An Interface and Algorithms for Authenticated Encryption
RFC 5116
Document | Type |
RFC - Proposed Standard
(January 2008; Errata)
Was draft-mcgrew-auth-enc (individual in gen area)
|
|
---|---|---|---|
Author | David McGrew | ||
Last updated | 2020-01-21 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized with errata bibtex | ||
Reviews | |||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 5116 (Proposed Standard) | |
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | Tim Polk | ||
Send notices to | (None) |
Network Working Group D. McGrew Request for Comments: 5116 Cisco Systems, Inc. Category: Standards Track January 2008 An Interface and Algorithms for Authenticated Encryption Status of This Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Abstract This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. McGrew Standards Track [Page 1] RFC 5116 Authenticated Encryption January 2008 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Background . . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.3. Benefits . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.4. Conventions Used in This Document . . . . . . . . . . . . 4 2. AEAD Interface . . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Authenticated Encryption . . . . . . . . . . . . . . . . . 5 2.2. Authenticated Decryption . . . . . . . . . . . . . . . . . 7 2.3. Data Formatting . . . . . . . . . . . . . . . . . . . . . 7 3. Guidance on the Use of AEAD Algorithms . . . . . . . . . . . . 8 3.1. Requirements on Nonce Generation . . . . . . . . . . . . . 8 3.2. Recommended Nonce Formation . . . . . . . . . . . . . . . 9 3.2.1. Partially Implicit Nonces . . . . . . . . . . . . . . 10 3.3. Construction of AEAD Inputs . . . . . . . . . . . . . . . 11 3.4. Example Usage . . . . . . . . . . . . . . . . . . . . . . 11 4. Requirements on AEAD Algorithm Specifications . . . . . . . . 12 5. AEAD Algorithms . . . . . . . . . . . . . . . . . . . . . . . 14 5.1. AEAD_AES_128_GCM . . . . . . . . . . . . . . . . . . . . . 14 5.1.1. Nonce Reuse . . . . . . . . . . . . . . . . . . . . . 14 5.2. AEAD_AES_256_GCM . . . . . . . . . . . . . . . . . . . . . 15 5.3. AEAD_AES_128_CCM . . . . . . . . . . . . . . . . . . . . . 15 5.3.1. Nonce Reuse . . . . . . . . . . . . . . . . . . . . . 16 5.4. AEAD_AES_256_CCM . . . . . . . . . . . . . . . . . . . . . 16 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 7. Other Considerations . . . . . . . . . . . . . . . . . . . . . 17 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 10.1. Normative References . . . . . . . . . . . . . . . . . . . 19 10.2. Informative References . . . . . . . . . . . . . . . . . . 19 McGrew Standards Track [Page 2] RFC 5116 Authenticated Encryption January 2008 1. Introduction Authenticated encryption [BN00] is a form of encryption that, in addition to providing confidentiality for the plaintext that is encrypted, provides a way to check its integrity and authenticity. Authenticated Encryption with Associated Data, or AEAD [R02], adds the ability to check the integrity and authenticity of some Associated Data (AD), also called "additional authenticated data", that is not encrypted. 1.1. Background Many cryptographic applications require both confidentiality and message authentication. Confidentiality is a security service that ensures that data is available only to those authorized to obtain it; usually it is realized through encryption. Message authentication is the service that ensures that data has not been altered or forged by unauthorized entities; it can be achieved by using a Message Authentication Code (MAC). This service is also called data integrity. Many applications use an encryption method and a MAC together to provide both of those security services, with each algorithm using an independent key. More recently, the idea of providing both security services using a single cryptoalgorithm has become accepted. In this concept, the cipher and MAC are replaced by an Authenticated Encryption with Associated Data (AEAD) algorithm. Several crypto algorithms that implement AEAD algorithms have beenShow full document text