idnits 2.17.1

draft-kato-camellia-ctrccm-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate. You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 17.

  -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
     line 1400.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1411.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1418.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1424.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 2 instances of too long lines in the document, the longest one
     being 4 characters in excess of 72.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust Copyright Line does not match the
     current year

  == Line 380 has weird spacing: '...encrypt l(m) ...'

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (June 24, 2008) is 5756 days in the past. Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Missing Reference: '0001' is mentioned on line 1261, but not defined

  == Missing Reference: '0002' is mentioned on line 1262, but not defined

  -- Looks like a reference, but probably isn't: 'Encrypted' on line 1264

  -- Obsolete informational reference (is this intentional?): RFC 4132 (ref.
     '5') (Obsoleted by RFC 5932)

  -- Obsolete informational reference (is this intentional?): RFC 4051 (ref.
     '7') (Obsoleted by RFC 6931)

  Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 10 comments (--).

  Run idnits with the --verbose option for more detailed information about
  the items above.

--------------------------------------------------------------------------------

Network Working Group                                            A. Kato
Internet-Draft                                  NTT Software Corporation
Intended status: Informational                                  M. Kanda
Expires: December 26, 2008                Nippon Telegraph and Telephone
                                                             Corporation
                                                           June 24, 2008

 Camellia Counter mode and Camellia Counter with CBC Mac mode algorithms
                      draft-kato-camellia-ctrccm-02

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 26, 2008.

Abstract

   This document describes the algorithms and test vectors of the
   Camellia block cipher algorithm in Counter mode and Counter with
   Cipher Block Chaining MAC mode. The purpose of this document is to
   make the Camellia-CTR and Camellia-CCM algorithms conveniently
   available to the Internet Community.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  The Camellia Cipher Algorithm
     2.1.  Key Size
     2.2.  Weak Keys
     2.3.  Block Size and Padding
     2.4.  Performance
   3.  Modes of Operation
     3.1.  Definitions
     3.2.  Counter
       3.2.1.  Camellia-CTR
     3.3.  Counter with CBC-MAC
       3.3.1.  Two main parameters
       3.3.2.  Inputs
       3.3.3.  Authentication
       3.3.4.  Encryption
       3.3.5.  Output
       3.3.6.  Decryption and Authentication Checking
   4.  Test Vectors
     4.1.  Camellia-CTR
     4.2.  Camellia-CCM
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative
     8.2.  Informative
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   This document describes the use of the Camellia block cipher
   algorithm in Counter (CTR) mode and Counter with CBC-MAC (CCM) mode.

   Camellia is a symmetric cipher with a Feistel structure. Camellia
   was developed jointly by NTT and Mitsubishi Electric Corporation in
   2000. It was designed to withstand all known cryptanalytic attacks,
   and it has been scrutinized by worldwide cryptographic experts.
   Camellia is suitable for implementation in software and hardware,
   offering encryption speed in software and hardware implementations
   that is comparable to Advanced Encryption Standard (AES) [3].

   Camellia supports 128-bit block size and 128-, 192-, and 256-bit key
   lengths, i.e., the same interface specifications as the AES.
   Therefore, it is easy to implement Camellia based algorithms by
   replacing the AES block of AES based algorithms with a Camellia
   block.

   Camellia already has been adopted by the IETF and other international
   standardization organizations; in particular, the IETF has published
   specifications for the use of Camellia with IPsec [4], TLS [5],
   S/MIME [6] and XML [7]. Camellia is one of the three ISO/IEC
   international standard [8] 128-bit block ciphers (Camellia, AES, and
   SEED).
   Camellia was selected as a recommended cryptographic
   primitive by the EU NESSIE (New European Schemes for Signatures,
   Integrity and Encryption) project [9] and was included in the list of
   cryptographic techniques for Japanese e-Government systems that was
   selected by the Japanese CRYPTREC (Cryptography Research and
   Evaluation Committees) [10].

   Since optimized source code is provided under several open source
   licenses [11], Camellia is also adopted by several open source
   projects (OpenSSL, FreeBSD, Linux, and Firefox Gran Paradiso).

   The algorithm specification and object identifiers are described in
   [1]. The Camellia web site [12] contains a wealth of information
   about Camellia, including detailed specification, security analysis,
   performance figures, reference implementation, optimized
   implementation, test vectors (TV), and intellectual property
   information.

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [2].

   All multi-octet values in this document are encoded and represented
   in network byte order, i.e., most significant octet first.

2.  The Camellia Cipher Algorithm

   All symmetric block cipher algorithms share common characteristics
   and variables, including mode, key size, weak keys, block size, and
   rounds. The following sections contain descriptions of the relevant
   characteristics of Camellia.

   The algorithm specification and object identifiers are described in
   [1].

2.1.  Key Size

   Camellia supports three key sizes: 128 bits, 192 bits, and 256 bits.
   The default key size is 128 bits, and all implementations MUST
   support this key size. Implementations MAY also support key sizes of
   192 bits and 256 bits.

   Camellia uses a different number of rounds for each of the defined
   key sizes.
   When a 128-bit key is used, implementations MUST use 18
   rounds. When 192- or 256-bit keys are used, implementations MUST use
   24 rounds.

2.2.  Weak Keys

   At the time of writing this document there are no known weak keys for
   Camellia.

2.3.  Block Size and Padding

   Camellia uses a block size of 16 octets (128 bits).

   Padding is required by the algorithm to maintain a 16-octet (128-bit)
   block size. Padding MUST be added such that the data to be encrypted
   (which includes the ESP Pad Length and Next Header fields) has a
   length that is a multiple of 16 octets.

   Because of the algorithm specific padding requirement, no additional
   padding is required to ensure that the ciphertext terminates on a
   4-octet boundary (i.e. maintaining a 16-octet block size guarantees
   that the ESP Pad Length and Next Header fields will be right aligned
   within a 4-octet word). Additional padding MAY be included as long
   as the 16-octet block size is maintained.

2.4.  Performance

   Performance figures for Camellia are available at [12]. The NESSIE
   project has reported on the performance of optimized implementations
   independently [9].

3.  Modes of Operation

   Camellia Counter (Camellia-CTR) mode and Camellia Counter with
   CBC-MAC (Camellia-CCM) mode are discussed in this specification.

   CTR mode [13] behaves like a stream cipher, but is based on a block
   cipher primitive (that is, CTR mode operation of a block cipher
   results in a stream cipher).

   CCM mode [14][15] is a generic authenticate-and-encrypt block cipher
   mode. In this specification, CCM is used with the Camellia [1] block
   cipher.

3.1.  Definitions

   l(X)     Octet length of variable X.

   K        Camellia key. Valid values of l(K) are 16, 24 and 32.

   Camellia(K, X)
            Output of the Camellia encryption algorithm under the fresh
            key K applied to the data block X.

   N        Nonce.

   PT[n]    n-th plaintext block, obtained by splitting the plaintext
            into 128-bit units.

   CT[n]    n-th ciphertext block, obtained by splitting the ciphertext
            into 128-bit units.

   X || Y   Concatenation of two octet strings X and Y.

   X XOR Y  Bitwise exclusive-OR of two octet strings X and Y of the
            same length.

   M        Number of octets in the authentication field. Valid values
            of M are 4, 6, 8, 10, 12, 14, and 16.

   M'       3-bit number calculated as M/2-1.

   L        Number of octets in the length field. Valid values are
            from 2 to 8. This number limits the maximum length of the
            message and the length of N.

   L'       3-bit number calculated as L-1.

   m        Message to authenticate and encrypt. l(m) < 2^(8*L).

   AAD      Additional authenticated data. 0 <= l(AAD) < 2^64.

3.2.  Counter

3.2.1.  Camellia-CTR

   Camellia-CTR requires the encryptor to generate a unique per-packet
   value, and communicate this value to the decryptor. This
   specification calls this per-packet value an initialization vector
   (IV). The same IV and key combination MUST NOT be used more than
   once. The encryptor can generate the IV in any manner that ensures
   uniqueness. Common approaches to IV generation include incrementing
   a counter for each packet and linear feedback shift registers
   (LFSRs).

   This specification calls for the use of a nonce for additional
   protection against precomputation attacks. The nonce value need not
   be secret. However, the nonce MUST be unpredictable prior to the
   establishment of the IPsec security association that is making use of
   Camellia-CTR.

   Camellia-CTR has many properties that make it an attractive
   encryption algorithm for use in high-speed networking. Camellia-CTR
   uses the Camellia block cipher to behave like a stream cipher. Data
   is encrypted and decrypted by XORing with the key stream produced by
   Camellia encrypting sequential counter block values.
   Camellia-CTR is
   easy to implement, and Camellia-CTR can be pipelined and
   parallelized. Camellia-CTR also supports key stream precomputation.

   Pipelining is possible because Camellia has multiple rounds (see
   Section 2). A hardware implementation (and some software
   implementations) can create a pipeline by unwinding the loop implied
   by this round structure. For example, after a 16-octet block has
   been input, one round later another 16-octet block can be input, and
   so on. In Camellia-CTR, these inputs are the sequential counter
   block values used to generate the key stream.

   Multiple independent Camellia encrypt implementations can also be
   used to improve performance. For example, one could use two Camellia
   encrypt implementations in parallel, to process a sequence of counter
   block values, doubling the effective throughput.

   The sender can precompute the key stream. Since the key stream does
   not depend on any data in the packet, the key stream can be
   precomputed once the nonce and IV are assigned. This precomputation
   can reduce packet latency. The receiver cannot perform similar
   precomputation because the IV will not be known before the packet
   arrives.

   When used correctly, Camellia-CTR provides a high level of
   confidentiality. Unfortunately, Camellia-CTR is easy to use
   incorrectly. Being a stream cipher, any reuse of the per-packet
   value, called the IV, with the same nonce and key is catastrophic.
   An IV collision immediately leaks information about the plaintext in
   both packets. For this reason, it is inappropriate to use this mode
   of operation with static keys. Extraordinary measures would be
   needed to prevent reuse of an IV value with the static key across
   power cycles. To be safe, implementations MUST use fresh keys with
   Camellia-CTR.

   With Camellia-CTR, it is trivial to use a valid ciphertext to forge
   other (valid to the decryptor) ciphertexts.
   Thus, it is equally
   catastrophic to use Camellia-CTR without a companion authentication
   function. Implementations MUST use Camellia-CCM in such a case.

   To encrypt a payload with Camellia-CTR, the encryptor partitions the
   plaintext, PT, into 128-bit blocks. The final block need not be 128
   bits; it can be less.

      PT = PT[1] || PT[2] || ... || PT[n]

   Each PT block is XORed with a block of the key stream to generate the
   ciphertext, CT. The Camellia encryption of each counter block
   results in 128 bits of key stream. The most significant 96 bits of
   the counter block are set to the nonce value, which is 32 bits,
   followed by the per-packet IV value, which is 64 bits. ONE is the
   32-bit block counter with only its least significant bit set, i.e.,
   the value one; it occupies the least significant 32 bits of the
   counter block. This counter value is incremented by one to generate
   subsequent counter blocks, each resulting in another 128 bits of key
   stream. The encryption of n plaintext blocks can be summarized as:

      CTRBLK := N || IV || ONE
      FOR i := 1 to n-1 DO
        CT[i] := PT[i] XOR Camellia(K, CTRBLK)
        CTRBLK := CTRBLK + 1
      END
      CT[n] := PT[n] XOR TRUNC(Camellia(K, CTRBLK))

   The TRUNC() function truncates the output of the Camellia encrypt
   operation to the same length as the final plaintext block, returning
   the most significant bits.

   Decryption is similar. The decryption of n ciphertext blocks can be
   summarized as:

      CTRBLK := N || IV || ONE
      FOR i := 1 to n-1 DO
        PT[i] := CT[i] XOR Camellia(K, CTRBLK)
        CTRBLK := CTRBLK + 1
      END
      PT[n] := CT[n] XOR TRUNC(Camellia(K, CTRBLK))

3.3.  Counter with CBC-MAC

3.3.1.  Two main parameters

   For the generic CCM mode, there are two parameter choices. The first
   choice is M, the size of the authentication field. The choice of the
   value for M involves a trade-off between message expansion and the
   probability that an attacker can undetectably modify a message.
   Valid values are 4, 6, 8, 10, 12, 14, and 16 octets. The second
   choice is L, the size of the length field. This value requires a
   trade-off between the maximum message size and the size of the Nonce.
   Different applications require different trade-offs, so L is a
   parameter. Valid values of L range from 2 to 8 (the value L=1 is
   reserved).

      Name  Description                               Size    Encoding
      ----  ----------------------------------------  ------  --------
      M     Number of octets in authentication field  3 bits  M/2-1
      L     Number of octets in length field          3 bits  L-1

3.3.2.  Inputs

   To authenticate and encrypt a message, the following information is
   required:

   1.  An encryption key K suitable for the block cipher.

   2.  A nonce N of 15-L octets. Within the scope of any encryption
       key K, the nonce value MUST be unique. That is, the set of
       nonce values used with any given key MUST NOT contain any
       duplicate values. Using the same nonce for two different
       messages encrypted with the same key destroys the security
       properties of this mode.

   3.  The message m, consisting of a string of l(m) octets where 0 <=
       l(m) < 2^(8*L). The length restriction ensures that l(m) can be
       encoded in a field of L octets.

   4.  The additional authenticated data AAD where 0 <= l(AAD) < 2^64.
       This additional data is authenticated but not encrypted, and is
       not included in the output of this mode. It can be used to
       authenticate plaintext packet headers, or contextual information
       that affects the interpretation of the message. Users who do
       not wish to authenticate additional data can provide a string of
       length zero.

   The inputs are summarized as:

      Name  Description                          Size
      ----  -----------------------------------  -----------------------
      K     Block cipher key                     Depends on block cipher
      N     Nonce                                15-L octets
      m     Message to authenticate and encrypt  l(m) octets
      AAD   Additional authenticated data        l(AAD) octets

3.3.3.  Authentication

   The first step is to compute the authentication field T. This is done
   using CBC-MAC [16]. We first define a sequence of blocks B_0, B_1,
   ..., B_n and then apply CBC-MAC to these blocks.

   The first block B_0 is formatted as follows:

      Octet Number   Contents
      ------------   ---------
      0              Flags
      1 ... 15-L     Nonce N
      16-L ... 15    l(m)

   Within the first block B_0, the Flags field is formatted as follows:

      Bit Number   Contents
      ----------   ----------------------
      7            Reserved (always zero)
      6            Adata
      5 ... 3      M'
      2 ... 0      L'

   Another way to say the same thing is: Flags = 64*Adata + 8*M' + L'.

   The Reserved bit is reserved for future expansions and should always
   be set to zero. The Adata bit is set to zero if l(AAD) = 0, and set
   to one if l(AAD) > 0. The M' field is set to M/2-1. As M can take
   on the even values from 4 to 16, the 3-bit M' field can take on the
   values from one to seven. The 3-bit field MUST NOT have a value of
   zero, which would correspond to a 16-bit integrity check value. The
   L' field encodes the size of the length field used to store l(m).
   The parameter L can take on the values from 2 to 8 (recall, the value
   L=1 is reserved). This value is encoded in the 3-bit L' field using
   the values from one to seven by choosing L' = L-1 (the zero value is
   reserved).

   If l(AAD) > 0 (as indicated by the Adata field), then one or more
   blocks of authentication data are added. These blocks contain l(AAD)
   and AAD encoded in a reversible manner. We first construct a string
   that encodes l(AAD).

   If 0 < l(AAD) < (2^16 - 2^8), then the length field is encoded as two
   octets which contain the value l(AAD).

   If (2^16 - 2^8) <= l(AAD) < 2^32, then the length field is encoded as
   six octets, consisting of the fixed octets 0xff, 0xfe, and four
   octets encoding l(AAD).
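
   Added example, not part of the draft or of any Camellia
   implementation: the Python sketch below builds B_0, the Flags octet,
   the l(AAD) prefix and the zero-padded block sequence defined in this
   section, and runs the CBC-MAC chaining over them. The function names
   are hypothetical, and Camellia(K, .) is replaced by a lookup table
   holding the four input/output blocks printed in the CBC trace of
   Packet Vector #1 (Section 4.2), so a wrongly formatted block fails
   the lookup.

```python
from typing import Callable, List

BLOCK = 16  # Camellia block size in octets


def format_flags(M: int, L: int, has_aad: bool) -> int:
    """Flags octet of B_0: 64*Adata + 8*M' + L', with M' = M/2-1 and L' = L-1."""
    if M not in (4, 6, 8, 10, 12, 14, 16):
        raise ValueError("M must be an even value from 4 to 16")
    if not 2 <= L <= 8:
        raise ValueError("L must be from 2 to 8")
    return 64 * int(has_aad) + 8 * (M // 2 - 1) + (L - 1)


def format_b0(nonce: bytes, msg_len: int, aad_len: int, M: int, L: int) -> bytes:
    """B_0 = Flags || Nonce N (15-L octets) || l(m) (L octets, network order)."""
    flags = format_flags(M, L, aad_len > 0)
    if len(nonce) != 15 - L:
        raise ValueError("nonce must be 15-L octets")
    if not 0 <= msg_len < 2 ** (8 * L):
        raise ValueError("l(m) does not fit in L octets")
    return bytes([flags]) + nonce + msg_len.to_bytes(L, "big")


def encode_aad_length(aad_len: int) -> bytes:
    """Length prefix for l(AAD) > 0: 2, 6 or 10 octets depending on the range."""
    if aad_len <= 0:
        raise ValueError("no prefix is encoded when l(AAD) = 0")
    if aad_len < 2 ** 16 - 2 ** 8:
        return aad_len.to_bytes(2, "big")
    if aad_len < 2 ** 32:
        return b"\xff\xfe" + aad_len.to_bytes(4, "big")
    if aad_len < 2 ** 64:
        return b"\xff\xff" + aad_len.to_bytes(8, "big")
    raise ValueError("l(AAD) must be below 2^64")


def pad_blocks(data: bytes) -> List[bytes]:
    """Split into 16-octet blocks, zero-padding the last; empty input gives none."""
    data += b"\x00" * (-len(data) % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def mac_blocks(nonce: bytes, aad: bytes, msg: bytes, M: int, L: int) -> List[bytes]:
    """The sequence B_0, B_1, ..., B_n that CBC-MAC is applied to."""
    blocks = [format_b0(nonce, len(msg), len(aad), M, L)]
    if aad:
        blocks += pad_blocks(encode_aad_length(len(aad)) + aad)
    return blocks + pad_blocks(msg)


def cbc_mac(encrypt: Callable[[bytes], bytes], blocks: List[bytes], M: int) -> bytes:
    """X_1 := E(B_0); X_i+1 := E(X_i XOR B_i); T := first M octets of X_n+1."""
    x = encrypt(blocks[0])
    for block in blocks[1:]:
        x = encrypt(bytes(a ^ b for a, b in zip(x, block)))
    return x[:M]


# Inputs of Packet Vector #1 (Section 4.2 of this page), which uses M = 8, L = 2.
PV1_NONCE = bytes.fromhex("00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5")
PV1_PACKET = bytes(range(31))                       # 00 01 ... 1E
PV1_AAD, PV1_MSG = PV1_PACKET[:8], PV1_PACKET[8:]   # 8 cleartext header octets

# Stand-in for Camellia(K, .) under the PV #1 key (an assumption of this example):
# the four input/output pairs printed in that vector's CBC trace. Any block built
# differently from the specification misses the table and raises KeyError.
PV1_TRACE = {bytes.fromhex(i): bytes.fromhex(o) for i, o in [
    ("59 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5 00 17",
     "D4 DB CD 92 A8 96 41 56 1D 0D BB D0 D5 7F 7E 1D"),
    ("D4 D3 CD 93 AA 95 45 53 1B 0A BB D0 D5 7F 7E 1D",
     "BD 84 03 80 73 59 37 B7 CE F5 E4 BA 1B 18 54 DC"),
    ("B5 8D 09 8B 7F 54 39 B8 DE E4 F6 A9 0F 0D 42 CB",
     "CE 21 82 9C F6 F2 4D A2 CB 35 D1 FD 81 27 63 EC"),
    ("D6 38 98 87 EA EF 53 A2 CB 35 D1 FD 81 27 63 EC",
     "20 11 FE E2 53 B1 A7 DB 02 77 FA 37 6D 78 EE 10"),
]}


def pv1_tag() -> bytes:
    """Recompute T for Packet Vector #1 through the lookup-table cipher."""
    blocks = mac_blocks(PV1_NONCE, PV1_AAD, PV1_MSG, M=8, L=2)
    return cbc_mac(PV1_TRACE.__getitem__, blocks, M=8)


if __name__ == "__main__":
    for n, block in enumerate(mac_blocks(PV1_NONCE, PV1_AAD, PV1_MSG, 8, 2)):
        print(f"B_{n}: {block.hex(' ').upper()}")
    print("T  :", pv1_tag().hex(" ").upper())
```

   To check a real implementation, pass its single-block Camellia
   encryption function to cbc_mac() in place of the lookup table.
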
   If 2^32 <= l(AAD) < 2^64, then the length field is encoded as ten
   octets, consisting of the octets 0xff, 0xff, and eight octets
   encoding l(AAD).

   The length encoding conventions are summarized in the following
   table.

    First two octets   Followed by         Comment
    -----------------  ------------------  -------------------------------
    0x0000             Nothing             Reserved
    0x0001 ... 0xFEFF  Nothing             2 octets of l(AAD),
                                           for 0 < l(AAD) < (2^16 - 2^8)
    0xFF00 ... 0xFFFD  Nothing             Reserved
    0xFFFE             4 octets of l(AAD)  For (2^16 - 2^8) <= l(AAD) < 2^32
    0xFFFF             8 octets of l(AAD)  For 2^32 <= l(AAD) < 2^64

   The blocks encoding the AAD are formed by concatenating this string
   that encodes l(AAD) with AAD itself, and splitting the result into
   16-octet blocks, and then padding the last block with zeroes if
   necessary. These blocks are appended to the first block B_0.

   After the (optional) additional authentication blocks have been
   added, we add the message blocks. The message blocks are formed by
   splitting the message m into 16-octet blocks, and then padding the
   last block with zeroes if necessary. If the message m consists of
   the empty string, then no blocks are added in this step.

   The result is a sequence of blocks B_0, B_1, ..., B_n. The CBC-MAC
   is computed by:

      X_1 := Camellia( K, B_0 )
      FOR i:=1 to n DO
        X_i+1 := Camellia( K, X_i XOR B_i )
      END
      T := first-M-bytes( X_n+1 )

   where T is the MAC value. Note that the last block B_n is XORed with
   X_n, and the result is encrypted with the block cipher. If needed,
   the ciphertext is truncated to give T.

3.3.4.  Encryption

   To encrypt the message data we use CTR mode. We first define the key
   stream blocks by:

      S_i := Camellia( K, A_i ) for i=0, 1, 2, ...

   The values A_i are formatted as follows, where the Counter field i is
   encoded:

      Octet Number   Contents
      ------------   ---------
      0              Flags
      1 ... 15-L     Nonce N
      16-L ... 15    Counter i

   The Flags field is formatted as follows:

      Bit Number   Contents
      ----------   ----------------------
      7            Reserved (always zero)
      6            Reserved (always zero)
      5 ... 3      Zeroes
      2 ... 0      L'

   Another way to say the same thing is: Flags = L'.

   The Reserved bits are reserved for future expansions and MUST be set
   to zero. Bit 6 corresponds to the Adata bit in the B_0 block, but as
   this bit is not used here, it is reserved and MUST be set to zero.
   Bits 3, 4, and 5 are also set to zero, ensuring that all the A blocks
   are distinct from B_0, which has the non-zero encoding of M in this
   position. Bits 0, 1, and 2 contain L', using the same encoding as in
   B_0.

   The message is encrypted by XORing the octets of message m with the
   first l(m) octets of the concatenation of S_1, S_2, S_3, ... . Note
   that S_0 is not used to encrypt the message.

   The authentication value U is computed by encrypting T with the key
   stream block S_0 and truncating it to the desired length.

      U := T XOR first-M-bytes( S_0 )

3.3.5.  Output

   The final result c consists of the encrypted message followed by the
   encrypted authentication value U.

3.3.6.  Decryption and Authentication Checking

   To decrypt a message the following information is required:

   1.  The encryption key K.

   2.  The nonce N.

   3.  The additional authenticated data AAD.

   4.  The encrypted and authenticated message c.

   Decryption starts by recomputing the key stream to recover the
   message m and the MAC value T. The message and additional
   authentication data are then used to recompute the CBC-MAC value and
   check T.

   If the T value is not correct, the receiver MUST NOT reveal any
   information except for the fact that T is incorrect. The receiver
   MUST NOT reveal the decrypted message, the value T, or any other
   information.

4.  Test Vectors

4.1.  Camellia-CTR

   This section contains nine TVs, which can be used to confirm that an
   implementation has correctly implemented Camellia-CTR. The first
   three TVs use Camellia with a 128-bit key; the next three TVs use
   Camellia with a 192-bit key; and the last three TVs use Camellia with
   a 256-bit key.

   TV #1: Encrypting 16 octets using Camellia-CTR with 128-bit key
   Camellia Key     : AE 68 52 F8 12 10 67 CC 4B F7 A5 76 55 77 F3 9E
   Camellia-CTR IV  : 00 00 00 00 00 00 00 00
   Nonce            : 00 00 00 30
   Plaintext        : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67
   Counter Block (1): 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 01
   Key Stream    (1): 83 F4 AC FD EE 71 41 F8 4C E8 1F 1D FB 72 78 58
   Ciphertext       : D0 9D C2 9A 82 14 61 9A 20 87 7C 76 DB 1F 0B 3F

   TV #2: Encrypting 32 octets using Camellia-CTR with 128-bit key
   Camellia Key     : 7E 24 06 78 17 FA E0 D7 43 D6 CE 1F 32 53 91 63
   Camellia-CTR IV  : C0 54 3B 59 DA 48 D9 0B
   Nonce            : 00 6C B6 DB
   Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
                    : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
   Counter Block (1): 00 6C B6 DB C0 54 3B 59 DA 48 D9 0B 00 00 00 01
   Key Stream    (1): DB F2 C5 8E C4 86 90 D3 D2 75 9A 7C 69 B6 C5 4B
   Counter Block (2): 00 6C B6 DB C0 54 3B 59 DA 48 D9 0B 00 00 00 02
   Key Stream    (2): 3B 9F 9C 1C 25 E5 CA B0 34 6D 0D F8 4F 7D FE 57
   Ciphertext       : DB F3 C7 8D C0 83 96 D4 DA 7C 90 77 65 BB CB 44
                    : 2B 8E 8E 0F 31 F0 DC A7 2C 74 17 E3 53 60 E0 48

   TV #3: Encrypting 36 octets using Camellia-CTR with 128-bit key
   Camellia Key     : 76 91 BE 03 5E 50 20 A8 AC 6E 61 85 29 F9 A0 DC
   Camellia-CTR IV  : 27 77 7F 3F 4A 17 86 F0
   Nonce            : 00 E0 01 7B
   Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
                    : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
                    : 20 21 22 23
   Counter Block (1): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 01
   Key Stream    (1): B1 9C 1D CE CF 70 ED 8F 27 8D 96 E9 41 88 C1 7C
Counter Block (2): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 02 585 Key Stream (2): 8C F7 59 38 48 88 65 E6 57 34 47 86 D2 85 97 D2 586 Counter Block (3): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 03 587 Key Stream (3): FF 71 A4 B5 D8 86 12 53 6A 9D 10 A1 13 0F 14 F8 588 Ciphertext : B1 9D 1F CD CB 75 EB 88 2F 84 9C E2 4D 85 CF 73 589 : 9C E6 4B 2B 5C 9D 73 F1 4F 2D 5D 9D CE 98 89 CD 590 : DF 50 86 96 592 TV #4: Encrypting 16 octets using Camellia-CTR with 192-bit key 593 Camellia Key : 16 AF 5B 14 5F C9 F5 79 C1 75 F9 3E 3B FB 0E ED 594 : 86 3D 06 CC FD B7 85 15 595 Camellia-CTR IV : 36 73 3C 14 7D 6D 93 CB 596 Nonce : 00 00 00 48 597 Plaintext : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67 598 Counter Block (1): 00 00 00 48 36 73 3C 14 7D 6D 93 CB 00 00 00 01 599 Key Stream (1): 70 10 57 F9 E6 E8 0B 49 7A 1F 4C AC AB F3 E5 F1 600 Ciphertext : 23 79 39 9E 8A 8D 2B 2B 16 70 2F C7 8B 9E 96 96 602 TV #5: Encrypting 32 octets using Camellia-CTR with 192-bit key 603 Camellia Key : 7C 5C B2 40 1B 3D C3 3C 19 E7 34 08 19 E0 F6 9C 604 : 67 8C 3D B8 E6 F6 A9 1A 605 Camellia-CTR IV : 02 0C 6E AD C2 CB 50 0D 606 Nonce : 00 96 B0 3B 607 Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 608 : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 609 Counter Block (1): 00 96 B0 3B 02 0C 6E AD C2 CB 50 0D 00 00 00 01 610 Key Stream (1): 7D EE 36 F4 A1 D5 E2 12 6F 42 75 F7 A2 6A C9 52 611 Counter Block (2): 00 96 B0 3B 02 0C 6E AD C2 CB 50 0D 00 00 00 02 612 Key Stream (2): C0 09 AA 7C E6 25 47 F7 4E 20 30 82 EF 47 52 F2 613 Ciphertext : 7D EF 34 F7 A5 D0 E4 15 67 4B 7F FC AE 67 C7 5D 614 : D0 18 B8 6F F2 30 51 E0 56 39 2A 99 F3 5A 4C ED 616 TV #6: Encrypting 36 octets using Camellia-CTR with 192-bit key 617 Camellia Key : 02 BF 39 1E E8 EC B1 59 B9 59 61 7B 09 65 27 9B 618 : F5 9B 60 A7 86 D3 E0 FE 619 Camellia-CTR IV : 5C BD 60 27 8D CC 09 12 620 Nonce : 00 07 BD FD 621 Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 622 : 10 11 12 13 14 15 16 17 18 19 
1A 1B 1C 1D 1E 1F 623 : 20 21 22 23 624 Counter Block (1): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 01 625 Key Stream (1): 57 11 E7 55 E5 4D 7C 27 BD A5 04 78 FD 93 40 77 626 Counter Block (2): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 02 627 Key Stream (2): 66 E2 6D CF 85 A4 F9 5A 55 B4 F2 FD 7A BB 53 11 628 Counter Block (3): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 03 629 Key Stream (3): F5 76 89 74 63 52 A8 C5 1E 82 DE 66 C3 9F 38 34 630 Ciphertext : 57 10 E5 56 E1 48 7A 20 B5 AC 0E 73 F1 9E 4E 78 631 : 76 F3 7F DC 91 B1 EF 4D 4D AD E8 E6 66 A6 4D 0E 632 : D5 57 AB 57 634 TV #7: Encrypting 16 octets using Camellia-CTR with 256-bit key 635 Camellia Key : 77 6B EF F2 85 1D B0 6F 4C 8A 05 42 C8 69 6F 6C 636 : 6A 81 AF 1E EC 96 B4 D3 7F C1 D6 89 E6 C1 C1 04 637 Camellia-CTR IV : DB 56 72 C9 7A A8 F0 B2 638 Nonce : 00 00 00 60 639 Plaintext : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67 640 Counter Block (1): 00 00 00 60 DB 56 72 C9 7A A8 F0 B2 00 00 00 01 641 Key Stream (1): 67 68 97 AF 48 1B DF AC D1 06 F7 1A 6C 76 C8 76 642 Ciphertext : 34 01 F9 C8 24 7E FF CE BD 69 94 71 4C 1B BB 11 644 TV #8: Encrypting 32 octets using Camellia-CTR with 256-bit key 645 Camellia Key : F6 D6 6D 6B D5 2D 59 BB 07 96 36 58 79 EF F8 86 646 : C6 6D D5 1A 5B 6A 99 74 4B 50 59 0C 87 A2 38 84 647 Camellia-CTR IV : C1 58 5E F1 5A 43 D8 75 648 Nonce : 00 FA AC 24 649 Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 650 : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 651 Counter Block (1): 00 FA AC 24 C1 58 5E F1 5A 43 D8 75 00 00 00 01 652 Key Stream (1): D6 C2 01 91 20 6A 7E 0F A0 35 21 29 A4 8E 90 4A 653 Counter Block (2): 00 FA AC 24 C1 58 5E F1 5A 43 D8 75 00 00 00 02 654 Key Stream (2): F5 0D C6 99 08 CA 56 79 A4 85 D8 C8 B7 9E 5F 17 655 Ciphertext : D6 C3 03 92 24 6F 78 08 A8 3C 2B 22 A8 83 9E 45 656 : E5 1C D4 8A 1C DF 40 6E BC 9C C2 D3 AB 83 41 08 658 TV #9: Encrypting 36 octets using Camellia-CTR with 256-bit key 659 Camellia Key : FF 7A 61 7C E6 91 48 
E4 F1 72 6E 2F 43 58 1D E2 660 : AA 62 D9 F8 05 53 2E DF F1 EE D6 87 FB 54 15 3D 661 Camellia-CTR IV : 51 A5 1D 70 A1 C1 11 48 662 Nonce : 00 1C C5 B7 663 Plaintext : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 664 : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 665 : 20 21 22 23 666 Counter Block (1): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 01 667 Key Stream (1): A4 DB 21 FF E2 A0 F9 AD 65 6D A4 91 0A 5F AA 23 668 Counter Block (2): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 02 669 Key Stream (2): C1 70 B1 58 71 EC 71 88 6D D9 05 0B 03 6C 39 70 670 Counter Block (3): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 03 671 Key Stream (3): 35 CE 2F AE 90 78 B3 72 F5 76 12 39 1F 8B AF BF 672 Ciphertext : A4 DA 23 FC E6 A5 FF AA 6D 64 AE 9A 06 52 A4 2C 673 : D1 61 A3 4B 65 F9 67 9F 75 C0 1F 10 1F 71 27 6F 674 : 15 EF 0D 8D 676 4.2. Camellia-CCM 678 This section contains twenty four TVs, which can be used to confirm 679 that an implementation has correctly implemented Camellia-CCM. In 680 each of these TVs, the least significant sixteen bits of the counter 681 block is used for the block counter, and the nonce is 13 octets. 682 Some of the TVs include an eight octet authentication value, and 683 others include a ten octet authentication value. 685 =============== Packet Vector #1 ================== 686 CAM Key: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 687 Nonce = 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5 688 Total packet length = 31. 
   [Input (8 cleartext header octets)]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E
   CBC IV in: 59 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5 00 17
   CBC IV out:D4 DB CD 92 A8 96 41 56 1D 0D BB D0 D5 7F 7E 1D
   After xor: D4 D3 CD 93 AA 95 45 53 1B 0A BB D0 D5 7F 7E 1D [hdr]
   After CAM: BD 84 03 80 73 59 37 B7 CE F5 E4 BA 1B 18 54 DC
   After xor: B5 8D 09 8B 7F 54 39 B8 DE E4 F6 A9 0F 0D 42 CB [msg]
   After CAM: CE 21 82 9C F6 F2 4D A2 CB 35 D1 FD 81 27 63 EC
   After xor: D6 38 98 87 EA EF 53 A2 CB 35 D1 FD 81 27 63 EC [msg]
   After CAM: 20 11 FE E2 53 B1 A7 DB 02 77 FA 37 6D 78 EE 10
   MIC tag  : 20 11 FE E2 53 B1 A7 DB
   CTR Start: 01 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: B2 7A 7B 8E EB 14 3F 0B 82 E2 98 4C 06 44 CC 42
   CTR[0002]: E2 E2 D3 52 98 97 13 45 D1 63 22 90 E7 F8 15 4A
   CTR[MIC ]: DC BF 30 96 38 8C 1E 76
   Total packet length = 39. [Encrypted]
              00 01 02 03 04 05 06 07 BA 73 71 85 E7 19 31 04
              92 F3 8A 5F 12 51 DA 55 FA FB C9 49 84 8A 0D FC
              AE CE 74 6B 3D B9 AD

   =============== Packet Vector #2 ==================
   CAM Key:   C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5
   Total packet length = 32.
   [Input (8 cleartext header octets)]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
   CBC IV in: 59 00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5 00 18
   CBC IV out:07 0B 22 50 8A 24 3C DD 5B BA 54 DB 60 52 88 06
   After xor: 07 03 22 51 88 27 38 D8 5D BD 54 DB 60 52 88 06 [hdr]
   After CAM: 10 FD C2 F2 90 4A 9F 96 B0 4F 62 A4 A1 A9 31 1E
   After xor: 18 F4 C8 F9 9C 47 91 99 A0 5E 70 B7 B5 BC 27 09 [msg]
   After CAM: E4 C8 82 02 89 55 5C 15 CE 7F E4 60 B1 B9 5A 08
   After xor: FC D1 98 19 95 48 42 0A CE 7F E4 60 B1 B9 5A 08 [msg]
   After CAM: D2 96 BA 4F 83 DE B5 DF A2 19 08 F7 47 4E 3C 40
   MIC tag  : D2 96 BA 4F 83 DE B5 DF
   CTR Start: 01 00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: 55 2C 6E B4 82 A2 EF D6 85 37 FE 12 79 0E E6 55
   CTR[0002]: 54 E2 C8 D6 7E 99 91 2C F2 8A D7 8E 83 04 10 36
   CTR[MIC ]: B2 24 93 12 71 9C 36 37
   Total packet length = 40. [Encrypted]
              00 01 02 03 04 05 06 07 5D 25 64 BF 8E AF E1 D9
              95 26 EC 01 6D 1B F0 42 4C FB D2 CD 62 84 8F 33
              60 B2 29 5D F2 42 83 E8

   =============== Packet Vector #3 ==================
   CAM Key:   C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5
   Total packet length = 33.
   [Input (8 cleartext header octets)]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
              20
   CBC IV in: 59 00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5 00 19
   CBC IV out:6F 69 15 DF A6 A0 DF 24 84 A7 37 88 A3 65 F9 2E
   After xor: 6F 61 15 DE A4 A3 DB 21 82 A0 37 88 A3 65 F9 2E [hdr]
   After CAM: 59 5D 99 48 79 04 DA C9 13 93 36 C9 11 A8 09 1D
   After xor: 51 54 93 43 75 09 D4 C6 03 82 24 DA 05 BD 1F 0A [msg]
   After CAM: 1A 43 D7 19 65 43 97 C1 43 6F 4F 11 A7 6C 6B ED
   After xor: 02 5A CD 02 79 5E 89 DE 63 6F 4F 11 A7 6C 6B ED [msg]
   After CAM: 30 0B 06 8A A0 D1 4D C5 9E 44 22 84 82 45 42 0B
   MIC tag  : 30 0B 06 8A A0 D1 4D C5
   CTR Start: 01 00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: 89 FF 69 DD CB 75 76 18 E9 31 24 1B AD 97 BB 02
   CTR[0002]: C4 32 A7 9C CB 4B E9 8D 24 A8 F0 AB C6 87 16 11
   CTR[MIC ]: C5 5A D0 E2 8F F2 E7 83
   Total packet length = 41. [Encrypted]
              00 01 02 03 04 05 06 07 81 F6 63 D6 C7 78 78 17
              F9 20 36 08 B9 82 AD 15 DC 2B BD 87 D7 56 F7 92
              04 F5 51 D6 68 2F 23 AA 46

   =============== Packet Vector #4 ==================
   CAM Key:   C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5
   Total packet length = 31.
   [Input (12 cleartext header octets)]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E
   CBC IV in: 59 00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5 00 13
   CBC IV out:F5 51 CF 6C 7C F7 D4 0B 2B 76 F1 6B 57 F0 19 FE
   After xor: F5 5D CF 6D 7E F4 D0 0E 2D 71 F9 62 5D FB 19 FE [hdr]
   After CAM: 02 2B 21 1B EB 97 02 3B F8 10 7D CC 62 14 E5 7C
   After xor: 0E 26 2F 14 FB 86 10 28 EC 05 6B DB 7A 0D FF 67 [msg]
   After CAM: 48 14 A4 2D 31 25 1C 37 19 C5 6F DD 5A 37 81 42
   After xor: 54 09 BA 2D 31 25 1C 37 19 C5 6F DD 5A 37 81 42 [msg]
   After CAM: CF 85 25 D2 80 D5 F0 09 53 2C 9D 43 4E F3 04 47
   MIC tag  : CF 85 25 D2 80 D5 F0 09
   CTR Start: 01 00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: C6 E2 10 8D 62 00 A2 9C 6F CC 19 1F DF 6B 92 DB
   CTR[0002]: 6C B9 BE EE 1E A2 E9 B3 2D D6 C2 9A E8 26 D5 C2
   CTR[MIC ]: 44 BF B6 E8 E3 31 67 A9
   Total packet length = 39. [Encrypted]
              00 01 02 03 04 05 06 07 08 09 0A 0B CA EF 1E 82
              72 11 B0 8F 7B D9 0F 08 C7 72 88 C0 70 A4 A0 8B
              3A 93 3A 63 E4 97 A0

   =============== Packet Vector #5 ==================
   CAM Key:   C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5
   Total packet length = 32.
   [Input (12 cleartext header octets)]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
   CBC IV in: 59 00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5 00 14
   CBC IV out:73 72 9D 76 7A BD B9 82 60 3A 12 7B EF 26 FB 80
   After xor: 73 7E 9D 77 78 BE BD 87 66 3D 1A 72 E5 2D FB 80 [hdr]
   After CAM: E1 B7 A6 72 E2 5C 87 75 91 21 22 A4 07 13 CD 5B
   After xor: ED BA A8 7D F2 4D 95 66 85 34 34 B3 1F 0A D7 40 [msg]
   After CAM: 13 2F 58 D9 5D 0F 95 B8 90 BF 6F 1D 31 84 54 C7
   After xor: 0F 32 46 C6 5D 0F 95 B8 90 BF 6F 1D 31 84 54 C7 [msg]
   After CAM: 47 8F 1E B0 71 24 8B 13 AF C8 C8 44 E6 0F 88 B6
   MIC tag  : 47 8F 1E B0 71 24 8B 13
   CTR Start: 01 00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: 26 DE B4 D6 5F D4 3C 81 AA 56 98 95 64 09 39 A2
   CTR[0002]: 76 97 69 3A 21 13 0C 39 2E 4E EB BF 48 7B 24 BE
   CTR[MIC ]: C8 2E 65 17 82 15 50 1A
   Total packet length = 40. [Encrypted]
              00 01 02 03 04 05 06 07 08 09 0A 0B 2A D3 BA D9
              4F C5 2E 92 BE 43 8E 82 7C 10 23 B9 6A 8A 77 25
              8F A1 7B A7 F3 31 DB 09

   =============== Packet Vector #6 ==================
   CAM Key:   C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5
   Total packet length = 33.
   [Input (12 cleartext header octets)]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
              20
   CBC IV in: 59 00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5 00 15
   CBC IV out:EB 59 05 CC 3F 52 61 10 26 24 75 93 DD B9 A0 F4
   After xor: EB 55 05 CD 3D 51 65 15 20 23 7D 9A D7 B2 A0 F4 [hdr]
   After CAM: 18 A9 AE A4 3D D2 A9 11 6C 0A E5 4F 40 D1 4D 9F
   After xor: 14 A4 A0 AB 2D C3 BB 02 78 1F F3 58 58 C8 57 84 [msg]
   After CAM: FA C4 13 18 98 54 1B 54 93 9C 64 B8 CB FD 5B 18
   After xor: E6 D9 0D 07 B8 54 1B 54 93 9C 64 B8 CB FD 5B 18 [msg]
   After CAM: 49 E6 E8 ED 32 FB CA 2F 2E 55 CD AF D0 F2 B3 05
   MIC tag  : 49 E6 E8 ED 32 FB CA 2F
   CTR Start: 01 00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: F2 A8 46 04 B5 2E BA C0 D7 51 34 BD D6 54 FC 64
   CTR[0002]: E6 26 A9 24 8B E6 86 CB 92 D6 FB FC 2E F2 91 98
   CTR[MIC ]: E2 D0 49 03 7D 1B 34 07
   Total packet length = 41. [Encrypted]
              00 01 02 03 04 05 06 07 08 09 0A 0B FE A5 48 0B
              A5 3F A8 D3 C3 44 22 AA CE 4D E6 7F FA 3B B7 3B
              AB AB 36 A1 EE 4F E0 FE 28

   =============== Packet Vector #7 ==================
   CAM Key:   C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5
   Total packet length = 31.
   [Input (8 cleartext header octets)]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E
   CBC IV in: 61 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5 00 17
   CBC IV out:AC F1 5D 79 99 1A 15 BF 5C DC F6 C4 45 AE 1F CB
   After xor: AC F9 5D 78 9B 19 11 BA 5A DB F6 C4 45 AE 1F CB [hdr]
   After CAM: E9 C0 AC FD C7 E8 E7 1D FA E8 8B 66 95 9E 01 45
   After xor: E1 C9 A6 F6 CB E5 E9 12 EA F9 99 75 81 8B 17 52 [msg]
   After CAM: 9C FF ED 72 09 A6 7D 2A 48 B7 29 BF D8 BE 39 59
   After xor: 84 E6 F7 69 15 BB 63 2A 48 B7 29 BF D8 BE 39 59 [msg]
   After CAM: 4F 41 FA DE B2 58 F3 32 54 0A 55 7A 80 4A A3 F5
   MIC tag  : 4F 41 FA DE B2 58 F3 32 54 0A
   CTR Start: 01 00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: 5C 5A 2A 2D E9 41 1F 95 9D 27 CB FF 7A 0B CF 63
   CTR[0002]: 0E D1 6A 97 57 41 32 4F 33 1B 4A 42 B1 4A 54 63
   CTR[MIC ]: E3 EE 59 62 7D 22 BD 8D C1 79
   Total packet length = 41. [Encrypted]
              00 01 02 03 04 05 06 07 54 53 20 26 E5 4C 11 9A
              8D 36 D9 EC 6E 1E D9 74 16 C8 70 8C 4B 5C 2C AC
              AF A3 BC CF 7A 4E BF 95 73

   =============== Packet Vector #8 ==================
   CAM Key:   C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5
   Total packet length = 32.
   [Input (8 cleartext header octets)]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
   CBC IV in: 61 00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5 00 18
   CBC IV out:AD CA 1C 1D 45 E7 E2 62 58 D5 DA 46 D8 2F 69 3A
   After xor: AD C2 1C 1C 47 E4 E6 67 5E D2 DA 46 D8 2F 69 3A [hdr]
   After CAM: FA DE 0E B4 3E CA C1 E9 69 BB 8C A4 7C 0D 80 8F
   After xor: F2 D7 04 BF 32 C7 CF E6 79 AA 9E B7 68 18 96 98 [msg]
   After CAM: D2 87 35 C2 D0 E4 AE 4E BC C2 99 FF B3 77 F8 A1
   After xor: CA 9E 2F D9 CC F9 B0 51 BC C2 99 FF B3 77 F8 A1 [msg]
   After CAM: BD F6 FB 55 9E 90 C0 E7 DF 4B 0C 37 DC 42 32 A2
   MIC tag  : BD F6 FB 55 9E 90 C0 E7 DF 4B
   CTR Start: 01 00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: 82 D8 91 0B 16 8A DF 47 E4 C8 39 FC 20 47 4A DB
   CTR[0002]: FB BF 26 7E 0E BB EB 6A 07 4E 29 CF 3D 12 E6 DB
   CTR[MIC ]: CE 7E 1F C4 A0 61 87 E6 2B 0A
   Total packet length = 42. [Encrypted]
              00 01 02 03 04 05 06 07 8A D1 9B 00 1A 87 D1 48
              F4 D9 2B EF 34 52 5C CC E3 A6 3C 65 12 A6 F5 75
              73 88 E4 91 3E F1 47 01 F4 41

   =============== Packet Vector #9 ==================
   CAM Key:   C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5
   Total packet length = 33.
   [Input (8 cleartext header octets)]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
              20
   CBC IV in: 61 00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5 00 19
   CBC IV out:D0 A9 A5 94 00 63 86 40 11 0D DB 40 CA F8 4A 9C
   After xor: D0 A1 A5 95 02 60 82 45 17 0A DB 40 CA F8 4A 9C [hdr]
   After CAM: 7B CA 4E 2D 79 82 0D 1E 15 22 DD E8 37 B9 B1 F0
   After xor: 73 C3 44 26 75 8F 03 11 05 33 CF FB 23 AC A7 E7 [msg]
   After CAM: 6B 75 9F 83 C0 8F 56 64 F2 FA D5 7F 67 01 B8 21
   After xor: 73 6C 85 98 DC 92 48 7B D2 FA D5 7F 67 01 B8 21 [msg]
   After CAM: 7D B7 BE FF 72 F3 26 74 9E 20 07 28 1E 5B 1A 8A
   MIC tag  : 7D B7 BE FF 72 F3 26 74 9E 20
   CTR Start: 01 00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: 55 B9 87 69 4C 73 60 3E C6 1E 8E B1 D2 11 62 36
   CTR[0002]: 82 D9 A4 4B DC C9 BB 68 A7 FE 15 A5 19 51 57 87
   CTR[MIC ]: E9 61 5C CF BF D6 EF 8A 21 A7
   Total packet length = 43. [Encrypted]
              00 01 02 03 04 05 06 07 5D B0 8D 62 40 7E 6E 31
              D6 0F 9C A2 C6 04 74 21 9A C0 BE 50 C0 D4 A5 77
              87 94 D6 E2 30 CD 25 C9 FE BF 87

   =============== Packet Vector #10 ==================
   CAM Key:   C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5
   Total packet length = 31.
   [Input (12 cleartext header octets)]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E
   CBC IV in: 61 00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5 00 13
   CBC IV out:B1 85 73 A3 1C 6F EC 01 90 E3 CE 94 27 11 04 B9
   After xor: B1 89 73 A2 1E 6C E8 04 96 E4 C6 9D 2D 1A 04 B9 [hdr]
   After CAM: A6 AD EA 9C FA 3F 76 78 4C 17 8A F3 DC 69 F0 82
   After xor: AA A0 E4 93 EA 2E 64 6B 58 02 9C E4 C4 70 EA 99 [msg]
   After CAM: 35 50 B7 27 78 F8 C6 BF 02 4B 65 60 05 C0 E1 ED
   After xor: 29 4D A9 27 78 F8 C6 BF 02 4B 65 60 05 C0 E1 ED [msg]
   After CAM: 3D B5 A6 E6 85 AF 1C 58 80 B0 32 2E 01 74 91 FC
   MIC tag  : 3D B5 A6 E6 85 AF 1C 58 80 B0
   CTR Start: 01 00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: D7 1C 82 C1 D1 A9 64 0F 93 69 CE 81 22 7E CC E8
   CTR[0002]: A7 A1 42 44 32 4E 69 FE 4C D0 36 65 A5 31 0B AB
   CTR[MIC ]: ED 27 3F 0D 94 5C 0E AA B2 87
   Total packet length = 41. [Encrypted]
              00 01 02 03 04 05 06 07 08 09 0A 0B DB 11 8C CE
              C1 B8 76 1C 87 7C D8 96 3A 67 D6 F3 BB BC 5C D0
              92 99 EB 11 F3 12 F2 32 37

   =============== Packet Vector #11 ==================
   CAM Key:   C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5
   Total packet length = 32.
   [Input (12 cleartext header octets)]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
   CBC IV in: 61 00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5 00 14
   CBC IV out:45 DF B5 07 6F BB 10 EA F1 15 15 AD 21 4F B0 0E
   After xor: 45 D3 B5 06 6D B8 14 EF F7 12 1D A4 2B 44 B0 0E [hdr]
   After CAM: 17 52 F9 6D DD BC 5B 1C 1E EB 80 FC F6 10 AC 03
   After xor: 1B 5F F7 62 CD AD 49 0F 0A FE 96 EB EE 09 B6 18 [msg]
   After CAM: BE F0 A0 B9 EC 94 B6 B3 E8 EC 1B 82 14 14 09 87
   After xor: A2 ED BE A6 EC 94 B6 B3 E8 EC 1B 82 14 14 09 87 [msg]
   After CAM: 70 16 E4 F9 C4 2C 30 10 84 BF EC 69 34 89 91 FD
   MIC tag  : 70 16 E4 F9 C4 2C 30 10 84 BF
   CTR Start: 01 00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: 70 C5 33 82 D4 80 11 41 4F 5D 2B D2 D2 67 B3 B0
   CTR[0002]: 9D 36 6E 49 39 C5 16 76 5C 1C 25 12 81 79 94 70
   CTR[MIC ]: 77 8B 4B 03 1E 3A FC DF A8 F1
   Total packet length = 42. [Encrypted]
              00 01 02 03 04 05 06 07 08 09 0A 0B 7C C8 3D 8D
              C4 91 03 52 5B 48 3D C5 CA 7E A9 AB 81 2B 70 56
              07 9D AF FA DA 16 CC CF 2C 4E

   =============== Packet Vector #12 ==================
   CAM Key:   C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
   Nonce =    00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5
   Total packet length = 33.
   [Input (12 cleartext header octets)]
              00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
              10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
              20
   CBC IV in: 61 00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5 00 15
   CBC IV out:81 E4 EB 1E 50 A9 70 CE 18 CA 1A 4B 68 39 80 2E
   After xor: 81 E8 EB 1F 52 AA 74 CB 1E CD 12 42 62 32 80 2E [hdr]
   After CAM: 04 AB D9 62 34 B9 8F 32 8C 0F 08 3F 3D 87 9D 57
   After xor: 08 A6 D7 6D 24 A8 9D 21 98 1A 1E 28 25 9E 87 4C [msg]
   After CAM: BD A2 EA CB 3A DA 6A E7 9F BB C2 2C E6 4C 98 89
   After xor: A1 BF F4 D4 1A DA 6A E7 9F BB C2 2C E6 4C 98 89 [msg]
   After CAM: B6 FC E1 46 D3 EA DC 91 E0 AB 10 AD D8 55 E7 03
   MIC tag  : B6 FC E1 46 D3 EA DC 91 E0 AB
   CTR Start: 01 00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5 00 01
   CTR[0001]: 20 DE 55 87 30 C3 2C 69 B7 44 A6 FE 37 DE 89 7C
   CTR[0002]: 3F 96 32 D8 68 6D C2 B5 22 97 42 27 EB F9 26 5E
   CTR[MIC ]: 7D 45 AD 6F 94 93 E1 F5 4F DE
   Total packet length = 43. [Encrypted]
              00 01 02 03 04 05 06 07 08 09 0A 0B 2C D3 5B 88
              20 D2 3E 7A A3 51 B0 E9 2F C7 93 67 23 8B 2C C7
              48 CB B9 4C 29 47 79 3D 64 AF 75

   =============== Packet Vector #13 ==================
   CAM Key:   D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
   Nonce =    00 A9 70 11 0E 19 27 B1 60 B6 A3 1C 1C
   Total packet length = 31.
   [Input (8 cleartext header octets)]
              6B 7F 46 45 07 FA E4 96 C6 B5 F3 E6 CA 23 11 AE
              F7 47 2B 20 3E 73 5E A5 61 AD B1 7D 56 C5 A3
   CBC IV in: 59 00 A9 70 11 0E 19 27 B1 60 B6 A3 1C 1C 00 17
   CBC IV out:D7 24 B0 0F B1 87 04 C6 C1 4E 90 37 AA F2 F1 F9
   After xor: D7 2C DB 70 F7 C2 03 3C 25 D8 90 37 AA F2 F1 F9 [hdr]
   After CAM: 9B 13 6D E3 D9 9F C3 6D 7D 0D B7 D8 A1 BF E9 BD
   After xor: 5D A6 9E 05 13 BC D2 C3 8A 4A 9C F8 9F CC B7 18 [msg]
   After CAM: F8 BF 25 7D 23 F8 D9 B5 82 E6 C9 3E C8 9B 85 73
   After xor: 99 12 94 00 75 3D 7A B5 82 E6 C9 3E C8 9B 85 73 [msg]
   After CAM: D9 D6 62 21 6D B2 CA FD 1F C6 FE 9D 2C AF 5B 69
   MIC tag  : D9 D6 62 21 6D B2 CA FD
   CTR Start: 01 00 A9 70 11 0E 19 27 B1 60 B6 A3 1C 1C 00 01
   CTR[0001]: 62 80 24 C1 FE AE CC 8C 67 38 55 98 CB 8E E5 E8
   CTR[0002]: F2 30 17 2F 1B 71 55 9F 8B CE 79 E5 13 01 FC 6A
   CTR[MIC ]: 9C 8E A2 0C 48 03 ED 13
   Total packet length = 39. [Encrypted]
              6B 7F 46 45 07 FA E4 96 A4 35 D7 27 34 8D DD 22
              90 7F 7E B8 F5 FD BB 4D 93 9D A6 52 4D B4 F6 45
              58 C0 2D 25 B1 27 EE

   =============== Packet Vector #14 ==================
   CAM Key:   D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
   Nonce =    00 83 CD 8C E0 CB 42 B1 60 B6 A3 1C 1C
   Total packet length = 32.
   [Input (8 cleartext header octets)]
              98 66 05 B4 3D F1 5D E7 01 F6 CE 67 64 C5 74 48
              3B B0 2E 6B BF 1E 0A BD 26 A2 25 72 B4 D8 0E E7
   CBC IV in: 59 00 83 CD 8C E0 CB 42 B1 60 B6 A3 1C 1C 00 18
   CBC IV out:A0 8A 29 78 36 23 1D 84 96 76 93 FF 0A 4C 92 7A
   After xor: A0 82 B1 1E 33 97 20 75 CB 91 93 FF 0A 4C 92 7A [hdr]
   After CAM: 8C F5 F4 23 BF 09 1C 74 CD 47 00 C1 32 5D 5C 92
   After xor: 8D 03 3A 44 DB CC 68 3C F6 F7 2E AA 8D 43 56 2F [msg]
   After CAM: 69 DA 48 24 41 1E AC 8E A9 0A CD 8B DD 00 2B 9A
   After xor: 4F 78 6D 56 F5 C6 A2 69 A9 0A CD 8B DD 00 2B 9A [msg]
   After CAM: C2 03 3B 08 6D B3 CB 3B 2C C8 5D E7 76 A1 C0 44
   MIC tag  : C2 03 3B 08 6D B3 CB 3B
   CTR Start: 01 00 83 CD 8C E0 CB 42 B1 60 B6 A3 1C 1C 00 01
   CTR[0001]: 8B 16 9C 37 EB 7B BE DB 15 84 41 6E 5F C2 07 46
   CTR[0002]: E9 31 BB DD 4E E6 56 9B 68 95 13 5F AB A4 DF EF
   CTR[MIC ]: 44 7E 55 14 25 C3 F3 3D
   Total packet length = 40. [Encrypted]
              98 66 05 B4 3D F1 5D E7 8A E0 52 50 8F BE CA 93
              2E 34 6F 05 E0 DC 0D FB CF 93 9E AF FA 3E 58 7C
              86 7D 6E 1C 48 70 38 06

   =============== Packet Vector #15 ==================
   CAM Key:   D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
   Nonce =    00 5F 54 95 0B 18 F2 B1 60 B6 A3 1C 1C
   Total packet length = 33.
   [Input (8 cleartext header octets)]
              48 F2 E7 E1 A7 67 1A 51 CD F1 D8 40 6F C2 E9 01
              49 53 89 70 05 FB FB 8B A5 72 76 F9 24 04 60 8E
              08
   CBC IV in: 59 00 5F 54 95 0B 18 F2 B1 60 B6 A3 1C 1C 00 19
   CBC IV out:76 74 53 37 95 23 3C F0 EB 77 CE 93 73 06 99 A8
   After xor: 76 7C 1B C5 72 C2 9B 97 F1 26 CE 93 73 06 99 A8 [hdr]
   After CAM: EF 79 8B 70 34 E4 D5 6B 57 3A F9 44 F0 AF D6 9A
   After xor: 22 88 53 30 5B 26 3C 6A 1E 69 70 34 F5 54 2D 11 [msg]
   After CAM: 63 BF 4E 10 01 79 38 0B E4 EC C1 39 B2 B4 3B 8C
   After xor: C6 CD 38 E9 25 7D 58 85 EC EC C1 39 B2 B4 3B 8C [msg]
   After CAM: 39 E1 0E FA BD 2F 43 00 50 9E E7 EB A4 FF 6B 8F
   MIC tag  : 39 E1 0E FA BD 2F 43 00
   CTR Start: 01 00 5F 54 95 0B 18 F2 B1 60 B6 A3 1C 1C 00 01
   CTR[0001]: C5 47 A6 A2 73 49 1B 6F 0E 6D C9 F5 9C 12 3B 08
   CTR[0002]: C8 18 86 42 3C DB 35 C8 64 4D 8C 4C 58 01 47 27
   CTR[MIC ]: 91 E9 76 5D 2D 68 2E E5
   Total packet length = 41. [Encrypted]
              48 F2 E7 E1 A7 67 1A 51 08 B6 7E E2 1C 8B F2 6E
              47 3E 40 85 99 E9 C0 83 6D 6A F0 BB 18 DF 55 46
              6C A8 08 78 A7 90 47 6D E5

   =============== Packet Vector #16 ==================
   CAM Key:   D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
   Nonce =    00 EC 60 08 63 31 9A B1 60 B6 A3 1C 1C
   Total packet length = 31.
   [Input (12 cleartext header octets)]
              DE 97 DF 3B 8C BD 6D 8E 50 30 DA 4C B0 05 DC FA
              0B 59 18 14 26 A9 61 68 5A 99 3D 8C 43 18 5B
   CBC IV in: 59 00 EC 60 08 63 31 9A B1 60 B6 A3 1C 1C 00 13
   CBC IV out:78 EE 05 5A 88 48 E3 5B 8A 45 46 8F 35 4F 0C A2
   After xor: 78 E2 DB CD 57 73 6F E6 E7 CB 16 BF EF 03 0C A2 [hdr]
   After CAM: A9 C6 7F 15 00 1A C6 92 81 67 BD EC DF D2 35 C9
   After xor: 19 C3 A3 EF 0B 43 DE 86 A7 CE DC 84 85 4B 08 45 [msg]
   After CAM: 7C A8 9C 90 46 42 4B E2 4D 96 DF CF BA 12 FD 18
   After xor: 3F B0 C7 90 46 42 4B E2 4D 96 DF CF BA 12 FD 18 [msg]
   After CAM: 89 C7 B4 E8 A4 24 8C 6C 52 ED 34 50 E3 53 AD F5
   MIC tag  : 89 C7 B4 E8 A4 24 8C 6C
   CTR Start: 01 00 EC 60 08 63 31 9A B1 60 B6 A3 1C 1C 00 01
   CTR[0001]: D3 B2 57 B3 6C E8 86 CF 91 9A AC 79 4E 6F 73 3E
   CTR[0002]: 65 10 C8 72 39 AF 0F 52 9F D0 A4 DF 54 BF D6 EB
   CTR[MIC ]: E1 04 E0 6A 29 B1 80 A9
   Total packet length = 39. [Encrypted]
              DE 97 DF 3B 8C BD 6D 8E 50 30 DA 4C 63 B7 8B 49
              67 B1 9E DB B7 33 CD 11 14 F6 4E B2 26 08 93 68
              C3 54 82 8D 95 0C C5

   =============== Packet Vector #17 ==================
   CAM Key:   D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
   Nonce =    00 60 CF F1 A3 1E A1 B1 60 B6 A3 1C 1C
   Total packet length = 32.
   [Input (12 cleartext header octets)]
              A5 EE 93 E4 57 DF 05 46 6E 78 2D CF 2E 20 21 12
              98 10 5F 12 9D 5E D9 5B 93 F7 2D 30 B2 FA CC D7
   CBC IV in: 59 00 60 CF F1 A3 1E A1 B1 60 B6 A3 1C 1C 00 14
   CBC IV out:C3 34 69 7D 11 38 73 06 BD 34 E2 10 1F 66 17 E8
   After xor: C3 38 CC 93 82 DC 24 D9 B8 72 8C 68 32 A9 17 E8 [hdr]
   After CAM: 43 6F 37 74 AB 94 3B 41 EA AD 00 CA C3 99 13 7B
   After xor: 6D 4F 16 66 33 84 64 53 77 F3 D9 91 50 6E 3E 4B [msg]
   After CAM: 2D 28 FB 62 DA 06 97 A7 4C D4 31 B8 B5 AE AE EE
   After xor: 9F D2 37 B5 DA 06 97 A7 4C D4 31 B8 B5 AE AE EE [msg]
   After CAM: F3 DE 10 CD 91 4D B1 B6 CC 37 F0 A2 4A 5A B7 A1
   MIC tag  : F3 DE 10 CD 91 4D B1 B6
   CTR Start: 01 00 60 CF F1 A3 1E A1 B1 60 B6 A3 1C 1C 00 01
   CTR[0001]: 25 E6 9A F0 30 A9 56 E6 FF C0 3F 87 87 7A 89 74
   CTR[0002]: A2 1B 46 23 76 A2 1E DD F2 AC 4B EC 42 95 3D D3
   CTR[MIC ]: C2 99 28 FF E7 BB DB 29
   Total packet length = 40. [Encrypted]
              A5 EE 93 E4 57 DF 05 46 6E 78 2D CF 0B C6 BB E2
              A8 B9 09 F4 62 9E E6 DC 14 8D A4 44 10 E1 8A F4
              31 47 38 32 76 F6 6A 9F

   =============== Packet Vector #18 ==================
   CAM Key:   D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
   Nonce =    00 0F 85 CD 99 5C 97 B1 60 B6 A3 1C 1C
   Total packet length = 33.
   [Input (12 cleartext header octets)]
              24 AA 1B F9 A5 CD 87 61 82 A2 50 74 26 45 94 1E
              75 63 2D 34 91 AF 0F C0 C9 87 6C 3B E4 AA 74 68
              C9
   CBC IV in: 59 00 0F 85 CD 99 5C 97 B1 60 B6 A3 1C 1C 00 15
   CBC IV out:72 0A 46 75 0F 40 59 53 F2 3B D2 1F 6A 11 60 F6
   After xor: 72 06 62 DF 14 B9 FC 9E 75 5A 50 BD 3A 65 60 F6 [hdr]
   After CAM: 67 73 A0 FD D5 7E D3 5E E8 24 06 D0 A1 8B 0E 18
   After xor: 41 36 34 E3 A0 1D FE 6A 79 8B 09 10 68 0C 62 23 [msg]
   After CAM: BB 1E D8 9F 60 29 D0 99 09 14 06 A5 E3 8B 72 7B
   After xor: 5F B4 AC F7 A9 29 D0 99 09 14 06 A5 E3 8B 72 7B [msg]
   After CAM: 3E 4F 40 73 D1 31 E9 B8 02 C8 99 BC FD AC 19 4B
   MIC tag  : 3E 4F 40 73 D1 31 E9 B8
   CTR Start: 01 00 0F 85 CD 99 5C 97 B1 60 B6 A3 1C 1C 00 01
   CTR[0001]: 04 6F 42 2C 8F 52 FB 9B 06 A3 3B 9F B7 F0 A6 00
   CTR[0002]: 34 76 51 DB 89 10 FB E6 73 E8 56 6E DB 66 47 5D
   CTR[MIC ]: 9F EC 93 6C 5C 7A AD 0F
   Total packet length = 41. [Encrypted]
              24 AA 1B F9 A5 CD 87 61 82 A2 50 74 22 2A D6 32
              FA 31 D6 AF 97 0C 34 5F 7E 77 CA 3B D0 DC 25 B3
              40 A1 A3 D3 1F 8D 4B 44 B7

   =============== Packet Vector #19 ==================
   CAM Key:   D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
   Nonce =    00 C2 9B 2C AA C4 CD B1 60 B6 A3 1C 1C
   Total packet length = 31.
   [Input (8 cleartext header octets)]
              69 19 46 B9 CA 07 BE 87 07 01 35 A6 43 7C 9D B1
              20 CD 61 D8 F6 C3 9C 3E A1 25 FD 95 A0 D2 3D
   CBC IV in: 61 00 C2 9B 2C AA C4 CD B1 60 B6 A3 1C 1C 00 17
   CBC IV out:74 AD F8 04 05 2A 48 E7 46 97 38 D5 BA A1 27 79
   After xor: 74 A5 91 1D 43 93 82 E0 F8 10 38 D5 BA A1 27 79 [hdr]
   After CAM: BD C3 B1 41 1C 64 C8 B3 A9 DC 6A 94 78 97 88 E2
   After xor: BA C2 84 E7 5F 18 55 02 89 11 0B 4C 8E 54 14 DC [msg]
   After CAM: 7D 6C 8A BF AD 68 48 D8 C5 FB CD 1E AF F2 44 99
   After xor: DC 49 77 2A 0D BA 75 D8 C5 FB CD 1E AF F2 44 99 [msg]
   After CAM: 19 99 AB 92 5E 30 46 96 3D EF FB 1B 4C 87 F7 76
   MIC tag  : 19 99 AB 92 5E 30 46 96 3D EF
   CTR Start: 01 00 C2 9B 2C AA C4 CD B1 60 B6 A3 1C 1C 00 01
   CTR[0001]: 02 B9 D4 1F 87 E0 60 E7 EF DE 6B 7E D3 DE 5E D2
   CTR[0002]: 61 49 31 C5 2F 34 AA 47 A3 E4 D3 2C 0B 36 41 C6
   CTR[MIC ]: B9 9F C6 C5 96 7B AA 8E 1A 87
   Total packet length = 41. [Encrypted]
              69 19 46 B9 CA 07 BE 87 05 B8 E1 B9 C4 9C FD 56
              CF 13 0A A6 25 1D C2 EC C0 6C CC 50 8F E6 97 A0
              06 6D 57 C8 4B EC 18 27 68

   =============== Packet Vector #20 ==================
   CAM Key:   D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
   Nonce =    00 2C 6B 75 95 EE 62 B1 60 B6 A3 1C 1C
   Total packet length = 32.
   [Input (8 cleartext header octets)]
              D0 C5 4E CB 84 62 7D C4 C8 C0 88 0E 6C 63 6E 20
              09 3D D6 59 42 17 D2 E1 88 77 DB 26 4E 71 A5 CC
   CBC IV in: 61 00 2C 6B 75 95 EE 62 B1 60 B6 A3 1C 1C 00 18
   CBC IV out:35 A9 48 70 F9 B0 C7 85 FB 32 1A D1 3C 8C A4 9A
   After xor: 35 A1 98 B5 B7 7B 43 E7 86 F6 1A D1 3C 8C A4 9A [hdr]
   After CAM: 0A 3C E3 0F AC 09 DC 5C 00 10 5C 69 AC 19 F7 19
   After xor: C2 FC 6B 01 C0 6A B2 7C 09 2D 8A 30 EE 0E 25 F8 [msg]
   After CAM: 61 CD 80 D0 72 E6 84 E1 BF E1 4A 00 27 2A 4D 96
   After xor: E9 BA 5B F6 3C 97 21 2D BF E1 4A 00 27 2A 4D 96 [msg]
   After CAM: E5 F9 F2 AB 47 FD 7B 8D 6F 72 F4 72 74 D7 69 BB
   MIC tag  : E5 F9 F2 AB 47 FD 7B 8D 6F 72
   CTR Start: 01 00 2C 6B 75 95 EE 62 B1 60 B6 A3 1C 1C 00 01
   CTR[0001]: 9C 0E 31 66 B2 81 58 31 5E 63 16 5A 9D BD CE 35
   CTR[0002]: 00 3E 66 D3 E0 5F 7E A7 EF C8 9A 5F DD 39 E3 54
   CTR[MIC ]: 9A 5E 87 1A 17 10 38 0E AA DB
   Total packet length = 42. [Encrypted]
              D0 C5 4E CB 84 62 7D C4 54 CE B9 68 DE E2 36 11
              57 5E C0 03 DF AA 1C D4 88 49 BD F5 AE 2E DB 6B
              7F A7 75 B1 50 ED 43 83 C5 A9

   =============== Packet Vector #21 ==================
   CAM Key:   D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
   Nonce =    00 C5 3C D4 C2 AA 24 B1 60 B6 A3 1C 1C
   Total packet length = 33.
   [Input (8 cleartext header octets)]
              E2 85 E0 E4 80 8C DA 3D F7 5D AA 07 10 C4 E6 42
              97 79 4D C2 B7 D2 A2 07 57 B1 AA 4E 44 80 02 FF
              AB
   CBC IV in: 61 00 C5 3C D4 C2 AA 24 B1 60 B6 A3 1C 1C 00 19
   CBC IV out:2A 3C 23 B2 43 F5 1C 35 F7 79 5A CB 3B 20 21 2F
   After xor: 2A 34 C1 37 A3 11 9C B9 2D 44 5A CB 3B 20 21 2F [hdr]
   After CAM: A1 7E AD 4C EE AB 51 21 1D 2A 32 F2 D4 45 A6 D6
   After xor: 56 23 07 4B FE 6F B7 63 8A 53 7F 30 63 97 04 D1 [msg]
   After CAM: A9 A1 32 55 8F C6 9B 98 A9 CC 23 96 FE CA 84 EB
   After xor: FE 10 98 1B CB 46 99 67 02 CC 23 96 FE CA 84 EB [msg]
   After CAM: 6A 5E 04 42 D1 A5 7E 17 9A 6C 8B 56 F7 19 80 C5
   MIC tag  : 6A 5E 04 42 D1 A5 7E 17 9A 6C
   CTR Start: 01 00 C5 3C D4 C2 AA 24 B1 60 B6 A3 1C 1C 00 01
   CTR[0001]: 46 1D EF 41 AF A2 94 52 5D 51 AE CB 04 49 74 CD
   CTR[0002]: 29 2E 62 66 1B 66 9A 2B 97 72 6B 77 32 A8 DC 35
   CTR[MIC ]: B8 54 06 A2 6C 6F 93 37 8A BF
   Total packet length = 43. [Encrypted]
              E2 85 E0 E4 80 8C DA 3D B1 40 45 46 BF 66 72 10
              CA 28 E3 09 B3 9B D6 CA 7E 9F C8 28 5F E6 98 D4
              3C D2 0A 02 E0 BD CA ED 20 10 D3

   =============== Packet Vector #22 ==================
   CAM Key:   D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
   Nonce =    00 BE E9 26 7F BA DC B1 60 B6 A3 1C 1C
   Total packet length = 31.
   [Input (12 cleartext header octets)]
              6C AE F9 94 11 41 57 0D 7C 81 34 05 C2 38 82 2F
              AC 5F 98 FF 92 94 05 B0 AD 12 7A 4E 41 85 4E
   CBC IV in: 61 00 BE E9 26 7F BA DC B1 60 B6 A3 1C 1C 00 13
   CBC IV out:20 60 6A D1 E1 A0 84 52 2F A3 8B F4 88 1D D6 8B
   After xor: 20 6C 06 7F 18 34 95 13 78 AE F7 75 BC 18 D6 8B [hdr]
   After CAM: 71 FD FF E7 D9 C8 95 75 D3 EC 0B 7E 7B 8B BE E7
   After xor: B3 C5 7D C8 75 97 0D 8A 41 78 0E CE D6 99 C4 A9 [msg]
   After CAM: CA AD 93 9C 59 BA 40 AA 1A 0B 88 1B EE 3D 3C 65
   After xor: 8B 28 DD 9C 59 BA 40 AA 1A 0B 88 1B EE 3D 3C 65 [msg]
   After CAM: DC 48 8F AA 9C 75 E7 03 17 56 C2 C7 48 48 8D 1B
   MIC tag  : DC 48 8F AA 9C 75 E7 03 17 56
   CTR Start: 01 00 BE E9 26 7F BA DC B1 60 B6 A3 1C 1C 00 01
   CTR[0001]: 56 F0 17 B3 BD 09 02 D6 EA A5 A2 91 AD 4A 2D E5
   CTR[0002]: 20 3D 34 21 EF 5B F8 FC 7B 21 5C 76 7B A5 21 A6
   CTR[MIC ]: F1 A2 86 9C 2A 9E B8 61 48 0B
   Total packet length = 41. [Encrypted]
              6C AE F9 94 11 41 57 0D 7C 81 34 05 94 C8 95 9C
              11 56 9A 29 78 31 A7 21 00 58 57 AB 61 B8 7A 2D
              EA 09 36 B6 EB 5F 62 5F 5D

   =============== Packet Vector #23 ==================
   CAM Key:   D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
   Nonce =    00 DF A8 B1 24 50 07 B1 60 B6 A3 1C 1C
   Total packet length = 32.
   [Input (12 cleartext header octets)]
              36 A5 2C F1 6B 19 A2 03 7A B7 01 1E 4D BF 3E 77
              4A D2 45 E5 D5 89 1F 9D 1C 32 A0 AE 02 2C 85 D7
   CBC IV in: 61 00 DF A8 B1 24 50 07 B1 60 B6 A3 1C 1C 00 14
   CBC IV out:78 FD B6 AF 61 9E 1C 8D 82 41 17 A8 73 60 1B 70
   After xor: 78 F1 80 0A 4D 6F 77 94 20 42 6D 1F 72 7E 1B 70 [hdr]
   After CAM: 62 2E 28 65 92 43 DB 82 88 79 09 1E A7 24 54 67
   After xor: 2F 91 16 12 D8 91 9E 67 5D F0 16 83 BB 16 F4 C9 [msg]
   After CAM: 95 0E 52 08 FF 16 70 8C 1E D9 BB 06 3E 1E 41 CF
   After xor: 97 22 D7 DF FF 16 70 8C 1E D9 BB 06 3E 1E 41 CF [msg]
   After CAM: BA CD 51 FC 77 F4 02 8D 47 D5 7D 54 7D 46 33 4B
   MIC tag  : BA CD 51 FC 77 F4 02 8D 47 D5
   CTR Start: 01 00 DF A8 B1 24 50 07 B1 60 B6 A3 1C 1C 00 01
   CTR[0001]: 15 D6 DD DD 98 96 39 91 35 75 1A 64 B8 D8 D4 F9
   CTR[0002]: 7D 61 6D 1D EB 92 00 2B 6F FA AB 53 BC AF 69 89
   CTR[MIC ]: 33 E9 27 BE E1 59 06 9C DB 32
   Total packet length = 42. [Encrypted]
              36 A5 2C F1 6B 19 A2 03 7A B7 01 1E 58 69 E3 AA
              D2 44 7C 74 E0 FC 05 F9 A4 EA 74 57 7F 4D E8 CA
              89 24 76 42 96 AD 04 11 9C E7

   =============== Packet Vector #24 ==================
   CAM Key:   D7 5C 27 78 07 8C A9 3D 97 1F 96 FD E7 20 F4 CD
   Nonce =    00 3B 8F D8 D3 A9 37 B1 60 B6 A3 1C 1C
   Total packet length = 33.
[Input (12 cleartext header octets)] 1248 A4 D4 99 F7 84 19 72 8C 19 17 8B 0C 9D C9 ED AE 1249 2F F5 DF 86 36 E8 C6 DE 0E ED 55 F7 86 7E 33 33 1250 7D 1251 CBC IV in: 61 00 3B 8F D8 D3 A9 37 B1 60 B6 A3 1C 1C 00 15 1252 CBC IV out:84 E6 CF DD 6A 37 68 5D E6 71 AD 54 B3 BE FE B9 1253 After xor: 84 EA 6B 09 F3 C0 EC 44 94 FD B4 43 38 B2 FE B9 [hdr] 1254 After CAM: C5 0F A0 62 20 18 F1 21 0E BC 3D 2E 47 B7 B8 C3 1255 After xor: 58 C6 4D CC 0F ED 2E A7 38 54 FB F0 49 5A ED 34 [msg] 1256 After CAM: C4 6F 6D C3 17 3C 2A 7A 81 FC 2D DA 7F B7 C6 60 1257 After xor: 42 11 5E F0 6A 3C 2A 7A 81 FC 2D DA 7F B7 C6 60 [msg] 1258 After CAM: DF AB 2E 76 B0 67 50 B3 7C DD 9A AC F3 79 17 71 1259 MIC tag : DF AB 2E 76 B0 67 50 B3 7C DD 1260 CTR Start: 01 00 3B 8F D8 D3 A9 37 B1 60 B6 A3 1C 1C 00 01 1261 CTR[0001]: D6 D0 6C F8 16 CE D0 F1 A0 E0 AC 71 BA B9 AD 34 1262 CTR[0002]: 76 4A FF 9A 1B F8 55 1F 68 54 39 0A EE 37 24 28 1263 CTR[MIC ]: 4B F4 31 B8 17 86 4B 5D 16 F2 1264 Total packet length = 43. [Encrypted] 1265 A4 D4 99 F7 84 19 72 8C 19 17 8B 0C 4B 19 81 56 1266 39 3B 0F 77 96 08 6A AF B4 54 F8 C3 F0 34 CC A9 1267 66 94 5F 1F CE A7 E1 1B EE 6A 2F 1269 5. Security Considerations 1271 Camellia-CTR and Camellia-CCM employ CTR mode for confidentiality. 1272 If a counter value is ever used for more that one packet with the 1273 same key, then the same key stream will be used to encrypt both 1274 packets, and the confidentiality guarantees are voided. 1276 What happens if the encryptor XORs the same key stream with two 1277 different packet plaintexts? Suppose two packets are defined by two 1278 plaintext byte sequences P_1, P_2, P_3 and Q_1, Q_2, Q_3, then both 1279 are encrypted with key stream K_1, K_2, K_3. 
   The two corresponding ciphertexts are:

      (P_1 XOR K_1), (P_2 XOR K_2), (P_3 XOR K_3)

      (Q_1 XOR K_1), (Q_2 XOR K_2), (Q_3 XOR K_3)

   If both of these two ciphertext streams are exposed to an attacker,
   then a catastrophic failure of confidentiality results, because:

      (P_1 XOR K_1) XOR (Q_1 XOR K_1) = P_1 XOR Q_1
      (P_2 XOR K_2) XOR (Q_2 XOR K_2) = P_2 XOR Q_2
      (P_3 XOR K_3) XOR (Q_3 XOR K_3) = P_3 XOR Q_3

   Once the attacker obtains the two plaintexts XORed together, it is
   relatively straightforward to separate them. Thus, using any stream
   cipher, including Camellia-CTR, to encrypt two plaintexts under the
   same key stream leaks the plaintext.

6. IANA Considerations

   There are no IANA assignments to be performed.

7. Acknowledgments

   This document includes text borrowed from RFC 3610 [14].

8. References

8.1. Normative

   [1]   Matsui, M., Nakajima, J., and S. Moriai, "A Description of the
         Camellia Encryption Algorithm", RFC 3713, April 2004.

   [2]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", BCP 14, RFC 2119, March 1997.

8.2. Informative

   [3]   National Institute of Standards and Technology, "Advanced
         Encryption Standard (AES)", FIPS PUB 197, November 2001.

   [4]   Kato, A., Moriai, S., and M. Kanda, "The Camellia Cipher
         Algorithm and Its Use With IPsec", RFC 4312, December 2005.

   [5]   Moriai, S., Kato, A., and M. Kanda, "Addition of Camellia
         Cipher Suites to Transport Layer Security (TLS)", RFC 4132,
         July 2005.

   [6]   Moriai, S. and A. Kato, "Use of the Camellia Encryption
         Algorithm in Cryptographic Message Syntax (CMS)", RFC 3657,
         January 2004.

   [7]   Eastlake, D., "Additional XML Security Uniform Resource
         Identifiers (URIs)", RFC 4051, April 2005.

   [8]   International Organization for Standardization, "Information
         technology - Security techniques - Encryption algorithms - Part
         3: Block ciphers", ISO/IEC 18033-3, July 2005.

   [9]   "The NESSIE project (New European Schemes for Signatures,
         Integrity and Encryption)".

   [10]  Information-technology Promotion Agency (IPA), "Cryptography
         Research and Evaluation Committees".

   [11]  "Camellia open source software".

   [12]  "Camellia web site".

   [13]  Dworkin, M., "Recommendation for Block Cipher Modes of
         Operation - Methods and Techniques", NIST Special
         Publication 800-38A, December 2001.

   [14]  Whiting, D., Housley, R., and N. Ferguson, "Counter with CBC-
         MAC (CCM)", RFC 3610, September 2003.

   [15]  National Institute of Standards and Technology, "Recommendation
         for Block Cipher Modes of Operation: The CCM Mode for
         Authentication and Confidentiality", May 2004.

   [16]  National Institute of Standards and Technology, "Computer Data
         Authentication", FIPS PUB 113, May 1985.

Authors' Addresses

   Akihiro Kato
   NTT Software Corporation

   Phone: +81-45-212-7577
   Fax:   +81-45-212-9800
   Email: akato@po.ntts.co.jp

   Masayuki Kanda
   Nippon Telegraph and Telephone Corporation

   Phone: +81-422-59-3456
   Fax:   +81-422-59-4015
   Email: kanda.masayuki@lab.ntt.co.jp

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights. Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at
   ietf-ipr@ietf.org.
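
   Added example, not part of the draft and not code from its authors:
   the Python below replays the CTR step of Packet Vector #24 from the
   key-stream blocks printed in that vector, then reproduces the
   Section 5 failure by XORing a second plaintext with the same key
   stream. SECOND is a constructed plaintext, NonceGuard and key_id are
   hypothetical names for a sender-side reuse check, and no Camellia
   code is run.

```python
# Added example. Hex values are copied from Packet Vector #24 in this
# document; SECOND is constructed; NonceGuard is a hypothetical helper.
KEYSTREAM = bytes.fromhex(
    "D6D06CF816CED0F1A0E0AC71BAB9AD34"    # CTR[0001]
    "764AFF9A1BF8551F6854390AEE372428")   # CTR[0002]
MIC_PAD = bytes.fromhex("4BF431B817864B5D16F2")     # CTR[MIC ]
MIC_TAG = bytes.fromhex("DFAB2E76B06750B37CDD")     # MIC tag
NONCE = bytes.fromhex("003B8FD8D3A937B160B6A31C1C")
HEADER = bytes.fromhex("A4D499F78419728C19178B0C")  # 12 cleartext octets
PAYLOAD = bytes.fromhex("9DC9EDAE2FF5DF8636E8C6DE0EED55F7867E33337D")
ENCRYPTED = bytes.fromhex(
    "A4D499F78419728C19178B0C4B198156393B0F7796086AAFB454F8C3F034CCA9"
    "66945F1FCEA7E11BEE6A2F")
SECOND = b"constructed packet 2!"   # constructed, same length as PAYLOAD


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_apply(data: bytes, keystream: bytes = KEYSTREAM) -> bytes:
    """CTR encryption and decryption are the same XOR with the key stream."""
    if len(data) > len(keystream):
        raise ValueError("not enough key stream for this packet")
    return xor(data, keystream)


def build_packet() -> bytes:
    """Header in clear, payload XOR CTR[0001..], MIC tag XOR CTR[MIC ]."""
    return HEADER + ctr_apply(PAYLOAD) + xor(MIC_TAG, MIC_PAD)


def reuse_leak(p: bytes, q: bytes) -> bytes:
    """XOR of two ciphertexts made with one key stream: K cancels out."""
    return xor(ctr_apply(p), ctr_apply(q))


class NonceGuard:
    """Refuse a second encryption under the same (key, nonce) pair."""
    def __init__(self):
        self._used = set()
    def claim(self, key_id: str, nonce: bytes) -> None:
        if (key_id, nonce) in self._used:
            raise ValueError("nonce already used with this key")
        self._used.add((key_id, nonce))


if __name__ == "__main__":
    print(build_packet() == ENCRYPTED, xor(reuse_leak(PAYLOAD, SECOND), PAYLOAD))
```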