JunHyukNetwork Working Group J. SongRadhaRequest for Comments: 4615 R. Poovendran Category: Standards Track University of WashingtonJicheolJ. Lee Samsung ElectronicsTetsuT. IwataINTERNET DRAFT IbarakiNagoya UniversityExpires:August2, 2006 February 32006 TheAES-CMAC-PRF-128Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for the Internet Key Exchange Protocol (IKE)draft-songlee-aes-cmac-prf-128-03.txtStatus of This MemoBy submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents ofThis document specifies an Internet standards track protocol for the InternetEngineering Task Force (IETF), its areas,community, andits working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents validrequests discussion and suggestions fora maximumimprovements. Please refer to the current edition ofsix monthsthe "Internet Official Protocol Standards" (STD 1) for the standardization state andmay be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The liststatus ofcurrent Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The listthis protocol. Distribution ofInternet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2006). Abstract Some implementations of IP Security (IPsec) may want to use a pseudo-random functionderived from(PRF) based on the Advanced Encryption Standard (AES). This memo describes such an algorithm, calledAES-CMAC- PRF-128.AES-CMAC-PRF-128. It supports fixed and variable key sizes. Table of Contents 1. Introduction ....................................................2 2. Basic Definitions ...............................................2 3. The AES-CMAC-PRF-128 Algorithm ..................................2 4. Test Vectors ....................................................4 5. Security Considerations .........................................4 6. IANA Considerations .............................................5 7. Acknowledgements ................................................5 8. References ......................................................5 8.1. Normative References .......................................5 8.2. Informative References .....................................5 1. Introduction[AES-CMAC][RFC4493] describes a method to use the Advanced Encryption Standard (AES) as amessage authentication codeMessage Authentication Code (MAC)whosethat has a 128-bit outputis 128 bits long. 128 bitslength. The 128-bit output is useful as a long-lived pseudo- random function(PRF) in either IKE version 1 or version 2.(PRF). This document specifies a PRF thatsupportsupports fixed and variable key sizes for IKEv2[IKEv2][RFC4306] Key Derivation Function (KDF) and authentication. 2. BasicdefinitionsDefinitions VKVariable lengthVariable-length key for AES-CMAC-PRF-128,Denoteddenoted by VK.0^n0^128 The string that consists ofn zero-bits. 0^3 means that 000 in binary format. 10^4 means that 10000128 zero-bits, which is equivalent to 0x00000000000000000000000000000000 inbinary format. 10^i means that 1 followed by i-times repeated zero's.hexadecimal notation. AES-CMAC The AES-CMAC algorithm with128 bitsa 128-bit long key described in section 2.4 of[AES-CMAC].[RFC4493]. 3. The AES-CMAC-PRF-128 Algorithm The AES-CMAC-PRF-128 algorithm is identical to AES-CMAC defined in[AES-CMAC][RFC4493] except that the128 bits128-bit key length restriction is removed. IKEv2[IKEv2][RFC4306] uses PRFs for multiple purposes, most notably for generating keying material and authentication of thetheIKE_SA. The IKEv2 specification differentiates between PRFs with fixed key sizes and those with variable keysizessizes. When using AES-CMAC-PRF-128 as the PRF described inthis document withIKEv2,the PRFAES-CMAC- PRF-128 is considered tobe fixed-lengthtake fixed size (16 octets) keys for generating keying material butvariable-lengthit takes variable key sizes for authentication. That is, when generating keying material, "half the bits must come from Ni and half from Nr, taking the first bits of each" as described in IKEv2, section 2.14; but for authenticating with shared secrets (IKEv2, section 2.16), the shared secret does not have to be 16 octets and the length may vary. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + AES-CMAC-PRF-128 + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + + Input : VK( Variable length key )(Variable-length key) + + : M( Message to be authenticated )(Message, i.e., the input data of the PRF) + + : VKlen( length(length of VK)in octets) + + : len( length(length ofmessageM inoctets )octets) + + Output : PRV( 128 bits Pseudo Random Variable )(128-bit Pseudo-Random Variable) + + + +-------------------------------------------------------------------+ +Variables:Variable: K( 128-bits fixed(128-bit key)for AES-CMAC) + + + + Step 1.+ +If VKlen is equal to 16octets then+ + Step 1a. then + + K := VK; + +Else + +Step 1b. else + + K :=AES-CMAC (0^128,AES-CMAC(0^128, VK, VKlen); + ++ +Step 2.+ +PRV :=AES-CMAC (K,M,len);AES-CMAC(K, M, len); + + return PRV; + + + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Figure 1. The AES-CMAC-PRF-128 Algorithm In step 1, thekey128-bit key, K, forAES-CMAC-PRF-128AES-CMAC iscreatedderived as follows: o If thekeykey, VK, is exactly 128bits long,bits, then we use it as-is. o Ifthe keyit is longer or shorter than 128bits long,bits, then we derivenew key Kthe key, K, byperformingapplying the AES-CMAC algorithm using128 bits all zerothe 128-bit all-zero string as the key and VK as the input message. This step is described in step 1b. In step 2, weperformapply the AES-CMAC algorithm using K as the key and M as the input message. The output of this algorithm is returned.5.4. Test Vectors ------------------------------------------------------------ Test Case AES-CMAC-PRF-128 with 20-octet input Key : 00010203 04050607 08090a0b 0c0d0e0f edcb Key Length : 18 Message : 00010203 04050607 08090a0b 0c0d0e0f 10111213 PRF Output : 84a348a4 a45d235b abfffc0d 2b4da09a Test Case AES-CMAC-PRF-128 with 20-octet input Key : 00010203 04050607 08090a0b 0c0d0e0f Key Length : 16 Message : 00010203 04050607 08090a0b 0c0d0e0f 10111213 PRF Output : 980ae87b 5f4c9c52 14f5b6a8 455e4c2d Test Case AES-CMAC-PRF-128 with 20-octet input Key : 00010203 04050607 0809 Key Length : 10 Message : 00010203 04050607 08090a0b 0c0d0e0f 10111213 PRF Output : 290d9e11 2edb09ee 141fcf64 c0b72f3d ------------------------------------------------------------6.5. Security Considerations The security provided by AES-CMAC-PRF-128 is based upon the strength of AES and AES-CMAC. At the time of this writing, there are no known practical cryptographic attacks against AES or AES-CMAC.HoweverHowever, as is true with any cryptographic algorithm, part of its strength lies in the secret key,'K'VK, and the correctness of the implementation in all of the participating systems.Keys needThe key, VK, needs to be chosenat randomindependently and randomly based on RFC 4086[RFC4086][RFC4086], and both keys, VK and K, should be keptinsafe and periodically refreshed.Whenever keys largerSection 4 presents test vectors that assist in verifying the correctness of the AES-CMAC-PRF-128 code. If VK is longer than 128 bitsare reducedand it is shortened to meet the AES-128 keyinputsize, then some entropy might be lost. However,if using collision- resistant hash function suchasAES-CMAC when generatinglong as VK is longer than 128 bits, then the newkey for pseudo-random function, itkey, K, preserves sufficient entropy, i.e., the entropyas long asof K is about 128 bits. Therefore, we recommend thepseudo-random functionuse of VK that is longer than or equal tobe used requires128bits long input key. 7.bits, and we discourage the use of VK that is shorter than or equal to 64 bits, because of the small entropy. 6. IANAConsiderationConsiderations IANAshould allocatehas allocated a value of 8 for IKEv2 Transform Type 2(Pseudo-Random(Pseudo- Random Function) to the PRF_AES128_CMACalgorithm when this document is published. 8. Acknowledgementalgorithm. 7. Acknowledgements Portions of this text were borrowed from[AES-XCBC-PRF] and [AES-XCBC-PRF_bis],[RFC3664] andmany[RFC4434]. Many thanks to Russ Housley and Paul Hoffman for suggestions and guidance.9. Reference 9.1We also thank Alfred Hoenes for many useful comments. We acknowledge support from the following grants: Collaborative Technology Alliance (CTA) from US Army Research Laboratory, DAAD19-01-2-0011; Presidential Award from Army Research Office,- W911NF-05-1-0491; ONR YIP N00014-04-1-0479. Results do not reflect any position of the funding agencies. 8. References 8.1. Normative References[AES-CMAC] JunHyuk[RFC4493] Song,JicheolJH., Poovendran, R., Lee,Radha PoovendranJ., andTetsuT. Iwata, "The AES-CMACAlgorithm," draft-songlee-aes-cmac-03.txt, (work in progress) December 2005. [IKEv2]Algorithm", RFC 4493, June 2006. [RFC4306] Kaufman, C.,Ed.,"Internet Key Exchange (IKEv2) Protocol",draft-ietf-ipsec-ikev2-17 (work in progress), September 2004.RFC 4306, December 2005. [RFC4086]Eastlake 3rd,Eastlake, D.,Crocker, S., and J.3rd, Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC40864086, June2005 9.2.2005. 8.2. Informative References[AH] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998. [ROADMAP] Thayer, R., Doraswamy, N. and R. Glenn, "IP Security Document Roadmap", RFC 2411, November 1998. [AES-XCBC-PRF] P.[RFC3664] Hoffman, P., "The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol(IKE)," RFC3664, Jan(IKE)", RFC 3664, January 2004.[AES-XCBC-PRF-bis] P.[RFC4434] Hoffman, P., "The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol(IKE)," draft-hoffman-rfc3664bis-05.txt (work in progress), October 2005. Author's Address Junhyuk(IKE)", RFC 4434, February 2006. Authors' Addresses JunHyuk Song Samsung Electronics University of Washington Phone: (206) 853-5843songlee@u.washington.edu junhyuk.song@samsung.com Jicheol Lee Samsung Electronics +82-31-279-3605 jicheol.lee@samsung.comEMail: junhyuk.song@samsung.com, junhyuk.song@gmail.com Radha Poovendran Network Security Lab University of Washington Phone: (206) 221-6512 EMail: radha@ee.washington.edu Jicheol Lee Samsung Electronics Phone: +82-31-279-3605 EMail: jicheol.lee@samsung.com Tetsu IwataIbarakiNagoya Universityiwata@cis.ibaraki.ac.jpEMail: iwata@cse.nagoya-u.ac.jp Full Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual PropertyStatementThe IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. AcknowledgmentAcknowledgement Funding for the RFC Editor function iscurrentlyprovided by theInternet Society.IETF Administrative Support Activity (IASA).