Network Working Group S. Kanno
Internet-Draft NTT Software Corporation
Intended status: Standards Track M. Kanda
Expires: October 7, 2009 Nippon Telegraph and Telephone
Corporation
April 5, 2009
The Camellia-XCBC-96 and Camellia-XCBC-PRF-128 Algorithms and Its Use
with IPsec
draft-kanno-ipsecme-camellia-xcbc-00
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on October 7, 2009.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Kanno & Kanda Expires October 7, 2009 [Page 1]
Internet-Draft The Camellia XCBC-96 and XCBC-PRF-128 April 2009
Abstract
This memo specifies two new algorithms. One is the usage of XCBC
mode with Camellia block cipher on the authentication mechanism of
the IPsec Encapsulating Security Payload and Authentication Header
protocols. This algorithm is called Camellia-XCBC-96. Latter is
pseudo-random function based on XCBC with Camellia block cipher for
Internet Key Exchange. This algorithm is called Camellia-XCBC-PRF-
128.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Camellia-XCBC-96 and Camellia-XCBC-PRF-128 . . . . . . . . . . 4
3. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Camellia-XCBC-96 . . . . . . . . . . . . . . . . . . . . . 5
3.2. Camellia-XCBC-PRF-128 . . . . . . . . . . . . . . . . . . 7
4. Security Considerations . . . . . . . . . . . . . . . . . . . 8
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
7.1. Normative . . . . . . . . . . . . . . . . . . . . . . . . 11
7.2. Informative . . . . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12
Kanno & Kanda Expires October 7, 2009 [Page 2]
Internet-Draft The Camellia XCBC-96 and XCBC-PRF-128 April 2009
1. Introduction
This document specifies two new algorithms. One is the usage of XCBC
based on Camellia block cipher on the authentication mechanism of the
IPsec Encapsulating Security Payload (ESP) [7] and Authentication
Header protocols (AH) [6]. This algorithm is called
Camellia-XCBC-96. Latter is Pseudo-Random Function (PRF) based on
XCBC with Camellia block cipher for Internet Key Exchange (IKEv2)
[8]. This algorithm is called Camellia-XCBC-PRF-128.
The Camellia algorithm specification and object identifiers are
described in [2].
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [1].
Kanno & Kanda Expires October 7, 2009 [Page 3]
Internet-Draft The Camellia XCBC-96 and XCBC-PRF-128 April 2009
2. Camellia-XCBC-96 and Camellia-XCBC-PRF-128
The Camellia-XCBC-96 comply with [3]. Also, The Camellia-XCBC-PRF-
128 comply with [4].
Kanno & Kanda Expires October 7, 2009 [Page 4]
Internet-Draft The Camellia XCBC-96 and XCBC-PRF-128 April 2009
3. Test Vectors
3.1. Camellia-XCBC-96
This section contains seven test vectors(TV), which can be used to
confirm that an implementation has correctly implemented Camellia-
XCBC-96.
Kanno & Kanda Expires October 7, 2009 [Page 5]
Internet-Draft The Camellia XCBC-96 and XCBC-PRF-128 April 2009
Test Case #1 : Camellia-XCBC-MAC-96 with 0-byte input
Key (K) : 000102030405060708090a0b0c0d0e0f
Message (M) : <empty string<
Camellia-XCBC-MAC : <TBD>
Camellia-XCBC-MAC-96: <TBD>
Test Case #2 : Camellia-XCBC-MAC-96 with 3-byte input
Key (K) : 000102030405060708090a0b0c0d0e0f
Message (M) : 000102
Camellia-XCBC-MAC : <TBD>
Camellia-XCBC-MAC-96: <TBD>
Test Case #3 : Camellia-XCBC-MAC-96 with 16-byte input
Key (K) : 000102030405060708090a0b0c0d0e0f
Message (M) : 00102030405060708090a0b0c0d0e0f
Camellia-XCBC-MAC : <TBD>
Camellia-XCBC-MAC-96: <TBD>
Test Case #4 : Camellia-XCBC-MAC-96 with 20-byte input
Key (K) : 000102030405060708090a0b0c0d0e0f
Message (M) : 000102030405060708090a0b0c0d0e0f10111213
Camellia-XCBC-MAC : <TBD>
Camellia-XCBC-MAC-96: <TBD>
Test Case #5 : Camellia-XCBC-MAC-96 with 32-byte input
Key (K) : 000102030405060708090a0b0c0d0e0f
Message (M) : 000102030405060708090a0b0c0d0e0f1011121314151
61718191a1b1c1d1e1f
Camellia-XCBC-MAC : <TBD>
Camellia-XCBC-MAC-96: <TBD>
Test Case #6 : Camellia-XCBC-MAC-96 with 34-byte input
Key (K) : 000102030405060708090a0b0c0d0e0f
Message (M) : 000102030405060708090a0b0c0d0e0f1011121314151
61718191a1b1c1d1e1f2021
Camellia-XCBC-MAC : <TBD>
Camellia-XCBC-MAC-96: <TBD>
Test Case #7 : Camellia-XCBC-MAC-96 with 1000-byte input
Key (K) : 000102030405060708090a0b0c0d0e0f
Message (M) : 00000000000000000000 ... 00000000000000000000
[1000 bytes]
Camellia-XCBC-MAC : <TBD>
Camellia-XCBC-MAC-96: <TBD>
Kanno & Kanda Expires October 7, 2009 [Page 6]
Internet-Draft The Camellia XCBC-96 and XCBC-PRF-128 April 2009
3.2. Camellia-XCBC-PRF-128
This section contains three test vectors(TV), which can be used to
confirm that an implementation has correctly implemented Camellia-
XCBC-PRF-128.
Test Case #1 : Camellia-XCBC-PRF-128 with 20-byte input
Key : 000102030405060708090a0b0c0d0e0f
Key Length : 16
Message : 000102030405060708090a0b0c0d0e0f10111213
PRF Output : <TBD>
Test Case #2 : Camellia-XCBC-PRF-128 with 20-byte input
Key : 00010203040506070809
Key Length : 10
Message : 000102030405060708090a0b0c0d0e0f10111213
PRF Output : <TBD>
Test Case #3 : Camellia-XCBC-PRF-128 with 20-byte input
Key : 000102030405060708090a0b0c0d0e0fedcb
Key Length : 18
Message : 000102030405060708090a0b0c0d0e0f10111213
PRF Output : <TBD>
Kanno & Kanda Expires October 7, 2009 [Page 7]
Internet-Draft The Camellia XCBC-96 and XCBC-PRF-128 April 2009
4. Security Considerations
At the time of writing this document there are no known weak keys for
Camellia. And no security problem has been found on Camellia [10],
[11]
For other security considerations, please refer to the security
considerations of the previous use of XCBC mode document described in
[3] and [4].
Kanno & Kanda Expires October 7, 2009 [Page 8]
Internet-Draft The Camellia XCBC-96 and XCBC-PRF-128 April 2009
5. IANA Considerations
IANA has assigned AH/ESP Authentication Algorithm Value <TBD2> for
IKEv2 Transform Type 3 (Integrity Algorithm) to CAMELLIA-XCBC-MAC.
IANA has assigned AH Transform Identifier <TBD1> for IKEv2 Transform
Type 2 (Pseudo-Random Function) to AH_CAMELLIA-XCBC-MAC.
Kanno & Kanda Expires October 7, 2009 [Page 9]
Internet-Draft The Camellia XCBC-96 and XCBC-PRF-128 April 2009
6. Acknowledgements
This document unabashedly referred to [3] and [4].
Kanno & Kanda Expires October 7, 2009 [Page 10]
Internet-Draft The Camellia XCBC-96 and XCBC-PRF-128 April 2009
7. References
7.1. Normative
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Matsui, M., Nakajima, J., and S. Moriai, "A Description of the
Camellia Encryption Algorithm", RFC 3713, April 2004.
[3] Frankel, S. and H. Herbert, "The AES-XCBC-MAC-96 Algorithm and
Its Use With IPsec", RFC 3566, September 2003.
[4] Hoffman, P., "The AES-XCBC-PRF-128 Algorithm for the Internet
Key Exchange Protocol (IKE)", RFC 4434, February 2006.
[5] Black, J. and P. Rogaway, "Fast Encryption and Authentication:
XCBC Encryption and XECB Authentication Modes", August 2001, <h
ttp://csrc.nist.gov/groups/ST/toolkit/BCM/documents/
proposedmodes/xcbc-mac/xcbc-mac-spec.pdf>.
7.2. Informative
[6] Kent, S., "IP Authentication Header", RFC 4302, December 2005.
[7] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303,
December 2005.
[8] Kaufman, C., Hoffman, P., and P. Eronen, "Internet Key Exchange
Protocol: IKEv2", draft-hoffman-ikev2bis-03 (work in progress),
February 2008.
[9] Kato, A., Moriai, S., and M. Kanda, "The Camellia Cipher
Algorithm and Its Use With IPsec", RFC 4312, December 2005.
[10] "The NESSIE project (New European Schemes for Signatures,
Integrity and Encryption)",
<http://www.cosic.esat.kuleuven.ac.be/nessie/>.
[11] Information-technology Promotion Agency (IPA), "Cryptography
Research and Evaluation Committees",
<http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html>.
Kanno & Kanda Expires October 7, 2009 [Page 11]
Internet-Draft The Camellia XCBC-96 and XCBC-PRF-128 April 2009
Authors' Addresses
Satoru Kanno
NTT Software Corporation
Phone: +81-45-212-7577
Fax: +81-45-212-9800
Email: kanno-s@po.ntts.co.jp
Masayuki Kanda
Nippon Telegraph and Telephone Corporation
Phone: +81-422-59-3456
Fax: +81-422-59-4015
Email: kanda.masayuki@lab.ntt.co.jp
Kanno & Kanda Expires October 7, 2009 [Page 12]