IPSECME Working Group                                             B. Han
INTERNET-DRAFT                                                   S. Yoon
Intended Status: Informational                                  H. Jeong
Expires: December 12, 2011                                        Y. Won
                                      (Korea Internet & Security Agency)
                                                           June 10, 2011




             Using SEED CTR, CCM, GCM modes with IPsec ESP
               draft-seokung-ipsecme-seed-ipsec-modes-01


Abstract

   This document describes the use of the SEED block cipher algorithm in
   Counter (CTR) Mode, Counter with CBC-MAC (CCM) Mode and
   Galois/Counter Mode (GCM) as an IPsec Encapsulating Security Payload
   (ESP) mechanism to provide confidentiality, data origin
   authentication, and connectionless integrity.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 12, 2011.

Copyright and License Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents



Han, et al.            Expires December 12, 2011                [Page 1]


INTERNET DRAFT  SEED CTR, CCM, GCM modes with IPsec ESP    June 10, 2011


   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.


Table of Contents

   1  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1  Conventions Used in This Document . . . . . . . . . . . . .  3
   2.  SEED Modes of Operation for Use with IPsec ESP . . . . . . . .  3
     2.1. SEED-CTR Mode . . . . . . . . . . . . . . . . . . . . . . .  3
       2.1.1. ESP Payload . . . . . . . . . . . . . . . . . . . . . .  3
       2.1.2. Initialization Vector . . . . . . . . . . . . . . . . .  4
       2.1.3. Authentication Data . . . . . . . . . . . . . . . . . .  4
       2.1.4. Counter Block Format  . . . . . . . . . . . . . . . . .  4
     2.2. SEED-CCM Mode . . . . . . . . . . . . . . . . . . . . . . .  4
       2.2.1. ESP Payload . . . . . . . . . . . . . . . . . . . . . .  4
       2.2.2. Parameters  . . . . . . . . . . . . . . . . . . . . . .  5
       2.2.3. Counter Block . . . . . . . . . . . . . . . . . . . . .  5
       2.2.4. AAD Construction  . . . . . . . . . . . . . . . . . . .  5
     2.3. SEED-GCM Mode . . . . . . . . . . . . . . . . . . . . . . .  5
       2.3.1. ESP Payload . . . . . . . . . . . . . . . . . . . . . .  6
       2.3.2. Counter Block . . . . . . . . . . . . . . . . . . . . .  6
       2.3.3. AAD Construction  . . . . . . . . . . . . . . . . . . .  6
   3. IKEv2 Conventions . . . . . . . . . . . . . . . . . . . . . . .  6
     3.1. Keying Material and Nonce Values  . . . . . . . . . . . . .  6
     3.2. Transform Type 1  . . . . . . . . . . . . . . . . . . . . .  7
     3.3. Key Length Attribute  . . . . . . . . . . . . . . . . . . .  7
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . .  7
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  8
   6. Test Vectors  . . . . . . . . . . . . . . . . . . . . . . . . .  8
     6.1. Test Vectors for ENCR_SEED_CTR  . . . . . . . . . . . . . .  8
     6.2. Test Vectors for ENCR_SEED_CCM  . . . . . . . . . . . . . . 10
     6.3. Test Vectors for ENCR_SEED_GCM  . . . . . . . . . . . . . . 13
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
     7.1.  Normative References . . . . . . . . . . . . . . . . . . . 15
     7.2.  Informative References . . . . . . . . . . . . . . . . . . 16
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17

1  Introduction

   SEED [RFC4269] is a block cipher that can be used in many different
   modes. This document describes the use of the SEED block cipher
   algorithm in Counter Mode (CTR), Counter with CBC-MAC (CCM) Mode and
   Galois/Counter Mode (GCM), as an IPsec Encapsulating Security Payload
   (ESP) [RFC4303] mechanism to provide confidentiality, data origin
   authentication, and connectionless integrity.

   This document does not provide an overview of IPsec. Information
   about the various components of IPsec and the way in which they
   collectively provide security services is available in [RFC4301] and
   [RFC2411].

1.1  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].


2.  SEED Modes of Operation for Use with IPsec ESP

   This document describes three modes of operation for the use of SEED
   with IPsec: CTR (Counter), CCM (Counter with CBC-MAC), and GCM
   (Galois/Counter Mode).

   SEED in CTR, CCM, and GCM modes is used in IPsec ESP in the same way
   as AES in [RFC3686], [RFC4309], and [RFC4106], respectively.

2.1. SEED-CTR Mode

   SEED Counter mode (SEED-CTR) uses only the SEED encrypt operation
   (for both encryption and decryption).

2.1.1. ESP Payload

   The ESP payload of SEED-CTR is composed of the IV followed by the
   encrypted payload and the authentication data.

      ESP Payload := IV (8 octets) || Encrypted Payload (variable)
                                   || Authentication Data (variable)

2.1.2. Initialization Vector

   SEED-CTR requires the encryptor to generate a unique initialization
   vector (IV). The same IV and key combination MUST NOT be used more
   than once. The SEED-CTR IV field MUST be eight octets. The encryptor
   can generate the IV in any manner that ensures uniqueness.

2.1.3. Authentication Data

   SEED-CTR implementations MUST employ a non-NULL ESP authentication
   method. HMAC-SHA-1-96 [RFC2404] is a likely choice.

2.1.4. Counter Block Format

   The counter block is used to generate the key stream needed to
   encrypt or decrypt the payload. The SEED counter block is 128 bits.
   The components of the counter block are as follows:

      Counter Block := Nonce || IV || Block Counter
      Nonce
         The Nonce field is 32 bits. It MUST be assigned at the
         beginning of the security association.
      IV
         The IV field is 64 bits.
      Block Counter
         The block counter field is the least significant 32 bits of
         the counter block. The block counter begins with the value
         of one (big-endian).
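
   The counter block layout and key stream use of Sections 2.1.1 to
   2.1.4, as an added Python example that is not part of this draft.
   SEED itself is not implemented: the block cipher is a parameter, and
   for a runnable check the key stream blocks of the Section 6.1 vectors
   stand in for it (those vectors start the block counter at 0xFE rather
   than 1, so the start value is a parameter too). The IV-counter class
   is an assumed encryptor design, not something the draft specifies.

```python
import struct

BLOCK = 16  # SEED block size in octets


def ctr_block(nonce: bytes, iv: bytes, counter: int) -> bytes:
    """Counter Block := Nonce (32 bits) || IV (64 bits) || Block Counter (32 bits)."""
    if len(nonce) != 4 or len(iv) != 8:
        raise ValueError("nonce must be 4 octets and the IV 8 octets")
    if not 0 <= counter < 2 ** 32:
        raise ValueError("block counter must fit in 32 bits")
    return nonce + iv + struct.pack(">I", counter)  # big-endian block counter


def ctr_crypt(encrypt_block, nonce, iv, data, initial_counter=1):
    """Encrypt or decrypt `data` (the same operation) in SEED-CTR mode.

    Only the block cipher's encrypt operation is used: each counter block is
    encrypted and the result is XORed into the data.  A trailing partial block
    consumes only the leading octets of its key stream.  Section 2.1.4 starts
    the block counter at 1; the 6.1 vectors start at 0xFE, hence the parameter.
    """
    out = bytearray()
    counter = initial_counter
    for off in range(0, len(data), BLOCK):
        key_stream = encrypt_block(ctr_block(nonce, iv, counter))
        out += bytes(a ^ b for a, b in zip(data[off:off + BLOCK], key_stream))
        counter += 1
    return bytes(out)


def esp_ctr_encrypt(encrypt_block, nonce, iv, plaintext, initial_counter=1):
    """ESP Payload := IV (8 octets) || Encrypted Payload (Section 2.1.1).

    The Authentication Data of Section 2.1.3 comes from the separate ESP
    integrity algorithm (e.g. HMAC-SHA-1-96) and is not produced here.
    """
    return iv + ctr_crypt(encrypt_block, nonce, iv, plaintext, initial_counter)


def esp_ctr_decrypt(encrypt_block, nonce, esp_payload, initial_counter=1):
    """Split off the explicit IV and recover the plaintext."""
    iv, ciphertext = esp_payload[:8], esp_payload[8:]
    return ctr_crypt(encrypt_block, nonce, iv, ciphertext, initial_counter)


class CtrEncryptor:
    """Encryptor side of one SA (assumed design).  The IV is a 64-bit counter,
    so no (key, IV) pair is reused until the SA is rekeyed (Section 2.1.2)."""

    def __init__(self, encrypt_block, nonce):
        self.encrypt_block, self.nonce, self.next_iv = encrypt_block, nonce, 0

    def encrypt(self, plaintext):
        if self.next_iv >= 2 ** 64:
            raise RuntimeError("IV space exhausted; rekey the SA before sending")
        iv = struct.pack(">Q", self.next_iv)
        self.next_iv += 1
        return esp_ctr_encrypt(self.encrypt_block, self.nonce, iv, plaintext)


# Key stream blocks copied from the Section 6.1 vectors (nonce 0, IV 0, initial
# counter 0xFE), keyed by counter block.  They stand in for SEED so that the
# counter-block layout and the XOR logic can be checked without the cipher.
_KEY_STREAM_61 = {
    ctr_block(bytes(4), bytes(8), 0xFE + i): bytes.fromhex(ks)
    for i, ks in enumerate([
        "837311DC65D8CD5C58A5E15F578B4DE2",
        "197BCC56B6DFF49E132CACFD287555D3",
        "151FFD7E39932C795B0F8D05FE2730C8",
        "0FA34018624C971B9677E251A7314CB6",
    ])
}
PLAINTEXT_61 = bytes.fromhex(
    "D76D0D18327EC562B15E6BC365AC0C0F8D41E0BB938568AEEBFD92ED1AFFA096"
    "394D20FC5277DDFC4DE8B0FCE1EB2B93D4AE40EF4768C613B50B8942F7D4B9B3"
)


def vector_cipher_61(block: bytes) -> bytes:
    """Stand-in for SEED encryption, defined only on the 6.1 counter blocks."""
    return _KEY_STREAM_61[block]


def demo_61():
    """Encapsulate the 6.1 plaintext and decapsulate it again."""
    nonce, iv = bytes(4), bytes(8)
    esp_payload = esp_ctr_encrypt(vector_cipher_61, nonce, iv, PLAINTEXT_61, 0xFE)
    recovered = esp_ctr_decrypt(vector_cipher_61, nonce, esp_payload, 0xFE)
    return esp_payload, recovered


if __name__ == "__main__":
    payload, back = demo_61()
    print("ESP payload:", payload.hex())
    print("round trip ok:", back == PLAINTEXT_61)
```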

2.2. SEED-CCM Mode

   SEED Counter with CBC-MAC mode (SEED-CCM) uses only the SEED encrypt
   operation (for both encryption and decryption).

2.2.1. ESP Payload

   The ESP payload of SEED-CCM is composed of the IV followed by the
   encrypted payload and the authentication data.

      ESP Payload := IV (8 octets) || Encrypted Payload (variable)
                                   || Authentication Data (variable)

2.2.2. Parameters

   SEED-CCM has two parameters:

      M
         M indicates the size of the integrity check value (ICV).
         Implementations MUST support M values of 8 octets and 16
         octets, and implementations MAY support M values of 12 octets.
      L
         L indicates the size of the length field in octets. This
         specification only supports L = 4.

2.2.3. Counter Block

   The SEED-CCM counter block is 16 octets. The most significant octet
   is used for the CCM flags, and the least significant 4 octets are
   used for the block counter, as specified by the CCM L parameter. The
   remaining octets are the nonce. The nonce consists of the salt and
   the IV; its size depends on the value selected for the parameter L
   and is 15-L octets.

      Counter Block := CCM flags(1) || Nonce(15-L) || Block counter(L)
      Nonce := Salt(3) || IV(8)

      Salt
         The salt field is 24 bits. It must be assigned at the
         beginning of the security association.
      IV
         The IV field is 64 bits.

2.2.4. AAD Construction

   For the AAD, the Security Parameter Index (SPI) and (Extended)
   Sequence Number field are used.

      a) AAD (64 bits) := SPI (32 bits) || Seq. No. (32 bits)
      b) AAD (96 bits) := SPI (32 bits) || Extended Seq. No. (64 bits)
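
   The CCM formatting of Sections 2.2.2 to 2.2.4 (B_0 flags, AAD length
   encoding, counter blocks, and the ESP AAD built from SPI and sequence
   number), as an added Python example that is not part of this draft.
   The cipher is a parameter; the SEED input/output pairs of the Section
   6.2 vectors stand in for it, and because those vectors use L=3 while
   ESP use fixes L=4, L is a parameter as well. The function names and
   the ESP wrapper are this example's own.

```python
import hmac
import struct

BLOCK = 16  # SEED block size in octets

def esp_aad(spi: int, seq: int, extended: bool = False) -> bytes:
    """AAD := SPI (32 bits) || Seq. No. (32 bits), or SPI || Extended Seq. No.
    (64 bits) when ESN is in use (Sections 2.2.4 and 2.3.3)."""
    return struct.pack(">IQ" if extended else ">II", spi, seq)

def _pad16(data: bytes) -> bytes:
    return data + bytes(-len(data) % BLOCK)

def ccm_format_input(nonce, aad, payload, m, l):
    """Build the CBC-MAC input B_0 || B_1 || ... (RFC 3610; 'Formatted Input' in 6.2)."""
    if len(nonce) != 15 - l:
        raise ValueError("nonce must be 15-L octets")
    if m not in (8, 12, 16) or not 2 <= l <= 8:
        raise ValueError("unsupported M or L")
    if len(payload) >= 1 << (8 * l):
        raise ValueError("payload too long for an L-octet length field")
    # B_0 flags: Reserved(1) | Adata(1) | M'(3) | L'(3), M' = (M-2)/2, L' = L-1.
    flags = (64 if aad else 0) | ((m - 2) // 2) << 3 | (l - 1)
    b0 = bytes([flags]) + nonce + len(payload).to_bytes(l, "big")
    if not aad:
        a = b""
    elif len(aad) < 0xFF00:                       # 2-octet AAD length form
        a = struct.pack(">H", len(aad)) + aad
    else:
        raise ValueError("AAD too long for the 2-octet length form")
    return b0 + _pad16(a) + _pad16(payload)

def ccm_counter_block(nonce, l, i):
    """A_i := Flags(1) || Nonce(15-L) || Counter(L); the flags carry only L' = L-1."""
    return bytes([l - 1]) + nonce + i.to_bytes(l, "big")

def _ccm_ctr(encrypt_block, nonce, l, data):
    """XOR `data` with key stream S_1, S_2, ...; S_0 is reserved for the MAC."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        ks = encrypt_block(ccm_counter_block(nonce, l, off // BLOCK + 1))
        out += bytes(a ^ b for a, b in zip(data[off:off + BLOCK], ks))
    return bytes(out)

def ccm_encrypt(encrypt_block, nonce, aad, payload, m=8, l=4):
    """CCM encryption with any 128-bit block encrypt function: (ciphertext, ICV).
    Only the cipher's encrypt operation is used, for MAC and key stream alike."""
    blocks = ccm_format_input(nonce, aad, payload, m, l)
    x = bytes(BLOCK)
    for off in range(0, len(blocks), BLOCK):      # CBC-MAC over B_0 .. B_n
        x = encrypt_block(bytes(a ^ b for a, b in zip(x, blocks[off:off + BLOCK])))
    s0 = encrypt_block(ccm_counter_block(nonce, l, 0))
    icv = bytes(a ^ b for a, b in zip(x[:m], s0))  # ICV = MAC XOR S_0, M octets
    return _ccm_ctr(encrypt_block, nonce, l, payload), icv

def ccm_decrypt(encrypt_block, nonce, aad, ciphertext, icv, m=8, l=4):
    """Decrypt and verify; returns the payload, or None if the ICV does not match."""
    payload = _ccm_ctr(encrypt_block, nonce, l, ciphertext)
    _, expected = ccm_encrypt(encrypt_block, nonce, aad, payload, m, l)
    if not hmac.compare_digest(expected, icv):
        return None                               # do not release the payload
    return payload

def esp_ccm_encrypt(encrypt_block, salt, iv, spi, seq, payload, m=8, esn=False):
    """ESP Payload := IV (8) || Encrypted Payload || ICV, with L = 4 and
    Nonce := Salt(3) || IV(8) (Sections 2.2.1 to 2.2.4)."""
    if len(salt) != 3 or len(iv) != 8:
        raise ValueError("salt must be 3 octets and the IV 8 octets")
    ct, icv = ccm_encrypt(encrypt_block, salt + iv, esp_aad(spi, seq, esn), payload, m, 4)
    return iv + ct + icv

# SEED input/output pairs copied from the Section 6.2 vectors (M=8, L=3); they
# stand in for the cipher so the formatting and MAC chaining can be checked.
_SEED_62 = {bytes.fromhex(i): bytes.fromhex(o) for i, o in [
    ("5a101112131415161718191a1b000018", "b60c31dd0c1090a7190fcd8247ceb3c2"),
    ("b61831dc0e1394a21f08c58b4dc5bfcf", "5d0996a213f6a0aa22e77dafd4419eff"),
    ("530686b301e5a0aa22e77dafd4419eff", "ebfa0c15771190f60b8d365cc093e097"),
    ("cbdb2e365334b6d123a41c77ecbeceb8", "27892df2babdeda583fc048197b68309"),
    ("17b81fc18e88dba583fc048197b68309", "dcdcea6ab82c5dbe56de3bfe5631aa65"),
    ("02101112131415161718191a1b000000", "682b1a22ba0164d5c4987a1ab7e087cb"),
    ("02101112131415161718191a1b000001", "81318ba270d0a16f3ec7c2cf76f16b56"),
    ("02101112131415161718191a1b000002", "ad4ac71d7fcacbafa0a6f9f7fe3e2997"),
]}
NONCE_62 = bytes.fromhex("101112131415161718191a1b")
AAD_62 = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")
PAYLOAD_62 = bytes.fromhex("202122232425262728292a2b2c2d2e2f3031323334353600")

def vector_cipher_62(block: bytes) -> bytes:
    """Stand-in for SEED encryption, defined only on the blocks of Section 6.2."""
    return _SEED_62[block]

def demo_62():
    """Encrypt the 6.2 payload (M=8, L=3 as in the vectors) and decrypt it again."""
    ct, icv = ccm_encrypt(vector_cipher_62, NONCE_62, AAD_62, PAYLOAD_62, 8, 3)
    return ct, icv, ccm_decrypt(vector_cipher_62, NONCE_62, AAD_62, ct, icv, 8, 3)
```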

2.3. SEED-GCM Mode

   SEED Galois/Counter mode (SEED-GCM) uses only the SEED encrypt
   operation (for both encryption and decryption).

2.3.1. ESP Payload

   The ESP payload of SEED-GCM is composed of the IV followed by the
   encrypted payload. The ICV is associated with the payload.

      ESP Payload := IV (8 octets) || Encrypted Payload (variable)

2.3.2. Counter Block

   The SEED-GCM counter block (GCTR Block) is 16 octets. In this
   specification, the most significant 12 octets are the nonce, and the
   least significant 4 octets are used for the block counter. The nonce
   consists of the salt and the IV.

      GCTR Block := Nonce (12) || Block counter (4)
      Nonce := Salt (4) || IV (8)

      Salt
         The salt field is 32 bits. It must be assigned at the
         beginning of the security association.
      IV
         The IV field is 64 bits.

2.3.3. AAD Construction

   For the AAD, the Security Parameter Index (SPI) and (Extended)
   Sequence Number field are used.

      a) AAD (64 bits) := SPI (32 bits) || Seq. No. (32 bits)
      b) AAD (96 bits) := SPI (32 bits) || Extended Seq. No. (64 bits)
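
   The GCM construction of Sections 2.3.1 to 2.3.3 (J-0 from salt and IV,
   GCTR from counter value 2, GHASH over the AAD and the encrypted
   payload, and masking of the result with the encryption of J-0), as an
   added Python example that is not part of this draft. The cipher is a
   parameter; the SEED input/output pairs of the Section 6.3 vectors
   stand in for it, with H taken from the encryption of the zero block.
   The ESP wrapper and the names are this example's own; the ICV is
   truncated to 8, 12 or 16 octets to match the identifiers in Section 5.

```python
import hmac
import struct

BLOCK = 16  # SEED block size in octets
_R = 0xE1 << 120  # reduction constant of GCM's GF(2^128) representation

def gf_mult(x: int, y: int) -> int:
    """Multiply two 128-bit field elements as in NIST SP 800-38D, Algorithm 1."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:          # bit i of y, leftmost bit first
            z ^= v
        v = (v >> 1) ^ _R if v & 1 else v >> 1
    return z

def _pad16(data: bytes) -> bytes:
    return data + bytes(-len(data) % BLOCK)

def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """GHASH_H over the zero-padded AAD, the zero-padded ciphertext, and a
    final block holding the bit lengths of both as 64-bit integers."""
    hk = int.from_bytes(h, "big")
    data = (_pad16(aad) + _pad16(ciphertext)
            + struct.pack(">QQ", 8 * len(aad), 8 * len(ciphertext)))
    y = 0
    for off in range(0, len(data), BLOCK):
        y = gf_mult(y ^ int.from_bytes(data[off:off + BLOCK], "big"), hk)
    return y.to_bytes(BLOCK, "big")

def inc32(block: bytes) -> bytes:
    """Increment the least significant 32 bits (the block counter) modulo 2^32."""
    counter = (int.from_bytes(block[12:], "big") + 1) & 0xFFFFFFFF
    return block[:12] + counter.to_bytes(4, "big")

def gctr(encrypt_block, icb: bytes, data: bytes) -> bytes:
    """Counter-mode XOR starting at counter block `icb`; a partial last block is fine."""
    out, cb = bytearray(), icb
    for off in range(0, len(data), BLOCK):
        out += bytes(a ^ b for a, b in zip(data[off:off + BLOCK], encrypt_block(cb)))
        cb = inc32(cb)
    return bytes(out)

def _gcm_setup(encrypt_block, salt, iv):
    if len(salt) != 4 or len(iv) != 8:
        raise ValueError("salt must be 4 octets and the IV 8 octets")
    h = encrypt_block(bytes(BLOCK))               # H = SEED_K(0^128)
    j0 = salt + iv + b"\x00\x00\x00\x01"          # GCTR Block := Nonce(12) || 00000001
    return h, j0

def gcm_encrypt(encrypt_block, salt, iv, aad, plaintext, icv_len=16):
    """Returns (ciphertext, ICV); ICV length 8, 12 or 16 per the IANA identifiers."""
    if icv_len not in (8, 12, 16):
        raise ValueError("ICV must be 8, 12 or 16 octets")
    h, j0 = _gcm_setup(encrypt_block, salt, iv)
    ciphertext = gctr(encrypt_block, inc32(j0), plaintext)  # payload counters start at 2
    tag = bytes(a ^ b for a, b in zip(ghash(h, aad, ciphertext), encrypt_block(j0)))
    return ciphertext, tag[:icv_len]

def gcm_decrypt(encrypt_block, salt, iv, aad, ciphertext, icv):
    """Verify the ICV first; return the plaintext, or None if it does not match."""
    h, j0 = _gcm_setup(encrypt_block, salt, iv)
    tag = bytes(a ^ b for a, b in zip(ghash(h, aad, ciphertext), encrypt_block(j0)))
    if not hmac.compare_digest(tag[:len(icv)], icv):
        return None
    return gctr(encrypt_block, inc32(j0), ciphertext)

def esp_gcm_encrypt(encrypt_block, salt, iv, spi, seq, plaintext, icv_len=16, esn=False):
    """ESP Payload := IV (8) || Encrypted Payload || ICV, with AAD := SPI || (E)SN."""
    aad = struct.pack(">IQ" if esn else ">II", spi, seq)
    ct, icv = gcm_encrypt(encrypt_block, salt, iv, aad, plaintext, icv_len)
    return iv + ct + icv

# SEED input/output pairs copied from the Section 6.3 vectors; they stand in
# for the cipher so the GCTR layout and the GHASH/ICV computation can be checked.
_SEED_63 = {bytes.fromhex(i): bytes.fromhex(o) for i, o in [
    ("00000000000000000000000000000000", "addab0a6958b656719702b9173e3dbb4"),
    ("cafebabefacedbaddecaf88800000001", "cb99d7434d4d19627026c8324d5523f9"),
    ("cafebabefacedbaddecaf88800000002", "c37299fef385d7027d5931947919d14c"),
    ("cafebabefacedbaddecaf88800000003", "f89952570f856564afa8ce5a3b7f0c4d"),
    ("cafebabefacedbaddecaf88800000004", "6ba45d2a4cfbcbf2b043d02656cfd780"),
    ("cafebabefacedbaddecaf88800000005", "75b89720f450f0b747100a49e12cfbbf"),
]}
AAD_63 = bytes.fromhex("3ad77bb40d7a3660a89ecaf32466ef97f5d3d585")
PLAINTEXT_63 = bytes.fromhex(
    "d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a72"
    "1c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39"
)

def vector_cipher_63(block: bytes) -> bytes:
    """Stand-in for SEED encryption, defined only on the blocks of Section 6.3."""
    return _SEED_63[block]

def demo_63():
    """Encrypt the 6.3 payload (salt cafebabe, IV facedbaddecaf888), then decrypt."""
    salt, iv = bytes.fromhex("cafebabe"), bytes.fromhex("facedbaddecaf888")
    ct, icv = gcm_encrypt(vector_cipher_63, salt, iv, AAD_63, PLAINTEXT_63)
    return ct, icv, gcm_decrypt(vector_cipher_63, salt, iv, AAD_63, ct, icv)
```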

3. IKEv2 Conventions

   This section describes the conventions used to generate keying
   material and nonce values (nonce, salt) for use with SEED-CTR, SEED-
   CCM, and SEED-GCM using the Internet Key Exchange version 2 (IKEv2)
   [RFC4306] protocol. The identifiers and attributes needed to
   negotiate a security association that uses SEED-CTR, SEED-CCM, and
   SEED-GCM are also defined.

3.1. Keying Material and Nonce Values

   IKEv2 makes use of a pseudo-random function (PRF) to derive keying
   material.  The PRF is used iteratively to derive keying material of
   arbitrary size, called KEYMAT.  Keying material is extracted from the
   output string without regard to boundaries.

   The keying material is used as follows:

      SEED-CTR

         The KEYMAT requested for each SEED-CTR key is 20 octets. The
         first 16 octets are the 128-bit SEED key, and the remaining
         four octets are used as the nonce value in the counter block.

      SEED-CCM

         The KEYMAT requested for each SEED-CCM key is 19 octets. The
         first 16 octets are the 128-bit SEED key, and the remaining
         three octets are used as the salt value in the counter block.

      SEED-GCM

         The KEYMAT requested for each SEED-GCM key is 20 octets. The
         first 16 octets are the 128-bit SEED key, and the remaining
         four octets are used as the salt value in the nonce.

3.2. Transform Type 1

   For IKEv2 negotiations, IANA has assigned ESP Transform Identifiers
   for SEED-CTR, SEED-CCM and SEED-GCM, as recorded in Section 5.

3.3. Key Length Attribute

   Since SEED only supports one key length, the Key Length attribute
   MUST NOT be used in the IKEv2 exchange.

4.  Security Considerations

   No security problem has been found in SEED. SEED is secure against
   all known attacks, including differential cryptanalysis, linear
   cryptanalysis, and related-key attacks. The only known attack is an
   exhaustive search for the key. For further security considerations,
   the reader is encouraged to read [SEED-EVAL].

   See [CCM] and [RFC4106] for security considerations regarding the
   CCM and GCM modes of operation, respectively.


5.  IANA Considerations

   IANA has assigned Transform Type 1 (Encryption Algorithm) Identifiers
   for SEED-CTR, SEED-CCM, and SEED-GCM with an explicit IV in the
   "IKEv2 Parameters" registry:

         Number       Name
         --------     ---------------------------------
         <TBD1>       ENCR_SEED_CTR;
         <TBD2>       ENCR_SEED_CCM_8_ICV;
         <TBD3>       ENCR_SEED_CCM_12_ICV;
         <TBD4>       ENCR_SEED_CCM_16_ICV;
         <TBD5>       ENCR_SEED_GCM_8_ICV;
         <TBD6>       ENCR_SEED_GCM_12_ICV; and
         <TBD7>       ENCR_SEED_GCM_16_ICV.

6. Test Vectors

   [SEED] provides the specification of the SEED algorithm, and
   [SEED-TEST] provides test vectors that will assist implementers of
   the SEED algorithm.

6.1. Test Vectors for ENCR_SEED_CTR

   IV=8 octets, Nonce=4 octets, Blockcounter=4 octets, Payload=64 octets

   1) Encryption

      1-1) Input data for CTR mode
      =====================================================
      Key               88E34F8F 081779F1 E9F39437 0AD40589
      IV                00000000 00000000
      Nonce             00000000
      Initial CTR       000000FE
      Plaintext         D76D0D18 327EC562 B15E6BC3 65AC0C0F
                        8D41E0BB 938568AE EBFD92ED 1AFFA096
                        394D20FC 5277DDFC 4DE8B0FC E1EB2B93
                        D4AE40EF 4768C613 B50B8942 F7D4B9B3
      =====================================================

      1-2) Encryption
      =====================================================
      CTR Block 1       00000000 00000000 00000000 000000FE
      Key Stream 1      837311DC 65D8CD5C 58A5E15F 578B4DE2
      Ciphertext 1      541E1CC4 57A6083E E9FB8A9C 322741ED
      -----------------------------------------------------
      CTR Block 2       00000000 00000000 00000000 000000FF
      Key Stream 2      197BCC56 B6DFF49E 132CACFD 287555D3
      Ciphertext 2      943A2CED 255A9C30 F8D13E10 328AF545
      -----------------------------------------------------
      CTR Block 3       00000000 00000000 00000000 00000100
      Key Stream 3      151FFD7E 39932C79 5B0F8D05 FE2730C8
      Ciphertext 3      2C52DD82 6BE4F185 16E73DF9 1FCC1B5B
      -----------------------------------------------------
      CTR Block 4       00000000 00000000 00000000 00000101
      Key Stream 4      0FA34018 624C971B 9677E251 A7314CB6
      Ciphertext 4      DB0D00F7 25245108 237C6B13 50E5F505
      =====================================================

      1-3) Result - Ciphertext
      =====================================================
      Ciphertext        541E1CC4 57A6083E E9FB8A9C 322741ED
                        943A2CED 255A9C30 F8D13E10 328AF545
                        2C52DD82 6BE4F185 16E73DF9 1FCC1B5B
                        DB0D00F7 25245108 237C6B13 50E5F505
      =====================================================

   2) Decryption

      2-1) Input data for CTR mode
      =====================================================
      Key               88E34F8F 081779F1 E9F39437 0AD40589
      IV                00000000 00000000
      Nonce             00000000
      Initial CTR       000000FE
      Ciphertext        541E1CC4 57A6083E E9FB8A9C 322741ED
                        943A2CED 255A9C30 F8D13E10 328AF545
                        2C52DD82 6BE4F185 16E73DF9 1FCC1B5B
                        DB0D00F7 25245108 237C6B13 50E5F505
      =====================================================

      2-2) Decryption
      =====================================================
      CTR Block 1       00000000 00000000 00000000 000000FE
      Key Stream 1      837311DC 65D8CD5C 58A5E15F 578B4DE2
      Plaintext 1       D76D0D18 327EC562 B15E6BC3 65AC0C0F
      -----------------------------------------------------
      CTR Block 2       00000000 00000000 00000000 000000FF
      Key Stream 2      197BCC56 B6DFF49E 132CACFD 287555D3
      Plaintext 2       8D41E0BB 938568AE EBFD92ED 1AFFA096
      -----------------------------------------------------
      CTR Block 3       00000000 00000000 00000000 00000100
      Key Stream 3      151FFD7E 39932C79 5B0F8D05 FE2730C8
      Plaintext 3       394D20FC 5277DDFC 4DE8B0FC E1EB2B93
      -----------------------------------------------------
      CTR Block 4       00000000 00000000 00000000 00000101
      Key Stream 4      0FA34018 624C971B 9677E251 A7314CB6
      Plaintext 4       D4AE40EF 4768C613 B50B8942 F7D4B9B3
      =====================================================

      2-3) Result - Plaintext
      =====================================================
      Plaintext         D76D0D18 327EC562 B15E6BC3 65AC0C0F
                        8D41E0BB 938568AE EBFD92ED 1AFFA096
                        394D20FC 5277DDFC 4DE8B0FC E1EB2B93
                        D4AE40EF 4768C613 B50B8942 F7D4B9B3
      =====================================================

6.2. Test Vectors for ENCR_SEED_CCM

   M=8 octets, L=3 octets, AAD=20 octets, Payload=24 octets

   1)   Encryption

      1-1) Input data for CCM mode
      =====================================================
      Key               40414243 44454647 48494a4b 4c4d4e4f
      Nonce             10111213 14151617 18191a1b
      AAD               00010203 04050607 08090a0b 0c0d0e0f
                        10111213
      Payload           20212223 24252627 28292a2b 2c2d2e2f
                        30313233 34353600
      =====================================================

      1-2) Formatted input data
      =====================================================
      Formatted         5a101112 13141516 1718191a 1b000018
      Input             00140001 02030405 06070809 0a0b0c0d
      (B)               0e0f1011 12130000 00000000 00000000
                        20212223 24252627 28292a2b 2c2d2e2f
                        30313233 34353600 00000000 00000000
      =====================================================

      1-3) Calculating CBC-MAC
      =====================================================
      B-0               5a101112 13141516 1718191a 1b000018
      SEED input        5a101112 13141516 1718191a 1b000018
      SEED output       b60c31dd 0c1090a7 190fcd82 47ceb3c2
      -----------------------------------------------------
      B-1               00140001 02030405 06070809 0a0b0c0d
      SEED input        b61831dc 0e1394a2 1f08c58b 4dc5bfcf
      SEED output       5d0996a2 13f6a0aa 22e77daf d4419eff
      -----------------------------------------------------
      B-2               0e0f1011 12130000 00000000 00000000
      SEED input        530686b3 01e5a0aa 22e77daf d4419eff
      SEED output       ebfa0c15 771190f6 0b8d365c c093e097
      -----------------------------------------------------
      B-3               20212223 24252627 28292a2b 2c2d2e2f
      SEED input        cbdb2e36 5334b6d1 23a41c77 ecbeceb8
      SEED output       27892df2 babdeda5 83fc0481 97b68309
      -----------------------------------------------------
      B-4               30313233 34353600 00000000 00000000
      SEED input        17b81fc1 8e88dba5 83fc0481 97b68309
      SEED output       dcdcea6a b82c5dbe 56de3bfe 5631aa65
      =====================================================
      CBC-MAC           dcdcea6a b82c5dbe
      =====================================================

      1-4) Formatted counter block and its encryption result
      =====================================================
      CTR Block 0       02101112 13141516 1718191a 1b000000
      Key Stream 0      682b1a22 ba0164d5 c4987a1a b7e087cb
      -----------------------------------------------------
      CTR Block 1       02101112 13141516 1718191a 1b000001
      Key Stream 1      81318ba2 70d0a16f 3ec7c2cf 76f16b56
      -----------------------------------------------------
      CTR Block 2       02101112 13141516 1718191a 1b000002
      Key Stream 2      ad4ac71d 7fcacbaf a0a6f9f7 fe3e2997
      =====================================================

      1-5) Result of CCM encryption
      =====================================================
      Encrypted         a110a981 54f58748 16eee8e4 5adc4579
      Payload           9d7bf52e 4bfffdaf
      -----------------------------------------------------
      ICV(Enc-MAC)      b4f7f048 022d396b
      =====================================================

   2) Decryption

      2-1) Input data for CCM mode
      =====================================================
      Key               40414243 44454647 48494a4b 4c4d4e4f
      Nonce             10111213 14151617 18191a1b
      AAD               00010203 04050607 08090a0b 0c0d0e0f
                        10111213
      Encrypted         a110a981 54f58748 16eee8e4 5adc4579
      Payload           9d7bf52e 4bfffdaf
      ICV(Enc-MAC)      b4f7f048 022d396b
      =====================================================

      2-2) Formatted counter block and its encryption result
      =====================================================
      CTR Block 0       02101112 13141516 1718191a 1b000000
      Key Stream 0      682b1a22 ba0164d5 c4987a1a b7e087cb
      -----------------------------------------------------
      CTR Block 1       02101112 13141516 1718191a 1b000001
      Key Stream 1      81318ba2 70d0a16f 3ec7c2cf 76f16b56
      -----------------------------------------------------
      CTR Block 2       02101112 13141516 1718191a 1b000002
      Key Stream 2      ad4ac71d 7fcacbaf a0a6f9f7 fe3e2997
      =====================================================

      2-3) Result of CCM Decryption
      =====================================================
      Payload           20212223 24252627 28292a2b 2c2d2e2f
                        30313233 34353600
      CBC-MAC           dcdcea6a b82c5dbe
      =====================================================

      2-4) Decrypt the payload and build the formatted input data
      =====================================================
      Formatted         5a101112 13141516 1718191a 1b000018
      Input             00140001 02030405 06070809 0a0b0c0d
      (B)               0e0f1011 12130000 00000000 00000000
                        20212223 24252627 28292a2b 2c2d2e2f
                        30313233 34353600 00000000 00000000
      =====================================================

      2-5) Calculate CBC-MAC and check integrity
      =====================================================
      B-0               5a101112 13141516 1718191a 1b000018
      SEED input        5a101112 13141516 1718191a 1b000018
      SEED output       b60c31dd 0c1090a7 190fcd82 47ceb3c2
      -----------------------------------------------------
      B-1               00140001 02030405 06070809 0a0b0c0d
      SEED input        b61831dc 0e1394a2 1f08c58b 4dc5bfcf
      SEED output       5d0996a2 13f6a0aa 22e77daf d4419eff
      -----------------------------------------------------
      B-2               0e0f1011 12130000 00000000 00000000
      SEED input        530686b3 01e5a0aa 22e77daf d4419eff
      SEED output       ebfa0c15 771190f6 0b8d365c c093e097
      -----------------------------------------------------
      B-3               20212223 24252627 28292a2b 2c2d2e2f
      SEED input        cbdb2e36 5334b6d1 23a41c77 ecbeceb8
      SEED output       27892df2 babdeda5 83fc0481 97b68309
      -----------------------------------------------------
      B-4               30313233 34353600 00000000 00000000
      SEED input        17b81fc1 8e88dba5 83fc0481 97b68309
      SEED output       dcdcea6a b82c5dbe 56de3bfe 5631aa65
      =====================================================
      CBC-MAC           dcdcea6a b82c5dbe
      =====================================================

6.3. Test Vectors for ENCR_SEED_GCM

   ICV=16 octets, IV=12 octets, AAD=20 octets, Payload=60 octets

   1) Encryption

      1-1) Input data for GCM mode
      =====================================================
      Key               feffe992 8665731c 6d6a8f94 67308308
      Nonce             cafebabe facedbad decaf888
      AAD               3ad77bb4 0d7a3660 a89ecaf3 2466ef97
                        f5d3d585
      Payload           d9313225 f88406e5 a55909c5 aff5269a
                        86a7a953 1534f7da 2e4c303d 8a318a72
                        1c3c0c95 95680953 2fcf0e24 49a6b525
                        b16aedf5 aa0de657 ba637b39
      =====================================================

      1-2) Encrypt payload with GCTR
      =====================================================
      J-0               cafebabe facedbad decaf888 00000001
      =====================================================
      GCTR Block 0      cafebabe facedbad decaf888 00000002
      Key Stream 0      c37299fe f385d702 7d593194 7919d14c
      Enc-Pay-0         1a43abdb 0b01d1e7 d8003851 d6ecf7d6
      -----------------------------------------------------
      GCTR Block 1      cafebabe facedbad decaf888 00000003
      Key Stream 1      f8995257 0f856564 afa8ce5a 3b7f0c4d
      Enc-Pay-1         7e3efb04 1ab192be 81e4fe67 b14e863f
      -----------------------------------------------------
      GCTR Block 2      cafebabe facedbad decaf888 00000004
      Key Stream 2      6ba45d2a 4cfbcbf2 b043d026 56cfd780
      Enc-Pay-2         779851bf d993c2a1 9f8cde02 1f6962a5
      -----------------------------------------------------
      GCTR Block 3      cafebabe facedbad decaf888 00000005
      Key Stream 3      75b89720 f450f0b7 47100a49 e12cfbbf
      Enc-Pay-3         c4d27ad5 5e5d16e0 fd737170
      =====================================================

      1-3) Calculate Hash-subkey, H = SEED(0^128)
      =====================================================
      SEED input        00000000 00000000 00000000 00000000
      SEED output(H)    addab0a6 958b6567 19702b91 73e3dbb4
      =====================================================

      1-4) Calculate ICV using AAD and Encrypted payload
      ==============================================================
      (a)GHASH-H(AAD,Enc-Pay)    371f5691 eb6587df b91a5eef c7472e68
      ==============================================================
         GCTR Block (J-0)        cafebabe facedbad decaf888 00000001
      (b)Key Stream (J-0)        cb99d743 4d4d1962 7026c832 4d5523f9
      ==============================================================
      ICV = (a) XOR (b)          fc8681d2 a6289ebd c93c96dd 8a120d91
      ==============================================================

      1-5) Result of GCM encryption
      =====================================================
      Encrypted         1a43abdb 0b01d1e7 d8003851 d6ecf7d6
      Payload           7e3efb04 1ab192be 81e4fe67 b14e863f
                        779851bf d993c2a1 9f8cde02 1f6962a5
                        c4d27ad5 5e5d16e0 fd737170
      -----------------------------------------------------
      ICV               fc8681d2 a6289ebd c93c96dd 8a120d91
      =====================================================

   2) Decryption

      2-1) Input data for GCM mode
      =====================================================
      Key               feffe992 8665731c 6d6a8f94 67308308
      Nonce             cafebabe facedbad decaf888
      AAD               3ad77bb4 0d7a3660 a89ecaf3 2466ef97
                        f5d3d585
      Encrypted         1a43abdb 0b01d1e7 d8003851 d6ecf7d6
      Payload           7e3efb04 1ab192be 81e4fe67 b14e863f
                        779851bf d993c2a1 9f8cde02 1f6962a5
                        c4d27ad5 5e5d16e0 fd737170
      -----------------------------------------------------
      ICV               fc8681d2 a6289ebd c93c96dd 8a120d91
      =====================================================

      2-2) Decrypt payload with GCTR
      =====================================================
      J-0               cafebabe facedbad decaf888 00000001
      =====================================================
      GCTR Block 0      cafebabe facedbad decaf888 00000002
      Key Stream 0      c37299fe f385d702 7d593194 7919d14c
      Payload 0         d9313225 f88406e5 a55909c5 aff5269a
      -----------------------------------------------------
      GCTR Block 1      cafebabe facedbad decaf888 00000003
      Key Stream 1      f8995257 0f856564 afa8ce5a 3b7f0c4d
      Payload 1         86a7a953 1534f7da 2e4c303d 8a318a72
      -----------------------------------------------------
      GCTR Block 2      cafebabe facedbad decaf888 00000004
      Key Stream 2      6ba45d2a 4cfbcbf2 b043d026 56cfd780
      Payload 2         1c3c0c95 95680953 2fcf0e24 49a6b525
      -----------------------------------------------------
      GCTR Block 3      cafebabe facedbad decaf888 00000005
      Key Stream 3      75b89720 f450f0b7 47100a49 e12cfbbf
      Payload 3         b16aedf5 aa0de657 ba637b39
      =====================================================

      2-3) Result of GCM Decryption
      =====================================================
      Payload           d9313225 f88406e5 a55909c5 aff5269a
                        86a7a953 1534f7da 2e4c303d 8a318a72
                        1c3c0c95 95680953 2fcf0e24 49a6b525
                        b16aedf5 aa0de657 ba637b39
      =====================================================

7.  References

7.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2404]  Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within
              ESP and AH", RFC 2404, November 1998.

   [RFC3686]  Housley, R., "Using Advanced Encryption Standard (AES)
              Counter Mode With IPsec Encapsulating Security Payload
              (ESP)", RFC 3686, January 2004.

   [RFC4106]  Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
              (GCM) in IPsec Encapsulating Security Payload (ESP)",
              RFC 4106, June 2005.

   [RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)",
              RFC 4303, December 2005.

   [RFC5996]  Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
              "Internet Key Exchange Protocol Version 2 (IKEv2)",
              RFC 5996, September 2010.

   [RFC4309]  Housley, R., "Using Advanced Encryption Standard (AES) CCM
              Mode with IPsec Encapsulating Security Payload (ESP)",
              RFC 4309, December 2005.

   [CCM]      Whiting, D., Housley, R., and N. Ferguson, "Counter with
              CBC-MAC (CCM)", RFC 3610, September 2003.

   [SEED]     Lee, H., Lee, S., Yoon, J., Cheon, D., and J. Lee, "The
              SEED Encryption Algorithm", RFC 4269, December 2005.

   [SEED-CBC] Lee, H., Yoon, J., Lee, S., and J. Lee, "The SEED Cipher
              Algorithm and Its Use with IPsec", RFC 4196, October 2005.

   [GCM]      Dworkin, M., "NIST Special Publication 800-38D:
              Recommendation for Block Cipher Modes of Operation:
              Galois/Counter Mode (GCM) and GMAC", U.S. National
              Institute of Standards and Technology
              http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-
              38D.pdf.


7.2.  Informative References

   [RFC2411]  Thayer, R., Doraswamy, N., and R. Glenn, "IP Security
              Document Roadmap", RFC 2411, November 1998.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.


   [SEED-EVAL] KISA, "Self Evaluation Report",
              http://seed.kisa.or.kr/seed/down/SEED_Evaluation_Report_
              by_CRYPTREC.pdf

   [SEED-TEST] KISA, "Test Vectors for Modified SEED",
              http://seed.kisa.or.kr/seed/down/SEED_Test_Vectors_for_
              Modified_SEED.pdf


Authors' Addresses


   Byoungjin Han
   Korea Internet & Security Agency
   IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950
   Email: bjhan@kisa.or.kr

   Seokung Yoon
   Korea Internet & Security Agency
   IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950
   Email: seokung@kisa.or.kr

   Hyuncheol Jeong
   Korea Internet & Security Agency
   IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950
   Email: hcjung@kisa.or.kr

   Yoojae Won
   Korea Internet & Security Agency
   IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950
   Email: yjwon@kisa.or.kr
