Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES)
RFC 5297
Field | Value
---|---
Type | RFC - Informational (October 2008; No errata); was draft-dharkins-siv-aes (individual in sec area)
Author | Dan Harkins
Last updated | 2015-10-14
Stream | IETF
WG state | (None)
Document shepherd | No shepherd assigned
IESG state | RFC 5297 (Informational)
Consensus Boilerplate | Unknown
Responsible AD | Tim Polk
Send notices to | (None)
Network Working Group                                         D. Harkins
Request for Comments: 5297                                Aruba Networks
Category: Informational                                     October 2008

Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES)

Status of This Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Abstract

This memo describes SIV (Synthetic Initialization Vector), a block cipher mode of operation. SIV takes a key, a plaintext, and multiple variable-length octet strings that will be authenticated but not encrypted. It produces a ciphertext having the same length as the plaintext and a synthetic initialization vector. Depending on how it is used, SIV achieves either the goal of deterministic authenticated encryption or the goal of nonce-based, misuse-resistant authenticated encryption.

Table of Contents

1. Introduction
   1.1. Background
   1.2. Definitions
   1.3. Motivation
      1.3.1. Key Wrapping
      1.3.2. Resistance to Nonce Misuse/Reuse
      1.3.3. Key Derivation
      1.3.4. Robustness versus Performance
      1.3.5. Conservation of Cryptographic Primitives
2. Specification of SIV
   2.1. Notation
   2.2. Overview
   2.3. Doubling
   2.4. S2V
   2.5. CTR
   2.6. SIV Encrypt
   2.7. SIV Decrypt
3. Nonce-Based Authenticated Encryption with SIV
4. Deterministic Authenticated Encryption with SIV
5. Optimizations
6. IANA Considerations
   6.1. AEAD_AES_SIV_CMAC_256
   6.2. AEAD_AES_SIV_CMAC_384
   6.3. AEAD_AES_SIV_CMAC_512
7. Security Considerations
8. Acknowledgments
9. References
   9.1. Normative References
   9.2. Informative References
Appendix A. Test Vectors
   A.1. Deterministic Authenticated Encryption Example
   A.2. Nonce-Based Authenticated Encryption Example

1. Introduction

1.1. Background

Various attacks have been described (e.g., [BADESP]) when data is merely privacy protected and not additionally authenticated or integrity protected. Therefore, combined modes of encryption and authentication have been developed ([RFC5116], [RFC3610], [GCM], [JUTLA], [OCB]). These provide conventional authenticated encryption when used with a nonce ("a number used once") and typically accept additional inputs that are authenticated but not encrypted, hereinafter referred to as "associated data" or AD.

A deterministic, nonce-less, form of authenticated encryption has been used to protect the transportation of cryptographic keys (e.g., [X9F1], [RFC3217], [RFC3394]). This is generally referred to as "Key Wrapping".

This memo describes a new block cipher mode, SIV, that provides both nonce-based authenticated encryption as well as deterministic, nonce-less key wrapping. It contains a Pseudo-Random Function (PRF) construction called S2V and an encryption/decryption construction, called CTR. SIV was specified by Phillip Rogaway and Thomas Shrimpton in [DAE]. The underlying block cipher used herein for both S2V and CTR is AES with key lengths of 128 bits, 192 bits, or 256