idnits 2.17.1 draft-irtf-cfrg-re-keying-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** There are 18 instances of too long lines in the document, the longest one being 10 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 20, 2017) is 2474 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '1' on line 1146 == Missing Reference: '2t' is mentioned on line 1119, but not defined Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 CFRG S. Smyshlyaev, Ed. 3 Internet-Draft CryptoPro 4 Intended status: Informational June 20, 2017 5 Expires: December 22, 2017 7 Re-keying Mechanisms for Symmetric Keys 8 draft-irtf-cfrg-re-keying-03 10 Abstract 12 If encryption is performed under a single key, there is a certain 13 maximum threshold amount of data that can be safely encrypted. This 14 amount is called key lifetime. This specification contains a 15 description of a variety of methods to increase the lifetime of 16 symmetric keys. It provides external and internal re-keying 17 mechanisms based on hash functions and on block ciphers that can be 18 used with such modes of operations as CTR, GCM, CCM, CBC, CFB, OFB 19 and OMAC. 21 Status of This Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at http://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on December 22, 2017. 38 Copyright Notice 40 Copyright (c) 2017 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (http://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 56 2. Conventions Used in This Document . . . . . . . . . . . . . . 5 57 3. Basic Terms and Definitions . . . . . . . . . . . . . . . . . 5 58 4. Principles of Choice of Constructions and Security Parameters 6 59 5. External Re-keying Mechanisms . . . . . . . . . . . . . . . . 8 60 5.1. Methods of Key Lifetime Control . . . . . . . . . . . . . 10 61 5.2. Parallel Constructions . . . . . . . . . . . . . . . . . 11 62 5.2.1. Parallel Construction Based on a KDF on a Block 63 Cipher . . . . . . . . . . . . . . . . . . . . . . . 12 64 5.2.2. Parallel Construction Based on HKDF . . . . . . . . . 12 65 5.3. Serial Constructions . . . . . . . . . . . . . . . . . . 13 66 5.3.1. Serial Construction Based on a KDF on a Block Cipher 13 67 5.3.2. Serial Construction Based on HKDF . . . . . . . . . . 14 68 6. Internal Re-keying Mechanisms . . . . . . . . . . . . . . . . 14 69 6.1. Methods of Key Lifetime Control . . . . . . . . . . . . . 17 70 6.2. Constructions that Do Not Require Master Key . . . . . . 17 71 6.2.1. ACPKM Re-keying Mechanisms . . . . . . . . . . . . . 17 72 6.2.2. CTR-ACPKM Encryption Mode . . . . . . . . . . . . . . 19 73 6.2.3. GCM-ACPKM Authenticated Encryption Mode . . . . . . . 21 74 6.2.4. CCM-ACPKM Authenticated Encryption Mode . . . . . . . 23 75 6.3. Constructions that Require Master Key . . . . . . . . . . 25 76 6.3.1. ACPKM-Master Key Derivation from the Master Key . . . 25 77 6.3.2. CTR-ACPKM-Master Encryption Mode . . . . . . . . . . 26 78 6.3.3. GCM-ACPKM-Master Authenticated Encryption Mode . . . 29 79 6.3.4. CCM-ACPKM-Master Authenticated Encryption Mode . . . 32 80 6.3.5. CBC-ACPKM-Master Encryption Mode . . . . . . . . . . 32 81 6.3.6. CFB-ACPKM-Master Encryption Mode . . . . . . . . . . 34 82 6.3.7. OFB-ACPKM-Master Encryption Mode . . . . . . . . . . 36 83 6.3.8. OMAC-ACPKM-Master Mode . . . . . . . . . . . . . . . 37 84 7. Joint Usage of External and Internal Re-keying . . . . . . . 39 85 8. Security Considerations . . . . . . . . . . . . . . . . . . . 39 86 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 40 87 9.1. Normative References . . . . . . . . . . . . . . . . . . 40 88 9.2. Informative References . . . . . . . . . . . . . . . . . 40 89 Appendix A. Test examples . . . . . . . . . . . . . . . . . . . 41 90 Appendix B. Contributors . . . . . . . . . . . . . . . . . . . . 45 91 Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 46 92 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 46 94 1. Introduction 96 If encryption is performed under a single key, there is a certain 97 maximum threshold amount of data that can be safely encrypted. This 98 amount is called key lifetime and can be calculated from the 99 following considerations: 101 1. Methods based on the combinatorial properties of used encryption 102 mode 104 [Sweet32] is an example of attack that is based on such 105 methods. These methods do not depend on the used block cipher 106 permutation E_{K}. Common encryption modes restrictions 107 resulting from such methods are of order 2^{n/2}. 109 2. Methods based on side-channel analysis issues 111 In most cases these methods do not depend on the used 112 encryption modes and weakly depend on the used block cipher 113 features. Restrictions resulting from these methods are 114 usually the strongest ones. 116 3. Methods based on the properties of the used block cipher 117 permutation E_{K} 119 The most common methods of this type are linear and 120 differential cryptanalysis [LDC]. In most cases these methods 121 do not depend on the used encryption modes. In case of secure 122 block ciphers, restrictions resulting from such methods are 123 roughly the same as the natural limitation 2^n and so can be 124 excluded from consideration as they become trivial. 126 Therefore, as soon as the total size of a plaintext processed with a 127 single key reaches the key lifetime limitation, that key must be 128 replaced. A specific value of the key lifetime is determined in 129 accordance with safety margin for protocol security and methods 130 outlined above. 132 Suppose L is a key lifetime limitation in some protocol P. For 133 simplicity, assume that all messages have the same length m. Hence 134 the number of messages q that can be processed with a single key K 135 should be such that m*q <= L. This can be depicted graphically as a 136 rectangle with sides m and q which is enclosed by area L (see 137 Figure 1). 139 +------------------------+ 140 | L | 141 | +--------m---------+ | 142 | |==================| | 143 | |==================| | 144 | q==================| | m*q <= L 145 | |==================| | 146 | |==================| | 147 | +------------------+ | 148 +------------------------+ 150 Figure 1: Graphic display of the key lifetime limitation 152 Thus, with increasing one of the parameters m or q, the second 153 parameter should be reduced in proportion to the first. 155 In practice, such amount of data that corresponds to limitation L may 156 not be enough. The most simple and obvious way in this situation is 157 a regular renegotiation of a session key. However, this reduces the 158 total performance since it usually entails termination of application 159 data transmission, additional service messages, the use of random 160 number generator and many other additional calculations, including 161 resource-intensive asymmetric cryptography. 163 This specification presents two approaches that extend the key 164 lifetime for a single symmetric key while avoiding renegotiation: 165 external and internal re-keying. External re-keying is performed by 166 a protocol, and it is independent of block cipher, key size, and 167 mode. External re-keying can use parallel or serial construction. 168 In the first case subkeys K^1, K^2,... are generated directly from 169 the key K independently of each other, while in the second case every 170 next subkey depends on the state that is updated after each new 171 subkey generation. Internal re-keying is built into the mode, and it 172 depends heavily on the properties of the block cipher and key size. 174 The re-keying approaches extend the key lifetime for a single agreed 175 key by providing the possibility to strictly limit the key leakage 176 (to meet side channel limitations) and by improving combinatorial 177 properties of a used block cipher encryption mode. 179 As for practical issues, re-keying can be particularly useful in such 180 fields as protocols functioning in hostile environments (additional 181 side channel resistance against DPA or EMI style attacks) or 182 lightweight cryptography (usage of ciphers with small block size 183 leads to very strong combinatorial limitations). Moreover, many 184 mechanisms that use external and internal re-keying provide 185 particular types of PFS security. Also re-keying can provide 186 additional security against possible future attacks on the used 187 ciphers (by limiting the number of plaintext-ciphertext pairs 188 collected by an adversary), however, it must not be used as a method 189 to prolong life of ciphers that are already known to be vulnerable. 191 2. Conventions Used in This Document 193 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 194 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 195 document are to be interpreted as described in [RFC2119]. 197 3. Basic Terms and Definitions 199 This document uses the following terms and definitions for the sets 200 and operations on the elements of these sets: 202 (xor) exclusive-or of two binary vectors of the same length. 204 V* the set of all strings of a finite length (hereinafter 205 referred to as strings), including the empty string; 207 V_s the set of all binary strings of length s, where s is a non- 208 negative integer; substrings and string components are 209 enumerated from right to left starting from one; 211 |X| the bit length of the bit string X; 213 A|B concatenation of strings A and B both belonging to V*, i.e., 214 a string in V_{|A|+|B|}, where the left substring in V_|A| is 215 equal to A, and the right substring in V_|B| is equal to B; 217 Z_{2^n} ring of residues modulo 2^n; 219 Int_s: V_s -> Z_{2^s} the transformation that maps a string a = 220 (a_s, ... , a_1), a in V_s, into the integer Int_s(a) = 221 2^{s-1}*a_s + ... + 2*a_2 + a_1; 223 Vec_s: Z_{2^s} -> V_s the transformation inverse to the mapping 224 Int_s; 226 MSB_i: V_s -> V_i the transformation that maps the string a = (a_s, 227 ... , a_1) in V_s, into the string MSB_i(a) = (a_s, ... , 228 a_{s-i+1}) in V_i; 230 LSB_i: V_s -> V_i the transformation that maps the string a = (a_s, 231 ... , a_1) in V_s, into the string LSB_i(a) = (a_i, ... , 232 a_1) in V_i; 234 Inc_c: V_s -> V_s the transformation that maps the string a = (a_s, 235 ... , a_1) in V_s, into the string Inc_c(a) = MSB_{|a|- 236 c}(a) | Vec_c(Int_c(LSB_c(a)) + 1(mod 2^c)) in V_s; 238 a^s denotes the string in V_s that consists of s 'a' bits; 240 E_{K}: V_n -> V_n the block cipher permutation under the key K in 241 V_k; 243 ceil(x) the least integer that is not less than x; 245 k the key K size (in bits), k is multiple of 8; 247 n the block size of the block cipher (in bits), n is multiple 248 of 8; 250 b the total number of data blocks in the plaintext (b = ceil(m/ 251 n)); 253 N the section size (the number of bits in a data section); 255 l the number of data sections in the plaintext; 257 phi_i: V_s -> {0,1} the transformation that maps a string a = (a_s, 258 ... , a_1) into the value phi_i(a) = a_i for all i in {1, ... 259 , s}. 261 A plaintext message P and a ciphertext C are divided into b = 262 ceil(|P|/n) blocks denoted as P = P_1 | P_2 | ... | P_b and C = C_1 | 263 C_2 | ... | C_b, where P_i and C_i are in V_n, for i = 1, 2, ... , 264 b-1, and P_b, C_b are in V_r, where r <= n if not otherwise stated. 266 4. Principles of Choice of Constructions and Security Parameters 268 External re-keying provides an approach, decording to which a key is 269 transformed after encrypting a limited number of messages. A 270 specific external re-keying method is chosen at the protocol level 271 regardless of a used block cipher or encryption mode. External re- 272 keying approach is recommended for usage in protocols that process 273 quite small messages or in protocols that have a way to break a large 274 message into manageable parts. As a result of external re-keying, 275 the number of messages that can be processed with a single symmetric 276 key is substantially increased without loss in message length. 278 The use of external re-keying has the following advantages: 280 1. the lifetime of a negotiated key drastically increases by 281 increasing the number of messages processed with one key; 283 2. it almost does not affect performance in case when a number of 284 messages processed with one key is sufficiently large; 286 3. provides forward and backward security of session keys for all 287 messages. 289 However, the use of external re-keying has the following 290 disadvantages: 292 1. in case of restrictive key lifetime limitations the message sizes 293 can become inconvenient due to impossibility of processing 294 sufficiently large messages, so it could be necessary to perform 295 additional fragmentation at the protocol level; 297 2. it is not transparent: procedures (like IVs generation) must be 298 handled separately. 300 Internal re-keying provides an approach according to which a key is 301 transformed during each separate message processing. Such approaches 302 are integrated into the base modes of operations so every internal 303 re-keying mechanism is defined for a particular mode and block cipher 304 (e.g. depending of block and key sizes). Internal re-keying approach 305 is recommended to be used in protocols that process large messages. 306 As a result of internal re-keying, the size of each single message 307 can be substantially increased without loss in number of messages 308 that can be processed with a single symmetric key. 310 The use of internal re-keying has the following advantages: 312 1. the lifetime of a negotiated key drastically increases by 313 increasing the size of messages processed with one key; 315 2. minimal impact on performance; 317 3. internal re-keying mechanisms without master key does not affect 318 short messages transformation at all; 320 4. transparent (works like any encryption mode): does not require 321 changes of IV's and restarting MACing. 323 However, the use of internal re-keying has the following 324 disadvantages: 326 1. a specific method must not be chosen independently of a mode of 327 operation; 329 2. internal re-keying mechanisms with master key provide backward 330 security of session keys only for one separate message; 332 3. internal re-keying mechanisms without master key do not provide 333 backward security of session keys. 335 Any block cipher modes of operations with internal re-keying can be 336 jointly used with any external re-keying mechanisms. Such joint 337 usage increases both the number of messages processed with one key 338 and their maximum possible size. 340 The use of the same cryptographic primitives both for data processing 341 and re-keying transformation decreases the code size but can lead to 342 some possible vulnerabilities because the adversary always has access 343 to the data processing interface. This vulnerability can be 344 eliminated by using different primitives for data processing and re- 345 keying, however, in this case the security of the whole scheme cannot 346 be reduced to standard notions like PRF or PRP so security 347 estimations become more difficult and unclear. 349 5. External Re-keying Mechanisms 351 This section presents an approach to increase the key lifetime by 352 using a transformation of a previously negotiated key after 353 processing a limited number of integral messages. It provides an 354 external parallel and serial re-keying mechanisms (see [AbBell]). 355 These mechanisms use an initial (negotiated) key as a master key, 356 which is never used directly for the data processing but is used for 357 key generation. Such mechanisms operate outside of the base modes of 358 operations and do not change them at all, therefore they are called 359 "external re-keying" mechanisms in this document. 361 External re-keying mechanisms are recommended for usage in protocols 362 that process quite small messages since the maximum gain in 363 increasing the key lifetime is achieved by increasing the number of 364 messages. 366 External re-keying increases the key lifetime through the following 367 approach. Suppose there is a protocol P with some mode of operation 368 (base encryption or authentication mode). Let L1 be a key lifetime 369 limitation induced by side-channel analysis methods (side-channel 370 limitation), let L2 be a key lifetime limitation induced by methods 371 based on the combinatorial properties of used mode of operation 372 (combinatorial limitation) and let q1, q2 be the total numbers of 373 messages of length m, that can be safely processed with a single key 374 K according to these limitations. 376 Let L = min(L1, L2), q = min (q1, q2), q*m <= L. As L1 limitation is 377 usually much stronger then L2 limitation (L1 < L2), the final key 378 lifetime restriction is equal to the most restrictive limitation L1. 380 Thus, as displayed in Figure 2, without re-keying only q1 (q1*m <= 381 L1) messages can be safely processed. 383 <--------m-------> 384 +----------------+ ^ ^ 385 |================| | | 386 |================| | | 387 K-->|================| q1| 388 |================| | | 389 |==============L1| | | 390 +----------------+ v | 391 | | | 392 | | | 393 | | q2 394 | | | 395 | | | 396 | | | 397 | | | 398 | | | 399 | | | 400 | | | 401 | | | 402 | L2| | 403 +----------------+ v 405 Figure 2: Basic principles of message processing without external re-keying 407 Suppose that the safety margin for the protocol P is fixed and the 408 external re-keying approach is applied. As the key is transformed 409 with an external re-keying mechanism, the leakage of a previous key 410 does not have any impact on the following one, so the side channel 411 limitation L1 goes off. Thus, the resulting key lifetime limitation 412 of the negotiated key K can be calculated on the basis of a new 413 combinatorial limitation L2'. It is proven (see [AbBell]) that the 414 security of the mode of operation that uses external re-keying leads 415 to an increase when compared to base mode without re-keying (thus, L2 416 < L2'). Hence, as displayed in Figure 3, the resulting key lifetime 417 limitation in case of using external re-keying can be increased up to 418 L2'. 420 <-------m-------> 421 +----------------+ 422 |================| 423 |================| 424 K---> |================| 425 | |================| 426 | |==============L1| 427 | +----------------+ 428 | |================| 429 v |================| 430 K^2--> |================| 431 | |================| 432 | |==============L1| 433 | +----------------+ 434 | |================| 435 v |================| 436 ... | . . . | 437 | | 438 | | 439 | L2| 440 +----------------+ 441 | L2'| 442 +----------------+ 444 Figure 3: Basic principles of message processing with external re-keying 446 Note: the key transformation process is depicted in a simplified 447 form. A specific approach (parallel and serial) is described below. 449 Consider an example. Let the message size in protocol P be equal to 450 1 KB. Suppose L1 = 128 MB and L2 = 1 TB. Thus, if an external re- 451 keying mechanism is not used, the key K must be renegotiated after 452 processing 128 MB / 1 KB = 131072 messages. 454 If an external re-keying mechanism is used, the key lifetime 455 limitation L1 goes off. Hence the resulting key lifetime limitation 456 in case of using external re-keying can be set to 1 TB (and even 457 more). Thus if an external re-keying mechanism is used, then 1 TB / 458 1 KB = 2^30 messages can be processed before the master key K is 459 renegotiated. This is 8192 times greater than the number of messages 460 that can be processed, when external re-keying mechanism is not used. 462 5.1. Methods of Key Lifetime Control 464 Suppose L is an amount of data that can be safely processed with one 465 key (without re-keying). For i in {1, 2, ..., t} the key K^i (see 466 Figure 1 and Figure 2) should be transformed after processing q_i 467 integral messages, where q_i can be calculated in accordance with one 468 of the following two approaches: 470 o Explicit approach: 471 |M^{i,1}| + ... + |M^{i,q_i}| <= L, |M^{i,1}| + ... + |M^{i,q_i + 472 1}| > L. 473 This approach allows to use the key K^i in almost optimal way but 474 it cannot be applied in case when messages may be lost or 475 reordered (e.g. DTLS packets). 477 o Implicit approach: 478 q_i = L / m_max, i = 1, ... , t. 479 The amount of data processed with one key K^i is calculated under 480 the assumption that every message has the maximum length m_max. 481 Hence this amount can be considerably less than the key lifetime 482 limitation L. On the other hand this approach can be applied in 483 case when messages may be lost or reordered (e.g. DTLS packets). 485 5.2. Parallel Constructions 487 The main idea behind external re-keying with parallel construction is 488 presented in Figure 4: 490 Maximum message size = m_max. 491 _____________________________________________________________ 493 m_max 494 <----------------> 495 M^{1,1} |=== | 496 M^{1,2} |=============== | 497 +--K^1--> . . . 498 | M^{1,q_1} |======== | 499 | 500 | 501 | M^{2,1} |================| 502 | M^{2,2} |===== | 503 K-----|--K^2--> . . . 504 | M^{2,q_2} |========== | 505 | 506 ... 507 | M^{t,1} |============ | 508 | M^{t,2} |============= | 509 +--K^t--> . . . 510 M^{t,q_t} |========== | 512 _____________________________________________________________ 514 Figure 4: External parallel re-keying mechanisms 516 The key K^i, i = 1, ... , t-1, is updated after processing a certain 517 amount of data (see Section 5.1). 519 5.2.1. Parallel Construction Based on a KDF on a Block Cipher 521 ExtParallelC re-keying mechanism is based on key derivation function 522 on a block cipher and is used to generate t keys for t sections as 523 follows: 525 K^1 | K^2 | ... | K^t = ExtParallelC(K, t*k) = 526 MSB_{t*k}(E_{K}(0) | E_{K}(1) | ... | E_{K}(R-1)), 528 where R = ceil(t*k/n). 530 5.2.2. Parallel Construction Based on HKDF 532 ExtParallelH re-keying mechanism is based on HMAC key derivation 533 function HKDF-Expand, described in [RFC5869], and is used to generate 534 t keys for t sections as follows: 536 K^1 | K^2 | ... | K^t = ExtParallelH(K, t*k) = HKDF-Expand(K, 537 label, t*k), 539 where label is a string (can be a zero-length string) that is defined 540 by a specific protocol. 542 5.3. Serial Constructions 544 The main idea behind external re-keying with serial construction is 545 presented in Figure 5: 547 Maximum message size = m_max. 548 _____________________________________________________________ 549 m_max 550 <----------------> 551 M^{1,1} |=== | 552 M^{1,2} |=============== | 553 K*_1 = K ----K^1--> . . . 554 | M^{1,q_1} |======== | 555 | 556 | 557 | M^{2,1} |================| 558 v M^{2,2} |===== | 559 K*_2 --------K^2--> . . . 560 | M^{2,q_2} |========== | 561 | 562 ... 563 | M^{t,1} |============ | 564 v M^{t,2} |============= | 565 K*_t --------K^t--> . . . 566 M^{t,q_t} |========== | 568 _____________________________________________________________ 570 Figure 5: External serial re-keying mechanisms 572 The key K^i, i = 1, ... , t-1, is updated after processing a certain 573 amount of data (see Section 5.1). 575 5.3.1. Serial Construction Based on a KDF on a Block Cipher 577 The key K^i is calculated using ExtSerialC transformation as follows: 579 K^i = ExtSerialC(K, i) = MSB_k(E_{K*_i}(0) | E_{K*_i}(1) | ... | 580 E_{K*_i}(J-1)), 582 where J = ceil(k/n), i = 1, ... , t, K*_i is calculated as follows: 584 K*_1 = K, 586 K*_{j+1} = MSB_k(E_{K*_j}(J) | E_{K*_j}(J+1) | ... | E_{K*_j}(2J- 587 1)), 589 where j = 1, ... , t-1. 591 5.3.2. Serial Construction Based on HKDF 593 The key K^i is calculated using ExtSerialH transformation as follows: 595 K^i = ExtSerialH(K, i) = HKDF-Expand(K*_i, label1, k), 597 where i = 1, ... , t, HKDF-Expand is an HMAC-based key derivation 598 function, described in [RFC5869], K*_i is calculated as follows: 600 K*_1 = K, 602 K*_{j+1} = HKDF-Expand(K*_j, label2, k), where j = 1, ... , t-1, 604 where label1 and label2 are different strings (can be a zero-length 605 strings) that are defined by a specific protocol (see, for example, 606 TLS 1.3 updating traffic keys algorithm [TLSDraft]). 608 6. Internal Re-keying Mechanisms 610 This section presents an approach to increase the key lifetime by 611 using a transformation of a previously negotiated key during each 612 separate message processing. 614 It provides internal re-keying mechanisms called ACPKM (Advanced 615 cryptographic prolongation of key material) and ACPKM-Master that do 616 not use and use a master key respectively. Such mechanisms are 617 integrated into the base modes of operations and actually form new 618 modes of operation, therefore they are called "internal re-keying" 619 mechanisms in this document. 621 Internal re-keying mechanism is recommended to be used in protocols 622 that process large single messages (e.g. CMS messages) since the 623 maximum gain in increasing the key lifetime is achieved by increasing 624 the length of a message, while it almost does not affect performance 625 for increasing the number of messages. 627 Internal re-keying increases the key lifetime through the following 628 approach. Suppose there is a protocol P with some base mode of 629 operation. Let L1 and L2 be a side channel and combinatorial 630 limitations respectively and for some fixed amount of messages q let 631 m1, m2 be the length of each separate message, that can be safely 632 processed with a single key K according to these limitations. 634 Thus, by analogy with the Section 5 without re-keying the final key 635 lifetime restriction, as displayed in Figure 6, is equal to L1 and 636 only q messages of the length m1 can be safely processed. 638 K 639 | 640 v 641 ^ +----------------+------------------------------------+ 642 | |==============L1| L2| 643 | |================| | 644 q |================| | 645 | |================| | 646 | |================| | 647 v +----------------+------------------------------------+ 648 <-------m1------> 649 <----------------------------m2-----------------------> 651 Figure 6: Basic principles of message processing without internal re-keying 653 Suppose that the safety margin for the protocol P is fixed and 654 internal re-keying approach is applied to the base mode of operation. 655 Suppose further that for every message the key is transformed after 656 processing N bits of data, where N is a parameter. If q*N does not 657 exceed L1 then the side channel limitation L1 goes off and the 658 resulting key lifetime limitation of the negotiated key K can be 659 calculated on the basis of a new combinatorial limitation L2'. The 660 security of the mode of operation that uses external re-keying must 661 lead to an increase when compared to base mode of operation without 662 re-keying (thus, L2 < L2'). Hence, as displayed in Figure 7, the 663 resulting key lifetime limitation in case of using external re-keying 664 can be increased up to L2'. 666 K -------------> K^2 -----------> . . . 667 | | 668 v v 669 ^ +----------------+----------------+-------------------+----+ 670 | |==============L1|==============L1|====== L2| L2'| 671 | |================|================|====== | | 672 q |================|================|====== . . . | | 673 | |================|================|====== | | 674 | |================|================|====== | | 675 v +----------------+----------------+-------------------+----+ 676 <-------N--------> 678 Figure 7: Basic principles of message processing with internal re-keying 680 Note: the key transformation process is depicted in a simplified 681 form. A specific approach (ACPKM and ACPKM-Master re-keying 682 mechanisms) is described below. 684 Since the performance of encryption can slightly decrease for rather 685 small values of N, the parameter N should be selected for a 686 particular protocol as maximum possible to provide necessary key 687 lifetime for the adversary models that are considered. 689 Consider an example. Suppose L1 = 128 MB and L2 = 10 TB. Let the 690 message size in the protocol be large/unlimited (may exhaust the 691 whole key lifetime L2'). The most restrictive resulting key lifetime 692 limitation is equal to 128 MB. 694 Thus, there is a need to put a limit on the maximum message size 695 m_max. For example, if m_max = 32 MB, it may happen that the 696 renegotiation of key K would be required after processing only four 697 messages. 699 If an internal re-keying mechanism with section size N = 1 MB (see 700 Figure 3 and Figure 4) is used, more then L1 / N = 128 MB / 1 MB = 701 128 messages can be processed before the renegotiation of key K 702 (instead of 4 messages in case when an internal re-keying mechanism 703 is not used). Note that only one section of each message is 704 processed with one key K^i, and, consequently, the key lifetime 705 limitation L1 goes off. Hence the resulting key lifetime limitation 706 in case of using external re-keying can be set to at least 10 TB (in 707 the case when the single large message is processed using the key K). 709 6.1. Methods of Key Lifetime Control 711 Suppose L is an amount of data that can be safely processed with one 712 key (without re-keying), N is a section size (fixed parameter). 713 Suppose M^{i}_1 is the first section of message M^{i}, i = 1, ... , q 714 (see Figure 3 and Figure 4), then the parameter q can be calculated 715 in accordance with one of the following two approaches: 717 o Explicit approach: 718 |M^{1}_1| + ... + |M^{q}_1| <= L, |M^{1}_1| + ... + |M^{q+1}_1| > 719 L 720 This approach allows to use the key K^i in an almost optimal way 721 but it cannot be applied in case when messages may be lost or 722 reordered (e.g. DTLS packets). 724 o Implicit approach: 725 q = L / N. 726 The amount of data processed with one key K^i is calculated under 727 the assumption that the length of every message is equal or more 728 then section size N and so it can be considerably less than the 729 key lifetime limitation L. On the other hand this approach can be 730 applied in case when messages may be lost or reordered (e.g. DTLS 731 packets). 733 6.2. Constructions that Do Not Require Master Key 735 This section describes the block cipher modes that use the ACPKM re- 736 keying mechanism, which does not use master key: an initial key is 737 used directly for the encryption of the data. 739 6.2.1. ACPKM Re-keying Mechanisms 741 This section defines periodical key transformation with no master key 742 which is called ACPKM re-keying mechanism. This mechanism can be 743 applied to one of the basic encryption modes (CTR and GCM block 744 cipher modes) for getting an extension of this encryption mode that 745 uses periodical key transformation with no master key. This 746 extension can be considered as a new encryption mode. 748 An additional parameter that defines the functioning of base 749 encryption modes with the ACPKM re-keying mechanism is the section 750 size N. The value of N is measured in bits and is fixed within a 751 specific protocol based on the requirements of the system capacity 752 and key lifetime (some recommendations on choice of N will be 753 provided in Section 8). The section size N MUST be divisible by the 754 block size n. 756 The main idea behind internal re-keying with no master key is 757 presented in Figure 8: 759 Section size = const = N, 760 maximum message size = m_max. 761 ____________________________________________________________________ 763 ACPKM ACPKM ACPKM 764 K^1 = K ---> K^2 ---...-> K^{l_max-1} ----> K^{l_max} 765 | | | | 766 | | | | 767 v v v v 768 M^{1} |==========|==========| ... |==========|=======: | 769 M^{2} |==========|==========| ... |=== | : | 770 . . . . . . : 771 : : : : : : : 772 M^{q} |==========|==========| ... |==========|===== : | 773 section : 774 <----------> m_max 775 N bit 776 ___________________________________________________________________ 777 l_max = ceil(m_max/N). 779 Figure 8: Internal re-keying with no master key 781 During the processing of the input message M with the length m in 782 some encryption mode that uses ACPKM key transformation of the key K 783 the message is divided into l = ceil(m/N) sections (denoted as M = 784 M_1 | M_2 | ... | M_l, where M_i is in V_N for i = 1, 2, ... , l-1 785 and M_l is in V_r, r <= N). The first section of each message is 786 processed with the initial key K^1 = K. To process the (i+1)-th 787 section of each message the K^{i+1} key value is calculated using 788 ACPKM transformation as follows: 790 K^{i+1} = ACPKM(K^i) = MSB_k(E_{K^i}(D_1) | ... | E_{K^i}(D_J)), 792 where J = ceil(k/n), parameter c is fixed by a specific encryption 793 mode which uses ACPKM key transformation and D_1, D_2, ... , D_J are 794 in V_n and are calculated as follows: 796 D_1 | D_2 | ... | D_J = MSB_{J*n}(D), 798 where D is the following constant in V_{1024}: 800 D = ( 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 801 | 88 | 89 | 8a | 8b | 8c | 8d | 8e | 8f 802 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 803 | 98 | 99 | 9a | 9b | 9c | 9d | 9e | 9f 804 | a0 | a1 | a2 | a3 | a4 | a5 | a6 | a7 805 | a8 | a9 | aa | ab | ac | ad | ae | af 806 | b0 | b1 | b2 | b3 | b4 | b5 | b6 | b7 807 | b8 | b9 | ba | bb | bc | bd | be | bf 808 | c0 | c1 | c2 | c3 | c4 | c5 | c6 | c7 809 | c8 | c9 | ca | cb | cc | cd | ce | cf 810 | d0 | d1 | d2 | d3 | d4 | d5 | d6 | d7 811 | d8 | d9 | da | db | dc | dd | de | df 812 | e0 | e1 | e2 | e3 | e4 | e5 | e6 | e7 813 | e8 | e9 | ea | eb | ec | ed | ee | ef 814 | f0 | f1 | f2 | f3 | f4 | f5 | f6 | f7 815 | f8 | f9 | fa | fb | fc | fd | fe | ff ) 817 N o t e : The constant D is such that D_1, ... , D_J are pairwise 818 different for any allowed n, k values. 820 N o t e : The constant D is such that phi_c(D_t) = 1 for any allowed 821 n, k, c and t in {1, ... , J}. This condition is important, as it 822 allows to prevent collisions of blocks of transformed key and block 823 cipher permutation inputs. 825 6.2.2. CTR-ACPKM Encryption Mode 827 This section defines a CTR-ACPKM encryption mode that uses internal 828 ACPKM re-keying mechanism for the periodical key transformation. 830 The CTR-ACPKM mode can be considered as the extended by the ACPKM re- 831 keying mechanism basic encryption mode CTR (see [MODES]). 833 The CTR-ACPKM encryption mode can be used with the following 834 parameters: 836 o 64 <= n <= 512; 838 o 128 <= k <= 512; 840 o the number of bits c in a specific part of the block to be 841 incremented is such that 16 <= c <= 3/4 n, c is multiple of 8. 843 The CTR-ACPKM mode encryption and decryption procedures are defined 844 as follows: 846 +----------------------------------------------------------------+ 847 | CTR-ACPKM-Encrypt(N, K, ICN, P) | 848 |----------------------------------------------------------------| 849 | Input: | 850 | - Section size N, | 851 | - key K, | 852 | - initial counter nonce ICN in V_{n-c}, | 853 | - plaintext P = P_1 | ... | P_b, |P| < n * 2^{c-1}. | 854 | Output: | 855 | - Ciphertext C. | 856 |----------------------------------------------------------------| 857 | 1. CTR_1 = ICN | 0^c | 858 | 2. For j = 2, 3, ... , b do | 859 | CTR_{j} = Inc_c(CTR_{j-1}) | 860 | 3. K^1 = K | 861 | 4. For i = 2, 3, ... , ceil(|P|/N) | 862 | K^i = ACPKM(K^{i-1}) | 863 | 5. For j = 1, 2, ... , b do | 864 | i = ceil(j*n / N), | 865 | G_j = E_{K^i}(CTR_j) | 866 | 6. C = P (xor) MSB_{|P|}(G_1 | ... | G_b) | 867 | 7. Return C | 868 +----------------------------------------------------------------+ 870 +----------------------------------------------------------------+ 871 | CTR-ACPKM-Decrypt(N, K, ICN, C) | 872 |----------------------------------------------------------------| 873 | Input: | 874 | - Section size N, | 875 | - key K, | 876 | - initial counter nonce ICN in V_{n-c}, | 877 | - ciphertext C = C_1 | ... | C_b, |C| < n * 2^{c-1}. | 878 | Output: | 879 | - Plaintext P. | 880 |----------------------------------------------------------------| 881 | 1. P = CTR-ACPKM-Encrypt(N, K, ICN, C) | 882 | 2. Return P | 883 +----------------------------------------------------------------+ 885 The initial counter nonce ICN value for each message that is 886 encrypted under the given key must be chosen in a unique manner. 888 The message size MUST NOT exceed n * 2^{c-1} bits. 890 6.2.3. GCM-ACPKM Authenticated Encryption Mode 892 This section defines GCM-ACPKM authenticated encryption mode that 893 uses internal ACPKM re-keying mechanism for the periodical key 894 transformation. 896 The GCM-ACPKM mode can be considered as the basic authenticated 897 encryption mode GCM (see [GCM]) extended by the ACPKM re-keying 898 mechanism. 900 The GCM-ACPKM authenticated encryption mode can be used with the 901 following parameters: 903 o n in {128, 256}; 905 o 128 <= k <= 512; 907 o the number of bits c in a specific part of the block to be 908 incremented is such that 32 <= c <= 3/4 n, c is multiple of 8.; 910 o authentication tag length t. 912 The GCM-ACPKM mode encryption and decryption procedures are defined 913 as follows: 915 +-------------------------------------------------------------------+ 916 | GHASH(X, H) | 917 |-------------------------------------------------------------------| 918 | Input: | 919 | - Bit string X = X_1 | ... | X_m, X_i in V_n for i in 1, ... , m.| 920 | Output: | 921 | - Block GHASH(X, H) in V_n. | 922 |-------------------------------------------------------------------| 923 | 1. Y_0 = 0^n | 924 | 2. For i = 1, ... , m do | 925 | Y_i = (Y_{i-1} (xor) X_i) * H | 926 | 3. Return Y_m | 927 +-------------------------------------------------------------------+ 929 +-------------------------------------------------------------------+ 930 | GCTR(N, K, ICB, X) | 931 |-------------------------------------------------------------------| 932 | Input: | 933 | - Section size N, | 934 | - key K, | 935 | - initial counter block ICB, | 936 | - X = X_1 | ... | X_b, X_i in V_n for i = 1, ... , b-1 and | 937 | X_b in V_r, where r <= n. | 938 | Output: | 939 | - Y in V_{|X|}. | 940 |-------------------------------------------------------------------| 941 | 1. If X in V_0 then return Y, where Y in V_0 | 942 | 2. GCTR_1 = ICB | 943 | 3. For i = 2, ... , b do | 944 | GCTR_i = Inc_c(GCTR_{i-1}) | 945 | 4. K^1 = K | 946 | 5. For j = 2, ... , ceil(l*n / N) | 947 | K^j = ACPKM(K^{j-1}) | 948 | 6. For i = 1, ... , b do | 949 | j = ceil(i*n / N), | 950 | G_i = E_{K_j}(GCTR_i) | 951 | 7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b) | 952 | 8. Return Y. | 953 +-------------------------------------------------------------------+ 955 +-------------------------------------------------------------------+ 956 | GCM-ACPKM-Encrypt(N, K, IV, P, A) | 957 |-------------------------------------------------------------------| 958 | Input: | 959 | - Section size N, | 960 | - key K, | 961 | - initial counter nonce ICN in V_{n-c}, | 962 | - plaintext P, |P| <= n*(2^{c-1} - 2), P = P_1 | ... | P_b, | 963 | - additional authenticated data A. | 964 | Output: | 965 | - Ciphertext C, | 966 | - authentication tag T. | 967 |-------------------------------------------------------------------| 968 | 1. H = E_{K}(0^n) | 969 | 2. If c = 32, then ICB_0 = ICN | 0^31 | 1 | 970 | if c!= 32, then s = n * ceil(|ICN| / n) - |ICN|, | 971 | ICB_0 = GHASH(ICN | 0^{s+n-64} | Vec_64(|ICN|), H) | 972 | 3. C = GCTR(N, K, Inc_32(ICB_0), P) | 973 | 4. u = n*ceil(|C| / n) - |C| | 974 | v = n*ceil(|A| / n) - |A| | 975 | 5. S = GHASH(A | 0^v | C | 0^u | 0^{n-128} | Vec_64(|A|) | | 976 | | Vec_64(|C|), H) | 977 | 6. T = MSB_t(E_{K}(ICB_0) (xor) S) | 978 | 7. Return C | T | 979 +-------------------------------------------------------------------+ 981 +-------------------------------------------------------------------+ 982 | GCM-ACPKM-Decrypt(N, K, IV, A, C, T) | 983 |-------------------------------------------------------------------| 984 | Input: | 985 | - Section size N, | 986 | - key K, | 987 | - initial counter block ICB, | 988 | - additional authenticated data A. | 989 | - ciphertext C, |C| <= n*(2^{c-1} - 2), C = C_1 | ... | C_b, | 990 | - authentication tag T | 991 | Output: | 992 | - Plaintext P or FAIL. | 993 |-------------------------------------------------------------------| 994 | 1. H = E_{K}(0^n) | 995 | 2. If c = 32, then ICB_0 = ICN | 0^31 | 1 | 996 | if c!= 32, then s = n*ceil(|ICN|/n)-|ICN|, | 997 | ICB_0 = GHASH(ICN | 0^{s+n-64} | Vec_64(|ICN|), H) | 998 | 3. P = GCTR(N, K, Inc_32(ICB_0), C) | 999 | 4. u = n*ceil(|C| / n)-|C| | 1000 | v = n*ceil(|A| / n)-|A| | 1001 | 5. S = GHASH(A | 0^v | C | 0^u | 0^{n-128} | Vec_64(|A|) | | 1002 | | Vec_64(|C|), H) | 1003 | 6. T' = MSB_t(E_{K}(ICB_0) (xor) S) | 1004 | 7. If T = T' then return P; else return FAIL | 1005 +-------------------------------------------------------------------+ 1007 The * operation on (pairs of) the 2^n possible blocks corresponds to 1008 the multiplication operation for the binary Galois (finite) field of 1009 2^n elements defined by the polynomial f as follows (by analogy with 1010 [GCM]): 1012 n = 128: f = a^128 + a^7 + a^2 + a^1 + 1. 1014 n = 256: f = a^256 + a^10 + a^5 + a^2 + 1. 1016 The initial vector IV value for each message that is encrypted under 1017 the given key must be chosen in a unique manner. 1019 The plaintext size MUST NOT exceed n*(2^{c-1} - 2) bits. 1021 The key for computing values E_{K}(ICB_0) and H is not updated and is 1022 equal to the initial key K. 1024 6.2.4. CCM-ACPKM Authenticated Encryption Mode 1026 This section defines a CCM-ACPKM authenticated encryption block 1027 cipher mode that uses internal ACPKM re-keying mechanism for the 1028 periodical key transformation. 1030 The CCM-ACPKM mode can be considered as the extended by the ACPKM re- 1031 keying mechanism basic authenticated encryption mode CCM (see 1032 [RFC3610]). 1034 Since [RFC3610] defines CCM authenticated encryption mode only for 1035 128-bit block size, the CCM-ACPKM authenticated encryption mode can 1036 be used only with the parameter n = 128. However, the CCM-ACPKM 1037 design principles can easily be applied to other block sizes, but 1038 these modes will require their own specifications. 1040 The CCM-ACPKM authenticated encryption mode differs from CCM mode in 1041 keys that are used for encryption during CBC-MAC calculation (see 1042 Section 2.2 of [RFC3610]) and key stream blocks generation (see 1043 Section 2.3 of [RFC3610]). 1045 The CCM mode uses the same initial key K block cipher encryption 1046 operations, while the CCM-ACPKM mode uses the keys K^1, K^2, ..., 1047 which are generated from the key K as follows: 1049 K^1 = K, 1050 K^{i+1} = ACPKM( K^i ). 1052 The keys K^1, K^2, ..., which are used as follows. 1054 CBC-MAC calculation: under a separate message processing during the 1055 first N/n block cipher encryption operations the key K^1 is used, the 1056 key K^2 is used for the next N/n block cipher encryption operations 1057 and so on. For example, if N = 2n, then CBC-MAC calculation for a 1058 sequence of t blocks B_0, B_1, ..., B_t is as follows: 1060 X_1 = E( K^1, B_0 ), 1061 X_2 = E( K^1, X_1 XOR B_1 ), 1062 X_3 = E( K^2, X_2 XOR B_2 ), 1063 X_4 = E( K^2, X_3 XOR B_3 ), 1064 X_5 = E( K^3, X_4 XOR B_4 ), 1065 ... 1066 T = first-M-bytes( X_t+1 ) 1068 The key stream blocks generation: under a separate message processing 1069 during the first N/n block cipher encryption operations the key K^1 1070 is used, the key K^2 is used for the next N/n block cipher encryption 1071 operations and so on. For example, if N = 2n, then the key stream 1072 blocks are generated as follows: 1074 S_0 = E( K^1, A_0 ), 1075 S_1 = E( K^1, A_1 ), 1076 S_2 = E( K^2, A_2 ), 1077 S_3 = E( K^2, A_3 ), 1078 S_4 = E( K^3, A_4 ), 1079 ... 1081 6.3. Constructions that Require Master Key 1083 This section describes the block cipher modes that uses the ACPKM- 1084 Master re-keying mechanism, which use the initial key K as a master 1085 key K, so K is never used directly for the data processing but is 1086 used for key derivation. 1088 6.3.1. ACPKM-Master Key Derivation from the Master Key 1090 This section defines periodical key transformation with master key K 1091 which is called ACPKM-Master re-keying mechanism. This mechanism can 1092 be applied to one of the basic modes of operation (CTR, GCM, CBC, 1093 CFB, OFB, OMAC modes) for getting an extension of this modes of 1094 operations that uses periodical key transformation with master key. 1095 This extension can be considered as a new mode of operation . 1097 Additional parameters that defines the functioning of basic modes of 1098 operation with the ACPKM-Master re-keying mechanism are the section 1099 size N and change frequency T* of the key K. The values of N and T* 1100 are measured in bits and are fixed within a specific protocol based 1101 on the requirements of the system capacity and key lifetime (some 1102 recommendations on choosing N and T* will be provided in Section 8). 1103 The section size N MUST be divisible by the block size n. The key 1104 frequency T* MUST be divisible by n. 1106 The main idea behind internal re-keying with master key is presented 1107 in Figure 9: 1109 Change frequency T*, 1110 section size N, 1111 maximum message size = m_max. 1112 __________________________________________________________________________________ 1114 ACPKM ACPKM 1115 K*_1 = K--------------> K*_2 ---------...---------> K*_l_max 1116 ___|___ ___|___ ___|___ 1117 | | | | | | 1118 v ... v v ... v v ... v 1119 K[1] K[t] K[t+1] K[2t] K[(l_max-1)t+1] K[l_max*t] 1120 | | | | | | 1121 | | | | | | 1122 v v v v v v 1123 M^{1}||========|...|========||========|...|========||...||========|...|== : || 1124 M^{2}||========|...|========||========|...|========||...||========|...|======: || 1125 ... || | | || | | || || | | : || 1126 M^{q}||========|...|========||==== |...| ||...|| |...| : || 1127 section : 1128 <--------> : 1129 N bit m_max 1130 __________________________________________________________________________________ 1131 |K[i]| = d, 1132 t = T*/d, 1133 l_max = ceil(m_max/N). 1135 Figure 9: Internal re-keying with master key 1137 During the processing of the input message M with the length m in 1138 some mode of operation that uses ACPKM-Master key transformation with 1139 the master key K and key frequency T* the message M is divided into l 1140 = ceil(m/N) sections (denoted as M = M_1 | M_2 | ... | M_l, where M_i 1141 is in V_N for i in {1, 2, ... , l-1} and M_l is in V_r, r <= N). The 1142 j-th section of each message is processed with the key material K[j], 1143 j in {1, ... ,l}, |K[j]| = d, that has been calculated with the 1144 ACPKM-Master algorithm as follows: 1146 K[1] | ... | K[l] = ACPKM-Master(T*, K, d*l) = CTR-ACPKM-Encrypt 1147 (T*, K, 1^{n/2}, 0^{d*l}). 1149 6.3.2. CTR-ACPKM-Master Encryption Mode 1151 This section defines a CTR-ACPKM-Master encryption mode that uses 1152 internal ACPKM-Master re-keying mechanism for the periodical key 1153 transformation. 1155 The CTR-ACPKM-Master encryption mode can be considered as the 1156 extended by the ACPKM-Master re-keying mechanism basic encryption 1157 mode CTR (see [MODES]). 1159 The CTR-ACPKM-Master encryption mode can be used with the following 1160 parameters: 1162 o 64 <= n <= 512; 1164 o 128 <= k <= 512; 1166 o the number of bits c in a specific part of the block to be 1167 incremented is such that 32 <= c <= 3/4 n, c is multiple of 8. 1169 The key material K[j] that is used for one section processing is 1170 equal to K^j, |K^j| = k bits. 1172 The CTR-ACPKM-Master mode encryption and decryption procedures are 1173 defined as follows: 1175 +----------------------------------------------------------------+ 1176 | CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, P) | 1177 |----------------------------------------------------------------| 1178 | Input: | 1179 | - Section size N, | 1180 | - master key K, | 1181 | - change frequency T*, | 1182 | - initial counter nonce ICN in V_{n-c}, | 1183 | - plaintext P = P_1 | ... | P_b, |P| <= 2^{n/2-1}*n*N / k. | 1184 | Output: | 1185 | - Ciphertext C. | 1186 |----------------------------------------------------------------| 1187 | 1. CTR_1 = ICN | 0^c | 1188 | 2. For j = 2, 3, ... , b do | 1189 | CTR_{j} = Inc_c(CTR_{j-1}) | 1190 | 3. l = ceil(b*n / N) | 1191 | 4. K^1 | ... | K^l = ACPKM-Master(T*, K, k*l) | 1192 | 5. For j = 1, 2, ... , b do | 1193 | i = ceil(j*n / N), | 1194 | G_j = E_{K^i}(CTR_j) | 1195 | 6. C = P (xor) MSB_{|P|}(G_1 | ... |G_b) | 1196 | 7. Return C | 1197 |----------------------------------------------------------------+ 1199 +----------------------------------------------------------------+ 1200 | CTR-ACPKM-Master-Decrypt(N, K, T*, ICN, C) | 1201 |----------------------------------------------------------------| 1202 | Input: | 1203 | - Section size N, | 1204 | - master key K, | 1205 | - change frequency T*, | 1206 | - initial counter nonce ICN in V_{n-c}, | 1207 | - ciphertext C = C_1 | ... | C_b, |C| <= 2^{n/2-1}*n*N / k. | 1208 | Output: | 1209 | - Plaintext P. | 1210 |----------------------------------------------------------------| 1211 | 1. P = CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, C) | 1212 | 1. Return P | 1213 +----------------------------------------------------------------+ 1215 The initial counter nonce ICN value for each message that is 1216 encrypted under the given key must be chosen in a unique manner. The 1217 counter (CTR_{i+1}) value does not change during key transformation. 1219 The message size MUST NOT exceed (2^{n/2-1}*n*N / k) bits. 1221 6.3.3. GCM-ACPKM-Master Authenticated Encryption Mode 1223 This section defines a GCM-ACPKM-Master authenticated encryption mode 1224 that uses internal ACPKM-Master re-keying mechanism for the 1225 periodical key transformation. 1227 The GCM-ACPKM-Master authenticated encryption mode can be considered 1228 as the extended by the ACPKM-Master re-keying mechanism basic 1229 authenticated encryption mode GCM (see [GCM]). 1231 The GCM-ACPKM-Master authenticated encryption mode can be used with 1232 the following parameters: 1234 o n in {128, 256}; 1236 o 128 <= k <= 512; 1238 o the number of bits c in a specific part of the block to be 1239 incremented is such that 32 <= c <= 3/4 n, c is multiple of 8; 1241 o authentication tag length t. 1243 The key material K[j] that is used for one section processing is 1244 equal to K^j, |K^j| = k bits, that is calculated as follows: 1246 K^1 | ... | K^j | ... | K^l = ACPKM-Master(T*, K, k*l). 1248 The GCM-ACPKM-Master mode encryption and decryption procedures are 1249 defined as follows: 1251 +-------------------------------------------------------------------+ 1252 | GHASH(X, H) | 1253 |-------------------------------------------------------------------| 1254 | Input: | 1255 | - Bit string X = X_1 | ... | X_m, X_i in V_n for i in {1, ... ,m}| 1256 | Output: | 1257 | - Block GHASH(X, H) in V_n | 1258 |-------------------------------------------------------------------| 1259 | 1. Y_0 = 0^n | 1260 | 2. For i = 1, ... , m do | 1261 | Y_i = (Y_{i-1} (xor) X_i)*H | 1262 | 3. Return Y_m | 1263 +-------------------------------------------------------------------+ 1265 +-------------------------------------------------------------------+ 1266 | GCTR(N, K, T*, ICB, X) | 1267 |-------------------------------------------------------------------| 1268 | Input: | 1269 | - Section size N, | 1270 | - master key K, | 1271 | - change frequency T*, | 1272 | - initial counter block ICB, | 1273 | - X = X_1 | ... | X_b, X_i in V_n for i = 1, ... , b-1 and | 1274 | X_b in V_r, where r <= n. | 1275 | Output: | 1276 | - Y in V_{|X|}. | 1277 |-------------------------------------------------------------------| 1278 | 1. If X in V_0 then return Y, where Y in V_0 | 1279 | 2. GCTR_1 = ICB | 1280 | 3. For i = 2, ... , b do | 1281 | GCTR_i = Inc_c(GCTR_{i-1}) | 1282 | 4. l = ceil(b*n / N) | 1283 | 5. K^1 | ... | K^l = ACPKM-Master(T*, K, k*l) | 1284 | 6. For j = 1, ... , b do | 1285 | i = ceil(j*n / N), | 1286 | G_j = E_{K^i}(GCTR_j) | 1287 | 7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b) | 1288 | 8. Return Y | 1289 +-------------------------------------------------------------------+ 1291 +-------------------------------------------------------------------+ 1292 | GCM-ACPKM-Master-Encrypt(N, K, T*, IV, P, A) | 1293 |-------------------------------------------------------------------| 1294 | Input: | 1295 | - Section size N, | 1296 | - master key K, | 1297 | - change frequency T*, | 1298 | - initial counter nonce ICN in V_{n-c}, | 1299 | - plaintext P, |P| <= n*(2^{c-1} - 2). | 1300 | - additional authenticated data A. | 1301 | Output: | 1302 | - Ciphertext C, | 1303 | - authentication tag T. | 1304 |-------------------------------------------------------------------| 1305 | 1. K^1 = ACPKM-Master(T*, K, k) | 1306 | 2. H = E_{K^1}(0^n) | 1307 | 3. If c = 32, then ICB_0 = ICN | 0^31 | 1 | 1308 | if c!= 32, then s = n*ceil(|ICN|/n) - |ICN|, | 1309 | ICB_0 = GHASH(ICN | 0^{s+n-64} | Vec_64(|ICN|), H) | 1310 | 4. C = GCTR(N, K, T*, Inc_32(J_0), P) | 1311 | 5. u = n*ceil(|C| / n) - |C| | 1312 | v = n*ceil(|A| / n) - |A| | 1313 | 6. S = GHASH(A | 0^v | C | 0^u | 0^{n-128} | Vec_64(|A|) | | 1314 | | Vec_64(|C|), H) | 1315 | 7. T = MSB_t(E_{K^1}(J_0) (xor) S) | 1316 | 8. Return C | T | 1317 +-------------------------------------------------------------------+ 1319 +-------------------------------------------------------------------+ 1320 | GCM-ACPKM-Master-Decrypt(N, K, T*, IV, A, C, T) | 1321 |-------------------------------------------------------------------| 1322 | Input: | 1323 | - Section size N, | 1324 | - master key K, | 1325 | - change frequency T*, | 1326 | - initial counter nonce ICN in V_{n-c}, | 1327 | - additional authenticated data A. | 1328 | - ciphertext C, |C| <= n*(2^{c-1} - 2), | 1329 | - authentication tag T, | 1330 | Output: | 1331 | - Plaintext P or FAIL. | 1332 |-------------------------------------------------------------------| 1333 | 1. K^1 = ACPKM-Master(T*, K, k) | 1334 | 2. H = E_{K^1}(0^n) | 1335 | 3. If c = 32, then ICB_0 = ICN | 0^31 | 1 | 1336 | if c!= 32, then s = n*ceil(|ICN| / n) - |ICN|, | 1337 | ICB_0 = GHASH(ICN | 0^{s+n-64} | Vec_64(|ICN|), H) | 1338 | 4. P = GCTR(N, K, T*, Inc_32(J_0), C) | 1339 | 5. u = n*ceil(|C| / n) - |C| | 1340 | v = n*ceil(|A| / n) - |A| | 1341 | 6. S = GHASH(A | 0^v | C | 0^u | 0^{n-128} | Vec_64(|A|) | | 1342 | | Vec_64(|C|), H) | 1343 | 7. T' = MSB_t(E_{K^1}(ICB_0) (xor) S) | 1344 | 8. IF T = T' then return P; else return FAIL. | 1345 +-------------------------------------------------------------------+ 1347 The * operation on (pairs of) the 2^n possible blocks corresponds to 1348 the multiplication operation for the binary Galois (finite) field of 1349 2^n elements defined by the polynomial f as follows (by analogy with 1350 [GCM]): 1352 n = 128: f = a^128 + a^7 + a^2 + a^1 + 1. 1354 n = 256: f = a^256 + a^10 + a^5 + a^2 + 1. 1356 The initial vector IV value for each message that is encrypted under 1357 the given key must be chosen in a unique manner. 1359 The plaintext size MUST NOT exceed (2^{n/2-1}*n*N / k) bits. 1361 6.3.4. CCM-ACPKM-Master Authenticated Encryption Mode 1363 This section defines a CCM-ACPKM-Master authenticated encryption mode 1364 of operations that uses internal ACPKM-Master re-keying mechanism for 1365 the periodical key transformation. 1367 The CCM-ACPKM-Master authenticated encryption mode is differed from 1368 CCM-ACPKM mode in the way the keys K^1, K^2, ... are generated. For 1369 CCM-ACPKM-Master mode the keys are generated as follows: K^i = K[i], 1370 where |K^i|=k and K[1]|K[2]|...|K[l] = ACPKM-Master( T*, K, k*l ). 1372 6.3.5. CBC-ACPKM-Master Encryption Mode 1374 This section defines a CBC-ACPKM-Master encryption mode that uses 1375 internal ACPKM-Master re-keying mechanism for the periodical key 1376 transformation. 1378 The CBC-ACPKM-Master encryption mode can be considered as the 1379 extended by the ACPKM-Master re-keying mechanism basic encryption 1380 mode CBC (see [MODES]). 1382 The CBC-ACPKM-Master encryption mode can be used with the following 1383 parameters: 1385 o 64 <= n <= 512; 1387 o 128 <= k <= 512. 1389 In the specification of the CBC-ACPKM-Master mode the plaintext and 1390 ciphertext must be a sequence of one or more complete data blocks. 1391 If the data string to be encrypted does not initially satisfy this 1392 property, then it MUST be padded to form complete data blocks. The 1393 padding methods are outside the scope of this document. An example 1394 of a padding method can be found in Appendix A of [MODES]. 1396 The key material K[j] that is used for one section processing is 1397 equal to K^j, |K^j| = k bits. 1399 We will denote by D_{K} the decryption function which is a 1400 permutation inverse to the E_{K}. 1402 The CBC-ACPKM-Master mode encryption and decryption procedures are 1403 defined as follows: 1405 +----------------------------------------------------------------+ 1406 | CBC-ACPKM-Master-Encrypt(N, K, T*, IV, P) | 1407 |----------------------------------------------------------------| 1408 | Input: | 1409 | - Section size N, | 1410 | - master key K, | 1411 | - change frequency T*, | 1412 | - initialization vector IV in V_n, | 1413 | - plaintext P = P_1 | ... | P_b, |P| <= 2^{n/2-1}*n*N / k, | 1414 | |P_b| = n. | 1415 | Output: | 1416 | - Ciphertext C. | 1417 |----------------------------------------------------------------| 1418 | 1. l = ceil(b*n/N) | 1419 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k*l) | 1420 | 3. C_0 = IV | 1421 | 4. For j = 1, 2, ... , b do | 1422 | i = ceil(j*n / N), | 1423 | C_j = E_{K^i}(P_j (xor) C_{j-1}) | 1424 | 5. Return C = C_1 | ... | C_b | 1425 |----------------------------------------------------------------+ 1427 +----------------------------------------------------------------+ 1428 | CBC-ACPKM-Master-Decrypt(N, K, T*, IV, C) | 1429 |----------------------------------------------------------------| 1430 | Input: | 1431 | - Section size N, | 1432 | - master key K, | 1433 | - change frequency T*, | 1434 | - initialization vector IV in V_n, | 1435 | - ciphertext C = C_1 | ... | C_b, |C| <= 2^{n/2-1}*n*N/k, | 1436 | |C_b| = n. | 1437 | Output: | 1438 | - Plaintext P. | 1439 |----------------------------------------------------------------| 1440 | 1. l = ceil(b*n / N) | 1441 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k*l) | 1442 | 3. C_0 = IV | 1443 | 4. For j = 1, 2, ... , b do | 1444 | i = ceil(j*n/N) | 1445 | P_j = D_{K^i}(C_j) (xor) C_{j-1} | 1446 | 5. Return P = P_1 | ... | P_b | 1447 +----------------------------------------------------------------+ 1449 The initialization vector IV for each message that is encrypted under 1450 the given key need not to be secret, but must be unpredictable. 1452 The message size MUST NOT exceed (2^{n/2-1}*n*N / k) bits. 1454 6.3.6. CFB-ACPKM-Master Encryption Mode 1456 This section defines a CFB-ACPKM-Master encryption mode that uses 1457 internal ACPKM-Master re-keying mechanism for the periodical key 1458 transformation. 1460 The CFB-ACPKM-Master encryption mode can be considered as the 1461 extended by the ACPKM-Master re-keying mechanism basic encryption 1462 mode CFB (see [MODES]). 1464 The CFB-ACPKM-Master encryption mode can be used with the following 1465 parameters: 1467 o 64 <= n <= 512; 1469 o 128 <= k <= 512. 1471 The key material K[j] that is used for one section processing is 1472 equal to K^j, |K^j| = k bits. 1474 The CFB-ACPKM-Master mode encryption and decryption procedures are 1475 defined as follows: 1477 +-------------------------------------------------------------+ 1478 | CFB-ACPKM-Master-Encrypt(N, K, T*, IV, P) | 1479 |-------------------------------------------------------------| 1480 | Input: | 1481 | - Section size N, | 1482 | - master key K, | 1483 | - change frequency T*, | 1484 | - initialization vector IV in V_n, | 1485 | - plaintext P = P_1 | ... | P_b, |P| <= 2^{n/2-1}*n*N / k. | 1486 | Output: | 1487 | - Ciphertext C. | 1488 |-------------------------------------------------------------| 1489 | 1. l = ceil(b*n / N) | 1490 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k*l) | 1491 | 3. C_0 = IV | 1492 | 4. For j = 1, 2, ... , b do | 1493 | i = ceil(j*n / N) | 1494 | C_j = E_{K^i}(C_{j-1}) (xor) P_j | 1495 | 5. Return C = C_1 | ... | C_b. | 1496 |-------------------------------------------------------------+ 1498 +-------------------------------------------------------------+ 1499 | CFB-ACPKM-Master-Decrypt(N, K, T*, IV, C) | 1500 |-------------------------------------------------------------| 1501 | Input: | 1502 | - Section size N, | 1503 | - master key K, | 1504 | - change frequency T*, | 1505 | - initialization vector IV in V_n, | 1506 | - ciphertext C = C_1 | ... | C_b, |C| <= 2^{n/2-1}*n*N / k.| 1507 | Output: | 1508 | - Plaintext P. | 1509 |-------------------------------------------------------------| 1510 | 1. l = ceil(b*n / N) | 1511 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k*l) | 1512 | 3. C_0 = IV | 1513 | 4. For j = 1, 2, ... , b do | 1514 | i = ceil(j*n / N), | 1515 | P_j = E_{K^i}(C_{j-1}) (xor) C_j | 1516 | 5. Return P = P_1 | ... | P_b | 1517 +-------------------------------------------------------------+ 1519 The initialization vector IV for each message that is encrypted under 1520 the given key need not to be secret, but must be unpredictable. 1522 The message size MUST NOT exceed 2^{n/2-1}*n*N/k bits. 1524 6.3.7. OFB-ACPKM-Master Encryption Mode 1526 This section defines an OFB-ACPKM-Master encryption mode that uses 1527 internal ACPKM-Master re-keying mechanism for the periodical key 1528 transformation. 1530 The OFB-ACPKM-Master encryption mode can be considered as the 1531 extended by the ACPKM-Master re-keying mechanism basic encryption 1532 mode OFB (see [MODES]). 1534 The OFB-ACPKM-Master encryption mode can be used with the following 1535 parameters: 1537 o 64 <= n <= 512; 1539 o 128 <= k <= 512. 1541 The key material K[j] used for one section processing is equal to 1542 K^j, |K^j| = k bits. 1544 The OFB-ACPKM-Master mode encryption and decryption procedures are 1545 defined as follows: 1547 +----------------------------------------------------------------+ 1548 | OFB-ACPKM-Master-Encrypt(N, K, T*, IV, P) | 1549 |----------------------------------------------------------------| 1550 | Input: | 1551 | - Section size N, | 1552 | - master key K, | 1553 | - change frequency T*, | 1554 | - initialization vector IV in V_n, | 1555 | - plaintext P = P_1 | ... | P_b, |P| <= 2^{n/2-1}*n*N / k. | 1556 | Output: | 1557 | - Ciphertext C. | 1558 |----------------------------------------------------------------| 1559 | 1. l = ceil(b*n / N) | 1560 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k*l) | 1561 | 3. G_0 = IV | 1562 | 4. For j = 1, 2, ... , b do | 1563 | i = ceil(j*n / N), | 1564 | G_j = E_{K_i}(G_{j-1}) | 1565 | 5. Return C = P (xor) MSB_{|P|}(G_1 | ... | G_b) | 1566 |----------------------------------------------------------------+ 1568 +----------------------------------------------------------------+ 1569 | OFB-ACPKM-Master-Decrypt(N, K, T*, IV, C) | 1570 |----------------------------------------------------------------| 1571 | Input: | 1572 | - Section size N, | 1573 | - master key K, | 1574 | - change frequency T*, | 1575 | - initialization vector IV in V_n, | 1576 | - ciphertext C = C_1 | ... | C_b, |C| <= 2^{n/2-1}*n*N / k. | 1577 | Output: | 1578 | - Plaintext P. | 1579 |----------------------------------------------------------------| 1580 | 1. Return OFB-ACPKM-Master-Encrypt(N, K, T*, IV, C) | 1581 +----------------------------------------------------------------+ 1583 The initialization vector IV for each message that is encrypted under 1584 the given key need not be unpredictable, but it must be a nonce that 1585 is unique to each execution of the encryption operation. 1587 The message size MUST NOT exceed 2^{n/2-1}*n*N / k bits. 1589 6.3.8. OMAC-ACPKM-Master Mode 1591 This section defines an OMAC-ACPKM-Master message authentication code 1592 calculation mode that uses internal ACPKM-Master re-keying mechanism 1593 for the periodical key transformation. 1595 The OMAC-ACPKM-Master mode can be considered as the extended by the 1596 ACPKM-Master re-keying mechanism basic message authentication code 1597 calculation mode OMAC, which is also known as CMAC (see [RFC4493]). 1599 The OMAC-ACPKM-Master message authentication code calculation mode 1600 can be used with the following parameters: 1602 o n in {64, 128, 256}; 1604 o 128 <= k <= 512. 1606 The key material K[j] that is used for one section processing is 1607 equal to K^j | K^j_1, where |K^j| = k and |K^j_1| = n. 1609 The following is a specification of the subkey generation process of 1610 OMAC: 1612 +-------------------------------------------------------------------+ 1613 | Generate_Subkey(K1, r) | 1614 |-------------------------------------------------------------------| 1615 | Input: | 1616 | - Key K1, | 1617 | Output: | 1618 | - Key SK. | 1619 |-------------------------------------------------------------------| 1620 | 1. If r = n then return K1 | 1621 | 2. If r < n then | 1622 | if MSB_1(K1) = 0 | 1623 | return K1 << 1 | 1624 | else | 1625 | return (K1 << 1) (xor) R_n | 1626 | | 1627 +-------------------------------------------------------------------+ 1629 Where R_n takes the following values: 1631 o n = 64: R_{64} = 0^{59} | 11011; 1633 o n = 128: R_{128} = 0^{120} | 10000111; 1635 o n = 256: R_{256} = 0^{145} | 10000100101. 1637 The OMAC-ACPKM-Master message authentication code calculation mode is 1638 defined as follows: 1640 +-------------------------------------------------------------------+ 1641 | OMAC-ACPKM-Master(K, N, T*, M) | 1642 |-------------------------------------------------------------------| 1643 | Input: | 1644 | - Section size N, | 1645 | - master key K, | 1646 | - key frequency T*, | 1647 | - plaintext M = M_1 | ... | M_b, |M| <= 2^{n/2}*n^2*N / (k + n). | 1648 | Output: | 1649 | - message authentication code T. | 1650 |-------------------------------------------------------------------| 1651 | 1. C_0 = 0^n | 1652 | 2. l = ceil(b*n / N) | 1653 | 3. K^1 | K^1_1 | ... | K^l | K^l_1 = ACPKM-Master(T*, K, (k+n)*l | 1654 | 4. For j = 1, 2, ... , b-1 do | 1655 | i = ceil(j*n / N), | 1656 | C_j = E_{K^i}(M_j (xor) C_{j-1}) | 1657 | 5. SK = Generate_Subkey(K^l_1, |M_b|) | 1658 | 6. If |M_b| = n then M*_b = M_b | 1659 | else M*_b = M_b | 1 | 0^{n - 1 -|M_b|} | 1660 | 7. T = E_{K^l}(M*_b (xor) C_{b-1} (xor) SK) | 1661 | 8. Return T | 1662 +-------------------------------------------------------------------+ 1664 The message size MUST NOT exceed 2^{n/2}*n^2*N / (k + n) bits. 1666 7. Joint Usage of External and Internal Re-keying 1668 Any mechanism described in Section 5 can be used with any mechanism 1669 described in Section 6. 1671 8. Security Considerations 1673 Re-keying should be used to increase "a priori" security properties 1674 of ciphers in hostile environments (e.g. with side-channel 1675 adversaries). If some non-negligible attacks are known for a cipher, 1676 it must not be used. So re-keying cannot be used as a patch for 1677 vulnerable ciphers. Base cipher properties must be well analyzed, 1678 because security of re-keying mechanisms is based on security of a 1679 block cipher as a pseudorandom function. 1681 Re-keying is not intended to solve any post-quantum security issues 1682 for symmetric crypto since the reduction of security caused by 1683 Grover's algorithm is not connected with a size of plaintext 1684 transformed by a cipher - only a negligible (sufficient for key 1685 uniqueness) material is needed and the aim of re-keying is to limit a 1686 size of plaintext transformed on one key. 1688 Re-keying can provide backward security only if the previous traffic 1689 keys are securely deleted by all parties that have the keys. 1691 9. References 1693 9.1. Normative References 1695 [GCM] McGrew, D. and J. Viega, "The Galois/Counter Mode of 1696 Operation (GCM)", Submission to NIST 1697 http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ 1698 gcm/gcm-spec.pdf, January 2004. 1700 [MODES] Dworkin, M., "Recommendation for Block Cipher Modes of 1701 Operation: Methods and Techniques", NIST Special 1702 Publication 800-38A, December 2001. 1704 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1705 Requirement Levels", BCP 14, RFC 2119, 1706 DOI 10.17487/RFC2119, March 1997, 1707 . 1709 [RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with 1710 CBC-MAC (CCM)", RFC 3610, DOI 10.17487/RFC3610, September 1711 2003, . 1713 [RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The 1714 AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June 1715 2006, . 1717 [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand 1718 Key Derivation Function (HKDF)", RFC 5869, 1719 DOI 10.17487/RFC5869, May 2010, 1720 . 1722 [TLSDraft] 1723 Rescorla, E., "The Transport Layer Security (TLS) Protocol 1724 Version 1.3", 2017, . 1727 9.2. Informative References 1729 [AbBell] Michel Abdalla and Mihir Bellare, "Increasing the Lifetime 1730 of a Key: A Comparative Analysis of the Security of Re- 1731 keying Techniques", ASIACRYPT2000, LNCS 1976, pp. 546-559, 1732 2000. 1734 [LDC] Howard M. Heys, "A Tutorial on Linear and Differential 1735 Cryptanalysis", 2017, 1736 . 1738 [Sweet32] Karthikeyan Bhargavan, Gaetan Leurent, "On the Practical 1739 (In-)Security of 64-bit Block Ciphers. Collision Attacks 1740 on HTTP over TLS and OpenVPN", 2016, 1741 . 1743 Appendix A. Test examples 1745 CTR-ACPKM mode with AES-256 1746 ********* 1747 c = 64 1748 k = 256 1749 N = 256 1750 n = 128 1752 D_1 1753 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 1755 D_2 1756 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F 1758 Key K: 1759 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 1760 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 1762 Plain text P: 1763 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 1764 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1765 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1766 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 1767 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 1768 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 1769 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 1771 ICN: 1772 12 34 56 78 90 AB CE F0 1774 ACPKM's iteration 1 1775 Process block 1 1776 Input block (ctr) 1777 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 00 1779 Output block (ctr) 1780 FD 7E F8 9A D9 7E A4 B8 8D B8 B5 1C 1C 9D 6D D0 1781 Plain text 1782 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 1784 Cipher text 1785 EC 5C CB DE 8C 18 D3 B8 72 56 68 D0 A7 37 F4 58 1787 Process block 2 1788 Input block (ctr) 1789 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 01 1791 Output block (ctr) 1792 19 98 C5 71 76 37 FB 17 11 E4 48 F0 0C 0D 60 B2 1794 Plain text 1795 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1797 Cipher text 1798 19 89 E7 42 32 62 9D 60 99 7D E2 4B C0 E3 9F B8 1800 Input block (ctr) 1801 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 1803 Output block (ctr) 1804 F6 80 D1 21 2F A4 3D F4 EC 3A 91 DE 2A B1 6F 1B 1806 Input block (ctr) 1807 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F 1809 Output block (ctr) 1810 36 B0 48 8A 4F C1 2E 09 98 D2 E4 A8 88 E8 4F 3D 1812 Updated key: 1813 F6 80 D1 21 2F A4 3D F4 EC 3A 91 DE 2A B1 6F 1B 1814 36 B0 48 8A 4F C1 2E 09 98 D2 E4 A8 88 E8 4F 3D 1816 ACPKM's iteration 2 1817 Process block 1 1818 Input block (ctr) 1819 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 02 1821 Output block (ctr) 1822 E4 88 89 4F B6 02 87 DB 77 5A 07 D9 2C 89 46 EA 1824 Plain text 1825 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1827 Cipher text 1828 F5 AA BA 0B E3 64 F0 53 EE F0 BC 15 C2 76 4C EA 1829 Process block 2 1830 Input block (ctr) 1831 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 03 1833 Output block (ctr) 1834 BC 4F 87 23 DB F0 91 50 DD B4 06 C3 1D A9 7C A4 1836 Plain text 1837 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 1839 Cipher text 1840 9E 7C C3 76 BD 87 19 C9 77 0F CA 2D E2 A3 7C B5 1842 Input block (ctr) 1843 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 1845 Output block (ctr) 1846 8E B9 7E 43 27 1A 42 F1 CA 8E E2 5F 5C C7 C8 3B 1848 Input block (ctr) 1849 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F 1851 Output block (ctr) 1852 1A CE 9E 5E D0 6A A5 3B 57 B9 6A CF 36 5D 24 B8 1854 Updated key: 1855 8E B9 7E 43 27 1A 42 F1 CA 8E E2 5F 5C C7 C8 3B 1856 1A CE 9E 5E D0 6A A5 3B 57 B9 6A CF 36 5D 24 B8 1858 ACPKM's iteration 3 1859 Process block 1 1860 Input block (ctr) 1861 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 04 1863 Output block (ctr) 1864 68 6F 22 7D 8F B2 9C BD 05 C8 C3 7D 22 FE 3B B7 1866 Plain text 1867 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 1869 Cipher text 1870 5B 2B 77 1B F8 3A 05 17 BE 04 2D 82 28 FE 2A 95 1872 Process block 2 1873 Input block (ctr) 1874 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 05 1876 Output block (ctr) 1877 C0 1B F9 7F 75 6E 12 2F 80 59 55 BD DE 2D 45 87 1879 Plain text 1880 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 1882 Cipher text 1883 84 4E 9F 08 FD F7 B8 94 4C B7 AA B7 DE 3C 67 B4 1885 Input block (ctr) 1886 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 1888 Output block (ctr) 1889 C5 71 6C C9 67 98 BC 2D 4A 17 87 B7 8A DF 94 AC 1891 Input block (ctr) 1892 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F 1894 Output block (ctr) 1895 E8 16 F8 0B DB BC AD 7D 60 78 12 9C 0C B4 02 F5 1897 Updated key: 1898 C5 71 6C C9 67 98 BC 2D 4A 17 87 B7 8A DF 94 AC 1899 E8 16 F8 0B DB BC AD 7D 60 78 12 9C 0C B4 02 F5 1901 ACPKM's iteration 4 1902 Process block 1 1903 Input block (ctr) 1904 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 06 1906 Output block (ctr) 1907 03 DE 34 74 AB 9B 65 8A 3B 54 1E F8 BD 2B F4 7D 1909 Plain text 1910 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 1912 Cipher text 1913 56 B8 43 FC 32 31 DE 46 D5 AB 14 F8 AC 09 C7 39 1915 Input block (ctr) 1916 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 1918 Output block (ctr) 1919 74 1E B5 88 D6 AB DA B6 89 AA FD BA A9 3E A2 46 1921 Input block (ctr) 1922 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F 1924 Output block (ctr) 1925 16 3A A6 C2 3C E7 C3 74 CD 38 BF C6 FE 8C C5 FF 1927 Updated key: 1928 74 1E B5 88 D6 AB DA B6 89 AA FD BA A9 3E A2 46 1929 16 3A A6 C2 3C E7 C3 74 CD 38 BF C6 FE 8C C5 FF 1931 Encrypted src 1932 EC 5C CB DE 8C 18 D3 B8 72 56 68 D0 A7 37 F4 58 1933 19 89 E7 42 32 62 9D 60 99 7D E2 4B C0 E3 9F B8 1934 F5 AA BA 0B E3 64 F0 53 EE F0 BC 15 C2 76 4C EA 1935 9E 7C C3 76 BD 87 19 C9 77 0F CA 2D E2 A3 7C B5 1936 5B 2B 77 1B F8 3A 05 17 BE 04 2D 82 28 FE 2A 95 1937 84 4E 9F 08 FD F7 B8 94 4C B7 AA B7 DE 3C 67 B4 1938 56 B8 43 FC 32 31 DE 46 D5 AB 14 F8 AC 09 C7 39 1940 Appendix B. Contributors 1942 o Russ Housley 1943 Vigil Security, LLC 1944 housley@vigilsec.com 1946 o Mihir Bellare 1947 University of California 1948 mihir@eng.ucsd.edu 1950 o Evgeny Alekseev 1951 CryptoPro 1952 alekseev@cryptopro.ru 1954 o Ekaterina Smyshlyaeva 1955 CryptoPro 1956 ess@cryptopro.ru 1958 o Daniel Fox Franke 1959 Akamai Technologies 1960 dfoxfranke@gmail.com 1962 o Lilia Ahmetzyanova 1963 CryptoPro 1964 lah@cryptopro.ru 1966 o Ruth Ng 1967 University of California, San Diego 1968 ring@eng.ucsd.edu 1970 o Shay Gueron 1971 University of Haifa, Israel 1972 Intel Corporation, Israel Development Center, Israel 1973 shay.gueron@gmail.com 1975 Appendix C. Acknowledgments 1977 We thank Scott Fluhrer, Dorothy Cooley, Yoav Nir, Jim Schaad and Paul 1978 Hoffman for their useful comments. 1980 Author's Address 1982 Stanislav Smyshlyaev (editor) 1983 CryptoPro 1984 18, Suschevsky val 1985 Moscow 127018 1986 Russian Federation 1988 Phone: +7 (495) 995-48-20 1989 Email: svs@cryptopro.ru