TOC |
|
By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 20, 2008.
This document describes the use of the Camellia block cipher algorithm in Cipher Block Chaining (CBC) mode, Counter (CTR) mode and Counter with CBC-MAC (CCM) mode, as an IPsec Encapsulating Security Payload (ESP) mechanism to provide confidentiality, data origin authentication, and connectionless integrity.
1.
Introduction
1.1.
Terminology
2.
The Camellia Cipher Algorithm
2.1.
Key Size
2.2.
Weak Keys
2.3.
Block Size and Padding
2.4.
Performance
3.
Modes
3.1.
CBC
3.2.
Counter
3.3.
Counter with CBC-MAC
4.
ESP Payload
4.1.
CBC
4.1.1.
ESP Algorithmic Interactions
4.2.
Counter
4.2.1.
Counter Block Format
4.2.2.
Keying Material
4.3.
Counter with CBC-MAC
4.3.1.
Initialization Vector (IV)
4.3.2.
Encrypted Payload
4.3.3.
Authentication Data
4.3.4.
Nonce Format
4.3.5.
AAD Construction
5.
IKE Conventions
5.1.
Transform Type 1
5.2.
Key Length Attribute
5.3.
Keying Material
6.
Security Considerations
7.
IANA Considerations
8.
Acknowledgements
9.
References
9.1.
Normative
9.2.
Informative
§
Authors' Addresses
§
Intellectual Property and Copyright Statements
TOC |
This document describes the use of the Camellia block cipher algorithm in Cipher Block Chaining mode (CBC), Counter (CTR) mode and Counter with CBC-MAC (CCM) mode, as an IPsec Encapsulating Security Payload (ESP) mechanism to provide confidentiality, data origin authentication, and connectionless integrity.
Camellia is a symmetric cipher with a Feistel structure. Camellia was developed jointly by NTT and Mitsubishi Electric Corporation in 2000. It was designed to withstand all known cryptanalytic attacks, and it has been scrutinized by worldwide cryptographic experts. Camellia is suitable for implementation in software and hardware, offering encryption speed in software and hardware implementations that is comparable to Advanced Encryption Standard (AES) [5] (National Institute of Standards and Technology, “Advanced Encryption Standard (AES),” November 2001.).
Camellia supports 128-bit block size and 128-, 192-, and 256-bit key lengths, i.e., the same interface specifications as the AES. Therefore, it is easy to implement Camellia based algorithms by replacing AES block of AES based algorithms to Camellia block.
Camellia is adopted for the one of three ISO/IEC international standard cipher [6] (International Organization for Standardization, “Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers,” July 2005.) as 128bit block cipher (Camellia, AES and SEED). Camellia was selected as a recommended cryptographic primitive by the EU NESSIE (New European Schemes for Signatures, Integrity and Encryption) project [7] (, “The NESSIE project (New European Schemes for Signatures, Integrity and Encryption),” .) and was included in the list of cryptographic techniques for Japanese e-Government systems that was selected by the Japan CRYPTREC (Cryptography Research and Evaluation Committees) [8] (Information-technology Promotion Agency (IPA), “Cryptography Research and Evaluation Committees,” .).
Since optimized source code is provided by several open source lisences, Camellia is also adopted by several open source projects (Openssl, FreeBSD, Linux and Gran Paradiso).
The algorithm specification and object identifiers are described in [9] (Matsui, M., Nakajima, J., and S. Moriai, “A Description of the Camellia Encryption Algorithm,” April 2004.).
The Camellia homepage contains a wealth of information about Camellia, including detailed specification, security analysis, performance figures, reference implementation, optimized implementation, test vectors, and intellectual property information.The remainder of this document specifies the additional modes of operation Camellia within the context of IPsec ESP. For further information on how the various pieces of ESP fit together to provide security services, please refer to [10] (Kent, S. and K. Seo, “Security Architecture for the Internet Protocol,” December 2005.) [1] (Kent, S., “IP Encapsulating Security Payload (ESP),” December 2005.), and [11] (Thayer, R., Doraswamy, N., and R. Glenn, “IP Security Document Roadmap,” November 1998.).
TOC |
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [2] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.).
TOC |
All symmetric block cipher algorithms share common characteristics and variables, including mode, key size, weak keys, block size, and rounds. The following sections contain descriptions of the relevant characteristics of Camellia.
The algorithm specification and object identifiers are described in [9] (Matsui, M., Nakajima, J., and S. Moriai, “A Description of the Camellia Encryption Algorithm,” April 2004.).
TOC |
Camellia supports three key sizes: 128 bits, 192 bits, and 256 bits. The default key size is 128 bits, and all implementations MUST support this key size. Implementations MAY also support key sizes of 192 bits and 256 bits.
Camellia uses a different number of rounds for each of the defined key sizes. When a 128-bit key is used, implementations MUST use 18 rounds. When a 192-bit key is used, implementations MUST use 24 rounds. When a 256-bit key is used, implementations MUST use 24 rounds.
TOC |
At the time of writing this document there are no known weak keys for Camellia.
TOC |
Camellia uses a block size of sixteen octets (128 bits).
Padding is required by the algorithms to maintain a 16-octet (128-bit) block size. Padding MUST be added, as specified in [1] (Kent, S., “IP Encapsulating Security Payload (ESP),” December 2005.), such that the data to be encrypted (which includes the ESP Pad Length and Next Header fields) has a length that is a multiple of 16 octets.
Because of the algorithm specific padding requirement, no additional padding is required to ensure that the ciphertext terminates on a 4-octet boundary (i.e. maintaining a 16-octet block size guarantees that the ESP Pad Length and Next Header fields will be right aligned within a 4-octet word). Additional padding MAY be included, as specified in [1] (Kent, S., “IP Encapsulating Security Payload (ESP),” December 2005.), as long as the 16-octet block size is maintained.
TOC |
Performance figures of Camellia are available at http://info.isl.ntt.co.jp/crypt/camellia/. NESSIE project has reported performance of Optimized Implementations independently [7] (, “The NESSIE project (New European Schemes for Signatures, Integrity and Encryption),” .).
TOC |
TOC |
NIST has defined seven modes of operation for AES and other FIPS- approved ciphers : CBC (Cipher Block Chaining), ECB (Electronic CodeBook), CFB (Cipher FeedBack), OFB (Output FeedBack), CTR (Counter), CMAC (Cipher-based MAC) and CCM (CBC MAC). The CBC mode is well defined and well understood for symmetric ciphers, and it is currently used for all other ESP ciphers. This document specifies the use of the Camellia cipher in CBC mode within ESP. This mode requires an Initialization Vector (IV) size that is the same as the block size. Use of a randomly generated IV prevents generation of identical cipher text from packets that have identical data spanning the first block of the cipher algorithm's block size.
The CBC IV is XOR'd with the first plaintext block before it is encrypted. Then, for successive blocks, the previous cipher text block is XOR'd with the current plain text before it is encrypted. More information on CBC mode can be obtained in [3] (Dworkin, M., “Recommendation for Block Cipher Modes of Operation - Methods and Techniques,” November 2001.).
TOC |
Camellia-CTR [12] (Kato, A. and M. Kanda, “Camellia Counter mode and Camellia Counter with CBC Mac mode algorithms,” November 2007.) requires the encryptor to generate a unique per-packet value, and communicate this value to the decryptor. This specification calls this per-packet value an initialization vector (IV). The same IV and key combination MUST NOT be used more than once. The encryptor can generate the IV in any manner that ensures uniqueness. Common approaches to IV generation include incrementing a counter for each packet and linear feedback shift registers (LFSRs).
This specification calls for the use of a nonce for additional protection against precomputation attacks. The nonce value need not be secret. However, the nonce MUST be unpredictable prior to the establishment of the IPsec Security Association (SA) that is making use of Camellia-CTR.
Camellia-CTR has many properties that make it an attractive encryption algorithm for in high-speed networking. Camellia-CTR uses the Camellia block cipher to create a stream cipher. Data is encrypted and decrypted by XORing with the key stream produced by Camellia encrypting sequential counter block values. Camellia-CTR is easy to implement, and Camellia-CTR can be pipelined and parallelized. Camellia-CTR also supports key stream precomputation.
Pipelining is possible because Camellia has multiple rounds (see Section 2 (The Camellia Cipher Algorithm).). A hardware implementation (and some software implementations) can create a pipeline by unwinding the loop implied by this round structure. For example, after a 16-octet block has been input, one round later another 16-octet block can be input, and so on. In Camellia-CTR, these inputs are the sequential counter block values used to generate the key stream.
Multiple independent Camellia encrypt implementations can also be used to improve performance. For example, one could use two Camellia encrypt implementations in parallel, to process a sequence of counter block values, doubling the effective throughput.
The sender can precompute the key stream. Since the key stream does not depend on any data in the packet, the key stream can be precomputed once the nonce and IV are assigned. This precomputation can reduce packet latency. The receiver cannot perform similar precomputation because the IV will not be known before the packet arrives.
When used correctly, Camellia-CTR provides a high level of confidentiality. Unfortunately, Camellia-CTR is easy to use incorrectly. Being a stream cipher, any reuse of the per-packet value, called the IV, with the same nonce and key is catastrophic. An IV collision immediately leaks information about the plaintext in both packets. For this reason, it is inappropriate to use this mode of operation with static keys. Extraordinary measures would be needed to prevent reuse of an IV value with the static key across power cycles. To be safe, implementations MUST use fresh keys with Camellia-CTR. The Internet Key Exchange (IKEv2) [4] (Kaufman, C., “Internet Key Exchange (IKEv2) Protocol,” December 2005.) protocol can be used to establish fresh keys. IKE can also provide the nonce value.
With Camellia-CTR, it is trivial to use a valid ciphertext to forge other (valid to the decryptor) ciphertexts. Thus, it is equally catastrophic to use Camellia-CTR without a companion authentication function. Implementations MUST use Camellia-CTR in conjunction with an authentication function, such as Camellia-CMAC-96 [13] (Kato, A., Kanda, M., and T. Iwata, “The Camellia-CMAC-96 and Camellia-CMAC-PRF-128 Algorithms and Its Use with IPsec,” November 2007.).
More information and Test Vectors for Camellia-CTR can be obtained in [12] (Kato, A. and M. Kanda, “Camellia Counter mode and Camellia Counter with CBC Mac mode algorithms,” November 2007.).
TOC |
CCM is a generic authenticate-and-encrypt block cipher mode. In this specification, CCM is used with the Camellia [12] (Kato, A. and M. Kanda, “Camellia Counter mode and Camellia Counter with CBC Mac mode algorithms,” November 2007.) block cipher.
Camellia-CCM [12] (Kato, A. and M. Kanda, “Camellia Counter mode and Camellia Counter with CBC Mac mode algorithms,” November 2007.) has two parameters:
- M
- M indicates the size of the integrity check value (ICV). CCM defines values of 4, 6, 8, 10, 12, 14, and 16 octets; However, to maintain alignment and provide adequate security, only the values that are a multiple of four and are at least eight are permitted. Implementations MUST support M values of 8 octets and 16 octets, and implementations MAY support an M value of 12 octets.
- L
- L indicates the size of the length field in octets. CCM defines values of L between 2 octets and 8 octets. This specification only supports L = 4. Implementations MUST support an L value of 4 octets, which accommodates a full Jumbogram [14] (Borman, D., Deering, S., and R. Hinden, “IPv6 Jumbograms,” August 1999.); however, the length includes all of the encrypted data, which also includes the ESP Padding, Pad Length, and Next Header fields.
There are four inputs to CCM originator processing:
- key
- A single key is used to calculate the ICV using CBC-MAC and to perform payload encryption using counter mode. Camellia supports key sizes of 128 bits, 192 bits, and 256 bits. The default key size is 128 bits, and implementations MUST support this key size. Implementations MAY also support key sizes of 192 bits and 256 bits.
- nonce
- The size of the nonce depends on the value selected for the parameter L. It is 15-L octets. Implementations MUST support a nonce of 11 octets. The construction of the nonce is described in Section 4.3.4 (Nonce Format).
- payload
- The payload of the ESP packet. The payload MUST NOT be longer than 4,294,967,295 octets, which is the maximum size of a Jumbogram [14] (Borman, D., Deering, S., and R. Hinden, “IPv6 Jumbograms,” August 1999.); however, the ESP Padding, Pad Length, and Next Header fields are also part of the payload.
- AAD
- CCM provides data integrity and data origin authentication for some data outside the payload. CCM does not allow additional authenticated data (AAD) to be longer than 18,446,744,073,709,551,615 octets. The ICV is computed from the ESP header, Payload, and ESP trailer fields, which is significantly smaller than the CCM-imposed limit. The construction of the AAD described in Section 4.3.5 (AAD Construction).
Camellia-CCM requires the encryptor to generate a unique per-packet value and to communicate this value to the decryptor. This per-packet value is one of the component parts of the nonce, and it is referred to as the initialization vector (IV). The same IV and key combination MUST NOT be used more than once. The encryptor can generate the IV in any manner that ensures uniqueness. Common approaches to IV generation include incrementing a counter for each packet and linear feedback shift registers (LFSRs).
Camellia-CCM employs counter mode for encryption. As with any stream cipher, reuse of the same IV value with the same key is catastrophic. An IV collision immediately leaks information about the plaintext in both packets. For this reason, it is inappropriate to use this CCM with statically configured keys. Extraordinary measures would be needed to prevent reuse of an IV value with the static key across power cycles. To be safe, implementations MUST use fresh keys with Camellia-CCM. The IKEv2 protocol [4] (Kaufman, C., “Internet Key Exchange (IKEv2) Protocol,” December 2005.) can be used to establish fresh keys.
More information and Test Vectors for Camellia-CCM can be obtained in [12] (Kato, A. and M. Kanda, “Camellia Counter mode and Camellia Counter with CBC Mac mode algorithms,” November 2007.).
TOC |
TOC |
The ESP payload for Camellia-CBC is made up of the IV followed by raw cipher-text. Thus, the payload field, as defined in [1] (Kent, S., “IP Encapsulating Security Payload (ESP),” December 2005.), is broken down according to the following diagram:
+---------------+---------------+---------------+---------------+ | | + Initialization Vector (16 octets) + | | +---------------+---------------+---------------+---------------+ | | ~ Encrypted Payload (variable length, a multiple of 16 octets) ~ | | +---------------------------------------------------------------+
Figure 1: ESP Payload Encrypted with Camellia-CBC |
The IV field MUST be the same size as the block size of the cipher algorithm being used. The IV MUST be chosen at random, and MUST be unpredictable.
Including the IV in each datagram ensures that each received datagram can be decrypted, even when some datagrams are dropped or re-ordered in transit.
To avoid CBC encryption of very similar plaintext blocks in different packets, implementations MUST NOT use a counter or other low Hamming-distance source for IVs.
TOC |
Currently, there are no known issues regarding interactions between the Camellia and other aspects of ESP, such as the use of certain authentication schemes.
TOC |
The ESP payload for Camellia-CBC is made up of the IV followed by raw cipher-text. bits. Figure 2 (ESP Payload Encrypted with Camellia-CTR) shows the format of the counter block.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Initialization Vector | | (8 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Encrypted Payload (variable) ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Authentication Data (variable) ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: ESP Payload Encrypted with Camellia-CTR |
The components of the counter block are as follows:
- Initialization Vector
- The Camellia-CTR IV field MUST be eight octets. The IV MUST be chosen by the encryptor in a manner that ensures that the same IV value is used only once for a given key. The encryptor can generate the IV in any manner that ensures uniqueness. Common approaches to IV generation include incrementing a counter for each packet and linear feedback shift registers (LFSRs). Including the IV in each packet ensures that the decryptor can generate the key stream needed for decryption, even when some packets are lost or reordered.
- Encrypted Payload
- The encrypted payload contains the ciphertext. Camellia-CTR mode does not require plaintext padding. However, ESP does require padding to 32-bit word-align the authentication data. The padding, Pad Length, and the Next Header MUST be concatenated with the plaintext before performing encryption, as described in [1] (Kent, S., “IP Encapsulating Security Payload (ESP),” December 2005.).
- Authentication Data
- Since it is trivial to construct a forgery Camellia-CTR ciphertext from a valid Camellia-CTR ciphertext, Camellia-CTR implementations MUST employ a non-NULL ESP authentication method. Camellia-CMAC-96 [13] (Kato, A., Kanda, M., and T. Iwata, “The Camellia-CMAC-96 and Camellia-CMAC-PRF-128 Algorithms and Its Use with IPsec,” November 2007.) is a likely choice.
TOC |
The Camellia-CTR counter block is 128 bits. Figure 3 (Counter Block Format) shows the format of the counter block.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Initialization Vector (IV) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Block Counter | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: Counter Block Format |
The components of the counter block are as follows:
- Nonce
- The Nonce field is 32 bits. As the name implies, the nonce is a single use value. That is, a fresh nonce value MUST be assigned for each SA. It MUST be assigned at the beginning of the SA. The nonce value need not be secret, but it MUST be unpredictable prior to the beginning of the SA.
- Initialization Vector
- The IV field is 64 bits. As described in section 3.1, the IV MUST be chosen by the encryptor in a manner that ensures that the same IV value is used only once for a given key.
- Block Counter
- The block counter field is the least significant 32 bits of the counter block. The block counter begins with the value of one, and it is incremented to generate subsequent portions of the key stream. The block counter is a 32-bit big-endian integer value.
Using the encryption process described in Section 3.2 (Counter), this construction permits each packet to consist of up to:
(2^32)-1 blocks = 4,294,967,295 blocks = 68,719,476,720 octets
This construction can produce enough key stream for each packet sufficient to handle any IPv6 jumbogram [14] (Borman, D., Deering, S., and R. Hinden, “IPv6 Jumbograms,” August 1999.).
TOC |
The minimum number of bits sent from the key exchange protocol to the ESP algorithm must be greater than or equal to the key size.
The cipher's encryption and decryption key is taken from the first 128, 192, or 256 bits of the keying material.
TOC |
The ESP payload is composed of the IV followed by the ciphertext. The payload field, as defined in [1] (Kent, S., “IP Encapsulating Security Payload (ESP),” December 2005.), is structured as shown in Figure 4 (ESP Payload Encrypted with Camellia-CCM).
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Initialization Vector | | (8 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Encrypted Payload (variable) ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Authentication Data (variable) ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: ESP Payload Encrypted with Camellia-CCM |
TOC |
The Camellia-CCM IV field MUST be eight octets. The IV MUST be chosen by the encryptor in a manner that ensures that the same IV value is used only once for a given key. The encryptor can generate the IV in any manner that ensures uniqueness. Common approaches to IV generation include incrementing a counter for each packet and linear feedback shift registers (LFSRs).
Including the IV in each packet ensures that the decryptor can generate the key stream needed for decryption, even when some datagrams are lost or reordered.
TOC |
The encrypted payload contains the ciphertext.
Camellia-CCM mode does not require plaintext padding. However, ESP does require padding to 32-bit word-align the authentication data. The Padding, Pad Length, and Next Header fields MUST be concatenated with the plaintext before performing encryption, as described in [1] (Kent, S., “IP Encapsulating Security Payload (ESP),” December 2005.). When padding is required, it MUST be generated and checked in accordance with the conventions specified in [1] (Kent, S., “IP Encapsulating Security Payload (ESP),” December 2005.).
TOC |
Camellia-CCM provides an encrypted ICV. The ICV provided by CCM is carried in the Authentication Data fields without further encryption. Implementations MUST support ICV sizes of 8 octets and 16 octets. Implementations MAY also support ICV 12 octets.
TOC |
Each packet conveys the IV that is necessary to construct the sequence of counter blocks used by counter mode to generate the key stream. The Camellia counter block is 16 octets. One octet is used for the CCM Flags, and 4 octets are used for the block counter, as specified by the CCM L parameter. The remaining octets are the nonce. These octets occupy the second through the twelfth octets in the counter block. Figure 5 (Nonce Format of CCM) shows the format of the nonce.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Salt | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Initialization Vector | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: Nonce Format of CCM |
The components of the nonce are as follows:
- Salt
- The salt field is 24 bits. As the name implies, it contains an unpredictable value. It MUST be assigned at the beginning of the SA. The salt value need not be secret, but it MUST NOT be predictable prior to the beginning of the SA.
- Initialization Vector
- The IV field is 64 bits. As described in Section 3.1, the IV MUST be chosen by the encryptor in a manner that ensures that the same IV value is used only once for a given key.
This construction permits each packet to consist of up to:
2^32 blocks = 4,294,967,296 blocks = 68,719,476,736 octets
This construction provides more key stream for each packet than is needed to handle any IPv6 Jumbogram [14] (Borman, D., Deering, S., and R. Hinden, “IPv6 Jumbograms,” August 1999.).
TOC |
The data integrity and data origin authentication for the Security Parameters Index (SPI) and (Extended) Sequence Number fields is provided without encrypting them. Two formats are defined: one for 32-bit sequence numbers and one for 64-bit extended sequence numbers. The format with 32-bit sequence numbers is shown in Figure 6 ( AAD Format with 32-bit Sequence Number), and the format with 64-bit extended sequence numbers is shown in Figure 7 ( AAD Format with 64-bit Sequence Number).
Sequence Numbers are conveyed canonical network byte order. Extended Sequence Numbers are conveyed canonical network byte order, placing the high-order 32 bits first and the low-order 32 bits second. Canonical network byte order is fully described in RFC 791, Appendix B.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SPI | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 32-bit Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6: AAD Format with 32-bit Sequence Number |
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SPI | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 64-bit Extended Sequence Number | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 7: AAD Format with 64-bit Sequence Number |
TOC |
This section describes the transform ID and conventions used to generate keying material for use with ENCR_CAMELLIA_CBC, ENCR_CAMELLIA_CTR and ENCR_CAMELLIA_CCM using the Internet Key Exchange (IKEv2) [4] (Kaufman, C., “Internet Key Exchange (IKEv2) Protocol,” December 2005.).
TOC |
For IKEv2 negotiations, IANA has assigned five ESP Transform Identifiers for Camellia-CBC, Camellia-CTR and Camellia-CCM.
<TBD1> for Camellia-CBC with explicit IV; <TBD2> for Camellia-CTR with explicit IV; <TBD3> for Camellia-CCM with an 8-octet ICV; <TBD4> for Camellia-CCM with a 12-octet ICV; and <TBD5> for Camellia-CCM with a 16-octet ICV.
TOC |
Since the Camellia supports three key lengths, the Key Length attribute MUST be specified in the IKE exchange [4] (Kaufman, C., “Internet Key Exchange (IKEv2) Protocol,” December 2005.). The Key Length attribute MUST have a value of 128, 192, or 256.
TOC |
The size of KEYMAT MUST be equal or longer than the associated Camellia key. The keying material is used as follows:
- Camellia-CBC with a 128-bit key
- The KEYMAT requested for each Camellia-CBC key is 16 octets. The whole octets are the 128-bit Camellia key.
- Camellia-CBC with a 192-bit key
- The KEYMAT requested for each Camellia-CBC key is 24 octets. The whole octets are the 192-bit Camellia key.
- Camellia-CBC with a 256-bit key
- The KEYMAT requested for each Camellia-CBC key is 32 octets. The whole octets are the 256-bit Camellia key.
- Camellia-CTR with a 128-bit key
- The KEYMAT requested for each Camellia-CTR key is 20 octets. The first 16 octets are the 128-bit Camellia key, and the remaining four octets are used as the nonce value in the counter block.
- Camellia-CTR with a 192-bit key
- The KEYMAT requested for each Camellia-CTR key is 28 octets. The first 24 octets are the 192-bit Camellia key, and the remaining four octets are used as the nonce value in the counter block.
- Camellia-CTR with a 128-bit key
- The KEYMAT requested for each Camellia-CTR key is 36 octets. The first 32 octets are the 256-bit Camellia key, and the remaining four octets are used as the nonce value in the counter block.
- Camellia-CCM with a 128-bit key
- The KEYMAT requested for each Camellia-CCM key is 19 octets. The first 16 octets are the 128-bit Camellia key, and the remaining three octets are used as the salt value in the counter block.
- Camellia-CCM with a 192-bit key
- The KEYMAT requested for each Camellia-CCM key is 27 octets. The first 24 octets are the 192-bit Camellia key, and the remaining three octets are used as the salt value in the counter block.
- Camellia-CCM with a 256-bit key
- The KEYMAT requested for each Camellia-CCM key is 35 octets. The first 32 octets are the 256-bit Camellia key, and the remaining three octets are used as the salt value in the counter block.
TOC |
Implementations are encouraged to use the largest key sizes they can, taking into account performance considerations for their particular hardware and software configuration. Note that encryption necessarily affects both sides of a secure channel, so such consideration must take into account not only the client side, but also the server. However, a key size of 128 bits is considered secure for the foreseeable future.
Camellia-CTR and Camellia-CCM employs counter (CTR) mode for confidentiality. If a counter value is ever used for more that one packet with the same key, then the same key stream will be used to encrypt both packets, and the confidentiality guarantees are voided.
What happens if the encryptor XORs the same key stream with two different packet plaintexts? Suppose two packets are defined by two plaintext byte sequences P1, P2, P3 and Q1, Q2, Q3, then both are encrypted with key stream K1, K2, K3. The two corresponding ciphertexts are:
(P1 XOR K1), (P2 XOR K2), (P3 XOR K3) (Q1 XOR K1), (Q2 XOR K2), (Q3 XOR K3)
If both of these two ciphertext streams are exposed to an attacker, then a catastrophic failure of confidentiality results, because:
(P1 XOR K1) XOR (Q1 XOR K1) = P1 XOR Q1 (P2 XOR K2) XOR (Q2 XOR K2) = P2 XOR Q2 (P3 XOR K3) XOR (Q3 XOR K3) = P3 XOR Q3
Once the attacker obtains the two plaintexts XORed together, it is relatively straightforward to separate them. Thus, using any stream cipher, including Camellia-CTR, to encrypt two plaintexts under the same key stream leaks the plaintext.
Therefore, Camellia-CTR and Camellia-CCM should not be used with statically configured keys. Extraordinary measures would be needed to prevent the reuse of a counter block value with the static key across power cycles. To be safe, implementations MUST use fresh keys with Camellia-CTR and Camellia-CCM. The IKEv2 [4] (Kaufman, C., “Internet Key Exchange (IKEv2) Protocol,” December 2005.) protocol can be used to establish fresh keys.
When IKE is used to establish fresh keys between two peer entities, separate keys are established for the two traffic flows. If a different mechanism is used to establish fresh keys, one that establishes only a single key to encrypt packets, then there is a high probability that the peers will select the same IV values for some packets. Thus, to avoid counter block collisions, ESP implementations that permit use of the same key for encrypting and decrypting packets with the same peer MUST ensure that the two peers assign different salt values to the SA.
Regardless of the mode used, Camellia with a 128-bit key is vulnerable to the birthday attack after 2^64 blocks are encrypted with a single key. Since ESP with Extended Sequence Numbers allows for up to 2^64 packets in a single SA, there is real potential for more than 2^64 blocks to be encrypted with one key. Implementations SHOULD generate a fresh key before 2^64 blocks are encrypted with the same key. Note that ESP with 32-bit Sequence Numbers will not exceed 2^64 blocks even if all of the packets are maximum-length Jumbograms.
No security problem has been found on Camellia [8] (Information-technology Promotion Agency (IPA), “Cryptography Research and Evaluation Committees,” .), [7] (, “The NESSIE project (New European Schemes for Signatures, Integrity and Encryption),” .).
TOC |
IANA has assigned five IKEv2 parameters for use with Camellia-CBC, Camellia-CTR and Camellia-CCM for Transform Type 1 (Encryption Algorithm):
<TBD1> for ENCR_CAMELLIA_CBC; <TBD2> for ENCR_CAMELLIA_CTR; <TBD3> for ENCR_CAMELLIA_CCM with an 8-octet ICV; <TBD4> for ENCR_CAMELLIA_CCM with a 12-octet ICV; and <TBD5> for ENCR_CAMELLIA_CCM with a 16-octet ICV.
TOC |
We thank Tim Polk and Tero Kivinen for their initial review of this document.
TOC |
TOC |
[1] | Kent, S., “IP Encapsulating Security Payload (ESP),” RFC 4303, December 2005 (TXT). |
[2] | Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML). |
[3] | Dworkin, M., “Recommendation for Block Cipher Modes of Operation - Methods and Techniques,” NIST Special Publication 800-38A, November 2001. |
[4] | Kaufman, C., “Internet Key Exchange (IKEv2) Protocol,” RFC 4306, December 2005 (TXT). |
TOC |
[5] | National Institute of Standards and Technology, “Advanced Encryption Standard (AES),” FIPS PUB 197, November 2001. |
[6] | International Organization for Standardization, “Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers,” ISO/IEC 18033-3, July 2005. |
[7] | “The NESSIE project (New European Schemes for Signatures, Integrity and Encryption).” |
[8] | Information-technology Promotion Agency (IPA), “Cryptography Research and Evaluation Committees” (HTML). |
[9] | Matsui, M., Nakajima, J., and S. Moriai, “A Description of the Camellia Encryption Algorithm,” RFC 3713, April 2004 (TXT). |
[10] | Kent, S. and K. Seo, “Security Architecture for the Internet Protocol,” RFC 4301, December 2005 (TXT). |
[11] | Thayer, R., Doraswamy, N., and R. Glenn, “IP Security Document Roadmap,” RFC 2411, November 1998 (TXT, HTML, XML). |
[12] | Kato, A. and M. Kanda, “Camellia Counter mode and Camellia Counter with CBC Mac mode algorithms,” draft-kato-camellia-ctrccm-00 (work in progress), November 2007. |
[13] | Kato, A., Kanda, M., and T. Iwata, “The Camellia-CMAC-96 and Camellia-CMAC-PRF-128 Algorithms and Its Use with IPsec,” draft-kato-ipsec-camellia-cmac96and128-02 (work in progress), November 2007. |
[14] | Borman, D., Deering, S., and R. Hinden, “IPv6 Jumbograms,” RFC 2675, August 1999 (TXT). |
TOC |
Akihiro Kato | |
NTT Software Corporation | |
Phone: | +81-45-212-7577 |
Fax: | +81-45-212-7800 |
Email: | akato@po.ntts.co.jp |
Masayuki Kanda | |
Nippon Telegraph and Telephone Corporation | |
Phone: | +81-422-59-3456 |
Fax: | +81-422-59-4015 |
Email: | kanda.masayuki@lab.ntt.co.jp |
TOC |
Copyright © The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an “AS IS” basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.