This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 11, 2009.
Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
This note provides test cases for the use of AES GCM and GMAC in ESP, as defined in RFC4106 and RFC4543, and clarifies some points in the latter specification.
Table of Contents

1. Introduction
1.1. Conventions Used In This Document
2. AES-GCM in ESP
3. AES-GMAC in ESP
4. Test Cases
5. Security Considerations
6. IANA Considerations
7. Acknowledgements
8. References
8.1. Normative References
8.2. Informative References
Author's Address
1. Introduction

This document reviews the use of the Galois/Counter Mode (GCM) and Galois Message Authentication Code (GMAC) modes of operation for the Advanced Encryption Standard as they are used in the Encapsulating Security Payload (ESP) [RFC4303].
1.1. Conventions Used In This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
2. AES-GCM in ESP

We briefly review the AES-GCM-ESP and AES-GMAC-ESP definitions and establish the notation used in the test cases. The GCM encryption operation takes as input a key, a nonce, a plaintext, and an additional authenticated data (AAD) value. It outputs a ciphertext and an authentication tag, or "tag" for short. Here we follow [RFC4106] and refer to the GCM initialization vector (IV) as a nonce in order to differentiate it from the IV that is carried in the ESP packet. The eight-byte ESP IV forms part of the 12-byte GCM nonce.

In [RFC4106], "The Use of Galois/Counter Mode (GCM) in IPsec ESP", the GCM inputs and ESP fields are as follows:
nonce       = Salt || IV
aad         = SPI || SequenceNumber
plaintext   = RestOfPayloadData || TFCpadding || Padding || PadLength || NextHeader
PayloadData = IV || ciphertext
ICV         = tag

Figure 1: The format of the GCM inputs and ESP fields for AES-GCM-ESP, where the symbol || denotes concatenation.
Here the fields RestOfPayloadData, TFCpadding, Padding, PadLength, NextHeader, SPI, SequenceNumber, and ICV are as defined in [RFC4303] and the fields Salt and IV are as defined in [RFC4106]. The field RestOfPayloadData contains the plaintext data that is described by the NextHeader field, and no other data. (Recall that the PayloadData field contains both the IV and the RestOfPayloadData; see [RFC4303] for an illustration.)

[RFC4106] defines the tag as the ICV, instead of defining it as the final part of the Payload Data. However, the two definitions are functionally equivalent.
3. AES-GMAC in ESP
In RFC 4543, "The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH", the GMAC inputs and ESP fields are as follows:
nonce     = Salt || IV
aad       = SPI || SequenceNumber || IV || RestOfPayloadData || TFCpadding || Padding || PadLength || NextHeader
plaintext = {}
Payload   = IV || PayloadData || TFCpadding || Padding || PadLength || NextHeader
ICV       = tag

Figure 2: The format of the GMAC inputs for ESP.
Here the symbol {} refers to the zero-length octet string.
The "Payload Data" is called the "Authenticated Payload" in one part of RFC 4543. It consists of the eight-octet IV, followed by the data encapsulated by ESP, that is, the data referred to by the Next Header field.
RFC 4543, Section 7 (Security Considerations), second sentence, should read "In AES-GCM-ESP, the IV is not included in either the plaintext or the additional authenticated data." It currently contains a typographical error, and reads "In ENCR_NULL_AUTH_AES_GMAC, the IV is not included in either the plaintext or the additional authenticated data."
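The two constructions of Figure 1 (AES-GCM-ESP) and Figure 2 (AES-GMAC-ESP), as an added Go example that is not part of this document or of any IPsec implementation; it uses only the Go standard library. The function espSeal builds the nonce and AAD from the ESP fields exactly as the figures specify, derives the on-the-wire packet, and main recomputes the first AES-GCM-ESP test case of Section 4; the function names, the salt/iv split of the nonce, and the gmac switch are this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// cat is the "||" of Figures 1 and 2: concatenation of octet strings.
func cat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }
// mustHex decodes a hard-coded test-vector constant taken from this document.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic("bad hex constant: " + s)
	}
	return b
}

// espSeal computes the ESP ICV with AES-GCM (gmac=false, Figure 1) or AES-GMAC (gmac=true,
// Figure 2). salt is the first four octets of the nonce, iv the eight octets carried in the
// packet, seq the 4-octet sequence number or 8-octet ESN. It returns the algorithm output
// (ctext+tag, or the tag alone for GMAC) and the packet SPI || low 32 bits of seq || IV || ...
func espSeal(key, salt, iv, spi, seq, payload []byte, gmac bool) ([]byte, []byte, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 octets
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block) // 12-octet nonce, 16-octet tag
	if err != nil {
		return nil, nil, err
	}
	// Only the low-order half of an 8-octet ESN is transmitted; the high half is
	// authenticated through the AAD (seq[len(seq)-4:] is the whole 4-octet seq otherwise).
	if gmac {
		// Figure 2: IV and payload are authenticated but not encrypted, so they move
		// into the AAD and the plaintext is the zero-length string.
		tag := gcm.Seal(nil, cat(salt, iv), nil, cat(spi, seq, iv, payload))
		return tag, cat(spi, seq[len(seq)-4:], iv, payload, tag), nil
	}
	// Figure 1: aad = SPI || SequenceNumber; the output is ciphertext followed by tag.
	ctextTag := gcm.Seal(nil, cat(salt, iv), payload, cat(spi, seq))
	return ctextTag, cat(spi, seq[len(seq)-4:], iv, ctextTag), nil
}

func main() { // recomputes the first AES-GCM-ESP test case of Section 4
	plaintext := "45000048699a000080114db7c0a80102" + "c0a801010a9bf15638d3010000010000" +
		"00000000045f736970045f7564700373" + "69700963796265726369747902646b00" + "0021000101020201"
	ct, pkt, err := espSeal(mustHex("4c80cdefbb5d10da906ac73c3613a634"), mustHex("2e443b68"),
		mustHex("4956ed7e3b244cfe"), mustHex("00004321"), mustHex("8765432100000000"),
		mustHex(plaintext), false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ctext+tag = %x\npacket    = %x\n", ct, pkt)
}
```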
4. Test Cases
Here are the test cases. Each test case lists the following fields:

algorithm - The algorithm used in the test case.
key - The secret key used by AES-GCM or AES-GMAC.
spi - The ESP SPI field.
seq - The ESP Sequence Number field, if the length is four octets, or the ESP Extended Sequence Number, if the length is eight octets.
nonce - The AES-GCM or AES-GMAC nonce; it is an input to the algorithm.
plaintext - The AES-GCM plaintext, which is an input to that algorithm.
aad - The AES-GCM or AES-GMAC additional authenticated data; it is an input to that algorithm.
ctext+tag - The AES-GCM ciphertext and authentication tag, or the AES-GMAC authentication tag; this is an output from the algorithm.
packet - The complete ESP packet.
algorithm = AES-GCM-ESP
key       = 4c80cdefbb5d10da906ac73c3613a634 (16 octets)
spi       = 00004321
seq       = 8765432100000000 (8 octets)
nonce     = 2e443b684956ed7e3b244cfe
plaintext = 45000048699a000080114db7c0a80102
            c0a801010a9bf15638d3010000010000
            00000000045f736970045f7564700373
            69700963796265726369747902646b00
            0021000101020201 (72 octets)
aad       = 000043218765432100000000 (12 octets)
ctext+tag = fecf537e729d5b07dc30df528dd22b76
            8d1b98736696a6fd348509fa13ceac34
            cfa2436f14a3f3cf65925bf1f4a13c5d
            15b21e1884f5ff6247aeabb786b93bce
            61bc17d768fd9732459018148f6cbe72
            2fd04796562dfdb4 (88 octets)
packet    = 00004321000000004956ed7e3b244cfe
            fecf537e729d5b07dc30df528dd22b76
            8d1b98736696a6fd348509fa13ceac34
            cfa2436f14a3f3cf65925bf1f4a13c5d
            15b21e1884f5ff6247aeabb786b93bce
            61bc17d768fd9732459018148f6cbe72
            2fd04796562dfdb4 (104 octets)

algorithm = AES-GCM-ESP
key       = feffe9928665731c6d6a8f9467308308 (16 octets)
spi       = 0000a5f8
seq       = 0000000a (4 octets)
nonce     = cafebabefacedbaddecaf888
plaintext = 4500003e698f000080114dccc0a80102
            c0a801010a980035002a2343b2d00100
            00010000000000000373697009637962
            65726369747902646b00000100010001 (64 octets)
aad       = 0000a5f80000000a (8 octets)
ctext+tag = deb22cd9b07c72c16e3a65beeb8df304
            a5a5897d33ae530f1ba76d5d114d2a5c
            3de81827c10e9a4f51330d0eec416642
            cfbb85a5b47e48a4ec3b9ba95d918bd1
            83b70d3aa8bc6ee4c309e9d85a41ad4a (80 octets)
packet    = 0000a5f80000000afacedbaddecaf888
            deb22cd9b07c72c16e3a65beeb8df304
            a5a5897d33ae530f1ba76d5d114d2a5c
            3de81827c10e9a4f51330d0eec416642
            cfbb85a5b47e48a4ec3b9ba95d918bd1
            83b70d3aa8bc6ee4c309e9d85a41ad4a (96 octets)

algorithm = AES-GCM-ESP
key       = abbccddef00112233445566778899aab
            abbccddef00112233445566778899aab (32 octets)
spi       = 4a2cbfe3
seq       = 00000002 (4 octets)
nonce     = 112233440102030405060708
plaintext = 4500003069a6400080062690c0a80102
            9389155e0a9e008b2dc57ee000000000
            7002400020bf0000020405b401010402
            01020201 (52 octets)
aad       = 4a2cbfe300000002 (8 octets)
ctext+tag = ff425c9b724599df7a3bcd510194e00d
            6a78107f1b0b1cbf06efae9d65a5d763
            748a637985771d347f0545659f14e99d
            ef842d8eb335f4eecfdbf831824b4c49
            15956c96 (68 octets)
packet    = 4a2cbfe3000000020102030405060708
            ff425c9b724599df7a3bcd510194e00d
            6a78107f1b0b1cbf06efae9d65a5d763
            748a637985771d347f0545659f14e99d
            ef842d8eb335f4eecfdbf831824b4c49
            15956c96 (84 octets)

algorithm = AES-GCM-ESP
key       = 00000000000000000000000000000000 (16 octets)
spi       = 00000000
seq       = 00000001 (4 octets)
nonce     = 000000000000000000000000
plaintext = 4500003c99c500008001cb7a40679318
            010101010800075c0200440061626364
            65666768696a6b6c6d6e6f7071727374
            75767761626364656667686901020201 (64 octets)
aad       = 0000000000000001 (8 octets)
ctext+tag = 4688daf2f973a392732909c331d56d60
            f694abaa414b5e7ff5fdcdfff5e9a284
            456476492719ffb64de7d9dca1e1d894
            bc3bd57873ed4d181d19d4d5c8c18af3
            f821d496eeb096e98ad2b69e4799c71d (80 octets)
packet    = 00000000000000010000000000000000
            4688daf2f973a392732909c331d56d60
            f694abaa414b5e7ff5fdcdfff5e9a284
            456476492719ffb64de7d9dca1e1d894
            bc3bd57873ed4d181d19d4d5c8c18af3
            f821d496eeb096e98ad2b69e4799c71d (96 octets)

algorithm = AES-GCM-ESP
key       = 3de09874b388e6491988d0c3607eae1f (16 octets)
spi       = 42f67e3f
seq       = 1010101010101010 (8 octets)
nonce     = 57690e434e280000a2fca1a3
plaintext = 4500003c99c300008001cb7c40679318
            010101010800085c0200430061626364
            65666768696a6b6c6d6e6f7071727374
            75767761626364656667686901020201 (64 octets)
aad       = 42f67e3f1010101010101010 (12 octets)
ctext+tag = fba2caa4853cf9f0f22cb10d86dd83b0
            fec75691cf1a04b00d1138ec9c357917
            65acbd8701ad79845bf9fe3fba487bc9
            1755e6662b4c8d0d1f5e22739530320a
            e0d731cc978ecafaeae88f00e80d6e48 (80 octets)
packet    = 42f67e3f101010104e280000a2fca1a3
            fba2caa4853cf9f0f22cb10d86dd83b0
            fec75691cf1a04b00d1138ec9c357917
            65acbd8701ad79845bf9fe3fba487bc9
            1755e6662b4c8d0d1f5e22739530320a
            e0d731cc978ecafaeae88f00e80d6e48 (96 octets)

algorithm = AES-GCM-ESP
key       = 3de09874b388e6491988d0c3607eae1f (16 octets)
spi       = 42f67e3f
seq       = 1010101010101010 (8 octets)
nonce     = 57690e434e280000a2fca1a3
plaintext = 4500001c42a200008001441f406793b6
            e00000020a00f5ff01020201 (28 octets)
aad       = 42f67e3f1010101010101010 (12 octets)
ctext+tag = fba2ca845e5df9f0f22c3e6e86dd831e
            1fc65792cd1af9130e1379ed369f071f
            35e034be95f112e4e7d05d35 (44 octets)
packet    = 42f67e3f101010104e280000a2fca1a3
            fba2ca845e5df9f0f22c3e6e86dd831e
            1fc65792cd1af9130e1379ed369f071f
            35e034be95f112e4e7d05d35 (60 octets)

algorithm = AES-GCM-ESP
key       = feffe9928665731c6d6a8f9467308308
            feffe9928665731c (24 octets)
spi       = 0000a5f8
seq       = 0000000a (4 octets)
nonce     = cafebabefacedbaddecaf888
plaintext = 45000028a4ad4000400678800a01038f
            0a010612802306b8cb712602dd6bb03e
            501016d075680001 (40 octets)
aad       = 0000a5f80000000a (8 octets)
ctext+tag = a5b1f8066029aea40e598b8122de0242
            0938b3ab33f828e687b8858b5bfbdbd0
            315b27452144cc7795457b9652037f53
            18027b5b4cd7a636 (56 octets)
packet    = 0000a5f80000000afacedbaddecaf888
            a5b1f8066029aea40e598b8122de0242
            0938b3ab33f828e687b8858b5bfbdbd0
            315b27452144cc7795457b9652037f53
            18027b5b4cd7a636 (72 octets)

algorithm = AES-GCM-ESP
key       = abbccddef00112233445566778899aab (16 octets)
spi       = 00000100
seq       = 0000000000000001 (8 octets)
nonce     = decaf888cafedebaceface74
plaintext = 4500004933ba00007f119106c3fb1d10
            c2b1d326c02831ce0035dd7b800302d5
            00004e20001e8c18d75b81dc91baa047
            6b91b924b280389d92c963bac046ec95
            9b6266c04722b14923010101 (76 octets)
aad       = 000001000000000000000001 (12 octets)
ctext+tag = 18a6fd42f72cbf4ab2a2ea901f73d814
            e3e7f243d95412e1c349c1d2fbec168f
            9190feebaf2cb01984e65863965d7472
            b79da345e0e780191f0d2f0e0f496c22
            6f2127b27db35724e7845d68651f57e6
            5f354f75ff17015769623436 (92 octets)
packet    = 0000010000000001cafedebaceface74
            18a6fd42f72cbf4ab2a2ea901f73d814
            e3e7f243d95412e1c349c1d2fbec168f
            9190feebaf2cb01984e65863965d7472
            b79da345e0e780191f0d2f0e0f496c22
            6f2127b27db35724e7845d68651f57e6
            5f354f75ff17015769623436 (108 octets)

algorithm = AES-GCM-ESP
key       = abbccddef00112233445566778899aab
            abbccddef00112233445566778899aab (32 octets)
spi       = 17405e67
seq       = 156f3126dd0db99b (8 octets)
nonce     = 73616c74616e640169766563
plaintext = 45080028732c00004006e9f90a010612
            0a01038f06b88023dd6bafbecb712602
            50101f646d540001 (40 octets)
aad       = 17405e67156f3126dd0db99b (12 octets)
ctext+tag = f2d69ecdbd5a0d5b8d5ef38bad4da58d
            1f278fde98ef67549d524a3018d9a57f
            f4d3a31ce673119e451626c2415771e3
            b7eebca614c89b35 (56 octets)
packet    = 17405e67dd0db99b616e640169766563
            f2d69ecdbd5a0d5b8d5ef38bad4da58d
            1f278fde98ef67549d524a3018d9a57f
            f4d3a31ce673119e451626c2415771e3
            b7eebca614c89b35 (72 octets)

algorithm = AES-GCM-ESP
key       = 3de09874b388e6491988d0c3607eae1f (16 octets)
spi       = 42f67e3f
seq       = 1010101010101010 (8 octets)
nonce     = 57690e434e280000a2fca1a3
plaintext = 45000049333e00007f119182c3fb1d10
            c2b1d326c02831ce0035cb458003025b
            000001e0001e8c18d65759d52284a035
            2c71475c8880391c764d6e5ee0496b32
            5ae270c03899493915010101 (76 octets)
aad       = 42f67e3f1010101010101010 (12 octets)
ctext+tag = fba2cad12fc1f9f00d3cebf305410db8
            3d7784b607323d220f24b0a97d541828
            00cadb0f68d99ef0e0c0c89ae9bea888
            4e52d65bc1afd0740f742444747b5b39
            ab533163aad4550ee5160975cdb608c5
            769189609763b8e18caa81e2 (92 octets)
packet    = 42f67e3f101010104e280000a2fca1a3
            fba2cad12fc1f9f00d3cebf305410db8
            3d7784b607323d220f24b0a97d541828
            00cadb0f68d99ef0e0c0c89ae9bea888
            4e52d65bc1afd0740f742444747b5b39
            ab533163aad4550ee5160975cdb608c5
            769189609763b8e18caa81e2 (108 octets)

algorithm = AES-GCM-ESP
key       = abbccddef00112233445566778899aab
            abbccddef00112233445566778899aab (32 octets)
spi       = 17405e67
seq       = 156f3126dd0db99b (8 octets)
nonce     = 73616c74616e640169766563
plaintext = 636973636f0172756c65730174686501
            6e6574776501646566696e6501746865
            746563686e6f6c6f6769657301746861
            7477696c6c01646566696e65746f6d6f
            72726f7701020201 (72 octets)
aad       = 17405e67156f3126dd0db99b (12 octets)
ctext+tag = d4b7ed86a1777f2ea13d6973d324c69e
            7b43f826fb56831226508bebd2dceb18
            d0a6df10e5487df074113e14c641024e
            3e6773d91a62ee429b043a10e3efe6b0
            12a49363412364f8c0cac587f249e56b
            11e24f30e44ccc76 (88 octets)
packet    = 17405e67dd0db99b616e640169766563
            d4b7ed86a1777f2ea13d6973d324c69e
            7b43f826fb56831226508bebd2dceb18
            d0a6df10e5487df074113e14c641024e
            3e6773d91a62ee429b043a10e3efe6b0
            12a49363412364f8c0cac587f249e56b
            11e24f30e44ccc76 (104 octets)

algorithm = AES-GCM-ESP
key       = 7d773d00c144c525ac619d18c84a3f47 (16 octets)
spi       = 335467ae
seq       = ffffffff (4 octets)
nonce     = d966426743457e9182443bc6
plaintext = 01020201 (4 octets)
aad       = 335467aeffffffff (8 octets)
ctext+tag = 437f866bcb3f699fe9b0822bac961c45
            04bef270 (20 octets)
packet    = 335467aeffffffff43457e9182443bc6
            437f866bcb3f699fe9b0822bac961c45
            04bef270 (36 octets)

algorithm = AES-GCM-ESP
key       = abbccddef00112233445566778899aab (16 octets)
spi       = 00000100
seq       = 0000000000000001 (8 octets)
nonce     = decaf888cafedebaceface74
plaintext = 746f016265016f72016e6f7401746f01
            62650001 (20 octets)
aad       = 000001000000000000000001 (12 octets)
ctext+tag = 29c9fc69a197d038ccdd14e2ddfcaa05
            43332164412503524303ed3c6c5f2838
            43af8c3e (36 octets)
packet    = 0000010000000001cafedebaceface74
            29c9fc69a197d038ccdd14e2ddfcaa05
            43332164412503524303ed3c6c5f2838
            43af8c3e (52 octets)

algorithm = AES-GCM-ESP
key       = 6c6567616c697a656d6172696a75616e
            61616e64646f69746265666f72656961 (32 octets)
spi       = 796b6963
seq       = ffffffffffffffff (8 octets)
nonce     = 7475726e333021696765746d
plaintext = 45000030da3a00008001df3bc0a80005
            c0a800010800c6cd0200070061626364
            65666768696a6b6c6d6e6f7071727374
            01020201 (52 octets)
aad       = 796b6963ffffffffffffffff (12 octets)
ctext+tag = f97ab2aa356d8edce17644ac8c78e25d
            d24dedbb29ebf1b64a274b39b49c3a86
            4cd3d78ca4ae68a32b42458fb57dbe82
            1dcc63b9d0937ba2945f669368661a32
            9fb4c053 (68 octets)
packet    = 796b6963ffffffff333021696765746d
            f97ab2aa356d8edce17644ac8c78e25d
            d24dedbb29ebf1b64a274b39b49c3a86
            4cd3d78ca4ae68a32b42458fb57dbe82
            1dcc63b9d0937ba2945f669368661a32
            9fb4c053 (84 octets)
algorithm = AES-GMAC-ESP
key       = 4c80cdefbb5d10da906ac73c3613a634 (16 octets)
spi       = 00004321
seq       = 00000007 (4 octets)
nonce     = 22433c640000000000000000
plaintext = (0 octets)
aad       = 00004321000000070000000000000000
            45000030da3a00008001df3bc0a80005
            c0a800010800c6cd0200070061626364
            65666768696a6b6c6d6e6f7071727374
            01020201 (68 octets)
ctext+tag = f2a9a836e155106aa8dcd618e4099aaa (16 octets)
packet    = 00004321000000070000000000000000
            45000030da3a00008001df3bc0a80005
            c0a800010800c6cd0200070061626364
            65666768696a6b6c6d6e6f7071727374
            01020201f2a9a836e155106aa8dcd618
            e4099aaa (84 octets)
algorithm = AES-GCM-ESP
key       = 3de09874b388e6491988d0c3607eae1f (16 octets)
spi       = 3f7ef642
seq       = 1010101010101010 (8 octets)
nonce     = 57690e434e280000a2fca1a3
plaintext = 45000030da3a00008001df3bc0a80005
            c0a800010800c6cd0200070061626364
            65666768696a6b6c6d6e6f7071727374
            01020201 (52 octets)
aad       = 3f7ef6421010101010101010 (12 octets)
ctext+tag = fba2caa8c6c5f9f0f22ca54a061210ad
            3f6e5791cf1aca210d117cec9c357917
            65acbd8701ad79845bf9fe3fba487bc9
            6321930684eecadb56912546e7a95c97
            40d7cb05 (68 octets)
packet    = 3f7ef642101010104e280000a2fca1a3
            fba2caa8c6c5f9f0f22ca54a061210ad
            3f6e5791cf1aca210d117cec9c357917
            65acbd8701ad79845bf9fe3fba487bc9
            6321930684eecadb56912546e7a95c97
            40d7cb05 (84 octets)

algorithm = AES-GCM-ESP
key       = 4c80cdefbb5d10da906ac73c3613a634 (16 octets)
spi       = 00004321
seq       = 8765432100000007 (8 octets)
nonce     = 22433c644855ec7d3a234bfd
plaintext = 0800c6cd020007006162636465666768
            696a6b6c6d6e6f707172737401020201 (32 octets)
aad       = 000043218765432100000007 (12 octets)
ctext+tag = 74752e8aeb5d873cd7c0f4acc36c4bff
            84b7d7b98f0ca8b6acda6894bc619069
            ef9cbc28fe1b56a7c4e0d58c86cd2bc0 (48 octets)
packet    = 00004321000000074855ec7d3a234bfd
            74752e8aeb5d873cd7c0f4acc36c4bff
            84b7d7b98f0ca8b6acda6894bc619069
            ef9cbc28fe1b56a7c4e0d58c86cd2bc0 (64 octets)
5. Security Considerations
An improperly implemented crypto algorithm may be insecure.
6. IANA Considerations
This document has no actions for IANA.
7. Acknowledgements
Thanks to Arpan Srivastava and Aravindhan P. for generating and validating test cases.
8. References
8.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels," BCP 14, RFC 2119, March 1997.
8.2. Informative References

[RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)," RFC 4106, June 2005.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)," RFC 4303, December 2005.
Author's Address

David A. McGrew
Cisco Systems, Inc.
510 McCarthy Blvd.
Milpitas, CA 95035
US
Phone: (408) 525 8651
Email: mcgrew@cisco.com
URI: http://www.mindspring.com/~dmcgrew/dam.htm