RFC 3602 – The AES-CBC Cipher Algorithm and Its Use with IPsec

Network Working Group                                         S. Frankel
Request for Comments: 3602                                      R. Glenn
Category: Standards Track                                           NIST
                                                                S. Kelly
                                                               Airespace
                                                          September 2003


           The AES-CBC Cipher Algorithm and Its Use with IPsec

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document describes the use of the Advanced Encryption Standard
   (AES) Cipher Algorithm in Cipher Block Chaining (CBC) Mode, with an
   explicit Initialization Vector (IV), as a confidentiality mechanism
   within the context of the IPsec Encapsulating Security Payload (ESP).

Table of Contents

   1.  Introduction
       1.1.  Specification of Requirements
   2.  The AES Cipher Algorithm
       2.1.  Mode
       2.2.  Key Size and Number of Rounds
       2.3.  Weak Keys
       2.4.  Block Size and Padding
       2.5.  Additional Information
       2.6.  Performance
   3.  ESP Payload
       3.1.  ESP Algorithmic Interactions
       3.2.  Keying Material
   4.  Test Vectors
   5.  IKE Interactions
       5.1.  Phase 1 Identifier
       5.2.  Phase 2 Identifier
       5.3.  Key Length Attribute
       5.4.  Hash Algorithm Considerations
   6.  Security Considerations
   7.  IANA Considerations
   8.  Intellectual Property Rights Statement
   9.  References
       9.1.  Normative References
       9.2.  Informative References
   10. Acknowledgments
   11. Authors' Addresses
   12. Full Copyright Statement

1. Introduction

   [AES], formerly known as Rijndael, was chosen from
   a field of five finalists.

   The AES selection was made on the basis of several characteristics:

      +  security

      +  unclassified

      +  publicly disclosed

      +  available royalty-free, worldwide

      +  capable of handling a block size of at least 128 bits

      +  at a minimum, capable of handling key sizes of 128, 192, and
         256 bits

      +  computational efficiency and memory requirements on a variety
         of software and hardware, including smart cards

      +  flexibility, simplicity and ease of implementation

   The AES will be the government's designated encryption cipher.  The
   expectation is that the AES will suffice to protect sensitive
   (unclassified) government information until at least the next
   century.  It is also expected to be widely adopted by businesses and
   financial institutions.





   [ARCH], [ESP], and [ROAD].

1.1. Specification of Requirements

   [RFC-2119].

2. The AES Cipher Algorithm

2.1. Mode

   [MODES]: CBC (Cipher Block Chaining), ECB (Electronic
   CodeBook), CFB (Cipher FeedBack), OFB (Output FeedBack) and CTR
   (Counter).  The CBC mode is well-defined and well-understood for
   symmetric ciphers, and is currently required for all other ESP
   ciphers.  This document specifies the use of the AES cipher in CBC
   mode within ESP.  This mode requires an Initialization Vector (IV)
   that is the same size as the block size.  Use of a randomly generated
   IV prevents generation of identical ciphertext from packets which
   have identical data that spans the first block of the cipher
   algorithm's block size.

   The IV is XOR'd with the first plaintext block before it is
   encrypted.  Then for successive blocks, the previous ciphertext block
   is XOR'd with the current plaintext, before it is encrypted.

   More information on CBC mode can be obtained in [MODES, CRYPTO-S].
   For the use of CBC mode in ESP with 64-bit ciphers, see [CBC].








2.2. Key Size and Number of Rounds

2.3. Weak Keys

   [IKE], weak key checks SHOULD
   NOT be performed as they are seen as an unnecessary added code
   complexity that could weaken the intended security [EVALUATION].

2.4. Block Size and Padding

   [ESP], such that
   the data to be encrypted (which includes the ESP Pad Length and Next
   Header fields) has a length that is a multiple of 16 octets.

   Because of the algorithm specific padding requirement, no additional
   padding is required to ensure that the ciphertext terminates on a 4-
   octet boundary (i.e., maintaining a 16-octet blocksize guarantees
   that the ESP Pad Length and Next Header fields will be right aligned
   within a 4-octet word).  Additional padding MAY be included, as
   specified in [ESP], as long as the 16-octet blocksize is maintained.
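
   The padding rule above, as an added example that is not part of the
   RFC: it builds the ESP trailer using the default 1, 2, 3, ... padding
   of [ESP] (RFC 2406) and checks it again on receipt.  The function
   names and the extra_blocks parameter are assumptions of this example.

```python
# Added example (not from the RFC): building and checking the ESP trailer for a
# 16-octet block cipher. Function names and extra_blocks are this example's own.
BLOCK = 16

def esp_pad(payload: bytes, next_header: int, extra_blocks: int = 0) -> bytes:
    """Return payload + Padding + Pad Length + Next Header, ready for AES-CBC."""
    # 2 = Pad Length octet + Next Header octet, both inside the encrypted data.
    pad_len = -(len(payload) + 2) % BLOCK + BLOCK * extra_blocks
    if pad_len > 255:                       # Pad Length is a single octet
        raise ValueError("too much additional padding")
    padding = bytes(range(1, pad_len + 1))  # default [ESP] padding: 1, 2, 3, ...
    return payload + padding + bytes([pad_len, next_header])

def esp_unpad(plaintext: bytes):
    """Check the trailer of decrypted data; return (payload, next_header).

    Call only after the ESP integrity check has passed.
    """
    if len(plaintext) < BLOCK or len(plaintext) % BLOCK:
        raise ValueError("decrypted data is not a whole number of 16-octet blocks")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("Pad Length exceeds the decrypted data")
    end = len(plaintext) - 2
    if plaintext[end - pad_len:end] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding is not the default 1, 2, 3, ... sequence")
    return plaintext[:end - pad_len], next_header
```

   For a constructed 64-octet payload with Next Header 1 the trailer is
   01020304 05060708 090a0b0c 0d0e0e01, the same octets that appear in
   the packet dumps of Section 4.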

2.5. Additional Information

   [AES].  The Rijndael homepage is:
   http://www.esat.kuleuven.ac.be/~rijmen/rijndael/.

   The AES homepage, http://www.nist.gov/aes, contains a wealth of
   information about the AES, including a definitive description of the
   AES algorithm, performance statistics, test vectors and intellectual
   property information.  This site also contains information on how to
   obtain an AES reference implementation from NIST.

2.6. Performance

   [PERF-1], [PERF-2], [PERF-3], or
   [PERF-4].  The AES homepage has pointers to other analyses.

3. ESP Payload

   [ESP], is broken down according
   to the following diagram:

   +---------------+---------------+---------------+---------------+
   |                                                               |
   +               Initialization Vector (16 octets)               +
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   ~ Encrypted Payload (variable length, a multiple of 16 octets)  ~
   |                                                               |
   +---------------------------------------------------------------+

   The IV field MUST be the same size as the block size of the cipher
   algorithm being used.  The IV MUST be chosen at random, and MUST be
   unpredictable.

   Including the IV in each datagram ensures that decryption of each
   received datagram can be performed, even when some datagrams are
   dropped, or datagrams are re-ordered in transit.

   To avoid CBC encryption of very similar plaintext blocks in different
   packets, implementations MUST NOT use a counter or other low-Hamming
   distance source for IVs.
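
   One way to check the payload layout and the IV rule above on captured
   traffic, as an added example that is not part of the RFC.  The
   function names, the 48-bit threshold and the sample payloads are
   constructions of this example.

```python
# Added example (not from the RFC): split AES-CBC ESP payloads into IV and
# ciphertext, then flag IV sources with low Hamming distance. Names, the
# threshold and the sample payloads are this example's own constructions.
import hashlib

def split_payload(payload: bytes):
    """Return (iv, ciphertext) for the layout in the diagram above."""
    if len(payload) < 32 or len(payload) % 16:
        raise ValueError("need a 16-octet IV plus at least one 16-octet block")
    return payload[:16], payload[16:]

def hamming(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def audit_ivs(payloads, min_mean_distance=48):
    """Report repeated IVs and the mean bit distance between consecutive IVs.

    Independent random 128-bit IVs differ in about 64 bits on average; a
    counter differs in only a few.
    """
    ivs = [split_payload(p)[0] for p in payloads]
    dists = [hamming(a, b) for a, b in zip(ivs, ivs[1:])]
    mean = sum(dists) / len(dists) if dists else None
    return {
        "repeated": len(set(ivs)) != len(ivs),
        "mean_distance": mean,
        "low_distance": mean is not None and mean < min_mean_distance,
    }

# Constructed samples: 8 payloads with counter IVs, and 8 with hash-derived IVs
# standing in for CSPRNG output (deterministic so the result is stable).
BODY = bytes(16)
COUNTER = [i.to_bytes(16, "big") + BODY for i in range(8)]
RANDOMISH = [hashlib.sha256(b"sample-%d" % i).digest()[:16] + BODY for i in range(8)]
```

   A sufficient mean distance does not show that the IVs are
   unpredictable; the check only catches counters and similar
   low-distance sources.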







3.1. ESP Algorithmic Interactions

3.2. Keying Material

4. Test Vectors

   (http://csrc.nist.gov/encryption/aes/rijndael/
                          rijndael-unix-refc.tar).

Case #1: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Key       : 0x06a9214036b8a15b512e03d534120006
IV        : 0x3dafba429d9eb430b422da802c9fac41
Plaintext : "Single block msg"
Ciphertext: 0xe353779c1079aeb82708942dbe77181a

Case #2: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Key       : 0xc286696d887c9aa0611bbb3e2025a45a
IV        : 0x562e17996d093d28ddb3ba695a2e6f58
Plaintext : 0x000102030405060708090a0b0c0d0e0f
              101112131415161718191a1b1c1d1e1f
Ciphertext: 0xd296cd94c2cccf8a3a863028b5e1dc0a
              7586602d253cfff91b8266bea6d61ab1



   01020304 05060708 090a0b0c 0d0e0e01

   45000054 09040000 4001f988 c0a87b03 c0a87bc8 08009f76 a90a0100
   b49c083d24252627 28292a2b 2c2d2e2f 30313233 34353637 01020304
   05060708 090a0a04

   45000044 090c0000 4001f990 c0a87b03 c0a87bc8 0800d63c aa0a0200
   c69c083d

5. IKE Interactions

5.1. Phase 1 Identifier

5.2. Phase 2 Identifier

5.3. Key Length Attribute

   [IKE] and a Phase 2
   exchange [DOI].

5.4. Hash Algorithm Considerations

   [SHA2-1, SHA2-2] are
   capable of producing output of three different lengths (256, 384 and
   512 bits), sufficient for the generation (within IKE) and
   authentication (within ESP) of the three AES key sizes (128, 192 and
   256 bits).

   However, HMAC-SHA-1 [HMAC-SHA] and HMAC-MD5 [HMAC-MD5] are currently
   considered of sufficient strength to serve both as IKE generators of
   128-bit AES keys and as ESP authenticators for AES encryption using
   128-bit keys.




6. Security Considerations

   [CRYPTO-B].

   For further security considerations, the reader is encouraged to read
   [AES].

7. IANA Considerations

8. Intellectual Property Rights Statement

   BCP-11.  Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementers or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.









11. Authors' Addresses

12. Full Copyright Statement