AES Galois Counter Mode for the Secure Shell Transport Layer Protocol
RFC 5647
Document Type RFC - Informational (August 2009; No errata)
Was draft-igoe-secsh-aes-gcm (individual in sec area)
Last updated 2015-10-14
Stream IETF
Formats plain text pdf html bibtex
Reviews
SECDIR Last Call Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 5647 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Tim Polk
Send notices to (None)
Email authors IPR References Referenced by Nits 
Network Working Group                                            K. Igoe
Request for Comments: 5647                                    J. Solinas
Category: Informational                         National Security Agency
                                                             August 2009

                      AES Galois Counter Mode for
               the Secure Shell Transport Layer Protocol

Abstract

   Secure shell (SSH) is a secure remote-login protocol.  SSH provides
   for algorithms that provide authentication, key agreement,
   confidentiality, and data-integrity services.  The purpose of this
   document is to show how the AES Galois Counter Mode can be used to
   provide both confidentiality and data integrity to the SSH Transport
   Layer Protocol.

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Igoe & Solinas               Informational                      [Page 1]
RFC 5647                AES-GCM for Secure Shell             August 2009

Table of Contents

   1. Introduction ....................................................2
   2. Requirements Terminology ........................................2
   3. Applicability Statement .........................................3
   4. Properties of Galois Counter Mode ...............................3
      4.1. AES GCM Authenticated Encryption ...........................3
      4.2. AES GCM Authenticated Decryption ...........................3
   5. Review of Secure Shell ..........................................4
      5.1. Key Exchange ...............................................4
      5.2. Secure Shell Binary Packets ................................5
   6. AES GCM Algorithms for Secure Shell .............................6
      6.1. AEAD_AES_128_GCM ...........................................6
      6.2. AEAD_AES_256_GCM ...........................................6
      6.3. Size of the Authentication Tag .............................6
   7. Processing Binary Packets in AES-GCM Secure Shell ...............7
      7.1. IV and Counter Management ..................................7
      7.2. Formation of the Binary Packet .............................7
      7.3. Treatment of the Packet Length Field .......................8
   8. Security Considerations .........................................8
      8.1. Use of the Packet Sequence Number in the AT ................8
      8.2. Non-Encryption of Packet Length ............................8
   9. IANA Considerations .............................................9
   10. References ....................................................10
      10.1. Normative References .....................................10

1.  Introduction

   Galois Counter Mode (GCM) is a block-cipher mode of operation that
   provides both confidentiality and data-integrity services.  GCM uses
   counter mode to encrypt the data, an operation that can be
   efficiently pipelined.  Further, GCM authentication uses operations
   that are particularly well suited to efficient implementation in
   hardware, making it especially appealing for high-speed
   implementations or for implementations in an efficient and compact
   circuit.  The purpose of this document is to show how GCM with either
   AES-128 or AES-256 can be integrated into the Secure Shell Transport
   Layer Protocol [RFC4253].

2.  Requirements Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

Igoe & Solinas               Informational                      [Page 2]
RFC 5647                AES-GCM for Secure Shell             August 2009

3.  Applicability Statement

   Using AES-GCM to provide both confidentiality and data integrity is
   generally more efficient than using two separate algorithms to
   provide these security services.

4.  Properties of Galois Counter Mode

   Galois Counter Mode (GCM) is a mode of operation for block ciphers
   that provides both confidentiality and data integrity.  National
   Institute of Standards and Technology (NIST) Special Publication SP
   800 38D [GCM] gives an excellent explanation of Galois Counter Mode.
   In this document, we shall focus on AES GCM, the use of the Advanced
   Encryption Algorithm (AES) in Galois Counter Mode.  AES-GCM is an
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools