Internet Draft Paul Hoffman draft-ietf-ipsec-aes-xcbc-prf-00.txt VPN Consortium July 21, 2003 Expires in six months The AES-XCBC-PRF-128 algorithm for IKE Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract Some implementations of IPsec may want to use a pseudo-random function derived from AES. This document describes such an algorithm, called AES-XCBC-PRF-128. 1. Introduction [AES-XCBC-MAC] describes a method to use AES (the Advanced Encryption Standard) as a message authentication code (MAC) whose output is 96 bits long. While 96 bits is considered appropriate for a MAC, it is too short to be useful as a long-lived pseudo-random (PRF) in either IKE version 1 or version 2. Both versions of IKE use the PRF to create keys in a fashion that is dependent on the length of the output of the PRF. Using a PRF that has 96 bits of output creates keys that are easier to attack with brute force than a PRF that uses 128 bits of output. Fortunately, there is a very simple method to use much of [AES-XCBC-MAC] as a PRF whose output is 128 bits: omit the step that truncates the 128-bit value to 96 bits. 2. The AES-XCBC-PRF-128 algorithm The AES-XCBC-PRF-128 algorithm is identical to [AES-XCBC-MAC] except that the truncation step in section 4.3 of [AES-XCBC-MAC] is *not* performed. That is, there is no processing after section 4.2 of [AES-XCBC-MAC]. The test vectors in section 4.6 can be used for AES-XCBC-PRF-128, but only those listed as "AES-XCBC-MAC", not "AES-XCBC-MAC-96". 3. Security considerations The security considerations are the same as those in [AES-XCBC-MAC]. 4. References 4.1 Normative references [AES-XCBC-MAC] "The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec", draft-ietf-ipsec-ciph-aes-xcbc-mac. This document is currently in the RFC Editor's queue for publication. 5. Author's address Paul Hoffman VPN Consortium 127 Segre Place Santa Cruz, CA 95060 USA paul.hoffman@vpnc.org