The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for the Internet Key Exchange Protocol (IKE)
RFC 4615
Document Type RFC - Proposed Standard (August 2006; No errata)
Was draft-songlee-aes-cmac-prf-128 (individual in sec area)
Last updated 2015-10-14
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4615 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Russ Housley
Send notices to santajunman@hanafos.com
Email authors IPR References Referenced by Nits 
Network Working Group                                            J. Song
Request for Comments: 4615                                 R. Poovendran
Category: Standards Track                       University of Washington
                                                                  J. Lee
                                                     Samsung Electronics
                                                                T. Iwata
                                                       Nagoya University
                                                             August 2006

             The Advanced Encryption Standard-Cipher-based
        Message Authentication Code-Pseudo-Random Function-128
                 (AES-CMAC-PRF-128) Algorithm for the
                  Internet Key Exchange Protocol (IKE)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   Some implementations of IP Security (IPsec) may want to use a
   pseudo-random function (PRF) based on the Advanced Encryption
   Standard (AES).  This memo describes such an algorithm, called
   AES-CMAC-PRF-128.  It supports fixed and variable key sizes.

Table of Contents

   1. Introduction ....................................................2
   2. Basic Definitions ...............................................2
   3. The AES-CMAC-PRF-128 Algorithm ..................................2
   4. Test Vectors ....................................................4
   5. Security Considerations .........................................4
   6. IANA Considerations .............................................5
   7. Acknowledgements ................................................5
   8. References ......................................................5
      8.1. Normative References .......................................5
      8.2. Informative References .....................................5

Song, et al.                Standards Track                     [Page 1]
RFC 4615                AES-CMAC-PRF-128 for IKE             August 2006

1.  Introduction

   [RFC4493] describes a method to use the Advanced Encryption Standard
   (AES) as a Message Authentication Code (MAC) that has a 128-bit
   output length.  The 128-bit output is useful as a long-lived pseudo-
   random function (PRF).  This document specifies a PRF that supports
   fixed and variable key sizes for IKEv2 [RFC4306] Key Derivation
   Function (KDF) and authentication.

2.  Basic Definitions

   VK         Variable-length key for AES-CMAC-PRF-128, denoted
              by VK.

   0^128      The string that consists of 128 zero-bits, which is
              equivalent to 0x00000000000000000000000000000000 in
              hexadecimal notation.

   AES-CMAC   The AES-CMAC algorithm with a 128-bit long key described
              in section 2.4 of [RFC4493].

3.  The AES-CMAC-PRF-128 Algorithm

   The AES-CMAC-PRF-128 algorithm is identical to AES-CMAC defined in
   [RFC4493] except that the 128-bit key length restriction is removed.

   IKEv2 [RFC4306] uses PRFs for multiple purposes, most notably for
   generating keying material and authentication of the IKE_SA.  The
   IKEv2 specification differentiates between PRFs with fixed key sizes
   and those with variable key sizes.

   When using AES-CMAC-PRF-128 as the PRF described in IKEv2, AES-CMAC-
   PRF-128 is considered to take fixed size (16 octets) keys for
   generating keying material but it takes variable key sizes for
   authentication.

   That is, when generating keying material, "half the bits must come
   from Ni and half from Nr, taking the first bits of each" as described
   in IKEv2, section 2.14; but for authenticating with shared secrets
   (IKEv2, section 2.16), the shared secret does not have to be 16
   octets and the length may vary.

Song, et al.                Standards Track                     [Page 2]
RFC 4615                AES-CMAC-PRF-128 for IKE             August 2006

   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
   +                        AES-CMAC-PRF-128                           +
   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
   +                                                                   +
   + Input  : VK (Variable-length key)                                 +
   +        : M (Message, i.e., the input data of the PRF)             +
   +        : VKlen (length of VK in octets)                           +
   +        : len (length of M in octets)                              +
   + Output : PRV (128-bit Pseudo-Random Variable)                     +
Show full document text
ISOC IETF Trust RFC Editor IRTF IESG IETF IAB IASA & IAOC IETF Tools IANA