AES Galois Counter Mode for the Secure Shell Transport Layer Protocol
RFC 5647

Document type: RFC - Informational (August 2009)
Was draft-igoe-secsh-aes-gcm (individual in sec area)
Document stream: IETF
Last updated: 2013-03-02

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 5647 (Informational)
Responsible AD: Tim Polk
Send notices to: jsolinas@orion.ncsc.mil, kmigoe@nsa.gov, draft-igoe-secsh-aes-gcm@tools.ietf.org

Network Working Group                                            K. Igoe
Request for Comments: 5647                                    J. Solinas
Category: Informational                         National Security Agency
                                                             August 2009

                      AES Galois Counter Mode for
               the Secure Shell Transport Layer Protocol

Abstract

   Secure shell (SSH) is a secure remote-login protocol.  SSH provides
   for algorithms that provide authentication, key agreement,
   confidentiality, and data-integrity services.  The purpose of this
   document is to show how the AES Galois Counter Mode can be used to
   provide both confidentiality and data integrity to the SSH Transport
   Layer Protocol.

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Igoe & Solinas               Informational                      [Page 1]
RFC 5647                AES-GCM for Secure Shell             August 2009

Table of Contents

   1. Introduction ....................................................2
   2. Requirements Terminology ........................................2
   3. Applicability Statement .........................................3
   4. Properties of Galois Counter Mode ...............................3
      4.1. AES GCM Authenticated Encryption ...........................3
      4.2. AES GCM Authenticated Decryption ...........................3
   5. Review of Secure Shell ..........................................4
      5.1. Key Exchange ...............................................4
      5.2. Secure Shell Binary Packets ................................5
   6. AES GCM Algorithms for Secure Shell .............................6
      6.1. AEAD_AES_128_GCM ...........................................6
      6.2. AEAD_AES_256_GCM ...........................................6
      6.3. Size of the Authentication Tag .............................6
   7. Processing Binary Packets in AES-GCM Secure Shell ...............7
      7.1. IV and Counter Management ..................................7
      7.2. Formation of the Binary Packet .............................7
      7.3. Treatment of the Packet Length Field .......................8
   8. Security Considerations .........................................8
      8.1. Use of the Packet Sequence Number in the AT ................8
      8.2. Non-Encryption of Packet Length ............................8
   9. IANA Considerations .............................................9
   10. References ....................................................10
      10.1. Normative References .....................................10

1.  Introduction

   Galois Counter Mode (GCM) is a block-cipher mode of operation that
   provides both confidentiality and data-integrity services.  GCM uses
   counter mode to encrypt the data, an operation that can be
   efficiently pipelined.  Further, GCM authentication uses operations
   that are particularly well suited to efficient implementation in
   hardware, making it especially appealing for high-speed
   implementations or for implementations in an efficient and compact
   circuit.  The purpose of this document is to show how GCM with either
   AES-128 or AES-256 can be integrated into the Secure Shell Transport
   Layer Protocol [RFC4253].

2.  Requirements Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Applicability Statement

   Using AES-GCM to provide both confidentiality and data integrity is
   generally more efficient than using two separate algorithms to
   provide these security services.

4.  Properties of Galois Counter Mode

   Galois Counter Mode (GCM) is a mode of operation for block ciphers
