1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
|
<pre>Network Working Group S. Frankel
Request for Comments: 3566 NIST
Category: Standards Track H. Herbert
Intel
September 2003
<span class="h1">The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec</span>
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
A Message Authentication Code (MAC) is a key-dependent one way hash
function. One popular way to construct a MAC algorithm is to use a
block cipher in conjunction with the Cipher-Block-Chaining (CBC) mode
of operation. The classic CBC-MAC algorithm, while secure for
messages of a pre-selected fixed length, has been shown to be
insecure across messages of varying lengths such as the type found in
typical IP datagrams. This memo specifies the use of AES in CBC mode
with a set of extensions to overcome this limitation. This new
algorithm is named AES-XCBC-MAC-96.
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-2">2</a>
<a href="#section-2">2</a>. Specification of Requirements . . . . . . . . . . . . . . <a href="#page-2">2</a>
<a href="#section-3">3</a>. Basic CBC-MAC with Obligatory 10* Padding . . . . . . . . <a href="#page-3">3</a>
<a href="#section-4">4</a>. AES-XCBC-MAC-96 . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-4.1">4.1</a>. Keying Material. . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-4.2">4.2</a>. Padding . . . . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-4.3">4.3</a>. Truncation . . . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-4.4">4.4</a>. Interaction with the ESP Cipher Mechanism. . . . . . <a href="#page-6">6</a>
<a href="#section-4.5">4.5</a>. Performance. . . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-4.6">4.6</a>. Test Vectors . . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-5">5</a>. Security Considerations . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-6">6</a>. IANA Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-7">7</a>. Intellectual Property Rights Statement . . . . . . . . . . <a href="#page-8">8</a>
<span class="grey">Frankel & Herbert Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc3566">RFC 3566</a> AES-XCBC-MAC-96 Algorithm September 2003</span>
<a href="#section-8">8</a>. Acknowledgments . . . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-9">9</a>. References . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-9.1">9.1</a>. Normative References . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-9.2">9.2</a>. Informative References . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-10">10</a>. Authors' Addresses . . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-11">11</a>. Full Copyright Statement . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
Message authentication provides data integrity and data origin
authentication with respect to the original message source. A
Message Authentication Code (MAC) is a key-dependent one way hash
function. One popular way to construct a MAC algorithm is to use a
block cipher in conjunction with the Cipher-Block-Chaining (CBC) mode
of operation. The classic CBC-MAC algorithm, while secure for
messages of a pre-selected fixed length [<a href="#ref-CBC-MAC-2" title=""The Security of the Cipher Block Chaining Message Authentication Code,"">CBC-MAC-2</a>], has been shown
to be insecure across messages of varying lengths such as the type
found in typical IP datagrams [CBC-MAC-2, <a href="#section-5">section 5</a>]. In fact, it is
trivial to produce forgeries for a second message given the MAC of a
prior message. [HANDBOOK, <a href="#section-9.62">section 9.62</a>, p. 354]
This memo specifies the use of AES [<a href="#ref-AES" title=""Advanced Encryption Standard (AES),"">AES</a>] in CBC mode [<a href="#ref-MODES" title=""Recommendation for Block Cipher Modes of Operation: Methods and Techniques,"">MODES</a>] with a
set of extensions [<a href="#ref-XCBC-MAC-1" title=""A Suggestion for Handling Arbitrary-Length Messages with the CBC MAC,"">XCBC-MAC-1</a>] to overcome this limitation. This new
algorithm is named AES-XCBC-MAC-96. Using the AES block cipher, with
its increased block size (128 bits) and increased key length (128
bits), provides the new algorithm with the ability to withstand
continuing advances in crypto-analytic techniques and computational
capability. AES-XCBC-MAC-96 is used as an authentication mechanism
within the context of the IPsec Encapsulating Security Payload (ESP)
and the Authentication Header (AH) protocols. For further
information on ESP, refer to [<a href="#ref-ESP" title=""IP Encapsulating Security Payload (ESP)"">ESP</a>] and [<a href="#ref-ROADMAP" title=""IP Security Document Roadmap"">ROADMAP</a>]. For further
information on AH, refer to [<a href="#ref-AH" title=""IP Authentication Header"">AH</a>] and [<a href="#ref-ROADMAP" title=""IP Security Document Roadmap"">ROADMAP</a>].
The goal of AES-XCBC-MAC-96 is to ensure that the datagram is
authentic and cannot be modified in transit. Data integrity and data
origin authentication as provided by AES-XCBC-MAC-96 are dependent
upon the scope of the distribution of the secret key. If the key is
known only by the source and destination, this algorithm will provide
both data origin authentication and data integrity for datagrams sent
between the two parties. In addition, only a party with the
identical key can verify the hash.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Specification of Requirements</span>
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" that
appear in this document are to be interpreted as described in <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>,
<a href="./rfc2119">RFC 2119</a> [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC-2119</a>].
<span class="grey">Frankel & Herbert Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc3566">RFC 3566</a> AES-XCBC-MAC-96 Algorithm September 2003</span>
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Basic CBC-MAC with Obligatory 10* Padding</span>
CBC-MAC uses a block cipher for encryption; the block cipher
transforms b bits of plaintext to b bits of ciphertext. The basic
CBC-MAC [<a href="#ref-CBC-MAC-1" title=""CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions,"">CBC-MAC-1</a>, <a href="#ref-CBC-MAC-2" title=""The Security of the Cipher Block Chaining Message Authentication Code,"">CBC-MAC-2</a>] with Obligatory 10* Padding over a
b-bit block cipher is calculated as follows for a message M:
(1) Append a single 1 bit to M. Then append the minimum number of 0
bits to M such that the length of M is a multiple of b.
[NOTE: This is 1 of several padding schemes that can be used for
CBC-MAC. Several others are described in [<a href="#ref-MODES" title=""Recommendation for Block Cipher Modes of Operation: Methods and Techniques,"">MODES</a>].]
(2) Break M into n blocks, M[1] ... M[n], where the blocksize of
blocks M[1] ... M[n] is b bits
(3) Define E[0] = 0x00000000000000000000000000000000
(4) For each block M[i], where i = 1 ... n:
XOR M[i] with E[i-1], then encrypt the result with Key K,
yielding E[i].
(5) E[n] is the b-bit authenticator.
Basic CBC-MAC with obligatory 10* padding has been shown to be secure
for messages up to (but not including) a pre-selected fixed length,
in which the length is a multiple of the blocksize. This algorithm
is not suitable for IPsec for the following reasons:
+ Any IPsec authenticator must be able to handle messages of
arbitrary length. However, the basic CBC-MAC cannot securely
handle messages that exceed the pre-selected fixed length.
+ For messages shorter than the pre-selected fixed length, padding
the message to the pre-selected fixed length may necessitate
additional encryption operations, adding an unacceptable
computational penalty.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. AES-XCBC-MAC-96</span>
[<a id="ref-AES">AES</a>] describes the underlying AES algorithm, while [<a href="#ref-CBC-MAC-1" title=""CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions,"">CBC-MAC-1</a>] and
[<a href="#ref-XCBC-MAC-1" title=""A Suggestion for Handling Arbitrary-Length Messages with the CBC MAC,"">XCBC-MAC-1</a>] describe the AES-XCBC-MAC algorithm.
The AES-XCBC-MAC-96 algorithm is a variant of the basic CBC-MAC with
obligatory 10* padding; however, AES-XCBC-MAC-96 is secure for
messages of arbitrary length. The AES-XCBC-MAC-96 calculations
require numerous encryption operations; this encryption MUST be
accomplished using AES with a 128-bit key. Given a 128-bit secret
key K, AES-XCBC-MAC-96 is calculated as follows for a message M that
<span class="grey">Frankel & Herbert Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc3566">RFC 3566</a> AES-XCBC-MAC-96 Algorithm September 2003</span>
consists of n blocks, M[1] ... M[n], in which the blocksize of blocks
M[1] ... M[n-1] is 128 bits and the blocksize of block M[n] is
between 1 and 128 bits:
(1) Derive 3 128-bit keys (K1, K2 and K3) from the 128-bit secret
key K, as follows:
K1 = 0x01010101010101010101010101010101 encrypted with Key K
K2 = 0x02020202020202020202020202020202 encrypted with Key K
K3 = 0x03030303030303030303030303030303 encrypted with Key K
(2) Define E[0] = 0x00000000000000000000000000000000
(3) For each block M[i], where i = 1 ... n-1:
XOR M[i] with E[i-1], then encrypt the result with Key K1,
yielding E[i].
(4) For block M[n]:
a) If the blocksize of M[n] is 128 bits:
XOR M[n] with E[n-1] and Key K2, then encrypt the result with
Key K1, yielding E[n].
b) If the blocksize of M[n] is less than 128 bits:
i) Pad M[n] with a single "1" bit, followed by the number of
"0" bits (possibly none) required to increase M[n]'s
blocksize to 128 bits.
ii) XOR M[n] with E[n-1] and Key K3, then encrypt the result
with Key K1, yielding E[n].
(5) The authenticator value is the leftmost 96 bits of the 128-bit
E[n].
NOTE1: If M is the empty string, pad and encrypt as in (4)(b) to
create M[1] and E[1]. This will never be the case for ESP or AH, but
is included for completeness sake.
NOTE2: [<a href="#ref-CBC-MAC-1" title=""CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions,"">CBC-MAC-1</a>] defines K1 as follows:
K1 = Constant1A encrypted with Key K |
Constant1B encrypted with Key K.
However, the second encryption operation is only needed for
AES-XCBC-MAC with keys greater than 128 bits; thus, it is not
included in the definition of AES-XCBC-MAC-96.
<span class="grey">Frankel & Herbert Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc3566">RFC 3566</a> AES-XCBC-MAC-96 Algorithm September 2003</span>
AES-XCBC-MAC-96 verification is performed as follows:
Upon receipt of the AES-XCBC-MAC-96 authenticator, the entire
128-bit value is computed and the first 96 bits are compared to
the value stored in the authenticator field.
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Keying Material</span>
AES-XCBC-MAC-96 is a secret key algorithm. For use with either ESP or
AH a fixed key length of 128-bits MUST be supported. Key lengths
other than 128-bits MUST NOT be supported (i.e., only 128-bit keys are
to be used by AES-XCBC-MAC-96).
AES-XCBC-MAC-96 actually requires 384 bits of keying material (128
bits for the AES keysize + 2 times the blocksize). This keying
material can either be provided through the key generation mechanism
or it can be generated from a single 128-bit key. The latter approach
has been selected for AES-XCBC-MAC-96, since it is analogous to other
authenticators used within IPsec. The reason AES-XCBC-MAC-96 uses 3
keys is so the length of the input stream does not need to be known
in advance. This may be useful for systems that do one-pass assembly
of large packets.
A strong pseudo-random function MUST be used to generate the required
128-bit key. This key, along with the 3 derived keys (K1, K2 and K3),
should be used for no purposes other than those specified in the
algorithm. In particular, they should not be used as keys in another
cryptographic setting. Such abuses will invalidate the security of
the authentication algorithm.
At the time of this writing there are no specified weak keys for use
with AES-XCBC-MAC-96. This does not mean to imply that weak keys do
not exist. If, at some point, a set of weak keys for AES-XCBC-MAC-96
are identified, the use of these weak keys MUST be rejected followed
by a request for replacement keys or a newly negotiated Security
Association.
[<a id="ref-ARCH">ARCH</a>] describes the general mechanism for obtaining keying material
when multiple keys are required for a single SA (e.g., when an ESP SA
requires a key for confidentiality and a key for authentication).
In order to provide data origin authentication, the key distribution
mechanism must ensure that unique keys are allocated and that they
are distributed only to the parties participating in the
communication.
<span class="grey">Frankel & Herbert Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc3566">RFC 3566</a> AES-XCBC-MAC-96 Algorithm September 2003</span>
Current attacks do not necessitate a specific recommended frequency
for key changes. However, periodic key refreshment is a fundamental
security practice that helps against potential weaknesses of the
function and the keys, reduces the information available to a
cryptanalyst, and limits the damage resulting from a compromised key.
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Padding</span>
AES-XCBC-MAC-96 operates on 128-bit blocks of data. Padding
requirements are specified in [<a href="#ref-CBC-MAC-1" title=""CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions,"">CBC-MAC-1</a>] and are part of the XCBC
algorithm. If you build AES-XCBC-MAC-96 according to [<a href="#ref-CBC-MAC-1" title=""CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions,"">CBC-MAC-1</a>] you
do not need to add any additional padding as far as AES-XCBC-MAC-96
is concerned. With regard to "implicit packet padding" as defined in
[<a href="#ref-AH" title=""IP Authentication Header"">AH</a>], no implicit packet padding is required.
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>. Truncation</span>
AES-XCBC-MAC produces a 128-bit authenticator value. AES-XCBC-MAC-96
is derived by truncating this 128-bit value as described in [<a href="#ref-HMAC" title=""HMAC: Keyed-Hashing for Message Authentication"">HMAC</a>]
and verified in [<a href="#ref-XCBC-MAC-2" title="email communications">XCBC-MAC-2</a>]. For use with either ESP or AH, a
truncated value using the first 96 bits MUST be supported. Upon
sending, the truncated value is stored within the authenticator
field. Upon receipt, the entire 128-bit value is computed and the
first 96 bits are compared to the value stored in the authenticator
field. No other authenticator value lengths are supported by
AES-XCBC-MAC-96.
The length of 96 bits was selected because it is the default
authenticator length as specified in [<a href="#ref-AH" title=""IP Authentication Header"">AH</a>] and meets the security
requirements described in [<a href="#ref-XCBC-MAC-2" title="email communications">XCBC-MAC-2</a>].
<span class="h3"><a class="selflink" id="section-4.4" href="#section-4.4">4.4</a>. Interaction with the ESP Cipher Mechanism</span>
As of this writing, there are no known issues which preclude the use
of AES-XCBC-MAC-96 with any specific cipher algorithm.
<span class="h3"><a class="selflink" id="section-4.5" href="#section-4.5">4.5</a>. Performance</span>
For any CBC MAC variant, the major computational effort is expended
in computing the underlying block cipher. This algorithm uses a
minimum number of AES invocations, one for each block of the message
or fraction thereof, resulting in performance equivalent to classic
CBC-MAC.
The key expansion requires 3 additional AES encryption operations,
but these can be performed once in advance for each secret key.
<span class="grey">Frankel & Herbert Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc3566">RFC 3566</a> AES-XCBC-MAC-96 Algorithm September 2003</span>
<span class="h3"><a class="selflink" id="section-4.6" href="#section-4.6">4.6</a>. Test Vectors</span>
These test cases were provided by John Black, co-author of the
XCBC-MAC algorithm, who verified them with 2 independent
implementations. All values are hexadecimal numbers.
Test Case #1 : AES-XCBC-MAC-96 with 0-byte input
Key (K) : 000102030405060708090a0b0c0d0e0f
Message (M) : <empty string>
AES-XCBC-MAC : 75f0251d528ac01c4573dfd584d79f29
AES-XCBC-MAC-96: 75f0251d528ac01c4573dfd5
Test Case #2 : AES-XCBC-MAC-96 with 3-byte input
Key (K) : 000102030405060708090a0b0c0d0e0f
Message (M) : 000102
AES-XCBC-MAC : 5b376580ae2f19afe7219ceef172756f
AES-XCBC-MAC-96: 5b376580ae2f19afe7219cee
Test Case #3 : AES-XCBC-MAC-96 with 16-byte input
Key (K) : 000102030405060708090a0b0c0d0e0f
Message (M) : 000102030405060708090a0b0c0d0e0f
AES-XCBC-MAC : d2a246fa349b68a79998a4394ff7a263
AES-XCBC-MAC-96: d2a246fa349b68a79998a439
Test Case #4 : AES-XCBC-MAC-96 with 20-byte input
Key (K) : 000102030405060708090a0b0c0d0e0f
Message (M) : 000102030405060708090a0b0c0d0e0f10111213
AES-XCBC-MAC : 47f51b4564966215b8985c63055ed308
AES-XCBC-MAC-96: 47f51b4564966215b8985c63
Test Case #5 : AES-XCBC-MAC-96 with 32-byte input
Key (K) : 000102030405060708090a0b0c0d0e0f
Message (M) : 000102030405060708090a0b0c0d0e0f10111213141516171819
1a1b1c1d1e1f
AES-XCBC-MAC : f54f0ec8d2b9f3d36807734bd5283fd4
AES-XCBC-MAC-96: f54f0ec8d2b9f3d36807734b
Test Case #6 : AES-XCBC-MAC-96 with 34-byte input
Key (K) : 000102030405060708090a0b0c0d0e0f
Message (M) : 000102030405060708090a0b0c0d0e0f10111213141516171819
1a1b1c1d1e1f2021
AES-XCBC-MAC : becbb3bccdb518a30677d5481fb6b4d8
AES-XCBC-MAC-96: becbb3bccdb518a30677d548
Test Case #7 : AES-XCBC-MAC-96 with 1000-byte input
Key (K) : 000102030405060708090a0b0c0d0e0f
Message (M) : 00000000000000000000 ... <a href="#page-00000000000000000000">00000000000000000000</a>
[1000 bytes]
<span class="grey">Frankel & Herbert Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc3566">RFC 3566</a> AES-XCBC-MAC-96 Algorithm September 2003</span>
AES-XCBC-MAC : f0dafee895db30253761103b5d84528f
AES-XCBC-MAC-96: f0dafee895db30253761103b
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Security Considerations</span>
The security provided by AES-XCBC-MAC-96 is based upon the strength
of AES. At the time of this writing there are no practical
cryptographic attacks against AES or AES-XCBC-MAC-96.
As is true with any cryptographic algorithm, part of its strength
lies in the correctness of the algorithm implementation, the security
of the key management mechanism and its implementation, the strength
of the associated secret key, and upon the correctness of the
implementation in all of the participating systems. This document
contains test vectors to assist in verifying the correctness of
AES-XCBC-MAC-96 code.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. IANA Considerations</span>
IANA has assigned AH Transform Identifier 9 to AH_AES-XCBC-MAC. IANA
has assigned AH/ESP Authentication Algorithm Value 9 to AES-XCBC-MAC.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Intellectual Property Rights Statement</span>
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in <a href="https://www.rfc-editor.org/bcp/bcp11">BCP-11</a>. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementers or users of this specification can
be obtained from the IETF Secretariat.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Acknowledgments</span>
Portions of this text were unabashedly borrowed from [<a href="#ref-HMAC-SHA" title=""The Use of HMAC-SHA-1-96 within ESP and AH"">HMAC-SHA</a>].
Thanks to the XCBC-MAC authors for their expert advice and rapid
response to our queries: to Phil Rogaway for providing values for the
XCBC-MAC constants; and to John Black for detailed corrections to the
algorithm specifications and for providing the test cases. Thanks
also to Andrew Krywaniuk for insisting on (and providing wording for)
a rationale for the 3-key approach.
<span class="grey">Frankel & Herbert Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc3566">RFC 3566</a> AES-XCBC-MAC-96 Algorithm September 2003</span>
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. References</span>
<span class="h3"><a class="selflink" id="section-9.1" href="#section-9.1">9.1</a>. Normative References</span>
[<a id="ref-AES">AES</a>] NIST, FIPS PUB 197, "Advanced Encryption Standard
(AES)," November 2001.
<a href="http://csrc.nist.gov/publications/fips/fips197/fips-197">http://csrc.nist.gov/publications/fips/fips197/</a>
<a href="http://csrc.nist.gov/publications/fips/fips197/fips-197">fips-197</a>.{ps,pdf}
[<a id="ref-AH">AH</a>] Kent, S. and R. Atkinson, "IP Authentication Header",
<a href="./rfc2402">RFC 2402</a>, November 1998.
[<a id="ref-CBC-MAC-1">CBC-MAC-1</a>] Black, J. and P. Rogaway, "CBC MACs for
Arbitrary-Length Messages: The Three-Key
Constructions," in M. Bellare, editor, Advances in
Cryptology -- CRYPTO '00, volume 1880 of Lecture Notes
in Computer Science, p. 0197, August 2000,
Springer-Verlag.
<a href="http://www.cs.ucdavis.edu/~rogaway/papers/3k.ps">http://www.cs.ucdavis.edu/~rogaway/papers/3k.ps</a>
[<a id="ref-ESP">ESP</a>] Kent, S. and R. Atkinson, "IP Encapsulating Security
Payload (ESP)", <a href="./rfc2406">RFC 2406</a>, November 1998.
[<a id="ref-RFC-2119">RFC-2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-XCBC-MAC-1">XCBC-MAC-1</a>] Black, J. and P. Rogaway, "A Suggestion for Handling
Arbitrary-Length Messages with the CBC MAC," NIST
Second Modes of Operation Workshop, August 2001.
<a href="http://csrc.nist.gov/encryption/modes/proposedmodes/xcbc-mac/xcbc-mac-spec.pdf">http://csrc.nist.gov/encryption/modes/proposedmodes/</a>
<a href="http://csrc.nist.gov/encryption/modes/proposedmodes/xcbc-mac/xcbc-mac-spec.pdf">xcbc-mac/xcbc-mac-spec.pdf</a>
<span class="h3"><a class="selflink" id="section-9.2" href="#section-9.2">9.2</a>. Informative References</span>
[<a id="ref-ARCH">ARCH</a>] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", <a href="./rfc2401">RFC 2401</a>, November 1998.
[<a id="ref-CBC-MAC-2">CBC-MAC-2</a>] Bellare, M., J. Kilian and P. Rogaway, "The Security of
the Cipher Block Chaining Message Authentication Code,"
Journal of Computer and System Sciences (JCSS), Vol.
61, No. 3, December 2000, pp. 362-399.
<a href="http://www.cse.ucsd.edu/users/mihir/papers/cbc">http://www.cse.ucsd.edu/users/mihir/papers/cbc</a>.{ps,pdf}
[<a id="ref-HMAC">HMAC</a>] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC:
Keyed-Hashing for Message Authentication", <a href="./rfc2104">RFC 2104</a>,
February 1997.
<span class="grey">Frankel & Herbert Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc3566">RFC 3566</a> AES-XCBC-MAC-96 Algorithm September 2003</span>
[<a id="ref-HMAC-SHA">HMAC-SHA</a>] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96
within ESP and AH", <a href="./rfc2404">RFC 2404</a>, November 1998.
[<a id="ref-HANDBOOK">HANDBOOK</a>] Menezes, A., P. Van Oorschot and S. Vanstone, "Handbook
of Applied Cryptography", CRC Press, 1997.
[<a id="ref-MODES">MODES</a>] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation: Methods and Techniques," NIST Special
Publication 800-38A, December 2001.
<a href="http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf">http://csrc.nist.gov/publications/nistpubs/800-38a</a>
<a href="http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf">/sp800-38a.pdf</a>
[<a id="ref-RFC-2026">RFC-2026</a>] Bradner, S., "The Internet Standards Process -- Revision
3", <a href="https://www.rfc-editor.org/bcp/bcp9">BCP 9</a>, <a href="./rfc2026">RFC 2026</a>, October 1996.
[<a id="ref-ROADMAP">ROADMAP</a>] Thayer, R., N. Doraswamy, and R. Glenn, "IP Security
Document Roadmap", <a href="./rfc2411">RFC 2411</a>, November 1998.
[<a id="ref-XCBC-MAC-2">XCBC-MAC-2</a>] Rogaway, Phil, email communications, October 2001.
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. Authors' Addresses</span>
Sheila Frankel
NIST - National Institute of Standards and Technology
820 West Diamond Ave.
Room 677
Gaithersburg, MD 20899
Phone: +1 (301) 975-3297
EMail: sheila.frankel@nist.gov
Howard C. Herbert
Intel Corporation
Lan Access Division
5000 West Chandler Blvd.
MS-CH7-404
Chandler, Arizona 85226
Phone: +1 (480) 554-3116
EMail: howard.c.herbert@intel.com
<span class="grey">Frankel & Herbert Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc3566">RFC 3566</a> AES-XCBC-MAC-96 Algorithm September 2003</span>
<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>. Full Copyright Statement</span>
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Frankel & Herbert Standards Track [Page 11]
</pre>
|
