The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec
RFC 3566

Document Type RFC - Proposed Standard (September 2003; No errata)
Last updated 2015-10-14
Stream IETF
Responsible AD Russ Housley
Network Working Group                                         S. Frankel
Request for Comments: 3566                                          NIST
Category: Standards Track                                     H. Herbert
                                                                   Intel
                                                          September 2003

          The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   A Message Authentication Code (MAC) is a key-dependent one-way hash
   function.  One popular way to construct a MAC algorithm is to use a
   block cipher in conjunction with the Cipher-Block-Chaining (CBC) mode
   of operation.  The classic CBC-MAC algorithm, while secure for
   messages of a pre-selected fixed length, has been shown to be
   insecure across messages of varying lengths such as the type found in
   typical IP datagrams.  This memo specifies the use of AES in CBC mode
   with a set of extensions to overcome this limitation.  This new
   algorithm is named AES-XCBC-MAC-96.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Specification of Requirements  . . . . . . . . . . . . . .   2
   3.  Basic CBC-MAC with Obligatory 10* Padding  . . . . . . . .   3
   4.  AES-XCBC-MAC-96  . . . . . . . . . . . . . . . . . . . . .   3
       4.1.  Keying Material. . . . . . . . . . . . . . . . . . .   5
       4.2.  Padding  . . . . . . . . . . . . . . . . . . . . . .   6
       4.3.  Truncation . . . . . . . . . . . . . . . . . . . . .   6
       4.4.  Interaction with the ESP Cipher Mechanism. . . . . .   6
       4.5.  Performance. . . . . . . . . . . . . . . . . . . . .   6
       4.6.  Test Vectors . . . . . . . . . . . . . . . . . . . .   7
   5.  Security Considerations  . . . . . . . . . . . . . . . . .   8
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . .   8
   7.  Intellectual Property Rights Statement . . . . . . . . . .   8

Frankel & Herbert           Standards Track                     [Page 1]
RFC 3566               AES-XCBC-MAC-96 Algorithm          September 2003

   8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . .   8
   9.  References . . . . . . . . . . . . . . . . . . . . . . . .   9
       9.1.  Normative References . . . . . . . . . . . . . . . .   9
       9.2.  Informative References . . . . . . . . . . . . . . .   9
   10. Authors' Addresses . . . . . . . . . . . . . . . . . . . .  10
   11. Full Copyright Statement . . . . . . . . . . . . . . . . .  11

1.  Introduction

   Message authentication provides data integrity and data origin
   authentication with respect to the original message source.  A
   Message Authentication Code (MAC) is a key-dependent one-way hash
   function.  One popular way to construct a MAC algorithm is to use a
   block cipher in conjunction with the Cipher-Block-Chaining (CBC) mode
   of operation.  The classic CBC-MAC algorithm, while secure for
   messages of a pre-selected fixed length [CBC-MAC-2], has been shown
   to be insecure across messages of varying lengths such as the type
   found in typical IP datagrams [CBC-MAC-2, section 5].  In fact, it is
   trivial to produce forgeries for a second message given the MAC of a
   prior message.  [HANDBOOK, section 9.62, p. 354]

   This memo specifies the use of AES [AES] in CBC mode [MODES] with a
   set of extensions [XCBC-MAC-1] to overcome this limitation.  This new
   algorithm is named AES-XCBC-MAC-96.  Using the AES block cipher, with
   its increased block size (128 bits) and increased key length (128
   bits), provides the new algorithm with the ability to withstand
   continuing advances in cryptanalytic techniques and computational
   capability.  AES-XCBC-MAC-96 is used as an authentication mechanism
   within the context of the IPsec Encapsulating Security Payload (ESP)
   and the Authentication Header (AH) protocols.  For further
   information on ESP, refer to [ESP] and [ROADMAP].  For further
   information on AH, refer to [AH] and [ROADMAP].
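   As an added example (not text or code from the memo), the Go program
   below implements the AES-XCBC-MAC-96 construction that section 4 of
   this RFC specifies: subkeys K1, K2 and K3 are derived by encrypting
   constant blocks under K, the message is chained in CBC mode under K1,
   the final block is XORed with K2 when it is a full block or with K3
   after 10* padding, and the result is truncated to 96 bits.  The
   Verify function is added here to show the receiver-side check with a
   constant-time comparison; it is not part of the specification.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/subtle"
	"fmt"
)

const tagLen = 12 // "-96": the tag is the leftmost 96 bits of the final block
func xorInto(dst, src []byte) { // dst = dst XOR src, equal lengths
	for i := range src {
		dst[i] ^= src[i]
	}
}
// XCBCMAC96 computes AES-XCBC-MAC-96 (RFC 3566) over msg under a 128-bit key.
func XCBCMAC96(key, msg []byte) ([]byte, error) {
	if len(key) != aes.BlockSize {
		return nil, fmt.Errorf("AES-XCBC-MAC-96 needs a 128-bit key, got %d bits", len(key)*8)
	}
	outer, _ := aes.NewCipher(key) // cannot fail: key length already checked
	// Subkeys K1, K2, K3: the constant blocks 0x01..01, 0x02..02, 0x03..03 encrypted under K.
	var k1, k2, k3 [aes.BlockSize]byte
	outer.Encrypt(k1[:], bytes.Repeat([]byte{0x01}, aes.BlockSize))
	outer.Encrypt(k2[:], bytes.Repeat([]byte{0x02}, aes.BlockSize))
	outer.Encrypt(k3[:], bytes.Repeat([]byte{0x03}, aes.BlockSize))
	inner, _ := aes.NewCipher(k1[:]) // K1 is a 16-byte key; cannot fail
	var e [aes.BlockSize]byte         // E[0] = 0^128
	for len(msg) > aes.BlockSize {    // plain CBC-MAC over all but the last block
		xorInto(e[:], msg[:aes.BlockSize])
		inner.Encrypt(e[:], e[:])
		msg = msg[aes.BlockSize:]
	}
	// Last block: XOR in K2 if it is full, K3 (after 10* padding) if partial or empty.
	var last [aes.BlockSize]byte
	copy(last[:], msg)
	if len(msg) == aes.BlockSize {
		xorInto(e[:], k2[:])
	} else {
		last[len(msg)] = 0x80 // a single 1 bit followed by 0 bits to the block end
		xorInto(e[:], k3[:])
	}
	xorInto(e[:], last[:])
	inner.Encrypt(e[:], e[:])
	return e[:tagLen], nil
}
// Verify recomputes the tag and compares it in constant time (receiver side).
func Verify(key, msg, tag []byte) bool {
	want, err := XCBCMAC96(key, msg)
	return err == nil && len(tag) == tagLen && subtle.ConstantTimeCompare(want, tag) == 1
}
```

   The K2/K3 distinction is what keeps a partial last block from
   colliding with the same bytes written out with their 10* padding as a
   full block, which plain padded CBC-MAC would not guarantee.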

   The goal of AES-XCBC-MAC-96 is to ensure that the datagram is
   authentic and cannot be modified in transit.  Data integrity and data
   origin authentication as provided by AES-XCBC-MAC-96 are dependent
   upon the scope of the distribution of the secret key.  If the key is
   known only by the source and destination, this algorithm will provide
   both data origin authentication and data integrity for datagrams sent
   between the two parties.  In addition, only a party with the