Network Working Group A. Kato
Internet-Draft S. Kanno
Intended status: Standards Track NTT Software Corporation
Expires: September 7, 2009 M. Kanda
Nippon Telegraph and Telephone
Corporation
T. Iwata
Nagoya University
March 6, 2009
The Camellia-CMAC-96 and Camellia-CMAC-PRF-128 Algorithms and Its Use
with IPsec
draft-kato-ipsec-camellia-cmac96and128-03
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 7, 2009.
Kato, et al. Expires September 7, 2009 [Page 1]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Kato, et al. Expires September 7, 2009 [Page 2]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
Abstract
This memo specifies two new algorithms. One is the usage of Cipher-
based Message Authentication Code (CMAC) with Camellia block cipher
on the authentication mechanism of the IPsec Encapsulating Security
Payload and Authentication Header protocols. This algorithm is
called Camellia-CMAC-96. Latter is pseudo-random function based on
CMAC with Camellia block cipher for Internet Key Exchange. This
algorithm is called Camellia-CMAC-PRF-128.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Camellia-CMAC . . . . . . . . . . . . . . . . . . . . . . . . 7
4. Camellia-CMAC-96 . . . . . . . . . . . . . . . . . . . . . . . 8
5. Camellia-CMAC-PRF-128 . . . . . . . . . . . . . . . . . . . . 9
6. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 11
6.1. Camellia-CMAC-96 . . . . . . . . . . . . . . . . . . . . . 11
6.2. Camellia-CMAC-PRF-128 . . . . . . . . . . . . . . . . . . 11
7. Security Considerations . . . . . . . . . . . . . . . . . . . 15
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18
10.1. Normative . . . . . . . . . . . . . . . . . . . . . . . . 18
10.2. Informative . . . . . . . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 19
Kato, et al. Expires September 7, 2009 [Page 3]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
1. Introduction
This memo specifies two new algorithms. One is the usage of CMAC
based on Camellia block cipher on the authentication mechanism of the
IPsec Encapsulating Security Payload (ESP) [6] and Authentication
Header protocols (AH) [5]. This algorithm is called
Camellia-CMAC-96. Latter is Pseudo-Random Function (PRF) based on
CMAC with Camellia block cipher for Internet Key Exchange (IKEv2)
[7]. This algorithm is called Camellia-CMAC-PRF-128.
The algorithm specification and object identifiers are described in
[3].
This document specifies the usage of CMAC with Camellia Block cipher
on the authentication mechanism of the IPsec Encapsulating Security
Payload [6] and Authentication Header [5] protocols. This new
algorithm is named Camellia-CMAC-96.
NIST CMAC specification document [1] describes a method to use the
Advanced Encryption Standard (AES) as a Message Authentication Code
(MAC) that has a 128-bit output length. The 128-bit output is useful
as a long-lived PRF. This document also specifies a PRF based on
CMAC with Camellia block cipher that supports fixed and variable key
sizes for IKEv2 [7] Key Derivation Function (KDF) and authentication.
This new algorithm is named Camellia-CMAC-PRF-128. For further
information on IKE, AH and ESP, refer to [7], [5], [6], and [4].
This document does not cover implementation details of CMAC. Those
details can be found in [1].
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [2].
Kato, et al. Expires September 7, 2009 [Page 4]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
2. Definitions
CBC
Cipher Block Chaining mode of operation for message
authentication code.
MAC
Message Authentication Code. A bit string of a fixed
length, computed by the MAC generation algorithm, that is
used to establish the authority and, hence, the integrity
of a message.
CMAC
Cipher-based MAC based on a symmetric key block cipher.
Key (K)
128-bit (16-octet) key for Camellia cipher block. Denoted
by K.
Variable-length Key (VK)
Variable-length key for Camellia-CMAC-PRF-128, denoted by
VK.
Message (M)
Message to be authenticated. Denoted by M.
Length (len)
The length of message M in octets. Denoted by len. The
minimum value is 0. The maximum value is not specified in
this document.
VKlen
The length of VK in octets.
truncate(T,l)
Truncate T (MAC) in most-significant-bit-first (MSB-first)
order to a length of l octets.
T
The output of Camellia-CMAC.
Camellia-CMAC
CMAC generation function based on Camellia block cipher
with 128-bit key.
Kato, et al. Expires September 7, 2009 [Page 5]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
Camellia-CMAC-96
IPsec AH and ESP MAC generation function based on Camellia-
CMAC, which truncates the 96 most significant bits of the
128-bit output.
Camellia-CMAC-PRF-128
IPsec AH and ESP PRF based on Camellia-CMAC, which removes
128-bit key length restriction.
SKEYSEED Seed of shared key calculated from the nonces exchanged
during the IKE_SA_INIT exchange and the Diffie-Hellman
shared secret in IKEv2 specification.
Kato, et al. Expires September 7, 2009 [Page 6]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
3. Camellia-CMAC
The National Institute of Standards and Technology (NIST) has
recently specified the Cipher-based Message Authentication Code
(CMAC). CMAC [1] is a keyed hash function that is based on a
symmetric key block cipher, such as the Advanced Encryption Standard
[9]. The CMAC algorithm provides a framework for inserting various
block cipher algorithm.
Camellia-CMAC uses the Camellia block cipher [3] as a building block
in CMAC [1]. To generate a MAC, Camellia-CMAC(K, M, len) takes a
secret key 'K', a message of variable length 'M', and the length of
the message in octets 'len' as inputs and returns a fixed-bit string.
In this specification, Camellia-CMAC is always used with 128-bit
length key.
Kato, et al. Expires September 7, 2009 [Page 7]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
4. Camellia-CMAC-96
For IPsec message authentication on AH and ESP, Camellia-CMAC-96 MAY
be used. Camellia-CMAC-96 is a Camellia-CMAC with 96-bit truncated
output in MSB-first order. The output is a 96-bit MAC that will meet
the default authenticator length as specified in [5]. The result of
truncation is taken in MSB-first order.
Figure 1 describes Camellia-CMAC-96 algorithm:
In step 1, Camellia-CMAC is applied to the message M in length len
with key K.
In step 2, the output block T is truncated to 12 octets in MSB-first
order, and Truncated T (TT) is returned.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Algorithm Camellia-CMAC-96 +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ +
+ Input : K (128-bit Key) +
+ : M (message to be authenticated) +
+ : len (length of message in octets) +
+ Output : Truncated T (truncated output to length 12 octets) +
+ +
+-------------------------------------------------------------------+
+ +
+ Step 1. T := Camellia-CMAC (K,M,len); +
+ Step 2. TT := truncate (T, 12); +
+ return TT; +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Figure 1: Algorithm Camellia-CMAC-96
Kato, et al. Expires September 7, 2009 [Page 8]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
5. Camellia-CMAC-PRF-128
The Camellia-CMAC-PRF-128 algorithm is identical to Camellia-CMAC
except that the 128-bit key length restriction is removed.
IKEv2 [7] uses PRFs for multiple purposes, most notably for
generating keying material and authentication of the IKE_SA.
When using Camellia-CMAC-PRF-128 as the PRF described in IKEv2,
Camellia-CMAC-PRF-128 is considered to take variable key length in
all places, and the number of bits of keying material generated when
new keys are generated is 128 bits (i.e. preferred key length when
generating keying material of SK_d, SK_pi, and SK_pr is 128 bits).
When generating SKEYSEED the full of Ni and Nr are used as key for
the PRF.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Camellia-CMAC-PRF-128 +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ +
+ Input : VK (Variable-length key) +
+ : M (Message, i.e., the input data of the PRF) +
+ : VKlen (length of VK in octets) +
+ : len (length of M in octets) +
+ Output : PRV (128-bit Pseudo-Random Variable) +
+ +
+-------------------------------------------------------------------+
+ Variable: K (128-bit key for Camellia-CMAC) +
+ +
+ Step 1. If VKlen is equal to 16 +
+ Step 1a. then +
+ K := VK; +
+ Step 1b. else +
+ K := Camellia-CMAC(0^128, VK, VKlen); +
+ Step 2. PRV := Camellia-CMAC(K, M, len); +
+ return PRV; +
+ +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Figure 2: Algorithm Camellia-CMAC-PRF-128
In step 1, the 128-bit key, K, for Camellia-CMAC is derived as
follows:
Kato, et al. Expires September 7, 2009 [Page 9]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
o If the key, VK, is exactly 128 bits, then we use it as-is.
o If it is longer or shorter than 128 bits, then we derive the key,
K, by applying the Camellia-CMAC algorithm using the 128-bit all-
zero string as the key and VK as the input message. This step is
described in step 1b.
In step 2, we apply the Camellia-CMAC algorithm using K as the key
and M as the input message. The output of this algorithm is
returned.
Kato, et al. Expires September 7, 2009 [Page 10]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
6. Test Vectors
6.1. Camellia-CMAC-96
This section contains four test vectors(TV), which can be used to
confirm that an implementation has correctly implemented Camellia-
CMAC-96.
----------------
K 2b7e1516 28aed2a6 abf71588 09cf4f3c
Mlen = 0
M <empty string>
T ba925782 aaa1f5d9 a00f8964
----------------
K 2b7e1516 28aed2a6 abf71588 09cf4f3c
Mlen = 16
M 6bc1bee2 2e409f96 e93d7e11 7393172a
T 6d962854 a3b9fda5 6d7d45a9
----------------
K 2b7e1516 28aed2a6 abf71588 09cf4f3c
Mlen = 40
M 6bc1bee2 2e409f96 e93d7e11 7393172a
ae2d8a57 1e03ac9c 9eb76fac 45af8e51
30c81c46 a35ce411
T 5c18d119 ccd67661 44ac1866
----------------
K 2b7e1516 28aed2a6 abf71588 09cf4f3c
Mlen = 64
M 6bc1bee2 2e409f96 e93d7e11 7393172a
ae2d8a57 1e03ac9c 9eb76fac 45af8e51
30c81c46 a35ce411 e5fbc119 1a0a52ef
f69f2445 df4f9b17 ad2b417b e66c3710
T c2699a6e ba55ce9d 939a8a4e
6.2. Camellia-CMAC-PRF-128
This section contains twelve test vectors(TV), which can be used to
confirm that an implementation has correctly implemented Camellia-
CMAC-PRF-128. The first four test vectors use 128 bit VK; the next
four test vectors use 192 bit VK; and the last four test vectors use
Kato, et al. Expires September 7, 2009 [Page 11]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
256 bit VK.
VKlen = 16
----------------
VK 2b7e1516 28aed2a6 abf71588 09cf4f3c
Mlen = 0
M <empty string>
T ba925782 aaa1f5d9 a00f8964 8094fc71
----------------
VK 2b7e1516 28aed2a6 abf71588 09cf4f3c
Mlen = 16
M 6bc1bee2 2e409f96 e93d7e11 7393172a
T 6d962854 a3b9fda5 6d7d45a9 5ee17993
----------------
VK 2b7e1516 28aed2a6 abf71588 09cf4f3c
Mlen = 40
M 6bc1bee2 2e409f96 e93d7e11 7393172a
ae2d8a57 1e03ac9c 9eb76fac 45af8e51
30c81c46 a35ce411
T 5c18d119 ccd67661 44ac1866 131d9f22
----------------
VK 2b7e1516 28aed2a6 abf71588 09cf4f3c
Mlen = 64
M 6bc1bee2 2e409f96 e93d7e11 7393172a
ae2d8a57 1e03ac9c 9eb76fac 45af8e51
30c81c46 a35ce411 e5fbc119 1a0a52ef
f69f2445 df4f9b17 ad2b417b e66c3710
T c2699a6e ba55ce9d 939a8a4e 19466ee9
------------------------------------------------------------
VKlen = 24
----------------
VK 8e73b0f7 da0e6452 c810f32b 809079e5
62f8ead2 522c6b7b
K abddaa68 e8b9f0af 2fb4db53 41cf1d91
Kato, et al. Expires September 7, 2009 [Page 12]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
Mlen = 0
M <empty string>
T f4739892 c70bd23e 891f66c0 5fefbf27
----------------
VK 8e73b0f7 da0e6452 c810f32b 809079e5
62f8ead2 522c6b7b
K abddaa68 e8b9f0af 2fb4db53 41cf1d91
Mlen = 16
M 6bc1bee2 2e409f96 e93d7e11 7393172a
T 60a33814 53babaed 1a11dfd3 d24c1410
----------------
VK 8e73b0f7 da0e6452 c810f32b 809079e5
62f8ead2 522c6b7b
K abddaa68 e8b9f0af 2fb4db53 41cf1d91
Mlen = 40
M 6bc1bee2 2e409f96 e93d7e11 7393172a
ae2d8a57 1e03ac9c 9eb76fac 45af8e51
30c81c46 a35ce411
T 42b9d47f 4f58bc29 85b6f82c 23b121cb
----------------
VK 8e73b0f7 da0e6452 c810f32b 809079e5
62f8ead2 522c6b7b
K abddaa68 e8b9f0af 2fb4db53 41cf1d91
Mlen = 64
M 6bc1bee2 2e409f96 e93d7e11 7393172a
ae2d8a57 1e03ac9c 9eb76fac 45af8e51
30c81c46 a35ce411 e5fbc119 1a0a52ef
f69f2445 df4f9b17 ad2b417b e66c3710
T d078729f dcae9abc ff1ea4d6 18ed4501
------------------------------------------------------------
VKlen = 32
----------------
VK 603deb10 15ca71be 2b73aef0 857d7781
1f352c07 3b6108d7 2d9810a3 0914dff4
K b5aeeae9 2c23bed7 167af194 2e831597
Mlen = 0
Kato, et al. Expires September 7, 2009 [Page 13]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
M <empty string>
T c96d7d40 d4aaab78 ac906b91 c82bd690
----------------
VK 603deb10 15ca71be 2b73aef0 857d7781
1f352c07 3b6108d7 2d9810a3 0914dff4
K b5aeeae9 2c23bed7 167af194 2e831597
Mlen = 16
M 6bc1bee2 2e409f96 e93d7e11 7393172a
T 104de4b9 0da6baf1 fa73945b e614f032
----------------
VK 603deb10 15ca71be 2b73aef0 857d7781
1f352c07 3b6108d7 2d9810a3 0914dff4
K b5aeeae9 2c23bed7 167af194 2e831597
Mlen = 40
M 6bc1bee2 2e409f96 e93d7e11 7393172a
ae2d8a57 1e03ac9c 9eb76fac 45af8e51
30c81c46 a35ce411
T 2d3684e9 1cb1b303 a7db8648 f25ee16c
----------------
VK 603deb10 15ca71be 2b73aef0 857d7781
1f352c07 3b6108d7 2d9810a3 0914dff4
K b5aeeae9 2c23bed7 167af194 2e831597
Mlen = 64
M 6bc1bee2 2e409f96 e93d7e11 7393172a
ae2d8a57 1e03ac9c 9eb76fac 45af8e51
30c81c46 a35ce411 e5fbc119 1a0a52ef
f69f2445 df4f9b17 ad2b417b e66c3710
T d6b0f1b7 dda2b62a eca6d51d da63fdda
Kato, et al. Expires September 7, 2009 [Page 14]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
7. Security Considerations
The security provided by Camellia-CMAC-96 Camellia-CMAC-PRF-128 is
built on the strong cryptographic algorithm Camellia and CMAC. At
the time of this writing, there are no known practical cryptographic
attacks against Camellia or CMAC.
However, as is true with any cryptographic algorithm, part of its
strength lies in the secret key, K, and the correctness of the
implementation in all of the participating systems. If the secret
key is compromised or inappropriately shared, it guarantees neither
authentication nor integrity of message at all. The secret key shall
be generated in a way that meets the pseudo randomness requirement of
RFC 4086 [8] and should be kept safe. If and only if
Camellia-CMAC-96 Camellia-CMAC-PRF-128 are used properly it provides
the authentication and integrity that meet the best current practice
of message authentication.
Kato, et al. Expires September 7, 2009 [Page 15]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
8. IANA Considerations
The IANA has allocated value <TBD1> for IKEv2 Transform Type 3
(Integrity Algorithm) to the AUTH_CAMELLIA_CMAC_96 algorithm, and has
allocated a value of <TBD2> for IKEv2 Transform Type 2 (Pseudo-Random
Function) to the PRF_CAMELLIA128_CMAC algorithm.
Kato, et al. Expires September 7, 2009 [Page 16]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
9. Acknowledgements
We thank Tim Polk and Tero Kivinen for their initial review of this
document.
Kato, et al. Expires September 7, 2009 [Page 17]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
10. References
10.1. Normative
[1] National Institute of Standards and Technology, "Recommendation
for Block Cipher Modes of Operation:The CMAC Mode for
Authentication", Special Publication 800-38B, May 2005.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[3] Matsui, M., Nakajima, J., and S. Moriai, "A Description of the
Camellia Encryption Algorithm", RFC 3713, April 2004.
10.2. Informative
[4] Thayer, R., Doraswamy, N., and R. Glenn, "IP Security Document
Roadmap", RFC 2411, November 1998.
[5] Kent, S., "IP Authentication Header", RFC 4302, December 2005.
[6] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303,
December 2005.
[7] Kaufman, C., Hoffman, P., and P. Eronen, "Internet Key Exchange
Protocol: IKEv2", draft-hoffman-ikev2bis-03 (work in progress),
February 2008.
[8] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
Requirements for Security", BCP 106, RFC 4086, June 2005.
[9] National Institute of Standards and Technology, "Advanced
Encryption Standard (AES)", FIPS PUB 197, November 2001,
<http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf>.
Kato, et al. Expires September 7, 2009 [Page 18]
Internet-Draft The Camellia CMAC-96 and CMAC-PRF-128 March 2009
Authors' Addresses
Akihiro Kato
NTT Software Corporation
Phone: +81-45-212-7577
Fax: +81-45-212-9800
Email: akato@po.ntts.co.jp
Satoru Kanno
NTT Software Corporation
Phone: +81-45-212-7577
Fax: +81-45-212-9800
Email: kanno-s@po.ntts.co.jp
Masayuki Kanda
Nippon Telegraph and Telephone Corporation
Phone: +81-422-59-3456
Fax: +81-422-59-4015
Email: kanda.masayuki@lab.ntt.co.jp
Tetsu Iwata
Nagoya University
Email: iwata@cse.nagoya-u.ac.jp
Kato, et al. Expires September 7, 2009 [Page 19]