CFRG                                                   S. Smyshlyaev, Ed.
Internet-Draft                                                  CryptoPro
Intended status: Informational                           February 2, 2018
Expires: August 6, 2018

                  Re-keying Mechanisms for Symmetric Keys
                      draft-irtf-cfrg-re-keying-11

Abstract

   A certain maximum amount of data can be safely encrypted when
   encryption is performed under a single key.  This amount is called
   "key lifetime".  This specification describes a variety of methods to
   increase the lifetime of symmetric keys.  It provides two types of
   re-keying mechanisms based on hash functions and on block ciphers,
   that can be used with modes of operations such as CTR, GCM, CBC, CFB
   and OMAC.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 6, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Basic Terms and Definitions
   4.  Choosing Constructions and Security Parameters
   5.  External Re-keying Mechanisms
     5.1.  Methods of Key Lifetime Control
     5.2.  Parallel Constructions
       5.2.1.  Parallel Construction Based on a KDF on a Block Cipher
       5.2.2.  Parallel Construction Based on a KDF on a Hash Function
       5.2.3.  Tree-based Construction
     5.3.  Serial Constructions
       5.3.1.  Serial Construction Based on a KDF on a Block Cipher
       5.3.2.  Serial Construction Based on a KDF on a Hash Function
     5.4.  Exploiting Additional Entropy on Re-keying
   6.  Internal Re-keying Mechanisms
     6.1.  Methods of Key Lifetime Control
     6.2.  Constructions that Do Not Require Master Key
       6.2.1.  ACPKM Re-keying Mechanisms
       6.2.2.  CTR-ACPKM Encryption Mode
       6.2.3.  GCM-ACPKM Authenticated Encryption Mode
     6.3.  Constructions that Require Master Key
       6.3.1.  ACPKM-Master Key Derivation from the Master Key
       6.3.2.  CTR-ACPKM-Master Encryption Mode
       6.3.3.  GCM-ACPKM-Master Authenticated Encryption Mode
       6.3.4.  CBC-ACPKM-Master Encryption Mode
       6.3.5.  CFB-ACPKM-Master Encryption Mode
       6.3.6.  OMAC-ACPKM-Master Authentication Mode
   7.  Joint Usage of External and Internal Re-keying
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Test Examples
     A.1.  Test Examples for External Re-keying
       A.1.1.  External Re-keying with a Parallel Construction
       A.1.2.  External Re-keying with a Serial Construction
     A.2.  Test Examples for Internal Re-keying
       A.2.1.  Internal Re-keying Mechanisms that Do Not Require Master
               Key
       A.2.2.  Internal Re-keying Mechanisms with a Master Key
   Appendix B.  Contributors
   Appendix C.  Acknowledgments
   Author's Address

1.  Introduction

   A certain maximum amount of data can be safely encrypted when
   encryption is performed under a single key.  Hereinafter this amount
   will be referred to as "key lifetime".  The key lifetime can be
   calculated from the following considerations:

   1.  Methods based on the combinatorial properties of the used block
       cipher mode of operation

       These methods do not depend on the underlying block cipher.
       Common mode restrictions derived from such methods are of order
       2^{n/2}, where n is the block size defined in Section 3.
       [Sweet32] is an example of an attack that is based on such
       methods.

   2.  Methods based on side-channel analysis issues

       In most cases these methods do not depend on the used encryption
       modes and depend only weakly on the features of the used block
       cipher.  Limitations resulting from these considerations are
       usually the most restrictive ones.  [TEMPEST] is an example of an
       attack that is based on such methods.

   3.  Methods based on the properties of the used block cipher

       The most common methods of this type are linear and differential
       cryptanalysis [LDC].  In most cases these methods do not depend
       on the used modes of operation.  In the case of secure block
       ciphers, bounds resulting from such methods are roughly the same
       as the natural bounds of 2^n, and are dominated by the other
       bounds above.  Therefore, they can be excluded from the
       considerations here.

   As a result, it is important to replace a key as soon as the total
   size of the plaintext processed under that key reaches the lifetime
   limitation.  A specific value of the key lifetime should be
   determined in accordance with some safety margin for protocol
   security and the methods outlined above.

   Suppose L is a key lifetime limitation in some protocol P.  For
   simplicity, assume that all messages have the same length m.  Hence,
   the number of messages q that can be processed with a single key K
   should be such that m * q <= L.  This can be depicted graphically as
   a rectangle with sides m and q which is enclosed by area L (see
   Figure 1).

         +------------------------+
         |   L                    |
         |   +--------m---------+ |
         |   |==================| |
         |   |==================| |
         |   q==================| |    m * q <= L
         |   |==================| |
         |   |==================| |
         |   +------------------+ |
         +------------------------+

       Figure 1: Graphic display of the key lifetime limitation

   In practice, the amount of data that corresponds to limitation L may
   not be enough.
   The simplest and most obvious way in this situation is a regular
   renegotiation of an initial key after processing this threshold
   amount of data L.  However, this reduces the total performance, since
   it usually entails termination of application data transmission,
   additional service messages, the use of a random number generator and
   many other additional calculations, including resource-intensive
   public key cryptography.

   For protocols based on block ciphers or stream ciphers a more
   efficient way of increasing the key lifetime is to use various re-
   keying mechanisms.  This specification considers only the case of re-
   keying mechanisms for block ciphers, while re-keying mechanisms
   typical for stream ciphers (e.g., [Pietrzak2009], [FPS2012]) go
   beyond the scope of this document.

   Re-keying mechanisms can be applied on different protocol levels: on
   the block cipher level (this approach is known as fresh re-keying and
   is described, for instance, in [FRESHREKEYING]), on the block cipher
   mode of operation level (see Section 6), and on the protocol level
   above the block cipher mode of operation (see Section 5).  The usage
   of the first approach is highly inefficient, since the key changes
   after processing each message block.  Moreover, fresh re-keying
   mechanisms can change the block cipher internal structure and,
   consequently, can require additional security analysis for each
   particular block cipher.  As a result, this approach depends on the
   properties of the particular primitive and cannot be applied to an
   arbitrary block cipher; therefore, fresh re-keying mechanisms go
   beyond the scope of this document.

   Thus, this document contains the list of recommended re-keying
   mechanisms that can be used in symmetric encryption schemes based on
   block ciphers.
   These mechanisms are independent of the particular block cipher
   specification, and their security properties rely only on the
   standard block cipher security assumption.

   This specification presents two basic approaches to extend the
   lifetime of a key while avoiding renegotiation that were introduced
   in [AAOS2017]:

   1.  External re-keying

       External re-keying is performed by a protocol, and it is
       independent of the underlying block cipher and the mode of
       operation.  External re-keying can use parallel and serial
       constructions.  In the parallel case, data processing keys K^1,
       K^2, ... are generated directly from the initial key K
       independently of each other.  In the serial case, every data
       processing key depends on the state that is updated after the
       generation of each new data processing key.

       As a generalization of external parallel re-keying, an external
       tree-based mechanism can be considered.  It is specified in
       Section 5.2.3 and can be viewed as a generalization of the [GGM]
       tree.  A similar construction is used in the one-way tree
       mechanism ([OWT]).

   2.  Internal re-keying

       Internal re-keying is built into the mode, and it depends heavily
       on the properties of the mode of operation and the block size.

   The re-keying approaches extend the key lifetime for a single initial
   key by providing the possibility to limit the leakages (via side
   channels) and by improving the combinatorial properties of the used
   block cipher mode of operation.

   In practical applications, re-keying can be useful for protocols that
   need to operate in hostile environments or under restricted resource
   conditions (e.g., that require lightweight cryptography, where
   ciphers have a small block size that imposes strict combinatorial
   limitations).
   Moreover, mechanisms that use external and internal re-keying may
   provide some properties of forward security and potentially some
   protection against future attacks (by limiting the number of
   plaintext-ciphertext pairs that an adversary can collect).  External
   and internal re-keying can be used in network protocols as well as in
   systems for data-at-rest encryption.

   Depending on the concrete protocol characteristics there might be
   situations in which both external and internal re-keying mechanisms
   (see Section 7) can be applied.  For example, a similar approach was
   used in Taha's tree construction (see [TAHA]).

   It is worth noting that the re-keying mechanisms recommended in this
   document are targeted to provide the PFS property and are not
   suitable for the cases when this property should be omitted in favor
   of performance characteristics, side leakage resilience or some other
   properties.  Another re-keying approach is key updating (key
   regression) algorithms (e.g., [FKK2005] and [KMNT2003]), but they
   pursue a goal different from increasing key lifetime, and the absence
   of the PFS property is the base claim of this approach.  Therefore,
   key regression algorithms are excluded from the considerations here.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Basic Terms and Definitions

   This document uses the following terms and definitions for the sets
   and operations on the elements of these sets:

   V*          the set of all bit strings of a finite length (hereinafter
               referred to as strings), including the empty string;
               substrings and string components are enumerated from
               right to left starting from one;

   V_s         the set of all bit strings of length s, where s is a non-
               negative integer;

   |X|         the bit length of the bit string X;

   A | B       concatenation of strings A and B both belonging to V*,
               i.e., a string in V_{|A|+|B|}, where the left substring
               in V_|A| is equal to A, and the right substring in V_|B|
               is equal to B;

   (xor)       exclusive-or of two bit strings of the same length;

   Z_{2^n}     ring of residues modulo 2^n;

   Int_s: V_s -> Z_{2^s}
               the transformation that maps a string a = (a_s, ... ,
               a_1) in V_s into the integer Int_s(a) = 2^{s-1} * a_s +
               ... + 2 * a_2 + a_1 (the interpretation of the binary
               string as an integer);

   Vec_s: Z_{2^s} -> V_s
               the transformation inverse to the mapping Int_s (the
               interpretation of an integer as a binary string);

   MSB_i: V_s -> V_i
               the transformation that maps the string a = (a_s, ... ,
               a_1) in V_s into the string MSB_i(a) = (a_s, ... ,
               a_{s-i+1}) in V_i (most significant bits);

   LSB_i: V_s -> V_i
               the transformation that maps the string a = (a_s, ... ,
               a_1) in V_s into the string LSB_i(a) = (a_i, ... , a_1)
               in V_i (least significant bits);

   Inc_c: V_s -> V_s
               the transformation that maps the string a = (a_s, ... ,
               a_1) in V_s into the string Inc_c(a) = MSB_{|a|-c}(a) |
               Vec_c(Int_c(LSB_c(a)) + 1 (mod 2^c)) in V_s;

   a^s         denotes the string in V_s that consists of s 'a' bits;

   E_{K}: V_n -> V_n
               the block cipher permutation under the key K in V_k;

   ceil(x)     the smallest integer that is greater than or equal to x;

   floor(x)    the biggest integer that is less than or equal to x;

   k           the bit-length of K; k is assumed to be divisible by 8;

   n           the block size of the block cipher (in bits); n is
               assumed to be divisible by 8;

   b           the number of data blocks in the plaintext P (b =
               ceil(|P|/n));

   N           the section size (the number of bits that are processed
               with one section key before this key is transformed).

   A plaintext message P and the corresponding ciphertext C are divided
   into b = ceil(|P|/n) blocks, denoted P = P_1 | P_2 | ... | P_b and C
   = C_1 | C_2 | ... | C_b, respectively.  The first b-1 blocks P_i and
   C_i are in V_n, for i = 1, 2, ... , b-1.  The b-th blocks P_b, C_b
   may be incomplete blocks, i.e., in V_r, where r <= n, if not
   otherwise specified.

4.  Choosing Constructions and Security Parameters

   External re-keying is an approach assuming that a key is transformed
   after encrypting a limited number of entire messages.  The external
   re-keying method is chosen at the protocol level, regardless of the
   underlying block cipher or the encryption mode.  External re-keying
   is recommended for protocols that process relatively short messages
   or for protocols that have a way to divide a long message into
   manageable pieces.  Through external re-keying the number of messages
   that can be securely processed with a single initial key K is
   substantially increased without loss in message length.

   External re-keying has the following advantages:

   1.  it increases the lifetime of an initial key by increasing the
       number of messages processed with this key;

   2.  it has a negligible effect on performance when the number of
       messages processed under one initial key is sufficiently large;

   3.  it provides forward and backward security of data processing
       keys.

   However, the use of external re-keying has the following
   disadvantage: in case of restrictive key lifetime limitations the
   message sizes can become inconvenient due to the impossibility of
   processing sufficiently large messages, so it could be necessary to
   perform additional fragmentation at the protocol level.  E.g., if the
   key lifetime L is 1 GB and the message length m = 3 GB, then this
   message cannot be processed as a whole and it should be divided into
   three fragments that will be processed separately.

   Internal re-keying is an approach assuming that a key is transformed
   during the processing of each separate message.  Such procedures are
   integrated into the base modes of operation, so every internal re-
   keying mechanism is defined for the particular operation mode and the
   block size of the used cipher.  Internal re-keying is recommended for
   protocols that process long messages: the size of each single message
   can be substantially increased without loss in the number of messages
   that can be securely processed with a single initial key.

   Internal re-keying has the following advantages:

   1.  it increases the lifetime of an initial key by increasing the
       size of the messages processed with one initial key;

   2.  it has minimal impact on performance;

   3.  internal re-keying mechanisms without a master key do not affect
       the transformation of short messages at all;

   4.  it is transparent (works like any mode of operation): it does not
       require changes of IVs or restarting MACing.

   However, the use of internal re-keying has the following
   disadvantages:

   1.  a specific method must not be chosen independently of a mode of
       operation;

   2.  internal re-keying mechanisms without a master key do not provide
       backward security of data processing keys.

   Any block cipher mode of operation with internal re-keying can be
   jointly used with any external re-keying mechanism.  Such joint usage
   increases both the number of messages processed with one initial key
   and their maximum possible size.

   If the adversary has access to the data processing interface, the use
   of the same cryptographic primitives both for data processing and for
   the re-keying transformation decreases the code size but can lead to
   some possible vulnerabilities.  This vulnerability can be eliminated
   by using different primitives for data processing and re-keying,
   e.g., a block cipher for data processing and a hash function for re-
   keying (see Section 5.2.2 and Section 5.3.2).  However, in this case
   the security of the whole scheme cannot be reduced to standard
   notions like PRF or PRP, so security estimations become more
   difficult and unclear.

   Summing up the above-mentioned issues briefly:

   1.  If a protocol assumes processing long records (e.g., [CMS]),
       internal re-keying should be used.  If a protocol assumes
       processing a significant amount of ordered records, which can be
       considered as a single data stream (e.g., [TLS], [SSH]), internal
       re-keying may also be used.

   2.  For protocols which allow out-of-order delivery and lost records
       (e.g., [DTLS], [ESP]) external re-keying should be used, as in
       this case records cannot be considered as a single data stream.
       If at the same time records are long enough, internal re-keying
       should additionally be used during the processing of each
       separate message.

   For external re-keying:

   1.  If it is desirable to separate the transformations used for data
       processing and for key update, hash function based re-keying
       should be used.

   2.  If parallel data processing is required, then parallel external
       re-keying should be used.

   3.  In case of restrictive key lifetime limitations, external tree-
       based re-keying should be used.

   For internal re-keying:

   1.  If the property of forward and backward security is desirable for
       data processing keys and if additional key material can be easily
       obtained for the data processing stage, internal re-keying with a
       master key should be used.

5.  External Re-keying Mechanisms

   This section presents an approach to increase the initial key
   lifetime by using a transformation of a data processing key (frame
   key) after processing a limited number of entire messages (a frame).
   It provides external parallel and serial re-keying mechanisms (see
   [AbBell]).  These mechanisms use the initial key K only for frame key
   generation and never use it directly for data processing.  Such
   mechanisms operate outside of the base modes of operation and do not
   change them at all; therefore they are called "external re-keying"
   mechanisms in this document.

   External re-keying mechanisms are recommended for usage in protocols
   that process quite small messages, since the maximum gain in
   increasing the initial key lifetime is achieved by increasing the
   number of messages.

   External re-keying increases the initial key lifetime through the
   following approach.  Suppose there is a protocol P with some mode of
   operation (base encryption or authentication mode).  Let L1 be a key
   lifetime limitation induced by side-channel analysis methods (side-
   channel limitation), let L2 be a key lifetime limitation induced by
   methods based on the combinatorial properties of the used mode of
   operation (combinatorial limitation), and let q1, q2 be the total
   numbers of messages of length m that can be safely processed with an
   initial key K according to these limitations.

   Let L = min(L1, L2), q = min(q1, q2), q * m <= L.
   As the L1 limitation is usually much stronger than the L2 limitation
   (L1 < L2), the final key lifetime restriction is equal to the most
   restrictive limitation L1.  Thus, as displayed in Figure 2, without
   re-keying only q1 (q1 * m <= L1) messages can be safely processed.

           <--------m------->
           +----------------+  ^   ^
           |================|  |   |
           |================|  |   |
       K-->|================|  q1  |
           |================|  |   |
           |==============L1|  |   |
           +----------------+  v   |
           |                |      |
           |                |      |
           |                |      q2
           |                |      |
           |                |      |
           |                |      |
           |                |      |
           |                |      |
           |                |      |
           |                |      |
           |                |      |
           |              L2|      |
           +----------------+      v

    Figure 2: Basic principles of message processing without external
                                 re-keying

   Suppose that the safety margin for the protocol P is fixed and the
   external re-keying approach is applied to the initial key K to
   generate the sequence of frame keys.  The frame keys are generated in
   such a way that the leakage of a previous frame key does not have any
   impact on the following one, so the side-channel limitation L1 goes
   off.  Thus, the resulting key lifetime limitation of the initial key
   K can be calculated on the basis of a new combinatorial limitation
   L2'.  It is proven (see [AbBell]) that the security of a mode of
   operation that uses external re-keying increases when compared to the
   base mode without re-keying (thus, L2 < L2').  Hence, as displayed in
   Figure 3, the resulting key lifetime limitation in case of using
   external re-keying can be increased up to L2'.

              <--------m------->
       K      +----------------+
       |      |================|
       v      |================|
      K^1-->  |================|
       |      |================|
       |      |==============L1|
       |      +----------------+
       |      |================|
       v      |================|
      K^2-->  |================|
       |      |================|
       |      |==============L1|
       |      +----------------+
       |      |================|
       v      |================|
      ...     |     . . .      |
              |                |
              |                |
              |              L2|
              +----------------+
              |                |
             ...              ...
              |             L2'|
              +----------------+

     Figure 3: Basic principles of message processing with external
                                 re-keying

   Note: the key transformation process is depicted in a simplified
   form.  The specific approaches (parallel and serial) are described
   below.

   Consider an example.  Let the message size in a protocol P be equal
   to 1 KB.  Suppose L1 = 128 MB and L2 = 1 TB.  Thus, if an external
   re-keying mechanism is not used, the initial key K must be
   renegotiated after processing 128 MB / 1 KB = 131072 messages.

   If an external re-keying mechanism is used, the key lifetime
   limitation L1 goes off.  Hence the resulting key lifetime limitation
   L2' can be set to more than 1 TB.  Thus, if an external re-keying
   mechanism is used, more than 1 TB / 1 KB = 2^30 messages can be
   processed before the initial key K is renegotiated.  This is 8192
   times greater than the number of messages that can be processed when
   an external re-keying mechanism is not used.

5.1.  Methods of Key Lifetime Control

   Suppose L is the amount of data that can be safely processed with one
   frame key.  For i in {1, 2, ... , t} the frame key K^i (see Figure 4
   and Figure 5) should be transformed after processing q_i messages,
   where q_i can be calculated in accordance with one of the following
   approaches:

   Explicit approach:

      q_i is such that |M^{i,1}| + ... + |M^{i,q_i}| <= L, |M^{i,1}| +
      ... + |M^{i,q_i+1}| > L.

      This approach allows the frame key K^i to be used in an almost
      optimal way, but it can be applied only in the case when messages
      cannot be lost or reordered (e.g., TLS records).

   Implicit approach:

      q_i = L / m_max, i = 1, ... , t.

      The amount of data processed with one frame key K^i is calculated
      under the assumption that every message has the maximum length
      m_max.  Hence this amount can be considerably less than the key
      lifetime limitation L.
On the other hand, this approach can be 578 applied in case when messages may be lost or reordered (e.g., DTLS 579 records). 581 Dynamic key changes: 583 We can organize the key change using the Protected Point to Point 584 ([P3]) solution by building a protected tunnel between the 585 endpoints in which the information about frame key updating can be 586 safely passed across. This can be useful, for example, when we 587 wish the adversary not to detect the key change during the 588 protocol evaluation. 590 5.2. Parallel Constructions 592 External parallel re-keying mechanisms generate frame keys K^1, K^2, 593 ... directly from the initial key K independently of each other. 595 The main idea behind external re-keying with a parallel construction 596 is presented in Figure 4: 598 Maximum message size = m_max. 599 _____________________________________________________________ 601 m_max 602 <----------------> 603 M^{1,1} |=== | 604 M^{1,2} |=============== | 605 +->K^1--> ... ... 606 | M^{1,q_1} |======== | 607 | 608 | 609 | M^{2,1} |================| 610 | M^{2,2} |===== | 611 K-----|->K^2--> ... ... 612 | M^{2,q_2} |========== | 613 | 614 ... 615 | M^{t,1} |============ | 616 | M^{t,2} |============= | 617 +->K^t--> ... ... 618 M^{t,q_t} |========== | 620 _____________________________________________________________ 622 Figure 4: External parallel re-keying mechanisms 624 The frame key K^i, i = 1, ... , t-1, is updated after processing a 625 certain amount of messages (see Section 5.1). 627 5.2.1. Parallel Construction Based on a KDF on a Block Cipher 629 ExtParallelC re-keying mechanism is based on the key derivation 630 function on a block cipher and is used to generate t frame keys as 631 follows: 633 K^1 | K^2 | ... | K^t = ExtParallelC(K, t * k) = MSB_{t * 634 k}(E_{K}(Vec_n(0)) | 635 E_{K}(Vec_n(1)) | ... | E_{K}(Vec_n(R - 1))), 637 where R = ceil(t * k/n). 639 5.2.2. 
Parallel Construction Based on a KDF on a Hash Function 641 ExtParallelH re-keying mechanism is based on the key derivation 642 function HKDF-Expand, described in [RFC5869], and is used to generate 643 t frame keys as follows: 645 K^1 | K^2 | ... | K^t = ExtParallelH(K, t * k) = HKDF-Expand(K, 646 label, t * k), 648 where label is a string (may be a zero-length string) that is defined 649 by a specific protocol. 651 5.2.3. Tree-based Construction 653 The application of external tree-based mechanism leads to the 654 construction of the key tree with the initial key K (root key) at the 655 0-level and the frame keys K^1, K^2, ... at the last level as 656 described in Figure 6. 658 K_root = K 659 ___________|___________ 660 | ... | 661 V V 662 K{1,1} K{1,W1} 663 ______|______ ______|______ 664 | ... | | ... | 665 V V V V 666 K{2,1} K{2,W2} K{2,(W1-1)*W2+1} K{2,W1*W2} 667 __|__ __|__ __|__ __|__ 668 | ... | | ... | | ... | | ... | 669 V V V V V V V V 670 K{3,1} ... ... ... ... ... ... K{3,W1*W2*W3} 672 ... ... 673 __|__ ... __|__ 674 | ... | | ... | 675 V V V V 676 K{h,1} K{h,Wh} K{h,(W1*...*W{h-1}-1)*Wh+1} K{h,W1*...*Wh} 677 // \\ // \\ 678 K^1 K^{Wh} K^{(W1*...*W{h-1}-1)*Wh+1} K^{W1*...*Wh} 679 _______________________________________________________________________ 681 Figure 6: External Tree-based Mechanism 683 The tree height h and the number of keys Wj, j in {1, ... , h}, which 684 can be partitioned from "parent" key, are defined in accordance with 685 a specific protocol and key lifetime limitations for the used 686 derivation functions. 688 Each j-level key K{j,w}, where j in {1, ... , h}, w in {1, ... , W1 * 689 ... * Wj}, is derived from the (j-1)-level "parent" key K{j-1,ceil(w/ 690 Wi)} (and other appropriate input data) using the j-th level 691 derivation function that can be based on the block cipher function or 692 on the hash function and that is defined in accordance with a 693 specific protocol. 695 The i-th frame K^i, i in {1, 2, ... 
, W1*...*Wh}, can be calculated as follows:

      K^i = ExtKeyTree(K, i) =
         KDF_h(KDF_{h-1}(... KDF_1(K, ceil(i / (W2 * ... * Wh))) ... ,
               ceil(i / Wh)), i),

   where KDF_j is the j-th level derivation function; it takes two
   arguments (the parent key value and an integer in the range from 1 to
   W1 * ... * Wj) and outputs the j-th level key value.

   The frame key K^i is updated after processing a certain amount of
   messages (see Section 5.1).

   For an efficient implementation, during the generation of the frame
   key K^i the derivation functions KDF_j, j in {1, ... , h-1}, should
   be invoked only when ceil(i / (W{j+1} * ... * Wh)) !=
   ceil((i - 1) / (W{j+1} * ... * Wh)), i.e., when the j-level key on
   the path to K^i actually changes; otherwise the previously generated
   j-level key is reused.  This approach also makes it possible to take
   countermeasures against side-channel attacks.

   Consider an example.  Suppose h = 3, W1 = W2 = W3 = W, and KDF_1,
   KDF_2, KDF_3 are key derivation functions based on the
   KDF_GOSTR3411_2012_256 function (hereafter simply KDF) described in
   [RFC7836].  The resulting ExtKeyTree function can be defined as
   follows:

      ExtKeyTree(K, i) = KDF(KDF(KDF(K, "level1", ceil(i / W^2)),
                                 "level2", ceil(i / W)), "level3", i),

   where i in {1, 2, ... , W^3}.

   A structure similar to the external tree-based mechanism can be found
   in Section 6 of [NISTSP800-108].

5.3.  Serial Constructions

   External serial re-keying mechanisms generate frame keys, each of
   which depends on a secret state (K*_1, K*_2, ..., see Figure 5) that
   is updated after the generation of each new frame key.  Similar
   approaches are used in the [SIGNAL] protocol and in the traffic key
   update mechanism of [TLSDraft], and were proposed for use in the
   [U2F] protocol.
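   The three hash-based external mechanisms of this document, ExtParallelH
   (Section 5.2.2), ExtKeyTree (Section 5.2.3) and ExtSerialH (specified
   in Section 5.3.2 below), as one added example in Python.  This is not
   code from the draft or from its authors.  It assumes HMAC-SHA-256 as
   the hash function, k = 256 bits, the label strings written into the
   code, and, for the tree, KDF_j(parent, idx) = HKDF-Expand(parent,
   "level" | j | idx, k) in place of the KDF_GOSTR3411_2012_256 function
   used in the draft's example.  The initial key and the tree widths are
   constructed test values.  The tree keeps only the keys on the current
   path and recomputes a level only when its index changes, as
   Section 5.2.3 recommends; the serial construction overwrites its state
   after each frame key, which is what gives the forward secrecy discussed
   in Section 5.3.

```python
"""ExtParallelH, ExtKeyTree and ExtSerialH with HMAC-SHA-256 (illustration only)."""
import hashlib
import hmac
import math

K_BYTES = 32  # k = 256 bits for every frame key and state below (assumption)


def hkdf_expand(prk, info, length):
    """HKDF-Expand(PRK, info, L) from RFC 5869, instantiated with HMAC-SHA-256."""
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def ext_parallel_h(K, t, label=b"frame keys"):
    """Section 5.2.2: K^1 | ... | K^t = HKDF-Expand(K, label, t * k), cut into t keys."""
    okm = hkdf_expand(K, label, t * K_BYTES)
    return [okm[i * K_BYTES:(i + 1) * K_BYTES] for i in range(t)]


class ExtSerialH:
    """Section 5.3.2: K^i = HKDF-Expand(K*_i, label1, k), K*_{i+1} = HKDF-Expand(K*_i, label2, k).
    Only the current state K*_i is held; the previous state is overwritten (forward secrecy)."""

    def __init__(self, K, label1=b"frame key", label2=b"next state"):
        self.state = K  # K*_1 = K
        self.label1, self.label2 = label1, label2

    def next_frame_key(self):
        frame_key = hkdf_expand(self.state, self.label1, K_BYTES)
        self.state = hkdf_expand(self.state, self.label2, K_BYTES)  # advance to K*_{i+1}
        return frame_key


class ExtKeyTree:
    """Section 5.2.3 with h = len(W) levels and W[j-1] children per node at level j.
    KDF_j(parent, idx) = HKDF-Expand(parent, "level" | j | idx, k) is an assumed instantiation."""

    def __init__(self, K, W):
        self.K, self.W = K, tuple(W)
        self.path = {}       # level j -> (index at level j, key): only the current path is kept
        self.kdf_calls = 0   # counts derivation-function invocations

    def kdf(self, j, parent, idx):
        self.kdf_calls += 1
        return hkdf_expand(parent, b"level" + bytes([j]) + idx.to_bytes(4, "big"), K_BYTES)

    def frame_key(self, i):
        """K^i = KDF_h(... KDF_1(K, ceil(i / (W2*...*Wh))) ..., i), reusing unchanged levels."""
        key = self.K
        for j in range(1, len(self.W) + 1):
            below = math.prod(self.W[j:])           # W_{j+1} * ... * W_h (1 at the last level)
            idx = -(-i // below)                     # ceil(i / below)
            cached = self.path.get(j)
            if cached is None or cached[0] != idx:   # derive only when the level-j index changed
                self.path[j] = (idx, self.kdf(j, key, idx))
            key = self.path[j][1]
        return key


def rfc5869_selfcheck():
    """Test case A.1 of RFC 5869: PRK and expected OKM as published there."""
    prk = bytes.fromhex("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5")
    okm = hkdf_expand(prk, bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"), 42)
    return okm.hex() == ("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                         "34007208d5b887185865")


def tree_kdf_calls(K, W):
    """Derive all W1*...*Wh frame keys in order with path reuse and without it.
    Returns (both derivations agree, KDF calls with reuse, KDF calls without reuse)."""
    total = math.prod(W)
    tree = ExtKeyTree(K, W)
    with_reuse = [tree.frame_key(i) for i in range(1, total + 1)]
    agree, calls_without = True, 0
    for i in range(1, total + 1):
        fresh = ExtKeyTree(K, W)  # empty path: every level is recomputed
        agree = agree and fresh.frame_key(i) == with_reuse[i - 1]
        calls_without += fresh.kdf_calls
    return agree, tree.kdf_calls, calls_without


if __name__ == "__main__":
    K = bytes(range(32))  # constructed initial key
    print("RFC 5869 A.1 check:", rfc5869_selfcheck())
    print("parallel:", [x.hex()[:8] for x in ext_parallel_h(K, 3)])
    serial = ExtSerialH(K)
    print("serial:", [serial.next_frame_key().hex()[:8] for _ in range(3)])
    print("tree (W = 2,3,4): agree, calls with/without reuse =", tree_kdf_calls(K, (2, 3, 4)))
```

   With W = (2, 3, 4) the tree yields 24 frame keys; deriving them in
   order costs 2 + 6 + 24 = 32 KDF calls with path reuse against 72
   without it, and the keys are identical either way.  Note that the
   serial construction gives forward secrecy only: an adversary who
   obtains the current state can compute every later state and frame key.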
   External serial re-keying mechanisms have the obvious disadvantage
   that they cannot be implemented in parallel, but they can be
   preferable when additional forward secrecy is desirable: if all keys
   are securely deleted after use, compromise of the current secret
   state at some point in time does not lead to the compromise of the
   previous secret states and frame keys.  In terms of [TLSDraft],
   compromise of application_traffic_secret_N does not compromise the
   previous application_traffic_secret_i, i < N.  Note that the converse
   does not hold: once K*_i is known to the adversary, all subsequent
   states and frame keys can be computed from it.

   The main idea behind external re-keying with a serial construction is
   presented in Figure 5:

   Maximum message size = m_max.
   _____________________________________________________________
                                 m_max
                          <---------------->
                 M^{1,1}  |===             |
                 M^{1,2}  |=============== |
   K*_1 = K --->K^1-->   ...       ...
       |         M^{1,q_1}|========        |
       |
       |
       |         M^{2,1}  |================|
       v         M^{2,2}  |=====           |
     K*_2 ------->K^2-->  ...       ...
       |         M^{2,q_2}|==========      |
       |
      ...
       |         M^{t,1}  |============    |
       v         M^{t,2}  |=============   |
     K*_t ------->K^t-->  ...       ...
                 M^{t,q_t}|==========      |
   _____________________________________________________________

             Figure 5: External serial re-keying mechanisms

   The frame key K^i, i = 1, ... , t - 1, is updated after processing a
   certain amount of messages (see Section 5.1).

5.3.1.  Serial Construction Based on a KDF on a Block Cipher

   The frame key K^i is calculated using the ExtSerialC transformation
   as follows:

      K^i = ExtSerialC(K, i) =
         MSB_k(E_{K*_i}(Vec_n(0)) | E_{K*_i}(Vec_n(1)) | ... |
               E_{K*_i}(Vec_n(J - 1))),

   where J = ceil(k / n), i = 1, ... , t, and K*_i is calculated as
   follows:

      K*_1 = K,

      K*_{j+1} = MSB_k(E_{K*_j}(Vec_n(J)) | E_{K*_j}(Vec_n(J + 1)) |
                       ... | E_{K*_j}(Vec_n(2 * J - 1))),

   where j = 1, ... , t - 1.

5.3.2.
Serial Construction Based on a KDF on a Hash Function

   The frame key K^i is calculated using the ExtSerialH transformation
   as follows:

      K^i = ExtSerialH(K, i) = HKDF-Expand(K*_i, label1, k),

   where i = 1, ... , t, HKDF-Expand is the HMAC-based key derivation
   function described in [RFC5869], and K*_i is calculated as follows:

      K*_1 = K,

      K*_{j+1} = HKDF-Expand(K*_j, label2, k), where j = 1, ... , t - 1,

   and label1 and label2 are distinct strings from V* that are defined
   by a specific protocol (see, for example, the TLS 1.3 traffic key
   update algorithm [TLSDraft]).

5.4.  Exploiting Additional Entropy on Re-keying

   In many cases, mixing additional entropy into re-keying does not
   increase security but may give a false sense of it; therefore,
   relying on additional entropy requires a careful security analysis in
   the relevant security models.  For example, good PRF constructions do
   not require additional entropy to produce high-quality keys, so in
   most cases there is no need to mix additional entropy into external
   re-keying mechanisms that are based on a secure KDF.  However, in
   some situations mixed-in entropy can still increase security, e.g.,
   in the case of a time-limited but complete breach of the system in
   which the adversary can access the frame key generation interface but
   cannot extract the master keys (because they are stored in an HSM).

   For example, an external parallel construction based on a KDF on a
   hash function with mixed-in entropy can be described as follows:

      K^i = HKDF-Expand(K, label_i, k),

   where label_i is the additional entropy, which must be sent to the
   recipient (e.g., together with the encrypted message).  The entropy
   label_i and the corresponding key K^i must be generated directly
   before message processing: since label_i is fresh and chosen only
   when the key is needed, an adversary whose access to the key
   generation interface has ended cannot have obtained the frame keys of
   later messages.  Note that label_i is transmitted in the clear, so it
   adds nothing against an adversary who knows K.

6.
Internal Re-keying Mechanisms

   This section presents an approach to increasing the key lifetime by
   transforming the data processing key (section key) during the
   processing of each separate message.  Each message is processed
   starting with the same key (the first section key), and each section
   key is updated after processing N bits of the message (a section).

   This section provides the internal re-keying mechanisms called ACPKM
   (Advanced Cryptographic Prolongation of Key Material) and ACPKM-
   Master, which do not use and do use a master key, respectively.  Such
   mechanisms are integrated into the base modes of operation and
   actually form new modes of operation; therefore they are called
   "internal re-keying" mechanisms in this document.

   Internal re-keying mechanisms are recommended for protocols that
   process large single messages (e.g., CMS messages), since the maximum
   gain in key lifetime is achieved by increasing the length of a
   message, while they provide almost no increase in the number of
   messages that can be processed with one initial key.

   Internal re-keying increases the key lifetime through the following
   approach.  Suppose protocol P uses some base mode of operation.  Let
   L1 and L2 be the side channel and combinatorial limitations,
   respectively, and for some fixed number of messages q let m1 and m2
   be the lengths of messages that can be safely processed with a single
   initial key K according to these limitations.

   Thus, by analogy with Section 5, without re-keying the final key
   lifetime restriction, as displayed in Figure 7, is equal to L1, and
   only q messages of length m1 can be safely processed.
     K
     |
     v
   ^ +----------------+------------------------------------+
   | |==============L1|                                  L2|
   | |================|                                    |
   q |================|                                    |
   | |================|                                    |
   | |================|                                    |
   v +----------------+------------------------------------+
     <-------m1------->
     <----------------------------m2----------------------->

   Figure 7: Basic principles of message processing without internal
                              re-keying

   Suppose that the safety margin for the protocol P is fixed and the
   internal re-keying approach is applied to the base mode of operation.
   Suppose further that every message is processed with a section key,
   which is transformed after processing N bits of data, where N is a
   parameter.  If q * N does not exceed L1, then the side channel
   limitation L1 no longer applies, and the resulting key lifetime
   limitation of the initial key K can be calculated on the basis of a
   new combinatorial limitation L2'.  The security of the mode of
   operation that uses internal re-keying increases compared to the base
   mode of operation without re-keying (thus, L2 < L2').  Hence, as
   displayed in Figure 8, the resulting key lifetime limitation in the
   case of internal re-keying can be increased up to L2'.

     K-----> K^1-------------> K^2 -----------> . . .
     |                |
     v                v
   ^ +----------------+----------------+-------------------+--...--+
   | |==============L1|==============L1|======          L2|    L2'|
   | |================|================|======            |       |
   q |================|================|======  . . .     |       |
   | |================|================|======            |       |
   | |================|================|======            |       |
   v +----------------+----------------+-------------------+--...--+
     <-------N-------->

   Figure 8: Basic principles of message processing with internal
                              re-keying

   Note: the key transformation process is depicted in a simplified
   form.
A specific approach (the ACPKM and ACPKM-Master re-keying
   mechanisms) is described below.

   Since the performance of encryption can slightly decrease for rather
   small values of N, the parameter N should be selected for a
   particular protocol as the largest value that still provides the
   necessary key lifetime in the considered security models.

   Consider an example.  Suppose L1 = 128 MB and L2 = 10 TB.  Let the
   message size in the protocol be large/unlimited (a single message may
   exhaust the whole key lifetime L2).  The most restrictive resulting
   key lifetime limitation is then equal to 128 MB.

   Thus, there is a need to put a limit on the maximum message size
   m_max.  For example, if m_max = 32 MB, it may happen that
   renegotiation of the initial key K is required after processing only
   four messages.

   If an internal re-keying mechanism with section size N = 1 MB is
   used, L1 / N = 128 MB / 1 MB = 128 messages (or more, if some
   messages are shorter than N) can be processed before renegotiation of
   the initial key K (instead of 4 messages when no internal re-keying
   mechanism is used).  Note that only one section of each message is
   processed with the section key K^i, and consequently the key lifetime
   limitation L1 no longer restricts the initial key.  Hence the
   resulting key lifetime limitation L2' can be set to more than 10 TB
   (in the case when a single large message is processed using the
   initial key K).

6.1.  Methods of Key Lifetime Control

   Suppose L is the amount of data that can be safely processed with one
   section key and N is the section size (a fixed parameter).  Suppose
   M^{i}_1 is the first section of message M^{i}, i = 1, ... , q (see
   Figure 9 and Figure 10); then the parameter q can be calculated in
   accordance with one of the following two approaches:

   o  Explicit approach:
      q is such that |M^{1}_1| + ... + |M^{q}_1| <= L, |M^{1}_1| + ...
      + |M^{q+1}_1| > L.
      This approach allows the section key K^i to be used in an almost
      optimal way, but it can be applied only when messages cannot be
      lost or reordered (e.g., TLS records).

   o  Implicit approach:
      q = L / N.
      The amount of data processed with one section key K^i is
      calculated under the assumption that the length of every message
      is greater than or equal to the section size N, so the amount
      actually processed may be considerably less than the key lifetime
      limitation L.  On the other hand, this approach can be applied
      when messages may be lost or reordered (e.g., DTLS records).

6.2.  Constructions that Do Not Require Master Key

   This section describes the block cipher modes that use the ACPKM re-
   keying mechanism, which does not use a master key: the initial key is
   used directly for data encryption.

6.2.1.  ACPKM Re-keying Mechanisms

   This section defines a periodic key transformation without a master
   key, which is called the ACPKM re-keying mechanism.  This mechanism
   can be applied to one of the base encryption modes (the CTR and GCM
   block cipher modes) to obtain an extension of that encryption mode
   that uses periodic key transformation without a master key.  This
   extension can be considered a new encryption mode.

   An additional parameter that defines the functioning of base
   encryption modes with the ACPKM re-keying mechanism is the section
   size N.  The value of N is measured in bits and is fixed within a
   specific protocol based on the requirements of the system capacity
   and the key lifetime.  The section size N MUST be divisible by the
   block size n.

   The main idea behind internal re-keying without a master key is
   presented in Figure 9:

   Section size = const = N,
   maximum message size = m_max.
   ____________________________________________________________________
           ACPKM        ACPKM                    ACPKM
   K^1 = K ---> K^2 ---...-> K^{l_max-1} ----> K^{l_max}
      |          |              |                 |
      |          |              |                 |
      v          v              v                 v
   M^{1} |==========|==========| ... |==========|=======:  |
   M^{2} |==========|==========| ... |===       |       :  |
    . . .     . . .                .     . .    :
    :    :    :    :               :     :  :   :
   M^{q} |==========|==========| ... |==========|=====  :  |
          section                                      :
         <---------->                                m_max
            N bit
   ___________________________________________________________________
   l_max = ceil(m_max/N).

              Figure 9: Internal re-keying without a master key

   During the processing of an input message M of length m in some
   encryption mode that uses the ACPKM key transformation of the initial
   key K, the message is divided into l = ceil(m / N) sections (denoted
   as M = M_1 | M_2 | ... | M_l, where M_i is in V_N for i in {1, 2,
   ... , l - 1} and M_l is in V_r, r <= N).  The first section of each
   message is processed with the section key K^1 = K.  To process the
   (i + 1)-th section of each message, the section key K^{i+1} is
   calculated using the ACPKM transformation as follows:

      K^{i+1} = ACPKM(K^i) = MSB_k(E_{K^i}(D_1) | ... | E_{K^i}(D_J)),

   where J = ceil(k / n) and D_1, D_2, ... , D_J are in V_n and are
   calculated as follows:

      D_1 | D_2 | ...
      | D_J = MSB_{J * n}(D),

   where D is the following constant in V_{1024}:

      D = ( 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87
          | 88 | 89 | 8a | 8b | 8c | 8d | 8e | 8f
          | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97
          | 98 | 99 | 9a | 9b | 9c | 9d | 9e | 9f
          | a0 | a1 | a2 | a3 | a4 | a5 | a6 | a7
          | a8 | a9 | aa | ab | ac | ad | ae | af
          | b0 | b1 | b2 | b3 | b4 | b5 | b6 | b7
          | b8 | b9 | ba | bb | bc | bd | be | bf
          | c0 | c1 | c2 | c3 | c4 | c5 | c6 | c7
          | c8 | c9 | ca | cb | cc | cd | ce | cf
          | d0 | d1 | d2 | d3 | d4 | d5 | d6 | d7
          | d8 | d9 | da | db | dc | dd | de | df
          | e0 | e1 | e2 | e3 | e4 | e5 | e6 | e7
          | e8 | e9 | ea | eb | ec | ed | ee | ef
          | f0 | f1 | f2 | f3 | f4 | f5 | f6 | f7
          | f8 | f9 | fa | fb | fc | fd | fe | ff )

   Note: The constant D is such that D_1, ... , D_J are pairwise
   different for any allowed n and k values.

   Note: The constant D is such that the highest bit of each of its
   octets is equal to 1.  This condition is important: in conjunction
   with a certain message length limitation of the mode, it prevents
   collisions between the block cipher inputs used for key
   transformation and those used for message processing.  For instance,
   with the limit m_max = n * 2^{c-1} of the CTR-ACPKM mode the counter
   part of every counter block stays below 2^{c-1}, so the most
   significant octet of the counter part has its highest bit equal to 0
   and no counter block can coincide with any D_j (for more details see
   Section 4.4 of [AAOS2017]).

6.2.2.  CTR-ACPKM Encryption Mode

   This section defines the CTR-ACPKM encryption mode, which uses the
   ACPKM internal re-keying mechanism for periodic key transformation.

   The CTR-ACPKM mode can be considered as the base encryption mode CTR
   (see [MODES]) extended by the ACPKM re-keying mechanism.

   The CTR-ACPKM encryption mode can be used with the following
   parameters:

   o  64 <= n <= 512;

   o  128 <= k <= 512;

   o  the number c of bits in the part of the block to be incremented is
      such that 32 <= c <= 3 / 4 n and c is a multiple of 8;

   o  the maximum message size m_max = n * 2^{c-1}.
   The CTR-ACPKM mode encryption and decryption procedures are defined
   as follows:

   ------------------------------------------------------------------
   CTR-ACPKM-Encrypt(N, K, ICN, P)
   ------------------------------------------------------------------
   Input:
      - section size N,
      - initial key K,
      - initial counter nonce ICN in V_{n-c},
      - plaintext P = P_1 | ... | P_b, |P| <= m_max.
   Output:
      - ciphertext C.
   ------------------------------------------------------------------
   1. CTR_1 = ICN | 0^c
   2. For j = 2, 3, ... , b do
         CTR_{j} = Inc_c(CTR_{j-1})
   3. K^1 = K
   4. For i = 2, 3, ... , ceil(|P| / N)
         K^i = ACPKM(K^{i-1})
   5. For j = 1, 2, ... , b do
         i = ceil(j * n / N),
         G_j = E_{K^i}(CTR_j)
   6. C = P (xor) MSB_{|P|}(G_1 | ... | G_b)
   7. Return C
   ------------------------------------------------------------------

   ------------------------------------------------------------------
   CTR-ACPKM-Decrypt(N, K, ICN, C)
   ------------------------------------------------------------------
   Input:
      - section size N,
      - initial key K,
      - initial counter nonce ICN in V_{n-c},
      - ciphertext C = C_1 | ... | C_b, |C| <= m_max.
   Output:
      - plaintext P.
   ------------------------------------------------------------------
   1. P = CTR-ACPKM-Encrypt(N, K, ICN, C)
   2. Return P
   ------------------------------------------------------------------

   The initial counter nonce ICN value for each message that is
   encrypted under the given initial key K must be chosen in a unique
   manner.  Since the section keys K^1, K^2, ... depend on K only,
   reusing an ICN under the same initial key reproduces the whole
   keystream and leaks the XOR of the two plaintexts, exactly as in the
   base CTR mode.

6.2.3.  GCM-ACPKM Authenticated Encryption Mode

   This section defines the GCM-ACPKM authenticated encryption mode,
   which uses the ACPKM internal re-keying mechanism for periodic key
   transformation.
   The GCM-ACPKM mode can be considered as the base authenticated
   encryption mode GCM (see [GCM]) extended by the ACPKM re-keying
   mechanism.

   The GCM-ACPKM authenticated encryption mode can be used with the
   following parameters:

   o  n in {128, 256};

   o  128 <= k <= 512;

   o  the number c of bits in the part of the block to be incremented is
      such that 1 / 4 n <= c <= 1 / 2 n and c is a multiple of 8;

   o  authentication tag length t;

   o  the maximum message size m_max = min{n * (2^{c-1} - 2), 2^{n/2} -
      1}.

   The GCM-ACPKM mode encryption and decryption procedures are defined
   as follows:

   ------------------------------------------------------------------
   GHASH(X, H)
   ------------------------------------------------------------------
   Input:
      - bit string X = X_1 | ... | X_m, X_1, ... , X_m in V_n.
   Output:
      - block GHASH(X, H) in V_n.
   ------------------------------------------------------------------
   1. Y_0 = 0^n
   2. For i = 1, ... , m do
         Y_i = (Y_{i-1} (xor) X_i) * H
   3. Return Y_m
   ------------------------------------------------------------------

   ------------------------------------------------------------------
   GCTR(N, K, ICB, X)
   ------------------------------------------------------------------
   Input:
      - section size N,
      - initial key K,
      - initial counter block ICB,
      - X = X_1 | ... | X_b.
   Output:
      - Y in V_{|X|}.
   ------------------------------------------------------------------
   1. If X in V_0 then return Y, where Y in V_0
   2. GCTR_1 = ICB
   3. For i = 2, ... , b do
         GCTR_i = Inc_c(GCTR_{i-1})
   4. K^1 = K
   5. For j = 2, ... , ceil(|X| / N)
         K^j = ACPKM(K^{j-1})
   6. For i = 1, ...
, b do
         j = ceil(i * n / N),
         G_i = E_{K^j}(GCTR_i)
   7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b)
   8. Return Y
   ------------------------------------------------------------------

   ------------------------------------------------------------------
   GCM-ACPKM-Encrypt(N, K, ICN, P, A)
   ------------------------------------------------------------------
   Input:
      - section size N,
      - initial key K,
      - initial counter nonce ICN in V_{n-c},
      - plaintext P = P_1 | ... | P_b, |P| <= m_max,
      - additional authenticated data A.
   Output:
      - ciphertext C,
      - authentication tag T.
   ------------------------------------------------------------------
   1. H = E_{K}(0^n)
   2. ICB_0 = ICN | 0^{c-1} | 1
   3. C = GCTR(N, K, Inc_c(ICB_0), P)
   4. u = n * ceil(|C| / n) - |C|
      v = n * ceil(|A| / n) - |A|
   5. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) | Vec_{n/2}(|C|), H)
   6. T = MSB_t(E_{K}(ICB_0) (xor) S)
   7. Return C | T
   ------------------------------------------------------------------

   ------------------------------------------------------------------
   GCM-ACPKM-Decrypt(N, K, ICN, A, C, T)
   ------------------------------------------------------------------
   Input:
      - section size N,
      - initial key K,
      - initial counter nonce ICN in V_{n-c},
      - additional authenticated data A,
      - ciphertext C = C_1 | ... | C_b, |C| <= m_max,
      - authentication tag T.
   Output:
      - plaintext P or FAIL.
   ------------------------------------------------------------------
   1. H = E_{K}(0^n)
   2. ICB_0 = ICN | 0^{c-1} | 1
   3. P = GCTR(N, K, Inc_c(ICB_0), C)
   4. u = n * ceil(|C| / n) - |C|
      v = n * ceil(|A| / n) - |A|
   5.
S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) | Vec_{n/2}(|C|), H)
   6. T' = MSB_t(E_{K}(ICB_0) (xor) S)
   7. If T = T' then return P; else return FAIL
   ------------------------------------------------------------------

   The * operation on (pairs of) the 2^n possible blocks corresponds to
   the multiplication operation in the binary Galois (finite) field of
   2^n elements defined by the polynomial f as follows (by analogy with
   [GCM]):

      n = 128: f = a^128 + a^7 + a^2 + a^1 + 1,

      n = 256: f = a^256 + a^10 + a^5 + a^2 + 1.

   The initial counter nonce ICN value for each message that is
   encrypted under the given initial key K must be chosen in a unique
   manner.

   The key for computing the values E_{K}(ICB_0) and H is not updated
   and is equal to the initial key K.  As with the base GCM mode, an
   implementation must not release the plaintext P before the tag has
   been verified, and the comparison of T and T' should be performed in
   constant time.

6.3.  Constructions that Require Master Key

   This section describes the block cipher modes that use the ACPKM-
   Master re-keying mechanism, which uses the initial key K as a master
   key: K is never used directly for data processing but only for key
   derivation.

6.3.1.  ACPKM-Master Key Derivation from the Master Key

   This section defines a periodic key transformation with a master key,
   which is called the ACPKM-Master re-keying mechanism.  This mechanism
   can be applied to one of the base modes of operation (the CTR, GCM,
   CBC, CFB and OMAC modes) to obtain an extension that uses periodic
   key transformation with a master key.  This extension can be
   considered a new mode of operation.

   Additional parameters that define the functioning of modes of
   operation that use the ACPKM-Master re-keying mechanism are the
   section size N, the change frequency T* of the master keys K*_1,
   K*_2, ... (see Figure 10) and the size d of the section key material.
   The values of N and T* are measured in bits and are fixed within a
   specific protocol, based on the requirements of the system capacity
   and the key lifetime.  The section size N MUST be divisible by the
   block size n.  The master key frequency T* MUST be divisible by d and
   by n.

   The main idea behind internal re-keying with a master key is
   presented in Figure 10:

   Master key frequency T*,
   section size N,
   maximum message size = m_max.
   __________________________________________________________________________________
                 ACPKM                           ACPKM
   K*_1 = K--------------> K*_2 ---------...---------> K*_l_max
      ___|___                ___|___                      ___|___
     |       |              |       |                    |       |
     v  ...  v              v  ...  v                    v  ...  v
    K[1]    K[t]          K[t+1]   K[2t]      K[(l_max-1)t+1]  K[l_max*t]
     |       |              |       |                    |       |
     |       |              |       |                    |       |
     v       v              v       v                    v       v
   M^{1}||========|...|========||========|...|========||...||========|...|==     :  ||
   M^{2}||========|...|========||========|...|========||...||========|...|======:  ||
    ... ||        |   |        ||        |   |        ||   ||        |   |      :  ||
   M^{q}||========|...|========||====    |...|        ||...||        |...|      :  ||
          section                                                               :
         <-------->                                                             :
           N bit                                                              m_max
   __________________________________________________________________________________
   |K[i]| = d,
   t = T* / d,
   l_max = ceil(m_max / (N * t)).

                 Figure 10: Internal re-keying with a master key

   During the processing of an input message M of length m in some mode
   of operation that uses the ACPKM-Master key transformation with the
   initial key K and the master key frequency T*, the message M is
   divided into l = ceil(m / N) sections (denoted as M = M_1 | M_2 |
   ... | M_l, where M_i is in V_N for i in {1, 2, ... , l - 1} and M_l
   is in V_r, r <= N).  The j-th section of each message is processed
   with the key material K[j], j in {1, ... , l}, |K[j]| = d, that is
   calculated with the ACPKM-Master algorithm as follows:

      K[1] | ...
      | K[l] = ACPKM-Master(T*, K, d, l) =
         CTR-ACPKM-Encrypt(T*, K, 1^{n/2}, 0^{d*l}).

   In this invocation of CTR-ACPKM-Encrypt the section size is T* and
   the counter part of the block has c = n/2 bits (the nonce 1^{n/2}
   lies in V_{n-c}), so each master key K*_i produces t = T* / d pieces
   of section key material before it is transformed by ACPKM.

   Note: the parameters d and l MUST be such that d * l <= n *
   2^{n/2-1}.

6.3.2.  CTR-ACPKM-Master Encryption Mode

   This section defines the CTR-ACPKM-Master encryption mode, which
   uses the ACPKM-Master internal re-keying mechanism for periodic key
   transformation.

   The CTR-ACPKM-Master encryption mode can be considered as the base
   encryption mode CTR (see [MODES]) extended by the ACPKM-Master re-
   keying mechanism.

   The CTR-ACPKM-Master encryption mode can be used with the following
   parameters:

   o  64 <= n <= 512;

   o  128 <= k <= 512;

   o  the number c of bits in the part of the block to be incremented is
      such that 32 <= c <= 3 / 4 n and c is a multiple of 8;

   o  the maximum message size m_max = min{N * (n * 2^{n/2-1} / k), n *
      2^c}.

   The key material K[j] that is used for processing the j-th section
   is equal to K^j, |K^j| = k bits.

   The CTR-ACPKM-Master mode encryption and decryption procedures are
   defined as follows:

   ------------------------------------------------------------------
   CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, P)
   ------------------------------------------------------------------
   Input:
      - section size N,
      - initial key K,
      - master key frequency T*,
      - initial counter nonce ICN in V_{n-c},
      - plaintext P = P_1 | ... | P_b, |P| <= m_max.
   Output:
      - ciphertext C.
   ------------------------------------------------------------------
   1. CTR_1 = ICN | 0^c
   2. For j = 2, 3, ... , b do
         CTR_{j} = Inc_c(CTR_{j-1})
   3. l = ceil(|P| / N)
   4. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l)
   5. For j = 1, 2, ... , b do
         i = ceil(j * n / N),
         G_j = E_{K^i}(CTR_j)
   6. C = P (xor) MSB_{|P|}(G_1 | ... | G_b)
   7.
Return C
   ------------------------------------------------------------------

   ------------------------------------------------------------------
   CTR-ACPKM-Master-Decrypt(N, K, T*, ICN, C)
   ------------------------------------------------------------------
   Input:
      - section size N,
      - initial key K,
      - master key frequency T*,
      - initial counter nonce ICN in V_{n-c},
      - ciphertext C = C_1 | ... | C_b, |C| <= m_max.
   Output:
      - plaintext P.
   ------------------------------------------------------------------
   1. P = CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, C)
   2. Return P
   ------------------------------------------------------------------

   The initial counter nonce ICN value for each message that is
   encrypted under the given initial key K must be chosen in a unique
   manner.

6.3.3.  GCM-ACPKM-Master Authenticated Encryption Mode

   This section defines the GCM-ACPKM-Master authenticated encryption
   mode, which uses the ACPKM-Master internal re-keying mechanism for
   periodic key transformation.

   The GCM-ACPKM-Master authenticated encryption mode can be considered
   as the base authenticated encryption mode GCM (see [GCM]) extended by
   the ACPKM-Master re-keying mechanism.

   The GCM-ACPKM-Master authenticated encryption mode can be used with
   the following parameters:

   o  n in {128, 256};

   o  128 <= k <= 512;

   o  the number c of bits in the part of the block to be incremented is
      such that 1 / 4 n <= c <= 1 / 2 n and c is a multiple of 8;

   o  authentication tag length t;

   o  the maximum message size m_max = min{N * (n * 2^{n/2-1} / k), n *
      (2^c - 2), 2^{n/2} - 1}.

   The key material K[j] that is used for processing the j-th section
   is equal to K^j, |K^j| = k bits.
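   The ACPKM transformation (Section 6.2.1), the CTR-ACPKM mode
   (Section 6.2.2), the ACPKM-Master derivation (Section 6.3.1) and the
   CTR-ACPKM-Master mode (Section 6.3.2), as one added example in Python,
   placed here because ACPKM-Master is itself defined in terms of
   CTR-ACPKM-Encrypt.  This is not code from the draft or from its
   authors.  It assumes n = 128, k = 256, c = 32 for the data modes and,
   in place of a real block cipher, a keyed function built from
   HMAC-SHA-256 truncated to one block: CTR-type modes only ever apply
   E_K in the forward direction, so a PRF is enough to exercise the key
   schedule, and a deployment would substitute AES or Kuznyechik.  The
   initial key, nonce and plaintext are constructed test values.

```python
"""ACPKM, CTR-ACPKM, ACPKM-Master and CTR-ACPKM-Master (illustration only)."""
import hashlib
import hmac

N_BITS, K_BITS = 128, 256         # block size n and key size k in bits (assumption)
n, k = N_BITS // 8, K_BITS // 8   # the same in bytes
D = bytes(range(0x80, 0x100))     # the 1024-bit constant D of Section 6.2.1


def E(key, block):
    """Stand-in for E_K (HMAC-SHA-256 truncated to n bytes); see the lead-in."""
    assert len(key) == k and len(block) == n
    return hmac.new(key, block, hashlib.sha256).digest()[:n]


def acpkm(key):
    """K^{i+1} = ACPKM(K^i) = MSB_k(E_{K^i}(D_1) | ... | E_{K^i}(D_J)), J = ceil(k / n)."""
    J = -(-k // n)
    return b"".join(E(key, D[j * n:(j + 1) * n]) for j in range(J))[:k]


def inc_c(ctr, c_bits):
    """Inc_c: add 1 modulo 2^c to the low c bits; the nonce part is untouched."""
    c = c_bits // 8
    counter = (int.from_bytes(ctr[n - c:], "big") + 1) % (1 << c_bits)
    return ctr[:n - c] + counter.to_bytes(c, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_acpkm_encrypt(N, K, ICN, P, c_bits=32):
    """CTR-ACPKM-Encrypt(N, K, ICN, P): N in bits, ICN in V_{n-c}.  Block j is encrypted
    under section key K^i, i = ceil(j * n / N), with K^1 = K and K^{i+1} = ACPKM(K^i)."""
    assert N % N_BITS == 0 and len(ICN) * 8 == N_BITS - c_bits and 32 <= c_bits <= 3 * N_BITS // 4
    assert len(P) * 8 <= N_BITS * 2 ** (c_bits - 1)      # m_max = n * 2^{c-1}
    ctr, key, section, keystream = ICN + bytes(c_bits // 8), K, 1, b""   # CTR_1 = ICN | 0^c
    for j in range(1, -(-len(P) // n) + 1):
        i = -(-j * N_BITS // N)                          # ceil(j * n / N)
        if i != section:                                 # first block of a new section
            key, section = acpkm(key), i
        keystream += E(key, ctr)
        ctr = inc_c(ctr, c_bits)
    return xor(P, keystream)                             # C = P xor MSB_{|P|}(G_1 | ... | G_b)


ctr_acpkm_decrypt = ctr_acpkm_encrypt


def acpkm_master(T, K, d, l):
    """K[1] | ... | K[l] = CTR-ACPKM-Encrypt(T*, K, 1^{n/2}, 0^{d*l}): section size T*,
    counter part c = n/2, so each master key yields t = T*/d pieces before ACPKM advances it."""
    assert T % d == 0 and T % N_BITS == 0 and d * l <= N_BITS * 2 ** (N_BITS // 2 - 1)
    material = ctr_acpkm_encrypt(T, K, b"\xff" * (n // 2), bytes(d * l // 8), c_bits=N_BITS // 2)
    return [material[x * d // 8:(x + 1) * d // 8] for x in range(l)]


def ctr_acpkm_master_encrypt(N, K, T, ICN, P, c_bits=32):
    """CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, P): section j uses K^j = K[j], |K^j| = k;
    the initial key K never touches the data."""
    assert N % N_BITS == 0 and len(ICN) * 8 == N_BITS - c_bits
    assert len(P) * 8 <= min(N * (N_BITS * 2 ** (N_BITS // 2 - 1) // K_BITS), N_BITS * 2 ** c_bits)
    keys = acpkm_master(T, K, K_BITS, -(-len(P) * 8 // N))   # l = ceil(|P| / N) section keys
    ctr, keystream = ICN + bytes(c_bits // 8), b""
    for j in range(1, -(-len(P) // n) + 1):
        keystream += E(keys[-(-j * N_BITS // N) - 1], ctr)
        ctr = inc_c(ctr, c_bits)
    return xor(P, keystream)


ctr_acpkm_master_decrypt = ctr_acpkm_master_encrypt


def section_keys(K, sections):
    """The schedule K^1 = K, K^2 = ACPKM(K^1), ... that CTR-ACPKM walks through."""
    keys = [K]
    for _ in range(sections - 1):
        keys.append(acpkm(keys[-1]))
    return keys


# Constructed test values: 256-bit key, 96-bit nonce (n - c for c = 32), 100-byte message.
K = bytes(range(k))
ICN = bytes.fromhex("00112233445566778899aabb")
P = bytes(range(100))
SECTION = 256   # N = 256 bits: a new section key every two blocks
T_STAR = 512    # T* = 512 bits: two section keys per master key

if __name__ == "__main__":
    C = ctr_acpkm_encrypt(SECTION, K, ICN, P)
    assert ctr_acpkm_decrypt(SECTION, K, ICN, C) == P
    print("CTR-ACPKM section keys:", [x.hex()[:8] for x in section_keys(K, 4)])
    C2 = ctr_acpkm_master_encrypt(SECTION, K, T_STAR, ICN, P)
    assert ctr_acpkm_master_decrypt(SECTION, K, T_STAR, ICN, C2) == P
    print("ACPKM-Master material:", [x.hex()[:8] for x in acpkm_master(T_STAR, K, K_BITS, 4)])
```

   With N = 256 the first two blocks of the message are processed under
   K^1 = K and the next two under K^2 = ACPKM(K); with T* = 512 and
   d = k = 256, K[1] and K[2] come from the master state K*_1 = K and
   K[3] and K[4] from K*_2 = ACPKM(K), the counter of the inner CTR-ACPKM
   invocation running from 1^{n/2} | 0^{n/2} upward.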
   The GCM-ACPKM-Master mode encryption and decryption procedures are
   defined as follows:

   ------------------------------------------------------------------
   GHASH(X, H)
   ------------------------------------------------------------------
   Input:
      - bit string X = X_1 | ... | X_m, X_i in V_n for i in {1, ... , m}.
   Output:
      - block GHASH(X, H) in V_n.
   ------------------------------------------------------------------
   1. Y_0 = 0^n
   2. For i = 1, ... , m do
         Y_i = (Y_{i-1} (xor) X_i) * H
   3. Return Y_m
   ------------------------------------------------------------------

   ------------------------------------------------------------------
   GCTR(N, K, T*, ICB, X)
   ------------------------------------------------------------------
   Input:
      - section size N,
      - initial key K,
      - master key frequency T*,
      - initial counter block ICB,
      - X = X_1 | ... | X_b.
   Output:
      - Y in V_{|X|}.
   ------------------------------------------------------------------
   1. If X in V_0 then return Y, where Y in V_0
   2. GCTR_1 = ICB
   3. For i = 2, ... , b do
         GCTR_i = Inc_c(GCTR_{i-1})
   4. l = ceil(|X| / N)
   5. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l)
   6. For j = 1, ... , b do
         i = ceil(j * n / N),
         G_j = E_{K^i}(GCTR_j)
   7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b)
   8.
Return Y
   ------------------------------------------------------------------

   ------------------------------------------------------------------
   GCM-ACPKM-Master-Encrypt(N, K, T*, ICN, P, A)
   ------------------------------------------------------------------
   Input:
      - section size N,
      - initial key K,
      - master key frequency T*,
      - initial counter nonce ICN in V_{n-c},
      - plaintext P = P_1 | ... | P_b, |P| <= m_max,
      - additional authenticated data A.
   Output:
      - ciphertext C,
      - authentication tag T.
   ------------------------------------------------------------------
   1. K^1 = ACPKM-Master(T*, K, k, 1)
   2. H = E_{K^1}(0^n)
   3. ICB_0 = ICN | 0^{c-1} | 1
   4. C = GCTR(N, K, T*, Inc_c(ICB_0), P)
   5. u = n * ceil(|C| / n) - |C|
      v = n * ceil(|A| / n) - |A|
   6. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) | Vec_{n/2}(|C|), H)
   7. T = MSB_t(E_{K^1}(ICB_0) (xor) S)
   8. Return C | T
   ------------------------------------------------------------------

   ------------------------------------------------------------------
   GCM-ACPKM-Master-Decrypt(N, K, T*, ICN, A, C, T)
   ------------------------------------------------------------------
   Input:
      - section size N,
      - initial key K,
      - master key frequency T*,
      - initial counter nonce ICN in V_{n-c},
      - additional authenticated data A,
      - ciphertext C = C_1 | ... | C_b, |C| <= m_max,
      - authentication tag T.
   Output:
      - plaintext P or FAIL.
   ------------------------------------------------------------------
   1. K^1 = ACPKM-Master(T*, K, k, 1)
   2. H = E_{K^1}(0^n)
   3. ICB_0 = ICN | 0^{c-1} | 1
   4. P = GCTR(N, K, T*, Inc_c(ICB_0), C)
   5.
u = n * ceil(|C| / n) - |C| | 1515 | v = n * ceil(|A| / n) - |A| | 1516 | 6. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) | | 1517 | | Vec_{n/2}(|C|), H) | 1518 | 7. T' = MSB_t(E_{K^1}(ICB_0) (xor) S) | 1519 | 8. IF T = T' then return P; else return FAIL. | 1520 +-------------------------------------------------------------------+ 1522 The * operation on (pairs of) the 2^n possible blocks corresponds to 1523 the multiplication operation for the binary Galois (finite) field of 1524 2^n elements defined by the polynomial f as follows (by analogy with 1525 [GCM]): 1527 n = 128: f = a^128 + a^7 + a^2 + a^1 + 1, 1529 n = 256: f = a^256 + a^10 + a^5 + a^2 + 1. 1531 The initial vector IV value for each message that is encrypted under 1532 the given initial key must be chosen in a unique manner. 1534 6.3.4. CBC-ACPKM-Master Encryption Mode 1536 This section defines a CBC-ACPKM-Master encryption mode that uses the 1537 ACPKM-Master internal re-keying mechanism for the periodical key 1538 transformation. 1540 The CBC-ACPKM-Master encryption mode can be considered as the base 1541 encryption mode CBC (see [MODES]) extended by the ACPKM-Master re- 1542 keying mechanism. 1544 The CBC-ACPKM-Master encryption mode can be used with the following 1545 parameters: 1547 o 64 <= n <= 512; 1549 o 128 <= k <= 512; 1551 o the maximum message size m_max = N * (n * 2^{n/2-1} / k). 1553 In the specification of the CBC-ACPKM-Master mode the plaintext and 1554 ciphertext must be a sequence of one or more complete data blocks. 1555 If the data string to be encrypted does not initially satisfy this 1556 property, then it MUST be padded to form complete data blocks. The 1557 padding methods are out of the scope of this document. An example of 1558 a padding method can be found in Appendix A of [MODES]. 1560 The key material K[j] that is used for the j-th section processing is 1561 equal to K^j, |K^j| = k bits. 
1563 We will denote by D_{K} the decryption function which is a 1564 permutation inverse to E_{K}. 1566 The CBC-ACPKM-Master mode encryption and decryption procedures are 1567 defined as follows: 1569 +----------------------------------------------------------------+ 1570 | CBC-ACPKM-Master-Encrypt(N, K, T*, IV, P) | 1571 |----------------------------------------------------------------| 1572 | Input: | 1573 | - section size N, | 1574 | - initial key K, | 1575 | - master key frequency T*, | 1576 | - initialization vector IV in V_n, | 1577 | - plaintext P = P_1 | ... | P_b, |P_b| = n, |P| <= m_max. | 1578 | Output: | 1579 | - ciphertext C. | 1580 |----------------------------------------------------------------| 1581 | 1. l = ceil(|P| / N) | 1582 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1583 | 3. C_0 = IV | 1584 | 4. For j = 1, 2, ... , b do | 1585 | i = ceil(j * n / N), | 1586 | C_j = E_{K^i}(P_j (xor) C_{j-1}) | 1587 | 5. Return C = C_1 | ... | C_b | 1588 |----------------------------------------------------------------+ 1590 +----------------------------------------------------------------+ 1591 | CBC-ACPKM-Master-Decrypt(N, K, T*, IV, C) | 1592 |----------------------------------------------------------------| 1593 | Input: | 1594 | - section size N, | 1595 | - initial key K, | 1596 | - master key frequency T*, | 1597 | - initialization vector IV in V_n, | 1598 | - ciphertext C = C_1 | ... | C_b, |C_b| = n, |C| <= m_max. | 1599 | Output: | 1600 | - plaintext P. | 1601 |----------------------------------------------------------------| 1602 | 1. l = ceil(|C| / N) | 1603 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1604 | 3. C_0 = IV | 1605 | 4. For j = 1, 2, ... , b do | 1606 | i = ceil(j * n / N) | 1607 | P_j = D_{K^i}(C_j) (xor) C_{j-1} | 1608 | 5. Return P = P_1 | ... 
| P_b | 1609 +----------------------------------------------------------------+ 1611 The initialization vector IV for each message that is encrypted under 1612 the given initial key does not need to be secret, but must be 1613 unpredictable. 1615 6.3.5. CFB-ACPKM-Master Encryption Mode 1617 This section defines a CFB-ACPKM-Master encryption mode that uses the 1618 ACPKM-Master internal re-keying mechanism for the periodical key 1619 transformation. 1621 The CFB-ACPKM-Master encryption mode can be considered as the base 1622 encryption mode CFB (see [MODES]) extended by the ACPKM-Master re- 1623 keying mechanism. 1625 The CFB-ACPKM-Master encryption mode can be used with the following 1626 parameters: 1628 o 64 <= n <= 512; 1630 o 128 <= k <= 512; 1632 o the maximum message size m_max = N * (n * 2^{n/2-1} / k). 1634 The key material K[j] that is used for the j-th section processing is 1635 equal to K^j, |K^j| = k bits. 1637 The CFB-ACPKM-Master mode encryption and decryption procedures are 1638 defined as follows: 1640 +-------------------------------------------------------------+ 1641 | CFB-ACPKM-Master-Encrypt(N, K, T*, IV, P) | 1642 |-------------------------------------------------------------| 1643 | Input: | 1644 | - section size N, | 1645 | - initial key K, | 1646 | - master key frequency T*, | 1647 | - initialization vector IV in V_n, | 1648 | - plaintext P = P_1 | ... | P_b, |P| <= m_max. | 1649 | Output: | 1650 | - ciphertext C. | 1651 |-------------------------------------------------------------| 1652 | 1. l = ceil(|P| / N) | 1653 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1654 | 3. C_0 = IV | 1655 | 4. For j = 1, 2, ... , b - 1 do | 1656 | i = ceil(j * n / N), | 1657 | C_j = E_{K^i}(C_{j-1}) (xor) P_j | 1658 | 5. C_b = MSB_{|P_b|}(E_{K^l}(C_{b-1})) (xor) P_b | 1659 | 6. Return C = C_1 | ... 
| C_b | 1660 |-------------------------------------------------------------+ 1662 +-------------------------------------------------------------+ 1663 | CFB-ACPKM-Master-Decrypt(N, K, T*, IV, C) | 1664 |-------------------------------------------------------------| 1665 | Input: | 1666 | - section size N, | 1667 | - initial key K, | 1668 | - master key frequency T*, | 1669 | - initialization vector IV in V_n, | 1670 | - ciphertext C = C_1 | ... | C_b, |C| <= m_max. | 1671 | Output: | 1672 | - plaintext P. | 1673 |-------------------------------------------------------------| 1674 | 1. l = ceil(|C| / N) | 1675 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1676 | 3. C_0 = IV | 1677 | 4. For j = 1, 2, ... , b - 1 do | 1678 | i = ceil(j * n / N), | 1679 | P_j = E_{K^i}(C_{j-1}) (xor) C_j | 1680 | 5. P_b = MSB_{|C_b|}(E_{K^l}(C_{b-1})) (xor) C_b | 1681 | 6. Return P = P_1 | ... | P_b | 1682 +-------------------------------------------------------------+ 1684 The initialization vector IV for each message that is encrypted under 1685 the given initial key need not to be secret, but must be 1686 unpredictable. 1688 6.3.6. OMAC-ACPKM-Master Authentication Mode 1690 This section defines an OMAC-ACPKM-Master message authentication code 1691 calculation mode that uses the ACPKM-Master internal re-keying 1692 mechanism for the periodical key transformation. 1694 The OMAC-ACPKM-Master mode can be considered as the base message 1695 authentication code calculation mode OMAC, which is also known as 1696 CMAC (see [RFC4493]), extended by the ACPKM-Master re-keying 1697 mechanism. 1699 The OMAC-ACPKM-Master message authentication code calculation mode 1700 can be used with the following parameters: 1702 o n in {64, 128, 256}; 1704 o 128 <= k <= 512; 1706 o the maximum message size m_max = N * (n * 2^{n/2-1} / (k + n)). 1708 The key material K[j] that is used for one section processing is 1709 equal to K^j | K^j_1, where |K^j| = k and |K^j_1| = n. 
The following is a specification of the subkey generation process of
OMAC:

+----------------------------------------------------------------------+
| Generate_Subkey(K1, r)                                               |
|----------------------------------------------------------------------|
| Input:                                                               |
| - key K1,                                                            |
| - length r of the last message block.                                |
| Output:                                                              |
| - key SK.                                                            |
|----------------------------------------------------------------------|
| 1. If r = n then return K1                                           |
| 2. If r < n then                                                     |
|      if MSB_1(K1) = 0                                                |
|         return K1 << 1                                               |
|      else                                                            |
|         return (K1 << 1) (xor) R_n                                   |
+----------------------------------------------------------------------+

Here R_n takes the following values:

o  n = 64: R_{64} = 0^{59} | 11011;

o  n = 128: R_{128} = 0^{120} | 10000111;

o  n = 256: R_{256} = 0^{245} | 10000100101.

The OMAC-ACPKM-Master message authentication code calculation mode is
defined as follows:

+----------------------------------------------------------------------+
| OMAC-ACPKM-Master(K, N, T*, M)                                       |
|----------------------------------------------------------------------|
| Input:                                                               |
| - section size N,                                                    |
| - initial key K,                                                     |
| - master key frequency T*,                                           |
| - plaintext M = M_1 | ... | M_b, |M| <= m_max.                       |
| Output:                                                              |
| - message authentication code T.                                     |
|----------------------------------------------------------------------|
| 1. C_0 = 0^n                                                         |
| 2. l = ceil(|M| / N)                                                 |
| 3. K^1 | K^1_1 | ... | K^l | K^l_1 = ACPKM-Master(T*, K, (k + n), l) |
| 4. For j = 1, 2, ... , b - 1 do                                      |
|      i = ceil(j * n / N),                                            |
|      C_j = E_{K^i}(M_j (xor) C_{j-1})                                |
| 5. SK = Generate_Subkey(K^l_1, |M_b|)                                |
| 6. If |M_b| = n then M*_b = M_b                                      |
|    else M*_b = M_b | 1 | 0^{n - 1 - |M_b|}                           |
| 7. T = E_{K^l}(M*_b (xor) C_{b-1} (xor) SK)                          |
| 8. Return T                                                          |
+----------------------------------------------------------------------+

7.  Joint Usage of External and Internal Re-keying

Both external re-keying and internal re-keying have their own
advantages and disadvantages, discussed in Section 1.  For instance,
external re-keying can essentially limit the message length, while in
the case of internal re-keying the section size, which can be chosen
as large as operational properties allow, limits the number of
separate messages.  Neither technique is preferable in general,
because the choice depends on the protocol features.  However, some
protocols have features that call for the advantages of both
external and internal re-keying: for example, the protocol mainly
transmits messages of small length, but it must additionally support
the processing of very long messages.  In such situations it is
necessary to use external and internal re-keying jointly, since these
techniques negate each other's disadvantages.

For a composition of external and internal re-keying techniques, any
mechanism described in Section 5 can be used with any mechanism
described in Section 6.

For example, consider the GCM-ACPKM mode with external serial
re-keying based on a KDF on a hash function.  Denote by the frame
size the number of messages in each frame (in the case of the
implicit approach to key lifetime control) for external re-keying.

Let L be a key lifetime limitation.  The section size N for internal
re-keying and the frame size q for external re-keying must be chosen
so that q * N does not exceed L.

Suppose that t messages (ICN_i, P_i, A_i), with initial counter nonce
ICN_i, plaintext P_i and additional authenticated data A_i, will be
processed before renegotiation.

For authenticated encryption of each message (ICN_i, P_i, A_i), i =
1, ..., t, the following algorithm can be applied:

1. j = ceil(i / q),
2. K^j = ExtSerialH(K, j),
3. C_i | T_i = GCM-ACPKM-Encrypt(N, K^j, ICN_i, P_i, A_i).

Note that the nonces ICN_i used under the same frame key must be
unique for each message.

8.  Security Considerations

Re-keying should be used to increase the "a priori" security
properties of ciphers in hostile environments (e.g., with
side-channel adversaries).  If efficient attacks are known for a
cipher, it must not be used, so re-keying cannot be used as a patch
for vulnerable ciphers.  The base cipher's properties must be well
analyzed, because the security of re-keying mechanisms is based on
the security of the block cipher as a pseudorandom function.

Re-keying is not intended to solve any post-quantum security issues
for symmetric cryptography, since the reduction of security caused by
Grover's algorithm does not depend on the amount of plaintext
transformed by a cipher: only a negligible amount of material
(sufficient for key uniqueness) is needed, whereas the aim of
re-keying is to limit the amount of plaintext transformed under one
initial key.

Re-keying can provide backward security only if previous key material
is securely deleted after usage by all parties.

9.  References

9.1.  Normative References

[CMS]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, September 2009.

[DTLS]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, January 2012.

[ESP]  Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, DOI 10.17487/RFC4303, December 2005.

[GCM]  Dworkin, M., "Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC", NIST Special Publication 800-38D, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf, November 2007.

[MODES]  Dworkin, M., "Recommendation for Block Cipher Modes of Operation: Methods and Techniques", NIST Special Publication 800-38A, December 2001.

[NISTSP800-108]  National Institute of Standards and Technology, "Recommendation for Key Derivation Using Pseudorandom Functions", NIST Special Publication 800-108, November 2008.

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

[RFC4493]  Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June 2006.

[RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, DOI 10.17487/RFC5869, May 2010.

[RFC7836]  Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V., Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines on the Cryptographic Algorithms to Accompany the Usage of Standards GOST R 34.10-2012 and GOST R 34.11-2012", RFC 7836, DOI 10.17487/RFC7836, March 2016.

[SSH]  Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, January 2006.

[TLS]  Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008.

[TLSDraft]  Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", 2017.

9.2.  Informative References

[AAOS2017]  Ahmetzyanova, L., Alekseev, E., Oshkin, I., and S. Smyshlyaev, "Increasing the Lifetime of Symmetric Keys for the GCM Mode by Internal Re-keying", Cryptology ePrint Archive Report 2017/697, 2017.

[AbBell]  Abdalla, M. and M. Bellare, "Increasing the Lifetime of a Key: A Comparative Analysis of the Security of Re-keying Techniques", ASIACRYPT 2000, LNCS 1976, pp. 546-559, 2000.

[FKK2005]  Fu, K., Kamara, S., and T. Kohno, "Key Regression: Enabling Efficient Key Distribution for Secure Distributed Storage", November 2005.

[FPS2012]  Faust, S., Pietrzak, K., and J. Schipper, "Practical Leakage-Resilient Symmetric Cryptography", CHES 2012, LNCS vol. 7428, pp. 213-232, 2012.

[FRESHREKEYING]  Dziembowski, S., Faust, S., Herold, G., Journault, A., Masny, D., and F. Standaert, "Towards Sound Fresh Re-Keying with Hard (Physical) Learning Problems", Cryptology ePrint Archive Report 2016/573, June 2016.

[GGM]  Goldreich, O., Goldwasser, S., and S. Micali, "How to Construct Random Functions", Journal of the Association for Computing Machinery Vol. 33, No. 4, pp. 792-807, October 1986.

[KMNT2003]  Kim, Y., Maino, F., Narasimha, M., and G. Tsudik, "Secure Group Services for Storage Area Networks", IEEE Communications Magazine 41, pp. 92-99, 2003.

[LDC]  Heys, H., "A Tutorial on Linear and Differential Cryptanalysis", 2017.

[OWT]  Joye, M. and S. Yen, "One-Way Cross-Trees and Their Applications", DOI 10.1007/3-540-45664-3_25, February 2002.

[P3]  Alexander, P., "Dynamic Key Changes on Encrypted Sessions", CFRG mail archive, December 2017.

[Pietrzak2009]  Pietrzak, K., "A Leakage-Resilient Mode of Operation", EUROCRYPT 2009, LNCS vol. 5479, pp. 462-482, 2009.

[SIGNAL]  Perrin, T., Ed. and M. Marlinspike, "The Double Ratchet Algorithm", November 2016.

[Sweet32]  Bhargavan, K. and G. Leurent, "On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN", Cryptology ePrint Archive Report 2016/798, 2016.

[TAHA]  Taha, M. and P. Schaumont, "Key Updating for Leakage Resiliency With Application to AES Modes of Operation", DOI 10.1109/TIFS.2014.2383359, December 2014.

[TEMPEST]  Ramsay, C. and J. Lohuis, "TEMPEST attacks against AES. Covertly stealing keys for 200 euro", 2017.

[U2F]  Chang, D., Mishra, S., Sanadhya, S., and A. Singh, "On Making U2F Protocol Leakage-Resilient via Re-keying", Cryptology ePrint Archive Report 2017/721, August 2017.

Appendix A.  Test Examples

A.1.  Test Examples for External Re-keying

A.1.1.  External Re-keying with a Parallel Construction

External re-keying with a parallel construction based on AES-256
****************************************************************
k = 256
t = 128
2015 K^126: 2016 2F 3F 15 1B 53 88 23 CD 7D 03 FC 3D FD B3 57 5E 2017 23 E4 1C 4E 46 FF 6B 33 34 12 27 84 EF 5D 82 23 2019 K^127: 2020 8E 51 31 FB 0B 64 BB D0 BC D4 C5 7B 1C 66 EF FD 2021 97 43 75 10 6C AF 5D 5E 41 E0 17 F4 05 63 05 ED 2023 K^128: 2024 77 4F BF B3 22 60 C5 3B A3 8E FE B1 96 46 76 41 2025 94 49 AF 84 2D 84 65 A7 F4 F7 2C DC A4 9D 84 F9 2026 External re-keying with a parallel construction based on SHA-256 2027 **************************************************************** 2028 k = 256 2029 t = 128 2031 label: 2032 SHA2label 2034 Initial key: 2035 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2036 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2038 K^1: 2039 C1 A1 4C A0 30 29 BE 43 9F 35 3C 79 1A 51 48 57 2040 26 7A CD 5A E8 7D E7 D1 B2 E2 C7 AF A4 29 BD 35 2042 K^2: 2043 03 68 BB 74 41 2A 98 ED C4 7B 94 CC DF 9C F4 9E 2044 A9 B8 A9 5F 0E DC 3C 1E 3B D2 59 4D D1 75 82 D4 2046 K^3: 2047 2F D3 68 D3 A7 8F 91 E6 3B 68 DC 2B 41 1D AC 80 2048 0A C3 14 1D 80 26 3E 61 C9 0D 24 45 2A BD B1 AE 2050 ... 2052 K^126: 2053 55 AC 2B 25 00 78 3E D4 34 2B 65 0E 75 E5 8B 76 2054 C8 04 E9 D3 B6 08 7D C0 70 2A 99 A4 B5 85 F1 A1 2056 K^127: 2057 77 4D 15 88 B0 40 90 E5 8C 6A D7 5D 0F CF 0A 4A 2058 6C 23 F1 B3 91 B1 EF DF E5 77 64 CD 09 F5 BC AF 2060 K^128: 2061 E5 81 FF FB 0C 90 88 CD E5 F4 A5 57 B6 AB D2 2E 2062 94 C3 42 06 41 AB C1 72 66 CC 2F 59 74 9C 86 B3 2064 A.1.2. 
External Re-keying with a Serial Construction 2066 External re-keying with a serial construction based on AES-256 2067 ************************************************************** 2068 AES 256 examples: 2069 k = 256 2070 t = 128 2071 Initial key: 2072 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2073 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2075 K*_1: 2076 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2077 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2079 K^1: 2080 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2081 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2083 K*_2: 2084 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2085 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2087 K^2: 2088 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2089 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2091 K*_3: 2092 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2093 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2095 K^3: 2096 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2097 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2099 ... 
2101 K*_126: 2102 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2103 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2105 K^126: 2106 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2107 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2109 K*_127: 2110 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2111 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2113 K^127: 2114 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2115 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2117 K*_128: 2118 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2119 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2121 K^128: 2122 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2123 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2125 External re-keying with a serial construction based on SHA-256 2126 ************************************************************** 2127 k = 256 2128 t = 128 2130 Initial key: 2131 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2132 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2134 label1: 2135 SHA2label1 2137 label2: 2138 SHA2label2 2140 K*_1: 2141 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2142 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2144 K^1: 2145 2D A8 D1 37 6C FD 52 7F F7 36 A4 E2 81 C6 0A 9B 2146 F3 8E 66 97 ED 70 4F B5 FB 10 33 CC EC EE D5 EC 2148 K*_2: 2149 14 65 5A D1 7C 19 86 24 9B D3 56 DF CC BE 73 6F 2150 52 62 4A 9D E3 CC 40 6D A9 48 DA 5C D0 68 8A 04 2152 K^2: 2153 2F EA 8D 57 2B EF B8 89 42 54 1B 8C 1B 3F 8D B1 2154 84 F9 56 C7 FE 01 11 99 1D FB 98 15 FE 65 85 CF 2156 K*_3: 2157 18 F0 B5 2A D2 45 E1 93 69 53 40 55 43 70 95 8D 2158 70 F0 20 8C DF B0 5D 67 CD 1B BF 96 37 D3 E3 EB 2160 K^3: 2161 53 C7 4E 79 AE BC D1 C8 24 04 BF F6 D7 B1 AC BF 2162 F9 C0 0E FB A8 B9 48 29 87 37 E1 BA E7 8F F7 92 2163 ... 
2165 K*_126: 2166 A3 6D BF 02 AA 0B 42 4A F2 C0 46 52 68 8B C7 E6 2167 5E F1 62 C3 B3 2F DD EF E4 92 79 5D BB 45 0B CA 2169 K^126: 2170 6C 4B D6 22 DC 40 48 0F 29 C3 90 B8 E5 D7 A7 34 2171 23 4D 34 65 2C CE 4A 76 2C FE 2A 42 C8 5B FE 9A 2173 K*_127: 2174 84 5F 49 3D B8 13 1D 39 36 2B BE D3 74 8F 80 A1 2175 05 A7 07 37 BA 15 72 E0 73 49 C2 67 5D 0A 28 A1 2177 K^127: 2178 57 F0 BD 5A B8 2A F3 6B 87 33 CF F7 22 62 B4 D0 2179 F0 EE EF E1 50 74 E5 BA 13 C1 23 68 87 36 29 A2 2181 K*_128: 2182 52 F2 0F 56 5C 9C 56 84 AF 69 AD 45 EE B8 DA 4E 2183 7A A6 04 86 35 16 BA 98 E4 CB 46 D2 E8 9A C1 09 2185 K^128: 2186 9B DD 24 7D F3 25 4A 75 E0 22 68 25 68 DA 9D D5 2187 C1 6D 2D 2B 4F 3F 1F 2B 5E 99 82 7F 15 A1 4F A4 2189 A.2. Test Examples for Internal Re-keying 2191 A.2.1. Internal Re-keying Mechanisms that Do Not Require Master Key 2193 CTR-ACPKM mode with AES-256 2194 *************************** 2195 k = 256 2196 n = 128 2197 c = 64 2198 N = 256 2200 Initial key K: 2201 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2202 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2204 Plain text P: 2205 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2206 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2207 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2208 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2209 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2210 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2211 00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 2213 ICN: 2214 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 2215 23 34 45 56 67 78 89 90 12 13 14 15 16 17 18 19 2217 D_1: 2218 00000: 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 2220 D_2: 2221 00000: 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F 2223 Section 1 2225 Section key K^1: 2226 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2227 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2229 Input block CTR_1: 2230 00000: 12 34 56 78 90 AB CE F0 
00 00 00 00 00 00 00 00 2232 Output block G_1: 2233 00000: FD 7E F8 9A D9 7E A4 B8 8D B8 B5 1C 1C 9D 6D D0 2235 Input block CTR_2: 2236 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 01 2238 Output block G_2: 2239 00000: 19 98 C5 71 76 37 FB 17 11 E4 48 F0 0C 0D 60 B2 2241 Section 2 2243 Section key K^2: 2244 00000: F6 80 D1 21 2F A4 3D F4 EC 3A 91 DE 2A B1 6F 1B 2245 00010: 36 B0 48 8A 4F C1 2E 09 98 D2 E4 A8 88 E8 4F 3D 2247 Input block CTR_3: 2248 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 02 2250 Output block G_3: 2251 00000: E4 88 89 4F B6 02 87 DB 77 5A 07 D9 2C 89 46 EA 2253 Input block CTR_4: 2254 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 03 2255 Output block G_4: 2256 00000: BC 4F 87 23 DB F0 91 50 DD B4 06 C3 1D A9 7C A4 2258 Section 3 2260 Section key K^3: 2261 00000: 8E B9 7E 43 27 1A 42 F1 CA 8E E2 5F 5C C7 C8 3B 2262 00010: 1A CE 9E 5E D0 6A A5 3B 57 B9 6A CF 36 5D 24 B8 2264 Input block CTR_5: 2265 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 04 2267 Output block G_5: 2268 00000: 68 6F 22 7D 8F B2 9C BD 05 C8 C3 7D 22 FE 3B B7 2270 Input block CTR_6: 2271 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 05 2273 Output block G_6: 2274 00000: C0 1B F9 7F 75 6E 12 2F 80 59 55 BD DE 2D 45 87 2276 Section 4 2278 Section key K^4: 2279 00000: C5 71 6C C9 67 98 BC 2D 4A 17 87 B7 8A DF 94 AC 2280 00010: E8 16 F8 0B DB BC AD 7D 60 78 12 9C 0C B4 02 F5 2282 Block number 7: 2284 Input block CTR_7: 2285 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 06 2287 Output block G_7: 2288 00000: 03 DE 34 74 AB 9B 65 8A 3B 54 1E F8 BD 2B F4 7D 2290 The result G = G_1 | G_2 | G_3 | G_4 | G_5 | G_6 | G_7: 2291 00000: FD 7E F8 9A D9 7E A4 B8 8D B8 B5 1C 1C 9D 6D D0 2292 00010: 19 98 C5 71 76 37 FB 17 11 E4 48 F0 0C 0D 60 B2 2293 00020: E4 88 89 4F B6 02 87 DB 77 5A 07 D9 2C 89 46 EA 2294 00030: BC 4F 87 23 DB F0 91 50 DD B4 06 C3 1D A9 7C A4 2295 00040: 68 6F 22 7D 8F B2 9C BD 05 C8 C3 7D 22 FE 3B B7 2296 00050: C0 1B F9 7F 75 6E 12 2F 
80 59 55 BD DE 2D 45 87 2297 00060: 03 DE 34 74 AB 9B 65 8A 3B 54 1E F8 BD 2B F4 7D 2299 The result ciphertext C = P (xor) MSB_{|P|}(G): 2300 00000: EC 5C CB DE 8C 18 D3 B8 72 56 68 D0 A7 37 F4 58 2301 00010: 19 89 E7 42 32 62 9D 60 99 7D E2 4B C0 E3 9F B8 2302 00020: F5 AA BA 0B E3 64 F0 53 EE F0 BC 15 C2 76 4C EA 2303 00030: 9E 7C C3 76 BD 87 19 C9 77 0F CA 2D E2 A3 7C B5 2304 00040: 5B 2B 77 1B F8 3A 05 17 BE 04 2D 82 28 FE 2A 95 2305 00050: 84 4E 9F 08 FD F7 B8 94 4C B7 AA B7 DE 3C 67 B4 2306 00060: 56 B8 43 FC 32 31 DE 46 D5 AB 14 F8 AC 09 C7 39 2308 GCM-ACPKM mode with AES-128 2309 *************************** 2310 k = 128 2311 n = 128 2312 c = 32 2313 N = 256 2315 Initilal Key K: 2316 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2318 Additional data A: 2319 00000: 11 22 33 2321 Plaintext: 2322 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2323 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2324 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2326 ICN: 2327 00000: 00 00 00 00 00 00 00 00 00 00 00 00 2329 Number of sections: 2 2331 Section key K^1: 2332 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2334 Section key K^2: 2335 00000: 15 1A 9F B0 B6 AC C5 97 6A FB 50 31 D1 DE C8 41 2337 Encrypted GCTR_1 | GCTR_2 | GCTR_3: 2338 00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78 2339 00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0 2340 00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD 2342 Ciphertext C: 2343 00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78 2344 00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0 2345 00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD 2347 GHASH input: 2349 00000: 11 22 33 00 00 00 00 00 00 00 00 00 00 00 00 00 2350 00010: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78 2351 00020: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0 2352 00030: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD 2353 00040: 00 00 00 00 00 00 00 18 00 00 00 00 00 00 01 80 2355 GHASH 
output S: 2356 00000: E8 ED E9 94 9A DD 55 30 B0 F4 4E F5 00 FC 3E 3C 2358 Authentication tag T: 2359 00000: B0 0F 15 5A 60 A3 65 51 86 8B 53 A2 A4 1B 7B 66 2361 The result C | T: 2362 00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78 2363 00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0 2364 00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD 2365 00030: B0 0F 15 5A 60 A3 65 51 86 8B 53 A2 A4 1B 7B 66 2367 A.2.2. Internal Re-keying Mechanisms with a Master Key 2369 CTR-ACPKM-Master mode with AES-256 2370 ********************************** 2371 k = 256 2372 n = 128 2373 c for CTR-ACPKM mode = 64 2374 c for CTR-ACPKM-Master mode = 64 2375 N = 256 2376 T* = 512 2378 Initial key K: 2379 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2380 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2382 Initial vector ICN: 2383 00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 2385 Plaintext P: 2386 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2387 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2388 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2389 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2390 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2391 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2392 00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 2393 K^1 | K^2 | K^3 | K^4: 2394 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2395 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2396 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2397 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2398 00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2399 00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2400 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2401 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2403 Section 1 2405 K^1: 2406 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2407 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 
Input block CTR_1:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 00

Output block G_1:
00000: 8C A2 B6 82 A7 50 65 3F 8E BF 08 E7 9F 99 4D 5C

Input block CTR_2:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 01

Output block G_2:
00000: F6 A6 A5 BA 58 14 1E ED 23 DC 31 68 D2 35 89 A1

Section 2

K^2:
00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0
00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3

Input block CTR_3:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 02

Output block G_3:
00000: 4A 07 5F 86 05 87 72 94 1D 8E 7D F8 32 F4 23 71

Input block CTR_4:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 03

Output block G_4:
00000: 23 35 66 AF 61 DD FE A7 B1 68 3F BA B0 52 4A D7

Section 3

K^3:
00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4
00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94

Input block CTR_5:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 04

Output block G_5:
00000: A8 09 6D BC E8 BB 52 FC DE 6E 03 70 C1 66 95 E8

Input block CTR_6:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 05

Output block G_6:
00000: C6 E3 6E 8E 5B 82 AA C4 A6 6C 14 8D B1 F6 9B EF

Section 4

K^4:
00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12

Input block CTR_7:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 06

Output block G_7:
00000: 82 2B E9 07 96 37 44 95 75 36 3F A7 07 F8 40 22

The result G = G_1 | G_2 | G_3 | G_4 | G_5 | G_6 | G_7:
00000: 8C A2 B6 82 A7 50 65 3F 8E BF 08 E7 9F 99 4D 5C
00010: F6 A6 A5 BA 58 14 1E ED 23 DC 31 68 D2 35 89 A1
00020: 4A 07 5F 86 05 87 72 94 1D 8E 7D F8 32 F4 23 71
00030: 23 35 66 AF 61 DD FE A7 B1 68 3F BA B0 52 4A D7
00040: A8 09 6D BC E8 BB 52 FC DE 6E 03 70 C1 66 95 E8
00050: C6 E3 6E 8E 5B 82 AA C4 A6 6C 14 8D B1 F6 9B EF
00060: 82 2B E9 07 96 37 44 95 75 36 3F A7 07 F8 40 22

The result ciphertext C = P (xor) MSB_{|P|}(G):
00000: 9D 80 85 C6 F2 36 12 3F 71 51 D5 2B 24 33 D4 D4
00010: F6 B7 87 89 1C 41 78 9A AB 45 9B D3 1E DB 76 AB
00020: 5B 25 6C C2 50 E1 05 1C 84 24 C6 34 DC 0B 29 71
00030: 01 06 22 FA 07 AA 76 3E 1B D3 F3 54 4F 58 4A C6
00040: 9B 4D 38 DA 9F 33 CB 56 65 A2 ED 8F CB 66 84 CA
00050: 82 B6 08 F9 D3 1B 00 7F 6A 82 EB 87 B1 E7 B9 DC
00060: D7 4D 9E 8F 0F 9D FF 59 9B C9 35 A7 16 DA 73 66

GCM-ACPKM-Master mode with AES-256
**********************************
k = 192
n = 128
c for the CTR-ACPKM mode = 64
c for the GCM-ACPKM-Master mode = 32
T* = 384
N = 256

Initial key K:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00

Additional data A:
00000: 11 22 33

Plaintext:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

ICN:
00000: 00 00 00 00 00 00 00 00 00 00 00 00

Number of sections: 3

K^1 | K^2 | K^3:
00000: 93 BA AF FB 35 FB E7 39 C1 7C 6A C2 2E EC F1 8F
00010: 7B 89 F0 BF 8B 18 07 05 96 48 68 9F 36 A7 65 CC
00020: CD 5D AC E2 0D 47 D9 18 D7 86 D0 41 A8 3B AB 99
00030: F5 F8 B1 06 D2 71 78 B1 B0 08 C9 99 0B 72 E2 87
00040: 5A 2D 3C BE F1 6E 67 3C

Encrypted GCTR_1 | ... | GCTR_5:
00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52
00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8
00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE
00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14
00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08

Ciphertext C:
00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52
00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8
00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE
00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14
00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08

GHASH input:
00000: 11 22 33 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52
00020: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8
00030: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE
00040: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14
00050: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08
00060: 00 00 00 00 00 00 00 18 00 00 00 00 00 00 02 80

GHASH output S:
00000: 6E A3 4B D5 6A C5 40 B7 3E 55 D5 86 D1 CC 09 7D

Authentication tag T:
00000: CC 3A BA 11 8C E7 85 FD 77 78 94 D4 B5 20 69 F8

The result C | T:
00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52
00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8
00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE
00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14
00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08
00050: CC 3A BA 11 8C E7 85 FD 77 78 94 D4 B5 20 69 F8

CBC-ACPKM-Master mode with AES-256
**********************************
k = 256
n = 128
c for the CTR-ACPKM mode = 64
N = 256
T* = 512

Initial key K:
00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

Initial vector IV:
00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12

Plaintext P:
00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33
00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44

K^1 | K^2 | K^3 | K^4:
00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60
00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0
00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3
00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4
00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94
00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12

Section 1

K^1:
00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60

Plaintext block P_1:
00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

Input block P_1 (xor) C_0:
00000: 03 16 65 3C C5 CD B9 F0 5E 5C 1E 18 5E 5A 98 9A

Output block C_1:
00000: 59 CB 5B CA C2 69 2C 60 0D 46 03 A0 C7 40 C9 7C

Plaintext block P_2:
00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A

Input block P_2 (xor) C_1:
00000: 59 DA 79 F9 86 3C 4A 17 85 DF A9 1B 0B AE 36 76

Output block C_2:
00000: 80 B6 02 74 54 8B F7 C9 78 1F A1 05 8B F6 8B 42

Section 2

K^2:
00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0
00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3

Plaintext block P_3:
00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00

Input block P_3 (xor) C_2:
00000: 91 94 31 30 01 ED 80 41 E1 B5 1A C9 65 09 81 42

Output block C_3:
00000: 8C 24 FB CF 68 15 B1 AF 65 FE 47 75 95 B4 97 59

Plaintext block P_4:
00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11

Input block P_4 (xor) C_3:
00000: AE 17 BF 9A 0E 62 39 36 CF 45 8B 9B 6A BE 97 48

Output block C_4:
00000: 19 65 A5 00 58 0D 50 23 72 1B E9 90 E1 83 30 E9

Section 3

K^3:
00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4
00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94

Plaintext block P_5:
00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22

Input block P_5 (xor) C_4:
00000: 2A 21 F0 66 2F 85 C9 89 C9 D7 07 6F EB 83 21 CB

Output block C_5:
00000: 56 D8 34 F4 6F 0F 4D E6 20 53 A9 5C B5 F6 3C 14

Plaintext block P_6:
00000: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33

Input block P_6 (xor) C_5:
00000: 12 8D 52 83 E7 96 E7 5D EC BD 56 56 B5 E7 1E 27

Output block C_6:
00000: 66 68 2B 8B DD 6E B2 7E DE C7 51 D6 2F 45 A5 45

Section 4

K^4:
00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12

Plaintext block P_7:
00000: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44

Input block P_7 (xor) C_6:
00000: 33 0E 5C 03 44 C4 09 B2 30 38 5B D6 3E 67 96 01

Output block C_7:
00000: 7F 4D 87 F9 CA E9 56 09 79 C4 FA FE 34 0B 45 34

Ciphertext C:
00000: 59 CB 5B CA C2 69 2C 60 0D 46 03 A0 C7 40 C9 7C
00010: 80 B6 02 74 54 8B F7 C9 78 1F A1 05 8B F6 8B 42
00020: 8C 24 FB CF 68 15 B1 AF 65 FE 47 75 95 B4 97 59
00030: 19 65 A5 00 58 0D 50 23 72 1B E9 90 E1 83 30 E9
00040: 56 D8 34 F4 6F 0F 4D E6 20 53 A9 5C B5 F6 3C 14
00050: 66 68 2B 8B DD 6E B2 7E DE C7 51 D6 2F 45 A5 45
00060: 7F 4D 87 F9 CA E9 56 09 79 C4 FA FE 34 0B 45 34

CFB-ACPKM-Master mode with AES-256
**********************************
k = 256
n = 128
c for the CTR-ACPKM mode = 64
N = 256
T* = 512

Initial key K:
00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

Initial vector IV:
00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12

Plaintext P:
00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33
00060: 55 66 77 88 99 AA BB CC

K^1 | K^2 | K^3 | K^4:
00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60
00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0
00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3
00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4
00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94
00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12

Section 1

K^1:
00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60

Plaintext block P_1:
00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

Encrypted block E_{K^1}(C_0):
00000: 1C 39 9D 59 F8 5D 91 91 A9 D2 12 9F 63 15 90 03

Output block C_1 = E_{K^1}(C_0) (xor) P_1:
00000: 0D 1B AE 1D AD 3B E6 91 56 3C CF 53 D8 BF 09 8B

Plaintext block P_2:
00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A

Encrypted block E_{K^1}(C_1):
00000: 6B A2 C5 42 52 69 C6 0B 15 14 06 87 90 46 F6 2E

Output block C_2 = E_{K^1}(C_1) (xor) P_2:
00000: 6B B3 E7 71 16 3C A0 7C 9D 8D AC 3C 5C A8 09 24

Section 2

K^2:
00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0
00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3
Plaintext block P_3:
00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00

Encrypted block E_{K^2}(C_2):
00000: 95 45 5F DB C3 9E 0A 13 9F CB 10 F5 BD 79 A3 88

Output block C_3 = E_{K^2}(C_2) (xor) P_3:
00000: 84 67 6C 9F 96 F8 7D 9B 06 61 AB 39 53 86 A9 88

Plaintext block P_4:
00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11

Encrypted block E_{K^2}(C_3):
00000: E0 AA 32 5D 80 A4 47 95 BA 42 BF 63 F8 4A C8 B2

Output block C_4 = E_{K^2}(C_3) (xor) P_4:
00000: C2 99 76 08 E6 D3 CF 0C 10 F9 73 8D 07 40 C8 A3

Section 3

K^3:
00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4
00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94

Plaintext block P_5:
00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22

Encrypted block E_{K^3}(C_4):
00000: FE 42 8C 70 C2 51 CE 13 36 C1 BF 44 F8 49 66 89

Output block C_5 = E_{K^3}(C_4) (xor) P_5:
00000: CD 06 D9 16 B5 D9 57 B9 8D 0D 51 BB F2 49 77 AB

Plaintext block P_6:
00000: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33

Encrypted block E_{K^3}(C_5):
00000: 01 24 80 87 86 18 A5 43 11 0A CC B5 0A E5 02 A3

Output block C_6 = E_{K^3}(C_5) (xor) P_6:
00000: 45 71 E6 F0 0E 81 0F F8 DD E4 33 BF 0A F4 20 90

Section 4

K^4:
00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12

Plaintext block P_7:
00000: 55 66 77 88 99 AA BB CC

Encrypted block MSB_{|P_7|}(E_{K^4}(C_6)):
00000: 97 5C 96 37 55 1E 8C 7F

Output block C_7 = MSB_{|P_7|}(E_{K^4}(C_6)) (xor) P_7:
00000: C2 3A E1 BF CC B4 37 B3

Ciphertext C:
00000: 0D 1B AE 1D AD 3B E6 91 56 3C CF 53 D8 BF 09 8B
00010: 6B B3 E7 71 16 3C A0 7C 9D 8D AC 3C 5C A8 09 24
00020: 84 67 6C 9F 96 F8 7D 9B 06 61 AB 39 53 86 A9 88
00030: C2 99 76 08 E6 D3 CF 0C 10 F9 73 8D 07 40 C8 A3
00040: CD 06 D9 16 B5 D9 57 B9 8D 0D 51 BB F2 49 77 AB
00050: 45 71 E6 F0 0E 81 0F F8 DD E4 33 BF 0A F4 20 90
00060: C2 3A E1 BF CC B4 37 B3

OMAC-ACPKM-Master mode with AES-256
***********************************
k = 256
n = 128
c for the CTR-ACPKM mode = 64
N = 256
T* = 768

Initial key K:
00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

Plaintext M:
00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22

K^1 | K^1_1 | K^2 | K^2_1 | K^3 | K^3_1:
00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60
00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0
00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3
00040: 9D CC 66 42 0D FF 45 5B 21 F3 93 F0 D4 D6 6E 67
00050: BB 1B 06 0B 87 66 6D 08 7A 9D A7 49 55 C3 5B 48
00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12
00080: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07

Section 1

K^1:
00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60

K^1_1:
00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0

Plaintext block M_1:
00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

Input block M_1 (xor) C_0:
00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

Output block C_1:
00000: 0B A5 89 BF 55 C1 15 42 53 08 89 76 A0 FE 24 3E

Plaintext block M_2:
00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A

Input block M_2 (xor) C_1:
00000: 0B B4 AB 8C 11 94 73 35 DB 91 23 CD 6C 10 DB 34

Output block C_2:
00000: 1C 53 DD A3 6D DC E1 17 ED 1F 14 09 D8 6A F3 2C

Section 2

K^2:
00000: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3
00010: 9D CC 66 42 0D FF 45 5B 21 F3 93 F0 D4 D6 6E 67

K^2_1:
00000: BB 1B 06 0B 87 66 6D 08 7A 9D A7 49 55 C3 5B 48

Plaintext block M_3:
00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00

Input block M_3 (xor) C_2:
00000: 0D 71 EE E7 38 BA 96 9F 74 B5 AF C5 36 95 F9 2C

Output block C_3:
00000: 4E D4 BC A6 CE 6D 6D 16 F8 63 85 13 E0 48 59 75

Plaintext block M_4:
00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11

Input block M_4 (xor) C_3:
00000: 6C E7 F8 F3 A8 1A E5 8F 52 D8 49 FD 1F 42 59 64

Output block C_4:
00000: B6 83 E3 96 FD 30 CD 46 79 C1 8B 24 03 82 1D 81

Section 3

K^3:
00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12

K^3_1:
00000: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07

MSB1(K1) == 0 -> K2 = K1 << 1

K1:
00000: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07

K2:
00000: F0 43 8F 8E D9 7A F2 C6 AD 59 F1 1C D2 D4 00 0E

Plaintext M_5:
00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22

Using K1, padding is not required

Input block M_5 (xor) C_4:
00000: FD E6 71 37 E6 05 2D 8F 94 A1 9D 55 60 E8 0C A4

Output block C_5:
00000: B3 AD B8 92 18 32 05 4C 09 21 E7 B8 08 CF A0 B8

Message authentication code T:
00000: B3 AD B8 92 18 32 05 4C 09 21 E7 B8 08 CF A0 B8

Appendix B. Contributors

o Russ Housley
  Vigil Security, LLC
  housley@vigilsec.com

o Evgeny Alekseev
  CryptoPro
  alekseev@cryptopro.ru

o Ekaterina Smyshlyaeva
  CryptoPro
  ess@cryptopro.ru

o Shay Gueron
  University of Haifa, Israel
  Intel Corporation, Israel Development Center, Israel
  shay.gueron@gmail.com

o Daniel Fox Franke
  Akamai Technologies
  dfoxfranke@gmail.com

o Lilia Ahmetzyanova
  CryptoPro
  lah@cryptopro.ru

Appendix C. Acknowledgments

We thank Mihir Bellare, Scott Fluhrer, Dorothy Cooley, Yoav Nir, Jim
Schaad, Paul Hoffman and Dmitry Belyavsky for their useful comments.

Author's Address

Stanislav Smyshlyaev (editor)
CryptoPro
18, Suschevsky val
Moscow 127018
Russian Federation

Phone: +7 (495) 995-48-20
Email: svs@cryptopro.ru