idnits 2.17.1 draft-irtf-cfrg-re-keying-13.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** There are 18 instances of too long lines in the document, the longest one being 10 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (August 17, 2018) is 2072 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '1' on line 1325 == Missing Reference: '2t' is mentioned on line 1298, but not defined ** Obsolete normative reference: RFC 6347 (ref. 'DTLS') (Obsoleted by RFC 9147) ** Obsolete normative reference: RFC 5246 (ref. 'TLS') (Obsoleted by RFC 8446) Summary: 4 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 CFRG S. Smyshlyaev, Ed. 3 Internet-Draft CryptoPro 4 Intended status: Informational August 17, 2018 5 Expires: February 18, 2019 7 Re-keying Mechanisms for Symmetric Keys 8 draft-irtf-cfrg-re-keying-13 10 Abstract 12 A certain maximum amount of data can be safely encrypted when 13 encryption is performed under a single key. This amount is called 14 "key lifetime". This specification describes a variety of methods to 15 increase the lifetime of symmetric keys. It provides two types of 16 re-keying mechanisms based on hash functions and on block ciphers, 17 that can be used with modes of operations such as CTR, GCM, CBC, CFB 18 and OMAC. 20 This document is a product of the Crypto Forum Research Group (CFRG) 21 in the IRTF. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on February 18, 2019. 40 Copyright Notice 42 Copyright (c) 2018 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (https://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 58 2. Conventions Used in This Document . . . . . . . . . . . . . . 6 59 3. Basic Terms and Definitions . . . . . . . . . . . . . . . . . 6 60 4. Choosing Constructions and Security Parameters . . . . . . . 8 61 5. External Re-keying Mechanisms . . . . . . . . . . . . . . . . 10 62 5.1. Methods of Key Lifetime Control . . . . . . . . . . . . . 13 63 5.2. Parallel Constructions . . . . . . . . . . . . . . . . . 13 64 5.2.1. Parallel Construction Based on a KDF on a Block 65 Cipher . . . . . . . . . . . . . . . . . . . . . . . 14 66 5.2.2. Parallel Construction Based on a KDF on a Hash 67 Function . . . . . . . . . . . . . . . . . . . . . . 14 68 5.2.3. Tree-based Construction . . . . . . . . . . . . . . . 15 69 5.3. Serial Constructions . . . . . . . . . . . . . . . . . . 16 70 5.3.1. Serial Construction Based on a KDF on a Block Cipher 17 71 5.3.2. Serial Construction Based on a KDF on a Hash Function 18 72 5.4. Using Additional Entropy during Re-keying . . . . . . . . 18 73 6. Internal Re-keying Mechanisms . . . . . . . . . . . . . . . . 19 74 6.1. Methods of Key Lifetime Control . . . . . . . . . . . . . 21 75 6.2. Constructions that Do Not Require Master Key . . . . . . 22 76 6.2.1. ACPKM Re-keying Mechanisms . . . . . . . . . . . . . 22 77 6.2.2. CTR-ACPKM Encryption Mode . . . . . . . . . . . . . . 24 78 6.2.3. GCM-ACPKM Authenticated Encryption Mode . . . . . . . 26 79 6.3. Constructions that Require Master Key . . . . . . . . . . 28 80 6.3.1. ACPKM-Master Key Derivation from the Master Key . . . 28 81 6.3.2. CTR-ACPKM-Master Encryption Mode . . . . . . . . . . 30 82 6.3.3. GCM-ACPKM-Master Authenticated Encryption Mode . . . 32 83 6.3.4. CBC-ACPKM-Master Encryption Mode . . . . . . . . . . 34 84 6.3.5. CFB-ACPKM-Master Encryption Mode . . . . . . . . . . 37 85 6.3.6. OMAC-ACPKM-Master Authentication Mode . . . . . . . . 39 86 7. Joint Usage of External and Internal Re-keying . . . . . . . 40 87 8. Security Considerations . . . . . . . . . . . . . . . . . . . 41 88 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 42 89 9.1. Normative References . . . . . . . . . . . . . . . . . . 42 90 9.2. Informative References . . . . . . . . . . . . . . . . . 43 91 Appendix A. Test Examples . . . . . . . . . . . . . . . . . . . 45 92 A.1. Test Examples for External Re-keying . . . . . . . . . . 45 93 A.1.1. External Re-keying with a Parallel Construction . . . 45 94 A.1.2. External Re-keying with a Serial Construction . . . . 47 95 A.2. Test Examples for Internal Re-keying . . . . . . . . . . 50 96 A.2.1. Internal Re-keying Mechanisms that Do Not Require 97 Master Key . . . . . . . . . . . . . . . . . . . . . 50 98 A.2.2. Internal Re-keying Mechanisms with a Master Key . . . 54 99 Appendix B. Contributors . . . . . . . . . . . . . . . . . . . . 66 100 Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 67 101 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 67 103 1. Introduction 105 A certain maximum amount of data can be safely encrypted when 106 encryption is performed under a single key. Hereinafter this amount 107 will be referred to as "key lifetime". The key lifetime can be 108 calculated from the following considerations: 110 1. Methods based on the combinatorial properties of the used block 111 cipher mode of operation 113 These methods do not depend on the underlying block cipher. 114 Common modes restrictions derived from such methods are of order 115 2^{n/2}, where n is a block size defined in Section 3. [Sweet32] 116 is an example of attack that is based on such methods. 118 2. Methods based on side-channel analysis issues 120 In most cases these methods do not depend on the used encryption 121 modes and weakly depend on the used block cipher features. 122 Limitations resulting from these considerations are usually the 123 most restrictive ones. [TEMPEST] is an example of attack that is 124 based on such methods. 126 3. Methods based on the properties of the used block cipher 128 The most common methods of this type are linear and differential 129 cryptanalysis [LDC]. In most cases these methods do not depend on 130 the used modes of operation. In case of secure block ciphers, 131 bounds resulting from such methods are roughly the same as the 132 natural bounds of 2^n, and are dominated by the other bounds 133 above. Therefore, they can be excluded from the considerations 134 here. 136 As a result, it is important to replace a key as soon as the total 137 size of the processed plaintext under that key reaches the lifetime 138 limitation. A specific value of the key lifetime should be 139 determined in accordance with some safety margin for protocol 140 security and the methods outlined above. 142 Suppose L is a key lifetime limitation in some protocol P. For 143 simplicity, assume that all messages have the same length m. Hence, 144 the number of messages q that can be processed with a single key K 145 should be such that m * q <= L. This can be depicted graphically as 146 a rectangle with sides m and q which is enclosed by area L (see 147 Figure 1). 149 +------------------------+ 150 | L | 151 | +--------m---------+ | 152 | |==================| | 153 | |==================| | 154 | q==================| | m * q <= L 155 | |==================| | 156 | |==================| | 157 | +------------------+ | 158 +------------------------+ 160 Figure 1: Graphic display of the key lifetime limitation 162 In practice, such amount of data that corresponds to limitation L may 163 not be enough. The simplest and obvious way in this situation is a 164 regular renegotiation of an initial key after processing this 165 threshold amount of data L. However, this reduces the total 166 performance, since it usually entails termination of application data 167 transmission, additional service messages, the use of random number 168 generator and many other additional calculations, including resource- 169 intensive public key cryptography. 171 For the protocols based on block ciphers or stream ciphers a more 172 efficient way to increasing the key lifetime is to use various re- 173 keying mechanisms. This specification considers only the case of re- 174 keying mechanisms for block ciphers, while re-keying mechanisms 175 typical for stream ciphers (e.g., [Pietrzak2009], [FPS2012]) case go 176 beyond the scope of this document. 178 Re-keying mechanisms can be applied on the different protocol levels: 179 on the block cipher level (this approach is known as fresh re-keying 180 and is described, for instance, in [FRESHREKEYING]), on the block 181 cipher mode of operation level (see Section 6), on the protocol level 182 above the block cipher mode of operation (see Section 5). The usage 183 of the first approach is highly inefficient due to the key changing 184 after processing each message block. Moreover, fresh re-keying 185 mechanisms can change the block cipher internal structure, and, 186 consequently, can require the additional security analysis for each 187 particular block cipher. As a result, this approach depends on 188 particular primitive properties and can not be applied to any block 189 cipher, therefore, fresh re-keying mechanisms go beyond the scope of 190 this document. 192 Thus, this document contains the list of recommended re-keying 193 mechanisms that can be used in the symmetric encryption schemes based 194 on the block ciphers. These mechanisms are independent from the 195 particular block cipher specification and their security properties 196 rely only on the standard block cipher security assumption. 198 This specification presents two basic approaches to extend the 199 lifetime of a key while avoiding renegotiation that were introduced 200 in [AAOS2017]: 202 1. External re-keying 204 External re-keying is performed by a protocol, and it is 205 independent of the underlying block cipher and the mode of 206 operation. External re-keying can use parallel and serial 207 constructions. In the parallel case, data processing keys K^1, 208 K^2, ... are generated directly from the initial key K 209 independently of each other. In the serial case, every data 210 processing key depends on the state that is updated after the 211 generation of each new data processing key. 213 As a generalization of external parallel re-keying an external 214 tree-based mechanism can be considered. It is specified in the 215 Section 5.2.3 and can be viewed as the [GGM] tree generalization. 216 Similar constructions are used in the one-way tree mechanism 217 ([OWT]) and [AESDUKPT] standard. 219 2. Internal re-keying 221 Internal re-keying is built into the mode, and it depends heavily 222 on the properties of the mode of operation and the block size. 224 The re-keying approaches extend the key lifetime for a single initial 225 key by providing the possibility to limit the leakages (via side 226 channels) and by improving combinatorial properties of the used block 227 cipher mode of operation. 229 In practical applications, re-keying can be useful for protocols that 230 need to operate in hostile environments or under restricted resource 231 conditions (e.g., that require lightweight cryptography, where 232 ciphers have a small block size, that imposes strict combinatorial 233 limitations). Moreover, mechanisms that use external and internal 234 re-keying may provide some properties of forward security and 235 potentially some protection against future attacks (by limiting the 236 number of plaintext-ciphertext pairs that an adversary can collect). 238 External and internal re-keying can be used in network protocols as 239 well as in the systems for data-at-rest encryption. 241 Depending on the concrete protocol characteristics there might be 242 situations in which both external and internal re-keying mechanisms 243 (see Section 7) can be applied. For example, the similar approach 244 was used in the Taha's tree construction (see [TAHA]). 246 It is worthwhile to say that the re-keying mechanisms recommended in 247 this document are targeted to provide PFS property and are not 248 suitable for the cases when this property should be omitted in favor 249 of performance characteristics, side leakage resilience or some other 250 properties. The another re-keying approach is key updating (key 251 regression) algorithms (e.g., [FKK2005] and [KMNT2003]), but they 252 pursue the goal different from increasing key lifetime and the 253 absence of PFS property is the base claim of this approach. 254 Therefore, key regression algorithms are excluded from the 255 considerations here. 257 2. Conventions Used in This Document 259 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 260 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 261 document are to be interpreted as described in [RFC2119]. 263 3. Basic Terms and Definitions 265 This document uses the following terms and definitions for the sets 266 and operations on the elements of these sets: 268 V* the set of all bit strings of a finite length (hereinafter 269 referred to as strings), including the empty string; 271 V_s the set of all bit strings of length s, where s is a non- 272 negative integer; 274 |X| the bit length of the bit string X; 276 A | B concatenation of strings A and B both belonging to V*, i.e., 277 a string in V_{|A|+|B|}, where the left substring in V_|A| is 278 equal to A, and the right substring in V_|B| is equal to B; 280 (xor) exclusive-or of two bit strings of the same length; 282 Z_{2^n} ring of residues modulo 2^n; 284 Int_s: V_s -> Z_{2^s} the transformation that maps a string a = 285 (a_s, ... , a_1) in V_s into the integer Int_s(a) = 2^{s-1} * 286 a_s + ... + 2 * a_2 + a_1 (the interpretation of the binary 287 string as an integer); 289 Vec_s: Z_{2^s} -> V_s the transformation inverse to the mapping 290 Int_s (the interpretation of an integer as a binary string); 292 MSB_i: V_s -> V_i the transformation that maps the string a = (a_s, 293 ... , a_1) in V_s into the string MSB_i(a) = (a_s, ... , 294 a_{s-i+1}) in V_i (most significant bits); 296 LSB_i: V_s -> V_i the transformation that maps the string a = (a_s, 297 ... , a_1) in V_s into the string LSB_i(a) = (a_i, ... , a_1) 298 in V_i (least significant bits); 300 Inc_c: V_s -> V_s the transformation that maps the string a = (a_s, 301 ... , a_1) in V_s into the string Inc_c(a) = MSB_{|a|-c}(a) | 302 Vec_c(Int_c(LSB_c(a)) + 1(mod 2^c)) in V_s (incrementing the 303 least significant c bits of the bit string, regarded as the 304 binary representation of an integer); 306 a^s the string in V_s that consists of s 'a' bits; 308 E_{K}: V_n -> V_n the block cipher permutation under the key K in 309 V_k; 311 ceil(x) the smallest integer that is greater than or equal to x; 313 floor(x) the biggest integer that is less than or equal to x; 315 k the bit-length of the K; k is assumed to be divisible by 8; 317 n the block size of the block cipher (in bits); n is assumed to 318 be divisible by 8; 320 b the number of data blocks in the plaintext P (b = 321 ceil(|P|/n)); 323 N the section size (the number of bits that are processed with 324 one section key before this key is transformed). 326 A plaintext message P and the corresponding ciphertext C are divided 327 into b = ceil(|P|/n) blocks, denoted P = P_1 | P_2 | ... | P_b and C 328 = C_1 | C_2 | ... | C_b, respectively. The first b-1 blocks P_i and 329 C_i are in V_n, for i = 1, 2, ... , b-1. The b-th blocks P_b, C_b 330 may be an incomplete blocks, i.e., in V_r, where r <= n if not 331 otherwise specified. 333 4. Choosing Constructions and Security Parameters 335 External re-keying is an approach assuming that a key is transformed 336 after encrypting a limited number of entire messages. External re- 337 keying method is chosen at the protocol level, regardless of the 338 underlying block cipher or the encryption mode. External re-keying 339 is recommended for protocols that process relatively short messages 340 or for protocols that have a way to divide a long message into 341 manageable pieces. Through external re-keying the number of messages 342 that can be securely processed with a single initial key K is 343 substantially increased without loss in message length. 345 External re-keying has the following advantages: 347 1. it increases the lifetime of an initial key by increasing the 348 number of messages processed with this key; 350 2. it has negligible affect on the performance, when the number of 351 messages processed under one initial key is sufficiently large; 353 3. it provides forward and backward security of data processing 354 keys. 356 However, the use of external re-keying has the following 357 disadvantage: in case of restrictive key lifetime limitations the 358 message sizes can become inconvenient due to impossibility of 359 processing sufficiently large messages, so it could be necessary to 360 perform additional fragmentation at the protocol level. E.g. if the 361 key lifetime L is 1 GB and the message length m = 3 GB, then this 362 message cannot be processed as a whole and it should be divided into 363 three fragments that will be processed separately. 365 Internal re-keying is an approach assuming that a key is transformed 366 during each separate message processing. Such procedures are 367 integrated into the base modes of operations, so every internal re- 368 keying mechanism is defined for the particular operation mode and the 369 block size of the used cipher. Internal re-keying is recommended for 370 protocols that process long messages: the size of each single message 371 can be substantially increased without loss in number of messages 372 that can be securely processed with a single initial key. 374 Internal re-keying has the following advantages: 376 1. it increases the lifetime of an initial key by increasing the 377 size of the messages processed with one initial key; 379 2. it has minimal impact on performance; 380 3. internal re-keying mechanisms without a master key does not 381 affect short messages transformation at all; 383 4. it is transparent (works like any mode of operation): does not 384 require changes of IV's and restarting MACing. 386 However, the use of internal re-keying has the following 387 disadvantages: 389 1. a specific method must not be chosen independently of a mode of 390 operation; 392 2. internal re-keying mechanisms without a master key do not provide 393 backward security of data processing keys. 395 Any block cipher modes of operations with internal re-keying can be 396 jointly used with any external re-keying mechanisms. Such joint 397 usage increases both the number of messages processed with one 398 initial key and their maximum possible size. 400 If the adversary has access to the data processing interface the use 401 of the same cryptographic primitives both for data processing and re- 402 keying transformation decreases the code size but can lead to some 403 possible vulnerabilities (the possibility of mounting a chosen- 404 plaintext attack may lead to the compromise of the following keys). 405 This vulnerability can be eliminated by using different primitives 406 for data processing and re-keying, e.g., block cipher for data 407 processing and hash for re-keying (see Section 5.2.2 and 408 Section 5.3.2). However, in this case the security of the whole 409 scheme cannot be reduced to standard notions like PRF or PRP, so 410 security estimations become more difficult and unclear. 412 Summing up the above-mentioned issues briefly: 414 1. If a protocol assumes processing long records (e.g., [CMS]), 415 internal re-keying should be used. If a protocol assumes 416 processing a significant amount of ordered records, which can be 417 considered as a single data stream (e.g., [TLS], [SSH]), internal 418 re-keying may also be used. 420 2. For protocols which allow out-of-order delivery and lost records 421 (e.g., [DTLS], [ESP]) external re-keying should be used as in 422 this case records cannot be considered as a single data stream. 423 If at the same time records are long enough, internal re-keying 424 should be additionally used during each separate message 425 processing. 427 For external re-keying: 429 1. If it is desirable to separate transformations used for data 430 processing and for key update, hash function based re-keying 431 should be used. 433 2. If parallel data processing is required, then parallel external 434 re-keying should be used. 436 3. In case of restrictive key lifetime limitations external tree- 437 based re-keying should be used. 439 For internal re-keying: 441 1. If the property of forward and backward security is desirable for 442 data processing keys and if additional key material can be easily 443 obtained for the data processing stage, internal re-keying with a 444 master key should be used. 446 5. External Re-keying Mechanisms 448 This section presents an approach to increase the initial key 449 lifetime by using a transformation of a data processing key (frame 450 key) after processing a limited number of entire messages (frame). 451 It provides external parallel and serial re-keying mechanisms (see 452 [AbBell]). These mechanisms use initial key K only for frame keys 453 generation and never use it directly for data processing. Such 454 mechanisms operate outside of the base modes of operations and do not 455 change them at all, therefore they are called "external re-keying" 456 mechanisms in this document. 458 External re-keying mechanisms are recommended for usage in protocols 459 that process quite small messages, since the maximum gain in 460 increasing the initial key lifetime is achieved by increasing the 461 number of messages. 463 External re-keying increases the initial key lifetime through the 464 following approach. Suppose there is a protocol P with some mode of 465 operation (base encryption or authentication mode). Let L1 be a key 466 lifetime limitation induced by side-channel analysis methods (side- 467 channel limitation), let L2 be a key lifetime limitation induced by 468 methods based on the combinatorial properties of a used mode of 469 operation (combinatorial limitation) and let q1, q2 be the total 470 numbers of messages of length m, that can be safely processed with an 471 initial key K according to these limitations. 473 Let L = min(L1, L2), q = min (q1, q2), q * m <= L. As L1 limitation 474 is usually much stronger than L2 limitation (L1 < L2), the final key 475 lifetime restriction is equal to the most restrictive limitation L1. 477 Thus, as displayed in Figure 2, without re-keying only q1 (q1 * m <= 478 L1) messages can be safely processed. 480 <--------m-------> 481 +----------------+ ^ ^ 482 |================| | | 483 |================| | | 484 K-->|================| q1| 485 |================| | | 486 |==============L1| | | 487 +----------------+ v | 488 | | | 489 | | | 490 | | q2 491 | | | 492 | | | 493 | | | 494 | | | 495 | | | 496 | | | 497 | | | 498 | | | 499 | L2| | 500 +----------------+ v 502 Figure 2: Basic principles of message processing without external re-keying 504 Suppose that the safety margin for the protocol P is fixed and the 505 external re-keying approach is applied to the initial key K to 506 generate the sequence of frame keys. The frame keys are generated in 507 such a way that the leakage of a previous frame key does not have any 508 impact on the following one, so the side channel limitation L1 goes 509 off. Thus, the resulting key lifetime limitation of the initial key 510 K can be calculated on the basis of a new combinatorial limitation 511 L2'. It is proven (see [AbBell]) that the security of the mode of 512 operation that uses external re-keying leads to an increase when 513 compared to base mode without re-keying (thus, L2 < L2'). Hence, as 514 displayed in Figure 3, the resulting key lifetime limitation in case 515 of using external re-keying can be increased up to L2'. 517 <--------m-------> 518 K +----------------+ 519 | |================| 520 v |================| 521 K^1--> |================| 522 | |================| 523 | |==============L1| 524 | +----------------+ 525 | |================| 526 v |================| 527 K^2--> |================| 528 | |================| 529 | |==============L1| 530 | +----------------+ 531 | |================| 532 v |================| 533 ... | . . . | 534 | | 535 | | 536 | L2| 537 +----------------+ 538 | | 539 ... ... 540 | L2'| 541 +----------------+ 543 Figure 3: Basic principles of message processing with external re-keying 545 Note: the key transformation process is depicted in a simplified 546 form. A specific approach (parallel and serial) is described below. 548 Consider an example. Let the message size in a protocol P be equal 549 to 1 KB. Suppose L1 = 128 MB and L2 = 1 TB. Thus, if an external 550 re-keying mechanism is not used, the initial key K must be 551 renegotiated after processing 128 MB / 1 KB = 131072 messages. 553 If an external re-keying mechanism is used, the key lifetime 554 limitation L1 goes off. Hence the resulting key lifetime limitation 555 L2' can be set to more then 1 TB. Thus if an external re-keying 556 mechanism is used, more then 1 TB / 1 KB = 2^30 messages can be 557 processed before the initial key K is renegotiated. This is 8192 558 times greater than the number of messages that can be processed, when 559 external re-keying mechanism is not used. 561 5.1. Methods of Key Lifetime Control 563 Suppose L is an amount of data that can be safely processed with one 564 frame key. For i in {1, 2, ... , t} the frame key K^i (see Figure 4 565 and Figure 5) should be transformed after processing q_i messages, 566 where q_i can be calculated in accordance with one of the following 567 approaches: 569 Explicit approach: 571 q_i is such that |M^{i,1}| + ... + |M^{i,q_i}| <= L, |M^{i,1}| + 572 ... + |M^{i,q_i+1}| > L. 573 This approach allows to use the frame key K^i in almost optimal 574 way but it can be applied only in case when messages cannot be 575 lost or reordered (e.g., TLS records). 577 Implicit approach: 579 q_i = L / m_max, i = 1, ... , t. 580 The amount of data processed with one frame key K^i is calculated 581 under the assumption that every message has the maximum length 582 m_max. Hence this amount can be considerably less than the key 583 lifetime limitation L. On the other hand, this approach can be 584 applied in case when messages may be lost or reordered (e.g., DTLS 585 records). 587 Dynamic key changes: 589 We can organize the key change using the Protected Point to Point 590 ([P3]) solution by building a protected tunnel between the 591 endpoints in which the information about frame key updating can be 592 safely passed across. This can be useful, for example, when we 593 wish the adversary not to detect the key change during the 594 protocol evaluation. 596 5.2. Parallel Constructions 598 External parallel re-keying mechanisms generate frame keys K^1, K^2, 599 ... directly from the initial key K independently of each other. 601 The main idea behind external re-keying with a parallel construction 602 is presented in Figure 4: 604 Maximum message size = m_max. 605 _____________________________________________________________ 607 m_max 608 <----------------> 609 M^{1,1} |=== | 610 M^{1,2} |=============== | 611 +->K^1--> ... ... 612 | M^{1,q_1} |======== | 613 | 614 | 615 | M^{2,1} |================| 616 | M^{2,2} |===== | 617 K-----|->K^2--> ... ... 618 | M^{2,q_2} |========== | 619 | 620 ... 621 | M^{t,1} |============ | 622 | M^{t,2} |============= | 623 +->K^t--> ... ... 624 M^{t,q_t} |========== | 626 _____________________________________________________________ 628 Figure 4: External parallel re-keying mechanisms 630 The frame key K^i, i = 1, ... , t-1, is updated after processing a 631 certain amount of messages (see Section 5.1). 633 5.2.1. Parallel Construction Based on a KDF on a Block Cipher 635 ExtParallelC re-keying mechanism is based on the key derivation 636 function on a block cipher and is used to generate t frame keys as 637 follows: 639 K^1 | K^2 | ... | K^t = ExtParallelC(K, t * k) = MSB_{t * 640 k}(E_{K}(Vec_n(0)) | 641 E_{K}(Vec_n(1)) | ... | E_{K}(Vec_n(R - 1))), 643 where R = ceil(t * k/n). 645 5.2.2. Parallel Construction Based on a KDF on a Hash Function 647 ExtParallelH re-keying mechanism is based on the key derivation 648 function HKDF-Expand, described in [RFC5869], and is used to generate 649 t frame keys as follows: 651 K^1 | K^2 | ... | K^t = ExtParallelH(K, t * k) = HKDF-Expand(K, 652 label, t * k), 654 where label is a string (may be a zero-length string) that is defined 655 by a specific protocol. 657 5.2.3. Tree-based Construction 659 The application of external tree-based mechanism leads to the 660 construction of the key tree with the initial key K (root key) at the 661 0-level and the frame keys K^1, K^2, ... at the last level as 662 described in Figure 6. 664 K_root = K 665 ___________|___________ 666 | ... | 667 V V 668 K{1,1} K{1,W1} 669 ______|______ ______|______ 670 | ... | | ... | 671 V V V V 672 K{2,1} K{2,W2} K{2,(W1-1)*W2+1} K{2,W1*W2} 673 __|__ __|__ __|__ __|__ 674 | ... | | ... | | ... | | ... | 675 V V V V V V V V 676 K{3,1} ... ... ... ... ... ... K{3,W1*W2*W3} 678 ... ... 679 __|__ ... __|__ 680 | ... | | ... | 681 V V V V 682 K{h,1} K{h,Wh} K{h,(W1*...*W{h-1}-1)*Wh+1} K{h,W1*...*Wh} 683 // \\ // \\ 684 K^1 K^{Wh} K^{(W1*...*W{h-1}-1)*Wh+1} K^{W1*...*Wh} 685 _______________________________________________________________________ 687 Figure 6: External Tree-based Mechanism 689 The tree height h and the number of keys Wj, j in {1, ... , h}, which 690 can be partitioned from "parent" key, are defined in accordance with 691 a specific protocol and key lifetime limitations for the used 692 derivation functions. 694 Each j-level key K{j,w}, where j in {1, ... , h}, w in {1, ... , W1 * 695 ... * Wj}, is derived from the (j-1)-level "parent" key K{j-1,ceil(w/ 696 Wi)} (and other appropriate input data) using the j-th level 697 derivation function that can be based on the block cipher function or 698 on the hash function and that is defined in accordance with a 699 specific protocol. 701 The i-th frame K^i, i in {1, 2, ... , W1*...*Wh}, can be calculated 702 as follows: 704 K^i = ExtKeyTree(K, i) = KDF_h(KDF_{h-1}(... KDF_1(K, ceil(i / (W2 705 * ... * Wh)) ... , ceil(i / Wh)), i), 707 where KDF_j is the j-th level derivation function that takes two 708 arguments (the parent key value and the integer in range from 1 to W1 709 * ... * Wj) and outputs the j-th level key value. 711 The frame key K^i is updated after processing a certain amount of 712 messages (see Section 5.1). 714 In order to create an efficient implementation, during frame key K^i 715 generation the derivation functions KDF_j, j in {1, ... , h-1}, 716 should be used only in case when ceil(i / (W{j+1} * ... * Wh)) != 717 ceil((i - 1) / (W{j+1} * ... * Wh)); otherwise it is necessary to use 718 previously generated value. This approach also makes it possible to 719 take countermeasures against side channels attacks. 721 Consider an example. Suppose h = 3, W1 = W2 = W3 = W and KDF_1, 722 KDF_2, KDF_3 are key derivation functions based on the 723 KDF_GOSTR3411_2012_256 (hereafter simply KDF) function described in 724 [RFC7836]. The resulting ExtKeyTree function can be defined as 725 follows: 727 ExtKeyTree(K, i) = KDF(KDF(KDF(K, "level1", ceil(i / W^2)), 728 "level2", ceil(i / W)), "level3", i). 730 where i in {1, 2, ... , W^3}. 732 The structure similar to external tree-based mechanism can be found 733 in Section 6 of [NISTSP800-108]. 735 5.3. Serial Constructions 737 External serial re-keying mechanisms generate frame keys, each of 738 which depends on the secret state (K*_1, K*_2, ..., see Figure 5) 739 that is updated after the generation of each new frame key. Similar 740 approaches are used in the [SIGNAL] protocol, in the [TLSDraft] 741 updating traffic keys mechanism and were proposed for use in the 742 [U2F] protocol. 744 External serial re-keying mechanisms have the obvious disadvantage of 745 the impossibility to be implemented in parallel, but they can be 746 preferred if additional forward secrecy is desirable: in case all 747 keys are securely deleted after usage, compromise of a current secret 748 state at some time does not lead to a compromise of all previous 749 secret states and frame keys. In terms of [TLSDraft], compromise of 750 application_traffic_secret_N does not compromise all previous 751 application_traffic_secret_i, i < N. 753 The main idea behind external re-keying with a serial construction is 754 presented in Figure 5: 756 Maximum message size = m_max. 757 _____________________________________________________________ 758 m_max 759 <----------------> 760 M^{1,1} |=== | 761 M^{1,2} |=============== | 762 K*_1 = K --->K^1--> ... ... 763 | M^{1,q_1} |======== | 764 | 765 | 766 | M^{2,1} |================| 767 v M^{2,2} |===== | 768 K*_2 ------->K^2--> ... ... 769 | M^{2,q_2} |========== | 770 | 771 ... 772 | M^{t,1} |============ | 773 v M^{t,2} |============= | 774 K*_t ------->K^t--> ... ... 775 M^{t,q_t} |========== | 777 _____________________________________________________________ 779 Figure 5: External serial re-keying mechanisms 781 The frame key K^i, i = 1, ... , t - 1, is updated after processing a 782 certain amount of messages (see Section 5.1). 784 5.3.1. Serial Construction Based on a KDF on a Block Cipher 786 The frame key K^i is calculated using ExtSerialC transformation as 787 follows: 789 K^i = ExtSerialC(K, i) = 790 MSB_k(E_{K*_i}(Vec_n(0)) |E_{K*_i}(Vec_n(1)) | ... | 791 E_{K*_i}(Vec_n(J - 1))), 793 where J = ceil(k / n), i = 1, ... , t, K*_i is calculated as follows: 795 K*_1 = K, 797 K*_{j+1} = MSB_k(E_{K*_j}(Vec_n(J)) | E_{K*_j}(Vec_n(J + 1)) | 798 ... | 799 E_{K*_j}(Vec_n(2 * J - 1))), 801 where j = 1, ... , t - 1. 803 5.3.2. Serial Construction Based on a KDF on a Hash Function 805 The frame key K^i is calculated using ExtSerialH transformation as 806 follows: 808 K^i = ExtSerialH(K, i) = HKDF-Expand(K*_i, label1, k), 810 where i = 1, ... , t, HKDF-Expand is the HMAC-based key derivation 811 function, described in [RFC5869], K*_i is calculated as follows: 813 K*_1 = K, 815 K*_{j+1} = HKDF-Expand(K*_j, label2, k), where j = 1, ... , t - 1, 817 where label1 and label2 are different strings from V* that are 818 defined by a specific protocol (see, for example, TLS 1.3 updating 819 traffic keys algorithm [TLSDraft]). 821 5.4. Using Additional Entropy during Re-keying 823 In many cases using additional entropy during re-keying won't 824 increase security, but may give a false sense of that, therefore one 825 can rely on additional entropy only after conducting a deep security 826 analysis. For example, good PRF constructions do not require 827 additional entropy for the quality of keys, so in most cases there is 828 no need for using additional entropy with external re-keying 829 mechanisms based on secure KDFs. However, in some situations mixed- 830 in entropy can still increase security in the case of a time-limited 831 but complete breach of the system, when an adversary can access the 832 frame keys generation interface, but cannot reveal master keys (e.g., 833 when master keys are stored in an HSM). 835 For example, an external parallel construction based on a KDF on a 836 Hash function with a mixed-in entropy can be described as follows: 838 K^i = HKDF-Expand(K, label_i, k), 840 where label_i is additional entropy that must be sent to the 841 recipient (e.g., be sent jointly with encrypted message). The 842 entropy label_i and the corresponding key K^i must be generated 843 directly before message processing. 845 6. Internal Re-keying Mechanisms 847 This section presents an approach to increase the key lifetime by 848 using a transformation of a data processing key (section key) during 849 each separate message processing. Each message is processed starting 850 with the same key (the first section key) and each section key is 851 updated after processing N bits of message (section). 853 This section provides internal re-keying mechanisms called ACPKM 854 (Advanced Cryptographic Prolongation of Key Material) and ACPKM- 855 Master that do not use a master key and use a master key 856 respectively. Such mechanisms are integrated into the base modes of 857 operation and actually form new modes of operation, therefore they 858 are called "internal re-keying" mechanisms in this document. 860 Internal re-keying mechanisms are recommended to be used in protocols 861 that process large single messages (e.g., CMS messages), since the 862 maximum gain in increasing the key lifetime is achieved by increasing 863 the length of a message, while it provides almost no increase in the 864 number of messages that can be processed with one initial key. 866 Internal re-keying increases the key lifetime through the following 867 approach. Suppose protocol P uses some base mode of operation. Let 868 L1 and L2 be a side channel and combinatorial limitations 869 respectively and for some fixed amount of messages q let m1, m2 be 870 the lengths of messages, that can be safely processed with a single 871 initial key K according to these limitations. 873 Thus, by analogy with the Section 5 without re-keying the final key 874 lifetime restriction, as displayed in Figure 7, is equal to L1 and 875 only q messages of the length m1 can be safely processed. 877 K 878 | 879 v 880 ^ +----------------+------------------------------------+ 881 | |==============L1| L2| 882 | |================| | 883 q |================| | 884 | |================| | 885 | |================| | 886 v +----------------+------------------------------------+ 887 <-------m1-------> 888 <----------------------------m2-----------------------> 890 Figure 7: Basic principles of message processing without internal re-keying 892 Suppose that the safety margin for the protocol P is fixed and 893 internal re-keying approach is applied to the base mode of operation. 894 Suppose further that every message is processed with a section key, 895 which is transformed after processing N bits of data, where N is a 896 parameter. If q * N does not exceed L1 then the side channel 897 limitation L1 goes off and the resulting key lifetime limitation of 898 the initial key K can be calculated on the basis of a new 899 combinatorial limitation L2'. The security of the mode of operation 900 that uses internal re-keying increases when compared to base mode of 901 operation without re-keying (thus, L2 < L2'). Hence, as displayed in 902 Figure 8, the resulting key lifetime limitation in case of using 903 internal re-keying can be increased up to L2'. 905 K-----> K^1-------------> K^2 -----------> . . . 906 | | 907 v v 908 ^ +----------------+----------------+-------------------+--...--+ 909 | |==============L1|==============L1|====== L2| L2'| 910 | |================|================|====== | | 911 q |================|================|====== . . . | | 912 | |================|================|====== | | 913 | |================|================|====== | | 914 v +----------------+----------------+-------------------+--...--+ 915 <-------N--------> 917 Figure 8: Basic principles of message processing with internal re-keying 918 Note: the key transformation process is depicted in a simplified 919 form. A specific approach (ACPKM and ACPKM-Master re-keying 920 mechanisms) is described below. 922 Since the performance of encryption can slightly decrease for rather 923 small values of N, the parameter N should be selected for a 924 particular protocol as maximum possible to provide necessary key 925 lifetime for the considered security models. 927 Consider an example. Suppose L1 = 128 MB and L2 = 10 TB. Let the 928 message size in the protocol be large/unlimited (may exhaust the 929 whole key lifetime L2). The most restrictive resulting key lifetime 930 limitation is equal to 128 MB. 932 Thus, there is a need to put a limit on the maximum message size 933 m_max. For example, if m_max = 32 MB, it may happen that the 934 renegotiation of initial key K would be required after processing 935 only four messages. 937 If an internal re-keying mechanism with section size N = 1 MB is 938 used, more than L1 / N = 128 MB / 1 MB = 128 messages can be 939 processed before the renegotiation of initial key K (instead of 4 940 messages in case when an internal re-keying mechanism is not used). 941 Note that only one section of each message is processed with the 942 section key K^i, and, consequently, the key lifetime limitation L1 943 goes off. Hence the resulting key lifetime limitation L2' can be set 944 to more then 10 TB (in the case when a single large message is 945 processed using the initial key K). 947 6.1. Methods of Key Lifetime Control 949 Suppose L is an amount of data that can be safely processed with one 950 section key, N is a section size (fixed parameter). Suppose M^{i}_1 951 is the first section of message M^{i}, i = 1, ... , q (see Figure 9 952 and Figure 10), then the parameter q can be calculated in accordance 953 with one of the following two approaches: 955 o Explicit approach: 956 q_i is such that |M^{1}_1| + ... + |M^{q}_1| <= L, |M^{1}_1| + ... 957 + |M^{q+1}_1| > L 958 This approach allows to use the section key K^i in an almost 959 optimal way but it can be applied only in case when messages 960 cannot be lost or reordered (e.g., TLS records). 962 o Implicit approach: 963 q = L / N. 964 The amount of data processed with one section key K^i is 965 calculated under the assumption that the length of every message 966 is equal or greater than section size N and so it can be 967 considerably less than the key lifetime limitation L. On the 968 other hand, this approach can be applied in case when messages may 969 be lost or reordered (e.g., DTLS records). 971 6.2. Constructions that Do Not Require Master Key 973 This section describes the block cipher modes that use the ACPKM re- 974 keying mechanism, which does not use a master key: an initial key is 975 used directly for the data encryption. 977 6.2.1. ACPKM Re-keying Mechanisms 979 This section defines periodical key transformation without a master 980 key, which is called ACPKM re-keying mechanism. This mechanism can 981 be applied to one of the base encryption modes (CTR and GCM block 982 cipher modes) for getting an extension of this encryption mode that 983 uses periodical key transformation without a master key. This 984 extension can be considered as a new encryption mode. 986 An additional parameter that defines functioning of base encryption 987 modes with the ACPKM re-keying mechanism is the section size N. The 988 value of N is measured in bits and is fixed within a specific 989 protocol based on the requirements of the system capacity and the key 990 lifetime. The section size N MUST be divisible by the block size n. 992 The main idea behind internal re-keying without a master key is 993 presented in Figure 9: 995 Section size = const = N, 996 maximum message size = m_max. 997 ____________________________________________________________________ 999 ACPKM ACPKM ACPKM 1000 K^1 = K ---> K^2 ---...-> K^{l_max-1} ----> K^{l_max} 1001 | | | | 1002 | | | | 1003 v v v v 1004 M^{1} |==========|==========| ... |==========|=======: | 1005 M^{2} |==========|==========| ... |=== | : | 1006 . . . . . . : 1007 : : : : : : : 1008 M^{q} |==========|==========| ... |==========|===== : | 1009 section : 1010 <----------> m_max 1011 N bit 1012 ___________________________________________________________________ 1013 l_max = ceil(m_max/N). 1015 Figure 9: Internal re-keying without a master key 1017 During the processing of the input message M with the length m in 1018 some encryption mode that uses ACPKM key transformation of the 1019 initial key K the message is divided into l = ceil(m / N) sections 1020 (denoted as M = M_1 | M_2 | ... | M_l, where M_i is in V_N for i in 1021 {1, 2, ... , l - 1} and M_l is in V_r, r <= N). The first section of 1022 each message is processed with the section key K^1 = K. To process 1023 the (i + 1)-th section of each message the section key K^{i+1} is 1024 calculated using ACPKM transformation as follows: 1026 K^{i+1} = ACPKM(K^i) = MSB_k(E_{K^i}(D_1) | ... | E_{K^i}(D_J)), 1028 where J = ceil(k/n) and D_1, D_2, ... , D_J are in V_n and are 1029 calculated as follows: 1031 D_1 | D_2 | ... | D_J = MSB_{J * n}(D), 1033 where D is the following constant in V_{1024}: 1035 D = ( 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 1036 | 88 | 89 | 8a | 8b | 8c | 8d | 8e | 8f 1037 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 1038 | 98 | 99 | 9a | 9b | 9c | 9d | 9e | 9f 1039 | a0 | a1 | a2 | a3 | a4 | a5 | a6 | a7 1040 | a8 | a9 | aa | ab | ac | ad | ae | af 1041 | b0 | b1 | b2 | b3 | b4 | b5 | b6 | b7 1042 | b8 | b9 | ba | bb | bc | bd | be | bf 1043 | c0 | c1 | c2 | c3 | c4 | c5 | c6 | c7 1044 | c8 | c9 | ca | cb | cc | cd | ce | cf 1045 | d0 | d1 | d2 | d3 | d4 | d5 | d6 | d7 1046 | d8 | d9 | da | db | dc | dd | de | df 1047 | e0 | e1 | e2 | e3 | e4 | e5 | e6 | e7 1048 | e8 | e9 | ea | eb | ec | ed | ee | ef 1049 | f0 | f1 | f2 | f3 | f4 | f5 | f6 | f7 1050 | f8 | f9 | fa | fb | fc | fd | fe | ff ) 1052 N o t e : The constant D is such that D_1, ... , D_J are pairwise 1053 different for any allowed n and k values. 1055 N o t e : The constant D is such that the highest bit of its each 1056 octet is equal to 1. This condition is important, as in conjunction 1057 with a certain mode message length limitation it allows to prevent 1058 collisions of block cipher permutation inputs in cases of key 1059 transformation and message processing (for more details see 1060 Section 4.4 of [AAOS2017]). 1062 6.2.2. CTR-ACPKM Encryption Mode 1064 This section defines a CTR-ACPKM encryption mode that uses the ACPKM 1065 internal re-keying mechanism for the periodical key transformation. 1067 The CTR-ACPKM mode can be considered as the base encryption mode CTR 1068 (see [MODES]) extended by the ACPKM re-keying mechanism. 1070 The CTR-ACPKM encryption mode can be used with the following 1071 parameters: 1073 o 64 <= n <= 512; 1075 o 128 <= k <= 512; 1077 o the number c of bits in a specific part of the block to be 1078 incremented is such that 32 <= c <= 3 / 4 n, c is a multiple of 8; 1080 o the maximum message size m_max = n * 2^{c-1}. 1082 The CTR-ACPKM mode encryption and decryption procedures are defined 1083 as follows: 1085 +----------------------------------------------------------------+ 1086 | CTR-ACPKM-Encrypt(N, K, ICN, P) | 1087 |----------------------------------------------------------------| 1088 | Input: | 1089 | - section size N, | 1090 | - initial key K, | 1091 | - initial counter nonce ICN in V_{n-c}, | 1092 | - plaintext P = P_1 | ... | P_b, |P| <= m_max. | 1093 | Output: | 1094 | - ciphertext C. | 1095 |----------------------------------------------------------------| 1096 | 1. CTR_1 = ICN | 0^c | 1097 | 2. For j = 2, 3, ... , b do | 1098 | CTR_{j} = Inc_c(CTR_{j-1}) | 1099 | 3. K^1 = K | 1100 | 4. For i = 2, 3, ... , ceil(|P| / N) | 1101 | K^i = ACPKM(K^{i-1}) | 1102 | 5. For j = 1, 2, ... , b do | 1103 | i = ceil(j * n / N), | 1104 | G_j = E_{K^i}(CTR_j) | 1105 | 6. C = P (xor) MSB_{|P|}(G_1 | ... | G_b) | 1106 | 7. Return C | 1107 +----------------------------------------------------------------+ 1109 +----------------------------------------------------------------+ 1110 | CTR-ACPKM-Decrypt(N, K, ICN, C) | 1111 |----------------------------------------------------------------| 1112 | Input: | 1113 | - section size N, | 1114 | - initial key K, | 1115 | - initial counter nonce ICN in V_{n-c}, | 1116 | - ciphertext C = C_1 | ... | C_b, |C| <= m_max. | 1117 | Output: | 1118 | - plaintext P. | 1119 |----------------------------------------------------------------| 1120 | 1. P = CTR-ACPKM-Encrypt(N, K, ICN, C) | 1121 | 2. Return P | 1122 +----------------------------------------------------------------+ 1124 The initial counter nonce ICN value for each message that is 1125 encrypted under the given initial key K must be chosen in a unique 1126 manner. 1128 6.2.3. GCM-ACPKM Authenticated Encryption Mode 1130 This section defines GCM-ACPKM authenticated encryption mode that 1131 uses the ACPKM internal re-keying mechanism for the periodical key 1132 transformation. 1134 The GCM-ACPKM mode can be considered as the base authenticated 1135 encryption mode GCM (see [GCM]) extended by the ACPKM re-keying 1136 mechanism. 1138 The GCM-ACPKM authenticated encryption mode can be used with the 1139 following parameters: 1141 o n in {128, 256}; 1143 o 128 <= k <= 512; 1145 o the number c of bits in a specific part of the block to be 1146 incremented is such that 1 / 4 n <= c <= 1 / 2 n, c is a multiple 1147 of 8; 1149 o authentication tag length t; 1151 o the maximum message size m_max = min{n * (2^{c-1} - 2), 2^{n/2} - 1152 1}. 1154 The GCM-ACPKM mode encryption and decryption procedures are defined 1155 as follows: 1157 +-------------------------------------------------------------------+ 1158 | GHASH(X, H) | 1159 |-------------------------------------------------------------------| 1160 | Input: | 1161 | - bit string X = X_1 | ... | X_m, X_1, ... , X_m in V_n. | 1162 | Output: | 1163 | - block GHASH(X, H) in V_n. | 1164 |-------------------------------------------------------------------| 1165 | 1. Y_0 = 0^n | 1166 | 2. For i = 1, ... , m do | 1167 | Y_i = (Y_{i-1} (xor) X_i) * H | 1168 | 3. Return Y_m | 1169 +-------------------------------------------------------------------+ 1171 +-------------------------------------------------------------------+ 1172 | GCTR(N, K, ICB, X) | 1173 |-------------------------------------------------------------------| 1174 | Input: | 1175 | - section size N, | 1176 | - initial key K, | 1177 | - initial counter block ICB, | 1178 | - X = X_1 | ... | X_b. | 1179 | Output: | 1180 | - Y in V_{|X|}. | 1181 |-------------------------------------------------------------------| 1182 | 1. If X in V_0 then return Y, where Y in V_0 | 1183 | 2. GCTR_1 = ICB | 1184 | 3. For i = 2, ... , b do | 1185 | GCTR_i = Inc_c(GCTR_{i-1}) | 1186 | 4. K^1 = K | 1187 | 5. For j = 2, ... , ceil(|X| / N) | 1188 | K^j = ACPKM(K^{j-1}) | 1189 | 6. For i = 1, ... , b do | 1190 | j = ceil(i * n / N), | 1191 | G_i = E_{K_j}(GCTR_i) | 1192 | 7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b) | 1193 | 8. Return Y | 1194 +-------------------------------------------------------------------+ 1196 +-------------------------------------------------------------------+ 1197 | GCM-ACPKM-Encrypt(N, K, ICN, P, A) | 1198 |-------------------------------------------------------------------| 1199 | Input: | 1200 | - section size N, | 1201 | - initial key K, | 1202 | - initial counter nonce ICN in V_{n-c}, | 1203 | - plaintext P = P_1 | ... | P_b, |P| <= m_max, | 1204 | - additional authenticated data A. | 1205 | Output: | 1206 | - ciphertext C, | 1207 | - authentication tag T. | 1208 |-------------------------------------------------------------------| 1209 | 1. H = E_{K}(0^n) | 1210 | 2. ICB_0 = ICN | 0^{c-1} | 1 | 1211 | 3. C = GCTR(N, K, Inc_c(ICB_0), P) | 1212 | 4. u = n * ceil(|C| / n) - |C| | 1213 | v = n * ceil(|A| / n) - |A| | 1214 | 5. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) | | 1215 | | Vec_{n/2}(|C|), H) | 1216 | 6. T = MSB_t(E_{K}(ICB_0) (xor) S) | 1217 | 7. Return C | T | 1218 +-------------------------------------------------------------------+ 1220 +-------------------------------------------------------------------+ 1221 | GCM-ACPKM-Decrypt(N, K, ICN, A, C, T) | 1222 |-------------------------------------------------------------------| 1223 | Input: | 1224 | - section size N, | 1225 | - initial key K, | 1226 | - initial counter block ICN, | 1227 | - additional authenticated data A, | 1228 | - ciphertext C = C_1 | ... | C_b, |C| <= m_max, | 1229 | - authentication tag T. | 1230 | Output: | 1231 | - plaintext P or FAIL. | 1232 |-------------------------------------------------------------------| 1233 | 1. H = E_{K}(0^n) | 1234 | 2. ICB_0 = ICN | 0^{c-1} | 1 | 1235 | 3. P = GCTR(N, K, Inc_c(ICB_0), C) | 1236 | 4. u = n * ceil(|C| / n) - |C| | 1237 | v = n * ceil(|A| / n) - |A| | 1238 | 5. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) | | 1239 | | Vec_{n/2}(|C|), H) | 1240 | 6. T' = MSB_t(E_{K}(ICB_0) (xor) S) | 1241 | 7. If T = T' then return P; else return FAIL | 1242 +-------------------------------------------------------------------+ 1244 The * operation on (pairs of) the 2^n possible blocks corresponds to 1245 the multiplication operation for the binary Galois (finite) field of 1246 2^n elements defined by the polynomial f as follows (by analogy with 1247 [GCM]): 1249 n = 128: f = a^128 + a^7 + a^2 + a^1 + 1, 1251 n = 256: f = a^256 + a^10 + a^5 + a^2 + 1. 1253 The initial vector IV value for each message that is encrypted under 1254 the given initial key K must be chosen in a unique manner. 1256 The key for computing values E_{K}(ICB_0) and H is not updated and is 1257 equal to the initial key K. 1259 6.3. Constructions that Require Master Key 1261 This section describes the block cipher modes that use the ACPKM- 1262 Master re-keying mechanism, which use the initial key K as a master 1263 key, so K is never used directly for data processing but is used for 1264 key derivation. 1266 6.3.1. ACPKM-Master Key Derivation from the Master Key 1268 This section defines periodical key transformation with a master key, 1269 which is called ACPKM-Master re-keying mechanism. This mechanism can 1270 be applied to one of the base modes of operation (CTR, GCM, CBC, CFB, 1271 OMAC modes) for getting an extension that uses periodical key 1272 transformation with a master key. This extension can be considered 1273 as a new mode of operation. 1275 Additional parameters that define the functioning of modes of 1276 operation that use the ACPKM-Master re-keying mechanism are the 1277 section size N, the change frequency T* of the master keys K*_1, 1278 K*_2, ... (see Figure 10) and the size d of the section key material. 1279 The values of N and T* are measured in bits and are fixed within a 1280 specific protocol, based on the requirements of the system capacity 1281 and the key lifetime. The section size N MUST be divisible by the 1282 block size n. The master key frequency T* MUST be divisible by d and 1283 by n. 1285 The main idea behind internal re-keying with a master key is 1286 presented in Figure 10: 1288 Master key frequency T*, 1289 section size N, 1290 maximum message size = m_max. 1291 __________________________________________________________________________________ 1293 ACPKM ACPKM 1294 K*_1 = K--------------> K*_2 ---------...---------> K*_l_max 1295 ___|___ ___|___ ___|___ 1296 | | | | | | 1297 v ... v v ... v v ... v 1298 K[1] K[t] K[t+1] K[2t] K[(l_max-1)t+1] K[l_max*t] 1299 | | | | | | 1300 | | | | | | 1301 v v v v v v 1302 M^{1}||========|...|========||========|...|========||...||========|...|== : || 1303 M^{2}||========|...|========||========|...|========||...||========|...|======: || 1304 ... || | | || | | || || | | : || 1305 M^{q}||========|...|========||==== |...| ||...|| |...| : || 1306 section : 1307 <--------> : 1308 N bit m_max 1309 __________________________________________________________________________________ 1310 |K[i]| = d, 1311 t = T* / d, 1312 l_max = ceil(m_max / (N * t)). 1314 Figure 10: Internal re-keying with a master key 1316 During the processing of the input message M with the length m in 1317 some mode of operation that uses ACPKM-Master key transformation with 1318 the initial key K and the master key frequency T* the message M is 1319 divided into l = ceil(m / N) sections (denoted as M = M_1 | M_2 | 1320 ... | M_l, where M_i is in V_N for i in {1, 2, ... , l - 1} and M_l 1321 is in V_r, r <= N). The j-th section of each message is processed 1322 with the key material K[j], j in {1, ... , l}, |K[j]| = d, that is 1323 calculated with the ACPKM-Master algorithm as follows: 1325 K[1] | ... | K[l] = ACPKM-Master(T*, K, d, l) = CTR-ACPKM-Encrypt 1326 (T*, K, 1^{n/2}, 0^{d*l}). 1328 Note: the parameters d and l MUST be such that d * l <= n * 1329 2^{n/2-1}. 1331 6.3.2. CTR-ACPKM-Master Encryption Mode 1333 This section defines a CTR-ACPKM-Master encryption mode that uses the 1334 ACPKM-Master internal re-keying mechanism for the periodical key 1335 transformation. 1337 The CTR-ACPKM-Master encryption mode can be considered as the base 1338 encryption mode CTR (see [MODES]) extended by the ACPKM-Master re- 1339 keying mechanism. 1341 The CTR-ACPKM-Master encryption mode can be used with the following 1342 parameters: 1344 o 64 <= n <= 512; 1346 o 128 <= k <= 512; 1348 o the number c of bits in a specific part of the block to be 1349 incremented is such that 32 <= c <= 3 / 4 n, c is a multiple of 8; 1351 o the maximum message size m_max = min{N * (n * 2^{n/2-1} / k), n * 1352 2^c}. 1354 The key material K[j] that is used for one section processing is 1355 equal to K^j, |K^j| = k bits. 1357 The CTR-ACPKM-Master mode encryption and decryption procedures are 1358 defined as follows: 1360 +----------------------------------------------------------------+ 1361 | CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, P) | 1362 |----------------------------------------------------------------| 1363 | Input: | 1364 | - section size N, | 1365 | - initial key K, | 1366 | - master key frequency T*, | 1367 | - initial counter nonce ICN in V_{n-c}, | 1368 | - plaintext P = P_1 | ... | P_b, |P| <= m_max. | 1369 | Output: | 1370 | - ciphertext C. | 1371 |----------------------------------------------------------------| 1372 | 1. CTR_1 = ICN | 0^c | 1373 | 2. For j = 2, 3, ... , b do | 1374 | CTR_{j} = Inc_c(CTR_{j-1}) | 1375 | 3. l = ceil(|P| / N) | 1376 | 4. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1377 | 5. For j = 1, 2, ... , b do | 1378 | i = ceil(j * n / N), | 1379 | G_j = E_{K^i}(CTR_j) | 1380 | 6. C = P (xor) MSB_{|P|}(G_1 | ... |G_b) | 1381 | 7. Return C | 1382 |----------------------------------------------------------------+ 1384 +----------------------------------------------------------------+ 1385 | CTR-ACPKM-Master-Decrypt(N, K, T*, ICN, C) | 1386 |----------------------------------------------------------------| 1387 | Input: | 1388 | - section size N, | 1389 | - initial key K, | 1390 | - master key frequency T*, | 1391 | - initial counter nonce ICN in V_{n-c}, | 1392 | - ciphertext C = C_1 | ... | C_b, |C| <= m_max. | 1393 | Output: | 1394 | - plaintext P. | 1395 |----------------------------------------------------------------| 1396 | 1. P = CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, C) | 1397 | 1. Return P | 1398 +----------------------------------------------------------------+ 1400 The initial counter nonce ICN value for each message that is 1401 encrypted under the given initial key must be chosen in a unique 1402 manner. 1404 6.3.3. GCM-ACPKM-Master Authenticated Encryption Mode 1406 This section defines a GCM-ACPKM-Master authenticated encryption mode 1407 that uses the ACPKM-Master internal re-keying mechanism for the 1408 periodical key transformation. 1410 The GCM-ACPKM-Master authenticated encryption mode can be considered 1411 as the base authenticated encryption mode GCM (see [GCM]) extended by 1412 the ACPKM-Master re-keying mechanism. 1414 The GCM-ACPKM-Master authenticated encryption mode can be used with 1415 the following parameters: 1417 o n in {128, 256}; 1419 o 128 <= k <= 512; 1421 o the number c of bits in a specific part of the block to be 1422 incremented is such that 1 / 4 n <= c <= 1 / 2 n, c is a multiple 1423 of 8; 1425 o authentication tag length t; 1427 o the maximum message size m_max = min{N * ( n * 2^{n/2-1} / k), n * 1428 (2^c - 2), 2^{n/2} - 1}. 1430 The key material K[j] that is used for the j-th section processing is 1431 equal to K^j, |K^j| = k bits. 1433 The GCM-ACPKM-Master mode encryption and decryption procedures are 1434 defined as follows: 1436 +-------------------------------------------------------------------+ 1437 | GHASH(X, H) | 1438 |-------------------------------------------------------------------| 1439 | Input: | 1440 | - bit string X = X_1 | ... | X_m, X_i in V_n for i in {1, ... ,m}| 1441 | Output: | 1442 | - block GHASH(X, H) in V_n | 1443 |-------------------------------------------------------------------| 1444 | 1. Y_0 = 0^n | 1445 | 2. For i = 1, ... , m do | 1446 | Y_i = (Y_{i-1} (xor) X_i) * H | 1447 | 3. Return Y_m | 1448 +-------------------------------------------------------------------+ 1450 +-------------------------------------------------------------------+ 1451 | GCTR(N, K, T*, ICB, X) | 1452 |-------------------------------------------------------------------| 1453 | Input: | 1454 | - section size N, | 1455 | - initial key K, | 1456 | - master key frequency T*, | 1457 | - initial counter block ICB, | 1458 | - X = X_1 | ... | X_b. | 1459 | Output: | 1460 | - Y in V_{|X|}. | 1461 |-------------------------------------------------------------------| 1462 | 1. If X in V_0 then return Y, where Y in V_0 | 1463 | 2. GCTR_1 = ICB | 1464 | 3. For i = 2, ... , b do | 1465 | GCTR_i = Inc_c(GCTR_{i-1}) | 1466 | 4. l = ceil(|X| / N) | 1467 | 5. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1468 | 6. For j = 1, ... , b do | 1469 | i = ceil(j * n / N), | 1470 | G_j = E_{K^i}(GCTR_j) | 1471 | 7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b) | 1472 | 8. Return Y | 1473 +-------------------------------------------------------------------+ 1475 +-------------------------------------------------------------------+ 1476 | GCM-ACPKM-Master-Encrypt(N, K, T*, ICN, P, A) | 1477 |-------------------------------------------------------------------| 1478 | Input: | 1479 | - section size N, | 1480 | - initial key K, | 1481 | - master key frequency T*, | 1482 | - initial counter nonce ICN in V_{n-c}, | 1483 | - plaintext P = P_1 | ... | P_b, |P| <= m_max. | 1484 | - additional authenticated data A. | 1485 | Output: | 1486 | - ciphertext C, | 1487 | - authentication tag T. | 1488 |-------------------------------------------------------------------| 1489 | 1. K^1 = ACPKM-Master(T*, K, k, 1) | 1490 | 2. H = E_{K^1}(0^n) | 1491 | 3. ICB_0 = ICN | 0^{c-1} | 1 | 1492 | 4. C = GCTR(N, K, T*, Inc_c(ICB_0), P) | 1493 | 5. u = n * ceil(|C| / n) - |C| | 1494 | v = n * ceil(|A| / n) - |A| | 1495 | 6. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) | | 1496 | | Vec_{n/2}(|C|), H) | 1497 | 7. T = MSB_t(E_{K^1}(ICB_0) (xor) S) | 1498 | 8. Return C | T | 1499 +-------------------------------------------------------------------+ 1501 +-------------------------------------------------------------------+ 1502 | GCM-ACPKM-Master-Decrypt(N, K, T*, ICN, A, C, T) | 1503 |-------------------------------------------------------------------| 1504 | Input: | 1505 | - section size N, | 1506 | - initial key K, | 1507 | - master key frequency T*, | 1508 | - initial counter nonce ICN in V_{n-c}, | 1509 | - additional authenticated data A. | 1510 | - ciphertext C = C_1 | ... | C_b, |C| <= m_max, | 1511 | - authentication tag T. | 1512 | Output: | 1513 | - plaintext P or FAIL. | 1514 |-------------------------------------------------------------------| 1515 | 1. K^1 = ACPKM-Master(T*, K, k, 1) | 1516 | 2. H = E_{K^1}(0^n) | 1517 | 3. ICB_0 = ICN | 0^{c-1} | 1 | 1518 | 4. P = GCTR(N, K, T*, Inc_c(ICB_0), C) | 1519 | 5. u = n * ceil(|C| / n) - |C| | 1520 | v = n * ceil(|A| / n) - |A| | 1521 | 6. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) | | 1522 | | Vec_{n/2}(|C|), H) | 1523 | 7. T' = MSB_t(E_{K^1}(ICB_0) (xor) S) | 1524 | 8. IF T = T' then return P; else return FAIL. | 1525 +-------------------------------------------------------------------+ 1527 The * operation on (pairs of) the 2^n possible blocks corresponds to 1528 the multiplication operation for the binary Galois (finite) field of 1529 2^n elements defined by the polynomial f as follows (by analogy with 1530 [GCM]): 1532 n = 128: f = a^128 + a^7 + a^2 + a^1 + 1, 1534 n = 256: f = a^256 + a^10 + a^5 + a^2 + 1. 1536 The initial vector IV value for each message that is encrypted under 1537 the given initial key must be chosen in a unique manner. 1539 6.3.4. CBC-ACPKM-Master Encryption Mode 1541 This section defines a CBC-ACPKM-Master encryption mode that uses the 1542 ACPKM-Master internal re-keying mechanism for the periodical key 1543 transformation. 1545 The CBC-ACPKM-Master encryption mode can be considered as the base 1546 encryption mode CBC (see [MODES]) extended by the ACPKM-Master re- 1547 keying mechanism. 1549 The CBC-ACPKM-Master encryption mode can be used with the following 1550 parameters: 1552 o 64 <= n <= 512; 1554 o 128 <= k <= 512; 1556 o the maximum message size m_max = N * (n * 2^{n/2-1} / k). 1558 In the specification of the CBC-ACPKM-Master mode the plaintext and 1559 ciphertext must be a sequence of one or more complete data blocks. 1560 If the data string to be encrypted does not initially satisfy this 1561 property, then it MUST be padded to form complete data blocks. The 1562 padding methods are out of the scope of this document. An example of 1563 a padding method can be found in Appendix A of [MODES]. 1565 The key material K[j] that is used for the j-th section processing is 1566 equal to K^j, |K^j| = k bits. 1568 We will denote by D_{K} the decryption function which is a 1569 permutation inverse to E_{K}. 1571 The CBC-ACPKM-Master mode encryption and decryption procedures are 1572 defined as follows: 1574 +----------------------------------------------------------------+ 1575 | CBC-ACPKM-Master-Encrypt(N, K, T*, IV, P) | 1576 |----------------------------------------------------------------| 1577 | Input: | 1578 | - section size N, | 1579 | - initial key K, | 1580 | - master key frequency T*, | 1581 | - initialization vector IV in V_n, | 1582 | - plaintext P = P_1 | ... | P_b, |P_b| = n, |P| <= m_max. | 1583 | Output: | 1584 | - ciphertext C. | 1585 |----------------------------------------------------------------| 1586 | 1. l = ceil(|P| / N) | 1587 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1588 | 3. C_0 = IV | 1589 | 4. For j = 1, 2, ... , b do | 1590 | i = ceil(j * n / N), | 1591 | C_j = E_{K^i}(P_j (xor) C_{j-1}) | 1592 | 5. Return C = C_1 | ... | C_b | 1593 |----------------------------------------------------------------+ 1595 +----------------------------------------------------------------+ 1596 | CBC-ACPKM-Master-Decrypt(N, K, T*, IV, C) | 1597 |----------------------------------------------------------------| 1598 | Input: | 1599 | - section size N, | 1600 | - initial key K, | 1601 | - master key frequency T*, | 1602 | - initialization vector IV in V_n, | 1603 | - ciphertext C = C_1 | ... | C_b, |C_b| = n, |C| <= m_max. | 1604 | Output: | 1605 | - plaintext P. | 1606 |----------------------------------------------------------------| 1607 | 1. l = ceil(|C| / N) | 1608 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1609 | 3. C_0 = IV | 1610 | 4. For j = 1, 2, ... , b do | 1611 | i = ceil(j * n / N) | 1612 | P_j = D_{K^i}(C_j) (xor) C_{j-1} | 1613 | 5. Return P = P_1 | ... | P_b | 1614 +----------------------------------------------------------------+ 1616 The initialization vector IV for each message that is encrypted under 1617 the given initial key does not need to be secret, but must be 1618 unpredictable. 1620 6.3.5. CFB-ACPKM-Master Encryption Mode 1622 This section defines a CFB-ACPKM-Master encryption mode that uses the 1623 ACPKM-Master internal re-keying mechanism for the periodical key 1624 transformation. 1626 The CFB-ACPKM-Master encryption mode can be considered as the base 1627 encryption mode CFB (see [MODES]) extended by the ACPKM-Master re- 1628 keying mechanism. 1630 The CFB-ACPKM-Master encryption mode can be used with the following 1631 parameters: 1633 o 64 <= n <= 512; 1635 o 128 <= k <= 512; 1637 o the maximum message size m_max = N * (n * 2^{n/2-1} / k). 1639 The key material K[j] that is used for the j-th section processing is 1640 equal to K^j, |K^j| = k bits. 1642 The CFB-ACPKM-Master mode encryption and decryption procedures are 1643 defined as follows: 1645 +-------------------------------------------------------------+ 1646 | CFB-ACPKM-Master-Encrypt(N, K, T*, IV, P) | 1647 |-------------------------------------------------------------| 1648 | Input: | 1649 | - section size N, | 1650 | - initial key K, | 1651 | - master key frequency T*, | 1652 | - initialization vector IV in V_n, | 1653 | - plaintext P = P_1 | ... | P_b, |P| <= m_max. | 1654 | Output: | 1655 | - ciphertext C. | 1656 |-------------------------------------------------------------| 1657 | 1. l = ceil(|P| / N) | 1658 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1659 | 3. C_0 = IV | 1660 | 4. For j = 1, 2, ... , b - 1 do | 1661 | i = ceil(j * n / N), | 1662 | C_j = E_{K^i}(C_{j-1}) (xor) P_j | 1663 | 5. C_b = MSB_{|P_b|}(E_{K^l}(C_{b-1})) (xor) P_b | 1664 | 6. Return C = C_1 | ... | C_b | 1665 |-------------------------------------------------------------+ 1667 +-------------------------------------------------------------+ 1668 | CFB-ACPKM-Master-Decrypt(N, K, T*, IV, C) | 1669 |-------------------------------------------------------------| 1670 | Input: | 1671 | - section size N, | 1672 | - initial key K, | 1673 | - master key frequency T*, | 1674 | - initialization vector IV in V_n, | 1675 | - ciphertext C = C_1 | ... | C_b, |C| <= m_max. | 1676 | Output: | 1677 | - plaintext P. | 1678 |-------------------------------------------------------------| 1679 | 1. l = ceil(|C| / N) | 1680 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1681 | 3. C_0 = IV | 1682 | 4. For j = 1, 2, ... , b - 1 do | 1683 | i = ceil(j * n / N), | 1684 | P_j = E_{K^i}(C_{j-1}) (xor) C_j | 1685 | 5. P_b = MSB_{|C_b|}(E_{K^l}(C_{b-1})) (xor) C_b | 1686 | 6. Return P = P_1 | ... | P_b | 1687 +-------------------------------------------------------------+ 1689 The initialization vector IV for each message that is encrypted under 1690 the given initial key need not to be secret, but must be 1691 unpredictable. 1693 6.3.6. OMAC-ACPKM-Master Authentication Mode 1695 This section defines an OMAC-ACPKM-Master message authentication code 1696 calculation mode that uses the ACPKM-Master internal re-keying 1697 mechanism for the periodical key transformation. 1699 The OMAC-ACPKM-Master mode can be considered as the base message 1700 authentication code calculation mode OMAC, which is also known as 1701 CMAC (see [RFC4493]), extended by the ACPKM-Master re-keying 1702 mechanism. 1704 The OMAC-ACPKM-Master message authentication code calculation mode 1705 can be used with the following parameters: 1707 o n in {64, 128, 256}; 1709 o 128 <= k <= 512; 1711 o the maximum message size m_max = N * (n * 2^{n/2-1} / (k + n)). 1713 The key material K[j] that is used for one section processing is 1714 equal to K^j | K^j_1, where |K^j| = k and |K^j_1| = n. 1716 The following is a specification of the subkey generation process of 1717 OMAC: 1719 +-------------------------------------------------------------------+ 1720 | Generate_Subkey(K1, r) | 1721 |-------------------------------------------------------------------| 1722 | Input: | 1723 | - key K1. | 1724 | Output: | 1725 | - key SK. | 1726 |-------------------------------------------------------------------| 1727 | 1. If r = n then return K1 | 1728 | 2. If r < n then | 1729 | if MSB_1(K1) = 0 | 1730 | return K1 << 1 | 1731 | else | 1732 | return (K1 << 1) (xor) R_n | 1733 | | 1734 +-------------------------------------------------------------------+ 1736 Here R_n takes the following values: 1738 o n = 64: R_{64} = 0^{59} | 11011; 1739 o n = 128: R_{128} = 0^{120} | 10000111; 1741 o n = 256: R_{256} = 0^{145} | 10000100101. 1743 The OMAC-ACPKM-Master message authentication code calculation mode is 1744 defined as follows: 1746 +----------------------------------------------------------------------+ 1747 | OMAC-ACPKM-Master(K, N, T*, M) | 1748 |----------------------------------------------------------------------| 1749 | Input: | 1750 | - section size N, | 1751 | - initial key K, | 1752 | - master key frequency T*, | 1753 | - plaintext M = M_1 | ... | M_b, |M| <= m_max. | 1754 | Output: | 1755 | - message authentication code T. | 1756 |----------------------------------------------------------------------| 1757 | 1. C_0 = 0^n | 1758 | 2. l = ceil(|M| / N) | 1759 | 3. K^1 | K^1_1 | ... | K^l | K^l_1 = ACPKM-Master(T*, K, (k + n), l) | 1760 | 4. For j = 1, 2, ... , b - 1 do | 1761 | i = ceil(j * n / N), | 1762 | C_j = E_{K^i}(M_j (xor) C_{j-1}) | 1763 | 5. SK = Generate_Subkey(K^l_1, |M_b|) | 1764 | 6. If |M_b| = n then M*_b = M_b | 1765 | else M*_b = M_b | 1 | 0^{n - 1 -|M_b|} | 1766 | 7. T = E_{K^l}(M*_b (xor) C_{b-1} (xor) SK) | 1767 | 8. Return T | 1768 +----------------------------------------------------------------------+ 1770 7. Joint Usage of External and Internal Re-keying 1772 Both external re-keying and internal re-keying have their own 1773 advantages and disadvantages discussed in Section 1. For instance, 1774 using external re-keying can essentially limit the message length, 1775 while in the case of internal re-keying the section size, which can 1776 be chosen as the maximal possible for operational properties, limits 1777 the amount of separate messages. There is no more preferable 1778 technique because the choice of technique can depend on protocol 1779 features. However, some protocols may have features that require to 1780 take advantages provided by both external and internal re-keying 1781 mechanisms: for example, the protocol mainly transmits messages of 1782 small length, but it must additionally support very long messages 1783 processing. In such situations it is necessary to use external and 1784 internal re-keying jointly, since these techniques negate each 1785 other's disadvantages. 1787 For composition of external and internal re-keying techniques any 1788 mechanism described in Section 5 can be used with any mechanism 1789 described in Section 6. 1791 For example, consider the GCM-ACPKM mode with external serial re- 1792 keying based on a KDF on a Hash function. Denote by a frame size the 1793 number of messages in each frame (in the case of implicit approach to 1794 the key lifetime control) for external re-keying. 1796 Let L be a key lifetime limitation. The section size N for internal 1797 re-keying and the frame size q for external re-keying must be chosen 1798 in such a way that q * N must not exceed L. 1800 Suppose that t messages (ICN_i, P_i, A_i), with initial counter nonce 1801 ICN_i, plaintext P_i and additional authenticated data A_i, will be 1802 processed before renegotiation. 1804 For authenticated encryption of each message (ICN_i, P_i, A_i), i = 1805 1, ..., t, the following algorithm can be applied: 1807 1. j = ceil(i / q), 1808 2. K^j = ExtSerialH(K, j), 1809 3. C_i | T_i = GCM-ACPKM-Encrypt(N, K^j, ICN_i, P_i, A_i). 1811 Note that nonces ICN_i, that are used under the same frame key, must 1812 be unique for each message. 1814 8. Security Considerations 1816 Re-keying should be used to increase "a priori" security properties 1817 of ciphers in hostile environments (e.g., with side-channel 1818 adversaries). If some efficient attacks are known for a cipher, it 1819 must not be used. So re-keying cannot be used as a patch for 1820 vulnerable ciphers. Base cipher properties must be well analyzed, 1821 because the security of re-keying mechanisms is based on the security 1822 of a block cipher as a pseudorandom function. 1824 Re-keying is not intended to solve any post-quantum security issues 1825 for symmetric cryptography, since the reduction of security caused by 1826 Grover's algorithm is not connected with a size of plaintext 1827 transformed by a cipher - only a negligible (sufficient for key 1828 uniqueness) material is needed; and the aim of re-keying is to limit 1829 a size of plaintext transformed under one initial key. 1831 Re-keying can provide backward security only if previous key material 1832 is securely deleted after usage by all parties. 1834 9. References 1836 9.1. Normative References 1838 [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, 1839 RFC 5652, DOI 10.17487/RFC5652, September 2009, 1840 . 1842 [DTLS] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 1843 Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, 1844 January 2012, . 1846 [ESP] Kent, S., "IP Encapsulating Security Payload (ESP)", 1847 RFC 4303, DOI 10.17487/RFC4303, December 2005, 1848 . 1850 [GCM] Dworkin, M., "Recommendation for Block Cipher Modes of 1851 Operation: Galois/Counter Mode (GCM) and GMAC", NIST 1852 Special Publication 800-38D 1853 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/ 1854 nistspecialpublication800-38d.pdf, November 2007. 1856 [MODES] Dworkin, M., "Recommendation for Block Cipher Modes of 1857 Operation: Methods and Techniques", NIST Special 1858 Publication 800-38A, December 2001. 1860 [NISTSP800-108] 1861 National Institute of Standards and Technology, 1862 "Recommendation for Key Derivation Using Pseudorandom 1863 Functions", NIST Special Publication 800-108, November 1864 2008, . 1867 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1868 Requirement Levels", BCP 14, RFC 2119, 1869 DOI 10.17487/RFC2119, March 1997, 1870 . 1872 [RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The 1873 AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June 1874 2006, . 1876 [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand 1877 Key Derivation Function (HKDF)", RFC 5869, 1878 DOI 10.17487/RFC5869, May 2010, 1879 . 1881 [RFC7836] Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V., 1882 Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines 1883 on the Cryptographic Algorithms to Accompany the Usage of 1884 Standards GOST R 34.10-2012 and GOST R 34.11-2012", 1885 RFC 7836, DOI 10.17487/RFC7836, March 2016, 1886 . 1888 [SSH] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) 1889 Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, 1890 January 2006, . 1892 [TLS] Dierks, T. and E. Rescorla, "The Transport Layer Security 1893 (TLS) Protocol Version 1.2", RFC 5246, 1894 DOI 10.17487/RFC5246, August 2008, 1895 . 1897 [TLSDraft] 1898 Rescorla, E., "The Transport Layer Security (TLS) Protocol 1899 Version 1.3", 2017, 1900 . 1902 9.2. Informative References 1904 [AAOS2017] 1905 Ahmetzyanova, L., Alekseev, E., Oshkin, I., and S. 1906 Smyshlyaev, "Increasing the Lifetime of Symmetric Keys for 1907 the GCM Mode by Internal Re-keying", Cryptology ePrint 1908 Archive Report 2017/697, 2017, 1909 . 1911 [AbBell] Michel Abdalla and Mihir Bellare, "Increasing the Lifetime 1912 of a Key: A Comparative Analysis of the Security of Re- 1913 keying Techniques", ASIACRYPT2000, LNCS 1976, pp. 546-559, 1914 2000. 1916 [AESDUKPT] 1917 ANSI, "Retail Financial Services Symmetric Key Management 1918 - Part 3: Derived Unique Key Per Transaction", ANSI 1919 X9.24-3-2017, 2017. 1921 [FKK2005] Fu, K., Kamara, S., and T. Kohno, "Key Regression: 1922 Enabling Efficient Key Distribution for Secure Distributed 1923 Storage", November 2005, 1924 . 1927 [FPS2012] Faust, S., Pietrzak, K., and j. Schipper, "Practical 1928 Leakage-Resilient Symmetric Cryptography", CHES2012 LNCS, 1929 vol. 7428, pp. 213-232,, 2012, 1930 . 1933 [FRESHREKEYING] 1934 Dziembowski, S., Faust, S., Herold, G., Journault, A., 1935 Masny, D., and F. Standaert, "Towards Sound Fresh Re- 1936 Keying with Hard (Physical) Learning Problems", Cryptology 1937 ePrint Archive Report 2016/573, June 2016, 1938 . 1940 [GGM] Goldreich, O., Goldwasser, S., and S. Micali, "How to 1941 Construct Random Functions", Journal of the Association 1942 for Computing Machinery Vol.33, No.4, pp. 792-807, October 1943 1986, . 1945 [KMNT2003] 1946 Kim, Y., Maino, F., Narasimha, M., and G. Tsudik, "Secure 1947 Group Services for Storage Area Networks", 1948 IEEE Communication Magazine 41, pp. 92-99, 2003, 1949 . 1951 [LDC] Howard M. Heys, "A Tutorial on Linear and Differential 1952 Cryptanalysis", 2017, 1953 . 1955 [OWT] Joye, M. and S. Yen, "One-Way Cross-Trees and Their 1956 Applications", DOI 10.1007/3-540-45664-3_25, February 1957 2002, . 1960 [P3] Peter Alexander, "Dynamic Key Changes on Encrypted 1961 Sessions", CFRG mail archive , December 2017, 1962 . 1965 [Pietrzak2009] 1966 Pietrzak, K., "A Leakage-Resilient Mode of Operation", 1967 EUROCRYPT2009 LNCS, vol. 5479, pp. 462-482,, 2009, 1968 . 1971 [SIGNAL] Perrin, T., Ed. and M. Marlinspike, "The Double Ratchet 1972 Algorithm", November 2016, 1973 . 1976 [Sweet32] Karthikeyan Bhargavan, Gaetan Leurent, "On the Practical 1977 (In-)Security of 64-bit Block Ciphers: Collision Attacks 1978 on HTTP over TLS and OpenVPN", Cryptology ePrint 1979 Archive Report 2016/798, 2016, 1980 . 1982 [TAHA] Taha, M. and P. Schaumont, "Key Updating for Leakage 1983 Resiliency With Application to AES Modes of Operation", 1984 DOI 10.1109/TIFS.2014.2383359, December 2014, 1985 . 1987 [TEMPEST] By Craig Ramsay, Jasper Lohuis, "TEMPEST attacks against 1988 AES. Covertly stealing keys for 200 euro", 2017, 1989 . 1992 [U2F] Chang, D., Mishra, S., Sanadhya, S., and A. Singhl, "On 1993 Making U2F Protocol Leakage-Resilient via Re-keying.", 1994 Cryptology ePrint Archive Report 2017/721, August 2017, 1995 . 1997 Appendix A. Test Examples 1999 A.1. Test Examples for External Re-keying 2001 A.1.1. External Re-keying with a Parallel Construction 2002 External re-keying with a parallel construction based on AES-256 2003 **************************************************************** 2004 k = 256 2005 t = 128 2007 Initial key: 2008 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2009 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2011 K^1: 2012 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2013 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2015 K^2: 2016 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2017 B8 02 92 32 D8 D3 8D 73 FE DC DD C6 C8 36 78 BD 2019 K^3: 2020 B6 40 24 85 A4 24 BD 35 B4 26 43 13 76 26 70 B6 2021 5B F3 30 3D 3B 20 EB 14 D1 3B B7 91 74 E3 DB EC 2023 ... 2025 K^126: 2026 2F 3F 15 1B 53 88 23 CD 7D 03 FC 3D FD B3 57 5E 2027 23 E4 1C 4E 46 FF 6B 33 34 12 27 84 EF 5D 82 23 2029 K^127: 2030 8E 51 31 FB 0B 64 BB D0 BC D4 C5 7B 1C 66 EF FD 2031 97 43 75 10 6C AF 5D 5E 41 E0 17 F4 05 63 05 ED 2033 K^128: 2034 77 4F BF B3 22 60 C5 3B A3 8E FE B1 96 46 76 41 2035 94 49 AF 84 2D 84 65 A7 F4 F7 2C DC A4 9D 84 F9 2036 External re-keying with a parallel construction based on SHA-256 2037 **************************************************************** 2038 k = 256 2039 t = 128 2041 label: 2042 SHA2label 2044 Initial key: 2045 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2046 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2048 K^1: 2049 C1 A1 4C A0 30 29 BE 43 9F 35 3C 79 1A 51 48 57 2050 26 7A CD 5A E8 7D E7 D1 B2 E2 C7 AF A4 29 BD 35 2052 K^2: 2053 03 68 BB 74 41 2A 98 ED C4 7B 94 CC DF 9C F4 9E 2054 A9 B8 A9 5F 0E DC 3C 1E 3B D2 59 4D D1 75 82 D4 2056 K^3: 2057 2F D3 68 D3 A7 8F 91 E6 3B 68 DC 2B 41 1D AC 80 2058 0A C3 14 1D 80 26 3E 61 C9 0D 24 45 2A BD B1 AE 2060 ... 2062 K^126: 2063 55 AC 2B 25 00 78 3E D4 34 2B 65 0E 75 E5 8B 76 2064 C8 04 E9 D3 B6 08 7D C0 70 2A 99 A4 B5 85 F1 A1 2066 K^127: 2067 77 4D 15 88 B0 40 90 E5 8C 6A D7 5D 0F CF 0A 4A 2068 6C 23 F1 B3 91 B1 EF DF E5 77 64 CD 09 F5 BC AF 2070 K^128: 2071 E5 81 FF FB 0C 90 88 CD E5 F4 A5 57 B6 AB D2 2E 2072 94 C3 42 06 41 AB C1 72 66 CC 2F 59 74 9C 86 B3 2074 A.1.2. External Re-keying with a Serial Construction 2076 External re-keying with a serial construction based on AES-256 2077 ************************************************************** 2078 AES 256 examples: 2079 k = 256 2080 t = 128 2081 Initial key: 2082 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2083 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2085 K*_1: 2086 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2087 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2089 K^1: 2090 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2091 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2093 K*_2: 2094 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2095 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2097 K^2: 2098 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2099 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2101 K*_3: 2102 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2103 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2105 K^3: 2106 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2107 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2109 ... 2111 K*_126: 2112 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2113 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2115 K^126: 2116 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2117 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2119 K*_127: 2120 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2121 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2123 K^127: 2124 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2125 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2127 K*_128: 2128 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2129 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2131 K^128: 2132 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2133 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2135 External re-keying with a serial construction based on SHA-256 2136 ************************************************************** 2137 k = 256 2138 t = 128 2140 Initial key: 2141 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2142 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2144 label1: 2145 SHA2label1 2147 label2: 2148 SHA2label2 2150 K*_1: 2151 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2152 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2154 K^1: 2155 2D A8 D1 37 6C FD 52 7F F7 36 A4 E2 81 C6 0A 9B 2156 F3 8E 66 97 ED 70 4F B5 FB 10 33 CC EC EE D5 EC 2158 K*_2: 2159 14 65 5A D1 7C 19 86 24 9B D3 56 DF CC BE 73 6F 2160 52 62 4A 9D E3 CC 40 6D A9 48 DA 5C D0 68 8A 04 2162 K^2: 2163 2F EA 8D 57 2B EF B8 89 42 54 1B 8C 1B 3F 8D B1 2164 84 F9 56 C7 FE 01 11 99 1D FB 98 15 FE 65 85 CF 2166 K*_3: 2167 18 F0 B5 2A D2 45 E1 93 69 53 40 55 43 70 95 8D 2168 70 F0 20 8C DF B0 5D 67 CD 1B BF 96 37 D3 E3 EB 2170 K^3: 2171 53 C7 4E 79 AE BC D1 C8 24 04 BF F6 D7 B1 AC BF 2172 F9 C0 0E FB A8 B9 48 29 87 37 E1 BA E7 8F F7 92 2173 ... 2175 K*_126: 2176 A3 6D BF 02 AA 0B 42 4A F2 C0 46 52 68 8B C7 E6 2177 5E F1 62 C3 B3 2F DD EF E4 92 79 5D BB 45 0B CA 2179 K^126: 2180 6C 4B D6 22 DC 40 48 0F 29 C3 90 B8 E5 D7 A7 34 2181 23 4D 34 65 2C CE 4A 76 2C FE 2A 42 C8 5B FE 9A 2183 K*_127: 2184 84 5F 49 3D B8 13 1D 39 36 2B BE D3 74 8F 80 A1 2185 05 A7 07 37 BA 15 72 E0 73 49 C2 67 5D 0A 28 A1 2187 K^127: 2188 57 F0 BD 5A B8 2A F3 6B 87 33 CF F7 22 62 B4 D0 2189 F0 EE EF E1 50 74 E5 BA 13 C1 23 68 87 36 29 A2 2191 K*_128: 2192 52 F2 0F 56 5C 9C 56 84 AF 69 AD 45 EE B8 DA 4E 2193 7A A6 04 86 35 16 BA 98 E4 CB 46 D2 E8 9A C1 09 2195 K^128: 2196 9B DD 24 7D F3 25 4A 75 E0 22 68 25 68 DA 9D D5 2197 C1 6D 2D 2B 4F 3F 1F 2B 5E 99 82 7F 15 A1 4F A4 2199 A.2. Test Examples for Internal Re-keying 2201 A.2.1. Internal Re-keying Mechanisms that Do Not Require Master Key 2203 CTR-ACPKM mode with AES-256 2204 *************************** 2205 k = 256 2206 n = 128 2207 c = 64 2208 N = 256 2210 Initial key K: 2211 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2212 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2214 Plain text P: 2215 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2216 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2217 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2218 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2219 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2220 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2221 00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 2223 ICN: 2224 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 2225 23 34 45 56 67 78 89 90 12 13 14 15 16 17 18 19 2227 D_1: 2228 00000: 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 2230 D_2: 2231 00000: 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F 2233 Section_1 2235 Section key K^1: 2236 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2237 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2239 Input block CTR_1: 2240 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 00 2242 Output block G_1: 2243 00000: FD 7E F8 9A D9 7E A4 B8 8D B8 B5 1C 1C 9D 6D D0 2245 Input block CTR_2: 2246 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 01 2248 Output block G_2: 2249 00000: 19 98 C5 71 76 37 FB 17 11 E4 48 F0 0C 0D 60 B2 2251 Section_2 2253 Section key K^2: 2254 00000: F6 80 D1 21 2F A4 3D F4 EC 3A 91 DE 2A B1 6F 1B 2255 00010: 36 B0 48 8A 4F C1 2E 09 98 D2 E4 A8 88 E8 4F 3D 2257 Input block CTR_3: 2258 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 02 2260 Output block G_3: 2261 00000: E4 88 89 4F B6 02 87 DB 77 5A 07 D9 2C 89 46 EA 2263 Input block CTR_4: 2264 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 03 2265 Output block G_4: 2266 00000: BC 4F 87 23 DB F0 91 50 DD B4 06 C3 1D A9 7C A4 2268 Section_3 2270 Section key K^3: 2271 00000: 8E B9 7E 43 27 1A 42 F1 CA 8E E2 5F 5C C7 C8 3B 2272 00010: 1A CE 9E 5E D0 6A A5 3B 57 B9 6A CF 36 5D 24 B8 2274 Input block CTR_5: 2275 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 04 2277 Output block G_5: 2278 00000: 68 6F 22 7D 8F B2 9C BD 05 C8 C3 7D 22 FE 3B B7 2280 Input block CTR_6: 2281 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 05 2283 Output block G_6: 2284 00000: C0 1B F9 7F 75 6E 12 2F 80 59 55 BD DE 2D 45 87 2286 Section_4 2288 Section key K^4: 2289 00000: C5 71 6C C9 67 98 BC 2D 4A 17 87 B7 8A DF 94 AC 2290 00010: E8 16 F8 0B DB BC AD 7D 60 78 12 9C 0C B4 02 F5 2292 Block number 7: 2294 Input block CTR_7: 2295 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 06 2297 Output block G_7: 2298 00000: 03 DE 34 74 AB 9B 65 8A 3B 54 1E F8 BD 2B F4 7D 2300 The result G = G_1 | G_2 | G_3 | G_4 | G_5 | G_6 | G_7: 2301 00000: FD 7E F8 9A D9 7E A4 B8 8D B8 B5 1C 1C 9D 6D D0 2302 00010: 19 98 C5 71 76 37 FB 17 11 E4 48 F0 0C 0D 60 B2 2303 00020: E4 88 89 4F B6 02 87 DB 77 5A 07 D9 2C 89 46 EA 2304 00030: BC 4F 87 23 DB F0 91 50 DD B4 06 C3 1D A9 7C A4 2305 00040: 68 6F 22 7D 8F B2 9C BD 05 C8 C3 7D 22 FE 3B B7 2306 00050: C0 1B F9 7F 75 6E 12 2F 80 59 55 BD DE 2D 45 87 2307 00060: 03 DE 34 74 AB 9B 65 8A 3B 54 1E F8 BD 2B F4 7D 2309 The result ciphertext C = P (xor) MSB_{|P|}(G): 2310 00000: EC 5C CB DE 8C 18 D3 B8 72 56 68 D0 A7 37 F4 58 2311 00010: 19 89 E7 42 32 62 9D 60 99 7D E2 4B C0 E3 9F B8 2312 00020: F5 AA BA 0B E3 64 F0 53 EE F0 BC 15 C2 76 4C EA 2313 00030: 9E 7C C3 76 BD 87 19 C9 77 0F CA 2D E2 A3 7C B5 2314 00040: 5B 2B 77 1B F8 3A 05 17 BE 04 2D 82 28 FE 2A 95 2315 00050: 84 4E 9F 08 FD F7 B8 94 4C B7 AA B7 DE 3C 67 B4 2316 00060: 56 B8 43 FC 32 31 DE 46 D5 AB 14 F8 AC 09 C7 39 2318 GCM-ACPKM mode with AES-128 2319 *************************** 2320 k = 128 2321 n = 128 2322 c = 32 2323 N = 256 2325 Initilal Key K: 2326 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2328 Additional data A: 2329 00000: 11 22 33 2331 Plaintext: 2332 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2333 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2334 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2336 ICN: 2337 00000: 00 00 00 00 00 00 00 00 00 00 00 00 2339 Number of sections: 2 2341 Section key K^1: 2342 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2344 Section key K^2: 2345 00000: 15 1A 9F B0 B6 AC C5 97 6A FB 50 31 D1 DE C8 41 2347 Encrypted GCTR_1 | GCTR_2 | GCTR_3: 2348 00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78 2349 00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0 2350 00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD 2352 Ciphertext C: 2353 00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78 2354 00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0 2355 00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD 2357 GHASH input: 2359 00000: 11 22 33 00 00 00 00 00 00 00 00 00 00 00 00 00 2360 00010: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78 2361 00020: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0 2362 00030: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD 2363 00040: 00 00 00 00 00 00 00 18 00 00 00 00 00 00 01 80 2365 GHASH output S: 2366 00000: E8 ED E9 94 9A DD 55 30 B0 F4 4E F5 00 FC 3E 3C 2368 Authentication tag T: 2369 00000: B0 0F 15 5A 60 A3 65 51 86 8B 53 A2 A4 1B 7B 66 2371 The result C | T: 2372 00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78 2373 00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0 2374 00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD 2375 00030: B0 0F 15 5A 60 A3 65 51 86 8B 53 A2 A4 1B 7B 66 2377 A.2.2. Internal Re-keying Mechanisms with a Master Key 2379 CTR-ACPKM-Master mode with AES-256 2380 ********************************** 2381 k = 256 2382 n = 128 2383 c for CTR-ACPKM mode = 64 2384 c for CTR-ACPKM-Master mode = 64 2385 N = 256 2386 T* = 512 2388 Initial key K: 2389 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2390 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2392 Initial vector ICN: 2393 00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 2395 Plaintext P: 2396 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2397 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2398 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2399 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2400 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2401 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2402 00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 2403 K^1 | K^2 | K^3 | K^4: 2404 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2405 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2406 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2407 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2408 00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2409 00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2410 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2411 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2413 Section_1 2415 K^1: 2416 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2417 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2419 Input block CTR_1: 2420 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 00 2422 Output block G_1: 2423 00000: 8C A2 B6 82 A7 50 65 3F 8E BF 08 E7 9F 99 4D 5C 2425 Input block CTR_2: 2426 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 01 2428 Output block G_2: 2429 00000: F6 A6 A5 BA 58 14 1E ED 23 DC 31 68 D2 35 89 A1 2431 Section_2 2433 K^2: 2434 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2435 00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2437 Input block CTR_3: 2438 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 02 2440 Output block G_3: 2441 00000: 4A 07 5F 86 05 87 72 94 1D 8E 7D F8 32 F4 23 71 2443 Input block CTR_4: 2444 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 03 2446 Output block G_4: 2447 00000: 23 35 66 AF 61 DD FE A7 B1 68 3F BA B0 52 4A D7 2448 Section_3 2450 K^3: 2451 00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2452 00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2454 Input block CTR_5: 2455 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 04 2457 Output block G_5: 2458 00000: A8 09 6D BC E8 BB 52 FC DE 6E 03 70 C1 66 95 E8 2460 Input block CTR_6: 2461 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 05 2463 Output block G_6: 2464 00000: C6 E3 6E 8E 5B 82 AA C4 A6 6C 14 8D B1 F6 9B EF 2466 Section_4 2468 K^4: 2469 00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2470 00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2472 Input block CTR_7: 2473 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 06 2475 Output block G_7: 2476 00000: 82 2B E9 07 96 37 44 95 75 36 3F A7 07 F8 40 22 2478 The result G = G_1 | G_2 | G_3 | G_4 | G_5 | G_6 | G_7: 2479 00000: 8C A2 B6 82 A7 50 65 3F 8E BF 08 E7 9F 99 4D 5C 2480 00010: F6 A6 A5 BA 58 14 1E ED 23 DC 31 68 D2 35 89 A1 2481 00020: 4A 07 5F 86 05 87 72 94 1D 8E 7D F8 32 F4 23 71 2482 00030: 23 35 66 AF 61 DD FE A7 B1 68 3F BA B0 52 4A D7 2483 00040: A8 09 6D BC E8 BB 52 FC DE 6E 03 70 C1 66 95 E8 2484 00050: C6 E3 6E 8E 5B 82 AA C4 A6 6C 14 8D B1 F6 9B EF 2485 00060: 82 2B E9 07 96 37 44 95 75 36 3F A7 07 F8 40 22 2487 The result ciphertext C = P (xor) MSB_{|P|}(G): 2488 00000: 9D 80 85 C6 F2 36 12 3F 71 51 D5 2B 24 33 D4 D4 2489 00010: F6 B7 87 89 1C 41 78 9A AB 45 9B D3 1E DB 76 AB 2490 00020: 5B 25 6C C2 50 E1 05 1C 84 24 C6 34 DC 0B 29 71 2491 00030: 01 06 22 FA 07 AA 76 3E 1B D3 F3 54 4F 58 4A C6 2492 00040: 9B 4D 38 DA 9F 33 CB 56 65 A2 ED 8F CB 66 84 CA 2493 00050: 82 B6 08 F9 D3 1B 00 7F 6A 82 EB 87 B1 E7 B9 DC 2494 00060: D7 4D 9E 8F 0F 9D FF 59 9B C9 35 A7 16 DA 73 66 2496 GCM-ACPKM-Master mode with AES-256 2497 ********************************** 2498 k = 192 2499 n = 128 2500 c for the CTR-ACPKM mode = 64 2501 c for the GCM-ACPKM-Master mode = 32 2502 T* = 384 2503 N = 256 2505 Initila Key K: 2506 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2507 00010: 00 00 00 00 00 00 00 00 2509 Additional data A: 2510 00000: 11 22 33 2512 Plaintext: 2513 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2514 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2515 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2516 00030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2517 00040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2519 ICN: 2520 00000: 00 00 00 00 00 00 00 00 00 00 00 00 2522 Number of sections: 3 2524 K^1 | K^2 | K^3: 2525 00000: 93 BA AF FB 35 FB E7 39 C1 7C 6A C2 2E EC F1 8F 2526 00010: 7B 89 F0 BF 8B 18 07 05 96 48 68 9F 36 A7 65 CC 2527 00020: CD 5D AC E2 0D 47 D9 18 D7 86 D0 41 A8 3B AB 99 2528 00030: F5 F8 B1 06 D2 71 78 B1 B0 08 C9 99 0B 72 E2 87 2529 00040: 5A 2D 3C BE F1 6E 67 3C 2531 Encrypted GCTR_1 | ... | GCTR_5 2532 00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52 2533 00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8 2534 00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE 2535 00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14 2536 00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08 2538 Ciphertext C: 2540 00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52 2541 00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8 2542 00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE 2543 00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14 2544 00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08 2546 GHASH input: 2547 00000: 11 22 33 00 00 00 00 00 00 00 00 00 00 00 00 00 2548 00010: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52 2549 00020: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8 2550 00030: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE 2551 00040: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14 2552 00050: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08 2553 00060: 00 00 00 00 00 00 00 18 00 00 00 00 00 00 02 80 2555 GHASH output S: 2556 00000: 6E A3 4B D5 6A C5 40 B7 3E 55 D5 86 D1 CC 09 7D 2558 Authentication tag T: 2559 00050: CC 3A BA 11 8C E7 85 FD 77 78 94 D4 B5 20 69 F8 2561 The result C | T: 2562 00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52 2563 00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8 2564 00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE 2565 00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14 2566 00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08 2567 00050: CC 3A BA 11 8C E7 85 FD 77 78 94 D4 B5 20 69 F8 2569 CBC-ACPKM-Master mode with AES-256 2570 ********************************** 2571 k = 256 2572 n = 128 2573 c for the CTR-ACPKM mode = 64 2574 N = 256 2575 T* = 512 2577 Initial key K: 2578 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2579 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2581 Initial vector IV: 2582 00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 2584 Plaintext P: 2586 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2587 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2588 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2589 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2590 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2591 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2592 00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 2594 K^1 | K^2 | K^3 | K^4: 2595 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2596 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2597 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2598 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2599 00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2600 00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2601 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2602 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2604 Section_1 2606 K^1: 2607 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2608 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2610 Plaintext block P_1: 2611 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2613 Input block P_1 (xor) C_0: 2614 00000: 03 16 65 3C C5 CD B9 F0 5E 5C 1E 18 5E 5A 98 9A 2616 Output block C_1: 2617 00000: 59 CB 5B CA C2 69 2C 60 0D 46 03 A0 C7 40 C9 7C 2619 Plaintext block P_2: 2620 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2622 Input block P_2 (xor) C_1: 2623 00000: 59 DA 79 F9 86 3C 4A 17 85 DF A9 1B 0B AE 36 76 2625 Output block C_2: 2626 00000: 80 B6 02 74 54 8B F7 C9 78 1F A1 05 8B F6 8B 42 2628 Section_2 2630 K^2: 2631 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2632 00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2633 Plaintext block P_3: 2634 00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2636 Input block P_3 (xor) C_2: 2637 00000: 91 94 31 30 01 ED 80 41 E1 B5 1A C9 65 09 81 42 2639 Output block C_3: 2640 00000: 8C 24 FB CF 68 15 B1 AF 65 FE 47 75 95 B4 97 59 2642 Plaintext block P_4: 2643 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2645 Input block P_4 (xor) C_3: 2646 00000: AE 17 BF 9A 0E 62 39 36 CF 45 8B 9B 6A BE 97 48 2648 Output block C_4: 2649 00000: 19 65 A5 00 58 0D 50 23 72 1B E9 90 E1 83 30 E9 2651 Section_3 2653 K^3: 2654 00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2655 00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2657 Plaintext block P_5: 2658 00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2660 Input block P_5 (xor) C_4: 2661 00000: 2A 21 F0 66 2F 85 C9 89 C9 D7 07 6F EB 83 21 CB 2663 Output block C_5: 2664 00000: 56 D8 34 F4 6F 0F 4D E6 20 53 A9 5C B5 F6 3C 14 2666 Plaintext block P_6: 2667 00000: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2669 Input block P_6 (xor) C_5: 2670 00000: 12 8D 52 83 E7 96 E7 5D EC BD 56 56 B5 E7 1E 27 2672 Output block C_6: 2673 00000: 66 68 2B 8B DD 6E B2 7E DE C7 51 D6 2F 45 A5 45 2675 Section_4 2677 K^4: 2678 00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2679 00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2680 Plaintext block P_7: 2681 00000: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 2683 Input block P_7 (xor) C_6: 2684 00000: 33 0E 5C 03 44 C4 09 B2 30 38 5B D6 3E 67 96 01 2686 Output block C_7: 2687 00000: 7F 4D 87 F9 CA E9 56 09 79 C4 FA FE 34 0B 45 34 2689 Cipher text C: 2690 00000: 59 CB 5B CA C2 69 2C 60 0D 46 03 A0 C7 40 C9 7C 2691 00010: 80 B6 02 74 54 8B F7 C9 78 1F A1 05 8B F6 8B 42 2692 00020: 8C 24 FB CF 68 15 B1 AF 65 FE 47 75 95 B4 97 59 2693 00030: 19 65 A5 00 58 0D 50 23 72 1B E9 90 E1 83 30 E9 2694 00040: 56 D8 34 F4 6F 0F 4D E6 20 53 A9 5C B5 F6 3C 14 2695 00050: 66 68 2B 8B DD 6E B2 7E DE C7 51 D6 2F 45 A5 45 2696 00060: 7F 4D 87 F9 CA E9 56 09 79 C4 FA FE 34 0B 45 34 2698 CFB-ACPKM-Master mode with AES-256 2699 ********************************** 2700 k = 256 2701 n = 128 2702 c for the CTR-ACPKM mode = 64 2703 N = 256 2704 T* = 512 2706 Initial key K: 2707 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2708 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2710 Initial vector IV: 2711 00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 2713 Plaintext P: 2714 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2715 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2716 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2717 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2718 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2719 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2720 00060: 55 66 77 88 99 AA BB CC 2722 K^1 | K^2 | K^3 | K^4 2723 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2724 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2725 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2726 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2727 00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2728 00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2729 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2730 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2732 Section_1 2734 K^1: 2735 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2736 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2738 Plaintext block P_1: 2739 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2741 Encrypted block E_{K^1}(C_0): 2742 00000: 1C 39 9D 59 F8 5D 91 91 A9 D2 12 9F 63 15 90 03 2744 Output block C_1 = E_{K^1}(C_0) (xor) P_1: 2745 00000: 0D 1B AE 1D AD 3B E6 91 56 3C CF 53 D8 BF 09 8B 2747 Plaintext block P_2: 2748 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2750 Encrypted block E_{K^1}(C_1): 2751 00000: 6B A2 C5 42 52 69 C6 0B 15 14 06 87 90 46 F6 2E 2753 Output block C_2 = E_{K^1}(C_1) (xor) P_2: 2754 00000: 6B B3 E7 71 16 3C A0 7C 9D 8D AC 3C 5C A8 09 24 2756 Section_2 2758 K^2: 2759 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2760 00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2762 Plaintext block P_3: 2763 00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2765 Encrypted block E_{K^2}(C_2): 2766 00000: 95 45 5F DB C3 9E 0A 13 9F CB 10 F5 BD 79 A3 88 2768 Output block C_3 = E_{K^2}(C_2) (xor) P_3: 2769 00000: 84 67 6C 9F 96 F8 7D 9B 06 61 AB 39 53 86 A9 88 2771 Plaintext block P_4: 2772 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2773 Encrypted block E_{K^2}(C_3): 2774 00000: E0 AA 32 5D 80 A4 47 95 BA 42 BF 63 F8 4A C8 B2 2776 Output block C_4 = E_{K^2}(C_3) (xor) P_4: 2777 00000: C2 99 76 08 E6 D3 CF 0C 10 F9 73 8D 07 40 C8 A3 2779 Section_3 2781 K^3: 2782 00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2783 00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2785 Plaintext block P_5: 2786 00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2788 Encrypted block E_{K^3}(C_4): 2789 00000: FE 42 8C 70 C2 51 CE 13 36 C1 BF 44 F8 49 66 89 2791 Output block C_5 = E_{K^3}(C_4) (xor) P_5: 2792 00000: CD 06 D9 16 B5 D9 57 B9 8D 0D 51 BB F2 49 77 AB 2794 Plaintext block P_6: 2795 00000: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2797 Encrypted block E_{K^3}(C_5): 2798 00000: 01 24 80 87 86 18 A5 43 11 0A CC B5 0A E5 02 A3 2800 Output block C_6 = E_{K^3}(C_5) (xor) P_6: 2801 00000: 45 71 E6 F0 0E 81 0F F8 DD E4 33 BF 0A F4 20 90 2803 Section_4 2805 K^4: 2806 00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2807 00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2809 Plaintext block P_7: 2810 00000: 55 66 77 88 99 AA BB CC 2812 Encrypted block MSB_{|P_7|}(E_{K^4}(C_6)): 2813 00000: 97 5C 96 37 55 1E 8C 7F 2815 Output block C_7 = MSB_{|P_7|}(E_{K^4}(C_6)) (xor) P_7 2816 00000: C2 3A E1 BF CC B4 37 B3 2818 Cipher text C: 2819 00000: 0D 1B AE 1D AD 3B E6 91 56 3C CF 53 D8 BF 09 8B 2820 00010: 6B B3 E7 71 16 3C A0 7C 9D 8D AC 3C 5C A8 09 24 2821 00020: 84 67 6C 9F 96 F8 7D 9B 06 61 AB 39 53 86 A9 88 2822 00030: C2 99 76 08 E6 D3 CF 0C 10 F9 73 8D 07 40 C8 A3 2823 00040: CD 06 D9 16 B5 D9 57 B9 8D 0D 51 BB F2 49 77 AB 2824 00050: 45 71 E6 F0 0E 81 0F F8 DD E4 33 BF 0A F4 20 90 2825 00060: C2 3A E1 BF CC B4 37 B3 2827 OMAC-ACPKM-Master mode with AES-256 2828 *********************************** 2829 k = 256 2830 n = 128 2831 c for the CTR-ACPKM mode = 64 2832 N = 256 2833 T* = 768 2835 Initial key K: 2836 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2837 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2839 Plaintext M: 2840 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2841 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2842 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2843 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2844 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2846 K^1 | K^1_1 | K^2 | K^2_1 | K^3 | K^3_1: 2847 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2848 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2849 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2850 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2851 00040: 9D CC 66 42 0D FF 45 5B 21 F3 93 F0 D4 D6 6E 67 2852 00050: BB 1B 06 0B 87 66 6D 08 7A 9D A7 49 55 C3 5B 48 2853 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2854 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2855 00080: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07 2857 Section_1 2859 K^1: 2860 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2861 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2863 K^1_1: 2864 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2865 Plaintext block M_1: 2866 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2868 Input block M_1 (xor) C_0: 2869 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2871 Output block C_1: 2872 00000: 0B A5 89 BF 55 C1 15 42 53 08 89 76 A0 FE 24 3E 2874 Plaintext block M_2: 2875 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2877 Input block M_2 (xor) C_1: 2878 00000: 0B B4 AB 8C 11 94 73 35 DB 91 23 CD 6C 10 DB 34 2880 Output block C_2: 2881 00000: 1C 53 DD A3 6D DC E1 17 ED 1F 14 09 D8 6A F3 2C 2883 Section_2 2885 K^2: 2886 00000: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2887 00010: 9D CC 66 42 0D FF 45 5B 21 F3 93 F0 D4 D6 6E 67 2889 K^2_1: 2890 00000: BB 1B 06 0B 87 66 6D 08 7A 9D A7 49 55 C3 5B 48 2892 Plaintext block M_3: 2893 00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2895 Input block M_3 (xor) C_2: 2896 00000: 0D 71 EE E7 38 BA 96 9F 74 B5 AF C5 36 95 F9 2C 2898 Output block C_3: 2899 00000: 4E D4 BC A6 CE 6D 6D 16 F8 63 85 13 E0 48 59 75 2901 Plaintext block M_4: 2902 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2904 Input block M_4 (xor) C_3: 2905 00000: 6C E7 F8 F3 A8 1A E5 8F 52 D8 49 FD 1F 42 59 64 2907 Output block C_4: 2908 00000: B6 83 E3 96 FD 30 CD 46 79 C1 8B 24 03 82 1D 81 2910 Section_3 2912 K^3: 2914 00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2915 00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2917 K^3_1: 2918 00000: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07 2920 MSB1(K1) == 0 -> K2 = K1 << 1 2922 K1: 2923 00000: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07 2925 K2: 2926 00000: F0 43 8F 8E D9 7A F2 C6 AD 59 F1 1C D2 D4 00 0E 2928 Plaintext M_5: 2929 00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2931 Using K1, padding is not required 2933 Input block M_5 (xor) C_4: 2934 00000: FD E6 71 37 E6 05 2D 8F 94 A1 9D 55 60 E8 0C A4 2936 Output block C_5: 2937 00000: B3 AD B8 92 18 32 05 4C 09 21 E7 B8 08 CF A0 B8 2939 Message authentication code T: 2940 00000: B3 AD B8 92 18 32 05 4C 09 21 E7 B8 08 CF A0 B8 2942 Appendix B. Contributors 2944 o Russ Housley 2945 Vigil Security, LLC 2946 housley@vigilsec.com 2948 o Evgeny Alekseev 2949 CryptoPro 2950 alekseev@cryptopro.ru 2952 o Ekaterina Smyshlyaeva 2953 CryptoPro 2954 ess@cryptopro.ru 2956 o Shay Gueron 2957 University of Haifa, Israel 2958 Intel Corporation, Israel Development Center, Israel 2959 shay.gueron@gmail.com 2961 o Daniel Fox Franke 2962 Akamai Technologies 2963 dfoxfranke@gmail.com 2965 o Lilia Ahmetzyanova 2966 CryptoPro 2967 lah@cryptopro.ru 2969 Appendix C. Acknowledgments 2971 We thank Mihir Bellare, Scott Fluhrer, Dorothy Cooley, Yoav Nir, Jim 2972 Schaad, Paul Hoffman, Dmitry Belyavsky and Yaron Sheffer for their 2973 useful comments. 2975 Author's Address 2977 Stanislav Smyshlyaev (editor) 2978 CryptoPro 2979 18, Suschevskiy val 2980 Moscow 127018 2981 Russian Federation 2983 Phone: +7 (495) 995-48-20 2984 Email: svs@cryptopro.ru