idnits 2.17.1 draft-irtf-cfrg-re-keying-17.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 31, 2019) is 1792 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '1' on line 1330 ** Obsolete normative reference: RFC 6347 (ref. 'DTLS') (Obsoleted by RFC 9147) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 CFRG S. Smyshlyaev, Ed. 3 Internet-Draft CryptoPro 4 Intended status: Informational May 31, 2019 5 Expires: December 2, 2019 7 Re-keying Mechanisms for Symmetric Keys 8 draft-irtf-cfrg-re-keying-17 10 Abstract 12 A certain maximum amount of data can be safely encrypted when 13 encryption is performed under a single key. This amount is called 14 "key lifetime". This specification describes a variety of methods to 15 increase the lifetime of symmetric keys. It provides two types of 16 re-keying mechanisms based on hash functions and on block ciphers, 17 that can be used with modes of operations such as CTR, GCM, CBC, CFB 18 and OMAC. 20 This document is a product of the Crypto Forum Research Group (CFRG) 21 in the IRTF. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on December 2, 2019. 40 Copyright Notice 42 Copyright (c) 2019 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (https://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 58 2. Conventions Used in This Document . . . . . . . . . . . . . . 6 59 3. Basic Terms and Definitions . . . . . . . . . . . . . . . . . 6 60 4. Choosing Constructions and Security Parameters . . . . . . . 8 61 5. External Re-keying Mechanisms . . . . . . . . . . . . . . . . 10 62 5.1. Methods of Key Lifetime Control . . . . . . . . . . . . . 13 63 5.2. Parallel Constructions . . . . . . . . . . . . . . . . . 13 64 5.2.1. Parallel Construction Based on a KDF on a Block 65 Cipher . . . . . . . . . . . . . . . . . . . . . . . 14 66 5.2.2. Parallel Construction Based on a KDF on a Hash 67 Function . . . . . . . . . . . . . . . . . . . . . . 14 68 5.2.3. Tree-based Construction . . . . . . . . . . . . . . . 15 69 5.3. Serial Constructions . . . . . . . . . . . . . . . . . . 16 70 5.3.1. Serial Construction Based on a KDF on a Block Cipher 17 71 5.3.2. Serial Construction Based on a KDF on a Hash Function 18 72 5.4. Using Additional Entropy during Re-keying . . . . . . . . 18 73 6. Internal Re-keying Mechanisms . . . . . . . . . . . . . . . . 19 74 6.1. Methods of Key Lifetime Control . . . . . . . . . . . . . 21 75 6.2. Constructions that Do Not Require Master Key . . . . . . 22 76 6.2.1. ACPKM Re-keying Mechanisms . . . . . . . . . . . . . 22 77 6.2.2. CTR-ACPKM Encryption Mode . . . . . . . . . . . . . . 24 78 6.2.3. GCM-ACPKM Authenticated Encryption Mode . . . . . . . 26 79 6.3. Constructions that Require Master Key . . . . . . . . . . 28 80 6.3.1. ACPKM-Master Key Derivation from the Master Key . . . 29 81 6.3.2. CTR-ACPKM-Master Encryption Mode . . . . . . . . . . 31 82 6.3.3. GCM-ACPKM-Master Authenticated Encryption Mode . . . 33 83 6.3.4. CBC-ACPKM-Master Encryption Mode . . . . . . . . . . 35 84 6.3.5. CFB-ACPKM-Master Encryption Mode . . . . . . . . . . 38 85 6.3.6. OMAC-ACPKM-Master Authentication Mode . . . . . . . . 40 86 7. Joint Usage of External and Internal Re-keying . . . . . . . 41 87 8. Security Considerations . . . . . . . . . . . . . . . . . . . 42 88 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 89 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 90 10.1. Normative References . . . . . . . . . . . . . . . . . . 43 91 10.2. Informative References . . . . . . . . . . . . . . . . . 44 92 Appendix A. Test Examples . . . . . . . . . . . . . . . . . . . 46 93 A.1. Test Examples for External Re-keying . . . . . . . . . . 46 94 A.1.1. External Re-keying with a Parallel Construction . . . 46 95 A.1.2. External Re-keying with a Serial Construction . . . . 48 96 A.2. Test Examples for Internal Re-keying . . . . . . . . . . 51 97 A.2.1. Internal Re-keying Mechanisms that Do Not Require 98 Master Key . . . . . . . . . . . . . . . . . . . . . 51 99 A.2.2. Internal Re-keying Mechanisms with a Master Key . . . 55 100 Appendix B. Contributors . . . . . . . . . . . . . . . . . . . . 67 101 Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 68 102 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 68 104 1. Introduction 106 A certain maximum amount of data can be safely encrypted when 107 encryption is performed under a single key. Hereinafter this amount 108 will be referred to as "key lifetime". The need for such a 109 limitation is dictated by the following methods of cryptanalysis: 111 1. Methods based on the combinatorial properties of the used block 112 cipher mode of operation 114 These methods do not depend on the underlying block cipher. 115 Common modes restrictions derived from such methods are of order 116 2^{n/2}, where n is a block size defined in Section 3. [Sweet32] 117 is an example of attack that is based on such methods. 119 2. Methods based on side-channel analysis issues 121 In most cases these methods do not depend on the used encryption 122 modes and weakly depend on the used block cipher features. 123 Limitations resulting from these considerations are usually the 124 most restrictive ones. [TEMPEST] is an example of attack that is 125 based on such methods. 127 3. Methods based on the properties of the used block cipher 129 The most common methods of this type are linear and differential 130 cryptanalysis [LDC]. In most cases these methods do not depend on 131 the used modes of operation. In case of secure block ciphers, 132 bounds resulting from such methods are roughly the same as the 133 natural bounds of 2^n, and are dominated by the other bounds 134 above. Therefore, they can be excluded from the considerations 135 here. 137 As a result, it is important to replace a key when the total size of 138 the processed plaintext under that key approaches the lifetime 139 limitation. A specific value of the key lifetime should be 140 determined in accordance with some safety margin for protocol 141 security and the methods outlined above. 143 Suppose L is a key lifetime limitation in some protocol P. For 144 simplicity, assume that all messages have the same length m. Hence, 145 the number of messages q that can be processed with a single key K 146 should be such that m * q <= L. This can be depicted graphically as 147 a rectangle with sides m and q which is enclosed by area L (see 148 Figure 1). 150 +------------------------+ 151 | L | 152 | +--------m---------+ | 153 | |==================| | 154 | |==================| | 155 | q==================| | m * q <= L 156 | |==================| | 157 | |==================| | 158 | +------------------+ | 159 +------------------------+ 161 Figure 1: Graphic display of the key lifetime limitation 163 In practice, such amount of data that corresponds to limitation L may 164 not be enough. The simplest and obvious way in this situation is a 165 regular renegotiation of an initial key after processing this 166 threshold amount of data L. However, this reduces the total 167 performance, since it usually entails termination of application data 168 transmission, additional service messages, the use of random number 169 generator and many other additional calculations, including resource- 170 intensive public key cryptography. 172 For the protocols based on block ciphers or stream ciphers a more 173 efficient way to increasing the key lifetime is to use various re- 174 keying mechanisms. This specification considers only the case of re- 175 keying mechanisms for block ciphers, while re-keying mechanisms 176 typical for stream ciphers (e.g., [Pietrzak2009], [FPS2012]) case go 177 beyond the scope of this document. 179 Re-keying mechanisms can be applied on the different protocol levels: 180 on the block cipher level (this approach is known as fresh re-keying 181 and is described, for instance, in [FRESHREKEYING]), on the block 182 cipher mode of operation level (see Section 6), on the protocol level 183 above the block cipher mode of operation (see Section 5). The usage 184 of the first approach is highly inefficient due to the key changing 185 after processing each message block. Moreover, fresh re-keying 186 mechanisms can change the block cipher internal structure, and, 187 consequently, can require the additional security analysis for each 188 particular block cipher. As a result, this approach depends on 189 particular primitive properties and can not be applied to any 190 arbitrary block cipher without additional security analysis, 191 therefore, fresh re-keying mechanisms go beyond the scope of this 192 document. 194 Thus, this document contains the list of recommended re-keying 195 mechanisms that can be used in the symmetric encryption schemes based 196 on the block ciphers. These mechanisms are independent from the 197 particular block cipher specification and their security properties 198 rely only on the standard block cipher security assumption. 200 This specification presents two basic approaches to extend the 201 lifetime of a key while avoiding renegotiation that were introduced 202 in [AAOS2017]: 204 1. External re-keying 206 External re-keying is performed by a protocol, and it is 207 independent of the underlying block cipher and the mode of 208 operation. External re-keying can use parallel and serial 209 constructions. In the parallel case, data processing keys K^1, 210 K^2, ... are generated directly from the initial key K 211 independently of each other. In the serial case, every data 212 processing key depends on the state that is updated after the 213 generation of each new data processing key. 215 As a generalization of external parallel re-keying an external 216 tree-based mechanism can be considered. It is specified in the 217 Section 5.2.3 and can be viewed as the [GGM] tree generalization. 218 Similar constructions are used in the one-way tree mechanism 219 ([OWT]) and [AESDUKPT] standard. 221 2. Internal re-keying 223 Internal re-keying is built into the mode, and it depends heavily 224 on the properties of the mode of operation and the block size. 226 The re-keying approaches extend the key lifetime for a single initial 227 key by providing the possibility to limit the leakages (via side 228 channels) and by improving combinatorial properties of the used block 229 cipher mode of operation. 231 In practical applications, re-keying can be useful for protocols that 232 need to operate in hostile environments or under restricted resource 233 conditions (e.g., that require lightweight cryptography, where 234 ciphers have a small block size, that imposes strict combinatorial 235 limitations). Moreover, mechanisms that use external or internal re- 236 keying may provide some protection against possible future attacks 237 (by limiting the number of plaintext-ciphertext pairs that an 238 adversary can collect) and some properties of forward or backward 239 security (meaning that past or future data processing keys remain 240 secure even if the current key is compromised, see for more details 241 [AbBell]). External or internal re-keying can be used in network 242 protocols as well as in the systems for data-at-rest encryption. 244 Depending on the concrete protocol characteristics there might be 245 situations in which both external and internal re-keying mechanisms 246 (see Section 7) can be applied. For example, the similar approach 247 was used in the Taha's tree construction (see [TAHA]). 249 Note that there are key updating (key regression) algorithms (e.g., 250 [FKK2005] and [KMNT2003]) which are called "re-keying" as well, but 251 they pursue the goal different from increasing key lifetime. 252 Therefore, key regression algorithms are excluded from the 253 considerations here. 255 This document represents the consensus of the Crypto Forum Research 256 Group (CFRG). 258 2. Conventions Used in This Document 260 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 261 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 262 document are to be interpreted as described in [RFC2119]. 264 3. Basic Terms and Definitions 266 This document uses the following terms and definitions for the sets 267 and operations on the elements of these sets: 269 V* the set of all bit strings of a finite length (hereinafter 270 referred to as strings), including the empty string; 272 V_s the set of all bit strings of length s, where s is a non- 273 negative integer; 275 |X| the bit length of the bit string X; 277 A | B concatenation of strings A and B both belonging to V*, i.e., 278 a string in V_{|A|+|B|}, where the left substring in V_|A| is 279 equal to A, and the right substring in V_|B| is equal to B; 281 (xor) exclusive-or of two bit strings of the same length; 283 Z_{2^n} ring of residues modulo 2^n; 284 Int_s: V_s -> Z_{2^s} the transformation that maps a string a = 285 (a_s, ... , a_1) in V_s into the integer Int_s(a) = 2^{s-1} * 286 a_s + ... + 2 * a_2 + a_1 (the interpretation of the binary 287 string as an integer); 289 Vec_s: Z_{2^s} -> V_s the transformation inverse to the mapping 290 Int_s (the interpretation of an integer as a binary string); 292 MSB_i: V_s -> V_i the transformation that maps the string a = (a_s, 293 ... , a_1) in V_s into the string MSB_i(a) = (a_s, ... , 294 a_{s-i+1}) in V_i (most significant bits); 296 LSB_i: V_s -> V_i the transformation that maps the string a = (a_s, 297 ... , a_1) in V_s into the string LSB_i(a) = (a_i, ... , a_1) 298 in V_i (least significant bits); 300 Inc_c: V_s -> V_s the transformation that maps the string a = (a_s, 301 ... , a_1) in V_s into the string Inc_c(a) = MSB_{|a|-c}(a) | 302 Vec_c(Int_c(LSB_c(a)) + 1(mod 2^c)) in V_s (incrementing the 303 least significant c bits of the bit string, regarded as the 304 binary representation of an integer); 306 a^s the string in V_s that consists of s 'a' bits; 308 E_{K}: V_n -> V_n the block cipher permutation under the key K in 309 V_k; 311 ceil(x) the smallest integer that is greater than or equal to x; 313 floor(x) the biggest integer that is less than or equal to x; 315 k the bit-length of the K; k is assumed to be divisible by 8; 317 n the block size of the block cipher (in bits); n is assumed to 318 be divisible by 8; 320 b the number of data blocks in the plaintext P (b = 321 ceil(|P|/n)); 323 N the section size (the number of bits that are processed with 324 one section key before this key is transformed). 326 A plaintext message P and the corresponding ciphertext C are divided 327 into b = ceil(|P|/n) blocks, denoted P = P_1 | P_2 | ... | P_b and C 328 = C_1 | C_2 | ... | C_b, respectively. The first b-1 blocks P_i and 329 C_i are in V_n, for i = 1, 2, ... , b-1. The b-th blocks P_b, C_b 330 may be an incomplete blocks, i.e., in V_r, where r <= n if not 331 otherwise specified. 333 4. Choosing Constructions and Security Parameters 335 External re-keying is an approach assuming that a key is transformed 336 after encrypting a limited number of entire messages. External re- 337 keying method is chosen at the protocol level, regardless of the 338 underlying block cipher or the encryption mode. External re-keying 339 is recommended for protocols that process relatively short messages 340 or for protocols that have a way to divide a long message into 341 manageable pieces. Through external re-keying the number of messages 342 that can be securely processed with a single initial key K is 343 substantially increased without loss in message length. 345 External re-keying has the following advantages: 347 1. it increases the lifetime of an initial key by increasing the 348 number of messages processed with this key; 350 2. it has minimal impact on performance, when the number of messages 351 processed under one initial key is sufficiently large; 353 3. it provides forward and backward security of data processing 354 keys. 356 However, the use of external re-keying has the following 357 disadvantage: in case of restrictive key lifetime limitations the 358 message sizes can become inconvenient due to impossibility of 359 processing sufficiently large messages, so it could be necessary to 360 perform additional fragmentation at the protocol level. E.g. if the 361 key lifetime L is 1 GB and the message length m = 3 GB, then this 362 message cannot be processed as a whole and it should be divided into 363 three fragments that will be processed separately. 365 Internal re-keying is an approach assuming that a key is transformed 366 during each separate message processing. Such procedures are 367 integrated into the base modes of operations, so every internal re- 368 keying mechanism is defined for the particular operation mode and the 369 block size of the used cipher. Internal re-keying is recommended for 370 protocols that process long messages: the size of each single message 371 can be substantially increased without loss in number of messages 372 that can be securely processed with a single initial key. 374 Internal re-keying has the following advantages: 376 1. it increases the lifetime of an initial key by increasing the 377 size of the messages processed with one initial key; 379 2. it has minimal impact on performance; 380 3. internal re-keying mechanisms without a master key does not 381 affect short messages transformation at all; 383 4. it is transparent (works like any mode of operation): does not 384 require changes of IV's and restarting MACing. 386 However, the use of internal re-keying has the following 387 disadvantages: 389 1. a specific method must not be chosen independently of a mode of 390 operation; 392 2. internal re-keying mechanisms without a master key do not provide 393 backward security of data processing keys. 395 Any block cipher modes of operations with internal re-keying can be 396 jointly used with any external re-keying mechanisms. Such joint 397 usage increases both the number of messages processed with one 398 initial key and their maximum possible size. 400 If the adversary has access to the data processing interface the use 401 of the same cryptographic primitives both for data processing and re- 402 keying transformation decreases the code size but can lead to some 403 possible vulnerabilities (the possibility of mounting a chosen- 404 plaintext attack may lead to the compromise of the following keys). 405 This vulnerability can be eliminated by using different primitives 406 for data processing and re-keying, e.g., block cipher for data 407 processing and hash for re-keying (see Section 5.2.2 and 408 Section 5.3.2). However, in this case the security of the whole 409 scheme cannot be reduced to standard notions like PRF or PRP, so 410 security estimations become more difficult and unclear. 412 Summing up the above-mentioned issues briefly: 414 1. If a protocol assumes processing long records (e.g., [CMS]), 415 internal re-keying should be used. If a protocol assumes 416 processing a significant amount of ordered records, which can be 417 considered as a single data stream (e.g., [TLS], [SSH]), internal 418 re-keying may also be used. 420 2. For protocols which allow out-of-order delivery and lost records 421 (e.g., [DTLS], [ESP]) external re-keying should be used as in 422 this case records cannot be considered as a single data stream. 423 If at the same time records are long enough, internal re-keying 424 should be additionally used during each separate message 425 processing. 427 For external re-keying: 429 1. If it is desirable to separate transformations used for data 430 processing and for key update, hash function based re-keying 431 should be used. 433 2. If parallel data processing is required, then parallel external 434 re-keying should be used. 436 3. In case of restrictive key lifetime limitations external tree- 437 based re-keying should be used. 439 For internal re-keying: 441 1. If the property of forward and backward security is desirable for 442 data processing keys and if additional key material can be easily 443 obtained for the data processing stage, internal re-keying with a 444 master key should be used. 446 5. External Re-keying Mechanisms 448 This section presents an approach to increase the initial key 449 lifetime by using a transformation of a data processing key (frame 450 key) after processing a limited number of entire messages (frame). 451 It provides external parallel and serial re-keying mechanisms (see 452 [AbBell]). These mechanisms use initial key K only for frame keys 453 generation and never use it directly for data processing. Such 454 mechanisms operate outside of the base modes of operations and do not 455 change them at all, therefore they are called "external re-keying" 456 mechanisms in this document. 458 External re-keying mechanisms are recommended for usage in protocols 459 that process quite small messages, since the maximum gain in 460 increasing the initial key lifetime is achieved by increasing the 461 number of messages. 463 External re-keying increases the initial key lifetime through the 464 following approach. Suppose there is a protocol P with some mode of 465 operation (base encryption or authentication mode). Let L1 be a key 466 lifetime limitation induced by side-channel analysis methods (side- 467 channel limitation), let L2 be a key lifetime limitation induced by 468 methods based on the combinatorial properties of a used mode of 469 operation (combinatorial limitation) and let q1, q2 be the total 470 numbers of messages of length m, that can be safely processed with an 471 initial key K according to these limitations. 473 Let L = min(L1, L2), q = min (q1, q2), q * m <= L. As L1 limitation 474 is usually much stronger than L2 limitation (L1 < L2), the final key 475 lifetime restriction is equal to the most restrictive limitation L1. 477 Thus, as displayed in Figure 2, without re-keying only q1 (q1 * m <= 478 L1) messages can be safely processed. 480 <--------m-------> 481 +----------------+ ^ ^ 482 |================| | | 483 |================| | | 484 K-->|================| q1| 485 |================| | | 486 |==============L1| | | 487 +----------------+ v | 488 | | | 489 | | | 490 | | q2 491 | | | 492 | | | 493 | | | 494 | | | 495 | | | 496 | | | 497 | | | 498 | | | 499 | L2| | 500 +----------------+ v 502 Figure 2: Basic principles of message processing without 503 external re-keying 505 Suppose that the safety margin for the protocol P is fixed and the 506 external re-keying approach is applied to the initial key K to 507 generate the sequence of frame keys. The frame keys are generated in 508 such a way that the leakage of a previous frame key does not have any 509 impact on the following one, so the side channel limitation L1 goes 510 off. Thus, the resulting key lifetime limitation of the initial key 511 K can be calculated on the basis of a new combinatorial limitation 512 L2'. It is proven (see [AbBell]) that the security of the mode of 513 operation that uses external re-keying leads to an increase when 514 compared to base mode without re-keying (thus, L2 < L2'). Hence, as 515 displayed in Figure 3, the resulting key lifetime limitation in case 516 of using external re-keying can be increased up to L2'. 518 <--------m-------> 519 K +----------------+ 520 | |================| 521 v |================| 522 K^1--> |================| 523 | |================| 524 | |==============L1| 525 | +----------------+ 526 | |================| 527 v |================| 528 K^2--> |================| 529 | |================| 530 | |==============L1| 531 | +----------------+ 532 | |================| 533 v |================| 534 ... | . . . | 535 | | 536 | | 537 | L2| 538 +----------------+ 539 | | 540 ... ... 541 | L2'| 542 +----------------+ 544 Figure 3: Basic principles of message processing 545 with external re-keying 547 Note: the key transformation process is depicted in a simplified 548 form. A specific approach (parallel and serial) is described below. 550 Consider an example. Let the message size in a protocol P be equal 551 to 1 KB. Suppose L1 = 128 MB and L2 = 1 TB. Thus, if an external 552 re-keying mechanism is not used, the initial key K must be 553 renegotiated after processing 128 MB / 1 KB = 131072 messages. 555 If an external re-keying mechanism is used, the key lifetime 556 limitation L1 goes off. Hence the resulting key lifetime limitation 557 L2' can be set to more then 1 TB. Thus if an external re-keying 558 mechanism is used, more then 1 TB / 1 KB = 2^30 messages can be 559 processed before the initial key K is renegotiated. This is 8192 560 times greater than the number of messages that can be processed, when 561 external re-keying mechanism is not used. 563 5.1. Methods of Key Lifetime Control 565 Suppose L is an amount of data that can be safely processed with one 566 frame key. For i in {1, 2, ... , t} the frame key K^i (see Figure 4 567 and Figure 6) should be transformed after processing q_i messages, 568 where q_i can be calculated in accordance with one of the following 569 approaches: 571 Explicit approach: 573 q_i is such that |M^{i,1}| + ... + |M^{i,q_i}| <= L, |M^{i,1}| + 574 ... + |M^{i,q_i+1}| > L. 575 This approach allows to use the frame key K^i in almost optimal 576 way but it can be applied only in case when messages cannot be 577 lost or reordered (e.g., TLS records). 579 Implicit approach: 581 q_i = L / m_max, i = 1, ... , t. 582 The amount of data processed with one frame key K^i is calculated 583 under the assumption that every message has the maximum length 584 m_max. Hence this amount can be considerably less than the key 585 lifetime limitation L. On the other hand, this approach can be 586 applied in case when messages may be lost or reordered (e.g., DTLS 587 records). 589 Dynamic key changes: 591 We can organize the key change using the Protected Point to Point 592 ([P3]) solution by building a protected tunnel between the 593 endpoints in which the information about frame key updating can be 594 safely passed across. This can be useful, for example, when we 595 wish the adversary not to detect the key change during the 596 protocol evaluation. 598 5.2. Parallel Constructions 600 External parallel re-keying mechanisms generate frame keys K^1, K^2, 601 ... directly from the initial key K independently of each other. 603 The main idea behind external re-keying with a parallel construction 604 is presented in Figure 4: 606 Maximum message size = m_max. 607 _____________________________________________________________ 609 m_max 610 <----------------> 611 M^{1,1} |=== | 612 M^{1,2} |=============== | 613 +->K^1--> ... ... 614 | M^{1,q_1} |======== | 615 | 616 | 617 | M^{2,1} |================| 618 | M^{2,2} |===== | 619 K-----|->K^2--> ... ... 620 | M^{2,q_2} |========== | 621 | 622 ... 623 | M^{t,1} |============ | 624 | M^{t,2} |============= | 625 +->K^t--> ... ... 626 M^{t,q_t} |========== | 628 _____________________________________________________________ 630 Figure 4: External parallel re-keying mechanisms 632 The frame key K^i, i = 1, ... , t-1, is updated after processing a 633 certain amount of messages (see Section 5.1). 635 5.2.1. Parallel Construction Based on a KDF on a Block Cipher 637 ExtParallelC re-keying mechanism is based on the key derivation 638 function on a block cipher and is used to generate t frame keys as 639 follows: 641 K^1 | K^2 | ... | K^t = ExtParallelC(K, t * k) = MSB_{t * 642 k}(E_{K}(Vec_n(0)) | 643 E_{K}(Vec_n(1)) | ... | E_{K}(Vec_n(R - 1))), 645 where R = ceil(t * k/n). 647 5.2.2. Parallel Construction Based on a KDF on a Hash Function 649 ExtParallelH re-keying mechanism is based on the key derivation 650 function HKDF-Expand, described in [RFC5869], and is used to generate 651 t frame keys as follows: 653 K^1 | K^2 | ... | K^t = ExtParallelH(K, t * k) = HKDF-Expand(K, 654 label, t * k), 656 where label is a string (may be a zero-length string) that is defined 657 by a specific protocol. 659 5.2.3. Tree-based Construction 661 The application of external tree-based mechanism leads to the 662 construction of the key tree with the initial key K (root key) at the 663 0-level and the frame keys K^1, K^2, ... at the last level as 664 described in Figure 5. 666 K_root = K 667 ___________|___________ 668 | ... | 669 V V 670 K{1,1} K{1,W1} 671 ______|______ ______|______ 672 | ... | | ... | 673 V V V V 674 K{2,1} K{2,W2} K{2,(W1-1)*W2+1} K{2,W1*W2} 675 __|__ __|__ __|__ __|__ 676 | ... | | ... | | ... | | ... | 677 V V V V V V V V 678 K{3,1} ... ... ... ... ... ... K{3,W1*W2*W3} 680 ... ... 681 __|__ ... __|__ 682 | ... | | ... | 683 V V V V 684 K{h,1} K{h,Wh} K{h,(W1*...*W{h-1}-1)*Wh+1} K{h,W1*...*Wh} 685 // \\ // \\ 686 K^1 K^{Wh} K^{(W1*...*W{h-1}-1)*Wh+1} K^{W1*...*Wh} 687 ____________________________________________________________________ 689 Figure 5: External Tree-based Mechanism 691 The tree height h and the number of keys Wj, j in {1, ... , h}, which 692 can be partitioned from "parent" key, are defined in accordance with 693 a specific protocol and key lifetime limitations for the used 694 derivation functions. 696 Each j-level key K{j,w}, where j in {1, ... , h}, w in {1, ... , W1 * 697 ... * Wj}, is derived from the (j-1)-level "parent" key K{j-1,ceil(w/ 698 Wi)} (and other appropriate input data) using the j-th level 699 derivation function that can be based on the block cipher function or 700 on the hash function and that is defined in accordance with a 701 specific protocol. 703 The i-th frame K^i, i in {1, 2, ... , W1*...*Wh}, can be calculated 704 as follows: 706 K^i = ExtKeyTree(K, i) = KDF_h(KDF_{h-1}(... KDF_1(K, ceil(i / (W2 707 * ... * Wh)) ... , ceil(i / Wh)), i), 709 where KDF_j is the j-th level derivation function that takes two 710 arguments (the parent key value and the integer in range from 1 to W1 711 * ... * Wj) and outputs the j-th level key value. 713 The frame key K^i is updated after processing a certain amount of 714 messages (see Section 5.1). 716 In order to create an efficient implementation, during frame key K^i 717 generation the derivation functions KDF_j, j in {1, ... , h-1}, 718 should be used only in case when ceil(i / (W{j+1} * ... * Wh)) != 719 ceil((i - 1) / (W{j+1} * ... * Wh)); otherwise it is necessary to use 720 previously generated value. This approach also makes it possible to 721 take countermeasures against side channels attacks. 723 Consider an example. Suppose h = 3, W1 = W2 = W3 = W and KDF_1, 724 KDF_2, KDF_3 are key derivation functions based on the 725 KDF_GOSTR3411_2012_256 (hereafter simply KDF) function described in 726 [RFC7836]. The resulting ExtKeyTree function can be defined as 727 follows: 729 ExtKeyTree(K, i) = KDF(KDF(KDF(K, "level1", ceil(i / W^2)), 730 "level2", ceil(i / W)), "level3", i). 732 where i in {1, 2, ... , W^3}. 734 The structure similar to external tree-based mechanism can be found 735 in Section 6 of [NISTSP800-108]. 737 5.3. Serial Constructions 739 External serial re-keying mechanisms generate frame keys, each of 740 which depends on the secret state (K*_1, K*_2, ..., see Figure 6) 741 that is updated after the generation of each new frame key. Similar 742 approaches are used in the [SIGNAL] protocol, in the [TLS] updating 743 traffic keys mechanism and were proposed for use in the [U2F] 744 protocol. 746 External serial re-keying mechanisms have the obvious disadvantage of 747 the impossibility to be implemented in parallel, but they can be 748 preferred if additional forward secrecy is desirable: in case all 749 keys are securely deleted after usage, compromise of a current secret 750 state at some time does not lead to a compromise of all previous 751 secret states and frame keys. In terms of [TLS], compromise of 752 application_traffic_secret_N does not compromise all previous 753 application_traffic_secret_i, i < N. 755 The main idea behind external re-keying with a serial construction is 756 presented in Figure 6: 758 Maximum message size = m_max. 759 _____________________________________________________________ 760 m_max 761 <----------------> 762 M^{1,1} |=== | 763 M^{1,2} |=============== | 764 K*_1 = K --->K^1--> ... ... 765 | M^{1,q_1} |======== | 766 | 767 | 768 | M^{2,1} |================| 769 v M^{2,2} |===== | 770 K*_2 ------->K^2--> ... ... 771 | M^{2,q_2} |========== | 772 | 773 ... 774 | M^{t,1} |============ | 775 v M^{t,2} |============= | 776 K*_t ------->K^t--> ... ... 777 M^{t,q_t} |========== | 779 _____________________________________________________________ 781 Figure 6: External serial re-keying mechanisms 783 The frame key K^i, i = 1, ... , t - 1, is updated after processing a 784 certain amount of messages (see Section 5.1). 786 5.3.1. Serial Construction Based on a KDF on a Block Cipher 788 The frame key K^i is calculated using ExtSerialC transformation as 789 follows: 791 K^i = ExtSerialC(K, i) = 792 MSB_k(E_{K*_i}(Vec_n(0)) |E_{K*_i}(Vec_n(1)) | ... | 793 E_{K*_i}(Vec_n(J - 1))), 795 where J = ceil(k / n), i = 1, ... , t, K*_i is calculated as follows: 797 K*_1 = K, 799 K*_{j+1} = MSB_k(E_{K*_j}(Vec_n(J)) | E_{K*_j}(Vec_n(J + 1)) | 800 ... | 801 E_{K*_j}(Vec_n(2 * J - 1))), 803 where j = 1, ... , t - 1. 805 5.3.2. Serial Construction Based on a KDF on a Hash Function 807 The frame key K^i is calculated using ExtSerialH transformation as 808 follows: 810 K^i = ExtSerialH(K, i) = HKDF-Expand(K*_i, label1, k), 812 where i = 1, ... , t, HKDF-Expand is the HMAC-based key derivation 813 function, described in [RFC5869], K*_i is calculated as follows: 815 K*_1 = K, 817 K*_{j+1} = HKDF-Expand(K*_j, label2, k), where j = 1, ... , t - 1, 819 where label1 and label2 are different strings from V* that are 820 defined by a specific protocol (see, for example, TLS 1.3 updating 821 traffic keys algorithm [TLS]). 823 5.4. Using Additional Entropy during Re-keying 825 In many cases using additional entropy during re-keying won't 826 increase security, but may give a false sense of that, therefore one 827 can rely on additional entropy only after conducting a deep security 828 analysis. For example, good PRF constructions do not require 829 additional entropy for the quality of keys, so in most cases there is 830 no need for using additional entropy with external re-keying 831 mechanisms based on secure KDFs. However, in some situations mixed- 832 in entropy can still increase security in the case of a time-limited 833 but complete breach of the system, when an adversary can access the 834 frame keys generation interface, but cannot reveal master keys (e.g., 835 when master keys are stored in an HSM). 837 For example, an external parallel construction based on a KDF on a 838 Hash function with a mixed-in entropy can be described as follows: 840 K^i = HKDF-Expand(K, label_i, k), 842 where label_i is additional entropy that must be sent to the 843 recipient (e.g., be sent jointly with encrypted message). The 844 entropy label_i and the corresponding key K^i must be generated 845 directly before message processing. 847 6. Internal Re-keying Mechanisms 849 This section presents an approach to increase the key lifetime by 850 using a transformation of a data processing key (section key) during 851 each separate message processing. Each message is processed starting 852 with the same key (the first section key) and each section key is 853 updated after processing N bits of message (section). 855 This section provides internal re-keying mechanisms called ACPKM 856 (Advanced Cryptographic Prolongation of Key Material) and ACPKM- 857 Master that do not use a master key and use a master key 858 respectively. Such mechanisms are integrated into the base modes of 859 operation and actually form new modes of operation, therefore they 860 are called "internal re-keying" mechanisms in this document. 862 Internal re-keying mechanisms are recommended to be used in protocols 863 that process large single messages (e.g., CMS messages), since the 864 maximum gain in increasing the key lifetime is achieved by increasing 865 the length of a message, while it provides almost no increase in the 866 number of messages that can be processed with one initial key. 868 Internal re-keying increases the key lifetime through the following 869 approach. Suppose protocol P uses some base mode of operation. Let 870 L1 and L2 be a side channel and combinatorial limitations 871 respectively and for some fixed amount of messages q let m1, m2 be 872 the lengths of messages, that can be safely processed with a single 873 initial key K according to these limitations. 875 Thus, by analogy with the Section 5 without re-keying the final key 876 lifetime restriction, as displayed in Figure 7, is equal to L1 and 877 only q messages of the length m1 can be safely processed. 879 K 880 | 881 v 882 ^ +----------------+------------------------------------+ 883 | |==============L1| L2| 884 | |================| | 885 q |================| | 886 | |================| | 887 | |================| | 888 v +----------------+------------------------------------+ 889 <-------m1-------> 890 <----------------------------m2-----------------------> 892 Figure 7: Basic principles of message processing 893 without internal re-keying 895 Suppose that the safety margin for the protocol P is fixed and 896 internal re-keying approach is applied to the base mode of operation. 897 Suppose further that every message is processed with a section key, 898 which is transformed after processing N bits of data, where N is a 899 parameter. If q * N does not exceed L1 then the side channel 900 limitation L1 goes off and the resulting key lifetime limitation of 901 the initial key K can be calculated on the basis of a new 902 combinatorial limitation L2'. The security of the mode of operation 903 that uses internal re-keying increases when compared to base mode of 904 operation without re-keying (thus, L2 < L2'). Hence, as displayed in 905 Figure 8, the resulting key lifetime limitation in case of using 906 internal re-keying can be increased up to L2'. 908 K-----> K^1-------------> K^2 -----------> . . . 909 | | 910 v v 911 ^ +---------------+---------------+------------------+--...--+ 912 | |=============L1|=============L1|====== L2| L2'| 913 | |===============|===============|====== | | 914 q |===============|===============|====== . . . | | 915 | |===============|===============|====== | | 916 | |===============|===============|====== | | 917 v +---------------+---------------+------------------+--...--+ 918 <-------N-------> 920 Figure 8: Basic principles of message processing 921 with internal re-keying 923 Note: the key transformation process is depicted in a simplified 924 form. A specific approach (ACPKM and ACPKM-Master re-keying 925 mechanisms) is described below. 927 Since the performance of encryption can slightly decrease for rather 928 small values of N, the parameter N should be selected for a 929 particular protocol as maximum possible to provide necessary key 930 lifetime for the considered security models. 932 Consider an example. Suppose L1 = 128 MB and L2 = 10 TB. Let the 933 message size in the protocol be large/unlimited (may exhaust the 934 whole key lifetime L2). The most restrictive resulting key lifetime 935 limitation is equal to 128 MB. 937 Thus, there is a need to put a limit on the maximum message size 938 m_max. For example, if m_max = 32 MB, it may happen that the 939 renegotiation of initial key K would be required after processing 940 only four messages. 942 If an internal re-keying mechanism with section size N = 1 MB is 943 used, more than L1 / N = 128 MB / 1 MB = 128 messages can be 944 processed before the renegotiation of initial key K (instead of 4 945 messages in case when an internal re-keying mechanism is not used). 946 Note that only one section of each message is processed with the 947 section key K^i, and, consequently, the key lifetime limitation L1 948 goes off. Hence the resulting key lifetime limitation L2' can be set 949 to more then 10 TB (in the case when a single large message is 950 processed using the initial key K). 952 6.1. Methods of Key Lifetime Control 954 Suppose L is an amount of data that can be safely processed with one 955 section key, N is a section size (fixed parameter). Suppose M^{i}_1 956 is the first section of message M^{i}, i = 1, ... , q (see Figure 9 957 and Figure 10), then the parameter q can be calculated in accordance 958 with one of the following two approaches: 960 o Explicit approach: 961 q_i is such that |M^{1}_1| + ... + |M^{q}_1| <= L, |M^{1}_1| + ... 962 + |M^{q+1}_1| > L 963 This approach allows to use the section key K^i in an almost 964 optimal way but it can be applied only in case when messages 965 cannot be lost or reordered (e.g., TLS records). 967 o Implicit approach: 968 q = L / N. 969 The amount of data processed with one section key K^i is 970 calculated under the assumption that the length of every message 971 is equal or greater than section size N and so it can be 972 considerably less than the key lifetime limitation L. On the 973 other hand, this approach can be applied in case when messages may 974 be lost or reordered (e.g., DTLS records). 976 6.2. Constructions that Do Not Require Master Key 978 This section describes the block cipher modes that use the ACPKM re- 979 keying mechanism, which does not use a master key: an initial key is 980 used directly for the data encryption. 982 6.2.1. ACPKM Re-keying Mechanisms 984 This section defines periodical key transformation without a master 985 key, which is called ACPKM re-keying mechanism. This mechanism can 986 be applied to one of the base encryption modes (CTR and GCM block 987 cipher modes) for getting an extension of this encryption mode that 988 uses periodical key transformation without a master key. This 989 extension can be considered as a new encryption mode. 991 An additional parameter that defines functioning of base encryption 992 modes with the ACPKM re-keying mechanism is the section size N. The 993 value of N is measured in bits and is fixed within a specific 994 protocol based on the requirements of the system capacity and the key 995 lifetime. The section size N MUST be divisible by the block size n. 997 The main idea behind internal re-keying without a master key is 998 presented in Figure 9: 1000 Section size = const = N, 1001 maximum message size = m_max. 1002 ____________________________________________________________________ 1004 ACPKM ACPKM ACPKM 1005 K^1 = K ---> K^2 ---...-> K^{l_max-1} ----> K^{l_max} 1006 | | | | 1007 | | | | 1008 v v v v 1009 M^{1} |==========|==========| ... |==========|=======: | 1010 M^{2} |==========|==========| ... |=== | : | 1011 . . . . . . : 1012 : : : : : : : 1013 M^{q} |==========|==========| ... |==========|===== : | 1014 section : 1015 <----------> m_max 1016 N bit 1017 ___________________________________________________________________ 1018 l_max = ceil(m_max/N). 1020 Figure 9: Internal re-keying without a master key 1022 During the processing of the input message M with the length m in 1023 some encryption mode that uses ACPKM key transformation of the 1024 initial key K the message is divided into l = ceil(m / N) sections 1025 (denoted as M = M_1 | M_2 | ... | M_l, where M_i is in V_N for i in 1026 {1, 2, ... , l - 1} and M_l is in V_r, r <= N). The first section of 1027 each message is processed with the section key K^1 = K. To process 1028 the (i + 1)-th section of each message the section key K^{i+1} is 1029 calculated using ACPKM transformation as follows: 1031 K^{i+1} = ACPKM(K^i) = MSB_k(E_{K^i}(D_1) | ... | E_{K^i}(D_J)), 1033 where J = ceil(k/n) and D_1, D_2, ... , D_J are in V_n and are 1034 calculated as follows: 1036 D_1 | D_2 | ... | D_J = MSB_{J * n}(D), 1038 where D is the following constant in V_{1024}: 1040 D = ( 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 1041 | 88 | 89 | 8a | 8b | 8c | 8d | 8e | 8f 1042 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 1043 | 98 | 99 | 9a | 9b | 9c | 9d | 9e | 9f 1044 | a0 | a1 | a2 | a3 | a4 | a5 | a6 | a7 1045 | a8 | a9 | aa | ab | ac | ad | ae | af 1046 | b0 | b1 | b2 | b3 | b4 | b5 | b6 | b7 1047 | b8 | b9 | ba | bb | bc | bd | be | bf 1048 | c0 | c1 | c2 | c3 | c4 | c5 | c6 | c7 1049 | c8 | c9 | ca | cb | cc | cd | ce | cf 1050 | d0 | d1 | d2 | d3 | d4 | d5 | d6 | d7 1051 | d8 | d9 | da | db | dc | dd | de | df 1052 | e0 | e1 | e2 | e3 | e4 | e5 | e6 | e7 1053 | e8 | e9 | ea | eb | ec | ed | ee | ef 1054 | f0 | f1 | f2 | f3 | f4 | f5 | f6 | f7 1055 | f8 | f9 | fa | fb | fc | fd | fe | ff) 1057 N o t e : The constant D is such that D_1, ... , D_J are pairwise 1058 different for any allowed n and k values. 1060 N o t e : The highest bit of each octet of the constant D is equal to 1061 1. This condition is important, as in conjunction with a certain 1062 mode message length limitation it allows to prevent collisions of 1063 block cipher permutation inputs in cases of key transformation and 1064 message processing (for more details see Section 4.4 of [AAOS2017]). 1066 6.2.2. CTR-ACPKM Encryption Mode 1068 This section defines a CTR-ACPKM encryption mode that uses the ACPKM 1069 internal re-keying mechanism for the periodical key transformation. 1071 The CTR-ACPKM mode can be considered as the base encryption mode CTR 1072 (see [MODES]) extended by the ACPKM re-keying mechanism. 1074 The CTR-ACPKM encryption mode can be used with the following 1075 parameters: 1077 o 64 <= n <= 512; 1079 o 128 <= k <= 512; 1081 o the number c of bits in a specific part of the block to be 1082 incremented is such that 32 <= c <= 3 / 4 n, c is a multiple of 8; 1084 o the maximum message size m_max = n * 2^{c-1}. 1086 The CTR-ACPKM mode encryption and decryption procedures are defined 1087 as follows: 1089 +----------------------------------------------------------------+ 1090 | CTR-ACPKM-Encrypt(N, K, ICN, P) | 1091 |----------------------------------------------------------------| 1092 | Input: | 1093 | - section size N, | 1094 | - initial key K, | 1095 | - initial counter nonce ICN in V_{n-c}, | 1096 | - plaintext P = P_1 | ... | P_b, |P| <= m_max. | 1097 | Output: | 1098 | - ciphertext C. | 1099 |----------------------------------------------------------------| 1100 | 1. CTR_1 = ICN | 0^c | 1101 | 2. For j = 2, 3, ... , b do | 1102 | CTR_{j} = Inc_c(CTR_{j-1}) | 1103 | 3. K^1 = K | 1104 | 4. For i = 2, 3, ... , ceil(|P| / N) | 1105 | K^i = ACPKM(K^{i-1}) | 1106 | 5. For j = 1, 2, ... , b do | 1107 | i = ceil(j * n / N), | 1108 | G_j = E_{K^i}(CTR_j) | 1109 | 6. C = P (xor) MSB_{|P|}(G_1 | ... | G_b) | 1110 | 7. Return C | 1111 +----------------------------------------------------------------+ 1113 +----------------------------------------------------------------+ 1114 | CTR-ACPKM-Decrypt(N, K, ICN, C) | 1115 |----------------------------------------------------------------| 1116 | Input: | 1117 | - section size N, | 1118 | - initial key K, | 1119 | - initial counter nonce ICN in V_{n-c}, | 1120 | - ciphertext C = C_1 | ... | C_b, |C| <= m_max. | 1121 | Output: | 1122 | - plaintext P. | 1123 |----------------------------------------------------------------| 1124 | 1. P = CTR-ACPKM-Encrypt(N, K, ICN, C) | 1125 | 2. Return P | 1126 +----------------------------------------------------------------+ 1128 The initial counter nonce ICN value for each message that is 1129 encrypted under the given initial key K must be chosen in a unique 1130 manner. 1132 6.2.3. GCM-ACPKM Authenticated Encryption Mode 1134 This section defines GCM-ACPKM authenticated encryption mode that 1135 uses the ACPKM internal re-keying mechanism for the periodical key 1136 transformation. 1138 The GCM-ACPKM mode can be considered as the base authenticated 1139 encryption mode GCM (see [GCM]) extended by the ACPKM re-keying 1140 mechanism. 1142 The GCM-ACPKM authenticated encryption mode can be used with the 1143 following parameters: 1145 o n in {128, 256}; 1147 o 128 <= k <= 512; 1149 o the number c of bits in a specific part of the block to be 1150 incremented is such that 1 / 4 n <= c <= 1 / 2 n, c is a multiple 1151 of 8; 1153 o authentication tag length t; 1155 o the maximum message size m_max = min{n * (2^{c-1} - 2), 2^{n/2} - 1156 1}. 1158 The GCM-ACPKM mode encryption and decryption procedures are defined 1159 as follows: 1161 +-------------------------------------------------------------------+ 1162 | GHASH(X, H) | 1163 |-------------------------------------------------------------------| 1164 | Input: | 1165 | - bit string X = X_1 | ... | X_m, X_1, ... , X_m in V_n. | 1166 | Output: | 1167 | - block GHASH(X, H) in V_n. | 1168 |-------------------------------------------------------------------| 1169 | 1. Y_0 = 0^n | 1170 | 2. For i = 1, ... , m do | 1171 | Y_i = (Y_{i-1} (xor) X_i) * H | 1172 | 3. Return Y_m | 1173 +-------------------------------------------------------------------+ 1175 +-------------------------------------------------------------------+ 1176 | GCTR(N, K, ICB, X) | 1177 |-------------------------------------------------------------------| 1178 | Input: | 1179 | - section size N, | 1180 | - initial key K, | 1181 | - initial counter block ICB, | 1182 | - X = X_1 | ... | X_b. | 1183 | Output: | 1184 | - Y in V_{|X|}. | 1185 |-------------------------------------------------------------------| 1186 | 1. If X in V_0 then return Y, where Y in V_0 | 1187 | 2. GCTR_1 = ICB | 1188 | 3. For i = 2, ... , b do | 1189 | GCTR_i = Inc_c(GCTR_{i-1}) | 1190 | 4. K^1 = K | 1191 | 5. For j = 2, ... , ceil(|X| / N) | 1192 | K^j = ACPKM(K^{j-1}) | 1193 | 6. For i = 1, ... , b do | 1194 | j = ceil(i * n / N), | 1195 | G_i = E_{K_j}(GCTR_i) | 1196 | 7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b) | 1197 | 8. Return Y | 1198 +-------------------------------------------------------------------+ 1200 +-------------------------------------------------------------------+ 1201 | GCM-ACPKM-Encrypt(N, K, ICN, P, A) | 1202 |-------------------------------------------------------------------| 1203 | Input: | 1204 | - section size N, | 1205 | - initial key K, | 1206 | - initial counter nonce ICN in V_{n-c}, | 1207 | - plaintext P = P_1 | ... | P_b, |P| <= m_max, | 1208 | - additional authenticated data A. | 1209 | Output: | 1210 | - ciphertext C, | 1211 | - authentication tag T. | 1212 |-------------------------------------------------------------------| 1213 | 1. H = E_{K}(0^n) | 1214 | 2. ICB_0 = ICN | 0^{c-1} | 1 | 1215 | 3. C = GCTR(N, K, Inc_c(ICB_0), P) | 1216 | 4. u = n * ceil(|C| / n) - |C| | 1217 | v = n * ceil(|A| / n) - |A| | 1218 | 5. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) | | 1219 | | Vec_{n/2}(|C|), H) | 1220 | 6. T = MSB_t(E_{K}(ICB_0) (xor) S) | 1221 | 7. Return C | T | 1222 +-------------------------------------------------------------------+ 1224 +-------------------------------------------------------------------+ 1225 | GCM-ACPKM-Decrypt(N, K, ICN, A, C, T) | 1226 |-------------------------------------------------------------------| 1227 | Input: | 1228 | - section size N, | 1229 | - initial key K, | 1230 | - initial counter block ICN, | 1231 | - additional authenticated data A, | 1232 | - ciphertext C = C_1 | ... | C_b, |C| <= m_max, | 1233 | - authentication tag T. | 1234 | Output: | 1235 | - plaintext P or FAIL. | 1236 |-------------------------------------------------------------------| 1237 | 1. H = E_{K}(0^n) | 1238 | 2. ICB_0 = ICN | 0^{c-1} | 1 | 1239 | 3. P = GCTR(N, K, Inc_c(ICB_0), C) | 1240 | 4. u = n * ceil(|C| / n) - |C| | 1241 | v = n * ceil(|A| / n) - |A| | 1242 | 5. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) | | 1243 | | Vec_{n/2}(|C|), H) | 1244 | 6. T' = MSB_t(E_{K}(ICB_0) (xor) S) | 1245 | 7. If T = T' then return P; else return FAIL | 1246 +-------------------------------------------------------------------+ 1248 The * operation on (pairs of) the 2^n possible blocks corresponds to 1249 the multiplication operation for the binary Galois (finite) field of 1250 2^n elements defined by the polynomial f as follows (by analogy with 1251 [GCM]): 1253 n = 128: f = a^128 + a^7 + a^2 + a^1 + 1, 1255 n = 256: f = a^256 + a^10 + a^5 + a^2 + 1. 1257 The initial counter nonce ICN value for each message that is 1258 encrypted under the given initial key K must be chosen in a unique 1259 manner. 1261 The key for computing values E_{K}(ICB_0) and H is not updated and is 1262 equal to the initial key K. 1264 6.3. Constructions that Require Master Key 1266 This section describes the block cipher modes that use the ACPKM- 1267 Master re-keying mechanism, which use the initial key K as a master 1268 key, so K is never used directly for data processing but is used for 1269 key derivation. 1271 6.3.1. ACPKM-Master Key Derivation from the Master Key 1273 This section defines periodical key transformation with a master key, 1274 which is called ACPKM-Master re-keying mechanism. This mechanism can 1275 be applied to one of the base modes of operation (CTR, GCM, CBC, CFB, 1276 OMAC modes) for getting an extension that uses periodical key 1277 transformation with a master key. This extension can be considered 1278 as a new mode of operation. 1280 Additional parameters that define the functioning of modes of 1281 operation that use the ACPKM-Master re-keying mechanism are the 1282 section size N, the change frequency T* of the master keys K*_1, 1283 K*_2, ... (see Figure 10) and the size d of the section key material. 1284 The values of N and T* are measured in bits and are fixed within a 1285 specific protocol, based on the requirements of the system capacity 1286 and the key lifetime. The section size N MUST be divisible by the 1287 block size n. The master key frequency T* MUST be divisible by d and 1288 by n. 1290 The main idea behind internal re-keying with a master key is 1291 presented in Figure 10: 1293 Master key frequency T*, 1294 section size N, 1295 maximum message size = m_max. 1296 _____________________________________________________________________ 1298 ACPKM ACPKM 1299 K*_1 = K----------> K*_2 ---------...-----> K*_l_max 1300 ___|___ ___|___ ___|___ 1301 | | | | | | 1302 v ... v v ... v v ... v 1303 K[1] K[t] K[t+1] K[2*t] K[(l_max-1)t+1] K[l_max*t] 1304 | | | | | | 1305 | | | | | | 1306 v v v v v v 1307 M^{1}||======|...|======||======|...|======||...||======|...|== : || 1308 M^{2}||======|...|======||======|...|======||...||======|...|====: || 1309 ... || | | || | | || || | | : || 1310 M^{q}||======|...|======||==== |...| ||...|| |...| : || 1311 section : 1312 <------> : 1313 N bit m_max 1314 _____________________________________________________________________ 1315 |K[i]| = d, 1316 t = T* / d, 1317 l_max = ceil(m_max / (N * t)). 1319 Figure 10: Internal re-keying with a master key 1321 During the processing of the input message M with the length m in 1322 some mode of operation that uses ACPKM-Master key transformation with 1323 the initial key K and the master key frequency T* the message M is 1324 divided into l = ceil(m / N) sections (denoted as M = M_1 | M_2 | 1325 ... | M_l, where M_i is in V_N for i in {1, 2, ... , l - 1} and M_l 1326 is in V_r, r <= N). The j-th section of each message is processed 1327 with the key material K[j], j in {1, ... , l}, |K[j]| = d, that is 1328 calculated with the ACPKM-Master algorithm as follows: 1330 K[1] | ... | K[l] = ACPKM-Master(T*, K, d, l) = CTR-ACPKM-Encrypt 1331 (T*, K, 1^{n/2}, 0^{d*l}). 1333 Note: the parameters d and l MUST be such that d * l <= n * 1334 2^{n/2-1}. 1336 6.3.2. CTR-ACPKM-Master Encryption Mode 1338 This section defines a CTR-ACPKM-Master encryption mode that uses the 1339 ACPKM-Master internal re-keying mechanism for the periodical key 1340 transformation. 1342 The CTR-ACPKM-Master encryption mode can be considered as the base 1343 encryption mode CTR (see [MODES]) extended by the ACPKM-Master re- 1344 keying mechanism. 1346 The CTR-ACPKM-Master encryption mode can be used with the following 1347 parameters: 1349 o 64 <= n <= 512; 1351 o 128 <= k <= 512; 1353 o the number c of bits in a specific part of the block to be 1354 incremented is such that 32 <= c <= 3 / 4 n, c is a multiple of 8; 1356 o the maximum message size m_max = min{N * (n * 2^{n/2-1} / k), n * 1357 2^c}. 1359 The key material K[j] that is used for one section processing is 1360 equal to K^j, |K^j| = k bits. 1362 The CTR-ACPKM-Master mode encryption and decryption procedures are 1363 defined as follows: 1365 +----------------------------------------------------------------+ 1366 | CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, P) | 1367 |----------------------------------------------------------------| 1368 | Input: | 1369 | - section size N, | 1370 | - initial key K, | 1371 | - master key frequency T*, | 1372 | - initial counter nonce ICN in V_{n-c}, | 1373 | - plaintext P = P_1 | ... | P_b, |P| <= m_max. | 1374 | Output: | 1375 | - ciphertext C. | 1376 |----------------------------------------------------------------| 1377 | 1. CTR_1 = ICN | 0^c | 1378 | 2. For j = 2, 3, ... , b do | 1379 | CTR_{j} = Inc_c(CTR_{j-1}) | 1380 | 3. l = ceil(|P| / N) | 1381 | 4. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1382 | 5. For j = 1, 2, ... , b do | 1383 | i = ceil(j * n / N), | 1384 | G_j = E_{K^i}(CTR_j) | 1385 | 6. C = P (xor) MSB_{|P|}(G_1 | ... |G_b) | 1386 | 7. Return C | 1387 |----------------------------------------------------------------+ 1389 +----------------------------------------------------------------+ 1390 | CTR-ACPKM-Master-Decrypt(N, K, T*, ICN, C) | 1391 |----------------------------------------------------------------| 1392 | Input: | 1393 | - section size N, | 1394 | - initial key K, | 1395 | - master key frequency T*, | 1396 | - initial counter nonce ICN in V_{n-c}, | 1397 | - ciphertext C = C_1 | ... | C_b, |C| <= m_max. | 1398 | Output: | 1399 | - plaintext P. | 1400 |----------------------------------------------------------------| 1401 | 1. P = CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, C) | 1402 | 1. Return P | 1403 +----------------------------------------------------------------+ 1405 The initial counter nonce ICN value for each message that is 1406 encrypted under the given initial key must be chosen in a unique 1407 manner. 1409 6.3.3. GCM-ACPKM-Master Authenticated Encryption Mode 1411 This section defines a GCM-ACPKM-Master authenticated encryption mode 1412 that uses the ACPKM-Master internal re-keying mechanism for the 1413 periodical key transformation. 1415 The GCM-ACPKM-Master authenticated encryption mode can be considered 1416 as the base authenticated encryption mode GCM (see [GCM]) extended by 1417 the ACPKM-Master re-keying mechanism. 1419 The GCM-ACPKM-Master authenticated encryption mode can be used with 1420 the following parameters: 1422 o n in {128, 256}; 1424 o 128 <= k <= 512; 1426 o the number c of bits in a specific part of the block to be 1427 incremented is such that 1 / 4 n <= c <= 1 / 2 n, c is a multiple 1428 of 8; 1430 o authentication tag length t; 1432 o the maximum message size m_max = min{N * ( n * 2^{n/2-1} / k), n * 1433 (2^c - 2), 2^{n/2} - 1}. 1435 The key material K[j] that is used for the j-th section processing is 1436 equal to K^j, |K^j| = k bits. 1438 The GCM-ACPKM-Master mode encryption and decryption procedures are 1439 defined as follows: 1441 +-------------------------------------------------------------------+ 1442 | GHASH(X, H) | 1443 |-------------------------------------------------------------------| 1444 | Input: | 1445 | - bit string X = X_1 | ... | X_m, X_i in V_n for i in {1, ... ,m}| 1446 | Output: | 1447 | - block GHASH(X, H) in V_n | 1448 |-------------------------------------------------------------------| 1449 | 1. Y_0 = 0^n | 1450 | 2. For i = 1, ... , m do | 1451 | Y_i = (Y_{i-1} (xor) X_i) * H | 1452 | 3. Return Y_m | 1453 +-------------------------------------------------------------------+ 1455 +-------------------------------------------------------------------+ 1456 | GCTR(N, K, T*, ICB, X) | 1457 |-------------------------------------------------------------------| 1458 | Input: | 1459 | - section size N, | 1460 | - initial key K, | 1461 | - master key frequency T*, | 1462 | - initial counter block ICB, | 1463 | - X = X_1 | ... | X_b. | 1464 | Output: | 1465 | - Y in V_{|X|}. | 1466 |-------------------------------------------------------------------| 1467 | 1. If X in V_0 then return Y, where Y in V_0 | 1468 | 2. GCTR_1 = ICB | 1469 | 3. For i = 2, ... , b do | 1470 | GCTR_i = Inc_c(GCTR_{i-1}) | 1471 | 4. l = ceil(|X| / N) | 1472 | 5. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1473 | 6. For j = 1, ... , b do | 1474 | i = ceil(j * n / N), | 1475 | G_j = E_{K^i}(GCTR_j) | 1476 | 7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b) | 1477 | 8. Return Y | 1478 +-------------------------------------------------------------------+ 1480 +-------------------------------------------------------------------+ 1481 | GCM-ACPKM-Master-Encrypt(N, K, T*, ICN, P, A) | 1482 |-------------------------------------------------------------------| 1483 | Input: | 1484 | - section size N, | 1485 | - initial key K, | 1486 | - master key frequency T*, | 1487 | - initial counter nonce ICN in V_{n-c}, | 1488 | - plaintext P = P_1 | ... | P_b, |P| <= m_max. | 1489 | - additional authenticated data A. | 1490 | Output: | 1491 | - ciphertext C, | 1492 | - authentication tag T. | 1493 |-------------------------------------------------------------------| 1494 | 1. K^1 = ACPKM-Master(T*, K, k, 1) | 1495 | 2. H = E_{K^1}(0^n) | 1496 | 3. ICB_0 = ICN | 0^{c-1} | 1 | 1497 | 4. C = GCTR(N, K, T*, Inc_c(ICB_0), P) | 1498 | 5. u = n * ceil(|C| / n) - |C| | 1499 | v = n * ceil(|A| / n) - |A| | 1500 | 6. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) | | 1501 | | Vec_{n/2}(|C|), H) | 1502 | 7. T = MSB_t(E_{K^1}(ICB_0) (xor) S) | 1503 | 8. Return C | T | 1504 +-------------------------------------------------------------------+ 1506 +-------------------------------------------------------------------+ 1507 | GCM-ACPKM-Master-Decrypt(N, K, T*, ICN, A, C, T) | 1508 |-------------------------------------------------------------------| 1509 | Input: | 1510 | - section size N, | 1511 | - initial key K, | 1512 | - master key frequency T*, | 1513 | - initial counter nonce ICN in V_{n-c}, | 1514 | - additional authenticated data A. | 1515 | - ciphertext C = C_1 | ... | C_b, |C| <= m_max, | 1516 | - authentication tag T. | 1517 | Output: | 1518 | - plaintext P or FAIL. | 1519 |-------------------------------------------------------------------| 1520 | 1. K^1 = ACPKM-Master(T*, K, k, 1) | 1521 | 2. H = E_{K^1}(0^n) | 1522 | 3. ICB_0 = ICN | 0^{c-1} | 1 | 1523 | 4. P = GCTR(N, K, T*, Inc_c(ICB_0), C) | 1524 | 5. u = n * ceil(|C| / n) - |C| | 1525 | v = n * ceil(|A| / n) - |A| | 1526 | 6. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) | | 1527 | | Vec_{n/2}(|C|), H) | 1528 | 7. T' = MSB_t(E_{K^1}(ICB_0) (xor) S) | 1529 | 8. IF T = T' then return P; else return FAIL. | 1530 +-------------------------------------------------------------------+ 1532 The * operation on (pairs of) the 2^n possible blocks corresponds to 1533 the multiplication operation for the binary Galois (finite) field of 1534 2^n elements defined by the polynomial f as follows (by analogy with 1535 [GCM]): 1537 n = 128: f = a^128 + a^7 + a^2 + a^1 + 1, 1539 n = 256: f = a^256 + a^10 + a^5 + a^2 + 1. 1541 The initial counter nonce ICN value for each message that is 1542 encrypted under the given initial key must be chosen in a unique 1543 manner. 1545 6.3.4. CBC-ACPKM-Master Encryption Mode 1547 This section defines a CBC-ACPKM-Master encryption mode that uses the 1548 ACPKM-Master internal re-keying mechanism for the periodical key 1549 transformation. 1551 The CBC-ACPKM-Master encryption mode can be considered as the base 1552 encryption mode CBC (see [MODES]) extended by the ACPKM-Master re- 1553 keying mechanism. 1555 The CBC-ACPKM-Master encryption mode can be used with the following 1556 parameters: 1558 o 64 <= n <= 512; 1560 o 128 <= k <= 512; 1562 o the maximum message size m_max = N * (n * 2^{n/2-1} / k). 1564 In the specification of the CBC-ACPKM-Master mode the plaintext and 1565 ciphertext must be a sequence of one or more complete data blocks. 1566 If the data string to be encrypted does not initially satisfy this 1567 property, then it MUST be padded to form complete data blocks. The 1568 padding methods are out of the scope of this document. An example of 1569 a padding method can be found in Appendix A of [MODES]. 1571 The key material K[j] that is used for the j-th section processing is 1572 equal to K^j, |K^j| = k bits. 1574 We will denote by D_{K} the decryption function which is a 1575 permutation inverse to E_{K}. 1577 The CBC-ACPKM-Master mode encryption and decryption procedures are 1578 defined as follows: 1580 +----------------------------------------------------------------+ 1581 | CBC-ACPKM-Master-Encrypt(N, K, T*, IV, P) | 1582 |----------------------------------------------------------------| 1583 | Input: | 1584 | - section size N, | 1585 | - initial key K, | 1586 | - master key frequency T*, | 1587 | - initialization vector IV in V_n, | 1588 | - plaintext P = P_1 | ... | P_b, |P_b| = n, |P| <= m_max. | 1589 | Output: | 1590 | - ciphertext C. | 1591 |----------------------------------------------------------------| 1592 | 1. l = ceil(|P| / N) | 1593 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1594 | 3. C_0 = IV | 1595 | 4. For j = 1, 2, ... , b do | 1596 | i = ceil(j * n / N), | 1597 | C_j = E_{K^i}(P_j (xor) C_{j-1}) | 1598 | 5. Return C = C_1 | ... | C_b | 1599 |----------------------------------------------------------------+ 1601 +----------------------------------------------------------------+ 1602 | CBC-ACPKM-Master-Decrypt(N, K, T*, IV, C) | 1603 |----------------------------------------------------------------| 1604 | Input: | 1605 | - section size N, | 1606 | - initial key K, | 1607 | - master key frequency T*, | 1608 | - initialization vector IV in V_n, | 1609 | - ciphertext C = C_1 | ... | C_b, |C_b| = n, |C| <= m_max. | 1610 | Output: | 1611 | - plaintext P. | 1612 |----------------------------------------------------------------| 1613 | 1. l = ceil(|C| / N) | 1614 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1615 | 3. C_0 = IV | 1616 | 4. For j = 1, 2, ... , b do | 1617 | i = ceil(j * n / N) | 1618 | P_j = D_{K^i}(C_j) (xor) C_{j-1} | 1619 | 5. Return P = P_1 | ... | P_b | 1620 +----------------------------------------------------------------+ 1622 The initialization vector IV for any particular execution of the 1623 encryption process must be unpredictable. 1625 6.3.5. CFB-ACPKM-Master Encryption Mode 1627 This section defines a CFB-ACPKM-Master encryption mode that uses the 1628 ACPKM-Master internal re-keying mechanism for the periodical key 1629 transformation. 1631 The CFB-ACPKM-Master encryption mode can be considered as the base 1632 encryption mode CFB (see [MODES]) extended by the ACPKM-Master re- 1633 keying mechanism. 1635 The CFB-ACPKM-Master encryption mode can be used with the following 1636 parameters: 1638 o 64 <= n <= 512; 1640 o 128 <= k <= 512; 1642 o the maximum message size m_max = N * (n * 2^{n/2-1} / k). 1644 The key material K[j] that is used for the j-th section processing is 1645 equal to K^j, |K^j| = k bits. 1647 The CFB-ACPKM-Master mode encryption and decryption procedures are 1648 defined as follows: 1650 +-------------------------------------------------------------+ 1651 | CFB-ACPKM-Master-Encrypt(N, K, T*, IV, P) | 1652 |-------------------------------------------------------------| 1653 | Input: | 1654 | - section size N, | 1655 | - initial key K, | 1656 | - master key frequency T*, | 1657 | - initialization vector IV in V_n, | 1658 | - plaintext P = P_1 | ... | P_b, |P| <= m_max. | 1659 | Output: | 1660 | - ciphertext C. | 1661 |-------------------------------------------------------------| 1662 | 1. l = ceil(|P| / N) | 1663 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1664 | 3. C_0 = IV | 1665 | 4. For j = 1, 2, ... , b - 1 do | 1666 | i = ceil(j * n / N), | 1667 | C_j = E_{K^i}(C_{j-1}) (xor) P_j | 1668 | 5. C_b = MSB_{|P_b|}(E_{K^l}(C_{b-1})) (xor) P_b | 1669 | 6. Return C = C_1 | ... | C_b | 1670 |-------------------------------------------------------------+ 1672 +-------------------------------------------------------------+ 1673 | CFB-ACPKM-Master-Decrypt(N, K, T*, IV, C) | 1674 |-------------------------------------------------------------| 1675 | Input: | 1676 | - section size N, | 1677 | - initial key K, | 1678 | - master key frequency T*, | 1679 | - initialization vector IV in V_n, | 1680 | - ciphertext C = C_1 | ... | C_b, |C| <= m_max. | 1681 | Output: | 1682 | - plaintext P. | 1683 |-------------------------------------------------------------| 1684 | 1. l = ceil(|C| / N) | 1685 | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | 1686 | 3. C_0 = IV | 1687 | 4. For j = 1, 2, ... , b - 1 do | 1688 | i = ceil(j * n / N), | 1689 | P_j = E_{K^i}(C_{j-1}) (xor) C_j | 1690 | 5. P_b = MSB_{|C_b|}(E_{K^l}(C_{b-1})) (xor) C_b | 1691 | 6. Return P = P_1 | ... | P_b | 1692 +-------------------------------------------------------------+ 1694 The initialization vector IV for any particular execution of the 1695 encryption process must be unpredictable. 1697 6.3.6. OMAC-ACPKM-Master Authentication Mode 1699 This section defines an OMAC-ACPKM-Master message authentication code 1700 calculation mode that uses the ACPKM-Master internal re-keying 1701 mechanism for the periodical key transformation. 1703 The OMAC-ACPKM-Master mode can be considered as the base message 1704 authentication code calculation mode OMAC, which is also known as 1705 CMAC (see [RFC4493]), extended by the ACPKM-Master re-keying 1706 mechanism. 1708 The OMAC-ACPKM-Master message authentication code calculation mode 1709 can be used with the following parameters: 1711 o n in {64, 128, 256}; 1713 o 128 <= k <= 512; 1715 o the maximum message size m_max = N * (n * 2^{n/2-1} / (k + n)). 1717 The key material K[j] that is used for one section processing is 1718 equal to K^j | K^j_1, where |K^j| = k and |K^j_1| = n. 1720 The following is a specification of the subkey generation process of 1721 OMAC: 1723 +-------------------------------------------------------------------+ 1724 | Generate_Subkey(K1, r) | 1725 |-------------------------------------------------------------------| 1726 | Input: | 1727 | - key K1. | 1728 | Output: | 1729 | - key SK. | 1730 |-------------------------------------------------------------------| 1731 | 1. If r = n then return K1 | 1732 | 2. If r < n then | 1733 | if MSB_1(K1) = 0 | 1734 | return K1 << 1 | 1735 | else | 1736 | return (K1 << 1) (xor) R_n | 1737 | | 1738 +-------------------------------------------------------------------+ 1740 Here R_n takes the following values: 1742 o n = 64: R_{64} = 0^{59} | 11011; 1743 o n = 128: R_{128} = 0^{120} | 10000111; 1745 o n = 256: R_{256} = 0^{145} | 10000100101. 1747 The OMAC-ACPKM-Master message authentication code calculation mode is 1748 defined as follows: 1750 +-------------------------------------------------------------------+ 1751 | OMAC-ACPKM-Master(K, N, T*, M) | 1752 |-------------------------------------------------------------------| 1753 | Input: | 1754 | - section size N, | 1755 | - initial key K, | 1756 | - master key frequency T*, | 1757 | - plaintext M = M_1 | ... | M_b, |M| <= m_max. | 1758 | Output: | 1759 | - message authentication code T. | 1760 |-------------------------------------------------------------------| 1761 | 1. C_0 = 0^n | 1762 | 2. l = ceil(|M| / N) | 1763 | 3. K^1 | K^1_1 | ... | K^l | K^l_1 = | 1764 = ACPKM-Master(T*, K, (k + n), l) | 1765 | 4. For j = 1, 2, ... , b - 1 do | 1766 | i = ceil(j * n / N), | 1767 | C_j = E_{K^i}(M_j (xor) C_{j-1}) | 1768 | 5. SK = Generate_Subkey(K^l_1, |M_b|) | 1769 | 6. If |M_b| = n then M*_b = M_b | 1770 | else M*_b = M_b | 1 | 0^{n - 1 -|M_b|} | 1771 | 7. T = E_{K^l}(M*_b (xor) C_{b-1} (xor) SK) | 1772 | 8. Return T | 1773 +-------------------------------------------------------------------+ 1775 7. Joint Usage of External and Internal Re-keying 1777 Both external re-keying and internal re-keying have their own 1778 advantages and disadvantages discussed in Section 1. For instance, 1779 using external re-keying can essentially limit the message length, 1780 while in the case of internal re-keying the section size, which can 1781 be chosen as the maximal possible for operational properties, limits 1782 the amount of separate messages. Therefore, the choice of re-keying 1783 mechanism (either external or internal) depends on particular 1784 protocol features. However, some protocols may have features that 1785 require to take advantages provided by both external and internal re- 1786 keying mechanisms: for example, the protocol mainly transmits 1787 messages of small length, but it must additionally support very long 1788 messages processing. In such situations it is necessary to use 1789 external and internal re-keying jointly, since these techniques 1790 negate each other's disadvantages. 1792 For composition of external and internal re-keying techniques any 1793 mechanism described in Section 5 can be used with any mechanism 1794 described in Section 6. 1796 For example, consider the GCM-ACPKM mode with external serial re- 1797 keying based on a KDF on a Hash function. Denote by a frame size the 1798 number of messages in each frame (in the case of implicit approach to 1799 the key lifetime control) for external re-keying. 1801 Let L be a key lifetime limitation. The section size N for internal 1802 re-keying and the frame size q for external re-keying must be chosen 1803 in such a way that q * N must not exceed L. 1805 Suppose that t messages (ICN_i, P_i, A_i), with initial counter nonce 1806 ICN_i, plaintext P_i and additional authenticated data A_i, will be 1807 processed before renegotiation. 1809 For authenticated encryption of each message (ICN_i, P_i, A_i), i = 1810 1, ..., t, the following algorithm can be applied: 1812 1. j = ceil(i / q), 1813 2. K^j = ExtSerialH(K, j), 1814 3. C_i | T_i = GCM-ACPKM-Encrypt(N, K^j, ICN_i, P_i, A_i). 1816 Note that nonces ICN_i, that are used under the same frame key, must 1817 be unique for each message. 1819 8. Security Considerations 1821 Re-keying should be used to increase "a priori" security properties 1822 of ciphers in hostile environments (e.g., with side-channel 1823 adversaries). If some efficient attacks are known for a cipher, it 1824 must not be used. So re-keying cannot be used as a patch for 1825 vulnerable ciphers. Base cipher properties must be well analyzed, 1826 because the security of re-keying mechanisms is based on the security 1827 of a block cipher as a pseudorandom function. 1829 Re-keying is not intended to solve any post-quantum security issues 1830 for symmetric cryptography, since the reduction of security caused by 1831 Grover's algorithm is not connected with a size of plaintext 1832 transformed by a cipher - only a negligible (sufficient for key 1833 uniqueness) material is needed; and the aim of re-keying is to limit 1834 a size of plaintext transformed under one initial key. 1836 Re-keying can provide backward security only if previous key material 1837 is securely deleted after usage by all parties. 1839 9. IANA Considerations 1841 This document does not require any IANA actions. 1843 10. References 1845 10.1. Normative References 1847 [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, 1848 RFC 5652, DOI 10.17487/RFC5652, September 2009, 1849 . 1851 [DTLS] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 1852 Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, 1853 January 2012, . 1855 [ESP] Kent, S., "IP Encapsulating Security Payload (ESP)", 1856 RFC 4303, DOI 10.17487/RFC4303, December 2005, 1857 . 1859 [GCM] Dworkin, M., "Recommendation for Block Cipher Modes of 1860 Operation: Galois/Counter Mode (GCM) and GMAC", NIST 1861 Special Publication 800-38D 1862 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/ 1863 nistspecialpublication800-38d.pdf, November 2007. 1865 [MODES] Dworkin, M., "Recommendation for Block Cipher Modes of 1866 Operation: Methods and Techniques", NIST Special 1867 Publication 800-38A, December 2001. 1869 [NISTSP800-108] 1870 National Institute of Standards and Technology, 1871 "Recommendation for Key Derivation Using Pseudorandom 1872 Functions", NIST Special Publication 800-108, November 1873 2008, . 1876 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1877 Requirement Levels", BCP 14, RFC 2119, 1878 DOI 10.17487/RFC2119, March 1997, 1879 . 1881 [RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The 1882 AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June 1883 2006, . 1885 [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand 1886 Key Derivation Function (HKDF)", RFC 5869, 1887 DOI 10.17487/RFC5869, May 2010, 1888 . 1890 [RFC7836] Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V., 1891 Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines 1892 on the Cryptographic Algorithms to Accompany the Usage of 1893 Standards GOST R 34.10-2012 and GOST R 34.11-2012", 1894 RFC 7836, DOI 10.17487/RFC7836, March 2016, 1895 . 1897 [SSH] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) 1898 Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, 1899 January 2006, . 1901 [TLS] Rescorla, E., "The Transport Layer Security (TLS) Protocol 1902 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 1903 . 1905 10.2. Informative References 1907 [AAOS2017] 1908 Ahmetzyanova, L., Alekseev, E., Oshkin, I., and S. 1909 Smyshlyaev, "Increasing the Lifetime of Symmetric Keys for 1910 the GCM Mode by Internal Re-keying", Cryptology ePrint 1911 Archive Report 2017/697, 2017, 1912 . 1914 [AbBell] Michel Abdalla and Mihir Bellare, "Increasing the Lifetime 1915 of a Key: A Comparative Analysis of the Security of Re- 1916 keying Techniques", ASIACRYPT2000, LNCS 1976, pp. 546-559, 1917 2000. 1919 [AESDUKPT] 1920 ANSI, "Retail Financial Services Symmetric Key Management 1921 - Part 3: Derived Unique Key Per Transaction", ANSI 1922 X9.24-3-2017, 2017. 1924 [FKK2005] Fu, K., Kamara, S., and T. Kohno, "Key Regression: 1925 Enabling Efficient Key Distribution for Secure Distributed 1926 Storage", November 2005, 1927 . 1930 [FPS2012] Faust, S., Pietrzak, K., and j. Schipper, "Practical 1931 Leakage-Resilient Symmetric Cryptography", CHES2012 LNCS, 1932 vol. 7428, pp. 213-232,, 2012, 1933 . 1936 [FRESHREKEYING] 1937 Dziembowski, S., Faust, S., Herold, G., Journault, A., 1938 Masny, D., and F. Standaert, "Towards Sound Fresh Re- 1939 Keying with Hard (Physical) Learning Problems", Cryptology 1940 ePrint Archive Report 2016/573, June 2016, 1941 . 1943 [GGM] Goldreich, O., Goldwasser, S., and S. Micali, "How to 1944 Construct Random Functions", Journal of the Association 1945 for Computing Machinery Vol.33, No.4, pp. 792-807, October 1946 1986, . 1948 [KMNT2003] 1949 Kim, Y., Maino, F., Narasimha, M., and G. Tsudik, "Secure 1950 Group Services for Storage Area Networks", 1951 IEEE Communication Magazine 41, pp. 92-99, 2003, 1952 . 1954 [LDC] Howard M. Heys, "A Tutorial on Linear and Differential 1955 Cryptanalysis", 2017, 1956 . 1958 [OWT] Joye, M. and S. Yen, "One-Way Cross-Trees and Their 1959 Applications", DOI 10.1007/3-540-45664-3_25, February 1960 2002, . 1963 [P3] Peter Alexander, "Dynamic Key Changes on Encrypted 1964 Sessions", CFRG mail archive , December 2017, 1965 . 1968 [Pietrzak2009] 1969 Pietrzak, K., "A Leakage-Resilient Mode of Operation", 1970 EUROCRYPT2009 LNCS, vol. 5479, pp. 462-482,, 2009, 1971 . 1974 [SIGNAL] Perrin, T., Ed. and M. Marlinspike, "The Double Ratchet 1975 Algorithm", November 2016, 1976 . 1979 [Sweet32] Karthikeyan Bhargavan, Gaetan Leurent, "On the Practical 1980 (In-)Security of 64-bit Block Ciphers: Collision Attacks 1981 on HTTP over TLS and OpenVPN", Cryptology ePrint 1982 Archive Report 2016/798, 2016, 1983 . 1985 [TAHA] Taha, M. and P. Schaumont, "Key Updating for Leakage 1986 Resiliency With Application to AES Modes of Operation", 1987 DOI 10.1109/TIFS.2014.2383359, December 2014, 1988 . 1990 [TEMPEST] By Craig Ramsay, Jasper Lohuis, "TEMPEST attacks against 1991 AES. Covertly stealing keys for 200 euro", 2017, 1992 . 1995 [U2F] Chang, D., Mishra, S., Sanadhya, S., and A. Singhl, "On 1996 Making U2F Protocol Leakage-Resilient via Re-keying.", 1997 Cryptology ePrint Archive Report 2017/721, August 2017, 1998 . 2000 Appendix A. Test Examples 2002 A.1. Test Examples for External Re-keying 2004 A.1.1. External Re-keying with a Parallel Construction 2005 External re-keying with a parallel construction based on AES-256 2006 **************************************************************** 2007 k = 256 2008 t = 128 2010 Initial key: 2011 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2012 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2014 K^1: 2015 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2016 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2018 K^2: 2019 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2020 B8 02 92 32 D8 D3 8D 73 FE DC DD C6 C8 36 78 BD 2022 K^3: 2023 B6 40 24 85 A4 24 BD 35 B4 26 43 13 76 26 70 B6 2024 5B F3 30 3D 3B 20 EB 14 D1 3B B7 91 74 E3 DB EC 2026 ... 2028 K^126: 2029 2F 3F 15 1B 53 88 23 CD 7D 03 FC 3D FD B3 57 5E 2030 23 E4 1C 4E 46 FF 6B 33 34 12 27 84 EF 5D 82 23 2032 K^127: 2033 8E 51 31 FB 0B 64 BB D0 BC D4 C5 7B 1C 66 EF FD 2034 97 43 75 10 6C AF 5D 5E 41 E0 17 F4 05 63 05 ED 2036 K^128: 2037 77 4F BF B3 22 60 C5 3B A3 8E FE B1 96 46 76 41 2038 94 49 AF 84 2D 84 65 A7 F4 F7 2C DC A4 9D 84 F9 2039 External re-keying with a parallel construction based on SHA-256 2040 **************************************************************** 2041 k = 256 2042 t = 128 2044 label: 2045 SHA2label 2047 Initial key: 2048 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2049 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2051 K^1: 2052 C1 A1 4C A0 30 29 BE 43 9F 35 3C 79 1A 51 48 57 2053 26 7A CD 5A E8 7D E7 D1 B2 E2 C7 AF A4 29 BD 35 2055 K^2: 2056 03 68 BB 74 41 2A 98 ED C4 7B 94 CC DF 9C F4 9E 2057 A9 B8 A9 5F 0E DC 3C 1E 3B D2 59 4D D1 75 82 D4 2059 K^3: 2060 2F D3 68 D3 A7 8F 91 E6 3B 68 DC 2B 41 1D AC 80 2061 0A C3 14 1D 80 26 3E 61 C9 0D 24 45 2A BD B1 AE 2063 ... 2065 K^126: 2066 55 AC 2B 25 00 78 3E D4 34 2B 65 0E 75 E5 8B 76 2067 C8 04 E9 D3 B6 08 7D C0 70 2A 99 A4 B5 85 F1 A1 2069 K^127: 2070 77 4D 15 88 B0 40 90 E5 8C 6A D7 5D 0F CF 0A 4A 2071 6C 23 F1 B3 91 B1 EF DF E5 77 64 CD 09 F5 BC AF 2073 K^128: 2074 E5 81 FF FB 0C 90 88 CD E5 F4 A5 57 B6 AB D2 2E 2075 94 C3 42 06 41 AB C1 72 66 CC 2F 59 74 9C 86 B3 2077 A.1.2. External Re-keying with a Serial Construction 2079 External re-keying with a serial construction based on AES-256 2080 ************************************************************** 2081 AES 256 examples: 2082 k = 256 2083 t = 128 2084 Initial key: 2085 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2086 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2088 K*_1: 2089 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2090 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2092 K^1: 2093 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2094 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2096 K*_2: 2097 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2098 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2100 K^2: 2101 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2102 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2104 K*_3: 2105 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2106 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2108 K^3: 2109 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2110 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2112 ... 2114 K*_126: 2115 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2116 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2118 K^126: 2119 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2120 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2122 K*_127: 2123 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2124 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2126 K^127: 2127 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2128 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2130 K*_128: 2131 64 7D 5C D5 1C 3D 62 98 BC 09 B1 D8 64 EC D9 B1 2132 6F ED F5 D3 77 57 48 75 35 2B 5F 4D B6 5B E0 15 2134 K^128: 2135 66 B8 BD E5 90 6C EC DF FA 8A B2 FD 92 84 EB F0 2136 51 16 8A B6 C8 A8 38 65 54 85 31 A5 D2 BA C3 86 2138 External re-keying with a serial construction based on SHA-256 2139 ************************************************************** 2140 k = 256 2141 t = 128 2143 Initial key: 2144 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2145 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2147 label1: 2148 SHA2label1 2150 label2: 2151 SHA2label2 2153 K*_1: 2154 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2155 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 2157 K^1: 2158 2D A8 D1 37 6C FD 52 7F F7 36 A4 E2 81 C6 0A 9B 2159 F3 8E 66 97 ED 70 4F B5 FB 10 33 CC EC EE D5 EC 2161 K*_2: 2162 14 65 5A D1 7C 19 86 24 9B D3 56 DF CC BE 73 6F 2163 52 62 4A 9D E3 CC 40 6D A9 48 DA 5C D0 68 8A 04 2165 K^2: 2166 2F EA 8D 57 2B EF B8 89 42 54 1B 8C 1B 3F 8D B1 2167 84 F9 56 C7 FE 01 11 99 1D FB 98 15 FE 65 85 CF 2169 K*_3: 2170 18 F0 B5 2A D2 45 E1 93 69 53 40 55 43 70 95 8D 2171 70 F0 20 8C DF B0 5D 67 CD 1B BF 96 37 D3 E3 EB 2173 K^3: 2174 53 C7 4E 79 AE BC D1 C8 24 04 BF F6 D7 B1 AC BF 2175 F9 C0 0E FB A8 B9 48 29 87 37 E1 BA E7 8F F7 92 2176 ... 2178 K*_126: 2179 A3 6D BF 02 AA 0B 42 4A F2 C0 46 52 68 8B C7 E6 2180 5E F1 62 C3 B3 2F DD EF E4 92 79 5D BB 45 0B CA 2182 K^126: 2183 6C 4B D6 22 DC 40 48 0F 29 C3 90 B8 E5 D7 A7 34 2184 23 4D 34 65 2C CE 4A 76 2C FE 2A 42 C8 5B FE 9A 2186 K*_127: 2187 84 5F 49 3D B8 13 1D 39 36 2B BE D3 74 8F 80 A1 2188 05 A7 07 37 BA 15 72 E0 73 49 C2 67 5D 0A 28 A1 2190 K^127: 2191 57 F0 BD 5A B8 2A F3 6B 87 33 CF F7 22 62 B4 D0 2192 F0 EE EF E1 50 74 E5 BA 13 C1 23 68 87 36 29 A2 2194 K*_128: 2195 52 F2 0F 56 5C 9C 56 84 AF 69 AD 45 EE B8 DA 4E 2196 7A A6 04 86 35 16 BA 98 E4 CB 46 D2 E8 9A C1 09 2198 K^128: 2199 9B DD 24 7D F3 25 4A 75 E0 22 68 25 68 DA 9D D5 2200 C1 6D 2D 2B 4F 3F 1F 2B 5E 99 82 7F 15 A1 4F A4 2202 A.2. Test Examples for Internal Re-keying 2204 A.2.1. Internal Re-keying Mechanisms that Do Not Require Master Key 2206 CTR-ACPKM mode with AES-256 2207 *************************** 2208 k = 256 2209 n = 128 2210 c = 64 2211 N = 256 2213 Initial key K: 2214 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2215 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2217 Plain text P: 2218 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2219 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2220 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2221 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2222 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2223 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2224 00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 2226 ICN: 2227 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 2228 23 34 45 56 67 78 89 90 12 13 14 15 16 17 18 19 2230 D_1: 2231 00000: 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 2233 D_2: 2234 00000: 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F 2236 Section_1 2238 Section key K^1: 2239 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2240 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2242 Input block CTR_1: 2243 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 00 2245 Output block G_1: 2246 00000: FD 7E F8 9A D9 7E A4 B8 8D B8 B5 1C 1C 9D 6D D0 2248 Input block CTR_2: 2249 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 01 2251 Output block G_2: 2252 00000: 19 98 C5 71 76 37 FB 17 11 E4 48 F0 0C 0D 60 B2 2254 Section_2 2256 Section key K^2: 2257 00000: F6 80 D1 21 2F A4 3D F4 EC 3A 91 DE 2A B1 6F 1B 2258 00010: 36 B0 48 8A 4F C1 2E 09 98 D2 E4 A8 88 E8 4F 3D 2260 Input block CTR_3: 2261 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 02 2263 Output block G_3: 2264 00000: E4 88 89 4F B6 02 87 DB 77 5A 07 D9 2C 89 46 EA 2266 Input block CTR_4: 2267 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 03 2268 Output block G_4: 2269 00000: BC 4F 87 23 DB F0 91 50 DD B4 06 C3 1D A9 7C A4 2271 Section_3 2273 Section key K^3: 2274 00000: 8E B9 7E 43 27 1A 42 F1 CA 8E E2 5F 5C C7 C8 3B 2275 00010: 1A CE 9E 5E D0 6A A5 3B 57 B9 6A CF 36 5D 24 B8 2277 Input block CTR_5: 2278 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 04 2280 Output block G_5: 2281 00000: 68 6F 22 7D 8F B2 9C BD 05 C8 C3 7D 22 FE 3B B7 2283 Input block CTR_6: 2284 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 05 2286 Output block G_6: 2287 00000: C0 1B F9 7F 75 6E 12 2F 80 59 55 BD DE 2D 45 87 2289 Section_4 2291 Section key K^4: 2292 00000: C5 71 6C C9 67 98 BC 2D 4A 17 87 B7 8A DF 94 AC 2293 00010: E8 16 F8 0B DB BC AD 7D 60 78 12 9C 0C B4 02 F5 2295 Block number 7: 2297 Input block CTR_7: 2298 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 06 2300 Output block G_7: 2301 00000: 03 DE 34 74 AB 9B 65 8A 3B 54 1E F8 BD 2B F4 7D 2303 The result G = G_1 | G_2 | G_3 | G_4 | G_5 | G_6 | G_7: 2304 00000: FD 7E F8 9A D9 7E A4 B8 8D B8 B5 1C 1C 9D 6D D0 2305 00010: 19 98 C5 71 76 37 FB 17 11 E4 48 F0 0C 0D 60 B2 2306 00020: E4 88 89 4F B6 02 87 DB 77 5A 07 D9 2C 89 46 EA 2307 00030: BC 4F 87 23 DB F0 91 50 DD B4 06 C3 1D A9 7C A4 2308 00040: 68 6F 22 7D 8F B2 9C BD 05 C8 C3 7D 22 FE 3B B7 2309 00050: C0 1B F9 7F 75 6E 12 2F 80 59 55 BD DE 2D 45 87 2310 00060: 03 DE 34 74 AB 9B 65 8A 3B 54 1E F8 BD 2B F4 7D 2312 The result ciphertext C = P (xor) MSB_{|P|}(G): 2313 00000: EC 5C CB DE 8C 18 D3 B8 72 56 68 D0 A7 37 F4 58 2314 00010: 19 89 E7 42 32 62 9D 60 99 7D E2 4B C0 E3 9F B8 2315 00020: F5 AA BA 0B E3 64 F0 53 EE F0 BC 15 C2 76 4C EA 2316 00030: 9E 7C C3 76 BD 87 19 C9 77 0F CA 2D E2 A3 7C B5 2317 00040: 5B 2B 77 1B F8 3A 05 17 BE 04 2D 82 28 FE 2A 95 2318 00050: 84 4E 9F 08 FD F7 B8 94 4C B7 AA B7 DE 3C 67 B4 2319 00060: 56 B8 43 FC 32 31 DE 46 D5 AB 14 F8 AC 09 C7 39 2321 GCM-ACPKM mode with AES-128 2322 *************************** 2323 k = 128 2324 n = 128 2325 c = 32 2326 N = 256 2328 Initilal Key K: 2329 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2331 Additional data A: 2332 00000: 11 22 33 2334 Plaintext: 2335 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2336 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2337 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2339 ICN: 2340 00000: 00 00 00 00 00 00 00 00 00 00 00 00 2342 Number of sections: 2 2344 Section key K^1: 2345 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2347 Section key K^2: 2348 00000: 15 1A 9F B0 B6 AC C5 97 6A FB 50 31 D1 DE C8 41 2350 Encrypted GCTR_1 | GCTR_2 | GCTR_3: 2351 00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78 2352 00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0 2353 00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD 2355 Ciphertext C: 2356 00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78 2357 00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0 2358 00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD 2360 GHASH input: 2362 00000: 11 22 33 00 00 00 00 00 00 00 00 00 00 00 00 00 2363 00010: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78 2364 00020: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0 2365 00030: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD 2366 00040: 00 00 00 00 00 00 00 18 00 00 00 00 00 00 01 80 2368 GHASH output S: 2369 00000: E8 ED E9 94 9A DD 55 30 B0 F4 4E F5 00 FC 3E 3C 2371 Authentication tag T: 2372 00000: B0 0F 15 5A 60 A3 65 51 86 8B 53 A2 A4 1B 7B 66 2374 The result C | T: 2375 00000: 03 88 DA CE 60 B6 A3 92 F3 28 C2 B9 71 B2 FE 78 2376 00010: F7 95 AA AB 49 4B 59 23 F7 FD 89 FF 94 8B C1 E0 2377 00020: D6 B3 12 46 E9 CE 9F F1 3A B3 42 7E E8 91 96 AD 2378 00030: B0 0F 15 5A 60 A3 65 51 86 8B 53 A2 A4 1B 7B 66 2380 A.2.2. Internal Re-keying Mechanisms with a Master Key 2382 CTR-ACPKM-Master mode with AES-256 2383 ********************************** 2384 k = 256 2385 n = 128 2386 c for CTR-ACPKM mode = 64 2387 c for CTR-ACPKM-Master mode = 64 2388 N = 256 2389 T* = 512 2391 Initial key K: 2392 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2393 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2395 Initial vector ICN: 2396 00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 2398 Plaintext P: 2399 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2400 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2401 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2402 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2403 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2404 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2405 00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 2406 K^1 | K^2 | K^3 | K^4: 2407 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2408 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2409 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2410 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2411 00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2412 00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2413 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2414 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2416 Section_1 2418 K^1: 2419 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2420 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2422 Input block CTR_1: 2423 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 00 2425 Output block G_1: 2426 00000: 8C A2 B6 82 A7 50 65 3F 8E BF 08 E7 9F 99 4D 5C 2428 Input block CTR_2: 2429 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 01 2431 Output block G_2: 2432 00000: F6 A6 A5 BA 58 14 1E ED 23 DC 31 68 D2 35 89 A1 2434 Section_2 2436 K^2: 2437 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2438 00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2440 Input block CTR_3: 2441 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 02 2443 Output block G_3: 2444 00000: 4A 07 5F 86 05 87 72 94 1D 8E 7D F8 32 F4 23 71 2446 Input block CTR_4: 2447 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 03 2449 Output block G_4: 2450 00000: 23 35 66 AF 61 DD FE A7 B1 68 3F BA B0 52 4A D7 2451 Section_3 2453 K^3: 2454 00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2455 00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2457 Input block CTR_5: 2458 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 04 2460 Output block G_5: 2461 00000: A8 09 6D BC E8 BB 52 FC DE 6E 03 70 C1 66 95 E8 2463 Input block CTR_6: 2464 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 05 2466 Output block G_6: 2467 00000: C6 E3 6E 8E 5B 82 AA C4 A6 6C 14 8D B1 F6 9B EF 2469 Section_4 2471 K^4: 2472 00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2473 00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2475 Input block CTR_7: 2476 00000: 12 34 56 78 90 AB CE F0 00 00 00 00 00 00 00 06 2478 Output block G_7: 2479 00000: 82 2B E9 07 96 37 44 95 75 36 3F A7 07 F8 40 22 2481 The result G = G_1 | G_2 | G_3 | G_4 | G_5 | G_6 | G_7: 2482 00000: 8C A2 B6 82 A7 50 65 3F 8E BF 08 E7 9F 99 4D 5C 2483 00010: F6 A6 A5 BA 58 14 1E ED 23 DC 31 68 D2 35 89 A1 2484 00020: 4A 07 5F 86 05 87 72 94 1D 8E 7D F8 32 F4 23 71 2485 00030: 23 35 66 AF 61 DD FE A7 B1 68 3F BA B0 52 4A D7 2486 00040: A8 09 6D BC E8 BB 52 FC DE 6E 03 70 C1 66 95 E8 2487 00050: C6 E3 6E 8E 5B 82 AA C4 A6 6C 14 8D B1 F6 9B EF 2488 00060: 82 2B E9 07 96 37 44 95 75 36 3F A7 07 F8 40 22 2490 The result ciphertext C = P (xor) MSB_{|P|}(G): 2491 00000: 9D 80 85 C6 F2 36 12 3F 71 51 D5 2B 24 33 D4 D4 2492 00010: F6 B7 87 89 1C 41 78 9A AB 45 9B D3 1E DB 76 AB 2493 00020: 5B 25 6C C2 50 E1 05 1C 84 24 C6 34 DC 0B 29 71 2494 00030: 01 06 22 FA 07 AA 76 3E 1B D3 F3 54 4F 58 4A C6 2495 00040: 9B 4D 38 DA 9F 33 CB 56 65 A2 ED 8F CB 66 84 CA 2496 00050: 82 B6 08 F9 D3 1B 00 7F 6A 82 EB 87 B1 E7 B9 DC 2497 00060: D7 4D 9E 8F 0F 9D FF 59 9B C9 35 A7 16 DA 73 66 2499 GCM-ACPKM-Master mode with AES-256 2500 ********************************** 2501 k = 192 2502 n = 128 2503 c for the CTR-ACPKM mode = 64 2504 c for the GCM-ACPKM-Master mode = 32 2505 T* = 384 2506 N = 256 2508 Initila Key K: 2509 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2510 00010: 00 00 00 00 00 00 00 00 2512 Additional data A: 2513 00000: 11 22 33 2515 Plaintext: 2516 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2517 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2518 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2519 00030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2520 00040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2522 ICN: 2523 00000: 00 00 00 00 00 00 00 00 00 00 00 00 2525 Number of sections: 3 2527 K^1 | K^2 | K^3: 2528 00000: 93 BA AF FB 35 FB E7 39 C1 7C 6A C2 2E EC F1 8F 2529 00010: 7B 89 F0 BF 8B 18 07 05 96 48 68 9F 36 A7 65 CC 2530 00020: CD 5D AC E2 0D 47 D9 18 D7 86 D0 41 A8 3B AB 99 2531 00030: F5 F8 B1 06 D2 71 78 B1 B0 08 C9 99 0B 72 E2 87 2532 00040: 5A 2D 3C BE F1 6E 67 3C 2534 Encrypted GCTR_1 | ... | GCTR_5 2535 00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52 2536 00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8 2537 00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE 2538 00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14 2539 00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08 2541 Ciphertext C: 2543 00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52 2544 00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8 2545 00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE 2546 00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14 2547 00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08 2549 GHASH input: 2550 00000: 11 22 33 00 00 00 00 00 00 00 00 00 00 00 00 00 2551 00010: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52 2552 00020: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8 2553 00030: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE 2554 00040: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14 2555 00050: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08 2556 00060: 00 00 00 00 00 00 00 18 00 00 00 00 00 00 02 80 2558 GHASH output S: 2559 00000: 6E A3 4B D5 6A C5 40 B7 3E 55 D5 86 D1 CC 09 7D 2561 Authentication tag T: 2562 00050: CC 3A BA 11 8C E7 85 FD 77 78 94 D4 B5 20 69 F8 2564 The result C | T: 2565 00000: 43 FA 71 81 64 B1 E3 D7 1E 7B 65 39 A7 02 1D 52 2566 00010: 69 9B 9E 1B 43 24 B7 52 95 74 E7 90 F2 BE 60 E8 2567 00020: 11 62 C9 90 2A 2B 77 7F D9 6A D6 1A 99 E0 C6 DE 2568 00030: 4B 91 D4 29 E3 1A 8C 11 AF F0 BC 47 F6 80 AF 14 2569 00040: 40 1C C1 18 14 63 8E 76 24 83 37 75 16 34 70 08 2570 00050: CC 3A BA 11 8C E7 85 FD 77 78 94 D4 B5 20 69 F8 2572 CBC-ACPKM-Master mode with AES-256 2573 ********************************** 2574 k = 256 2575 n = 128 2576 c for the CTR-ACPKM mode = 64 2577 N = 256 2578 T* = 512 2580 Initial key K: 2581 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2582 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2584 Initial vector IV: 2585 00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 2587 Plaintext P: 2589 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2590 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2591 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2592 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2593 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2594 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2595 00060: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 2597 K^1 | K^2 | K^3 | K^4: 2598 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2599 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2600 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2601 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2602 00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2603 00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2604 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2605 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2607 Section_1 2609 K^1: 2610 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2611 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2613 Plaintext block P_1: 2614 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2616 Input block P_1 (xor) C_0: 2617 00000: 03 16 65 3C C5 CD B9 F0 5E 5C 1E 18 5E 5A 98 9A 2619 Output block C_1: 2620 00000: 59 CB 5B CA C2 69 2C 60 0D 46 03 A0 C7 40 C9 7C 2622 Plaintext block P_2: 2623 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2625 Input block P_2 (xor) C_1: 2626 00000: 59 DA 79 F9 86 3C 4A 17 85 DF A9 1B 0B AE 36 76 2628 Output block C_2: 2629 00000: 80 B6 02 74 54 8B F7 C9 78 1F A1 05 8B F6 8B 42 2631 Section_2 2633 K^2: 2634 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2635 00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2636 Plaintext block P_3: 2637 00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2639 Input block P_3 (xor) C_2: 2640 00000: 91 94 31 30 01 ED 80 41 E1 B5 1A C9 65 09 81 42 2642 Output block C_3: 2643 00000: 8C 24 FB CF 68 15 B1 AF 65 FE 47 75 95 B4 97 59 2645 Plaintext block P_4: 2646 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2648 Input block P_4 (xor) C_3: 2649 00000: AE 17 BF 9A 0E 62 39 36 CF 45 8B 9B 6A BE 97 48 2651 Output block C_4: 2652 00000: 19 65 A5 00 58 0D 50 23 72 1B E9 90 E1 83 30 E9 2654 Section_3 2656 K^3: 2657 00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2658 00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2660 Plaintext block P_5: 2661 00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2663 Input block P_5 (xor) C_4: 2664 00000: 2A 21 F0 66 2F 85 C9 89 C9 D7 07 6F EB 83 21 CB 2666 Output block C_5: 2667 00000: 56 D8 34 F4 6F 0F 4D E6 20 53 A9 5C B5 F6 3C 14 2669 Plaintext block P_6: 2670 00000: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2672 Input block P_6 (xor) C_5: 2673 00000: 12 8D 52 83 E7 96 E7 5D EC BD 56 56 B5 E7 1E 27 2675 Output block C_6: 2676 00000: 66 68 2B 8B DD 6E B2 7E DE C7 51 D6 2F 45 A5 45 2678 Section_4 2680 K^4: 2681 00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2682 00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2683 Plaintext block P_7: 2684 00000: 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 44 2686 Input block P_7 (xor) C_6: 2687 00000: 33 0E 5C 03 44 C4 09 B2 30 38 5B D6 3E 67 96 01 2689 Output block C_7: 2690 00000: 7F 4D 87 F9 CA E9 56 09 79 C4 FA FE 34 0B 45 34 2692 Cipher text C: 2693 00000: 59 CB 5B CA C2 69 2C 60 0D 46 03 A0 C7 40 C9 7C 2694 00010: 80 B6 02 74 54 8B F7 C9 78 1F A1 05 8B F6 8B 42 2695 00020: 8C 24 FB CF 68 15 B1 AF 65 FE 47 75 95 B4 97 59 2696 00030: 19 65 A5 00 58 0D 50 23 72 1B E9 90 E1 83 30 E9 2697 00040: 56 D8 34 F4 6F 0F 4D E6 20 53 A9 5C B5 F6 3C 14 2698 00050: 66 68 2B 8B DD 6E B2 7E DE C7 51 D6 2F 45 A5 45 2699 00060: 7F 4D 87 F9 CA E9 56 09 79 C4 FA FE 34 0B 45 34 2701 CFB-ACPKM-Master mode with AES-256 2702 ********************************** 2703 k = 256 2704 n = 128 2705 c for the CTR-ACPKM mode = 64 2706 N = 256 2707 T* = 512 2709 Initial key K: 2710 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2711 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2713 Initial vector IV: 2714 00000: 12 34 56 78 90 AB CE F0 A1 B2 C3 D4 E5 F0 01 12 2716 Plaintext P: 2717 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2718 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2719 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2720 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2721 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2722 00050: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2723 00060: 55 66 77 88 99 AA BB CC 2725 K^1 | K^2 | K^3 | K^4 2726 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2727 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2728 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2729 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2730 00040: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2731 00050: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2732 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2733 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2735 Section_1 2737 K^1: 2738 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2739 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2741 Plaintext block P_1: 2742 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2744 Encrypted block E_{K^1}(C_0): 2745 00000: 1C 39 9D 59 F8 5D 91 91 A9 D2 12 9F 63 15 90 03 2747 Output block C_1 = E_{K^1}(C_0) (xor) P_1: 2748 00000: 0D 1B AE 1D AD 3B E6 91 56 3C CF 53 D8 BF 09 8B 2750 Plaintext block P_2: 2751 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2753 Encrypted block E_{K^1}(C_1): 2754 00000: 6B A2 C5 42 52 69 C6 0B 15 14 06 87 90 46 F6 2E 2756 Output block C_2 = E_{K^1}(C_1) (xor) P_2: 2757 00000: 6B B3 E7 71 16 3C A0 7C 9D 8D AC 3C 5C A8 09 24 2759 Section_2 2761 K^2: 2762 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2763 00010: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2765 Plaintext block P_3: 2766 00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2768 Encrypted block E_{K^2}(C_2): 2769 00000: 95 45 5F DB C3 9E 0A 13 9F CB 10 F5 BD 79 A3 88 2771 Output block C_3 = E_{K^2}(C_2) (xor) P_3: 2772 00000: 84 67 6C 9F 96 F8 7D 9B 06 61 AB 39 53 86 A9 88 2774 Plaintext block P_4: 2775 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2776 Encrypted block E_{K^2}(C_3): 2777 00000: E0 AA 32 5D 80 A4 47 95 BA 42 BF 63 F8 4A C8 B2 2779 Output block C_4 = E_{K^2}(C_3) (xor) P_4: 2780 00000: C2 99 76 08 E6 D3 CF 0C 10 F9 73 8D 07 40 C8 A3 2782 Section_3 2784 K^3: 2785 00000: E8 76 2B 30 8B 08 EB CE 3E 93 9A C2 C0 3E 76 D4 2786 00010: 60 9A AB D9 15 33 13 D3 CF D3 94 E7 75 DF 3A 94 2788 Plaintext block P_5: 2789 00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2791 Encrypted block E_{K^3}(C_4): 2792 00000: FE 42 8C 70 C2 51 CE 13 36 C1 BF 44 F8 49 66 89 2794 Output block C_5 = E_{K^3}(C_4) (xor) P_5: 2795 00000: CD 06 D9 16 B5 D9 57 B9 8D 0D 51 BB F2 49 77 AB 2797 Plaintext block P_6: 2798 00000: 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 33 2800 Encrypted block E_{K^3}(C_5): 2801 00000: 01 24 80 87 86 18 A5 43 11 0A CC B5 0A E5 02 A3 2803 Output block C_6 = E_{K^3}(C_5) (xor) P_6: 2804 00000: 45 71 E6 F0 0E 81 0F F8 DD E4 33 BF 0A F4 20 90 2806 Section_4 2808 K^4: 2809 00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2810 00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2812 Plaintext block P_7: 2813 00000: 55 66 77 88 99 AA BB CC 2815 Encrypted block MSB_{|P_7|}(E_{K^4}(C_6)): 2816 00000: 97 5C 96 37 55 1E 8C 7F 2818 Output block C_7 = MSB_{|P_7|}(E_{K^4}(C_6)) (xor) P_7 2819 00000: C2 3A E1 BF CC B4 37 B3 2821 Cipher text C: 2822 00000: 0D 1B AE 1D AD 3B E6 91 56 3C CF 53 D8 BF 09 8B 2823 00010: 6B B3 E7 71 16 3C A0 7C 9D 8D AC 3C 5C A8 09 24 2824 00020: 84 67 6C 9F 96 F8 7D 9B 06 61 AB 39 53 86 A9 88 2825 00030: C2 99 76 08 E6 D3 CF 0C 10 F9 73 8D 07 40 C8 A3 2826 00040: CD 06 D9 16 B5 D9 57 B9 8D 0D 51 BB F2 49 77 AB 2827 00050: 45 71 E6 F0 0E 81 0F F8 DD E4 33 BF 0A F4 20 90 2828 00060: C2 3A E1 BF CC B4 37 B3 2830 OMAC-ACPKM-Master mode with AES-256 2831 *********************************** 2832 k = 256 2833 n = 128 2834 c for the CTR-ACPKM mode = 64 2835 N = 256 2836 T* = 768 2838 Initial key K: 2839 00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 2840 00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2842 Plaintext M: 2843 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2844 00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2845 00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2846 00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2847 00040: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2849 K^1 | K^1_1 | K^2 | K^2_1 | K^3 | K^3_1: 2850 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2851 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2852 00020: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2853 00030: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2854 00040: 9D CC 66 42 0D FF 45 5B 21 F3 93 F0 D4 D6 6E 67 2855 00050: BB 1B 06 0B 87 66 6D 08 7A 9D A7 49 55 C3 5B 48 2856 00060: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2857 00070: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2858 00080: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07 2860 Section_1 2862 K^1: 2863 00000: 9F 10 BB F1 3A 79 FB BD 4A 4C A8 64 C4 90 74 64 2864 00010: 39 FE 50 6D 4B 86 9B 21 03 A3 B6 A4 79 28 3C 60 2866 K^1_1: 2867 00000: 77 91 17 50 E0 D1 77 E5 9A 13 78 2B F1 89 08 D0 2868 Plaintext block M_1: 2869 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2871 Input block M_1 (xor) C_0: 2872 00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88 2874 Output block C_1: 2875 00000: 0B A5 89 BF 55 C1 15 42 53 08 89 76 A0 FE 24 3E 2877 Plaintext block M_2: 2878 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 2880 Input block M_2 (xor) C_1: 2881 00000: 0B B4 AB 8C 11 94 73 35 DB 91 23 CD 6C 10 DB 34 2883 Output block C_2: 2884 00000: 1C 53 DD A3 6D DC E1 17 ED 1F 14 09 D8 6A F3 2C 2886 Section_2 2888 K^2: 2889 00000: AB 6B 59 EE 92 49 05 B3 AB C7 A4 E3 69 65 76 C3 2890 00010: 9D CC 66 42 0D FF 45 5B 21 F3 93 F0 D4 D6 6E 67 2892 K^2_1: 2893 00000: BB 1B 06 0B 87 66 6D 08 7A 9D A7 49 55 C3 5B 48 2895 Plaintext block M_3: 2896 00000: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 2898 Input block M_3 (xor) C_2: 2899 00000: 0D 71 EE E7 38 BA 96 9F 74 B5 AF C5 36 95 F9 2C 2901 Output block C_3: 2902 00000: 4E D4 BC A6 CE 6D 6D 16 F8 63 85 13 E0 48 59 75 2904 Plaintext block M_4: 2905 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 2907 Input block M_4 (xor) C_3: 2908 00000: 6C E7 F8 F3 A8 1A E5 8F 52 D8 49 FD 1F 42 59 64 2910 Output block C_4: 2911 00000: B6 83 E3 96 FD 30 CD 46 79 C1 8B 24 03 82 1D 81 2913 Section_3 2915 K^3: 2917 00000: F2 EE 91 45 6B DC 3D E4 91 2C 87 C3 29 CF 31 A9 2918 00010: 2F 20 2E 5A C4 9A 2A 65 31 33 D6 74 8C 4F F9 12 2920 K^3_1: 2921 00000: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07 2923 MSB1(K1) == 0 -> K2 = K1 << 1 2925 K1: 2926 00000: 78 21 C7 C7 6C BD 79 63 56 AC F8 8E 69 6A 00 07 2928 K2: 2929 00000: F0 43 8F 8E D9 7A F2 C6 AD 59 F1 1C D2 D4 00 0E 2931 Plaintext M_5: 2932 00000: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 2934 Using K1, padding is not required 2936 Input block M_5 (xor) C_4: 2937 00000: FD E6 71 37 E6 05 2D 8F 94 A1 9D 55 60 E8 0C A4 2939 Output block C_5: 2940 00000: B3 AD B8 92 18 32 05 4C 09 21 E7 B8 08 CF A0 B8 2942 Message authentication code T: 2943 00000: B3 AD B8 92 18 32 05 4C 09 21 E7 B8 08 CF A0 B8 2945 Appendix B. Contributors 2947 o Russ Housley 2948 Vigil Security, LLC 2949 housley@vigilsec.com 2951 o Evgeny Alekseev 2952 CryptoPro 2953 alekseev@cryptopro.ru 2955 o Ekaterina Smyshlyaeva 2956 CryptoPro 2957 ess@cryptopro.ru 2959 o Shay Gueron 2960 University of Haifa, Israel 2961 Intel Corporation, Israel Development Center, Israel 2962 shay.gueron@gmail.com 2964 o Daniel Fox Franke 2965 Akamai Technologies 2966 dfoxfranke@gmail.com 2968 o Lilia Ahmetzyanova 2969 CryptoPro 2970 lah@cryptopro.ru 2972 Appendix C. Acknowledgments 2974 We thank Mihir Bellare, Scott Fluhrer, Dorothy Cooley, Yoav Nir, Jim 2975 Schaad, Paul Hoffman, Dmitry Belyavsky, Yaron Sheffer, Alexey 2976 Melnikov and Spencer Dawkins for their useful comments. 2978 Author's Address 2980 Stanislav Smyshlyaev (editor) 2981 CryptoPro 2982 18, Suschevskiy val 2983 Moscow 127018 2984 Russian Federation 2986 Phone: +7 (495) 995-48-20 2987 Email: svs@cryptopro.ru