | - ciphertext C = C_1 | ... | C_b, |C| <= 2^{n/2-1}*n*N / k.| 1045 | Output: | 1046 | - Plaintext P. | 1047 |-------------------------------------------------------------| 1048 | 1. l = ceil(b*n / N) | 1049 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k*l) | 1050 | 3. C_0 = IV | 1051 | 4. For j = 1, 2, ... , b do | 1052 | i = ceil(j*n / N), | 1053 | P_j = E_{K^i}(C_{j-1}) (xor) C_j | 1054 | 5. Return P = P_1 | ... | P_b | 1055 +-------------------------------------------------------------+ 1057 The initialization vector IV for each message that is encrypted under 1058 the given key need not to be secret, but must be unpredictable. 1060 The message size m MUST NOT exceed 2^{n/2-1}*n*N/k bits. 1062 5.2.6. OFB Mode Key Meshing 1064 This section defines an OFB-ACPKM-Master encryption mode that uses 1065 internal ACPKM-Master re-keying mechanism for the periodical key 1066 transformation. 1068 The OFB-ACPKM-Master encryption mode can be considered as the 1069 extended by the ACPKM-Master re-keying mechanism basic encryption 1070 mode OFB (see [MODES]). 1072 The OFB-ACPKM-Master encryption mode can be used with the following 1073 parameters: 1075 o 64 <= n <= 512; 1077 o 128 <= k <= 512. 1079 The key material K[j] used for one section processing is equal to 1080 K^j, |K^j| = k bits. 1082 The OFB-ACPKM-Master mode encryption and decryption procedures are 1083 defined as follows: 1085 +----------------------------------------------------------------+ 1086 | OFB-ACPKM-Master-Encrypt(N, K, T*, IV, P) | 1087 |----------------------------------------------------------------| 1088 | Input: | 1089 | - Section size N, | 1090 | - master key K, | 1091 | - change frequency T*, | 1092 | - initialization vector IV in V_n, | 1093 | - plaintext P = P_1 | ... | P_b, |P| <= 2^{n/2-1}*n*N / k. | 1094 | Output: | 1095 | - Ciphertext C. | 1096 |----------------------------------------------------------------| 1097 | 1. l = ceil(b*n / N) | 1098 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k*l) | 1099 | 3. G_0 = IV | 1100 | 4. For j = 1, 2, ... , b do | 1101 | i = ceil(j*n / N), | 1102 | G_j = E_{K_i}(G_{j-1}) | 1103 | 5. Return C = P (xor) MSB_{|P|}(G_1 | ... | G_b) | 1104 |----------------------------------------------------------------+ 1106 +----------------------------------------------------------------+ 1107 | OFB-ACPKM-Master-Decrypt(N, K, T*, IV, C) | 1108 |----------------------------------------------------------------| 1109 | Input: | 1110 | - Section size N, | 1111 | - master key K, | 1112 | - change frequency T*, | 1113 | - initialization vector IV in V_n, | 1114 | - ciphertext C = C_1 | ... | C_b, |C| <= 2^{n/2-1}*n*N / k. | 1115 | Output: | 1116 | - Plaintext P. | 1117 |----------------------------------------------------------------| 1118 | 1. Return OFB-ACPKM-Master-Encrypt(N, K, T*, IV, C) | 1119 +----------------------------------------------------------------+ 1121 The initialization vector IV for each message that is encrypted under 1122 the given key need not be unpredictable, but it must be a nonce that 1123 is unique to each execution of the encryption operation. 1125 The message size m MUST NOT exceed 2^{n/2-1}*n*N / k bits. 1127 5.2.7. OMAC Mode Key Meshing 1129 This section defines an OMAC-ACPKM-Master message authentication code 1130 calculation mode that uses internal ACPKM-Master re-keying mechanism 1131 for the periodical key transformation. 1133 The OMAC-ACPKM-Master encryption mode can be considered as the 1134 extended by the ACPKM-Master re-keying mechanism basic message 1135 authentication code calculation mode OMAC, which is also known as 1136 CMAC (see [RFC4493]). 1138 The OMAC-ACPKM-Master message authentication code calculation mode 1139 can be used with the following parameters: 1141 o n in {64, 128, 256}; 1143 o 128 <= k <= 512. 1145 The key material K[j] that is used for one section processing is 1146 equal to K^j | K^j_1, where |K^j| = k and |K^j_1| = n. 1148 The following is a specification of the subkey generation process of 1149 OMAC: 1151 +-------------------------------------------------------------------+ 1152 | Generate_Subkey(K1, r) | 1153 |-------------------------------------------------------------------| 1154 | Input: | 1155 | - Key K1, | 1156 | Output: | 1157 | - Key SK. | 1158 |-------------------------------------------------------------------| 1159 | 1. If r = n then return K1 | 1160 | 2. If r < n then | 1161 | if MSB_1(K1) = 0 | 1162 | return K1 << 1 | 1163 | else | 1164 | return (K1 << 1) (xor) R_n | 1165 | | 1166 +-------------------------------------------------------------------+ 1168 Where R_n takes the following values: 1170 o n = 64: R_{64} = 0^{59} | 11011; 1172 o n = 128: R_{128} = 0^{120} | 10000111; 1174 o n = 256: R_{256} = 0^{145} | 10000100101. 1176 The OMAC-ACPKM-Master message authentication code calculation mode is 1177 defined as follows: 1179 +-------------------------------------------------------------------+ 1180 | OMAC-ACPKM-Master(K, N, T*, M) | 1181 |-------------------------------------------------------------------| 1182 | Input: | 1183 | - Section size N, | 1184 | - master key K, | 1185 | - key frequency T*, | 1186 | - plaintext M = M_1 | ... | M_b, |M| <= 2^{n/2}*n^2*N / (k + n). | 1187 | Output: | 1188 | - message authentication code T. | 1189 |-------------------------------------------------------------------| 1190 | 1. C_0 = 0^n | 1191 | 2. l = ceil(b*n / N) | 1192 | 3. K^1 | K^1_1 | ... | K^l | K^l_1 = ACPKM-Master(T*, K, (k+n)*l | 1193 | 4. For j = 1, 2, ... , b-1 do | 1194 | i = ceil(j*n / N), | 1195 | C_j = E_{K^i}(M_j (xor) C_{j-1}) | 1196 | 5. SK = Generate_Subkey(K^l_1, |M_b|) | 1197 | 6. If |M_b| = n then M*_b = M_b | 1198 | else M*_b = M_b | 1 | 0^{n - 1 -|M_b|} | 1199 | 7. T = E_{K^l}(M*_b (xor) C_{b-1} (xor) SK) | 1200 | 8. Return T | 1201 +-------------------------------------------------------------------+ 1203 The message size m MUST NOT exceed 2^{n/2}*n^2*N / (k + n) bits. 1205 6. Joint Usage of External and Internal Re-keying 1207 Any mechanism described in Section 4 can be used with any mechanism 1208 described in Section 5. 1210 7. Scope of Usage of Rekeying-Based Schemas 1212 7.1. Key Transformation Rules 1214 External re-keying mechanisms increase the number of messages that 1215 can be processed with one negotiated key. 1217 The key K^i (see Figure 1 and Figure 2) can be transformed in 1218 accordance with one of the following two approaches: 1220 o Explicit approach: 1221 |M^{i,1}| + ... + |M^{i,q_i}| <= L, |M^{i,1}| + ... + |M^{i,q_i + 1222 1}| > L, i = 1, ... , t. 1223 This approach allows to use the key K^i in almost optimal way but 1224 it cannot be applied in case when messages may be lost or 1225 reordered (e.g. DTLS packets). 1227 o Implicit approach: 1228 q_i = L / m_max, i = 1, ... , t. 1229 The amount of data processed with one key K^i is calculated under 1230 the assumption that every message has the maximum length m_max. 1231 Hence this amount can be considerably less than the key lifetime 1232 limitation L. On the other hand this approach can be applied in 1233 case when messages may be lost or reordered (e.g. DTLS packets). 1235 Internal re-keying mechanisms increase the length of messages that 1236 can be processed with one negotiated key. 1238 The key K (see Figure 3 and Figure 4) can be updated in accordance 1239 with one of the following two approaches: 1241 o Explicit approach: 1242 |M^{1}_1| + ... + |M^{q}_1| <= L, |M^{1}_1| + ... + |M^{q+1}_1| > 1243 L (where M^{i}_1 is the first section of message M^{i}, i = 1, ... 1244 , q). 1245 This approach allows to use the key K^i in almost optimal way but 1246 it cannot be applied in case messages data may be lost or 1247 reordered (e.g. DTLS packets). 1249 o Implicit approach: 1250 q = L / N. 1251 The amount of data processed with one key K^i is calculated under 1252 the assumption that the length of every message is equal or more 1253 then section size N and so it can be considerably less than the 1254 key lifetime limitation L. On the other hand this approach can be 1255 applied in case when messages may be lost or reordered (e.g. DTLS 1256 packets). 1258 7.2. Principles of Choice of Constructions and Security Parameters 1260 External re-keying mechanism is recommended to be used in protocols 1261 that process pretty small messages (e.g. TLS records are 2^14 bytes 1262 or less). 1264 Consider an example. Let the message size in some protocol P be 1265 equal to 1 KB (m_max = 1 KB). Suppose a cipher E is used for 1266 encrypting and L1 = 128 MB is the key lifetime limitation induced by 1267 side channels analysis methods. Let the key lifetime limitation L2 1268 induced by the analysis of encryption mode used in this protocol be 1269 equal to 1 TB. The most restrictive resulting key lifetime 1270 limitation is equal to 128 MB. 1272 Thus, if external re-keying mechanism is not used, the key K must be 1273 renegotiated after processing 128 MB / 1 KB = 131072 messages. 1275 If an external re-keying mechanism with parameter L = 64 MB (see 1276 Section 7.1 ) that limits the amount of data processed with one key 1277 K^i is used, the key lifetime limitation L1 induced by the side 1278 channels analysis methods goes off. Thus the resulting key lifetime 1279 limitation of the negotiated key K can be calculated on the basis of 1280 the used encryption mode analysis. It is proven that the security of 1281 the encryption mode that uses external re-keying leads to an increase 1282 when compared to base encryption mode without re-keying (see 1283 [AbBell]). Hence the resulting key lifetime limitation in case of 1284 using external re-keying is equal to 1 TB. 1286 Thus if an external re-keying mechanism is used, then 1 TB / 1 KB = 1287 2^30 messages can be processed before the key K is renegotiated, 1288 which is 8192 times greater than the number of messages that can be 1289 processed, when external re-keying mechanism is not used. 1291 An internal re-keying mechanism is recommended to be used in 1292 protocols that can process large single messages (e.g. CMS 1293 messages). 1295 Since the performance of encryption can slightly decrease for rather 1296 small values of N, the parameter N should be selected for a 1297 particular protocol as maximum possible to provide necessary key 1298 lifetime for the adversary models that are considered. 1300 Consider an example. Let the message size in some protocol P' is 1301 large/unlimited. Suppose a cipher E is used for encrypting and L1 = 1302 128 MB is the most restrictive key lifetime limitation induced by the 1303 side channels analysis methods. 1305 Thus, there is a need to put a limit on maximum message size m_max. 1306 For example, if m_max = 32 MB, it may happen that the renegotiation 1307 of key K would be required after processing only four messages. 1309 If an internal re-keying mechanism with section size N = 1 MB (see 1310 Figure 3 and Figure 4) is used, maximum message size limit m_max can 1311 be increased to hundreds of terabytes and L / N = 128 MB / 1 MB = 128 1312 messages can be processed before the renegotiation of key K (instead 1313 of 4 messages in case when an internal re-keying mechanism is not 1314 used). 1316 For the protocols that process messages of different lengths it is 1317 recommended to use joint methods (see Section 6). 1319 8. Security Considerations 1321 Re-keying should be used to increase "a priori" security properties 1322 of ciphers in hostile environments (e.g. with side-channel 1323 adversaries). If some non-negligible attacks are known for a cipher, 1324 it must not be used. So re-keying cannot be used as a patch for 1325 vulnerable ciphers. Base cipher properties must be well analyzed, 1326 because security of re-keying mechanisms is based on security of a 1327 block cipher as a pseudorandom function. 1329 The key lifetime limitation can be subject to the following 1330 considerations: 1332 1. Methods of analysis based on the used encryption mode properties. 1334 * These methods do not depend on the used block cipher 1335 permutation E_{K}. 1337 * For standard encryption modes this restriction has the order 1338 2^{n/2}. 1340 2. Methods based on the side channels analysis. 1342 * These methods do not depend on the used encryption modes. 1344 * These methods are weakly dependent on the used block cipher 1345 features (only the way of elementary internal transformation 1346 that uses key material matter, in most cases this is (xor)). 1348 * Restrictions resulting from these methods are usually the 1349 strongest ones. 1351 3. Methods based on the properties of the used block cipher 1352 permutation E_{K} (for example, linear or differential 1353 cryptanalysis). 1355 * In most cases these methods do not depend on the used 1356 encryption modes. 1358 * In case of secure block ciphers restrictions resulting from 1359 such methods are roughly the same as the natural limitation 1360 2^n. 1362 9. References 1363 9.1. Normative References 1365 [GCM] McGrew, D. and J. Viega, "The Galois/Counter Mode of 1366 Operation (GCM)", Submission to NIST 1367 http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ 1368 gcm/gcm-spec.pdf, January 2004. 1370 [GOST3411-2012] 1371 Federal Agency on Technical Regulating and Metrology (In 1372 Russian), "Information technology. Cryptographic Data 1373 Security. Hashing function", GOST R 34.11-2012, 2012. 1375 [MODES] Dworkin, M., "Recommendation for Block Cipher Modes of 1376 Operation: Methods and Techniques", NIST Special 1377 Publication 800-38A, December 2001. 1379 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1380 Requirement Levels", BCP 14, RFC 2119, 1381 DOI 10.17487/RFC2119, March 1997, 1382 . 1384 [RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The 1385 AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June 1386 2006, . 1388 [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand 1389 Key Derivation Function (HKDF)", RFC 5869, 1390 DOI 10.17487/RFC5869, May 2010, 1391 . 1393 [SHA-512] National Institute of Standards and Technology., "Secure 1394 Hash Standard", FIPS 180-2, August, with Change Notice 1 1395 dated February 2004 2002. 1397 [TLSDraft] 1398 Rescorla, E., "The Transport Layer Security (TLS) Protocol 1399 Version 1.3", 2017, . 1402 9.2. Informative References 1404 [AbBell] Michel Abdalla and Mihir Bellare, "Increasing the Lifetime 1405 of a Key: A Comparative Analysis of the Security of Re- 1406 keying Techniques", ASIACRYPT2000, LNCS 1976, pp. 546-559, 1407 2000. 1409 [BDJR] Bellare M., Desai A., Jokipii E., Rogaway P., "A concrete 1410 security treatment of symmetric encryption", In 1411 Proceedings of 38th Annual Symposium on Foundations of 1412 Computer Science (FOCS '97), pages 394-403. 97, 1997. 1414 [BL] Bhargavan K., Leurent G., "On the Practical (In-)Security 1415 of 64-bit Block Ciphers: Collision Attacks on HTTP over 1416 TLS and OpenVPN", Cryptology ePrint Archive Report 798, 1417 2016. 1419 [Matsui] Matsui M., "Linear Cryptanalysis Method for DES Cipher", 1420 Advanced in Cryptology- EUROCRYPT'93. Lect. Notes in Comp. 1421 Sci., Springer. V.765.P. 386-397, 1994. 1423 [RFC6986] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012: 1424 Hash Function", RFC 6986, DOI 10.17487/RFC6986, August 1425 2013, . 1427 Appendix A. Test examples 1429 CTR-ACPKM mode with AES-256 1430 ********* 1431 c = 64 1432 k = 256 1433 N = 256 1434 n = 128 1436 W_0: 1437 F3 74 E9 23 FE AA D6 DD 98 B4 B6 3D 57 8B 35 AC 1439 W_1: 1440 A9 0F D7 31 E4 1D 64 5E C0 8C 87 87 28 CC 76 90 1442 Key K: 1443 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 1444 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 1446 Plain text P: 1447 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 1448 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1449 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1450 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 1451 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 1452 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 1453 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 1455 ICN: 1457 12 34 56 78 90 AB CE F0 1459 ACPKM's iteration 1 1461 Process block 1 1463 Input block (ctr) 1464 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 00 1466 Output block (ctr) 1467 FD 7E F8 9A D9 7E A4 B8 8D B8 B5 1C 1C 9D 6D D0 1469 Plain text 1470 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 1472 Cipher text 1473 EC 5C CB DE 8C 18 D3 B8 72 56 68 D0 A7 37 F4 58 1475 Process block 2 1477 Input block (ctr) 1478 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 01 1480 Output block (ctr) 1481 19 98 C5 71 76 37 FB 17 11 E4 48 F0 0C 0D 60 B2 1483 Plain text 1484 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1486 Cipher text 1487 19 89 E7 42 32 62 9D 60 99 7D E2 4B C0 E3 9F B8 1489 Updated key 1490 C6 C1 AF 82 3F 52 22 F8 97 CF F1 94 5D F7 21 9E 1491 21 6F 29 0C EF C4 C7 E6 DC C8 B7 DD 83 E0 AE 60 1493 ACPKM's iteration 2 1495 Process block 3 1496 Input block (ctr) 1497 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 02 1499 Output block (ctr) 1500 92 B4 85 B5 B7 AD 3C 19 7E 53 92 32 13 9C 8E 7A 1502 Plain text 1503 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1504 Cipher text 1505 83 96 B6 F1 E2 CB 4B 91 E7 F9 29 FE FD 63 84 7A 1507 Process block 4 1508 Input block (ctr) 1509 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 03 1511 Output block (ctr) 1512 59 3A AA 96 7C E3 58 FB 1B 7E 41 A1 77 34 B1 4A 1514 Plain text 1515 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 1517 Cipher text 1518 7B 09 EE C3 1A 94 D0 62 B1 C5 8D 4F 88 3E B1 5B 1520 Updated key 1521 65 3E FA 18 0B 0E 68 01 6F 56 54 A5 F3 EE BC D5 1522 04 F1 1F E3 F1 7A 92 07 57 A8 82 BE A5 9E CA 16 1524 ACPKM's iteration 3 1525 Process block 5 1526 Input block (ctr) 1527 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 04 1529 Output block (ctr) 1530 CE E5 51 54 12 2F 3F E7 8D 8E 86 21 C5 E5 47 12 1532 Plain text 1533 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 1535 Cipher text 1536 FD A1 04 32 65 A7 A6 4D 36 42 68 DE CF E5 56 30 1538 Process block 6 1539 Input block (ctr) 1540 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 05 1542 Output block (ctr) 1543 DE D6 8F 03 FA C5 C5 B6 16 11 A3 78 2C 0D C1 EB 1545 Plain text 1546 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 1548 Cipher text 1549 9A 83 E9 74 72 5C 6F 0D DA FF 5C 72 2C 1C E3 D8 1551 Updated key 1552 C0 D5 50 26 4F DA CE 59 EF 80 9A 50 24 72 06 7D 1553 29 83 74 25 78 C9 60 4F E3 B8 88 4F F8 F5 E2 BD 1555 ACPKM's iteration 4 1556 Process block 7 1557 Input block (ctr) 1558 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 06 1560 Output block (ctr) 1561 D9 23 A6 CD 8A 00 A1 55 90 09 EC 87 40 B9 D6 AB 1563 Plain text 1564 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 1566 Cipher text 1567 8C 45 D1 45 13 AA 1A 99 7E F6 E6 87 51 9B E5 EF 1569 Updated key 1570 6A A0 92 07 73 31 63 50 46 FA 48 1C 9C 98 7B 6B 1571 FC 99 48 DC BC AE AB C2 6D 46 E9 DD 43 F6 CA 56 1573 Encrypted src 1574 EC 5C CB DE 8C 18 D3 B8 72 56 68 D0 A7 37 F4 58 1575 19 89 E7 42 32 62 9D 60 99 7D E2 4B C0 E3 9F B8 1576 83 96 B6 F1 E2 CB 4B 91 E7 F9 29 FE FD 63 84 7A 1577 7B 09 EE C3 1A 94 D0 62 B1 C5 8D 4F 88 3E B1 5B 1578 FD A1 04 32 65 A7 A6 4D 36 42 68 DE CF E5 56 30 1579 9A 83 E9 74 72 5C 6F 0D DA FF 5C 72 2C 1C E3 D8 1580 8C 45 D1 45 13 AA 1A 99 7E F6 E6 87 51 9B E5 EF 1582 Appendix B. Contributors 1584 o Daniel Fox Franke 1585 Akamai Technologies 1586 dfoxfranke@gmail.com 1588 o Lilia Ahmetzyanova 1589 CryptoPro 1590 lah@cryptopro.ru 1592 o Ruth Ng 1593 University of California, San Diego 1594 ring@eng.ucsd.edu 1596 o Shay Gueron 1597 University of Haifa, Israel 1598 Intel Corporation, Israel Development Center, Israel 1599 shay.gueron@gmail.com 1601 Authors' Addresses 1603 Stanislav Smyshlyaev (editor) 1604 CryptoPro 1605 18, Suschevsky val 1606 Moscow 127018 1607 Russian Federation 1609 Phone: +7 (495) 995-48-20 1610 Email: svs@cryptopro.ru 1612 Russ Housley 1613 Vigil Security, LLC 1614 918 Spring Knoll Drive 1615 Herndon VA 20170 1616 USA 1618 Email: housley@vigilsec.com 1620 Mihir Bellare 1621 University of California, San Diego 1622 9500 Gilman Drive 1623 La Jolla California 92093-0404 1624 USA 1626 Phone: (858) 534-4544 1627 Email: mihir@eng.ucsd.edu 1629 Evgeny Alekseev 1630 CryptoPro 1631 18, Suschevsky val 1632 Moscow 127018 1633 Russian Federation 1635 Phone: +7 (495) 995-48-20 1636 Email: alekseev@cryptopro.ru 1637 Ekaterina Smyshlyaeva 1638 CryptoPro 1639 18, Suschevsky val 1640 Moscow 127018 1641 Russian Federation 1643 Phone: +7 (495) 995-48-20 1644 Email: ess@cryptopro.ru