Internet Draft                                       IPsec Working Group
November 2001                                           S. Frankel, NIST
Expiration Date: May 2002                              H. Herbert, Intel


          The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec
              <draft-ietf-ipsec-ciph-aes-xcbc-mac-00.txt>




Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its Working Groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Drafts Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This document is a submission to the IETF Internet Protocol Security
   (IPsec) Working Group. Comments are solicited and should be addressed
   to the working group mailing list (ipsec@lists.tislabs.com) or to the
   editors.

   Distribution of this memo is unlimited.

Frankel,Herbert                                                 [Page 1]


INTERNET DRAFT <draft-ietf-ipsec-ciph-aes-xcbc-mac-00.txt> November 2001


                             Table of Contents



 1. Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
 2. Specification of Requirements  . . . . . . . . . . . . . . . . .   3
 3. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . .   3
 4. The Classic CBC-MAC Algorithm  . . . . . . . . . . . . . . . . .   4
 5. The AES-XCBC-MAC-96 Algorithm  . . . . . . . . . . . . . . . . .   4
    5.1 Keying Material  . . . . . . . . . . . . . . . . . . . . . .   5
    5.2 Padding  . . . . . . . . . . . . . . . . . . . . . . . . . .   6
    5.3 Truncation . . . . . . . . . . . . . . . . . . . . . . . . .   6
    5.4 Interaction with the ESP Cipher Mechanism  . . . . . . . . .   7
    5.5 Performance  . . . . . . . . . . . . . . . . . . . . . . . .   7
    5.6 Test Vectors . . . . . . . . . . . . . . . . . . . . . . . .   7
 6. Security Considerations  . . . . . . . . . . . . . . . . . . . .   7
 7. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . .   7
 8. Intellectual Property Rights Statement . . . . . . . . . . . . .   7
 9. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . .   8
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . .   8
11. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .   9
12. Full Copyright Statement . . . . . . . . . . . . . . . . . . . .  10

1. Abstract

   A Message Authentication Code (MAC) is a key-dependent one-way hash
   function.  One popular way to construct a MAC algorithm is to use a
   block cipher in conjunction with the Cipher-Block-Chaining (CBC) mode
   of operation.  The classic CBC-MAC algorithm, while secure for
   messages of a pre-selected fixed length, has been shown to be insecure
   across messages of varying lengths such as the type found in typical
   IP datagrams.  This memo specifies the use of AES in CBC mode with a
   set of extensions to overcome this limitation.  This new algorithm is
   named AES-XCBC-MAC-96.

2. Specification of Requirements

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" that
   appear in this document are to be interpreted as described in
   [RFC-2119].

3. Introduction

   Message authentication provides data integrity and data origin
   authentication with respect to the original message source.  A
   Message Authentication Code (MAC) is a key-dependent one-way hash
   function.  One popular way to construct a MAC algorithm is to use a
   block cipher in conjunction with the Cipher-Block-Chaining (CBC) mode
   of operation.  The classic CBC-MAC algorithm, while secure for
   messages of a pre-selected fixed length, has been shown to be insecure
   across messages of varying lengths such as the type found in typical
   IP datagrams.  In fact, it is trivial to produce forgeries for a
   second message given the MAC of a prior message.

   This memo specifies the use of AES [AES] in CBC mode [MODES] with a
   set of extensions [XCBC-MAC-1] to overcome this limitation.  This new
   algorithm is named AES-XCBC-MAC-96.  Using the AES block cipher, with
   its increased block size (128 bits) and increased key length (128
   bits), provides the new algorithm with the ability to withstand
   continuing advances in cryptanalytic techniques and computational
   capability.  AES-XCBC-MAC-96 is used as an authentication mechanism
   within the context of the IPsec Encapsulating Security Payload (ESP)
   and the Authentication Header (AH) protocols.  For further
   information on ESP, refer to [ESP] and [ROADMAP].  For further
   information on AH, refer to [AH] and [ROADMAP].

   The goal of AES-XCBC-MAC-96 is to ensure that the datagram is
   authentic and cannot be modified in transit without detection.  Data
   integrity and data origin authentication as provided by
   AES-XCBC-MAC-96 are dependent upon the scope of the distribution of
   the secret key.  If the key is known only by the source and
   destination, this algorithm will provide both data origin
   authentication and data integrity for datagrams sent between the two
   parties.  In addition, only a party with the identical key can verify
   the authenticator.

4. The Classic CBC-MAC Algorithm

   The classic CBC-MAC [CBC-MAC-1, CBC-MAC-2] is calculated as follows
   for a message M that consists of n blocks, M[1] ... M[n], in which
   the blocksize of blocks M[1] ... M[n-1] is b bits and the blocksize
   of block M[n] is no greater than b bits:

     (1)  For block M[1]:
             Encrypt M[1] with Key K, yielding E[1].

     (2)  For each block M[i], where i = 2 ... n-1:
             XOR M[i] with E[i-1], then encrypt the result with Key K,
             yielding E[i].

     (3)  For block M[n]:

          (a)  If the blocksize of M[n] is less than b bits:
                  Pad M[n] with a single "1" bit, followed by the number
                  of "0" bits required to increase M[n]'s blocksize to b
                  bits.
                  [NOTE: This is one of several padding schemes that can
                  be used for CBC-MAC.  Several others are described in
                  [MODES].]

          (b)  XOR M[n] (including padding) with E[n-1], then encrypt
               the result with Key K, yielding E[n].


     (4)  E[n] is the b-bit authenticator.

   The classic CBC-MAC algorithm has been shown to be secure for
   messages of a pre-selected fixed length, in which the length is a
   multiple of the blocksize.  This algorithm is not suitable for IPsec
   for the following reasons:

     +    Any IPsec authenticator must be able to handle messages of
          arbitrary length.  However, the classic CBC-MAC cannot
          securely handle messages that exceed the pre-selected fixed
          length.

     +    For messages shorter than the selected length, padding the
          message to the selected length may necessitate additional
          encryption operations, adding an unacceptable computational
          penalty.



5. The AES-XCBC-MAC-96 Algorithm

   [AES] describes the underlying AES algorithm, while [CBC-MAC-2] and
   [XCBC-MAC-1] describe the AES-XCBC-MAC algorithm.

   The AES-XCBC-MAC-96 algorithm is a variant of the classic CBC-MAC
   that is secure for messages of arbitrary length.  The AES-XCBC-MAC-96
   calculations require numerous encryption operations; this encryption
   MUST be accomplished using AES with a 128-bit key.  AES-XCBC-MAC-96
   is calculated as follows for a message M that consists of n blocks,
   M[1] ... M[n], in which the blocksize of blocks M[1] ... M[n-1] is
   128 bits and the blocksize of block M[n] is no greater than 128 bits:

     (1)  Derive 3 128-bit keys (K1, K2 and K3) from the 128-bit secret
          key K, as follows:
            K1 = 0x01010101010101010101010101010101 encrypted with Key K
            K2 = 0x02020202020202020202020202020202 encrypted with Key K
            K3 = 0x03030303030303030303030303030303 encrypted with Key K

     (2)  For block M[1]:
             Encrypt M[1] with Key K1, yielding E[1].

     (3)  For each block M[i], where i = 2 ... n-1:
             XOR M[i] with E[i-1], then encrypt the result with Key K1,
             yielding E[i].

     (4)  For block M[n]:

          (a)  If the blocksize of M[n] is 128 bits:
                  XOR M[n] with E[n-1] and Key K2, then encrypt the
                  result with Key K1, yielding E[n].

          (b)  If the blocksize of M[n] is less than 128 bits:

               (i)  Pad M[n] with a single "1" bit, followed by the
                    number of "0" bits required to increase M[n]'s
                    blocksize to 128 bits.

               (ii) XOR M[n] with E[n-1] and Key K3, then encrypt the
                    result with Key K1, yielding E[n].



     (5)  The authenticator value is the leftmost 96 bits of the 128-bit
          E[n].

   NOTE: [CBC-MAC-2] defines K1 as follows:
            K1 = Constant1A encrypted with Key K |
                 Constant1B encrypted with Key K.
         However, the second encryption operation is only needed for
         AES-XCBC-MAC with keys greater than 128 bits; thus, it is not
         included in the definition of AES-XCBC-MAC-96.

5.1 Keying Material

   AES-XCBC-MAC-96 is a secret key algorithm.  For use with either ESP
   or AH a fixed key length of 128 bits MUST be supported.  Key lengths
   other than 128 bits MUST NOT be supported (i.e., only 128-bit keys
   are to be used by AES-XCBC-MAC-96).

   AES-XCBC-MAC-96 actually requires 384 bits of keying material (128
   bits for the AES keysize + 2 times the blocksize).  This keying
   material can either be provided through the key generation mechanism
   or it can be generated from a single 128-bit key.  The latter
   approach has been selected for AES-XCBC-MAC-96, since it is analogous
   to other authenticators used within IPsec.

   A strong pseudo-random function MUST be used to generate the required
   128-bit key.

   At the time of this writing there are no specified weak keys for use
   with AES-XCBC-MAC-96.  This does not imply that weak keys do not
   exist.  If, at some point, a set of weak keys for AES-XCBC-MAC-96 is
   identified, the use of these weak keys MUST be rejected, followed by
   a request for replacement keys or a newly negotiated Security
   Association.

   [ARCH] describes the general mechanism for obtaining keying material
   when multiple keys are required for a single SA (e.g. when an ESP SA
   requires a key for confidentiality and a key for authentication).

   In order to provide data origin authentication, the key distribution
   mechanism must ensure that unique keys are allocated and that they
   are distributed only to the parties participating in the
   communication.

   Current attacks do not necessitate a specific recommended frequency
   for key changes.  However, periodic key refreshment is a fundamental
   security practice that helps against potential weaknesses of the
   function and the keys, reduces the information available to a
   cryptanalyst, and limits the damage resulting from a compromised key.

5.2 Padding

   AES-XCBC-MAC-96 operates on 128-bit blocks of data.  Padding
   requirements are specified in [CBC-MAC-2] and are part of the XCBC
   algorithm.  If you build AES-XCBC-MAC-96 according to [CBC-MAC-2] you
   do not need to add any additional padding as far as AES-XCBC-MAC-96
   is concerned.  With regard to "implicit packet padding" as defined in
   [AH], no implicit packet padding is required.


5.3 Truncation

   AES-XCBC-MAC-96 produces a 128-bit authenticator value.  This 128-bit
   value can be truncated as described in [HMAC] and verified in
   [XCBC-MAC-2].  For use with either ESP or AH, a truncated value using
   the first 96 bits MUST be supported.  Upon sending, the truncated
   value is stored within the authenticator field.  Upon receipt, the
   entire 128-bit value is computed and the first 96 bits are compared
   to the value stored in the authenticator field.  No other
   authenticator value lengths are supported by AES-XCBC-MAC-96.

   The length of 96 bits was selected because it is the default
   authenticator length as specified in [AH] and meets the security
   requirements described in [XCBC-MAC-2].
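
   The following Go program is an added example, not part of this draft
   (whose own test vectors in section 5.6 are still TBD): it implements
   steps (1) through (5) of section 5 with the standard-library AES
   cipher, together with the sender/receiver truncation rule of section
   5.3.  The function names (deriveKeys, macFull, Tag96, Verify96) are
   the example's own; it assumes E[0] is the all-zero block so that a
   one-block or empty message is handled entirely by step (4), a
   convention this draft does not state, and the expected value printed
   by main() is taken from the test vectors later published for this
   algorithm in RFC 3566.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// deriveKeys is step (1): K1, K2 and K3 are the constant blocks 0x01..01,
// 0x02..02 and 0x03..03 encrypted under K (done once per key, section 5.5).
func deriveKeys(key []byte) (k1, k2, k3 []byte, err error) {
	if len(key) != aes.BlockSize { // section 5.1: only 128-bit keys
		return nil, nil, nil, fmt.Errorf("key must be 128 bits, got %d", 8*len(key))
	}
	c, _ := aes.NewCipher(key) // cannot fail for a 16-byte key
	k1, k2, k3 = make([]byte, aes.BlockSize), make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)
	c.Encrypt(k1, bytes.Repeat([]byte{0x01}, aes.BlockSize))
	c.Encrypt(k2, bytes.Repeat([]byte{0x02}, aes.BlockSize))
	c.Encrypt(k3, bytes.Repeat([]byte{0x03}, aes.BlockSize))
	return k1, k2, k3, nil
}

// macFull is steps (2)-(4), the untruncated 128-bit E[n].  Assumed, as the draft
// does not say: E[0] is all zeros, so a one-block or empty message is handled by (4).
func macFull(k1, k2, k3, msg []byte) []byte {
	c1, _ := aes.NewCipher(k1)
	e := make([]byte, aes.BlockSize) // E[0]
	for len(msg) > aes.BlockSize { // chain every block but the last under K1
		for i := range e {
			e[i] ^= msg[i]
		}
		c1.Encrypt(e, e)
		msg = msg[aes.BlockSize:]
	}
	last, finalKey := make([]byte, aes.BlockSize), k2 // full final block: K2
	if copy(last, msg) < aes.BlockSize {
		last[len(msg)] = 0x80 // a single "1" bit, then "0" bits to 128 bits
		finalKey = k3         // partial (padded) final block: K3
	}
	for i := range e {
		e[i] ^= last[i] ^ finalKey[i]
	}
	c1.Encrypt(e, e)
	return e
}

// Tag96 is the sender side of section 5.3: the leftmost 96 bits of E[n].
func Tag96(key, msg []byte) ([]byte, error) {
	k1, k2, k3, err := deriveKeys(key)
	if err != nil {
		return nil, err
	}
	return macFull(k1, k2, k3, msg)[:12], nil
}

// Verify96 is the receiver side of section 5.3: recompute the full value,
// keep the first 96 bits and compare with the received tag in constant time.
func Verify96(key, msg, tag []byte) bool {
	want, err := Tag96(key, msg)
	return err == nil && subtle.ConstantTimeCompare(want, tag) == 1
}

func main() {
	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")         // RFC 3566 test key
	msg, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f10111213") // 20 bytes, case #4
	tag, _ := Tag96(key, msg)
	fmt.Printf("tag %x (expected 47f51b4564966215b8985c63) ok=%v\n", tag, Verify96(key, msg, tag))
}
```

   Verify96 uses crypto/subtle so that a wrong authenticator is rejected
   in time independent of how many leading bytes happen to match.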

5.4 Interaction with the ESP Cipher Mechanism

   As of this writing, there are no known issues which preclude the use
   of the AES-XCBC-MAC-96 with any specific cipher algorithm.

5.5 Performance

   For any CBC MAC variant, the major computational effort is expended
   in computing the underlying block cipher.  This algorithm uses a
   minimum number of AES invocations, one for each block of the message
   or fraction thereof, resulting in performance equivalent to classic
   CBC-MAC.

   The key expansion requires 3 additional AES encryption operations,
   but these can be performed once in advance for each secret key.

5.6 Test Vectors

   TBD

6. Security Considerations

   The security provided by AES-XCBC-MAC-96 is based upon the strength
   of AES.  At the time of this writing there are no practical
   cryptographic attacks against AES or AES-XCBC-MAC-96.

   As is true with any cryptographic algorithm, part of its strength
   lies in the correctness of the algorithm implementation, the security
   of the key management mechanism and its implementation, the strength
   of the associated secret key, and upon the correctness of the
   implementation in all of the participating systems.  This draft
   contains test vectors to assist in verifying the correctness of
   AES-XCBC-MAC-96 code.

7. IANA Considerations

   IANA has assigned AH transform number XX to AH_AES_XCBC_MAC_96.
   IANA has assigned AH/ESP authentication algorithm number XX to AES-
   XCBC-MAC-96.

8. Intellectual Property Rights Statement


   Pursuant to the provisions of [RFC-2026], the authors represent that
   they have disclosed the existence of any proprietary or intellectual
   property rights in the contribution that are reasonably and
   personally known to the authors.  The authors do not represent that
   they personally know of all potentially pertinent proprietary and
   intellectual property rights owned or claimed by the organizations
   they represent or third parties.

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.  Copies of
   claims of rights made available for publication and any assurances
   of licenses to be made available, or the result of an attempt made
   to obtain a general license or permission for the use of such
   proprietary rights by implementers or users of this specification
   can be obtained from the IETF Secretariat.

9. Acknowledgments

   Portions of this text were unabashedly borrowed from [HMAC-SHA].

   Thanks to Phil Rogaway for expert advice (including suggested values
   for the XCBC-MAC constants) and rapid response to our queries.

10. References


     [AES]       Daemen, J. and V. Rijmen, "AES Proposal: Rijndael,"
                 NIST AES Proposal, Jun 1998.
                 http://csrc.nist.gov/encryption/aes/round2/AESAlgs/Rijndael/Rijndael.pdf

     [AH]        Kent, S. and R. Atkinson, "IP Authentication Header",
                 RFC 2402, November 1998.

     [ARCH]      Kent, S. and R. Atkinson, "Security Architecture for
                 the Internet Protocol", RFC 2401, November 1998.

     [CBC-MAC-1] Bellare, M., J. Kilian and P. Rogaway, "The Security of
                 the Cipher Block Chaining Message Authentication Code,"
                 Journal of Computer and System Sciences (JCSS), Vol.
                 61, No. 3, December 2000, pp. 362-399.
                 http://www-cse.ucsd.edu/users/mihir/papers/cbc.{ps,pdf}

     [CBC-MAC-2] Black, J. and P. Rogaway, "CBC MACs for Arbitrary-
                 Length Messages: The Three-Key Constructions," in M.
                 Bellare, editor, Advances in Cryptology -- CRYPTO '00,
                 volume 1880 of Lecture Notes in Computer Science, pp.
                 197-215, August 2000, Springer-Verlag.
                 http://www.cs.ucdavis.edu/~rogaway/papers/3k.ps

     [ESP]       Kent, S. and R. Atkinson, "IP Encapsulating Security
                 Payload (ESP)", RFC 2406, November 1998.

     [HMAC]      Krawczyk, H., M. Bellare and R. Canetti, "HMAC: Keyed-
                 Hashing for Message Authentication," RFC 2104, February
                 1997.

     [HMAC-SHA]  Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96
                 within ESP and AH," RFC 2404, November 1998.

     [MODES]     Dworkin, M., "Recommendation for Block Cipher Modes of
                 Operation," NIST Special Publication 800-XX, 2001.
                 http://csrc.nist.gov/encryption/modes/Modes01.pdf

     [RFC-2026]  Bradner, S., "The Internet Standards Process --
                 Revision 3", RFC 2026, October 1996.

     [RFC-2119]  Bradner, S., "Key words for use in RFCs to Indicate
                 Requirement Levels", RFC 2119, March 1997.

     [ROADMAP]   Thayer, R., N. Doraswamy, and R. Glenn, "IP Security
                 Document Roadmap", RFC 2411, November 1998.

     [XCBC-MAC-1]
                 Black, J. and P. Rogaway, "A Suggestion for Handling
                 Arbitrary-Length Messages with the CBC MAC," NIST
                 Second Modes of Operation Workshop, August 2001.
                 http://csrc.nist.gov/encryption/modes/proposed-modes/
                        xcbc-mac/xcbc-mac-spec.pdf

     [XCBC-MAC-2]
                 Rogaway, P., personal communication (email), October
                 2001.


11. Authors' Addresses


        Sheila Frankel
        NIST
        820 West Diamond Ave.
        Room 680
        Gaithersburg, MD 20899
        Phone: +1 (301) 975-3297
        Email: sheila.frankel@nist.gov

        Howard C. Herbert
        Intel Corporation
        Lan Access Division
        5000 West Chandler Blvd.
        MS-CH7-404
        Chandler, Arizona 85226
        Phone: +1 (480) 554-3116
        Email: howard.c.herbert@intel.com

   The IPsec working group can be contacted through the chairs:

        Barbara Fraser
        Cisco Systems Inc.
        Email: byfraser@cisco.com

        Theodore Ts'o
        Massachusetts Institute of Technology
        Email: tytso@mit.edu

12. Full Copyright Statement

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
