IPSECME Working Group B. Han
INTERNET-DRAFT S. Yoon
Intended Status: Informational H. Jeong
Expires: December 12, 2011 Y. Won
(Korea Internet & Security Agency)
June 10, 2011
Using SEED CTR, CCM, GCM modes with IPsec ESP
draft-seokung-ipsecme-seed-ipsec-modes-01
Abstract
This document describes the use of the SEED block cipher algorithm in
Counter (CTR) Mode, Counter with CBC-MAC (CCM) Mode and
Galois/Counter Mode (GCM) as an IPsec Encapsulation Security Payload
(ESP) mechanism to provide confidentiality and data origin
authentication, and connectionless integrity.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 12, 2011.
Copyright and License Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Han, et al. Expires December 12, 2011 [Page 1]
INTERNET DRAFT SEED CTR, CCM, GCM modes with IPsec ESP June 10, 2011
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 Conventions Used in This Document . . . . . . . . . . . . 3
2. SEED Modes of Operation for Use with IPsec ESP . . . . . . . . 3
2.1. SEED-CTR Mode . . . . . . . . . . . . . . . . . . . . . . . 3
2.1.1. ESP Payload . . . . . . . . . . . . . . . . . . . . . . 3
2.1.2. Initialization Vector . . . . . . . . . . . . . . . . . 4
2.1.3. Authentication Data . . . . . . . . . . . . . . . . . . 4
2.1.4. Counter Block Format . . . . . . . . . . . . . . . . . 4
2.2. SEED-CCM Mode . . . . . . . . . . . . . . . . . . . . . . . 4
2.2.1. ESP Payload . . . . . . . . . . . . . . . . . . . . . . 4
2.2.2. Parameters . . . . . . . . . . . . . . . . . . . . . . 5
2.2.3. Counter Block . . . . . . . . . . . . . . . . . . . . . 5
2.2.4. AAD Construction . . . . . . . . . . . . . . . . . . . 5
2.3. SEED-GCM Mode . . . . . . . . . . . . . . . . . . . . . . . 5
2.3.1. ESP Payload . . . . . . . . . . . . . . . . . . . . . . 6
2.3.2. Counter Block . . . . . . . . . . . . . . . . . . . . . 6
2.3.3. AAD Construction . . . . . . . . . . . . . . . . . . . 6
3. IKEv2 Conventions . . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Keying Material and Nonce Values . . . . . . . . . . . . . 6
3.2. Transform Type 1 . . . . . . . . . . . . . . . . . . . . . 7
3.3. Key Length Attribute . . . . . . . . . . . . . . . . . . . 7
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
6. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 8
6.1. Test Vectors for ENCR_SEED_CTR . . . . . . . . . . . . . . 8
6.2. Test Vectors for ENCR_SEED_CCM . . . . . . . . . . . . . . 10
6.3. Test Vectors for ENCR_SEED_GCM . . . . . . . . . . . . . . 13
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
7.1. Normative References . . . . . . . . . . . . . . . . . . . 15
7.2. Informative References . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17
1 Introduction
The SEED [RFC4269] is a block cipher, and it can be used in many
different modes. This document describes the use of the SEED block
cipher algorithm in Counter Mode (CTR), Counter with CBC-MAC (CCM)
Mode and Galois/Counter Mode (GCM), as an IPsec Encapsulation
Security Payload (ESP) [RFC4303] mechanism to provide confidentiality
and data origin authentication, and connectionless integrity.
This document does not provide an overview of IPsec. Information
about the various components of IPsec and the way in which they
collectively provide security services is available in [RFC4301] and
[RFC2411].
1.1 Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. SEED Modes of Operation for Use with IPsec ESP
This document describes three modes of operation for the use of SEED
with IPsec: CTR (Counter), CCM (Counter with CBC-MAC), and GCM
(Galois/Counter Mode).
SEED in CTR, CCM, and GCM modes is used in IPsec ESP in the same way
as AES is in [RFC3686], [RFC4309], and [RFC4106], respectively.
2.1. SEED-CTR Mode
SEED Counter mode (SEED-CTR) uses only the SEED encrypt operation
(for both encryption and decryption).
2.1.1. ESP Payload
The ESP payload of SEED-CTR is composed of the IV followed by the
encrypted payload and the authentication data.
ESP Payload := IV (8 octets) || Encrypted Payload (variable)
|| Authentication Data (variable)
2.1.2. Initialization Vector
SEED-CTR requires the encryptor to generate a unique initialization
vector (IV). The same IV and key combination MUST NOT be used more
than once. The SEED-CTR IV field MUST be eight octets. The encryptor
can generate the IV in any manner that ensures uniqueness.
2.1.3. Authentication Data
SEED-CTR implementations MUST employ a non-NULL ESP authentication
method. HMAC-SHA-1-96 [RFC2404] is a likely choice.
2.1.4. Counter Block Format
The counter block is used to generate the key stream that encrypts
and decrypts the payload. The SEED counter block is 128 bits. The
components of the counter block are as follows:
Counter Block := Nonce || IV || Block Counter
Nonce
The Nonce field is 32 bits. It MUST be assigned at the
beginning of the security association.
IV
The IV field is 64 bits.
Block Counter
The block counter field is the least significant 32 bits of
the counter block. The block counter begins with the value
of one (big-endian).
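As an added example (not code from the draft), the counter block of Section 2.1.4 and the KEYMAT split of Section 3.1 in Python, exercised against the vector in Section 6.1. SEED itself is not in the Python standard library, so the block cipher here is a stand-in: a lookup table of the four (counter block, key stream) pairs the draft prints in 6.1. Any real SEED implementation with the same 16-octet-in, 16-octet-out shape can be passed as `block_encrypt` instead. Two details worth noticing: the 6.1 vector starts its block counter at 0xFE rather than the value of one the text specifies, so `initial_counter` is a parameter, and `ctr_block` refuses a counter that would not fit in 32 bits, because a wrapped counter would repeat key stream under the same key and IV.

```python
BLOCK = 16  # SEED block size in octets

# Section 3.1 KEYMAT layout per mode: (key octets, trailing nonce/salt octets).
KEYMAT_LAYOUT = {"SEED-CTR": (16, 4), "SEED-CCM": (16, 3), "SEED-GCM": (16, 4)}


def split_keymat(mode: str, keymat: bytes):
    """Split IKEv2 KEYMAT into the 128-bit SEED key and the trailing nonce/salt."""
    key_len, tail_len = KEYMAT_LAYOUT[mode]
    if len(keymat) != key_len + tail_len:
        raise ValueError(f"{mode} needs {key_len + tail_len} octets of KEYMAT, got {len(keymat)}")
    return keymat[:key_len], keymat[key_len:]


def ctr_block(nonce: bytes, iv: bytes, counter: int) -> bytes:
    """Section 2.1.4: Counter Block := Nonce(4) || IV(8) || Block Counter(4), big-endian."""
    if len(nonce) != 4 or len(iv) != 8:
        raise ValueError("SEED-CTR nonce must be 4 octets and the IV 8 octets")
    if not 0 <= counter <= 0xFFFFFFFF:
        # A wrapped counter would repeat key stream under the same key and IV; refuse it.
        raise ValueError("block counter does not fit in 32 bits")
    return nonce + iv + counter.to_bytes(4, "big")


def seed_ctr(block_encrypt, nonce: bytes, iv: bytes, data: bytes, initial_counter: int = 1) -> bytes:
    """CTR key stream XOR. The same call encrypts and decrypts, and only the
    encrypt direction of the block cipher is ever used. A trailing partial
    block is XORed with a truncated key stream (zip stops at the shorter input)."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        key_stream = block_encrypt(ctr_block(nonce, iv, initial_counter + i // BLOCK))
        out += bytes(p ^ k for p, k in zip(data[i:i + BLOCK], key_stream))
    return bytes(out)


def hw(*words: str) -> bytes:
    """Join the 8-hex-digit words used in the draft's tables into bytes."""
    return bytes.fromhex("".join(words))


# Stand-in for SEED: the (counter block -> key stream) pairs printed in Section 6.1.
# This is not a cipher; it knows only these four blocks and raises for anything else.
SEED_TABLE_6_1 = {
    hw("00000000", "00000000", "00000000", "000000FE"): hw("837311DC", "65D8CD5C", "58A5E15F", "578B4DE2"),
    hw("00000000", "00000000", "00000000", "000000FF"): hw("197BCC56", "B6DFF49E", "132CACFD", "287555D3"),
    hw("00000000", "00000000", "00000000", "00000100"): hw("151FFD7E", "39932C79", "5B0F8D05", "FE2730C8"),
    hw("00000000", "00000000", "00000000", "00000101"): hw("0FA34018", "624C971B", "9677E251", "A7314CB6"),
}


def seed_encrypt_6_1(block: bytes) -> bytes:
    try:
        return SEED_TABLE_6_1[bytes(block)]
    except KeyError:
        raise LookupError("block not in the 6.1 table; plug a real SEED implementation in here") from None


# Inputs from Section 6.1. The KEYMAT is constructed here as key || nonce from that table.
KEYMAT_6_1 = hw("88E34F8F", "081779F1", "E9F39437", "0AD40589", "00000000")
IV_6_1 = bytes(8)
PLAINTEXT_6_1 = hw("D76D0D18", "327EC562", "B15E6BC3", "65AC0C0F", "8D41E0BB", "938568AE", "EBFD92ED", "1AFFA096",
                   "394D20FC", "5277DDFC", "4DE8B0FC", "E1EB2B93", "D4AE40EF", "4768C613", "B50B8942", "F7D4B9B3")
CIPHERTEXT_6_1 = hw("541E1CC4", "57A6083E", "E9FB8A9C", "322741ED", "943A2CED", "255A9C30", "F8D13E10", "328AF545",
                    "2C52DD82", "6BE4F185", "16E73DF9", "1FCC1B5B", "DB0D00F7", "25245108", "237C6B13", "50E5F505")


def encrypt_6_1() -> bytes:
    _key, nonce = split_keymat("SEED-CTR", KEYMAT_6_1)  # the key is implicit in the table stand-in
    return seed_ctr(seed_encrypt_6_1, nonce, IV_6_1, PLAINTEXT_6_1, initial_counter=0xFE)


def decrypt_6_1() -> bytes:
    _key, nonce = split_keymat("SEED-CTR", KEYMAT_6_1)
    return seed_ctr(seed_encrypt_6_1, nonce, IV_6_1, CIPHERTEXT_6_1, initial_counter=0xFE)


if __name__ == "__main__":
    print(encrypt_6_1().hex())
    print("round trip ok:", decrypt_6_1() == PLAINTEXT_6_1)
```

`seed_ctr` is the whole of CTR mode: the same function reproduces the 6.1 ciphertext from the plaintext and the plaintext from the ciphertext, which is why Section 2.1.3 insists on a separate, non-NULL authentication method; nothing in CTR itself detects a modified packet.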
2.2. SEED-CCM Mode
SEED Counter with CBC-MAC mode (SEED-CCM) uses only the SEED encrypt
operation (for both encryption and decryption).
2.2.1. ESP Payload
The ESP payload of SEED-CCM is composed of the IV followed by the
encrypted payload and the authentication data.
ESP Payload := IV (8 octets) || Encrypted Payload (variable)
|| Authentication Data (variable)
2.2.2. Parameters
SEED-CCM has two parameters:
M
M indicates the size of the integrity check value (ICV).
Implementations MUST support M values of 8 octets and 16
octets, and implementations MAY support M values of 12 octets.
L
L indicates the size of the length field in octets. This
specification supports only L = 4.
2.2.3. Counter Block
The SEED-CCM counter block is 16 octets. The most significant octet
is used for the CCM flags, and the least significant 4 octets are
used for the block counter, as specified by the CCM L parameter.
The remaining octets are the nonce. The nonce consists of salt and
IV, and the size of nonce depends on the value selected for the
parameter L. It is 15-L octets.
Counter Block := CCM flags(1) || Nonce(15-L) || Block counter(L)
Nonce := Salt(3) || IV(8)
Salt
The salt field is 24 bits. It must be assigned at the
beginning of the security association.
IV
The IV field is 64 bits.
2.2.4. AAD Construction
For the AAD, the Security Parameter Index (SPI) and (Extended)
Sequence Number field are used.
a) AAD (64 bits) := SPI (32 bits) || Seq. No. (32 bits)
b) AAD (96 bits) := SPI (32 bits) || Extended Seq. No. (64 bits)
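As an added example (not the draft's code), the CCM pieces of Sections 2.2.2 through 2.2.4 in Python, following the formatting rules of RFC 3610 [CCM]: the B_0 block and length-prefixed AAD that feed the CBC-MAC, the counter blocks of Section 2.2.3, the masking of the tag with the counter-0 key stream S_0, and the ESP AAD built from SPI and sequence number (Section 2.3.3 defines the GCM AAD identically). SEED is again a stand-in: a lookup table of the SEED input/output pairs printed in Section 6.2. Two caveats a practitioner should see: the draft text allows only L = 4, but its own 6.2 vector uses L = 3 (flags 0x5a and 0x02, a 12-octet nonce), so the reproduction below runs with L = 3 and the code takes M and L as parameters; and the decrypt routine verifies the ICV in constant time and releases no plaintext when it fails.

```python
import hmac

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad16(data: bytes) -> bytes:
    return data + bytes(-len(data) % BLOCK)

def hw(*words: str) -> bytes:
    return bytes.fromhex("".join(words))

def esp_aad(spi: int, seq: int, extended: bool = False) -> bytes:
    """Sections 2.2.4 and 2.3.3: AAD := SPI(32) || Seq. No.(32) or Extended Seq. No.(64)."""
    return spi.to_bytes(4, "big") + seq.to_bytes(8 if extended else 4, "big")

def ccm_format(nonce: bytes, aad: bytes, payload: bytes, M: int, L: int) -> bytes:
    """RFC 3610 formatting: B_0 || length-prefixed AAD || payload, each zero-padded to 16 octets."""
    if not 2 <= L <= 8 or len(nonce) != 15 - L:
        raise ValueError("nonce must be 15 - L octets")
    if M not in (8, 12, 16):
        raise ValueError("the draft allows ICV sizes of 8, 12 and 16 octets")
    flags = (0x40 if aad else 0) | (((M - 2) // 2) << 3) | (L - 1)   # Adata | M' | L'
    b0 = bytes([flags]) + nonce + len(payload).to_bytes(L, "big")
    if not aad:
        a = b""
    elif len(aad) < 0xFF00:
        a = len(aad).to_bytes(2, "big") + aad
    else:
        a = b"\xff\xfe" + len(aad).to_bytes(4, "big") + aad
    return b0 + pad16(a) + pad16(payload)

def ccm_counter_block(nonce: bytes, L: int, i: int) -> bytes:
    """Section 2.2.3: CCM flags(1) || Nonce(15-L) || Block counter(L), with flags = L - 1."""
    return bytes([L - 1]) + nonce + i.to_bytes(L, "big")

def cbc_mac(E, data: bytes, M: int) -> bytes:
    x = bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        x = E(xor(x, data[i:i + BLOCK]))
    return x[:M]

def ctr_xor(E, nonce: bytes, L: int, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        out += xor(data[i:i + BLOCK], E(ccm_counter_block(nonce, L, 1 + i // BLOCK)))
    return bytes(out)

def ccm_encrypt(E, nonce, aad, payload, M, L):
    tag = cbc_mac(E, ccm_format(nonce, aad, payload, M, L), M)
    s0 = E(ccm_counter_block(nonce, L, 0))          # counter 0 masks the tag
    return ctr_xor(E, nonce, L, payload), xor(tag, s0[:M])

def ccm_decrypt(E, nonce, aad, ciphertext, icv, M, L):
    """Return the payload, or None when the ICV fails; no plaintext is released then."""
    if len(icv) != M:
        return None
    payload = ctr_xor(E, nonce, L, ciphertext)
    s0 = E(ccm_counter_block(nonce, L, 0))
    expected = cbc_mac(E, ccm_format(nonce, aad, payload, M, L), M)
    if not hmac.compare_digest(xor(icv, s0[:M]), expected):
        return None
    return payload

# Stand-in for SEED: the SEED input/output pairs printed in Section 6.2 (CBC-MAC and CTR blocks).
SEED_TABLE_6_2 = {
    hw("5a101112", "13141516", "1718191a", "1b000018"): hw("b60c31dd", "0c1090a7", "190fcd82", "47ceb3c2"),
    hw("b61831dc", "0e1394a2", "1f08c58b", "4dc5bfcf"): hw("5d0996a2", "13f6a0aa", "22e77daf", "d4419eff"),
    hw("530686b3", "01e5a0aa", "22e77daf", "d4419eff"): hw("ebfa0c15", "771190f6", "0b8d365c", "c093e097"),
    hw("cbdb2e36", "5334b6d1", "23a41c77", "ecbeceb8"): hw("27892df2", "babdeda5", "83fc0481", "97b68309"),
    hw("17b81fc1", "8e88dba5", "83fc0481", "97b68309"): hw("dcdcea6a", "b82c5dbe", "56de3bfe", "5631aa65"),
    hw("02101112", "13141516", "1718191a", "1b000000"): hw("682b1a22", "ba0164d5", "c4987a1a", "b7e087cb"),
    hw("02101112", "13141516", "1718191a", "1b000001"): hw("81318ba2", "70d0a16f", "3ec7c2cf", "76f16b56"),
    hw("02101112", "13141516", "1718191a", "1b000002"): hw("ad4ac71d", "7fcacbaf", "a0a6f9f7", "fe3e2997"),
}

def seed_encrypt_6_2(block: bytes) -> bytes:
    try:
        return SEED_TABLE_6_2[bytes(block)]
    except KeyError:
        raise LookupError("block not in the 6.2 table; plug a real SEED implementation in here") from None

NONCE_6_2 = hw("10111213", "14151617", "18191a1b")           # 12 octets, i.e. L = 3
AAD_6_2 = hw("00010203", "04050607", "08090a0b", "0c0d0e0f", "10111213")
PAYLOAD_6_2 = hw("20212223", "24252627", "28292a2b", "2c2d2e2f", "30313233", "34353600")
CIPHERTEXT_6_2 = hw("a110a981", "54f58748", "16eee8e4", "5adc4579", "9d7bf52e", "4bfffdaf")
ICV_6_2 = hw("b4f7f048", "022d396b")

def encrypt_6_2():
    return ccm_encrypt(seed_encrypt_6_2, NONCE_6_2, AAD_6_2, PAYLOAD_6_2, M=8, L=3)

def decrypt_6_2(icv: bytes):
    return ccm_decrypt(seed_encrypt_6_2, NONCE_6_2, AAD_6_2, CIPHERTEXT_6_2, icv, M=8, L=3)

if __name__ == "__main__":
    ct, icv = encrypt_6_2()
    print(ct.hex(), icv.hex(), "round trip ok:", decrypt_6_2(icv) == PAYLOAD_6_2)
```

With the table stand-in, `ccm_format` reproduces the five "Formatted Input (B)" blocks of 6.2, `cbc_mac` walks the SEED input/output chain to the tag dcdcea6a b82c5dbe, and masking with S_0 gives the printed ICV; flipping a single ICV bit makes `decrypt_6_2` return None.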
2.3. SEED-GCM Mode
SEED Galois/Counter mode (SEED-GCM) uses only the SEED encrypt
operation (for both encryption and decryption).
2.3.1. ESP Payload
The ESP payload of SEED-GCM is composed of the IV followed by the
encrypted payload. The ICV is associated with the payload.
ESP Payload := IV (8 octets) || Encrypted Payload (variable)
2.3.2. Counter Block
The SEED-GCM counter block (GCTR Block) is 16 octets. In this
specification, the most significant 12 octets are the nonce, and the
least significant 4 octets are used for the block counter. The nonce
consists of the salt and the IV.
GCTR Block := Nonce (12) || Block counter (4)
Nonce := Salt (4) || IV (8)
Salt
The salt field is 32 bits. It must be assigned at the
beginning of the security association.
IV
The IV field is 64 bits.
2.3.3. AAD Construction
For the AAD, the Security Parameter Index (SPI) and (Extended)
Sequence Number field are used.
a) AAD (64 bits) := SPI (32 bits) || Seq. No. (32 bits)
b) AAD (96 bits) := SPI (32 bits) || Extended Seq. No. (64 bits)
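As an added example (not the draft's code), SEED-GCM per Sections 2.3.2 and 2.3.3 in Python, checked against the vector in Section 6.3: J_0 = Salt || IV || 00000001, the inc32 counter blocks, the hash subkey H = SEED_K(0^128), GHASH with the GF(2^128) multiplication of SP 800-38D, and ICV = GHASH_H(AAD, C) XOR SEED_K(J_0). SEED is a stand-in once more, a lookup table of the six block encryptions 6.3 prints. The GHASH routine is written from the standard, not taken from the draft; the 6.3 ciphertext is reproduced directly, and `icv_matches_draft()` reports whether the recomputed ICV agrees with the value printed there. The decrypt routine checks the ICV before producing any plaintext.

```python
import hmac

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad16(data: bytes) -> bytes:
    return data + bytes(-len(data) % BLOCK)

def hw(*words: str) -> bytes:
    return bytes.fromhex("".join(words))

def gcm_j0(salt: bytes, iv: bytes) -> bytes:
    """Section 2.3.2: GCTR Block := Salt(4) || IV(8) || Block counter(4); J_0 carries counter 1."""
    if len(salt) != 4 or len(iv) != 8:
        raise ValueError("salt must be 4 octets and the IV 8 octets")
    return salt + iv + (1).to_bytes(4, "big")

def gctr_block(j0: bytes, i: int) -> bytes:
    """inc32 applied i times to J_0; payload blocks use i = 1, 2, ... (J_0 itself masks the ICV)."""
    counter = (int.from_bytes(j0[12:], "big") + i) & 0xFFFFFFFF
    return j0[:12] + counter.to_bytes(4, "big")

def gf_mult(x: int, y: int) -> int:
    """Multiplication in GF(2^128) with GCM's bit ordering (SP 800-38D, Algorithm 1)."""
    R = 0xE1 << 120
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """GHASH_H over AAD || C (each zero-padded) || [len(AAD)]64 || [len(C)]64, lengths in bits."""
    hk = int.from_bytes(h, "big")
    data = (pad16(aad) + pad16(ciphertext)
            + (8 * len(aad)).to_bytes(8, "big") + (8 * len(ciphertext)).to_bytes(8, "big"))
    y = 0
    for i in range(0, len(data), BLOCK):
        y = gf_mult(y ^ int.from_bytes(data[i:i + BLOCK], "big"), hk)
    return y.to_bytes(BLOCK, "big")

def gctr_xor(E, j0: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        out += xor(data[i:i + BLOCK], E(gctr_block(j0, 1 + i // BLOCK)))
    return bytes(out)

def gcm_encrypt(E, salt, iv, aad, payload, icv_len=16):
    h = E(bytes(BLOCK))                      # hash subkey H = SEED_K(0^128), as in 6.3 step 1-3
    j0 = gcm_j0(salt, iv)
    ciphertext = gctr_xor(E, j0, payload)
    icv = xor(ghash(h, aad, ciphertext), E(j0))[:icv_len]
    return ciphertext, icv

def gcm_decrypt(E, salt, iv, aad, ciphertext, icv, icv_len=16):
    """Verify the ICV first; return None (and no plaintext) when it does not match."""
    if icv_len not in (8, 12, 16) or len(icv) != icv_len:
        return None
    h = E(bytes(BLOCK))
    j0 = gcm_j0(salt, iv)
    expected = xor(ghash(h, aad, ciphertext), E(j0))[:icv_len]
    if not hmac.compare_digest(expected, icv):
        return None
    return gctr_xor(E, j0, ciphertext)

# Stand-in for SEED: the six block encryptions printed in Section 6.3 (H, J_0 and four GCTR blocks).
SEED_TABLE_6_3 = {
    bytes(BLOCK): hw("addab0a6", "958b6567", "19702b91", "73e3dbb4"),
    hw("cafebabe", "facedbad", "decaf888", "00000001"): hw("cb99d743", "4d4d1962", "7026c832", "4d5523f9"),
    hw("cafebabe", "facedbad", "decaf888", "00000002"): hw("c37299fe", "f385d702", "7d593194", "7919d14c"),
    hw("cafebabe", "facedbad", "decaf888", "00000003"): hw("f8995257", "0f856564", "afa8ce5a", "3b7f0c4d"),
    hw("cafebabe", "facedbad", "decaf888", "00000004"): hw("6ba45d2a", "4cfbcbf2", "b043d026", "56cfd780"),
    hw("cafebabe", "facedbad", "decaf888", "00000005"): hw("75b89720", "f450f0b7", "47100a49", "e12cfbbf"),
}

def seed_encrypt_6_3(block: bytes) -> bytes:
    try:
        return SEED_TABLE_6_3[bytes(block)]
    except KeyError:
        raise LookupError("block not in the 6.3 table; plug a real SEED implementation in here") from None

SALT_6_3 = hw("cafebabe")
IV_6_3 = hw("facedbad", "decaf888")
AAD_6_3 = hw("3ad77bb4", "0d7a3660", "a89ecaf3", "2466ef97", "f5d3d585")
PAYLOAD_6_3 = hw("d9313225", "f88406e5", "a55909c5", "aff5269a", "86a7a953", "1534f7da", "2e4c303d", "8a318a72",
                 "1c3c0c95", "95680953", "2fcf0e24", "49a6b525", "b16aedf5", "aa0de657", "ba637b39")
CIPHERTEXT_6_3 = hw("1a43abdb", "0b01d1e7", "d8003851", "d6ecf7d6", "7e3efb04", "1ab192be", "81e4fe67", "b14e863f",
                    "779851bf", "d993c2a1", "9f8cde02", "1f6962a5", "c4d27ad5", "5e5d16e0", "fd737170")
ICV_6_3 = hw("fc8681d2", "a6289ebd", "c93c96dd", "8a120d91")

def encrypt_6_3():
    return gcm_encrypt(seed_encrypt_6_3, SALT_6_3, IV_6_3, AAD_6_3, PAYLOAD_6_3)

def decrypt_6_3(ciphertext: bytes, icv: bytes):
    return gcm_decrypt(seed_encrypt_6_3, SALT_6_3, IV_6_3, AAD_6_3, ciphertext, icv)

def icv_matches_draft() -> bool:
    return encrypt_6_3()[1] == ICV_6_3

if __name__ == "__main__":
    ct, icv = encrypt_6_3()
    print(ct.hex())
    print(icv.hex(), "matches 6.3:", icv_matches_draft(), "round trip ok:", decrypt_6_3(ct, icv) == PAYLOAD_6_3)
```

Note that the 6.3 vector uses a 20-octet AAD, whereas Section 2.3.3 fixes the ESP AAD at 8 or 12 octets; `ghash` handles any AAD length, so the same code serves both. The salt and IV cannot be recovered from J_0 alone by a receiver; the salt comes from KEYMAT (Section 3.1) and the IV from the packet.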
3. IKEv2 Conventions
This section describes the conventions used to generate keying
material and nonce values (nonce, salt) for use with SEED-CTR, SEED-
CCM, and SEED-GCM using the Internet Key Exchange version 2 (IKEv2)
[RFC4306] protocol. The identifiers and attributes needed to
negotiate a security association that uses SEED-CTR, SEED-CCM, and
SEED-GCM are also defined.
3.1. Keying Material and Nonce Values
IKEv2 makes use of a pseudo-random function (PRF) to derive keying
material. The PRF is used iteratively to derive keying material of
arbitrary size, called KEYMAT. Keying material is extracted from the
output string without regard to boundaries.
The keying material is used as follows:
SEED-CTR
The KEYMAT requested for each SEED-CTR key is 20 octets. The
first 16 octets are the 128-bit SEED key, and the remaining
four octets are used as the nonce value in the counter block.
SEED-CCM
The KEYMAT requested for each SEED-CCM key is 19 octets. The
first 16 octets are the 128-bit SEED key, and the remaining
three octets are used as the salt value in the counter block.
SEED-GCM
The KEYMAT requested for each SEED-GCM key is 20 octets. The
first 16 octets are the 128-bit SEED key, and the remaining
four octets are used as the salt value in the nonce.
3.2. Transform Type 1
For IKEv2 negotiations, IANA has assigned ESP Transform Identifiers
for SEED-CTR, SEED-CCM and SEED-GCM, as recorded in Section 5.
3.3. Key Length Attribute
Since SEED supports only one key length, the Key Length attribute
MUST NOT be used in the IKEv2 exchange.
4. Security Considerations
No security problem has been found in SEED. SEED is secure against
all known attacks, including differential cryptanalysis, linear
cryptanalysis, and related-key attacks. The only known attack is an
exhaustive search for the key. For further security considerations,
the reader is encouraged to read [SEED-EVAL].
See [CCM] and [RFC4106] for security considerations, regarding the
CCM and GCM modes of operation, respectively.
5. IANA Considerations
IANA has assigned Transform Type 1 (Encryption Algorithm) Identifiers
for SEED-CTR, SEED-CCM, and SEED-GCM with an explicit IV in the
"IKEv2 Parameters" registry:
Number Name
-------- ---------------------------------
<TBD1> ENCR_SEED_CTR;
<TBD2> ENCR_SEED_CCM_8_ICV;
<TBD3> ENCR_SEED_CCM_12_ICV;
<TBD4> ENCR_SEED_CCM_16_ICV;
<TBD5> ENCR_SEED_GCM_8_ICV;
<TBD6> ENCR_SEED_GCM_12_ICV; and
<TBD7> ENCR_SEED_GCM_16_ICV.
6. Test Vectors
[SEED] provides the algorithm specification of SEED, and [SEED-TEST]
provides test vectors that will assist implementers of the SEED
algorithm.
6.1. Test Vectors for ENCR_SEED_CTR
IV=8 octets, Nonce=4 octets, Block counter=4 octets, Payload=64 octets
1) Encryption
1-1) Input data for CTR mode
=====================================================
Key 88E34F8F 081779F1 E9F39437 0AD40589
IV 00000000 00000000
Nonce 00000000
Initial CTR 000000FE
Plaintext D76D0D18 327EC562 B15E6BC3 65AC0C0F
8D41E0BB 938568AE EBFD92ED 1AFFA096
394D20FC 5277DDFC 4DE8B0FC E1EB2B93
D4AE40EF 4768C613 B50B8942 F7D4B9B3
=====================================================
1-2) Encryption
=====================================================
CTR Block 1 00000000 00000000 00000000 000000FE
Key Stream 1 837311DC 65D8CD5C 58A5E15F 578B4DE2
Ciphertext 1 541E1CC4 57A6083E E9FB8A9C 322741ED
-----------------------------------------------------
CTR Block 2 00000000 00000000 00000000 000000FF
Key Stream 2 197BCC56 B6DFF49E 132CACFD 287555D3
Ciphertext 2 943A2CED 255A9C30 F8D13E10 328AF545
-----------------------------------------------------
CTR Block 3 00000000 00000000 00000000 00000100
Key Stream 3 151FFD7E 39932C79 5B0F8D05 FE2730C8
Ciphertext 3 2C52DD82 6BE4F185 16E73DF9 1FCC1B5B
-----------------------------------------------------
CTR Block 4 00000000 00000000 00000000 00000101
Key Stream 4 0FA34018 624C971B 9677E251 A7314CB6
Ciphertext 4 DB0D00F7 25245108 237C6B13 50E5F505
=====================================================
1-3) Result - Ciphertext
=====================================================
Ciphertext 541E1CC4 57A6083E E9FB8A9C 322741ED
943A2CED 255A9C30 F8D13E10 328AF545
2C52DD82 6BE4F185 16E73DF9 1FCC1B5B
DB0D00F7 25245108 237C6B13 50E5F505
=====================================================
2) Decryption
2-1) Input data for CTR mode
=====================================================
Key 88E34F8F 081779F1 E9F39437 0AD40589
IV 00000000 00000000
Nonce 00000000
Initial CTR 000000FE
Ciphertext 541E1CC4 57A6083E E9FB8A9C 322741ED
943A2CED 255A9C30 F8D13E10 328AF545
2C52DD82 6BE4F185 16E73DF9 1FCC1B5B
DB0D00F7 25245108 237C6B13 50E5F505
=====================================================
2-2) Decryption
=====================================================
CTR Block 1 00000000 00000000 00000000 000000FE
Key Stream 1 837311DC 65D8CD5C 58A5E15F 578B4DE2
Plaintext 1 D76D0D18 327EC562 B15E6BC3 65AC0C0F
-----------------------------------------------------
CTR Block 2 00000000 00000000 00000000 000000FF
Key Stream 2 197BCC56 B6DFF49E 132CACFD 287555D3
Plaintext 2 8D41E0BB 938568AE EBFD92ED 1AFFA096
-----------------------------------------------------
CTR Block 3 00000000 00000000 00000000 00000100
Key Stream 3 151FFD7E 39932C79 5B0F8D05 FE2730C8
Plaintext 3 394D20FC 5277DDFC 4DE8B0FC E1EB2B93
-----------------------------------------------------
CTR Block 4 00000000 00000000 00000000 00000101
Key Stream 4 0FA34018 624C971B 9677E251 A7314CB6
Plaintext 4 D4AE40EF 4768C613 B50B8942 F7D4B9B3
=====================================================
2-3) Result - Plaintext
=====================================================
Plaintext D76D0D18 327EC562 B15E6BC3 65AC0C0F
8D41E0BB 938568AE EBFD92ED 1AFFA096
394D20FC 5277DDFC 4DE8B0FC E1EB2B93
D4AE40EF 4768C613 B50B8942 F7D4B9B3
=====================================================
6.2. Test Vectors for ENCR_SEED_CCM
M=8 octets, L=3 octets, AAD=20 octets, Payload=24 octets
1) Encryption
1-1) Input data for CCM mode
=====================================================
Key 40414243 44454647 48494a4b 4c4d4e4f
Nonce 10111213 14151617 18191a1b
AAD 00010203 04050607 08090a0b 0c0d0e0f
10111213
Payload 20212223 24252627 28292a2b 2c2d2e2f
30313233 34353600
=====================================================
1-2) Formatted input data
=====================================================
Formatted 5a101112 13141516 1718191a 1b000018
Input 00140001 02030405 06070809 0a0b0c0d
(B) 0e0f1011 12130000 00000000 00000000
20212223 24252627 28292a2b 2c2d2e2f
30313233 34353600 00000000 00000000
=====================================================
1-3) Calculating CBC-MAC
=====================================================
B-0 5a101112 13141516 1718191a 1b000018
SEED input 5a101112 13141516 1718191a 1b000018
SEED output b60c31dd 0c1090a7 190fcd82 47ceb3c2
-----------------------------------------------------
B-1 00140001 02030405 06070809 0a0b0c0d
SEED input b61831dc 0e1394a2 1f08c58b 4dc5bfcf
SEED output 5d0996a2 13f6a0aa 22e77daf d4419eff
-----------------------------------------------------
B-2 0e0f1011 12130000 00000000 00000000
SEED input 530686b3 01e5a0aa 22e77daf d4419eff
SEED output ebfa0c15 771190f6 0b8d365c c093e097
-----------------------------------------------------
B-3 20212223 24252627 28292a2b 2c2d2e2f
SEED input cbdb2e36 5334b6d1 23a41c77 ecbeceb8
SEED output 27892df2 babdeda5 83fc0481 97b68309
-----------------------------------------------------
B-4 30313233 34353600 00000000 00000000
SEED input 17b81fc1 8e88dba5 83fc0481 97b68309
SEED output dcdcea6a b82c5dbe 56de3bfe 5631aa65
=====================================================
CBC-MAC dcdcea6a b82c5dbe
=====================================================
1-4) Formatted counter block and its encryption result
=====================================================
CTR Block 0 02101112 13141516 1718191a 1b000000
Key Stream 0 682b1a22 ba0164d5 c4987a1a b7e087cb
-----------------------------------------------------
CTR Block 1 02101112 13141516 1718191a 1b000001
Key Stream 1 81318ba2 70d0a16f 3ec7c2cf 76f16b56
-----------------------------------------------------
CTR Block 2 02101112 13141516 1718191a 1b000002
Key Stream 2 ad4ac71d 7fcacbaf a0a6f9f7 fe3e2997
=====================================================
1-5) Result of CCM encryption
=====================================================
Encrypted a110a981 54f58748 16eee8e4 5adc4579
Payload 9d7bf52e 4bfffdaf
-----------------------------------------------------
ICV(Enc-MAC) b4f7f048 022d396b
=====================================================
2) Decryption
2-1) Input data for CCM mode
=====================================================
Key 40414243 44454647 48494a4b 4c4d4e4f
Nonce 10111213 14151617 18191a1b
AAD 00010203 04050607 08090a0b 0c0d0e0f
10111213
Encrypted a110a981 54f58748 16eee8e4 5adc4579
Payload 9d7bf52e 4bfffdaf
ICV(Enc-MAC) b4f7f048 022d396b
=====================================================
2-2) Formatted counter block and its encryption result
=====================================================
CTR Block 0 02101112 13141516 1718191a 1b000000
Key Stream 0 682b1a22 ba0164d5 c4987a1a b7e087cb
-----------------------------------------------------
CTR Block 1 02101112 13141516 1718191a 1b000001
Key Stream 1 81318ba2 70d0a16f 3ec7c2cf 76f16b56
-----------------------------------------------------
CTR Block 2 02101112 13141516 1718191a 1b000002
Key Stream 2 ad4ac71d 7fcacbaf a0a6f9f7 fe3e2997
=====================================================
2-3) Result of CCM Decryption
=====================================================
Payload 20212223 24252627 28292a2b 2c2d2e2f
30313233 34353600
CBC-MAC dcdcea6a b82c5dbe
=====================================================
2-4) Decrypt the payload and getting formatted input data
=====================================================
Formatted 5a101112 13141516 1718191a 1b000018
Input 00140001 02030405 06070809 0a0b0c0d
(B) 0e0f1011 12130000 00000000 00000000
20212223 24252627 28292a2b 2c2d2e2f
30313233 34353600 00000000 00000000
=====================================================
2-5) Calculating CBC-MAC and check integrity
=====================================================
B-0 5a101112 13141516 1718191a 1b000018
SEED input 5a101112 13141516 1718191a 1b000018
SEED output b60c31dd 0c1090a7 190fcd82 47ceb3c2
-----------------------------------------------------
B-1 00140001 02030405 06070809 0a0b0c0d
SEED input b61831dc 0e1394a2 1f08c58b 4dc5bfcf
SEED output 5d0996a2 13f6a0aa 22e77daf d4419eff
-----------------------------------------------------
B-2 0e0f1011 12130000 00000000 00000000
SEED input 530686b3 01e5a0aa 22e77daf d4419eff
SEED output ebfa0c15 771190f6 0b8d365c c093e097
-----------------------------------------------------
B-3 20212223 24252627 28292a2b 2c2d2e2f
SEED input cbdb2e36 5334b6d1 23a41c77 ecbeceb8
SEED output 27892df2 babdeda5 83fc0481 97b68309
-----------------------------------------------------
B-4 30313233 34353600 00000000 00000000
SEED input 17b81fc1 8e88dba5 83fc0481 97b68309
SEED output dcdcea6a b82c5dbe 56de3bfe 5631aa65
=====================================================
CBC-MAC dcdcea6a b82c5dbe
=====================================================
6.3. Test Vectors for ENCR_SEED_GCM
ICV=16 octets, IV=12 octets, AAD=20 octets, Payload=60 octets
1) Encryption
1-1) Input data for GCM mode
=====================================================
Key feffe992 8665731c 6d6a8f94 67308308
Nonce cafebabe facedbad decaf888
AAD 3ad77bb4 0d7a3660 a89ecaf3 2466ef97
f5d3d585
Payload d9313225 f88406e5 a55909c5 aff5269a
86a7a953 1534f7da 2e4c303d 8a318a72
1c3c0c95 95680953 2fcf0e24 49a6b525
b16aedf5 aa0de657 ba637b39
=====================================================
1-2) Encrypt payload with GCTR
=====================================================
J-0 cafebabe facedbad decaf888 00000001
=====================================================
GCTR Block 0 cafebabe facedbad decaf888 00000002
Key Stream 0 c37299fe f385d702 7d593194 7919d14c
Enc-Pay-0 1a43abdb 0b01d1e7 d8003851 d6ecf7d6
-----------------------------------------------------
GCTR Block 1 cafebabe facedbad decaf888 00000003
Key Stream 1 f8995257 0f856564 afa8ce5a 3b7f0c4d
Enc-Pay-1 7e3efb04 1ab192be 81e4fe67 b14e863f
-----------------------------------------------------
GCTR Block 2 cafebabe facedbad decaf888 00000004
Key Stream 2 6ba45d2a 4cfbcbf2 b043d026 56cfd780
Enc-Pay-2 779851bf d993c2a1 9f8cde02 1f6962a5
-----------------------------------------------------
GCTR Block 3 cafebabe facedbad decaf888 00000005
Key Stream 3 75b89720 f450f0b7 47100a49 e12cfbbf
Enc-Pay-3 c4d27ad5 5e5d16e0 fd737170
=====================================================
1-3) Calculate Hash-subkey, H = SEED(0^128)
=====================================================
SEED input 00000000 00000000 00000000 00000000
SEED output(H) addab0a6 958b6567 19702b91 73e3dbb4
=====================================================
1-4) Calculate ICV using AAD and Encrypted payload
==============================================================
(a)GHASH-H(AAD,Enc-Pay) 371f5691 eb6587df b91a5eef c7472e68
==============================================================
GCTR Block (J-0) cafebabe facedbad decaf888 00000001
(b)Key Stream (J-0) cb99d743 4d4d1962 7026c832 4d5523f9
==============================================================
ICV = (a) XOR (b) fc8681d2 a6289ebd c93c96dd 8a120d91
==============================================================
1-5) Result of GCM encryption
=====================================================
Encrypted 1a43abdb 0b01d1e7 d8003851 d6ecf7d6
Payload 7e3efb04 1ab192be 81e4fe67 b14e863f
779851bf d993c2a1 9f8cde02 1f6962a5
c4d27ad5 5e5d16e0 fd737170
-----------------------------------------------------
ICV fc8681d2 a6289ebd c93c96dd 8a120d91
=====================================================
2) Decryption
2-1) Input data for GCM mode
=====================================================
Key feffe992 8665731c 6d6a8f94 67308308
Nonce cafebabe facedbad decaf888
AAD 3ad77bb4 0d7a3660 a89ecaf3 2466ef97
f5d3d585
Encrypted 1a43abdb 0b01d1e7 d8003851 d6ecf7d6
Payload 7e3efb04 1ab192be 81e4fe67 b14e863f
779851bf d993c2a1 9f8cde02 1f6962a5
c4d27ad5 5e5d16e0 fd737170
-----------------------------------------------------
ICV fc8681d2 a6289ebd c93c96dd 8a120d91
=====================================================
2-2) Decrypt payload with GCTR
=====================================================
J-0 cafebabe facedbad decaf888 00000001
=====================================================
GCTR Block 0 cafebabe facedbad decaf888 00000002
Key Stream 0 c37299fe f385d702 7d593194 7919d14c
Payload 0 d9313225 f88406e5 a55909c5 aff5269a
-----------------------------------------------------
GCTR Block 1 cafebabe facedbad decaf888 00000003
Key Stream 1 f8995257 0f856564 afa8ce5a 3b7f0c4d
Payload 1 86a7a953 1534f7da 2e4c303d 8a318a72
-----------------------------------------------------
GCTR Block 2 cafebabe facedbad decaf888 00000004
Key Stream 2 6ba45d2a 4cfbcbf2 b043d026 56cfd780
Payload 2 1c3c0c95 95680953 2fcf0e24 49a6b525
-----------------------------------------------------
GCTR Block 3 cafebabe facedbad decaf888 00000005
Key Stream 3 75b89720 f450f0b7 47100a49 e12cfbbf
Payload 3 b16aedf5 aa0de657 ba637b39
=====================================================
2-3) Result of GCM Decryption
=====================================================
Payload d9313225 f88406e5 a55909c5 aff5269a
86a7a953 1534f7da 2e4c303d 8a318a72
1c3c0c95 95680953 2fcf0e24 49a6b525
b16aedf5 aa0de657 ba637b39
=====================================================
7. References
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within
ESP and AH", RFC 2404, November 1998.
[RFC3686] Housley, R., "Using Advanced Encryption Standard (AES)
Counter Mode With IPsec Encapsulating Security Payload
(ESP)", RFC 3686, January 2004.
[RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
(GCM) in IPsec Encapsulating Security Payload (ESP)",
RFC 4106, June 2005.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, December 2005.
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)",
RFC 5996, September 2010.
[RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM
Mode with IPsec Encapsulating Security Payload (ESP)",
RFC 4309, December 2005.
[CCM] Whiting, D., Housley, R., and N. Ferguson, "Counter with
CBC-MAC (CCM)", RFC 3610, September 2003.
[SEED] Lee, H., Lee, S., Yoon, J., Cheon, D., and J. Lee, "The
SEED Encryption Algorithm", RFC 4269, December 2005.
[SEED-CBC] Lee, H., Yoon, J., Lee, S., and J. Lee, "The SEED Cipher
Algorithm and Its Use with IPsec", RFC 4196, October 2005.
[GCM] Dworkin, M., "NIST Special Publication 800-38D:
Recommendation for Block Cipher Modes of Operation:
Galois/Counter Mode (GCM) and GMAC", U.S. National
Institute of Standards and Technology,
http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf.
7.2. Informative References
[RFC2411] Thayer, R., Doraswamy, N., and R. Glenn, "IP Security
Document Roadmap", RFC 2411, November 1998.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[SEED-EVAL] KISA, "Self Evaluation Report",
http://seed.kisa.or.kr/seed/down/SEED_Evaluation_Report_by_CRYPTREC.pdf
[SEED-TEST] KISA, "Test Vectors for Modified SEED",
http://seed.kisa.or.kr/seed/down/SEED_Test_Vectors_for_Modified_SEED.pdf
Authors' Addresses
Byoungjin Han
Korea Internet & Security Agency
IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950
Email: bjhan@kisa.or.kr
Seokung Yoon
Korea Internet & Security Agency
IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950
Email: seokung@kisa.or.kr
Hyuncheol Jeong
Korea Internet & Security Agency
IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950
Email: hcjung@kisa.or.kr
Yoojae Won
Korea Internet & Security Agency
IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950
Email: yjwon@kisa.or.kr