Network Working Group                                          M. Katagi
Internet-Draft                                          Sony Corporation
Intended status: Informational                            April 24, 2012
Expires: October 26, 2012


           The CLEFIA Cipher Algorithm and Its Use with IPsec
                     draft-katagi-ipsecme-clefia-01

Abstract

   This document describes the use of the CLEFIA block cipher algorithm
   in conjunction with several different modes of operation within IKE
   and IPsec.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 26, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.





Katagi                  Expires October 26, 2012                [Page 1]


Internet-Draft   CLEFIA Cipher Algorithm Use with IPsec       April 2012


Table of Contents

   1.  Introduction
     1.1.  CLEFIA
   2.  Modes of Operation
     2.1.  Encryption
     2.2.  Message Authentication Codes (MACs)
     2.3.  Authenticated Encryption
     2.4.  Pseudo Random Functions (PRFs)
   3.  IKEv1 Conventions
     3.1.  Phase 1 Identifier
     3.2.  Phase 2 Identifier
   4.  IKEv2 Conventions
     4.1.  Transform Type 1
     4.2.  Transform Type 2
     4.3.  Transform Type 3
   5.  Security Considerations
   6.  IANA Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Author's Address

1.  Introduction

   This document describes the use of the CLEFIA block cipher algorithm
   [RFC6114] in conjunction with several different modes of operation
   within IKEv1 [RFC2409], IKEv2 [RFC5996], IPsec-v2 ([RFC2401],
   [RFC2402], [RFC2406]), and IPsec-v3 ([RFC4301], [RFC4302],
   [RFC4303]).

1.1.  CLEFIA

   CLEFIA is a 128-bit blockcipher algorithm with key lengths of 128,
   192, and 256 bits.  The CLEFIA algorithm was published in 2007
   [FSE07].  Since AES was designed, cryptographic technology has
   advanced: new attack, design, and implementation techniques have
   been studied extensively.  CLEFIA's design is based on
   state-of-the-art techniques for the design and analysis of block
   ciphers.  The security of CLEFIA has been scrutinized by the public
   community, and no security weaknesses have been reported so far.

   CLEFIA is a general-purpose blockcipher and offers high performance
   in both software and hardware.  In particular, CLEFIA has an
   advantage in efficient hardware implementation over AES, Camellia,
   and SEED, which can be used in IPsec.  Its gate efficiency, defined
   as the ratio of speed to gate size, is superior to that of these
   ciphers [ISCAS08].

   CLEFIA is standardized in ISO/IEC 29192-2 [ISO29192-2].  ISO/IEC
   29192 is a standardization project for "Lightweight Cryptography
   (LWC)", meaning cryptographic algorithms and protocols tailored for
   implementation in constrained environments such as RFID tags,
   sensors, and contactless smart cards.  LWC contributes to the
   security of constrained devices that connect over IP.  CLEFIA has
   also been proposed in the CRYPTREC project for the revision of the
   e-Government recommended ciphers list in Japan [CRYPTREC].

   The algorithm specification is given in RFC 6114 [RFC6114].  Further
   information about CLEFIA, including design rationale, security
   evaluations, implementation results, and reference code, is
   available from [CLEFIAWEB].

2.  Modes of Operation

   CLEFIA is a 128-bit blockcipher algorithm with key lengths of 128,
   192, and 256 bits.  CLEFIA has the same interface as the Advanced
   Encryption Standard (AES) [FIPS-197] in terms of block size and key
   lengths.  Therefore, CLEFIA modes of operation are defined simply by
   replacing AES with CLEFIA in the modes of operation previously
   defined within IPsec/IKE, without any limitation.  The only
   difference is that the underlying encryption primitive is CLEFIA
   instead of AES.

2.1.  Encryption

   CBC mode and Counter mode are encryption modes that are based on a
   block cipher algorithm.

   The use of CLEFIA in CBC mode (CLEFIA-CBC) and Counter mode (CLEFIA-
   CTR) for ESP is defined in the same manner as AES-CBC [RFC3602] and
   AES-CTR [RFC3686].

   The use of CLEFIA-CBC for IKEv1 and IKEv2 is also defined in the same
   manner as [RFC3602] and [RFC5996], respectively.  The use of CLEFIA-
   CTR for IKEv2 is defined in the same manner as [RFC5930].

2.2.  Message Authentication Codes (MACs)

   Cipher-based Message Authentication Code (CMAC) and Galois Message
   Authentication Code (GMAC) are message authentication codes that are
   based on a block cipher algorithm.  CMAC and GMAC provide integrity
   protection for messages.

   The use of CLEFIA in CMAC mode (CLEFIA-CMAC) and GMAC mode (CLEFIA-
   GMAC) for ESP is defined in the same manner as AES-CMAC [RFC4494] and
   AES-GMAC [RFC4543].  The key size supported in CLEFIA-CMAC is 128
   bits.  CLEFIA-CMAC-96 is the CLEFIA-CMAC with 96-bit truncated output
   [RFC4494].  The key sizes supported in CLEFIA-GMAC are 128 bits, 192
   bits, and 256 bits.

2.3.  Authenticated Encryption

   CCM mode and Galois/Counter mode are authenticated encryption modes
   that are based on a block cipher algorithm.

   The use of CLEFIA in CCM mode (CLEFIA-CCM) and Galois/Counter mode
   (CLEFIA-GCM) for ESP is defined in the same manner as AES-CCM
   [RFC4309] and AES-GCM [RFC4106].  The use of CLEFIA-CCM and CLEFIA-
   GCM for IKEv2 is defined in the same manner as [RFC5282].

   As in [RFC4309], CLEFIA-CCM supports integrity check value (ICV)
   sizes of 8 octets, 12 octets, and 16 octets.  Similarly, CLEFIA-GCM
   supports ICV sizes of 8 octets, 12 octets, and 16 octets.

2.4.  Pseudo Random Functions (PRFs)

   IKEv2 uses pseudo-random functions (PRFs) to generate the secret keys
   that are used in IKE SAs and IPsec SAs.

   In the same manner as AES-CMAC-PRF-128 [RFC4615], CLEFIA-CMAC-PRF-128
   is identical to CLEFIA-CMAC defined in Section 2.2 except that the
   128-bit key length restriction is removed.
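
   The key handling that separates CLEFIA-CMAC-96 (Section 2.2) from
   CLEFIA-CMAC-PRF-128, as an added example that is not part of this
   draft or of the CLEFIA reference code.  It assumes the RFC 4493 and
   RFC 4615 constructions; standin_encrypt is a constructed placeholder
   for the block cipher, and all function names are hypothetical.

```python
import hashlib

BLOCK = 16  # octets; CLEFIA and AES share the 128-bit block size

def standin_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for E_K(): 4-round Feistel over SHA-256.
    NOT CLEFIA and not secure; a real build plugs RFC 6114 CLEFIA in here."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _double(b: bytes) -> bytes:
    """Multiply by x in GF(2^128): CMAC subkey step with Rb = 0x87."""
    n = int.from_bytes(b, "big") << 1
    if n >> 128:  # the bit shifted out was set
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(BLOCK, "big")

def cmac(key: bytes, msg: bytes, encrypt=standin_encrypt) -> bytes:
    """CMAC over any 128-bit block cipher, following RFC 4493."""
    k1 = _double(encrypt(key, bytes(BLOCK)))
    k2 = _double(k1)
    n = max(1, -(-len(msg) // BLOCK))  # block count, at least one
    last = msg[(n - 1) * BLOCK:]
    if len(last) == BLOCK:   # complete final block: mask with K1
        last = _xor(last, k1)
    else:                    # partial or empty: pad 10...0, mask with K2
        last = _xor(last + b"\x80" + bytes(BLOCK - len(last) - 1), k2)
    x = bytes(BLOCK)
    for i in range(n - 1):   # CBC-MAC over all blocks but the last
        x = encrypt(key, _xor(x, msg[i * BLOCK:(i + 1) * BLOCK]))
    return encrypt(key, _xor(x, last))

def cmac_96(key: bytes, msg: bytes, encrypt=standin_encrypt) -> bytes:
    """Section 2.2 integrity transform: 128-bit key only, 96-bit output."""
    if len(key) != BLOCK:
        raise ValueError("CMAC-96 supports only 128-bit keys")
    return cmac(key, msg, encrypt)[:12]

def cmac_prf_128(vk: bytes, msg: bytes, encrypt=standin_encrypt) -> bytes:
    """Section 2.4 PRF: any key length, handled as in RFC 4615."""
    # A 16-octet key is used as is; any other length is first reduced
    # to 16 octets by CMAC under the all-zero key.
    k = vk if len(vk) == BLOCK else cmac(bytes(BLOCK), vk, encrypt)
    return cmac(k, msg, encrypt)
```

   Passing a CLEFIA implementation as the encrypt argument yields the
   transforms named in this document; the mode logic is unchanged.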

3.  IKEv1 Conventions

   As mentioned in Section 2, CLEFIA has a common interface with AES.
   Identifiers in Phase 1 and Phase 2 are defined in Section 6.

3.1.  Phase 1 Identifier

   For IKE phase 1 negotiations, IANA is requested to assign an
   Encryption Algorithm Identifier for CLEFIA-CBC.  The assigned
   identifier is shown in Section 6.

3.2.  Phase 2 Identifier

   For IKE phase 2 negotiations, IANA is requested to assign nine IPsec
   ESP Transform Identifiers for CLEFIA-CBC, CLEFIA-CTR, CLEFIA-CCM, and
   CLEFIA-GCM and three identifiers for CLEFIA-GMAC in the
   Authentication Algorithms registry.  The assigned identifiers are
   shown in Section 6.

4.  IKEv2 Conventions

   As mentioned in Section 2, CLEFIA has a common interface with AES.
   Identifiers in IKEv2 Transform Types are defined in Section 6.

4.1.  Transform Type 1

   For IKEv2 negotiations, IANA is requested to assign Transform Type 1
   identifiers for CLEFIA-CBC, CLEFIA-CTR, CLEFIA-CCM, and CLEFIA-GCM.
   The assigned identifiers are shown in Section 6.

4.2.  Transform Type 2

   For IKEv2 negotiations, IANA is requested to assign a Transform
   Type 2 identifier for CLEFIA-CMAC.  The assigned identifier is shown
   in Section 6.

4.3.  Transform Type 3

   For IKEv2 negotiations, IANA is requested to assign Transform Type 3
   identifiers for CLEFIA-CMAC and CLEFIA-GMAC.  The assigned
   identifiers are shown in Section 6.

5.  Security Considerations

   The security of the CLEFIA algorithm has been scrutinized by the
   public community since the algorithm was proposed, and no security
   weaknesses have been reported so far.

   For other security considerations, please refer to the security
   considerations in previous RFCs ([RFC3602], [RFC3686], [RFC4106],
   [RFC4309], [RFC4494], [RFC4543], [RFC5930], and [RFC5996]).  These
   apply to this document as well.

6.  IANA Considerations

   IANA is requested to allocate the Encryption Algorithm Class Values
   (Value 1) in the "Internet Key Exchange (IKE) attributes" registry:

     Number    Name
     <TBD1>    CLEFIA-CBC

   IANA is also requested to allocate the following values in the
   "Internet Security Association and Key Management Protocol (ISAKMP)
   Identifiers" registry:

     IPsec ESP Transform Identifiers

     Number    Name
     <TBD1>    ESP_CLEFIA-CBC
     <TBD2>    ESP_CLEFIA-CTR
     <TBD3>    ESP_CLEFIA-CCM_8
     <TBD4>    ESP_CLEFIA-CCM_12
     <TBD5>    ESP_CLEFIA-CCM_16
     <TBD6>    ESP_CLEFIA-GCM_8
     <TBD7>    ESP_CLEFIA-GCM_12
     <TBD8>    ESP_CLEFIA-GCM_16
     <TBD9>    ESP_NULL_AUTH_CLEFIA-GMAC


     Authentication Algorithms sub-registry

     Number    Name
     <TBD1>    CLEFIA-128-GMAC
     <TBD2>    CLEFIA-192-GMAC
     <TBD3>    CLEFIA-256-GMAC

   IANA is also requested to allocate the following values in the
   "Internet Key Exchange Version 2 (IKEv2) Parameters" registry:

     Transform Type 1 - Encryption Algorithm Transform IDs

     Number    Name
     <TBD1>    ENCR_CLEFIA_CBC
     <TBD2>    ENCR_CLEFIA_CTR
     <TBD3>    ENCR_CLEFIA_CCM_8
     <TBD4>    ENCR_CLEFIA_CCM_12
     <TBD5>    ENCR_CLEFIA_CCM_16
     <TBD6>    ENCR_CLEFIA_GCM_8
     <TBD7>    ENCR_CLEFIA_GCM_12
     <TBD8>    ENCR_CLEFIA_GCM_16
     <TBD9>    ENCR_NULL_AUTH_CLEFIA_GMAC

     Transform Type 2 - Pseudo-random Function Transform IDs

     Number    Name
     <TBD1>    PRF_CLEFIA128_CMAC


     Transform Type 3 - Integrity Algorithm Transform IDs

     Number    Name
     <TBD1>    AUTH_CLEFIA_128_CMAC_96
     <TBD2>    AUTH_CLEFIA_128_GMAC
     <TBD3>    AUTH_CLEFIA_192_GMAC
     <TBD4>    AUTH_CLEFIA_256_GMAC

7.  References

7.1.  Normative References

   [RFC2401]  Kent, S. and R. Atkinson, "Security Architecture for the
              Internet Protocol", RFC 2401, November 1998.

   [RFC2402]  Kent, S. and R. Atkinson, "IP Authentication Header",
              RFC 2402, November 1998.

   [RFC2406]  Kent, S. and R. Atkinson, "IP Encapsulating Security
              Payload (ESP)", RFC 2406, November 1998.

   [RFC2409]  Harkins, D. and D. Carrel, "The Internet Key Exchange
              (IKE)", RFC 2409, November 1998.

   [RFC3602]  Frankel, S., Glenn, R., and S. Kelly, "The AES-CBC Cipher
              Algorithm and Its Use with IPsec", RFC 3602,
              September 2003.

   [RFC3686]  Housley, R., "Using Advanced Encryption Standard (AES)
              Counter Mode With IPsec Encapsulating Security Payload
              (ESP)", RFC 3686, January 2004.

   [RFC4106]  Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
              (GCM) in IPsec Encapsulating Security Payload (ESP)",
              RFC 4106, June 2005.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.

   [RFC4302]  Kent, S., "IP Authentication Header", RFC 4302,
              December 2005.

   [RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)",
              RFC 4303, December 2005.

   [RFC4309]  Housley, R., "Using Advanced Encryption Standard (AES) CCM
              Mode with IPsec Encapsulating Security Payload (ESP)",
              RFC 4309, December 2005.

   [RFC4494]  Song, JH., Poovendran, R., and J. Lee, "The AES-CMAC-96
              Algorithm and Its Use with IPsec", RFC 4494, June 2006.

   [RFC4543]  McGrew, D. and J. Viega, "The Use of Galois Message
              Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543,
              May 2006.

   [RFC4615]  Song, J., Poovendran, R., Lee, J., and T. Iwata, "The
              Advanced Encryption Standard-Cipher-based Message
              Authentication Code-Pseudo-Random Function-128 (AES-CMAC-
              PRF-128) Algorithm for the Internet Key Exchange Protocol
              (IKE)", RFC 4615, August 2006.

   [RFC5282]  Black, D. and D. McGrew, "Using Authenticated Encryption
              Algorithms with the Encrypted Payload of the Internet Key
              Exchange version 2 (IKEv2) Protocol", RFC 5282,
              August 2008.

   [RFC5930]  Shen, S., Mao, Y., and NSS. Murthy, "Using Advanced
              Encryption Standard Counter Mode (AES-CTR) with the
              Internet Key Exchange version 02 (IKEv2) Protocol",
              RFC 5930, July 2010.

   [RFC5996]  Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
              "Internet Key Exchange Protocol Version 2 (IKEv2)",
              RFC 5996, September 2010.

   [RFC6114]  Katagi, M. and S. Moriai, "The 128-Bit Blockcipher
              CLEFIA", RFC 6114, March 2011.

7.2.  Informative References

   [CLEFIAWEB]
              Sony Corporation, "The 128-bit blockcipher CLEFIA",
              <http://www.sony.net/clefia>.

   [CRYPTREC]
              Cryptography Research and Evaluation Committees, "the
              revision of the e-Government Recommended Ciphers List",
              <http://www.cryptrec.go.jp/>.

   [FIPS-197]
              National Institute of Standards and Technology, "Advanced
              Encryption Standard (AES)", FIPS PUB 197, November 2001,
              <http://csrc.nist.gov/publications/fips/fips197/
              fips-197.pdf>.

   [FSE07]    Shirai, T., Shibutani, K., Akishita, T., Moriai, S., and
              T. Iwata, "The 128-bit Blockcipher CLEFIA", proceedings of
              Fast Software Encryption 2007 - FSE 2007,
              LNCS4593, pp.181-195, Springer-Verlag, 2007.

   [ISCAS08]  Sugawara, T., Homma, N., Aoki, T., and A. Satoh, "High-
              performance ASIC implementations of the 128-bit block
              cipher CLEFIA", ISCAS 2008, pp.2925-2928, IEEE, 2008.

   [ISO29192-2]
              ISO/IEC 29192-2, "Information technology - Security
              techniques - Lightweight cryptography - Part 2: Block
              ciphers", <http://www.iso.org/iso/iso_catalogue/
              catalogue_tc/catalogue_detail.htm?csnumber=56552>.

Author's Address

   Masanobu Katagi
   Sony Corporation

   Phone: +81-3-5448-3701
   Fax:   +81-3-5448-6438
   Email: Masanobu.Katagi@jp.sony.com