Internet Draft Vladimir Popov, CRYPTO-PRO
Igor Kurepkin, CRYPTO-PRO
Expires August 15, 2004 Serguei Leontiev, CRYPTO-PRO
Intended Category: Informational February 15, 2004
Additional cryptographic algorithms for use with GOST 28147-89,
GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 algorithms.
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or made obsolete by other documents at
any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Abstract
This document describes cryprographic algorithms and parameters,
supplementary to GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001
and GOST R 34.11-94, for use in internet applications.
Table of Contents
1 Introduction . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Terminology. . . . . . . . . . . . . . . . . . . . . . . 3
2 Cipher algorithms. . . . . . . . . . . . . . . . . . . . 3
2.1 GOST 28147-89 CBC mode . . . . . . . . . . . . . . . . . 3
2.2 Key meshing algorithms . . . . . . . . . . . . . . . . . 3
3 HMAC_GOSTR3411 . . . . . . . . . . . . . . . . . . . . . 4
4 PRF_GOSTR3411. . . . . . . . . . . . . . . . . . . . . . 4
5 Key establishment algorithms . . . . . . . . . . . . . . 4
5.1 Creating exchange key using GOST R 34.10-94 keys . . . . 4
Popov,Kurepkin,Leontiev Informational [Page 1]
Internet-Draft Crypto-Pro cryptographic algorithms 15 February 2004
5.2 Creating exchange key using GOST R 34.10-2001 keys . . . 4
5.3 Generating export key from exchange key. . . . . . . . . 4
5.4 Key export using export key. . . . . . . . . . . . . . . 4
5.5 Key export using exchange key. . . . . . . . . . . . . . 4
5.6 Key Diversification. . . . . . . . . . . . . . . . . . . 4
5.7 VKO GOST R 34.10-94 and VKO GOST R 34.10-2001 algorithms 4
5.7.1 'Simple export' mode . . . . . . . . . . . . . . . . . . 4
5.7.2 'CryptoPro' mode . . . . . . . . . . . . . . . . . . . . 4
6 Algorithm parameters . . . . . . . . . . . . . . . . . . 4
6.1 Encryption algorithm parameters . . . . . . . . . . . . 4
6.2 Digest algorithm parameters. . . . . . . . . . . . . . . 4
6.3 GOST R 34.10-94 public key algorithm parameters . . . . 4
6.4 GOST R 34.10-2001 public key algorithm parameters. . . . 4
7 Security Considerations. . . . . . . . . . . . . . . . . 11
8 Appendix ASN.1 Modules . . . . . . . . . . . . . . . . . 27
9 References . . . . . . . . . . . . . . . . . . . . . . . 27
10 Acknowledgments. . . . . . . . . . . . . . . . . . . . . 29
Author's Address. . . . . . . . . . . . . . . . . . . . . . . . 29
Full Copyright Statement. . . . . . . . . . . . . . . . . . . . 30
1 Introduction
This document describes cryprographic algorithms, used in supplement
to GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001 and GOST R
34.11-94, proposed by CRYPTO-PRO Company for "Russian Cryptographic
Software Compatibility Agreement" community. GOST 28147-89, GOST R
34.10-94, GOST R 34.10-2001 and GOST R 34.11-94 are defined in
corresponding national standards - [GOST28147], [GOSTR341094],
[GOSTR34102001] and [GOSTR341194]. Their brief technical description
in english can be found in [Schneier95].
1.2 Terminology
In this document, the key words MUST, MUST NOT, REQUIRED, SHOULD,
SHOULD NOT, RECOMMENDED, and MAY are to be interpreted as described
in [RFC 2119].
The following functions and operators are also used in this document:
encryptECB (K, D) - is D, encrypted with key K using GOST 28147-89 in
"prostaya zamena" (ECB) mode
decryptECB (K, D) - is D, decrypted with key K using GOST 28147-89 in
ECB mode
encryptCFB (I, K, D) - is D, encrypted with key K using GOST 28147-89
in "gammirovanie s obratnoj svyaziyu" (64-bit CFB) mode, and I as
Popov,Kurepkin,Leontiev Informational [Page 2]
Internet-Draft Crypto-Pro cryptographic algorithms 15 February 2004
initialization vector.
encryptOFB (I, K, D) - is D, encrypted with key K using GOST 28147-89
in "gammirovanie" (64-bit OFB) mode, and I as initialization vector.
gostR3411 (D) - is the 256-bit result of GOST R 34.11-94 hash
function, used with zero intitialization vector, and UZ parameter,
defined by gostR3411CryptoProParamSetAI (see Appendix,
GostR3411-94-ParamSetSyntax module).
gost28147IMIT (I, K, D) - is the 32-bit result of GOST 28147-89 in
"imitovstavka" (MAC) mode, used with D as plaintext, K as key and I
as initialization vector. Note, that standard specifies it's use in
this mode only with zero initialization vector.
2 Cipher parameters
[GOST28147] defines only the basic cryptographic operations, which
can be used to encrypt or decrypt data. This document defines an
additional cipher mode GOST 28147-89 CBC, and key meshing algorithm,
which can be used to protect a symmetric key, when it is used to
process large amounts of data.
The cipher mode, key meshing algorithm, padding mode and S-box are
specified by algorithm parameters.
2.1 GOST 28147-89 CBC mode
Algorithm GOST 28147-89 CBC mode is a block cipher with block
chaining, based on GOST 28147-89 in ECB mode.
Before each plaintext block is encrypted, it is combined with the
cipher text of the previous block by a bitwise exclusive OR
operation. This ensures that even if the plaintext contains many
identical blocks, they will each encrypt to a different cipher text
block. The initialization vector is combined with the first
plaintext block by a bitwise exclusive OR operation before the block
is encrypted.
Let x (0 < x < 8) be the number of bytes in the last (possibly,
incomplete) block of data. There are three padding modes:
* Zero padding: 8-x remaining bytes are filled with zero
* PKCS#5 padding: 8-x remaining bytes are filled with value of 8-x.
If there's no incomplete block, one extra block filled with value
8 is added.
* Random padding: 8-x remaining bytes of the last block are set to
random.
Popov,Kurepkin,Leontiev Informational [Page 3]
Internet-Draft Crypto-Pro cryptographic algorithms 15 February 2004
2.2 Key meshing algorithms
When there is a need to limit the amount of data, enciphered with the
same key, several key meshing algorithms can be used.
id-Gost28147-89-None-KeyMeshing OBJECT IDENTIFIER ::=
{ id-CryptoPro-algorithms keyMeshing(14) none(0) }
This is a zero key meshing algorithm - key is never changed.
id-Gost28147-89-CryptoPro-KeyMeshing OBJECT IDENTIFIER ::=
{ id-CryptoPro-algorithms keyMeshing(14) cryptoPro(1) }
This algorithm transforms the key and initialization vector every 1KB
of plaintext data, using the following rule:
Let K[i] be the previous key, and S[i] be the previous initialization
vector.
K[i+1] = decryptECB (K[i], C); S[i+1] = encryptECB (K[i+1],S[i])
Where C = {0x22720069L, 0x2304C964L, 0x96DB3A8DL, 0xC42AE946L,
0x94ACFE18L, 0x1207ED00L, 0xC2DC86C0L, 0x2BA94CEFL};
3 HMAC_GOSTR3411
HMAC_GOSTR3411 (K,text) function is based on hash function GOST R
34.11-94, as defined in [HMAC], with the following parameter values:
B = 32, L = 32.
4 PRF_GOSTR3411
PRF_GOSTR3411 is a pseudorandom function, based on HMAC_GOSTR3411.
It is calculated as P_hash, defined in section 5 of [TLS].
PRF_GOSTR3411(K,D) = P_GOSTR3411 (K,D)
5 Key establishment algorithms
Standards [GOSTR341094] and [GOSTR34102001] do not define any key
establishment algorithms.
Section 5.7 specifies algorithms VKO GOST R 34.10-94 and VKO GOST R
34.10-2001, which can be used to export/import session key using a
one-time exchange key (symmetric key, shared by sender and
recipient), based on sender's private key and recipient public key,
or vice versa.
Sections 5.1 and 5.2 describe how to create an exchange key from
Popov,Kurepkin,Leontiev Informational [Page 4]
Internet-Draft Crypto-Pro cryptographic algorithms 15 February 2004
sender's private key and recipient public key, or vice versa.
Section 5.3 describes how to create an export key from an exchange
key or symmetric key.
Sections 5.4 and 5.5 describe, how a session key can be exported
(encrypted) using export key, or using exchange key directly.
Section 5.6 describes, how to create session keys, using secret key
and diversification data.
5.1 Creating exchange key using GOST R 34.10-94 keys
This algorithm creates an exchange key using sender's private key and
recipient public key, or vice versa, using GOST R 34.10-94 public key
algorithm and GOST R 34.11-94 hash function.
Exchange key EK is a 256-bit hash of 1024-bit Diffie-Hellman key
K(x,y);
EK = gostR3411 (K(x,y))
K(x,y) = a^(x*y) (mod p), where
x - sender's private key, a^x - sender's public key
y - recipient's private key, a^y - recipient's public key
Keys x and y MUST comply with [GOSTR341094].
This algorithm MUST NOT be used, when a^x = a (mod p) or a^y = a (mod
p).
5.2 Creating exchange key using GOST R 34.10-2001 keys
This algorithm creates an exchange key using sender's private key and
recipient public key, or vice versa, using GOST R 34.10-2001 public
key algorithm and GOST R 34.11-94 hash function.
Exchange key EK is a 256-bit hash of K(x,y,a);
EK(x,y,a) = gostR3411 (K(x,y,a))
K(x,y,a) = ((a*x)(mod q)) . (y.P) (512 bit), where
x - sender's private key (256 bit)
x.P - sender's public key (512 bit)
y - recipient's private key (256 bit)
y.P - recipient's public key (512 bit)
a - synchrovector (64 bit)
P - base point on the elliptic curve (two 256-bit coordinates)
a*x - x multiplied by a as integers
Popov,Kurepkin,Leontiev Informational [Page 5]
Internet-Draft Crypto-Pro cryptographic algorithms 15 February 2004
x.P - a multiple point
Keys x and y MUST comply with [GOSTR34102001].
This algorithm MUST NOT be used, when x.P = P, y.P = P
5.3 Generating export key from exchange key
Given a random 64-bit synchrovector A, and an exchange key K,
produced by algorithms from sections 5.1 and 5.2 (or other shared
symmetric key K), this algorithm creates an export key K(A), which
can be used to export (encrypt) session key.
KA = K[8]. K[0]..K[8] are calculated with following algorithm:
K[0] = K;
K[i+1] = encryptCFB (S[i], K[i], K[i])
S[i] = ((a[i,0]*k[i,0] + ... + a[i,7]*k[i,7]) mod 2^32)
| ((~a[i,0]*k[i,0] + ... + ~a[i,7]*k[i,7]) mod 2^32);
Here a[i,j] and k[i,j] are components of A and K[i] respectively:
K[i] = k[i,0]|k[i,1]|...|k[i,7] (k[i,j] - 32-bit integer)
A = a[0]|...|a[7] (a[i] - byte, a[i,0]..a[i,7] - it's bits)
5.4 Key export using export key
This algorithm exports session key SK using key K and random 64-bit
synchrovector A. Outputs of this algorithm are 32-bit SK_mac and
256-bit SK_enc.
First, export key KA is created using algorithm, specified in 5.3,
from the key K and vector A.
Then SK_mac is calculated: SK_mac = gost28147IMIT (A, KA, SK).
Then SK is encrypted in ECB mode, using key KA:
SK_enc = encryptECB (KA, SK);
5.5 Key export using exchange key
This algorithm exports session key SK using exchange key K and random
64-bit synchrovector A. Outputs of this algorithm are 32-bit SK_mac
and 256-bit SK_enc.
First, SK_mac is calculated: SK_mac = gost28147IMIT (A, K, SK).
Then SK is encrypted in ECB mode, using K for key:
Popov,Kurepkin,Leontiev Informational [Page 6]
Internet-Draft Crypto-Pro cryptographic algorithms 15 February 2004
SK_enc = encryptECB (K, SK);
5.6 Key Diversification
This algorithm creates a session key SK, given secret key K and
diversification data D of size 4..40 bytes.
1) 40-byte blob B is created from D by cloning it enough to fill all
40 bytes. For example, if D is 40-bytes long, B = D; If D is 4-bytes
long, B = D|D|D|D|D|D|D|D|D|D.
2) B is split into 8-byte SV and 32-byte SRCKEY (B = SV|SRCKEY).
3) Algorithm from section 5.3 is used to create KA from key K and
synchrovector SV, with two differences. Instead of S[i], vector
(0,0,0,SV[i],ff,ff,ff,ff XOR SV[i]) is used, and during each
encryption step, only 8 out of 32 GOST 28147-89 steps are done.
4) SK is calculated:
SK = encryptCFB (A, KA, SRCKEY).
5.7 VKO GOST R 34.10-94 and VKO GOST R 34.10-2001 algorithms. VKO GOST
R 34.10-94 and VKO GOST R 34.10-2001 are key establishment algorithms
for GOST R 34.10-94 and GOST R 34.10-2001 keys accordingly.
There are two modes they can be used in.
5.7.1 'Simple export' mode
Identifier for this mode:
id-Gost28147-89-None-KeyWrap OBJECT IDENTIFIER ::=
{ id-CryptoPro-algorithms keyWrap(13) none(0) }
The first step is calculating an exchange key, using algorithms,
defined in sections 5.1 or 5.2, depending on key type.
Then, session key can be exported on this exchange key, using
algorithm from section 5.5
5.7.2 'CryptoPro' mode
Identifier for this mode:
id-Gost28147-89-CryptoPro-KeyWrap OBJECT IDENTIFIER ::=
{ id-CryptoPro-algorithms keyWrap(13) cryptoPro(1) }
The first step is calculating an exchange key, using algorithms,
Popov,Kurepkin,Leontiev Informational [Page 7]
Internet-Draft Crypto-Pro cryptographic algorithms 15 February 2004
defined in sections 5.1 or 5.2, depending on key type.
Then, session key is exported on the export key (computed from this
exchange key) using algorithm from section 5.4;
6 Algorithm parameters
Standards [GOST28147], [GOST341194], [GOSTR341094] and
[GOSTR34102001] do not define specific values for algorithm
parameters.
This document introduces the use of OIDs to specify algorithm
parameters.
Identifiers and corresponding parameter values for all of the
proposed parameter sets can be found in Appendix in the form of ASN.1
modules [X.660].
6.1 Encryption algorithm parameters
GOST 28147-89 can be used in several modes, additional CBC mode is
defined in section 2.1 this document. It also has an S-Box parameter
(see Algorithm Parameters part in [GOST28147] in Russian, description
in English see in [Schneier95] ch. 14.1, p. 331).
This table contains the list of proposed parameter sets for GOST
28147-89:
Gost28147-89-ParamSetAlgorithms ALGORITHM-IDENTIFIER ::= {
{ Gost28147-89-ParamSetParameters IDENTIFIED BY
id-Gost28147-89-TestParamSet } |
{ Gost28147-89-ParamSetParameters IDENTIFIED BY
id-Gost28147-89-CryptoPro-A-ParamSet } |
{ Gost28147-89-ParamSetParameters IDENTIFIED BY
id-Gost28147-89-CryptoPro-B-ParamSet } |
{ Gost28147-89-ParamSetParameters IDENTIFIED BY
id-Gost28147-89-CryptoPro-C-ParamSet } |
{ Gost28147-89-ParamSetParameters IDENTIFIED BY
id-Gost28147-89-CryptoPro-D-ParamSet } |
{ Gost28147-89-ParamSetParameters IDENTIFIED BY
id-Gost28147-89-CryptoPro-Simple-A-ParamSet } |
{ Gost28147-89-ParamSetParameters IDENTIFIED BY
id-Gost28147-89-CryptoPro-Simple-B-ParamSet } |
{ Gost28147-89-ParamSetParameters IDENTIFIED BY
id-Gost28147-89-CryptoPro-Simple-C-ParamSet } |
{ Gost28147-89-ParamSetParameters IDENTIFIED BY
id-Gost28147-89-CryptoPro-Simple-D-ParamSet }
}
Popov,Kurepkin,Leontiev Informational [Page 8]
Internet-Draft Crypto-Pro cryptographic algorithms 15 February 2004
Identifier values can be found in Appendix.
Parameters for GOST 28147-89 are presented in the following form:
Gost28147-89-ParamSetParameters ::= SEQUENCE {
eUZ Gost28147-89-UZ,
mode INTEGER {
gost28147-89-OFB(0),
gost28147-89-CFB(1),
cryptoPro-CBC(2)
},
shiftBits INTEGER { gost28147-89-block(64) },
keyWrap AlgorithmIdentifier {{
Gost28147-89-KeyWrapAlgorithms
}},
keyMeshing AlgorithmIdentifier {{
Gost28147-89-KeyMixAlgorithms
}}
}
Gost28147-89-UZ ::= OCTET STRING (SIZE (64))
Gost28147-89-KeyMixAlgorithms ALGORITHM-IDENTIFIER ::= {
{ NULL IDENTIFIED BY id-Gost28147-89-CryptoPro-KeyMix } |
{ NULL IDENTIFIED BY id-Gost28147-89-None-KeyMix }
}
Gost28147-89-KeyWrapAlgorithms ALGORITHM-IDENTIFIER ::= {
{ NULL IDENTIFIED BY id-Gost28147-89-CryptoPro-KeyWrap } |
{ NULL IDENTIFIED BY id-Gost28147-89-None-KeyWrap }
}
where
eUZ - S-box value;
mode - cipher mode;
shiftBits - cipher parameter;
keyWrap - key export algorithm identifier;
keyMeshing - key meshing algorithm identifier.
6.2 Digest algorithm parameters
This table contains the list of proposed parameter sets for
[GOST341194]:
GostR3411-94-ParamSetAlgorithms ALGORITHM-IDENTIFIER ::= {
{ GostR3411-94-ParamSetParameters IDENTIFIED BY
id-GostR3411-94-TestParamSet
} |
{ GostR3411-94-ParamSetParameters IDENTIFIED BY
id-GostR3411-94-CryptoProParamSet
}
Popov,Kurepkin,Leontiev Informational [Page 9]
Internet-Draft Crypto-Pro cryptographic algorithms 15 February 2004
}
Identifier values can be found in Appendix.
Parameters for [GOST341194] are presented in the following form:
GostR3411-94-ParamSetParameters ::=
SEQUENCE {
hUZ Gost28147-89-UZ, -- S-Box for digest
h0 GostR3411-94-Digest -- start digest value
}
GostR3411-94-Digest ::= OCTET STRING (SIZE (32))
6.3 GOST R 34.10-94 public key algorithm parameters
This table contains the list of proposed parameter sets for GOST R
34.10-94:
GostR3410-94-ParamSetAlgorithm ALGORITHM-IDENTIFIER ::= {
{ GostR3410-94-ParamSetParameters IDENTIFIED BY
id-GostR3410-94-TestParamSet } |
{ GostR3410-94-ParamSetParameters IDENTIFIED BY
id-GostR3410-94-CryptoPro-A-ParamSet } |
{ GostR3410-94-ParamSetParameters IDENTIFIED BY
id-GostR3410-94-CryptoPro-B-ParamSet } |
{ GostR3410-94-ParamSetParameters IDENTIFIED BY
id-GostR3410-94-CryptoPro-C-ParamSet } |
{ GostR3410-94-ParamSetParameters IDENTIFIED BY
id-GostR3410-94-CryptoPro-D-ParamSet } |
{ GostR3410-94-ParamSetParameters IDENTIFIED BY
id-GostR3410-94-CryptoPro-XchA-ParamSet } |
{ GostR3410-94-ParamSetParameters IDENTIFIED BY
id-GostR3410-94-CryptoPro-XchB-ParamSet } |
{ GostR3410-94-ParamSetParameters IDENTIFIED BY
id-GostR3410-94-CryptoPro-XchC-ParamSet }
}
Identifier values can be found in Appendix.
Parameters for GOST R 34.10-94 are presented in the following form:
GostR3410-94-ParamSetParameters ::=
SEQUENCE {
p INTEGER,
q INTEGER,
a INTEGER,
validationAlgorithm AlgorithmIdentifier {{
GostR3410-94-ValidationAlgorithms
Popov,Kurepkin,Leontiev Informational [Page 10]
Internet-Draft Crypto-Pro cryptographic algorithms 15 February 2004
}} OPTIONAL
}
GostR3410-94-ValidationParameters ::=
SEQUENCE {
t INTEGER,
x0 INTEGER,
c INTEGER,
d INTEGER OPTIONAL
}
Where
p - modulus, prime number, 2^1023