IPSECME Working Group S. Yoon Internet Draft Y. Kang Obsolete: 4196 H. Kim (if approved) H. Jeong Intended Status: Standards Track J. Lee Expires: January 4, 2011 Korea Internet & Security Agency July 4, 2010 Modes of Operation for SEED for Use with IPsec draft-seokung-ipsecme-seed-ipsec-modes-00 Abstract This document describes the use of the SEED block cipher algorithm in Counter (CTR) Mode, Counter with CBC-MAC (CCM) Mode and Galois/Counter Mode (GCM) as an IPsec Encapsulation Security Payload (ESP) mechanism to provide confidentiality and data origin authentication, and connectionless integrity. Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 4, 2011. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Yoon, et al. Expires January 4, 2011 [Page 1] Internet-Draft IPSEC-SEED July 4, 2010 This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Table of Contents 1. Introduction ................................................. 3 1.1. Conventions Used in This Document ....................... 3 2. Modes ........................................................ 3 3. IKEv2 Conventions ............................................ 3 3.1. Keying Material.......................................... 3 3.2. Transform Type 1 ........................................ 4 3.3. Key Length Attribute .................................... 4 4. Security Considerations ...................................... 4 5. IANA Considerations .......................................... 4 6. References ................................................... 5 6.1. Normative References .................................... 5 6.2. Informative References .................................. 6 Author's Addresses .............................................. 7 Yoon, et al. Expires January 4, 2011 [Page 2] Internet-Draft IPSEC-SEED July 4, 2010 1. Introduction The SEED [RFC4269] is a block cipher, and it can be used in many different modes. This document describes the use of the SEED block cipher algorithm in Counter Mode (CTR), Counter with CBC-MAC (CCM) Mode and Galois/Counter Mode (GCM), as an IPsec Encapsulation Security Payload (ESP) [RFC4303] mechanism to provide confidentiality and data origin authentication, and connectionless integrity. This document does not provide an overview of IPsec. However, information about how the various components of IPsec and the way in which they collectively provide security services is available in [RFC4301] and [RFC2411]. 1.1. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Modes This document describes three modes of operation for the use of SEED with IPsec: CBC (Cipher Block Chaining), CTR (Counter), CCM (Counter with CBC-MAC), and GCM (Galois/Counter Mode). SEED in CTR, CCM, and GCM modes is used in IPsec as AES in [RFC4309], [RFC3686], and [RFC4106]. 3. IKEv2 Conventions This section describes the conventions used to generate keying material and nonces for use with SEED-CTR, keying material and salt values for use with SEED-CCM and SEED-GCM using the Internet Key Exchange version 2 (IKEv2) [RFC4306] protocol. The identifiers and attributes needed to negotiate a security association that uses SEED- CTR, SEED-CCM, and SEED-GCM are also defined. 3.1. Keying Material IKEv2 makes use of a pseudo-random function (PRF) to derive keying material. The PRF is used iteratively to derive keying material of arbitrary size, called KEYMAT. Keying material is extracted from the output string without regard to boundaries. The size of KEYMAT MUST be equal or longer than the associated SEED key. The keying material is used as follows: Yoon, et al. Expires January 4, 2011 [Page 3] Internet-Draft IPSEC-SEED July 4, 2010 SEED-CTR The KEYMAT requested for each SEED-CTR key is 20 octets. The first 16 octets are the 128-bit SEED key, and the remaining four octets are used as the nonce value in the counter block. SEED-CCM The KEYMAT requested for each SEED-CCM key is 19 octets. The first 16 octets are the 128-bit SEED key, and the remaining three octets are used as the salt value in the counter block. SEED-GCM The KEYMAT requested for each SEED-GCM key is 20 octets. The first 16 octets are the 128-bit SEED key, and the remaining four octets are used as the salt value in the nonce. 3.2. Transform Type 1 For IKEv2 negotiations, IANA has assigned three ESP Transform Identifiers for SEED-CTR, SEED-CCM and SEED-GCM, as recorded in Section 5. 3.3. Key Length Attribute Since SEED only supports one key length, the Key Length attribute MUST be specified in the IKE exchange version 2. The Key Length attribute MUST have a value of 128 bits. 4. Security Considerations No security problem has been found on SEED. SEED is secure against all known attacks including Differential cryptanalysis, linear cryptanalysis, and related key attacks. The only known attack is an exhaustive search for the key. For further security considerations, the reader is encouraged to read [SEED-EVAL]. See [RFC3610] and [GCM] for security considerations regarding the CCM and GCM Modes of Operation, respectively. 5. IANA Considerations IANA has assigned Transform Type 1 (Encryption Algorithm) Identifiers for SEED-CTR, SEED-CCM, and SEED-GCM with an explicit IV in the "IKEv2 Parameters" registry: Yoon, et al. Expires January 4, 2011 [Page 4] Internet-Draft IPSEC-SEED July 4, 2010 Number Name -------- --------------------------------- SEED-CTR SEED-CCM with an 8 octet ICV SEED-CCM with a 12 octet ICV SEED-CCM with a 16 octet ICV SEED-GCM with an 8 octet ICV SEED-GCM with a 12 octet ICV SEED-GCM with a 16 octet ICV 6. References 6.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with CBC-MAC (CCM)", RFC 3610, September 2003. [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)", RFC 3686, January 2004. [RFC4106] Viega. J., and D. McGrew, "The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)", RFC 4106, June 2005. [RFC4269] H. Lee, S. Lee, J. Yoon, D. Cheon, J. Lee, "The SEED Encryption Algorithm", RFC 4269, December 2005. [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005. [RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005. [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)", RFC 4309, December 2005. Yoon, et al. Expires January 4, 2011 [Page 5] Internet-Draft IPSEC-SEED July 4, 2010 [GCM] Dworkin, M., "NIST Special Publication 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC", U.S. National Institute of Standards and Technology http://csrc.nist.gov/publications/nistpubs/800-38D/SP- 800-38D.pdf. 6.2. Informative References [RFC2411] Thayer, R., Doraswamy, N., and R. Glenn, "IP Security Document Roadmap", RFC 2411, November 1998. [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005. [SEED-EVAL] KISA, "Self Evaluation Report", http://www.kisa.or.kr/kisa/seed/down/SEED_Evaluation_Repo rt_by_CRYPTREC.pdf Yoon, et al. Expires January 4, 2011 [Page 6] Internet-Draft IPSEC-SEED July 4, 2010 Author's Addresses Seokung Yoon Korea Internet & Security Agency IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950 Email: seokung@kisa.or.kr Yeonjung Kang Korea Internet & Security Agency IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950 Email: yjkang@kisa.or.kr Hwankuk Kim Korea Internet & Security Agency IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950 Email: rinyfeel@kisa.or.kr Hyuncheol Jeong Korea Internet & Security Agency IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950 Email: hcjung@kisa.or.kr Jaeil Lee Korea Internet & Security Agency IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950 Email: jilee@kisa.or.kr Yoon, et al. Expires January 4, 2011 [Page 7]