
Internet Engineering Task Force                            Roy Pereira
IP Security Working Group                         TimeStep Corporation
Internet Draft                                               G. Carter
Expires in six months                             Entrust Technologies
                                                           May 1, 1997



                    The ESP CAST-128-CBC Algorithm
              <draft-ietf-ipsec-esp-cast-128-cbc-00.txt>



Status of this Memo

   This document is a submission to the IETF Internet Protocol
   Security (IPSEC) Working Group. Comments are solicited and should
   be addressed to the working group mailing list (ipsec@tis.com) or
   to the editor.

   This document is an Internet-Draft.  Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in
   progress."

   To learn the current status of any Internet-Draft, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
   ftp.isi.edu (US West Coast).

   Distribution of this memo is unlimited.

Abstract

   This draft describes the CAST-128 block cipher algorithm as used
   with the IPSec Encapsulating Security Payload (ESP).











R. Pereira, G. Carter                                         [Page 1]

Internet Draft      The ESP CAST-128-CBC Algorithm         May 1, 1997


Table of Contents

   1. Introduction...................................................2
   2. Cipher Algorithm...............................................2
     2.1 Key Size....................................................2
     2.2 Block Size and Padding......................................3
     2.3 Payload.....................................................3
     2.4 Weak Keys...................................................3
     2.5 Rounds......................................................3
     2.6 Background on CAST-128......................................3
     2.7 Performance.................................................3
   3. Key Exchange Protocol Identifiers..............................4
   4. Keying Material................................................4
   5. Security Considerations........................................4
   6. References.....................................................4
   7. Acknowledgments................................................5
   8. Editors' Address...............................................5

1. Introduction

   This draft describes how the CAST5-128 cipher algorithm may be used
   with the IPSec ESP protocol.  CAST5-128 and CAST-128 are used
   synonymously to refer to an implementation of CAST5 which supports
   key sizes up to 128 bits.

   It is assumed that the reader is familiar with the terms and
   concepts described in the document "Security Architecture for the
   Internet Protocol" [Atkinson95] and "IP Encapsulating Security
   Payload (ESP)" [Kent97].

   Furthermore, this document is a companion to [Kent97] and MUST be
   read in its context.

2. Cipher Algorithm

   The symmetric block cipher algorithm used to secure ESP is CAST-128
   in CBC mode with a block size of 64 bits as described in [Adams97].

2.1 Key Size

   The CAST-128 encryption algorithm [Adams97] has been designed to
   allow a key size which can vary from 40 bits to 128 bits, in 8-bit
   increments (that is, the allowable key sizes are 40, 48, 56, 64,
   ..., 112, 120, and 128 bits). To facilitate interoperability, it is
   recommended that key sizes SHOULD be chosen from the set of 40, 64,
   80 and 128.




   For key sizes less than 128 bits, the key is padded with zeros (in
   the rightmost, or least significant, positions) out to 128 bits
   (since the CAST-128 key schedule assumes an input key of 128 bits).

2.2 Block Size and Padding

   The ESP CAST-128 algorithm described in this document MUST use a
   block size of 8 octets (64 bits).

   When padding is required, it MUST be done according to the
   conventions specified in [Kent97].

2.3 Payload

   CAST-128-CBC requires an explicit Initialization Vector (IV) of 8
   octets (64 bits).  Thus the payload is made up of the 8 octet IV
   followed by the cipher-text.  A new IV MUST be pseudo-randomly
   generated for each packet and then used to encrypt that plain-text.
   When decrypting, the first 8 octets of the payload are used as an
   IV to decrypt the remaining payload octets.
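
   The payload layout described above, as an added example that is not
   part of the original draft. The 64-bit block function is a labelled
   stand-in (not CAST-128, not secure), all names are illustrative, and
   the plain-text is assumed to be already padded per [Kent97].

```python
import secrets

BLOCK = 8  # CAST-128 block size and IV size, in octets


def _f(x: int, k: int) -> int:
    return ((x ^ k) * 0x9E3779B1 + (x >> 5)) & 0xFFFFFFFF


def _toy_block(block: bytes, key: bytes, decrypt: bool) -> bytes:
    """Stand-in 64-bit Feistel permutation: NOT CAST-128, not secure."""
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    ks = [int.from_bytes(key[i:i + 4], "big") for i in range(0, 16, 4)]
    for k in (reversed(ks) if decrypt else ks):
        l, r = (r ^ _f(l, k), l) if decrypt else (r, l ^ _f(r, k))
    return l.to_bytes(4, "big") + r.to_bytes(4, "big")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_payload(padded_plaintext: bytes, key: bytes) -> bytes:
    """Return IV || CBC cipher-text, with a fresh random IV for this packet."""
    if not padded_plaintext or len(padded_plaintext) % BLOCK:
        raise ValueError("plain-text must be a non-empty multiple of 8 octets")
    iv = secrets.token_bytes(BLOCK)
    prev, out = iv, [iv]
    for i in range(0, len(padded_plaintext), BLOCK):
        prev = _toy_block(_xor(padded_plaintext[i:i + BLOCK], prev), key, False)
        out.append(prev)
    return b"".join(out)


def open_payload(payload: bytes, key: bytes) -> bytes:
    """Use the first 8 octets as the IV and CBC-decrypt the remainder."""
    if len(payload) < 2 * BLOCK or len(payload) % BLOCK:
        raise ValueError("payload must be an 8-octet IV plus whole blocks")
    prev, out = payload[:BLOCK], []
    for i in range(BLOCK, len(payload), BLOCK):
        block = payload[i:i + BLOCK]
        out.append(_xor(_toy_block(block, key, True), prev))
        prev = block
    return b"".join(out)
```

   Because the IV is drawn per packet, two packets carrying identical
   plain-text under the same key produce different payloads.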

2.4 Weak Keys

   CAST-128 has no known weak keys.

2.5 Rounds

   For key sizes up to and including 80 bits (i.e., 40, 48, 56, 64,
   72, and 80 bits), the algorithm is exactly as specified but MUST
   use 12 rounds instead of 16.

   For key sizes greater than 80 bits, the algorithm MUST use the full
   16 rounds.

2.6 Background on CAST-128

   The CAST design was developed by Carlisle Adams with input from
   Serge Mister and Michael Wiener of Entrust Technologies
   Incorporated.  CAST-128 is the result of applying the CAST Design
   Procedure as outlined in [Adams97].

2.7 Performance

   CAST-128 runs approximately 3 times faster than a highly optimized
   DES implementation and runs 5-6 times faster than the DES
   implementations found in typical applications.  This is based on a
   non-optimized C++ implementation of CAST-128.  It can therefore be
   tuned to give even higher performance, if this is required.



   The following performance tests were run on a Pentium 90 MHz
   running the Windows NT operating system using 20 Kbyte buffers and
   do not include file I/O.  The DES-CBC implementation was not
   optimized for a 32 bit environment.

   CAST-128 64 bit key CBC encryption ........... 2,640,000 bytes/sec
   DES CBC encryption ............................. 504,000 bytes/sec

3. Key Exchange Protocol Identifiers

   For Oakley/ISAKMP [Harkins97] to negotiate ESP CAST-128 as
   described in this draft, the transform id MUST be 5, which is
   stated in [Piper97].

4. Keying Material

   The minimum number of bits sent from the Key Exchange Protocol to
   this ESP algorithm must be greater than or equal to the key size
   plus the key size of the negotiated authentication algorithm.

   For example, if we are using a CAST-128 key size of 80 bits and we
   are using HMAC-MD5 [Oehler97] as the authentication algorithm, then
   the required number of bits of keying material would be:

     Bits Required = Encryption Key Size + Authentication Key Size
     Bits Required = 80 + 128
     Bits Required = 208

   The CAST-128 key is taken from the first <x> bits of the keying
   material, where <x> represents the required key size.  The
   remaining bits are truncated to equal the key size of the
   authentication algorithm and used as its key.
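
   The key-handling rules of sections 2.1, 2.5 and 4 as an added
   example that is not part of the original draft. Function names are
   illustrative and the keying material is a constructed sample, not
   real key-exchange output.

```python
RECOMMENDED_KEY_BITS = (40, 64, 80, 128)  # interoperability set, section 2.1


def cast128_key_params(key: bytes):
    """Return (128-bit padded key, rounds, in_recommended_set) for a CAST-128 key."""
    bits = len(key) * 8  # whole octets give the 8-bit increments for free
    if not 40 <= bits <= 128:
        raise ValueError(f"CAST-128 key must be 40..128 bits, got {bits}")
    padded = key + b"\x00" * (16 - len(key))  # zero-fill the rightmost octets
    rounds = 12 if bits <= 80 else 16         # section 2.5
    return padded, rounds, bits in RECOMMENDED_KEY_BITS


def split_keying_material(keymat: bytes, enc_bits: int, auth_bits: int):
    """Split key-exchange output into (encryption key, authentication key)."""
    if enc_bits % 8 or auth_bits % 8:
        raise ValueError("key sizes must be whole octets")
    enc_len, need = enc_bits // 8, (enc_bits + auth_bits) // 8
    if len(keymat) < need:
        raise ValueError(f"need {need * 8} bits of keying material, "
                         f"got {len(keymat) * 8}")
    # First <x> bits are the cipher key; the rest is cut to the auth key size.
    return keymat[:enc_len], keymat[enc_len:need]


def demo():
    keymat = bytes(range(32))  # constructed sample: 256 bits, not a real key
    enc_key, auth_key = split_keying_material(keymat, 80, 128)  # 208 bits used
    padded, rounds, recommended = cast128_key_params(enc_key)
    return len(enc_key) * 8, len(auth_key) * 8, padded.hex(), rounds, recommended


if __name__ == "__main__":
    print(demo())
```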

5. Security Considerations

   The ESP CAST-128 algorithm described in this draft has the same
   security considerations as in [Adams97].

6. References

   [Adams97] Adams, C., "Constructing Symmetric Ciphers using the CAST
   Design Procedure", draft-adams-cast-128-00.tx

   [CMA97] Adams, C., "CAST Design Procedure Addendum",
   http://www.entrust.com/library.htm




   [Atkinson95] Atkinson, R., "Security Architecture for the Internet
   Protocol", rfc1825.txt, August 1995

   [Kent97] Kent, S., Atkinson, R., "IP Encapsulating Security Payload
   (ESP)", draft-ietf-ipsec-new-esp-01.txt

   [Piper97] Derrel, P., "The Internet IP Domain of Interpretation for
   ISAKMP", draft-ietf-ipsec-ipsec-doi-03.txt

   [Harkins97] Harkins, D., Carrel, D., "The resolution of ISAKMP
   with Oakley", draft-ietf-ipsec-isakmp-oakley-03.txt, February 1997

   [Oehler97] Oehler, M., Glenn, R., "HMAC-MD5 IP Authentication with
   Replay Prevention", rfc2085.txt, February 1997

7. Acknowledgments

   This document is based on suggestions from Stephen Kent and
   discussions from the IPSec mailing list as well as other IPSec
   drafts.

   Special thanks to Carlisle Adams and Paul Van Oorschot, both of
   Entrust Technologies, who provided additional input and review with
   respect to CAST-128.

8. Editors' Address

     Roy Pereira
     <rpereira@timestep.com>
     TimeStep Corporation
     (613) 599-3610 x 4808

     Greg Carter
     <carterg@entrust.com>
     Entrust Technologies
     (613) 763-1358

   The IPSec working group can be contacted through its chairs:

     Paul Lambert
     <PALAMBER@us.oracle.com>
     Oracle Corporation

   or via the IPSec working group's mailing list (ipsec@tis.com)





