IPSECME Working Group                                             B. Han
INTERNET-DRAFT                                                   S. Yoon
Intended Status: Informational                                  H. Jeong
Expires: December 12, 2011                                        Y. Won
                                      (Korea Internet & Security Agency)
                                                           June 10, 2011


             Using SEED CTR, CCM, GCM modes with IPsec ESP
                draft-seokung-ipsecme-seed-ipsec-modes-01


Abstract

   This document describes the use of the SEED block cipher algorithm
   in Counter (CTR) Mode, Counter with CBC-MAC (CCM) Mode and
   Galois/Counter Mode (GCM) as an IPsec Encapsulating Security Payload
   (ESP) mechanism to provide confidentiality, data origin
   authentication, and connectionless integrity.


Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with
   the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 12, 2011.


Copyright and License Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.

Han, et al.              Expires December 12, 2011              [Page 1]

INTERNET DRAFT    SEED CTR, CCM, GCM modes with IPsec ESP  June 10, 2011
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.


Table of Contents

   1.  Introduction
     1.1.  Conventions Used in This Document
   2.  SEED Modes of Operation for Use with IPsec ESP
     2.1.  SEED-CTR Mode
       2.1.1.  ESP Payload
       2.1.2.  Initialization Vector
       2.1.3.  Authentication Data
       2.1.4.  Counter Block Format
     2.2.  SEED-CCM Mode
       2.2.1.  ESP Payload
       2.2.2.  Parameters
       2.2.3.  Counter Block
       2.2.4.  AAD Construction
     2.3.  SEED-GCM Mode
       2.3.1.  ESP Payload
       2.3.2.  Counter Block
       2.3.3.  AAD Construction
   3.  IKEv2 Conventions
     3.1.  Keying Material and Nonce Values
     3.2.  Transform Type 1
     3.3.  Key Length Attribute
   4.  Security Considerations
   5.  IANA Considerations
   6.  Test Vectors
     6.1.  Test Vectors for ENCR_SEED_CTR
     6.2.  Test Vectors for ENCR_SEED_CCM
     6.3.  Test Vectors for ENCR_SEED_GCM
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Authors' Addresses


1.  Introduction

   SEED [RFC4269] is a block cipher, and it can be used in many
   different modes.  This document describes the use of the SEED block
   cipher algorithm in Counter Mode (CTR), Counter with CBC-MAC (CCM)
   Mode and Galois/Counter Mode (GCM) as an IPsec Encapsulating
   Security Payload (ESP) [RFC4303] mechanism to provide
   confidentiality, data origin authentication, and connectionless
   integrity.

   This document does not provide an overview of IPsec.  Information
   about the various components of IPsec and the way in which they
   collectively provide security services is available in [RFC4301]
   and [RFC2411].

1.1.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  SEED Modes of Operation for Use with IPsec ESP

   This document describes three modes of operation for the use of SEED
   with IPsec: CTR (Counter), CCM (Counter with CBC-MAC), and GCM
   (Galois/Counter Mode).  SEED in CTR, CCM, and GCM modes is used in
   IPsec ESP in the same way as AES is in [RFC3686], [RFC4309], and
   [RFC4106], respectively.

2.1.  SEED-CTR Mode

   SEED Counter mode (SEED-CTR) uses only the SEED encrypt operation
   (for both encryption and decryption).

2.1.1.  ESP Payload

   The ESP payload of SEED-CTR is composed of the IV followed by the
   encrypted payload and the authentication data.

      ESP Payload := IV (8 octets) || Encrypted Payload (variable) ||
                     Authentication Data (variable)
2.1.2.  Initialization Vector

   SEED-CTR requires the encryptor to generate a unique initialization
   vector (IV).  The same IV and key combination MUST NOT be used more
   than once.  The SEED-CTR IV field MUST be eight octets.  The
   encryptor can generate the IV in any manner that ensures uniqueness.

2.1.3.  Authentication Data

   SEED-CTR implementations MUST employ a non-NULL ESP authentication
   method.  HMAC-SHA-1-96 [RFC2404] is a likely choice.

2.1.4.  Counter Block Format

   The counter block is used to generate the key stream necessary to
   encrypt/decrypt the payload.  The SEED counter block is 128 bits.
   The components of the counter block are as follows:

      Counter Block := Nonce || IV || Block Counter

   Nonce
      The Nonce field is 32 bits.  It MUST be assigned at the beginning
      of the security association.

   IV
      The IV field is 64 bits.

   Block Counter
      The block counter field is the least significant 32 bits of the
      counter block.  The block counter begins with the value of one
      (big-endian).

2.2.  SEED-CCM Mode

   SEED Counter with CBC-MAC mode (SEED-CCM) uses only the SEED encrypt
   operation (for both encryption and decryption).

2.2.1.  ESP Payload

   The ESP payload of SEED-CCM is composed of the IV followed by the
   encrypted payload and the authentication data.

      ESP Payload := IV (8 octets) || Encrypted Payload (variable) ||
                     Authentication Data (variable)

2.2.2.  Parameters

   SEED-CCM has two parameters:

   M
      M indicates the size of the integrity check value (ICV).
      Implementations MUST support M values of 8 octets and 16 octets,
      and implementations MAY support M values of 12 octets.

   L
      L indicates the size of the length field in octets.  This
      specification only supports L = 4.

2.2.3.  Counter Block

   The SEED-CCM counter block is 16 octets.
   The most significant octet holds the CCM flags, and the least
   significant L octets (4 octets, since this specification uses L = 4)
   hold the block counter.  The remaining octets are the nonce.  The
   nonce consists of the salt and the IV, and its size depends on the
   value selected for the parameter L: it is 15-L octets.

      Counter Block := CCM flags(1) || Nonce(15-L) || Block counter(L)
      Nonce := Salt(3) || IV(8)

   Salt
      The salt field is 24 bits.  It must be assigned at the beginning
      of the security association.

   IV
      The IV field is 64 bits.

2.2.4.  AAD Construction

   For the AAD, the Security Parameter Index (SPI) and the (Extended)
   Sequence Number field are used.

      a) AAD (64 bits) := SPI (32 bits) || Seq. No. (32 bits)
      b) AAD (96 bits) := SPI (32 bits) || Extended Seq. No. (64 bits)

2.3.  SEED-GCM Mode

   SEED Galois/Counter mode (SEED-GCM) uses only the SEED encrypt
   operation (for both encryption and decryption).

2.3.1.  ESP Payload

   The ESP payload of SEED-GCM is composed of the IV followed by the
   encrypted payload.  The ICV is associated with the payload.

      ESP Payload := IV (8 octets) || Encrypted Payload (variable)

2.3.2.  Counter Block

   The SEED-GCM counter block (GCTR Block) is 16 octets.  In this
   specification, the most significant 12 octets are the nonce, and the
   least significant 4 octets are used for the block counter.  The
   nonce consists of the salt and the IV.

      GCTR Block := Nonce (12) || Block counter (4)
      Nonce := Salt (4) || IV (8)

   Salt
      The salt field is 32 bits.  It must be assigned at the beginning
      of the security association.

   IV
      The IV field is 64 bits.

2.3.3.  AAD Construction

   For the AAD, the Security Parameter Index (SPI) and the (Extended)
   Sequence Number field are used.

      a) AAD (64 bits) := SPI (32 bits) || Seq. No. (32 bits)
      b) AAD (96 bits) := SPI (32 bits) || Extended Seq. No. (64 bits)
3.  IKEv2 Conventions

   This section describes the conventions used to generate keying
   material and nonce values (nonce, salt) for use with SEED-CTR,
   SEED-CCM, and SEED-GCM using the Internet Key Exchange version 2
   (IKEv2) [RFC4306] protocol.  The identifiers and attributes needed
   to negotiate a security association that uses SEED-CTR, SEED-CCM,
   and SEED-GCM are also defined.

3.1.  Keying Material and Nonce Values

   IKEv2 makes use of a pseudo-random function (PRF) to derive keying
   material.  The PRF is used iteratively to derive keying material of
   arbitrary size, called KEYMAT.  Keying material is extracted from
   the output string without regard to boundaries.  The keying material
   is used as follows:

   SEED-CTR
      The KEYMAT requested for each SEED-CTR key is 20 octets.  The
      first 16 octets are the 128-bit SEED key, and the remaining four
      octets are used as the nonce value in the counter block.

   SEED-CCM
      The KEYMAT requested for each SEED-CCM key is 19 octets.  The
      first 16 octets are the 128-bit SEED key, and the remaining three
      octets are used as the salt value in the counter block.

   SEED-GCM
      The KEYMAT requested for each SEED-GCM key is 20 octets.  The
      first 16 octets are the 128-bit SEED key, and the remaining four
      octets are used as the salt value in the nonce.

3.2.  Transform Type 1

   For IKEv2 negotiations, IANA has assigned ESP Transform Identifiers
   for SEED-CTR, SEED-CCM and SEED-GCM, as recorded in Section 5.

3.3.  Key Length Attribute

   Since SEED only supports one key length, the Key Length attribute
   MUST NOT be used in IKEv2 exchanges.

4.  Security Considerations

   No security problem has been found in SEED.  SEED is secure against
   all known attacks, including differential cryptanalysis, linear
   cryptanalysis, and related-key attacks.  The only known attack is an
   exhaustive search for the key.
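   Every mode in this draft derives its key stream from E(K, counter
   block), so confidentiality collapses as soon as two packets under one
   key share a counter block (the reuse that Section 2.1.2 forbids), and
   getting the nonce, salt, IV and counter fields byte-exact deserves a
   check of its own.  The following Python is an added illustration, not
   code from this draft or its authors: it builds the Section 2 counter
   blocks, the Section 3.1 KEYMAT split and the AAD of Sections 2.2.4 and
   2.3.3, and re-derives the corresponding values printed in Section 6.
   It assumes a caller-supplied SEED block-encryption function (SEED
   itself is not implemented here) and takes the CCM B_0 flag byte and
   AAD length encoding from RFC 3610 [CCM], which the draft cites but
   does not spell out.

```python
"""Counter-block, nonce and AAD layout for SEED-CTR, SEED-CCM and SEED-GCM
as laid out in Sections 2 and 3 of this draft (added illustration, not the
draft's own code).  SEED itself is not implemented here: ctr_crypt() takes
the 16-octet block-encryption function E(K, .) as a parameter."""
import struct

BLOCK = 16  # SEED block size in octets

def split_keymat(keymat, mode):
    """Section 3.1: KEYMAT is the 128-bit SEED key followed by the 4-octet
    nonce (CTR), the 3-octet salt (CCM) or the 4-octet salt (GCM)."""
    tail = {"CTR": 4, "CCM": 3, "GCM": 4}[mode]
    if len(keymat) != BLOCK + tail:
        raise ValueError("%s needs %d octets of KEYMAT" % (mode, BLOCK + tail))
    return keymat[:BLOCK], keymat[BLOCK:]

def esp_aad(spi, seq, extended=False):
    """Sections 2.2.4 / 2.3.3: SPI(32) || Seq. No.(32), or SPI || ESN(64)."""
    return struct.pack("!IQ" if extended else "!II", spi, seq)

def ctr_block(nonce, iv, counter):
    """Section 2.1.4: Nonce(4) || IV(8) || Block Counter(4), big-endian."""
    assert len(nonce) == 4 and len(iv) == 8
    return nonce + iv + struct.pack("!I", counter)

def ctr_crypt(encrypt_block, nonce, iv, data, initial_ctr=1):
    """SEED-CTR: XOR data with E(K, counter block); the same routine
    encrypts and decrypts.  The counter starts at 1 (Section 2.1.4)
    unless overridden; the Section 6.1 vector starts at 0xFE."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = encrypt_block(ctr_block(nonce, iv, initial_ctr + i // BLOCK))
        # zip() discards the unused key-stream octets of a short last block
        out += bytes(p ^ k for p, k in zip(data[i:i + BLOCK], ks))
    return bytes(out)

def ccm_b0(nonce, m, L, payload_len, have_aad=True):
    """CCM first block B_0 per RFC 3610: Flags(1) || Nonce(15-L) || len(L).
    With this draft's L = 4 the nonce is Salt(3) || IV(8) (Section 2.2.3)."""
    assert len(nonce) == 15 - L
    flags = (64 if have_aad else 0) | (((m - 2) // 2) << 3) | (L - 1)
    return bytes([flags]) + nonce + payload_len.to_bytes(L, "big")

def ccm_ctr_block(nonce, L, counter):
    """Section 2.2.3: CCM flags(1) || Nonce(15-L) || Block counter(L).
    Counter 0 encrypts the CBC-MAC; counters 1, 2, ... encrypt the payload."""
    assert len(nonce) == 15 - L
    return bytes([L - 1]) + nonce + counter.to_bytes(L, "big")

def ccm_format_aad(aad):
    """RFC 3610 AAD encoding for 0 < len(aad) < 2**16 - 2**8: a 2-octet
    length, then the AAD, zero-padded to a 16-octet boundary."""
    blob = struct.pack("!H", len(aad)) + aad
    return blob + b"\0" * (-len(blob) % BLOCK)

def gcm_ctr_block(salt, iv, counter):
    """Section 2.3.2: Nonce(12) || Block counter(4), Nonce := Salt(4) || IV(8).
    Counter 1 is J_0 (reserved for the ICV); payload blocks start at 2."""
    assert len(salt) == 4 and len(iv) == 8
    return salt + iv + struct.pack("!I", counter)

def blocks_match_draft():
    """Re-derive the blocks printed in Section 6 from the inputs given
    there; True if every one matches the draft."""
    h = bytes.fromhex
    ccm_nonce = h("101112131415161718191a1b")                # Section 6.2 (L = 3)
    gcm_salt, gcm_iv = h("cafebabe"), h("facedbaddecaf888")  # Section 6.3
    checks = [
        (ctr_block(h("00000000"), h("0000000000000000"), 0xFE),  # 6.1 CTR Block 1
         h("000000000000000000000000000000FE")),
        (ccm_b0(ccm_nonce, 8, 3, 24),                             # 6.2 B-0
         h("5a101112131415161718191a1b000018")),
        (ccm_format_aad(h("000102030405060708090a0b0c0d0e0f10111213")),
         h("00140001020304050607" "08090a0b0c0d0e0f10111213"     # 6.2 B-1, B-2
           "00000000000000000000")),
        (ccm_ctr_block(ccm_nonce, 3, 0),                          # 6.2 CTR Block 0
         h("02101112131415161718191a1b000000")),
        (gcm_ctr_block(gcm_salt, gcm_iv, 1),                      # 6.3 J-0
         h("cafebabefacedbaddecaf88800000001")),
        (gcm_ctr_block(gcm_salt, gcm_iv, 5),                      # 6.3 GCTR Block 3
         h("cafebabefacedbaddecaf88800000005")),
    ]
    return all(got == want for got, want in checks)

if __name__ == "__main__":
    print("Section 6 block layouts reproduced:", blocks_match_draft())
```

   The Section 6.2 vector uses L = 3 with a 12-octet nonce, which is why
   the CCM helpers take L as a parameter instead of fixing it at 4.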
   For further security considerations, the reader is encouraged to
   read [SEED-EVAL].  See [CCM] and [RFC4106] for security
   considerations regarding the CCM and GCM modes of operation,
   respectively.

5.  IANA Considerations

   IANA has assigned Transform Type 1 (Encryption Algorithm)
   Identifiers for SEED-CTR, SEED-CCM, and SEED-GCM with an explicit IV
   in the "IKEv2 Parameters" registry:

      Number    Name
      --------  ---------------------------------
                ENCR_SEED_CTR
                ENCR_SEED_CCM_8_ICV
                ENCR_SEED_CCM_12_ICV
                ENCR_SEED_CCM_16_ICV
                ENCR_SEED_GCM_8_ICV
                ENCR_SEED_GCM_12_ICV
                ENCR_SEED_GCM_16_ICV

6.  Test Vectors

   [SEED] provides the algorithm specification of SEED, and [SEED-TEST]
   provides test vectors that will assist implementers of the SEED
   algorithm.

6.1.  Test Vectors for ENCR_SEED_CTR

   IV=8 octets, Nonce=4 octets, Blockcounter=4 octets, Payload=64 octets

   1) Encryption

   1-1) Input data for CTR mode
   =====================================================
   Key          88E34F8F 081779F1 E9F39437 0AD40589
   IV           00000000 00000000
   Nonce        00000000
   Initial CTR  000000FE
   Plaintext    D76D0D18 327EC562 B15E6BC3 65AC0C0F
                8D41E0BB 938568AE EBFD92ED 1AFFA096
                394D20FC 5277DDFC 4DE8B0FC E1EB2B93
                D4AE40EF 4768C613 B50B8942 F7D4B9B3
   =====================================================

   1-2) Encryption
   =====================================================
   CTR Block 1  00000000 00000000 00000000 000000FE
   Key Stream 1 837311DC 65D8CD5C 58A5E15F 578B4DE2
   Ciphertext 1 541E1CC4 57A6083E E9FB8A9C 322741ED
   -----------------------------------------------------
   CTR Block 2  00000000 00000000 00000000 000000FF
   Key Stream 2 197BCC56 B6DFF49E 132CACFD 287555D3
   Ciphertext 2 943A2CED 255A9C30 F8D13E10 328AF545
   -----------------------------------------------------
   CTR Block 3  00000000 00000000 00000000 00000100
   Key Stream 3 151FFD7E 39932C79 5B0F8D05 FE2730C8
   Ciphertext 3 2C52DD82 6BE4F185 16E73DF9 1FCC1B5B
   -----------------------------------------------------
   CTR Block 4  00000000 00000000 00000000 00000101
   Key Stream 4 0FA34018 624C971B 9677E251 A7314CB6
   Ciphertext 4 DB0D00F7 25245108 237C6B13 50E5F505
   =====================================================

   1-3) Result - Ciphertext
   =====================================================
   Ciphertext   541E1CC4 57A6083E E9FB8A9C 322741ED
                943A2CED 255A9C30 F8D13E10 328AF545
                2C52DD82 6BE4F185 16E73DF9 1FCC1B5B
                DB0D00F7 25245108 237C6B13 50E5F505
   =====================================================

   2) Decryption

   2-1) Input data for CTR mode
   =====================================================
   Key          88E34F8F 081779F1 E9F39437 0AD40589
   IV           00000000 00000000
   Nonce        00000000
   Initial CTR  000000FE
   Ciphertext   541E1CC4 57A6083E E9FB8A9C 322741ED
                943A2CED 255A9C30 F8D13E10 328AF545
                2C52DD82 6BE4F185 16E73DF9 1FCC1B5B
                DB0D00F7 25245108 237C6B13 50E5F505
   =====================================================

   2-2) Decryption
   =====================================================
   CTR Block 1  00000000 00000000 00000000 000000FE
   Key Stream 1 837311DC 65D8CD5C 58A5E15F 578B4DE2
   Plaintext 1  D76D0D18 327EC562 B15E6BC3 65AC0C0F
   -----------------------------------------------------
   CTR Block 2  00000000 00000000 00000000 000000FF
   Key Stream 2 197BCC56 B6DFF49E 132CACFD 287555D3
   Plaintext 2  8D41E0BB 938568AE EBFD92ED 1AFFA096
   -----------------------------------------------------
   CTR Block 3  00000000 00000000 00000000 00000100
   Key Stream 3 151FFD7E 39932C79 5B0F8D05 FE2730C8
   Plaintext 3  394D20FC 5277DDFC 4DE8B0FC E1EB2B93
   -----------------------------------------------------
   CTR Block 4  00000000 00000000 00000000 00000101
   Key Stream 4 0FA34018 624C971B 9677E251 A7314CB6
   Plaintext 4  D4AE40EF 4768C613 B50B8942 F7D4B9B3
   =====================================================

   2-3) Result - Plaintext
   =====================================================
   Plaintext    D76D0D18 327EC562 B15E6BC3 65AC0C0F
                8D41E0BB 938568AE EBFD92ED 1AFFA096
                394D20FC 5277DDFC 4DE8B0FC E1EB2B93
                D4AE40EF 4768C613 B50B8942 F7D4B9B3
   =====================================================

6.2.  Test Vectors for ENCR_SEED_CCM

   M=8 octets, L=3 octets, AAD=20 octets, Payload=24 octets

   1) Encryption

   1-1) Input data for CCM mode
   =====================================================
   Key          40414243 44454647 48494a4b 4c4d4e4f
   Nonce        10111213 14151617 18191a1b
   AAD          00010203 04050607 08090a0b 0c0d0e0f
                10111213
   Payload      20212223 24252627 28292a2b 2c2d2e2f
                30313233 34353600
   =====================================================

   1-2) Formatted input data
   =====================================================
   Formatted    5a101112 13141516 1718191a 1b000018
   Input        00140001 02030405 06070809 0a0b0c0d
   (B)          0e0f1011 12130000 00000000 00000000
                20212223 24252627 28292a2b 2c2d2e2f
                30313233 34353600 00000000 00000000
   =====================================================

   1-3) Calculating CBC-MAC
   =====================================================
   B-0          5a101112 13141516 1718191a 1b000018
   SEED input   5a101112 13141516 1718191a 1b000018
   SEED output  b60c31dd 0c1090a7 190fcd82 47ceb3c2
   -----------------------------------------------------
   B-1          00140001 02030405 06070809 0a0b0c0d
   SEED input   b61831dc 0e1394a2 1f08c58b 4dc5bfcf
   SEED output  5d0996a2 13f6a0aa 22e77daf d4419eff
   -----------------------------------------------------
   B-2          0e0f1011 12130000 00000000 00000000
   SEED input   530686b3 01e5a0aa 22e77daf d4419eff
   SEED output  ebfa0c15 771190f6 0b8d365c c093e097
   -----------------------------------------------------
   B-3          20212223 24252627 28292a2b 2c2d2e2f
   SEED input   cbdb2e36 5334b6d1 23a41c77 ecbeceb8
   SEED output  27892df2 babdeda5 83fc0481 97b68309
   -----------------------------------------------------
   B-4          30313233 34353600 00000000 00000000
   SEED input   17b81fc1 8e88dba5 83fc0481 97b68309
   SEED output  dcdcea6a b82c5dbe 56de3bfe 5631aa65
   =====================================================
   CBC-MAC      dcdcea6a b82c5dbe
   =====================================================

   1-4) Formatted counter block and its encryption result
   =====================================================
   CTR Block 0  02101112 13141516 1718191a 1b000000
   Key Stream 0 682b1a22 ba0164d5 c4987a1a b7e087cb
   -----------------------------------------------------
   CTR Block 1  02101112 13141516 1718191a 1b000001
   Key Stream 1 81318ba2 70d0a16f 3ec7c2cf 76f16b56
   -----------------------------------------------------
   CTR Block 2  02101112 13141516 1718191a 1b000002
   Key Stream 2 ad4ac71d 7fcacbaf a0a6f9f7 fe3e2997
   =====================================================

   1-5) Result of CCM encryption
   =====================================================
   Encrypted    a110a981 54f58748 16eee8e4 5adc4579
   Payload      9d7bf52e 4bfffdaf
   -----------------------------------------------------
   ICV(Enc-MAC) b4f7f048 022d396b
   =====================================================

   2) Decryption

   2-1) Input data for CCM mode
   =====================================================
   Key          40414243 44454647 48494a4b 4c4d4e4f
   Nonce        10111213 14151617 18191a1b
   AAD          00010203 04050607 08090a0b 0c0d0e0f
                10111213
   Encrypted    a110a981 54f58748 16eee8e4 5adc4579
   Payload      9d7bf52e 4bfffdaf
   ICV(Enc-MAC) b4f7f048 022d396b
   =====================================================

   2-2) Formatted counter block and its encryption result
   =====================================================
   CTR Block 0  02101112 13141516 1718191a 1b000000
   Key Stream 0 682b1a22 ba0164d5 c4987a1a b7e087cb
   -----------------------------------------------------
   CTR Block 1  02101112 13141516 1718191a 1b000001
   Key Stream 1 81318ba2 70d0a16f 3ec7c2cf 76f16b56
   -----------------------------------------------------
   CTR Block 2  02101112 13141516 1718191a 1b000002
   Key Stream 2 ad4ac71d 7fcacbaf a0a6f9f7 fe3e2997
   =====================================================

   2-3) Result of CCM Decryption
   =====================================================
   Payload      20212223 24252627 28292a2b 2c2d2e2f
                30313233 34353600
   CBC-MAC      dcdcea6a b82c5dbe
   =====================================================

   2-4) Decrypt the payload and get the formatted input data
   =====================================================
   Formatted    5a101112 13141516 1718191a 1b000018
   Input        00140001 02030405 06070809 0a0b0c0d
   (B)          0e0f1011 12130000 00000000 00000000
                20212223 24252627 28292a2b 2c2d2e2f
                30313233 34353600 00000000 00000000
   =====================================================

   2-5) Calculating CBC-MAC and checking integrity
   =====================================================
   B-0          5a101112 13141516 1718191a 1b000018
   SEED input   5a101112 13141516 1718191a 1b000018
   SEED output  b60c31dd 0c1090a7 190fcd82 47ceb3c2
   -----------------------------------------------------
   B-1          00140001 02030405 06070809 0a0b0c0d
   SEED input   b61831dc 0e1394a2 1f08c58b 4dc5bfcf
   SEED output  5d0996a2 13f6a0aa 22e77daf d4419eff
   -----------------------------------------------------
   B-2          0e0f1011 12130000 00000000 00000000
   SEED input   530686b3 01e5a0aa 22e77daf d4419eff
   SEED output  ebfa0c15 771190f6 0b8d365c c093e097
   -----------------------------------------------------
   B-3          20212223 24252627 28292a2b 2c2d2e2f
   SEED input   cbdb2e36 5334b6d1 23a41c77 ecbeceb8
   SEED output  27892df2 babdeda5 83fc0481 97b68309
   -----------------------------------------------------
   B-4          30313233 34353600 00000000 00000000
   SEED input   17b81fc1 8e88dba5 83fc0481 97b68309
   SEED output  dcdcea6a b82c5dbe 56de3bfe 5631aa65
   =====================================================
   CBC-MAC      dcdcea6a b82c5dbe
   =====================================================

6.3.  Test Vectors for ENCR_SEED_GCM

   ICV=16 octets, IV=12 octets, AAD=20 octets, Payload=60 octets

   1) Encryption

   1-1) Input data for GCM mode
   =====================================================
   Key          feffe992 8665731c 6d6a8f94 67308308
   Nonce        cafebabe facedbad decaf888
   AAD          3ad77bb4 0d7a3660 a89ecaf3 2466ef97
                f5d3d585
   Payload      d9313225 f88406e5 a55909c5 aff5269a
                86a7a953 1534f7da 2e4c303d 8a318a72
                1c3c0c95 95680953 2fcf0e24 49a6b525
                b16aedf5 aa0de657 ba637b39
   =====================================================

   1-2) Encrypt payload with GCTR
   =====================================================
   J-0          cafebabe facedbad decaf888 00000001
   =====================================================
   GCTR Block 0 cafebabe facedbad decaf888 00000002
   Key Stream 0 c37299fe f385d702 7d593194 7919d14c
   Enc-Pay 0    1a43abdb 0b01d1e7 d8003851 d6ecf7d6
   -----------------------------------------------------
   GCTR Block 1 cafebabe facedbad decaf888 00000003
   Key Stream 1 f8995257 0f856564 afa8ce5a 3b7f0c4d
   Enc-Pay 1    7e3efb04 1ab192be 81e4fe67 b14e863f
   -----------------------------------------------------
   GCTR Block 2 cafebabe facedbad decaf888 00000004
   Key Stream 2 6ba45d2a 4cfbcbf2 b043d026 56cfd780
   Enc-Pay 2    779851bf d993c2a1 9f8cde02 1f6962a5
   -----------------------------------------------------
   GCTR Block 3 cafebabe facedbad decaf888 00000005
   Key Stream 3 75b89720 f450f0b7 47100a49 e12cfbbf
   Enc-Pay 3    c4d27ad5 5e5d16e0 fd737170
   =====================================================

   1-3) Calculate Hash-subkey, H = SEED(0^128)
   =====================================================
   SEED input      00000000 00000000 00000000 00000000
   SEED output (H) addab0a6 958b6567 19702b91 73e3dbb4
   =====================================================

   1-4) Calculate ICV using AAD and Encrypted payload
   ==============================================================
   (a) GHASH-H(AAD, Enc-Pay)  371f5691 eb6587df b91a5eef c7472e68
   ==============================================================
   GCTR Block (J-0)           cafebabe facedbad decaf888 00000001
   (b) Key Stream (J-0)       cb99d743 4d4d1962 7026c832 4d5523f9
   ==============================================================
   ICV = (a) XOR (b)          fc8681d2 a6289ebd c93c96dd 8a120d91
   ==============================================================

   1-5) Result of GCM encryption
   =====================================================
   Encrypted    1a43abdb 0b01d1e7 d8003851 d6ecf7d6
   Payload      7e3efb04 1ab192be 81e4fe67 b14e863f
                779851bf d993c2a1 9f8cde02 1f6962a5
                c4d27ad5 5e5d16e0 fd737170
   -----------------------------------------------------
   ICV          fc8681d2 a6289ebd c93c96dd 8a120d91
   =====================================================

   2) Decryption

   2-1) Input data for GCM mode
   =====================================================
   Key          feffe992 8665731c 6d6a8f94 67308308
   Nonce        cafebabe facedbad decaf888
   AAD          3ad77bb4 0d7a3660 a89ecaf3 2466ef97
                f5d3d585
   Encrypted    1a43abdb 0b01d1e7 d8003851 d6ecf7d6
   Payload      7e3efb04 1ab192be 81e4fe67 b14e863f
                779851bf d993c2a1 9f8cde02 1f6962a5
                c4d27ad5 5e5d16e0 fd737170
   -----------------------------------------------------
   ICV          fc8681d2 a6289ebd c93c96dd 8a120d91
   =====================================================

   2-2) Decrypt payload with GCTR
   =====================================================
   J-0          cafebabe facedbad decaf888 00000001
   =====================================================
   GCTR Block 0 cafebabe facedbad decaf888 00000002
   Key Stream 0 c37299fe f385d702 7d593194 7919d14c
   Payload 0    d9313225 f88406e5 a55909c5 aff5269a
   -----------------------------------------------------
   GCTR Block 1 cafebabe facedbad decaf888 00000003
   Key Stream 1 f8995257 0f856564 afa8ce5a 3b7f0c4d
   Payload 1    86a7a953 1534f7da 2e4c303d 8a318a72
   -----------------------------------------------------
   GCTR Block 2 cafebabe facedbad decaf888 00000004
   Key Stream 2 6ba45d2a 4cfbcbf2 b043d026 56cfd780
   Payload 2    1c3c0c95 95680953 2fcf0e24 49a6b525
   -----------------------------------------------------
   GCTR Block 3 cafebabe facedbad decaf888 00000005
   Key Stream 3 75b89720 f450f0b7 47100a49 e12cfbbf
   Payload 3    b16aedf5 aa0de657 ba637b39
   =====================================================

   2-3) Result of GCM Decryption
   =====================================================
   Payload      d9313225 f88406e5 a55909c5 aff5269a
                86a7a953 1534f7da 2e4c303d 8a318a72
                1c3c0c95 95680953 2fcf0e24 49a6b525
                b16aedf5 aa0de657 ba637b39
   =====================================================

7.  References

7.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2404]  Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within
              ESP and AH", RFC 2404, November 1998.

   [RFC3686]  Housley, R., "Using Advanced Encryption Standard (AES)
              Counter Mode With IPsec Encapsulating Security Payload
              (ESP)", RFC 3686, January 2004.

   [RFC4106]  Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
              (GCM) in IPsec Encapsulating Security Payload (ESP)",
              RFC 4106, June 2005.

   [RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)",
              RFC 4303, December 2005.

   [RFC5996]  Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
              "Internet Key Exchange Protocol Version 2 (IKEv2)",
              RFC 5996, September 2010.
   [RFC4309]  Housley, R., "Using Advanced Encryption Standard (AES) CCM
              Mode with IPsec Encapsulating Security Payload (ESP)",
              RFC 4309, December 2005.

   [CCM]      Whiting, D., Housley, R., and N. Ferguson, "Counter with
              CBC-MAC (CCM)", RFC 3610, September 2003.

   [SEED]     Lee, H., Lee, S., Yoon, J., Cheon, D., and J. Lee, "The
              SEED Encryption Algorithm", RFC 4269, December 2005.

   [SEED-CBC] Lee, H., Yoon, J., Lee, S., and J. Lee, "The SEED Cipher
              Algorithm and Its Use with IPsec", RFC 4196, October 2005.

   [GCM]      Dworkin, M., "NIST Special Publication 800-38D:
              Recommendation for Block Cipher Modes of Operation:
              Galois/Counter Mode (GCM) and GMAC", U.S. National
              Institute of Standards and Technology,
              http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf.

7.2.  Informative References

   [RFC2411]  Thayer, R., Doraswamy, N., and R. Glenn, "IP Security
              Document Roadmap", RFC 2411, November 1998.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.

   [SEED-EVAL] KISA, "Self Evaluation Report",
              http://seed.kisa.or.kr/seed/down/SEED_Evaluation_Report_by_CRYPTREC.pdf

   [SEED-TEST] KISA, "Test Vectors for Modified SEED",
              http://seed.kisa.or.kr/seed/down/SEED_Test_Vectors_for_Modified_SEED.pdf
Authors' Addresses

   Byoungjin Han
   Korea Internet & Security Agency
   IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950

   Email: bjhan@kisa.or.kr


   Seokung Yoon
   Korea Internet & Security Agency
   IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950

   Email: seokung@kisa.or.kr


   Hyuncheol Jeong
   Korea Internet & Security Agency
   IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950

   Email: hcjung@kisa.or.kr


   Yoojae Won
   Korea Internet & Security Agency
   IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950

   Email: yjwon@kisa.or.kr