The OCB Authenticated-Encryption Algorithm
RFC 7253

Document Type RFC - Informational (May 2014; No errata)
Was draft-irtf-cfrg-ocb (cfrg RG)
Last updated 2014-05-29
Replaces draft-krovetz-ocb
Stream IRTF
Formats plain text pdf html
IETF conflict review conflict-review-irtf-cfrg-ocb
Stream IRTF state Published RFC
Consensus Yes
Document shepherd David McGrew
IESG IESG state RFC 7253 (Informational)
Telechat date
Responsible AD (None)
Send notices to (None)
IANA IANA review state IANA OK - Actions Needed
IANA action state RFC-Ed-Ack
Internet Research Task Force (IRTF)                           T. Krovetz
Request for Comments: 7253                              Sacramento State
Category: Informational                                       P. Rogaway
ISSN: 2070-1721                                                 UC Davis
                                                                May 2014

               The OCB Authenticated-Encryption Algorithm

Abstract

   This document specifies OCB, a shared-key blockcipher-based
   encryption scheme that provides confidentiality and authenticity for
   plaintexts and authenticity for associated data.  This document is a
   product of the Crypto Forum Research Group (CFRG).

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Research Task Force
   (IRTF).  The IRTF publishes the results of Internet-related research
   and development activities.  These results might not be suitable for
   deployment.  This RFC represents the consensus of the Crypto Forum
   Research Group of the Internet Research Task Force (IRTF).  Documents
   approved for publication by the IRSG are not a candidate for any
   level of Internet Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7253.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Krovetz & Rogaway             Informational                     [Page 1]
RFC 7253              OCB Authenticated Encryption              May 2014

Table of Contents

   1. Introduction ....................................................2
   2. Notation and Basic Operations ...................................4
   3. OCB Global Parameters ...........................................5
      3.1. Named OCB Parameter Sets and RFC 5116 Constants ............6
   4. OCB Algorithms ..................................................6
      4.1. Processing Associated Data: HASH ...........................6
      4.2. Encryption: OCB-ENCRYPT ....................................8
      4.3. Decryption: OCB-DECRYPT ....................................9
   5. Security Considerations ........................................11
      5.1. Nonce Requirements ........................................12
   6. IANA Considerations ............................................13
   7. Acknowledgements ...............................................13
   8. References .....................................................14
      8.1. Normative References ......................................14
      8.2. Informative References ....................................14
   Appendix A.  Sample Results .......................................15

1.  Introduction

   Schemes for authenticated encryption (AE) simultaneously provide for
   confidentiality and authentication.  While this goal would
   traditionally be achieved by melding separate encryption and
   authentication mechanisms, each using its own key, integrated AE
   schemes intertwine what is needed for confidentiality and what is
   needed for authenticity.  By conceptualizing AE as a single
   cryptographic goal, AE schemes are less likely to be misused than
   conventional encryption schemes.  Also, integrated AE schemes can be
   significantly faster than what one sees from composing separate
   confidentiality and authenticity means.

   When an AE scheme allows for the authentication of unencrypted data
   at the same time that a plaintext is being encrypted and
   authenticated, the scheme is an authenticated encryption with
   associated data (AEAD) scheme.  Associated data can be useful when,
   for example, a network packet has unencrypted routing information and
   an encrypted payload.

   OCB is an AEAD scheme that depends on a blockcipher.  This document
   fully defines OCB encryption and decryption except for the choice of
   the blockcipher and the length of authentication tag that is part of
   the ciphertext.  The blockcipher must have a 128-bit blocksize.  Each
   choice of blockcipher and tag length specifies a different variant of
   OCB.  Several AES-based variants are defined in Section 3.1.

Krovetz & Rogaway             Informational                     [Page 2]
Show full document text