[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 RFC 3602

Network Working Group                                IPsec Working Group
INTERNET DRAFT                                          S. Frankel, NIST
November 2000                                         S. Kelly, RedCreek
Expiration Date: May 2001                                 R. Glenn, NIST

            The AES Cipher Algorithm and Its Use With IPsec

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.  Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working Groups. Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Drafts Shadow Directories can be accessed at

   This document is a submission to the IETF Internet Protocol Security
   (IPSEC) Working Group. Comments are solicited and should be addressed
   to the working group mailing list (ipsec@lists.tislabs.com) or to the

   Distribution of this memo is unlimited.


   This document describes the use of the AES Cipher Algorithm in Cipher
   Block Chaining Mode, with an explicit IV, as a confidentiality mecha-
   nism within the context of the IPsec Encapsulating Security Payload

   This Internet Draft also describes the use of the four other AES fi-
   nalist candidate algorithms in the ESP Header.

Frankel,Glenn,Kelly                                             [Page 1]

INTERNET DRAFT   <draft-ietf-ipsec-ciph-aes-cbc-01.txt>    November 2000

                             Table of Contents

1.   Introduction  . . . . . . . . . . . . . . . . . . . . . . . . .   3
1.1  Specification of Requirements . . . . . . . . . . . . . . . . .   3
2.   The AES Cipher Algorithm  . . . . . . . . . . . . . . . . . . .   3
2.1  Mode  . . . . . . . . . . . . . . . . . . . . . . . . . . . . .   4
2.2  Key Size  . . . . . . . . . . . . . . . . . . . . . . . . . . .   4
2.3  Weak Keys . . . . . . . . . . . . . . . . . . . . . . . . . . .   5
2.4  Block Size and Padding  . . . . . . . . . . . . . . . . . . . .   5
2.5  Rounds  . . . . . . . . . . . . . . . . . . . . . . . . . . . .   6
2.6  Cipher-specific Information . . . . . . . . . . . . . . . . . .   6
2.7  Performance . . . . . . . . . . . . . . . . . . . . . . . . . .   7
3.   ESP Payload . . . . . . . . . . . . . . . . . . . . . . . . . .   7
3.1  ESP Algorithmic Interactions  . . . . . . . . . . . . . . . . .   8
3.2  Keying Material . . . . . . . . . . . . . . . . . . . . . . . .   8
4.  IKE Interactions . . . . . . . . . . . . . . . . . . . . . . . .   8
4.1  Phase 1 Identifiers . . . . . . . . . . . . . . . . . . . . . .   8
4.2  Phase 2 Identifiers . . . . . . . . . . . . . . . . . . . . . .   9
4.3  Key Length Attribute  . . . . . . . . . . . . . . . . . . . . .   9
4.4  Diffie-Hellman Groups . . . . . . . . . . . . . . . . . . . . .   9
4.4.1 Relative Strength  . . . . . . . . . . . . . . . . . . . . . .  10
4.5  Hash Algorithm Considerations . . . . . . . . . . . . . . . . .  11
5.   Security Considerations . . . . . . . . . . . . . . . . . . . .  11
6.   Intellectual Property Rights Statement  . . . . . . . . . . . .  12
7.   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . .  12
8.   References  . . . . . . . . . . . . . . . . . . . . . . . . . .  12
9.   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . .  15
10.   Full Copyright Statement . . . . . . . . . . . . . . . . . . .  15

Frankel,Glenn,Kelly                                             [Page 2]

INTERNET DRAFT   <draft-ietf-ipsec-ciph-aes-cbc-01.txt>    November 2000

1.   Introduction

   As the culmination of a four-year competitive process, NIST (the Na-
   tional Institute of Standards and Technology) has selected the AES
   (Advanced Encryption Algorithm), the successor to the venerable DES.
   The competition was an open one, with public participation and com-
   ment solicited at each step of the process. The AES, formerly known
   as Rijndael, was chosen from the five finalists. The four other fi-
   nalists, MARS, RC6, Serpent and Twofish, were all adjudged to be suf-
   ficiently secure.

   The final AES selection was made on the basis of several additional

     +    computational efficiency and memory requirements on a variety
          of software and hardware, including smart cards

     +    flexibility, simplicity and ease of implementation

   The AES will be the government's designated encryption cipher, and
   will be definitively described in a FIPS (Federal Information Pro-
   cessing Standard), expected to be completed by summer 2001.  The
   expectation is that the AES will suffice to protect sensitive
   (unclassified) government information at least until the next cen-
   tury.  It is also expected to be widely adopted by businesses and
   financial institutions.

   It is the intention of the IETF IPsec Working Group that AES will
   eventually be adopted as the default IPsec ESP cipher and will obtain
   the status of MUST be included in compliant IPsec implementations.
   However, until there is more experience with regard to the crypto-
   graphic strengths and weaknesses of the algorithm, this document
   should be used to experiment with the AES algorithm and determine how
   it can best be used in IPsec implementations.  This document should
   be considered experimental.

   The remainder of this document specifies the use of the AES and the
   other four finalist AES candidate ciphers within the context of IPsec
   ESP.  For further information on how the various pieces of ESP fit
   together to provide security services, refer to [ARCH], [ESP], and

1.1  Specification of Requirements

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   appear in this document are to be interpreted as described in

2.   The AES Cipher Algorithm

   All symmetric block cipher algorithms share common characteristics
   and variables, including mode, key size, weak keys, block size, and

Frankel,Glenn,Kelly                                             [Page 3]

INTERNET DRAFT   <draft-ietf-ipsec-ciph-aes-cbc-01.txt>    November 2000

   rounds.  The following sections contain descriptions of the relevant
   characteristics of the AES cipher and the other finalists.

   The AES will be made available world-wide on a royalty-free basis.
   Some of the other finalists are covered by copyrights, patents or
   patent applications.

   The AES homepage, http://www.nist.gov/aes, contains a wealth of in-
   formation about the AES and the other finalists, including definitive
   descriptions of each algorithm, comparative analyses, performance
   statistics, test vectors and intellectual property information.  This
   site also contains information on how to obtain reference implementa-
   tions from NIST for each of the algorithms.

2.1  Mode

   No operational modes are currently defined for the AES cipher.  NIST
   is in the process of developing a modes of operation FIPS for AES
   [MODES].  However, the Cipher Block Chaining (CBC) mode is well-de-
   fined and well-understood for symmetric ciphers, and is currently re-
   quired for all other ESP ciphers.  This document specifies the use of
   the AES cipher and the other finalists in CBC mode within ESP.  This
   mode requires an Initialization Vector (IV) that is the same size as
   the block size.  Use of a randomly generated IV prevents generation
   of identical ciphertext from packets which have identical data that
   spans the first block of the cipher algorithm's block size.

   The IV is XOR'd with the first plaintext block before it is encrypt-
   ed.  Then for successive blocks, the previous ciphertext block is
   XOR'd with the current plaintext, before it is encrypted.

   More information on CBC mode can be obtained in [CRYPTO-S].  For the
   use of CBC mode in ESP with 64-bit ciphers, see [CBC].

2.2  Key Size

   Some cipher algorithms allow for variable sized keys, while others
   only allow specific, pre-defined key sizes.  The length of the key
   typically correlates with the strength of the algorithm; thus larger
   keys are usually harder to break than shorter ones.

   This document stipulates that all key sizes MUST be a multiple of 8

   This document specifies the default (i.e. MUST be supported) key size
   for the AES cipher algorithm.  The default key size that implementa-
   tions MUST support for IPsec is 128 bits.  In addition, all of the
   ciphers accept key sizes of 192 and 256 bits.

Frankel,Glenn,Kelly                                             [Page 4]

INTERNET DRAFT   <draft-ietf-ipsec-ciph-aes-cbc-01.txt>    November 2000

   | Algorithm  |  Key Sizes (bits)       |  Default  |
   | AES        |  128, 192, 256          |  128      |
   | MARS       |  128 - 448*             |  128      |
   | RC6        |  variable up to 2040    |  128      |
   | Serpent    |  variable up to 256**   |  128      |
   | Twofish    |  variable up to 256***  |  128      |

   *NOTE1: MARS key lengths must be multiples of 32 bits.
   **NOTE2: Serpent keys are always padded to 256 bits. The padding con-
   sists of a "1" bit followed by "0" bits.
   ***NOTE3: Twofish keys, other than the default sizes, are always
   padded with "0" bits up to the next default size.

2.3  Weak Keys

   At the time of writing this document there are no known weak keys for
   the AES or any of the other finalists.

   Some cipher algorithms have weak keys or keys that MUST not be used
   due to their interaction with some aspect of the cipher's definition.
   If weak keys are discovered for the AES or any of the other final-
   ists, then weak keys SHOULD be checked for and discarded when using
   manual key management.  When using dynamic key management, such as
   [IKE], weak key checks SHOULD NOT be performed as they are seen as an
   unnecessary added code complexity that could weaken the intended se-
   curity [EVALUATION].

2.4  Block Size and Padding

   All of the algorithms described in this document use a block size of
   sixteen octets (128 bits), mandatory for the AES.  Some of the algo-
   rithms can handle larger block sizes as well.

   Padding is required by the algorithms to maintain a 16-octet
   (128-bit) blocksize.  Padding MUST be added, as specified in [ESP],
   such that the data to be encrypted (which includes the ESP Pad Length
   and Next Header fields) has a length that is a multiple of 16 octets.

   Because of the algorithm specific padding requirement, no additional
   padding is required to ensure that the ciphertext terminates on a
   4-octet boundary (i.e. maintaining a 16-octet blocksize guarantees
   that the ESP Pad Length and Next Header fields will be right aligned
   within a 4-octet word).   Additional padding MAY be included, as
   specifed in [ESP], as long as the 16-octet blocksize is maintained.

Frankel,Glenn,Kelly                                             [Page 5]

INTERNET DRAFT   <draft-ietf-ipsec-ciph-aes-cbc-01.txt>    November 2000

2.5  Rounds

   This variable determines how many times a block is encrypted.  While
   this variable MAY be negotiated, a default value MUST always exist
   when it is not negotiated. Within IPsec, the AES MUST support 10
   rounds, corresponding to the mandatory 128-bit keysize.

   | Algorithm  |  Negotiable?  |  Default # of Rounds  |
   | AES        |  Yes          |  10, 12, 14*          |
   | MARS       |  Yes          |  32                   |
   | RC6        |  Yes          |  20                   |
   | Serpent    |  Yes          |  32                   |
   | Twofish    |  Yes          |  16                   |

   *NOTE1: AES's Default # of Rounds is dependent on key size. Default #
   of Rounds = keylen/32 + 6.

2.6  Cipher-specific Information


   AES was invented by Joan Daemen from Banksys/PWI and Vincent Rijmen
   from ESAT-COSIC, both in Belgium.  It is not covered by any patents,
   and the Rijndael homepage contains the following statement: "Rijndael
   is available for free. You can use it for whatever purposes you want,
   irrespective of whether it is accepted as AES or not."  AES's de-
   scription can be found in [RIJNDAEL].  The Rijndael homepage is:


   MARS is IBM's submission to the AES competition. The inventors, who
   are from the US and Switzerland, are: Carolynn Burwick, Don Copper-
   smith, Edward D'Avignon, Rosario Gennaro, Shai Halevi, Charanjit Jut-
   la, Sstephen Matyas Jr., Luke O'Connor, Mohammad Peyravian, David
   Safford, and Nevenko Zunic, A patent application, IBM application
   CR99802, is pending.  However, the MARS homepage contains the follow-
   ing statement: "MARS is now available world-wide under a royalty-free
   license from Tivoli."  MARS is defined in [MARS-1] and [MARS-2]. A
   change to the key generation technique is described in [MARS-3].  The
   MARS homepage is: http://www.research.ibm.com/security/mars.html.


   RC6 was invented by Ronald Rivest of MIT, and by Matthew Robshaw, Ray
   Sidney, and Yiqun Lisa Yin, all from RSA Laboratories. The name RC6

Frankel,Glenn,Kelly                                             [Page 6]

INTERNET DRAFT   <draft-ietf-ipsec-ciph-aes-cbc-01.txt>    November 2000

   is protected by a copyright. The algorithm is covered by USA patent
   number 5,724,428 (granted March 3, 1998); two other US patents are
   pending: application serial numbers 08/854,210 (filed April 21, 1997)
   and 09/094,649 (filed June 15, 1998). The RC6 family of algorithms is
   defined in [RC6].  The RC6 homepage is:


   Serpent was invented by Ross Anderson of Cambridge University, Eli
   Biham of the Technion, Israel and Lars Knudsen of the University of
   Bergen, Norway. Two UK patent applications are pending: 9722789.7
   (filed October 29, 1997) and 9722798.9 (filed October 30, 1997).
   However, the Serpent homepage contains the following statement: "Ser-
   pent is now completely in the public domain, and we impose no re-
   strictions on its use."  Serpent is defined in [SERPENT-1] and [SER-
   PENT-2].  The Serpent homepage is:


   Twofish was invented by Bruce Schneier, John Kelsey, Chris Hall and
   Niels Ferguson, all from Counterpane Systems, Doug Whiting of Hi/fn,
   and David Wagner from the University of California Berkeley.  It is
   not covered by any patents, and the Twofish homepage contains the
   following statement: "Twofish is unpatented, and the source code is
   uncopyrighted and license-free; it is free for all uses."  Twofish is
   defined in [TWOFISH-1] and [TWOFISH-2].  The Twofish homepage is:

2.7  Performance

   For a comparison table of the estimated speeds of these and other ci-
   pher algorithms, please see [PERF-1], [PERF-2], [PERF-3], or
   [PERF-4]. The AES homepage, http://www.nist.gov/aes, has pointers to
   other analyses. The individual cypher documents, [MARS-1], [MARS-2],
   [RC6], [RIJNDAEL], [SERPENT-1], [SERPENT-2], [TWOFISH-1] and
   [TWOFISH-2] also contain performance statistics.

3.   ESP Payload

   The ESP payload is made up of the IV followed by raw cipher-text.
   Thus the payload field, as defined in [ESP], is broken down according
   to the following diagram:

    |                                                               |
    +               Initialization Vector (16 octets)               +
    |                                                               |
    |                                                               |
    ~ Encrypted Payload (variable length, a multiple of 16 octets)  ~
    |                                                               |

Frankel,Glenn,Kelly                                             [Page 7]

INTERNET DRAFT   <draft-ietf-ipsec-ciph-aes-cbc-01.txt>    November 2000

   The IV field MUST be the same size as the block size of the cipher
   algorithm being used.  The IV MUST be chosen at random.  Common prac-
   tice is to use random data for the first IV and the last block of en-
   crypted data from an encryption process as the IV for the next en-
   cryption process.

   Including the IV in each datagram ensures that decryption of each re-
   ceived datagram can be performed, even when some datagrams are
   dropped, or datagrams are re-ordered in transit.

   To avoid ECB encryption of very similar plaintext blocks in different
   packets, implementations MUST NOT use a counter or other low-Hamming
   distance source for IVs.

3.1  ESP Algorithmic Interactions

   Currently, there are no known issues regarding interactions between
   these algorithms and other aspects of ESP, such as use of certain au-
   thentication schemes.

3.2  Keying Material

   The minimum number of bits sent from the key exchange protocol to the
   ESP algorithm must be greater than or equal to the key size.

   The cipher's encryption and decryption key is taken from the first
   <x> bits of the keying material, where <x> represents the required
   key size.

4.  IKE Interactions

4.1  Phase 1 Identifiers

   For Phase 1 negotiations, IANA has already assigned an Encryption Al-
   gorithm ID of 7 for AES-CBC.  To facilitate the experimental use of
   the other finalist ciphers, it would be useful to temporarily define
   standard IKE Encryption Algorithm Identifiers for each of them as
   well.  [IKE] reserves the values 65001-65535 "for private use among
   mutually consenting parties".  The following IKE Encrytion Algorithm
   Identifiers are suggested for IKE interoperability using the finalist

   | Encryption Algorithm  |  Value  |
   | MARS-CBC              |  65001  |
   | RC6-CBC               |  65002  |
   | SERPENT-CBC           |  65004  |
   | TWOFISH-CBC           |  65005  |

Frankel,Glenn,Kelly                                             [Page 8]

INTERNET DRAFT   <draft-ietf-ipsec-ciph-aes-cbc-01.txt>    November 2000

4.2  Phase 2 Identifiers

   For Phase 2 negotiations, IANA has already assigned an ESP Transform
   Identifier of 12 for ESP_AES.  To facilitate the experimental use of
   the other finalist ciphers, it would be useful to temporarily define
   standard IPsec ESP Transform Identifiers for each of them as well.
   [DOI] reserves the values 249-255 for "private use amongst cooperat-
   ing systems."  The following IPsec ESP Transform Identifiers are sug-
   gested for IKE interoperability using the finalist ciphers:

   | Transform ID  |  Value  |
   | ESP_MARS      |  249    |
   | ESP_RC6       |  250    |
   | ESP_SERPENT   |  252    |
   | ESP_TWOFISH   |  253    |

4.3  Key Length Attribute

   Since the AES and other finalist ciphers allow variable key lengths,
   the Key Length attribute MUST be specified in a Phase 2 exchange
   [DOI].  The Key Length attribute MAY be specified in a Phase 1 ex-
   change [IKE]; if it is not specified, the default key length is 128

4.4  Diffie-Hellman Groups

   The Diffie-Hellman algorithm is the basis of cryptographic key ex-
   change within IPsec. The algorithm may be implemented using either
   "MODP" (modulus-exponent) groups or "EC" (elliptic curve) groups. The
   general procedure is as follows: the initiator chooses a random expo-
   nent x with K bits of entropy that is 2K bits in length (the K bits
   may be hashed to produce 2K bits), and then computes g^x using the
   group operation:

                              X = g^x

   For MODP the group operation is modular multiplication, while for EC
   the operation is point addition on the curve.  The notation "g^x"
   means "iterate the group operation x times".  X is then sent to the
   responder. The responder chooses a secret number y, and similarly

                              Y = g^y

Frankel,Glenn,Kelly                                             [Page 9]

INTERNET DRAFT   <draft-ietf-ipsec-ciph-aes-cbc-01.txt>    November 2000

   which is in turn sent to the initiator. At this point, both the ini-
   tiator and responder may compute a shared secret value by combining
   their own secret value with the exponential and applying the group

                        Z = g^(xy) = Y^x = X^y

   From Z, both derive identical cryptographic keys.

   This description is simplified in the interest of brevity, and an in-
   depth description of this mechanism is beyond the scope of this memo.
   For further details, refer to the wealth of published literature on
   this topic.

4.4.1 Relative Strength

   The relative strength of the encryption keys derived via the Diffie-
   Hellman exchange may be characterized in terms the randomness of the
   participant's exponents and the strength of Diffie-Hellman group; if
   an exponent has at least 128 completely random bits,  it is said to
   have 128-bits of "entropy".  If the Diffie-Hellman group cannot be
   broken in less time than searching a 128-bit key space, then the de-
   rived 128-bit key is said to have 128 bits of "strength". For an in-
   depth discussion regarding relative strength of values derived from
   DH exchanges, see [KEYLEN-1].

   In some cases, one may choose to settle for an amount of entropy
   which is less than that of a completely random key of the given size.
   There are numerous reasons for making such a choice, among which
   might include a concern for the computational effort required to com-
   plete the key exchange. For example, the following table lists recom-
   mended modulus and exponent sizes for various key lengths using ei-
   ther MODP or EC groups.

   | Key Size  |  Exponent Size  |  Modulus Size  |  Group Type   |
   | 128       |  256            |  3240          |  MODP         |
   | 128       |  248            |  248           |  EC2N         |
   | 192       |  384            |  7945          |  MODP         |
   | 192       |  376            |  376           |  EC2N         |
   | 256       |  512            |  15430         |  MODP         |
   | 256       |  504            |  504           |  EC2N         |

Frankel,Glenn,Kelly                                            [Page 10]

INTERNET DRAFT   <draft-ietf-ipsec-ciph-aes-cbc-01.txt>    November 2000

   NOTE: This table is based on Section 4.5 in [KEYLEN-1] and on email
   communications with Hilarie Orman [KEYLEN-2].

   Note that the sizes of the moduli and exponents for the MODP groups
   in the table above are very large, and the computational effort re-
   quired to complete the exponentiation and modulo operations with such
   large values is quite significant using hardware commonly available
   in the year 2000. If such considerations are deemed important, then
   keys larger than 128 bits SHOULD NOT be used. Further, if it is de-
   termined that less than 128 bits of strength will suffice for the se-
   curity requirements of the given application, then smaller exponents
   and moduli may be used.

   [GROUPS] defines four additional Diffie-Hellman MODP groups for IKE.
   Two of these groups, a 3072-bit MODP group and a 4096-bit MODP group,
   could be used to establish 128-bit AES keys. [IKE-ECC] defines four
   additional Diffie-Hellman ECC groups for IKE.  Two of these groups,
   Group 8 and 9, both of which are 283-bit ECC groups, could be used to
   establish 128-bit AES keys.  Additional information about the rela-
   tionship between the group governing a Diffie-Hellman exchange and
   the symmetric keys derived from the exchange can be found in

4.5  Hash Algorithm Considerations

   A companion competition, to select the successor to SHA-1, the wide-
   ly-used hash algorithm, recently concluded.  The resulting hashes,
   called SHA-256, SHA-384 and SHA-512 [SHA2-1] are capable of producing
   output of three different lengths (256, 384 and 512 bits), sufficient
   for the generation of the three AES key sizes (128, 192 and 256
   bits).  IANA has already assigned Phase 1 Hash Algorithm values of 4,
   5 and 6 to SHA2-256, SHA2-384, and SHA2-512.  IANA has also assigned
   AH Transform Identifiers of 5, 6 and 7 to AH_SHA2_256, AH_SHA2_384,
   and AH_SHA2_512.)  The use of these hashes in ESP, AH and IKE is de-
   scribed in [SHA2-2].

5.   Security Considerations

   Implementations are encouraged to use the largest key sizes they can
   when taking into account performance considerations for their partic-
   ular hardware and software configuration.  Note that encryption nec-
   essarily impacts both sides of a secure channel, so such considera-
   tion must take into account not only the client side, but the server
   as well. However, a key size of 128 bits is considered secure for the
   foreseeable future.

   Because the AES algorithm is relatively new and has only undergone
   limited cryptographic analysis, its use in IPsec implementations
   should be considered experimental.  Once NIST has published the AES
   FIPS, and at the recommendation of cryptographic experts, AES should
   become a default and mandatory-to-implement cipher algorithm for

   For more information regarding the necessary use of random IV values,

Frankel,Glenn,Kelly                                            [Page 11]

INTERNET DRAFT   <draft-ietf-ipsec-ciph-aes-cbc-01.txt>    November 2000

   see [CRYPTO-B].

   For further security considerations, the reader is encouraged to read
   the documents that describe the actual cipher algorithms.

6.   Intellectual Property Rights Statement

   Pursuant to the provisions of [RFC-2026], the authors represent that
   they have disclosed the existence of any proprietary or intellectual
   property rights in the contribution that are reasonably and personal-
   ly known to the authors.  The authors do not represent that they per-
   sonally know of all potentially pertinent proprietary and intellectu-
   al property rights owned or claimed by the organizations they repre-
   sent or third parties.

   The IETF takes no position regarding the validity or scope of any in-
   tellectual property or other rights that might be claimed to pertain
   to the implementation or use of the technology described in this doc-
   ument or the extent to which any license under such rights might or
   might not be available; neither does it represent that it has made
   any effort to identify any such rights.  Information on the IETF's
   procedures with respect to rights in standards-track and standards-
   related documentation can be found in BCP-11.  Copies of claims of
   rights made available for publication and any assurances of licenses
   to be made available, or the result of an attempt made to obtain a
   general license or permission for the use of such proprietary rights
   by implementers or users of this specification can be obtained from
   the IETF Secretariat.

7.   Acknowledgments

   Portions of this text, as well as its general structure, were un-
   abashedly lifted from [CBC].

   The authors want to thank Hilarie Orman for providing expert advice
   (and a sanity check) on key sizes, requirements for Diffie-Hellman
   groups, and IKE interactions.

8.   References

     [ARCH]      Kent, S. and R. Atkinson, "Security Architecture for
                 the Internet Protocol", RFC 2401, November 1998.

     [CBC]       Pereira, R. and R. Adams, "The ESP CBC-Mode Cipher
                 Algorithms," RFC 2451, November 1998.

     [CRYPTO-B]  Bellovin, S., "Probable Plaintext Cryptanalysis of the
                 IP Security Protocols", Proceedings of the Symposium on
                 Network and Distributed System Security, San Diego, CA,
                 pp. 155-160, February 1997.
   http://www.research.att.com/~smb/probtxt.{ps, pdf}).

Frankel,Glenn,Kelly                                            [Page 12]

INTERNET DRAFT   <draft-ietf-ipsec-ciph-aes-cbc-01.txt>    November 2000

     [CRYPTO-M]  A. Menezes, P. Van Oorschot, S. Vanstone, "Handbook of
                 Applied Cryptography", CRC Press, 1997, ISBN

     [CRYPTO-S]  B. Schneier, "Applied Cryptography Second Edition",
                 John Wiley & Sons, New York, NY, 1995, ISBN

     [DOI]       Piper, D., "The Internet IP Security Domain of
                 Interpretation for ISAKMP," RFC 2407, November 1998.

     [ESP]       Kent, S. and R. Atkinson, "IP Encapsulating Security
                 Payload (ESP)", RFC 2406, November 1998.

                 Ferguson, N. and B. Schneier, "A Cryptographic
                 Evaluation of IPsec," Counterpane Internet Security,
                 Inc., January 2000.

     [GROUPS]    Kivinen, T. and M. Kojo, "More MODP Diffie-Hellman
                 groups for IKE," draft-ietf-ipsec-ike-modp-
                 groups-00.txt, October 2000.

     [IKE]       Harkins, D. and D. Carrel, "The Internet Key Exchange
                 (IKE)", RFC 2409, November 1998.

     [IKE-ECC]   Panjwani, P. and Y. Poeluev, "Additional ECC Groups For
                 IKE," draft-ietf-ipsec-ike-ecc-groups-02.txt, May 2000.

     [ISAKMP]    Maughan, D., M. Schertler, M. Schneider, and J. Turner,
                 "The Internet Security Association and Key Management
                 Protocol (ISAKMP),"

     [KEYLEN-1]  Orman, H. and P. Hoffman, "Determining Strengths For
                 Public Keys Used For Exchanging Symmetric Keys," draft-
                 orman-public-key-lengths-01.txt, August 2000.

     [KEYLEN-2]  Orman, H., email communications, February 2000.

     [MARS-1]    Burwick, C., D. Coppersmith, E. D'Avignon, R. Gennaro,
                 S. Halevi, C. Jutla, S. Matyas Jr., L. O'Connor, M.
                 Peyravian, D. Safford, and N. Zunic, "MARS - a
                 candidate cipher for AES," NIST AES Proposal, Jun 1998.

     [MARS-2]    Burwick, C., D. Coppersmith, E. D'Avignon, R. Gennaro,
                 S. Halevi, C. Jutla, S. Matyas Jr., L. O'Connor, M.
                 Peyravian, D. Safford, and N. Zunic, "The MARS
                 Encryption Algorithm," NIST AES Proposal, Jun 1998.

     [MARS-3]    Zunic, N., "Suggested 'tweaks' for the MARS cipher,"
                 NIST AES Proposal, May 1999.

Frankel,Glenn,Kelly                                            [Page 13]

INTERNET DRAFT   <draft-ietf-ipsec-ciph-aes-cbc-01.txt>    November 2000

     [MODES]     "Symmetric Key Block Cipher Modes of Operation,"

     [PERF-1]    Bassham, L. III, "Efficiency Testing of ANSI C
                 Implementations of Round1 Candidate Algorithms for the
                 Advanced Encryption Standard".

     [PERF-2]    Lipmaa, Helger, "Efficiency Testing Table."

     [PERF-3]    Nechvetal, J., E. Barker, D. Dodson, M. Dworkin, J.
                 Foti and E. Roback, "Status Report on the First Round
                 of the Development of the Advanced Encryption

     [PERF-4]    Schneier, B., J. Kelsey, D. Whiting, D. Wagner, C.
                 Hall, and N. Ferguson, "Performance Comparison of the
                 AES Submissions."

     [RC6]       Rivest, R., M. Robshaw, R. Sidney, and Y. Yin, "The
                 RC6[TM] Block Cipher," NIST AES Proposal, Jun 1998.

     [RFC-2026]  Bradner, S., "The Internet Standards Process --
                 Revision 3", RFC2026, October 1996.

     [RFC-2119]  Bradner, S., "Key words for use in RFCs to Indicate
                 Requirement Levels", RFC-2119, March 1997.

     [RIJNDAEL]  Daemen, J. and V. Rijman, "AES Proposal: Rijndael,"
                 NIST AES Proposal, Jun 1998.

     [ROAD]      Thayer, R., N. Doraswamy and R. Glenn, "IP Security
                 Document Roadmap", RFC 2411, November 1998.

     [SERPENT-1] Anderson, R., E. Biham, and L. Knudsen, "Serpent: A
                 Proposal for the Advanced Encryption Standard," NIST
                 AES Proposal, Jun 1998.

     [SERPENT-2] Biham, E., R. Anderson, L. Knudsen, "Serpent: A New
                 Block Cipher Proposal," Fast Software Encryption -
                 FSE98, Springer LNCS, vol. 1372, pp. 222-238.

     [SHA2-1]    "Descriptions of SHA-256, SHA-384, and SHA-512,"

     [SHA2-2]    Frankel, S. and S. Kelly, "The Use of SHA-256, SHA-384,
                 and SHA-512 within ESP, AH and IKE," Work in progress.

Frankel,Glenn,Kelly                                            [Page 14]

INTERNET DRAFT   <draft-ietf-ipsec-ciph-aes-cbc-01.txt>    November 2000

     [TWOFISH-1] Schneier, B., J. Kelsey, D. Whiting, D. Wagner, C.
                 Hall, and N. Ferguson, "Twofish: A 128-Bit Block
                 Cipher," NIST AES Proposal, Jun 1998.

     [TWOFISH-2] Schneier, B., J. Kelsey, D. Whiting, D. Wagner, C.
                 Hall, and N. Ferguson, "The Twofish Encryption
                 Algorithm: A 128-Bit Block Cipher," John Wiley & Sons,

9.   Authors' Addresses

        Sheila Frankel
        820 West Diamond Ave.
        Room 680
        Gaithersburg, MD 20899
        Phone: +1 (301) 975-3297
        Email: sheila.frankel@nist.gov

        Scott Kelly
        RedCreek Communications
        3900 Newpark Mall Road
        Newark, CA 94560
        Phone: +1 (510) 745-3969
        Email: skelly@redcreek.com

        Rob Glenn
        820 West Diamond Ave.
        Room 455
        Gaithersburg, MD 20899
        Phone: +1 (301) 975-3667
        Email: rob.glenn@nist.gov

   The IPsec working group can be contacted through the chair:

        Ted T'so
        Massachusetts Institute of Technology
        e-mail: tytso@mit.edu

10.   Full Copyright Statement

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this doc-

Frankel,Glenn,Kelly                                            [Page 15]

INTERNET DRAFT   <draft-ietf-ipsec-ciph-aes-cbc-01.txt>    November 2000

   ument itself may not be modified in any way, such as by removing the
   copyright notice or references to the Internet Society or other In-
   ternet organizations, except as needed for the purpose of developing
   Internet standards in which case the procedures for copyrights de-
   fined in the Internet Standards process must be followed, or as re-
   quired to translate it into languages other than English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an

Frankel,Glenn,Kelly                                            [Page 16]

Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/