| TOC |
|
Test Cases for the use of
Galois/Counter Mode (GCM) and Galois Message Authentication Code (GMAC) in
IPsec ESP
draft-mcgrew-gcm-test-01.txt
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 11, 2009.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
Abstract
This note provides test cases for the use of AES GCM and GMAC in ESP, as defined in RFC4106 and RFC4543, and clarifies some points in the latter specification.
Table of Contents
1.
Introduction
1.1.
Conventions Used In This Document
2.
AES-GCM in ESP
3.
AES-GMAC in ESP
4.
Test Cases
5.
Security Considerations
6.
IANA Considerations
7.
Acknowledgements
8.
References
8.1.
Normative References
8.2.
Informative References
§
Author's Address
| TOC |
1. Introduction
This document reviews the use of the Galois/Counter Mode (GCM) and Galois Message Authentication Code (GMAC) modes of operation for the Advanced Encryption Standard as they are used in the Encapsulating Security Payload (ESP) [RFC4303] (Kent, S., “IP Encapsulating Security Payload (ESP),” December 2005.).
| TOC |
1.1. Conventions Used In This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.).
| TOC |
2. AES-GCM in ESP
We briefly review the AES-GCM-ESP and AES-GMAC-ESP definitions and establish the notation used in the test cases. The GCM encryption operation takes as input a key, a nonce, a plaintext, and an additional authenticated data (AAD) value. It outputs a ciphertext and an authentication tag, or "tag" for short. Here we follow [RFC4106] (Viega, J. and D. McGrew, “The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP),” June 2005.) and refer to the GCM initialization vector (IV) as a nonce in order to differentiate it from the IV that is carried in the ESP packet. The eight-byte ESP IV forms part of the 12-byte GCM nonce.
In [RFC4106] (Viega, J. and D. McGrew, “The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP),” June 2005.), "The Use of Galois/Counter Mode (GCM) in IPsec ESP", the GCM inputs and ESP fields are as follows:
nonce = Salt || IV
aad = SPI || SequenceNumber
plaintext = RestOfPayloadData || TFCpadding || Padding ||
PadLength || NextHeader
PayloadData = IV || ciphertext
ICV = tag
| Figure 1: The format of the GCM inputs and ESP fields for
AES-GCM-ESP, where the symbol || denotes concatenation. |
Here the fields RestOfPayloadData, TFCpadding, Padding, PadLength, NextHeader, SPI, SequenceNumber, and ICV are as defined in [RFC4303] (Kent, S., “IP Encapsulating Security Payload (ESP),” December 2005.) and the fields Salt and IV are as defined in [RFC4106] (Viega, J. and D. McGrew, “The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP),” June 2005.). The field RestOfPayloadData contains the plaintext data that is described by the NextHeader field, and no other data. (Recall that the PayloadData field contains both the IV and the RestOfPayloadData; see [RFC4303] (Kent, S., “IP Encapsulating Security Payload (ESP),” December 2005.) for an illustration.)
[RFC4106] (Viega, J. and D. McGrew, “The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP),” June 2005.) defines the tag as the ICV, instead of defining it as the final part of the Payload Data. However, the two definitions are functionally equivalent.
| TOC |
3. AES-GMAC in ESP
In RFC 4543, "The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH", the GMAC inputs and ESP fields are as follows:
nonce = Salt || IV
aad = SPI || SequenceNumber || IV ||
RestOfPayloadData || TFCpadding || Padding ||
PadLength || NextHeader
plaintext = {}
Payload = IV || PayloadData || TFCpadding || Padding ||
PadLength || NextHeader
ICV = tag
| Figure 2: The format of the GMAC inputs for ESP. |
Here the symbol {} refers to the zero-length octet string.
The "Payload Data" is called the "Authenticated Payload" in one part of RFC 4543. It consists of the eight-octet IV, followed by the data encapsulated by ESP, that is, the data referred to by the Next Header field.
RFC 4543, Section 7 (Security Considerations), second sentence, should read "In AES-GCM-ESP, the IV is not included in either the plaintext or the additional authenticated data." It currently contains a typographical error, and reads "In ENCR_NULL_AUTH_AES_GMAC, the IV is not included in either the plaintext or the additional authenticated data."
| TOC |
4. Test Cases
Here are the test cases.
- algorithm -
- The algorithm used in the test case.
- key -
- The secret key used by AES-GCM or AES-GMAC.
- spi -
- The ESP SPI field.
- seq -
- The ESP Sequence Number field, if the length is four octets, or the ESP Extended Sequence Number, if the length is eight octets.
- nonce -
- The AES-GCM or AES-GMAC nonce; it is an input to the algorithm.
- plaintext -
- The AES-GCM plaintext, which is an input to that algorithm.
- aad -
- The AES-GCM or AES-GMAC additional authenticated data; it is an input to that algorithm.
- ctext+tag -
- The AES-GCM ciphertext and authentication tag, or the AES-GMAC authentication tag; this is an output from the algorithm.
- packet -
- The complete ESP packet.
algorithm = AES-GCM-ESP
key = 4c80cdefbb5d10da906ac73c3613a634
(16 octets)
spi = 00004321
seq = 8765432100000000
(8 octets)
nonce = 2e443b684956ed7e3b244cfe
plaintext = 45000048699a000080114db7c0a80102
c0a801010a9bf15638d3010000010000
00000000045f736970045f7564700373
69700963796265726369747902646b00
0021000101020201
(72 octets)
aad = 000043218765432100000000
(12 octets)
ctext+tag = fecf537e729d5b07dc30df528dd22b76
8d1b98736696a6fd348509fa13ceac34
cfa2436f14a3f3cf65925bf1f4a13c5d
15b21e1884f5ff6247aeabb786b93bce
61bc17d768fd9732459018148f6cbe72
2fd04796562dfdb4
(88 octets)
packet = 00004321000000004956ed7e3b244cfe
fecf537e729d5b07dc30df528dd22b76
8d1b98736696a6fd348509fa13ceac34
cfa2436f14a3f3cf65925bf1f4a13c5d
15b21e1884f5ff6247aeabb786b93bce
61bc17d768fd9732459018148f6cbe72
2fd04796562dfdb4
(104 octets)
algorithm = AES-GCM-ESP
key = feffe9928665731c6d6a8f9467308308
(16 octets)
spi = 0000a5f8
seq = 0000000a
(4 octets)
nonce = cafebabefacedbaddecaf888
plaintext = 4500003e698f000080114dccc0a80102
c0a801010a980035002a2343b2d00100
00010000000000000373697009637962
65726369747902646b00000100010001
(64 octets)
aad = 0000a5f80000000a
(8 octets)
ctext+tag = deb22cd9b07c72c16e3a65beeb8df304
a5a5897d33ae530f1ba76d5d114d2a5c
3de81827c10e9a4f51330d0eec416642
cfbb85a5b47e48a4ec3b9ba95d918bd1
83b70d3aa8bc6ee4c309e9d85a41ad4a
(80 octets)
packet = 0000a5f80000000afacedbaddecaf888
deb22cd9b07c72c16e3a65beeb8df304
a5a5897d33ae530f1ba76d5d114d2a5c
3de81827c10e9a4f51330d0eec416642
cfbb85a5b47e48a4ec3b9ba95d918bd1
83b70d3aa8bc6ee4c309e9d85a41ad4a
(96 octets)
algorithm = AES-GCM-ESP
key = abbccddef00112233445566778899aab
abbccddef00112233445566778899aab
(32 octets)
spi = 4a2cbfe3
seq = 00000002
(4 octets)
nonce = 112233440102030405060708
plaintext = 4500003069a6400080062690c0a80102
9389155e0a9e008b2dc57ee000000000
7002400020bf0000020405b401010402
01020201
(52 octets)
aad = 4a2cbfe300000002
(8 octets)
ctext+tag = ff425c9b724599df7a3bcd510194e00d
6a78107f1b0b1cbf06efae9d65a5d763
748a637985771d347f0545659f14e99d
ef842d8eb335f4eecfdbf831824b4c49
15956c96
(68 octets)
packet = 4a2cbfe3000000020102030405060708
ff425c9b724599df7a3bcd510194e00d
6a78107f1b0b1cbf06efae9d65a5d763
748a637985771d347f0545659f14e99d
ef842d8eb335f4eecfdbf831824b4c49
15956c96
(84 octets)
algorithm = AES-GCM-ESP
key = 00000000000000000000000000000000
(16 octets)
spi = 00000000
seq = 00000001
(4 octets)
nonce = 000000000000000000000000
plaintext = 4500003c99c500008001cb7a40679318
010101010800075c0200440061626364
65666768696a6b6c6d6e6f7071727374
75767761626364656667686901020201
(64 octets)
aad = 0000000000000001
(8 octets)
ctext+tag = 4688daf2f973a392732909c331d56d60
f694abaa414b5e7ff5fdcdfff5e9a284
456476492719ffb64de7d9dca1e1d894
bc3bd57873ed4d181d19d4d5c8c18af3
f821d496eeb096e98ad2b69e4799c71d
(80 octets)
packet = 00000000000000010000000000000000
4688daf2f973a392732909c331d56d60
f694abaa414b5e7ff5fdcdfff5e9a284
456476492719ffb64de7d9dca1e1d894
bc3bd57873ed4d181d19d4d5c8c18af3
f821d496eeb096e98ad2b69e4799c71d
(96 octets)
algorithm = AES-GCM-ESP
key = 3de09874b388e6491988d0c3607eae1f
(16 octets)
spi = 42f67e3f
seq = 1010101010101010
(8 octets)
nonce = 57690e434e280000a2fca1a3
plaintext = 4500003c99c300008001cb7c40679318
010101010800085c0200430061626364
65666768696a6b6c6d6e6f7071727374
75767761626364656667686901020201
(64 octets)
aad = 42f67e3f1010101010101010
(12 octets)
ctext+tag = fba2caa4853cf9f0f22cb10d86dd83b0
fec75691cf1a04b00d1138ec9c357917
65acbd8701ad79845bf9fe3fba487bc9
1755e6662b4c8d0d1f5e22739530320a
e0d731cc978ecafaeae88f00e80d6e48
(80 octets)
packet = 42f67e3f101010104e280000a2fca1a3
fba2caa4853cf9f0f22cb10d86dd83b0
fec75691cf1a04b00d1138ec9c357917
65acbd8701ad79845bf9fe3fba487bc9
1755e6662b4c8d0d1f5e22739530320a
e0d731cc978ecafaeae88f00e80d6e48
(96 octets)
algorithm = AES-GCM-ESP
key = 3de09874b388e6491988d0c3607eae1f
(16 octets)
spi = 42f67e3f
seq = 1010101010101010
(8 octets)
nonce = 57690e434e280000a2fca1a3
plaintext = 4500001c42a200008001441f406793b6
e00000020a00f5ff01020201
(28 octets)
aad = 42f67e3f1010101010101010
(12 octets)
ctext+tag = fba2ca845e5df9f0f22c3e6e86dd831e
1fc65792cd1af9130e1379ed369f071f
35e034be95f112e4e7d05d35
(44 octets)
packet = 42f67e3f101010104e280000a2fca1a3
fba2ca845e5df9f0f22c3e6e86dd831e
1fc65792cd1af9130e1379ed369f071f
35e034be95f112e4e7d05d35
(60 octets)
algorithm = AES-GCM-ESP
key = feffe9928665731c6d6a8f9467308308
feffe9928665731c
(24 octets)
spi = 0000a5f8
seq = 0000000a
(4 octets)
nonce = cafebabefacedbaddecaf888
plaintext = 45000028a4ad4000400678800a01038f
0a010612802306b8cb712602dd6bb03e
501016d075680001
(40 octets)
aad = 0000a5f80000000a
(8 octets)
ctext+tag = a5b1f8066029aea40e598b8122de0242
0938b3ab33f828e687b8858b5bfbdbd0
315b27452144cc7795457b9652037f53
18027b5b4cd7a636
(56 octets)
packet = 0000a5f80000000afacedbaddecaf888
a5b1f8066029aea40e598b8122de0242
0938b3ab33f828e687b8858b5bfbdbd0
315b27452144cc7795457b9652037f53
18027b5b4cd7a636
(72 octets)
algorithm = AES-GCM-ESP
key = abbccddef00112233445566778899aab
(16 octets)
spi = 00000100
seq = 0000000000000001
(8 octets)
nonce = decaf888cafedebaceface74
plaintext = 4500004933ba00007f119106c3fb1d10
c2b1d326c02831ce0035dd7b800302d5
00004e20001e8c18d75b81dc91baa047
6b91b924b280389d92c963bac046ec95
9b6266c04722b14923010101
(76 octets)
aad = 000001000000000000000001
(12 octets)
ctext+tag = 18a6fd42f72cbf4ab2a2ea901f73d814
e3e7f243d95412e1c349c1d2fbec168f
9190feebaf2cb01984e65863965d7472
b79da345e0e780191f0d2f0e0f496c22
6f2127b27db35724e7845d68651f57e6
5f354f75ff17015769623436
(92 octets)
packet = 0000010000000001cafedebaceface74
18a6fd42f72cbf4ab2a2ea901f73d814
e3e7f243d95412e1c349c1d2fbec168f
9190feebaf2cb01984e65863965d7472
b79da345e0e780191f0d2f0e0f496c22
6f2127b27db35724e7845d68651f57e6
5f354f75ff17015769623436
(108 octets)
algorithm = AES-GCM-ESP
key = abbccddef00112233445566778899aab
abbccddef00112233445566778899aab
(32 octets)
spi = 17405e67
seq = 156f3126dd0db99b
(8 octets)
nonce = 73616c74616e640169766563
plaintext = 45080028732c00004006e9f90a010612
0a01038f06b88023dd6bafbecb712602
50101f646d540001
(40 octets)
aad = 17405e67156f3126dd0db99b
(12 octets)
ctext+tag = f2d69ecdbd5a0d5b8d5ef38bad4da58d
1f278fde98ef67549d524a3018d9a57f
f4d3a31ce673119e451626c2415771e3
b7eebca614c89b35
(56 octets)
packet = 17405e67dd0db99b616e640169766563
f2d69ecdbd5a0d5b8d5ef38bad4da58d
1f278fde98ef67549d524a3018d9a57f
f4d3a31ce673119e451626c2415771e3
b7eebca614c89b35
(72 octets)
algorithm = AES-GCM-ESP
key = 3de09874b388e6491988d0c3607eae1f
(16 octets)
spi = 42f67e3f
seq = 1010101010101010
(8 octets)
nonce = 57690e434e280000a2fca1a3
plaintext = 45000049333e00007f119182c3fb1d10
c2b1d326c02831ce0035cb458003025b
000001e0001e8c18d65759d52284a035
2c71475c8880391c764d6e5ee0496b32
5ae270c03899493915010101
(76 octets)
aad = 42f67e3f1010101010101010
(12 octets)
ctext+tag = fba2cad12fc1f9f00d3cebf305410db8
3d7784b607323d220f24b0a97d541828
00cadb0f68d99ef0e0c0c89ae9bea888
4e52d65bc1afd0740f742444747b5b39
ab533163aad4550ee5160975cdb608c5
769189609763b8e18caa81e2
(92 octets)
packet = 42f67e3f101010104e280000a2fca1a3
fba2cad12fc1f9f00d3cebf305410db8
3d7784b607323d220f24b0a97d541828
00cadb0f68d99ef0e0c0c89ae9bea888
4e52d65bc1afd0740f742444747b5b39
ab533163aad4550ee5160975cdb608c5
769189609763b8e18caa81e2
(108 octets)
algorithm = AES-GCM-ESP
key = abbccddef00112233445566778899aab
abbccddef00112233445566778899aab
(32 octets)
spi = 17405e67
seq = 156f3126dd0db99b
(8 octets)
nonce = 73616c74616e640169766563
plaintext = 636973636f0172756c65730174686501
6e6574776501646566696e6501746865
746563686e6f6c6f6769657301746861
7477696c6c01646566696e65746f6d6f
72726f7701020201
(72 octets)
aad = 17405e67156f3126dd0db99b
(12 octets)
ctext+tag = d4b7ed86a1777f2ea13d6973d324c69e
7b43f826fb56831226508bebd2dceb18
d0a6df10e5487df074113e14c641024e
3e6773d91a62ee429b043a10e3efe6b0
12a49363412364f8c0cac587f249e56b
11e24f30e44ccc76
(88 octets)
packet = 17405e67dd0db99b616e640169766563
d4b7ed86a1777f2ea13d6973d324c69e
7b43f826fb56831226508bebd2dceb18
d0a6df10e5487df074113e14c641024e
3e6773d91a62ee429b043a10e3efe6b0
12a49363412364f8c0cac587f249e56b
11e24f30e44ccc76
(104 octets)
algorithm = AES-GCM-ESP
key = 7d773d00c144c525ac619d18c84a3f47
(16 octets)
spi = 335467ae
seq = ffffffff
(4 octets)
nonce = d966426743457e9182443bc6
plaintext = 01020201
(4 octets)
aad = 335467aeffffffff
(8 octets)
ctext+tag = 437f866bcb3f699fe9b0822bac961c45
04bef270
(20 octets)
packet = 335467aeffffffff43457e9182443bc6
437f866bcb3f699fe9b0822bac961c45
04bef270
(36 octets)
algorithm = AES-GCM-ESP
key = abbccddef00112233445566778899aab
(16 octets)
spi = 00000100
seq = 0000000000000001
(8 octets)
nonce = decaf888cafedebaceface74
plaintext = 746f016265016f72016e6f7401746f01
62650001
(20 octets)
aad = 000001000000000000000001
(12 octets)
ctext+tag = 29c9fc69a197d038ccdd14e2ddfcaa05
43332164412503524303ed3c6c5f2838
43af8c3e
(36 octets)
packet = 0000010000000001cafedebaceface74
29c9fc69a197d038ccdd14e2ddfcaa05
43332164412503524303ed3c6c5f2838
43af8c3e
(52 octets)
algorithm = AES-GCM-ESP
key = 6c6567616c697a656d6172696a75616e
61616e64646f69746265666f72656961
(32 octets)
spi = 796b6963
seq = ffffffffffffffff
(8 octets)
nonce = 7475726e333021696765746d
plaintext = 45000030da3a00008001df3bc0a80005
c0a800010800c6cd0200070061626364
65666768696a6b6c6d6e6f7071727374
01020201
(52 octets)
aad = 796b6963ffffffffffffffff
(12 octets)
ctext+tag = f97ab2aa356d8edce17644ac8c78e25d
d24dedbb29ebf1b64a274b39b49c3a86
4cd3d78ca4ae68a32b42458fb57dbe82
1dcc63b9d0937ba2945f669368661a32
9fb4c053
(68 octets)
packet = 796b6963ffffffff333021696765746d
f97ab2aa356d8edce17644ac8c78e25d
d24dedbb29ebf1b64a274b39b49c3a86
4cd3d78ca4ae68a32b42458fb57dbe82
1dcc63b9d0937ba2945f669368661a32
9fb4c053
(84 octets)
algorithm = AES-GMAC-ESP
key = 4c80cdefbb5d10da906ac73c3613a634
(16 octets)
spi = 00004321
seq = 00000007
(4 octets)
nonce = 22433c640000000000000000
plaintext = (0 octets)
aad = 00004321000000070000000000000000
45000030da3a00008001df3bc0a80005
c0a800010800c6cd0200070061626364
65666768696a6b6c6d6e6f7071727374
01020201
(68 octets)
ctext+tag = (16 octets)
packet = 00004321000000070000000000000000
45000030da3a00008001df3bc0a80005
c0a800010800c6cd0200070061626364
65666768696a6b6c6d6e6f7071727374
01020201f2a9a836e155106aa8dcd618
e4099aaa
(84 octets)
algorithm = AES-GCM-ESP
key = 3de09874b388e6491988d0c3607eae1f
(16 octets)
spi = 3f7ef642
seq = 1010101010101010
(8 octets)
nonce = 57690e434e280000a2fca1a3
plaintext = 45000030da3a00008001df3bc0a80005
c0a800010800c6cd0200070061626364
65666768696a6b6c6d6e6f7071727374
01020201
(52 octets)
aad = 3f7ef6421010101010101010
(12 octets)
ctext+tag = fba2caa8c6c5f9f0f22ca54a061210ad
3f6e5791cf1aca210d117cec9c357917
65acbd8701ad79845bf9fe3fba487bc9
6321930684eecadb56912546e7a95c97
40d7cb05
(68 octets)
packet = 3f7ef642101010104e280000a2fca1a3
fba2caa8c6c5f9f0f22ca54a061210ad
3f6e5791cf1aca210d117cec9c357917
65acbd8701ad79845bf9fe3fba487bc9
6321930684eecadb56912546e7a95c97
40d7cb05
(84 octets)
algorithm = AES-GCM-ESP
key = 4c80cdefbb5d10da906ac73c3613a634
(16 octets)
spi = 00004321
seq = 8765432100000007
(8 octets)
nonce = 22433c644855ec7d3a234bfd
plaintext = 0800c6cd020007006162636465666768
696a6b6c6d6e6f707172737401020201
(32 octets)
aad = 000043218765432100000007
(12 octets)
ctext+tag = 74752e8aeb5d873cd7c0f4acc36c4bff
84b7d7b98f0ca8b6acda6894bc619069
ef9cbc28fe1b56a7c4e0d58c86cd2bc0
(48 octets)
packet = 00004321000000074855ec7d3a234bfd
74752e8aeb5d873cd7c0f4acc36c4bff
84b7d7b98f0ca8b6acda6894bc619069
ef9cbc28fe1b56a7c4e0d58c86cd2bc0
(64 octets)
| TOC |
5. Security Considerations
An improperly implemented crypto algorithm may be insecure.
| TOC |
6. IANA Considerations
This document has no actions for IANA.
| TOC |
7. Acknowledgements
Thanks to Arpan Srivastava and Aravindhan P. for generating and validating test cases.
| TOC |
8. References
| TOC |
8.1. Normative References
| [RFC2119] | Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML). |
| TOC |
8.2. Informative References
| [RFC4106] | Viega, J. and D. McGrew, “The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP),” RFC 4106, June 2005 (TXT). |
| [RFC4303] | Kent, S., “IP Encapsulating Security Payload (ESP),” RFC 4303, December 2005 (TXT). |
| TOC |
Author's Address
| David A. McGrew | |
| Cisco Systems, Inc. | |
| 510 McCarthy Blvd. | |
| Milpitas, CA 95035 | |
| US | |
| Phone: | (408) 525 8651 |
| Email: | mcgrew@cisco.com |
| URI: | http://www.mindspring.com/~dmcgrew/dam.htm |