CFRG                                                   S. Smyshlyaev, Ed.
Internet-Draft                                                 CryptoPro
Intended status: Informational                         December 12, 2018
Expires: June 15, 2019

                  Re-keying Mechanisms for Symmetric Keys
                      draft-irtf-cfrg-re-keying-14

Abstract

   A certain maximum amount of data can be safely encrypted when
   encryption is performed under a single key.  This amount is called
   "key lifetime".  This specification describes a variety of methods to
   increase the lifetime of symmetric keys.  It provides two types of
   re-keying mechanisms based on hash functions and on block ciphers,
   that can be used with modes of operations such as CTR, GCM, CBC, CFB
   and OMAC.

   This document is a product of the Crypto Forum Research Group (CFRG)
   in the IRTF.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 15, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Basic Terms and Definitions
   4.  Choosing Constructions and Security Parameters
   5.  External Re-keying Mechanisms
     5.1.  Methods of Key Lifetime Control
     5.2.  Parallel Constructions
       5.2.1.  Parallel Construction Based on a KDF on a Block Cipher
       5.2.2.  Parallel Construction Based on a KDF on a Hash Function
       5.2.3.  Tree-based Construction
     5.3.  Serial Constructions
       5.3.1.  Serial Construction Based on a KDF on a Block Cipher
       5.3.2.  Serial Construction Based on a KDF on a Hash Function
     5.4.  Using Additional Entropy during Re-keying
   6.  Internal Re-keying Mechanisms
     6.1.  Methods of Key Lifetime Control
     6.2.  Constructions that Do Not Require Master Key
       6.2.1.  ACPKM Re-keying Mechanisms
       6.2.2.  CTR-ACPKM Encryption Mode
       6.2.3.  GCM-ACPKM Authenticated Encryption Mode
     6.3.  Constructions that Require Master Key
       6.3.1.  ACPKM-Master Key Derivation from the Master Key
       6.3.2.  CTR-ACPKM-Master Encryption Mode
       6.3.3.  GCM-ACPKM-Master Authenticated Encryption Mode
       6.3.4.  CBC-ACPKM-Master Encryption Mode
       6.3.5.  CFB-ACPKM-Master Encryption Mode
       6.3.6.  OMAC-ACPKM-Master Authentication Mode
   7.  Joint Usage of External and Internal Re-keying
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Test Examples
     A.1.  Test Examples for External Re-keying
       A.1.1.  External Re-keying with a Parallel Construction
       A.1.2.  External Re-keying with a Serial Construction
     A.2.  Test Examples for Internal Re-keying
       A.2.1.  Internal Re-keying Mechanisms that Do Not Require Master Key
       A.2.2.  Internal Re-keying Mechanisms with a Master Key
   Appendix B.  Contributors
   Appendix C.  Acknowledgments
   Author's Address

1.  Introduction

   A certain maximum amount of data can be safely encrypted when
   encryption is performed under a single key.  Hereinafter this amount
   will be referred to as "key lifetime".  The need for such a
   limitation is dictated by the following methods of cryptanalysis:

   1.  Methods based on the combinatorial properties of the used block
       cipher mode of operation

       These methods do not depend on the underlying block cipher.
       Common mode restrictions derived from such methods are of order
       2^{n/2}, where n is the block size defined in Section 3.  [Sweet32]
       is an example of an attack that is based on such methods.

   2.  Methods based on side-channel analysis issues

       In most cases these methods do not depend on the used encryption
       modes and weakly depend on the used block cipher features.
       Limitations resulting from these considerations are usually the
       most restrictive ones.  [TEMPEST] is an example of an attack that
       is based on such methods.

   3.  Methods based on the properties of the used block cipher

       The most common methods of this type are linear and differential
       cryptanalysis [LDC].  In most cases these methods do not depend on
       the used modes of operation.  In the case of secure block ciphers,
       bounds resulting from such methods are roughly the same as the
       natural bounds of 2^n, and are dominated by the other bounds
       above.  Therefore, they can be excluded from the considerations
       here.

   As a result, it is important to replace a key when the total size of
   the processed plaintext under that key approaches the lifetime
   limitation.  A specific value of the key lifetime should be
   determined in accordance with some safety margin for protocol
   security and the methods outlined above.

   Suppose L is a key lifetime limitation in some protocol P.  For
   simplicity, assume that all messages have the same length m.  Hence,
   the number of messages q that can be processed with a single key K
   should be such that m * q <= L.  This can be depicted graphically as
   a rectangle with sides m and q which is enclosed by area L (see
   Figure 1).

      +------------------------+
      |          L             |
      |  +--------m---------+  |
      |  |==================|  |
      |  |==================|  |
      |  q==================|  |        m * q <= L
      |  |==================|  |
      |  |==================|  |
      |  +------------------+  |
      +------------------------+

          Figure 1: Graphic display of the key lifetime limitation

   In practice, the amount of data that corresponds to limitation L may
   not be enough.
   The simplest and most obvious way in this situation is a
   regular renegotiation of the initial key after processing this
   threshold amount of data L.  However, this reduces the total
   performance, since it usually entails termination of application data
   transmission, additional service messages, the use of a random number
   generator and many other additional calculations, including resource-
   intensive public key cryptography.

   For protocols based on block ciphers or stream ciphers, a more
   efficient way of increasing the key lifetime is to use various re-
   keying mechanisms.  This specification considers only the case of re-
   keying mechanisms for block ciphers, while re-keying mechanisms
   typical for stream ciphers (e.g., [Pietrzak2009], [FPS2012]) go
   beyond the scope of this document.

   Re-keying mechanisms can be applied on different protocol levels:
   on the block cipher level (this approach is known as fresh re-keying
   and is described, for instance, in [FRESHREKEYING]), on the block
   cipher mode of operation level (see Section 6), or on the protocol level
   above the block cipher mode of operation (see Section 5).  The usage
   of the first approach is highly inefficient due to the key changing
   after processing each message block.  Moreover, fresh re-keying
   mechanisms can change the block cipher internal structure and,
   consequently, can require additional security analysis for each
   particular block cipher.  As a result, this approach depends on
   particular primitive properties and cannot be applied to an
   arbitrary block cipher without additional security analysis;
   therefore, fresh re-keying mechanisms go beyond the scope of this
   document.

   Thus, this document contains the list of recommended re-keying
   mechanisms that can be used in symmetric encryption schemes based
   on block ciphers.
   These mechanisms are independent of the
   particular block cipher specification, and their security properties
   rely only on the standard block cipher security assumption.

   This specification presents two basic approaches to extending the
   lifetime of a key while avoiding renegotiation that were introduced
   in [AAOS2017]:

   1.  External re-keying

       External re-keying is performed by a protocol, and it is
       independent of the underlying block cipher and the mode of
       operation.  External re-keying can use parallel and serial
       constructions.  In the parallel case, data processing keys K^1,
       K^2, ... are generated directly from the initial key K
       independently of each other.  In the serial case, every data
       processing key depends on the state that is updated after the
       generation of each new data processing key.

       As a generalization of external parallel re-keying, an external
       tree-based mechanism can be considered.  It is specified in
       Section 5.2.3 and can be viewed as a generalization of the [GGM]
       tree.  Similar constructions are used in the one-way tree
       mechanism ([OWT]) and the [AESDUKPT] standard.

   2.  Internal re-keying

       Internal re-keying is built into the mode, and it depends heavily
       on the properties of the mode of operation and the block size.

   The re-keying approaches extend the key lifetime for a single initial
   key by providing the possibility to limit the leakages (via side
   channels) and by improving combinatorial properties of the used block
   cipher mode of operation.

   In practical applications, re-keying can be useful for protocols that
   need to operate in hostile environments or under restricted resource
   conditions (e.g., that require lightweight cryptography, where
   ciphers have a small block size, which imposes strict combinatorial
   limitations).
   Moreover, mechanisms that use external or internal re-
   keying may provide some protection against possible future attacks
   (by limiting the number of plaintext-ciphertext pairs that an
   adversary can collect) and some properties of forward or backward
   security (meaning that past or future data processing keys remain
   secure even if the current key is compromised; see [AbBell] for more
   details).  External or internal re-keying can be used in network
   protocols as well as in systems for data-at-rest encryption.

   Depending on the concrete protocol characteristics there might be
   situations in which both external and internal re-keying mechanisms
   (see Section 7) can be applied.  For example, a similar approach
   was used in Taha's tree construction (see [TAHA]).

   Note that there are key updating (key regression) algorithms (e.g.,
   [FKK2005] and [KMNT2003]) which are called "re-keying" as well, but
   they pursue a goal different from increasing key lifetime.
   Therefore, key regression algorithms are excluded from the
   considerations here.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Basic Terms and Definitions

   This document uses the following terms and definitions for the sets
   and operations on the elements of these sets:

   V*       the set of all bit strings of a finite length (hereinafter
            referred to as strings), including the empty string;

   V_s      the set of all bit strings of length s, where s is a non-
            negative integer;

   |X|      the bit length of the bit string X;

   A | B    concatenation of strings A and B both belonging to V*, i.e.,
            a string in V_{|A|+|B|}, where the left substring in V_|A| is
            equal to A, and the right substring in V_|B| is equal to B;

   (xor)    exclusive-or of two bit strings of the same length;

   Z_{2^n}  ring of residues modulo 2^n;

   Int_s: V_s -> Z_{2^s}  the transformation that maps a string a =
            (a_s, ... , a_1) in V_s into the integer Int_s(a) = 2^{s-1} *
            a_s + ... + 2 * a_2 + a_1 (the interpretation of the binary
            string as an integer);

   Vec_s: Z_{2^s} -> V_s  the transformation inverse to the mapping
            Int_s (the interpretation of an integer as a binary string);

   MSB_i: V_s -> V_i  the transformation that maps the string a = (a_s,
            ... , a_1) in V_s into the string MSB_i(a) = (a_s, ... ,
            a_{s-i+1}) in V_i (most significant bits);

   LSB_i: V_s -> V_i  the transformation that maps the string a = (a_s,
            ... , a_1) in V_s into the string LSB_i(a) = (a_i, ... , a_1)
            in V_i (least significant bits);

   Inc_c: V_s -> V_s  the transformation that maps the string a = (a_s,
            ... , a_1) in V_s into the string Inc_c(a) = MSB_{|a|-c}(a) |
            Vec_c(Int_c(LSB_c(a)) + 1 (mod 2^c)) in V_s (incrementing the
            least significant c bits of the bit string, regarded as the
            binary representation of an integer);

   a^s      the string in V_s that consists of s 'a' bits;

   E_{K}: V_n -> V_n  the block cipher permutation under the key K in
            V_k;

   ceil(x)  the smallest integer that is greater than or equal to x;

   floor(x) the biggest integer that is less than or equal to x;

   k        the bit length of the key K; k is assumed to be divisible
            by 8;

   n        the block size of the block cipher (in bits); n is assumed to
            be divisible by 8;

   b        the number of data blocks in the plaintext P (b =
            ceil(|P|/n));

   N        the section size (the number of bits that are processed with
            one section key before this key is transformed).

   A plaintext message P and the corresponding ciphertext C are divided
   into b = ceil(|P|/n) blocks, denoted P = P_1 | P_2 | ... | P_b and C
   = C_1 | C_2 | ... | C_b, respectively.  The first b-1 blocks P_i and
   C_i are in V_n, for i = 1, 2, ... , b-1.  The b-th blocks P_b, C_b
   may be incomplete blocks, i.e., in V_r, where r <= n if not
   otherwise specified.

4.  Choosing Constructions and Security Parameters

   External re-keying is an approach assuming that a key is transformed
   after encrypting a limited number of entire messages.  The external
   re-keying method is chosen at the protocol level, regardless of the
   underlying block cipher or the encryption mode.  External re-keying
   is recommended for protocols that process relatively short messages
   or for protocols that have a way to divide a long message into
   manageable pieces.  Through external re-keying the number of messages
   that can be securely processed with a single initial key K is
   substantially increased without loss in message length.

   External re-keying has the following advantages:

   1.  it increases the lifetime of an initial key by increasing the
       number of messages processed with this key;

   2.  it has minimal impact on performance, when the number of messages
       processed under one initial key is sufficiently large;

   3.  it provides forward and backward security of data processing
       keys.

   However, the use of external re-keying has the following
   disadvantage: in case of restrictive key lifetime limitations the
   message sizes can become inconvenient due to the impossibility of
   processing sufficiently large messages, so it could be necessary to
   perform additional fragmentation at the protocol level.  E.g., if the
   key lifetime L is 1 GB and the message length m = 3 GB, then this
   message cannot be processed as a whole and it should be divided into
   three fragments that will be processed separately.

   Internal re-keying is an approach assuming that a key is transformed
   during each separate message processing.  Such procedures are
   integrated into the base modes of operation, so every internal re-
   keying mechanism is defined for the particular operation mode and the
   block size of the used cipher.  Internal re-keying is recommended for
   protocols that process long messages: the size of each single message
   can be substantially increased without loss in the number of messages
   that can be securely processed with a single initial key.

   Internal re-keying has the following advantages:

   1.  it increases the lifetime of an initial key by increasing the
       size of the messages processed with one initial key;

   2.  it has minimal impact on performance;

   3.  internal re-keying mechanisms without a master key do not
       affect short message transformation at all;

   4.  it is transparent (works like any mode of operation): it does not
       require changes of IVs or restarting MACing.

   However, the use of internal re-keying has the following
   disadvantages:

   1.  a specific method must not be chosen independently of a mode of
       operation;

   2.  internal re-keying mechanisms without a master key do not provide
       backward security of data processing keys.

   Any block cipher mode of operation with internal re-keying can be
   jointly used with any external re-keying mechanism.  Such joint
   usage increases both the number of messages processed with one
   initial key and their maximum possible size.

   If the adversary has access to the data processing interface, the use
   of the same cryptographic primitives both for data processing and the
   re-keying transformation decreases the code size but can lead to some
   possible vulnerabilities (the possibility of mounting a chosen-
   plaintext attack may lead to the compromise of the following keys).
   This vulnerability can be eliminated by using different primitives
   for data processing and re-keying, e.g., a block cipher for data
   processing and a hash function for re-keying (see Section 5.2.2 and
   Section 5.3.2).  However, in this case the security of the whole
   scheme cannot be reduced to standard notions like PRF or PRP, so
   security estimations become more difficult and unclear.

   Summing up the above-mentioned issues briefly:

   1.  If a protocol assumes processing long records (e.g., [CMS]),
       internal re-keying should be used.  If a protocol assumes
       processing a significant amount of ordered records, which can be
       considered as a single data stream (e.g., [TLS], [SSH]), internal
       re-keying may also be used.

   2.  For protocols which allow out-of-order delivery and lost records
       (e.g., [DTLS], [ESP]) external re-keying should be used, as in
       this case records cannot be considered as a single data stream.
       If at the same time records are long enough, internal re-keying
       should be additionally used during each separate message
       processing.

   For external re-keying:

   1.  If it is desirable to separate transformations used for data
       processing and for key update, hash function based re-keying
       should be used.

   2.  If parallel data processing is required, then parallel external
       re-keying should be used.

   3.  In case of restrictive key lifetime limitations external tree-
       based re-keying should be used.

   For internal re-keying:

   1.  If the property of forward and backward security is desirable for
       data processing keys and if additional key material can be easily
       obtained for the data processing stage, internal re-keying with a
       master key should be used.

5.  External Re-keying Mechanisms

   This section presents an approach to increase the initial key
   lifetime by using a transformation of a data processing key (frame
   key) after processing a limited number of entire messages (a frame).
   It provides external parallel and serial re-keying mechanisms (see
   [AbBell]).  These mechanisms use the initial key K only for frame key
   generation and never use it directly for data processing.  Such
   mechanisms operate outside of the base modes of operation and do not
   change them at all; therefore they are called "external re-keying"
   mechanisms in this document.

   External re-keying mechanisms are recommended for usage in protocols
   that process quite small messages, since the maximum gain in
   increasing the initial key lifetime is achieved by increasing the
   number of messages.

   External re-keying increases the initial key lifetime through the
   following approach.  Suppose there is a protocol P with some mode of
   operation (base encryption or authentication mode).
   Let L1 be a key
   lifetime limitation induced by side-channel analysis methods (side-
   channel limitation), let L2 be a key lifetime limitation induced by
   methods based on the combinatorial properties of the used mode of
   operation (combinatorial limitation), and let q1, q2 be the total
   numbers of messages of length m that can be safely processed with an
   initial key K according to these limitations.

   Let L = min(L1, L2), q = min(q1, q2), q * m <= L.  As the L1
   limitation is usually much stronger than the L2 limitation (L1 < L2),
   the final key lifetime restriction is equal to the most restrictive
   limitation L1.

   Thus, as displayed in Figure 2, without re-keying only q1 (q1 * m <=
   L1) messages can be safely processed.

             <--------m------->
             +----------------+  ^   ^
             |================|  |   |
             |================|  |   |
        K--> |================| q1   |
             |================|  |   |
             |==============L1|  |   |
             +----------------+  v   |
             |                |      |
             |                |      |
             |                |     q2
             |                |      |
             |                |      |
             |                |      |
             |                |      |
             |                |      |
             |                |      |
             |                |      |
             |                |      |
             |              L2|      |
             +----------------+      v

   Figure 2: Basic principles of message processing without external re-keying

   Suppose that the safety margin for the protocol P is fixed and the
   external re-keying approach is applied to the initial key K to
   generate the sequence of frame keys.  The frame keys are generated in
   such a way that the leakage of a previous frame key does not have any
   impact on the following one, so the side channel limitation L1 goes
   off.  Thus, the resulting key lifetime limitation of the initial key
   K can be calculated on the basis of a new combinatorial limitation
   L2'.  It is proven (see [AbBell]) that the security of a mode of
   operation that uses external re-keying increases when compared to
   the base mode without re-keying (thus, L2 < L2').
Hence, as 511 displayed in Figure 3, the resulting key lifetime limitation in case 512 of using external re-keying can be increased up to L2'. 514 <--------m-------> 515 K +----------------+ 516 | |================| 517 v |================| 518 K^1--> |================| 519 | |================| 520 | |==============L1| 521 | +----------------+ 522 | |================| 523 v |================| 524 K^2--> |================| 525 | |================| 526 | |==============L1| 527 | +----------------+ 528 | |================| 529 v |================| 530 ... | . . . | 531 | | 532 | | 533 | L2| 534 +----------------+ 535 | | 536 ... ... 537 | L2'| 538 +----------------+ 540 Figure 3: Basic principles of message processing with external re-keying 542 Note: the key transformation process is depicted in a simplified 543 form. A specific approach (parallel and serial) is described below. 545 Consider an example. Let the message size in a protocol P be equal 546 to 1 KB. Suppose L1 = 128 MB and L2 = 1 TB. Thus, if an external 547 re-keying mechanism is not used, the initial key K must be 548 renegotiated after processing 128 MB / 1 KB = 131072 messages. 550 If an external re-keying mechanism is used, the key lifetime 551 limitation L1 goes off. Hence the resulting key lifetime limitation 552 L2' can be set to more then 1 TB. Thus if an external re-keying 553 mechanism is used, more then 1 TB / 1 KB = 2^30 messages can be 554 processed before the initial key K is renegotiated. This is 8192 555 times greater than the number of messages that can be processed, when 556 external re-keying mechanism is not used. 558 5.1. Methods of Key Lifetime Control 560 Suppose L is an amount of data that can be safely processed with one 561 frame key. For i in {1, 2, ... 
, t} the frame key K^i (see Figure 4 562 and Figure 5) should be transformed after processing q_i messages, 563 where q_i can be calculated in accordance with one of the following 564 approaches: 566 Explicit approach: 568 q_i is such that |M^{i,1}| + ... + |M^{i,q_i}| <= L, |M^{i,1}| + 569 ... + |M^{i,q_i+1}| > L. 570 This approach allows to use the frame key K^i in almost optimal 571 way but it can be applied only in case when messages cannot be 572 lost or reordered (e.g., TLS records). 574 Implicit approach: 576 q_i = L / m_max, i = 1, ... , t. 577 The amount of data processed with one frame key K^i is calculated 578 under the assumption that every message has the maximum length 579 m_max. Hence this amount can be considerably less than the key 580 lifetime limitation L. On the other hand, this approach can be 581 applied in case when messages may be lost or reordered (e.g., DTLS 582 records). 584 Dynamic key changes: 586 We can organize the key change using the Protected Point to Point 587 ([P3]) solution by building a protected tunnel between the 588 endpoints in which the information about frame key updating can be 589 safely passed across. This can be useful, for example, when we 590 wish the adversary not to detect the key change during the 591 protocol evaluation. 593 5.2. Parallel Constructions 595 External parallel re-keying mechanisms generate frame keys K^1, K^2, 596 ... directly from the initial key K independently of each other. 598 The main idea behind external re-keying with a parallel construction 599 is presented in Figure 4: 601 Maximum message size = m_max. 602 _____________________________________________________________ 604 m_max 605 <----------------> 606 M^{1,1} |=== | 607 M^{1,2} |=============== | 608 +->K^1--> ... ... 609 | M^{1,q_1} |======== | 610 | 611 | 612 | M^{2,1} |================| 613 | M^{2,2} |===== | 614 K-----|->K^2--> ... ... 615 | M^{2,q_2} |========== | 616 | 617 ... 
                                M^{t,1}  |============     |
                                M^{t,2}  |=============    |
                  +->K^t-->       ...          ...
                                M^{t,q_t}|==========       |

   _____________________________________________________________

           Figure 4: External parallel re-keying mechanisms

   The frame key K^i, i = 1, ... , t-1, is updated after processing a
   certain amount of messages (see Section 5.1).

5.2.1.  Parallel Construction Based on a KDF on a Block Cipher

   The ExtParallelC re-keying mechanism is based on the key derivation
   function on a block cipher and is used to generate t frame keys as
   follows:

      K^1 | K^2 | ... | K^t = ExtParallelC(K, t * k) =
         MSB_{t * k}(E_{K}(Vec_n(0)) | E_{K}(Vec_n(1)) | ... |
                     E_{K}(Vec_n(R - 1))),

   where R = ceil(t * k / n).

5.2.2.  Parallel Construction Based on a KDF on a Hash Function

   The ExtParallelH re-keying mechanism is based on the key derivation
   function HKDF-Expand, described in [RFC5869], and is used to generate
   t frame keys as follows:

      K^1 | K^2 | ... | K^t = ExtParallelH(K, t * k) =
         HKDF-Expand(K, label, t * k),

   where label is a string (possibly a zero-length string) that is
   defined by a specific protocol.

5.2.3.  Tree-based Construction

   The application of the external tree-based mechanism leads to the
   construction of a key tree with the initial key K (root key) at
   level 0 and the frame keys K^1, K^2, ... at the last level, as shown
   in Figure 6.

                                K_root = K
                          ___________|___________
                         |          ...          |
                         V                       V
                      K{1,1}                  K{1,W1}
                   ______|______           ______|______
                  |     ...     |         |     ...     |
                  V             V         V             V
               K{2,1}       K{2,W2}  K{2,(W1-1)*W2+1}  K{2,W1*W2}
               __|__         __|__         __|__         __|__
              | ... |       | ... |       | ... |       | ... |
              V     V       V     V       V     V       V     V
           K{3,1}  ...     ...   ...     ...   ...     ...  K{3,W1*W2*W3}

              ...                                         ...
             __|__                 ...                   __|__
            | ... |                                     | ... |
            V     V                                     V     V
         K{h,1}  K{h,Wh}      K{h,(W1*...*W{h-1}-1)*Wh+1}  K{h,W1*...*Wh}
          //  \\                   //  \\                    //  \\
        K^1   K^{Wh}     K^{(W1*...*W{h-1}-1)*Wh+1}       K^{W1*...*Wh}
   _______________________________________________________________________

                   Figure 6: External Tree-based Mechanism

   The tree height h and the number of keys Wj, j in {1, ... , h}, that
   can be derived from a "parent" key at level j-1 are defined in
   accordance with a specific protocol and with the key lifetime
   limitations of the derivation functions used.

   Each j-level key K{j,w}, where j in {1, ... , h}, w in {1, ... , W1 *
   ... * Wj}, is derived from the (j-1)-level "parent" key
   K{j-1,ceil(w/Wj)} (and other appropriate input data) using the j-th
   level derivation function, which can be based on a block cipher or
   on a hash function and is defined in accordance with a specific
   protocol.

   The i-th frame key K^i, i in {1, 2, ... , W1*...*Wh}, can be
   calculated as follows:

      K^i = ExtKeyTree(K, i) =
         KDF_h(KDF_{h-1}(... KDF_1(K, ceil(i / (W2 * ... * Wh))) ... ,
               ceil(i / Wh)), i),

   where KDF_j is the j-th level derivation function, which takes two
   arguments (the parent key value and an integer in the range from 1
   to W1 * ... * Wj) and outputs the j-th level key value.

   The frame key K^i is updated after processing a certain amount of
   messages (see Section 5.1).

   For an efficient implementation, during the generation of frame key
   K^i the derivation function KDF_j, j in {1, ... , h-1}, should be
   invoked only when ceil(i / (W{j+1} * ... * Wh)) != ceil((i - 1) /
   (W{j+1} * ... * Wh)); otherwise the previously generated j-level key
   is reused.  This approach also makes it possible to take
   countermeasures against side-channel attacks.

   Consider an example.  Suppose h = 3, W1 = W2 = W3 = W and KDF_1,
   KDF_2, KDF_3 are key derivation functions based on the
   KDF_GOSTR3411_2012_256 (hereafter simply KDF) function described in
   [RFC7836].  The resulting ExtKeyTree function can be defined as
   follows:

      ExtKeyTree(K, i) = KDF(KDF(KDF(K, "level1", ceil(i / W^2)),
                             "level2", ceil(i / W)), "level3", i),

   where i in {1, 2, ... , W^3}.

   A structure similar to the external tree-based mechanism can be
   found in Section 6 of [NISTSP800-108].

5.3.  Serial Constructions

   External serial re-keying mechanisms generate frame keys, each of
   which depends on a secret state (K*_1, K*_2, ..., see Figure 5) that
   is updated after the generation of each new frame key.  Similar
   approaches are used in the [SIGNAL] protocol, in the [TLSDraft]
   traffic key update mechanism, and were proposed for use in the [U2F]
   protocol.

   External serial re-keying mechanisms have the obvious disadvantage
   that they cannot be implemented in parallel, but they can be
   preferred when additional forward secrecy is desirable: if all keys
   are securely deleted after use, compromise of the current secret
   state at some point in time does not lead to a compromise of the
   previous secret states and frame keys.  In terms of [TLSDraft],
   compromise of application_traffic_secret_N does not compromise any
   previous application_traffic_secret_i, i < N.

   The main idea behind external re-keying with a serial construction is
   presented in Figure 5:

   Maximum message size = m_max.
   _____________________________________________________________
                                              m_max
                                         <---------------->
                                M^{1,1}  |===              |
                                M^{1,2}  |===============  |
   K*_1 = K --->K^1-->            ...          ...
      |                         M^{1,q_1}|========         |
      |
      |
      |                         M^{2,1}  |================ |
      v                         M^{2,2}  |=====            |
   K*_2 ------->K^2-->            ...          ...
      |                         M^{2,q_2}|==========       |
      |
     ...
      |                         M^{t,1}  |============     |
      v                         M^{t,2}  |=============    |
   K*_t ------->K^t-->            ...          ...
                                M^{t,q_t}|==========       |

   _____________________________________________________________

             Figure 5: External serial re-keying mechanisms

   The frame key K^i, i = 1, ... , t - 1, is updated after processing a
   certain amount of messages (see Section 5.1).

5.3.1.  Serial Construction Based on a KDF on a Block Cipher

   The frame key K^i is calculated using the ExtSerialC transformation
   as follows:

      K^i = ExtSerialC(K, i) =
         MSB_k(E_{K*_i}(Vec_n(0)) | E_{K*_i}(Vec_n(1)) | ... |
               E_{K*_i}(Vec_n(J - 1))),

   where J = ceil(k / n), i = 1, ... , t, and K*_i is calculated as
   follows:

      K*_1 = K,

      K*_{j+1} = MSB_k(E_{K*_j}(Vec_n(J)) | E_{K*_j}(Vec_n(J + 1)) |
                       ... | E_{K*_j}(Vec_n(2 * J - 1))),

   where j = 1, ... , t - 1.  The frame key and the next state are
   produced from disjoint counter ranges (0 ... J - 1 and J ... 2J - 1
   respectively), so no block of a state transition ever coincides
   with a block of a frame key.

5.3.2.  Serial Construction Based on a KDF on a Hash Function

   The frame key K^i is calculated using the ExtSerialH transformation
   as follows:

      K^i = ExtSerialH(K, i) = HKDF-Expand(K*_i, label1, k),

   where i = 1, ... , t, HKDF-Expand is the HMAC-based key derivation
   function described in [RFC5869], and K*_i is calculated as follows:

      K*_1 = K,

      K*_{j+1} = HKDF-Expand(K*_j, label2, k), where j = 1, ... , t - 1,

   where label1 and label2 are different strings from V* that are
   defined by a specific protocol (see, for example, the TLS 1.3
   traffic key update algorithm [TLSDraft]).

5.4.  Using Additional Entropy during Re-keying

   In many cases using additional entropy during re-keying does not
   increase security but may give a false sense of it; therefore one
   should rely on additional entropy only after conducting a thorough
   security analysis.  For example, good PRF constructions do not
   require additional entropy for the quality of the derived keys, so
   in most cases there is no need to use additional entropy with
   external re-keying mechanisms based on secure KDFs.
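   The external constructions of Sections 5.2 and 5.3 (ExtParallelC,
   ExtParallelH, ExtKeyTree, ExtSerialC and ExtSerialH), as an added
   runnable example that is not part of this draft.  It assumes n = 128,
   HMAC-SHA256 as the hash behind HKDF-Expand, a keyed-PRF stand-in for
   the block cipher E_K (the draft fixes no cipher; the stand-in is not a
   permutation, which these forward-only constructions do not need), and
   HKDF labels of the editor's own choosing; the tree example uses HKDF in
   place of the KDF_GOSTR3411_2012_256 function of the draft's example.

```python
import hashlib
import hmac
import math

HASH = hashlib.sha256
N_BYTES = 16  # block size n = 128 bits (assumption for the example)


def hkdf_expand(prk, info, length):
    """HKDF-Expand from RFC 5869 over HMAC-SHA256 (standard library only)."""
    hlen = HASH().digest_size
    if length > 255 * hlen:
        raise ValueError("HKDF-Expand: requested length too long")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def E(key, block):
    """Stand-in for the block cipher E_K (assumption, not from the draft):
    HMAC-SHA256 truncated to n bits.  It is a keyed PRF, not a real block
    cipher, and is used only so the example runs without third-party crypto."""
    assert len(block) == N_BYTES
    return hmac.new(key, block, HASH).digest()[:N_BYTES]


def vec_n(i):
    """Vec_n(i): the integer i encoded as an n-bit block."""
    return i.to_bytes(N_BYTES, "big")


def split_keys(stream, t, k_bytes):
    """Cut a t*k-bit string into the frame keys K^1 | ... | K^t."""
    return [stream[i * k_bytes:(i + 1) * k_bytes] for i in range(t)]


def ext_parallel_c(K, t, k_bytes):
    """ExtParallelC (5.2.1): MSB_{t*k}(E_K(Vec_n(0)) | ... | E_K(Vec_n(R-1))),
    R = ceil(t*k/n)."""
    R = math.ceil(t * k_bytes / N_BYTES)
    stream = b"".join(E(K, vec_n(r)) for r in range(R))[: t * k_bytes]
    return split_keys(stream, t, k_bytes)


def ext_parallel_h(K, t, k_bytes, label=b""):
    """ExtParallelH (5.2.2): HKDF-Expand(K, label, t*k), cut into t keys."""
    return split_keys(hkdf_expand(K, label, t * k_bytes), t, k_bytes)


def ext_serial_c(K, t, k_bytes):
    """ExtSerialC (5.3.1): frame key K^i from state K*_i with counters 0..J-1,
    next state K*_{i+1} from counters J..2J-1, J = ceil(k/n).  The disjoint
    counter ranges keep the frame key and the next state independent."""
    J = math.ceil(k_bytes / N_BYTES)
    frame_keys, state = [], K
    for _ in range(t):
        frame_keys.append(b"".join(E(state, vec_n(j)) for j in range(J))[:k_bytes])
        state = b"".join(E(state, vec_n(j)) for j in range(J, 2 * J))[:k_bytes]
    return frame_keys


def ext_serial_h(K, t, k_bytes, label1=b"frame key", label2=b"next state"):
    """ExtSerialH (5.3.2): K^i = HKDF-Expand(K*_i, label1, k) and
    K*_{i+1} = HKDF-Expand(K*_i, label2, k); label1 != label2 is required.
    The labels here are the editor's choice, not the draft's."""
    if label1 == label2:
        raise ValueError("label1 and label2 must differ")
    frame_keys, state = [], K
    for _ in range(t):
        frame_keys.append(hkdf_expand(state, label1, k_bytes))
        state = hkdf_expand(state, label2, k_bytes)
    return frame_keys


def ext_key_tree(K, i, widths, k_bytes):
    """ExtKeyTree (5.2.3) for a tree of height h = len(widths), widths = [W1..Wh].
    KDF_j(parent, idx) is HKDF-Expand(parent, "level<j>" | idx, k) here (an
    assumption); the index handed to level j is ceil(i / (W_{j+1} * ... * W_h)),
    which is i itself at the last level."""
    if not 1 <= i <= math.prod(widths):
        raise ValueError("frame index out of range")
    key = K
    for j in range(1, len(widths) + 1):
        idx = math.ceil(i / math.prod(widths[j:]))  # math.prod([]) == 1
        key = hkdf_expand(key, b"level%d" % j + idx.to_bytes(4, "big"), k_bytes)
    return key
```

   A caching implementation of ext_key_tree, as the draft recommends,
   would keep the level-j key and recompute it only when the level-j
   index changes between frame i-1 and frame i.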
   In some situations, however, mixed-in entropy can still increase
   security, namely in the case of a time-limited but complete breach of
   the system, when an adversary can access the frame key generation
   interface but cannot extract the master keys (e.g., when the master
   keys are stored in an HSM).

   For example, an external parallel construction based on a KDF on a
   hash function with mixed-in entropy can be described as follows:

      K^i = HKDF-Expand(K, label_i, k),

   where label_i is additional entropy that must be sent to the
   recipient (e.g., sent jointly with the encrypted message).  The
   entropy label_i and the corresponding key K^i must be generated
   directly before message processing.

6.  Internal Re-keying Mechanisms

   This section presents an approach to increasing the key lifetime by
   transforming the data processing key (section key) during the
   processing of each separate message.  Each message is processed
   starting with the same key (the first section key), and each section
   key is updated after processing N bits of the message (a section).

   This section provides the internal re-keying mechanisms called ACPKM
   (Advanced Cryptographic Prolongation of Key Material) and ACPKM-
   Master, which do not use and do use a master key, respectively.
   Such mechanisms are integrated into the base modes of operation and
   actually form new modes of operation; therefore they are called
   "internal re-keying" mechanisms in this document.

   Internal re-keying mechanisms are recommended for use in protocols
   that process large single messages (e.g., CMS messages), since the
   maximum gain in key lifetime is achieved by increasing the length of
   a message, while they provide almost no increase in the number of
   messages that can be processed with one initial key.

   Internal re-keying increases the key lifetime through the following
   approach.
   Suppose protocol P uses some base mode of operation.  Let L1 and L2
   be the side channel and combinatorial limitations, respectively, and
   for some fixed number of messages q let m1, m2 be the lengths of
   messages that can be safely processed with a single initial key K
   according to these limitations.

   Thus, by analogy with Section 5, without re-keying the final key
   lifetime restriction, as displayed in Figure 7, is equal to L1, and
   only q messages of length m1 can be safely processed.

        K
        |
        v
   ^    +----------------+------------------------------------+
   |    |==============L1|                                  L2|
   |    |================|                                    |
   q    |================|                                    |
   |    |================|                                    |
   |    |================|                                    |
   v    +----------------+------------------------------------+
        <-------m1------->
        <----------------------------m2----------------------->

     Figure 7: Basic principles of message processing without internal
                                 re-keying

   Suppose that the safety margin for the protocol P is fixed and the
   internal re-keying approach is applied to the base mode of operation.
   Suppose further that every message is processed with a section key,
   which is transformed after processing N bits of data, where N is a
   parameter.  If q * N does not exceed L1, then the side channel
   limitation L1 no longer applies, and the resulting key lifetime
   limitation of the initial key K can be calculated on the basis of a
   new combinatorial limitation L2'.  The security of the mode of
   operation that uses internal re-keying increases compared to the base
   mode of operation without re-keying (thus, L2 < L2').  Hence, as
   displayed in Figure 8, the resulting key lifetime limitation in the
   case of using internal re-keying can be increased up to L2'.

        K-----> K^1-------------> K^2 -----------> . . .
        |                |
        v                v
   ^    +----------------+----------------+-------------------+--...--+
   |    |==============L1|==============L1|======           L2|    L2'|
   |    |================|================|======             |       |
   q    |================|================|======   . . .     |       |
   |    |================|================|======             |       |
   |    |================|================|======             |       |
   v    +----------------+----------------+-------------------+--...--+
        <-------N-------->

      Figure 8: Basic principles of message processing with internal
                                re-keying

   Note: the key transformation process is depicted in a simplified
   form.  The specific approaches (the ACPKM and ACPKM-Master re-keying
   mechanisms) are described below.

   Since the performance of encryption can slightly decrease for rather
   small values of N, the parameter N should be selected for a
   particular protocol as large as possible while still providing the
   necessary key lifetime for the considered security models.

   Consider an example.  Suppose L1 = 128 MB and L2 = 10 TB.  Let the
   message size in the protocol be large/unlimited (it may exhaust the
   whole key lifetime L2).  The most restrictive resulting key lifetime
   limitation is then equal to 128 MB.

   Thus, there is a need to put a limit on the maximum message size
   m_max.  For example, if m_max = 32 MB, renegotiation of the initial
   key K may be required after processing only four messages.

   If an internal re-keying mechanism with section size N = 1 MB is
   used, more than L1 / N = 128 MB / 1 MB = 128 messages can be
   processed before the renegotiation of the initial key K (instead of
   4 messages in the case when an internal re-keying mechanism is not
   used).  Note that only one section of each message is processed with
   the section key K^i, and, consequently, the key lifetime limitation
   L1 no longer applies.
   Hence the resulting key lifetime limitation L2' can be set to more
   than 10 TB (in the case when a single large message is processed
   using the initial key K).

6.1.  Methods of Key Lifetime Control

   Suppose L is the amount of data that can be safely processed with one
   section key and N is the section size (a fixed parameter).  Suppose
   M^{i}_1 is the first section of message M^{i}, i = 1, ... , q (see
   Figure 9 and Figure 10); then the parameter q can be calculated in
   accordance with one of the following two approaches:

   o  Explicit approach:
      q is such that |M^{1}_1| + ... + |M^{q}_1| <= L and
      |M^{1}_1| + ... + |M^{q+1}_1| > L.
      This approach allows the section key K^i to be used in an almost
      optimal way, but it can be applied only when messages cannot be
      lost or reordered (e.g., TLS records).

   o  Implicit approach:
      q = L / N.
      The amount of data processed with one section key K^i is
      calculated under the assumption that the length of every message
      is equal to or greater than the section size N, so it can be
      considerably less than the key lifetime limitation L.  On the
      other hand, this approach can be applied when messages may be
      lost or reordered (e.g., DTLS records).

6.2.  Constructions that Do Not Require a Master Key

   This section describes the block cipher modes that use the ACPKM re-
   keying mechanism, which does not use a master key: the initial key
   is used directly for data encryption.

6.2.1.  ACPKM Re-keying Mechanisms

   This section defines periodical key transformation without a master
   key, which is called the ACPKM re-keying mechanism.  This mechanism
   can be applied to one of the base encryption modes (the CTR and GCM
   block cipher modes) to obtain an extension of that encryption mode
   that uses periodical key transformation without a master key.  This
   extension can be considered as a new encryption mode.
   An additional parameter that defines the functioning of base
   encryption modes with the ACPKM re-keying mechanism is the section
   size N.  The value of N is measured in bits and is fixed within a
   specific protocol based on the requirements of the system capacity
   and the key lifetime.  The section size N MUST be divisible by the
   block size n.

   The main idea behind internal re-keying without a master key is
   presented in Figure 9:

   Section size = const = N,
   maximum message size = m_max.
   ____________________________________________________________________

         ACPKM          ACPKM               ACPKM
   K^1 = K ---> K^2 ---...-> K^{l_max-1} ----> K^{l_max}
      |            |              |                |
      |            |              |                |
      v            v              v                v
   M^{1} |==========|==========| ... |==========|=======:  |
   M^{2} |==========|==========| ... |===       |       :  |
     .        .          .              .         .     :
     :        :          :              :         :     :  :
   M^{q} |==========|==========| ... |==========|=====  :  |
          section                                       :
         <---------->                                 m_max
            N bit
   ___________________________________________________________________
   l_max = ceil(m_max/N).

              Figure 9: Internal re-keying without a master key

   During the processing of an input message M of length m in some
   encryption mode that uses the ACPKM key transformation of the initial
   key K, the message is divided into l = ceil(m / N) sections (denoted
   as M = M_1 | M_2 | ... | M_l, where M_i is in V_N for i in {1, 2,
   ... , l - 1} and M_l is in V_r, r <= N).  The first section of each
   message is processed with the section key K^1 = K.  To process the
   (i + 1)-th section of each message, the section key K^{i+1} is
   calculated using the ACPKM transformation as follows:

      K^{i+1} = ACPKM(K^i) = MSB_k(E_{K^i}(D_1) | ... | E_{K^i}(D_J)),

   where J = ceil(k/n) and D_1, D_2, ... , D_J are in V_n and are
   calculated as follows:

      D_1 | D_2 | ... | D_J = MSB_{J * n}(D),

   where D is the following constant in V_{1024}:

      D = ( 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87
          | 88 | 89 | 8a | 8b | 8c | 8d | 8e | 8f
          | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97
          | 98 | 99 | 9a | 9b | 9c | 9d | 9e | 9f
          | a0 | a1 | a2 | a3 | a4 | a5 | a6 | a7
          | a8 | a9 | aa | ab | ac | ad | ae | af
          | b0 | b1 | b2 | b3 | b4 | b5 | b6 | b7
          | b8 | b9 | ba | bb | bc | bd | be | bf
          | c0 | c1 | c2 | c3 | c4 | c5 | c6 | c7
          | c8 | c9 | ca | cb | cc | cd | ce | cf
          | d0 | d1 | d2 | d3 | d4 | d5 | d6 | d7
          | d8 | d9 | da | db | dc | dd | de | df
          | e0 | e1 | e2 | e3 | e4 | e5 | e6 | e7
          | e8 | e9 | ea | eb | ec | ed | ee | ef
          | f0 | f1 | f2 | f3 | f4 | f5 | f6 | f7
          | f8 | f9 | fa | fb | fc | fd | fe | ff )

   N o t e : The constant D is such that D_1, ... , D_J are pairwise
   different for any allowed n and k values.

   N o t e : The highest bit of each octet of the constant D is equal to
   1.  This condition is important, as in conjunction with a certain
   mode message length limitation it allows collisions of block cipher
   permutation inputs between key transformation and message processing
   to be prevented (for more details see Section 4.4 of [AAOS2017]).
   For CTR-ACPKM this is why m_max is n * 2^{c-1} rather than n * 2^c:
   with c a multiple of 8 and at most 2^{c-1} blocks per message, the
   most significant bit of the c-bit counter part, which is the highest
   bit of an octet, stays 0, so no counter block can coincide with any
   D_j.

6.2.2.  CTR-ACPKM Encryption Mode

   This section defines the CTR-ACPKM encryption mode, which uses the
   ACPKM internal re-keying mechanism for periodical key transformation.

   The CTR-ACPKM mode can be considered as the base encryption mode CTR
   (see [MODES]) extended by the ACPKM re-keying mechanism.

   The CTR-ACPKM encryption mode can be used with the following
   parameters:

   o  64 <= n <= 512;

   o  128 <= k <= 512;

   o  the number c of bits in the specific part of the block to be
      incremented is such that 32 <= c <= 3/4 n, and c is a multiple
      of 8;

   o  the maximum message size m_max = n * 2^{c-1}.
   The CTR-ACPKM mode encryption and decryption procedures are defined
   as follows:

   +----------------------------------------------------------------+
   |  CTR-ACPKM-Encrypt(N, K, ICN, P)                               |
   |----------------------------------------------------------------|
   |  Input:                                                        |
   |   - section size N,                                            |
   |   - initial key K,                                             |
   |   - initial counter nonce ICN in V_{n-c},                      |
   |   - plaintext P = P_1 | ... | P_b, |P| <= m_max.               |
   |  Output:                                                       |
   |   - ciphertext C.                                              |
   |----------------------------------------------------------------|
   |  1. CTR_1 = ICN | 0^c                                          |
   |  2. For j = 2, 3, ... , b do                                   |
   |        CTR_{j} = Inc_c(CTR_{j-1})                              |
   |  3. K^1 = K                                                    |
   |  4. For i = 2, 3, ... , ceil(|P| / N)                          |
   |        K^i = ACPKM(K^{i-1})                                    |
   |  5. For j = 1, 2, ... , b do                                   |
   |        i = ceil(j * n / N),                                    |
   |        G_j = E_{K^i}(CTR_j)                                    |
   |  6. C = P (xor) MSB_{|P|}(G_1 | ... | G_b)                     |
   |  7. Return C                                                   |
   +----------------------------------------------------------------+

   +----------------------------------------------------------------+
   |  CTR-ACPKM-Decrypt(N, K, ICN, C)                               |
   |----------------------------------------------------------------|
   |  Input:                                                        |
   |   - section size N,                                            |
   |   - initial key K,                                             |
   |   - initial counter nonce ICN in V_{n-c},                      |
   |   - ciphertext C = C_1 | ... | C_b, |C| <= m_max.              |
   |  Output:                                                       |
   |   - plaintext P.                                               |
   |----------------------------------------------------------------|
   |  1. P = CTR-ACPKM-Encrypt(N, K, ICN, C)                        |
   |  2. Return P                                                   |
   +----------------------------------------------------------------+

   The initial counter nonce ICN value for each message that is
   encrypted under the given initial key K must be chosen in a unique
   manner.

6.2.3.  GCM-ACPKM Authenticated Encryption Mode

   This section defines the GCM-ACPKM authenticated encryption mode,
   which uses the ACPKM internal re-keying mechanism for periodical key
   transformation.
   The GCM-ACPKM mode can be considered as the base authenticated
   encryption mode GCM (see [GCM]) extended by the ACPKM re-keying
   mechanism.

   The GCM-ACPKM authenticated encryption mode can be used with the
   following parameters:

   o  n in {128, 256};

   o  128 <= k <= 512;

   o  the number c of bits in the specific part of the block to be
      incremented is such that 1/4 n <= c <= 1/2 n, and c is a multiple
      of 8;

   o  authentication tag length t;

   o  the maximum message size m_max = min{n * (2^{c-1} - 2),
      2^{n/2} - 1}.

   The GCM-ACPKM mode encryption and decryption procedures are defined
   as follows:

   +-------------------------------------------------------------------+
   |  GHASH(X, H)                                                      |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |   - bit string X = X_1 | ... | X_m, X_1, ... , X_m in V_n.         |
   |  Output:                                                          |
   |   - block GHASH(X, H) in V_n.                                     |
   |-------------------------------------------------------------------|
   |  1. Y_0 = 0^n                                                     |
   |  2. For i = 1, ... , m do                                         |
   |        Y_i = (Y_{i-1} (xor) X_i) * H                              |
   |  3. Return Y_m                                                    |
   +-------------------------------------------------------------------+

   +-------------------------------------------------------------------+
   |  GCTR(N, K, ICB, X)                                               |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |   - section size N,                                               |
   |   - initial key K,                                                |
   |   - initial counter block ICB,                                    |
   |   - X = X_1 | ... | X_b.                                          |
   |  Output:                                                          |
   |   - Y in V_{|X|}.                                                 |
   |-------------------------------------------------------------------|
   |  1. If X in V_0 then return Y, where Y in V_0                     |
   |  2. GCTR_1 = ICB                                                  |
   |  3. For i = 2, ... , b do                                         |
   |        GCTR_i = Inc_c(GCTR_{i-1})                                 |
   |  4. K^1 = K                                                       |
   |  5. For j = 2, ... , ceil(|X| / N)                                |
   |        K^j = ACPKM(K^{j-1})                                       |
   |  6. For i = 1, ... , b do                                         |
   |        j = ceil(i * n / N),                                       |
   |        G_i = E_{K^j}(GCTR_i)                                      |
   |  7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b)                        |
   |  8. Return Y                                                      |
   +-------------------------------------------------------------------+

   +-------------------------------------------------------------------+
   |  GCM-ACPKM-Encrypt(N, K, ICN, P, A)                               |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |   - section size N,                                               |
   |   - initial key K,                                                |
   |   - initial counter nonce ICN in V_{n-c},                         |
   |   - plaintext P = P_1 | ... | P_b, |P| <= m_max,                  |
   |   - additional authenticated data A.                              |
   |  Output:                                                          |
   |   - ciphertext C,                                                 |
   |   - authentication tag T.                                         |
   |-------------------------------------------------------------------|
   |  1. H = E_{K}(0^n)                                                |
   |  2. ICB_0 = ICN | 0^{c-1} | 1                                     |
   |  3. C = GCTR(N, K, Inc_c(ICB_0), P)                               |
   |  4. u = n * ceil(|C| / n) - |C|                                   |
   |     v = n * ceil(|A| / n) - |A|                                   |
   |  5. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) |                |
   |               | Vec_{n/2}(|C|), H)                                |
   |  6. T = MSB_t(E_{K}(ICB_0) (xor) S)                               |
   |  7. Return C | T                                                  |
   +-------------------------------------------------------------------+

   +-------------------------------------------------------------------+
   |  GCM-ACPKM-Decrypt(N, K, ICN, A, C, T)                            |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |   - section size N,                                               |
   |   - initial key K,                                                |
   |   - initial counter nonce ICN in V_{n-c},                         |
   |   - additional authenticated data A,                              |
   |   - ciphertext C = C_1 | ... | C_b, |C| <= m_max,                 |
   |   - authentication tag T.                                         |
   |  Output:                                                          |
   |   - plaintext P or FAIL.                                          |
   |-------------------------------------------------------------------|
   |  1. H = E_{K}(0^n)                                                |
   |  2. ICB_0 = ICN | 0^{c-1} | 1                                     |
   |  3. P = GCTR(N, K, Inc_c(ICB_0), C)                               |
   |  4. u = n * ceil(|C| / n) - |C|                                   |
   |     v = n * ceil(|A| / n) - |A|                                   |
   |  5. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) |                |
   |               | Vec_{n/2}(|C|), H)                                |
   |  6. T' = MSB_t(E_{K}(ICB_0) (xor) S)                              |
   |  7. If T = T' then return P; else return FAIL                     |
   +-------------------------------------------------------------------+

   The * operation on (pairs of) the 2^n possible blocks corresponds to
   the multiplication operation in the binary Galois (finite) field of
   2^n elements defined by the polynomial f as follows (by analogy with
   [GCM]):

      n = 128: f = a^128 + a^7 + a^2 + a^1 + 1,

      n = 256: f = a^256 + a^10 + a^5 + a^2 + 1.

   The initial counter nonce ICN value for each message that is
   encrypted under the given initial key K must be chosen in a unique
   manner.

   The key used for computing the values E_{K}(ICB_0) and H is not
   updated and is equal to the initial key K; only the GCTR keystream
   is produced under the section keys K^1, K^2, ....  An implementation
   of GCM-ACPKM-Decrypt should compare T and T' with a constant-time
   comparison and release no plaintext on FAIL.

6.3.  Constructions that Require a Master Key

   This section describes the block cipher modes that use the ACPKM-
   Master re-keying mechanism, which uses the initial key K as a master
   key, so K is never used directly for data processing but only for
   key derivation.

6.3.1.  ACPKM-Master Key Derivation from the Master Key

   This section defines periodical key transformation with a master
   key, which is called the ACPKM-Master re-keying mechanism.  This
   mechanism can be applied to one of the base modes of operation (the
   CTR, GCM, CBC, CFB and OMAC modes) to obtain an extension that uses
   periodical key transformation with a master key.  This extension can
   be considered as a new mode of operation.

   Additional parameters that define the functioning of modes of
   operation that use the ACPKM-Master re-keying mechanism are the
   section size N, the change frequency T* of the master keys K*_1,
   K*_2, ... (see Figure 10) and the size d of the section key material.
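   The ACPKM transformation of Section 6.2.1 together with the CTR-ACPKM
   mode of Section 6.2.2 and the GCM-ACPKM mode of Section 6.2.3, as an
   added runnable example that is not part of this draft.  It assumes
   n = 128, k = 256, c = 32 (inside both modes' allowed ranges), t = 128,
   and a keyed-PRF stand-in for the block cipher E_K (the draft fixes no
   cipher; CTR and GCM call E only in the forward direction, so a PRF
   suffices to run the example, but it is not a real cipher).  The GHASH
   field arithmetic follows [GCM] for n = 128.

```python
import hashlib
import hmac
import math

N_BYTES, K_BYTES = 16, 32      # n = 128, k = 256 (assumptions for the example)
C_BITS = 32                    # c = 32 is allowed for CTR-ACPKM and for GCM-ACPKM
C_BYTES, TAG_BYTES = C_BITS // 8, 16
D = bytes(range(0x80, 0x100))  # the 1024-bit constant D of 6.2.1; top bit of every octet set

def E(key, block):
    """Stand-in for E_K (assumption, not from the draft): HMAC-SHA256 truncated to
    n bits.  A keyed PRF, not a real block cipher; never used in the inverse direction."""
    return hmac.new(key, block, hashlib.sha256).digest()[:N_BYTES]

def acpkm(key):
    """ACPKM(K^i) = MSB_k(E_{K^i}(D_1) | ... | E_{K^i}(D_J)), J = ceil(k/n)."""
    J = math.ceil(K_BYTES / N_BYTES)
    return b"".join(E(key, D[j * N_BYTES:(j + 1) * N_BYTES]) for j in range(J))[:K_BYTES]

def inc_c(ctr):
    """Inc_c: add 1 mod 2^c to the low c bits; the (n-c)-bit nonce part stays fixed."""
    cnt = (int.from_bytes(ctr[-C_BYTES:], "big") + 1) % (1 << C_BITS)
    return ctr[:-C_BYTES] + cnt.to_bytes(C_BYTES, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def gctr(N, K, icb, X):
    """GCTR of 6.2.3 (and steps 1-6 of CTR-ACPKM-Encrypt): gamma block j is
    E_{K^i}(CTR_j) with i = ceil(j*n/N).  K^{i+1} = ACPKM(K^i) is computed only
    when block j opens a new section, so the key steps exactly once per N bits.
    N is the section size in bytes and must be a multiple of n."""
    if N % N_BYTES:
        raise ValueError("section size N must be a multiple of the block size n")
    out, ctr, key, section = bytearray(), icb, K, 1
    for j in range(1, math.ceil(len(X) / N_BYTES) + 1):
        while section < math.ceil(j * N_BYTES / N):
            key, section = acpkm(key), section + 1
        out += xor(X[(j - 1) * N_BYTES:j * N_BYTES], E(key, ctr))
        ctr = inc_c(ctr)
    return bytes(out)

def ctr_acpkm_encrypt(N, K, icn, P):
    """CTR-ACPKM-Encrypt (6.2.2): CTR_1 = ICN | 0^c.  Decryption is the same call."""
    if len(icn) != N_BYTES - C_BYTES:
        raise ValueError("ICN must be n-c bits long")
    if 8 * len(P) > 8 * N_BYTES * (1 << (C_BITS - 1)):    # m_max = n * 2^{c-1}
        raise ValueError("message exceeds m_max")
    return gctr(N, K, icn + bytes(C_BYTES), P)

def gf_mul(x, y):
    """Multiplication in GF(2^128) modulo a^128 + a^7 + a^2 + a + 1 with the bit
    order of [GCM]: the leftmost bit of a block is the coefficient of a^0."""
    R, z, v = 0xE1 << 120, 0, x
    for bit in range(127, -1, -1):
        if (y >> bit) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash(X, H):
    """GHASH(X, H): Y_i = (Y_{i-1} xor X_i) * H over the n-bit blocks of X."""
    h, y = int.from_bytes(H, "big"), 0
    for i in range(0, len(X), N_BYTES):
        y = gf_mul(y ^ int.from_bytes(X[i:i + N_BYTES], "big"), h)
    return y.to_bytes(N_BYTES, "big")

def _tag(K, icb0, A, C):
    """S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) | Vec_{n/2}(|C|), H) and
    T = MSB_t(E_K(ICB_0) xor S).  H and E_K(ICB_0) use the initial key K only."""
    pad = lambda s: s + bytes(-len(s) % N_BYTES)
    lens = (8 * len(A)).to_bytes(N_BYTES // 2, "big") + (8 * len(C)).to_bytes(N_BYTES // 2, "big")
    S = ghash(pad(A) + pad(C) + lens, E(K, bytes(N_BYTES)))
    return xor(E(K, icb0), S)[:TAG_BYTES]

def gcm_acpkm_encrypt(N, K, icn, P, A):
    """GCM-ACPKM-Encrypt (6.2.3): ICB_0 = ICN | 0^{c-1} | 1; only the GCTR gamma
    runs under the section keys K^1, K^2, ...; the tag side stays under K."""
    m_max = min(8 * N_BYTES * ((1 << (C_BITS - 1)) - 2), (1 << (4 * N_BYTES)) - 1)
    if 8 * len(P) > m_max:
        raise ValueError("message exceeds m_max")
    icb0 = icn + bytes(C_BYTES - 1) + b"\x01"
    C = gctr(N, K, inc_c(icb0), P)
    return C, _tag(K, icb0, A, C)

def gcm_acpkm_decrypt(N, K, icn, A, C, T):
    """GCM-ACPKM-Decrypt: verify the tag in constant time before producing any
    plaintext; returns None on FAIL."""
    icb0 = icn + bytes(C_BYTES - 1) + b"\x01"
    if not hmac.compare_digest(T, _tag(K, icb0, A, C)):
        return None
    return gctr(N, K, inc_c(icb0), C)
```

   With a section size of two blocks (N = 32 bytes here) the first two
   gamma blocks of ctr_acpkm_encrypt are identical to plain CTR under K,
   and every later block is produced under ACPKM(K), ACPKM(ACPKM(K)),
   and so on; comparing against a run with a very large N shows exactly
   where the key steps.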
   The values of the section size N and the master key frequency T* are
   measured in bits and are fixed within a specific protocol, based on
   the requirements of the system capacity and the key lifetime.  The
   section size N MUST be divisible by the block size n.  The master
   key frequency T* MUST be divisible by d and by n.

   The main idea behind internal re-keying with a master key is
   presented in Figure 10:

   Master key frequency T*,
   section size N,
   maximum message size = m_max.
   __________________________________________________________________________________

              ACPKM                      ACPKM
   K*_1 = K--------------> K*_2 ---------...---------> K*_l_max
    ___|___                ___|___                     ___|___
   |       |              |       |                   |       |
   v  ...  v              v  ...  v                   v  ...  v
   K[1]   K[t]           K[t+1]   K[2t]        K[(l_max-1)t+1]  K[l_max*t]
   |       |              |       |                   |       |
   |       |              |       |                   |       |
   v       v              v       v                   v       v
   M^{1}||========|...|========||========|...|========||...||========|...|==    : ||
   M^{2}||========|...|========||========|...|========||...||========|...|======: ||
    ... ||        |   |        ||        |   |        ||   ||        |   |      : ||
   M^{q}||========|...|========||====    |...|        ||...||        |...|      : ||
          section                                                               :
         <-------->                                                             :
           N bit                                                              m_max
   __________________________________________________________________________________
   |K[i]| = d,
   t = T* / d,
   l_max = ceil(m_max / (N * t)).

                  Figure 10: Internal re-keying with a master key

   During the processing of an input message M of length m in some mode
   of operation that uses the ACPKM-Master key transformation with the
   initial key K and the master key frequency T*, the message M is
   divided into l = ceil(m / N) sections (denoted as M = M_1 | M_2 |
   ... | M_l, where M_i is in V_N for i in {1, 2, ... , l - 1} and M_l
   is in V_r, r <= N).  The j-th section of each message is processed
   with the key material K[j], j in {1, ... , l}, |K[j]| = d, which is
   calculated with the ACPKM-Master algorithm as follows:

      K[1] | ... | K[l] = ACPKM-Master(T*, K, d, l) =
         CTR-ACPKM-Encrypt(T*, K, 1^{n/2}, 0^{d*l}).

   Note: the parameters d and l MUST be such that d * l <= n *
   2^{n/2-1}.

   Note: the initial counter nonce 1^{n/2} is n/2 bits long, so inside
   this derivation the incremented part of the counter block is c = n/2
   bits wide, independently of the value of c used by the mode that
   processes the data.

6.3.2.  CTR-ACPKM-Master Encryption Mode

   This section defines the CTR-ACPKM-Master encryption mode, which uses
   the ACPKM-Master internal re-keying mechanism for periodical key
   transformation.

   The CTR-ACPKM-Master encryption mode can be considered as the base
   encryption mode CTR (see [MODES]) extended by the ACPKM-Master re-
   keying mechanism.

   The CTR-ACPKM-Master encryption mode can be used with the following
   parameters:

   o  64 <= n <= 512;

   o  128 <= k <= 512;

   o  the number c of bits in the specific part of the block to be
      incremented is such that 32 <= c <= 3/4 n, and c is a multiple
      of 8;

   o  the maximum message size m_max = min{N * (n * 2^{n/2-1} / k),
      n * 2^c}.

   The key material K[j] that is used for processing one section is
   equal to K^j, |K^j| = k bits.

   The CTR-ACPKM-Master mode encryption and decryption procedures are
   defined as follows:

   +----------------------------------------------------------------+
   |  CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, P)                    |
   |----------------------------------------------------------------|
   |  Input:                                                        |
   |   - section size N,                                            |
   |   - initial key K,                                             |
   |   - master key frequency T*,                                   |
   |   - initial counter nonce ICN in V_{n-c},                      |
   |   - plaintext P = P_1 | ... | P_b, |P| <= m_max.               |
   |  Output:                                                       |
   |   - ciphertext C.                                              |
   |----------------------------------------------------------------|
   |  1. CTR_1 = ICN | 0^c                                          |
   |  2. For j = 2, 3, ... , b do                                   |
   |        CTR_{j} = Inc_c(CTR_{j-1})                              |
   |  3. l = ceil(|P| / N)                                          |
   |  4. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l)                |
   |  5. For j = 1, 2, ... , b do                                   |
   |        i = ceil(j * n / N),                                    |
   |        G_j = E_{K^i}(CTR_j)                                    |
   |  6. C = P (xor) MSB_{|P|}(G_1 | ... | G_b)                     |
   |  7. Return C                                                   |
   +----------------------------------------------------------------+

   +----------------------------------------------------------------+
   |  CTR-ACPKM-Master-Decrypt(N, K, T*, ICN, C)                    |
   |----------------------------------------------------------------|
   |  Input:                                                        |
   |   - section size N,                                            |
   |   - initial key K,                                             |
   |   - master key frequency T*,                                   |
   |   - initial counter nonce ICN in V_{n-c},                      |
   |   - ciphertext C = C_1 | ... | C_b, |C| <= m_max.              |
   |  Output:                                                       |
   |   - plaintext P.                                               |
   |----------------------------------------------------------------|
   |  1. P = CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, C)             |
   |  2. Return P                                                   |
   +----------------------------------------------------------------+

   The initial counter nonce ICN value for each message that is
   encrypted under the given initial key must be chosen in a unique
   manner.

6.3.3.  GCM-ACPKM-Master Authenticated Encryption Mode

   This section defines the GCM-ACPKM-Master authenticated encryption
   mode, which uses the ACPKM-Master internal re-keying mechanism for
   periodical key transformation.

   The GCM-ACPKM-Master authenticated encryption mode can be considered
   as the base authenticated encryption mode GCM (see [GCM]) extended by
   the ACPKM-Master re-keying mechanism.

   The GCM-ACPKM-Master authenticated encryption mode can be used with
   the following parameters:

   o  n in {128, 256};

   o  128 <= k <= 512;

   o  the number c of bits in the specific part of the block to be
      incremented is such that 1/4 n <= c <= 1/2 n, and c is a multiple
      of 8;

   o  authentication tag length t;

   o  the maximum message size m_max = min{N * (n * 2^{n/2-1} / k),
      n * (2^c - 2), 2^{n/2} - 1}.

   The key material K[j] that is used for processing the j-th section
   is equal to K^j, |K^j| = k bits.
   The GCM-ACPKM-Master mode encryption and decryption procedures are
   defined as follows:

   +-------------------------------------------------------------------+
   |  GHASH(X, H)                                                      |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |   - bit string X = X_1 | ... | X_m, X_i in V_n for i in {1, ... ,m}|
   |  Output:                                                          |
   |   - block GHASH(X, H) in V_n                                      |
   |-------------------------------------------------------------------|
   |  1. Y_0 = 0^n                                                     |
   |  2. For i = 1, ... , m do                                         |
   |        Y_i = (Y_{i-1} (xor) X_i) * H                              |
   |  3. Return Y_m                                                    |
   +-------------------------------------------------------------------+

   +-------------------------------------------------------------------+
   |  GCTR(N, K, T*, ICB, X)                                           |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |   - section size N,                                               |
   |   - initial key K,                                                |
   |   - master key frequency T*,                                      |
   |   - initial counter block ICB,                                    |
   |   - X = X_1 | ... | X_b.                                          |
   |  Output:                                                          |
   |   - Y in V_{|X|}.                                                 |
   |-------------------------------------------------------------------|
   |  1. If X in V_0 then return Y, where Y in V_0                     |
   |  2. GCTR_1 = ICB                                                  |
   |  3. For i = 2, ... , b do                                         |
   |        GCTR_i = Inc_c(GCTR_{i-1})                                 |
   |  4. l = ceil(|X| / N)                                             |
   |  5. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l)                   |
   |  6. For j = 1, ... , b do                                         |
   |        i = ceil(j * n / N),                                       |
   |        G_j = E_{K^i}(GCTR_j)                                      |
   |  7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b)                        |
   |  8. Return Y                                                      |
   +-------------------------------------------------------------------+

   +-------------------------------------------------------------------+
   |  GCM-ACPKM-Master-Encrypt(N, K, T*, ICN, P, A)                    |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |   - section size N,                                               |
   |   - initial key K,                                                |
   |   - master key frequency T*,                                      |
   |   - initial counter nonce ICN in V_{n-c},                         |
   |   - plaintext P = P_1 | ... | P_b, |P| <= m_max,                  |
   |   - additional authenticated data A.                              |
   |  Output:                                                          |
   |   - ciphertext C,                                                 |
   |   - authentication tag T.                                         |
   |-------------------------------------------------------------------|
   |  1. K^1 = ACPKM-Master(T*, K, k, 1)                               |
   |  2. H = E_{K^1}(0^n)                                              |
   |  3. ICB_0 = ICN | 0^{c-1} | 1                                     |
   |  4. C = GCTR(N, K, T*, Inc_c(ICB_0), P)                           |
   |  5. u = n * ceil(|C| / n) - |C|                                   |
   |     v = n * ceil(|A| / n) - |A|                                   |
   |  6. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) |                |
   |               | Vec_{n/2}(|C|), H)                                |
   |  7. T = MSB_t(E_{K^1}(ICB_0) (xor) S)                             |
   |  8. Return C | T                                                  |
   +-------------------------------------------------------------------+

   +-------------------------------------------------------------------+
   |  GCM-ACPKM-Master-Decrypt(N, K, T*, ICN, A, C, T)                 |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |   - section size N,                                               |
   |   - initial key K,                                                |
   |   - master key frequency T*,                                      |
   |   - initial counter nonce ICN in V_{n-c},                         |
   |   - additional authenticated data A,                              |
   |   - ciphertext C = C_1 | ... | C_b, |C| <= m_max,                 |
   |   - authentication tag T.                                         |
   |  Output:                                                          |
   |   - plaintext P or FAIL.                                          |
   |-------------------------------------------------------------------|
   |  1. K^1 = ACPKM-Master(T*, K, k, 1)                               |
   |  2. H = E_{K^1}(0^n)                                              |
   |  3. ICB_0 = ICN | 0^{c-1} | 1                                     |
   |  4. P = GCTR(N, K, T*, Inc_c(ICB_0), C)                           |
   |  5. u = n * ceil(|C| / n) - |C|                                   |
   |     v = n * ceil(|A| / n) - |A|                                   |
   |  6. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) |                |
   |               | Vec_{n/2}(|C|), H)                                |
   |  7. T' = MSB_t(E_{K^1}(ICB_0) (xor) S)                            |
   |  8. If T = T' then return P; else return FAIL.                    |
   +-------------------------------------------------------------------+

   The * operation on (pairs of) the 2^n possible blocks corresponds to
   the multiplication operation in the binary Galois (finite) field of
   2^n elements defined by the polynomial f as follows (by analogy with
   [GCM]):

      n = 128: f = a^128 + a^7 + a^2 + a^1 + 1,

      n = 256: f = a^256 + a^10 + a^5 + a^2 + 1.

   The initial counter nonce ICN value for each message that is
   encrypted under the given initial key must be chosen in a unique
   manner.

   Unlike GCM-ACPKM, where H and E(ICB_0) are computed under the initial
   key K, here they are computed under the first section key K^1 =
   ACPKM-Master(T*, K, k, 1): the initial key K is used only as input to
   the key derivation and never processes a data or counter block of
   the message itself.

6.3.4.  CBC-ACPKM-Master Encryption Mode

   This section defines the CBC-ACPKM-Master encryption mode, which uses
   the ACPKM-Master internal re-keying mechanism for periodical key
   transformation.

   The CBC-ACPKM-Master encryption mode can be considered as the base
   encryption mode CBC (see [MODES]) extended by the ACPKM-Master re-
   keying mechanism.

   The CBC-ACPKM-Master encryption mode can be used with the following
   parameters:

   o  64 <= n <= 512;

   o  128 <= k <= 512;

   o  the maximum message size m_max = N * (n * 2^{n/2-1} / k).

   In the specification of the CBC-ACPKM-Master mode the plaintext and
   ciphertext must be a sequence of one or more complete data blocks.
   If the data string to be encrypted does not initially satisfy this
   property, then it MUST be padded to form complete data blocks.  The
   padding methods are out of the scope of this document.  An example
   of a padding method can be found in Appendix A of [MODES].

   The key material K[j] that is used for processing the j-th section
   is equal to K^j, |K^j| = k bits.
1564 We will denote by D_{K} the decryption function which is a 1565 permutation inverse to E_{K}. 1567 The CBC-ACPKM-Master mode encryption and decryption procedures are 1568 defined as follows: 1570 +----------------------------------------------------------------+ 1571 | CBC-ACPKM-Master-Encrypt(N, K, T*, IV, P) | 1572 |----------------------------------------------------------------| 1573 | Input: | 1574 | - section size N, | 1575 | - initial key K, | 1576 | - master key frequency T*, | 1577 | - initialization vector IV in V_n, | 1578 | - plaintext P = P_1 | ... | P_b, |P_b| = n, |P| <= m_max. | 1579 | Output: | 1580 | - ciphertext C. | 1581 |----------------------------------------------------------------| 1582 | 1. l = ceil(|P| / N) | 1583 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1584 | 3. C_0 = IV | 1585 | 4. For j = 1, 2, ... , b do | 1586 | i = ceil(j * n / N), | 1587 | C_j = E_{K^i}(P_j (xor) C_{j-1}) | 1588 | 5. Return C = C_1 | ... | C_b | 1589 |----------------------------------------------------------------+ 1591 +----------------------------------------------------------------+ 1592 | CBC-ACPKM-Master-Decrypt(N, K, T*, IV, C) | 1593 |----------------------------------------------------------------| 1594 | Input: | 1595 | - section size N, | 1596 | - initial key K, | 1597 | - master key frequency T*, | 1598 | - initialization vector IV in V_n, | 1599 | - ciphertext C = C_1 | ... | C_b, |C_b| = n, |C| <= m_max. | 1600 | Output: | 1601 | - plaintext P. | 1602 |----------------------------------------------------------------| 1603 | 1. l = ceil(|C| / N) | 1604 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1605 | 3. C_0 = IV | 1606 | 4. For j = 1, 2, ... , b do | 1607 | i = ceil(j * n / N) | 1608 | P_j = D_{K^i}(C_j) (xor) C_{j-1} | 1609 | 5. Return P = P_1 | ... 
| P_b | 1610 +----------------------------------------------------------------+ 1612 The initialization vector IV for any particular execution of the 1613 encryption process must be unpredictable. 1615 6.3.5. CFB-ACPKM-Master Encryption Mode 1617 This section defines a CFB-ACPKM-Master encryption mode that uses the 1618 ACPKM-Master internal re-keying mechanism for the periodical key 1619 transformation. 1621 The CFB-ACPKM-Master encryption mode can be considered as the base 1622 encryption mode CFB (see [MODES]) extended by the ACPKM-Master re- 1623 keying mechanism. 1625 The CFB-ACPKM-Master encryption mode can be used with the following 1626 parameters: 1628 o 64 <= n <= 512; 1630 o 128 <= k <= 512; 1632 o the maximum message size m_max = N * (n * 2^{n/2-1} / k). 1634 The key material K[j] that is used for the j-th section processing is 1635 equal to K^j, |K^j| = k bits. 1637 The CFB-ACPKM-Master mode encryption and decryption procedures are 1638 defined as follows: 1640 +-------------------------------------------------------------+ 1641 | CFB-ACPKM-Master-Encrypt(N, K, T*, IV, P) | 1642 |-------------------------------------------------------------| 1643 | Input: | 1644 | - section size N, | 1645 | - initial key K, | 1646 | - master key frequency T*, | 1647 | - initialization vector IV in V_n, | 1648 | - plaintext P = P_1 | ... | P_b, |P| <= m_max. | 1649 | Output: | 1650 | - ciphertext C. | 1651 |-------------------------------------------------------------| 1652 | 1. l = ceil(|P| / N) | 1653 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1654 | 3. C_0 = IV | 1655 | 4. For j = 1, 2, ... , b - 1 do | 1656 | i = ceil(j * n / N), | 1657 | C_j = E_{K^i}(C_{j-1}) (xor) P_j | 1658 | 5. C_b = MSB_{|P_b|}(E_{K^l}(C_{b-1})) (xor) P_b | 1659 | 6. Return C = C_1 | ... 
| C_b | 1660 |-------------------------------------------------------------+ 1662 +-------------------------------------------------------------+ 1663 | CFB-ACPKM-Master-Decrypt(N, K, T*, IV, C) | 1664 |-------------------------------------------------------------| 1665 | Input: | 1666 | - section size N, | 1667 | - initial key K, | 1668 | - master key frequency T*, | 1669 | - initialization vector IV in V_n, | 1670 | - ciphertext C = C_1 | ... | C_b, |C| <= m_max. | 1671 | Output: | 1672 | - plaintext P. | 1673 |-------------------------------------------------------------| 1674 | 1. l = ceil(|C| / N) | 1675 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1676 | 3. C_0 = IV | 1677 | 4. For j = 1, 2, ... , b - 1 do | 1678 | i = ceil(j * n / N), | 1679 | P_j = E_{K^i}(C_{j-1}) (xor) C_j | 1680 | 5. P_b = MSB_{|C_b|}(E_{K^l}(C_{b-1})) (xor) C_b | 1681 | 6. Return P = P_1 | ... | P_b | 1682 +-------------------------------------------------------------+ 1684 The initialization vector IV for any particular execution of the 1685 encryption process must be unpredictable. 1687 6.3.6. OMAC-ACPKM-Master Authentication Mode 1689 This section defines an OMAC-ACPKM-Master message authentication code 1690 calculation mode that uses the ACPKM-Master internal re-keying 1691 mechanism for the periodical key transformation. 1693 The OMAC-ACPKM-Master mode can be considered as the base message 1694 authentication code calculation mode OMAC, which is also known as 1695 CMAC (see [RFC4493]), extended by the ACPKM-Master re-keying 1696 mechanism. 1698 The OMAC-ACPKM-Master message authentication code calculation mode 1699 can be used with the following parameters: 1701 o n in {64, 128, 256}; 1703 o 128 <= k <= 512; 1705 o the maximum message size m_max = N * (n * 2^{n/2-1} / (k + n)). 1707 The key material K[j] that is used for one section processing is 1708 equal to K^j | K^j_1, where |K^j| = k and |K^j_1| = n. 
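The following Python is an added illustration of the CBC-ACPKM-Master mode of Section 6.3.4 (the same ACPKM-Master section-key selection drives the CFB and OMAC modes); it is not code from this draft. It assumes the ACPKM-Master derivation of the draft's earlier sections (a CTR-ACPKM keystream under K with ICN = 1^{n/2}, c = n/2 and section size T*, with ACPKM(K) = MSB_k(E_K(D_1) | ... | E_K(D_J)) and the constants D_1 | D_2 | ... = 0x80, 0x81, ... listed in the test vectors), and it uses a SHA-256-based Feistel permutation as a stand-in for the block cipher E, so it does not reproduce the AES test vectors.

```python
# Added example: CBC-ACPKM-Master with a stand-in block cipher (not the draft's code, not AES).
import hashlib

N_BITS, K_BITS = 128, 256                       # block size n and key size k, in bits
BLOCK, KEYLEN = N_BITS // 8, K_BITS // 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Stand-in for E_K / D_K: a 4-round Feistel network keyed through SHA-256.  It is a
# permutation (so CBC decryption works) but it is NOT AES and matches no test vector.
def _round(key: bytes, half: bytes, r: int) -> bytes:
    return hashlib.sha256(key + bytes([r]) + half).digest()[: BLOCK // 2]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for r in range(4):
        left, right = right, _xor(left, _round(key, right, r))
    return left + right


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(4)):
        left, right = _xor(right, _round(key, left, r)), left
    return left + right


def acpkm(E, key: bytes) -> bytes:
    """ACPKM key transformation (assumed): next key = MSB_k(E_K(D_1) | ... | E_K(D_J))."""
    j_blocks = -(-KEYLEN // BLOCK)                           # J = ceil(k / n)
    d = bytes(range(0x80, 0x80 + j_blocks * BLOCK))          # D_1 | ... | D_J = 0x80, 0x81, ...
    return b"".join(E(key, d[i * BLOCK:(i + 1) * BLOCK]) for i in range(j_blocks))[:KEYLEN]


def ctr_acpkm_keystream(E, section_bits: int, key: bytes, icn: bytes, nbytes: int, c: int) -> bytes:
    """G_1 | G_2 | ...: block j (0-based) is E under section key K^{j // (N/n)} of CTR_j = ICN | (j mod 2^c)."""
    per_section = section_bits // N_BITS                     # blocks per section; N is a multiple of n here
    keys, out = [key], bytearray()
    for j in range(-(-nbytes // BLOCK)):
        i = j // per_section                                 # 0-based form of i = ceil(j * n / N)
        while len(keys) <= i:                                # K^{i+1} = ACPKM(K^i), derived on first use
            keys.append(acpkm(E, keys[-1]))
        ctr = icn + (j % (1 << c)).to_bytes(c // 8, "big")   # Inc_c touches only the low c bits
        out += E(keys[i], ctr)
    return bytes(out[:nbytes])


def acpkm_master(E, t_star: int, key: bytes, d_bits: int, l: int) -> bytes:
    """K^1 | ... | K^l = ACPKM-Master(T*, K, d, l) (assumed): keystream with ICN = 1^{n/2}, c = n/2."""
    return ctr_acpkm_keystream(E, t_star, key, b"\xff" * (BLOCK // 2), (d_bits // 8) * l, N_BITS // 2)


def section_keys(E, section_bits: int, key: bytes, t_star: int, msg_len: int) -> list:
    """The l = ceil(|P| / N) section keys K^1 .. K^l (k bits each) for a message of msg_len bytes."""
    l = -(-(msg_len * 8) // section_bits)
    material = acpkm_master(E, t_star, key, K_BITS, l)
    return [material[i * KEYLEN:(i + 1) * KEYLEN] for i in range(l)]


def cbc_acpkm_master_encrypt(E, section_bits: int, key: bytes, t_star: int, iv: bytes, p: bytes) -> bytes:
    """CBC-ACPKM-Master-Encrypt(N, K, T*, IV, P): ordinary CBC, but block j is encrypted under K^i."""
    if len(p) % BLOCK or section_bits % N_BITS:
        raise ValueError("P must consist of complete blocks and N must be a multiple of n")
    keys, per_section = section_keys(E, section_bits, key, t_star, len(p)), section_bits // N_BITS
    prev, out = iv, bytearray()                              # C_0 = IV
    for j in range(len(p) // BLOCK):
        prev = E(keys[j // per_section], _xor(p[j * BLOCK:(j + 1) * BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_acpkm_master_decrypt(D, E, section_bits: int, key: bytes, t_star: int, iv: bytes, c: bytes) -> bytes:
    """CBC-ACPKM-Master-Decrypt: P_j = D_{K^i}(C_j) xor C_{j-1}; E is still needed to derive the keys."""
    keys, per_section = section_keys(E, section_bits, key, t_star, len(c)), section_bits // N_BITS
    prev, out = iv, bytearray()
    for j in range(len(c) // BLOCK):
        cur = c[j * BLOCK:(j + 1) * BLOCK]
        out += _xor(D(keys[j // per_section], cur), prev)
        prev = cur
    return bytes(out)


# Constructed sample input (not from the draft): N = 256 bits (two blocks per section),
# T* = 512 bits and six plaintext blocks, so three section keys are taken from a master
# keystream that itself switches key after four blocks.
SAMPLE_KEY = bytes(range(32))
SAMPLE_IV = bytes.fromhex("1234567890abcef0a1b2c3d4e5f00112")
SAMPLE_P = bytes(range(96))

if __name__ == "__main__":
    ct = cbc_acpkm_master_encrypt(toy_encrypt, 256, SAMPLE_KEY, 512, SAMPLE_IV, SAMPLE_P)
    pt = cbc_acpkm_master_decrypt(toy_decrypt, toy_encrypt, 256, SAMPLE_KEY, 512, SAMPLE_IV, ct)
    print(ct.hex(), pt == SAMPLE_P)
```

Within one section the output is plain CBC under that section's key, which is what makes an existing CBC implementation reusable: only the key handed to the block cipher changes at section boundaries.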
The following is a specification of the subkey generation process of
OMAC:

+-------------------------------------------------------------------+
| Generate_Subkey(K1, r)                                            |
|-------------------------------------------------------------------|
| Input:                                                            |
| - key K1,                                                         |
| - length r of the last message block.                             |
| Output:                                                           |
| - key SK.                                                         |
|-------------------------------------------------------------------|
| 1. If r = n then return K1                                        |
| 2. If r < n then                                                  |
|        if MSB_1(K1) = 0                                           |
|            return K1 << 1                                         |
|        else                                                       |
|            return (K1 << 1) (xor) R_n                             |
+-------------------------------------------------------------------+

Here R_n takes the following values:

   o  n = 64: R_{64} = 0^{59} | 11011;

   o  n = 128: R_{128} = 0^{120} | 10000111;

   o  n = 256: R_{256} = 0^{145} | 10000100101.

The OMAC-ACPKM-Master message authentication code calculation mode is
defined as follows:

+----------------------------------------------------------------------+
| OMAC-ACPKM-Master(K, N, T*, M)                                       |
|----------------------------------------------------------------------|
| Input:                                                               |
| - section size N,                                                    |
| - initial key K,                                                     |
| - master key frequency T*,                                           |
| - plaintext M = M_1 | ... | M_b, |M| <= m_max.                       |
| Output:                                                              |
| - message authentication code T.                                     |
|----------------------------------------------------------------------|
| 1. C_0 = 0^n                                                         |
| 2. l = ceil(|M| / N)                                                 |
| 3. K^1 | K^1_1 | ... | K^l | K^l_1 = ACPKM-Master(T*, K, (k + n), l) |
| 4. For j = 1, 2, ... , b - 1 do                                      |
|        i = ceil(j * n / N),                                          |
|        C_j = E_{K^i}(M_j (xor) C_{j-1})                              |
| 5. SK = Generate_Subkey(K^l_1, |M_b|)                                |
| 6. If |M_b| = n then M*_b = M_b                                      |
|    else M*_b = M_b | 1 | 0^{n - 1 - |M_b|}                           |
| 7. T = E_{K^l}(M*_b (xor) C_{b-1} (xor) SK)                          |
| 8. Return T                                                          |
+----------------------------------------------------------------------+

7.  Joint Usage of External and Internal Re-keying

Both external re-keying and internal re-keying have their own
advantages and disadvantages, discussed in Section 1.  For instance,
external re-keying can essentially limit the message length, while
in the case of internal re-keying the section size, which can be
chosen as the maximal possible for operational properties, limits
the number of separate messages.  Therefore, the choice of re-keying
mechanism (either external or internal) depends on particular
protocol features.  However, some protocols may have features that
require the advantages provided by both external and internal re-
keying mechanisms: for example, the protocol mainly transmits
messages of small length, but it must additionally support the
processing of very long messages.  In such situations it is
necessary to use external and internal re-keying jointly, since
these techniques negate each other's disadvantages.

For composition of external and internal re-keying techniques any
mechanism described in Section 5 can be used with any mechanism
described in Section 6.

For example, consider the GCM-ACPKM mode with external serial re-
keying based on a KDF on a hash function.  Denote by frame size the
number of messages in each frame (in the case of the implicit
approach to key lifetime control) for external re-keying.

Let L be a key lifetime limitation.  The section size N for internal
re-keying and the frame size q for external re-keying must be chosen
in such a way that q * N does not exceed L.

Suppose that t messages (ICN_i, P_i, A_i), with initial counter nonce
ICN_i, plaintext P_i and additional authenticated data A_i, will be
processed before renegotiation.

For authenticated encryption of each message (ICN_i, P_i, A_i), i =
1, ..., t, the following algorithm can be applied:

   1. j = ceil(i / q),
   2. K^j = ExtSerialH(K, j),
   3. C_i | T_i = GCM-ACPKM-Encrypt(N, K^j, ICN_i, P_i, A_i).

Note that the nonces ICN_i that are used under the same frame key
must be unique for each message.

8.  Security Considerations

Re-keying should be used to increase "a priori" security properties
of ciphers in hostile environments (e.g., with side-channel
adversaries).  If some efficient attacks are known for a cipher, it
must not be used.  So re-keying cannot be used as a patch for
vulnerable ciphers.  Base cipher properties must be well analyzed,
because the security of re-keying mechanisms is based on the security
of a block cipher as a pseudorandom function.

Re-keying is not intended to solve any post-quantum security issues
for symmetric cryptography, since the reduction of security caused by
Grover's algorithm is not connected with the size of plaintext
transformed by a cipher (only a negligible amount of material,
sufficient for key uniqueness, is needed), while the aim of re-keying
is to limit the size of plaintext transformed under one initial key.

Re-keying can provide backward security only if previous key material
is securely deleted after usage by all parties.

9.  References

9.1.  Normative References

   [CMS]      Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, DOI 10.17487/RFC5652, September 2009.

   [DTLS]     Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012.

   [ESP]      Kent, S., "IP Encapsulating Security Payload (ESP)",
              RFC 4303, DOI 10.17487/RFC4303, December 2005.

   [GCM]      Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Galois/Counter Mode (GCM) and GMAC", NIST
              Special Publication 800-38D,
              http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf,
              November 2007.
   [MODES]    Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Methods and Techniques", NIST Special
              Publication 800-38A, December 2001.

   [NISTSP800-108]
              National Institute of Standards and Technology,
              "Recommendation for Key Derivation Using Pseudorandom
              Functions", NIST Special Publication 800-108, November
              2008.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4493]  Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The
              AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June
              2006.

   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869,
              DOI 10.17487/RFC5869, May 2010.

   [RFC7836]  Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V.,
              Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines
              on the Cryptographic Algorithms to Accompany the Usage of
              Standards GOST R 34.10-2012 and GOST R 34.11-2012",
              RFC 7836, DOI 10.17487/RFC7836, March 2016.

   [SSH]      Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253,
              January 2006.

   [TLS]      Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [TLSDraft]
              Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", 2017.

9.2.  Informative References

   [AAOS2017]
              Ahmetzyanova, L., Alekseev, E., Oshkin, I., and S.
              Smyshlyaev, "Increasing the Lifetime of Symmetric Keys for
              the GCM Mode by Internal Re-keying", Cryptology ePrint
              Archive Report 2017/697, 2017.

   [AbBell]   Abdalla, M. and M. Bellare, "Increasing the Lifetime
              of a Key: A Comparative Analysis of the Security of Re-
              keying Techniques", ASIACRYPT 2000, LNCS 1976, pp. 546-559,
              2000.

   [AESDUKPT]
              ANSI, "Retail Financial Services Symmetric Key Management
              - Part 3: Derived Unique Key Per Transaction", ANSI
              X9.24-3-2017, 2017.

   [FKK2005]  Fu, K., Kamara, S., and T. Kohno, "Key Regression:
              Enabling Efficient Key Distribution for Secure Distributed
              Storage", November 2005.

   [FPS2012]  Faust, S., Pietrzak, K., and J. Schipper, "Practical
              Leakage-Resilient Symmetric Cryptography", CHES 2012, LNCS
              vol. 7428, pp. 213-232, 2012.

   [FRESHREKEYING]
              Dziembowski, S., Faust, S., Herold, G., Journault, A.,
              Masny, D., and F. Standaert, "Towards Sound Fresh Re-
              Keying with Hard (Physical) Learning Problems", Cryptology
              ePrint Archive Report 2016/573, June 2016.

   [GGM]      Goldreich, O., Goldwasser, S., and S. Micali, "How to
              Construct Random Functions", Journal of the Association
              for Computing Machinery Vol. 33, No. 4, pp. 792-807, October
              1986.

   [KMNT2003]
              Kim, Y., Maino, F., Narasimha, M., and G. Tsudik, "Secure
              Group Services for Storage Area Networks",
              IEEE Communications Magazine 41, pp. 92-99, 2003.

   [LDC]      Heys, H., "A Tutorial on Linear and Differential
              Cryptanalysis", 2017.

   [OWT]      Joye, M. and S. Yen, "One-Way Cross-Trees and Their
              Applications", DOI 10.1007/3-540-45664-3_25, February
              2002.

   [P3]       Alexander, P., "Dynamic Key Changes on Encrypted
              Sessions", CFRG mail archive, December 2017.

   [Pietrzak2009]
              Pietrzak, K., "A Leakage-Resilient Mode of Operation",
              EUROCRYPT 2009, LNCS vol. 5479, pp. 462-482, 2009.

   [SIGNAL]   Perrin, T., Ed. and M. Marlinspike, "The Double Ratchet
              Algorithm", November 2016.
   [Sweet32]  Bhargavan, K. and G. Leurent, "On the Practical
              (In-)Security of 64-bit Block Ciphers: Collision Attacks
              on HTTP over TLS and OpenVPN", Cryptology ePrint
              Archive Report 2016/798, 2016.

   [TAHA]     Taha, M. and P. Schaumont, "Key Updating for Leakage
              Resiliency With Application to AES Modes of Operation",
              DOI 10.1109/TIFS.2014.2383359, December 2014.

   [TEMPEST]  Ramsay, C. and J. Lohuis, "TEMPEST attacks against
              AES. Covertly stealing keys for 200 euro", 2017.

   [U2F]      Chang, D., Mishra, S., Sanadhya, S., and A. Singhl, "On
              Making U2F Protocol Leakage-Resilient via Re-keying.",
              Cryptology ePrint Archive Report 2017/721, August 2017.

Appendix A.  Test Examples

A.1.  Test Examples for External Re-keying

A.1.1.  External Re-keying with a Parallel Construction

External re-keying with a parallel construction based on AES-256
****************************************************************
k = 256
t = 128

Initial key:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00

K^1:
51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86
64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1

K^2:
6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15
B8 02 92 32 D8 D3 8D 73 FE DC DD C6 C8 36 78 BD

K^3:
B6 40 24 85 A4 24 BD 35 B4 26 43 13 76 26 70 B6
5B F3 30 3D 3B 20 EB 14 D1 3B B7 91 74 E3 DB EC

...

K^126:
2F 3F 15 1B 53 88 23 CD 7D 03 FC 3D FD B3 57 5E
23 E4 1C 4E 46 FF 6B 33 34 12 27 84 EF 5D 82 23

K^127:
8E 51 31 FB 0B 64 BB D0 BC D4 C5 7B 1C 66 EF FD
97 43 75 10 6C AF 5D 5E 41 E0 17 F4 05 63 05 ED

K^128:
77 4F BF B3 22 60 C5 3B A3 8E FE B1 96 46 76 41
94 49 AF 84 2D 84 65 A7 F4 F7 2C DC A4 9D 84 F9

External re-keying with a parallel construction based on SHA-256
****************************************************************
k = 256
t = 128

label:
SHA2label

Initial key:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00

K^1:
C1 A1 4C A0 30 29 BE 43 9F 35 3C 79 1A 51 48 57
26 7A CD 5A E8 7D E7 D1 B2 E2 C7 AF A4 29 BD 35

K^2:
03 68 BB 74 41 2A 98 ED C4 7B 94 CC DF 9C F4 9E
A9 B8 A9 5F 0E DC 3C 1E 3B D2 59 4D D1 75 82 D4

K^3:
2F D3 68 D3 A7 8F 91 E6 3B 68 DC 2B 41 1D AC 80
0A C3 14 1D 80 26 3E 61 C9 0D 24 45 2A BD B1 AE

...

K^126:
55 AC 2B 25 00 78 3E D4 34 2B 65 0E 75 E5 8B 76
C8 04 E9 D3 B6 08 7D C0 70 2A 99 A4 B5 85 F1 A1

K^127:
77 4D 15 88 B0 40 90 E5 8C 6A D7 5D 0F CF 0A 4A
6C 23 F1 B3 91 B1 EF DF E5 77 64 CD 09 F5 BC AF

K^128:
E5 81 FF FB 0C 90 88 CD E5 F4 A5 57 B6 AB D2 2E
94 C3 42 06 41 AB C1 72 66 CC 2F 59 74 9C 86 B3

A.1.2.  External Re-keying with a Serial Construction

External re-keying with a serial construction based on AES-256
**************************************************************
AES 256 examples:
k = 256
t = 128

Initial key:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00

K*_1:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00

K^1:
66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0
51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86

K*_2:
64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1
6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15

K^2:
66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0
51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86

K*_3:
64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1
6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15

K^3:
66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0
51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86

...

K*_126:
64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1
6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15

K^126:
66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0
51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86

K*_127:
64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1
6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15

K^127:
66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0
51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86

K*_128:
64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1
6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15

K^128:
66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0
51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86

External re-keying with a serial construction based on SHA-256
**************************************************************
k = 256
t = 128

Initial key:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00

label1:
SHA2label1

label2:
SHA2label2

K*_1:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00

K^1:
2D A8 D1 37 6C FD 52 7F F7 36 A4 E2 81 C6 0A 9B
F3 8E 66 97 ED 70 4F B5 FB 10 33 CC EC EE D5 EC

K*_2:
14 65 5A D1 7C 19 86 24 9B D3 56 DF CC BE 73 6F
52 62 4A 9D E3 CC 40 6D A9 48 DA 5C D0 68 8A 04

K^2:
2F EA 8D 57 2B EF B8 89 42 54 1B 8C 1B 3F 8D B1
84 F9 56 C7 FE 01 11 99 1D FB 98 15 FE 65 85 CF

K*_3:
18 F0 B5 2A D2 45 E1 93 69 53 40 55 43 70 95 8D
70 F0 20 8C DF B0 5D 67 CD 1B BF 96 37 D3 E3 EB

K^3:
53 C7 4E 79 AE BC D1 C8 24 04 BF F6 D7 B1 AC BF
F9 C0 0E FB A8 B9 48 29 87 37 E1 BA E7 8F F7 92

...
K*_126:
A3 6D BF 02 AA 0B 42 4A F2 C0 46 52 68 8B C7 E6
5E F1 62 C3 B3 2F DD EF E4 92 79 5D BB 45 0B CA

K^126:
6C 4B D6 22 DC 40 48 0F 29 C3 90 B8 E5 D7 A7 34
23 4D 34 65 2C CE 4A 76 2C FE 2A 42 C8 5B FE 9A

K*_127:
84 5F 49 3D B8 13 1D 39 36 2B BE D3 74 8F 80 A1
05 A7 07 37 BA 15 72 E0 73 49 C2 67 5D 0A 28 A1

K^127:
57 F0 BD 5A B8 2A F3 6B 87 33 CF F7 22 62 B4 D0
F0 EE EF E1 50 74 E5 BA 13 C1 23 68 87 36 29 A2

K*_128:
52 F2 0F 56 5C 9C 56 84 AF 69 AD 45 EE B8 DA 4E
7A A6 04 86 35 16 BA 98 E4 CB 46 D2 E8 9A C1 09

K^128:
9B DD 24 7D F3 25 4A 75 E0 22 68 25 68 DA 9D D5
C1 6D 2D 2B 4F 3F 1F 2B 5E 99 82 7F 15 A1 4F A4

A.2.  Test Examples for Internal Re-keying

A.2.1.  Internal Re-keying Mechanisms that Do Not Require Master Key

CTR-ACPKM mode with AES-256
***************************
k = 256
n = 128
c = 64
N = 256

Initial key K:
00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

Plaintext P:
00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33
00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44

ICN:
12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12
23 34 45 56 67 78 89 90 12 13 14 15 16 17 18 19

D_1:
00000: 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F

D_2:
00000: 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F

Section_1

Section key K^1:
00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

Input block CTR_1:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 00

Output block G_1:
00000: FD 7E F8 9A D9 7E A4 B8 8D B8 B5 1C 1C 9D 6D D0

Input block CTR_2:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 01

Output block G_2:
00000: 19 98 C5 71 76 37 FB 17 11 E4 48 F0 0C 0D 60 B2

Section_2

Section key K^2:
00000: F6 80 D1 21 2F A4 3D F4 EC 3A 91 DE 2A B1 6F 1B
00010: 36 B0 48 8A 4F C1 2E 09 98 D2 E4 A8 88 E8 4F 3D

Input block CTR_3:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 02

Output block G_3:
00000: E4 88 89 4F B6 02 87 DB 77 5A 07 D9 2C 89 46 EA

Input block CTR_4:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 03

Output block G_4:
00000: BC 4F 87 23 DB F0 91 50 DD B4 06 C3 1D A9 7C A4

Section_3

Section key K^3:
00000: 8E B9 7E 43 27 1A 42 F1 CA 8E E2 5F 5C C7 C8 3B
00010: 1A CE 9E 5E D0 6A A5 3B 57 B9 6A CF 36 5D 24 B8

Input block CTR_5:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 04

Output block G_5:
00000: 68 6F 22 7D 8F B2 9C BD 05 C8 C3 7D 22 FE 3B B7

Input block CTR_6:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 05

Output block G_6:
00000: C0 1B F9 7F 75 6E 12 2F 80 59 55 BD DE 2D 45 87

Section_4

Section key K^4:
00000: C5 71 6C C9 67 98 BC 2D 4A 17 87 B7 8A DF 94 AC
00010: E8 16 F8 0B DB BC AD 7D 60 78 12 9C 0C B4 02 F5

Block number 7:

Input block CTR_7:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 06

Output block G_7:
00000: 03 DE 34 74 AB 9B 65 8A 3B 54 1E F8 BD 2B F4 7D

The result G = G_1 | G_2 | G_3 | G_4 | G_5 | G_6 | G_7:
00000: FD 7E F8 9A D9 7E A4 B8 8D B8 B5 1C 1C 9D 6D D0
00010: 19 98 C5 71 76 37 FB 17 11 E4 48 F0 0C 0D 60 B2
00020: E4 88 89 4F B6 02 87 DB 77 5A 07 D9 2C 89 46 EA
00030: BC 4F 87 23 DB F0 91 50 DD B4 06 C3 1D A9 7C A4
00040: 68 6F 22 7D 8F B2 9C BD 05 C8 C3 7D 22 FE 3B B7
00050: C0 1B F9 7F 75 6E 12 2F 80 59 55 BD DE 2D 45 87
00060: 03 DE 34 74 AB 9B 65 8A 3B 54 1E F8 BD 2B F4 7D

The result ciphertext C = P (xor) MSB_{|P|}(G):
00000: EC 5C CB DE 8C 18 D3 B8 72 56 68 D0 A7 37 F4 58
00010: 19 89 E7 42 32 62 9D 60 99 7D E2 4B C0 E3 9F B8
00020: F5 AA BA 0B E3 64 F0 53 EE F0 BC 15 C2 76 4C EA
00030: 9E 7C C3 76 BD 87 19 C9 77 0F CA 2D E2 A3 7C B5
00040: 5B 2B 77 1B F8 3A 05 17 BE 04 2D 82 28 FE 2A 95
00050: 84 4E 9F 08 FD F7 B8 94 4C B7 AA B7 DE 3C 67 B4
00060: 56 B8 43 FC 32 31 DE 46 D5 AB 14 F8 AC 09 C7 39

GCM-ACPKM mode with AES-128
***************************
k = 128
n = 128
c = 32
N = 256

Initial key K:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Additional data A:
00000: 11 22 33

Plaintext:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

ICN:
00000: 00 00 00 00 00 00 00 00 00 00 00 00

Number of sections: 2

Section key K^1:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Section key K^2:
00000: 15 1A 9F B0 B6 AC C5 97 6A FB 50 31 D1 DE C8 41

Encrypted GCTR_1 | GCTR_2 | GCTR_3:
00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78
00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0
00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD

Ciphertext C:
00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78
00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0
00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD

GHASH input:
00000: 11 22 33 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78
00020: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0
00030: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD
00040: 00 00 00 00 00 00 00 18 00 00 00 00 00 00 01 80

GHASH output S:
00000: E8 ED E9 94 9A DD 55 30 B0 F4 4E F5 00 FC 3E 3C

Authentication tag T:
00000: B0 0F 15 5A 60 A3 65 51 86 8B 53 A2 A4 1B 7B 66

The result C | T:
00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78
00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0
00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD
00030: B0 0F 15 5A 60 A3 65 51 86 8B 53 A2 A4 1B 7B 66

A.2.2.  Internal Re-keying Mechanisms with a Master Key

CTR-ACPKM-Master mode with AES-256
**********************************
k = 256
n = 128
c for CTR-ACPKM mode = 64
c for CTR-ACPKM-Master mode = 64
N = 256
T* = 512

Initial key K:
00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

Initial vector ICN:
00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12

Plaintext P:
00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33
00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44

K^1 | K^2 | K^3 | K^4:
00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60
00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0
00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3
00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4
00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94
00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12

Section_1

K^1:
00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64
00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60
Input block CTR_1:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 00

Output block G_1:
00000: 8C A2 B6 82 A7 50 65 3F 8E BF 08 E7 9F 99 4D 5C

Input block CTR_2:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 01

Output block G_2:
00000: F6 A6 A5 BA 58 14 1E ED 23 DC 31 68 D2 35 89 A1

Section_2

K^2:
00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0
00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3

Input block CTR_3:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 02

Output block G_3:
00000: 4A 07 5F 86 05 87 72 94 1D 8E 7D F8 32 F4 23 71

Input block CTR_4:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 03

Output block G_4:
00000: 23 35 66 AF 61 DD FE A7 B1 68 3F BA B0 52 4A D7

Section_3

K^3:
00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4
00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94

Input block CTR_5:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 04

Output block G_5:
00000: A8 09 6D BC E8 BB 52 FC DE 6E 03 70 C1 66 95 E8

Input block CTR_6:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 05

Output block G_6:
00000: C6 E3 6E 8E 5B 82 AA C4 A6 6C 14 8D B1 F6 9B EF

Section_4

K^4:
00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9
00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12

Input block CTR_7:
00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 06

Output block G_7:
00000: 82 2B E9 07 96 37 44 95 75 36 3F A7 07 F8 40 22

The result G = G_1 | G_2 | G_3 | G_4 | G_5 | G_6 | G_7:
00000: 8C A2 B6 82 A7 50 65 3F 8E BF 08 E7 9F 99 4D 5C
00010: F6 A6 A5 BA 58 14 1E ED 23 DC 31 68 D2 35 89 A1
00020: 4A 07 5F 86 05 87 72 94 1D 8E 7D F8 32 F4 23 71
00030: 23 35 66 AF 61 DD FE A7 B1 68 3F BA B0 52 4A D7
00040: A8 09 6D BC E8 BB 52 FC DE 6E 03 70 C1 66 95 E8
00050: C6 E3 6E 8E 5B 82 AA C4 A6 6C 14 8D B1 F6 9B EF
00060: 82 2B E9 07 96 37 44 95 75 36 3F A7 07 F8 40 22

The result ciphertext C = P (xor) MSB_{|P|}(G):
00000: 9D 80 85 C6 F2 36 12 3F 71 51 D5 2B 24 33 D4 D4
00010: F6 B7 87 89 1C 41 78 9A AB 45 9B D3 1E DB 76 AB
00020: 5B 25 6C C2 50 E1 05 1C 84 24 C6 34 DC 0B 29 71
00030: 01 06 22 FA 07 AA 76 3E 1B D3 F3 54 4F 58 4A C6
00040: 9B 4D 38 DA 9F 33 CB 56 65 A2 ED 8F CB 66 84 CA
00050: 82 B6 08 F9 D3 1B 00 7F 6A 82 EB 87 B1 E7 B9 DC
00060: D7 4D 9E 8F 0F 9D FF 59 9B C9 35 A7 16 DA 73 66

GCM-ACPKM-Master mode with AES-256
**********************************
k = 192
n = 128
c for the CTR-ACPKM mode = 64
c for the GCM-ACPKM-Master mode = 32
T* = 384
N = 256

Initial key K:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00

Additional data A:
00000: 11 22 33

Plaintext:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

ICN:
00000: 00 00 00 00 00 00 00 00 00 00 00 00

Number of sections: 3

K^1 | K^2 | K^3:
00000: 93 BA AF FB 35 FB E7 39 C1 7C 6A C2 2E EC F1 8F
00010: 7B 89 F0 BF 8B 18 07 05 96 48 68 9F 36 A7 65 CC
00020: CD 5D AC E2 0D 47 D9 18 D7 86 D0 41 A8 3B AB 99
00030: F5 F8 B1 06 D2 71 78 B1 B0 08 C9 99 0B 72 E2 87
00040: 5A 2D 3C BE F1 6E 67 3C

Encrypted GCTR_1 | ... | GCTR_5:
00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52
00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8
00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE
00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14
00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08

Ciphertext C:
00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52
00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8
00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE
00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14
00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08

GHASH input:
00000: 11 22 33 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52
00020: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8
00030: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE
00040: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14
00050: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08
00060: 00 00 00 00 00 00 00 18 00 00 00 00 00 00 02 80

GHASH output S:
00000: 6E A3 4B D5 6A C5 40 B7 3E 55 D5 86 D1 CC 09 7D

Authentication tag T:
00050: CC 3A BA 11 8C E7 85 FD 77 78 94 D4 B5 20 69 F8

The result C | T:
00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52
00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8
00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE
00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14
00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08
00050: CC 3A BA 11 8C E7 85 FD 77 78 94 D4 B5 20 69 F8

CBC-ACPKM-Master mode with AES-256
**********************************
k = 256
n = 128
c for the CTR-ACPKM mode = 64
N = 256
T* = 512

Initial key K:
00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

Initial vector IV:
00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5
F0 01 12 2578 Plaintext P: 2580 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2581 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2582 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2583 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2584 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2585 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2586 00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 2588 K^1 | K^2 | K^3 | K^4: 2589 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2590 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2591 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2592 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2593 00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2594 00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2595 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2596 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2598 Section_1 2600 K^1: 2601 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2602 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2604 Plaintext block P_1: 2605 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2607 Input block P_1 (xor) C_0: 2608 00000: 03 16 65 3C C5 CD B9 F0 5E 5C 1E 18 5E 5A 98 9A 2610 Output block C_1: 2611 00000: 59 CB 5B CA C2 69 2C 60 0D 46 03 A0 C7 40 C9 7C 2613 Plaintext block P_2: 2614 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2616 Input block P_2 (xor) C_1: 2617 00000: 59 DA 79 F9 86 3C 4A 17 85 DF A9 1B 0B AE 36 76 2619 Output block C_2: 2620 00000: 80 B6 02 74 54 8B F7 C9 78 1F A1 05 8B F6 8B 42 2622 Section_2 2624 K^2: 2625 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2626 00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2627 Plaintext block P_3: 2628 00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2630 Input block P_3 (xor) C_2: 2631 00000: 91 94 31 30 01 ED 80 41 E1 B5 1A C9 65 09 81 42 2633 Output block C_3: 2634 00000: 8C 24 FB CF 68 15 
B1 AF 65 FE 47 75 95 B4 97 59 2636 Plaintext block P_4: 2637 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2639 Input block P_4 (xor) C_3: 2640 00000: AE 17 BF 9A 0E 62 39 36 CF 45 8B 9B 6A BE 97 48 2642 Output block C_4: 2643 00000: 19 65 A5 00 58 0D 50 23 72 1B E9 90 E1 83 30 E9 2645 Section_3 2647 K^3: 2648 00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2649 00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2651 Plaintext block P_5: 2652 00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2654 Input block P_5 (xor) C_4: 2655 00000: 2A 21 F0 66 2F 85 C9 89 C9 D7 07 6F EB 83 21 CB 2657 Output block C_5: 2658 00000: 56 D8 34 F4 6F 0F 4D E6 20 53 A9 5C B5 F6 3C 14 2660 Plaintext block P_6: 2661 00000: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2663 Input block P_6 (xor) C_5: 2664 00000: 12 8D 52 83 E7 96 E7 5D EC BD 56 56 B5 E7 1E 27 2666 Output block C_6: 2667 00000: 66 68 2B 8B DD 6E B2 7E DE C7 51 D6 2F 45 A5 45 2669 Section_4 2671 K^4: 2672 00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2673 00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2674 Plaintext block P_7: 2675 00000: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 2677 Input block P_7 (xor) C_6: 2678 00000: 33 0E 5C 03 44 C4 09 B2 30 38 5B D6 3E 67 96 01 2680 Output block C_7: 2681 00000: 7F 4D 87 F9 CA E9 56 09 79 C4 FA FE 34 0B 45 34 2683 Cipher text C: 2684 00000: 59 CB 5B CA C2 69 2C 60 0D 46 03 A0 C7 40 C9 7C 2685 00010: 80 B6 02 74 54 8B F7 C9 78 1F A1 05 8B F6 8B 42 2686 00020: 8C 24 FB CF 68 15 B1 AF 65 FE 47 75 95 B4 97 59 2687 00030: 19 65 A5 00 58 0D 50 23 72 1B E9 90 E1 83 30 E9 2688 00040: 56 D8 34 F4 6F 0F 4D E6 20 53 A9 5C B5 F6 3C 14 2689 00050: 66 68 2B 8B DD 6E B2 7E DE C7 51 D6 2F 45 A5 45 2690 00060: 7F 4D 87 F9 CA E9 56 09 79 C4 FA FE 34 0B 45 34 2692 CFB-ACPKM-Master mode with AES-256 2693 ********************************** 2694 k = 256 2695 n = 128 2696 c for the CTR-ACPKM mode = 64 2697 N = 256 2698 T* = 512 2700 Initial key K: 2701 
00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2702 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2704 Initial vector IV: 2705 00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 2707 Plaintext P: 2708 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2709 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2710 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2711 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2712 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2713 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2714 00060: 55 66 77 88 99 AA BB CC 2716 K^1 | K^2 | K^3 | K^4 2717 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2718 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2719 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2720 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2721 00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2722 00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2723 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2724 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2726 Section_1 2728 K^1: 2729 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2730 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2732 Plaintext block P_1: 2733 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2735 Encrypted block E_{K^1}(C_0): 2736 00000: 1C 39 9D 59 F8 5D 91 91 A9 D2 12 9F 63 15 90 03 2738 Output block C_1 = E_{K^1}(C_0) (xor) P_1: 2739 00000: 0D 1B AE 1D AD 3B E6 91 56 3C CF 53 D8 BF 09 8B 2741 Plaintext block P_2: 2742 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2744 Encrypted block E_{K^1}(C_1): 2745 00000: 6B A2 C5 42 52 69 C6 0B 15 14 06 87 90 46 F6 2E 2747 Output block C_2 = E_{K^1}(C_1) (xor) P_2: 2748 00000: 6B B3 E7 71 16 3C A0 7C 9D 8D AC 3C 5C A8 09 24 2750 Section_2 2752 K^2: 2753 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2754 00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2756 
Plaintext block P_3: 2757 00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2759 Encrypted block E_{K^2}(C_2): 2760 00000: 95 45 5F DB C3 9E 0A 13 9F CB 10 F5 BD 79 A3 88 2762 Output block C_3 = E_{K^2}(C_2) (xor) P_3: 2763 00000: 84 67 6C 9F 96 F8 7D 9B 06 61 AB 39 53 86 A9 88 2765 Plaintext block P_4: 2766 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2767 Encrypted block E_{K^2}(C_3): 2768 00000: E0 AA 32 5D 80 A4 47 95 BA 42 BF 63 F8 4A C8 B2 2770 Output block C_4 = E_{K^2}(C_3) (xor) P_4: 2771 00000: C2 99 76 08 E6 D3 CF 0C 10 F9 73 8D 07 40 C8 A3 2773 Section_3 2775 K^3: 2776 00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2777 00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2779 Plaintext block P_5: 2780 00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2782 Encrypted block E_{K^3}(C_4): 2783 00000: FE 42 8C 70 C2 51 CE 13 36 C1 BF 44 F8 49 66 89 2785 Output block C_5 = E_{K^3}(C_4) (xor) P_5: 2786 00000: CD 06 D9 16 B5 D9 57 B9 8D 0D 51 BB F2 49 77 AB 2788 Plaintext block P_6: 2789 00000: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2791 Encrypted block E_{K^3}(C_5): 2792 00000: 01 24 80 87 86 18 A5 43 11 0A CC B5 0A E5 02 A3 2794 Output block C_6 = E_{K^3}(C_5) (xor) P_6: 2795 00000: 45 71 E6 F0 0E 81 0F F8 DD E4 33 BF 0A F4 20 90 2797 Section_4 2799 K^4: 2800 00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2801 00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2803 Plaintext block P_7: 2804 00000: 55 66 77 88 99 AA BB CC 2806 Encrypted block MSB_{|P_7|}(E_{K^4}(C_6)): 2807 00000: 97 5C 96 37 55 1E 8C 7F 2809 Output block C_7 = MSB_{|P_7|}(E_{K^4}(C_6)) (xor) P_7 2810 00000: C2 3A E1 BF CC B4 37 B3 2812 Cipher text C: 2813 00000: 0D 1B AE 1D AD 3B E6 91 56 3C CF 53 D8 BF 09 8B 2814 00010: 6B B3 E7 71 16 3C A0 7C 9D 8D AC 3C 5C A8 09 24 2815 00020: 84 67 6C 9F 96 F8 7D 9B 06 61 AB 39 53 86 A9 88 2816 00030: C2 99 76 08 E6 D3 CF 0C 10 F9 73 8D 07 40 C8 A3 2817 00040: CD 06 D9 16 B5 D9 57 B9 8D 0D 51 BB F2 49 77 
AB 2818 00050: 45 71 E6 F0 0E 81 0F F8 DD E4 33 BF 0A F4 20 90 2819 00060: C2 3A E1 BF CC B4 37 B3 2821 OMAC-ACPKM-Master mode with AES-256 2822 *********************************** 2823 k = 256 2824 n = 128 2825 c for the CTR-ACPKM mode = 64 2826 N = 256 2827 T* = 768 2829 Initial key K: 2830 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2831 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2833 Plaintext M: 2834 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2835 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2836 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2837 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2838 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2840 K^1 | K^1_1 | K^2 | K^2_1 | K^3 | K^3_1: 2841 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2842 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2843 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2844 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2845 00040: 9D CC 66 42 0D FF 45 5B 21 F3 93 F0 D4 D6 6E 67 2846 00050: BB 1B 06 0B 87 66 6D 08 7A 9D A7 49 55 C3 5B 48 2847 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2848 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2849 00080: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07 2851 Section_1 2853 K^1: 2854 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2855 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2857 K^1_1: 2858 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2859 Plaintext block M_1: 2860 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2862 Input block M_1 (xor) C_0: 2863 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2865 Output block C_1: 2866 00000: 0B A5 89 BF 55 C1 15 42 53 08 89 76 A0 FE 24 3E 2868 Plaintext block M_2: 2869 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2871 Input block M_2 (xor) C_1: 2872 00000: 0B B4 AB 8C 11 94 73 35 DB 91 23 CD 6C 10 DB 34 2874 Output block C_2: 2875 
00000: 1C 53 DD A3 6D DC E1 17 ED 1F 14 09 D8 6A F3 2C 2877 Section_2 2879 K^2: 2880 00000: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2881 00010: 9D CC 66 42 0D FF 45 5B 21 F3 93 F0 D4 D6 6E 67 2883 K^2_1: 2884 00000: BB 1B 06 0B 87 66 6D 08 7A 9D A7 49 55 C3 5B 48 2886 Plaintext block M_3: 2887 00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2889 Input block M_3 (xor) C_2: 2890 00000: 0D 71 EE E7 38 BA 96 9F 74 B5 AF C5 36 95 F9 2C 2892 Output block C_3: 2893 00000: 4E D4 BC A6 CE 6D 6D 16 F8 63 85 13 E0 48 59 75 2895 Plaintext block M_4: 2896 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2898 Input block M_4 (xor) C_3: 2899 00000: 6C E7 F8 F3 A8 1A E5 8F 52 D8 49 FD 1F 42 59 64 2901 Output block C_4: 2902 00000: B6 83 E3 96 FD 30 CD 46 79 C1 8B 24 03 82 1D 81 2904 Section_3 2906 K^3: 2908 00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2909 00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2911 K^3_1: 2912 00000: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07 2914 MSB1(K1) == 0 -> K2 = K1 << 1 2916 K1: 2917 00000: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07 2919 K2: 2920 00000: F0 43 8F 8E D9 7A F2 C6 AD 59 F1 1C D2 D4 00 0E 2922 Plaintext M_5: 2923 00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2925 Using K1, padding is not required 2927 Input block M_5 (xor) C_4: 2928 00000: FD E6 71 37 E6 05 2D 8F 94 A1 9D 55 60 E8 0C A4 2930 Output block C_5: 2931 00000: B3 AD B8 92 18 32 05 4C 09 21 E7 B8 08 CF A0 B8 2933 Message authentication code T: 2934 00000: B3 AD B8 92 18 32 05 4C 09 21 E7 B8 08 CF A0 B8 2936 Appendix B. 
Contributors 2938 o Russ Housley 2939 Vigil Security, LLC 2940 housley@vigilsec.com 2942 o Evgeny Alekseev 2943 CryptoPro 2944 alekseev@cryptopro.ru 2946 o Ekaterina Smyshlyaeva 2947 CryptoPro 2948 ess@cryptopro.ru 2950 o Shay Gueron 2951 University of Haifa, Israel 2952 Intel Corporation, Israel Development Center, Israel 2953 shay.gueron@gmail.com 2955 o Daniel Fox Franke 2956 Akamai Technologies 2957 dfoxfranke@gmail.com 2959 o Lilia Ahmetzyanova 2960 CryptoPro 2961 lah@cryptopro.ru 2963 Appendix C. Acknowledgments 2965 We thank Mihir Bellare, Scott Fluhrer, Dorothy Cooley, Yoav Nir, Jim 2966 Schaad, Paul Hoffman, Dmitry Belyavsky, Yaron Sheffer, Alexey 2967 Melnikov and Spencer Dawkins for their useful comments. 2969 Author's Address 2971 Stanislav Smyshlyaev (editor) 2972 CryptoPro 2973 18, Suschevskiy val 2974 Moscow 127018 2975 Russian Federation 2977 Phone: +7 (495) 995-48-20 2978 Email: svs@cryptopro.ru
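Added consistency check for the CTR-ACPKM-Master test vectors of Appendix A.2.2 (example code, not part of the draft): it parses the draft's "offset: hex bytes" dump layout and verifies the stated relation C = P (xor) MSB_{|P|}(G) and the CTR_i block layout read off the listed input blocks, without needing an AES implementation. Function names are the example's own; the vectors are copied from the section above.

```python
# Added example (not from the draft): check the CTR-ACPKM-Master vectors
# for internal consistency using only the relations the appendix states.
# No AES is needed: G is taken from the dump and checked against P and C.

def parse_dump(dump: str) -> bytes:
    """Parse lines like '00010: F6 A6 ...' into bytes, checking offsets."""
    out = bytearray()
    for line in dump.strip().splitlines():
        offset, hexpart = line.split(":", 1)
        if int(offset, 16) != len(out):
            raise ValueError(f"offset {offset} does not match {len(out):05X}")
        out += bytes.fromhex(hexpart)
    return bytes(out)

def ctr_block(icn: bytes, i: int, n_bytes: int = 16) -> bytes:
    """CTR_i as the vectors show it: MSB_{n/2}(ICN) followed by the
    counter value i-1 in the low n/2 bits (CTR_1 ends in 0, CTR_7 in 6)."""
    half = n_bytes // 2
    return icn[:half] + (i - 1).to_bytes(half, "big")

def ctr_check(p: bytes, g: bytes, c: bytes) -> bool:
    """Verify C = P (xor) MSB_{|P|}(G); G may run past the end of P."""
    if len(g) < len(p) or len(c) != len(p):
        return False
    return bytes(x ^ y for x, y in zip(p, g)) == c

# Vectors copied from the CTR-ACPKM-Master section of Appendix A.2.2.
ICN = bytes.fromhex("1234567890ABCEF0A1B2C3D4E5F00112")
P = parse_dump("""
00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33
00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44""")
G = parse_dump("""
00000: 8C A2 B6 82 A7 50 65 3F 8E BF 08 E7 9F 99 4D 5C
00010: F6 A6 A5 BA 58 14 1E ED 23 DC 31 68 D2 35 89 A1
00020: 4A 07 5F 86 05 87 72 94 1D 8E 7D F8 32 F4 23 71
00030: 23 35 66 AF 61 DD FE A7 B1 68 3F BA B0 52 4A D7
00040: A8 09 6D BC E8 BB 52 FC DE 6E 03 70 C1 66 95 E8
00050: C6 E3 6E 8E 5B 82 AA C4 A6 6C 14 8D B1 F6 9B EF
00060: 82 2B E9 07 96 37 44 95 75 36 3F A7 07 F8 40 22""")
C = parse_dump("""
00000: 9D 80 85 C6 F2 36 12 3F 71 51 D5 2B 24 33 D4 D4
00010: F6 B7 87 89 1C 41 78 9A AB 45 9B D3 1E DB 76 AB
00020: 5B 25 6C C2 50 E1 05 1C 84 24 C6 34 DC 0B 29 71
00030: 01 06 22 FA 07 AA 76 3E 1B D3 F3 54 4F 58 4A C6
00040: 9B 4D 38 DA 9F 33 CB 56 65 A2 ED 8F CB 66 84 CA
00050: 82 B6 08 F9 D3 1B 00 7F 6A 82 EB 87 B1 E7 B9 DC
00060: D7 4D 9E 8F 0F 9D FF 59 9B C9 35 A7 16 DA 73 66""")

if __name__ == "__main__":
    print("C = P xor MSB(G):", ctr_check(P, G, C))
    print("CTR_7 =", ctr_block(ICN, 7).hex().upper())
```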