The AES-CBC Cipher Algorithm and Its Use with IPsec
RFC 3602

Document Type RFC - Proposed Standard (September 2003; No errata)
Last updated 2013-03-02
Stream IETF
Formats plain text pdf html
Stream WG state (None)
Consensus Unknown
Document shepherd No shepherd assigned
IESG IESG state RFC 3602 (Proposed Standard)
Telechat date
Responsible AD Russ Housley
Send notices to <byfraser@cisco.com>, <tytso@mit.edu>
Network Working Group                                         S. Frankel
Request for Comments: 3602                                      R. Glenn
Category: Standards Track                                           NIST
                                                                S. Kelly
                                                               Airespace
                                                          September 2003

          The AES-CBC Cipher Algorithm and Its Use with IPsec

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document describes the use of the Advanced Encryption Standard
   (AES) Cipher Algorithm in Cipher Block Chaining (CBC) Mode, with an
   explicit Initialization Vector (IV), as a confidentiality mechanism
   within the context of the IPsec Encapsulating Security Payload (ESP).

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.1.  Specification of Requirements. . . . . . . . . . . . . .  3
   2.  The AES Cipher Algorithm . . . . . . . . . . . . . . . . . . .  3
       2.1.  Mode . . . . . . . . . . . . . . . . . . . . . . . . . .  3
       2.2.  Key Size and Number of Rounds. . . . . . . . . . . . . .  4
       2.3.  Weak Keys. . . . . . . . . . . . . . . . . . . . . . . .  4
       2.4.  Block Size and Padding . . . . . . . . . . . . . . . . .  4
       2.5.  Additional Information . . . . . . . . . . . . . . . . .  4
       2.6.  Performance. . . . . . . . . . . . . . . . . . . . . . .  5
   3.  ESP Payload  . . . . . . . . . . . . . . . . . . . . . . . . .  5
       3.1.  ESP Algorithmic Interactions . . . . . . . . . . . . . .  6
       3.2.  Keying Material. . . . . . . . . . . . . . . . . . . . .  6
   4.  Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . .  6
   5.  IKE Interactions . . . . . . . . . . . . . . . . . . . . . . . 10
       5.1.  Phase 1 Identifier . . . . . . . . . . . . . . . . . . . 10
       5.2.  Phase 2 Identifier . . . . . . . . . . . . . . . . . . . 10
       5.3.  Key Length Attribute . . . . . . . . . . . . . . . . . . 10

Frankel, et al.             Standards Track                     [Page 1]
RFC 3602        AES-CBC Cipher Algorithm Use with IPsec   September 2003

       5.4.  Hash Algorithm Considerations. . . . . . . . . . . . . . 10
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 11
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 11
   8.  Intellectual Property Rights Statement . . . . . . . . . . . . 11
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
       9.1.  Normative References . . . . . . . . . . . . . . . . . . 12
       9.2.  Informative References . . . . . . . . . . . . . . . . . 12
   10. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 13
   11. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 14
   12. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 15

1.  Introduction

   As the culmination of a four-year competitive process, NIST (the
   National Institute of Standards and Technology) has selected the AES
   (Advanced Encryption Standard), the successor to the venerable DES
   (Data Encryption Standard).  The competition was an open one, with
   public participation and comment solicited at each step of the
   process.  The AES [AES], formerly known as Rijndael, was chosen from
   a field of five finalists.

   The AES selection was made on the basis of several characteristics:

      +  security

      +  unclassified

      +  publicly disclosed

      +  available royalty-free, worldwide

      +  capable of handling a block size of at least 128 bits

      +  at a minimum, capable of handling key sizes of 128, 192, and
         256 bits

      +  computational efficiency and memory requirements on a variety
         of software and hardware, including smart cards

      +  flexibility, simplicity and ease of implementation

   The AES will be the government's designated encryption cipher.  The
   expectation is that the AES will suffice to protect sensitive
   (unclassified) government information until at least the next
   century.  It is also expected to be widely adopted by businesses and
   financial institutions.

Frankel, et al.             Standards Track                     [Page 2]
RFC 3602        AES-CBC Cipher Algorithm Use with IPsec   September 2003
Show full document text