idnits 2.17.1

draft-irtf-cfrg-re-keying-12.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** There are 18 instances of too long lines in the document, the longest one
     being 10 characters in excess of 72.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (February 28, 2018) is 2247 days in the past.  Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  -- Looks like a reference, but probably isn't: '1' on line 1320

  == Missing Reference: '2t' is mentioned on line 1293, but not defined

  ** Obsolete normative reference: RFC 6347 (ref. 'DTLS') (Obsoleted by RFC 9147)

  ** Obsolete normative reference: RFC 5246 (ref. 'TLS') (Obsoleted by RFC 8446)

     Summary: 4 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

CFRG                                                  S. Smyshlyaev, Ed.
Internet-Draft                                                 CryptoPro
Intended status: Informational                         February 28, 2018
Expires: September 1, 2018

                 Re-keying Mechanisms for Symmetric Keys
                      draft-irtf-cfrg-re-keying-12

Abstract

   A certain maximum amount of data can be safely encrypted when
   encryption is performed under a single key.  This amount is called
   "key lifetime".  This specification describes a variety of methods to
   increase the lifetime of symmetric keys.  It provides two types of
   re-keying mechanisms based on hash functions and on block ciphers,
   that can be used with modes of operations such as CTR, GCM, CBC, CFB
   and OMAC.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 1, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Basic Terms and Definitions
   4.  Choosing Constructions and Security Parameters
   5.  External Re-keying Mechanisms
     5.1.  Methods of Key Lifetime Control
     5.2.  Parallel Constructions
       5.2.1.  Parallel Construction Based on a KDF on a Block Cipher
       5.2.2.  Parallel Construction Based on a KDF on a Hash Function
       5.2.3.  Tree-based Construction
     5.3.  Serial Constructions
       5.3.1.  Serial Construction Based on a KDF on a Block Cipher
       5.3.2.  Serial Construction Based on a KDF on a Hash Function
     5.4.  Exploiting Additional Entropy on Re-keying
   6.  Internal Re-keying Mechanisms
     6.1.  Methods of Key Lifetime Control
     6.2.  Constructions that Do Not Require Master Key
       6.2.1.  ACPKM Re-keying Mechanisms
       6.2.2.  CTR-ACPKM Encryption Mode
       6.2.3.  GCM-ACPKM Authenticated Encryption Mode
     6.3.  Constructions that Require Master Key
       6.3.1.  ACPKM-Master Key Derivation from the Master Key
       6.3.2.  CTR-ACPKM-Master Encryption Mode
       6.3.3.  GCM-ACPKM-Master Authenticated Encryption Mode
       6.3.4.  CBC-ACPKM-Master Encryption Mode
       6.3.5.  CFB-ACPKM-Master Encryption Mode
       6.3.6.  OMAC-ACPKM-Master Authentication Mode
   7.  Joint Usage of External and Internal Re-keying
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Test Examples
     A.1.  Test Examples for External Re-keying
       A.1.1.  External Re-keying with a Parallel Construction
       A.1.2.  External Re-keying with a Serial Construction
     A.2.  Test Examples for Internal Re-keying
       A.2.1.  Internal Re-keying Mechanisms that Do Not Require Master Key
       A.2.2.  Internal Re-keying Mechanisms with a Master Key
   Appendix B.  Contributors
   Appendix C.  Acknowledgments
   Author's Address

1.  Introduction

   A certain maximum amount of data can be safely encrypted when
   encryption is performed under a single key.  Hereinafter this amount
   will be referred to as "key lifetime".  The key lifetime can be
   calculated from the following considerations:

   1.  Methods based on the combinatorial properties of the used block
       cipher mode of operation

       These methods do not depend on the underlying block cipher.
       Restrictions on common modes derived from such methods are of
       order 2^{n/2}, where n is the block size defined in Section 3.
       [Sweet32] is an example of an attack that is based on such
       methods.

   2.  Methods based on side-channel analysis issues

       In most cases these methods do not depend on the used encryption
       modes and depend only weakly on the features of the used block
       cipher.  Limitations resulting from these considerations are
       usually the most restrictive ones.  [TEMPEST] is an example of an
       attack that is based on such methods.

   3.  Methods based on the properties of the used block cipher

       The most common methods of this type are linear and differential
       cryptanalysis [LDC].  In most cases these methods do not depend on
       the used modes of operation.  In the case of secure block ciphers,
       bounds resulting from such methods are roughly the same as the
       natural bounds of 2^n, and are dominated by the other bounds
       above.  Therefore, they can be excluded from the considerations
       here.

   As a result, it is important to replace a key as soon as the total
   size of the processed plaintext under that key reaches the lifetime
   limitation.  A specific value of the key lifetime should be
   determined in accordance with some safety margin for protocol
   security and the methods outlined above.

   Suppose L is a key lifetime limitation in some protocol P.  For
   simplicity, assume that all messages have the same length m.  Hence,
   the number of messages q that can be processed with a single key K
   should be such that m * q <= L.  This can be depicted graphically as
   a rectangle with sides m and q which is enclosed by area L (see
   Figure 1).

                    +------------------------+
                    |  L                     |
                    |  +--------m---------+  |
                    |  |==================|  |
                    |  |==================|  |
                    |  q==================|  |       m * q <= L
                    |  |==================|  |
                    |  |==================|  |
                    |  +------------------+  |
                    +------------------------+

          Figure 1: Graphic display of the key lifetime limitation

   In practice, the amount of data that corresponds to limitation L may
   not be enough.
   The simplest and most obvious way in this situation is a
   regular renegotiation of the initial key after processing this
   threshold amount of data L.  However, this reduces the total
   performance, since it usually entails termination of application data
   transmission, additional service messages, the use of a random number
   generator and many other additional calculations, including resource-
   intensive public key cryptography.

   For the protocols based on block ciphers or stream ciphers a more
   efficient way of increasing the key lifetime is to use various re-
   keying mechanisms.  This specification considers only the case of re-
   keying mechanisms for block ciphers, while re-keying mechanisms
   typical for stream ciphers (e.g., [Pietrzak2009], [FPS2012]) go
   beyond the scope of this document.

   Re-keying mechanisms can be applied on different protocol levels:
   on the block cipher level (this approach is known as fresh re-keying
   and is described, for instance, in [FRESHREKEYING]), on the block
   cipher mode of operation level (see Section 6), on the protocol level
   above the block cipher mode of operation (see Section 5).  The usage
   of the first approach is highly inefficient due to the key changing
   after processing each message block.  Moreover, fresh re-keying
   mechanisms can change the block cipher internal structure, and,
   consequently, can require additional security analysis for each
   particular block cipher.  As a result, this approach depends on
   particular primitive properties and cannot be applied to any block
   cipher; therefore, fresh re-keying mechanisms go beyond the scope of
   this document.

   Thus, this document contains the list of recommended re-keying
   mechanisms that can be used in the symmetric encryption schemes based
   on block ciphers.
   These mechanisms are independent of the
   particular block cipher specification and their security properties
   rely only on the standard block cipher security assumption.

   This specification presents two basic approaches to extend the
   lifetime of a key while avoiding renegotiation that were introduced
   in [AAOS2017]:

   1.  External re-keying

       External re-keying is performed by a protocol, and it is
       independent of the underlying block cipher and the mode of
       operation.  External re-keying can use parallel and serial
       constructions.  In the parallel case, data processing keys K^1,
       K^2, ... are generated directly from the initial key K
       independently of each other.  In the serial case, every data
       processing key depends on the state that is updated after the
       generation of each new data processing key.

       As a generalization of external parallel re-keying an external
       tree-based mechanism can be considered.  It is specified in
       Section 5.2.3 and can be viewed as a generalization of the [GGM]
       tree.  Similar constructions are used in the one-way tree
       mechanism ([OWT]) and the [AESDUKPT] standard.

   2.  Internal re-keying

       Internal re-keying is built into the mode, and it depends heavily
       on the properties of the mode of operation and the block size.

   The re-keying approaches extend the key lifetime for a single initial
   key by providing the possibility to limit the leakages (via side
   channels) and by improving combinatorial properties of the used block
   cipher mode of operation.

   In practical applications, re-keying can be useful for protocols that
   need to operate in hostile environments or under restricted resource
   conditions (e.g., that require lightweight cryptography, where
   ciphers have a small block size, which imposes strict combinatorial
   limitations).
   Moreover, mechanisms that use external and internal
   re-keying may provide some properties of forward security and
   potentially some protection against future attacks (by limiting the
   number of plaintext-ciphertext pairs that an adversary can collect).
   External and internal re-keying can be used in network protocols as
   well as in systems for data-at-rest encryption.

   Depending on the concrete protocol characteristics there might be
   situations in which both external and internal re-keying mechanisms
   (see Section 7) can be applied.  For example, a similar approach
   was used in Taha's tree construction (see [TAHA]).

   It is worthwhile to say that the re-keying mechanisms recommended in
   this document are targeted to provide the PFS property and are not
   suitable for the cases when this property should be omitted in favor
   of performance characteristics, side leakage resilience or some other
   properties.  Another re-keying approach is key updating (key
   regression) algorithms (e.g., [FKK2005] and [KMNT2003]), but they
   pursue a goal different from increasing key lifetime, and the
   absence of the PFS property is the base claim of this approach.
   Therefore, key regression algorithms are excluded from the
   considerations here.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Basic Terms and Definitions

   This document uses the following terms and definitions for the sets
   and operations on the elements of these sets:

   V*       the set of all bit strings of a finite length (hereinafter
            referred to as strings), including the empty string;
            substrings and string components are enumerated from right
            to left starting from one;

   V_s      the set of all bit strings of length s, where s is a non-
            negative integer;

   |X|      the bit length of the bit string X;

   A | B    concatenation of strings A and B both belonging to V*, i.e.,
            a string in V_{|A|+|B|}, where the left substring in V_|A| is
            equal to A, and the right substring in V_|B| is equal to B;

   (xor)    exclusive-or of two bit strings of the same length;

   Z_{2^n}  ring of residues modulo 2^n;

   Int_s: V_s -> Z_{2^s}  the transformation that maps a string a =
            (a_s, ... , a_1) in V_s into the integer Int_s(a) = 2^{s-1} *
            a_s + ... + 2 * a_2 + a_1 (the interpretation of the binary
            string as an integer);

   Vec_s: Z_{2^s} -> V_s  the transformation inverse to the mapping
            Int_s (the interpretation of an integer as a binary string);

   MSB_i: V_s -> V_i  the transformation that maps the string a = (a_s,
            ... , a_1) in V_s into the string MSB_i(a) = (a_s, ... ,
            a_{s-i+1}) in V_i (most significant bits);

   LSB_i: V_s -> V_i  the transformation that maps the string a = (a_s,
            ... , a_1) in V_s into the string LSB_i(a) = (a_i, ... , a_1)
            in V_i (least significant bits);

   Inc_c: V_s -> V_s  the transformation that maps the string a = (a_s,
            ... , a_1) in V_s into the string Inc_c(a) = MSB_{|a|-c}(a) |
            Vec_c(Int_c(LSB_c(a)) + 1 (mod 2^c)) in V_s;

   a^s      denotes the string in V_s that consists of s 'a' bits;

   E_{K}: V_n -> V_n  the block cipher permutation under the key K in
            V_k;

   ceil(x)  the smallest integer that is greater than or equal to x;

   floor(x) the biggest integer that is less than or equal to x;

   k        the bit-length of K; k is assumed to be divisible by 8;

   n        the block size of the block cipher (in bits); n is assumed
            to be divisible by 8;

   b        the number of data blocks in the plaintext P (b =
            ceil(|P|/n));

   N        the section size (the number of bits that are processed with
            one section key before this key is transformed).

   A plaintext message P and the corresponding ciphertext C are divided
   into b = ceil(|P|/n) blocks, denoted P = P_1 | P_2 | ... | P_b and C
   = C_1 | C_2 | ... | C_b, respectively.  The first b-1 blocks P_i and
   C_i are in V_n, for i = 1, 2, ... , b-1.  The b-th blocks P_b, C_b
   may be incomplete blocks, i.e., in V_r, where r <= n if not
   otherwise specified.

4.  Choosing Constructions and Security Parameters

   External re-keying is an approach assuming that a key is transformed
   after encrypting a limited number of entire messages.  The external
   re-keying method is chosen at the protocol level, regardless of the
   underlying block cipher or the encryption mode.  External re-keying
   is recommended for protocols that process relatively short messages
   or for protocols that have a way to divide a long message into
   manageable pieces.  Through external re-keying the number of messages
   that can be securely processed with a single initial key K is
   substantially increased without loss in message length.

   External re-keying has the following advantages:

   1.  it increases the lifetime of an initial key by increasing the
       number of messages processed with this key;

   2.  it has a negligible effect on performance when the number of
       messages processed under one initial key is sufficiently large;

   3.  it provides forward and backward security of data processing
       keys.

   However, the use of external re-keying has the following
   disadvantage: in case of restrictive key lifetime limitations the
   message sizes can become inconvenient due to the impossibility of
   processing sufficiently large messages, so it could be necessary to
   perform additional fragmentation at the protocol level.  E.g., if the
   key lifetime L is 1 GB and the message length m = 3 GB, then this
   message cannot be processed as a whole and it should be divided into
   three fragments that will be processed separately.

   Internal re-keying is an approach assuming that a key is transformed
   during each separate message processing.  Such procedures are
   integrated into the base modes of operation, so every internal re-
   keying mechanism is defined for the particular operation mode and the
   block size of the used cipher.  Internal re-keying is recommended for
   protocols that process long messages: the size of each single message
   can be substantially increased without loss in the number of messages
   that can be securely processed with a single initial key.

   Internal re-keying has the following advantages:

   1.  it increases the lifetime of an initial key by increasing the
       size of the messages processed with one initial key;

   2.  it has minimal impact on performance;

   3.  internal re-keying mechanisms without a master key do not
       affect short message transformation at all;

   4.  it is transparent (works like any mode of operation): it does not
       require changes of IVs or restarting MACing.

   However, the use of internal re-keying has the following
   disadvantages:

   1.  a specific method must not be chosen independently of a mode of
       operation;

   2.  internal re-keying mechanisms without a master key do not provide
       backward security of data processing keys.

   Any block cipher mode of operation with internal re-keying can be
   jointly used with any external re-keying mechanism.  Such joint
   usage increases both the number of messages processed with one
   initial key and their maximum possible size.

   If the adversary has access to the data processing interface, the use
   of the same cryptographic primitives both for data processing and re-
   keying transformation decreases the code size but can lead to some
   possible vulnerabilities.  This vulnerability can be eliminated by
   using different primitives for data processing and re-keying, e.g., a
   block cipher for data processing and a hash for re-keying (see
   Section 5.2.2 and Section 5.3.2).  However, in this case the security
   of the whole scheme cannot be reduced to standard notions like PRF or
   PRP, so security estimations become more difficult and unclear.

   Summing up the above-mentioned issues briefly:

   1.  If a protocol assumes processing long records (e.g., [CMS]),
       internal re-keying should be used.  If a protocol assumes
       processing a significant amount of ordered records, which can be
       considered as a single data stream (e.g., [TLS], [SSH]), internal
       re-keying may also be used.

   2.  For protocols which allow out-of-order delivery and lost records
       (e.g., [DTLS], [ESP]) external re-keying should be used, as in
       this case records cannot be considered as a single data stream.
       If at the same time records are long enough, internal re-keying
       should be additionally used during each separate message
       processing.

   For external re-keying:

   1.  If it is desirable to separate transformations used for data
       processing and for key update, hash function based re-keying
       should be used.

   2.  If parallel data processing is required, then parallel external
       re-keying should be used.

   3.  In case of restrictive key lifetime limitations external tree-
       based re-keying should be used.

   For internal re-keying:

   1.  If the property of forward and backward security is desirable for
       data processing keys and if additional key material can be easily
       obtained for the data processing stage, internal re-keying with a
       master key should be used.

5.  External Re-keying Mechanisms

   This section presents an approach to increase the initial key
   lifetime by using a transformation of a data processing key (frame
   key) after processing a limited number of entire messages (frame).
   It provides external parallel and serial re-keying mechanisms (see
   [AbBell]).  These mechanisms use the initial key K only for frame key
   generation and never use it directly for data processing.  Such
   mechanisms operate outside of the base modes of operation and do not
   change them at all; therefore they are called "external re-keying"
   mechanisms in this document.

   External re-keying mechanisms are recommended for usage in protocols
   that process quite small messages, since the maximum gain in
   increasing the initial key lifetime is achieved by increasing the
   number of messages.

   External re-keying increases the initial key lifetime through the
   following approach.  Suppose there is a protocol P with some mode of
   operation (base encryption or authentication mode).  Let L1 be a key
   lifetime limitation induced by side-channel analysis methods (side-
   channel limitation), let L2 be a key lifetime limitation induced by
   methods based on the combinatorial properties of the used mode of
   operation (combinatorial limitation) and let q1, q2 be the total
   numbers of messages of length m that can be safely processed with an
   initial key K according to these limitations.

   Let L = min(L1, L2), q = min(q1, q2), q * m <= L.
As L1 limitation 469 is usually much stronger than L2 limitation (L1 < L2), the final key 470 lifetime restriction is equal to the most restrictive limitation L1. 471 Thus, as displayed in Figure 2, without re-keying only q1 (q1 * m <= 472 L1) messages can be safely processed. 474 <--------m-------> 475 +----------------+ ^ ^ 476 |================| | | 477 |================| | | 478 K-->|================| q1| 479 |================| | | 480 |==============L1| | | 481 +----------------+ v | 482 | | | 483 | | | 484 | | q2 485 | | | 486 | | | 487 | | | 488 | | | 489 | | | 490 | | | 491 | | | 492 | | | 493 | L2| | 494 +----------------+ v 496 Figure 2: Basic principles of message processing without external re-keying 498 Suppose that the safety margin for the protocol P is fixed and the 499 external re-keying approach is applied to the initial key K to 500 generate the sequence of frame keys. The frame keys are generated in 501 such a way that the leakage of a previous frame key does not have any 502 impact on the following one, so the side channel limitation L1 goes 503 off. Thus, the resulting key lifetime limitation of the initial key 504 K can be calculated on the basis of a new combinatorial limitation 505 L2'. It is proven (see [AbBell]) that the security of the mode of 506 operation that uses external re-keying leads to an increase when 507 compared to base mode without re-keying (thus, L2 < L2'). Hence, as 508 displayed in Figure 3, the resulting key lifetime limitation in case 509 of using external re-keying can be increased up to L2'. 511 <--------m-------> 512 K +----------------+ 513 | |================| 514 v |================| 515 K^1--> |================| 516 | |================| 517 | |==============L1| 518 | +----------------+ 519 | |================| 520 v |================| 521 K^2--> |================| 522 | |================| 523 | |==============L1| 524 | +----------------+ 525 | |================| 526 v |================| 527 ... | . . . 
| 528 | | 529 | | 530 | L2| 531 +----------------+ 532 | | 533 ... ... 534 | L2'| 535 +----------------+ 537 Figure 3: Basic principles of message processing with external re-keying 539 Note: the key transformation process is depicted in a simplified 540 form. A specific approach (parallel and serial) is described below. 542 Consider an example. Let the message size in a protocol P be equal 543 to 1 KB. Suppose L1 = 128 MB and L2 = 1 TB. Thus, if an external 544 re-keying mechanism is not used, the initial key K must be 545 renegotiated after processing 128 MB / 1 KB = 131072 messages. 547 If an external re-keying mechanism is used, the key lifetime 548 limitation L1 goes off. Hence the resulting key lifetime limitation 549 L2' can be set to more then 1 TB. Thus if an external re-keying 550 mechanism is used, more then 1 TB / 1 KB = 2^30 messages can be 551 processed before the initial key K is renegotiated. This is 8192 552 times greater than the number of messages that can be processed, when 553 external re-keying mechanism is not used. 555 5.1. Methods of Key Lifetime Control 557 Suppose L is an amount of data that can be safely processed with one 558 frame key. For i in {1, 2, ... , t} the frame key K^i (see Figure 4 559 and Figure 5) should be transformed after processing q_i messages, 560 where q_i can be calculated in accordance with one of the following 561 approaches: 563 Explicit approach: 565 q_i is such that |M^{i,1}| + ... + |M^{i,q_i}| <= L, |M^{i,1}| + 566 ... + |M^{i,q_i+1}| > L. 567 This approach allows to use the frame key K^i in almost optimal 568 way but it can be applied only in case when messages cannot be 569 lost or reordered (e.g., TLS records). 571 Implicit approach: 573 q_i = L / m_max, i = 1, ... , t. 574 The amount of data processed with one frame key K^i is calculated 575 under the assumption that every message has the maximum length 576 m_max. Hence this amount can be considerably less than the key 577 lifetime limitation L. 
   On the other hand, this approach can be applied in the case when
   messages may be lost or reordered (e.g., DTLS records).

   Dynamic key changes:

      We can organize the key change using the Protected Point to Point
      ([P3]) solution by building a protected tunnel between the
      endpoints in which the information about frame key updating can be
      safely passed across.  This can be useful, for example, when we
      wish the adversary not to detect the key change during the
      protocol evaluation.

5.2.  Parallel Constructions

   External parallel re-keying mechanisms generate frame keys K^1, K^2,
   ... directly from the initial key K, independently of each other.

   The main idea behind external re-keying with a parallel construction
   is presented in Figure 4:

   Maximum message size = m_max.
   _____________________________________________________________

                                            m_max
                                     <---------------->
                          M^{1,1}    |===             |
                          M^{1,2}    |=============== |
           +->K^1-->      ...        ...
           |              M^{1,q_1}  |========        |
           |
           |
           |              M^{2,1}    |================|
           |              M^{2,2}    |=====           |
   K-------|->K^2-->      ...        ...
           |              M^{2,q_2}  |==========      |
           |
          ...
           |              M^{t,1}    |============    |
           |              M^{t,2}    |=============   |
           +->K^t-->      ...        ...
                          M^{t,q_t}  |==========      |

   _____________________________________________________________

             Figure 4: External parallel re-keying mechanisms

   The frame key K^i, i = 1, ... , t-1, is updated after processing a
   certain amount of messages (see Section 5.1).

5.2.1.  Parallel Construction Based on a KDF on a Block Cipher

   The ExtParallelC re-keying mechanism is based on the key derivation
   function on a block cipher and is used to generate t frame keys as
   follows:

      K^1 | K^2 | ... | K^t = ExtParallelC(K, t * k) =
            MSB_{t * k}(E_{K}(Vec_n(0)) | E_{K}(Vec_n(1)) | ... |
                        E_{K}(Vec_n(R - 1))),

   where R = ceil(t * k / n).

5.2.2.  Parallel Construction Based on a KDF on a Hash Function

   The ExtParallelH re-keying mechanism is based on the key derivation
   function HKDF-Expand, described in [RFC5869], and is used to generate
   t frame keys as follows:

      K^1 | K^2 | ... | K^t = ExtParallelH(K, t * k) =
            HKDF-Expand(K, label, t * k),

   where label is a string (possibly a zero-length string) that is
   defined by a specific protocol.

5.2.3.  Tree-based Construction

   The application of the external tree-based mechanism leads to the
   construction of a key tree with the initial key K (root key) at
   level 0 and the frame keys K^1, K^2, ... at the last level, as
   described in Figure 6.

                                 K_root = K
                            ___________|___________
                           |          ...          |
                           V                       V
                        K{1,1}                  K{1,W1}
                     ______|______            ______|______
                    |     ...     |          |     ...     |
                    V             V          V             V
                 K{2,1}       K{2,W2}  K{2,(W1-1)*W2+1}  K{2,W1*W2}
                  __|__         __|__        __|__         __|__
                 | ... |       | ... |      | ... |       | ... |
                 V     V       V     V      V     V       V     V
              K{3,1}  ...     ...   ...    ...   ...    ...  K{3,W1*W2*W3}

                ...                                    ...
              __|__            ...                   __|__
             | ... |                                | ... |
             V     V                                V     V
          K{h,1}  K{h,Wh}   K{h,(W1*...*W{h-1}-1)*Wh+1}   K{h,W1*...*Wh}
           //  \\          //  \\                     //  \\
         K^1  K^{Wh}  K^{(W1*...*W{h-1}-1)*Wh+1}  K^{W1*...*Wh}
   _______________________________________________________________________

                    Figure 6: External Tree-based Mechanism

   The tree height h and the number of keys Wj, j in {1, ... , h}, that
   can be partitioned from a "parent" key are defined in accordance with
   a specific protocol and the key lifetime limitations of the
   derivation functions used.

   Each j-level key K{j,w}, where j in {1, ... , h}, w in {1, ... , W1 *
   ... * Wj}, is derived from the (j-1)-level "parent" key
   K{j-1,ceil(w/Wj)} (and other appropriate input data) using the j-th
   level derivation function, which can be based on the block cipher
   function or on the hash function and which is defined in accordance
   with a specific protocol.

   The i-th frame key K^i, i in {1, 2, ... , W1*...*Wh}, can be
   calculated as follows:

      K^i = ExtKeyTree(K, i) =
            KDF_h(KDF_{h-1}(... KDF_1(K, ceil(i / (W2 * ... * Wh)) ... ,
                  ceil(i / Wh)), i),

   where KDF_j is the j-th level derivation function that takes two
   arguments (the parent key value and an integer in the range from 1 to
   W1 * ... * Wj) and outputs the j-th level key value.

   The frame key K^i is updated after processing a certain amount of
   messages (see Section 5.1).

   In order to create an efficient implementation, during frame key K^i
   generation the derivation functions KDF_j, j in {1, ... , h-1},
   should be invoked only when ceil(i / (W{j+1} * ... * Wh)) !=
   ceil((i - 1) / (W{j+1} * ... * Wh)); otherwise the previously
   generated value is reused.  This approach also makes it possible to
   take countermeasures against side channel attacks.

   Consider an example.  Suppose h = 3, W1 = W2 = W3 = W and KDF_1,
   KDF_2, KDF_3 are key derivation functions based on the
   KDF_GOSTR3411_2012_256 (hereafter simply KDF) function described in
   [RFC7836].  The resulting ExtKeyTree function can be defined as
   follows:

      ExtKeyTree(K, i) = KDF(KDF(KDF(K, "level1", ceil(i / W^2)),
                                 "level2", ceil(i / W)), "level3", i),

   where i in {1, 2, ... , W^3}.

   A structure similar to the external tree-based mechanism can be found
   in Section 6 of [NISTSP800-108].

5.3.  Serial Constructions

   External serial re-keying mechanisms generate frame keys, each of
   which depends on a secret state (K*_1, K*_2, ..., see Figure 5) that
   is updated after the generation of each new frame key.  Similar
   approaches are used in the [SIGNAL] protocol and in the [TLSDraft]
   traffic key updating mechanism, and were proposed for use in the
   [U2F] protocol.
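   Returning to the tree-based construction of Section 5.2.3, the
   following is an added Go example (not code from this draft) of the
   h = 3, W1 = W2 = W3 = W case, including a generator that re-runs
   KDF_1 and KDF_2 only when their index changes, as recommended above.
   It assumes HMAC-SHA256 in place of KDF_GOSTR3411_2012_256 (Streebog is
   not in the Go standard library) and an 8-byte big-endian encoding of
   the tree index, which the draft leaves to the protocol.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// kdf stands in for KDF_GOSTR3411_2012_256 of RFC 7836, which is
// HMAC(K, 0x01 | label | 0x00 | seed | 0x01 | 0x00) over Streebog-256.
// Streebog is not in the Go standard library, so HMAC-SHA256 is used
// here instead (an assumption of this example, not the draft's choice).
func kdf(key []byte, label string, seed []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte{0x01})
	mac.Write([]byte(label))
	mac.Write([]byte{0x00})
	mac.Write(seed)
	mac.Write([]byte{0x01, 0x00})
	return mac.Sum(nil)
}

// seed encodes a tree index as an 8-byte big-endian string; the draft
// leaves the encoding to the protocol, so this is an assumption too.
func seed(i uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, i)
	return b
}

func ceilDiv(a, b uint64) uint64 { return (a + b - 1) / b }

// ExtKeyTree is the Section 5.2.3 example with h = 3 and W1 = W2 = W3 = W,
// computed from scratch: three KDF calls per frame key.
func ExtKeyTree(k []byte, w, i uint64) []byte {
	l1 := kdf(k, "level1", seed(ceilDiv(i, w*w)))
	l2 := kdf(l1, "level2", seed(ceilDiv(i, w)))
	return kdf(l2, "level3", seed(i))
}

// TreeKeyGen derives the same keys but re-runs KDF_1 and KDF_2 only when
// ceil(i / W^2) or ceil(i / W) changes, as the draft recommends; a cached
// parent key is replaced as soon as the next subtree is entered.
type TreeKeyGen struct {
	root   []byte
	w      uint64
	idx1   uint64 // index of the cached level-1 key (0 = nothing cached)
	idx2   uint64 // index of the cached level-2 key
	k1, k2 []byte
	Calls  int // total KDF invocations, exposed for inspection
}

func NewTreeKeyGen(root []byte, w uint64) *TreeKeyGen {
	return &TreeKeyGen{root: root, w: w}
}

// Key returns frame key K^i, 1 <= i <= W^3, reusing cached parents.
func (g *TreeKeyGen) Key(i uint64) []byte {
	if j := ceilDiv(i, g.w*g.w); j != g.idx1 {
		g.k1 = kdf(g.root, "level1", seed(j))
		g.idx1, g.idx2 = j, 0 // a new level-1 parent invalidates level 2
		g.Calls++
	}
	if j := ceilDiv(i, g.w); j != g.idx2 {
		g.k2 = kdf(g.k1, "level2", seed(j))
		g.idx2 = j
		g.Calls++
	}
	g.Calls++
	return kdf(g.k2, "level3", seed(i))
}

func main() {
	root := bytes.Repeat([]byte{0x42}, 32) // constructed sample root key K
	g := NewTreeKeyGen(root, 4)            // W = 4, so 64 frame keys
	for i := uint64(1); i <= 64; i++ {
		g.Key(i)
	}
	fmt.Printf("K^1 = %x\n", ExtKeyTree(root, 4, 1))
	fmt.Printf("KDF calls: %d cached vs %d from scratch\n", g.Calls, 3*64)
}
```

   Deriving all 64 keys in order costs 4 + 16 + 64 = 84 KDF calls with
   the cache instead of 192, and the level-1 key is touched only four
   times, which is what limits side channel exposure of keys nearer the
   root.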
   External serial re-keying mechanisms have the obvious disadvantage of
   not being implementable in parallel, but they can be preferred if
   additional forward secrecy is desirable: in the case where all keys
   are securely deleted after usage, compromise of the current secret
   state at some time does not lead to a compromise of all previous
   secret states and frame keys.  In terms of [TLSDraft], compromise of
   application_traffic_secret_N does not compromise any previous
   application_traffic_secret_i, i < N.

   The main idea behind external re-keying with a serial construction is
   presented in Figure 5:

   Maximum message size = m_max.
   _____________________________________________________________

                                            m_max
                                     <---------------->
                          M^{1,1}    |===             |
                          M^{1,2}    |=============== |
   K*_1 = K --->K^1-->    ...        ...
     |                    M^{1,q_1}  |========        |
     |
     |
     |                    M^{2,1}    |================|
     v                    M^{2,2}    |=====           |
   K*_2 ------->K^2-->    ...        ...
     |                    M^{2,q_2}  |==========      |
     |
    ...
     |                    M^{t,1}    |============    |
     v                    M^{t,2}    |=============   |
   K*_t ------->K^t-->    ...        ...
                          M^{t,q_t}  |==========      |

   _____________________________________________________________

              Figure 5: External serial re-keying mechanisms

   The frame key K^i, i = 1, ... , t - 1, is updated after processing a
   certain amount of messages (see Section 5.1).

5.3.1.  Serial Construction Based on a KDF on a Block Cipher

   The frame key K^i is calculated using the ExtSerialC transformation
   as follows:

      K^i = ExtSerialC(K, i) =
            MSB_k(E_{K*_i}(Vec_n(0)) | E_{K*_i}(Vec_n(1)) | ... |
                  E_{K*_i}(Vec_n(J - 1))),

   where J = ceil(k / n), i = 1, ... , t, and K*_i is calculated as
   follows:

      K*_1 = K,

      K*_{j+1} = MSB_k(E_{K*_j}(Vec_n(J)) | E_{K*_j}(Vec_n(J + 1)) | ... |
                       E_{K*_j}(Vec_n(2 * J - 1))),

   where j = 1, ... , t - 1.

5.3.2.  Serial Construction Based on a KDF on a Hash Function

   The frame key K^i is calculated using the ExtSerialH transformation
   as follows:

      K^i = ExtSerialH(K, i) = HKDF-Expand(K*_i, label1, k),

   where i = 1, ... , t, HKDF-Expand is the HMAC-based key derivation
   function described in [RFC5869], and K*_i is calculated as follows:

      K*_1 = K,

      K*_{j+1} = HKDF-Expand(K*_j, label2, k), where j = 1, ... , t - 1,

   where label1 and label2 are different strings from V* that are
   defined by a specific protocol (see, for example, the TLS 1.3
   traffic key updating algorithm [TLSDraft]).

5.4.  Exploiting Additional Entropy on Re-keying

   In many cases exploiting additional entropy on re-keying does not
   increase security but may give a false sense of it; therefore,
   relying on additional entropy must be preceded by a thorough study of
   the resulting security in the relevant security models.  For example,
   good PRF constructions do not require additional entropy for the
   quality of the keys, so in most cases there is no need for exploiting
   additional entropy in external re-keying mechanisms based on a secure
   KDF.  However, in some situations mixed-in entropy can still increase
   security in the case of a time-limited but complete breach of the
   system, when the adversary can access the frame key generation
   interface but cannot reveal the master keys (e.g., master keys are
   stored in an HSM).

   For example, an external parallel construction based on a KDF on a
   hash function with mixed-in entropy can be described as follows:

      K^i = HKDF-Expand(K, label_i, k),

   where label_i is additional entropy that must be sent to the
   recipient (e.g., sent jointly with the encrypted message).  The
   entropy label_i and the corresponding key K^i must be generated
   directly before message processing.

6.  Internal Re-keying Mechanisms

   This section presents an approach to increasing the key lifetime by
   using a transformation of the data processing key (section key)
   during the processing of each separate message.  Each message is
   processed starting with the same key (the first section key), and
   each section key is updated after processing N bits of the message
   (a section).

   This section provides internal re-keying mechanisms called ACPKM
   (Advanced Cryptographic Prolongation of Key Material) and ACPKM-
   Master, which do not use a master key and use a master key,
   respectively.  Such mechanisms are integrated into the base modes of
   operation and actually form new modes of operation; therefore they
   are called "internal re-keying" mechanisms in this document.

   Internal re-keying mechanisms are recommended for use in protocols
   that process large single messages (e.g., CMS messages), since the
   maximum gain in increasing the key lifetime is achieved by increasing
   the length of a message, while they provide almost no increase in the
   number of messages that can be processed with one initial key.

   Internal re-keying increases the key lifetime through the following
   approach.  Suppose protocol P uses some base mode of operation.  Let
   L1 and L2 be the side channel and combinatorial limitations,
   respectively, and for some fixed amount of messages q let m1, m2 be
   the lengths of messages that can be safely processed with a single
   initial key K according to these limitations.

   Thus, by analogy with Section 5, without re-keying the final key
   lifetime restriction, as displayed in Figure 7, is equal to L1 and
   only q messages of length m1 can be safely processed.
                 K
                 |
                 v
      ^  +----------------+------------------------------------+
      |  |==============L1|                                  L2|
      |  |================|                                    |
      q  |================|                                    |
      |  |================|                                    |
      |  |================|                                    |
      v  +----------------+------------------------------------+
         <-------m1------->
         <----------------------------m2----------------------->

    Figure 7: Basic principles of message processing without internal
                                 re-keying

   Suppose that the safety margin for the protocol P is fixed and the
   internal re-keying approach is applied to the base mode of operation.
   Suppose further that every message is processed with a section key,
   which is transformed after processing N bits of data, where N is a
   parameter.  If q * N does not exceed L1, then the side channel
   limitation L1 no longer applies and the resulting key lifetime
   limitation of the initial key K can be calculated on the basis of a
   new combinatorial limitation L2'.  The security of the mode of
   operation that uses internal re-keying increases when compared to the
   base mode of operation without re-keying (thus, L2 < L2').  Hence, as
   displayed in Figure 8, the resulting key lifetime limitation in the
   case of using internal re-keying can be increased up to L2'.

      K-----> K^1-------------> K^2 -----------> . . .
              |                 |
              v                 v
      ^  +----------------+----------------+-------------------+--...--+
      |  |==============L1|==============L1|======           L2|    L2'|
      |  |================|================|======             |       |
      q  |================|================|======   . . .     |       |
      |  |================|================|======             |       |
      |  |================|================|======             |       |
      v  +----------------+----------------+-------------------+--...--+
         <-------N-------->

     Figure 8: Basic principles of message processing with internal
                                 re-keying

   Note: the key transformation process is depicted in a simplified
   form.
   A specific approach (the ACPKM and ACPKM-Master re-keying mechanisms)
   is described below.

   Since the performance of encryption can slightly decrease for rather
   small values of N, the parameter N should be selected for a
   particular protocol as the maximum possible value that still provides
   the necessary key lifetime for the considered security models.

   Consider an example.  Suppose L1 = 128 MB and L2 = 10 TB.  Let the
   message size in the protocol be large/unlimited (it may exhaust the
   whole key lifetime L2).  The most restrictive resulting key lifetime
   limitation is then equal to 128 MB.

   Thus, there is a need to put a limit on the maximum message size
   m_max.  For example, if m_max = 32 MB, it may happen that the
   renegotiation of the initial key K would be required after processing
   only four messages.

   If an internal re-keying mechanism with section size N = 1 MB is
   used, more than L1 / N = 128 MB / 1 MB = 128 messages can be
   processed before the renegotiation of the initial key K (instead of 4
   messages in the case when an internal re-keying mechanism is not
   used).  Note that only one section of each message is processed with
   the section key K^i, and, consequently, the key lifetime limitation
   L1 no longer applies.  Hence the resulting key lifetime limitation
   L2' can be set to more than 10 TB (in the case when a single large
   message is processed using the initial key K).

6.1.  Methods of Key Lifetime Control

   Suppose L is the amount of data that can be safely processed with one
   section key and N is the section size (a fixed parameter).  Suppose
   M^{i}_1 is the first section of message M^{i}, i = 1, ... , q (see
   Figure 9 and Figure 10); then the parameter q can be calculated in
   accordance with one of the following two approaches:

   o  Explicit approach:

      q is such that |M^{1}_1| + ... + |M^{q}_1| <= L and
      |M^{1}_1| + ... + |M^{q+1}_1| > L.

      This approach allows the section key K^i to be used in an almost
      optimal way, but it can be applied only in the case when messages
      cannot be lost or reordered (e.g., TLS records).

   o  Implicit approach:

      q = L / N.

      The amount of data processed with one section key K^i is
      calculated under the assumption that the length of every message
      is equal to or greater than the section size N, and so it can be
      considerably less than the key lifetime limitation L.  On the
      other hand, this approach can be applied in the case when messages
      may be lost or reordered (e.g., DTLS records).

6.2.  Constructions that Do Not Require Master Key

   This section describes the block cipher modes that use the ACPKM re-
   keying mechanism, which does not use a master key: the initial key is
   used directly for data encryption.

6.2.1.  ACPKM Re-keying Mechanisms

   This section defines periodical key transformation without a master
   key, which is called the ACPKM re-keying mechanism.  This mechanism
   can be applied to one of the base encryption modes (the CTR and GCM
   block cipher modes) to obtain an extension of this encryption mode
   that uses periodical key transformation without a master key.  This
   extension can be considered as a new encryption mode.

   An additional parameter that defines the functioning of base
   encryption modes with the ACPKM re-keying mechanism is the section
   size N.  The value of N is measured in bits and is fixed within a
   specific protocol based on the requirements of the system capacity
   and the key lifetime.  The section size N MUST be divisible by the
   block size n.

   The main idea behind internal re-keying without a master key is
   presented in Figure 9:

   Section size = const = N,
   maximum message size = m_max.
   ____________________________________________________________________

               ACPKM            ACPKM                  ACPKM
      K^1 = K ---> K^2 ---...-> K^{l_max-1} ----> K^{l_max}
         |          |              |                 |
         |          |              |                 |
         v          v              v                 v
   M^{1} |==========|==========| ... |==========|=======:  |
   M^{2} |==========|==========| ... |===       |       :  |
    . . .     .          .              .          .    :
    : : :     :          :              :          :    :
   M^{q} |==========|==========| ... |==========|=====  :  |
          section                                       :
         <---------->                                 m_max
           N bit
   ___________________________________________________________________
   l_max = ceil(m_max/N).

               Figure 9: Internal re-keying without a master key

   During the processing of the input message M with length m in some
   encryption mode that uses the ACPKM key transformation of the initial
   key K, the message is divided into l = ceil(m / N) sections (denoted
   as M = M_1 | M_2 | ... | M_l, where M_i is in V_N for i in {1, 2, ...
   , l - 1} and M_l is in V_r, r <= N).  The first section of each
   message is processed with the section key K^1 = K.  To process the
   (i + 1)-th section of each message the section key K^{i+1} is
   calculated using the ACPKM transformation as follows:

      K^{i+1} = ACPKM(K^i) = MSB_k(E_{K^i}(D_1) | ... | E_{K^i}(D_J)),

   where J = ceil(k/n) and D_1, D_2, ... , D_J are in V_n and are
   calculated as follows:

      D_1 | D_2 | ... | D_J = MSB_{J * n}(D),

   where D is the following constant in V_{1024}:

      D = ( 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87
          | 88 | 89 | 8a | 8b | 8c | 8d | 8e | 8f
          | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97
          | 98 | 99 | 9a | 9b | 9c | 9d | 9e | 9f
          | a0 | a1 | a2 | a3 | a4 | a5 | a6 | a7
          | a8 | a9 | aa | ab | ac | ad | ae | af
          | b0 | b1 | b2 | b3 | b4 | b5 | b6 | b7
          | b8 | b9 | ba | bb | bc | bd | be | bf
          | c0 | c1 | c2 | c3 | c4 | c5 | c6 | c7
          | c8 | c9 | ca | cb | cc | cd | ce | cf
          | d0 | d1 | d2 | d3 | d4 | d5 | d6 | d7
          | d8 | d9 | da | db | dc | dd | de | df
          | e0 | e1 | e2 | e3 | e4 | e5 | e6 | e7
          | e8 | e9 | ea | eb | ec | ed | ee | ef
          | f0 | f1 | f2 | f3 | f4 | f5 | f6 | f7
          | f8 | f9 | fa | fb | fc | fd | fe | ff )

   Note: The constant D is such that D_1, ... , D_J are pairwise
   different for any allowed n and k values.

   Note: The constant D is such that the highest bit of each of its
   octets is equal to 1.  This condition is important, as in
   conjunction with a certain mode message length limitation it makes
   it possible to prevent collisions of block cipher permutation inputs
   between key transformation and message processing (for more details
   see Section 4.4 of [AAOS2017]).

6.2.2.  CTR-ACPKM Encryption Mode

   This section defines the CTR-ACPKM encryption mode, which uses the
   ACPKM internal re-keying mechanism for the periodical key
   transformation.

   The CTR-ACPKM mode can be considered as the base encryption mode CTR
   (see [MODES]) extended by the ACPKM re-keying mechanism.

   The CTR-ACPKM encryption mode can be used with the following
   parameters:

   o  64 <= n <= 512;

   o  128 <= k <= 512;

   o  the number c of bits in the specific part of the block to be
      incremented is such that 32 <= c <= 3/4 n and c is a multiple of
      8;

   o  the maximum message size m_max = n * 2^{c-1}.
   The CTR-ACPKM mode encryption and decryption procedures are defined
   as follows:

   +----------------------------------------------------------------+
   | CTR-ACPKM-Encrypt(N, K, ICN, P)                                |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - section size N,                                             |
   |  - initial key K,                                              |
   |  - initial counter nonce ICN in V_{n-c},                       |
   |  - plaintext P = P_1 | ... | P_b, |P| <= m_max.                |
   | Output:                                                        |
   |  - ciphertext C.                                               |
   |----------------------------------------------------------------|
   | 1. CTR_1 = ICN | 0^c                                           |
   | 2. For j = 2, 3, ... , b do                                    |
   |       CTR_{j} = Inc_c(CTR_{j-1})                               |
   | 3. K^1 = K                                                     |
   | 4. For i = 2, 3, ... , ceil(|P| / N)                           |
   |       K^i = ACPKM(K^{i-1})                                     |
   | 5. For j = 1, 2, ... , b do                                    |
   |       i = ceil(j * n / N),                                     |
   |       G_j = E_{K^i}(CTR_j)                                     |
   | 6. C = P (xor) MSB_{|P|}(G_1 | ... | G_b)                      |
   | 7. Return C                                                    |
   +----------------------------------------------------------------+

   +----------------------------------------------------------------+
   | CTR-ACPKM-Decrypt(N, K, ICN, C)                                |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - section size N,                                             |
   |  - initial key K,                                              |
   |  - initial counter nonce ICN in V_{n-c},                       |
   |  - ciphertext C = C_1 | ... | C_b, |C| <= m_max.               |
   | Output:                                                        |
   |  - plaintext P.                                                |
   |----------------------------------------------------------------|
   | 1. P = CTR-ACPKM-Encrypt(N, K, ICN, C)                         |
   | 2. Return P                                                    |
   +----------------------------------------------------------------+

   The initial counter nonce ICN value for each message that is
   encrypted under the given initial key K must be chosen in a unique
   manner.

6.2.3.  GCM-ACPKM Authenticated Encryption Mode

   This section defines the GCM-ACPKM authenticated encryption mode,
   which uses the ACPKM internal re-keying mechanism for the periodical
   key transformation.
   The GCM-ACPKM mode can be considered as the base authenticated
   encryption mode GCM (see [GCM]) extended by the ACPKM re-keying
   mechanism.

   The GCM-ACPKM authenticated encryption mode can be used with the
   following parameters:

   o  n in {128, 256};

   o  128 <= k <= 512;

   o  the number c of bits in the specific part of the block to be
      incremented is such that 1/4 n <= c <= 1/2 n and c is a multiple
      of 8;

   o  authentication tag length t;

   o  the maximum message size m_max = min{n * (2^{c-1} - 2), 2^{n/2} -
      1}.

   The GCM-ACPKM mode encryption and decryption procedures are defined
   as follows:

   +-------------------------------------------------------------------+
   | GHASH(X, H)                                                       |
   |-------------------------------------------------------------------|
   | Input:                                                            |
   |  - bit string X = X_1 | ... | X_m, X_1, ... , X_m in V_n.         |
   | Output:                                                           |
   |  - block GHASH(X, H) in V_n.                                      |
   |-------------------------------------------------------------------|
   | 1. Y_0 = 0^n                                                      |
   | 2. For i = 1, ... , m do                                          |
   |       Y_i = (Y_{i-1} (xor) X_i) * H                               |
   | 3. Return Y_m                                                     |
   +-------------------------------------------------------------------+

   +-------------------------------------------------------------------+
   | GCTR(N, K, ICB, X)                                                |
   |-------------------------------------------------------------------|
   | Input:                                                            |
   |  - section size N,                                                |
   |  - initial key K,                                                 |
   |  - initial counter block ICB,                                     |
   |  - X = X_1 | ... | X_b.                                           |
   | Output:                                                           |
   |  - Y in V_{|X|}.                                                  |
   |-------------------------------------------------------------------|
   | 1. If X in V_0 then return Y, where Y in V_0                      |
   | 2. GCTR_1 = ICB                                                   |
   | 3. For i = 2, ... , b do                                          |
   |       GCTR_i = Inc_c(GCTR_{i-1})                                  |
   | 4. K^1 = K                                                        |
   | 5. For j = 2, ... , ceil(|X| / N)                                 |
   |       K^j = ACPKM(K^{j-1})                                        |
   | 6. For i = 1, ... , b do                                          |
   |       j = ceil(i * n / N),                                        |
   |       G_i = E_{K^j}(GCTR_i)                                       |
   | 7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b)                         |
   | 8. Return Y                                                       |
   +-------------------------------------------------------------------+

   +-------------------------------------------------------------------+
   | GCM-ACPKM-Encrypt(N, K, ICN, P, A)                                |
   |-------------------------------------------------------------------|
   | Input:                                                            |
   |  - section size N,                                                |
   |  - initial key K,                                                 |
   |  - initial counter nonce ICN in V_{n-c},                          |
   |  - plaintext P = P_1 | ... | P_b, |P| <= m_max,                   |
   |  - additional authenticated data A.                               |
   | Output:                                                           |
   |  - ciphertext C,                                                  |
   |  - authentication tag T.                                          |
   |-------------------------------------------------------------------|
   | 1. H = E_{K}(0^n)                                                 |
   | 2. ICB_0 = ICN | 0^{c-1} | 1                                      |
   | 3. C = GCTR(N, K, Inc_c(ICB_0), P)                                |
   | 4. u = n * ceil(|C| / n) - |C|                                    |
   |    v = n * ceil(|A| / n) - |A|                                    |
   | 5. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) |                 |
   |                | Vec_{n/2}(|C|), H)                               |
   | 6. T = MSB_t(E_{K}(ICB_0) (xor) S)                                |
   | 7. Return C | T                                                   |
   +-------------------------------------------------------------------+

   +-------------------------------------------------------------------+
   | GCM-ACPKM-Decrypt(N, K, ICN, A, C, T)                             |
   |-------------------------------------------------------------------|
   | Input:                                                            |
   |  - section size N,                                                |
   |  - initial key K,                                                 |
   |  - initial counter nonce ICN in V_{n-c},                          |
   |  - additional authenticated data A,                               |
   |  - ciphertext C = C_1 | ... | C_b, |C| <= m_max,                  |
   |  - authentication tag T.                                          |
   | Output:                                                           |
   |  - plaintext P or FAIL.                                           |
   |-------------------------------------------------------------------|
   | 1. H = E_{K}(0^n)                                                 |
   | 2. ICB_0 = ICN | 0^{c-1} | 1                                      |
   | 3. P = GCTR(N, K, Inc_c(ICB_0), C)                                |
   | 4. u = n * ceil(|C| / n) - |C|                                    |
   |    v = n * ceil(|A| / n) - |A|                                    |
   | 5. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) |                 |
   |                | Vec_{n/2}(|C|), H)                               |
   | 6. T' = MSB_t(E_{K}(ICB_0) (xor) S)                               |
   | 7. If T = T' then return P; else return FAIL                      |
   +-------------------------------------------------------------------+

   The * operation on (pairs of) the 2^n possible blocks corresponds to
   the multiplication operation in the binary Galois (finite) field of
   2^n elements defined by the polynomial f as follows (by analogy with
   [GCM]):

      n = 128: f = a^128 + a^7 + a^2 + a^1 + 1,

      n = 256: f = a^256 + a^10 + a^5 + a^2 + 1.

   The initial counter nonce ICN value for each message that is
   encrypted under the given initial key K must be chosen in a unique
   manner.

   The key for computing the values E_{K}(ICB_0) and H is not updated
   and is equal to the initial key K.

6.3.  Constructions that Require Master Key

   This section describes the block cipher modes that use the ACPKM-
   Master re-keying mechanism, which uses the initial key K as a master
   key, so K is never used directly for data processing but only for
   key derivation.

6.3.1.  ACPKM-Master Key Derivation from the Master Key

   This section defines periodical key transformation with a master key,
   which is called the ACPKM-Master re-keying mechanism.  This mechanism
   can be applied to one of the base modes of operation (the CTR, GCM,
   CBC, CFB and OMAC modes) to obtain an extension that uses periodical
   key transformation with a master key.  This extension can be
   considered as a new mode of operation.

   Additional parameters that define the functioning of modes of
   operation that use the ACPKM-Master re-keying mechanism are the
   section size N, the change frequency T* of the master keys K*_1,
   K*_2, ... (see Figure 10) and the size d of the section key material.
   The values of N and T* are measured in bits and are fixed within a
   specific protocol, based on the requirements of the system capacity
   and the key lifetime.  The section size N MUST be divisible by the
   block size n.  The master key frequency T* MUST be divisible by d and
   by n.

   The main idea behind internal re-keying with a master key is
   presented in Figure 10:

   Master key frequency T*,
   section size N,
   maximum message size = m_max.
   __________________________________________________________________________________

                   ACPKM                           ACPKM
      K*_1 = K--------------> K*_2 ---------...---------> K*_l_max
       ___|___                ___|___                       ___|___
      |       |              |       |                     |       |
      v  ...  v              v  ...  v                     v  ...  v
    K[1]     K[t]         K[t+1]    K[2t]        K[(l_max-1)t+1]  K[l_max*t]
      |       |              |       |                     |       |
      |       |              |       |                     |       |
      v       v              v       v                     v       v
   M^{1}||========|...|========||========|...|========||...||========|...|==     : ||
   M^{2}||========|...|========||========|...|========||...||========|...|======: ||
   ...  ||        |   |        ||        |   |        ||   ||        |   |      : ||
   M^{q}||========|...|========||====    |...|        ||...||        |...|      : ||
           section                                                              :
          <-------->                                                            :
            N bit                                                             m_max
   __________________________________________________________________________________
   |K[i]| = d,
   t = T* / d,
   l_max = ceil(m_max / (N * t)).

                  Figure 10: Internal re-keying with a master key

   During the processing of the input message M with length m in some
   mode of operation that uses the ACPKM-Master key transformation with
   the initial key K and the master key frequency T*, the message M is
   divided into l = ceil(m / N) sections (denoted as M = M_1 | M_2 |
   ... | M_l, where M_i is in V_N for i in {1, 2, ... , l - 1} and M_l
   is in V_r, r <= N).  The j-th section of each message is processed
   with the key material K[j], j in {1, ... , l}, |K[j]| = d, that is
   calculated with the ACPKM-Master algorithm as follows:

      K[1] | ... | K[l] = ACPKM-Master(T*, K, d, l) =
            CTR-ACPKM-Encrypt(T*, K, 1^{n/2}, 0^{d*l}).

   Note: the parameters d and l MUST be such that d * l <= n *
   2^{n/2-1}.

6.3.2.  CTR-ACPKM-Master Encryption Mode

   This section defines the CTR-ACPKM-Master encryption mode, which uses
   the ACPKM-Master internal re-keying mechanism for the periodical key
   transformation.

   The CTR-ACPKM-Master encryption mode can be considered as the base
   encryption mode CTR (see [MODES]) extended by the ACPKM-Master re-
   keying mechanism.

   The CTR-ACPKM-Master encryption mode can be used with the following
   parameters:

   o  64 <= n <= 512;

   o  128 <= k <= 512;

   o  the number c of bits in the specific part of the block to be
      incremented is such that 32 <= c <= 3/4 n and c is a multiple of
      8;

   o  the maximum message size m_max = min{N * (n * 2^{n/2-1} / k), n *
      2^c}.

   The key material K[j] that is used for the j-th section processing is
   equal to K^j, |K^j| = k bits.

   The CTR-ACPKM-Master mode encryption and decryption procedures are
   defined as follows:

   +----------------------------------------------------------------+
   | CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, P)                     |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - section size N,                                             |
   |  - initial key K,                                              |
   |  - master key frequency T*,                                    |
   |  - initial counter nonce ICN in V_{n-c},                       |
   |  - plaintext P = P_1 | ... | P_b, |P| <= m_max.                |
   | Output:                                                        |
   |  - ciphertext C.                                               |
   |----------------------------------------------------------------|
   | 1. CTR_1 = ICN | 0^c                                           |
   | 2. For j = 2, 3, ... , b do                                    |
   |       CTR_{j} = Inc_c(CTR_{j-1})                               |
   | 3. l = ceil(|P| / N)                                           |
   | 4. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l)                 |
   | 5. For j = 1, 2, ... , b do                                    |
   |       i = ceil(j * n / N),                                     |
   |       G_j = E_{K^i}(CTR_j)                                     |
   | 6. C = P (xor) MSB_{|P|}(G_1 | ... | G_b)                      |
   | 7. Return C                                                    |
   +----------------------------------------------------------------+

   +----------------------------------------------------------------+
   | CTR-ACPKM-Master-Decrypt(N, K, T*, ICN, C)                     |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - section size N,                                             |
   |  - initial key K,                                              |
   |  - master key frequency T*,                                    |
   |  - initial counter nonce ICN in V_{n-c},                       |
   |  - ciphertext C = C_1 | ... | C_b, |C| <= m_max.               |
   | Output:                                                        |
   |  - plaintext P.                                                |
   |----------------------------------------------------------------|
   | 1. P = CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, C)              |
   | 2. Return P                                                    |
   +----------------------------------------------------------------+

   The initial counter nonce ICN value for each message that is
   encrypted under the given initial key must be chosen in a unique
   manner.

6.3.3.  GCM-ACPKM-Master Authenticated Encryption Mode

   This section defines the GCM-ACPKM-Master authenticated encryption
   mode, which uses the ACPKM-Master internal re-keying mechanism for
   the periodical key transformation.

   The GCM-ACPKM-Master authenticated encryption mode can be considered
   as the base authenticated encryption mode GCM (see [GCM]) extended by
   the ACPKM-Master re-keying mechanism.

   The GCM-ACPKM-Master authenticated encryption mode can be used with
   the following parameters:

   o  n in {128, 256};

   o  128 <= k <= 512;

   o  the number c of bits in the specific part of the block to be
      incremented is such that 1/4 n <= c <= 1/2 n and c is a multiple
      of 8;

   o  authentication tag length t;

   o  the maximum message size m_max = min{N * (n * 2^{n/2-1} / k), n *
      (2^c - 2), 2^{n/2} - 1}.

   The key material K[j] that is used for the j-th section processing is
   equal to K^j, |K^j| = k bits.
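   Before the GCM-ACPKM-Master procedures, the ACPKM transformation
   (Section 6.2.1), CTR-ACPKM (Section 6.2.2), the ACPKM-Master
   derivation (Section 6.3.1) and CTR-ACPKM-Master (Section 6.3.2) as
   one added Go example; this is not code from the draft.  It assumes
   AES-256 as the block cipher E (so n = 128, k = 256, J = 2), c = n/2 =
   64, d = k, section size N and frequency T* given in bytes, and uses
   constructed sample keys and messages.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Parameters fixed by this example, not by the draft: AES-256 as E, so
// n = 128, k = 256 (J = ceil(k/n) = 2) and c = n/2 = 64 counter bits, the
// width ACPKM-Master needs because it passes ICN = 1^{n/2} to CTR-ACPKM.
const (
	blockBytes = 16 // n / 8
	keyBytes   = 32 // k / 8
	ctrBytes   = 8  // c / 8
)

// ACPKM: K^{i+1} = MSB_k(E_{K^i}(D_1) | ... | E_{K^i}(D_J)), D = 80 81 ... ff (Section 6.2.1).
func ACPKM(key []byte) []byte {
	blk, _ := aes.NewCipher(key) // keys here are always keyBytes long
	out := make([]byte, 0, keyBytes+blockBytes)
	for off := 0; len(out) < keyBytes; off += blockBytes {
		d := make([]byte, blockBytes)
		for t := range d {
			d[t] = byte(0x80 + off + t) // every octet of D has its top bit set
		}
		out = append(out, d...)
		blk.Encrypt(out[len(out)-blockBytes:], d) // E_{K^i}(D_j), in place
	}
	return out[:keyBytes]
}

func incC(ctr []byte) { // Inc_c: add 1 to the low c bits of the block, mod 2^c
	for i := len(ctr) - 1; i >= len(ctr)-ctrBytes; i-- {
		if ctr[i]++; ctr[i] != 0 {
			return
		}
	}
}

// ctrSections is the skeleton shared by CTR-ACPKM and CTR-ACPKM-Master:
// CTR_1 = ICN | 0^c, CTR_j = Inc_c(CTR_{j-1}), and block j is encrypted
// under the key of section ceil(j*n/N), which keyFor supplies (1-based).
func ctrSections(sectionBytes int, icn, p []byte, keyFor func(i int) []byte) []byte {
	if sectionBytes%blockBytes != 0 || len(icn) != blockBytes-ctrBytes {
		panic("N must be a multiple of n and ICN must be n-c bits long")
	}
	ctr := append(append([]byte{}, icn...), make([]byte, ctrBytes)...)
	out, gamma := make([]byte, len(p)), make([]byte, blockBytes)
	var blk cipher.Block
	for off := 0; off < len(p); off += blockBytes {
		if off%sectionBytes == 0 { // first block of a section: switch key
			blk, _ = aes.NewCipher(keyFor(off/sectionBytes + 1))
		}
		blk.Encrypt(gamma, ctr)
		for t := off; t < len(p) && t < off+blockBytes; t++ {
			out[t] = p[t] ^ gamma[t-off] // C = P xor MSB_|P|(G_1 | ... | G_b)
		}
		incC(ctr)
	}
	return out
}

// CTRACPKMEncrypt is CTR-ACPKM-Encrypt(N, K, ICN, P) of Section 6.2.2 with
// N in bytes: K^1 = K, K^i = ACPKM(K^{i-1}).  Decryption is the same call.
func CTRACPKMEncrypt(sectionBytes int, key, icn, p []byte) []byte {
	cur := append([]byte{}, key...)
	return ctrSections(sectionBytes, icn, p, func(i int) []byte {
		if i > 1 {
			cur = ACPKM(cur)
		}
		return cur
	})
}

// ACPKMMaster is ACPKM-Master(T*, K, d, l) of Section 6.3.1 with d = k: the
// section keys are the keystream of CTR-ACPKM-Encrypt(T*, K, 1^{n/2}, 0^{k*l}).
func ACPKMMaster(tStarBytes int, master []byte, l int) [][]byte {
	icn := bytes.Repeat([]byte{0xff}, blockBytes-ctrBytes) // 1^{n/2}
	ks := CTRACPKMEncrypt(tStarBytes, master, icn, make([]byte, keyBytes*l))
	keys := make([][]byte, l)
	for j := range keys {
		keys[j] = ks[j*keyBytes : (j+1)*keyBytes]
	}
	return keys
}

// CTRACPKMMasterEncrypt is CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, P) of
// Section 6.3.2 (T* in bytes, a multiple of k and n); decryption is the same call.
func CTRACPKMMasterEncrypt(sectionBytes, tStarBytes int, master, icn, p []byte) []byte {
	keys := ACPKMMaster(tStarBytes, master, (len(p)+sectionBytes-1)/sectionBytes)
	return ctrSections(sectionBytes, icn, p, func(i int) []byte { return keys[i-1] })
}

func main() { // constructed sample: 48-byte message, N = 32 bytes, T* = 64 bytes
	key, icn := bytes.Repeat([]byte{0x11}, keyBytes), []byte{1, 2, 3, 4, 5, 6, 7, 8}
	p := []byte("ACPKM sample plaintext spanning three AES blocks")
	fmt.Printf("%x\n%x\n", CTRACPKMEncrypt(32, key, icn, p), CTRACPKMMasterEncrypt(32, 64, key, icn, p))
}
```

   With these parameters the first 32 bytes of a CTR-ACPKM ciphertext
   coincide with plain AES-CTR under K, the third block already uses
   ACPKM(K) with the counter continued, and in the Master variant K
   itself never touches message data.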
   The GCM-ACPKM-Master mode encryption and decryption procedures are
   defined as follows:

   +-------------------------------------------------------------------+
   |  GHASH(X, H)                                                      |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |  - bit string X = X_1 | ... | X_m, X_i in V_n for i in {1, ... ,m}|
   |  Output:                                                          |
   |  - block GHASH(X, H) in V_n                                       |
   |-------------------------------------------------------------------|
   |  1. Y_0 = 0^n                                                     |
   |  2. For i = 1, ... , m do                                         |
   |        Y_i = (Y_{i-1} (xor) X_i) * H                              |
   |  3. Return Y_m                                                    |
   +-------------------------------------------------------------------+

   +-------------------------------------------------------------------+
   |  GCTR(N, K, T*, ICB, X)                                           |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |  - section size N,                                                |
   |  - initial key K,                                                 |
   |  - master key frequency T*,                                       |
   |  - initial counter block ICB,                                     |
   |  - X = X_1 | ... | X_b.                                           |
   |  Output:                                                          |
   |  - Y in V_{|X|}.                                                  |
   |-------------------------------------------------------------------|
   |  1. If X in V_0 then return Y, where Y in V_0                     |
   |  2. GCTR_1 = ICB                                                  |
   |  3. For i = 2, ... , b do                                         |
   |        GCTR_i = Inc_c(GCTR_{i-1})                                 |
   |  4. l = ceil(|X| / N)                                             |
   |  5. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l)                   |
   |  6. For j = 1, ... , b do                                         |
   |        i = ceil(j * n / N),                                       |
   |        G_j = E_{K^i}(GCTR_j)                                      |
   |  7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b)                        |
   |  8. Return Y                                                      |
   +-------------------------------------------------------------------+

   +-------------------------------------------------------------------+
   |  GCM-ACPKM-Master-Encrypt(N, K, T*, ICN, P, A)                    |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |  - section size N,                                                |
   |  - initial key K,                                                 |
   |  - master key frequency T*,                                       |
   |  - initial counter nonce ICN in V_{n-c},                          |
   |  - plaintext P = P_1 | ... | P_b, |P| <= m_max,                   |
   |  - additional authenticated data A.                               |
   |  Output:                                                          |
   |  - ciphertext C,                                                  |
   |  - authentication tag T.                                          |
   |-------------------------------------------------------------------|
   |  1. K^1 = ACPKM-Master(T*, K, k, 1)                               |
   |  2. H = E_{K^1}(0^n)                                              |
   |  3. ICB_0 = ICN | 0^{c-1} | 1                                     |
   |  4. C = GCTR(N, K, T*, Inc_c(ICB_0), P)                           |
   |  5. u = n * ceil(|C| / n) - |C|                                   |
   |     v = n * ceil(|A| / n) - |A|                                   |
   |  6. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) |                |
   |           | Vec_{n/2}(|C|), H)                                    |
   |  7. T = MSB_t(E_{K^1}(ICB_0) (xor) S)                             |
   |  8. Return C | T                                                  |
   +-------------------------------------------------------------------+

   +-------------------------------------------------------------------+
   |  GCM-ACPKM-Master-Decrypt(N, K, T*, ICN, A, C, T)                 |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |  - section size N,                                                |
   |  - initial key K,                                                 |
   |  - master key frequency T*,                                       |
   |  - initial counter nonce ICN in V_{n-c},                          |
   |  - additional authenticated data A,                               |
   |  - ciphertext C = C_1 | ... | C_b, |C| <= m_max,                  |
   |  - authentication tag T.                                          |
   |  Output:                                                          |
   |  - plaintext P or FAIL.                                           |
   |-------------------------------------------------------------------|
   |  1. K^1 = ACPKM-Master(T*, K, k, 1)                               |
   |  2. H = E_{K^1}(0^n)                                              |
   |  3. ICB_0 = ICN | 0^{c-1} | 1                                     |
   |  4. P = GCTR(N, K, T*, Inc_c(ICB_0), C)                           |
   |  5. u = n * ceil(|C| / n) - |C|                                   |
   |     v = n * ceil(|A| / n) - |A|                                   |
   |  6. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) |                |
   |           | Vec_{n/2}(|C|), H)                                    |
   |  7. T' = MSB_t(E_{K^1}(ICB_0) (xor) S)                            |
   |  8. If T = T' then return P; else return FAIL.                    |
   +-------------------------------------------------------------------+

   The * operation on (pairs of) the 2^n possible blocks corresponds to
   the multiplication operation for the binary Galois (finite) field of
   2^n elements defined by the polynomial f as follows (by analogy with
   [GCM]):

   n = 128: f = a^128 + a^7 + a^2 + a^1 + 1,

   n = 256: f = a^256 + a^10 + a^5 + a^2 + 1.

   The initial counter nonce ICN (the IV value) for each message that is
   encrypted under the given initial key must be chosen in a unique
   manner.

6.3.4.  CBC-ACPKM-Master Encryption Mode

   This section defines a CBC-ACPKM-Master encryption mode that uses the
   ACPKM-Master internal re-keying mechanism for the periodical key
   transformation.

   The CBC-ACPKM-Master encryption mode can be considered as the base
   encryption mode CBC (see [MODES]) extended by the ACPKM-Master re-
   keying mechanism.

   The CBC-ACPKM-Master encryption mode can be used with the following
   parameters:

   o  64 <= n <= 512;

   o  128 <= k <= 512;

   o  the maximum message size m_max = N * (n * 2^{n/2-1} / k).

   In the specification of the CBC-ACPKM-Master mode the plaintext and
   ciphertext must be a sequence of one or more complete data blocks.
   If the data string to be encrypted does not initially satisfy this
   property, then it MUST be padded to form complete data blocks.  The
   padding methods are out of the scope of this document.  An example of
   a padding method can be found in Appendix A of [MODES].

   The key material K[j] that is used for the j-th section processing is
   equal to K^j, |K^j| = k bits.
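   To make step 6 of the GCM-ACPKM-Master procedures above concrete,
   here is an added example (not code from the draft) of GHASH for
   n = 128, with the * operation reduced by f = a^128 + a^7 + a^2 + a^1
   + 1 in the bit ordering of [GCM], together with the construction of
   the block string A | 0^v | C | 0^u | Vec_{n/2}(|A|) | Vec_{n/2}(|C|).
   The function names and the choice of representing blocks as Python
   integers are this example's own; the H value in the demonstration at
   the bottom is an arbitrary constant, not E_{K^1}(0^n).

```python
# Added example, not from the draft: GHASH for n = 128 and the GHASH input
# layout used in step 6 of GCM-ACPKM-Master-Encrypt/Decrypt.
# Blocks are handled as Python ints read big-endian, so the leftmost bit of
# a block string (GCM's bit 0) is the most significant bit of the int.

N_BITS = 128
# a^128 = a^7 + a^2 + a + 1.  In GCM's ordering a^i is the bit at position
# i counted from the left, so the reduction constant 1 + a + a^2 + a^7
# occupies the top byte: 0b11100001 = 0xE1.
_R = 0xE1 << 120
# The multiplicative identity "1" is the block 1 | 0^127.
ONE = 1 << 127


def gf_mul(x: int, y: int) -> int:
    """Multiply two blocks in GF(2^128) modulo f (the draft's * operation)."""
    z = 0
    v = x
    for i in range(N_BITS):
        if (y >> (N_BITS - 1 - i)) & 1:   # i-th bit of y, counted from the left
            z ^= v
        # v <- v * a; when the a^127 term overflows, substitute a^128 by _R
        v = (v >> 1) ^ _R if v & 1 else v >> 1
    return z


def ghash(x: bytes, h: bytes) -> bytes:
    """GHASH(X, H): Y_0 = 0^n, Y_i = (Y_{i-1} xor X_i) * H, return Y_m."""
    if len(x) % 16:
        raise ValueError("X must consist of complete 128-bit blocks")
    hh = int.from_bytes(h, "big")
    y = 0
    for off in range(0, len(x), 16):
        y = gf_mul(y ^ int.from_bytes(x[off:off + 16], "big"), hh)
    return y.to_bytes(16, "big")


def ghash_input(a: bytes, c: bytes) -> bytes:
    """A | 0^v | C | 0^u | Vec_{n/2}(|A|) | Vec_{n/2}(|C|) for byte strings.

    v and u zero-pad A and C to complete blocks; the two length fields are
    64-bit big-endian bit counts because n/2 = 64."""
    v = (-len(a)) % 16
    u = (-len(c)) % 16
    return (a + bytes(v) + c + bytes(u)
            + (8 * len(a)).to_bytes(8, "big")
            + (8 * len(c)).to_bytes(8, "big"))


if __name__ == "__main__":
    # Constructed demonstration values: the 3-byte AAD of the Appendix A.2.1
    # GCM-ACPKM example, an all-zero 48-byte ciphertext and an arbitrary H.
    h = bytes.fromhex("00112233445566778899aabbccddeeff")
    s = ghash(ghash_input(bytes.fromhex("112233"), bytes(48)), h)
    print(s.hex())
```

   The test values for ghash_input are the A and C of the GCM-ACPKM test
   example with AES-128 in Appendix A.2.1: |A| = 24 bits and |C| = 384
   bits give the length block 00..18 | 00..01 80 shown there.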
   We denote by D_{K} the decryption function, i.e., the permutation
   inverse to E_{K}.

   The CBC-ACPKM-Master mode encryption and decryption procedures are
   defined as follows:

   +----------------------------------------------------------------+
   |  CBC-ACPKM-Master-Encrypt(N, K, T*, IV, P)                     |
   |----------------------------------------------------------------|
   |  Input:                                                        |
   |  - section size N,                                             |
   |  - initial key K,                                              |
   |  - master key frequency T*,                                    |
   |  - initialization vector IV in V_n,                            |
   |  - plaintext P = P_1 | ... | P_b, |P_b| = n, |P| <= m_max.     |
   |  Output:                                                       |
   |  - ciphertext C.                                               |
   |----------------------------------------------------------------|
   |  1. l = ceil(|P| / N)                                          |
   |  2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l)                |
   |  3. C_0 = IV                                                   |
   |  4. For j = 1, 2, ... , b do                                   |
   |        i = ceil(j * n / N),                                    |
   |        C_j = E_{K^i}(P_j (xor) C_{j-1})                        |
   |  5. Return C = C_1 | ... | C_b                                 |
   +----------------------------------------------------------------+

   +----------------------------------------------------------------+
   |  CBC-ACPKM-Master-Decrypt(N, K, T*, IV, C)                     |
   |----------------------------------------------------------------|
   |  Input:                                                        |
   |  - section size N,                                             |
   |  - initial key K,                                              |
   |  - master key frequency T*,                                    |
   |  - initialization vector IV in V_n,                            |
   |  - ciphertext C = C_1 | ... | C_b, |C_b| = n, |C| <= m_max.    |
   |  Output:                                                       |
   |  - plaintext P.                                                |
   |----------------------------------------------------------------|
   |  1. l = ceil(|C| / N)                                          |
   |  2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l)                |
   |  3. C_0 = IV                                                   |
   |  4. For j = 1, 2, ... , b do                                   |
   |        i = ceil(j * n / N)                                     |
   |        P_j = D_{K^i}(C_j) (xor) C_{j-1}                        |
   |  5. Return P = P_1 | ... | P_b                                 |
   +----------------------------------------------------------------+

   The initialization vector IV for each message that is encrypted under
   the given initial key does not need to be secret, but must be
   unpredictable.

6.3.5.  CFB-ACPKM-Master Encryption Mode

   This section defines a CFB-ACPKM-Master encryption mode that uses the
   ACPKM-Master internal re-keying mechanism for the periodical key
   transformation.

   The CFB-ACPKM-Master encryption mode can be considered as the base
   encryption mode CFB (see [MODES]) extended by the ACPKM-Master re-
   keying mechanism.

   The CFB-ACPKM-Master encryption mode can be used with the following
   parameters:

   o  64 <= n <= 512;

   o  128 <= k <= 512;

   o  the maximum message size m_max = N * (n * 2^{n/2-1} / k).

   The key material K[j] that is used for the j-th section processing is
   equal to K^j, |K^j| = k bits.

   The CFB-ACPKM-Master mode encryption and decryption procedures are
   defined as follows:

   +-------------------------------------------------------------+
   |  CFB-ACPKM-Master-Encrypt(N, K, T*, IV, P)                  |
   |-------------------------------------------------------------|
   |  Input:                                                     |
   |  - section size N,                                          |
   |  - initial key K,                                           |
   |  - master key frequency T*,                                 |
   |  - initialization vector IV in V_n,                         |
   |  - plaintext P = P_1 | ... | P_b, |P| <= m_max.             |
   |  Output:                                                    |
   |  - ciphertext C.                                            |
   |-------------------------------------------------------------|
   |  1. l = ceil(|P| / N)                                       |
   |  2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l)             |
   |  3. C_0 = IV                                                |
   |  4. For j = 1, 2, ... , b - 1 do                            |
   |        i = ceil(j * n / N),                                 |
   |        C_j = E_{K^i}(C_{j-1}) (xor) P_j                     |
   |  5. C_b = MSB_{|P_b|}(E_{K^l}(C_{b-1})) (xor) P_b           |
   |  6. Return C = C_1 | ... | C_b                              |
   +-------------------------------------------------------------+

   +-------------------------------------------------------------+
   |  CFB-ACPKM-Master-Decrypt(N, K, T*, IV, C)                  |
   |-------------------------------------------------------------|
   |  Input:                                                     |
   |  - section size N,                                          |
   |  - initial key K,                                           |
   |  - master key frequency T*,                                 |
   |  - initialization vector IV in V_n,                         |
   |  - ciphertext C = C_1 | ... | C_b, |C| <= m_max.            |
   |  Output:                                                    |
   |  - plaintext P.                                             |
   |-------------------------------------------------------------|
   |  1. l = ceil(|C| / N)                                       |
   |  2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l)             |
   |  3. C_0 = IV                                                |
   |  4. For j = 1, 2, ... , b - 1 do                            |
   |        i = ceil(j * n / N),                                 |
   |        P_j = E_{K^i}(C_{j-1}) (xor) C_j                     |
   |  5. P_b = MSB_{|C_b|}(E_{K^l}(C_{b-1})) (xor) C_b           |
   |  6. Return P = P_1 | ... | P_b                              |
   +-------------------------------------------------------------+

   The initialization vector IV for each message that is encrypted under
   the given initial key need not be secret, but must be unpredictable.

6.3.6.  OMAC-ACPKM-Master Authentication Mode

   This section defines an OMAC-ACPKM-Master message authentication code
   calculation mode that uses the ACPKM-Master internal re-keying
   mechanism for the periodical key transformation.

   The OMAC-ACPKM-Master mode can be considered as the base message
   authentication code calculation mode OMAC, which is also known as
   CMAC (see [RFC4493]), extended by the ACPKM-Master re-keying
   mechanism.

   The OMAC-ACPKM-Master message authentication code calculation mode
   can be used with the following parameters:

   o  n in {64, 128, 256};

   o  128 <= k <= 512;

   o  the maximum message size m_max = N * (n * 2^{n/2-1} / (k + n)).

   The key material K[j] that is used for one section processing is
   equal to K^j | K^j_1, where |K^j| = k and |K^j_1| = n.
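   The following added example (not code from the draft) implements the
   CBC-ACPKM-Master and CFB-ACPKM-Master procedures above for n = 128,
   showing how block number j is mapped to section key K^i with
   i = ceil(j * n / N) and how CFB handles a partial last block.  Two
   things are assumed: the section keys K^1 | ... | K^l are passed in as
   a list (deriving them with ACPKM-Master from the initial key, step 2
   of each procedure, is not included), and the block cipher E_K / D_K
   is a parameter, with toy_e / toy_d as an insecure stand-in
   permutation so the code runs offline.  The section size N is given in
   bytes, and all function names are this example's own.

```python
# Added example, not from the draft: CBC-ACPKM-Master / CFB-ACPKM-Master with
# caller-supplied section keys and a pluggable block cipher.  toy_e / toy_d
# are NOT a cipher, only an invertible permutation for demonstration; use a
# real block cipher (e.g. AES) for anything else.
from math import ceil
from typing import Callable, List

BLOCK = 16                                 # n = 128 bits
Cipher = Callable[[bytes, bytes], bytes]   # (key, block) -> block
_MASK = (1 << 128) - 1


def toy_e(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K: XOR with the first 16 key bytes, rotate left 13 bits."""
    x = int.from_bytes(block, "big") ^ int.from_bytes(key[:BLOCK], "big")
    x = ((x << 13) | (x >> 115)) & _MASK
    return x.to_bytes(BLOCK, "big")


def toy_d(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_e, i.e. D_K."""
    x = int.from_bytes(block, "big")
    x = ((x >> 13) | (x << 115)) & _MASK
    return (x ^ int.from_bytes(key[:BLOCK], "big")).to_bytes(BLOCK, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def section_index(j: int, n_section: int) -> int:
    """i = ceil(j * n / N): the section key used by block number j (1-based)."""
    return ceil(j * BLOCK / n_section)


def _check_keys(keys: List[bytes], n_section: int, length: int) -> int:
    """l = ceil(|P| / N); the caller must supply at least l section keys."""
    l = max(1, ceil(length / n_section))
    if len(keys) < l:
        raise ValueError(f"message needs {l} section keys, got {len(keys)}")
    return l


def cbc_acpkm_master_encrypt(keys, n_section, iv, p, e: Cipher = toy_e) -> bytes:
    if len(p) % BLOCK:
        raise ValueError("CBC needs complete blocks; pad first (padding is out of scope)")
    _check_keys(keys, n_section, len(p))
    prev, out = iv, bytearray()
    for j in range(1, len(p) // BLOCK + 1):
        k = keys[section_index(j, n_section) - 1]                # K^i
        prev = e(k, xor(p[(j - 1) * BLOCK:j * BLOCK], prev))    # C_j = E_{K^i}(P_j xor C_{j-1})
        out += prev
    return bytes(out)


def cbc_acpkm_master_decrypt(keys, n_section, iv, c, d: Cipher = toy_d) -> bytes:
    if len(c) % BLOCK:
        raise ValueError("ciphertext must consist of complete blocks")
    _check_keys(keys, n_section, len(c))
    prev, out = iv, bytearray()
    for j in range(1, len(c) // BLOCK + 1):
        k = keys[section_index(j, n_section) - 1]
        cur = c[(j - 1) * BLOCK:j * BLOCK]
        out += xor(d(k, cur), prev)                               # P_j = D_{K^i}(C_j) xor C_{j-1}
        prev = cur
    return bytes(out)


def cfb_acpkm_master_encrypt(keys, n_section, iv, p, e: Cipher = toy_e) -> bytes:
    """CFB only calls E_K; the last block may be partial (MSB_{|P_b|}) and uses K^l."""
    l = _check_keys(keys, n_section, len(p))
    b = ceil(len(p) / BLOCK)
    prev, out = iv, bytearray()
    for j in range(1, b + 1):
        k = keys[l - 1] if j == b else keys[section_index(j, n_section) - 1]
        chunk = p[(j - 1) * BLOCK:j * BLOCK]
        prev = xor(e(k, prev)[:len(chunk)], chunk)                # C_j = E_{K^i}(C_{j-1}) xor P_j
        out += prev
    return bytes(out)


def cfb_acpkm_master_decrypt(keys, n_section, iv, c, e: Cipher = toy_e) -> bytes:
    l = _check_keys(keys, n_section, len(c))
    b = ceil(len(c) / BLOCK)
    prev, out = iv, bytearray()
    for j in range(1, b + 1):
        k = keys[l - 1] if j == b else keys[section_index(j, n_section) - 1]
        chunk = c[(j - 1) * BLOCK:j * BLOCK]
        out += xor(e(k, prev)[:len(chunk)], chunk)                # P_j = E_{K^i}(C_{j-1}) xor C_j
        prev = chunk
    return bytes(out)
```

   With N = 256 bits (32 bytes) and n = 128, blocks 1-2 use K^1, 3-4 use
   K^2 and so on, matching the section layout of the CTR-ACPKM test
   example in Appendix A.2.1.  Because the key set is an input, a caller
   that hands the same key list to two messages reproduces exactly the
   situation the draft's uniqueness requirement on IV is there to
   prevent, so the IV must still be fresh and unpredictable per message.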
   The following is a specification of the subkey generation process of
   OMAC:

   +-------------------------------------------------------------------+
   |  Generate_Subkey(K1, r)                                           |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |  - key K1,                                                        |
   |  - bit length r of the last message block.                        |
   |  Output:                                                          |
   |  - key SK.                                                        |
   |-------------------------------------------------------------------|
   |  1. If r = n then return K1                                       |
   |  2. If r < n then                                                 |
   |        if MSB_1(K1) = 0                                           |
   |           return K1 << 1                                          |
   |        else                                                       |
   |           return (K1 << 1) (xor) R_n                              |
   +-------------------------------------------------------------------+

   Here R_n takes the following values:

   o  n = 64: R_{64} = 0^{59} | 11011;

   o  n = 128: R_{128} = 0^{120} | 10000111;

   o  n = 256: R_{256} = 0^{245} | 10000100101.

   The OMAC-ACPKM-Master message authentication code calculation mode is
   defined as follows:

   +----------------------------------------------------------------------+
   |  OMAC-ACPKM-Master(K, N, T*, M)                                      |
   |----------------------------------------------------------------------|
   |  Input:                                                              |
   |  - section size N,                                                   |
   |  - initial key K,                                                    |
   |  - master key frequency T*,                                          |
   |  - plaintext M = M_1 | ... | M_b, |M| <= m_max.                      |
   |  Output:                                                             |
   |  - message authentication code T.                                    |
   |----------------------------------------------------------------------|
   |  1. C_0 = 0^n                                                        |
   |  2. l = ceil(|M| / N)                                                |
   |  3. K^1 | K^1_1 | ... | K^l | K^l_1 = ACPKM-Master(T*, K, (k + n), l)|
   |  4. For j = 1, 2, ... , b - 1 do                                     |
   |        i = ceil(j * n / N),                                          |
   |        C_j = E_{K^i}(M_j (xor) C_{j-1})                              |
   |  5. SK = Generate_Subkey(K^l_1, |M_b|)                               |
   |  6. If |M_b| = n then M*_b = M_b                                     |
   |     else M*_b = M_b | 1 | 0^{n - 1 - |M_b|}                          |
   |  7. T = E_{K^l}(M*_b (xor) C_{b-1} (xor) SK)                         |
   |  8. Return T                                                         |
   +----------------------------------------------------------------------+
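   As an added example (not code from the draft), the following
   implements the tail of OMAC-ACPKM-Master for n = 128: Generate_Subkey
   with the R_n constants above, the M*_b padding of step 6 and the final
   encryption of step 7, on top of the section-keyed CBC chain of step 4.
   The per-section material (K^j, K^j_1) is taken as an input list
   (step 3, the ACPKM-Master derivation, is not included), the block
   cipher is a parameter with toy_e as an insecure stand-in permutation,
   the section size N is given in bytes, and the function names are this
   example's own.

```python
# Added example, not from the draft: OMAC-ACPKM-Master with caller-supplied
# (K^j, K^j_1) section material and a pluggable block cipher.  toy_e is a
# demonstration-only permutation, not a cipher.
from math import ceil
from typing import Callable, List, Tuple

BLOCK = 16                                 # n = 128 bits
Cipher = Callable[[bytes, bytes], bytes]   # (key, block) -> block
_MASK = (1 << 128) - 1
R_N = {64: 0b11011, 128: 0b10000111, 256: 0b10000100101}   # the draft's R_n


def toy_e(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K (not a real cipher): XOR with key[:16], rotate left 13."""
    x = int.from_bytes(block, "big") ^ int.from_bytes(key[:BLOCK], "big")
    x = ((x << 13) | (x >> 115)) & _MASK
    return x.to_bytes(BLOCK, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def generate_subkey(k1: bytes, r: int) -> bytes:
    """Generate_Subkey(K1, r): K1 for a complete last block, otherwise K1 << 1
    reduced by R_n when the bit shifted out was 1 (doubling in GF(2^n))."""
    n = 8 * len(k1)
    if r == n:
        return k1
    x = int.from_bytes(k1, "big")
    shifted = (x << 1) & ((1 << n) - 1)
    if x >> (n - 1):                       # MSB_1(K1) = 1
        shifted ^= R_N[n]
    return shifted.to_bytes(len(k1), "big")


def pad_last_block(m_b: bytes) -> bytes:
    """M*_b = M_b if |M_b| = n, else M_b | 1 | 0^{n-1-|M_b|}."""
    if len(m_b) == BLOCK:
        return m_b
    return m_b + b"\x80" + bytes(BLOCK - len(m_b) - 1)


def omac_acpkm_master(section_keys: List[Tuple[bytes, bytes]], n_section: int,
                      m: bytes, e: Cipher = toy_e) -> bytes:
    """T = E_{K^l}(M*_b xor C_{b-1} xor SK), with C_j chained under K^i for
    i = ceil(j * n / N).  An empty message is treated as one partial block."""
    b = max(1, ceil(len(m) / BLOCK))
    l = max(1, ceil(len(m) / n_section))
    if len(section_keys) < l:
        raise ValueError(f"need {l} section keys, got {len(section_keys)}")
    c = bytes(BLOCK)                                     # C_0 = 0^n
    for j in range(1, b):                                # blocks 1 .. b-1
        k_i, _ = section_keys[ceil(j * BLOCK / n_section) - 1]
        c = e(k_i, xor(m[(j - 1) * BLOCK:j * BLOCK], c))
    k_l, k_l1 = section_keys[l - 1]                      # last section: K^l, K^l_1
    m_b = m[(b - 1) * BLOCK:]
    sk = generate_subkey(k_l1, 8 * len(m_b))
    return e(k_l, xor(xor(pad_last_block(m_b), c), sk))
```

   The subkey is what separates a message whose last block is complete
   from a shorter message whose explicit padding happens to equal that
   block; the test below checks that the two get different tags, and
   that a message spanning two sections is finalised under K^2.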
7.  Joint Usage of External and Internal Re-keying

   Both external re-keying and internal re-keying have their own
   advantages and disadvantages, discussed in Section 1.  For instance,
   external re-keying can essentially limit the message length, while in
   the case of internal re-keying the section size, which can be chosen
   as large as operational properties allow, limits the number of
   separate messages.  Neither technique is preferable in general,
   because the choice depends on protocol features.  However, some
   protocols may have features that require the advantages of both
   external and internal re-keying: for example, a protocol that mainly
   transmits short messages but must additionally support the processing
   of very long messages.  In such situations it is necessary to use
   external and internal re-keying jointly, since these techniques
   negate each other's disadvantages.

   For composition of external and internal re-keying techniques any
   mechanism described in Section 5 can be used with any mechanism
   described in Section 6.

   For example, consider the GCM-ACPKM mode with external serial re-
   keying based on a KDF on a hash function.  Denote by frame size the
   number of messages in each frame (in the case of the implicit
   approach to key lifetime control) for external re-keying.

   Let L be the key lifetime limitation.  The section size N for
   internal re-keying and the frame size q for external re-keying must
   be chosen in such a way that q * N does not exceed L.

   Suppose that t messages (ICN_i, P_i, A_i), with initial counter nonce
   ICN_i, plaintext P_i and additional authenticated data A_i, will be
   processed before renegotiation.

   For authenticated encryption of each message (ICN_i, P_i, A_i), i =
   1, ..., t, the following algorithm can be applied:

   1. j = ceil(i / q),
   2. K^j = ExtSerialH(K, j),
   3. C_i | T_i = GCM-ACPKM-Encrypt(N, K^j, ICN_i, P_i, A_i).

   Note that the nonces ICN_i used under the same frame key must be
   unique for each message.

8.  Security Considerations

   Re-keying should be used to increase the "a priori" security
   properties of ciphers in hostile environments (e.g., with side-
   channel adversaries).  If efficient attacks are known for a cipher,
   it must not be used; re-keying cannot serve as a patch for vulnerable
   ciphers.  The properties of the base cipher must be well analyzed,
   because the security of the re-keying mechanisms rests on the
   security of the block cipher as a pseudorandom function.

   Re-keying is not intended to solve any post-quantum security issues
   for symmetric cryptography: the reduction of security caused by
   Grover's algorithm is not connected with the size of the plaintext
   transformed by a cipher (only a negligible amount of material,
   sufficient for key uniqueness, is needed), whereas the aim of re-
   keying is to limit the size of the plaintext transformed under one
   initial key.

   Re-keying can provide backward security only if previous key material
   is securely deleted after usage by all parties.

9.  References

9.1.  Normative References

   [CMS]      Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, DOI 10.17487/RFC5652, September 2009.

   [DTLS]     Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012.

   [ESP]      Kent, S., "IP Encapsulating Security Payload (ESP)",
              RFC 4303, DOI 10.17487/RFC4303, December 2005.

   [GCM]      Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Galois/Counter Mode (GCM) and GMAC", NIST
              Special Publication 800-38D,
              http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf,
              November 2007.
   [MODES]    Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Methods and Techniques", NIST Special
              Publication 800-38A, December 2001.

   [NISTSP800-108]
              National Institute of Standards and Technology,
              "Recommendation for Key Derivation Using Pseudorandom
              Functions", NIST Special Publication 800-108, November
              2008.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4493]  Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The
              AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June
              2006.

   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869,
              DOI 10.17487/RFC5869, May 2010.

   [RFC7836]  Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V.,
              Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines
              on the Cryptographic Algorithms to Accompany the Usage of
              Standards GOST R 34.10-2012 and GOST R 34.11-2012",
              RFC 7836, DOI 10.17487/RFC7836, March 2016.

   [SSH]      Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253,
              January 2006.

   [TLS]      Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [TLSDraft] Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", 2017.

9.2.  Informative References

   [AAOS2017] Ahmetzyanova, L., Alekseev, E., Oshkin, I., and S.
              Smyshlyaev, "Increasing the Lifetime of Symmetric Keys for
              the GCM Mode by Internal Re-keying", Cryptology ePrint
              Archive Report 2017/697, 2017.

   [AbBell]   Abdalla, M. and M. Bellare, "Increasing the Lifetime of a
              Key: A Comparative Analysis of the Security of Re-keying
              Techniques", ASIACRYPT 2000, LNCS 1976, pp. 546-559, 2000.

   [AESDUKPT] ANSI, "Retail Financial Services Symmetric Key Management
              - Part 3: Derived Unique Key Per Transaction", ANSI
              X9.24-3-2017, 2017.

   [FKK2005]  Fu, K., Kamara, S., and T. Kohno, "Key Regression:
              Enabling Efficient Key Distribution for Secure Distributed
              Storage", November 2005.

   [FPS2012]  Faust, S., Pietrzak, K., and J. Schipper, "Practical
              Leakage-Resilient Symmetric Cryptography", CHES 2012,
              LNCS, vol. 7428, pp. 213-232, 2012.

   [FRESHREKEYING]
              Dziembowski, S., Faust, S., Herold, G., Journault, A.,
              Masny, D., and F. Standaert, "Towards Sound Fresh Re-
              Keying with Hard (Physical) Learning Problems", Cryptology
              ePrint Archive Report 2016/573, June 2016.

   [GGM]      Goldreich, O., Goldwasser, S., and S. Micali, "How to
              Construct Random Functions", Journal of the Association
              for Computing Machinery, Vol. 33, No. 4, pp. 792-807,
              October 1986.

   [KMNT2003] Kim, Y., Maino, F., Narasimha, M., and G. Tsudik, "Secure
              Group Services for Storage Area Networks",
              IEEE Communications Magazine 41, pp. 92-99, 2003.

   [LDC]      Heys, H., "A Tutorial on Linear and Differential
              Cryptanalysis", 2017.

   [OWT]      Joye, M. and S. Yen, "One-Way Cross-Trees and Their
              Applications", DOI 10.1007/3-540-45664-3_25, February
              2002.

   [P3]       Alexander, P., "Dynamic Key Changes on Encrypted
              Sessions", CFRG mail archive, December 2017.

   [Pietrzak2009]
              Pietrzak, K., "A Leakage-Resilient Mode of Operation",
              EUROCRYPT 2009, LNCS, vol. 5479, pp. 462-482, 2009.

   [SIGNAL]   Perrin, T., Ed. and M. Marlinspike, "The Double Ratchet
              Algorithm", November 2016.

   [Sweet32]  Bhargavan, K. and G. Leurent, "On the Practical
              (In-)Security of 64-bit Block Ciphers: Collision Attacks
              on HTTP over TLS and OpenVPN", Cryptology ePrint Archive
              Report 2016/798, 2016.

   [TAHA]     Taha, M. and P. Schaumont, "Key Updating for Leakage
              Resiliency With Application to AES Modes of Operation",
              DOI 10.1109/TIFS.2014.2383359, December 2014.

   [TEMPEST]  Ramsay, C. and J. Lohuis, "TEMPEST attacks against AES.
              Covertly stealing keys for 200 euro", 2017.

   [U2F]      Chang, D., Mishra, S., Sanadhya, S., and A. Singh, "On
              Making U2F Protocol Leakage-Resilient via Re-keying",
              Cryptology ePrint Archive Report 2017/721, August 2017.

Appendix A.  Test Examples

A.1.  Test Examples for External Re-keying

A.1.1.  External Re-keying with a Parallel Construction

   External re-keying with a parallel construction based on AES-256
   ****************************************************************
   k = 256
   t = 128

   Initial key:
   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00

   K^1:
   51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86
   64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1

   K^2:
   6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15
   B8 02 92 32 D8 D3 8D 73 FE DC DD C6 C8 36 78 BD

   K^3:
   B6 40 24 85 A4 24 BD 35 B4 26 43 13 76 26 70 B6
   5B F3 30 3D 3B 20 EB 14 D1 3B B7 91 74 E3 DB EC

   ...
2020 K^126: 2021 2F 3F 15 1B 53 88 23 CD 7D 03 FC 3D FD B3 57 5E 2022 23 E4 1C 4E 46 FF 6B 33 34 12 27 84 EF 5D 82 23 2024 K^127: 2025 8E 51 31 FB 0B 64 BB D0 BC D4 C5 7B 1C 66 EF FD 2026 97 43 75 10 6C AF 5D 5E 41 E0 17 F4 05 63 05 ED 2028 K^128: 2029 77 4F BF B3 22 60 C5 3B A3 8E FE B1 96 46 76 41 2030 94 49 AF 84 2D 84 65 A7 F4 F7 2C DC A4 9D 84 F9 2031 External re-keying with a parallel construction based on SHA-256 2032 **************************************************************** 2033 k = 256 2034 t = 128 2036 label: 2037 SHA2label 2039 Initial key: 2040 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2041 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2043 K^1: 2044 C1 A1 4C A0 30 29 BE 43 9F 35 3C 79 1A 51 48 57 2045 26 7A CD 5A E8 7D E7 D1 B2 E2 C7 AF A4 29 BD 35 2047 K^2: 2048 03 68 BB 74 41 2A 98 ED C4 7B 94 CC DF 9C F4 9E 2049 A9 B8 A9 5F 0E DC 3C 1E 3B D2 59 4D D1 75 82 D4 2051 K^3: 2052 2F D3 68 D3 A7 8F 91 E6 3B 68 DC 2B 41 1D AC 80 2053 0A C3 14 1D 80 26 3E 61 C9 0D 24 45 2A BD B1 AE 2055 ... 2057 K^126: 2058 55 AC 2B 25 00 78 3E D4 34 2B 65 0E 75 E5 8B 76 2059 C8 04 E9 D3 B6 08 7D C0 70 2A 99 A4 B5 85 F1 A1 2061 K^127: 2062 77 4D 15 88 B0 40 90 E5 8C 6A D7 5D 0F CF 0A 4A 2063 6C 23 F1 B3 91 B1 EF DF E5 77 64 CD 09 F5 BC AF 2065 K^128: 2066 E5 81 FF FB 0C 90 88 CD E5 F4 A5 57 B6 AB D2 2E 2067 94 C3 42 06 41 AB C1 72 66 CC 2F 59 74 9C 86 B3 2069 A.1.2. 
External Re-keying with a Serial Construction 2071 External re-keying with a serial construction based on AES-256 2072 ************************************************************** 2073 AES 256 examples: 2074 k = 256 2075 t = 128 2076 Initial key: 2077 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2078 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2080 K*_1: 2081 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2082 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2084 K^1: 2085 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2086 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2088 K*_2: 2089 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2090 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2092 K^2: 2093 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2094 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2096 K*_3: 2097 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2098 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2100 K^3: 2101 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2102 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2104 ... 
2106 K*_126: 2107 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2108 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2110 K^126: 2111 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2112 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2114 K*_127: 2115 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2116 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2118 K^127: 2119 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2120 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2122 K*_128: 2123 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2124 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2126 K^128: 2127 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2128 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2130 External re-keying with a serial construction based on SHA-256 2131 ************************************************************** 2132 k = 256 2133 t = 128 2135 Initial key: 2136 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2137 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2139 label1: 2140 SHA2label1 2142 label2: 2143 SHA2label2 2145 K*_1: 2146 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2147 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2149 K^1: 2150 2D A8 D1 37 6C FD 52 7F F7 36 A4 E2 81 C6 0A 9B 2151 F3 8E 66 97 ED 70 4F B5 FB 10 33 CC EC EE D5 EC 2153 K*_2: 2154 14 65 5A D1 7C 19 86 24 9B D3 56 DF CC BE 73 6F 2155 52 62 4A 9D E3 CC 40 6D A9 48 DA 5C D0 68 8A 04 2157 K^2: 2158 2F EA 8D 57 2B EF B8 89 42 54 1B 8C 1B 3F 8D B1 2159 84 F9 56 C7 FE 01 11 99 1D FB 98 15 FE 65 85 CF 2161 K*_3: 2162 18 F0 B5 2A D2 45 E1 93 69 53 40 55 43 70 95 8D 2163 70 F0 20 8C DF B0 5D 67 CD 1B BF 96 37 D3 E3 EB 2165 K^3: 2166 53 C7 4E 79 AE BC D1 C8 24 04 BF F6 D7 B1 AC BF 2167 F9 C0 0E FB A8 B9 48 29 87 37 E1 BA E7 8F F7 92 2168 ... 
2170 K*_126: 2171 A3 6D BF 02 AA 0B 42 4A F2 C0 46 52 68 8B C7 E6 2172 5E F1 62 C3 B3 2F DD EF E4 92 79 5D BB 45 0B CA 2174 K^126: 2175 6C 4B D6 22 DC 40 48 0F 29 C3 90 B8 E5 D7 A7 34 2176 23 4D 34 65 2C CE 4A 76 2C FE 2A 42 C8 5B FE 9A 2178 K*_127: 2179 84 5F 49 3D B8 13 1D 39 36 2B BE D3 74 8F 80 A1 2180 05 A7 07 37 BA 15 72 E0 73 49 C2 67 5D 0A 28 A1 2182 K^127: 2183 57 F0 BD 5A B8 2A F3 6B 87 33 CF F7 22 62 B4 D0 2184 F0 EE EF E1 50 74 E5 BA 13 C1 23 68 87 36 29 A2 2186 K*_128: 2187 52 F2 0F 56 5C 9C 56 84 AF 69 AD 45 EE B8 DA 4E 2188 7A A6 04 86 35 16 BA 98 E4 CB 46 D2 E8 9A C1 09 2190 K^128: 2191 9B DD 24 7D F3 25 4A 75 E0 22 68 25 68 DA 9D D5 2192 C1 6D 2D 2B 4F 3F 1F 2B 5E 99 82 7F 15 A1 4F A4 2194 A.2. Test Examples for Internal Re-keying 2196 A.2.1. Internal Re-keying Mechanisms that Do Not Require Master Key 2198 CTR-ACPKM mode with AES-256 2199 *************************** 2200 k = 256 2201 n = 128 2202 c = 64 2203 N = 256 2205 Initial key K: 2206 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2207 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2209 Plain text P: 2210 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2211 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2212 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2213 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2214 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2215 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2216 00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 2218 ICN: 2219 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 2220 23 34 45 56 67 78 89 90 12 13 14 15 16 17 18 19 2222 D_1: 2223 00000: 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 2225 D_2: 2226 00000: 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F 2228 Section_1 2230 Section key K^1: 2231 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2232 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2234 Input block CTR_1: 2235 00000: 12 34 56 78 90 AB CE F0 
00 00 00 00 00 00 00 00 2237 Output block G_1: 2238 00000: FD 7E F8 9A D9 7E A4 B8 8D B8 B5 1C 1C 9D 6D D0 2240 Input block CTR_2: 2241 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 01 2243 Output block G_2: 2244 00000: 19 98 C5 71 76 37 FB 17 11 E4 48 F0 0C 0D 60 B2 2246 Section_2 2248 Section key K^2: 2249 00000: F6 80 D1 21 2F A4 3D F4 EC 3A 91 DE 2A B1 6F 1B 2250 00010: 36 B0 48 8A 4F C1 2E 09 98 D2 E4 A8 88 E8 4F 3D 2252 Input block CTR_3: 2253 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 02 2255 Output block G_3: 2256 00000: E4 88 89 4F B6 02 87 DB 77 5A 07 D9 2C 89 46 EA 2258 Input block CTR_4: 2259 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 03 2260 Output block G_4: 2261 00000: BC 4F 87 23 DB F0 91 50 DD B4 06 C3 1D A9 7C A4 2263 Section_3 2265 Section key K^3: 2266 00000: 8E B9 7E 43 27 1A 42 F1 CA 8E E2 5F 5C C7 C8 3B 2267 00010: 1A CE 9E 5E D0 6A A5 3B 57 B9 6A CF 36 5D 24 B8 2269 Input block CTR_5: 2270 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 04 2272 Output block G_5: 2273 00000: 68 6F 22 7D 8F B2 9C BD 05 C8 C3 7D 22 FE 3B B7 2275 Input block CTR_6: 2276 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 05 2278 Output block G_6: 2279 00000: C0 1B F9 7F 75 6E 12 2F 80 59 55 BD DE 2D 45 87 2281 Section_4 2283 Section key K^4: 2284 00000: C5 71 6C C9 67 98 BC 2D 4A 17 87 B7 8A DF 94 AC 2285 00010: E8 16 F8 0B DB BC AD 7D 60 78 12 9C 0C B4 02 F5 2287 Block number 7: 2289 Input block CTR_7: 2290 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 06 2292 Output block G_7: 2293 00000: 03 DE 34 74 AB 9B 65 8A 3B 54 1E F8 BD 2B F4 7D 2295 The result G = G_1 | G_2 | G_3 | G_4 | G_5 | G_6 | G_7: 2296 00000: FD 7E F8 9A D9 7E A4 B8 8D B8 B5 1C 1C 9D 6D D0 2297 00010: 19 98 C5 71 76 37 FB 17 11 E4 48 F0 0C 0D 60 B2 2298 00020: E4 88 89 4F B6 02 87 DB 77 5A 07 D9 2C 89 46 EA 2299 00030: BC 4F 87 23 DB F0 91 50 DD B4 06 C3 1D A9 7C A4 2300 00040: 68 6F 22 7D 8F B2 9C BD 05 C8 C3 7D 22 FE 3B B7 2301 00050: C0 1B F9 7F 75 6E 12 2F 
80 59 55 BD DE 2D 45 87
   00060: 03 DE 34 74 AB 9B 65 8A 3B 54 1E F8 BD 2B F4 7D

   The result ciphertext C = P (xor) MSB_{|P|}(G):
   00000: EC 5C CB DE 8C 18 D3 B8 72 56 68 D0 A7 37 F4 58
   00010: 19 89 E7 42 32 62 9D 60 99 7D E2 4B C0 E3 9F B8
   00020: F5 AA BA 0B E3 64 F0 53 EE F0 BC 15 C2 76 4C EA
   00030: 9E 7C C3 76 BD 87 19 C9 77 0F CA 2D E2 A3 7C B5
   00040: 5B 2B 77 1B F8 3A 05 17 BE 04 2D 82 28 FE 2A 95
   00050: 84 4E 9F 08 FD F7 B8 94 4C B7 AA B7 DE 3C 67 B4
   00060: 56 B8 43 FC 32 31 DE 46 D5 AB 14 F8 AC 09 C7 39

   GCM-ACPKM mode with AES-128
   ***************************
   k = 128
   n = 128
   c = 32
   N = 256

   Initial Key K:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   Additional data A:
   00000: 11 22 33

   Plaintext:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   ICN:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00

   Number of sections: 2

   Section key K^1:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   Section key K^2:
   00000: 15 1A 9F B0 B6 AC C5 97 6A FB 50 31 D1 DE C8 41

   Encrypted GCTR_1 | GCTR_2 | GCTR_3:
   00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78
   00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0
   00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD

   Ciphertext C:
   00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78
   00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0
   00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD

   GHASH input:
   00000: 11 22 33 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78
   00020: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0
   00030: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD
   00040: 00 00 00 00 00 00 00 18 00 00 00 00 00 00 01 80

   GHASH output S:
   00000: E8 ED E9 94 9A DD 55 30 B0 F4 4E F5 00 FC 3E 3C

   Authentication tag T:
   00000: B0 0F 15 5A 60 A3 65 51 86 8B 53 A2 A4 1B 7B 66

   The result C | T:
   00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78
   00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0
   00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD
   00030: B0 0F 15 5A 60 A3 65 51 86 8B 53 A2 A4 1B 7B 66

A.2.2.  Internal Re-keying Mechanisms with a Master Key

   CTR-ACPKM-Master mode with AES-256
   **********************************
   k = 256
   n = 128
   c for CTR-ACPKM mode = 64
   c for CTR-ACPKM-Master mode = 64
   N = 256
   T* = 512

   Initial key K:
   00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
   00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

   Initial vector ICN:
   00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12

   Plaintext P:
   00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
   00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
   00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
   00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33
   00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44

   K^1 | K^2 | K^3 | K^4:
   00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
   00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60
   00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0
   00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3
   00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4
   00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94
   00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
   00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12

   Section_1

   K^1:
   00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
   00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60
2414 Input block CTR_1: 2415 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 00 2417 Output block G_1: 2418 00000: 8C A2 B6 82 A7 50 65 3F 8E BF 08 E7 9F 99 4D 5C 2420 Input block CTR_2: 2421 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 01 2423 Output block G_2: 2424 00000: F6 A6 A5 BA 58 14 1E ED 23 DC 31 68 D2 35 89 A1 2426 Section_2 2428 K^2: 2429 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2430 00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2432 Input block CTR_3: 2433 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 02 2435 Output block G_3: 2436 00000: 4A 07 5F 86 05 87 72 94 1D 8E 7D F8 32 F4 23 71 2438 Input block CTR_4: 2439 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 03 2441 Output block G_4: 2442 00000: 23 35 66 AF 61 DD FE A7 B1 68 3F BA B0 52 4A D7 2443 Section_3 2445 K^3: 2446 00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2447 00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2449 Input block CTR_5: 2450 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 04 2452 Output block G_5: 2453 00000: A8 09 6D BC E8 BB 52 FC DE 6E 03 70 C1 66 95 E8 2455 Input block CTR_6: 2456 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 05 2458 Output block G_6: 2459 00000: C6 E3 6E 8E 5B 82 AA C4 A6 6C 14 8D B1 F6 9B EF 2461 Section_4 2463 K^4: 2464 00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2465 00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2467 Input block CTR_7: 2468 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 06 2470 Output block G_7: 2471 00000: 82 2B E9 07 96 37 44 95 75 36 3F A7 07 F8 40 22 2473 The result G = G_1 | G_2 | G_3 | G_4 | G_5 | G_6 | G_7: 2474 00000: 8C A2 B6 82 A7 50 65 3F 8E BF 08 E7 9F 99 4D 5C 2475 00010: F6 A6 A5 BA 58 14 1E ED 23 DC 31 68 D2 35 89 A1 2476 00020: 4A 07 5F 86 05 87 72 94 1D 8E 7D F8 32 F4 23 71 2477 00030: 23 35 66 AF 61 DD FE A7 B1 68 3F BA B0 52 4A D7 2478 00040: A8 09 6D BC E8 BB 52 FC DE 6E 03 70 C1 66 95 E8 2479 00050: C6 E3 6E 8E 5B 82 AA 
C4 A6 6C 14 8D B1 F6 9B EF 2480 00060: 82 2B E9 07 96 37 44 95 75 36 3F A7 07 F8 40 22 2482 The result ciphertext C = P (xor) MSB_{|P|}(G): 2483 00000: 9D 80 85 C6 F2 36 12 3F 71 51 D5 2B 24 33 D4 D4 2484 00010: F6 B7 87 89 1C 41 78 9A AB 45 9B D3 1E DB 76 AB 2485 00020: 5B 25 6C C2 50 E1 05 1C 84 24 C6 34 DC 0B 29 71 2486 00030: 01 06 22 FA 07 AA 76 3E 1B D3 F3 54 4F 58 4A C6 2487 00040: 9B 4D 38 DA 9F 33 CB 56 65 A2 ED 8F CB 66 84 CA 2488 00050: 82 B6 08 F9 D3 1B 00 7F 6A 82 EB 87 B1 E7 B9 DC 2489 00060: D7 4D 9E 8F 0F 9D FF 59 9B C9 35 A7 16 DA 73 66 2491 GCM-ACPKM-Master mode with AES-256 2492 ********************************** 2493 k = 192 2494 n = 128 2495 c for the CTR-ACPKM mode = 64 2496 c for the GCM-ACPKM-Master mode = 32 2497 T* = 384 2498 N = 256 2500 Initila Key K: 2501 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2502 00010: 00 00 00 00 00 00 00 00 2504 Additional data A: 2505 00000: 11 22 33 2507 Plaintext: 2508 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2509 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2510 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2511 00030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2512 00040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2514 ICN: 2515 00000: 00 00 00 00 00 00 00 00 00 00 00 00 2517 Number of sections: 3 2519 K^1 | K^2 | K^3: 2520 00000: 93 BA AF FB 35 FB E7 39 C1 7C 6A C2 2E EC F1 8F 2521 00010: 7B 89 F0 BF 8B 18 07 05 96 48 68 9F 36 A7 65 CC 2522 00020: CD 5D AC E2 0D 47 D9 18 D7 86 D0 41 A8 3B AB 99 2523 00030: F5 F8 B1 06 D2 71 78 B1 B0 08 C9 99 0B 72 E2 87 2524 00040: 5A 2D 3C BE F1 6E 67 3C 2526 Encrypted GCTR_1 | ... 
| GCTR_5 2527 00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52 2528 00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8 2529 00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE 2530 00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14 2531 00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08 2533 Ciphertext C: 2535 00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52 2536 00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8 2537 00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE 2538 00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14 2539 00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08 2541 GHASH input: 2542 00000: 11 22 33 00 00 00 00 00 00 00 00 00 00 00 00 00 2543 00010: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52 2544 00020: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8 2545 00030: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE 2546 00040: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14 2547 00050: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08 2548 00060: 00 00 00 00 00 00 00 18 00 00 00 00 00 00 02 80 2550 GHASH output S: 2551 00000: 6E A3 4B D5 6A C5 40 B7 3E 55 D5 86 D1 CC 09 7D 2553 Authentication tag T: 2554 00050: CC 3A BA 11 8C E7 85 FD 77 78 94 D4 B5 20 69 F8 2556 The result C | T: 2557 00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52 2558 00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8 2559 00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE 2560 00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14 2561 00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08 2562 00050: CC 3A BA 11 8C E7 85 FD 77 78 94 D4 B5 20 69 F8 2564 CBC-ACPKM-Master mode with AES-256 2565 ********************************** 2566 k = 256 2567 n = 128 2568 c for the CTR-ACPKM mode = 64 2569 N = 256 2570 T* = 512 2572 Initial key K: 2573 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2574 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2576 Initial vector IV: 2577 00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 
F0 01 12 2579 Plaintext P: 2581 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2582 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2583 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2584 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2585 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2586 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2587 00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 2589 K^1 | K^2 | K^3 | K^4: 2590 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2591 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2592 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2593 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2594 00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2595 00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2596 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2597 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2599 Section_1 2601 K^1: 2602 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2603 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2605 Plaintext block P_1: 2606 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2608 Input block P_1 (xor) C_0: 2609 00000: 03 16 65 3C C5 CD B9 F0 5E 5C 1E 18 5E 5A 98 9A 2611 Output block C_1: 2612 00000: 59 CB 5B CA C2 69 2C 60 0D 46 03 A0 C7 40 C9 7C 2614 Plaintext block P_2: 2615 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2617 Input block P_2 (xor) C_1: 2618 00000: 59 DA 79 F9 86 3C 4A 17 85 DF A9 1B 0B AE 36 76 2620 Output block C_2: 2621 00000: 80 B6 02 74 54 8B F7 C9 78 1F A1 05 8B F6 8B 42 2623 Section_2 2625 K^2: 2626 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2627 00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2628 Plaintext block P_3: 2629 00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2631 Input block P_3 (xor) C_2: 2632 00000: 91 94 31 30 01 ED 80 41 E1 B5 1A C9 65 09 81 42 2634 Output block C_3: 2635 00000: 8C 24 FB CF 68 15 
B1 AF 65 FE 47 75 95 B4 97 59 2637 Plaintext block P_4: 2638 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2640 Input block P_4 (xor) C_3: 2641 00000: AE 17 BF 9A 0E 62 39 36 CF 45 8B 9B 6A BE 97 48 2643 Output block C_4: 2644 00000: 19 65 A5 00 58 0D 50 23 72 1B E9 90 E1 83 30 E9 2646 Section_3 2648 K^3: 2649 00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2650 00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2652 Plaintext block P_5: 2653 00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2655 Input block P_5 (xor) C_4: 2656 00000: 2A 21 F0 66 2F 85 C9 89 C9 D7 07 6F EB 83 21 CB 2658 Output block C_5: 2659 00000: 56 D8 34 F4 6F 0F 4D E6 20 53 A9 5C B5 F6 3C 14 2661 Plaintext block P_6: 2662 00000: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2664 Input block P_6 (xor) C_5: 2665 00000: 12 8D 52 83 E7 96 E7 5D EC BD 56 56 B5 E7 1E 27 2667 Output block C_6: 2668 00000: 66 68 2B 8B DD 6E B2 7E DE C7 51 D6 2F 45 A5 45 2670 Section_4 2672 K^4: 2673 00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2674 00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2675 Plaintext block P_7: 2676 00000: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 2678 Input block P_7 (xor) C_6: 2679 00000: 33 0E 5C 03 44 C4 09 B2 30 38 5B D6 3E 67 96 01 2681 Output block C_7: 2682 00000: 7F 4D 87 F9 CA E9 56 09 79 C4 FA FE 34 0B 45 34 2684 Cipher text C: 2685 00000: 59 CB 5B CA C2 69 2C 60 0D 46 03 A0 C7 40 C9 7C 2686 00010: 80 B6 02 74 54 8B F7 C9 78 1F A1 05 8B F6 8B 42 2687 00020: 8C 24 FB CF 68 15 B1 AF 65 FE 47 75 95 B4 97 59 2688 00030: 19 65 A5 00 58 0D 50 23 72 1B E9 90 E1 83 30 E9 2689 00040: 56 D8 34 F4 6F 0F 4D E6 20 53 A9 5C B5 F6 3C 14 2690 00050: 66 68 2B 8B DD 6E B2 7E DE C7 51 D6 2F 45 A5 45 2691 00060: 7F 4D 87 F9 CA E9 56 09 79 C4 FA FE 34 0B 45 34 2693 CFB-ACPKM-Master mode with AES-256 2694 ********************************** 2695 k = 256 2696 n = 128 2697 c for the CTR-ACPKM mode = 64 2698 N = 256 2699 T* = 512 2701 Initial key K: 2702 
00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2703 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2705 Initial vector IV: 2706 00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 2708 Plaintext P: 2709 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2710 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2711 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2712 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2713 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2714 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2715 00060: 55 66 77 88 99 AA BB CC 2717 K^1 | K^2 | K^3 | K^4 2718 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2719 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2720 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2721 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2722 00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2723 00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2724 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2725 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2727 Section_1 2729 K^1: 2730 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2731 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2733 Plaintext block P_1: 2734 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2736 Encrypted block E_{K^1}(C_0): 2737 00000: 1C 39 9D 59 F8 5D 91 91 A9 D2 12 9F 63 15 90 03 2739 Output block C_1 = E_{K^1}(C_0) (xor) P_1: 2740 00000: 0D 1B AE 1D AD 3B E6 91 56 3C CF 53 D8 BF 09 8B 2742 Plaintext block P_2: 2743 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2745 Encrypted block E_{K^1}(C_1): 2746 00000: 6B A2 C5 42 52 69 C6 0B 15 14 06 87 90 46 F6 2E 2748 Output block C_2 = E_{K^1}(C_1) (xor) P_2: 2749 00000: 6B B3 E7 71 16 3C A0 7C 9D 8D AC 3C 5C A8 09 24 2751 Section_2 2753 K^2: 2754 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2755 00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2757 
Plaintext block P_3: 2758 00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2760 Encrypted block E_{K^2}(C_2): 2761 00000: 95 45 5F DB C3 9E 0A 13 9F CB 10 F5 BD 79 A3 88 2763 Output block C_3 = E_{K^2}(C_2) (xor) P_3: 2764 00000: 84 67 6C 9F 96 F8 7D 9B 06 61 AB 39 53 86 A9 88 2766 Plaintext block P_4: 2767 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2768 Encrypted block E_{K^2}(C_3): 2769 00000: E0 AA 32 5D 80 A4 47 95 BA 42 BF 63 F8 4A C8 B2 2771 Output block C_4 = E_{K^2}(C_3) (xor) P_4: 2772 00000: C2 99 76 08 E6 D3 CF 0C 10 F9 73 8D 07 40 C8 A3 2774 Section_3 2776 K^3: 2777 00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2778 00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2780 Plaintext block P_5: 2781 00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2783 Encrypted block E_{K^3}(C_4): 2784 00000: FE 42 8C 70 C2 51 CE 13 36 C1 BF 44 F8 49 66 89 2786 Output block C_5 = E_{K^3}(C_4) (xor) P_5: 2787 00000: CD 06 D9 16 B5 D9 57 B9 8D 0D 51 BB F2 49 77 AB 2789 Plaintext block P_6: 2790 00000: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2792 Encrypted block E_{K^3}(C_5): 2793 00000: 01 24 80 87 86 18 A5 43 11 0A CC B5 0A E5 02 A3 2795 Output block C_6 = E_{K^3}(C_5) (xor) P_6: 2796 00000: 45 71 E6 F0 0E 81 0F F8 DD E4 33 BF 0A F4 20 90 2798 Section_4 2800 K^4: 2801 00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2802 00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2804 Plaintext block P_7: 2805 00000: 55 66 77 88 99 AA BB CC 2807 Encrypted block MSB_{|P_7|}(E_{K^4}(C_6)): 2808 00000: 97 5C 96 37 55 1E 8C 7F 2810 Output block C_7 = MSB_{|P_7|}(E_{K^4}(C_6)) (xor) P_7 2811 00000: C2 3A E1 BF CC B4 37 B3 2813 Cipher text C: 2814 00000: 0D 1B AE 1D AD 3B E6 91 56 3C CF 53 D8 BF 09 8B 2815 00010: 6B B3 E7 71 16 3C A0 7C 9D 8D AC 3C 5C A8 09 24 2816 00020: 84 67 6C 9F 96 F8 7D 9B 06 61 AB 39 53 86 A9 88 2817 00030: C2 99 76 08 E6 D3 CF 0C 10 F9 73 8D 07 40 C8 A3 2818 00040: CD 06 D9 16 B5 D9 57 B9 8D 0D 51 BB F2 49 77 
AB 2819 00050: 45 71 E6 F0 0E 81 0F F8 DD E4 33 BF 0A F4 20 90 2820 00060: C2 3A E1 BF CC B4 37 B3 2822 OMAC-ACPKM-Master mode with AES-256 2823 *********************************** 2824 k = 256 2825 n = 128 2826 c for the CTR-ACPKM mode = 64 2827 N = 256 2828 T* = 768 2830 Initial key K: 2831 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2832 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2834 Plaintext M: 2835 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2836 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2837 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2838 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2839 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2841 K^1 | K^1_1 | K^2 | K^2_1 | K^3 | K^3_1: 2842 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2843 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2844 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2845 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2846 00040: 9D CC 66 42 0D FF 45 5B 21 F3 93 F0 D4 D6 6E 67 2847 00050: BB 1B 06 0B 87 66 6D 08 7A 9D A7 49 55 C3 5B 48 2848 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2849 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2850 00080: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07 2852 Section_1 2854 K^1: 2855 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2856 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2858 K^1_1: 2859 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2860 Plaintext block M_1: 2861 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2863 Input block M_1 (xor) C_0: 2864 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2866 Output block C_1: 2867 00000: 0B A5 89 BF 55 C1 15 42 53 08 89 76 A0 FE 24 3E 2869 Plaintext block M_2: 2870 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2872 Input block M_2 (xor) C_1: 2873 00000: 0B B4 AB 8C 11 94 73 35 DB 91 23 CD 6C 10 DB 34 2875 Output block C_2: 2876 
00000: 1C 53 DD A3 6D DC E1 17 ED 1F 14 09 D8 6A F3 2C 2878 Section_2 2880 K^2: 2881 00000: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2882 00010: 9D CC 66 42 0D FF 45 5B 21 F3 93 F0 D4 D6 6E 67 2884 K^2_1: 2885 00000: BB 1B 06 0B 87 66 6D 08 7A 9D A7 49 55 C3 5B 48 2887 Plaintext block M_3: 2888 00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2890 Input block M_3 (xor) C_2: 2891 00000: 0D 71 EE E7 38 BA 96 9F 74 B5 AF C5 36 95 F9 2C 2893 Output block C_3: 2894 00000: 4E D4 BC A6 CE 6D 6D 16 F8 63 85 13 E0 48 59 75 2896 Plaintext block M_4: 2897 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2899 Input block M_4 (xor) C_3: 2900 00000: 6C E7 F8 F3 A8 1A E5 8F 52 D8 49 FD 1F 42 59 64 2902 Output block C_4: 2903 00000: B6 83 E3 96 FD 30 CD 46 79 C1 8B 24 03 82 1D 81 2905 Section_3 2907 K^3: 2909 00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2910 00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2912 K^3_1: 2913 00000: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07 2915 MSB1(K1) == 0 -> K2 = K1 << 1 2917 K1: 2918 00000: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07 2920 K2: 2921 00000: F0 43 8F 8E D9 7A F2 C6 AD 59 F1 1C D2 D4 00 0E 2923 Plaintext M_5: 2924 00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2926 Using K1, padding is not required 2928 Input block M_5 (xor) C_4: 2929 00000: FD E6 71 37 E6 05 2D 8F 94 A1 9D 55 60 E8 0C A4 2931 Output block C_5: 2932 00000: B3 AD B8 92 18 32 05 4C 09 21 E7 B8 08 CF A0 B8 2934 Message authentication code T: 2935 00000: B3 AD B8 92 18 32 05 4C 09 21 E7 B8 08 CF A0 B8 2937 Appendix B. 
Contributors 2939 o Russ Housley 2940 Vigil Security, LLC 2941 housley@vigilsec.com 2943 o Evgeny Alekseev 2944 CryptoPro 2945 alekseev@cryptopro.ru 2947 o Ekaterina Smyshlyaeva 2948 CryptoPro 2949 ess@cryptopro.ru 2951 o Shay Gueron 2952 University of Haifa, Israel 2953 Intel Corporation, Israel Development Center, Israel 2954 shay.gueron@gmail.com 2956 o Daniel Fox Franke 2957 Akamai Technologies 2958 dfoxfranke@gmail.com 2960 o Lilia Ahmetzyanova 2961 CryptoPro 2962 lah@cryptopro.ru 2964 Appendix C. Acknowledgments 2966 We thank Mihir Bellare, Scott Fluhrer, Dorothy Cooley, Yoav Nir, Jim 2967 Schaad, Paul Hoffman, Dmitry Belyavsky and Yaron Sheffer for their 2968 useful comments. 2970 Author's Address 2972 Stanislav Smyshlyaev (editor) 2973 CryptoPro 2974 18, Suschevsky val 2975 Moscow 127018 2976 Russian Federation 2978 Phone: +7 (495) 995-48-20 2979 Email: svs@cryptopro.ru
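   Worked check of the Appendix A.2.2 vectors.  The Go program below is
   an added example, not code from this draft or from its authors.  It
   recomputes the CTR-ACPKM-Master ciphertext C and the OMAC-ACPKM-Master
   tag T from the A.2.2 inputs using the standard-library AES, consuming
   the section keys K^i (and, for OMAC, K^i_1) exactly as they are listed
   in the vectors; the ACPKM-Master derivation that produces those keys is
   not reproduced.  Function and variable names are this example's own.
   Two details are assumptions rather than statements of the vectors: the
   CTR counter is taken to be the low 64 bits of the block (the vector
   only shows counters 0 to 6), and the K2 = dbl(K1) path for a partial
   final OMAC block uses the standard OMAC/CMAC constant Rb = 0x87 for
   n = 128, a path the page's vector does not exercise.  CBC-ACPKM-Master
   and CFB-ACPKM-Master switch keys on the same two-block section schedule
   and are left out for brevity.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const blockSize, sectionBlocks = 16, 2 // n = 128 bits; N = 256 bits = two blocks per section

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// Inputs copied from the Appendix A.2.2 vectors. Section keys are consumed as
// listed there; the ACPKM-Master derivation that produced them is not reproduced.
var (
	ivICN  = mustHex("1234567890ABCEF0A1B2C3D4E5F00112") // only the first n/2 bits enter the counter
	plainP = mustHex("1122334455667700FFEEDDCCBBAA998800112233445566778899AABBCCEEFF0A" +
		"112233445566778899AABBCCEEFF0A002233445566778899AABBCCEEFF0A0011" +
		"33445566778899AABBCCEEFF0A001122445566778899AABBCCEEFF0A00112233" +
		"5566778899AABBCCEEFF0A0011223344") // 112 bytes; the OMAC vector uses the first 80
	encKeys = mustHex("9F10BBF13A79FBBD4A4CA864C490746439FE506D4B869B2103A3B6A479283C60" + // K^1
		"77911750E0D177E59A13782BF18908D0AB6B59EE924905B3ABC7A4E3696576C3" + // K^2
		"E8762B308B08EBCE3E939AC2C03E76D4609AABD9153313D3CFD394E775DF3A94" + // K^3
		"F2EE91456BDC3DE4912C87C329CF31A92F202E5AC49A2A653133D6748C4FF912") // K^4
	macKeys = mustHex("9F10BBF13A79FBBD4A4CA864C490746439FE506D4B869B2103A3B6A479283C6077911750E0D177E59A13782BF18908D0" + // K^1 | K^1_1
		"AB6B59EE924905B3ABC7A4E3696576C39DCC66420DFF455B21F393F0D4D66E67BB1B060B87666D087A9DA74955C35B48" + // K^2 | K^2_1
		"F2EE91456BDC3DE4912C87C329CF31A92F202E5AC49A2A653133D6748C4FF9127821C7C76CBD796356ACF88E696A0007") // K^3 | K^3_1
)

// encryptBlock applies AES under the key of block j's section; key material is
// laid out with the given stride (32 for K^i alone, 48 for K^i | K^i_1).
func encryptBlock(material []byte, stride, j int, dst, src []byte) {
	off := (j / sectionBlocks) * stride // slicing panics once the message outruns the supplied keys
	c, err := aes.NewCipher(material[off : off+32])
	if err != nil {
		panic(err)
	}
	c.Encrypt(dst, src)
}

// xorInto writes a xor b over the common length of the slices (the MSB_|P| rule).
func xorInto(dst, a, b []byte) {
	for i := 0; i < len(dst) && i < len(a) && i < len(b); i++ {
		dst[i] = a[i] ^ b[i]
	}
}

// CTR-ACPKM-Master: block j is encrypted under K^(j/2+1) with counter block
// ICN[0:8] || str64(j), i.e. the CTR_1..CTR_7 blocks listed in the vector.
func ctrACPKMMaster(keys, icn, p []byte) []byte {
	out, ctr, g := make([]byte, len(p)), make([]byte, blockSize), make([]byte, blockSize)
	copy(ctr, icn[:8])
	for j, off := 0, 0; off < len(p); j, off = j+1, off+blockSize {
		binary.BigEndian.PutUint64(ctr[8:], uint64(j)) // assumption: the low 64 bits count up
		encryptBlock(keys, 32, j, g, ctr)
		xorInto(out[off:], p[off:], g)
	}
	return out
}

// dbl is the OMAC subkey step K2 = K1 << 1, xor Rb = 0x87 on carry-out (n = 128);
// the page's vector only exercises the K1 path, so Rb is a standard-CMAC assumption.
func dbl(k1 []byte) []byte {
	k2, carry := make([]byte, blockSize), byte(0)
	for i := blockSize - 1; i >= 0; i-- {
		k2[i], carry = k1[i]<<1|carry, k1[i]>>7
	}
	k2[blockSize-1] ^= 0x87 * carry
	return k2
}

// OMAC-ACPKM-Master: CBC-MAC chain from C_0 = 0^n under K^i; the final block is
// XORed with K1 = K^i_1 when full, else 10*-padded and XORed with K2 = dbl(K1).
func omacACPKMMaster(material, m []byte) []byte {
	c := make([]byte, blockSize)
	for j, off, last := 0, 0, false; !last; j, off = j+1, off+blockSize {
		blk := make([]byte, blockSize)
		n := copy(blk, m[off:])
		if last = off+blockSize >= len(m); last {
			k1 := material[(j/sectionBlocks)*48+32:][:blockSize]
			if n < blockSize { // partial (or empty) final block
				blk[n], k1 = 0x80, dbl(k1)
			}
			xorInto(blk, blk, k1)
		}
		xorInto(blk, blk, c)
		encryptBlock(material, 48, j, c, blk)
	}
	return c
}

func main() {
	fmt.Printf("CTR-ACPKM-Master  C = %X\n", ctrACPKMMaster(encKeys, ivICN, plainP))
	fmt.Printf("OMAC-ACPKM-Master T = %X\n", omacACPKMMaster(macKeys, plainP[:80]))
}
```

   Running the program prints the 112-byte ciphertext and the 16-byte
   tag, which can be compared against "The result ciphertext C" and
   "Message authentication code T" above.  Both functions index the key
   material by j / 2, so a message longer than the supplied section keys
   allow (here 4 x N bits for CTR, 3 x N bits for OMAC) panics instead of
   silently reusing a section key; a real implementation would derive
   further K^i from the master key before continuing.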