draft-ietf-kitten-aes-cts-hmac-sha2-01.txt | draft-ietf-kitten-aes-cts-hmac-sha2-02.txt | |||
---|---|---|---|---|

Network Working Group K. Burgin | Network Working Group M. Jenkins | |||

Internet Draft National Security Agency | Internet Draft National Security Agency | |||

Intended Status: Informational M. Peck | Intended Status: Informational M. Peck | |||

Expires: December 30, 2013 The MITRE Corporation | Expires: November 7, 2014 The MITRE Corporation | |||

June 28, 2013 | K. Burgin | |||

May 6, 2014 | ||||

AES Encryption with HMAC-SHA2 for Kerberos 5 | AES Encryption with HMAC-SHA2 for Kerberos 5 | |||

draft-ietf-kitten-aes-cts-hmac-sha2-01 | draft-ietf-kitten-aes-cts-hmac-sha2-02 | |||

Abstract | Abstract | |||

This document specifies two encryption types and two corresponding | This document specifies two encryption types and two corresponding | |||

checksum types for Kerberos 5. The new types use AES in CTS mode | checksum types for Kerberos 5. The new types use AES in CTS mode | |||

(CBC mode with ciphertext stealing) for confidentiality and HMAC with | (CBC mode with ciphertext stealing) for confidentiality and HMAC with | |||

a SHA-2 hash for integrity. | a SHA-2 hash for integrity. | |||

Status of this Memo | Status of this Memo | |||

skipping to change at page 1, line 34 | skipping to change at page 1, line 35 | |||

Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||

Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||

working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||

Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||

Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||

and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||

time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||

material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||

This Internet-Draft will expire on December 30, 2013. | This Internet-Draft will expire on January 20, 2014. | |||

Copyright and License Notice | Copyright and License Notice | |||

Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||

document authors. All rights reserved. | document authors. All rights reserved. | |||

This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||

Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||

(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||

publication of this document. Please review these documents | publication of this document. Please review these documents | |||

carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||

to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||

include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||

the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||

described in the Simplified BSD License. | described in the Simplified BSD License. | |||

Table of Contents | Table of Contents | |||

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||

2. Protocol Key Representation . . . . . . . . . . . . . . . . . 3 | 2. Protocol Key Representation . . . . . . . . . . . . . . . . . 3 | |||

3. Key Generation from Pass Phrases . . . . . . . . . . . . . . . 3 | 3. Key Derivation Function . . . . . . . . . . . . . . . . . . . 3 | |||

4. Key Derivation Function . . . . . . . . . . . . . . . . . . . 4 | 4. Key Generation from Pass Phrases . . . . . . . . . . . . . . . 4 | |||

5. Kerberos Algorithm Protocol Parameters . . . . . . . . . . . . 5 | 5. Kerberos Algorithm Protocol Parameters . . . . . . . . . . . . 5 | |||

6. Checksum Parameters . . . . . . . . . . . . . . . . . . . . . 8 | 6. Checksum Parameters . . . . . . . . . . . . . . . . . . . . . 6 | |||

7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||

8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||

8.1. Random Values in Salt Strings . . . . . . . . . . . . . . 9 | 8.1. Random Values in Salt Strings . . . . . . . . . . . . . . 7 | |||

9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 | |||

9.1. Normative References . . . . . . . . . . . . . . . . . . . 10 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||

9.2. Informative References . . . . . . . . . . . . . . . . . . 10 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 8 | |||

Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 11 | 10.2. Informative References . . . . . . . . . . . . . . . . . 8 | |||

Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 9 | ||||

Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||

1. Introduction | 1. Introduction | |||

This document defines two encryption types and two corresponding | This document defines two encryption types and two corresponding | |||

checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys. | checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys. | |||

To avoid ciphertext expansion, we use the CBC-CS3 variant to CBC mode | ||||

defined in [SP800-38A+] (this mode is also referred to as CTS). The | ||||

new types conform to the framework specified in [RFC3961], but do not | ||||

use the simplified profile. | ||||

Note that [SP800-38A+] requires the plaintext length to be greater | To avoid ciphertext expansion, we use a variation of the CBC-CS3 mode | |||

than the block size, so the encryption types have two cases. | defined in [SP800-38A+], also referred to as ciphertext stealing or | |||

CTS mode. The new types conform to the framework specified in | ||||

[RFC3961], but do not use the simplified profile. | ||||

The encryption and checksum types defined in this document are | The encryption and checksum types defined in this document are | |||

intended to support NSA's Suite B Profile for Kerberos [suiteb- | intended to support environments that desire to use SHA-256 or SHA- | |||

kerberos] which requires the use of SHA-256 or SHA-384 as the hash | 384 as the hash algorithm. Differences between the encryption and | |||

algorithm. Differences between the encryption and checksum types | checksum types defined in this document and the pre-existing Kerberos | |||

defined in this document and existing Kerberos encryption and | AES encryption and checksum types specified in [RFC3962] are: | |||

checksum types are: | ||||

* The pseudorandom function used by PBKDF2 is HMAC-SHA-256 or HMAC- | * The pseudorandom function used by PBKDF2 is HMAC-SHA-256 or HMAC- | |||

SHA-384. | SHA-384. | |||

* A key derivation function from [SP800-108] which uses the SHA-256 | * A key derivation function from [SP800-108] using the SHA-256 or | |||

or SHA-384 hash algorithm is used to produce keys for encryption, | SHA-384 hash algorithm is used to produce keys for encryption, | |||

integrity protection, and checksum operations. | integrity protection, and checksum operations. | |||

* The IV used during content encryption is sent as part of the | * The HMAC is calculated over the cipherstate concatenated with the | |||

ciphertext, instead of using a confounder. This saves one | AES output, instead of being calculated over the confounder and | |||

encryption and decryption operation per message. | plaintext. This allows the message receiver to verify the | |||

integrity of the message before decrypting the message. | ||||

* The HMAC is calculated over the AES output, instead of being | ||||

calculated over the plaintext. This allows the message receiver | ||||

to verify the integrity of the message before decrypting the | ||||

message. | ||||

* The HMAC algorithm uses the SHA-256 or SHA-384 hash algorithm for | * The HMAC algorithm uses the SHA-256 or SHA-384 hash algorithm for | |||

integrity protection and checksum operations. | integrity protection and checksum operations. | |||

2. Protocol Key Representation | 2. Protocol Key Representation | |||

The AES key space is dense, so we can use random or pseudorandom | The AES key space is dense, so we can use random or pseudorandom | |||

octet strings directly as keys. The byte representation for the key | octet strings directly as keys. The byte representation for the key | |||

is described in [FIPS197], where the first bit of the bit string is | is described in [FIPS197], where the first bit of the bit string is | |||

the high bit of the first byte of the byte string (octet string). | the high bit of the first byte of the byte string (octet string). | |||

3. Key Generation from Pass Phrases | 3. Key Derivation Function | |||

The pseudorandom function used by PBKDF2 will be the SHA-256 or SHA- | ||||

384 HMAC of the passphrase and salt. If the enctype is "aes128-cts- | ||||

hmac-sha256-128", then HMAC-SHA-256 is used as the PRF. If the | ||||

enctype is "aes256-cts-hmac-sha384-192", then HMAC-SHA-384 is used as | ||||

the PRF. | ||||

The final key derivation step uses the algorithm KDF-HMAC-SHA2 | ||||

defined below in Section 4. | ||||

If no string-to-key parameters are specified, the default number of | ||||

iterations is raised to 32,768. | ||||

To ensure that different long-term keys are used with different | ||||

enctypes, we prepend the enctype name to the salt string, separated | ||||

by a null byte. The enctype name is "aes128-cts-hmac-sha256-128" or | ||||

"aes256-cts-hmac-sha384-192" (without the quotes). The user's long- | ||||

term key is derived as follows | ||||

saltp = enctype-name | 0x00 | salt | ||||

tkey = random-to-key(PBKDF2(passphrase, saltp, | ||||

iter_count, keylength)) | ||||

key = KDF-HMAC-SHA2(tkey, "kerberos") where "kerberos" is the | ||||

byte string {0x6b65726265726f73}. | ||||

where the pseudorandom function used by PBKDF2 is HMAC-SHA-256 when | ||||

the enctype is "aes128-cts-hmac-sha256-128" and HMAC-SHA-384 when the | ||||

enctype is "aes256-cts-hmac-sha384-192", the value for keylength is | ||||

the AES key length, and the algorithm KDF-HMAC-SHA2 is defined in | ||||

Section 4. | ||||

4. Key Derivation Function | ||||

We use a key derivation function from Section 5.1 of [SP800-108] | We use a key derivation function from Section 5.1 of [SP800-108] | |||

which uses the HMAC algorithm as the PRF. The counter i is expressed | which uses the HMAC algorithm as the PRF. The counter i is expressed | |||

as four octets in big-endian order. The length of the output key in | as four octets in big-endian order. The length of the output key in | |||

bits (denoted as k) is also represented as four octets in big-endian | bits (denoted as k) is also represented as four octets in big-endian | |||

order. The "Label" input to the KDF is the usage constant supplied | order. The "Label" input to the KDF is the usage constant supplied | |||

to the key derivation function, and the "Context" input is null. | to the key derivation function, and the "Context" input is null. | |||

Each application of the KDF only requires a single iteration of the | Each application of the KDF only requires a single iteration of the | |||

PRF, so n = 1 in the notation of [SP800-108]. | PRF, so n = 1 in the notation of [SP800-108]. | |||

In the following summary, | indicates concatenation. The random-to- | In the following summary, | indicates concatenation. The random-to- | |||

key function is the identity function, as defined in Section 3. The | key function is the identity function. The k-truncate function is | |||

k-truncate function is defined in [RFC3961], Section 5.1. | defined in [RFC3961], Section 5.1. | |||

When the encryption type is aes128-cts-hmac-sha256-128, the output | When the encryption type is aes128-cts-hmac-sha256-128, the output | |||

key length k is 128 bits for all applications of KDF-HMAC-SHA2(key, | key length k is 128 bits for all applications of KDF-HMAC-SHA2(key, | |||

constant) which is computed as follows: | constant) which is computed as follows: | |||

K1 = HMAC-SHA-256(key, 00 00 00 01 | constant | 0x00 | 00 00 00 80) | K1 = HMAC-SHA-256(key, 00 00 00 01 | constant | 00 | 00 00 00 80) | |||

KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) | KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) | |||

When the encryption type is aes256-cts-hmac-sha384-192, the output | When the encryption type is aes256-cts-hmac-sha384-192, the output | |||

key length k is 256 bits when computing the base-key and Ke, and the | key length k is 256 bits when deriving the base-key (from a | |||

output key length k is 192 bits when deriving Kc and Ki. KDF-HMAC- | passphrase as described in Section 4) and Ke, and the output key | |||

SHA2(key, constant) is computed as follows: | length k is 192 bits when deriving Kc and Ki. KDF-HMAC-SHA2(key, | |||

constant) is computed as follows: | ||||

If deriving Kc or Ki (the constant ends with 0x99 or 0x55): | If deriving Kc or Ki (the constant ends with 0x99 or 0x55): | |||

k = 192 | k = 192 | |||

K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 0x00 | 00 00 00 C0) | K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 00 C0) | |||

KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) | KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) | |||

Otherwise (if deriving Ke or deriving the base-key from a | If deriving the base-key (the constant is "kerberos", the byte | |||

passphrase as described in Section 3): | string 0x6B65726265726F73) or Ke (the constant ends with 0xAA): | |||

k = 256 | k = 256 | |||

K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 0x00 | 00 00 01 00) | K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 01 00) | |||

KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) | KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) | |||

The constants used for key derivation are the same as those used in | 4. Key Generation from Pass Phrases | |||

the simplified profile. | ||||

5. Kerberos Algorithm Protocol Parameters | ||||

In cases where the plaintext length is greater than the block size: | PBKDF2 [RFC2898] is used to derive the base-key from a passphrase | |||

and salt. | ||||

Each encryption will use a 16-octet nonce generated at random by | If no string-to-key parameters are specified, the default number of | |||

the message originator. The initialization vector (IV) used by | iterations is 32,768. | |||

AES is obtained by xoring the random nonce with the cipherstate. | ||||

The ciphertext is the concatenation of the random nonce, the | To ensure that different long-term base-keys are used with | |||

output of AES in CBC-CS3 mode, and the HMAC of the nonce | different enctypes, we prepend the enctype name to the salt, | |||

concatenated with the AES output. The HMAC is computed using | separated by a null byte. The enctype-name is "aes128-cts-hmac- | |||

either SHA-256 or SHA-384. The output of SHA-256 is truncated to | sha256-128" or "aes256-cts-hmac-sha384-192" (without the quotes). | |||

128 bits and the output of SHA-384 is truncated to 192 bits. | The user's long-term base-key is derived as follows | |||

Sample test vectors are given in Appendix A. | ||||

Decryption is performed by removing the HMAC, verifying the HMAC | saltp = enctype-name | 0x00 | salt | |||

against the remainder, and then decrypting the remainder if the | tkey = random-to-key(PBKDF2(passphrase, saltp, | |||

HMAC is correct. | iter_count, keylength)) | |||

base-key = KDF-HMAC-SHA2(tkey, "kerberos") where "kerberos" is the | ||||

byte string {0x6B65726265726F73}. | ||||

In cases where the plaintext length is less than or equal to the | where the pseudorandom function used by PBKDF2 is HMAC-SHA-256 when | |||

block size, a different algorithm is specified. | the enctype is "aes128-cts-hmac-sha256-128" and HMAC-SHA-384 when the | |||

enctype is "aes256-cts-hmac-sha384-192", the value for keylength is | ||||

the AES key length (128 or 256 bits), and the algorithm KDF-HMAC-SHA2 | ||||

is defined in Section 3. | ||||

Each encryption will use a 16-octet nonce generated at random by | 5. Kerberos Algorithm Protocol Parameters | |||

the message originator. The initialization vector (IV) used by | ||||

AES is obtained by xoring the random nonce with the cipherstate. | ||||

The plaintext is padded with zeros so the length of the result is | The cipherstate is used as the formal initialization vector (IV) | |||

one block length (no zeros are added if the plaintext length | input into CBC-CS3. The plaintext is prepended with a 16-octet | |||

equals the block length). The padded plaintext is xored with the | random nonce generated by the message originator, known as a | |||

IV, then encrypted using AES in ECB mode. The output of AES is | confounder. | |||

split into two parts, so that the length of the first part equals | ||||

the length of the unpadded plaintext. The nonce is also split | ||||

into two parts, so that the length of the first part equals the | ||||

length of the unpadded plaintext. | ||||

The ciphertext is the concatenation of the first part of the | The ciphertext is a concatenation of the output of AES in CBC-CS3 | |||

random nonce, the second part of the AES output followed by the | mode and the HMAC of the cipherstate concatenated with the AES | |||

first part of the AES output, and the HMAC of the concatenation of | output. The HMAC is computed using either SHA-256 or SHA-384 | |||

the first part of the random nonce, the second part of the AES | depending on the encryption type. The output of HMAC-SHA-256 is | |||

output followed by the first part of the AES output. The HMAC is | truncated to 128 bits and the output of HMAC-SHA-384 is truncated to | |||

computed using either SHA-256 or SHA-384. The output of SHA-256 | 192 bits. Sample test vectors are given in Appendix A. | |||

is truncated to 128 bits and the output of SHA-384 is truncated to | ||||

192 bits. Sample test vectors are given in Appendix A. | ||||

Decryption is performed by first removing the HMAC, and verifying | Decryption is performed by removing the HMAC, verifying the HMAC | |||

the HMAC against the remainder. If the HMAC is correct, separate | against the cipherstate concatenated with the ciphertext, and then | |||

the remainder into N' and C' by taking the first 16 bytes as N', | decrypting the ciphertext if the HMAC is correct. Finally, the first | |||

and the following bytes as C'. Split N' into two parts, so that | 16 octets of the decryption output (the confounder) is discarded, and | |||

the length of the first part equals the length of C'. Decrypt the | the remainder is returned as the plaintext decryption output. | |||

concatenation of C' with the second part of N' using ECB mode to | ||||

get a value P' whose length is one block length. The nonce is | ||||

recovered by taking the concatenation of the first part of N' with | ||||

the second part of P' xored with the cipherState (where again, the | ||||

length of the first part equals the length of C'). The IV is | ||||

recovered as the nonce xored with cipherState, and the plaintext | ||||

is recovered as the first part of P' xored with the IV. | ||||

The following parameters apply to the encryption types aes128-cts- | The following parameters apply to the encryption types aes128-cts- | |||

hmac-sha256-128 and aes256-cts-hmac-sha384-192. | hmac-sha256-128 and aes256-cts-hmac-sha384-192. | |||

protocol key format: as defined in Section 2. | protocol key format: as defined in Section 2. | |||

specific key structure: three protocol-format keys: { Kc, Ke, Ki }. | specific key structure: three protocol-format keys: { Kc, Ke, Ki }. | |||

required checksum mechanism: as defined in Section 6. | required checksum mechanism: as defined in Section 6. | |||

key-generation seed length: key size (128 or 256 bits). | key-generation seed length: key size (128 or 256 bits). | |||

string-to-key function: as defined in Section 3. | string-to-key function: as defined in Section 4. | |||

default string-to-key parameters: 00 00 80 00. | default string-to-key parameters: 00 00 80 00. | |||

random-to-key function: identity function. | random-to-key function: identity function. | |||

key-derivation function: KDF-HMAC-SHA2 as defined in Section 4. The | key-derivation function: KDF-HMAC-SHA2 as defined in Section 3. The | |||

key usage number is expressed as four octets in big-endian order. | key usage number is expressed as four octets in big-endian order. | |||

Kc = KDF-HMAC-SHA2(base-key, usage | 0x99) | Kc = KDF-HMAC-SHA2(base-key, usage | 0x99) | |||

Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA) | Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA) | |||

Ki = KDF-HMAC-SHA2(base-key, usage | 0x55) | Ki = KDF-HMAC-SHA2(base-key, usage | 0x55) | |||

cipherState: a 128-bit random nonce. | cipherstate: a 128-bit CBC initialization vector. | |||

initial cipherState: all bits zero. | initial cipherstate: all bits zero. | |||

encryption function: as follows. When the plaintext length is | encryption function: as follows, where E() is AES encryption in | |||

greater than the block size, CTS mode is used. When the plaintext | CBC-CS3 mode, h is the size of truncated HMAC, and c is the AES | |||

is less than or equal to the block size, ECB mode is used. | block size. | |||

h = size of truncated HMAC | N = random nonce of length c (128 bits) | |||

E() = encryption function | IV = cipherstate | |||

D() = decryption function | C = E(Ke, N | plaintext, IV) | |||

c = block size of the encryption algorithm | H = HMAC(Ki, IV | C) | |||

L(x) = length of x | ciphertext = C | H[1..h] | |||

< = less-than operator; true == 1, false == 0 | cipherstate = next-to-last 128-bit block of C | |||

zeroblock = one block (length c) of zeros | Note: if C is only a single block, then cipherstate = C | |||

o[start:len] = sub-string operation returning the substring of | ||||

length len of string o starting at byte start | ||||

(zero-based) | ||||

encryption function: | decryption function: as follows, where D() is AES encryption in | |||

N = random nonce of length 128 bits | CBC-CS3 mode, and h is the size of truncated HMAC. | |||

IV = N XOR cipherState | ||||

if (L(P) > c) | ||||

PC = 0 | ||||

P' = P | ||||

C = E(Ke, P', IV) | ||||

// using CBC-CS3-Encrypt defined | ||||

// in [SP800-38A+] | ||||

N' = N | ||||

C' = C | ||||

else | ||||

PC = c - L(P) | ||||

P' = P | zeroblock[0:PC] | ||||

C = E(Ke, P' XOR IV) | ||||

// using ECB mode | ||||

N' = N[0:c - PC] | C[c - PC:PC] | ||||

C' = C[0:c - PC] | ||||

H = HMAC(Ki, N' | C') | ||||

ciphertext = N' | C' | H[1..h] | ||||

cipherState = N | ||||

decryption function: | (C, H) = ciphertext | |||

(N', C', H) = ciphertext | IV = cipherstate | |||

if (H != HMAC(Ki, N' | C')[1..h]) | if H != HMAC(Ki, IV | C)[1..h] | |||

stop, report error | stop, report error | |||

(N, P) = D(Ke, C, IV) | ||||

if (L(C') > c) | Note: N is set to the first block of the decryption output, | |||

// Not short-plaintext | P is set to the rest of the output. | |||

IV = N' XOR cipherState | cipherstate = next-to-last 128-bit block of C | |||

P = D(Ke, C', IV) | Note: if C is only a single block, then cipherstate = C | |||

// using CBC-CS3-Decrypt defined | ||||

// in [SP800-38A+] | ||||

cipherState = N' | ||||

stop, output P, success | ||||

else | ||||

// Short plaintext | ||||

PC = c - L(C') | ||||

C = C' | N'[c - PC:PC] | ||||

P' = D(Ke, C) | ||||

// using ECB mode | ||||

// P' here == (P | zeroblock[0:PC]) XOR IV | ||||

// so IV[c - PC:PC] == P'[c - PC:PC] | ||||

// In the non-short-pt case we'd recover | ||||

// IV as N XOR cipherState, but here we only know | ||||

// a head of N and tail of IV. | ||||

N = N'[0:c -PC] | (P' XOR cipherState)[c - PC:PC] | ||||

IV = N XOR cipherState | ||||

P = (P' XOR IV)[0:PC] | ||||

cipherState = N | ||||

stop, output P, success | ||||

pseudo-random function: | pseudo-random function: | |||

Kp = KDF-HMAC-SHA2(protocol-key, "prf") | Kp = KDF-HMAC-SHA2(protocol-key, "prf") | |||

PRF = HMAC(Kp, octet-string) | PRF = HMAC(Kp, octet-string) | |||

6. Checksum Parameters | 6. Checksum Parameters | |||

The following parameters apply to the checksum types hmac-sha256-128- | The following parameters apply to the checksum types hmac-sha256-128- | |||

aes128 and hmac-sha384-192-aes256, which are the associated checksums | aes128 and hmac-sha384-192-aes256, which are the associated checksums | |||

for aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192, | for aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192, | |||

respectively. | respectively. | |||

associated cryptosystem: AES-128-CTS or AES-256-CTS as appropriate | associated cryptosystem: AES-128-CTS or AES-256-CTS as appropriate. | |||

get_mic: HMAC(Kc, message)[1..h] | get_mic: HMAC(Kc, message)[1..h]. | |||

verify_mic: get_mic and compare | verify_mic: get_mic and compare. | |||

7. IANA Considerations | 7. IANA Considerations | |||

IANA is requested to assign: | IANA is requested to assign: | |||

Encryption type numbers for aes128-cts-hmac-sha256-128 and | Encryption type numbers for aes128-cts-hmac-sha256-128 and | |||

aes256-cts-hmac-sha384-192 in the Kerberos Encryption Type Numbers | aes256-cts-hmac-sha384-192 in the Kerberos Encryption Type Numbers | |||

registry. | registry. | |||

Etype encryption type Reference | Etype encryption type Reference | |||

skipping to change at page 9, line 31 | skipping to change at page 7, line 31 | |||

Sumtype Checksum type Size Reference | Sumtype Checksum type Size Reference | |||

------- ------------- ---- --------- | ------- ------------- ---- --------- | |||

TBD3 hmac-sha256-128-aes128 16 [this document] | TBD3 hmac-sha256-128-aes128 16 [this document] | |||

TBD4 hmac-sha384-192-aes256 24 [this document] | TBD4 hmac-sha384-192-aes256 24 [this document] | |||

8. Security Considerations | 8. Security Considerations | |||

This specification requires implementations to generate random | This specification requires implementations to generate random | |||

values. The use of inadequate pseudo-random number generators | values. The use of inadequate pseudo-random number generators | |||

(PRNGs) can result in little or no security. The generation of | (PRNGs) can result in little or no security. The generation of | |||

quality random numbers is difficult. NIST Special Publication 800-90 | quality random numbers is difficult. [RFC4086] offers random number | |||

[SP800-90] and [RFC4086] offer random number generation guidance. | generation guidance. | |||

This document specifies a mechanism for generating keys from pass | This document specifies a mechanism for generating keys from pass | |||

phrases or passwords. The salt and iteration count resist brute | phrases or passwords. The salt and iteration count resist brute | |||

force and dictionary attacks, however, it is still important to | force and dictionary attacks, however, it is still important to | |||

choose or generate strong passphrases. | choose or generate strong passphrases. | |||

NIST guidance in section 5.3 of [SP800-38A] requires CBC | ||||

initialization vectors be unpredictable. This specification does not | ||||

formally comply with that guidance. However, the use of a confounder | ||||

as the first block of plaintext fills the cryptographic role | ||||

typically played by an initialization vector. This approach was | ||||

chosen to align with other Kerberos cryptosystem approaches. | ||||

8.1. Random Values in Salt Strings | 8.1. Random Values in Salt Strings | |||

NIST guidance in Section 5.1 of [SP800-132] requires the salt used as | NIST guidance in Section 5.1 of [SP800-132] requires the salt used as | |||

input to the PBKDF to contain at least 128 bits of random. Some | input to the PBKDF to contain at least 128 bits of random. Some | |||

known issues with including random values in Kerberos encryption type | known issues with including random values in Kerberos encryption type | |||

salt strings are: | salt strings are: | |||

* Cross-realm TGTs are currently managed by entering the same | * Cross-realm TGTs are currently managed by entering the same | |||

password at two KDCs to get the same keys. If each KDC uses a | password at two KDCs to get the same keys. If each KDC uses a | |||

random salt, they won't have the same keys. | random salt, they won't have the same keys. | |||

* The string-to-key function as defined in [RFC3961] requires the | * The string-to-key function as defined in [RFC3961] requires the | |||

salt to be valid UTF-8 strings. Not every 128-bit random string | salt to be valid UTF-8 strings. Not every 128-bit random string | |||

will be valid UTF-8. | will be valid UTF-8. | |||

* Current implementations of password history checking will not | * Current implementations of password history checking will not | |||

work. | work. | |||

* ktutil's add_entry command assumes the default salt. | * ktutil's add_entry command assumes the default salt. | |||

9. References | 9. Acknowledgements | |||

9.1. Normative References | Kelley Burgin was employed at the National Security Agency during | |||

much of the work on this document. | ||||

10. References | ||||

10.1. Normative References | ||||

[RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography | ||||

Specification Version 2.0", RFC 2898, September 2000. | ||||

[RFC3961] Raeburn, K., "Encryption and Checksum Specifications for | [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for | |||

Kerberos 5", RFC 3961, February 2005. | Kerberos 5", RFC 3961, February 2005. | |||

[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, | [RFC3962] Raeburn, K., "Advanced Encryption Standard (AES) | |||

"Randomness Requirements for Security", BCP 106, | Encryption for Kerberos 5", RFC 3962, February 2005. | |||

RFC 4086, June 2005. | ||||

[FIPS197] National Institute of Standards and Technology, | [FIPS197] National Institute of Standards and Technology, | |||

"Advanced Encryption Standard (AES)", FIPS PUB 197, | "Advanced Encryption Standard (AES)", FIPS PUB 197, | |||

November 2001. | November 2001. | |||

9.2. Informative References | ||||

[SP800-38A+] National Institute of Standards and Technology, | [SP800-38A+] National Institute of Standards and Technology, | |||

"Recommendation for Block Cipher Modes of Operation: | "Recommendation for Block Cipher Modes of Operation: | |||

Three Variants of Ciphertext Stealing for CBC Mode", | Three Variants of Ciphertext Stealing for CBC Mode", | |||

Addendum to NIST Special Publication 800-38A, October | NIST Special Publication 800-38A Addendum, October 2010. | |||

2010. | ||||

[SP800-90] National Institute of Standards and Technology, | ||||

Recommendation for Random Number Generation Using | ||||

Deterministic Random Bit Generators (Revised), NIST | ||||

Special Publication 800-90, March 2007. | ||||

[SP800-108] National Institute of Standards and Technology, | [SP800-108] National Institute of Standards and Technology, | |||

"Recommendation for Key Derivation Using Pseudorandom | "Recommendation for Key Derivation Using Pseudorandom | |||

Functions", NIST Special Publication 800-108, October | Functions", NIST Special Publication 800-108, October | |||

2009. | 2009. | |||

10.2. Informative References | ||||

[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, | ||||

"Randomness Requirements for Security", BCP 106, RFC | ||||

4086, June 2005. | ||||

[SP800-38A] National Institute of Standards and Technology, | ||||

"Recommendation for Block Cipher Modes of Operation: | ||||

Methods and Techniques", NIST Special Publication | ||||

800-38A, December 2001. | ||||

[SP800-132] National Institute of Standards and Technology, | [SP800-132] National Institute of Standards and Technology, | |||

"Recommendation for Password-Based Key Derivation, Part | "Recommendation for Password-Based Key Derivation, Part | |||

1: Storage Applications", NIST Special Publication 800- | 1: Storage Applications", NIST Special Publication 800- | |||

132, June 2010. | 132, June 2010. | |||

[suiteb-kerberos] | ||||

Burgin, K. and K. Igoe, "Suite B Profile for | ||||

Kerberos 5", internet-draft draft-burgin-kerberos- | ||||

suiteb-01, 2012. | ||||

Appendix A. Test Vectors | Appendix A. Test Vectors | |||

Sample results for string-to-key conversion: | Sample results for string-to-key conversion: | |||

-------------------------------------------- | -------------------------------------------- | |||

Iteration count = 32768 | Iteration count = 32768 | |||

Pass phrase = "password" | Pass phrase = "password" | |||

Saltp for creating 128-bit master key: | Saltp for creating 128-bit base-key: | |||

61 65 73 31 32 38 2D 63 74 73 2D 68 6D 61 63 2D | 61 65 73 31 32 38 2D 63 74 73 2D 68 6D 61 63 2D | |||

73 68 61 32 35 36 2D 31 32 38 00 10 DF 9D D7 83 | 73 68 61 32 35 36 2D 31 32 38 00 10 DF 9D D7 83 | |||

E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E | E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E | |||

41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E | 41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E | |||

(The saltp is "aes128-cts-hmac-sha256-128" | 0x00 | | (The saltp is "aes128-cts-hmac-sha256-128" | 0x00 | | |||

random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn") | random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn") | |||

128-bit master key: | 128-bit base-key: | |||

3C 44 03 85 28 06 BF 5C EE E6 36 48 6C 29 2F D6 | 08 9B CA 48 B1 05 EA 6E A7 7C A5 D2 F3 9D C5 E7 | |||

Saltp for creating 256-bit master key: | Saltp for creating 256-bit base-key: | |||

61 65 73 32 35 36 2D 63 74 73 2D 68 6D 61 63 2D | 61 65 73 32 35 36 2D 63 74 73 2D 68 6D 61 63 2D | |||

73 68 61 33 38 34 2D 31 39 32 00 10 DF 9D D7 83 | 73 68 61 33 38 34 2D 31 39 32 00 10 DF 9D D7 83 | |||

E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E | E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E | |||

41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E | 41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E | |||

(The saltp is "aes256-cts-hmac-sha384-192" | 0x00 | | (The saltp is "aes256-cts-hmac-sha384-192" | 0x00 | | |||

random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn") | random 16 byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn") | |||

256-bit master key: | 256-bit base-key: | |||

53 96 0C AF 44 D5 57 4D FF 4D 44 37 38 75 22 B0 | 45 BD 80 6D BF 6A 83 3A 9C FF C1 C9 45 89 A2 22 | |||

7F 5B 02 5C 5E 65 BF EF 29 C2 B4 28 98 3B 37 08 | 36 7A 79 BC 21 C4 13 71 89 06 E9 F5 78 A7 84 67 | |||

Sample results for key derivation: | Sample results for key derivation: | |||

---------------------------------- | ---------------------------------- | |||

enctype aes128-cts-hmac-sha256-128: | enctype aes128-cts-hmac-sha256-128: | |||

128-bit master key: | 128-bit base-key: | |||

37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C | 37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C | |||

Kc value for key usage 2 (constant = 0x0000000299): | Kc value for key usage 2 (constant = 0x0000000299): | |||

B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3 | B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3 | |||

Ke value for key usage 2 (constant = 0x00000002AA): | Ke value for key usage 2 (constant = 0x00000002AA): | |||

9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E | 9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E | |||

Ki value for key usage 2 (constant = 0x0000000255): | Ki value for key usage 2 (constant = 0x0000000255): | |||

9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C | 9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C | |||

enctype aes256-cts-hmac-sha384-192: | enctype aes256-cts-hmac-sha384-192: | |||

256-bit master key: | 256-bit base-key: | |||

6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98 | 6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98 | |||

00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52 | 00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52 | |||

Kc value for key usage 2 (constant = 0x0000000299): | Kc value for key usage 2 (constant = 0x0000000299): | |||

EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4 | EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4 | |||

BA 41 F2 8F AF 69 E7 3D | BA 41 F2 8F AF 69 E7 3D | |||

Ke value for key usage 2 (constant = 0x00000002AA): | Ke value for key usage 2 (constant = 0x00000002AA): | |||

56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7 | 56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7 | |||

A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49 | A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49 | |||

Ki value for key usage 2 (constant = 0x0000000255): | Ki value for key usage 2 (constant = 0x0000000255): | |||

69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6 | 69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6 | |||

22 C4 D0 0F FC 23 ED 1F | 22 C4 D0 0F FC 23 ED 1F | |||

Sample encryptions (using the default cipher state): | Sample encryptions (all using the default cipher state): | |||

---------------------------------------------------- | ---------------------------------------------------- | |||

The following test vectors are for | ||||

enctype aes128-cts-hmac-sha256-128: | ||||

Plaintext: (empty) | ||||

Confounder: | ||||

7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48 | ||||

128-bit AES key: | 128-bit AES key: | |||

2B 7E 15 16 28 AE D2 A6 AB F7 15 88 09 CF 4F 3C | 9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E | |||

128-bit HMAC key: | 128-bit HMAC key: | |||

67 C3 31 A4 D7 AB 52 EF 3A A9 73 E0 39 AD D3 32 | 9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C | |||

Nonce: | AES Output: | |||

7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48 | EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D | |||

Truncated HMAC Output: | ||||

AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18 | ||||

Ciphertext (AES Output | HMAC Output): | ||||

EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D | ||||

AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18 | ||||

Plaintext: (length less than block size) | Plaintext: (length less than block size) | |||

49 6E 63 6F 6E 63 65 69 76 61 62 6C 65 | 00 01 02 03 04 05 | |||

Confounder: | ||||

7B CA 28 5E 2F D4 13 0F B5 5B 1A 5C 83 BC 5B 24 | ||||

128-bit AES key: | ||||

4E FD A6 52 4E 6B 56 B4 F2 12 61 FB FC 93 21 AB | ||||

128-bit HMAC key: | ||||

29 1B 0C 37 73 D7 6E E6 BA 2C CF 1E 03 93 F6 3E | ||||

AES Output: | AES Output: | |||

1C 17 3E AD FC 67 C8 BC B3 A5 93 02 98 CB FC 60 | AB 70 F4 BA 9D 76 55 AF 24 B5 76 E4 6E FB 7A 98 | |||

HMAC Output (truncated): | F1 4B 93 65 9D 1B | |||

35 E8 32 B2 EB F4 6A 46 C2 E6 50 D2 50 AB 84 43 | Truncated HMAC Output: | |||

Ciphertext: (Nonce* | AES Output** | Truncated HMAC Output) | A0 C5 F4 7C AA 84 42 19 F9 08 AD ED EF 52 5B 71 | |||

7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 CB FC 60 | Ciphertext: | |||

1C 17 3E AD FC 67 C8 BC B3 A5 93 02 98 35 E8 32 | AB 70 F4 BA 9D 76 55 AF 24 B5 76 E4 6E FB 7A 98 | |||

B2 EB F4 6A 46 C2 E6 50 D2 50 AB 84 43 | F1 4B 93 65 9D 1B A0 C5 F4 7C AA 84 42 19 F9 08 | |||

AD ED EF 52 5B 71 | ||||

* Only the first 13 bytes of Nonce are sent. | Plaintext: (length equals block size) | |||

** The AES Output is split and rearranged as described in Section 5 | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||

since the plaintext length is less than the block size. | Confounder: | |||

56 AB 21 71 3F F6 2C 0A 14 57 20 0F 6F A9 94 8F | ||||

128-bit AES key: | ||||

FF 82 40 42 4B CC BA 05 56 50 C0 39 3B 83 DF 3B | ||||

128-bit HMAC key: | ||||

ED 15 62 8B 45 35 8C BF 7F 50 E7 64 C2 6B 8A 1A | ||||

AES Output: | ||||

E7 34 8E 74 86 E5 A7 87 0F 51 2E 65 CA C8 65 75 | ||||

78 26 FF C0 EA 5B 28 A8 B9 60 8B B3 08 CD E2 CC | ||||

Truncated HMAC Output: | ||||

C1 85 4E F2 F3 4D 02 35 4E C7 AA 53 BE 03 BE D5 | ||||

Ciphertext: | ||||

E7 34 8E 74 86 E5 A7 87 0F 51 2E 65 CA C8 65 75 | ||||

78 26 FF C0 EA 5B 28 A8 B9 60 8B B3 08 CD E2 CC | ||||

C1 85 4E F2 F3 4D 02 35 4E C7 AA 53 BE 03 BE D5 | ||||

Plaintext: (length greater than block size) | ||||

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ||||

10 11 12 13 14 | ||||

Confounder: | ||||

A7 A4 E2 9A 47 28 CE 10 66 4F B6 4E 49 AD 3F AC | ||||

128-bit AES key: | 128-bit AES key: | |||

2B 7E 15 16 28 AE D2 A6 AB F7 15 88 09 CF 4F 3C | B5 9B 88 75 AD 5D CA FF F7 79 4D 93 F8 19 9D 79 | |||

128-bit HMAC key: | 128-bit HMAC key: | |||

67 C3 31 A4 D7 AB 52 EF 3A A9 73 E0 39 AD D3 32 | 0A 42 1D 72 2F 8F C2 D6 84 8B 1C DA D1 5A 49 C9 | |||

Nonce: | ||||

7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48 | ||||

Plaintext: (length equals block size) | ||||

67 61 73 74 72 6F 69 6E 74 65 73 74 69 6E 61 6C | ||||

AES Output: | AES Output: | |||

F6 71 0B 75 0C 60 65 E8 2E BF F8 9D DC E0 C9 B9 | C3 53 72 86 FF 9C FE 49 8D 2E FC FC 99 6D AC 2D | |||

HMAC Output (truncated): | 52 CA 56 03 B3 E8 68 EA 1E 9C 54 E8 2A E5 CE 7A | |||

7B 2C D9 70 E6 DF 18 F5 E0 3D 8B 8E 40 02 F4 C0 | 79 3E 21 09 7D | |||

Ciphertext: (Nonce | AES Output | Truncated HMAC Output) | Truncated HMAC Output: | |||

7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48 | 5B 03 5D 78 A7 E9 84 75 EC 91 0C E3 7A A0 2A 7D | |||

F6 71 0B 75 0C 60 65 E8 2E BF F8 9D DC E0 C9 B9 | Ciphertext: | |||

7B 2C D9 70 E6 DF 18 F5 E0 3D 8B 8E 40 02 F4 C0 | C3 53 72 86 FF 9C FE 49 8D 2E FC FC 99 6D AC 2D | |||

52 CA 56 03 B3 E8 68 EA 1E 9C 54 E8 2A E5 CE 7A | ||||

79 3E 21 09 7D 5B 03 5D 78 A7 E9 84 75 EC 91 0C | ||||

E3 7A A0 2A 7D | ||||

The following test vectors are for enctype | ||||

aes256-cts-hmac-sha384-192: | ||||

Plaintext: (empty) | ||||

Confounder: | ||||

F7 64 E9 FA 15 C2 76 47 8B 2C 7D 0C 4E 5F 58 E4 | ||||

256-bit AES key: | 256-bit AES key: | |||

60 3D EB 10 15 CA 71 BE 2B 73 AE F0 85 7D 77 81 | 0F A2 0D 7D 03 33 EE 65 16 2C DA 67 E7 AD 0D 3C | |||

1F 35 2C 07 3B 61 08 D7 2D 98 10 A3 09 14 DF F4 | 5E 03 1F 3B 66 70 E0 31 28 2F AC C2 87 9C 21 C7 | |||

192-bit HMAC key: | 192-bit HMAC key: | |||

37 16 14 EB 62 24 E1 F0 C4 72 6E E6 BE A7 A3 D2 | 53 BF 30 6A 68 33 A3 25 18 FC B8 5F 63 1D 03 D5 | |||

F4 62 C6 AC 66 42 A6 AC | 2E E3 1B 39 75 2F 57 ED | |||

Nonce: | ||||

7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48 | ||||

Plaintext: (length less than block size) | ||||

49 6E 63 6F 6E 63 65 69 76 61 62 6C 65 | ||||

AES Output: | AES Output: | |||

BD AE EC 5C F9 C9 B6 3C 9D DB A2 B7 9D 5C 6C 0B | FE 6A 55 14 F3 99 7C 8C AA F2 2D 8E EE 28 6D 7D | |||

HMAC Output (truncated): | Truncated HMAC Output: | |||

65 D4 C7 07 8E 14 65 8B C9 B3 C4 EA F5 F7 C2 6F | 81 1E AD AE DA 7F B9 75 AD 96 C0 07 5A 98 83 F9 | |||

ED 36 AC 7A CD 59 19 2B | AC 3A AB 06 97 FC E8 5A | |||

Ciphertext: (Nonce* | AES Output* | Truncated HMAC Output) | Ciphertext: | |||

7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 5C 6C 0B | FE 6A 55 14 F3 99 7C 8C AA F2 2D 8E EE 28 6D 7D | |||

BD AE EC 5C F9 C9 B6 3C 9D DB A2 B7 9D 65 D4 C7 | 81 1E AD AE DA 7F B9 75 AD 96 C0 07 5A 98 83 F9 | |||

07 8E 14 65 8B C9 B3 C4 EA F5 F7 C2 6F ED 36 AC | AC 3A AB 06 97 FC E8 5A | |||

7A CD 59 19 2B | ||||

* Only the first 13 bytes of Nonce are sent. | ||||

** The AES Output is split and rearranged as described in Section 5 | ||||

since the plaintext length is less than the block size. | ||||

Plaintext: (length less than block size) | ||||

00 01 02 03 04 05 | ||||

Confounder: | ||||

B8 0D 32 51 C1 F6 47 14 94 25 6F FE 71 2D 0B 9A | ||||

256-bit AES key: | 256-bit AES key: | |||

60 3D EB 10 15 CA 71 BE 2B 73 AE F0 85 7D 77 81 | 47 DA 4C A2 8B D1 C1 14 D5 50 7E 55 81 86 CA 4F | |||

1F 35 2C 07 3B 61 08 D7 2D 98 10 A3 09 14 DF F4 | DB A0 DA E5 B2 4F 6D 68 89 D5 3A FB F1 D0 B8 36 | |||

192-bit HMAC key: | 192-bit HMAC key: | |||

37 16 14 EB 62 24 E1 F0 C4 72 6E E6 BE A7 A3 D2 | 13 6B 5C 83 C9 53 AE 29 E2 C2 31 6A 7B 34 B8 C2 | |||

F4 62 C6 AC 66 42 A6 AC | AD 26 E4 66 7F AB 42 6E | |||

Nonce: | ||||

7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48 | ||||

Plaintext: (length equals block size) | ||||

67 61 73 74 72 6F 69 6E 74 65 73 74 69 6E 61 6C | ||||

AES Output: | AES Output: | |||

5D E5 49 BE D6 50 23 18 78 8F 14 D2 E1 17 E0 5A | 14 78 CF 26 BA 5E 7D 3A 9D C7 99 7A 80 10 76 2C | |||

HMAC Output (truncated): | 74 3B D4 BC 22 EC | |||

2C EA DF D5 B0 60 38 DE A9 22 29 2D 7C 56 50 10 | Truncated HMAC Output: | |||

C5 D6 D2 8D F6 21 E9 7A | 17 2A B2 BB 12 B0 0D BE C2 BF E6 29 CF DD 62 EC | |||

Ciphertext: (Nonce | AES Output | Truncated HMAC Output) | 3E 45 83 8F A9 FB AE 6E | |||

7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48 | Ciphertext: | |||

5D E5 49 BE D6 50 23 18 78 8F 14 D2 E1 17 E0 5A | 14 78 CF 26 BA 5E 7D 3A 9D C7 99 7A 80 10 76 2C | |||

2C EA DF D5 B0 60 38 DE A9 22 29 2D 7C 56 50 10 | 74 3B D4 BC 22 EC 17 2A B2 BB 12 B0 0D BE C2 BF | |||

C5 D6 D2 8D F6 21 E9 7A | E6 29 CF DD 62 EC 3E 45 83 8F A9 FB AE 6E | |||

128-bit AES key: | ||||

9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E | ||||

128-bit HMAC key: | Plaintext: (length equals block size) | |||

9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C | ||||

Nonce: | ||||

8D 32 50 F6 36 AB 81 02 BE 6F AB 1E 57 D8 F8 17 | ||||

Plaintext: (length greater than the block size) | ||||

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||

10 11 12 13 14 | ||||

AES Output: | ||||

13 64 FB 39 DC C0 E3 D9 83 A7 DB 5B 4B 9F FB CA | ||||

42 F6 65 88 29 | ||||

HMAC Output (truncated): | ||||

F2 1F C8 95 75 AE 93 C7 57 18 AB 3C 7C FB 28 E1 | ||||

Ciphertext: (Nonce | AES Output | HMAC Output) | ||||

8D 32 50 F6 36 AB 81 02 BE 6F AB 1E 57 D8 F8 17 | ||||

13 64 FB 39 DC C0 E3 D9 83 A7 DB 5B 4B 9F FB CA | ||||

42 F6 65 88 29 F2 1F C8 95 75 AE 93 C7 57 18 AB | ||||

3C 7C FB 28 E1 | ||||

Confounder: | ||||

53 BF 8A 0D 10 52 65 D4 E2 76 42 86 24 CE 5E 63 | ||||

256-bit AES key: | 256-bit AES key: | |||

56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7 | 5E A6 16 D8 FD A2 33 F1 B4 99 79 A4 B9 FA 01 D3 | |||

A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49 | 21 B1 3D 6F BD 6E 3B B7 2E 54 B4 85 E2 36 AF 23 | |||

192-bit HMAC key: | 192-bit HMAC key: | |||

69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6 | AD D3 8D C9 86 83 C5 CC 14 E3 C7 37 EA A7 06 47 | |||

22 C4 D0 0F FC 23 ED 1F | B3 19 71 0E 87 6A 38 77 | |||

Nonce: | AES Output: | |||

8D 32 50 F6 36 AB 81 02 BE 6F AB 1E 57 D8 F8 17 | B6 0B 6A A6 00 C2 D8 4B 03 A6 1C 18 DD A7 05 F0 | |||

Plaintext: (length greater than the block size) | FE 90 B9 36 B8 8C 4F EA 06 D7 1A 99 35 75 28 60 | |||

Truncated HMAC Output: | ||||

2F E5 BD 6E 41 78 17 D6 2A D2 C9 CF 50 8D FA E1 | ||||

B3 C9 6F 4B 45 C1 9B 77 | ||||

Ciphertext: | ||||

B6 0B 6A A6 00 C2 D8 4B 03 A6 1C 18 DD A7 05 F0 | ||||

FE 90 B9 36 B8 8C 4F EA 06 D7 1A 99 35 75 28 60 | ||||

2F E5 BD 6E 41 78 17 D6 2A D2 C9 CF 50 8D FA E1 | ||||

B3 C9 6F 4B 45 C1 9B 77 | ||||

Plaintext: (length greater than block size) | ||||

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||

10 11 12 13 14 | 10 11 12 13 14 | |||

Confounder: | ||||

76 3E 65 36 7E 86 4F 02 F5 51 53 C7 E3 B5 8A F1 | ||||

256-bit AES key: | ||||

B3 A8 02 E3 40 61 3E F1 E0 EC E9 1A 15 7C 59 12 | ||||

6F BD C4 B8 C2 4C 8D 0B 2E 5A 30 F0 1E 7E 34 88 | ||||

192-bit HMAC key: | ||||

FC 0B 49 9B 83 55 A3 2A C3 C9 AC B6 64 93 63 EB | ||||

5D BB A4 25 1A 75 B2 0A | ||||

AES Output: | AES Output: | |||

50 CB FF DC DF 38 69 D7 0B EA FF C3 2C 47 0B C6 | 4C F9 8B 5E DA 0D 94 9F B3 8E CD 67 DE 80 0F 79 | |||

5B 72 C3 37 2D | 46 19 F9 EA CB 30 54 33 50 6B 9A D4 48 4B D9 5B | |||

HMAC Output (truncated): | E0 55 F5 69 EB | |||

6E D7 B3 47 E9 0B BD 8F 31 F5 79 58 F9 69 50 BA | Truncated HMAC Output: | |||

A1 41 64 6E 65 6C F6 7C | 7C F8 36 70 75 8C BF DA 31 3C FE F8 74 2B 11 74 | |||

Ciphertext: (Nonce | AES Output | HMAC Output) | 14 A7 DD 12 B4 96 64 2E | |||

8D 32 50 F6 36 AB 81 02 BE 6F AB 1E 57 D8 F8 17 | Ciphertext: | |||

50 CB FF DC DF 38 69 D7 0B EA FF C3 2C 47 0B C6 | 4C F9 8B 5E DA 0D 94 9F B3 8E CD 67 DE 80 0F 79 | |||

5B 72 C3 37 2D 6E D7 B3 47 E9 0B BD 8F 31 F5 79 | 46 19 F9 EA CB 30 54 33 50 6B 9A D4 48 4B D9 5B | |||

58 F9 69 50 BA A1 41 64 6E 65 6C F6 7C | E0 55 F5 69 EB 7C F8 36 70 75 8C BF DA 31 3C FE | |||

F8 74 2B 11 74 14 A7 DD 12 B4 96 64 2E | ||||

Sample checksums: | Sample checksums: | |||

----------------- | ----------------- | |||

Checksum type: hmac-sha256-128-aes128 | Checksum type: hmac-sha256-128-aes128 | |||

128-bit master key: | 128-bit HMAC key: | |||

37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C | ||||

128-bit HMAC key (Kc, key usage 2): | ||||

B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3 | B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3 | |||

Plaintext: | Plaintext: | |||

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||

10 11 12 13 14 | 10 11 12 13 14 | |||

Checksum: | Checksum: | |||

D7 83 67 18 66 43 D6 7B 41 1C BA 91 39 FC 1D EE | D7 83 67 18 66 43 D6 7B 41 1C BA 91 39 FC 1D EE | |||

Checksum type: hmac-sha384-192-aes256 | Checksum type: hmac-sha384-192-aes256 | |||

256-bit master key: | 192-bit HMAC key: | |||

6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98 | ||||

00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52 | ||||

192-bit HMAC key (Kc, key usage 2): | ||||

EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4 | EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4 | |||

BA 41 F2 8F AF 69 E7 3D | BA 41 F2 8F AF 69 E7 3D | |||

Plaintext: | Plaintext: | |||

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||

10 11 12 13 14 | 10 11 12 13 14 | |||

Checksum: | Checksum: | |||

45 EE 79 15 67 EE FC A3 7F 4A C1 E0 22 2D E8 0D | 45 EE 79 15 67 EE FC A3 7F 4A C1 E0 22 2D E8 0D | |||

43 C3 BF A0 66 99 67 2A | 43 C3 BF A0 66 99 67 2A | |||

Authors' Addresses | Authors' Addresses | |||

Kelley W. Burgin | Michael J. Jenkins | |||

National Security Agency | National Security Agency | |||

EMail: kwburgi@tycho.ncsc.mil | EMail: mjjenki@tycho.ncsc.mil | |||

Michael A. Peck | Michael A. Peck | |||

The MITRE Corporation | The MITRE Corporation | |||

EMail: mpeck@mitre.org | EMail: mpeck@mitre.org | |||

Kelley W. Burgin | ||||

Email: kelley.burgin@gmail.com | ||||

End of changes. 91 change blocks. | ||||

346 lines changed or deleted | | 296 lines changed or added | ||

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |