datatracker.ietf.org
Sign in
Version 5.6.2.p3, 2014-07-31
Report a bug

An Interface and Algorithms for Authenticated Encryption
RFC 5116

Document type: RFC - Proposed Standard (January 2008; Errata)
Was draft-mcgrew-auth-enc (individual in gen area)
Document stream: IETF
Last updated: 2014-06-10
Other versions: plain text, pdf, html

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 5116 (Proposed Standard)
Responsible AD: Tim Polk
Send notices to: mcgrew@cisco.com

Network Working Group                                          D. McGrew
Request for Comments: 5116                           Cisco Systems, Inc.
Category: Standards Track                                   January 2008

        An Interface and Algorithms for Authenticated Encryption

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This document defines algorithms for Authenticated Encryption with
   Associated Data (AEAD), and defines a uniform interface and a
   registry for such algorithms.  The interface and registry can be used
   as an application-independent set of cryptoalgorithm suites.  This
   approach provides advantages in efficiency and security, and promotes
   the reuse of crypto implementations.

McGrew                      Standards Track                     [Page 1]
RFC 5116                Authenticated Encryption            January 2008

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Background . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.2.  Scope  . . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.3.  Benefits . . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.4.  Conventions Used in This Document  . . . . . . . . . . . .  4
   2.  AEAD Interface . . . . . . . . . . . . . . . . . . . . . . . .  5
     2.1.  Authenticated Encryption . . . . . . . . . . . . . . . . .  5
     2.2.  Authenticated Decryption . . . . . . . . . . . . . . . . .  7
     2.3.  Data Formatting  . . . . . . . . . . . . . . . . . . . . .  7
   3.  Guidance on the Use of AEAD Algorithms . . . . . . . . . . . .  8
     3.1.  Requirements on Nonce Generation . . . . . . . . . . . . .  8
     3.2.  Recommended Nonce Formation  . . . . . . . . . . . . . . .  9
       3.2.1.  Partially Implicit Nonces  . . . . . . . . . . . . . . 10
     3.3.  Construction of AEAD Inputs  . . . . . . . . . . . . . . . 11
     3.4.  Example Usage  . . . . . . . . . . . . . . . . . . . . . . 11
   4.  Requirements on AEAD Algorithm Specifications  . . . . . . . . 12
   5.  AEAD Algorithms  . . . . . . . . . . . . . . . . . . . . . . . 14
     5.1.  AEAD_AES_128_GCM . . . . . . . . . . . . . . . . . . . . . 14
       5.1.1.  Nonce Reuse  . . . . . . . . . . . . . . . . . . . . . 14
     5.2.  AEAD_AES_256_GCM . . . . . . . . . . . . . . . . . . . . . 15
     5.3.  AEAD_AES_128_CCM . . . . . . . . . . . . . . . . . . . . . 15
       5.3.1.  Nonce Reuse  . . . . . . . . . . . . . . . . . . . . . 16
     5.4.  AEAD_AES_256_CCM . . . . . . . . . . . . . . . . . . . . . 16
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 16
   7.  Other Considerations . . . . . . . . . . . . . . . . . . . . . 17
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 18
   9.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 18
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
     10.1. Normative References . . . . . . . . . . . . . . . . . . . 19
     10.2. Informative References . . . . . . . . . . . . . . . . . . 19

McGrew                      Standards Track                     [Page 2]
RFC 5116                Authenticated Encryption            January 2008

1.  Introduction

   Authenticated encryption [BN00] is a form of encryption that, in
   addition to providing confidentiality for the plaintext that is
   encrypted, provides a way to check its integrity and authenticity.
   Authenticated Encryption with Associated Data, or AEAD [R02], adds
   the ability to check the integrity and authenticity of some
   Associated Data (AD), also called "additional authenticated data",
   that is not encrypted.

1.1.  Background

   Many cryptographic applications require both confidentiality and
   message authentication.  Confidentiality is a security service that
   ensures that data is available only to those authorized to obtain it;
   usually it is realized through encryption.  Message authentication is
   the service that ensures that data has not been altered or forged by
   unauthorized entities; it can be achieved by using a Message
   Authentication Code (MAC).  This service is also called data
   integrity.  Many applications use an encryption method and a MAC
   together to provide both of those security services, with each
   algorithm using an independent key.  More recently, the idea of
   providing both security services using a single cryptoalgorithm has

[include full document text]