Internet Draft IPsec Working Group
November 2001 S. Moriai, NTT
Expiration Date: May 2002 Y. L. Yin, NTT MCL
S. Okazaki, NTT MCL
The Camellia Cipher Algorithm and Its Use With IPsec
<draft-ietf-ipsec-ciph-camellia-00.txt>
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working Groups. Note that other groups may also distribute
working documents as Internet Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsolete by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Drafts Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This document is a submission to the IETF Internet Protocol Security
(IPSEC) Working Group. Comments are solicited and should be addressed
to the working group mailing list (ipsec@lists.tislabs.com) or to the
editors.
Distribution of this memo is unlimited.
Abstract
This document describes the use of the Camellia block cipher
algorithm in Cipher Block Chaining Mode, with an explicit IV, as a
confidentiality mechanism within the context of the IPsec
Encapsulating Security Payload (ESP).
Moriai,Yin,Okazaki [Page 1]
INTERNET DRAFT The Use of Camellia with IPsec November 2001
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1 Specification of Requirements . . . . . . . . . . . . . . . 3
2. The Camellia Cipher Algorithm . . . . . . . . . . . . . . . . . 4
2.1 Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2 Key Size . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.3 Weak Keys . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.4 Block Size and Padding . . . . . . . . . . . . . . . . . . . 4
2.5 Rounds . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.6 Performance . . . . . . . . . . . . . . . . . . . . . . . . 5
3. ESP Payload . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Interaction with IKE . . . . . . . . . . . . . . . . . . . . . . 5
4.1 Phase 1 Identifiers . . . . . . . . . . . . . . . . . . . . 6
4.2 Phase 2 Identifiers . . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
7. Intellectual Property Rights Statement . . . . . . . . . . . . . 7
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 7
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
11. Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 9
Moriai,Yin,Okazaki [Page 2]
INTERNET DRAFT The Use of Camellia with IPsec November 2001
1. Introduction
This document describes the use of the Camellia block cipher
algorithm in Cipher Block Chaining Mode, with an explicit IV, as a
confidentiality mechanism within the context of the IPsec
Encapsulating Security Payload (ESP).
Camellia supports 128-bit block size and 128-, 192-, and 256-bit key
lengths, i.e. the same interface specifications as the Advanced
Encryption Standard (AES) [AES].
Camellia was jointly developed by NTT and Mitsubishi Electric
Corporation in 2000. It was carefully designed to withstand all known
cryptanalytic attacks and even to have a sufficiently large security
leeway for use of the next 10-20 years.
Camellia was also designed to have suitability for both software and
hardware implementations and to cover all possible encryption
applications that range from low-cost smart cards to high-speed
network systems. Compared to the AES finalists, i.e. MARS, RC6,
Rijndael, Serpent, and Twofish, Camellia offers at least comparable
encryption speed in software and hardware. An optimized
implementation of Camellia in assembly language can encrypt on a
Pentium III (1.13GHz) at the rate of 471 Mbits per second. In
addition, a distinguishing feature is its small hardware design. The
current smallest hardware implementation, which includes encryption,
decryption, and the key schedule for 128-bit keys, occupies only
8.12K gates using a 0.18um CMOS ASIC library [Camellia]. This is in
the smallest class among all existing 128-bit block ciphers. It
perfectly meets one of the current IPsec market requirements, where
low power consumption is a mandatory condition.
Camellia has been submitted to several standardization bodies such as
ISO (ISO/IEC 18033) and IETF (Transport Layer Security working group)
[Camellia-TLS] and it is under consideration. It has also been
submitted to several cryptographic techniques evaluation projects
such as NESSIE [NESSIE] and CRYPTREC [CRYPTREC], and scrutinized by
worldwide cryptographic experts. In particular, the NESSIE project
plans to develop by the end of 2002 a strong portfolio of crypto
algorithms and intends to input these algorithms to standardization
bodies such as ISO, IETF, and IEEE. In September 2001, the project
announced its selection of the algorithms for the 2nd phase of the
project. Camellia is one of the three 128-bit block cipher finalists
selected out of 8 candidates.
The remainder of this document specifies the use of Camellia within
the context of IPsec ESP. For further information on how the various
pieces of ESP fit together to provide security services, refer to
[ARCH], [ESP], and [ROAD].
1.1 Specification of Requirements
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
Moriai,Yin,Okazaki [Page 3]
INTERNET DRAFT The Use of Camellia with IPsec November 2001
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" that
appear in this document are to be interpreted as described in
[RFC-2119].
2. The Camellia Cipher Algorithm
All symmetric block cipher algorithms share common characteristics
and variables, including mode, key size, weak keys, block size, and
rounds. The following sections contain descriptions of the relevant
characteristics of Camellia.
The algorithm specification and object identifiers are described in
[Camellia-ID]. The Camellia homepage,
http://info.isl.ntt.co.jp/camellia/, contains a wealth of information
about camellia, including detailed specification, security analysis,
performance figures, reference implementation, test vectors, and
intellectual property information.
2.1 Mode
No operational modes are currently defined for Camellia. NIST is in
the process of developing a modes of operation FIPS for AES [MODES].
However, the Cipher Block Chaining (CBC) mode is well-defined and
well-understood for symmetric ciphers, and is currently required for
all other ESP ciphers. This document specifies the use of Camellia
in CBC mode within ESP. Additional modes may be specified based on
the discussion in the working group mailing list.
More information on CBC mode can be obtained in [CRYPTO-S]. For the
use of CBC mode in ESP with 64-bit ciphers, see [CBC].
2.2 Key Size
This document specifies the default (i.e. MUST be supported) key size
for Camellia. The default key size that implementations MUST support
for IPsec is 128 bits. In addition, Camellia accepts key sizes of
192 and 256 bits. This is the same as the AES cipher.
+============+=========================+===========+
| Algorithm | Key Sizes (bits) | Default |
+============+=========================+===========+
| Camellia | 128, 192, 256 | 128 |
+------------+-------------------------+-----------+
| AES | 128, 192, 256 | 128 |
+------------+-------------------------+-----------+
2.3 Weak Keys
At the time of writing this document there are no known weak keys for
Camellia.
2.4 Block Size and Padding
Camellia uses a block size of sixteen octets (128 bits), mandatory
Moriai,Yin,Okazaki [Page 4]
INTERNET DRAFT The Use of Camellia with IPsec November 2001
for the AES.
Padding is required by the algorithms to maintain a 16-octet
(128-bit) blocksize. Padding MUST be added, as specified in [ESP],
such that the data to be encrypted (which includes the ESP Pad Length
and Next Header fields) has a length that is a multiple of 16 octets.
Because of the algorithm specific padding requirement, no additional
padding is required to ensure that the ciphertext terminates on a
4-octet boundary (i.e. maintaining a 16-octet blocksize guarantees
that the ESP Pad Length and Next Header fields will be right aligned
within a 4-octet word). Additional padding MAY be included, as
specified in [ESP], as long as the 16-octet blocksize is maintained.
2.5 Rounds
This variable determines how many times a block is encrypted. While
this variable MAY be negotiated, a default value MUST always exist
when it is not negotiated. Within IPsec, Camellia MUST support 18
rounds, corresponding to the mandatory 128-bit key size.
+============+===============+=======================+
| Algorithm | Negotiable? | Default # of Rounds |
+============+===============+=======================+
| Camellia | Yes | 18, 24, 24* |
+------------+---------------+-----------------------+
| AES | Yes | 10, 12, 14** |
+------------+---------------+-----------------------+
*NOTE1: Camellia's # of Rounds is dependent on key size.
Rounds = 18 when keylen=128, and
Rounds = 24 when keylen=192 or 256.
**NOTE2: AES's Default # of Rounds is dependent on key size.
Default # of Rounds = keylen/32 + 6.
2.6 Performance
Performance figures of Camellia are available at
http://info.isl.ntt.co.jp/camellia/. It also includes performance
comparison with the AES cipher and other AES finalists.
3. ESP Payload
Camellia was designed to follow the same API as the AES cipher.
Therefore, any consideration related to ESP payload is the same as
that of the AES cipher. Details can be found in [AES-IPSEC].
4. Interaction with IKE
Camellia was designed to follow the same API as the AES cipher.
Therefore, this section defines only Phase 1 Identifier and Phase 2
Identifier. Any other consideration related to interaction with IKE
is the same as that of the AES cipher. Details can be found in
[AES-IPSEC].
Moriai,Yin,Okazaki [Page 5]
INTERNET DRAFT The Use of Camellia with IPsec November 2001
4.1 Phase 1 Identifier
For Phase 1 negotiations, we are asking IANA an assigned Encryption
Algorithm ID for Camellia-CBC. Before IANA assigns the ID, to
facilitate the experimental use of Camellia, it would be useful to
temporarily define a standard IKE Encryption Algorithm Identifier for
it. [IKE] reserves the values 65001-65535 "for private use among
mutually consenting parties". The values 65001-65005 are defined for
MARS, RC6, Serpent, and Twofish in [AES-IPSEC]. The following IKE
Encryption Algorithm Identifier is suggested for IKE interoperability
using Camellia:
+=======================+=========+
| Encryption Algorithm | Value |
+=======================+=========+
| Camellia-CBC | 65006 |
+-----------------------+---------+
4.2 Phase 2 Identifier
For Phase 2 negotiations, we are asking IANA an assigned ESP
Transform Identifier for ESP_Camellia. Before IANA assigns the ID,
to facilitate the experimental use of Camellia, it would be useful to
temporarily define a standard IPsec ESP Transform Identifier for it.
[DOI] reserves the values 249-255 for "private use amongst
cooperating systems." The values 249-253 are defined for MARS, RC6,
Serpent, and Twofish in [AES-IPSEC]. The following IPsec ESP
Transform Identifier is suggested for IKE interoperability using
Camellia:
+===============+=========+
| Transform ID | Value |
+===============+=========+
| ESP_Camellia | 254 |
+---------------+---------+
5. Security Considerations
Implementations are encouraged to use the largest key sizes they can
when taking into account performance considerations for their
particular hardware and software configuration. Note that encryption
necessarily impacts both sides of a secure channel, so such
consideration must take into account not only the client side, but
the server as well. However, a key size of 128 bits is considered
secure for the foreseeable future.
Camellia is relatively new and has only undergone limited
cryptographic analysis. However, it has been submitted to several
standardization bodies and cryptographic techniques evaluation
projects such as NESSIE [NESSIE] and CRYPTREC [CRYPTREC], and
scrutinized by worldwide cryptographic experts. In particular, the
NESSIE project plans to develop by the end of 2002 a strong portfolio
Moriai,Yin,Okazaki [Page 6]
INTERNET DRAFT The Use of Camellia with IPsec November 2001
of crypto algorithms and intends to input these algorithms to
standardization bodies such as ISO, IETF, and IEEE. In September
2001, the project announced its selection of the algorithms for the
2nd phase of the project. Camellia is one of the three 128-bit block
cipher finalists selected out of 8 candidates.
6. IANA Considerations
We are asking IANA to assign an Encryption Algorithm ID for
Camellia-CBC and a Transform Identifier for ESP_Camellia.
7. Intellectual Property Rights Statement
Mitsubishi Electric Corporation and Nippon Telegraph and Telephone
Corporation have pending applications or filed patents which are
essential to Camellia. However, we are prepared to grant, on the the
basis of reciprocity and non-discriminatory, a loyalty-free license
under above patents to an unrestricted number of applicants to
manufacture, use and/or sell implementations of Camellia.
8. Acknowledgments
Portions of this text, as well as its general structure, were
unabashedly lifted from [AES-IPSEC].
9. References
[AES] Advanced Encryption Standard,
http://www.nist.gov/encryption/aes/.
[AES-IPSEC] Frankel, S., S. Kelly, and R. Glenn, "The AES Cipher
Algorithm and Its Use With IPsec," draft-ietf-ipsec-
ciph-aes-cbc-02.txt, October, 2001.
[ARCH] Kent, S. and R. Atkinson, "Security Architecture for
the Internet Protocol", RFC 2401, November 1998.
[Camellia] Aoki, K, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai,
J. Nakajima, and T. Tokita, "Camellia: A 128-Bit Block
Cipher Suitable for Multiple Platforms,'' September,
2001, http://info.isl.ntt.co.jp/camellia/CRYPTREC/
2001/01eeval.pdf.
[Camellia-ID]
Nakajima, J. and S. Moriai, "A Description of the
Camellia Encryption Algorithm," draft-nakajima-
camellia-02.txt, July, 2001.
[Camellia-TLS]
Moriai, S., "Addition of the Camellia Encryption
Algorithm to TLS," draft-ietf-tls-camellia-01.txt,
May, 2001.
[CBC] Pereira, R. and R. Adams, "The ESP CBC-Mode Cipher
Moriai,Yin,Okazaki [Page 7]
INTERNET DRAFT The Use of Camellia with IPsec November 2001
Algorithms," RFC 2451, November 1998.
[CRYPTO-S] Schneier, B., "Applied Cryptography Second Edition",
John Wiley & Sons, New York, NY, 1995, ISBN
0-471-12845-7.
[CRYPTREC] Cryptographic Techniques Evaluation Project 2001,
http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html.
[DOI] Piper, D., "The Internet IP Security Domain of
Interpretation for ISAKMP," RFC 2407, November 1998.
[ESP] Kent, S. and R. Atkinson, "IP Encapsulating Security
Payload (ESP)", RFC 2406, November 1998.
[IKE] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, November 1998.
[MODES] Symmetric Key Block Cipher Modes of Operation,
http://www.nist.gov/modes/.
[NESSIE] The NESSIE project (New European Schemes for
Signatures, Integrity and Encryption),
http://www.cosic.esat.kuleuven.ac.be/nessie/.
[RFC-2026] Bradner, S., "The Internet Standards Process --
Revision 3", RFC2026, October 1996.
[RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC-2119, March 1997.
[ROAD] Thayer, R., N. Doraswamy and R. Glenn, "IP Security
Document Roadmap", RFC 2411, November 1998.
10. Authors' Addresses
Shiho Moriai
Nippon Telegraph and Telephone Corporation
1-1 Hikarinooka, Yokosuka, 239-0847, Japan
Phone: +81-468-59-2007
FAX: +81-468-59-3858
Email: shiho@isl.ntt.co.jp
Yiqun Lisa Yin
NTT Multimedia Communications Laboratories, Inc.
250 Cambridge Avenue, Suite 300
Palo Alto, CA 94306, USA
Phone: +1-650-833-3612
FAX: +1-650-326-1878
Email: yiqun@nttmcl.com
Satomi Okazaki
NTT Multimedia Communications Laboratories, Inc.
Moriai,Yin,Okazaki [Page 8]
INTERNET DRAFT The Use of Camellia with IPsec November 2001
250 Cambridge Avenue, Suite 300
Palo Alto, CA 94306, USA
Phone: +1-650-833-3631
FAX: +1-650-326-1878
Email: satomi@nttmcl.com
The IPsec working group can be contacted through the chair:
Ted T'so
Massachusetts Institute of Technology
e-mail: tytso@mit.edu
11. Full Copyright Statement
Copyright (C) The Internet Society (1998). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights de fined in the Internet Standards process must be
followed, or as re quired to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANT ABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Moriai,Yin,Okazaki [Page 9]
